From paul at welshfamily.com Mon Oct 1 15:43:58 2012
From: paul at welshfamily.com (Paul Welsh)
Date: Mon, 1 Oct 2012 15:43:58 +0100
Subject: Email with virus getting through
Message-ID:

Hi all

I'm running MailScanner 4.84.5 with Clam and F-Prot on CentOS 6.3 with Exim 4.76 and an infected message is being delivered. Here's the maillog extract. I've changed the recipient domain to mydomain.com:

Oct 1 10:34:00 mail MailScanner[15454]: Infected message 1TIcNu-0004Ww-Ny.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe came from
Oct 1 10:34:01 mail MailScanner[15454]: Message 1TIcNu-0004Ww-Ny from 83.149.158.186 (truismsjb95 at paypal.com) to mydomain.com is not spam, SpamAssassin (score=2.798, required 6, autolearn=disabled, DKIM_ADSP_ALL 1.10, HTML_MESSAGE 0.00, RCVD_IN_XBL 0.72, SPF_SOFTFAIL 0.97, UNPARSEABLE_RELAY 0.00)
Oct 1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message 1TIcNu-0004Ww-Ny from truismsjb95 at paypal.com to postmaster at mydomain.com with subject Your friend added a new photo with you to the album

As you can see, it's identified as Infected but still delivered.

If I manually scan the message, I get this from f-prot:
# /opt/f-prot/fpscan Y*.eml
[Found possible security risk] Your friend added a new photo with you to the album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
[Contains infected objects] Your friend added a new photo with you to the album.eml

I get this from clam:
# clamscan Y*.eml
Your friend added a new photo with you to the album.eml: OK

----------- SCAN SUMMARY -----------
Known viruses: 1314671
Engine version: 0.97.6
Scanned directories: 0
Scanned files: 1
Infected files: 0

In MailScanner.conf I have these set but neither affect virus checking, apparently:
Maximum Archive Depth = 0
Find Archives By Content = no

I also have:
Virus Scanning = yes
Virus Scanners = clamav f-prot-6
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
Block Encrypted Messages = no
Allow Password-Protected Archives = no
Check Filenames In Password-Protected Archives = yes
Dangerous Content Scanning = yes
Allow Partial Messages = no
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = no

Any ideas?

For now, I have tried this. Previously it was not set:
Archives: Deny Filenames = \.exe$

From maxsec at gmail.com Mon Oct 1 17:31:01 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 1 Oct 2012 17:31:01 +0100
Subject: Email with virus getting through
In-Reply-To:
References:
Message-ID:

the double attachment check should have blocked this - never mind the anti-virus products

you sure you've not turned that off somehow in the filetypes rule?
http://www.mailscanner.info/files/filename.rules.conf

--
Martin Hepworth, CISSP
Oxford, UK

On 1 October 2012 15:43, Paul Welsh wrote:

> Hi all I'm running MailScanner 4.84.5 with Clam and F-Prot on CentOS
> 6.3 with Exim 4.76 and an infected message is being delivered. Here's
> the maillog extract. I've changed the recipient domain to
> mydomain.com:
>
> Oct 1 10:34:00 mail MailScanner[15454]: Infected message
>
> 1TIcNu-0004Ww-Ny.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> came from
> Oct 1 10:34:01 mail MailScanner[15454]: Message 1TIcNu-0004Ww-Ny from
> 83.149.158.186 (truismsjb95 at paypal.com) to mydomain.com is not spam,
> SpamAssassin (score=2.798, required 6, autolearn=disabled,
> DKIM_ADSP_ALL 1.10, HTML_MESSAGE 0.00, RCVD_IN_XBL 0.72, SPF_SOFTFAIL
> 0.97, UNPARSEABLE_RELAY 0.00)
> Oct 1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message
> 1TIcNu-0004Ww-Ny from truismsjb95 at paypal.com to
> postmaster at mydomain.com with subject Your friend added a new photo
> with you to the album
>
> As you can see, it's identified as Infected but still delivered.
>
> If I manually scan the message, I get this from f-prot:
> # /opt/f-prot/fpscan Y*.eml
>
> [Found possible security risk] disinfectable)> Your friend added a new photo with you to the
> album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> [Contains infected objects] Your friend added a new photo with you to
> the album.eml
>
>
> I get this from clam:
> # clamscan Y*.eml
> Your friend added a new photo with you to the album.eml: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1314671
> Engine version: 0.97.6
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
>
> In MailScanner.conf I have these set but neither affect virus
> checking, apparently:
> Maximum Archive Depth = 0
> Find Archives By Content = no
>
> I also have:
> Virus Scanning = yes
> Virus Scanners = clamav f-prot-6
> Deliver Disinfected Files = no
> Silent Viruses = HTML-IFrame All-Viruses
> Still Deliver Silent Viruses = no
> Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
> Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
> Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
> Block Encrypted Messages = no
> Allow Password-Protected Archives = no
> Check Filenames In Password-Protected Archives = yes
> Dangerous Content Scanning = yes
> Allow Partial Messages = no
> Find Phishing Fraud = yes
> Also Find Numeric Phishing = yes
> Use Stricter Phishing Net = no
>
> Any ideas?
>
> For now, I have tried this. Previously it was not set:
> Archives: Deny Filenames = \.exe$
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121001/7c1e7211/attachment.html

From paul at welshfamily.com Mon Oct 1 22:00:28 2012
From: paul at welshfamily.com (Paul Welsh)
Date: Mon, 1 Oct 2012 22:00:28 +0100
Subject: Email with virus getting through
In-Reply-To:
References:
Message-ID:

On 1 October 2012 17:31, Martin Hepworth wrote:
> the double attachment check should have blocked this - never mind the
> anti-virus products
>
> you sure you've not turned that off somehow in the filetypes rule?
> http://www.mailscanner.info/files/filename.rules.conf
>

Hi Martin

As I said previously, I changed this in MailScanner.conf in an attempt to stop this:
Archives: Deny Filenames = \.exe$

This evening I then sent myself the infected message and got this:
Oct 1 20:29:56 mail MailScanner[6096]: New Batch: Scanning 2 messages, 70239 bytes
Oct 1 20:29:56 mail MailScanner[6096]: Virus and Content Scanning: Starting
Oct 1 20:30:00 mail MailScanner[6096]: [Found trojan] ./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
Oct 1 20:30:00 mail MailScanner[6096]: Virus Scanning: F-Prot6 found 2 infections
Oct 1 20:30:00 mail MailScanner[6096]: Infected message 1TIlgf-0002Ar-ST came from
Oct 1 20:30:00 mail MailScanner[6096]: Infected message 1TIlgf-0002Ar-ST.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe came from
Oct 1 20:30:00 mail MailScanner[6096]: Virus Scanning: Found 2 viruses
Oct 1 20:30:00 mail MailScanner[6096]: Viruses marked as silent: F-Prot6: [Found trojan] ./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe

Note that now f-prot classifies it as W32/Trojan3.EBT whereas previously it was W32/Heuristic-200!Eldorado.

Likewise when I scan it manually:
# /opt/f-prot/fpscan Y*.eml
...
[Found trojan] Your friend added a new photo with you to the album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
[Contains infected objects] Your friend added a new photo with you to the album.eml

So it has gone from being a "possible security risk" to a "trojan". Clearly this is because f-prot was updated:
Oct 1 16:09:18 mail F-Prot-6 autoupdate[32668]: F-Prot-6 updated
Oct 1 19:09:17 mail F-Prot-6 autoupdate[6790]: F-Prot-6 updated

Clam still says it is fine, even though I have confirmed Clam is up to date (and in fact has found several viruses recently):
# clamscan -V
ClamAV 0.97.6/15420/Mon Oct 1 12:57:26 2012

So, clearly f-prot's "possible security risk" isn't a sufficiently severe enough classification to get MailScanner to delete it.

Just goes to show the importance of having > 1 virus scanner and some extra filename/filetype rules.

I haven't changed filename.rules.conf for over a year:
# Allow repeated file extension, e.g. blah.zip.zip
allow (\.[a-z0-9]{3})\1$ - -

# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding

Regards

Paul

From ricardo at wenn.com Tue Oct 2 10:57:02 2012
From: ricardo at wenn.com (Ricardo Branco)
Date: Tue, 02 Oct 2012 10:57:02 +0100
Subject: SpamAssasin Rule Actions ignores Whitelist entries
Message-ID: <506ABA6E.6040100@wenn.com>

An old issue has come up again.

http://lists.mailscanner.info/pipermail/mailscanner/2010-March/095358.html

We seem to have this and I've had to disable the rule action which means more spam will now get through.

Oct 2 10:38:51 posti MailScanner[4163]: Message q929cgk9004175 from 10.0.0.xxx (newsdesk at wenn.com) is whitelisted
Oct 2 10:38:51 posti MailScanner[4163]: SpamAssassin cache hit for message q929cgk9004175
Oct 2 10:38:51 posti MailScanner[4163]: SpamAssassin Rule Actions: rule spamscore>=20 caused action delete in message q929cgk9004175
Oct 2 10:38:51 posti MailScanner[4163]: Non-delivery of nonspam: message q929cgk9004175 from newsdesk at wenn.com to xxxxxx at xxxxxxxxx with subject WENN - ELITE
Oct 2 10:38:52 posti MailScanner[4163]: Logging message q929cgk9004175 to SQL

--
The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain any message or any part of it. If you have received an email in error, please contact the sender and delete the material from any computer. The contents of this email are not for publication unless specifically stated. Furthermore, the information contained in this message, and any attachment(s) thereto, is for information purposes only and may contain the personal views and opinions of the author, which are not necessarily the views and opinions of WENN or its subsidiaries and associated companies. We make every effort to keep our network free from viruses. However, you do need to check this e-mail and any attachments to it for viruses as we can take no responsibility for any computer virus which may be transferred by way of this e-mail. WENN Ltd: Registered Office: 35 Tileyard Studios, Tileyard Road, London, N7 9AH, England. Registered No: 4375163. Place of Registration: United Kingdom. USA Entertainment News Inc (d/b/a WENN): Registered Office: 60 Madison Avenue, Suite 1027, New York, NY 10010, USA The WENN name, design and related marks are trademarks of the WENN group of companies. (c) 2012 All Rights Reserved.

From dave at KD0YU.COM Tue Oct 2 12:05:16 2012
From: dave at KD0YU.COM (Dave Helton)
Date: Tue, 2 Oct 2012 06:05:16 -0500
Subject: SpamAssasin Rule Actions ignores Whitelist entries
In-Reply-To: <506ABA6E.6040100@wenn.com>
References: <506ABA6E.6040100@wenn.com>
Message-ID: <77F23E6E4DE9084BA33755BA403E53FCFA678EC7B0@S8.KD0YU.COM>

Ricardo,

I have seen a lot of updates to spamassassin recently. Are you getting updates as well? And, are they over-writing your 'local.cf' rule set?

After I discovered the local.cf file was getting over-written, I moved all the rules I had placed in there to another .cf file so it wouldn't happen again.

You might look at the "shortcircuit" function in the local.cf file, I think it might be what you're looking for. Oh.. and put it in a different file, like 'site.cf' or something ;)

--Dave, KD0YU

--
This message has been scanned for viruses and dangerous content by MailScanner at KD0YU.COM, and is believed to be clean.
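
Added example for the "Email with virus getting through" thread above, not part of any list message: a Python check that correlates MailScanner's "Infected message" and "Delivery of nonspam" syslog lines by message id, to flag mail that was reported infected and still delivered. The sample lines are constructed from the log extracts quoted in this archive, and the regular expressions assume exactly the line formats shown there.

```python
import re

# Constructed sample: MailScanner syslog lines taken from the messages above
# (addresses obfuscated as in the archive). The last line is a "Non-delivery"
# record from the SpamAssassin thread and must not count as a delivery.
SAMPLE_LOG = """\
Oct 1 10:34:00 mail MailScanner[15454]: Infected message 1TIcNu-0004Ww-Ny.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe came from
Oct 1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message 1TIcNu-0004Ww-Ny from truismsjb95 at paypal.com to postmaster at mydomain.com with subject Your friend added a new photo with you to the album
Oct 1 20:30:00 mail MailScanner[6096]: Infected message 1TIlgf-0002Ar-ST came from
Oct 1 20:30:00 mail MailScanner[6096]: Infected message 1TIlgf-0002Ar-ST.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe came from
Oct 2 10:38:51 posti MailScanner[4163]: Non-delivery of nonspam: message q929cgk9004175 from newsdesk at wenn.com to xxxxxx at xxxxxxxxx with subject WENN - ELITE
"""

# syslog prefix: "Oct 1 10:34:00 mail MailScanner[15454]: <text>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+MailScanner\[\d+\]:\s+(?P<text>.*)$"
)
# "Infected message <id> came from" or
# "Infected message <id>.message-><object path> came from"
INFECTED = re.compile(
    r"^Infected message (?P<id>[A-Za-z0-9-]+)(?:\.message->(?P<obj>.+?))? came from"
)
# Anchored at the start of the text so "Non-delivery of nonspam" never matches.
DELIVERED = re.compile(r"^Delivery of nonspam: message (?P<id>[A-Za-z0-9-]+) from ")


def infected_but_delivered(lines):
    """Return one record per delivery of a message id that was logged as
    infected earlier in the same log, in order of delivery."""
    infected = {}   # message id -> infected object paths seen so far
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a MailScanner line
        ts, text = m.group("ts"), m.group("text")

        hit = INFECTED.match(text)
        if hit:
            objs = infected.setdefault(hit.group("id"), [])
            obj = hit.group("obj")
            if obj and obj not in objs:
                objs.append(obj)
            continue

        hit = DELIVERED.match(text)
        if hit and hit.group("id") in infected:
            findings.append({
                "id": hit.group("id"),
                "delivered_at": ts,
                "objects": list(infected[hit.group("id")]),
            })
    return findings


if __name__ == "__main__":
    for f in infected_but_delivered(SAMPLE_LOG.splitlines()):
        what = ", ".join(f["objects"]) or "(whole message)"
        print(f"{f['delivered_at']} {f['id']} delivered after infection report: {what}")
```

Run against a real maillog, each finding is a message whose delivery should be reviewed together with the scanner verdict and the silent-virus settings discussed in the thread.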

From glenn.steen at gmail.com Fri Oct 5 16:23:16 2012
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri, 5 Oct 2012 17:23:16 +0200
Subject: Correct format for allow.filename.conf
In-Reply-To:
References:
Message-ID:

On 27 Sep 2012 12:03, "Kai Schaetzl" wrote:
>
> I seem to be hitting some problem with the content of this file lately or
> may have just not recognized it earlier and may have been using a wrong
> format for some time.
> Locally released messages are caught although they are exempted by
> scan.messages.rules. It seems I have to exempt them in allow.filename.conf
> as well.
>
> Is something like this going to work?
>
> FromOrTo: 127.0.0.1 yes
> \.txt$ yes
> \.pdf$ yes
> \.bmp$ yes
> \.rel$ yes
> \.rels yes
>

Hi Kai,
No, that looks wrong. Take a look at the overloading examples in the wiki, to see what you'd need... Basically a ruleset that overloads a "pure allow" file for localhost...;-). Remember to do both name and type! The ruleset(s) need a normal default entry for the respective filename/filetype rulesets.

> Do I need a default rule at the end?
>
> Thanks,
>
> Kai
>

Cheers
--
-- Glenn

From glenn.steen at gmail.com Fri Oct 5 16:33:29 2012
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri, 5 Oct 2012 17:33:29 +0200
Subject: Email with virus getting through
In-Reply-To:
References:
Message-ID:

Guess the fp6 wrapper and/or sweepviruses need some tender-love-and-care to actually do the right thing on a heuristic match... Someone who has fp6 should look at it (iow, not me;-).

Cheers
--
-- Glenn

From pinemail11 at gmail.com Sat Oct 6 12:56:21 2012
From: pinemail11 at gmail.com (Mail Admin)
Date: Sat, 6 Oct 2012 17:26:21 +0530
Subject: Attachment restriction for specific user
Message-ID:

Hi Experts,

I have blocked send and receive attachment for one user out of five normal users in mailscanner. When I tried to send attachments to multiple users including restricted user and all users getting attachment restricted.

I have made the entry in /etc/Mailscanner/rules/maximum.attachment.size.rules

From: user1 at mydomain.com 1b
To: user1 at mydoamin.com 1b

The above configuration is working fine for me but when this user is part of group of recipients then same configuration affects on all users.

Kindly advise.

Thanks in advance,
Pinemail

From maillists at conactive.com Sun Oct 7 13:31:15 2012
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun, 07 Oct 2012 14:31:15 +0200
Subject: Correct format for allow.filename.conf
In-Reply-To:
References:
Message-ID:

Glenn Steen wrote on Fri, 5 Oct 2012 17:23:16 +0200:

> No, that looks wrong. Take a look at the overloading examples in the wiki,
> to see what you'd need... Basically a ruleset that overloads a "pure allow"
> file for localhost...;-). Remember to do both name and type!

So, something like this?

From: 127.0.0.1 \.txt
FromOrTo: default \.txt$ \.pdf$ \.bmp$ \.rel$ \.rels

where txt files from localhost would be allowed. What about allowing all files from local? Does this look ok, then?

From: 127.0.0.1 .*
FromOrTo: default \.txt$ \.pdf$ \.bmp$ \.rel$ \.rels

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From bonivart at opencsw.org Sun Oct 7 14:02:27 2012
From: bonivart at opencsw.org (Peter Bonivart)
Date: Sun, 7 Oct 2012 15:02:27 +0200
Subject: Correct format for allow.filename.conf
In-Reply-To:
References:
Message-ID:

On Sun, Oct 7, 2012 at 2:31 PM, Kai Schaetzl wrote:
> Glenn Steen wrote on Fri, 5 Oct 2012 17:23:16 +0200:
>
>> No, that looks wrong. Take a look at the overloading examples in the wiki,
>> to see what you'd need... Basically a ruleset that overloads a "pure allow"
>> file for localhost...;-). Remember to do both name and type!
>
> So, something like this?
>
> From: 127.0.0.1 \.txt
> FromOrTo: default \.txt$ \.pdf$ \.bmp$ \.rel$ \.rels
>
> where txt files from localhost would be allowed. What about allowing all
> files from local? Does this look ok, then?
>
> From: 127.0.0.1 .*
> FromOrTo: default \.txt$ \.pdf$ \.bmp$ \.rel$ \.rels

Remember that rulesets decide on an option from MailScanner.conf. What option is it you're trying to create a ruleset for? Let's start there.

/peter

From maxsec at gmail.com Sun Oct 7 16:59:52 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Sun, 7 Oct 2012 16:59:52 +0100
Subject: Attachment restriction for specific user
In-Reply-To:
References:
Message-ID:

You need to split the emails into individual ones for each recipient, only way it can be done.

Here's a how-to for sendmail
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient

and postfix
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient

--
Martin Hepworth, CISSP
Oxford, UK

From bfebrian.milis at gmail.com Mon Oct 8 11:30:49 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Mon, 8 Oct 2012 17:30:49 +0700
Subject: Receives email with blank body
Message-ID:

Dear all,

My customer has problems with their mailscanner installation, sometimes users emails with blank body. I already searched the web for possible reasons, but can't find any.

This is the configurations:

MailScanner 4.84.5
Centos 6.2 64 bit
Sendmail 8.13
MailWatch-1.1.5.1
ClamAV 0.96.5

Best regards

From maillists at conactive.com Mon Oct 8 12:31:13 2012
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon, 08 Oct 2012 13:31:13 +0200
Subject: Correct format for allow.filename.conf
In-Reply-To:
References:
Message-ID:

Peter Bonivart wrote on Sun, 7 Oct 2012 15:02:27 +0200:

> What
> option is it you're trying to create a ruleset for? Let's start there.

Isn't that clear from the first posting and the Subject?

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From maxsec at gmail.com Mon Oct 8 12:53:04 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 8 Oct 2012 12:53:04 +0100
Subject: Receives email with blank body
In-Reply-To:
References:
Message-ID:

Check the mailScanner logs for that message to see if it's doing anything 'unusual' with the message.

--
Martin Hepworth, CISSP
Oxford, UK

From bfebrian.milis at gmail.com Mon Oct 8 16:27:23 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Mon, 8 Oct 2012 22:27:23 +0700
Subject: Receives email with blank body
In-Reply-To:
References:
Message-ID:

Dear Martin,

Thank you for the reply, but I don't see something strange in the maillog

[root at spam log]# cat maillog.1 | grep q917UfQF014676
Oct 1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>, proto=ESMTP, daemon=MTA, relay=ln-static-202-77-100-39.link.net.id [202.77.100.39] (may be forged)
Oct 1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=, delay=00:00:11, mailer=smtp, pri=370562, stat=queued
Oct 1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for spam checks (341198 > 200000 bytes)
Oct 1 14:30:59 spam MailScanner[13678]: Logging message q917UfQF014676 to SQL
Oct 1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to MailWatch SQL
Oct 1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=, delay=00:00:13, xdelay=00:00:01, mailer=smtp, pri=460562, relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent (Message accepted for delivery)

Best Regards

From maxsec at gmail.com Mon Oct 8 17:13:37 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 8 Oct 2012 17:13:37 +0100
Subject: Receives email with blank body
In-Reply-To:
References:
Message-ID:

Is this consistent with large emails above the spam checks size limit?

If it is, you could run a test in debug mode of a large email to see what's going flakey.

I presume the next host down the line (192.168.10.17) is handling this OK?

--
Martin Hepworth, CISSP
Oxford, UK

From bfebrian.milis at gmail.com Mon Oct 8 18:05:10 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Tue, 9 Oct 2012 00:05:10 +0700
Subject: Receives email with blank body
In-Reply-To:
References:
Message-ID:

Dear Martin,

This happens not always with big emails, many big emails still delivered without any problems.

This problem appears to be random, but often.

The next host is the mail server, which is Lotus Domino 8.5.

Is it possible that the anti virus or mailwatch somehow altered the mail format?

Best regards
>>>>
>>>> This is the configuration:
>>>>
>>>> MailScanner 4.84.5
>>>> Centos 6.2 64 bit
>>>> Sendmail 8.13
>>>> MailWatch-1.1.5.1
>>>> ClamAV 0.96.5
>>>>
>>>> Best regards

From maxsec at gmail.com Mon Oct 8 19:31:19 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 8 Oct 2012 19:31:19 +0100
Subject: Receives email with blank body
In-Reply-To:
References:
Message-ID:

Doubt it, unless the antivirus on the Domino server did something to it, all Mailwatch does is log the information.

Can you replay messages at all - ie do you use the archive facility so you can inject the message again while running in debug mode?

--
Martin Hepworth, CISSP
Oxford, UK

On 8 October 2012 18:05, Budi Febrianto wrote:

> Dear Martin,
>
> This does not always happen with big emails; many big emails are still
> delivered without any problems.
>
> This problem appears to be random, but often.
>
> The next host is the mail server, which is Lotus Domino 8.5.
>
> Is it possible that the anti virus or mailwatch somehow altered the mail
> format?
>
> Best regards

From maxsec at gmail.com Mon Oct 8 19:35:49 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 8 Oct 2012 19:35:49 +0100
Subject: Correct format for allow.filename.conf
In-Reply-To:
References:
Message-ID:

Kai

search for overloading in the mailscanner wiki.

I'd also check the Scan.messages.rules to make sure it's excepting from localhost first then carrying on, as it will trigger on the first rule that matches like a firewall rule.

http://www.mailscanner.info/MailScanner.conf.index.html#Scan%20Messages

--
Martin Hepworth, CISSP
Oxford, UK

On 8 October 2012 12:31, Kai Schaetzl wrote:

> Peter Bonivart wrote on Sun, 7 Oct 2012 15:02:27 +0200:
>
> > What
> > option is it you're trying to create a ruleset for? Let's start there.
>
> Isn't that clear from the first posting and the Subject?
>
> Kai
>
> --
> Get your web at Conactive Internet Services: http://www.conactive.com

From bfebrian.milis at gmail.com Tue Oct 9 00:20:43 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Tue, 9 Oct 2012 06:20:43 +0700
Subject: Receives email with blank body
In-Reply-To:
References:
Message-ID:

Noted, will activate the archive for all emails.

Sorry dumb question, but how to inject and run in debug mode?

Best regards

On Oct 9, 2012 1:58 AM, "Martin Hepworth" wrote:

> Doubt it, unless the antivirus on the Domino server did something to it,
> all Mailwatch does is log the information.
>
> Can you replay messages at all - ie do you use the archive facility so
> you can inject the message again while running in debug mode?
>
> --
> Martin Hepworth, CISSP
> Oxford, UK

From ryan.virgo at gmail.com Tue Oct 9 04:39:35 2012
From: ryan.virgo at gmail.com (Ryan Braganza)
Date: Tue, 9 Oct 2012 09:09:35 +0530
Subject: Object Codebase/Data tag in HTM
Message-ID:

Dear Friends,

I am not able to figure out how to disable the below message

Oct 8 19:13:04 ispam10 MailScanner[17552]: Content Checks: Detected HTML-specific exploits in 407B555C6.AFE9D
Oct 8 19:13:04 ispam10 MailScanner[17552]: Saved infected "msg-17552-152.html" to /var/spool/MailScanner/quarantine/20121008/407B555C6.AFE9D
Oct 8 19:13:04 ispam10 MailScanner[17552]: Content Checks: Detected and have disarmed script tags in HTML message in 407B555C6.AFE9D from xyz at xyz

Found dangerous Object Codebase/Data tag in HTML message

This has started ever since I implemented blocking of exe within a zip. :-(

--
Someone wrote:
"I understand that if you play a Microsoft Windows CD backwards you hear strange Satanic messages"

To which someone replied:
"It's even worse than that; play it forwards and it installs Windows Vista!"

From mailscanner at joolee.nl Tue Oct 9 07:50:05 2012
From: mailscanner at joolee.nl (Joolee)
Date: Tue, 9 Oct 2012 08:50:05 +0200
Subject: Object Codebase/Data tag in HTM
In-Reply-To:
References:
Message-ID:

You might take a look at:
https://github.com/MailScanner/MailScanner/blob/master/mailscanner/etc/mailscanner.conf#L1026

On 9 October 2012 05:39, Ryan Braganza wrote:

> Dear Friends,
>
> I am not able to figure out how to disable the below message
>
> Oct 8 19:13:04 ispam10 MailScanner[17552]: Content Checks: Detected HTML-specific exploits in 407B555C6.AFE9D
> Oct 8 19:13:04 ispam10 MailScanner[17552]: Saved infected "msg-17552-152.html" to /var/spool/MailScanner/quarantine/20121008/407B555C6.AFE9D
> Oct 8 19:13:04 ispam10 MailScanner[17552]: Content Checks: Detected and have disarmed script tags in HTML message in 407B555C6.AFE9D from xyz at xyz
>
> Found dangerous Object Codebase/Data tag in HTML message
>
> This has started ever since I implemented blocking of exe within a zip.
> :-(

From msz at astrouw.edu.pl Tue Oct 9 11:14:07 2012
From: msz at astrouw.edu.pl (Michal Szymanski)
Date: Tue, 9 Oct 2012 12:14:07 +0200
Subject: MS ignores "Spam Actions = attachment"
In-Reply-To:
References:
Message-ID: <20121009101406.GA14560@astrouw.edu.pl>

After upgrading, both OS from CentOS 5.3 to 6.2 and MailScanner to the latest (at the time of upgrade) version 4.84.5, I noticed that Spam messages are no longer delivered as attachments. I have the following configuration options, copied from the old conf:

Spam Actions = attachment deliver header "X-Spam-Status: Yes"
High Scoring Spam Actions = attachment deliver header "X-Spam-Status: Yes High"

In the previous environment, it was resulting in spam messages looking like:

==================================================================
[...]
X-WarsawObs-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=8.305, required 5, BAYES_80 3.00, RCVD_IN_PBL 0.91, RCVD_IN_XBL 4.30, RDNS_NONE 0.10)
X-Spam-Level: ********
X-WarsawObs-MailScanner-From: caroliniannp at buhrmann.com
X-Spam-Status: Yes
Status: O
Content-Length: 3363
Lines: 90

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: quoted-printable, Size: 1.1K --]
Content-Type: text/plain; charset="ISO-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Our MailScanner believes that the attachment to this message sent to you

From: caroliniannp at buhrmann.com
Subject: Job ad - see details! Sent through Search engine

is Unsolicited Commercial Email (spam). Unless you are sure that this message is incorrectly thought to be spam, please delete this message without opening it. Opening spam messages might allow the spammer to verify your email address.

If you believe that this message has been incorrectly marked as spam, please forward this email to postmaster.

Date: 20120829

pts rule name              description
---- ---------------------- --------------------------------------------------
0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                           [109.96.248.34 listed in zen.spamhaus.org]
4.3 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
3.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                           [score: 0.9161]
0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS

[-- Attachment #2 --]
[-- Type: message/rfc822, Encoding: binary, Size: 1.9K --]
Content-Type: message/rfc822
Content-Disposition: attachment
Content-Transfer-Encoding: binary

[...]
Subject: Job ad - see details! Sent through Search engine
[...]
==================================================================

so I could, for some false-positive cases, use the attachment as a "clean" message. Now, after the upgrade, I am getting the spam "in-line", no attachments generated:

==================================================================
[...]
X-WarsawObs-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=21.542, required 5, autolearn=spam, BAYES_99 5.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_PBL 3.33, RCVD_IN_RP_RNBL 1.31, RDNS_NONE 0.79, URIBL_BLACK 2.60, URIBL_DBL_SPAM 1.70, URIBL_PH_SURBL 0.61, URIBL_RHS_DOB 1.51, URIBL_SBL 1.62, URIBL_WS_SURBL 1.61)
X-Spam-Level: *********************
X-WarsawObs-MailScanner-From: adjudicatorskmf at clickz.com
X-Spam-Status: Yes High
Status: RO
Content-Length: 1838
Lines: 33

Hello,

A US e-builder IT company, located in Michigan, is looking for European personnell to act as intermediate chain for IT
[...]
==================================================================

Any idea why it is ignoring the "attachment" directive in "Spam Actions" options? The "X-Spam-Status:" line gets inserted into the header, as instructed by the same directive, so it apparently "goes through it".

regards, Michal.

--
Michal Szymanski (msz at astrouw dot edu dot pl)
Warsaw University Observatory, Warszawa, POLAND

From maillists at conactive.com Tue Oct 9 12:44:32 2012
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue, 09 Oct 2012 13:44:32 +0200
Subject: Correct format for allow.filename.conf
In-Reply-To:
References:
Message-ID:

Martin Hepworth wrote on Mon, 8 Oct 2012 19:35:49 +0100:

> search for overloading in the mailscanner wiki.

We may be talking at cross purposes. Glenn also pointed to overloading. I don't see why I should need this. See below for more detail.

> I'd also check the Scan.messages.rules

Unfortunately, these actions (check for file name/type) seem to be exempt from "scanning". I have localhost in this file since day 1, but noticed only recently that it apparently doesn't stop the file name/type check from happening. So, exempting from scanning doesn't help.

Now back to the question. I do not want to overload (unless I have to), I want to use filename.allow.conf (Allow Filenames =). What I'm asking for is the correct format for this ruleset. It's not mentioned anywhere and deriving from the general description of a ruleset it should be something like

From: 127.0.0.1 \.txt

because the format of the config option is

# Allow Filenames = \.txt$ \.pdf$

So, according to
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:tutorial
I have the criteria on the left and the action on the right. Analogous to a ruleset from for instance scan.messages.rules

From: 127.0.0.1 no

the action is a "replacement" for the MailScanner.conf action on the right side of the equal sign. So, if I have a basic format of

Allow Filenames = \.txt$ \.pdf$

then the equivalent entry in allow.filename.conf (Allow Filenames = %etc-dir%/allow.filename.conf) should be

FromOrTo: default \.txt$ \.pdf$

If not, I don't understand how rulesets should be built. So, is this correct or not? If not, what's the correct syntax for allow.filename.conf?

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From mailscanner at pdscc.com Wed Oct 10 00:21:12 2012
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Tue, 09 Oct 2012 16:21:12 -0700
Subject: maillscanner/postfix saturates bandwidth :-(
In-Reply-To:
References: <20120924171534.693B55A1C82@sinclaire.sibble.net>,
Message-ID: <20121009232117.3ED5B5A1C81@sinclaire.sibble.net>

On 24 Sep 2012 at 15:09, C. Jon Larsen wrote:

> > Basically the dsl connection they share with another office was saturated
> > when the office admin did a mailout on friday to about 2000 of their
> > subscribers, each email was about 3.5mb total with conversion overhead.
> > When I say saturated, I mean in both the upstream and downstream directions.
> > According the admin who runs the multitenant network in this office, he was
> > seeing a sustained 1.6mb/s INBOUND connection to my client's firewall while
> > this was happening.
> > I'm trying to figure out the best way to deal with this moving forward, is
> > there additional throttling I need to do at the postfix level or the
> > mailscanner level or something else. I was also surprised as my understanding
> > of postfix is that it does connection throttling by default.
>
> You can play with variations of these settings in main.conf to control how
> much email is sent out - these go into main.conf
>
> local_destination_concurrency_limit = 2
> default_destination_concurrency_limit = 2
> initial_destination_concurrency = 2
>
> smtpd_client_connection_count_limit = 10
> default_destination_recipient_limit = 20

I'll do some testing with these as still getting same behaviour.

Setup caching dns server on the Mailscanner box, to replicate circumstances similar as before, had user send from outlook via exchange an email with no attachments, just body text to approx 550 recipients and basically same issue cropped up again, I had to eventually do

postqueue -p
postsuper -d

on the messages in the queue to get things back to normal.

Which do you figure will give best bang for the buck assuming I add one at a time? Are there general rules of thumb for the various values?

--
Harondel J. Sibble
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
Blog: http://www.pdscc.com/blog
(604) 739-3709 (voice)

From bfebrian.milis at gmail.com Thu Oct 11 04:25:07 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Thu, 11 Oct 2012 10:25:07 +0700
Subject: Receives email with blank body
In-Reply-To:
References:
Message-ID:

Dear Martin,

Already activated the archive facility. What is the proper way to inject and debug mailscanner/sendmail?

This is what I did, and maybe I did it wrong.

shutdown the mailscanner
copy the archive from /var/spool/MailScanner/archive/(date) to /var/spool/mqeue
run mailscanner with --debug

Mailscanner ran, and then stopped, with some error related to mailwatch about commit, but nothing else

Best Regards

On Tue, Oct 9, 2012 at 1:31 AM, Martin Hepworth wrote:

> Doubt it, unless the antivirus on the Domino server did something to it,
> all Mailwatch does is log the information.
>
> Can you replay messages at all - ie do you use the archive facility so
> you can inject the message again while running in debug mode?
>
> --
> Martin Hepworth, CISSP
> Oxford, UK

From timb at vwg.com Thu Oct 11 15:06:57 2012
From: timb at vwg.com (Timothy J. Barhorst)
Date: Thu, 11 Oct 2012 10:06:57 -0400 (EDT)
Subject: Malware Tried to Kill MailScanner
Message-ID: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>

Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night with a message that tried to kill MailScanner.

The message contained a .zip file with HTML.Phishing.Pay-6 infection.

Should this have happened? Is this a bug in MailScanner? Why would MailScanner crash?

Here is the notification from MailScanner: (I have removed our TLD)

-----------------------------------------------------------
The following e-mails were found to have: Other Bad Content Detected

Sender: client at update.com
IP Address: 200.6.116.70
Recipient: pwood at OURDOMAIN.com
Subject: Dear PayPaL Member.
MessageID: q9B6UwqI024249
Quarantine: /var/spool/MailScanner/quarantine/20121011/q9B6UwqI024249
Report: MailScanner: Message attempted to kill MailScanner

Full headers are:

Return-Path:
Received: from update.com (host-200-6-116-70.iia.cl [200.6.116.70] (may be forged))
        by hermes.OURDOMAIN.com (8.14.3/8.14.3) with ESMTP id q9B6UwqI024249
        for ; Thu, 11 Oct 2012 02:31:09 -0400
From: PayPaL.Com
To: pwood at vwg.com
Subject: Dear PayPaL Member.
Date: 11 Oct 2012 03:30:48 -0300
Message-ID: <20121011033047.3AC39DDD97B4EA49 at update.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_AEF19946.1F5984CA"

--
MailScanner
Email Virus Scanner
www.mailscanner.info
----------------------------------------------------------------

We received the following in our logs. It tried 6 times before it quarantined the message.

Oct 11 02:50:56 hermes MailScanner[24936]: Clamd::INFECTED:: HTML.Phishing.Pay-6 :: ./q9B6UwqI024249/Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Found spam-virus HTML.Phishing.Pay-6 in q9B6UwqI024249
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: contains infected objects: HTML/PayPal.CZ :: ./q9B6UwqI024249/Secure_Form.zip
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: HTML/PayPal.CZ :: ./q9B6UwqI024249/Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Found spam-virus HTML/PayPal.CZ in q9B6UwqI024249
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: HTML/PayPal.CZ :: ./q9B6UwqI024249.message->Secure_Form.zip->Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Found spam-virus HTML/PayPal.CZ in q9B6UwqI024249.message->Secure_Form.zip->Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Infected message q9B6UwqI024249 came from 200.6.116.70
Oct 11 02:50:59 hermes MailScanner[23819]: Warning: skipping message q9B6UwqI024249 as it has been attempted too many times
Oct 11 02:50:59 hermes MailScanner[23819]: Quarantined message q9B6UwqI024249 as it caused MailScanner to crash several times
Oct 11 02:50:59 hermes MailScanner[23819]: Saved entire message to /var/spool/MailScanner/quarantine/20121011/q9B6UwqI024249
Oct 11 02:50:59 hermes MailScanner[23819]: Logging message q9B6UwqI024249 to SQL
Oct 11 02:50:59 hermes MailScanner[24038]: q9B6UwqI024249: Logged to MailWatch SQL

This is the message:

--------------------------------------------------------------------------
-------------------------- Return-Path: Received: from update.com (host-200-6-116-70.iia.cl [200.6.116.70] (may be forged)) by hermes.OURDOMAIN.com (8.14.3/8.14.3) with ESMTP id q9B6UwqI024249 for ; Thu, 11 Oct 2012 02:31:09 -0400 From: PayPaL.Com To: pwood at OURDOMAIN.com Subject: Dear PayPaL Member. Date: 11 Oct 2012 03:30:48 -0300 Message-ID: <20121011033047.3AC39DDD97B4EA49 at update.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_AEF19946.1F5984CA" This is a multi-part message in MIME format. ------=_NextPart_000_0012_AEF19946.1F5984CA Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Dear PayPal Member, This email informs you that your credit card associated with your=20 account has expired. Please click the attachments to update your account and keep=20 shopping with PayPal. Thank you for using PayPal! The PayPal Team Please do not reply to this e-mail. Mail sent to this address=20 cannot be answered. For assistance, log in to your PayPal account and choose the=20 "Help" link in the footer of any page. PayPal Email ID PP12 ------=_NextPart_000_0012_AEF19946.1F5984CA Content-Type: application/zip; name="Secure_Form.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Secure_Form.zip" UEsDBBQAAAAIAKhIS0FqeHq/IRYAAHltAAAQAAAAU2VjdXJlX0Zvcm0uaHRtbOQ9a3PaONef tzP9D1p23udpZ5oAufSSJp4h5EYTCG8gydN+6QhbgBrb8soyhLzz/Pf3SL5gOwKUpE0zs+wu a3Q5Ojp3ydLJ7p9ra2PhudbrV69f7Y4JduBp1yMCo7EQwRr5O6KTvUqT+YL4Yu0M+6MIj0gF Tim Barhorst -------------- next part -------------- An HTML attachment was scrubbed... 
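The log extract in the post above can be reduced to one record per message id, which shows at a glance whether a message that ended up on the "crashed MailScanner" path had already been flagged by a scanner. This is an added example, not part of the original post and not MailScanner code; the regular expressions are inferred from the log lines quoted above, and the function names are hypothetical.

```python
import re

# Log lines copied from the post above (not constructed).
SAMPLE_LOG = """\
Oct 11 02:50:56 hermes MailScanner[24936]: Clamd::INFECTED:: HTML.Phishing.Pay-6 :: ./q9B6UwqI024249/Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: contains infected objects: HTML/PayPal.CZ :: ./q9B6UwqI024249/Secure_Form.zip
Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: HTML/PayPal.CZ :: ./q9B6UwqI024249.message->Secure_Form.zip->Secure_Form.html
Oct 11 02:50:56 hermes MailScanner[24936]: Infected message q9B6UwqI024249 came from 200.6.116.70
Oct 11 02:50:59 hermes MailScanner[23819]: Warning: skipping message q9B6UwqI024249 as it has been attempted too many times
Oct 11 02:50:59 hermes MailScanner[23819]: Quarantined message q9B6UwqI024249 as it caused MailScanner to crash several times
Oct 11 02:50:59 hermes MailScanner[23819]: Saved entire message to /var/spool/MailScanner/quarantine/20121011/q9B6UwqI024249
"""

# Assumption: these patterns match the wording shown in the post; other
# MailScanner versions or scanner wrappers may log different text.
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INFECTED = re.compile(
    r"^(?P<scanner>\w+)::INFECTED::\s*(?P<detail>.*?)\s*::\s*\./(?P<id>[^/.\s]+)")
SOURCE = re.compile(r"^Infected message (?P<id>\S+) came from (?P<ip>\S+)$")
RETRIES = re.compile(
    r"^Warning: skipping message (?P<id>\S+) as it has been attempted too many times")
CRASHED = re.compile(
    r"^Quarantined message (?P<id>\S+) as it caused MailScanner to crash several times")
SAVED = re.compile(r"^Saved entire message to (?P<path>\S+)$")


def _new_record():
    return {"signatures": {}, "source_ip": None, "retry_limit_hit": False,
            "crash_quarantined": False, "quarantine_path": None, "pids": set()}


def triage(log_text):
    """Return {message_id: record} built from MailScanner syslog lines."""
    records = {}

    def rec(msg_id, pid):
        record = records.setdefault(msg_id, _new_record())
        record["pids"].add(pid)  # more than one pid means a later child retried it
        return record

    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        pid, msg = int(line.group("pid")), line.group("msg").strip()

        m = INFECTED.match(msg)
        if m:
            # The signature name is the last word; F-Prot prefixes container
            # hits with "contains infected objects:".
            words = m.group("detail").split()
            if words:
                sigs = rec(m.group("id"), pid)["signatures"]
                sigs.setdefault(m.group("scanner"), set()).add(words[-1])
            continue
        m = SOURCE.match(msg)
        if m:
            rec(m.group("id"), pid)["source_ip"] = m.group("ip")
            continue
        m = RETRIES.match(msg)
        if m:
            rec(m.group("id"), pid)["retry_limit_hit"] = True
            continue
        m = CRASHED.match(msg)
        if m:
            rec(m.group("id"), pid)["crash_quarantined"] = True
            continue
        m = SAVED.match(msg)
        if m:
            path = m.group("path")
            rec(path.rsplit("/", 1)[-1], pid)["quarantine_path"] = path
    return records


def crash_quarantined_ids(records):
    """Message ids that MailScanner gave up on after repeated attempts."""
    return sorted(i for i, r in records.items() if r["crash_quarantined"])


def unexplained_crashers(records):
    """Crash-quarantined ids with no scanner verdict: nothing in the log says what they are."""
    return sorted(i for i, r in records.items()
                  if r["crash_quarantined"] and not r["signatures"])


if __name__ == "__main__":
    for msg_id, record in triage(SAMPLE_LOG).items():
        print(msg_id, record)
```

For the extract in the post, both scanners had named the attachment before a different MailScanner child (a second pid) hit the retry limit, so `unexplained_crashers` is empty.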

From ssilva at sgvwater.com Thu Oct 11 16:40:23 2012
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu, 11 Oct 2012 08:40:23 -0700
Subject: Malware Tried to Kill MailScanner
In-Reply-To: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>
References: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>
Message-ID:

on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night with a
> message that tried to kill MailScanner.
>
> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
>
> Should this have happened? Is this a bug in MailScanner? Why would MailScanner
> crash?
>
This happens when the processing takes too long to complete. Sometimes a deeply nested zip file, or other system processing. Usually the message gets quarantined after the processing attempts have reached the limit...

From timb at vwg.com Thu Oct 11 18:12:00 2012
From: timb at vwg.com (Timothy J. Barhorst)
Date: Thu, 11 Oct 2012 13:12:00 -0400 (EDT)
Subject: Malware Tried to Kill MailScanner
In-Reply-To:
References: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>
Message-ID: <3f4e3737.00000b50.0000001e@SHIVA.hq.vwg.com>

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Thursday, October 11, 2012 11:40 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: Malware Tried to Kill MailScanner

on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night
> with a message that tried to kill MailScanner.
>
> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
>
> Should this have happened? Is this a bug in MailScanner? Why would
> MailScanner crash?
>
>> This happens when the processing takes too long to complete. Sometimes a deeply nested zip file, or other system
>>processing. Usually the message gets quarantined after the processing attempts have reached the limit...

O.K. That makes sense.. Thanks.
How do I stop the hourly MailScanner message that is telling me this happened?

Archive:

Number of messages: 1
Tries   Message          Last Tried
=====   =======          ==========
6       q9B6UwqI024249   Thu Oct 11 02:53:14 2012

--
MailScanner

From ssilva at sgvwater.com Thu Oct 11 18:43:16 2012
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu, 11 Oct 2012 10:43:16 -0700
Subject: Malware Tried to Kill MailScanner
In-Reply-To: <3f4e3737.00000b50.0000001e@SHIVA.hq.vwg.com>
References: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com> <3f4e3737.00000b50.0000001e@SHIVA.hq.vwg.com>
Message-ID:

on 10/11/2012 10:12 AM Timothy J. Barhorst spake the following:
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott
> Silva
> Sent: Thursday, October 11, 2012 11:40 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Malware Tried to Kill MailScanner
>
> on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
>> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night
>> with a message that tried to kill MailScanner.
>>
>> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
>>
>> Should this have happened? Is this a bug in MailScanner? Why would
>> MailScanner crash?
>>
>
>>> This happens when the processing takes too long to complete. Sometimes
> a deeply nested zip file, or other system >>processing. Usually the
> message gets quarantined after the processing attempts have reached the
> limit...
>
> O.K. That makes sense.. Thanks.
> How do I stop the hourly MailScanner message that is telling me this
> happened?
>
> Archive:
>
> Number of messages: 1
> Tries   Message          Last Tried
> =====   =======          ==========
> 6       q9B6UwqI024249   Thu Oct 11 02:53:14 2012
>
I usually have to delete the Processing.db in /var/spool/MailScanner/incoming
Stop MailScanner, delete, and restart... A new one will be created... I'm sure there is some commandline magic to do this from inside MailScanner, and one of the smarter people on here will hopefully chime in with it...

From timb at vwg.com Thu Oct 11 20:18:51 2012
From: timb at vwg.com (Timothy J. Barhorst)
Date: Thu, 11 Oct 2012 15:18:51 -0400 (EDT)
Subject: Malware Tried to Kill MailScanner
In-Reply-To:
References: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com> <3f4e3737.00000b50.0000001e@SHIVA.hq.vwg.com>
Message-ID: <08f51445.00000b50.00000025@SHIVA.hq.vwg.com>

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Thursday, October 11, 2012 1:43 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Malware Tried to Kill MailScanner

on 10/11/2012 10:12 AM Timothy J. Barhorst spake the following:
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott
> Silva
> Sent: Thursday, October 11, 2012 11:40 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Malware Tried to Kill MailScanner
>
> on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
>> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night
>> with a message that tried to kill MailScanner.
>>
>> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
>>
>> Should this have happened? Is this a bug in MailScanner? Why would
>> MailScanner crash?
>>
>
>>> This happens when the processing takes too long to complete.
>>> Sometimes
> a deeply nested zip file, or other system >>processing. Usually the
> message gets quarantined after the processing attempts have reached
> the limit...
>
> O.K. That makes sense.. Thanks.
> How do I stop the hourly MailScanner message that is telling me this
> happened?
>
> Archive:
>
> Number of messages: 1
> Tries   Message          Last Tried
> =====   =======          ==========
> 6       q9B6UwqI024249   Thu Oct 11 02:53:14 2012
>
>>I usually have to delete the Processing.db in /var/spool/MailScanner/incoming Stop MailScanner, delete, and restart...
>>A new one will be created... I'm sure there is some commandline magic to do this from inside MailScanner, and one of
>>the smarter people on here will hopefully chime in with it...

Thanks! that worked.. but if anyone has a command.. it would be nice to know.

From paul at welshfamily.com Thu Oct 11 23:26:09 2012
From: paul at welshfamily.com (Paul Welsh)
Date: Thu, 11 Oct 2012 23:26:09 +0100
Subject: Maximum Archive Depth causing MailScanner to crash
Message-ID:

Hi all

Currently I have MailScanner 4.84.5 .conf set to:
Maximum Archive Depth = 0

However, this means that filename and filetype checks aren't being done on *.exe files in *.zip files so I changed it to:
Maximum Archive Depth = 3
which I believe is the default.

Unfortunately, this caused MailScanner to crash and restart each time it came across a *.exe file in a *.zip file. Instance after instance of MailScanner started and went defunct in a constant loop.

I tried using:
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf

I also tried this on its own:
Archives: Deny Filenames = \.exe$

I changed it back to:
Maximum Archive Depth = 0
and all went back to normal.

Any ideas what could be going wrong?

Regards

Paul

From ssilva at sgvwater.com Fri Oct 12 00:36:00 2012
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu, 11 Oct 2012 16:36:00 -0700
Subject: Maximum Archive Depth causing MailScanner to crash
In-Reply-To:
References:
Message-ID:

on 10/11/2012 3:26 PM Paul Welsh spake the following:
> Hi all
>
> Currently I have MailScanner 4.84.5 .conf set to:
> Maximum Archive Depth = 0
>
> However, this means that filename and filetype checks aren't being
> done on *.exe files in *.zip files so I changed it to:
> Maximum Archive Depth = 3
> which I believe is the default.
>
> Unfortunately, this caused MailScanner to crash and restart each time
> it came across a *.exe file in a *.zip file. Instance after instance
> of MailScanner started and went defunct in a constant loop.
>
> I tried using:
> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
>
> I also tried this on its own:
> Archives: Deny Filenames = \.exe$
>
> I changed it back to:
> Maximum Archive Depth = 0
> and all went back to normal.
>
> Any ideas what could be going wrong?
>
> Regards
>
> Paul
>
Do a MailScanner --v and see if you have missing modules or old versions

From paul at welshfamily.com Fri Oct 12 10:45:56 2012
From: paul at welshfamily.com (Paul Welsh)
Date: Fri, 12 Oct 2012 10:45:56 +0100
Subject: Maximum Archive Depth causing MailScanner to crash
In-Reply-To:
References:
Message-ID:

On 12 October 2012 00:36, Scott Silva wrote:
> Do a MailScanner --v and see if you have missing modules or old versions

I get this. Not sure what I should be looking for.
Obviously this doesn't look great but it is in the optional section:
0.17008 Error

This is CentOS release 6.3 (Final)
This is Perl version 5.010001 (5.10.1)

This is MailScanner version 4.84.5
Module versions are:
1.00 AnyDBM_File
1.30 Archive::Zip
0.23 bignum
1.11 Carp
2.02 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.124 Data::Dumper
2.27 Date::Parse
1.03 DirHandle
1.06 Fcntl
2.77 File::Basename
2.14 File::Copy
2.02 FileHandle
2.08 File::Path
0.22 File::Temp
0.90 Filesys::Df
3.64 HTML::Entities
3.64 HTML::Parser
3.57 HTML::TokeParser
1.25 IO
1.14 IO::File
1.13 IO::Pipe
2.04 Mail::Header
1.89 Math::BigInt
0.22 Math::BigRat
3.13 MIME::Base64
5.427 MIME::Decoder
5.427 MIME::Decoder::UU
5.427 MIME::Head
5.427 MIME::Parser
3.13 MIME::QuotedPrint
5.427 MIME::Tools
0.13 Net::CIDR
1.25 Net::IP
0.16 OLE::Storage_Lite
1.04 Pod::Escapes
3.13 Pod::Simple
1.17 POSIX
1.21 Scalar::Util
1.82 Socket
2.20 Storable
1.4 Sys::Hostname::Long
0.27 Sys::Syslog
1.40 Test::Pod
0.98 Test::Simple
1.9721 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.29 Archive::Tar
0.23 bignum
1.82 Business::ISBN
1.10 Business::ISBN::Data
1.08 Data::Dump
1.82 DB_File
1.27 DBD::SQLite
1.609 DBI
1.16 Digest
1.01 Digest::HMAC
2.52 Digest::MD5
2.12 Digest::SHA1
1.00 Encode::Detect
0.17008 Error
0.280205 ExtUtils::CBuilder
2.2203 ExtUtils::ParseXS
2.38 Getopt::Long
0.44 Inline
1.08 IO::String
1.04 IO::Zlib
2.21 IP::Country
0.29 Mail::ClamAV
3.003001 Mail::SpamAssassin
v2.004 Mail::SPF
missing Mail::SPF::Query
0.4002 Module::Build
0.20 Net::CIDR::Lite
0.65 Net::DNS
0.002.2 Net::DNS::Resolver::Programmable
missing Net::LDAP
4.004 NetAddr::IP
1.94 Parse::RecDescent
missing SAVI
3.17 Test::Harness
0.95 Test::Manifest
2.0.0 Text::Balanced
1.60 URI
0.99 version
0.62 YAML

From m.a.young at durham.ac.uk Fri Oct 12 11:27:30 2012
From: m.a.young at durham.ac.uk (M A Young)
Date: Fri, 12 Oct 2012 11:27:30 +0100 (BST)
Subject: Malware Tried to Kill MailScanner
In-Reply-To:
References: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com> <3f4e3737.00000b50.0000001e@SHIVA.hq.vwg.com>
Message-ID:

On Thu, 11 Oct 2012, Scott Silva wrote:
> on 10/11/2012 10:12 AM Timothy J. Barhorst spake the following:
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott
>> Silva
>> Sent: Thursday, October 11, 2012 11:40 AM
>> To: mailscanner at lists.mailscanner.info
>> Subject: Re: Malware Tried to Kill MailScanner
>>
>> on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
>>> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night
>>> with a message that tried to kill MailScanner.
>>>
>>> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
>>>
>>> Should this have happened? Is this a bug in MailScanner? Why would
>>> MailScanner crash?
>>>
>>
>>>> This happens when the processing takes too long to complete. Sometimes
>> a deeply nested zip file, or other system >>processing. Usually the
>> message gets quarantined after the processing attempts have reached the
>> limit...
>>
>> O.K. That makes sense.. Thanks.
>> How do I stop the hourly MailScanner message that is telling me this
>> happened?
>>
>> Archive:
>>
>> Number of messages: 1
>> Tries   Message          Last Tried
>> =====   =======          ==========
>> 6       q9B6UwqI024249   Thu Oct 11 02:53:14 2012
>>
> I usually have to delete the Processing.db in /var/spool/MailScanner/incoming
> Stop MailScanner, delete, and restart... A new one will be created... I'm sure
> there is some commandline magic to do this from inside MailScanner, and one of
> the smarter people on here will hopefully chime in with it...

You can avoid a restart by editing the database directly, eg.

sqlite3 /var/spool/MailScanner/incoming/Processing.db
.header on
select * from archive;
delete from archive where id='xxxxxxxxxxxxxx';
.quit

There is also a processing table, but for that table you should be careful you don't delete anything relating to messages currently being processed.

Michael Young

From maillists at conactive.com Fri Oct 12 18:31:20 2012
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri, 12 Oct 2012 19:31:20 +0200
Subject: Maximum Archive Depth causing MailScanner to crash
In-Reply-To:
References:
Message-ID:

Paul Welsh wrote on Fri, 12 Oct 2012 10:45:56 +0100:
> 0.17008 Error

This is not an error ;-)

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From ssilva at sgvwater.com Fri Oct 12 19:37:33 2012
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri, 12 Oct 2012 11:37:33 -0700
Subject: Maximum Archive Depth causing MailScanner to crash
In-Reply-To:
References:
Message-ID:

on 10/11/2012 3:26 PM Paul Welsh spake the following:
> Hi all
>
> Currently I have MailScanner 4.84.5 .conf set to:
> Maximum Archive Depth = 0
>
> However, this means that filename and filetype checks aren't being
> done on *.exe files in *.zip files so I changed it to:
> Maximum Archive Depth = 3
> which I believe is the default.
>
> Unfortunately, this caused MailScanner to crash and restart each time
> it came across a *.exe file in a *.zip file. Instance after instance
> of MailScanner started and went defunct in a constant loop.
>
> I tried using:
> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
>
> I also tried this on its own:
> Archives: Deny Filenames = \.exe$
>
> I changed it back to:
> Maximum Archive Depth = 0
> and all went back to normal.
>
> Any ideas what could be going wrong?
>
> Regards
>
> Paul
>
Are you running MailScanner with the taint fix? Adding -U in the /usr/sbin/MailScanner file...
Edit the first line to add -U to the end like;
#!/usr/bin/perl -I/usr/lib/MailScanner -U

From paul at welshfamily.com Sat Oct 13 11:33:52 2012
From: paul at welshfamily.com (Paul Welsh)
Date: Sat, 13 Oct 2012 11:33:52 +0100
Subject: Maximum Archive Depth causing MailScanner to crash
In-Reply-To:
References:
Message-ID:

On 12 October 2012 19:37, Scott Silva wrote:
> Are you running MailScanner with the taint fix? Adding -U in the
> /usr/sbin/MailScanner file...
> Edit the first line to add -U to the end like;
> #!/usr/bin/perl -I/usr/lib/MailScanner -U

Thanks Scott, did that and all is now well. Both filename and filetype checking is working on executables within zip files.

From mailscanner at romehosting.com Thu Oct 18 00:06:47 2012
From: mailscanner at romehosting.com (Dave Gattis)
Date: Wed, 17 Oct 2012 19:06:47 -0400
Subject: MailScanner delivers SPAM but will not quarantine properly
Message-ID: <979834d668ee19cf6a3a816cef679b05.squirrel@mail.romehosting.com>

It's been a while, but this one has me stumped:

This is a new install with Postfix, MailScanner, MailWatch, Spamassassin, etc. If MailScanner is set to deliver SPAM messages, everything works perfectly. When set to hold, they get stuck in the "hold" directory until MailScanner gives up. When they eventually move to quarantine, MailWatch reports them as

"Other Bad Content Detected" in the admin email that is sent

and

"MailScanner: Message attempted to kill MailScanner".

I have intentionally lowered my SPAM scores to replicate this over and over until I can get this resolved. At this point, I am certain that it's some sort of permission issue but have tried everything I can think of.

What's even odder is that I have another server running the exact same versions with the exact same permissions and it runs just fine.
I'm open to any suggestions as I'm ready to move on to another project. Thanks for your help.

I don't know what we'd do without MailScanner.
:-)

--
Dave Gattis

From andrew at topdog.za.net Thu Oct 18 06:00:19 2012
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Thu, 18 Oct 2012 07:00:19 +0200
Subject: MailScanner delivers SPAM but will not quarantine properly
In-Reply-To: <979834d668ee19cf6a3a816cef679b05.squirrel@mail.romehosting.com>
References: <979834d668ee19cf6a3a816cef679b05.squirrel@mail.romehosting.com>
Message-ID:

On 18 Oct 2012, at 1:06 AM, Dave Gattis wrote:

> It's been a while, but this one has me stumped:
>
> This is a new install with Postfix, MailScanner, MailWatch, Spamassassin,
> etc. If MailScanner is set to deliver SPAM messages, everything works
> perfectly. When set to hold, they get stuck in the "hold" directory until
> MailScanner gives up. When they eventually move to quarantine, MailWatch
> reports them as
>
> "Other Bad Content Detected" in the admin email that is sent
>
> and
>
> "MailScanner: Message attempted to kill MailScanner".
>
> I have intentionally lowered my SPAM scores to replicate this over and
> over until I can get this resolved. At this point, I am certain that it's
> some sort of permission issue but have tried everything I can think of.
>
> What's even odder is that I have another server running the exact same
> versions with the exact same permissions and it runs just fine. I'm open
> to any suggestions as I'm ready to move on to another project. Thanks for
> your help.
>
> I don't know what we'd do without MailScanner.
> :-)

Are you running MailScanner with the taint fix? Adding -U in the /usr/sbin/MailScanner file...
Edit the first line to add -U to the end like;
#!/usr/bin/perl -I/usr/lib/MailScanner -U

--
www.baruwa.org

From mikew at crucis.net Fri Oct 19 20:49:22 2012
From: mikew at crucis.net (Mike Watson)
Date: Fri, 19 Oct 2012 14:49:22 -0500
Subject: MailScanner and Spamassassin
Message-ID: <5081AEC2.9030902@crucis.net>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121019/f5647cf7/attachment.html

From Kevin_Miller at ci.juneau.ak.us Fri Oct 19 21:17:19 2012
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 19 Oct 2012 12:17:19 -0800
Subject: MailScanner and Spamassassin
In-Reply-To: <5081AEC2.9030902@crucis.net>
References: <5081AEC2.9030902@crucis.net>
Message-ID: <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>

My understanding is that you use sa-learn to train the database. If you get a false positive you feed it to spamassassin as non-spam. If spam slips through, you feed it back to spamassassin as spam. I expect sa-learn is also called during the scanning process in the background. I don't think you need to do anything special w/your users unless a message is mis-tagged.

The previous bayes database should be still working and being updated...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mike Watson
Sent: Friday, October 19, 2012 11:49 AM
To: MailScanner discussion
Subject: MailScanner and Spamassassin

I suppose this is more a Spamassassin question than MailScanner but I'll ask anyway.

I've just finished setting up a mailserver using CentOS 6.3, Dovecot, sendmail, and MailScanner-Spamassassin. This is an upgrade from an older linux server that also ran an older version of MailScanner-Spamassassin.

I know SA runs sa-update via cron. That's working. But...is it necessary to run sa-learn for each user as well to detect SPAM that gets through MailScanner? There has to be a reason for sa-learn or it wouldn't be included in the SA package.

I do have Bayes activated for SA. Is there any reason to run sa-learn on the spam files?

mw
--
--
"Lose not thy airspeed, lest the ground rises up and smites thee." -- William Kershner
http://crucis-court.com
http://www.crucis.net/1632search

From mikew at crucis.net Fri Oct 19 23:03:10 2012
From: mikew at crucis.net (Mike Watson)
Date: Fri, 19 Oct 2012 17:03:10 -0500
Subject: MailScanner and Spamassassin
In-Reply-To: <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>
References: <5081AEC2.9030902@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>
Message-ID: <5081CE1E.30008@crucis.net>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121019/e2f03e41/attachment.html

From Kevin_Miller at ci.juneau.ak.us Fri Oct 19 23:39:17 2012
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 19 Oct 2012 14:39:17 -0800
Subject: MailScanner and Spamassassin
In-Reply-To: <5081CE1E.30008@crucis.net>
References: <5081AEC2.9030902@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07> <5081CE1E.30008@crucis.net>
Message-ID: <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>

Yeah, you definitely should. Lots of training bound up in the old database. Also, IIRC, bayes doesn't kick in until it sees 200 hams and 200 spams, so there's a period where it's learning but not contributing. Or something along those lines...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mike Watson
Sent: Friday, October 19, 2012 2:03 PM
To: MailScanner discussion
Subject: Re: MailScanner and Spamassassin

New box I didn't copy the database but it's an idea.

Thanks,

mw
--
"Lose not thy airspeed, lest the ground rises up and smites thee." -- William Kershner
http://crucis-court.com
http://www.crucis.net/1632search

From mikew at crucis.net Fri Oct 19 23:46:43 2012
From: mikew at crucis.net (Mike Watson)
Date: Fri, 19 Oct 2012 17:46:43 -0500
Subject: MailScanner and Spamassassin
In-Reply-To: <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
References: <5081AEC2.9030902@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07> <5081CE1E.30008@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
Message-ID: <5081D853.4090101@crucis.net>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121019/43bce839/attachment.html

From Kevin_Miller at ci.juneau.ak.us Fri Oct 19 23:59:35 2012
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 19 Oct 2012 14:59:35 -0800
Subject: MailScanner and Spamassassin
In-Reply-To: <5081D853.4090101@crucis.net>
References: <5081AEC2.9030902@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07> <5081CE1E.30008@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07> <5081D853.4090101@crucis.net>
Message-ID: <4A09477D575C2C4B86497161427DD94C279E12DE00@city-exchange07>

I think it's normally a hidden directory under /root. Been so long since I installed from scratch though that I could be wrong. I put it under /etc/MailScanner/bayes - be sure to review the instructions in MailScanner.conf on permissions and such.

There's a "use bayes" setting in spamassassin.prefs.conf - make sure it's not set to zero.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mike Watson
Sent: Friday, October 19, 2012 2:47 PM
To: MailScanner discussion
Subject: Re: MailScanner and Spamassassin

I just noticed no bayes directory was created during the MS install. Is that normal?

mw
--
"Lose not thy airspeed, lest the ground rises up and smites thee." -- William Kershner
http://crucis-court.com
http://www.crucis.net/1632search

From bonivart at opencsw.org Sat Oct 20 00:09:21 2012
From: bonivart at opencsw.org (Peter Bonivart)
Date: Sat, 20 Oct 2012 01:09:21 +0200
Subject: MailScanner and Spamassassin
In-Reply-To: <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
References: <5081AEC2.9030902@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07> <5081CE1E.30008@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
Message-ID:

On Sat, Oct 20, 2012 at 12:39 AM, Kevin Miller wrote:
> Lots of training bound up in the old database.

How do you figure? Have you looked at the retention time of individual records in the db? The refresh rate of the entire database is fairly high. I doubt you get much better results after the first few days even.

I've always been skeptical about this myth surrounding Bayes. It's just one test out of a thousand and it's easily fooled as well. I trust the auto-learner to do its job and I haven't seen others get significantly better results regardless of effort put into Bayes.

/peter

From Kevin_Miller at ci.juneau.ak.us Sat Oct 20 00:54:20 2012
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 19 Oct 2012 15:54:20 -0800
Subject: MailScanner and Spamassassin
In-Reply-To:
References: <5081AEC2.9030902@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07> <5081CE1E.30008@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
Message-ID: <4A09477D575C2C4B86497161427DD94C279E12DE01@city-exchange07>

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Bonivart
Sent: Friday, October 19, 2012 3:09 PM
To: MailScanner discussion
Subject: Re: MailScanner and Spamassassin

On Sat, Oct 20, 2012 at 12:39 AM, Kevin Miller wrote:
> Lots of training bound up in the old database.
> How do you figure? Have you looked at the retention time of individual
> records in the db? The refresh rate of the entire database is fairly high.
> I doubt you get much better results after the first few days even.

I suppose it all depends on how much mail you get. We only get between 5000-10000 messages a day and have 400-500 users. Not a lot compared to an ISP that might be getting hundreds of thousands of messages a day. My primary mail server reports this:

Number of Tokens: 221,102

I expect it would take some time to get that many tokens if I was starting from scratch. And even if it did build w/in a couple days, that's a couple days that the filtering could be a bit more optimal. Every little bit helps. No idea how big Mike's mail store volume is.

> I've always been skeptical about this myth surrounding Bayes. It's just one
> test out of a thousand and it's easily fooled as well. I trust the auto-learner
> to do its job and I haven't seen others get significantly better results
> regardless of effort put into Bayes.

It's jack-simple to copy over the old bayes database. Hardly any effort at all really. If it's from a current corpus it's going to help. Maybe not an earth shaking amount, but spamassassin is all about lots of little incremental scores. Might be the difference between a 4.95 score and a 5.0. Nothing I told him should take longer than maybe five minutes. If you have any insights and tricks for getting a new build up and running efficiently as quickly as possible I'm sure we'd all love to hear them.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From mikew at crucis.net Sat Oct 20 20:10:08 2012
From: mikew at crucis.net (Mike Watson)
Date: Sat, 20 Oct 2012 14:10:08 -0500
Subject: MailScanner and Spamassassin
In-Reply-To: <4A09477D575C2C4B86497161427DD94C279E12DE00@city-exchange07>
References: <5081AEC2.9030902@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07> <5081CE1E.30008@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07> <5081D853.4090101@crucis.net> <4A09477D575C2C4B86497161427DD94C279E12DE00@city-exchange07>
Message-ID: <5082F710.8090303@crucis.net>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121020/d0e63496/attachment.html

From mailscanner at romehosting.com Mon Oct 22 14:26:56 2012
From: mailscanner at romehosting.com (Dave Gattis)
Date: Mon, 22 Oct 2012 09:26:56 -0400
Subject: Remove headers before MailScanner
Message-ID: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>

Hello All,

I am working with a company that receives mail from its headquarters. Headquarters does a terrible job of filtering email, so we decided to set up a local server and redirect everything here for filtering. So far so good.

Each message is stamped with "Resent-From" and "Return-Path" of the redirecting address. I can strip those headers out, after MailScanner, but really need them removed before.

Any ideas?
--
Dave Gattis

From mailscanner at joolee.nl Mon Oct 22 15:30:25 2012
From: mailscanner at joolee.nl (Joolee)
Date: Mon, 22 Oct 2012 16:30:25 +0200
Subject: Remove headers before MailScanner
In-Reply-To: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
Message-ID:

2 options:
- Don't use a relay address to run the E-mails through mailscanner.
(how you do this depends on how headquarters delivers your e-mail)
- Place an extra MTA instance between your incoming e-mails and your spamfiltering MTA to strip the headers.

On 22 October 2012 15:26, Dave Gattis wrote:
> Hello All,
>
> I am working with a company that receives mail from its headquarters.
> Headquarters does a terrible job of filtering email, so we decided to
> set up a local server and redirect everything here for filtering. So far
> so good.
>
> Each message is stamped with "Resent-From" and "Return-Path" of the
> redirecting address. I can strip those headers out, after MailScanner,
> but really need them removed before.
>
> Any ideas?
> --
> Dave Gattis
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121022/3d5dbc54/attachment.html

From mailscanner at pdscc.com Mon Oct 22 17:43:50 2012
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Mon, 22 Oct 2012 09:43:50 -0700
Subject: maillscanner/postfix saturates bandwidth :-(
In-Reply-To: <20121009232117.3ED5B5A1C81@sinclaire.sibble.net>
References: <20120924171534.693B55A1C82@sinclaire.sibble.net>, , <20121009232117.3ED5B5A1C81@sinclaire.sibble.net>
Message-ID: <20121022164353.3729B5A1C81@sinclaire.sibble.net>

Interestingly enough, throttling INBOUND smtp at the firewall level resolved this issue. Now they have no issues with sending out large mailouts.

On 9 Oct 2012 at 16:21, Harondel J. Sibble wrote:
>
>
> On 24 Sep 2012 at 15:09, C.
Jon Larsen wrote:
>
> > > Basically the dsl connection they share with another office was saturated
> > > when the office admin did a mailout on friday to about 2000 of their
> > > subscribers, each email was about 3.5mb total with conversion overhead.
> > > When I say saturated, I mean in both the upstream and downstream
> > > directions. According to the admin who runs the multitenant network in this
> > > office, he was seeing a sustained 1.6mb/s INBOUND connection to my
> > > client's firewall while this was happening.
>
> > > I'm trying to figure out the best way to deal with this moving forward,
> > > is there additional throttling I need to do at the postfix level or the
> > > mailscanner level or something else. I was also surprised as my
> > > understanding of postfix is that it does connection throttling by default.
> >
> > You can play with variations of these settings in main.conf to control how
> > much email is sent out - these go into main.conf
> >
> > local_destination_concurrency_limit = 2
> > default_destination_concurrency_limit = 2
> > initial_destination_concurrency = 2
> >
> > smtpd_client_connection_count_limit = 10
> > default_destination_recipient_limit = 20
>
> I'll do some testing with these as still getting same behaviour.
>
> Set up caching dns server on the Mailscanner box, to replicate circumstances
> similar as before, had user send from outlook via exchange an email with no
> attachments, just body text to approx 550 recipients and basically same issue
> cropped up again, I had to eventually do
>
> postqueue -p
>
> postsuper -d
>
> on the messages in the queue to get things back to normal.
>
> Which do you figure will give best bang for the buck assuming I add one at a
> time? Are there general rules of thumb for the various values?

--
Harondel J. Sibble
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D)
http://www.pdscc.com
Blog: http://www.pdscc.com/blog
(604) 739-3709 (voice)

From ssilva at sgvwater.com Mon Oct 22 17:49:32 2012
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon, 22 Oct 2012 09:49:32 -0700
Subject: Remove headers before MailScanner
In-Reply-To:
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
Message-ID:

Or run something like mimedefang... It can strip, add, remove or otherwise manipulate the mail stream in many ways...

on 10/22/2012 7:30 AM Joolee spake the following:
> 2 options:
> - Don't use a relay address to run the E-mails through mailscanner. (how you
> do this depends on how headquarters delivers your e-mail)
> - Place an extra MTA instance between your incoming e-mails and your
> spamfiltering MTA to strip the headers.
>
> On 22 October 2012 15:26, Dave Gattis
> wrote:
>
> Hello All,
>
> I am working with a company that receives mail from its headquarters.
> Headquarters does a terrible job of filtering email, so we decided to
> set up a local server and redirect everything here for filtering. So far
> so good.
>
> Each message is stamped with "Resent-From" and "Return-Path" of the
> redirecting address. I can strip those headers out, after MailScanner,
> but really need them removed before.
>
> Any ideas?
> --
> Dave Gattis
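
Added example, not from any poster in this thread and not MailScanner or MIMEDefang code: what a header-stripping stage placed ahead of the scanner has to do with the "Resent-From" and "Return-Path" headers named above, next to a line filter that gets it wrong. The sample message is constructed from the thread's placeholder addresses and the function names are assumptions; the envelope sender is passed in separately because it travels in the SMTP transaction (MAIL FROM), not in the headers, so stripping headers never changes it.

```python
"""Strip redirect-added headers ahead of a mail filter (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Headers the thread says the redirect stamps onto every message.
REDIRECT_HEADERS = ("Resent-From", "Return-Path")

# Constructed sample built from the thread's placeholder addresses. It has a
# folded Resent-From header and a body line that only looks like a header.
SAMPLE = (
    "Return-Path: <b@mydomain1.com>\n"
    "Received: from mail1.mydomain1.com by mydomain2.com;"
    " Tue, 23 Oct 2012 08:48:31 -0400\n"
    "From: A Sender <a@hotmail.com>\n"
    "To: b@mydomain1.com\n"
    "Subject: test\n"
    "Resent-From: Redirect rule\n"
    " <b@mydomain1.com>\n"
    "MIME-Version: 1.0\n"
    "\n"
    "Hello,\n"
    "Resent-From: this is body text and must survive\n"
)


def unfold(value):
    """Collapse header folding (newline plus whitespace) into single spaces."""
    return " ".join(value.split())


def strip_redirect_headers(raw, names=REDIRECT_HEADERS):
    """Parse the message and drop every occurrence of the named headers.

    Header names match case-insensitively and folded continuation lines go
    with their header. Returns (cleaned_message, removed) where removed is a
    list of (name, value) pairs, so the stage can log what it took out.
    """
    msg = message_from_string(raw)
    removed = []
    for name in names:
        for value in msg.get_all(name, []):
            removed.append((name, unfold(value)))
        del msg[name]  # no error when the header is absent
    return msg.as_string(), removed


def naive_strip(raw, names=REDIRECT_HEADERS):
    """Line filter shown for comparison: drop lines that start with a name.

    It ignores the header/body boundary and header folding, so it deletes
    body text and leaves orphaned continuation lines behind.
    """
    prefixes = tuple(n.lower() + ":" for n in names)
    kept = [line for line in raw.splitlines(True)
            if not line.lower().startswith(prefixes)]
    return "".join(kept)


def sender_views(envelope_from, raw):
    """Return the three places a 'sender' can be read from.

    envelope_from is whatever the MTA received in MAIL FROM; it is not part
    of the message text and is returned unchanged.
    """
    msg = message_from_string(raw)

    def addr(header):
        return parseaddr(unfold(msg.get(header, "")))[1]

    return {
        "envelope": envelope_from,
        "from": addr("From"),
        "resent_from": addr("Resent-From"),
    }


if __name__ == "__main__":
    cleaned, removed = strip_redirect_headers(SAMPLE)
    print("removed:", removed)
    print("before :", sender_views("b@mydomain1.com", SAMPLE))
    print("after  :", sender_views("b@mydomain1.com", cleaned))
    print("naive result keeps body line:",
          "must survive" in naive_strip(SAMPLE))
```

After stripping, the header view shows only a at hotmail.com, while the envelope value is still the redirecting address, so anything keyed on the envelope sender needs the redirect itself changed rather than the headers.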
From john at tradoc.fr Tue Oct 23 08:10:41 2012
From: john at tradoc.fr (John Wilcock)
Date: Tue, 23 Oct 2012 09:10:41 +0200
Subject: Remove headers before MailScanner
In-Reply-To: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
Message-ID: <508642F1.2010800@tradoc.fr>

Le 22/10/2012 15:26, Dave Gattis a écrit :
> Each message is stamped with "Resent-From" and "Return-Path" of the
> redirecting address. I can strip those headers out, after MailScanner,
> but really need them removed before.

Why do you really need them removed? If it's just for spamassassin, you can use bayes_ignore_header in your local.cf file.

John.

--
-- Over 5000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From bfebrian.milis at gmail.com Tue Oct 23 10:21:15 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Tue, 23 Oct 2012 16:21:15 +0700
Subject: Receives email with blank body
In-Reply-To:
References:
Message-ID:

Dear all,

I have the archive file that user received it as blank email. Is there anything that I can do with it? test it? debug?

Best Regards

On Thu, Oct 11, 2012 at 10:25 AM, Budi Febrianto wrote:
> Dear Martin,
>
> Already activated the archive facility.
> How to proper way to inject and debug mailscanner/sendmail?
>
> This is what I did, and maybe I did it wrong.
> shutdown the mailscanner
> copy the archive from /var/spool/MailScanner/archive/(date) to
> /var/spool/mqeue
> run mailscanner with --debug
>
> Mailscanner run, and then stop, with some error related with mailwatch
> about commit, but nothing else
>
> Best Regards
>
>
> On Tue, Oct 9, 2012 at 1:31 AM, Martin Hepworth wrote:
>
>> Doubt it, unless the antivirus on the Domino server did something to it,
>> all Mailwatch does is log the information.
>> >> Can you replay messages at all - ie do you use the archive facility so >> you can inject the message again while running in debug mode? >> >> >> >> -- >> Martin Hepworth, CISSP >> Oxford, UK >> >> >> On 8 October 2012 18:05, Budi Febrianto wrote: >> >>> Dear Martin, >>> >>> This happen not always with big emails, many big emails still delivered >>> without any problems. >>> >>> This problem appears to be random, but often. >>> >>> The next host is the mail server, which is Lotus Domino 8.5. >>> >>> Is it possible that the anti virus or mailwatch somehow altered the mail >>> format? >>> >>> Best regards >>> On Oct 8, 2012 11:39 PM, "Martin Hepworth" wrote: >>> >>>> Is this consistent with large emails above the spam checks size limit? >>>> >>>> If it is, you could run a test in debug mode of a large email to see >>>> what's going flakey. >>>> >>>> I presume the next host down the line (192.168.10.17) is handling this >>>> OK? >>>> >>>> >>>> -- >>>> Martin Hepworth, CISSP >>>> Oxford, UK >>>> >>>> >>>> On 8 October 2012 16:27, Budi Febrianto wrote: >>>> >>>>> Dear Martin, >>>>> >>>>> Thank you for the reply, but I don't see something strange in the >>>>> maillog >>>>> >>>>> [root at spam log]# cat maillog.1 | grep q917UfQF014676 >>>>> Oct 1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=< >>>>> cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=< >>>>> E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>, >>>>> proto=ESMTP, daemon=MTA, relay=ln-static-202-77-100-39.link.net.id >>>>> [202.77.100.39] (may be forged) >>>>> Oct 1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=< >>>>> amiws at xyz.co.id>, delay=00:00:11, mailer=smtp, pri=370562, stat=queued >>>>> Oct 1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from >>>>> 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for >>>>> spam checks (341198 > 200000 bytes) >>>>> Oct 1 14:30:59 spam MailScanner[13678]: Logging message >>>>> q917UfQF014676 to SQL 
>>>>> Oct 1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to >>>>> MailWatch SQL >>>>> Oct 1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=< >>>>> amiws at xyz.co.id>, delay=00:00:13, xdelay=00:00:01, mailer=smtp, >>>>> pri=460562, relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent >>>>> (Message accepted for delivery) >>>>> >>>>> Best Regards >>>>> >>>>> On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth wrote: >>>>> >>>>>> Check the mailScanner logs for that message to see if it's doing >>>>>> anything 'unusual' with the message. >>>>>> >>>>>> -- >>>>>> Martin Hepworth, CISSP >>>>>> Oxford, UK >>>>>> >>>>>> >>>>>> On 8 October 2012 11:30, Budi Febrianto wrote: >>>>>> >>>>>>> Dear all, >>>>>>> >>>>>>> My customer have problems with their mailscanner installation, >>>>>>> sometimes users emails with blank body. I already search the web for >>>>>>> possible reasons, but can't find any. >>>>>>> >>>>>>> This is the configurations: >>>>>>> >>>>>>> MailScanner 4.84.5 >>>>>>> Centos 6.2 64 bit >>>>>>> Sendmail 8.13 >>>>>>> MailWatch-1.1.5.1 >>>>>>> ClamAV 0.96.5 >>>>>>> >>>>>>> Best regards >>>>>>> >>>>>>> -- >>>>>>> MailScanner mailing list >>>>>>> mailscanner at lists.mailscanner.info >>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>>> >>>>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>>>> >>>>>>> Support MailScanner development - buy the book off the website! >>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> MailScanner mailing list >>>>>> mailscanner at lists.mailscanner.info >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>> >>>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>>> >>>>>> Support MailScanner development - buy the book off the website! 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121023/b29e5209/attachment.html

From mailscanner at joolee.nl Tue Oct 23 11:22:02 2012
From: mailscanner at joolee.nl (Joolee)
Date: Tue, 23 Oct 2012 12:22:02 +0200
Subject: Receives email with blank body
In-Reply-To:
References:
Message-ID:

Compare the e-mail the customer received (the source code, not the view) and the original archive file. You might post both versions to the mailing list after stripping personal information.

On 23 October 2012 11:21, Budi Febrianto wrote:
> Dear all,
>
> I have the archive file that user received it as blank email.
> Is there anything that I can do with it? test it? debug?
>
> Best Regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121023/3527f208/attachment.html

From mailscanner at romehosting.com Tue Oct 23 11:58:07 2012
From: mailscanner at romehosting.com (Dave Gattis)
Date: Tue, 23 Oct 2012 06:58:07 -0400
Subject: Remove headers before MailScanner
In-Reply-To: <508642F1.2010800@tradoc.fr>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com> <508642F1.2010800@tradoc.fr>
Message-ID:

Let me see if I can explain this properly:

a at hotmail.com sends to b at mydomain1.com.

a rule exists at mydomain1.com to redirect to c at mydomain2.com, therefore

a at hotmail.com arrives safely c at mydomain2.com.

When opening the email, it looks like this:

From: a at hotmail.com
To: b at mydomain1.com

This is exactly what I want and works perfectly in any mail client.

Unfortunately, when you look at the list of messages MailScanner has processed (using the MailWatch frontend), every message, no matter who from looks like this:

From: b at mydomain1.com
To: c at mydomain2.com

This renders white/blacklisting useless, and subject lines are the only clues available for releasing SPAM. When looking at the raw headers, the redirect is adding a "Resent-From" header which I believe is overriding the "From" header.
No matter what is received, MailScanner is basing some of its decisions on the "Resent-From" address which lowers the score for all messages.

This is what happens when corporations make poor decisions. Unfortunately, I am forced to find a workaround for it.

Thanks,
--
Dave Gattis

> Le 22/10/2012 15:26, Dave Gattis a écrit :
>> Each message is stamped with "Resent-From" and "Return-Path" of the
>> redirecting address. I can strip those headers out, after MailScanner,
>> but really need them removed before.
>
> Why do you really need them removed? If it's just for spamassassin, you
> can use bayes_ignore_header in your local.cf file.
>
> John.
>
> --
> -- Over 5000 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages - www.tradoc.fr

From mailscanner at joolee.nl Tue Oct 23 12:39:05 2012
From: mailscanner at joolee.nl (Joolee)
Date: Tue, 23 Oct 2012 13:39:05 +0200
Subject: Remove headers before MailScanner
In-Reply-To:
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com> <508642F1.2010800@tradoc.fr>
Message-ID:

Mailwatch uses the "envelope-from" to display in the list.

On 23 October 2012 12:58, Dave Gattis wrote:
> Let me see if I can explain this properly:
>
> a at hotmail.com sends to b at mydomain1.com.
>
> a rule exists at mydomain1.com to redirect to c at mydomain2.com, therefore
>
> a at hotmail.com arrives safely c at mydomain2.com.
>
> When opening the email, it looks like this:
>
> From: a at hotmail.com
> To: b at mydomain1.com
>
> This is exactly what I want and works perfectly in any mail client.
>
> Unfortunately, when you look at the list of messages MailScanner has
> processed (using the MailWatch frontend), every message, no matter who
> from looks like this:
>
> From: b at mydomain1.com
> To: c at mydomain2.com
>
> This renders white/blacklisting useless, and subject lines are the only
> clues available for releasing SPAM. When looking at the raw headers, the
> redirect is adding a "Resent-From" header which I believe is overriding
> the "From" header.
>
> No matter what is received, MailScanner is basing some of its decisions
> on the "Resent-From" address which lowers the score for all messages.
>
> This is what happens when corporations make poor decisions.
> Unfortunately, I am forced to find a workaround for it.
>
> Thanks,
> --
> Dave Gattis
>
> > Le 22/10/2012 15:26, Dave Gattis a écrit :
> >> Each message is stamped with "Resent-From" and "Return-Path" of the
> >> redirecting address. I can strip those headers out, after MailScanner,
> >> but really need them removed before.
> >
> > Why do you really need them removed? If it's just for spamassassin, you
> > can use bayes_ignore_header in your local.cf file.
> >
> > John.
> >
> > --
> > -- Over 5000 webcams from ski resorts around the world - www.snoweye.com
> > -- Translate your technical documents and web pages - www.tradoc.fr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121023/eb4d43fe/attachment.html

From mailscanner at romehosting.com Tue Oct 23 14:08:36 2012
From: mailscanner at romehosting.com (Dave Gattis)
Date: Tue, 23 Oct 2012 09:08:36 -0400
Subject: Remove headers before MailScanner
In-Reply-To:
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com> <508642F1.2010800@tradoc.fr>
Message-ID: <25332294760158a41e0ea190272a4559.squirrel@mail.romehosting.com>

According to mailwatch, here's all the listed headers:

Received: from mail1.domain1.com (mail1.domain1.com [XX.XXX.XXX.XX])
 by domain1.com (Postfix) with ESMTP id D30D01C100FB
 for ; Tue, 23 Oct 2012 08:48:31 -0400 (EDT)
Received: from mail2.domain1.com ([ffff::aaaa:8888:bbbb:7777]) by
 mail2.domain2.com ([ffff::aaaa:8888:bbbb:7777]) with Microsoft SMTP Server id
 14.01.0355.002; Tue, 23 Oct 2012 14:48:25 +0200
From: Dave Gattis <-- MailScanner/MailWatch ignores this line
To: Dave Gattis
Subject: test for mailscanner group
Date: Tue, 23 Oct 2012 12:48:40 +0000
Message-ID:
Resent-From: <-- MailScanner/MailWatch considers this line to be the sender
Content-Type: multipart/alternative;
 boundary="_000_b4339c5b9c53472eae950d4ff046d840mail2domain1com_"
MIME-Version: 1.0

MailWatch's recent messages tab displays the message like this, only in column format:

Date/Time: 23/10/12 08:48:33
From: dave.gattis at domain1.com (needs to be dave.gattis at hotmail.com)
To: dave.gattis at sdomain2.com
Subject: test for mailscanner group
Size 2.2Kb
SA Score -1.02
Status Clean

--
Dave Gattis

> Mailwatch uses the "envelope-from" to display in the list.
>
> On 23 October 2012 12:58, Dave Gattis wrote:
>
>> Let me see if I can explain this properly:
>>
>> a at hotmail.com sends to b at mydomain1.com.
>>
>> a rule exists at mydomain1.com to redirect to c at mydomain2.com, therefore
>>
>> a at hotmail.com arrives safely c at mydomain2.com.
>>
>> When opening the email, it looks like this:
>>
>> From: a at hotmail.com
>> To: b at mydomain1.com
>>
>> This is exactly what I want and works perfectly in any mail client.
>>
>> Unfortunately, when you look at the list of messages MailScanner has
>> processed (using the MailWatch frontend), every message, no matter who
>> from looks like this:
>>
>> From: b at mydomain1.com
>> To: c at mydomain2.com
>>
>> This renders white/blacklisting useless, and subject lines are the only
>> clues available for releasing SPAM. When looking at the raw headers,
>> the
>> redirect is adding a "Resent-From" header which I believe is overriding
>> the "From" header.
>>
>> No matter what is received, MailScanner is basing some of its decisions
>> on the "Resent-From" address which lowers the score for all messages.
>>
>> This is what happens when corporations make poor decisions.
>> Unfortunately, I am forced to find a workaround for it.
>>
>> Thanks,
>> --
>> Dave Gattis
>>
>>
>> > Le 22/10/2012 15:26, Dave Gattis a écrit :
>> >> Each message is stamped with "Resent-From" and "Return-Path" of the
>> >> redirecting address. I can strip those headers out, after
>> MailScanner,
>> >> but really need them removed before.
>> >
>> > Why do you really need them removed? If it's just for spamassassin,
>> you
>> > can use bayes_ignore_header in your local.cf file.
>> >
>> > John.
>> >
>> > --
>> > -- Over 5000 webcams from ski resorts around the world -
>> www.snoweye.com
>> > -- Translate your technical documents and web pages - www.tradoc.fr

From maxsec at gmail.com Tue Oct 23 16:21:59 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 23 Oct 2012 16:21:59 +0100
Subject: Remove headers before MailScanner
In-Reply-To: <25332294760158a41e0ea190272a4559.squirrel@mail.romehosting.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com> <508642F1.2010800@tradoc.fr> <25332294760158a41e0ea190272a4559.squirrel@mail.romehosting.com>
Message-ID:

hmm looks like exch doing a crap job of forwarding the emails, either that or it's poorly set up. My exch just forwards the emails to my local exch server without all this extra cruft in the logs.

Are these two sites part of the same AD domain or do they run some sort of split design?

--
Martin Hepworth, CISSP
Oxford, UK

On 23 October 2012 14:08, Dave Gattis wrote:

> According to mailwatch, here's all the listed headers:
>
> Received: from mail1.domain1.com (mail1.domain1.com [XX.XXX.XXX.XX])
>     by domain1.com (Postfix) with ESMTP id D30D01C100FB
>     for ; Tue, 23 Oct 2012 08:48:31 -0400 (EDT)
> Received: from mail2.domain1.com ([ffff::aaaa:8888:bbbb:7777]) by
>     mail2.domain2.com ([ffff::aaaa:8888:bbbb:7777]) with Microsoft SMTP Server id
>     14.01.0355.002; Tue, 23 Oct 2012 14:48:25 +0200
> From: Dave Gattis <-- MailScanner/MailWatch ignores this line
> To: Dave Gattis
> Subject: test for mailscanner group
> Date: Tue, 23 Oct 2012 12:48:40 +0000
> Message-ID:
> Resent-From: <-- MailScanner/MailWatch considers this line to be the sender
> Content-Type: multipart/alternative;
>     boundary="_000_b4339c5b9c53472eae950d4ff046d840mail2domain1com_"
> MIME-Version: 1.0
>
> MailWatch's recent messages tab displays the message like this, only in
> column format:
>
>
> Date/Time:
> 23/10/12
> 08:48:33
>
> From:
> dave.gattis at domain1.com (needs to be dave.gattis at hotmail.com)
>
> To:
> dave.gattis at sdomain2.com
>
> Subject:
> test for mailscanner group
>
> Size
> 2.2Kb
>
> SA Score
> -1.02
>
> Status
> Clean
>
>
> --
> Dave Gattis
>
>
> > Mailwatch uses the "envelope-from" to display in the list.
> >
> > On 23 October 2012 12:58, Dave Gattis wrote:
> >
> >> Let me see if I can explain this properly:
> >>
> >> a at hotmail.com sends to b at mydomain1.com.
> >>
> >> a rule exists at mydomain1.com to redirect to c at mydomain2.com, therefore
> >>
> >> a at hotmail.com arrives safely c at mydomain2.com.
> >>
> >> When opening the email, it looks like this:
> >>
> >> From: a at hotmail.com
> >> To: b at mydomain1.com
> >>
> >> This is exactly what I want and works perfectly in any mail client.

From maxsec at gmail.com Tue Oct 23 16:24:44 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 23 Oct 2012 16:24:44 +0100
Subject: Receives email with blank body
In-Reply-To:
References:
Message-ID:

and also look at the archive for the original message and the logs for the message to see what MS thought of the email and what it did with it.

--
Martin Hepworth, CISSP
Oxford, UK

On 23 October 2012 11:22, Joolee wrote:

> Compare the e-mail the customer received (the source code, not the view)
> and the original archive file.
> You might post both versions to the mailing list after stripping personal
> information.
>
>
> On 23 October 2012 11:21, Budi Febrianto wrote:
>
>> Dear all,
>>
>> I have the archive file that user received it as blank email.
>> Is there anything that I can do with it? test it? debug?
>>
>> Best Regards
>>
>>
>> On Thu, Oct 11, 2012 at 10:25 AM, Budi Febrianto <bfebrian.milis at gmail.com> wrote:
>>
>>> Dear Martin,
>>>
>>> Already activated the archive facility.
>>> How to proper way to inject and debug mailscanner/sendmail?
>>>
>>> This is what I did, and maybe I did it wrong.
>>> shutdown the mailscanner
>>> copy the archive from /var/spool/MailScanner/archive/(date) to
>>> /var/spool/mqeue
>>> run mailscanner with --debug
>>>
>>> Mailscanner run, and then stop, with some error related with mailwatch
>>> about commit, but nothing else
>>>
>>> Best Regards
>>>
>>>
>>> On Tue, Oct 9, 2012 at 1:31 AM, Martin Hepworth wrote:
>>>
>>>> Doubt it, unless the antivirus on the Domino server did something to
>>>> it, all Mailwatch does is log the information.
>>>>
>>>> Can you replay messages at all - ie do you use the archive facility so
>>>> you can inject the message again while running in debug mode?
>>>>
>>>>
>>>>
>>>> --
>>>> Martin Hepworth, CISSP
>>>> Oxford, UK
>>>>
>>>>
>>>> On 8 October 2012 18:05, Budi Febrianto wrote:
>>>>
>>>>> Dear Martin,
>>>>>
>>>>> This happen not always with big emails, many big emails still
>>>>> delivered without any problems.
>>>>>
>>>>> This problem appears to be random, but often.
>>>>>
>>>>> The next host is the mail server, which is Lotus Domino 8.5.
>>>>>
>>>>> Is it possible that the anti virus or mailwatch somehow altered the
>>>>> mail format?
>>>>>
>>>>> Best regards
>>>>> On Oct 8, 2012 11:39 PM, "Martin Hepworth" wrote:
>>>>>
>>>>>> Is this consistent with large emails above the spam checks size limit?
>>>>>>
>>>>>> If it is, you could run a test in debug mode of a large email to see
>>>>>> what's going flakey.
>>>>>>
>>>>>> I presume the next host down the line (192.168.10.17) is handling
>>>>>> this OK?
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Martin Hepworth, CISSP
>>>>>> Oxford, UK
>>>>>>
>>>>>>
>>>>>> On 8 October 2012 16:27, Budi Febrianto wrote:
>>>>>>
>>>>>>> Dear Martin,
>>>>>>>
>>>>>>> Thank you for the reply, but I don't see something strange in the
>>>>>>> maillog
>>>>>>>
>>>>>>> [root at spam log]# cat maillog.1 | grep q917UfQF014676
>>>>>>> Oct 1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>, proto=ESMTP, daemon=MTA, relay=ln-static-202-77-100-39.link.net.id [202.77.100.39] (may be forged)
>>>>>>> Oct 1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=<amiws at xyz.co.id>, delay=00:00:11, mailer=smtp, pri=370562, stat=queued
>>>>>>> Oct 1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for spam checks (341198 > 200000 bytes)
>>>>>>> Oct 1 14:30:59 spam MailScanner[13678]: Logging message q917UfQF014676 to SQL
>>>>>>> Oct 1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to MailWatch SQL
>>>>>>> Oct 1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=<amiws at xyz.co.id>, delay=00:00:13, xdelay=00:00:01, mailer=smtp, pri=460562, relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent (Message accepted for delivery)
>>>>>>>
>>>>>>> Best Regards
>>>>>>>
>>>>>>> On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth wrote:
>>>>>>>
>>>>>>>> Check the mailScanner logs for that message to see if it's doing
>>>>>>>> anything 'unusual' with the message.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Martin Hepworth, CISSP
>>>>>>>> Oxford, UK
>>>>>>>>
>>>>>>>>
>>>>>>>> On 8 October 2012 11:30, Budi Febrianto wrote:
>>>>>>>>
>>>>>>>>> Dear all,
>>>>>>>>>
>>>>>>>>> My customer have problems with their mailscanner installation,
>>>>>>>>> sometimes users emails with blank body. I already search the web for
>>>>>>>>> possible reasons, but can't find any.
>>>>>>>>>
>>>>>>>>> This is the configurations:
>>>>>>>>>
>>>>>>>>> MailScanner 4.84.5
>>>>>>>>> Centos 6.2 64 bit
>>>>>>>>> Sendmail 8.13
>>>>>>>>> MailWatch-1.1.5.1
>>>>>>>>> ClamAV 0.96.5
>>>>>>>>>
>>>>>>>>> Best regards

From mailscanner at romehosting.com Tue Oct 23 18:11:21 2012
From: mailscanner at romehosting.com (Dave Gattis)
Date: Tue, 23 Oct 2012 13:11:21 -0400
Subject: Remove headers before MailScanner
In-Reply-To:
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com> <508642F1.2010800@tradoc.fr> <25332294760158a41e0ea190272a4559.squirrel@mail.romehosting.com>
Message-ID:

Forwarder (exchange) is in Switzerland. Destination (postfix) is in USA.
Non-related domains.
--
Dave Gattis

> hmm looks like exch doing a crap job of forwarding the emails, either that
> or it's poorly setup.
> My exch just forwards the emails to my local exch
> server without all this extra cruft in the logs.
>
> Are these two sites part of the same AD domain or do they run some sort of
> split design?
>
> --
> Martin Hepworth, CISSP
> Oxford, UK

From glenn.steen at gmail.com Thu Oct 25 14:55:32 2012
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu, 25 Oct 2012 15:55:32 +0200
Subject: Remove headers before MailScanner
In-Reply-To:
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com> <508642F1.2010800@tradoc.fr> <25332294760158a41e0ea190272a4559.squirrel@mail.romehosting.com>
Message-ID:

So why don't they just relay your domain? Or am I reading this slightly wrong, so that you actually mean "yes, the recipients being forwarded are in the same domain (Swiss owned) as other non-forwarded recipients, and are aliased to our local domain, rather than being a straightforward relay"?
If that is the case, you'd need to do some hacking in MailWatch.pm to "solve" this, as well as look at the Received: futzing in both SA and MS. Or make the forward->relay...:-)

Cheers
--
-- Glenn

On 23 Oct 2012 19:36, "Dave Gattis" wrote:

> Forwarder (exchange) is in Switzerland. Destination (postfix) is in USA.
> Non-related domains.
> --
> Dave Gattis
>
>
> > hmm looks like exch doing a crap job of forwarding the emails, either that
> > or it's poorly setup. My exch just forwards the emails to my local exch
> > server without all this extra cruft in the logs.
> >
> > Are these two sites part of the same AD domain or do they run some sort of
> > split design?

From doctor at doctor.nl2k.ab.ca Mon Oct 29 15:21:31 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 29 Oct 2012 09:21:31 -0600
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
Message-ID: <20121029152130.GA14009@doctor.nl2k.ab.ca>

Help!!

Need to get this running.

I have read the instructions and to date I do send but the e-mail
does not come back.

What am I doing wrong?

--
Member - Liberal International This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
USA petition to dissolve the Republic and vote to dissolve it in November 2012

From mailscanner at joolee.nl Mon Oct 29 16:43:17 2012
From: mailscanner at joolee.nl (Joolee)
Date: Mon, 29 Oct 2012 17:43:17 +0100
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029152130.GA14009@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
Message-ID:

First thing you're doing wrong is not sending any extra information in your request for help. There are a million things that can go wrong so we need more to go on. Start with your installation. What did you do? On what point do your logfiles say it's going wrong?

On 29 October 2012 16:21, The Doctor wrote:

> Help!!
>
> Need to get this running.
>
> I have read the instructions and to date I do send but the e-mail
> does not come back.
>
> What am I doing wrong?

From mikael at syska.dk Mon Oct 29 16:49:33 2012
From: mikael at syska.dk (Mikael Syska)
Date: Mon, 29 Oct 2012 17:49:33 +0100
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029152130.GA14009@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
Message-ID:

Hi,

On Mon, Oct 29, 2012 at 4:21 PM, The Doctor wrote:
> Help!!
>
> Need to get this running.

Then hire someone for the job.

> I have read the instructions and to date I do send but the e-mail
> does not come back.

Since everybody else can get it working, I guess you are doing something wrong.

> What am I doing wrong?

Not doing it right :-)

You need to tell us about your setup, better more useless information,
than no information ... else the above will be my best guess.

Kind regards

From doctor at doctor.nl2k.ab.ca Mon Oct 29 18:32:00 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 29 Oct 2012 12:32:00 -0600
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To:
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
Message-ID: <20121029183200.GA424@doctor.nl2k.ab.ca>

On Mon, Oct 29, 2012 at 05:49:33PM +0100, Mikael Syska wrote:
> Hi,
>
> On Mon, Oct 29, 2012 at 4:21 PM, The Doctor wrote:
> > Help!!
> >
> > Need to get this running.
>
> Then hire someone for the job.
>
> > I have read the instructions and to date I do send but the e-mail
> > does not come back.
>
> Since everybody else can get it working, I guess you are doing something wrong.
>
> > What am I doing wrong?
>
> Not doing it right :-)
>
> You need to tell us about your setup, better more useless information,
> than no information ... else the above will be my best guess.
>

Sorry about that; I was wondering if this group was still alive.

Could I post the MailScanner.conf and the exim configuration files?
>
> mvh

--
Member - Liberal International This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
USA petition to dissolve the Republic and vote to dissolve it in November 2012

From mailscanner at joolee.nl Mon Oct 29 19:05:36 2012
From: mailscanner at joolee.nl (Joolee)
Date: Mon, 29 Oct 2012 20:05:36 +0100
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029183200.GA424@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca> <20121029183200.GA424@doctor.nl2k.ab.ca>
Message-ID:

You could but I don't think anyone will fix your problem for you that way.

On 29 October 2012 19:32, The Doctor wrote:

> On Mon, Oct 29, 2012 at 05:49:33PM +0100, Mikael Syska wrote:
> > Hi,
> >
> > On Mon, Oct 29, 2012 at 4:21 PM, The Doctor wrote:
> > > Help!!
> > >
> > > Need to get this running.
> >
> > Then hire someone for the job.
> >
> > > I have read the instructions and to date I do send but the e-mail
> > > does not come back.
> >
> > Since everybody else can get it working, I guess you are doing something wrong.
> >
> > > What am I doing wrong?
> >
> > Not doing it right :-)
> >
> > You need to tell us about your setup, better more useless information,
> > than no information ... else the above will be my best guess.
> >
>
> Sorry about that; I was wondering if this group was still alive.
>
> Could I post the MailScanner.conf and the exim configuration files?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121029/97cc8101/attachment.html

From maxsec at gmail.com Mon Oct 29 19:55:37 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 29 Oct 2012 19:55:37 +0000
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029183200.GA424@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca> <20121029183200.GA424@doctor.nl2k.ab.ca>
Message-ID:

Which instructions did you use to set up exim and MailScanner? There are several about.

Best way to start is get exim moving email by itself with mailscanner, then split exim into two and add Mailscanner into the mix.

Martin

On Monday, 29 October 2012, The Doctor wrote:

> On Mon, Oct 29, 2012 at 05:49:33PM +0100, Mikael Syska wrote:
> > Hi,
> >
> > On Mon, Oct 29, 2012 at 4:21 PM, The Doctor wrote:
> > > Help!!
> > >
> > > Need to get this running.
> >
> > Then hire someone for the job.
> >
> > > I have read the instructions and to date I do send but the e-mail
> > > does not come back.
> >
> > Since everybody else can get it working, I guess you are doing something wrong.
> >
> > > What am I doing wrong?
> >
> > Not doing it right :-)
> >
> > You need to tell us about your setup, better more useless information,
> > than no information ... else the above will be my best guess.
> >
>
> Sorry about that; I was wondering if this group was still alive.
>
> Could I post the MailScanner.conf and the exim configuration files?

--
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121029/a61fb9df/attachment.html

From doctor at doctor.nl2k.ab.ca Mon Oct 29 20:10:06 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 29 Oct 2012 14:10:06 -0600
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To:
References: <20121029152130.GA14009@doctor.nl2k.ab.ca> <20121029183200.GA424@doctor.nl2k.ab.ca>
Message-ID: <20121029201006.GA28621@doctor.nl2k.ab.ca>

On Mon, Oct 29, 2012 at 08:05:36PM +0100, Joolee wrote:
> You could but I don't think anyone will fix your problem for you that way.
>

Then Step 1 please.

> On 29 October 2012 19:32, The Doctor wrote:
>
> > On Mon, Oct 29, 2012 at 05:49:33PM +0100, Mikael Syska wrote:
> > > Hi,
> > >
> > > On Mon, Oct 29, 2012 at 4:21 PM, The Doctor wrote:
> > > > Help!!
> > > >
> > > > Need to get this running.
> > >
> > > Then hire someone for the job.
> > >
> > > > I have read the instructions and to date I do send but the e-mail
> > > > does not come back.
> > >
> > > Since everybody else can get it working, I guess you are doing something wrong.
> > >
> > > > What am I doing wrong?
> > >
> > > Not doing it right :-)
> > >
> > > You need to tell us about your setup, better more useless information,
> > > than no information ... else the above will be my best guess.
> > >
> >
> > Sorry about that; I was wondering if this group was still alive.
> >
> > Could I post the MailScanner.conf and the exim configuration files?

--
Member - Liberal International This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
USA petition to dissolve the Republic and vote to dissolve it in November 2012

From doctor at doctor.nl2k.ab.ca Mon Oct 29 20:37:25 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 29 Oct 2012 14:37:25 -0600
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029201006.GA28621@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca> <20121029183200.GA424@doctor.nl2k.ab.ca> <20121029201006.GA28621@doctor.nl2k.ab.ca>
Message-ID: <20121029203723.GA5541@doctor.nl2k.ab.ca>

On Mon, Oct 29, 2012 at 02:10:06PM -0600, The Doctor wrote:
> On Mon, Oct 29, 2012 at 08:05:36PM +0100, Joolee wrote:
> > You could but I don't think anyone will fix your problem for you that way.
> >
>
> Then Step 1 please.

My MailScanner.conf file for exim is

Relevant lines

Run As User = exim
Run As Group = exim
Incoming Queue Dir = /var/spool/exim.in/input
Outgoing Queue Dir = /var/spool/exim/input
# Set whether to use postfix, sendmail, exim or zmailer.
MTA = exim
Sendmail = /usr/exim/bin/exim
#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
Sendmail2 = /usr/exim/bin/exim -C /usr/exim/exim_send.conf

>
> > On 29 October 2012 19:32, The Doctor wrote:
> >
> > > On Mon, Oct 29, 2012 at 05:49:33PM +0100, Mikael Syska wrote:
> > > > Hi,
> > > >
> > > > On Mon, Oct 29, 2012 at 4:21 PM, The Doctor wrote:
> > > > > Help!!
> > > > >
> > > > > Need to get this running.
> > > >
> > > > Then hire someone for the job.
> > > >
> > > > > I have read the instructions and to date I do send but the e-mail
> > > > > does not come back.
> > > >
> > > > Since everybody else can get it working, I guess you are doing something wrong.
> > > >
> > > > > What am I doing wrong?
> > > >
> > > > Not doing it right :-)
> > > >
> > > > You need to tell us about your setup, better more useless information,
> > > > than no information ... else the above will be my best guess.
> > > >
> > >
> > > Sorry about that; I was wondering if this group was still alive.
> > >
> > > Could I post the MailScanner.conf and the exim configuration files?
--
Member - Liberal International This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
USA petition to dissolve the Republic and vote to dissolve it in November 2012

From mogens at fumlersoft.dk Mon Oct 29 21:59:55 2012
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Mon, 29 Oct 2012 22:59:55 +0100 (CET)
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029152130.GA14009@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
Message-ID: <25982.31318c7a.1351547995.nsm@mail.fumlersoft.dk>

My guess would be, your signature gets caught in your filters.

On Mon, October 29, 2012 16:21, The Doctor wrote:
> Help!!
>
> Need to get this running.
>
> I have read the instructions and to date I do send but the e-mail
> does not come back.
>
> What am I doing wrong?
>
> --
> Member - Liberal International This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
> God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
> http://www.fullyfollow.me/rootnl2k
> USA petition to dissolve the Republic and vote to dissolve it in November 2012

--
Mogens Melander
+66 8701 33224

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From doctor at doctor.nl2k.ab.ca Mon Oct 29 22:57:39 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 29 Oct 2012 16:57:39 -0600
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <25982.31318c7a.1351547995.nsm@mail.fumlersoft.dk>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca> <25982.31318c7a.1351547995.nsm@mail.fumlersoft.dk>
Message-ID: <20121029225739.GB3102@doctor.nl2k.ab.ca>

On Mon, Oct 29, 2012 at 10:59:55PM +0100, Mogens Melander wrote:
> My guess would be, your signature gets caught in your filters.
>
> On Mon, October 29, 2012 16:21, The Doctor wrote:
> > Help!!
> >
> > Need to get this running.
> >
> > I have read the instructions and to date I do send but the e-mail
> > does not come back.
> >
> > What am I doing wrong?
>

LOL!!

>
> --
> Mogens Melander
> +66 8701 33224

--
Member - Liberal International This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
USA petition to dissolve the Republic and vote to dissolve it in November 2012

From doctor at doctor.nl2k.ab.ca Tue Oct 30 14:56:30 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Tue, 30 Oct 2012 08:56:30 -0600
Subject: Spam Lists
Message-ID: <20121030145630.GA14860@doctor.nl2k.ab.ca>

Right

Are the following Black Holes supported on MailScanner:

sbl-xbl.spamhaus.org
zen.spamhaus.org
dnsbl.njabl.org
combined.njabl.org
bl.spamcop.net
iscbl.anti-spam.org.cn
cbl.anti-spam.org.cn
cblplus.anti-spam.org.cn
cblless.anti-spam.org.cn
hostkarma.junkemailfilter.com=127.0.0.2

--
Member - Liberal International This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
USA petition to dissolve the Republic and vote to dissolve it in November 2012

From Kevin_Miller at ci.juneau.ak.us Tue Oct 30 16:52:14 2012
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue, 30 Oct 2012 08:52:14 -0800
Subject: Spam Lists
In-Reply-To: <20121030145630.GA14860@doctor.nl2k.ab.ca>
References: <20121030145630.GA14860@doctor.nl2k.ab.ca>
Message-ID: <4A09477D575C2C4B86497161427DD94C27A372BEF3@city-exchange07>

See /etc/MailScanner/spam.lists.conf

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of The Doctor
Sent: Tuesday, October 30, 2012 6:57 AM
To: mailscanner at lists.mailscanner.info
Subject: Spam Lists

Right

Are the following Black Holes supported on MailScanner:

sbl-xbl.spamhaus.org
zen.spamhaus.org
dnsbl.njabl.org
combined.njabl.org
bl.spamcop.net
iscbl.anti-spam.org.cn
cbl.anti-spam.org.cn
cblplus.anti-spam.org.cn
cblless.anti-spam.org.cn
hostkarma.junkemailfilter.com=127.0.0.2

From maxsec at gmail.com Tue Oct 30 17:05:48 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 30 Oct 2012 17:05:48 +0000
Subject: Spam Lists
In-Reply-To: <20121030145630.GA14860@doctor.nl2k.ab.ca>
References: <20121030145630.GA14860@doctor.nl2k.ab.ca>
Message-ID:

Best to use them in SpamAssassin rather than Mailscanner itself, so yes, although the zen/xbl and others also contain feed from each other.

--
Martin Hepworth, CISSP
Oxford, UK

On 30 October 2012 14:56, The Doctor wrote:

> Right
>
> Are the following Black Holes supported on MailScanner:
>
> sbl-xbl.spamhaus.org
> zen.spamhaus.org
> dnsbl.njabl.org
> combined.njabl.org
> bl.spamcop.net
> iscbl.anti-spam.org.cn
> cbl.anti-spam.org.cn
> cblplus.anti-spam.org.cn
> cblless.anti-spam.org.cn
> hostkarma.junkemailfilter.com=127.0.0.2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121030/190e3fb0/attachment.html

From alvaro at hostalia.com Tue Oct 30 17:08:06 2012
From: alvaro at hostalia.com (Alvaro Marin)
Date: Tue, 30 Oct 2012 18:08:06 +0100
Subject: Large rule files
Message-ID: <50900976.5050104@hostalia.com>

Hello,

we've some rule files (whitelist, blacklist, checks...) and some days ago, I added new rules so some of those files have more than 25000 lines now.

We have seen an important performance impact in MailScanner... Is there any "magic" solution to this?
I've been reading about Ruleset-from-Function.pm, is anyone using it?

Thanks!

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From ecasarero at gmail.com Tue Oct 30 19:17:07 2012
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Tue, 30 Oct 2012 16:17:07 -0300
Subject: Large rule files
In-Reply-To: <50900976.5050104@hostalia.com>
References: <50900976.5050104@hostalia.com>
Message-ID:

Hi alvaro, we are using an sqlite db to hold white/blacklists, we didn't measure performance impacts, but both of our lists have over a thousand rules and work fine. We took some CustomFunctions from Mailwatch and tuned to work with sqlite instead of mysql.

Regards,
Eduardo.

2012/10/30 Alvaro Marin

> Hello,
>
> we've some rule files (whitelist, blacklist, checks...) and some days
> ago, I added new rules so some of those files have more than 25000 lines
> now.
>
> We have seen an important performance impact in MailScanner...Is there
> any "magic" solution to this?
> I've been reading about Ruleset-from-Function.pm, is anyone using it?
>
> Thanks!
>
> Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121030/c75431b8/attachment.html
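
The approach described in the reply above (sender lists held in SQLite rather than a 25000-line rule file), as an added example that is not part of the thread and is not MailScanner or MailWatch code: it compares a per-message linear scan with an indexed lookup that tries the full address first and then each parent domain. The table name, function names and sample rules are assumptions constructed for the illustration.

```python
import sqlite3

# Constructed sample data: 25,000 generated sender domains plus three
# hand-written entries. None of these values come from the thread.
CONSTRUCTED_RULES = [(f"bulk{i}.example", "blacklist") for i in range(25000)] + [
    ("example.org", "blacklist"),
    ("alice@example.org", "whitelist"),
    ("mail.example.net", "whitelist"),
]


def candidate_keys(sender):
    """Return lookup keys for an envelope sender, most specific first."""
    sender = sender.strip().strip("<>").lower()
    if sender.count("@") != 1:
        return []  # null sender "<>" (bounces) or malformed address
    local, domain = sender.split("@")
    if not local or not domain:
        return []
    labels = domain.split(".")
    # u@a.b.example.com -> a.b.example.com, b.example.com, example.com
    domains = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return [sender] + domains


def load_rules(rules):
    """Load (key, action) pairs into an in-memory table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sender_rules ("
        " sender_key TEXT PRIMARY KEY,"  # PRIMARY KEY gives the lookup index
        " action TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT OR REPLACE INTO sender_rules VALUES (?, ?)",
        ((key.lower(), action) for key, action in rules),
    )
    db.commit()
    return db


def lookup(db, sender):
    """Indexed lookup: a handful of key probes per message, whatever the list size."""
    for key in candidate_keys(sender):
        row = db.execute(
            "SELECT action FROM sender_rules WHERE sender_key = ?", (key,)
        ).fetchone()
        if row:
            return row[0]
    return None


def lookup_linear(rules, sender):
    """Flat-file behaviour: every rule is compared against every message."""
    keys = candidate_keys(sender)
    best = None
    for rule_key, action in rules:
        rule_key = rule_key.lower()
        if rule_key in keys:
            rank = keys.index(rule_key)  # lower rank = more specific match
            if best is None or rank < best[0]:
                best = (rank, action)
    return best[1] if best else None


def query_is_indexed(db):
    """Check the query plan: SEARCH means index use, SCAN means a full table walk."""
    plan = db.execute(
        "EXPLAIN QUERY PLAN SELECT action FROM sender_rules WHERE sender_key = ?",
        ("x",),
    ).fetchall()
    return bool(plan) and all(row[-1].startswith("SEARCH") for row in plan)


if __name__ == "__main__":
    db = load_rules(CONSTRUCTED_RULES)
    for s in ("Alice@Example.org", "bob@example.org", "x@smtp.mail.example.net", "<>"):
        print(s, lookup(db, s), lookup_linear(CONSTRUCTED_RULES, s))
    print("indexed:", query_is_indexed(db))
```

Because the address key is tried before the domain keys, an address-level entry takes precedence over a domain-level one; the null sender used by bounces matches nothing and falls through to whatever default the filter applies.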