From noel.butler at ausics.net Mon Jun 3 06:16:56 2013
From: noel.butler at ausics.net (Noel Butler)
Date: Mon, 03 Jun 2013 15:16:56 +1000
Subject: fprot users - warning
Message-ID: <1370236616.7628.9.camel@tardis>

Well, it's been a long time since I've used MailScanner, due to previous errors never being resolved on later OSs, so I'm not sure if this list has discussed this or not, but...

If you use f-prot, it is advisable NOT to upgrade to a 3.9 kernel if you rely solely on it; fpscan etc. will likely segfault every time you try to run a scan. If you upgrade, disable f-prot and use an alternative AV, though I'd hope most are using multiple anyway, so it should not be too much of a problem.

I give you this advice since Commtouch don't apparently read support tickets for f-prot, or at least not in the past few weeks.

(Please note: this is advice only. I don't read this folder, it's auto set to mark as read; if you really need me to see any reply, CC me directly.)
From: rsmith at dynamicquest.com (Ronnie Smith)
Date: Mon, 3 Jun 2013 14:19:26 -0400
Subject: winmail.dat
Message-ID: <00aa01ce6086$e2acc260$a8064720$@dynamicquest.com>

I have whitelisted some domains, but often it will quarantine as W/L Other because of winmail.dat. I have TNEF turned off, but yet it still blocks these messages. It even says Dangerous No but still quarantines. I can't figure out why.

Ronnie Smith // Support Engineer
rsmith at dynamicquest.com
336.389.4687
Dynamic Quest
IT Solutions // Business Consulting // Marketing // Data Center // Software // Helpdesk

From: phil.randal at hoopleltd.co.uk (Randal, Phil)
Date: Tue, 4 Jun 2013 09:06:19 +0000
Subject: winmail.dat
In-Reply-To: <00aa01ce6086$e2acc260$a8064720$@dynamicquest.com>
References: <00aa01ce6086$e2acc260$a8064720$@dynamicquest.com>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B8541965428@HC-EXMBX04.herefordshire.gov.uk>

Try using the latest TNEF.pm from the MailScanner GIT repository:

https://github.com/MailScanner/MailScanner/blob/master/mailscanner/bin/MailScanner/TNEF.pm

Even with this, I ended up turning off TNEF handling. Something just isn't right, still.

Cheers,
Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.randal at hoopleltd.co.uk

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ronnie Smith
Sent: 03 June 2013 19:19
To: mailscanner at lists.mailscanner.info
Subject: winmail.dat

I have whitelisted some domains, but often it will quarantine as W/L Other because of winmail.dat. I have TNEF turned off, but yet it still blocks these messages. It even says Dangerous No but still quarantines. I can't figure out why.

Ronnie Smith // Support Engineer
rsmith at dynamicquest.com
336.389.4687
Dynamic Quest
IT Solutions // Business Consulting // Marketing // Data Center // Software // Helpdesk
From: rogeride at rogeride.com (Roger Ide)
Date: Tue, 4 Jun 2013 17:45:45 -0400
Subject: unsubscribe
Message-ID: <004a01ce616c$de67a620$9b36f260$@com>

unsubscribe

From: mikael at syska.dk (Mikael Syska)
Date: Wed, 5 Jun 2013 02:18:11 +0200
Subject: unsubscribe
In-Reply-To: <004a01ce616c$de67a620$9b36f260$@com>
References: <004a01ce616c$de67a620$9b36f260$@com>

List-Unsubscribe: ,

Regards
Mikael Syska

On Tue, Jun 4, 2013 at 11:45 PM, Roger Ide wrote:
> unsubscribe
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
From: f.immenroth at klinikum-braunschweig.de (f immenroth)
Date: Fri, 07 Jun 2013 08:32:58 +0200
Subject: problem with mail address case
Message-ID: <51B19ABA0200007D00037F8B@groupwise.skbs.de>

Hello,

we have a problem with our MailScanner / Postfix system. When I send a mail to T1485 at domain.com, the address is changed after processing to t1485 at domain.com. Since the receiving system requires case-sensitive addresses (as defined in the RFC), what do I have to change so that the mail addresses are not rewritten?

Thank you
Florian

Log output:

Jun 7 08:24:35 mailproxy postfix/cleanup[24006]: C5226107EF9: hold: header Received: from groupwise.skbs.de (groupwise2.serverskbs.de [192.168.12.169]) by mailproxy.serverskbs.de (Postfix) with ESMTP id C5226107EF9 for <T1485 at oscar.klinikum-braunschweig.de>; Fri, 7 Jun 20 from groupwise2.serverskbs.de[192.168.12.169]; from=<f.immenroth at klinikum-braunschweig.de> to=<T1485 at oscar.klinikum-braunschweig.de> proto=ESMTP helo=<groupwise.skbs.de>
Jun 7 08:24:35 mailproxy postfix/cleanup[24006]: C5226107EF9: message-id=<51B198C20200007D00037F85 at groupwise.skbs.de>
Jun 7 08:24:35 mailproxy postfix/smtpd[24004]: disconnect from groupwise2.serverskbs.de[192.168.12.169]
Jun 7 08:24:40 mailproxy MailScanner[24012]: New Batch: Scanning 1 messages, 1433 bytes
Jun 7 08:24:40 mailproxy MailScanner[24012]: Filename Checks: Allowing C5226107EF9.AA8A5 msg-24012-1.txt
Jun 7 08:24:41 mailproxy MailScanner[24012]: Filetype Checks: Allowing C5226107EF9.AA8A5 msg-24012-1.txt (no match found)
Jun 7 08:24:41 mailproxy MailScanner[24012]: Virus and Content Scanning: Starting
Jun 7 08:24:41 mailproxy MailScanner[24012]: Virus Scanning completed at 2563 bytes per second
Jun 7 08:24:41 mailproxy MailScanner[24012]: Spam Checks: Starting
Jun 7 08:24:41 mailproxy MailScanner[24012]: Message C5226107EF9.AA8A5 from 192.168.12.169 (f.immenroth at klinikum-braunschweig.de) is whitelisted
Jun 7 08:24:41 mailproxy MailScanner[24012]: Spam Checks completed at 616898 bytes per second
Jun 7 08:24:41 mailproxy MailScanner[24012]: Requeue: C5226107EF9.AA8A5 to 97AA1107F06
Jun 7 08:24:41 mailproxy postfix/qmgr[5855]: 97AA1107F06: from=<f.immenroth at klinikum-braunschweig.de>, size=603, nrcpt=1 (queue active)
Jun 7 08:24:41 mailproxy MailScanner[24012]: Uninfected: Delivered 1 messages
Jun 7 08:24:41 mailproxy MailScanner[24012]: Virus Processing completed at 176088 bytes per second
Jun 7 08:24:41 mailproxy MailScanner[24012]: Deleted 1 messages from processing-database
Jun 7 08:24:41 mailproxy MailScanner[24012]: Batch completed at 2404 bytes per second (1433 / 0)
Jun 7 08:24:41 mailproxy MailScanner[24012]: Batch (1 message) processed in 0.60 seconds
Jun 7 08:24:41 mailproxy postfix/smtp[24026]: 97AA1107F06: to=<t1485 at oscar.klinikum-braunschweig.de>, relay=172.16.60.75[172.16.60.75]:25, delay=5.8, delays=5.7/0/0.01/0.02, dsn=5.0.0, status=bounced (host 172.16.60.75[172.16.60.75] said: 553 Requested action not taken: mailbox name not allowed (in reply to RCPT TO command))
Jun 7 08:24:41 mailproxy MailScanner[24012]: Logging message C5226107EF9.AA8A5 to SQL
Jun 7 08:24:41 mailproxy MailScanner[24015]: C5226107EF9.AA8A5: Logged to MailWatch SQL
Jun 7 08:24:41 mailproxy postfix/cleanup[24006]: 89149107EF9: message-id=<20130607062441.89149107EF9 at mailproxy.serverskbs.de>
Jun 7 08:24:41 mailproxy MailScanner[24012]: "Always Looked Up Last" took 0.01 seconds
Jun 7 08:24:41 mailproxy postfix/qmgr[5855]: 89149107EF9: from=<>, size=3064, nrcpt=1 (queue active)
Jun 7 08:24:41 mailproxy postfix/bounce[24129]: 97AA1107F06: sender non-delivery notification: 89149107EF9
Jun 7 08:24:41 mailproxy postfix/qmgr[5855]: 97AA1107F06: removed
Jun 7 08:24:41 mailproxy postfix/smtp[24026]: 89149107EF9: to=<f.immenroth at klinikum-braunschweig.de>, relay=192.168.12.169[192.168.12.169]:25, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (250 Ok)
Jun 7 08:24:41 mailproxy postfix/qmgr[5855]: 89149107EF9: removed

Städtisches Klinikum Braunschweig gGmbH
Freisestr. 9/10, 38118 Braunschweig
Managing Director: Dipl.-Kfm. Helmut Schüttig
Supervisory Board: Ulrich Markurth, Chairman
Braunschweig District Court, HRB 9319
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 7 Jun 2013 09:54:17 +0200
Subject: problem with mail address case
In-Reply-To: <51B19ABA0200007D00037F8B@groupwise.skbs.de>
References: <51B19ABA0200007D00037F8B@groupwise.skbs.de>

I believe this is actually an MTA (Postfix) issue and not MailScanner. There is a lot of info out there in groups where this has been discussed.

On a similar note, I stick with all lower case addresses. While RFC compliant, not everything out there is compliant and could cause issues outside of your enclave.

On Friday, June 7, 2013, f immenroth wrote:
> Hello,
>
> we have a problem with our MailScanner / Postfix system.
> When I send a mail to T1485 at domain.com, the address is changed after processing to t1485 at domain.com.
> Since the receiving system requires case-sensitive addresses (as defined in the RFC), what do I have to change so that the mail addresses are not rewritten?
>
> Thank you
>
> Florian
>
> Log output:
> [...]
>
> Städtisches Klinikum Braunschweig gGmbH
> Freisestr. 9/10, 38118 Braunschweig
> Managing Director: Dipl.-Kfm. Helmut Schüttig
> Supervisory Board: Ulrich Markurth, Chairman
> Braunschweig District Court, HRB 9319

--
Jerry Benton
Mailborder Systems
www.mailborder.com
From: garry at glendown.de (Garry Glendown)
Date: Fri, 07 Jun 2013 11:38:38 +0200
Subject: Excluding recipients from all checks?
Message-ID: <51B1AA1E.5090500@glendown.de>

Hi,

is it possible to define some global list of recipients which will not have any checks performed for them? I have the need to exclude some special accounts which must never have any false positives, no matter what ... The only way I could think of to implement this would be by creating special rule files for just about every check, disabling them for those accounts ... needless to say that the work to do this is way too big to actually do that ...

Help appreciated,
-garry
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 7 Jun 2013 13:20:00 +0200
Subject: Excluding recipients from all checks?
In-Reply-To: <51B1AA1E.5090500@glendown.de>
References: <51B1AA1E.5090500@glendown.de>

scan.message.rules

On Fri, Jun 7, 2013 at 11:38 AM, Garry Glendown wrote:
> Hi,
>
> is it possible to define some global list of recipients which will not
> have any checks performed for them? I have the need to exclude some special
> accounts which must never have any false positives, no matter what ...
> The only way I could think of to implement this would be by creating
> special rule files for just about every check, disabling them for those
> accounts ... needless to say that the work to do this is way too big to
> actually do that ...
>
> Help appreciated, -garry

--
Jerry Benton
Mailborder Systems
www.mailborder.com
From: f.immenroth at klinikum-braunschweig.de (f immenroth)
Date: Fri, 07 Jun 2013 13:22:30 +0200
Subject: Antw: Re: problem with mail address case
References: <51B19ABA0200007D00037F8B@groupwise.skbs.de>
Message-ID: <51B1DE960200007D00038001@groupwise.skbs.de>

Hi,

I finally found the problem after some searching on the internet.

The error is located in MailScanner. After changing all lines with "{to}" in them in /usr/lib/MailScanner/MailScanner/Postfix.pm from

    push @{$message->{to}}, lc($recdata);

to

    push @{$message->{to}}, $recdata;

the mail address is unchanged.

Regards
Florian

>> Jerry Benton wrote on 07.06.2013 at 09:54:
> I believe this is actually an MTA (Postfix) issue and not MailScanner. There is a lot of info out there in groups where this has been discussed.
>
> On a similar note, I stick with all lower case addresses. While RFC compliant, not everything out there is compliant and could cause issues outside of your enclave.
>
> On Friday, June 7, 2013, f immenroth wrote:
>> Hello,
>> we have a problem with our MailScanner / Postfix system. When I send a mail to T1485 at domain.com, the address is changed after processing to t1485 at domain.com. Since the receiving system requires case-sensitive addresses (as defined in the RFC), what do I have to change so that the mail addresses are not rewritten?
>> Thank you
>> Florian
>> Log output:
>> [...]
>
> --
> Jerry Benton
> Mailborder Systems
> www.mailborder.com

Städtisches Klinikum Braunschweig gGmbH
Freisestr. 9/10, 38118 Braunschweig
Managing Director: Dipl.-Kfm. Helmut Schüttig
Supervisory Board: Ulrich Markurth, Chairman
Braunschweig District Court, HRB 9319
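The fix above removes the lc() call entirely. The added example below (not MailScanner's Postfix.pm, and not code from anyone in this thread) shows the distinction that Jerry's and Florian's messages circle around: RFC 5321 makes the domain part of an address case-insensitive and the local part case-sensitive, so a scanner may fold the whole address for its own ruleset and whitelist lookups, but the address it hands back to the MTA must keep the local part as received. The addresses used are the ones from the log in the original post; the function and field names are this example's own.

```python
"""Recipient case handling: fold for matching, preserve for delivery.

Added example, not MailScanner code. Lowercasing the whole address before it
goes back into the Postfix queue is what produced the 553 bounce in the log
above; folding only the domain keeps the mailbox name intact.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipient:
    delivery: str   # what goes back to the MTA (RCPT TO); local part untouched
    match_key: str  # used only for case-insensitive ruleset/whitelist lookups


def split_address(addr: str) -> tuple[str, str]:
    """Split 'local@domain' at the last '@' (a quoted local part may contain '@')."""
    addr = addr.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr, ""          # bare local part such as 'postmaster'
    return local, domain


def normalize_recipient(addr: str) -> Recipient:
    """Fold only the domain for delivery; fold everything for matching."""
    local, domain = split_address(addr)
    delivery = f"{local}@{domain.lower()}" if domain else local
    return Recipient(delivery=delivery, match_key=delivery.lower())


def lc_whole_address(addr: str) -> str:
    """The behaviour the thread describes: lc() over the complete address."""
    return addr.strip().strip("<>").lower()


def rule_matches(pattern: str, recipient: Recipient) -> bool:
    """Ruleset-style comparison: case-insensitive on both sides."""
    return recipient.match_key == pattern.lower()


def local_part_changed(received: str, delivered: str) -> bool:
    """Detection check for the failure in the thread: compare the recipient
    Postfix logged at cleanup with the one it logged at smtp delivery and
    report when the same mailbox domain got a different local part."""
    l_in, d_in = split_address(received)
    l_out, d_out = split_address(delivered)
    return d_in.lower() == d_out.lower() and l_in != l_out


if __name__ == "__main__":
    # Addresses taken from the cleanup and smtp log lines in the original post.
    received = "T1485@oscar.klinikum-braunschweig.de"
    delivered = "t1485@oscar.klinikum-braunschweig.de"
    print("lc() on whole address:", lc_whole_address(received))
    print("domain-only fold:     ", normalize_recipient(received).delivery)
    print("local part altered?   ", local_part_changed(received, delivered))
```

Run over a day's mail log, `local_part_changed` applied to each cleanup/smtp pair for the same queue id flags exactly the rewrites that lead to the "mailbox name not allowed" bounce.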
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 7 Jun 2013 12:43:38 +0100
Subject: Excluding recipients from all checks?
In-Reply-To: <51B1AA1E.5090500@glendown.de>
References: <51B1AA1E.5090500@glendown.de>

For spam checks you can use the "Is Definitely Not Spam" setting and a ruleset off that. Or there's the big switch Scan Messages:

http://www.mailscanner.info/MailScanner.conf.index.html#Scan%20Messages

--
Martin Hepworth, CISSP
Oxford, UK

On 7 June 2013 10:38, Garry Glendown wrote:
> Hi,
>
> is it possible to define some global list of recipients which will not
> have any checks performed for them? I have the need to exclude some special
> accounts which must never have any false positives, no matter what ...
> The only way I could think of to implement this would be by creating
> special rule files for just about every check, disabling them for those
> accounts ... needless to say that the work to do this is way too big to
> actually do that ...
>
> Help appreciated, -garry
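As an added illustration of the "Scan Messages" option Martin points to (not from the original post or the MailScanner project), a ruleset that exempts named recipients while everyone else keeps the default. It assumes the file is wired up in MailScanner.conf as `Scan Messages = %rules-dir%/scan.messages.rules`; the two addresses are constructed placeholders. Note what the switch trades away: "no" here skips every check for those recipients, virus scanning included, which is why it fits the no-false-positives requirement Garry states but should be limited to the smallest possible list.

```text
# scan.messages.rules  (constructed example; file name per the assumed
# "Scan Messages = %rules-dir%/scan.messages.rules" line in MailScanner.conf)
#
# Rules are evaluated top to bottom and the first match wins, so the
# exemptions come first and the "default" line must be last.
#
# Direction    Pattern                        Value
To:            ceo@example.com                no
To:            alerts@example.com             no
FromOrTo:      default                        yes
```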
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri, 7 Jun 2013 14:04:43 +0200
Subject: Corrupted messages Postfix

Hello David,

This problem you have may be stemming from the change of locking scheme in Postfix 2.10. It was also a problem (in the past) when we did the two-Postfix deferred queue thing to implement MailScanner (prior to the hold queue thing we usually do now).

Check whether your Postfix is using fifo or unix locks in master.cf, and consider going back to fifo in that (with an appropriate restart of Postfix afterwards, of course)... OR change MailScanner.conf accordingly and restart MailScanner (the setting is "Lock Type"). I would think it fairly safe & easy to do the PF change.

Cheers
--
-- Glenn

On 31 May 2013 09:18, David Valin Alonso wrote:
> Hi Martin,
> this is a copy/paste from my mail.log:
>
> May 29 11:02:21 server postfix/cleanup[27995]: 19D6CDFD3F: message-id=<201305290411.3.5607.30342.2445274 at cog.lumata.com>
> May 29 11:02:21 server postfix/smtpd[27991]: disconnect from unknown[213.92.42.10]
> May 29 11:02:22 server MailScanner[24390]: New Batch: Scanning 1 messages, 4532 bytes
> May 29 11:02:22 server MailScanner[24390]: Virus and Content Scanning: Starting
> May 29 11:02:36 server MailScanner[24390]: Requeue: 19D6CDFD3F.AEAD7 to C6CEEDFD46
> May 29 11:02:36 server MailScanner[24390]: Uninfected: Delivered 1 messages
> May 29 11:02:36 server postfix/qmgr[3507]: C6CEEDFD46: from=<>, size=3885, nrcpt=1 (queue active)
> May 29 11:02:36 server postfix/qmgr[3507]: warning: C6CEEDFD46: message rejected: missing end record
> May 29 11:02:36 server postfix/qmgr[3507]: warning: saving corrupt file "C6CEEDFD46" from queue "active" to queue "corrupt"
> May 29 11:02:36 server MailScanner[24390]: Deleted 1 messages from processing-database
>
> Not all mails go to corrupt; for example, if a mail comes to 1 person it handles it well the first time, the next time it sends it to corrupt. I am losing 60-75% in the corrupt queue. Yesterday I had to stop MailScanner and reconfigure header_checks to bypass the problem till I find a solution, because everything was working great.
>
> Regards,
>
> David
>
> 2013/5/30 Martin Hepworth
>> what do the logs say for the messages in question?
>> check the postfix logs and the mailscanner logs.
>> Also try running mailscanner in debug mode (see the wiki)
>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>> On 30 May 2013 09:10, David Valin Alonso wrote:
>>> Hello,
>>> I got a server running Ubuntu 10.04 LTS x64 + Postfix 2.10 + Cyrus 2.2 + MailScanner 4.84 + SpamAssassin, and all was working really great till a couple of days ago, when it began to send mails to the corrupt folder /var/spool/postfix/corrupt. It complains about a missing record and rejects the mail, moving it from the active to the corrupt queue.
>>> I don't know what happened, and the configurations of Postfix and MailScanner didn't change, as it was working really great.
>>>
>>> What could have happened?
>>>
>>> Regards,
>>>
>>> David
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri, 7 Jun 2013 14:19:49 +0200
Subject: MailScanner Development
In-Reply-To: <7422D1030AB0A0479EE5090F3702AAF819A4D9@BUGATTI.snjlaw.local>
References: <7422D1030AB0A0479EE5090F3702AAF819A4D9@BUGATTI.snjlaw.local>

On 31 May 2013 16:48, Quintin Giesbrecht wrote:
> Just curious...
>
> We've been using MailScanner for a long time (I have used it at 2 different employers for more than 10 years).
>
> At my latest firm, where I have been for 8 years, we took a break for about a year and a half, and tried out a commercial appliance - it was HORRIBLE.
>
> In any case, we are back, and fully enjoying MailScanner again :-)
>
> I do have a question though, that I have searched for, and haven't found an answer to so far. I believe that at one time, new versions of MS came out almost monthly (correct me if I am wrong), and I notice that the latest version available is from November of last year. Is development still continuing? I hope so :-)

Hello Quintin,

AFAIU, Jules has more or less passed this on to some members of this list (among others the Baruwa originator), and most (if not all) development is tracked on GitHub these days... Search the list for github references and you'll see :-).

BTW you don't remember wrong... It used to be a stable release every month, then bimonthly... and now almost never :-) :-). It might reflect a couple of different things... That the product has stabilised nicely, that email threats are on a decline (well :-)) etc. The major factor is probably that Jules isn't so directly involved any more.

Cheers
--
-- Glenn

> Sorry if this has been asked and answered, I just couldn't find it...
>
> Thanks!
>
> _______________________________________________________
> Quintin Giesbrecht
> Smith Neufeld Jodoin LLP
> IT Manager
> q at snj.ca
> (204)346-5106

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 7 Jun 2013 14:20:42 +0200
Subject: problem with mail address case
In-Reply-To: <51B1DE960200007D00038001@groupwise.skbs.de>
References: <51B19ABA0200007D00037F8B@groupwise.skbs.de> <51B1DE960200007D00038001@groupwise.skbs.de>
Message-ID:

Ah... good to know. I was not aware of that "feature".

On Fri, Jun 7, 2013 at 1:22 PM, f immenroth <f.immenroth at klinikum-braunschweig.de> wrote:
> Hi,
>
> I finally found the problem after some searching on the internet.
>
> The error is located in MailScanner. After changing all lines with "{to}"
> in them in /usr/lib/MailScanner/MailScanner/Postfix.pm from
>
>     push @{$message->{to}}, lc($recdata);
>
> to
>
>     push @{$message->{to}}, $recdata;
>
> the mail address is left unchanged.
>
> Regards
> Florian
>
>
> >> Jerry Benton wrote on 07.06.2013 at 09:54:
> I believe this is actually an MTA (postfix) issue and not MailScanner.
> There is a lot of info out there in groups where this has been discussed.
>
> On a similar note, I stick with all lower case addresses. While RFC
> compliant, not everything out there is compliant and could cause issues
> outside of your enclave.
>
>
> On Friday, June 7, 2013, f immenroth wrote:
>
>> Hello,
>> we have a problem with our MailScanner / Postfix system.
>> When I send a mail to T1485 at domain.com the address will be changed after
>> processing to t1485 at domain.com.
>> Since the receiving system requires case sensitive addresses (and so
>> defined in the RFC), what do I have to change so that the mail addresses
>> are not rewritten?
>> Thank you
>> Florian
>>
>> Log-Output:
>> Jun 7 08:24:35 mailproxy postfix/cleanup[24006]: C5226107EF9: hold: header Received: from groupwise.skbs.de (groupwise2.serverskbs.de[192.168.12.169])??by mailproxy.serverskbs.de (Postfix) with ESMTP id C5226107EF9??for <T1485 at oscar.klinikum-braunschweig.de>; Fri, 7 Jun 20 from groupwise2.serverskbs.de[192.168.12.169]; from=<f.immenroth at klinikum-braunschweig.de> to=<T1485 at oscar.klinikum-braunschweig.de> proto=ESMTP helo=
>> Jun 7 08:24:35 mailproxy postfix/cleanup[24006]: C5226107EF9: message-id=<51B198C20200007D00037F85 at groupwise.skbs.de>
>> Jun 7 08:24:35 mailproxy postfix/smtpd[24004]: disconnect from groupwise2.serverskbs.de[192.168.12.169]
>> Jun 7 08:24:40 mailproxy MailScanner[24012]: New Batch: Scanning 1 messages, 1433 bytes
>> Jun 7 08:24:40 mailproxy MailScanner[24012]: Filename Checks: Allowing C5226107EF9.AA8A5 msg-24012-1.txt
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Filetype Checks: Allowing C5226107EF9.AA8A5 msg-24012-1.txt (no match found)
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Virus and Content Scanning: Starting
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Virus Scanning completed at 2563 bytes per second
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Spam Checks: Starting
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Message C5226107EF9.AA8A5 from 192.168.12.169 (f.immenroth at klinikum-braunschweig.de) is whitelisted
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Spam Checks completed at 616898 bytes per second
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Requeue: C5226107EF9.AA8A5 to 97AA1107F06
>> Jun 7 08:24:41 mailproxy postfix/qmgr[5855]: 97AA1107F06: from=<f.immenroth at klinikum-braunschweig.de>, size=603, nrcpt=1 (queue active)
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Uninfected: Delivered 1 messages
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Virus Processing completed at 176088 bytes per second
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Deleted 1 messages from processing-database
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Batch completed at 2404 bytes per second (1433 / 0)
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Batch (1 message) processed in 0.60 seconds
>> Jun 7 08:24:41 mailproxy postfix/smtp[24026]: 97AA1107F06: to=<t1485 at oscar.klinikum-braunschweig.de>, relay=172.16.60.75[172.16.60.75]:25, delay=5.8, delays=5.7/0/0.01/0.02, dsn=5.0.0, status=bounced (host 172.16.60.75[172.16.60.75] said: 553 Requested action not taken: mailbox name not allowed (in reply to RCPT TO command))
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: Logging message C5226107EF9.AA8A5 to SQL
>> Jun 7 08:24:41 mailproxy MailScanner[24015]: C5226107EF9.AA8A5: Logged to MailWatch SQL
>> Jun 7 08:24:41 mailproxy postfix/cleanup[24006]: 89149107EF9: message-id=<20130607062441.89149107EF9 at mailproxy.serverskbs.de>
>> Jun 7 08:24:41 mailproxy MailScanner[24012]: "Always Looked Up Last" took 0.01 seconds
>> Jun 7 08:24:41 mailproxy postfix/qmgr[5855]: 89149107EF9: from=<>, size=3064, nrcpt=1 (queue active)
>> Jun 7 08:24:41 mailproxy postfix/bounce[24129]: 97AA1107F06: sender non-delivery notification: 89149107EF9
>> Jun 7 08:24:41 mailproxy postfix/qmgr[5855]: 97AA1107F06: removed
>> Jun 7 08:24:41 mailproxy postfix/smtp[24026]: 89149107EF9: to=<f.immenroth at klinikum-braunschweig.de>, relay=192.168.12.169[192.168.12.169]:25, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (250 Ok)
>> Jun 7 08:24:41 mailproxy postfix/qmgr[5855]: 89149107EF9: removed
>>
>> Städtisches Klinikum Braunschweig gGmbH
>>
>> Freisestr. 9/10, 38118 Braunschweig
>>
>> Managing Director: Dipl.-Kfm. Helmut Schüttig
>>
>> Supervisory Board: Ulrich Markurth, Chairman
>>
>> Braunschweig District Court, HRB 9319
>>
>
>
> --
>
> --
> Jerry Benton
> Mailborder Systems
> www.mailborder.com
>

--
-- Jerry Benton
Mailborder Systems
www.mailborder.com

From garry at glendown.de Fri Jun 7 13:33:06 2013
From: garry at glendown.de (Garry Glendown)
Date: Fri, 07 Jun 2013 14:33:06 +0200
Subject: Excluding recipients from all checks?
In-Reply-To:
References: <51B1AA1E.5090500@glendown.de>
Message-ID: <51B1D302.6050107@glendown.de>

On 07.06.2013 13:20, Jerry Benton wrote:
> scan.message.rules
>
Thanks!

From glenn.steen at gmail.com Fri Jun 7 13:37:22 2013
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri, 7 Jun 2013 14:37:22 +0200
Subject: storing messages - found permission pb... not enought...
In-Reply-To: <20130527112125.GA5732@ubuntu>
References: <20130522094032.GA8174@ubuntu> <20130523104010.GB17056@ubuntu> <20130524151651.GC22476@ubuntu> <20130527112125.GA5732@ubuntu>
Message-ID:

Hello Sandro,

Sorry for the late reply, I've been ill for a while, so,... hence the delay.
Look below.

On 27 May 2013 13:21, Alessandro Dentella wrote:
> On Mon, May 27, 2013 at 10:41:36AM +0200, Glenn Steen wrote:
>> >> start the debug run via "MailScanner --debug". This will start
>> >> MailScanner without forking any children and without closing
>> >> stdin/stderr... And it will wait for exactly 1 message (or rather ...
>> >> one batch), process it and then exit... whilst spewing a bit of debug
>> >> info onto the screen.
>> >> Best is to run that as the postfix user (even though it should work
>> >> perfectly well from root... you could do two runs, one from root, one
>> >> from postfix.. The process should change user to whatever you have the
>> >> "Run User" set to... ie postfix:-).
>> >> After a bit of chatter, it'll hang, waiting for a message batch...
>> >> Which you need to provide via normal SMTP methods.
>> >>
>> >> We'll see what that gives you.
>> >
>> > Running as root:
>> >
>> > root at smtp:~# MailScanner --debug
>> >
>> >
>> > In Debugging mode, not forking...
>> > Trying to setlogsock(unix)
>> > Building a message batch to scan...
>> > Have a batch of 2 messages.
>> > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63, <$fh> line 4.
>> > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
>> > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
>> > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
>> > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
>> > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
>> > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630.
>> > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630.
>> > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630.
>> > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630.
>> > Stopping now as you are debugging me.
>> >
>> >
>> > Googling for this message, I understand it is related to the perl code, not to
>> > the system setup, correct?
>> > So I don't see any interesting message...
>> >
>> Well, the above probably indicates that any file manipulations done in
>> the perl code, through those "insecure" calls/dependencies, don't get
>> done.
>> Edit your MailScanner executable and change the first line from
>> #!/usr/bin/perl -I/usr/lib/MailScanner
>> to
>> #!/usr/bin/perl -I/usr/lib/MailScanner -U
>
> Well, I'm getting more and more puzzled.
>
> 1. I already have the -U flag in the shebang
>
And is that the one used, the one you're looking at? You don't have
multiple installs or some other such silliness?

> 2. the system is derived from an EFA [1] virtual machine that I modified. I
> reinstalled the original EFA and that does work correctly
>
So ... what mods did you do? One is inclined to think that therein would
lie the difference;-).

> So I'm checking the two systems side-by-side and I can't see the
> differences...
>
> Is there a way to raise the debugging level of MailScanner?
>
Well, if you're handy with an editor and know a bit about the structure of
the code in MS, you could uncomment some of the "debugging printf"
statements that litter the code... And you can add SpamAssassin debugging
with --debug-sa... Other than that, the answer is "no".

> sandro
> *:-)
>

Cheers!
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jun 7 13:49:10 2013
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri, 7 Jun 2013 14:49:10 +0200
Subject: storing messages - strace verdict: keepspamarchiveclean - HOW to FIX?
In-Reply-To: <20130529085120.GA11830@ubuntu>
References: <20130522094032.GA8174@ubuntu> <20130523104010.GB17056@ubuntu> <20130524151651.GC22476@ubuntu> <20130527112125.GA5732@ubuntu> <20130527181636.GA10586@ubuntu> <20130529085120.GA11830@ubuntu>
Message-ID:

On 29 May 2013 10:51, Alessandro Dentella wrote:
> On Mon, May 27, 2013 at 09:10:10PM +0200, Jerry Benton wrote:
>> These are the primary things I check for when dealing with this problem:
>>
>> 1. Selinux. Put in permissive and then build custom policies. Return to
>> enforcing.
>> 2. MailScanner Run As and directory ownership and permissions.
>> 3. MailScanner store messages as user matches permissions.
>> 4. Making sure you add the -U option to MailScanner for the newer versions of
>> perl.
>>
>> sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner
>>
>
> Today I decided to debug using strace; it showed clearly that the file was
> correctly written to quarantine but later deleted (unlink).
>
> I also found the single line that does that; commenting it out, I get the mail in
> quarantine:
>
>     sub RemoveInfectedSpam {
>       my $this = shift;
>
>       my($id, $message);
>
>       while(($id, $message) = each %{$this->{messages}}) {
>         #print STDERR "Message is infected\n" if $message->{infected};
>         # next unless $message->{infected};
>         next unless
>           MailScanner::Config::Value('keepspamarchiveclean', $message) =~ /1/;
>         #print STDERR "Deleting " . join(',',@{$message->{spamarchive}}) . "\n";
>         # unlink @{$message->{spamarchive}}; # Wipe the spamarchive files   <<<<< this deletes
>         @{$this->{spamarchive}} = (); # Wipe the spamarchive array
>       }
>     }
>
> So the problem is to understand why
> MailScanner::Config::Value('keepspamarchiveclean', $message) =~ /1/; says
> that it should be deleted.
>
> How is that evaluated?
>
You've set Keep Spam And MCP Archive Clean = yes ... So if you don't want
that, then set it to "no" (should be the default:).

> Thanks again for any help
> sandro
> *:-)
>
>

Cheers!
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From deivishome at gmail.com Fri Jun 7 13:53:02 2013
From: deivishome at gmail.com (David Valin Alonso)
Date: Fri, 7 Jun 2013 14:53:02 +0200
Subject: Corrupted messages Postfix
In-Reply-To:
References:
Message-ID:

Hi Glenn,

I think I am using fifo lock, if you mean the qmgr line:

qmgr fifo n - n 300 1 qmgr

So the correct lock type in mailscanner.conf for postfix 2.10 should be
flock or posix??

Thanks for your reply.

Regards,

David

2013/6/7 Glenn Steen
> Hello David,
>
> This problem you have may be stemming from the change of locking
> scheme in Postfix 2.10. It was also a problem (in the past) when we
> did the two-postfix deferred queue thing to implement MailScanner
> (prior to the hold queue thing we usually do now).
> Check whether your postfix is using fifo or unix locks in master.cf,
> and consider going back to fifo in that (with appropriate restart of
> Postfix afterwards, of course)... OR change MailScanner.conf
> accordingly and restart MailScanner (setting is "Lock Type").
>
> I would think it fairly safe&easy to do the PF change.
>
> Cheers
> --
> -- Glenn
>
> On 31 May 2013 09:18, David Valin Alonso wrote:
> > Hi Martin,
> > this is a copy/paste from my mail.log:
> > May 29 11:02:21 server postfix/cleanup[27995]: 19D6CDFD3F: message-id=<201305290411.3.5607.30342.2445274 at cog.lumata.com>
> > May 29 11:02:21 server postfix/smtpd[27991]: disconnect from unknown[213.92.42.10]
> > May 29 11:02:22 server MailScanner[24390]: New Batch: Scanning 1 messages, 4532 bytes
> > May 29 11:02:22 server MailScanner[24390]: Virus and Content Scanning: Starting
> > May 29 11:02:36 server MailScanner[24390]: Requeue: 19D6CDFD3F.AEAD7 to C6CEEDFD46
> > May 29 11:02:36 server MailScanner[24390]: Uninfected: Delivered 1 messages
> > May 29 11:02:36 server postfix/qmgr[3507]: C6CEEDFD46: from=<>, size=3885, nrcpt=1 (queue active)
> > May 29 11:02:36 server postfix/qmgr[3507]: warning: C6CEEDFD46: message rejected: missing end record
> > May 29 11:02:36 server postfix/qmgr[3507]: warning: saving corrupt file "C6CEEDFD46" from queue "active" to queue "corrupt"
> > May 29 11:02:36 server MailScanner[24390]: Deleted 1 messages from processing-database
> >
> > Not all mails go to corrupt; for example, if a mail comes to 1 person it
> > handles it well the first time, the next time it sends it to corrupt. I am
> > losing 60-75% in the corrupt queue; yesterday I had to stop MailScanner and
> > reconfigure header_checks to bypass the problem till I find a solution, because
> > everything was working great.
> >
> > Regards,
> >
> > David
> > 2013/5/30 Martin Hepworth
> >>
> >> what do the logs say for the messages in question?
> >> check the postfix logs and the mailscanner logs.
> >> Also try running mailscanner in debug mode (see the wiki)
> >>
> >> --
> >> Martin Hepworth, CISSP
> >> Oxford, UK
> >>
> >>
> >> On 30 May 2013 09:10, David Valin Alonso wrote:
> >>>
> >>> Hello,
> >>> I've got a server running ubuntu 10.04 lts x64 + postfix 2.10 + cyrus 2.2 +
> >>> Mailscanner 4.84 + Spamassassin, and all was working really great till a
> >>> couple of days ago, when it began to send mails to the corrupt folder
> >>> /var/spool/postfix/corrupt. It complains about a missing record and it
> >>> rejects the mail, moving it from the active to the corrupt queue.
> >>> I don't know what happened, and the configurations of postfix and
> >>> mailscanner didn't change, as it was working really great.
> >>>
> >>> What could have happened?
> >>>
> >>> Regards,
> >>>
> >>> David
> >>>
> >
> >
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>

From glenn.steen at gmail.com Fri Jun 7 16:27:55 2013
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri, 7 Jun 2013 17:27:55 +0200
Subject: Corrupted messages Postfix
In-Reply-To:
References:
Message-ID:

On 7 June 2013 14:53, David Valin Alonso wrote:
> Hi Glenn,
>
> I think I am using fifo lock, if you mean the qmgr line:
> qmgr fifo n - n 300 1 qmgr

pickup as well...

>
> So the correct lock type in mailscanner.conf for postfix 2.10 should be
> flock or posix??
>
Just leaving it empty *should* be fine.
--
-- Glenn

> Thanks for your reply.
>
> Regards,
>
> David
>
>
> 2013/6/7 Glenn Steen
>>
>> Hello David,
>>
>> This problem you have may be stemming from the change of locking
>> scheme in Postfix 2.10. It was also a problem (in the past) when we
>> did the two-postfix deferred queue thing to implement MailScanner
>> (prior to the hold queue thing we usually do now).
>> Check whether your postfix is using fifo or unix locks in master.cf,
>> and consider going back to fifo in that (with appropriate restart of
>> Postfix afterwards, of course)... OR change MailScanner.conf
>> accordingly and restart MailScanner (setting is "Lock Type").
>>
>> I would think it fairly safe&easy to do the PF change.
>>
>> Cheers
>> --
>> -- Glenn
>> email: glenn < dot > steen < at > gmail < dot > com
>> work: glenn < dot > steen < at > ap1 < dot > se
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mark at msapiro.net Sun Jun 9 01:44:19 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 08 Jun 2013 17:44:19 -0700
Subject: ScamNailer update STILL not working
Message-ID: <51B3CFE3.10500@msapiro.net>

ScamNailer gets the information about current data by doing a DNS lookup of
a TXT record for emails.msupdate.greylist.bastionmail.com. For over 6 weeks,
this has been returning "emails.2013-164.6", i.e. week 16, day 4, update 6.
It is currently week 23, day 0.

I posted a patch at that works around this by guessing the current update,
and it seems to work for me, but contrary to Matt Hampton's statement at ,
the underlying issue of the TXT record for
emails.msupdate.greylist.bastionmail.com not being updated is NOT FIXED.

Does anyone care?

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan

From rpf at marinesoftware.co.uk Tue Jun 11 17:20:11 2013
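The ScamNailer report above comes down to one check: is the version string the TXT record publishes older than it should be? The following is an added example of that check, written for this page; it is not ScamNailer's own code. Taken from the post: the record answers "emails.2013-164.6", read as week 16, day 4, update 6. Assumed for the example, and not stated on the page: the week is the ISO week number, the day counts 0 = Sunday through 6 = Saturday, and the DNS query is replaced by a constructed answer table so the code runs offline (a real check would resolve emails.msupdate.greylist.bastionmail.com with the system resolver).

```python
"""Freshness check for a version string published in DNS (added example, not
ScamNailer code).  Format taken from the post: emails.<year>-<week><day>.<update>.
Assumptions: ISO week numbers, day 0 = Sunday, and a constructed TXT answer."""
import re
from datetime import date
from typing import Dict, Tuple, Union

VERSION_RE = re.compile(r'^emails\.(\d{4})-(\d{1,2})(\d)\.(\d+)$')


def parse_version(txt: str) -> Tuple[int, int, int, int]:
    """Split 'emails.YYYY-WWD.N' into (year, week, day, update), rejecting junk."""
    m = VERSION_RE.match(txt.strip().strip('"'))
    if not m:
        raise ValueError(f'unexpected version string: {txt!r}')
    year, week, day, update = (int(g) for g in m.groups())
    if not 1 <= week <= 53 or not 0 <= day <= 6:
        raise ValueError(f'week/day out of range: {txt!r}')
    return year, week, day, update


def version_date(year: int, week: int, day: int) -> date:
    """Calendar date of an (ISO week, 0=Sunday day) pair.

    ISO weekdays run Monday=1 .. Sunday=7; the assumed 0-based numbering puts
    Sunday first, so 0 maps onto ISO weekday 7 and 1..6 map onto themselves.
    """
    return date.fromisocalendar(year, week, 7 if day == 0 else day)


def check_feed(txt: str, today: Union[date, str], max_age_days: int = 7) -> Dict[str, object]:
    """Report how old the published update is and whether it is past the limit."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    year, week, day, update = parse_version(txt)
    published = version_date(year, week, day)
    age = (today - published).days
    return {
        'version': txt,
        'update': update,
        'published': published.isoformat(),
        'age_days': age,
        'stale': age > max_age_days,
    }


# Constructed stand-in for the DNS answer quoted in the post; a real monitor
# would query the TXT record instead of reading this table.
FAKE_TXT_ANSWERS = {'emails.msupdate.greylist.bastionmail.com': '"emails.2013-164.6"'}


def check_published_feed(name: str, today: Union[date, str],
                         answers: Dict[str, str] = FAKE_TXT_ANSWERS) -> Dict[str, object]:
    """Look the name up in the (constructed) answer table and check its age."""
    if name not in answers:
        raise LookupError(f'no TXT record for {name}')
    return check_feed(answers[name], today)


if __name__ == '__main__':
    # The post is dated 8/9 June 2013 and reports "week 23, day 0".
    print(check_published_feed('emails.msupdate.greylist.bastionmail.com', '2013-06-09'))
```

With the post's date as "today", the record decodes to 18 April 2013 and the feed shows as 52 days old, which is the situation the post describes; a version from week 23, day 0 would decode to 9 June 2013, consistent with the "week 23, day 0" in the post under the assumed numbering.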
From: rpf at marinesoftware.co.uk (Ritchie P. Fraser)
Date: Tue, 11 Jun 2013 16:20:11 +0000
Subject: Messages Stuck in the system...
Message-ID: <7F5CCC2656447841A7BDF64811DEA91610BD39E7@Bart1.MarineSoftware.EXT>

Hi,

I have a CentOS 6.4 box with exim 4.80.1-1 / MailScanner 4.84.5-3 /
Baruwa 2.0 / clamav 0.97.8-1 / spamassassin 3.3.1-2.

Set up like this...

                CentOS 6.4                       Windows SBS
  Internet ---> THELMA (Wash eMail)      --->    LOUISE
                exim/mailscanner/                MS Exchange Server
                clam/spamassassin

My simplistic understanding of the way this process works is...

  1 - Internet
      |
  2 - exim(1) --- incoming mail placed in /var/spool/exim.in/input
      |
  3 - MailScanner --- should pick up mail and manage scanning clam/spamassassin
      |
  4 - MailScanner --- Clean eMail should be placed in /var/spool/exim/input
      |
  5 - exim(2) --- picks up washed mail and delivers to smarthost LOUISE
      |
  6 - MS Exchange --- delivers mail to end users
      |
  7 - End Users

I have telnet'ed onto the box and created some mail messages. They all seem
to be stuck in the /var/spool/exim.in/input directory, between steps 2 and
3 above.

If I try to purge / delete / expunge the mail from the queue with

"exim -qff"

it yields the following in the

2013-06-11 16:49:18 Start queue run: pid=11415 -qff
2013-06-11 16:48:38 1UmMnb-0001VC-AU Spool file is locked (another process is handling this message)
...
2013-06-11 16:48:38 1UmN0o-0001br-Cl Spool file is locked (another process is handling this message)
2013-06-11 16:48:38 End queue run: pid=11274 -qff

How do I find out what process is stuck?

Kind Regards,

Ritchie Fraser
Systems Administrator

T : +44 (0) 1304 840506
F : +44 (0) 1304 840075
W : http://www.marinesoftware.co.uk

Marine Software Limited
Planned Maintenance, Stock Control, Project (Refit) Management, Purchasing,
Safety and ISM Document Management systems for the Marine Industry since 1991.

---------------------------------------------------------------------------------------------------------------------------
Unless otherwise agreed expressly in writing by Marine Software Limited, this
communication and attachments are to be treated as confidential and the
information in it may not be used or disclosed except for the purpose for
which it was sent. If you are not the intended recipient of this communication
you should notify the sender immediately, then destroy it without copying,
disclosing or otherwise using its contents. Marine Software Limited. Registered
in England & Wales. No 2576494. Registered Office: 4 Ozengell Place, Eurokent
Business Park, Ramsgate, Kent, United Kingdom. Internet communications cannot
be guaranteed to be secure or error-free as information could be intercepted,
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
Therefore, we do not accept responsibility for any errors or omissions that
are present in this message, or any attachment, that have arisen as a result
of e-mail transmission. Any views or opinions presented are solely those of
the author and do not necessarily represent those of the company.

From x72m35 at gmail.com Wed Jun 12 12:15:17 2013
From: x72m35 at gmail.com (Lasantha Marian)
Date: Wed, 12 Jun 2013 16:45:17 +0530
Subject: Mail addresses with more @ signs
Message-ID: <51B85845.4070308@gmail.com>

Friends,

I have noticed that MailScanner ignores messages with an envelope address
having more than one "@" sign. Notably, those messages are appended with an
IP address. An example like (sender at xyz.uv@193.216.123.213) returns
"X-ABC-MailScanner-SpamCheck: spam(no watermark or sender address)".

Any thoughts as to what could cause this (letting this spam go as ham)?
Looking at the message content, they are positively spam.

Best regards.
--
Lasantha.

From maxsec at gmail.com Wed Jun 12 14:04:52 2013
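Two threads above turn on how an envelope address is split into local-part and domain: the "problem with mail address case" thread, where the lc($recdata) call in Postfix.pm lowercased the whole recipient and the next hop answered 553 "mailbox name not allowed", and the "more @ signs" thread, where a sender such as sender@xyz.uv@193.216.123.213 carries two unquoted "@" signs. The block below is an added example for both, written for this page and not taken from MailScanner: it finds the one separating "@" (a "@" inside a quoted local-part like "a@b"@example.org is data, not a separator), refuses to guess when there are zero or several, lowercases only the domain, and classifies the from=<...> / to=<...> addresses on a Postfix-style log line. The sample log line is constructed; the domain grammar is the usual hostname-label rule plus a bracketed IPv4 literal, which is this example's choice rather than anything the threads specify.

```python
"""Envelope-address checks (added example; not MailScanner code).

Covers the two failure modes in the threads above: lowercasing a whole address
throws away local-part case that the receiving host may treat as significant,
and an address with more than one unquoted '@' is not a single addr-spec at all.
"""
import re
from typing import Dict, Tuple

# Hostname labels: 1-63 chars, alphanumeric with interior hyphens, 253 chars total.
DOMAIN_RE = re.compile(
    r'^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$')
IPV4_LITERAL_RE = re.compile(r'^\[(?:\d{1,3}\.){3}\d{1,3}\]$')
ENVELOPE_RE = re.compile(r'\b(from|to)=<([^>]*)>')


class BadAddress(ValueError):
    """Raised for anything that is not exactly one addr-spec."""


def split_addr_spec(addr: str) -> Tuple[str, str]:
    """Split an addr-spec at the single '@' between local-part and domain.

    A '@' inside a quoted local-part, or escaped by a backslash inside the
    quotes, is part of the local-part.  Zero or more than one unquoted '@' is
    rejected rather than guessing which one is the real separator.
    """
    separators = []
    in_quotes = False
    i = 0
    while i < len(addr):
        ch = addr[i]
        if in_quotes and ch == '\\':
            i += 2                      # quoted-pair: skip the escaped character
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == '@' and not in_quotes:
            separators.append(i)
        i += 1
    if in_quotes:
        raise BadAddress(f'unterminated quoted local-part: {addr!r}')
    if len(separators) != 1:
        raise BadAddress(f'expected one unquoted "@", found {len(separators)}: {addr!r}')
    local, domain = addr[:separators[0]], addr[separators[0] + 1:]
    if not local:
        raise BadAddress(f'empty local-part: {addr!r}')
    if not (DOMAIN_RE.match(domain) or IPV4_LITERAL_RE.match(domain)):
        raise BadAddress(f'invalid domain part: {domain!r}')
    return local, domain


def normalize_recipient(addr: str) -> str:
    """Canonical form for lookups and logging: lowercase the domain only.

    The local-part keeps its case; only the domain is case-insensitive, so this
    is the safe counterpart of lowercasing the whole string.
    """
    local, domain = split_addr_spec(addr)
    return f'{local}@{domain.lower()}'


def classify_address(addr: str) -> str:
    """'null' for the bounce sender <>, 'ok' for one addr-spec, else 'malformed'."""
    bare = addr[1:-1] if addr.startswith('<') and addr.endswith('>') else addr
    if bare == '':
        return 'null'
    try:
        split_addr_spec(bare)
    except BadAddress:
        return 'malformed'
    return 'ok'


def check_log_line(line: str) -> Dict[str, str]:
    """Classify each from=<...> / to=<...> envelope address on a Postfix-style log line."""
    return {field: classify_address(value) for field, value in ENVELOPE_RE.findall(line)}


# Constructed sample, modelled on the smtpd lines quoted in the threads above.
SAMPLE_LOG = ('Jun 12 10:00:00 mx postfix/smtpd[4242]: NOQUEUE: client=unknown[192.0.2.7], '
              'from=<sender@xyz.uv@193.216.123.213> to=<T1485@Example.ORG> proto=ESMTP')

if __name__ == '__main__':
    print(normalize_recipient('T1485@Oscar.Klinikum-Braunschweig.DE'))
    print(check_log_line(SAMPLE_LOG))
```

Run stand-alone it prints T1485@oscar.klinikum-braunschweig.de (case of the mailbox preserved, domain folded) and {'from': 'malformed', 'to': 'ok'} for the constructed log line; a scanner that fed such sender addresses to its whitelist or watermark logic would at least know it was looking at something that is not one address.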
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed, 12 Jun 2013 14:04:52 +0100
Subject: Messages Stuck in the system...
In-Reply-To: <7F5CCC2656447841A7BDF64811DEA91610BD39E7@Bart1.MarineSoftware.EXT>
References: <7F5CCC2656447841A7BDF64811DEA91610BD39E7@Bart1.MarineSoftware.EXT>
Message-ID:

You need two exim queues; MailScanner picks up from the 1st queue, processes,
and drops clean email into the 2nd.

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:exim:installation

So MailScanner is the glue, if you like, between two MTA queues; the 2nd does
the local delivery, in your case to the MS-Exchange system.

--
Martin Hepworth, CISSP
Oxford, UK

On 11 June 2013 17:20, Ritchie P. Fraser wrote:
> I have telnet'ed onto the box and created some mail messages. They all seem
> to be stuck in the /var/spool/exim.in/input directory, between steps 2 and
> 3 above.
>
> If I try to purge / delete / expunge the mail from the queue with
>
> "exim -qff"
>
> it yields the following in the
>
> 2013-06-11 16:49:18 Start queue run: pid=11415 -qff
> 2013-06-11 16:48:38 1UmMnb-0001VC-AU Spool file is locked (another process is handling this message)
> ...
> 2013-06-11 16:48:38 1UmN0o-0001br-Cl Spool file is locked (another process is handling this message)
> 2013-06-11 16:48:38 End queue run: pid=11274 -qff
>
> How do I find out what process is stuck?
>

From brian.duncan at kattenlaw.com Wed Jun 12 22:05:37 2013
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Wed, 12 Jun 2013 21:05:37 +0000
Subject: Certain Spamassassin rules do not seem to be firing all of the time
Message-ID: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com>

spamassassin-3.3.1-3.el5.rf
mailscanner-4.83.5-1

Looking for some help here, it looks like sometimes Mailscanner is causing SpamAssassin to not use some rules. (Not exactly sure on this, I assume it is Mailscanner based on the behavior I am seeing.)

I receive the message and it is not tagged as Spam and winds up in my inbox. The headers show on this example:

X-MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=0.8,required 6.5, BAYES_50 0.80, LOTS_OF_MONEY 0.00,RP_MATCHES_RCVD -0.00)

I then take that message and drag it into a separate mailbox I had set up on our Exchange server, then pull it down to my Sendmail/Mailscanner/SpamAssassin box through imap in rfc822 format.

I then run the same message through Spamassassin with -test-mode locally from my mail server and I get different scoring; it looks like I am missing some of the checks, because now it definitely shows as Spam:

Content analysis details:   (17.3 hits, 6.5 required)
 5.0 URIBL_DBL_SPAM          Contains an URL listed in the DBL blocklist
                             [URIs: eelefs.net]
-0.0 RP_MATCHES_RCVD         Envelope sender domain matches handover relay domain
 0.8 BAYES_50                BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5050]
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                             [cf: 100]
 8.5 RAZOR2_CHECK            Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100  Razor2 gives confidence level above 50%
                             [cf: 100]
 0.0 LOTS_OF_MONEY           Huge... sums of money

------ End of SpamAssassin results, Original message follows --------

So I was wondering if it had to do with my MailScanner.conf having this line:

SpamAssassin Local State Dir = # /var/lib/spamassassin

But based on my debug of MailScanner, it does not matter if the # is present or not, MailScanner seems to think it knows where all the rules are. The below output is with SpamAssassin Local State Dir = /var/lib/spamassassin

In Debugging mode, not forking...
Trying to setlogsock(unix)
15:54:01 Jun 12 15:54:01.475 [32352] dbg: logger: adding facilities: all
15:54:01 Jun 12 15:54:01.475 [32352] dbg: logger: logging level is DBG
15:54:01 Jun 12 15:54:01.475 [32352] dbg: generic: SpamAssassin version 3.3.1
15:54:01 Jun 12 15:54:01.475 [32352] dbg: generic: Perl 5.008008, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin
15:54:01 Jun 12 15:54:01.475 [32352] dbg: config: timing enabled
15:54:01 Jun 12 15:54:01.475 [32352] dbg: config: score set 0 chosen.
15:54:01 Jun 12 15:54:01.477 [32352] dbg: util: running in taint mode? no
15:54:01 Jun 12 15:54:01.480 [32352] dbg: dns: is Net::DNS::Resolver available? yes
15:54:01 Jun 12 15:54:01.480 [32352] dbg: dns: Net::DNS version: 0.65
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/init.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v310.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v312.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v320.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v330.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: using "/var/lib/spamassassin/3.003001" for sys rules pre files
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: using "/var/lib/spamassassin/3.003001" for default rules dir
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /var/lib/spamassassin/3.003001/updates_spamassassin_org.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: using "/etc/mail/spamassassin" for site rules dir
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/70_sare_evilnum1.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/70_sare_unsub.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/chickenpox.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/local.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
15:54:01 Jun 12 15:54:01.483 [32352] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
15:54:01 Jun 12 15:54:01.483 [32352] dbg: config: read file /root/.spamassassin/user_prefs
15:54:01 Jun 12 15:54:01.484 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
15:54:01 Jun 12 15:54:01.488 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
15:54:01 Jun 12 15:54:01.491 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
15:54:01 Jun 12 15:54:01.494 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
15:54:01 Jun 12 15:54:01.496 [32352] dbg: pyzor: network tests on, attempting Pyzor

The odd thing here to me is, if I search my maillog for some of the hits from above, like URIBL_DBL_SPAM, I am seeing many hits on this.. It just seems to be skipping some of the rules for certain messages. I looked through

Anyone have any ideas where I can start to figure this one out? I checked my rules, but since some of the rules are firing I assumed it can't have anything to do with that..

Here is the complete output from the message I give as an example from above (minus the spammy body):

Received: from CHI-US-HT-01.us.kmz.com (10.18.17.28) by
 CHI-US-CAS-1B.us.kmz.com (10.125.15.2) with Microsoft SMTP Server (TLS) id
 14.3.123.3; Wed, 12 Jun 2013 15:44:04 -0500
Received: from chi-us-vwall-01.us.kmz.com (10.18.16.181) by
 CHI-US-HT-01.us.kmz.com (10.18.17.28) with Microsoft SMTP Server id
 14.3.123.3; Wed, 12 Jun 2013 15:44:03 -0500
Received: from venus.kattenlaw.com ([10.18.3.33]) by us.kmz.com
 ([10.18.16.181]) with ESMTP (TREND IMSS SMTP Service 7.1) id 844d8c4f001d4ac4
 ; Wed, 12 Jun 2013 15:44:01 -0500
Received: from smtp1.eelefs.net (smtp1.eelefs.net [66.197.143.105]) by
 venus.kattenlaw.com (8.13.8/8.13.4) with ESMTP id r5CKi0H8028960 for
 ; Wed, 12 Jun 2013 15:44:03 -0500
From: 2013 Models
To: "Duncan, Brian M."
Subject: *Reduction Information* 2013's for thousands less
Thread-Topic: *Reduction Information* 2013's for thousands less
Thread-Index: AQHOZ62T+0z+e2LgwkiBidggfWeC0A==
Date: Wed, 12 Jun 2013 15:43:58 -0500
Message-ID: <29295056e3e7741908e644022e5f0220 at smtp1.eelefs.net>
Reply-To: "Jorge.Mendoza at eelefs.net"
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: CHI-US-HT-01.us.kmz.com
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailscanner-from: jorgemendoza at smtp1.eelefs.net
x-mailscanner-spamcheck: not spam, SpamAssassin (cached, score=0.8, required 6.5, BAYES_50 0.80, LOTS_OF_MONEY 0.00, RP_MATCHES_RCVD -0.00)
x-kattenlaw-mailscanner-information:
x-mailscanner-spam: no
x-kattenlaw-mailscanner-id: r5CKi0H8028960
x-tm-imss-message-id: <844d8c4f001d4ac4 at us.kmz.com>
x-kattenlaw: NS
Content-Type: text/plain; charset="us-ascii"
Content-ID: <8737EB66163E6F4DA060748F2D862AD0 at kattenlaw.com>
MIME-Version: 1.0

Thanks for any help.

===========================================================
CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
===========================================================
CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies.
===========================================================
NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997).
===========================================================

From rlopezcnm at gmail.com Wed Jun 12 22:22:21 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Wed, 12 Jun 2013 15:22:21 -0600
Subject: ScamNailer update STILL not working
In-Reply-To: <51B3CFE3.10500@msapiro.net>
References: <51B3CFE3.10500@msapiro.net>
Message-ID:

On Sat, Jun 8, 2013 at 6:44 PM, Mark Sapiro wrote:
> ScamNailer gets the information about current data by doing a DNS lookup
> of a TXT record for emails.msupdate.greylist.bastionmail.com. For over 6
> weeks, this has been returning "emails.2013-164.6", i.e. week 16, day 4
> update 6. It is currently week 23, day 0.
>
> I posted a patch at
>
> that works around this by guessing the current update, and it seems to
> work for me, but contrary to Matt Hampton's statement at
> ,
> the underlying issue of the TXT record for
> emails.msupdate.greylist.bastionmail.com not being updated is NOT FIXED.
>
> Does anyone care?
>
> --
> Mark Sapiro                           The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

Mark,

I also only have the 2013-164.6 as the most recent file and do care about the problem of the file not being updated.

I confess to not trying your patch because I do not understand it.

--
Robert Lopez

From richard.siddall at elirion.net Wed Jun 12 22:27:02 2013
From: richard.siddall at elirion.net (Richard Siddall)
Date: Wed, 12 Jun 2013 17:27:02 -0400
Subject: ScamNailer update STILL not working
In-Reply-To: <51B3CFE3.10500@msapiro.net>
References: <51B3CFE3.10500@msapiro.net>
Message-ID: <51B8E7A6.4090403@elirion.net>

Mark Sapiro wrote:
> the underlying issue of the TXT record for
> emails.msupdate.greylist.bastionmail.com not being updated is NOT FIXED.
>
> Does anyone care?
>

It would be nice if it was fixed.

Richard.

From rlopezcnm at gmail.com Wed Jun 12 23:45:43 2013
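A freshness check for the version string Mark describes in the quoted message, added here as an example; it is not code from the thread or from ScamNailer. The split of "emails.2013-164.6" into week 16, day 4, update 6 follows Mark's reading, the current week and day are passed in by the caller rather than derived from the calendar (the page does not say which week-numbering scheme the record uses), and the one-week staleness threshold is an assumption of mine.

```python
import re

# Constructed sample: the TXT-record value Mark reports seeing, and the
# current (year, week, day) he gives ("week 23, day 0").
SAMPLE_TXT = "emails.2013-164.6"
NOW = (2013, 23, 0)

# emails.YYYY-WWD.U  ->  year, week, day-of-week, update number.
# Reading "164" as week 16 / day 4 follows the interpretation in the thread.
VERSION_RE = re.compile(r'^"?emails\.(\d{4})-(\d{2})(\d)\.(\d+)"?$')


def parse_update_version(txt):
    """Return (year, week, day, update) from a ScamNailer version TXT string."""
    m = VERSION_RE.match(txt.strip())
    if not m:
        raise ValueError("unrecognised ScamNailer version string: %r" % txt)
    return tuple(int(g) for g in m.groups())


def weeks_behind(txt, now):
    """Weeks (fractional) by which the advertised update lags the given
    (year, week, day). Year rollover is approximated as 52 weeks."""
    year, week, day, _update = parse_update_version(txt)
    now_year, now_week, now_day = now
    return (now_year - year) * 52 + (now_week - week) + (now_day - day) / 7


def is_stale(txt, now, max_weeks=1):
    """True when the feed has not advanced within max_weeks of the given date.

    The one-week default is an assumption; the record carries an update
    counter per day, so a feed that is healthy should move far more often.
    """
    return weeks_behind(txt, now) > max_weeks


if __name__ == "__main__":
    lag = weeks_behind(SAMPLE_TXT, NOW)
    print("%s is %.1f weeks behind; stale=%s" % (SAMPLE_TXT, lag, is_stale(SAMPLE_TXT, NOW)))
```

Run against the value Mark quotes, the lag comes out at just over six weeks, matching his "for over 6 weeks"; wiring the check into a cron job that compares the live TXT record against today's week gives an alert when the feed stalls instead of finding out from the list.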
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Wed, 12 Jun 2013 16:45:43 -0600
Subject: Will MailScanner save the original Attachment which the file name is unsafe?
In-Reply-To: <24907158.41251369887162253.JavaMail.root@webmail8>
References: <24907158.41251369887162253.JavaMail.root@webmail8>
Message-ID:

On Wed, May 29, 2013 at 10:12 PM, ?? wrote:
> Dear all,
> Some users tell me they receive some mail, and the attachment is replaced
> by a message (MailScanner: No programs allowed).
> I found MailScanner will tell the user "No programs allowed" when MailScanner
> scans the attachment with clamd and finds the attachment file type is not allowed.
> Now I want to find the original Attachment to show it to the user, but I
> can't find it on the server.

In my case the attachment is saved in /var/spool/MailScanner/quarantine/[date]/[queue-id]/

> Could you tell me whether MailScanner saves the original Attachment, or
> MailScanner will drop it without saving it?

There may be a configuration parameter to drop it without saving it. I do not know because I have not done that. Search for attachment on http://www.mailscanner.info/MailScanner.conf.index.html and you may find an answer.

--
Robert Lopez

From maxsec at gmail.com Thu Jun 13 07:50:37 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu, 13 Jun 2013 07:50:37 +0100
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com>
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com>
Message-ID:

Are you running the tests as the same user MailScanner runs as, to make sure any .spamassassin directory settings aren't overriding? In both headers you're getting SpamAssassin cache hits, which is a MailScanner option. You might want to stop MailScanner, delete the SpamAssassin cache file and retry. Could be the cache file has got corrupt somehow.

martin

--
Martin Hepworth, CISSP
Oxford, UK

On 12 June 2013 22:05, Duncan, Brian M. wrote:
> spamassassin-3.3.1-3.el5.rf
>
> mailscanner-4.83.5-1
>
> Looking for some help here, it looks like sometimes Mailscanner is causing
> SpamAssassin to not use some rules. (Not exactly sure on this I assume it
> is Mailscanner based on the behavior I am seeing)
>
> I receive the message and it is not tagged as Spam and winds up in my
> inbox.
From andrew at topdog.za.net Thu Jun 13 09:19:19 2013
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Thu, 13 Jun 2013 10:19:19 +0200
Subject: MailScanner Development
In-Reply-To:
References: <7422D1030AB0A0479EE5090F3702AAF819A4D9@BUGATTI.snjlaw.local>
Message-ID:

On 07 Jun 2013, at 2:19 PM, Glenn Steen wrote:
> AFAIU, Jules has more or less passed this on to some members of this
> list (among others the Baruwa originator), and most (if not all)
> development is tracked on github these days... Search the list for
> github references and you'll see:-).
>
> BTW you don't remember wrong... It used to be a stable release every
> month, then bimonthly... and now almost never:-):-).
> It might reflect a couple of different things... That the product has
> stabilised nicely, that email threats are on a decline (well:-) etc.
> Major factor is probably that Jules isn't so directly involved any more.

The product has mostly reached maturity in its present state; there are not enough code changes any more to justify a monthly release.

That having been said, there are a few ideas that I would like to implement to improve the performance and speed of processing, one being changing from scanning the queue to a file-monitoring based pickup instead, which will immediately scan the message as soon as it is written to the MTA spool directory.

Anyone with feature requests should file them to the Github issues.

- Andrew

--
www.baruwa.org

From rcooper at dwford.com Thu Jun 13 20:23:14 2013
From: rcooper at dwford.com (Rick Cooper)
Date: Thu, 13 Jun 2013 15:23:14 -0400
Subject: MailScanner Development
In-Reply-To:
References: <7422D1030AB0A0479EE5090F3702AAF819A4D9@BUGATTI.snjlaw.local>
Message-ID: <55DEA710275A4EA29A91BA1DEEA9D271@SAHOMELT>

Andrew Colin Kissa wrote:
> That having been said, there a few ideas that i would like to
> implement to improve the performance and speed of processing one
> being changing from scanning the queue to a file monitoring based
> pickup instead which will immediately scan the message as soon as it
> is written to the MTA spool directory.
>
> Anyone with feature requests should file them to the Github issues.
>
> - Andrew

Is there a link for that? I have, some time ago, been running spamd instead of the perl module and while the speed difference is insignificant, the memory usage and apparent load is probably more than switching from the clamav module to clamd.

Rick Cooper

From andrew at topdog.za.net Thu Jun 13 20:57:42 2013
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Thu, 13 Jun 2013 21:57:42 +0200
Subject: MailScanner Development
In-Reply-To: <55DEA710275A4EA29A91BA1DEEA9D271@SAHOMELT>
References: <7422D1030AB0A0479EE5090F3702AAF819A4D9@BUGATTI.snjlaw.local> <55DEA710275A4EA29A91BA1DEEA9D271@SAHOMELT>
Message-ID: <827EEEB2-BB14-4DA6-9C7B-B3225762FB5E@topdog.za.net>

On 13 Jun 2013, at 9:23 PM, Rick Cooper wrote:
> Is there a link for that? I have, some time ago, been running spamd instead
> of the perl module and while the speed difference is insignificant the
> memory usage and aparent load is probably more than switching from the
> clamav module to clamd

https://github.com/MailScanner/MailScanner/issues/new

--
www.baruwa.org

From rlopezcnm at gmail.com Thu Jun 13 21:16:47 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Thu, 13 Jun 2013 14:16:47 -0600
Subject: Visible code in emails tagged as dis-armed
Message-ID:

A google of the following code will show it is found in a lot of email as visible code.

    var WAX = function () {
        var _arrInputs;
        window.addEventListener('waxSetArr', function (evt) { _arrInputs = evt.detail; });
        return {
            getElement: function (i) { return _arrInputs[i]; }
        };
    }();

    function waxGetElement(i) {
        return WAX.getElement(i);
    }

In all cases where it has been reported to our service desk it occurs in email in which the Subject line of the email has the MailScanner generated tag of "{Disarmed} ". Before this recent situation I have never before seen any code become visible in HTML email which was disarmed by MailScanner.

Any idea if it is intentionally visible or if it is the side effect of a MailScanner bug while processing the web bug?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From jerry.benton at mailborder.com Fri Jun 14 00:38:41 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 14 Jun 2013 01:38:41 +0200
Subject: Rules and Tabs
Message-ID:

Does anyone know off hand if tabs are required in the spam black lists rules? I have been reviewing the documentation and it does not specifically state if this is required or not for these types of rules.

Ex:

From: bob at hi.com and To: domain.com yes

or:

From: bob at hi.com and To: domain.com yes

--
Jerry Benton
Mailborder Systems
www.mailborder.com

From brian.duncan at kattenlaw.com Fri Jun 14 01:35:02 2013
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Fri, 14 Jun 2013 00:35:02 +0000
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To:
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com>
Message-ID: <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com>

Thanks for the suggestions Martin.

I don't have any specific user that I run as:

Run As User =

So I assume it is running as root? My tests with -test-mode were run as root.. I do have the .spamassassin dir in root that has the bayes db's that are the ones that get updated, and I did confirm there was nothing there causing problems.

I took your advice and started by stopping Mailscanner and deleting the cache and any orphaned files in the directories; hopefully that will have a positive impact. I assume it must be something odd like that, these messages started coming through last week. I have to believe if all my rules were not firing since I built that box a year or so ago I would have noticed this sooner.

One thing I noticed after taking other messages that failed due to body checks that actually wind up tagged as Spam: most seem to have more rules that fire off when I run them locally as root with -test-mode than what they have in my mail client after they have come through.

I do see hits on messages for rules that ONLY exist in some of the rules in the /var/lib/spamassassin/3.003001/updates_spamassassin_org directory. So I know it is accessing those files, just not all of them for some reason at certain times..

I just took a message that made it through today for me:

X-MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=0.8, required 6.5, BAYES_50 0.80, DIET_1 0.00, RP_MATCHES_RCVD -0.00)

When I check this message on my MailScanner box with Spamassassin as root I get:

Content analysis details:   (30.1 hits, 6.5 required)
 6.5 URIBL_JP_SURBL          Contains an URL listed in the JP SURBL blocklist
                             [URIs: nthjus.com]
 0.0 DIET_1                  BODY: Lose Weight Spam
 1.3 RCVD_IN_RP_RNBL         RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/
                             [64.191.19.228 listed in bl.score.senderscore.com]
  10 URIBL_BLACK             Contains an URL listed in the URIBL blacklist
                             [URIs: nthjus.com]
-0.0 RP_MATCHES_RCVD         Envelope sender domain matches handover relay domain
 0.8 BAYES_50                BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5001]
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                             [cf: 100]
 8.5 RAZOR2_CHECK            Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100  Razor2 gives confidence level above 50%
                             [cf: 100]

It seems all the rules that don't fire are the ones where it would actually be looking something up, right? Through DNS?

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com
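The comparison Brian is doing by eye in this message and in his first post, written out as a small diagnostic; this is an added example, not code from the thread, from MailScanner or from SpamAssassin. It parses the X-MailScanner-SpamCheck header that MailScanner stamped on delivery and the "Content analysis details" report from a local spamassassin run on the same message, lists the rules that fired locally but are missing from the delivered verdict, and separates the ones that need a network lookup from the rest. The sample header and report are the ones Brian quotes above, re-typed here as test input; the prefix list used to recognise network rules is my own heuristic, not anything SpamAssassin exposes. It also reports whether the delivered verdict was a cache hit, which is the point Martin raised.

```python
import re

# Constructed sample input, copied from the thread: the header MailScanner
# added on delivery, and the report from re-running spamassassin locally.
MAILSCANNER_HEADER = (
    "X-MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=0.8, "
    "required 6.5, BAYES_50 0.80, DIET_1 0.00, RP_MATCHES_RCVD -0.00)"
)

LOCAL_REPORT = """\
Content analysis details:   (30.1 hits, 6.5 required)
 6.5 URIBL_JP_SURBL          Contains an URL listed in the JP SURBL blocklist
                             [URIs: nthjus.com]
 0.0 DIET_1                  BODY: Lose Weight Spam
 1.3 RCVD_IN_RP_RNBL         RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/
                             [64.191.19.228 listed in bl.score.senderscore.com]
  10 URIBL_BLACK             Contains an URL listed in the URIBL blacklist
                             [URIs: nthjus.com]
-0.0 RP_MATCHES_RCVD         Envelope sender domain matches handover relay domain
 0.8 BAYES_50                BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5001]
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                             [cf: 100]
 8.5 RAZOR2_CHECK            Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100  Razor2 gives confidence level above 50%
                             [cf: 100]
"""

# Rule-name prefixes that imply a network lookup (URI and relay blocklists
# over DNS, Razor2, Pyzor, DCC, SPF, DKIM). This is my own heuristic for
# classifying the gap, not a SpamAssassin API.
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_", "RAZOR2_", "PYZOR_", "DCC_", "SPF_", "DKIM_")

# "BAYES_50 0.80" as it appears inside the SpamCheck header's parentheses.
HEADER_RULE_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)$")
# " 6.5 URIBL_JP_SURBL  ..." as it appears in the report; continuation lines
# such as "[URIs: ...]" start with no score and are skipped.
REPORT_RULE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s")


def parse_spamcheck_header(header):
    """Return (cached, total_score, {rule: score}) from X-MailScanner-SpamCheck."""
    inner = re.search(r"SpamAssassin \((.*)\)", header).group(1)
    fields = [f.strip() for f in inner.split(",")]
    cached = "cached" in fields
    total = None
    rules = {}
    for f in fields:
        if f.startswith("score="):
            total = float(f.split("=", 1)[1])
            continue
        m = HEADER_RULE_RE.match(f)
        if m:
            rules[m.group(1)] = float(m.group(2))
    return cached, total, rules


def parse_report(report):
    """Return {rule: score} from a 'Content analysis details' report."""
    rules = {}
    for line in report.splitlines():
        m = REPORT_RULE_RE.match(line)
        if m:
            rules[m.group(2)] = float(m.group(1))
    return rules


def compare(header, report):
    """Explain the gap between the delivered verdict and the local rerun.

    Returns (cached, delivered_total, local_total, network_missing, other_missing),
    where the two lists hold rules that fired locally but not on delivery.
    """
    cached, delivered_total, delivered = parse_spamcheck_header(header)
    local = parse_report(report)
    local_total = round(sum(local.values()), 1)
    missing = sorted(set(local) - set(delivered))
    network_missing = [r for r in missing if r.startswith(NETWORK_PREFIXES)]
    other_missing = [r for r in missing if not r.startswith(NETWORK_PREFIXES)]
    return cached, delivered_total, local_total, network_missing, other_missing


if __name__ == "__main__":
    cached, d_total, l_total, net, other = compare(MAILSCANNER_HEADER, LOCAL_REPORT)
    print("delivered score %s (cached=%s), local rerun %s" % (d_total, cached, l_total))
    print("missing network rules:", ", ".join(net) or "none")
    print("missing other rules:  ", ", ".join(other) or "none")
    if net and not other:
        print("Only network tests are missing: check DNS and network access from "
              "the scanning process, and the SpamAssassin cache MailScanner keeps.")
```

On Brian's sample every missing rule lands in the network list and the "cached" flag is set, which is exactly the pattern that points at the scanning process (its user, its resolver, or a stale cache entry) rather than at the rule files themselves; a missing rule that is not a network test would instead point at a rules directory the daemon cannot read.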
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Thursday, June 13, 2013 1:51 AM To: MailScanner discussion Subject: Re: Certain Spamassassin rules do not seem to be firing all of the time Are you running the tests against the same user MailScanner runs as to make sure any .spamassassin directory settings arent overriding in both headers you're getting spamassassin cache hits which is a mailscanner option. You might want to stop MailScanner, delete the spamassassin cache file ans retry. Could be the cache file has got corrupt somehow. martin -- Martin Hepworth, CISSP Oxford, UK On 12 June 2013 22:05, Duncan, Brian M. > wrote: spamassassin-3.3.1-3.el5.rf mailscanner-4.83.5-1 Looking for some help here, it looks like sometimes Mailscanner is causing SpamAssassin to not use some rules. (Not exactly sure on this I assume it is Mailscanner based on the behavior I am seeing) I receive the message and it is not tagged as Spam and winds up in my inbox. The headers show on this example: X-MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=0.8,required 6.5, BAYES_50 0.80, LOTS_OF_MONEY 0.00,RP_MATCHES_RCVD -0.00) I then take that message and drag it into a separate mailbox I had setup on our Exchange server, then pull it down to my Sendmail/Mailscanner/SpamAssassin box through imap in rfc822 format. 
I then run the same message through Spamassassin with --test-mode locally
from my mail server and I get different scoring; it looks like I am missing
some of the checks, because now it definitely shows as Spam:

Content analysis details:   (17.3 hits, 6.5 required)

 5.0 URIBL_DBL_SPAM         Contains an URL listed in the DBL blocklist
                            [URIs: eelefs.net]
-0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5050]
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
 8.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 LOTS_OF_MONEY          Huge... sums of money

------ End of SpamAssassin results, Original message follows --------

So I was wondering if it had to do with my MailScanner.conf having this line:

SpamAssassin Local State Dir = # /var/lib/spamassassin

But based on my debug of MailScanner, it does not matter if the # is present
or not; MailScanner seems to think it knows where all the rules are. The
below output is with:

SpamAssassin Local State Dir = /var/lib/spamassassin

In Debugging mode, not forking...
Trying to setlogsock(unix)
15:54:01 Jun 12 15:54:01.475 [32352] dbg: logger: adding facilities: all
15:54:01 Jun 12 15:54:01.475 [32352] dbg: logger: logging level is DBG
15:54:01 Jun 12 15:54:01.475 [32352] dbg: generic: SpamAssassin version 3.3.1
15:54:01 Jun 12 15:54:01.475 [32352] dbg: generic: Perl 5.008008, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin
15:54:01 Jun 12 15:54:01.475 [32352] dbg: config: timing enabled
15:54:01 Jun 12 15:54:01.475 [32352] dbg: config: score set 0 chosen.
15:54:01 Jun 12 15:54:01.477 [32352] dbg: util: running in taint mode? no
15:54:01 Jun 12 15:54:01.480 [32352] dbg: dns: is Net::DNS::Resolver available? yes
15:54:01 Jun 12 15:54:01.480 [32352] dbg: dns: Net::DNS version: 0.65
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/init.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v310.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v312.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v320.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v330.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: using "/var/lib/spamassassin/3.003001" for sys rules pre files
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: using "/var/lib/spamassassin/3.003001" for default rules dir
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /var/lib/spamassassin/3.003001/updates_spamassassin_org.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: using "/etc/mail/spamassassin" for site rules dir
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/70_sare_evilnum1.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/70_sare_unsub.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/chickenpox.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/local.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
15:54:01 Jun 12 15:54:01.483 [32352] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
15:54:01 Jun 12 15:54:01.483 [32352] dbg: config: read file /root/.spamassassin/user_prefs
15:54:01 Jun 12 15:54:01.484 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
15:54:01 Jun 12 15:54:01.488 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
15:54:01 Jun 12 15:54:01.491 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
15:54:01 Jun 12 15:54:01.494 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
15:54:01 Jun 12 15:54:01.496 [32352] dbg: pyzor: network tests on, attempting Pyzor

The odd thing here to me is, if I search my maillog for some of the hits
from above, like URIBL_DBL_SPAM, I am seeing many hits on this.. It just
seems to be skipping some of the rules for certain messages. I looked through

Anyone have any ideas where I can start to figure this one out? I checked my
rules, but since some of the rules are firing I assumed it can't have
anything to do with that..

Here is the complete output from the message I give as an example from above
(minus the spammy body):

Received: from CHI-US-HT-01.us.kmz.com (10.18.17.28) by
 CHI-US-CAS-1B.us.kmz.com (10.125.15.2) with Microsoft SMTP Server (TLS) id
 14.3.123.3; Wed, 12 Jun 2013 15:44:04 -0500
Received: from chi-us-vwall-01.us.kmz.com (10.18.16.181) by
 CHI-US-HT-01.us.kmz.com (10.18.17.28) with Microsoft SMTP Server id
 14.3.123.3; Wed, 12 Jun 2013 15:44:03 -0500
Received: from venus.kattenlaw.com ([10.18.3.33]) by us.kmz.com
 ([10.18.16.181]) with ESMTP (TREND IMSS SMTP Service 7.1) id
 844d8c4f001d4ac4 ; Wed, 12 Jun 2013 15:44:01 -0500
Received: from smtp1.eelefs.net (smtp1.eelefs.net [66.197.143.105]) by
 venus.kattenlaw.com (8.13.8/8.13.4) with ESMTP id r5CKi0H8028960 for >;
 Wed, 12 Jun 2013 15:44:03 -0500
From: 2013 Models >
To: "Duncan, Brian M." >
Subject: *Reduction Information* 2013's for thousands less
Thread-Topic: *Reduction Information* 2013's for thousands less
Thread-Index: AQHOZ62T+0z+e2LgwkiBidggfWeC0A==
Date: Wed, 12 Jun 2013 15:43:58 -0500
Message-ID: <29295056e3e7741908e644022e5f0220 at smtp1.eelefs.net>
Reply-To: "Jorge.Mendoza at eelefs.net" >
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: CHI-US-HT-01.us.kmz.com
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailscanner-from: jorgemendoza at smtp1.eelefs.net
x-mailscanner-spamcheck: not spam, SpamAssassin (cached, score=0.8,
        required 6.5, BAYES_50 0.80, LOTS_OF_MONEY 0.00,
        RP_MATCHES_RCVD -0.00)
x-kattenlaw-mailscanner-information:
x-mailscanner-spam: no
x-kattenlaw-mailscanner-id: r5CKi0H8028960
x-tm-imss-message-id: <844d8c4f001d4ac4 at us.kmz.com>
x-kattenlaw: NS
Content-Type: text/plain; charset="us-ascii"
Content-ID: <8737EB66163E6F4DA060748F2D862AD0 at kattenlaw.com>
MIME-Version: 1.0

Thanks for any help.

===========================================================
CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before
the Internal Revenue Service, any tax advice contained herein is not
intended or written to be used and cannot be used by a taxpayer for the
purpose of avoiding tax penalties that may be imposed on the taxpayer.
===========================================================
CONFIDENTIALITY NOTICE: This electronic mail message and any attached files
contain information intended for the exclusive use of the individual or
entity to whom it is addressed and may contain information that is
proprietary, privileged, confidential and/or exempt from disclosure under
applicable law. If you are not the intended recipient, you are hereby
notified that any viewing, copying, disclosure or distribution of this
information may be subject to legal restriction or sanction. Please notify
the sender, by electronic mail or telephone, of any unintended recipients
and delete the original message without making any copies.
===========================================================
NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability
partnership that has elected to be governed by the Illinois Uniform
Partnership Act (1997).
===========================================================

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130614/81a13109/attachment.html

From mark at msapiro.net Fri Jun 14 02:35:36 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 13 Jun 2013 18:35:36 -0700
Subject: ScamNailer update STILL not working
In-Reply-To:
References: <51B3CFE3.10500@msapiro.net>
Message-ID: <51BA7368.9040306@msapiro.net>

On 06/12/2013 02:22 PM, Robert Lopez wrote:
> On Sat, Jun 8, 2013 at 6:44 PM, Mark Sapiro wrote:
>> ScamNailer gets the information about current data by doing a DNS lookup
>> of a TXT record for emails.msupdate.greylist.bastionmail.com. For over 6
>> weeks, this has been returning "emails.2013-164.6", i.e. week 16, day 4
>> update 6. It is currently week 23, day 0.
>>
>> I posted a patch at
>>
>> that works around this by guessing the current update, and it seems to
>> work for me ...
[...]
> I confess to not trying your patch because I do not understand it.

The string such as "emails.2013-164.6" identifies the most recent ScamNailer
update. It is very structured and predictable. In this string, 2013 is the
year, 16 is the week # within the year, 4 is the day number within the week
and 6 is the 6th update of the day.

The patch first figures for the current date (GMT) what the year, week and
day of week are. It's a bit tricky because the perl gmtime function doesn't
return a week number so we have to calculate it from day of year, but it
also depends on what day of the week Jan 1 fell on. Anyway, the only thing
it can't determine is the update number. For each day, update 0 is the
current full file at the beginning of the day and the remaining updates are
incremental changes added as needed.

So the first thing the patch does after computing the above is put together
the year, week and day into something like 2013-234 which is the correct
string for Thursday, 13 June, 2013. It then compares that to the string it
got from the TXT record, and if the one from the TXT record is >=, it just
accepts that and effectively does nothing, but if it's <, the patched code
replaces the string from the TXT record with its own and arbitrarily says
the update # is 99.

The patched ScamNailer then retrieves the base if necessary and the
sequential updates from the last cached one until it gets a 404 or some
other error (or retrieves update 99, but so far that hasn't happened). Then
it resets the update # to the last one retrieved and proceeds.

The rest of the patch just adds another condition around a piece of the code
to avoid the issue described in the comment.

I hope this explanation helps. The patched code has been working well for me
because the updates are actually being pushed to the update server(s), it's
just the information about the current update name that isn't there.

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan

From alex at vidadigital.com.pa Fri Jun 14 03:58:11 2013
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Thu, 13 Jun 2013 19:58:11 -0700
Subject: Rules and Tabs
In-Reply-To:
References:
Message-ID:

I believe they were once required but are now optional. That being said,
they make the file more easily readable.

On Thu, Jun 13, 2013 at 4:38 PM, Jerry Benton wrote:

> Does anyone know off hand if tabs are required in the spam black lists
> rules? I have been reviewing the documentation and it does not specifically
> state if this is required or not for these types of rules.
>
> Ex:
>
> From: bob at hi.com and To: domain.com yes
>
> or:
>
> From: bob at hi.com and To: domain.com yes
>
>
> --
>
> --
> Jerry Benton
> Mailborder Systems
> www.mailborder.com
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/
+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)
Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital
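Mark Sapiro's description of the ScamNailer update names and of his workaround (his ScamNailer message above), worked through as an added example; this is not ScamNailer's code nor Mark's patch. It assumes the week/day numbering matches C strftime %U/%w (Sunday = 0), which agrees with the dates in his message, and the fetch callback is a constructed stand-in for the HTTP download of one update file.

```python
"""Worked example of the ScamNailer update-naming scheme and the 'guess the
current update' workaround described in the message above.

Added example: not ScamNailer's code nor Mark Sapiro's patch. Assumptions:
the week/day numbering matches C strftime %U/%w (Sunday = 0), and fetch()
stands in for the HTTP download of one update file."""
import re
from datetime import date

# Names look like "emails.2013-164.6": year, two-digit week number, one-digit
# day of week and the update number within that day (0 = full base file).
UPDATE_RE = re.compile(r"^emails\.(\d{4})-(\d{2})(\d)\.(\d+)$")
GUESS_UPDATE = 99  # placeholder update number used when the TXT record is stale


def local_stamp(day):
    """Build the 'YYYY-WWD' part for a calendar day (use the GMT date).

    gmtime() gives no week number, so it is derived from the day of year and
    the weekday Jan 1 fell on; days before the first Sunday are week 0."""
    yday0 = day.timetuple().tm_yday - 1                    # 0-based day of year
    jan1_wday = (date(day.year, 1, 1).weekday() + 1) % 7   # Sunday = 0
    first_sunday = (7 - jan1_wday) % 7                     # yday0 of first Sunday
    week = (yday0 + 7 - first_sunday) // 7
    wday = (day.weekday() + 1) % 7                         # Sunday = 0
    return "%04d-%02d%d" % (day.year, week, wday)


def parse_update_name(name):
    """'emails.2013-164.6' -> ('2013-164', 6); None if the record is malformed."""
    m = UPDATE_RE.match(name.strip())
    if not m:
        return None
    return "%s-%s%s" % (m.group(1), m.group(2), m.group(3)), int(m.group(4))


def resolve_current(txt_value, today):
    """Return (stamp, update_no, overridden).

    If the TXT record is at or beyond today's stamp, trust it; if it is
    behind, use today's stamp and the placeholder update number."""
    parsed = parse_update_name(txt_value)
    today_stamp = local_stamp(today)
    if parsed is not None and parsed[0] >= today_stamp:
        return parsed[0], parsed[1], False
    return today_stamp, GUESS_UPDATE, True


def sync_updates(txt_value, today, cached, fetch):
    """Fetch the base if the day changed, then sequential updates until one
    is missing (404) or the target update number is reached.

    cached: (stamp, last_update) from the previous run, or None.
    fetch(stamp, n): body of update n for that day, or None on 404/error.
    Returns ((stamp, last_update_fetched), [update numbers fetched])."""
    stamp, target, _ = resolve_current(txt_value, today)
    fetched = []
    if cached is None or cached[0] != stamp:
        # New day or first run: the full base file (update 0) comes first.
        # If today's base is not published yet, keep the old state (assumption).
        if fetch(stamp, 0) is None:
            return cached, fetched
        fetched.append(0)
        last = 0
    else:
        last = cached[1]
    n = last + 1
    while n <= target:
        if fetch(stamp, n) is None:
            break
        fetched.append(n)
        last = n
        n += 1
    # Whatever was guessed, the update number to remember is the last one fetched.
    return (stamp, last), fetched


# Constructed stand-in for the update server: the files that exist today.
AVAILABLE = {("2013-234", 0), ("2013-234", 1), ("2013-234", 2)}


def fake_fetch(stamp, n):
    """Stand-in for downloading emails.<stamp>.<n>; None plays the 404."""
    return b"<update body>" if (stamp, n) in AVAILABLE else None


if __name__ == "__main__":
    today = date(2013, 6, 13)          # the Thursday in Mark's message
    stale_txt = "emails.2013-164.6"    # what the TXT record kept returning
    print(local_stamp(today))          # 2013-234
    print(resolve_current(stale_txt, today))
    print(sync_updates(stale_txt, today, ("2013-233", 3), fake_fetch))
```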
From brian.duncan at kattenlaw.com Fri Jun 14 14:23:49 2013
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Fri, 14 Jun 2013 13:23:49 +0000
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To: <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com>
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com>
        <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com>
Message-ID: <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com>

Looks like deleting the spamassassin cache made no difference.

This morning I received another spam that made it through.

This is what it scored when passed through Mailscanner/Spamassassin:

X-MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=0.8,
        required 6.5, BAYES_50 0.80, LOTS_OF_MONEY 0.00,
        RP_MATCHES_RCVD -0.00)

I moved it over to my mailscanner/spamassassin box within 30 seconds of
receiving it and this is what it scored on my Mailscanner box from the
command line doing spamassassin --test-mode < message.txt:

Content analysis details:   (14.6 hits, 6.5 required)

-0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 3.0 BAYES_60               BODY: Bayes spam probability is 60 to 80%
                            [score: 0.6460]
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
 8.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.1 FROM_12LTRDOM          From a 12-letter domain

------ End of SpamAssassin results, Original message follows --------

The really odd thing is, if I take the body and subject from the spam
message above and send it through a hotmail account I have (which I
whitelist, which is why that shows in the below results), this is what it
scores when passed through Mailscanner/Spamassassin:

X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (not cached,
        score=20.146, required 6.5, autolearn=spam, AWL -13.90,
        BAYES_50 0.80, FREEMAIL_ENVFROM_END_DIGIT 0.25, FREEMAIL_FROM 0.00,
        HTML_MESSAGE 0.00, LOTS_OF_MONEY 0.00, RAZOR2_CF_RANGE_51_100 0.50,
        RAZOR2_CF_RANGE_E8_51_100 2.50, RAZOR2_CHECK 8.50,
        RCVD_IN_DNSWL_NONE -0.00, RP_MATCHES_RCVD -0.00, SPF_PASS -0.00,
        URIBL_BLACK 10.00, URIBL_DBL_SPAM 5.00, URIBL_JP_SURBL 6.50)

This makes no sense to me; it's almost like this specific Spammer has
figured out a way to get Mailscanner to stop scanning portions of its
message.

I am going to turn off caching of spamassassin results next in my
mailscanner conf to see if that has any impact.

If anyone has any ideas please let me know.

Brian

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045  f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Duncan, Brian M.
Sent: Thursday, June 13, 2013 7:35 PM
To: MailScanner discussion
Subject: RE: Certain Spamassassin rules do not seem to be firing all of the time

Thanks for the suggestions Martin.

I don't have any specific user that I run as:

Run As User =

So I assume it is running as root? My tests with --test-mode were run as
root.. I do have the .spamassassin dir in root that has the bayes db's that
are the ones that get updated, and I did confirm there was nothing there
causing problems.

I took your advice and started by stopping Mailscanner and deleting the
cache and any orphaned files in the directories; hopefully that will have a
positive impact.

I assume it must be something odd like that; these messages started coming
through last week. I have to believe if all my rules were not firing since I
built that box a year or so ago I would have noticed this sooner.

One thing I noticed after taking other messages that failed due to body
checks that actually wind up tagged as Spam: most seem to have more rules
that fire off when I run them locally as root with --test-mode than what
they have in my mail client after they have come through.

I do see hits on messages for rules that ONLY exist in some of the rules in
the /var/lib/spamassassin/3.003001/updates_spamassassin_org directory. So I
know it is accessing those files, just not all of them for some reason at
certain times..
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130614/413d766f/attachment.html
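The comparison Brian is doing by hand in the messages above, made mechanical as an added example (not code from MailScanner, SpamAssassin or anyone in the thread): it parses the X-MailScanner-SpamCheck header and the --test-mode report for the same message, lists the rules that only the manual run hit, and reports whether every missing rule is one that needs a network lookup. The header and report are the ones quoted above; the list of network-dependent rule prefixes is an assumption.

```python
"""Compare the SpamAssassin rules that fired inside MailScanner (the
X-MailScanner-SpamCheck header) with the rules a manual
`spamassassin --test-mode` run hit on the same message.

Added example for the thread above; not MailScanner or SpamAssassin code.
The header and report below are the ones Brian quoted; the list of
network-dependent rule prefixes is an assumption."""
import re

# Rule families whose checks need a network lookup (DNS blocklists and
# whitelists, Razor, Pyzor, DCC, SPF, DKIM). Assumption: stock rule set.
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_", "RAZOR2_", "PYZOR_", "DCC_",
                    "SPF_", "DKIM_", "DNS_")

HEADER_RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+)\s+(-?\d+(?:\.\d+)?)")
HEADER_SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?),\s*required (\d+(?:\.\d+)?)")
REPORT_TOTAL_RE = re.compile(r"\((-?\d+(?:\.\d+)?) hits,\s*(\d+(?:\.\d+)?) required\)")
REPORT_RULE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")


def parse_spamcheck_header(value):
    """Parse an X-MailScanner-SpamCheck value (header name optional)."""
    value = re.sub(r"^\s*X-MailScanner-SpamCheck:\s*", "", value, flags=re.I)
    m = HEADER_SCORE_RE.search(value)
    return {
        "verdict": value.split(",", 1)[0].strip(),
        "cached": "(cached" in value,   # MailScanner's SpamAssassin cache hit
        "score": float(m.group(1)) if m else None,
        "required": float(m.group(2)) if m else None,
        "rules": {n: float(s) for n, s in HEADER_RULE_RE.findall(value)},
    }


def parse_test_mode_report(text):
    """Parse the 'Content analysis details' block printed by --test-mode;
    indented continuation lines ([URIs: ...], [score: ...]) are skipped."""
    result = {"score": None, "required": None, "rules": {}}
    for line in text.splitlines():
        m = REPORT_TOTAL_RE.search(line)
        if m:
            result["score"], result["required"] = float(m.group(1)), float(m.group(2))
            continue
        m = REPORT_RULE_RE.match(line)
        if m:
            result["rules"][m.group(2)] = float(m.group(1))
    return result


def is_network_rule(name):
    return name.startswith(NETWORK_PREFIXES)


def compare_paths(header_value, report_text):
    """Which rules did the manual run hit that the MailScanner run did not,
    how much score that cost, and were the missing rules all network ones?"""
    hdr = parse_spamcheck_header(header_value)
    rep = parse_test_mode_report(report_text)
    missing = {n: s for n, s in rep["rules"].items() if n not in hdr["rules"]}
    network = {n for n in missing if is_network_rule(n)}
    if not missing:
        verdict = "same rules fired"
    elif network == set(missing):
        verdict = "only network rules missing"
    else:
        verdict = "local rules missing too"
    return {
        "verdict": verdict,
        "cached": hdr["cached"],
        "mailscanner_score": hdr["score"],
        "manual_score": rep["score"],
        "lost_score": round(sum(missing.values()), 2),
        "missing_network": network,
        "missing_local": set(missing) - network,
        "manual_run_is_spam": rep["score"] is not None
        and rep["score"] >= rep["required"],
    }


# The header MailScanner added and the report Brian got for the same message.
SAMPLE_HEADER = ("X-MailScanner-SpamCheck: not spam, SpamAssassin (cached, "
                 "score=0.8, required 6.5, BAYES_50 0.80, DIET_1 0.00, "
                 "RP_MATCHES_RCVD -0.00)")
SAMPLE_REPORT = """\
Content analysis details:   (30.1 hits, 6.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 6.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: nthjus.com]
 0.0 DIET_1                 BODY: Lose Weight Spam
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            https://senderscore.org/blacklistlookup/
  10 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
-0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5001]
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
 8.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
"""
# Header from Brian's resend of the spam through a whitelisted hotmail account.
WHITELISTED_HEADER = (
    "X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (not cached, "
    "score=20.146, required 6.5, autolearn=spam, AWL -13.90, BAYES_50 0.80, "
    "FREEMAIL_ENVFROM_END_DIGIT 0.25, FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, "
    "LOTS_OF_MONEY 0.00, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 2.50, "
    "RAZOR2_CHECK 8.50, RCVD_IN_DNSWL_NONE -0.00, RP_MATCHES_RCVD -0.00, "
    "SPF_PASS -0.00, URIBL_BLACK 10.00, URIBL_DBL_SPAM 5.00, URIBL_JP_SURBL 6.50)")

if __name__ == "__main__":
    for key, val in compare_paths(SAMPLE_HEADER, SAMPLE_REPORT).items():
        print("%-20s %s" % (key, val))
```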
From maxsec at gmail.com Fri Jun 14 18:15:26 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 14 Jun 2013 18:15:26 +0100
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To: <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com>
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com>
        <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com>
        <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com>
Message-ID:

Very odd. Can you pastebin the raw email and drop the pastebin link so we can
run it over our systems to compare?
> So I know it is accessing those files, just not all of them for some reason > at certain times..**** > > ** ** > > I just took a message that made it through today for me: **** > > ** ** > > X-MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=0.8,**** > > required 6.5, BAYES_50 0.80, DIET_1 0.00, RP_MATCHES_RCVD > -0.00)**** > > ** ** > > When I check this message on my MailScanner box with Spamassassin as root > I get:**** > > ** ** > > Content analysis details: (30.1 hits, > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130614/3853e651/attachment.html From brian.duncan at kattenlaw.com Fri Jun 14 19:33:33 2013 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Fri, 14 Jun 2013 18:33:33 +0000
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To:
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com>
Message-ID: <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com>

http://pastebin.com/VQs2FSxK

I also tried disabling caching with SpamAssassin in my Mailscanner.conf today. I don't think it made a difference.. I don't have many examples today, it seems as if this specific spammer is only sending out a few today. The above example just came in within the last 15 minutes. It did manage to get classified as Spam, but when I compare what rules it hit on going through MailScanner/Spamassassin vs using the above text and scanning with --test-mode, some of the rules are not hitting when going through MailScanner/Spamassassin.

The rules it hits on for me through Mailscanner:

X-MailScanner-SpamCheck: spam, SpamAssassin (score=9.3, required 6.5, BAYES_50 0.80, LOTS_OF_MONEY 0.00, RAZOR2_CHECK 8.50, RP_MATCHES_RCVD -0.00)

The rules it hits on according to spamassassin --test-mode:

Content analysis details: (28.1 hits, 6.5 required)
 6.6 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]
 6.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist [URIs: eldmil.com]
 5.0 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist [URIs: eldmil.com]
  10 URIBL_BLACK Contains an URL listed in the URIBL blacklist [URIs: eldmil.com]
-0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 8.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 0.0 LOTS_OF_MONEY Huge... sums of money
-8.4 AWL AWL: From: address is in the auto white-list

------ End of SpamAssassin results, Original message follows --------

Thanks for your assistance.

Brian

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com
===========================================================
CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
===========================================================
CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies.
===========================================================
NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997).
===========================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130614/5a315a0a/attachment-0001.html

From brian.duncan at kattenlaw.com Fri Jun 14 20:11:25 2013
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Fri, 14 Jun 2013 19:11:25 +0000
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To: <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com>
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com>
Message-ID: <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com>

Here is one more that just came in to me and was not tagged as Spam:

http://pastebin.com/w8SJk660

Mailscanner/Spamassassin results:

X-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.999, required 6.5, BAYES_60 3.00, RP_MATCHES_RCVD -0.00)

--test-mode results:

Content analysis details: (10.5 hits, 6.5 required)
 6.6 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]
-0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100]
 8.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100]
-7.5 AWL AWL:
From: address is in the auto white-list

------ End of SpamAssassin results, Original message follows --------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130614/3da6d488/attachment.html

From maxsec at gmail.com Fri Jun 14 22:16:06 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 14 Jun 2013 22:16:06 +0100
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To: <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com>
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com>
Message-ID:

Hmm most of the extra rules you're hitting are dns based
I'd check you're running a local caching dns server on the scanning box and that you're not timing out the network checks in sa too quickly

Martin

--
--
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130614/afa54b77/attachment.html

From brian.duncan at kattenlaw.com Sat Jun 15 03:22:37 2013
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Sat, 15 Jun 2013 02:22:37 +0000
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To:
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com>
Message-ID: <946070139734074AA288505D2AD1D4CD04E9E551@CHI-US-MAIL-1B.us.kmz.com>

Thanks, yes I noticed that, they all do seem to be the DNS rules. I do have a caching DNS server but it is on the local network. I will try and see if the behavior changes at all by running one locally on the box itself.

When you say "that youre not timing out the network checks in sa too quickly" I have not changed anything in the defaults of Mailscanner or included any directives that would lower whatever time limits are set by default.

I took a look at the last example I put on pastebin, and it looks like it took 3 seconds to go from my Mailscanner box to my next gateway.

Received: from venus.kattenlaw.com ([10.18.3.33]) by us.kmz.com ([10.18.16.181]) with ESMTP (TREND IMSS SMTP Service 7.1) id 8e3c2381002025b2 ; Fri, 14 Jun 2013 14:01:09 -0500
Received: from a.loselit.net (a.loselit.net [66.96.254.156]) by venus.kattenlaw.com (8.13.8/8.13.4) with ESMTP id r5EJ13oK014449 for ; Fri, 14 Jun 2013 14:01:06 -0500

I am assuming the 3 seconds going from my incoming mail server Venus, to the next hop in my environment includes the time it took for the Spammer to send me the message.

I also don't see anything in my maillogs related to Spam Assassin timing out for anything.. I recall many years ago when we used to run systems with much less CPU power (10+) seeing Spam Assassin time outs.

Which BTW, at the peak of activity today the lowest idle %idle was 91.00 and that is because I turned off caching of SpamAssassin in Mailscanner to see if that had any impact.

I also looked at the local caching DNS server that is on the same switch as this box, and it was peaking at like 30 Kilobytes per second on UDP 53 requests from anything that uses it locally according to iptraf.

It also seems to be these messages from the same Spammer, as I said before if I take any of these message bodies and send them in myself I seem to get the DNS Spam Assassin hits then.

Really odd one..

Thanks for your help

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130615/75f6ec22/attachment.html

From maxsec at gmail.com Sat Jun 15 14:46:10 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat, 15 Jun 2013 14:46:10 +0100
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To: <946070139734074AA288505D2AD1D4CD04E9E551@CHI-US-MAIL-1B.us.kmz.com>
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9E551@CHI-US-MAIL-1B.us.kmz.com>
Message-ID:

Ok, you really need to put a local DNS server on the MailScanner box, doesn't matter if the DNS resolver is next to the server in the switch port, DNS is actually quite heavy on network traffic and hitting this all the time makes a huge difference. It can forward to the current machine, but the time this saves is actually quite noticeable.

That three seconds for the pass across seems very quick to me, esp as it's got all the DNS requests to process. I normally remove most of the RBLs from being scanned in Spamassassin by giving most of them a zero score (see 50_scores.cf in the DNSEval section). Also make sure you're updating SA rules regularly.

In fact it's almost as if you've got skip_rbl_checks set to 1 in a spamassassin .cf or MailScanner.conf file somewhere. I'd double check all the setup to make sure everything's OK, as it's really odd that you're getting DNS based hits in test mode but not in test mode.

Check the MailScanner.conf settings and any site MailScanner.conf, and also get rid of any .spamassassin dirs esp if there's anything in root's home dir (so I presume the MTA is sendmail?) to make sure that isn't overriding any settings. Check you've got one MailScanner.conf and not multiple ones, sometimes some distributions put the active file in 'non-standard' places.
--
Martin Hepworth, CISSP
Oxford, UK

> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130615/99eef3d6/attachment.html

From brian.duncan at kattenlaw.com Sat Jun 15 21:08:31 2013
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Sat, 15 Jun 2013 20:08:31 +0000 Subject: Certain Spamassassin rules do not seem to be firing all of the time In-Reply-To: References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9E551@CHI-US-MAIL-1B.us.kmz.com> Message-ID: <946070139734074AA288505D2AD1D4CD04E9F710@CHI-US-MAIL-1B.us.kmz.com> Thanks for the recommendations Martin. The way I have it setup in Mailscanner is if the sending mail server is on a RBL, (If it on at least 1 of the 4 RBLS we use with MailScanner) It becomes high scoring spam and is tagged and moved on, it does not get scanned by Spamassassin then. The one thing I never considered before was if Spamassassin is scanning the same sending mail server IP for being listed when it does not get caught by MailScanner as being on any of the 4 RB:'s I use. Not that it is causing my problem now, but that it is not very efficient if it is doing it again. (I would guess 80% of my mail never gets scanned by SpamAssassin each day because the sending mail gateway is blacklisted and it is marked as Spam and moves on) When you say: " I normally remove most of the RBL's from being scanned in Spamassassin by giving most of them a zero score (see 50_scores.cf in the DNSEval section)." I don't think I follow, are you saying Spamassassin is scanning the sending mail host again against the RBL's? So by giving them a zero score you are avoiding the double effort? This section has nothing to do with the URL/URI scanning that is happening? 
I assumed the rules that I have that are NOT hitting when it goes through MailScanner/Spamassassin have all been based on the URI/URL's in the body of the message. When I take these specific Spam messages that make it into my inbox, I am noticing they never hit on the same URIBL hits I get when I move the message locally to the box, if I take one of these URI based RBL checking rules like for example URIBL_BLACK, I have never seen that rule hit on ANY of these ones making it into my inbox. If I search my maillog from yesterday for every message that wound up being scanned by Spamassassin, I see that there were 1014 times that rule is listed on detected Spam. Last night I first tried setting up a caching bind server local to the box. Made no difference. I tried upgrading to MailScanner 4.84.5-3 after and updating to SpamAssassin 3.3.2-1 to see if that would make a difference, I even looked at the Perl modules that come with MailScanner, one of them was perl-Net-DNS-0.65-2, I was running perl-Net-DNS-0.65-1, was hoping that had something to do with this so I updated to .65-2 of that perl modules.. the rest all seemed to be the same version that comes with 4.84.5-3 (I was running 4.83.5-1 before I updated) I went over all my configs for both MailScanner and SpamAssassin, nothing seems wrong or set to low that would create the situation I am seeing. I did find I had the pyzor plugin loading in SpamAssassin but no exe, so I just disabled pyzor and verified in the -debug-sa that everything looks fine. I waited and sure enough it happened again today. We get less mail on the weekends so it took awhile waiting.. I have posted my MailScanner -debug-sa to pastebin if anyone can take a look and give me a recommendation of where to look next. I am almost out of things to try. Here is one -debug-sa: http://pastebin.com/C2XPs7D2 Then I kept running with -debug-sa till it caught one with a DNS based rule like URIBL_* rules. 
This one hits on those URIBL rules that are DNS based and it looks like everything is OK as far as I can tell. This is really the first time I have tried to debug a debug log from MailScanner/SpamAssassin before.

http://pastebin.com/iWMnJqf3

Thanks

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Saturday, June 15, 2013 8:46 AM To: MailScanner discussion Subject: Re: Certain Spamassassin rules do not seem to be firing all of the time

Ok, you really need to put a local DNS server on the MailScanner box. It doesn't matter if the DNS resolver is next to the server in the switch port; DNS is actually quite heavy on network traffic and hitting this all the time makes a huge difference. It can forward to the current machine, but the time this saves is actually quite noticeable.

That three seconds for the pass across seems very quick to me, esp. as it's got all the DNS requests to process. I normally remove most of the RBL's from being scanned in SpamAssassin by giving most of them a zero score (see 50_scores.cf in the DNSEval section). Also make sure you're updating SA rules regularly. In fact it's almost as if you've got skip_rbl_checks set to 1 in a SpamAssassin .cf or MailScanner.conf file somewhere.

I'd double check all the setup to make sure everything's OK, as it's really odd that you're getting DNS based hits in test mode but not in test mode. Check the MailScanner.conf settings and any site MailScanner.conf, and also get rid of any .spamassassin dirs, esp. if there's anything in root's home dir (so I presume the MTA is sendmail?), to make sure that isn't overriding any settings. Check you've got one MailScanner.conf and not multiple ones; sometimes some distributions put the active file in 'non-standard' places.

-- Martin Hepworth, CISSP Oxford, UK

On 15 June 2013 03:22, Duncan, Brian M. wrote:

Thanks, yes I noticed that, they all do seem to be the DNS rules. I do have a caching DNS server but it is on the local network. I will try and see if the behavior changes at all by running one locally on the box itself.

When you say "that you're not timing out the network checks in SA too quickly", I have not changed anything in the defaults of MailScanner or included any directives that would lower whatever time limits are set by default.

I took a look at the last example I put on pastebin, and it looks like it took 3 seconds to go from my MailScanner box to my next gateway.

Received: from venus.kattenlaw.com ([10.18.3.33]) by us.kmz.com ([10.18.16.181]) with ESMTP (TREND IMSS SMTP Service 7.1) id 8e3c2381002025b2 ; Fri, 14 Jun 2013 14:01:09 -0500
Received: from a.loselit.net (a.loselit.net [66.96.254.156]) by venus.kattenlaw.com (8.13.8/8.13.4) with ESMTP id r5EJ13oK014449 for ; Fri, 14 Jun 2013 14:01:06 -0500

I am assuming the 3 seconds going from my incoming mail server Venus to the next hop in my environment includes the time it took for the spammer to send me the message.

I also don't see anything in my maillogs related to SpamAssassin timing out for anything. I recall many years ago, when we used to run systems with much less CPU power (10+), seeing SpamAssassin time outs. Which BTW, at the peak of activity today the lowest %idle was 91.00, and that is because I turned off caching of SpamAssassin in MailScanner to see if that had any impact.

I also looked at the local caching DNS server that is on the same switch as this box, and it was peaking at like 30 kilobytes per second on UDP 53 requests from anything that uses it locally, according to iptraf.

It also seems to be these messages from the same spammer; as I said before, if I take any of these message bodies and send them in myself I seem to get the DNS SpamAssassin hits then.

Really odd one..

Thanks for your help

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Friday, June 14, 2013 4:16 PM To: MailScanner discussion Subject: Certain Spamassassin rules do not seem to be firing all of the time

Hmm, most of the extra rules you're hitting are DNS based. I'd check you're running a local caching DNS server on the scanning box and that you're not timing out the network checks in SA too quickly.

Martin

On Friday, 14 June 2013, Duncan, Brian M. wrote:

Here is one more that just came in to me and was not tagged as spam: http://pastebin.com/w8SJk660

MailScanner/SpamAssassin results:
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.999, required 6.5, BAYES_60 3.00, RP_MATCHES_RCVD -0.00)

--test-mode results:
Content analysis details: (10.5 hits, 6.5 required)
 6.6 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]
-0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100]
 8.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100]
-7.5 AWL AWL: From: address is in the auto white-list
------ End of SpamAssassin results, Original message follows --------

=========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. =========================================================== CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. =========================================================== NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997). ===========================================================

-- Martin Hepworth, CISSP Oxford, UK

-- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130615/841ea31f/attachment.html From ismailozatay at gmail.com Mon Jun 17 16:53:39 2013
From: ismailozatay at gmail.com (Ismail Ozatay) Date: Mon, 17 Jun 2013 18:53:39 +0300 Subject: quarantine error Message-ID:

Hi everyone,

I have installed MailScanner version 4.84.6-1 on a CentOS 6.4 x64 box with the Clam-0.96.5-SA-3.3.1 package and configured them with Postfix. Everything is working except quarantine. When I blacklist someone, it holds the mail but does not put it into the quarantine folder. If it is not blacklisted, MailScanner sends it to the Exchange without any problem. How can I handle this problem? Here you may see an example;

[root at avgw postfix]# cat /etc/postfix/header_checks
/^Received:/ HOLD

MailScanner.conf
----------------
MTA = postfix
Quarantine Dir = /var/spool/MailScanner/quarantine
Incoming Queue Dir = /var/spool/postfix/hold
Run As User = postfix
Run As Group = postfix
Outgoing Queue Dir = /var/spool/postfix/incoming
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no

Now I am trying to send an email from a blacklisted sender to the receiver;

Jun 17 18:18:03 avgw postfix/cleanup[6166]: D41361DF1E4: hold: header Received: from mail.xxx.com (mail.xxx.com [81.213.x.x]) by avgw.yyy.com (Postfix) with SMTP id D41361DF1E4 for <ysimsek at yyy.com>; Mon, 17 Jun 2013 18:17:44 +0300 (EEST) from mail.xxx.com[81.213.x.x]; from= to= proto=SMTP helo=
Jun 17 18:18:03 avgw postfix/cleanup[6166]: D41361DF1E4: message-id=<>
Jun 17 18:18:04 avgw MailScanner[6085]: New Batch: Scanning 1 messages, 892 bytes
Jun 17 18:18:04 avgw MailScanner[6085]: Virus and Content Scanning: Starting
Jun 17 18:18:04 avgw MailScanner[6085]: Virus Scanning completed at 21519 bytes per second
Jun 17 18:18:04 avgw MailScanner[6085]: Spam Checks: Starting
Jun 17 18:18:04 avgw MailScanner[6085]: Message D41361DF1E4.A7BA5 from 81.213.x.x (ismail at xxx.com) to yyy.com is spam (blacklisted)
Jun 17 18:18:04 avgw MailScanner[6085]: Spam Checks: Found 1 spam messages
Jun 17 18:18:04 avgw MailScanner[6085]: Non-delivery of spam: message D41361DF1E4.A7BA5 from ismail at xxx.com to xxx at yyy.com with subject
Jun 17 18:18:04 avgw MailScanner[6085]: Spam Actions: message D41361DF1E4.A7BA5 actions are store
Jun 17 18:18:04 avgw MailScanner[6170]: MailScanner E-Mail Virus Scanner version 4.84.6 starting...
Jun 17 18:18:04 avgw MailScanner[6170]: Reading configuration file /etc/MailScanner/MailScanner.conf
Jun 17 18:18:04 avgw MailScanner[6170]: Reading configuration file /etc/MailScanner/conf.d/README
Jun 17 18:18:04 avgw MailScanner[6170]: Read 872 hostnames from the phishing whitelist
Jun 17 18:18:04 avgw MailScanner[6170]: Read 3966 hostnames from the phishing blacklists
Jun 17 18:18:04 avgw MailScanner[6170]: Config: calling custom init function MailWatchLogging
Jun 17 18:18:04 avgw MailScanner[6170]: Started SQL Logging child
Jun 17 18:18:04 avgw MailScanner[6170]: Enabling SpamAssassin auto-whitelist functionality...
Jun 17 18:18:05 avgw MailScanner[6170]: Connected to Processing Attempts Database
Jun 17 18:18:05 avgw MailScanner[6170]: Found 5 messages in the Processing Attempts Database
Jun 17 18:18:05 avgw MailScanner[6170]: Using locktype = flock

[root at avgw postfix]# ll /var/spool/postfix/hold/
total 4
-rwx------ 1 postfix postfix 892 Jun 17 18:18 D41361DF1E4

As you can see, the held mail waits there. These are the permissions;

[root at avgw postfix]# ll /var/spool/postfix
total 56
drwx------. 2 postfix root 4096 Jun 17 18:17 active
drwx------. 2 postfix root 4096 Jun 16 03:05 bounce
drwx------. 2 postfix root 4096 Dec 3 2011 corrupt
drwx------. 15 postfix root 4096 Jun 17 11:01 defer
drwx------. 15 postfix root 4096 Jun 17 11:01 deferred
drwx------. 2 postfix root 4096 Dec 3 2011 flush
drwxrwsr-x. 2 postfix postfix 4096 Jun 17 18:18 hold
drwxrwsr-x. 2 postfix postfix 4096 Jun 17 18:18 incoming
drwx-wx---. 2 postfix postdrop 4096 Jun 17 18:01 maildrop
drwxr-xr-x. 2 root root 4096 Jun 16 03:37 pid
drwx------. 2 postfix root 4096 Jun 17 18:15 private
drwx--x---. 2 postfix postdrop 4096 Jun 17 18:15 public
drwx------. 2 postfix root 4096 Dec 3 2011 saved
drwx------. 2 postfix root 4096 Dec 3 2011 trace

[root at avgw postfix]# ll /var/spool/MailScanner/
total 4
drwxrwxrwt 9 postfix root 200 Jun 17 18:25 incoming
drwxrwx--- 5 postfix apache 4096 Jun 17 16:43 quarantine

[root at avgw ~]# MailScanner -V
Running on Linux avgw.eser.com 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS release 6.4 (Final)
This is Perl version 5.010001 (5.10.1)

This is MailScanner version 4.84.6
Module versions are: 1.00 AnyDBM_File 1.30 Archive::Zip 0.23 bignum 1.11 Carp 2.02 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.124 Data::Dumper 2.27 Date::Parse 1.03 DirHandle 1.06 Fcntl 2.77 File::Basename 2.14 File::Copy 2.02 FileHandle 2.08 File::Path 0.22 File::Temp 0.92 Filesys::Df 3.64 HTML::Entities 3.64 HTML::Parser 3.57 HTML::TokeParser 1.25 IO 1.14 IO::File 1.13 IO::Pipe 2.04 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.08 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.08 MIME::QuotedPrint 5.427 MIME::Tools 0.14 Net::CIDR 1.25 Net::IP 0.19 OLE::Storage_Lite 1.04 Pod::Escapes 3.13 Pod::Simple 1.17 POSIX 1.21 Scalar::Util 1.82 Socket 2.20 Storable 1.4 Sys::Hostname::Long 0.27 Sys::Syslog 1.40 Test::Pod 0.92 Test::Simple 1.9721 Time::HiRes 1.02 Time::localtime
Optional module versions are: 1.29 Archive::Tar 0.23 bignum 1.82 Business::ISBN 1.10 Business::ISBN::Data 1.08 Data::Dump 1.82 DB_File 1.27 DBD::SQLite 1.609 DBI 1.16 Digest 1.01 Digest::HMAC 2.39 Digest::MD5 2.12 Digest::SHA1 missing Encode::Detect 0.17015 Error 0.18 ExtUtils::CBuilder 2.2203 ExtUtils::ParseXS 2.38 Getopt::Long 0.44 Inline 1.08 IO::String 1.04 IO::Zlib 2.21 IP::Country 0.29 Mail::ClamAV 3.003001 Mail::SpamAssassin missing Mail::SPF missing Mail::SPF::Query missing Module::Build 0.20 Net::CIDR::Lite 0.65 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP 4.004 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 3.17 Test::Harness 0.95 Test::Manifest 2.0.0 Text::Balanced 1.40 URI 0.77 version 0.62 YAML

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130617/712d73a1/attachment.html From maxsec at gmail.com Mon Jun 17 18:47:20 2013
From: maxsec at gmail.com (Martin Hepworth) Date: Mon, 17 Jun 2013 18:47:20 +0100 Subject: quarantine error In-Reply-To: References: Message-ID:

Is the quarantine dir writable by the postfix user at all?

On Monday, 17 June 2013, Ismail Ozatay wrote:
> [...]

-- Martin Hepworth, CISSP Oxford, UK

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130617/9eab0e5e/attachment.html From ismailozatay at gmail.com Tue Jun 18 06:02:58 2013
From: ismailozatay at gmail.com (Ismail Ozatay) Date: Tue, 18 Jun 2013 08:02:58 +0300 Subject: quarantine error In-Reply-To: References: Message-ID:

Hi Martin,

Yes it is writable by postfix and apache.

Thanks.

On 17 June 2013 20:47, Martin Hepworth wrote:
> Is the quarantine dir writable by the postfix user at all?
>
> [...]

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130618/f8245322/attachment.html From maxsec at gmail.com Tue Jun 18 16:09:22 2013
From: maxsec at gmail.com (Martin Hepworth) Date: Tue, 18 Jun 2013 16:09:22 +0100 Subject: Certain Spamassassin rules do not seem to be firing all of the time In-Reply-To: <946070139734074AA288505D2AD1D4CD04E9F710@CHI-US-MAIL-1B.us.kmz.com> References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9E551@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9F710@CHI-US-MAIL-1B.us.kmz.com> Message-ID:

Really odd, seems to be suffering with network based rules, not just the URI ones but Razor as well.

Personally I always put all the RBL checks into SA rather than letting MailScanner do it by itself. That way no one RBL can false positive an email and the RBLs just add to the overall score.

What MTA are you running? And is there a .spamassassin directory in root's home dir?

-- Martin Hepworth, CISSP Oxford, UK

On 15 June 2013 21:08, Duncan, Brian M. wrote:
> [...]
I recall many years ago when we used to run systems with > much less CPU power (10+) seeing Spam Assassin time outs.**** > > **** > > Which BTW, at the peak of activity today the lowest idle %idle was 91.00 > and that is because I turned off caching of SpamAssassin in Mailscanner to > see if that had any impact.**** > > **** > > I also looked at the local caching DNS server that is on the same switch > as this box, and it was peaking at like 30 Kilobytes per second on UDP 53 > requests from anything that uses it locally according to iptraf.**** > > **** > > It also seems to be these messages from the same Spammer, as I said before > if I take any of these message bodies and send them in myself I seem to get > the DNS Spam Assassin hits then. **** > > **** > > Really odd one..**** > > **** > > Thanks for your help**** > > **** > > **** > > **** > > BRIAN M. DUNCAN > Data Security Administrator > Katten Muchin Rosenman LLP > 525 W. Monroe Street / Chicago, IL 60661-3693 > p / (312) 577-8045 f / (312) 577-4490 > brian.duncan at kattenlaw.com / www.kattenlaw.com > **** > > **** > > *From:* mailscanner-bounces at lists.mailscanner.info [mailto: > mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Martin Hepworth > *Sent:* Friday, June 14, 2013 4:16 PM > *To:* MailScanner discussion > *Subject:* Certain Spamassassin rules do not seem to be firing all of the > time**** > > **** > > Hmm most if the extra rules youre hitting are dns based**** > > I'd check youre running a local caching dns server on the scanning box and > that youre not timing out the network checks in sa too quickly**** > > **** > > Martin > > On Friday, 14 June 2013, Duncan, Brian M. 
wrote:**** > > Here is one more that just came in to me and was not tagged as Spam:**** > > **** > > http://pastebin.com/w8SJk660**** > > **** > > **** > > Mailscanner/Spamassassin results:**** > > **** > > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.999, required 6.5, > **** > > BAYES_60 3.00, RP_MATCHES_RCVD -0.00)**** > > **** > > **** > > --test-mode results:**** > > **** > > Content analysis details: (10.5 hits, 6.5 required)**** > > 6.6 BAYES_99 BODY: Bayes spam probability is 99 to 100%**** > > [score: 1.0000]**** > > -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay > domain**** > > 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level**** > > above 50%**** > > [cf: 100]**** > > 8.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)**** > > 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%**** > > [cf: 100]**** > > -7.5 AWL AWL: 
From: address is in the auto white-list** > ** > > **** > > ------ End of SpamAssassin results, Original message follows --------**** > > **** > > ===========================================================**** > > CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue**** > > Service, any tax advice contained herein is not intended or written to be used and cannot be used**** > > by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.**** > > ===========================================================**** > > CONFIDENTIALITY NOTICE:**** > > This electronic mail message and any attached files contain information intended for the exclusive**** > > use of the individual or entity to whom it is addressed and may contain information that is**** > > proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you**** > > are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or **** > > distribution of this information may be subject to legal restriction or sanction. 
Please notify**** > > the sender, by electronic mail or telephone, of any unintended recipients and delete the original **** > > message without making any copies.**** > > ===========================================================**** > > NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has**** > > elected to be governed by the Illinois Uniform Partnership Act (1997).**** > > ===========================================================**** > > > > -- > -- > Martin Hepworth, CISSP > Oxford, UK**** > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!**** > > ** ** > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130618/31a09fe7/attachment.html From Kevin_Miller at ci.juneau.ak.us Tue Jun 18 18:34:25 2013 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue, 18 Jun 2013 09:34:25 -0800 Subject: update bad phishing sites broken? Message-ID: I've been seeing this for the last 12 hours or so. Is the server down? ------------ running hourly cronjob scripts SCRIPT: update_bad_phishing_sites exited with RETURNCODE = 9. ?...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 From brian.duncan at kattenlaw.com Tue Jun 18 19:40:38 2013 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Tue, 18 Jun 2013 18:40:38 +0000
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To:
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9E551@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9F710@CHI-US-MAIL-1B.us.kmz.com>
Message-ID: <946070139734074AA288505D2AD1D4CD04EA515C@CHI-US-MAIL-1B.us.kmz.com>

Yeah I know it's very weird and I can't track it down.

Yesterday, I tried removing the Net::DNS perl module (.65 is what MailScanner, and I believe SpamAssassin, use by default) and compiling 0.72 in the hopes that it had something to do with that. Nope, still happening today. Fortunately it only seems to be letting a few Spam in overall. It just happens when there is a black listed domain that is used in a URL that is sent by a non-blacklisted gateway where I get caught by this issue.

I am using Sendmail. Yes there is a .spamassassin directory in root, where the bayes db's are located and autowhitelist db's (I have autowhite list disabled for the moment). The user_prefs file has no directives set in it, they are all #'ed out.

I don't specify a run as user in my MailScanner.conf, and according to ps all the MailScanner processes are running as root, and my spamassassin --test-mode I have run as root.

I turned on skip_rbl_checks 1 yesterday, since I detect RBL'ed hosts using MailScanner I figured it was kind of pointless to do it again with SpamAssassin.

I also tried tweaking rbl_timeout to 60 seconds instead of 30, what it was before, because I did find someone else reporting a similar issue to mine. Back in 2007 someone was reporting this same behavior: rules were not hitting when using Amavis with Spamassassin, but then when you ran them through Spamassassin they worked, and I believe it was the same types of rules I am not hitting on through MailScanner. And the issue wound up being Net::DNS.

http://www.gossamer-threads.com/lists/spamassassin/users/102307?do=post_view_threaded#102307

If I can't figure this out, I might attempt a fresh install of Cent OS 6.4 and fresh install of MailScanner and SpamAssassin. Just don't have the time for a full re-install right now.

Yeah I prefer doing the RBL's with MailScanner because it uses so little CPU to perform those tests. I mark as Spam probably as high as 80% of my incoming mail just on the RBL checks through MailScanner. Spamassassin only has to process like 20% of my Spam mail then. Since we pass everything through and assign the Microsoft SCL score based on if it failed Spam checks, the users can whitelist if someone winds up on an RBL or they want what most consider Spam.

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Tuesday, June 18, 2013 10:09 AM
To: MailScanner discussion
Subject: Re: Certain Spamassassin rules do not seem to be firing all of the time

Really odd, seems to be suffering with network based rules, not just the URI ones but razor as well.

Personally I always put all the RBL checks into SA rather than letting MailScanner do it by itself. That way no 1 rbl can false positive an email and the RBL just add to the overall score.

What MTA are you running? And is there a .spamassassin directory in root's home dir?

--
Martin Hepworth, CISSP
Oxford, UK

On 15 June 2013 21:08, Duncan, Brian M. wrote:

Thanks for the recommendations Martin.

The way I have it setup in Mailscanner is if the sending mail server is on a RBL (if it is on at least 1 of the 4 RBLs we use with MailScanner) it becomes high scoring spam and is tagged and moved on; it does not get scanned by Spamassassin then.

The one thing I never considered before was if Spamassassin is scanning the same sending mail server IP for being listed when it does not get caught by MailScanner as being on any of the 4 RBL's I use. Not that it is causing my problem now, but that it is not very efficient if it is doing it again. (I would guess 80% of my mail never gets scanned by SpamAssassin each day because the sending mail gateway is blacklisted and it is marked as Spam and moves on)

When you say: "I normally remove most of the RBL's from being scanned in Spamassassin by giving most of them a zero score (see 50_scores.cf in the DNSEval section)."

I don't think I follow, are you saying Spamassassin is scanning the sending mail host again against the RBL's? So by giving them a zero score you are avoiding the double effort? This section has nothing to do with the URL/URI scanning that is happening?
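The comparison Brian is doing by hand in this thread (the live X-MailScanner-SpamCheck header against a --test-mode re-scan of the same message) can be scripted so the gap is classified automatically. What follows is an added example written for this page, not code from MailScanner or SpamAssassin. It parses the two result formats as they appear in the thread, lists the rules that fired only in the test-mode run, flags which of those depend on network lookups (the URIBL_, RCVD_IN_, RAZOR2_, PYZOR_, DCC_ and DNS_ prefixes, a list of my own choosing rather than anything SpamAssassin publishes), and notes when the two runs landed in different BAYES_ buckets, which points at two separate Bayes databases, the .spamassassin-in-root's-home situation Martin asks about. The sample inputs are the header and report Brian posted, re-wrapped.

```python
"""Triage a live MailScanner/SpamAssassin verdict against a --test-mode re-scan.

Added diagnostic example for this thread; not MailScanner or SpamAssassin code.
"""
import re

# Rule-name prefixes treated as "needs the network" (DNS lists, Razor, Pyzor, DCC).
# Assumption: this list is ours; SpamAssassin does not publish such a prefix table.
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_", "RAZOR2_", "PYZOR_", "DCC_", "DNS_")

# X-MailScanner-SpamCheck: ... SpamAssassin (score=2.999, required 6.5, RULE 1.00, ...)
_HEADER_RE = re.compile(
    r"SpamAssassin \(score=(?P<score>-?\d+(?:\.\d+)?), required (?P<req>\d+(?:\.\d+)?)"
    r"(?:, (?P<rules>[^)]*))?\)"
)
_RULE_SCORE_RE = re.compile(r"\b([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)")

# "Content analysis details: (10.5 hits, 6.5 required)" followed by " 6.6 RULE_NAME desc"
_REPORT_HEAD_RE = re.compile(r"\((?P<score>-?\d+(?:\.\d+)?) hits, (?P<req>\d+(?:\.\d+)?) required\)")
_REPORT_RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b", re.MULTILINE)

# Constructed from the values Brian posted; the header is folded as an MTA would fold it.
LIVE_HEADER = (
    "X-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.999, required 6.5,\n"
    "\tBAYES_60 3.00, RP_MATCHES_RCVD -0.00)"
)
TEST_MODE_REPORT = """\
Content analysis details:   (10.5 hits, 6.5 required)

 6.6 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
-0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 8.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
-7.5 AWL                    AWL: From: address is in the auto white-list
"""


def parse_spamcheck_header(header):
    """Return score, threshold and {rule: score} from an X-MailScanner-SpamCheck header."""
    text = " ".join(part.strip() for part in header.splitlines())  # unfold continuation lines
    m = _HEADER_RE.search(text)
    if not m:
        raise ValueError("no SpamAssassin result found in header")
    rules = {name: float(score) for name, score in _RULE_SCORE_RE.findall(m.group("rules") or "")}
    return {"score": float(m.group("score")), "required": float(m.group("req")), "rules": rules}


def parse_test_mode_report(report):
    """Return score, threshold and {rule: score} from spamassassin --test-mode output.

    Continuation lines such as "[score: 1.0000]" do not start with a number and are skipped.
    """
    m = _REPORT_HEAD_RE.search(report)
    if not m:
        raise ValueError("no 'Content analysis details' line found in report")
    rules = {name: float(score) for score, name in _REPORT_RULE_RE.findall(report)}
    return {"score": float(m.group("score")), "required": float(m.group("req")), "rules": rules}


def is_network_rule(name):
    return name.startswith(NETWORK_PREFIXES)


def triage(live_header, test_report):
    """Diff the two rule sets and say where the discrepancy is likely to come from."""
    live = parse_spamcheck_header(live_header)
    test = parse_test_mode_report(test_report)
    missing_live = sorted(set(test["rules"]) - set(live["rules"]))
    only_live = sorted(set(live["rules"]) - set(test["rules"]))
    live_bayes = {r for r in live["rules"] if r.startswith("BAYES_")}
    test_bayes = {r for r in test["rules"] if r.startswith("BAYES_")}
    return {
        "live_score": live["score"],
        "test_score": test["score"],
        "required": live["required"],
        "missing_live": missing_live,
        # Network-dependent rules absent from the live run: resolver, timeout or skip_rbl_checks territory.
        "network_missing": [r for r in missing_live if is_network_rule(r)],
        "only_live": only_live,
        # Different BAYES_* buckets mean the two runs consulted different Bayes databases.
        "bayes_mismatch": bool(live_bayes and test_bayes and live_bayes != test_bayes),
        # True when the live run said ham but the re-scan crossed the spam threshold.
        "verdict_flipped": live["score"] < live["required"] <= test["score"],
    }


if __name__ == "__main__":
    for key, value in triage(LIVE_HEADER, TEST_MODE_REPORT).items():
        print(f"{key}: {value}")
```

Run on the posted sample, the three RAZOR2_* rules come out as the network rules missing from the live scan, BAYES_60 versus BAYES_99 is flagged as a Bayes database mismatch, and the verdict is reported as flipped (2.999 live against 10.5 in test mode with a 6.5 threshold). Feeding it the pairs Brian is collecting from the maillog and pastebin would show whether every miss is network-bound, which is the hypothesis Martin's DNS and timeout advice rests on.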
From maxsec at gmail.com Wed Jun 19 11:30:16 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed, 19 Jun 2013 11:30:16 +0100
Subject: Certain Spamassassin rules do not seem to be firing all of the time
In-Reply-To: <946070139734074AA288505D2AD1D4CD04EA515C@CHI-US-MAIL-1B.us.kmz.com>
References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9E551@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9F710@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04EA515C@CHI-US-MAIL-1B.us.kmz.com>
Message-ID:

Maybe you can use sendmail to call-out for valid recipients first; I find this drops HUGE amounts of traffic dead before it gets anywhere near MailScanner, easily 50% and maybe higher.

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:reject_non_existent_users

--
Martin Hepworth, CISSP
Oxford, UK

On 18 June 2013 19:40, Duncan, Brian M. wrote:

> Yeah I know it's very weird and I can't track it down.
>
> Yesterday, I tried removing the Net::DNS perl module (.65 is what MailScanner, and I believe SpamAssassin, use by default) and compiling 0.72 in the hopes that it had something to do with that. Nope, still happening today. Fortunately it only seems to be letting a few Spam in overall. It just happens when there is a black listed domain that is used in a URL that is sent by a non-blacklisted gateway where I get caught by this issue.
>
> I am using Sendmail.
Monroe Street / Chicago, IL 60661-3693 > p / (312) 577-8045 f / (312) 577-4490 > brian.duncan at kattenlaw.com / www.kattenlaw.com > **** > > **** > > *From:* mailscanner-bounces at lists.mailscanner.info [mailto: > mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Martin Hepworth > *Sent:* Friday, June 14, 2013 4:16 PM > *To:* MailScanner discussion > *Subject:* Certain Spamassassin rules do not seem to be firing all of the > time**** > > **** > > Hmm most if the extra rules youre hitting are dns based**** > > I'd check youre running a local caching dns server on the scanning box and > that youre not timing out the network checks in sa too quickly**** > > **** > > Martin > > On Friday, 14 June 2013, Duncan, Brian M. wrote:**** > > Here is one more that just came in to me and was not tagged as Spam:**** > > **** > > http://pastebin.com/w8SJk660**** > > **** > > **** > > Mailscanner/Spamassassin results:**** > > **** > > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.999, required 6.5, > **** > > BAYES_60 3.00, RP_MATCHES_RCVD -0.00)**** > > **** > > **** > > --test-mode results:**** > > **** > > Content analysis details: (10.5 hits, 6.5 required)**** > > 6.6 BAYES_99 BODY: Bayes spam probability is 99 to 100%**** > > [score: 1.0000]**** > > -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay > domain**** > > 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level**** > > above 50%**** > > [cf: 100]**** > > 8.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)**** > > 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%**** > > [cf: 100]**** > > -7.5 AWL AWL: 
From: address is in the auto white-list** > ** > > **** > > ------ End of SpamAssassin results, Original message follows --------**** > > **** > > ===========================================================**** > > CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue**** > > Service, any tax advice contained herein is not intended or written to be used and cannot be used**** > > by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.**** > > ===========================================================**** > > CONFIDENTIALITY NOTICE:**** > > This electronic mail message and any attached files contain information intended for the exclusive**** > > use of the individual or entity to whom it is addressed and may contain information that is**** > > proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you**** > > are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or **** > > distribution of this information may be subject to legal restriction or sanction. 
Please notify**** > > the sender, by electronic mail or telephone, of any unintended recipients and delete the original **** > > message without making any copies.**** > > ===========================================================**** > > NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has**** > > elected to be governed by the Illinois Uniform Partnership Act (1997).**** > > ===========================================================**** > > > > -- > -- > Martin Hepworth, CISSP > Oxford, UK**** > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!**** > > **** > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!**** > > ** ** > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130619/755f5b52/attachment.html From mark at msapiro.net Wed Jun 19 21:05:59 2013 
From: mark at msapiro.net (Mark Sapiro) Date: Wed, 19 Jun 2013 13:05:59 -0700 Subject: ScamNailer update STILL not working In-Reply-To: <51B3CFE3.10500@msapiro.net> References: <51B3CFE3.10500@msapiro.net> Message-ID: <51C20F27.4030401@msapiro.net> Mark Sapiro wrote: > ScamNailer gets the information about current data by doing a DNS lookup > of a TXT record for emails.msupdate.greylist.bastionmail.com. For over 6 > weeks, this has been returning "emails.2013-164.6", i.e. week 16, day 4 > update 6. It is currently week 23, day 0. It's now even worse. Currently the only TXT record for emails.msupdate.greylist.bastionmail.com is an SPF record "v=spf1 a -all". This causes ScamNailer to die with "Failed to retrieve valid current details\n". I have attached the latest version of my patch which works around this. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- --- ScamNailer-2.10 2012-03-05 03:04:14.000000000 -0800 +++ ScamNailer.new 2013-06-19 12:46:23.000000000 -0700 @@ -18,6 +18,7 @@ use LWP::UserAgent; use FileHandle; use DirHandle; +use Time::Local; # Output filename, goes into SpamAssassin. Can be over-ridden by just # adding the output filename on the command-line when you run this script. @@ -137,7 +138,8 @@ sub GetPhishingUpdate { my $cache = $emailscurrent . 'cache/'; my $status = $emailscurrent . 'status'; - my $urlbase = "http://cdn.mailscanner.info/emails."; +# my $urlbase = "http://cdn.mailscanner.info/emails."; + my $urlbase = "http://www.mailscanner.eu/emails."; my $target= $emailscurrent . 'phishing.emails.list'; my $query="emails.msupdate.greylist.bastionmail.com"; 
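Review bot: the `$urlbase` change in the second hunk is unrelated to the stale TXT record this patch is about and belongs in a separate patch with its own explanation (the follow-up message below drops it for exactly that reason). If it is kept, remove the old `my $urlbase = "http://cdn.mailscanner.info/emails.";` line instead of leaving it commented out. Note also that the update list which, per the header comment, "goes into SpamAssassin" is still fetched over plain `http://` with no checksum or signature, so pointing the script at a different host is a trust decision: whoever controls `www.mailscanner.eu`, or the network path to it, controls what lands in the rule file, and that deserves a sentence in the patch description.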
@@ -212,9 +214,23 @@ last; } } + if ($currentbase == -1) { + $currentbase = 0; + $currentupdate = 0; + warn "No appropriate TXT found at $query.\n"; + } } - die "Failed to retrieve valid current details\n" if $currentbase eq "-1"; + + my $day = (gmtime)[6]; + my $year = (gmtime)[5] + 1900; + my $janone = (gmtime(timegm(0,0,0,1,0,$year-1900)))[6]; + my $week = sprintf ("%02d", int (((gmtime)[7] + $janone) / 7)); + my $mybase = "$year-$week$day"; + if ($currentbase lt $mybase) { + $currentbase = $mybase; + $currentupdate = 99; + } print "I am working with: Current: $currentbase - $currentupdate and Status: $status_base - $status_update\n" unless $quiet; @@ -273,8 +289,10 @@ #print "Getting $urlbase . $currentbase.$i\n" unless $quiet; my $req = HTTP::Request->new(GET => $urlbase.$currentbase.".".$i); my $res = $ua->request($req); - warn "Failed to retrieve $urlbase$currentbase.$i" - unless $res->is_success; + unless ($res->is_success) { + warn "Failed to retrieve $urlbase$currentbase.$i"; + $currentupdate = $i - 1; + } my $line; foreach $line (split("\n", $res->content)) { # Is it an addition? @@ -299,6 +317,12 @@ } } } + # Because of our guess and retrieve until error strategy, we could be + # here without having retrieved any new updates which will result in + # our cached $status_update being erased. This does no real harm, but + # it causes extra work on the next run. To avoid this we skip the next + # section in that case. + if (!($status_update eq $currentupdate)) { # OK do we have a previous version to work from? if ($status_update>0) { # Yes - we open the most recent version @@ -341,6 +365,7 @@ } } close (FILEOUT); + } } } From mark at msapiro.net Wed Jun 19 21:13:14 2013 
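Review bot: in the @@ -212 hunk, `if ($currentbase == -1)` compares numerically where the `die` it replaces used `eq "-1"`; `$currentbase` normally holds a string such as `2013-164`, which numifies to 2013 and emits an "isn't numeric" warning on every run under `use warnings`. Use `if ($currentbase eq "-1")` to match the original test. Separately, `$currentupdate = 99` is a sentinel that only terminates because a later hunk lowers `$currentupdate` on the first failed fetch; a reader of this hunk alone sees an unbounded guess, so say so in a comment next to the 99.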
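Review bot: in the @@ -273 hunk a failed GET now lowers `$currentupdate` but does not leave the loop, so control falls straight into `foreach $line (split("\n", $res->content))` with the body of the error response (typically an HTML 404 page) and scans it for additions and deletions. Add `last;` after `$currentupdate = $i - 1;` so nothing from a failed fetch is ever parsed as list content; that also turns the "guess and retrieve until error strategy" mentioned in the comment further down into something visible in the code.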
From: mark at msapiro.net (Mark Sapiro) Date: Wed, 19 Jun 2013 13:13:14 -0700 Subject: ScamNailer update STILL not working In-Reply-To: <51C20F27.4030401@msapiro.net> References: <51B3CFE3.10500@msapiro.net> <51C20F27.4030401@msapiro.net> Message-ID: <51C210DA.6080409@msapiro.net> On 06/19/2013 01:05 PM, Mark Sapiro wrote: > > I have attached the latest version of my patch which works around this. That patch contained a bit that isn't part of this issue. It wouldn't hurt, but here's a patch without that extra bit. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- --- ScamNailer-2.10 2012-03-05 03:04:14.000000000 -0800 +++ ScamNailer.new 2013-06-19 13:08:56.000000000 -0700 @@ -18,6 +18,7 @@ use LWP::UserAgent; use FileHandle; use DirHandle; +use Time::Local; # Output filename, goes into SpamAssassin. Can be over-ridden by just # adding the output filename on the command-line when you run this script. @@ -212,9 +213,23 @@ last; } } + if ($currentbase == -1) { + $currentbase = 0; + $currentupdate = 0; + warn "No appropriate TXT found at $query.\n"; + } } - die "Failed to retrieve valid current details\n" if $currentbase eq "-1"; + + my $day = (gmtime)[6]; + my $year = (gmtime)[5] + 1900; + my $janone = (gmtime(timegm(0,0,0,1,0,$year-1900)))[6]; + my $week = sprintf ("%02d", int (((gmtime)[7] + $janone) / 7)); + my $mybase = "$year-$week$day"; + if ($currentbase lt $mybase) { + $currentbase = $mybase; + $currentupdate = 99; + } print "I am working with: Current: $currentbase - $currentupdate and Status: $status_base - $status_update\n" unless $quiet; 
@@ -273,8 +288,10 @@ #print "Getting $urlbase . $currentbase.$i\n" unless $quiet; my $req = HTTP::Request->new(GET => $urlbase.$currentbase.".".$i); my $res = $ua->request($req); - warn "Failed to retrieve $urlbase$currentbase.$i" - unless $res->is_success; + unless ($res->is_success) { + warn "Failed to retrieve $urlbase$currentbase.$i"; + $currentupdate = $i - 1; + } my $line; foreach $line (split("\n", $res->content)) { # Is it an addition? @@ -299,6 +316,12 @@ } } } + # Because of our guess and retrieve until error strategy, we could be + # here without having retrieved any new updates which will result in + # our cached $status_update being erased. This does no real harm, but + # it causes extra work on the next run. To avoid this we skip the next + # section in that case. + if (!($status_update eq $currentupdate)) { # OK do we have a previous version to work from? if ($status_update>0) { # Yes - we open the most recent version @@ -341,6 +364,7 @@ } } close (FILEOUT); + } } } From brian.duncan at kattenlaw.com Thu Jun 20 14:25:19 2013 
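Review bot: `if (!($status_update eq $currentupdate))` in the @@ -299 hunk reads more naturally as `if ($status_update ne $currentupdate)`, and the brace that closes it arrives separately as the lone `+ }` in the @@ -341 hunk with the enclosed block left at its old indentation, so nothing in either hunk shows which `if` that brace belongs to. Either re-indent the wrapped section or label the closing brace (`} # end: new updates were retrieved`) so the pairing survives review and the next merge.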
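Mark's description above of how ScamNailer finds the current data (a TXT record at emails.msupdate.greylist.bastionmail.com holding a value like emails.2013-164.6, read as week 16, day 4, update 6, against a current week 23, day 0) is enough to write a small checker for that pointer. The script below is an added example in Python, not ScamNailer's own code: it accepts only a well-formed pointer (so the SPF record "v=spf1 a -all" the name currently returns is reported as "no pointer" instead of aborting the run), computes the base string for a given date, and decides whether the pointer is current, stale, or ahead of the local clock. The week numbering (Sunday-started weeks counted from the week containing 1 January, day of week with Sunday as 0) is an assumption reconstructed from the values quoted in the thread and agrees with the dates Mark gives; the real script's handling is the Perl in his patch, not this.

```python
"""Parse and sanity-check the ScamNailer update pointer (added example, see lead-in)."""
import re
from datetime import date

# Only a well-formed pointer "emails.YYYY-WWD.N" is accepted; an SPF record or
# anything else is treated as "no pointer" rather than as a fatal error.
_POINTER_RE = re.compile(r"^emails\.(\d{4}-\d{2}[0-6])\.(\d+)$")


def parse_update_pointer(txt):
    """Return (base, update) for a value like "emails.2013-164.6", else None."""
    m = _POINTER_RE.match(txt.strip().strip('"'))
    if not m:
        return None
    return m.group(1), int(m.group(2))


def expected_base(day):
    """Base string "YYYY-WWD" for a date (datetime.date or ISO "YYYY-MM-DD").

    Assumption reconstructed from the thread's values: weeks start on Sunday,
    week 0 is the week containing 1 January, and D is the weekday with Sunday = 0
    (9 June 2013 -> "2013-230", 25 April 2013 -> "2013-164").
    """
    if isinstance(day, str):
        day = date.fromisoformat(day)
    jan_one_wday = (date(day.year, 1, 1).weekday() + 1) % 7   # Sunday = 0
    yday = day.timetuple().tm_yday - 1                        # 0-based day of year
    week = (yday + jan_one_wday) // 7
    wday = (day.weekday() + 1) % 7
    return "%d-%02d%d" % (day.year, week, wday)


def choose_update_base(txt, today):
    """Decide where to fetch updates from, given the TXT value and today's date.

    Returns (base, last_update, reason). last_update is None when the pointer
    cannot be trusted and the caller has to probe update files in order until
    one is missing, which is the strategy the patch in the thread adopts.
    """
    local = expected_base(today)
    parsed = parse_update_pointer(txt)
    if parsed is None:
        return local, None, "no update pointer in TXT record"
    base, update = parsed
    # Fixed-width "YYYY-WWD" strings compare chronologically.
    if base < local:
        return local, None, "pointer %s is older than today (%s)" % (base, local)
    if base > local:
        return base, update, "pointer %s is ahead of local clock; check time sync" % base
    return base, update, "pointer is current"


if __name__ == "__main__":
    # The two values seen in the thread: the stuck pointer and the SPF record.
    for txt in ("emails.2013-164.6", "v=spf1 a -all"):
        print(txt, "->", choose_update_base(txt, "2013-06-09"))
```

Run against the record as it was on 9 June the first value comes back as stale with the local base 2013-230 and no trusted update number, and the SPF record comes back as "no update pointer"; either way the caller can fall back to probing rather than dying. The "ahead of local clock" branch is there because a pointer newer than today is more likely a clock problem on the scanning box than a real update.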
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Thu, 20 Jun 2013 13:25:19 +0000 Subject: Certain Spamassassin rules do not seem to be firing all of the time In-Reply-To: References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9E551@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9F710@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04EA515C@CHI-US-MAIL-1B.us.kmz.com> Message-ID: <946070139734074AA288505D2AD1D4CD04EA986C@CHI-US-MAIL-1B.us.kmz.com> I already do that in a sense.. I don't have it call out, but I export all my SMTP aliases from AD and add them to the access file on my sendmail servers and reject all other mail to my domain, so the rest is discarded to non existent users, and it saves with dealing with all the NDR's Well it looks like I bought myself some time. Even though I have NOT figured out what is going on here, since I disabled auto white listing the other day, it looks like the majority of these Spam messages that were making it through before because they were NOT hitting on these different URIBLS are getting tagged from Bayes hits now. And since the AWL is not factoring into it, 98% of them are getting labeled as Spam. I am probably just going to rebuild my primary mail server and re-install Mailscanner and Spamassassin in a few weeks and see if this problem goes away. I still think there is something unique with these particular Spam emails. These messages I am talking about, I have NEVER seen URIBL_BLACK ever fire on. 
(But it does fire on it when I manually scan with spamassassin --test-mode.)

Yesterday I had plenty of other emails where it does fire on that rule:

[root at venus log]# cat maillog.1 | grep -i "URIBL_BLACK" | wc -l
2971

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Wednesday, June 19, 2013 5:30 AM
To: MailScanner discussion
Subject: Re: Certain Spamassassin rules do not seem to be firing all of the time

maybe you can use sendmail to call-out for valid recipients first, I find this drops HUGE amounts of traffic dead before it gets anywhere near MailScanner, easily 50% and maybe higher

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:reject_non_existent_users

--
Martin Hepworth, CISSP
Oxford, UK

On 18 June 2013 19:40, Duncan, Brian M. wrote:

Yeah I know it's very weird and I can't track it down. Yesterday, I tried removing the Net::DNS perl module (0.65 is what MailScanner, and I believe SpamAssassin, use by default) and compiling 0.72 in the hopes that it had something to do with that. Nope, still happening today. Fortunately it only seems to be letting a few Spam in overall. It just happens when there is a blacklisted domain that is used in a URL that is sent by a non-blacklisted gateway where I get caught by this issue.

I am using Sendmail. Yes there is a .spamassassin directory in root, where the bayes db's are located and autowhitelist db's (I have autowhitelist disabled for the moment). The user_prefs file has no directives set in it, they are all #'ed out. I don't specify a run-as user in my MailScanner.conf, and according to ps all the MailScanner processes are running as root, and my spamassassin --test-mode I have run as root.

I turned on skip_rbl_checks 1 yesterday, since I detect RBL'ed hosts using MailScanner I figured it was kind of pointless to do it again with SpamAssassin.. I also tried tweaking rbl_timeout to 60 seconds instead of 30, what it was before. Because I did find someone else reporting a similar issue to mine.. back in 2007 someone was reporting this same behavior that rules were not hitting when using Amavis with Spamassassin, but then when you ran them through Spamassassin they worked, and I believe it was the same types of rules I am not hitting on through MailScanner. And the issue wound up being Net::DNS.

http://www.gossamer-threads.com/lists/spamassassin/users/102307?do=post_view_threaded#102307

If I can't figure this out, I might attempt a fresh install of CentOS 6.4 and fresh install of MailScanner and SpamAssassin. Just don't have the time for a full re-install right now.

Yeah I prefer doing the RBL's with MailScanner because it uses such little CPU to perform those tests. I mark as Spam probably as high as 80% of my incoming mail just on the RBL checks through MailScanner. SpamAssassin only has to process like 20% of my Spam mail then. Since we pass everything through and assign the Microsoft SCL score based on if it failed Spam checks, the users can whitelist if someone winds up on an RBL or they want what most consider Spam.

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Tuesday, June 18, 2013 10:09 AM
To: MailScanner discussion
Subject: Re: Certain Spamassassin rules do not seem to be firing all of the time

really odd, seems to be suffering with network based rules, not just the URI ones but razor as well. Personally I always put all the RBL checks into SA rather than letting MailScanner do it by itself. That way no one RBL can false-positive an email, and the RBLs just add to the overall score.

What MTA are you running? and is there a .spamassassin directory in root's home dir?

--
Martin Hepworth, CISSP
Oxford, UK

On 15 June 2013 21:08, Duncan, Brian M. wrote:

Thanks for the recommendations Martin. The way I have it setup in Mailscanner is if the sending mail server is on a RBL (if it is on at least 1 of the 4 RBLs we use with MailScanner) it becomes high scoring spam and is tagged and moved on, it does not get scanned by Spamassassin then.

The one thing I never considered before was if Spamassassin is scanning the same sending mail server IP for being listed when it does not get caught by MailScanner as being on any of the 4 RBLs I use. Not that it is causing my problem now, but that it is not very efficient if it is doing it again. (I would guess 80% of my mail never gets scanned by SpamAssassin each day because the sending mail gateway is blacklisted and it is marked as Spam and moves on)

When you say: "I normally remove most of the RBL's from being scanned in Spamassassin by giving most of them a zero score (see 50_scores.cf in the DNSEval section)."

I don't think I follow, are you saying Spamassassin is scanning the sending mail host again against the RBL's? So by giving them a zero score you are avoiding the double effort? This section has nothing to do with the URL/URI scanning that is happening?
I assumed the rules that I have that are NOT hitting when it goes through MailScanner/Spamassassin have all been based on the URI/URL's in the body of the message.

When I take these specific Spam messages that make it into my inbox, I am noticing they never hit on the same URIBL hits I get when I move the message locally to the box, if I take one of these URI based RBL checking rules like for example URIBL_BLACK, I have never seen that rule hit on ANY of these ones making it into my inbox. If I search my maillog from yesterday for every message that wound up being scanned by Spamassassin, I see that there were 1014 times that rule is listed on detected Spam.

Last night I first tried setting up a caching bind server local to the box. Made no difference.

I tried upgrading to MailScanner 4.84.5-3 after and updating to SpamAssassin 3.3.2-1 to see if that would make a difference, I even looked at the Perl modules that come with MailScanner, one of them was perl-Net-DNS-0.65-2, I was running perl-Net-DNS-0.65-1, was hoping that had something to do with this so I updated to .65-2 of that perl module.. the rest all seemed to be the same version that comes with 4.84.5-3 (I was running 4.83.5-1 before I updated)

I went over all my configs for both MailScanner and SpamAssassin, nothing seems wrong or set too low that would create the situation I am seeing. I did find I had the pyzor plugin loading in SpamAssassin but no exe, so I just disabled pyzor and verified in the --debug-sa that everything looks fine.

I waited and sure enough it happened again today. We get less mail on the weekends so it took awhile waiting..

I have posted my MailScanner --debug-sa to pastebin if anyone can take a look and give me a recommendation of where to look next. I am almost out of things to try.

Here is one --debug-sa:

http://pastebin.com/C2XPs7D2

Then I kept running with --debug-sa till it caught one with a DNS based rule like URIBL_* rules.

This one hits on those URIBL rules that are DNS based and it looks like everything is OK as far as I can tell.. This is really the first time I have tried to debug a debug log from MailScanner/Spamassassin before..

http://pastebin.com/iWMnJqf3

Thanks

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Saturday, June 15, 2013 8:46 AM
To: MailScanner discussion
Subject: Re: Certain Spamassassin rules do not seem to be firing all of the time

Ok, you really need to put a local DNS server on the MailScanner box, doesn't matter if the DNS resolver is next to the server in the switch port, DNS is actually quite heavy on network traffic and hitting this all the time makes a huge difference. It can forward to the current machine, but the time this saves is actually quite noticeable.

that three seconds for the pass across seems very quick to me, esp as it's got all the DNS requests to process. I normally remove most of the RBL's from being scanned in Spamassassin by giving most of them a zero score (see 50_scores.cf in the DNSEval section). also make sure you're updating sa rules regularly. In fact it's almost as if you've got skip-rbl-checks set to 1 in a spamassassin .cf or MailScanner.conf file somewhere.

I'd double check all the setup to make sure everything's OK, as it's really odd that you're getting DNS based hits in test mode but not in test mode. Check the MailScanner.conf settings and any site MailScanner.conf, and also get rid of any .spamassassin dirs esp if there's anything in root's home dir (so I presume the MTA is sendmail?) to make sure that isn't overriding any settings. Check you've got one MailScanner.conf and not multiple ones, sometimes some distributions put the active file in 'non-standard' places.

--
Martin Hepworth, CISSP
Oxford, UK

On 15 June 2013 03:22, Duncan, Brian M. wrote:

Thanks, yes I noticed that, they all do seem to be the DNS rules. I do have a caching DNS server but it is on the local network. I will try and see if the behavior changes at all by running one locally on the box itself.
When you say "that you're not timing out the network checks in sa too quickly" I have not changed anything in the defaults of Mailscanner or included any directives that would lower whatever time limits are set by default.

I took a look at the last example I put on pastebin, and it looks like it took 3 seconds to go from my Mailscanner box to my next gateway.

Received: from venus.kattenlaw.com ([10.18.3.33]) by us.kmz.com
    ([10.18.16.181]) with ESMTP (TREND IMSS SMTP Service 7.1) id 8e3c2381002025b2
    ; Fri, 14 Jun 2013 14:01:09 -0500
Received: from a.loselit.net (a.loselit.net [66.96.254.156]) by
    venus.kattenlaw.com (8.13.8/8.13.4) with ESMTP id r5EJ13oK014449 for
    ; Fri, 14 Jun 2013 14:01:06 -0500

I am assuming the 3 seconds going from my incoming mail server Venus, to the next hop in my environment includes the time it took for the Spammer to send me the message.

I also don't see anything in my maillogs related to Spam Assassin timing out for anything.. I recall many years ago when we used to run systems with much less CPU power (10+) seeing Spam Assassin time outs.

Which BTW, at the peak of activity today the lowest idle %idle was 91.00 and that is because I turned off caching of SpamAssassin in Mailscanner to see if that had any impact.

I also looked at the local caching DNS server that is on the same switch as this box, and it was peaking at like 30 Kilobytes per second on UDP 53 requests from anything that uses it locally according to iptraf.

It also seems to be these messages from the same Spammer, as I said before if I take any of these message bodies and send them in myself I seem to get the DNS Spam Assassin hits then.

Really odd one..

Thanks for your help

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Friday, June 14, 2013 4:16 PM
To: MailScanner discussion
Subject: Certain Spamassassin rules do not seem to be firing all of the time

Hmm most of the extra rules you're hitting are dns based

I'd check you're running a local caching dns server on the scanning box and that you're not timing out the network checks in sa too quickly

Martin

On Friday, 14 June 2013, Duncan, Brian M. wrote:

Here is one more that just came in to me and was not tagged as Spam:

http://pastebin.com/w8SJk660

Mailscanner/Spamassassin results:

X-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.999, required 6.5,
    BAYES_60 3.00, RP_MATCHES_RCVD -0.00)

--test-mode results:

Content analysis details: (10.5 hits, 6.5 required)

 6.6 BAYES_99 BODY: Bayes spam probability is 99 to 100%
     [score: 1.0000]
-0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
     [cf: 100]
 8.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
     [cf: 100]
-7.5 AWL AWL: From: address is in the auto white-list

------ End of SpamAssassin results, Original message follows --------

--
Martin Hepworth, CISSP
Oxford, UK

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130620/d15749a0/attachment.html

From mark at msapiro.net Thu Jun 20 19:53:12 2013
From: mark at msapiro.net (Mark Sapiro) Date: Thu, 20 Jun 2013 11:53:12 -0700 Subject: update bad phishing sites broken? In-Reply-To: References: Message-ID: <51C34F98.1050606@msapiro.net>

Kevin Miller wrote:
> I've been seeing this for the last 12 hours or so. Is the server down?
> ------------
> running hourly cronjob scripts
>
> SCRIPT: update_bad_phishing_sites exited with RETURNCODE = 9.

This is the same issue as that reported at . The issues affecting ScamNailer also affect update_bad_phishing_sites. The recent issue reported in the post is causing update_bad_phishing_sites to die. Previously, since around 25 April, it just wasn't updating.

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan

From maxsec at gmail.com Thu Jun 20 20:01:22 2013
From: maxsec at gmail.com (Martin Hepworth) Date: Thu, 20 Jun 2013 20:01:22 +0100 Subject: Certain Spamassassin rules do not seem to be firing all of the time In-Reply-To: <946070139734074AA288505D2AD1D4CD04EA986C@CHI-US-MAIL-1B.us.kmz.com> References: <946070139734074AA288505D2AD1D4CD04E9A0C3@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9C4B2@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9D0B1@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DC61@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9DD9E@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9E551@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04E9F710@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04EA515C@CHI-US-MAIL-1B.us.kmz.com> <946070139734074AA288505D2AD1D4CD04EA986C@CHI-US-MAIL-1B.us.kmz.com> Message-ID: I find awl not very good when used in multiuser configs.. May be better in a user specific env but never works very well for me using a standard ms setup On Thursday, 20 June 2013, Duncan, Brian M. wrote: > I already do that in a sense.. I don't have it call out, but I export > all my SMTP aliases from AD and add them to the access file on my sendmail > servers and reject all other mail to my domain, so the rest is discarded to > non existent users, and it saves with dealing with all the NDR's > > Well it looks like I bought myself some time. Even though I have NOT > figured out what is going on here, since I disabled auto white listing the > other day, it looks like the majority of these Spam messages that were > making it through before because they were NOT hitting on these different > URIBLS are getting tagged from Bayes hits now.
And since the AWL is not > factoring into it, 98% of them are getting labeled as Spam. > > I am probably just going to rebuild my primary mail server and re-install > Mailscanner and Spamassassin in a few weeks and see if this problem goes > away. > > I still think there is something unique with these particular Spam > emails. These messages I am talking about, I have NEVER seen URIBL_BLACK > ever fire on. (But does fire on it when I manually scan with > spamassassin --test-mode) > > Yesterday I had plenty of other emails where it does fire on that rule: > > [root at venus log]# cat maillog.1 | grep -i "URIBL_BLACK" | wc -l > > 2971 > > BRIAN M. DUNCAN > Data Security Administrator > Katten Muchin Rosenman LLP > 525 W. Monroe Street / Chicago, IL 60661-3693 > p / (312) 577-8045 f / (312) 577-4490 > brian.duncan at kattenlaw.com / www.kattenlaw.com > > *From:* mailscanner-bounces at lists.mailscanner.info [mailto: > mailscanner-bounces at lists.mailscanner.info] *On Behalf Of* Martin > Hepworth > *Sent:* Wednesday, June 19, 2013 5:30 AM > *To:* MailScanner discussion > *Subject:* Re: Certain Spamassassin rules do not seem to be firing all of > the time > > maybe you can use sendmail to call-out for valid recipients first, I find > this drops HUGE amounts of traffic dead before it gets anywhere near > MailScanner, easily 50% and maybe higher > > > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:reject_non_existent_users > > -- > Martin Hepworth, CISSP > Oxford, UK > > On 18 June 2013 19:40, Duncan, Brian M. > wrote: > > Yeah I know it's very weird and I can't track it down.
> > Yesterday, I tried removing the NET:DNS perl module (.65 is what > MailScanner (and I believe SpamAssassin use by default) and compiling 0.72 > in the hopes that it had something to do with that. Nope, still happening > today. Fortunately it only seems to be letting a few Spam in overall. > It just happens when there is a black listed domain that is used in a > URL that is sent by a non-blacklisted gateway where I get caught by this > issue. > > I am using Sendmail. Yes there is a .spamassassin directory in root, where > the bayes db's are located and autowhitelist db's (I have autowhite list > disabled for the moment) The user_prefs file has no directives set in it, > they are all #'ed out. > > I don't specify a run as user in my MailScanner.conf, and according to ps > all the MailScanner processes are running as root, and my spamassassin > --test-mode I have run as root. > > I turned on skip_rbl_checks 1 yesterday, since I detect RBL'ed hosts using > MailScanner I figured it was kind of pointless to do it again with > SpamAssassin.. > > I also tried tweaking rbl_timeout to 60 seconds instead of 30, what it was > before. Because I did find someone else reporting a similar issue to > mine.. back in 2007 someone was reporting this same behavior that rules > were not hitting when using Amavis with Spamassassin, but then when you ran > them through Spamassassin they worked, and I believe it was the same types > of rules I am not hitting on through MailScanner. And the issue wound up > being Net:DNS. > > > http://www.gossamer-threads.com/lists/spamassassin/users/102307?do=post_view_threaded#102307 > > If I can't figure this out, I might attempt a fresh install of Cent OS 6.4 > and fresh install of Ma > -- -- Martin Hepworth, CISSP Oxford, UK
From Kevin_Miller at ci.juneau.ak.us Thu Jun 20 20:13:34 2013 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu, 20 Jun 2013 11:13:34 -0800 Subject: update bad phishing sites broken? In-Reply-To: <51C34F98.1050606@msapiro.net> References: <51C34F98.1050606@msapiro.net> Message-ID: Hmmmm. This doesn't bode well: ================================ whois bastionmail.com snip Domain Name: BASTIONMAIL.COM Registration Date: 17-Jun-2005 Expiration Date: 17-Jun-2013 Status:RENEWAL HOLD Note: This Domain Name has expired and hence inactive. The Domain Name must be renewed to activate it. The owner of the Domain Name can renew it from within the control panel or approach his service provider for the same. ================================ ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 -----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro Sent: Thursday, June 20, 2013 10:53 AM To: mailscanner at lists.mailscanner.info Subject: Re: update bad phishing sites broken? Kevin Miller wrote: > I've been seeing this for the last 12 hours or so. Is the server down? > ------------ > running hourly cronjob scripts > > SCRIPT: update_bad_phishing_sites exited with RETURNCODE = 9. This is the same issue as that reported at <http://lists.mailscanner.info/pipermail/mailscanner/2013-June/100821.html>. The issues affecting ScamNailer also affect update_bad_phishing_sites. The recent issue reported in the post is causing update_bad_phishing_sites to die. Previously, since around 25 April, it just wasn't updating. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From matt.hampton.uk at gmail.com Thu Jun 20 23:35:22 2013
From: matt.hampton.uk at gmail.com (Matt Hampton) Date: Thu, 20 Jun 2013 23:35:22 +0100 Subject: update bad phishing sites broken? In-Reply-To: References: <51C34F98.1050606@msapiro.net> Message-ID: renewed On 20 June 2013 20:13, Kevin Miller wrote: > Hmmmm. This doesn't bode well: > > ================================ > whois bastionmail.com > snip > Domain Name: BASTIONMAIL.COM > > Registration Date: 17-Jun-2005 > Expiration Date: 17-Jun-2013 > > Status:RENEWAL HOLD > Note: This Domain Name has expired and hence inactive. The Domain > Name > must be renewed to activate it. The owner of the Domain Name can > renew it from within the control panel or approach his service > provider for the same. > ================================ > > ...Kevin > -- > Kevin Miller > Network/email Administrator, CBJ MIS Dept. > 155 South Seward Street > Juneau, Alaska 99801 > Phone: (907) 586-0242, Fax: (907) 586-4500 > Registered Linux User No: 307357 > > -----Original Message----- 
> From: mailscanner-bounces at lists.mailscanner.info [mailto: > mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro > Sent: Thursday, June 20, 2013 10:53 AM > To: mailscanner at lists.mailscanner.info > Subject: Re: update bad phishing sites broken? > > Kevin Miller wrote: > > I've been seeing this for the last 12 hours or so. Is the server down? > > ------------ > > running hourly cronjob scripts > > > > SCRIPT: update_bad_phishing_sites exited with RETURNCODE = 9. > > > This is the same issue as that reported at < > http://lists.mailscanner.info/pipermail/mailscanner/2013-June/100821.html > >. > > The issues affecting ScamNailer also affect update_bad_phishing_sites. > The recent issue reported in the post is causing update_bad_phishing_sites > to die. Previously, since around 25 April, it just wasn't updating. > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Fri Jun 21 01:57:43 2013
From: mark at msapiro.net (Mark Sapiro) Date: Thu, 20 Jun 2013 17:57:43 -0700 Subject: update bad phishing sites broken? In-Reply-To: References: Message-ID: <51C3A507.7020303@msapiro.net> Matt Hampton wrote: > > renewed But it still returns "v=spf1 a -all" as the only TXT record for emails.msupdate.greylist.bastionmail.com. Is this ever going to be fixed? Meanwhile, I have ported my Scamnailer patch to update_bad_phishing_sites. The patch is attached. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- --- /usr/sbin/update_bad_phishing_sites.bak 2013-06-20 17:27:55.000000000 -0700 +++ /usr/sbin/update_bad_phishing_sites 2013-06-20 17:45:30.000000000 -0700 @@ -36,6 +36,7 @@ use LWP::UserAgent; use FileHandle; use DirHandle; +use Time::Local; # Work out Quarantine Directory from MailScanner.conf my $base = '/var/spool/MailScanner/quarantine'; # Default value @@ -132,7 +133,22 @@ } } -die "Failed to retrieve valid current details\n" unless (!($currentbase eq "-1")); +#die "Failed to retrieve valid current details\n" unless (!($currentbase eq "-1")); +if ($currentbase == -1) { + $currentbase = 0; + $currentupdate = 0; + warn "No appropriate TXT found at $query.\n"; +} + +my $day = (gmtime)[6]; +my $year = (gmtime)[5] + 1900; +my $janone = (gmtime(timegm(0,0,0,1,0,$year-1900)))[6]; +my $week = sprintf ("%02d", int (((gmtime)[7] + $janone) / 7)); +my $mybase = "$year-$week$day"; +if ($currentbase lt $mybase) { + $currentbase = $mybase; + $currentupdate = 99; +} print "I am working with: Current: $currentbase - $currentupdate and Status: $status_base - $status_update\n"; 
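Review bot: in the @@ -132 hunk the new test `if ($currentbase == -1)` compares numerically, while the `die` line it replaces and the later `if ($currentbase lt $mybase)` both treat `$currentbase` as a string; when the TXT lookup returns a value such as `2013-164`, the numeric compare emits an "isn't numeric" warning under `use warnings`, so keep the original `eq "-1"` form. The guessed base is also assembled from three separate `gmtime` calls (`$day`, `$year`, and the year-day inside `$week`), which can disagree when the run straddles midnight UTC; capture one `my @now = gmtime;` and derive all three from it. Finally, `$currentupdate = 99` only works because the fetch loop further down stops at the first missing file, which a reader of this hunk cannot see; a one-line comment here saying so would help.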
@@ -196,7 +212,10 @@ print "Retrieving $urlbase$currentbase.$i\n"; my $req = HTTP::Request->new(GET => $urlbase.$currentbase.".".$i); my $res = $ua->request($req); - warn "Failed to retrieve $urlbase$currentbase.$i" unless ($res->is_success) ; + unless ($res->is_success) { + warn "Failed to retrieve $urlbase$currentbase.$i"; + $currentupdate = $i - 1; + } my $line; foreach $line (split("\n", $res->content)) { # Is it an addition? @@ -223,6 +242,12 @@ } } } + # Because of our guess and retrieve until error strategy, we could be + # here without having retrieved any new updates which will result in + # our cached $status_update being erased. This does no real harm, but + # it causes extra work on the next run. To avoid this we skip the next + # section in that case. + if (!($status_update eq $currentupdate)) { # OK do we have a previous version to work from? if ($status_update>0) { # Yes - we open the most recent version @@ -264,6 +289,7 @@ } } close (FILEOUT); + } } } From jerry.benton at mailborder.com Fri Jun 21 22:19:03 2013 
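Review bot: in the @@ -196 hunk the failure branch records `$currentupdate = $i - 1;` but neither leaves the loop nor skips the parsing that follows, so `$res->content` (an HTTP error body) is still split on newlines and scanned for additions and deletions; and if the enclosing loop iterates over a precomputed range, it keeps running after the first miss, with each later miss overwriting `$currentupdate` with a larger `$i - 1`. Add `last;` after the assignment (or `next;` if later numbers must still be tried) so the first missing file ends the guess-and-retrieve sequence with the right value.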
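Review bot: in the @@ -223 hunk the new `if (!($status_update eq $currentupdate)) {` opens a block whose closing brace only lands in the @@ -264 hunk, and the enclosed code is not re-indented, so the nesting is hard to verify by eye; both values are update numbers, so a numeric `!=` reads better and avoids surprises from leading zeros or stray whitespace, and the comment above the condition should also say that the skipped section ends after `close (FILEOUT);`.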
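Review bot: in the @@ -264 hunk the added `}` is the only change and sits roughly forty lines from its `if` in the previous hunk; annotate it, for example `} # end skip when no new updates were fetched`, so the pairing survives future edits.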
From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 21 Jun 2013 23:19:03 +0200 Subject: MailScanner Logging Message-ID: Hola, I had a question and I am apparently not smart enough on perl to figure this out. The issue has to do with how MailScanner passes logging information to loggers such as MailWatch. In short, the subject line "C'est ça que ça dit" gets chopped in the SQL logs to just "C'est". Reviewing the MailWatch code, the message information is pushed into an array like this: push @in, $_; So I guess my real question here is if anyone knows if the data being passed from MailScanner is escaped before being packed? I am trying to figure out where in this chain it is being broken: MailScanner => MailWatch => MailWatch processing => SQL Log I am guessing that it is not between these two: MailWatch processing => SQL Log Because I did some testing with expected results using quotemeta. Ideas? -- -- Jerry Benton Mailborder Systems www.mailborder.com From maxsec at gmail.com Sat Jun 22 11:01:57 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Sat, 22 Jun 2013 11:01:57 +0100 Subject: Fwd: Apache SpamAssassin 3.4.0 release candidate 2 - invitation to testers In-Reply-To: <201306220245.12714.Mark.Martinec+sa@ijs.si> References: <201306220245.12714.Mark.Martinec+sa@ijs.si> Message-ID: Heads up, if anyone can help test against Mailscanner would be useful ---------- Forwarded message ----------
From: *Mark Martinec* Date: Saturday, 22 June 2013 Subject: Apache SpamAssassin 3.4.0 release candidate 2 - invitation to testers To: users at spamassassin.apache.org This is not a formal announcement, but an invitation to a broader users community to try the release candidate of the coming release of Apache SpamAssassin version 3.4.0. Preliminary release notes and a link to the package were published in a posting to the dev at spamassassin.apache.org mailing list: http://article.gmane.org/gmane.mail.spam.spamassassin.devel/69001 The "call for votes" in the message only applies to project members, but feedback from a wider audience of testers is very much welcome. The Mail-SpamAssassin-3.4.0-rc2 package is available at: http://people.apache.org/~kmcgrail/devel/ Rules may be downloaded from the same location, but this is rarely necessary. A normal procedure is to install the software (the usual CPAN installation procedure should suffice, but this very much depends on a platform of choice), then run a 'sa-update' command, which will find and download appropriate rules to a version-specific directory. Except for some minor details, the 3.4.0 is compatible with 3.3.2 in its API and in database formats (but uses a separate directory to store rules), so it should be possible to switch back and forth between both versions in a test environment, if a need arises. Still, due diligence is appropriate: have your backups ready before starting to play with the new software, especially in a production environment. Nevertheless, this version has been in production use at several sites for months, so it should be at least as good as 3.3.2. It is expected that the final release will follow shortly, so a quick response would be appreciated. Mark -- -- Martin Hepworth, CISSP Oxford, UK
From mark at msapiro.net Sun Jun 23 19:42:38 2013 From: mark at msapiro.net (Mark Sapiro) Date: Sun, 23 Jun 2013 11:42:38 -0700 Subject: Fwd: Apache SpamAssassin 3.4.0 release candidate 2 - invitation to testers In-Reply-To: References: <201306220245.12714.Mark.Martinec+sa@ijs.si> Message-ID: <51C7419E.2020109@msapiro.net> On 06/22/2013 03:01 AM, Martin Hepworth wrote: > Heads up, if anyone can help test against Mailscanner would be useful I've been running SpamAssassin 3.4.0-rc2 now for a few hours with MailScanner-4.84.5-3 in an environment with compiled rule sets comprising the standard 3.004000 rules and several supplementary rule sets. I've seen no problems so far. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Sun Jun 23 19:49:32 2013 From: mark at msapiro.net (Mark Sapiro) Date: Sun, 23 Jun 2013 11:49:32 -0700 Subject: update bad phishing sites broken? In-Reply-To: <51C3A507.7020303@msapiro.net> References: <51C3A507.7020303@msapiro.net> Message-ID: <51C7433C.8070109@msapiro.net> On 06/20/2013 05:57 PM, Mark Sapiro wrote: > > But it still returns "v=spf1 a -all" as the only TXT record for > emails.msupdate.greylist.bastionmail.com. Is this ever going to be fixed? As of now it is back to returning "emails.2013-164.6" in response to the TXT query, but this is still the status from late last April. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From pinemail11 at gmail.com Tue Jun 25 13:20:28 2013
From: pinemail11 at gmail.com (Mail Admin) Date: Tue, 25 Jun 2013 17:50:28 +0530 Subject: Filename & Filetype rules not working Message-ID: Hi All, We are trying to restrict attachments per user and made changes as follows

*mailscanner.conf*
Allow Filenames =
Deny Filenames =
Filename Rules = %rules-dir%/filename.rules
Allow Filetypes =
Allow File MIME Types =
Deny Filetypes =
Deny File MIME Types =
Filetype Rules = %rules-dir%/filetype.rules

*Filename.rules*
From: /\* domain\.com/ /etc/MailScanner/attachmentrestriction.rules.conf
From: 127.0.0.1 /etc/MailScanner/filename.rules.allowall.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

*filetype.rules*
From: /\* domain\.com/ /etc/MailScanner/attachmentfiletype.rules.conf
From: 127.0.0.1 /etc/MailScanner/filetype.rules.allowall.conf
FromOrTo: default /etc/MailScanner/filetype.rules.conf

*attachmentrestriction.rules.conf*
deny \.avi$ Test for restriction

*attachmentfiletype.rules.conf*
deny AVI No AVI movies No AVI movies allowed

Still, mails are being delivered with .avi attachments! Your help is appreciated! Regards, Pine Mail From maxsec at gmail.com Tue Jun 25 20:31:38 2013
From: maxsec at gmail.com (Martin Hepworth) Date: Tue, 25 Jun 2013 20:31:38 +0100 Subject: Filename & Filetype rules not working In-Reply-To: References: Message-ID: Have a look at the overloading rules section in the wiki for how best to do this at the domain level On Tuesday, 25 June 2013, Mail Admin wrote: > Hi All, > > We are trying to restrict attachments per user and made changes as > follows > > *mailscanner.conf* > > Allow Filenames = > Deny Filenames = > Filename Rules = %rules-dir%/filename.rules > Allow Filetypes = > Allow File MIME Types = > Deny Filetypes = > Deny File MIME Types = > Filetype Rules = %rules-dir%/filetype.rules > > > *Filename.rules* > > From: /\* domain\.com/ > /etc/MailScanner/attachmentrestriction.rules.conf > From: 127.0.0.1 /etc/MailScanner/filename.rules.allowall.conf > FromOrTo: default /etc/MailScanner/filename.rules.conf > > *filetype.rules* > > From: /\* domain\.com/ > /etc/MailScanner/attachmentfiletype.rules.conf > From: 127.0.0.1 /etc/MailScanner/filetype.rules.allowall.conf > FromOrTo: default /etc/MailScanner/filetype.rules.conf > > > *attachmentrestriction.rules.conf* > > deny \.avi$ Test for restriction > > *attachmentfiletype.rules.conf* > > deny AVI No AVI movies No AVI movies allowed > > Still, mails are being delivered with .avi attachments! > > Your help is appreciated! > > Regards, > > Pine Mail > -- -- Martin Hepworth, CISSP Oxford, UK From jgao at veecall.com Thu Jun 27 20:56:43 2013
From: jgao at veecall.com (J Gao) Date: Thu, 27 Jun 2013 12:56:43 -0700 Subject: Do I need worry about this warning? Message-ID: <51CC98FB.8070801@veecall.com> Hi, all, I just installed MailScanner and when I test spamassassin I got this warning: [root at szeta cur]# spamassassin --lint Jun 27 12:47:00.068 [10910] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": use_auto_whitelist 0 Jun 27 12:47:01.163 [10910] warn: lint: 1 issues detected, please rerun with debug enabled for more information So I looked at the mailscanner.cf and the related part is here: # The --auto-whitelist and -a options for "spamd" and "spamassassin" to # turn on the auto-whitelist have been removed and replaced by the # "use_auto_whitelist" configuration option which is also now turned on by # default. use_auto_whitelist 0 Do I need to worry about this warning? My email server is on CentOS 6.4/postfix/Courier/MailScanner/clamAV/Spamassassin/DCC/pyzor/razor Thanks for the help. Gao -- __ _|==|_ ('')__/ >--(`^^') (`^'^'`) `======' -- From jgao at veecall.com Thu Jun 27 22:26:38 2013
From: jgao at veecall.com (J Gao) Date: Thu, 27 Jun 2013 14:26:38 -0700 Subject: Do I need worry about this warning? In-Reply-To: <51CC98FB.8070801@veecall.com> References: <51CC98FB.8070801@veecall.com> Message-ID: <51CCAE0E.5060309@veecall.com> I did some more tests: [root at szeta cur]# MailScanner --lint ..... config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": use_auto_whitelist 0 pyzor: check failed: internal error, python traceback seen in response SpamAssassin reported an error. ..... So it seems I have two problems here. I don't know what I can do for the use_auto_whitelist setting. For the pyzor error, I ran another test: spamassassin -D -t spammail.txt 2>&1 | grep -i pyzor [root at szeta cur]# spamassassin -D -t some_email_messege 2>&1 | grep -i pyzor Jun 27 14:24:50.772 [12727] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC Jun 27 14:24:50.775 [12727] dbg: pyzor: network tests on, attempting Pyzor Jun 27 14:24:51.073 [12727] dbg: config: fixed relative path: /var/lib/spamassassin/3.003001/updates_spamassassin_org/25_pyzor.cf Jun 27 14:24:51.073 [12727] dbg: config: using "/var/lib/spamassassin/3.003001/updates_spamassassin_org/25_pyzor.cf" for included file Jun 27 14:24:51.073 [12727] dbg: config: read file /var/lib/spamassassin/3.003001/updates_spamassassin_org/25_pyzor.cf Jun 27 14:24:57.810 [12727] dbg: util: executable for pyzor was found at /usr/bin/pyzor Jun 27 14:24:57.811 [12727] dbg: pyzor: pyzor is available: /usr/bin/pyzor Jun 27 14:24:57.812 [12727] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin12727yJmyXwtmp Jun 27 14:24:58.076 [12727] dbg: pyzor: [12731] finished: exit 1 Jun 27 14:24:58.076 [12727] dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 0 0 Jun 27 14:24:58.185 [12727] dbg: timing: total 7439 ms - init: 1343 (18.1%), parse: 1.46 (0.0%), extract_message_metadata: 23 (0.3%), get_uri_detail_list: 2 (0.0%), tests_pri_-1000: 26 (0.3%), compile_gen: 146
(2.0%), compile_eval: 31 (0.4%), tests_pri_-950: 5 (0.1%), tests_pri_-900: 6 (0.1%), tests_pri_-400: 5 (0.1%), tests_pri_0: 5920 (79.6%), dkim_load_modules: 35 (0.5%), check_dkim_signature: 0.98 (0.0%), check_dkim_adsp: 215 (2.9%), check_spf: 1.66 (0.0%), check_dcc: 4625 (62.2%), check_razor2: 393 (5.3%), check_pyzor: 268 (3.6%), tests_pri_500: 89 (1.2%) So it seems my pyzor is working fine, isn't it? Gao -- __ _|==|_ ('')__/ >--(`^^') (`^'^'`) `======' -- From rlopezcnm at gmail.com Fri Jun 28 00:37:50 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Thu, 27 Jun 2013 17:37:50 -0600 Subject: Do I need worry about this warning? In-Reply-To: <51CCAE0E.5060309@veecall.com> References: <51CC98FB.8070801@veecall.com> <51CCAE0E.5060309@veecall.com> Message-ID: For turning off the auto white list, I believe you have to make certain your spam.assassin.prefs.conf file matches the mailscanner.cf file. I do not understand why both need to be changed, but I do have both changed. I do not use pyzor so I am not familiar with that output, but it looks to me it is working. -- Robert Lopez From JS at wexoe.dk Fri Jun 28 10:14:07 2013 
From: JS at wexoe.dk (Jens W. Skov) Date: Fri, 28 Jun 2013 11:14:07 +0200 Subject: Attachment filenames from Lotus Notes Message-ID: <1D67CF9D0FDB904AA8065ACF23F2EE671DA5A4D660@server12.wexoe.dk> Hi I have an issue with mail that we receive from one of our customers who are using Notes/Domino. When they include an attachment with a filename containing the Scandinavian letter "ø" it is rewritten to something else. This gives a problem. I'm wondering if this is something that Mailscanner is doing and/or if Mailscanner can help me fix this? Where the right filename would be "Wexøe", it would be received as: "Wex??e" I think this is the attachment definition from the mail (or I might be wrong): Content-Type: application/octet-stream; name="=?KOI8-R?B?V2V4hr9lIHNhbWxldCAxMC4wNi4yMDEzLnhsc3g=?=" Content-Disposition: attachment; filename="=?KOI8-R?B?V2V4hr9lIHNhbWxldCAxMC4wNi4yMDEzLnhsc3g=?=" Content-Transfer-Encoding: base64 Kind regards, Wexøe A/S Jens W. Skov Systems Engineer - M.Sc.E Wexøe A/S Lejrvej 31 3500 Værløse Denmark T +45 4546 5800 F +45 4546 5801 E wexoe at wexoe.dk W www.wexoe.dk D +45 4546 5923 M +45 2325 4077 E JS at wexoe.dk Unless otherwise agreed in writing, all sales and deliveries are subject to the Wexøe A/S terms of sale and delivery in force at the time, which you can find, among other places, at www.wexoe.dk From maxsec at gmail.com Fri Jun 28 10:48:45 2013
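The filename header Jens quotes, decoded the way a MIME parser decodes it. This is an added example, not code from the thread or from MailScanner; the Content-Disposition value is taken from his message, and the `audit_filename` heuristic (symbol or control characters after decoding an 8-bit label mean the label is wrong upstream) is this example's own assumption.

```python
import base64
import unicodedata
from email.header import decode_header
from typing import Dict, List, Tuple

# Header value constructed from the message above: the filename parameter
# exactly as the Notes/Domino server labelled it (KOI8-R).
SAMPLE_CONTENT_DISPOSITION = (
    'attachment; filename="=?KOI8-R?B?V2V4hr9lIHNhbWxldCAxMC4wNi4yMDEzLnhsc3g=?="'
)


def filename_param(content_disposition: str) -> str:
    """Pull the raw filename parameter out of a Content-Disposition value.
    Deliberately minimal: handles the quoted-parameter form seen in this thread."""
    for param in content_disposition.split(';'):
        key, sep, value = param.strip().partition('=')
        if sep and key.strip().lower() == 'filename':
            return value.strip().strip('"')
    raise ValueError('no filename parameter')


def decode_encoded_word(value: str) -> Tuple[bytes, str, str]:
    """Decode an RFC 2047 encoded word as a MIME parser does.
    Returns (raw bytes, declared charset, text as that charset reads it).
    Undecodable bytes become U+FFFD rather than vanishing, so a bad label
    stays visible instead of silently shortening the name."""
    parts = decode_header(value)
    raw = b''.join(
        chunk if isinstance(chunk, bytes) else chunk.encode('ascii', 'replace')
        for chunk, _cs in parts)
    charset = next((cs for _chunk, cs in parts if cs), 'us-ascii')
    return raw, charset, raw.decode(charset, errors='replace')


def make_encoded_word(text: str, charset: str) -> str:
    """Build a base64 encoded word; used only to construct a correctly
    labelled counter-example for comparison."""
    payload = base64.b64encode(text.encode(charset)).decode('ascii')
    return '=?{}?B?{}?='.format(charset, payload)


def charset_can_encode(charset: str, text: str) -> bool:
    """True if every character of text exists in the named charset."""
    try:
        text.encode(charset)
        return True
    except (UnicodeEncodeError, LookupError):
        return False


def suspicious_chars(text: str) -> List[str]:
    """Characters that do not belong in a filename from a Latin-script sender:
    box-drawing and other symbols (category So), controls and unassigned
    code points (category C*), and the U+FFFD replacement marker.
    Assumption of this example: their presence after decoding per the
    declared label means the label, not the scanning gateway, is wrong."""
    return [ch for ch in text
            if ch == '\ufffd'
            or unicodedata.category(ch) == 'So'
            or unicodedata.category(ch).startswith('C')]


def audit_filename(content_disposition: str) -> Dict[str, object]:
    """Decode the filename exactly as declared and report what a downstream
    scanner would see; the verdict wording is this example's own."""
    raw, charset, text = decode_encoded_word(filename_param(content_disposition))
    odd = suspicious_chars(text)
    return {
        'charset': charset,
        'raw_hex': raw.hex(),
        'text': text,
        'suspicious': odd,
        'verdict': 'charset label wrong upstream' if odd else 'ok',
    }


if __name__ == '__main__':
    # KOI8-R maps 0x86 0xBF to two symbols, which is why two odd characters
    # arrive where one "ø" was meant; the bytes were wrong before any scanner saw them.
    print(audit_filename(SAMPLE_CONTENT_DISPOSITION))
    # KOI8-R cannot represent the intended letter at all.
    print('koi8-r can encode Wex\u00f8e:', charset_can_encode('koi8-r', 'Wex\u00f8e'))
    # The same name correctly labelled as UTF-8 decodes cleanly.
    good = make_encoded_word('Wex\u00f8e samlet 10.06.2013.xlsx', 'utf-8')
    print(audit_filename('attachment; filename="{}"'.format(good)))
```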
From: maxsec at gmail.com (Martin Hepworth) Date: Fri, 28 Jun 2013 10:48:45 +0100 Subject: Do I need worry about this warning? In-Reply-To: References: <51CC98FB.8070801@veecall.com> <51CCAE0E.5060309@veecall.com> Message-ID: comment out the line on autowhitelist and just make sure the plugin is disabled in the SA config -- Martin Hepworth, CISSP Oxford, UK On 28 June 2013 00:37, Robert Lopez wrote: > For turning off the auto white list, I believe you have to make > certain your spam.assassin.prefs.conf file matches the mailscanner.cf > file. > I do not understand why both need to be changed, but I do have both > changed. > > I do not use pyzor so I am not familiar with that output, but it looks > to me it is working. > -- > Robert Lopez From jerry.benton at mailborder.com Fri Jun 28 11:10:28 2013
From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 28 Jun 2013 12:10:28 +0200 Subject: Attachment filenames from Lotus Notes In-Reply-To: <1D67CF9D0FDB904AA8065ACF23F2EE671DA5A4D660@server12.wexoe.dk> References: <1D67CF9D0FDB904AA8065ACF23F2EE671DA5A4D660@server12.wexoe.dk> Message-ID: I will run a test through one of my lab gateways for you. I was doing some similar testing with French last week. MailScanner usually does a good job at handling UTF8. I will get back to you in a few hours as I am not in the office right at this moment. On Fri, Jun 28, 2013 at 11:14 AM, Jens W. Skov wrote: > Hi > > I have an issue with mail that we receive from one of our customers who > are using Notes/Domino. > When they include an attachment with a filename containing the > Scandinavian letter "ø" it is rewritten to something else. > This gives a problem. I'm wondering if this is something that Mailscanner > is doing and/or if Mailscanner can help me fix this? > > Where the right filename would be "Wexøe", it would be received as: > "Wex??e" > > I think this is the attachment definition from the mail (or I might be > wrong): > > Content-Type: application/octet-stream; > name="=?KOI8-R?B?V2V4hr9lIHNhbWxldCAxMC4wNi4yMDEzLnhsc3g=?=" > > Content-Disposition: attachment; > filename="=?KOI8-R?B?V2V4hr9lIHNhbWxldCAxMC4wNi4yMDEzLnhsc3g=?=" > > Content-Transfer-Encoding: base64 > > Kind regards, > *Wexøe A/S* > > *Jens W. Skov* > Systems Engineer - M.Sc.E > > Wexøe A/S > Lejrvej 31 > 3500 Værløse > Denmark > > T +45 4546 5800 > F +45 4546 5801 > E wexoe at wexoe.dk > W www.wexoe.dk > > D +45 4546 5923 > M +45 2325 4077 > E JS at wexoe.dk > > Unless otherwise agreed in writing, all sales and deliveries are subject to the Wexøe A/S terms of sale and delivery in force at the time, which you can find, among other places, at
> www.wexoe.dk > > -- -- Jerry Benton Mailborder Systems www.mailborder.com From jgao at veecall.com Fri Jun 28 18:09:49 2013 From: jgao at veecall.com (J Gao) Date: Fri, 28 Jun 2013 10:09:49 -0700 Subject: Do I need worry about this warning? In-Reply-To: References: <51CC98FB.8070801@veecall.com> <51CCAE0E.5060309@veecall.com> Message-ID: <51CDC35D.3000008@veecall.com> On 13-06-27 04:37 PM, Robert Lopez wrote: > For turning off the auto white list, I believe you have to make > certain your spam.assassin.prefs.conf file matches the mailscanner.cf > file. > I do not understand why both need to be changed, but I do have both changed. > Yes you are right. It works. Now I need to figure out the Pyzor issue. Thanks a lot! Gao -- __ _|==|_ ('')__/ >--(`^^') (`^'^'`) `======' From jaearick at colby.edu Sun Jun 30 13:52:42 2013
From: jaearick at colby.edu (Jeff Earickson) Date: Sun, 30 Jun 2013 08:52:42 -0400 Subject: ScamNailer update STILL not working In-Reply-To: <51C210DA.6080409@msapiro.net> References: <51B3CFE3.10500@msapiro.net> <51C20F27.4030401@msapiro.net> <51C210DA.6080409@msapiro.net> Message-ID: Gang, I have still been getting constant "not working" out of ScamNailer lately: Failed to retrieve http://mailscanner.eu/emails.2013-260.11 at /etc/MailScanner/ScamNailer line 289. or Failed to retrieve http://cdn.mailscanner.info/emails.2013-260.11 at /etc/MailScanner/ScamNailer line 289. This is after applying Mr. Sapiro's patch. Are these two websites dead? I can get to cdn.mailscanner.info via web, but that is it. Any ideas? ----------------------------------- Jeff A. Earickson, Ph.D Senior Server System Administrator Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 207-859-4214 (fax 207-859-4186) Eastern Time Zone, USA ----------------------------------- On Wed, Jun 19, 2013 at 4:13 PM, Mark Sapiro wrote: > On 06/19/2013 01:05 PM, Mark Sapiro wrote: > > > > I have attached the latest version of my patch which works around this. > > > That patch contained a bit that isn't part of this issue. It wouldn't > hurt, but here's a patch without that extra bit. > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan >