From ryan.virgo at gmail.com  Fri Mar  1 03:36:28 2013
From: ryan.virgo at gmail.com (Ryan Braganza)
Date: Fri, 1 Mar 2013 09:06:28 +0530
Subject: detected virus mails still getting delivered
Message-ID: <CAEaVHLWH=Tsf6kF12WkypUeGnoSfD7cTi20qFybCNUA4XBUazQ@mail.gmail.com>

Hi

Iam facing a typical problem, in this case am using mailscanner-4.70.7-1
with bitdefender-scanner-7.6-4 .. The virus in mails is getting detected
but is still delivered to the users mailbox. Below is a log of one such
transaction

New Batch: Scanning 1 messages, 56072 bytes
Mar  1 09:02:13 demo1 MailScanner[11182]: Virus and Content Scanning:
Starting
Mar  1 09:02:18 demo1 MailScanner[11185]: MailScanner E-Mail Virus Scanner
version 4.70.7 starting...
Mar  1 09:02:18 demo1 MailScanner[11185]: SpamAssassin temporary working
directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Mar  1 09:02:18 demo1 MailScanner[11185]: Using locktype = flock
Mar  1 09:02:19 demo1 MailScanner[11182]:
/var/spool/MailScanner/incoming/11182/0345E427247.16030/Ticket.zip=>Ticket.exe:infected:
Trojan.Agent.ATXG
Mar  1 09:02:19 demo1 MailScanner[11182]: Virus Scanning: Bitdefender found
1 infections
Mar  1 09:02:19 demo1 MailScanner[11182]: Virus Scanning: Found 1 viruses

MILTER: Processing mail in scan_source_destination for mail restrictions
Mar  1 09:02:19 demo1 MailScanner[11182]: MILTER: email-subject: Test Mail
Mar  1 09:02:19 demo1 MailScanner[11182]: MILTER: Ultimately the mail sent
only to RCPTs: a2 at mumbai.demo2.nsfleximail.com
Mar  1 09:02:19 demo1 MailScanner[11182]: Requeue: 0345E427247.16030 to
15FA3427249


USAGE a2 user: 0.003999 sys: 0.003999
Mar  1 09:02:19 demo1 postfix/lmtp[11189]: 15FA3427249: to=<
a2 at mumbai.demo2.nsfleximail.com>, orig_to=<a2 at demo2.nsfleximail.com>, relay=
mumbai.demo1.nsfleximail.com[/var/lib/imap/socket/lmtp], delay=6.7,
delays=6.6/0.01/0.01/0.15, dsn=2.1.5, status=sent (250 2.1.5 Ok
SESSIONID=<demo1.nsfleximail.com-10421-1362108739-1>)
Mar  1 09:02:19 demo1 postfix/lmtp[11189]: ECMPLOG : 15FA3427249|55381|<
idcalerts at netcore.co.in>|<a2 at mumbai.demo2.nsfleximail.com>|DOM|
mumbai.demo1.nsfleximail.com[/var/lib/imap/socket/lmtp]|-> 250 2.1.5 Ok
SESSIONID=<demo1.nsfleximail.com-10421-1362108739-1>|6|sent
Mar  1 09:02:19 demo1 postfix/qmgr[11148]: 15FA3427249: removed


-- 
-------------------------------------------------------------------------------------------------
*No matter how bad the day is...
There is always a bike ride back home... :-)
*
-------------------------------------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130301/28350025/attachment.html 

From maxsec at gmail.com  Fri Mar  1 11:29:39 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 1 Mar 2013 11:29:39 +0000
Subject: detected virus mails still getting delivered
In-Reply-To: <CAEaVHLWH=Tsf6kF12WkypUeGnoSfD7cTi20qFybCNUA4XBUazQ@mail.gmail.com>
References: <CAEaVHLWH=Tsf6kF12WkypUeGnoSfD7cTi20qFybCNUA4XBUazQ@mail.gmail.com>
Message-ID: <CAGDKorKR_HoKPMFNJuMkDfyKJ1WGc-gsHgcRnYeGF=Jr46vBRw@mail.gmail.com>

and your email rules for what do in this case are what?
-- 
Martin Hepworth, CISSP
Oxford, UK


On 1 March 2013 03:36, Ryan Braganza <ryan.virgo at gmail.com> wrote:

>
> Hi
>
> Iam facing a typical problem, in this case am using mailscanner-4.70.7-1
> with bitdefender-scanner-7.6-4 .. The virus in mails is getting detected
> but is still delivered to the users mailbox. Below is a log of one such
> transaction
>
> New Batch: Scanning 1 messages, 56072 bytes
> Mar  1 09:02:13 demo1 MailScanner[11182]: Virus and Content Scanning:
> Starting
> Mar  1 09:02:18 demo1 MailScanner[11185]: MailScanner E-Mail Virus Scanner
> version 4.70.7 starting...
> Mar  1 09:02:18 demo1 MailScanner[11185]: SpamAssassin temporary working
> directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Mar  1 09:02:18 demo1 MailScanner[11185]: Using locktype = flock
> Mar  1 09:02:19 demo1 MailScanner[11182]:
> /var/spool/MailScanner/incoming/11182/0345E427247.16030/Ticket.zip=>Ticket.exe:infected:
> Trojan.Agent.ATXG
> Mar  1 09:02:19 demo1 MailScanner[11182]: Virus Scanning: Bitdefender
> found 1 infections
> Mar  1 09:02:19 demo1 MailScanner[11182]: Virus Scanning: Found 1 viruses
>
> MILTER: Processing mail in scan_source_destination for mail restrictions
> Mar  1 09:02:19 demo1 MailScanner[11182]: MILTER: email-subject: Test Mail
> Mar  1 09:02:19 demo1 MailScanner[11182]: MILTER: Ultimately the mail sent
> only to RCPTs: a2 at mumbai.demo2.nsfleximail.com
> Mar  1 09:02:19 demo1 MailScanner[11182]: Requeue: 0345E427247.16030 to
> 15FA3427249
>
>
> USAGE a2 user: 0.003999 sys: 0.003999
> Mar  1 09:02:19 demo1 postfix/lmtp[11189]: 15FA3427249: to=<
> a2 at mumbai.demo2.nsfleximail.com>, orig_to=<a2 at demo2.nsfleximail.com>,
> relay=mumbai.demo1.nsfleximail.com[/var/lib/imap/socket/lmtp], delay=6.7,
> delays=6.6/0.01/0.01/0.15, dsn=2.1.5, status=sent (250 2.1.5 Ok
> SESSIONID=<demo1.nsfleximail.com-10421-1362108739-1>)
> Mar  1 09:02:19 demo1 postfix/lmtp[11189]: ECMPLOG : 15FA3427249|55381|<
> idcalerts at netcore.co.in>|<a2 at mumbai.demo2.nsfleximail.com>|DOM|
> mumbai.demo1.nsfleximail.com[/var/lib/imap/socket/lmtp]|-> 250 2.1.5 Ok
> SESSIONID=<demo1.nsfleximail.com-10421-1362108739-1>|6|sent
> Mar  1 09:02:19 demo1 postfix/qmgr[11148]: 15FA3427249: removed
>
>
> --
>
> -------------------------------------------------------------------------------------------------
> *No matter how bad the day is...
> There is always a bike ride back home... :-)
> *
> -------------------------------------------------------------------------------------------------
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130301/4574890c/attachment.html 

From ryan.virgo at gmail.com  Sat Mar  2 12:32:51 2013
From: ryan.virgo at gmail.com (Ryan Braganza)
Date: Sat, 2 Mar 2013 18:02:51 +0530
Subject: detected virus mails still getting delivered
In-Reply-To: <CAGDKorKR_HoKPMFNJuMkDfyKJ1WGc-gsHgcRnYeGF=Jr46vBRw@mail.gmail.com>
References: <CAEaVHLWH=Tsf6kF12WkypUeGnoSfD7cTi20qFybCNUA4XBUazQ@mail.gmail.com>
	<CAGDKorKR_HoKPMFNJuMkDfyKJ1WGc-gsHgcRnYeGF=Jr46vBRw@mail.gmail.com>
Message-ID: <CAEaVHLVLrBnsHHjeba6NyXrdrE7WKbsfdJusaGhrg2Lf2oH87g@mail.gmail.com>

Thanks Martin, I upgraded to the latest MS and the problem got solved

On Fri, Mar 1, 2013 at 4:59 PM, Martin Hepworth <maxsec at gmail.com> wrote:

> and your email rules for what do in this case are what?
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 1 March 2013 03:36, Ryan Braganza <ryan.virgo at gmail.com> wrote:
>
>>
>> Hi
>>
>> Iam facing a typical problem, in this case am using mailscanner-4.70.7-1
>> with bitdefender-scanner-7.6-4 .. The virus in mails is getting detected
>> but is still delivered to the users mailbox. Below is a log of one such
>> transaction
>>
>> New Batch: Scanning 1 messages, 56072 bytes
>> Mar  1 09:02:13 demo1 MailScanner[11182]: Virus and Content Scanning:
>> Starting
>> Mar  1 09:02:18 demo1 MailScanner[11185]: MailScanner E-Mail Virus
>> Scanner version 4.70.7 starting...
>> Mar  1 09:02:18 demo1 MailScanner[11185]: SpamAssassin temporary working
>> directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> Mar  1 09:02:18 demo1 MailScanner[11185]: Using locktype = flock
>> Mar  1 09:02:19 demo1 MailScanner[11182]:
>> /var/spool/MailScanner/incoming/11182/0345E427247.16030/Ticket.zip=>Ticket.exe:infected:
>> Trojan.Agent.ATXG
>> Mar  1 09:02:19 demo1 MailScanner[11182]: Virus Scanning: Bitdefender
>> found 1 infections
>> Mar  1 09:02:19 demo1 MailScanner[11182]: Virus Scanning: Found 1 viruses
>>
>> MILTER: Processing mail in scan_source_destination for mail restrictions
>> Mar  1 09:02:19 demo1 MailScanner[11182]: MILTER: email-subject: Test
>> Mail
>> Mar  1 09:02:19 demo1 MailScanner[11182]: MILTER: Ultimately the mail
>> sent only to RCPTs: a2 at mumbai.demo2.nsfleximail.com
>> Mar  1 09:02:19 demo1 MailScanner[11182]: Requeue: 0345E427247.16030 to
>> 15FA3427249
>>
>>
>> USAGE a2 user: 0.003999 sys: 0.003999
>> Mar  1 09:02:19 demo1 postfix/lmtp[11189]: 15FA3427249: to=<
>> a2 at mumbai.demo2.nsfleximail.com>, orig_to=<a2 at demo2.nsfleximail.com>,
>> relay=mumbai.demo1.nsfleximail.com[/var/lib/imap/socket/lmtp],
>> delay=6.7, delays=6.6/0.01/0.01/0.15, dsn=2.1.5, status=sent (250 2.1.5 Ok
>> SESSIONID=<demo1.nsfleximail.com-10421-1362108739-1>)
>> Mar  1 09:02:19 demo1 postfix/lmtp[11189]: ECMPLOG : 15FA3427249|55381|<
>> idcalerts at netcore.co.in>|<a2 at mumbai.demo2.nsfleximail.com>|DOM|
>> mumbai.demo1.nsfleximail.com[/var/lib/imap/socket/lmtp]|-> 250 2.1.5 Ok
>> SESSIONID=<demo1.nsfleximail.com-10421-1362108739-1>|6|sent
>> Mar  1 09:02:19 demo1 postfix/qmgr[11148]: 15FA3427249: removed
>>
>>
>> --
>> -------------------------------------------------------------------------------------------------
>> *No matter how bad the day is...
>> There is always a bike ride back home... :-)
>> *
>> -------------------------------------------------------------------------------------------------
>>
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 
-------------------------------------------------------------------------------------------------
*No matter how bad the day is...
There is always a bike ride back home... :-)
*
-------------------------------------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130302/c225a7d6/attachment.html 

From doctor at doctor.nl2k.ab.ca  Sat Mar  2 13:22:59 2013
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Sat, 2 Mar 2013 06:22:59 -0700
Subject: NJABL is dead
Message-ID: <20130302132258.GA25229@doctor.nl2k.ab.ca>

Please stop using NJABL
-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 amnd 53 on Atheism

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


From alex at vidadigital.com.pa  Sun Mar  3 14:33:40 2013
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Sun, 3 Mar 2013 09:33:40 -0500
Subject: NJABL is dead
In-Reply-To: <20130302132258.GA25229@doctor.nl2k.ab.ca>
References: <20130302132258.GA25229@doctor.nl2k.ab.ca>
Message-ID: <CANyE0PpiSgbw7kXA_33n7uYZmBEY6fS_dyV4z_NhTapyU3_r4g@mail.gmail.com>

In order to stop using NJABL we need to:

1. Get rid of the following line from "spam.lists.conf" (or comment it out
like other lists that have been deactivated):
NJABL                           dnsbl.njabl.org.
2. Remove "NJABL" from the "Spam List =" parameter if you're using it, in
/etc/MailScanner/MailScanner.conf or your designated config file.
3. Add the following to your /etc/mail/spamassassin/local.cf
score RCVD_IN_NJABL_CGI 0
score RCVD_IN_NJABL_MULTI 0
score RCVD_IN_NJABL_PROXY 0
score RCVD_IN_NJABL_RELAY 0
score RCVD_IN_NJABL_SPAM 0
4. Restart/reload your services.


On Sat, Mar 2, 2013 at 8:22 AM, The Doctor <doctor at doctor.nl2k.ab.ca> wrote:

> Please stop using NJABL
> --
> Member - Liberal International  This is doctor at nl2k.ab.ca Ici
> doctor at nl2k.ab.ca
> God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 amnd 53 on Atheism
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>



-- 

--

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital


-- So-called "legal disclaimers" are not legally binding, so don't bother.
A cute graphic saying "save the planet, don't print this" can potentially
create more CO2, not less, so don't bother either.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130303/321c866b/attachment.html 

From andrew at topdog.za.net  Fri Mar  8 05:30:32 2013
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Fri, 8 Mar 2013 07:30:32 +0200
Subject: NJABL is dead
In-Reply-To: <20130302132258.GA25229@doctor.nl2k.ab.ca>
References: <20130302132258.GA25229@doctor.nl2k.ab.ca>
Message-ID: <C916AA4B-0694-419B-A9E8-82AE9AB4B6D1@topdog.za.net>


On 02 Mar 2013, at 3:22 PM, The Doctor wrote:

> Please stop using NJABL

Disabled[1] in the development version.

[1] https://github.com/MailScanner/MailScanner/commit/eda3f15e5cb5ca8d9594e9d42df240f240715269

--
www.baruwa.org




From trashcan at odo.in-berlin.de  Sat Mar  9 20:31:58 2013
From: trashcan at odo.in-berlin.de (Michael Grimm)
Date: Sat, 9 Mar 2013 21:31:58 +0100
Subject: MailScanner won't run ... 
Message-ID: <BBDF22AB-675F-4794-B60A-E1C91B304328@odo.in-berlin.de>

Hi --

I'm absolutely new regarding MailScanner, and I would like to migrate from amavisd-new, but:

This is my test mail server running in a FreeBSD jail:
	FreeBSD 9.1-RELEASE
	postfix 2.9.5
	clamav 0.97.6
	spamassassin 3.3.2
	perl 5.14.2

Following http://www.mailscanner.info/postfix.html I did modify MailScanner.conf as follows:
	Run As User = postfix
	Run As Group = postfix
	Incoming Queue Dir = /var/spool/postfix/hold
	Outgoing Queue Dir = /var/spool/postfix/incoming
	MTA = postfix

plus (due to clamav):
	Incoming Work User = 
	Incoming Work Group = clamav
	Incoming Work Permissions = 0640

and:
	SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

I did create the following directories:
	drwxrwxr-x    5 postfix          postfix	var/spool/MailScanner
	drwxr-xr-x    2 postfix          postfix	/var/spool/MailScanner/spamassassin
	drwxr-xr-x    2 postfix          postfix 	/var/spool/MailScanner/quarantine
	drwxr-xr-x    4 postfix          clamav		/var/spool/MailScanner/incoming
	drwx------    2 postfix          postfix	/var/spool/MailScanner/incoming/SpamAssassin-Temp
	drwxr-x---    2 postfix          postfix	/var/spool/MailScanner/incoming/Locks

"MailScanner --lint" and "spamassassin --lint" do run to completion without any complaints.

*BUT*: Whenever I do inject mail messages, they will be put into postfix' hold queue (as intended by postfix' header_checks) for ever, but MailScanner won't do *anything*, no single syslog entry, nothing, absolutely nothing :-( I would have expected that there were some complaints in syslog, but there's nothing! And, I did try a lot of different variations of what should be configured (according help text in MailScanner.conf and google searching).

MailScanner --debug isn't helpful, either. Nothing happens, nothing.
MailScanner -h tells me that I do have all modules installed.

I never ever experienced something comparable before: no error messages in syslog or wherever that would tell me about my mistakes :-( 

Thus: Anybody here that could teach me what to test next?

Thanks and with kind regards,
Michael








From mikael at syska.dk  Sat Mar  9 21:59:44 2013
From: mikael at syska.dk (Mikael Syska)
Date: Sat, 9 Mar 2013 22:59:44 +0100
Subject: MailScanner won't run ...
In-Reply-To: <BBDF22AB-675F-4794-B60A-E1C91B304328@odo.in-berlin.de>
References: <BBDF22AB-675F-4794-B60A-E1C91B304328@odo.in-berlin.de>
Message-ID: <CAJYT2Xm38tdDfrbb4s7u5+v4WNTX+W7HBbvyGORJnMbR2LGnBQ@mail.gmail.com>

Hi,

Have you changed where MailScanner looks for messages (change to
postfix, path, etc. in the MailScanner.conf)? This seems to be the
only thing you don't mention anything about.

Also running on FreeBSD here ... I havent got any problems. However
... I don't run mine in a jail, that seems to be the only diff.

mvh

On Sat, Mar 9, 2013 at 9:31 PM, Michael Grimm <trashcan at odo.in-berlin.de> wrote:
> Hi --
>
> I'm absolutely new regarding MailScanner, and I would like to migrate from amavisd-new, but:
>
> This is my test mail server running in a FreeBSD jail:
>         FreeBSD 9.1-RELEASE
>         postfix 2.9.5
>         clamav 0.97.6
>         spamassassin 3.3.2
>         perl 5.14.2
>
> Following http://www.mailscanner.info/postfix.html I did modify MailScanner.conf as follows:
>         Run As User = postfix
>         Run As Group = postfix
>         Incoming Queue Dir = /var/spool/postfix/hold
>         Outgoing Queue Dir = /var/spool/postfix/incoming
>         MTA = postfix
>
> plus (due to clamav):
>         Incoming Work User =
>         Incoming Work Group = clamav
>         Incoming Work Permissions = 0640
>
> and:
>         SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
>
> I did create the following directories:
>         drwxrwxr-x    5 postfix          postfix        var/spool/MailScanner
>         drwxr-xr-x    2 postfix          postfix        /var/spool/MailScanner/spamassassin
>         drwxr-xr-x    2 postfix          postfix        /var/spool/MailScanner/quarantine
>         drwxr-xr-x    4 postfix          clamav         /var/spool/MailScanner/incoming
>         drwx------    2 postfix          postfix        /var/spool/MailScanner/incoming/SpamAssassin-Temp
>         drwxr-x---    2 postfix          postfix        /var/spool/MailScanner/incoming/Locks
>
> "MailScanner --lint" and "spamassassin --lint" do run to completion without any complaints.
>
> *BUT*: Whenever I do inject mail messages, they will be put into postfix' hold queue (as intended by postfix' header_checks) for ever, but MailScanner won't do *anything*, no single syslog entry, nothing, absolutely nothing :-( I would have expected that there were some complaints in syslog, but there's nothing! And, I did try a lot of different variations of what should be configured (according help text in MailScanner.conf and google searching).
>
> MailScanner --debug isn't helpful, either. Nothing happens, nothing.
> MailScanner -h tells me that I do have all modules installed.
>
> I never ever experienced something comparable before: no error messages in syslog or wherever that would tell me about my mistakes :-(
>
> Thus: Anybody here that could teach me what to test next?
>
> Thanks and with kind regards,
> Michael
>
>
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From mailscanner at joolee.nl  Sat Mar  9 22:33:22 2013
From: mailscanner at joolee.nl (Joolee)
Date: Sat, 9 Mar 2013 23:33:22 +0100
Subject: MailScanner won't run ...
In-Reply-To: <BBDF22AB-675F-4794-B60A-E1C91B304328@odo.in-berlin.de>
References: <BBDF22AB-675F-4794-B60A-E1C91B304328@odo.in-berlin.de>
Message-ID: <CA+Q-w8U40m0-vqcmxuR8Z7nyEDWrwrGFBTc5ho5LWWQ+6pJFdA@mail.gmail.com>

Stupid question maybe but are you sure Mailscanner is running and has the
right privilleges and did you check the mail.log?
Have you read and tried the suggestions from
http://wiki.mailscanner.info/doku.php?id=documentation:test_troubleshoot:mailscanner?

You should run the lint and debug checks as the user you configured in the
Mailscanner conf and try it as root user just to be sure of permissions

On 9 March 2013 21:31, Michael Grimm <trashcan at odo.in-berlin.de> wrote:

> Hi --
>
> I'm absolutely new regarding MailScanner, and I would like to migrate from
> amavisd-new, but:
>
> This is my test mail server running in a FreeBSD jail:
>         FreeBSD 9.1-RELEASE
>         postfix 2.9.5
>         clamav 0.97.6
>         spamassassin 3.3.2
>         perl 5.14.2
>
> Following http://www.mailscanner.info/postfix.html I did modify
> MailScanner.conf as follows:
>         Run As User = postfix
>         Run As Group = postfix
>         Incoming Queue Dir = /var/spool/postfix/hold
>         Outgoing Queue Dir = /var/spool/postfix/incoming
>         MTA = postfix
>
> plus (due to clamav):
>         Incoming Work User =
>         Incoming Work Group = clamav
>         Incoming Work Permissions = 0640
>
> and:
>         SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
>
> I did create the following directories:
>         drwxrwxr-x    5 postfix          postfix
>  var/spool/MailScanner
>         drwxr-xr-x    2 postfix          postfix
>  /var/spool/MailScanner/spamassassin
>         drwxr-xr-x    2 postfix          postfix
>  /var/spool/MailScanner/quarantine
>         drwxr-xr-x    4 postfix          clamav
> /var/spool/MailScanner/incoming
>         drwx------    2 postfix          postfix
>  /var/spool/MailScanner/incoming/SpamAssassin-Temp
>         drwxr-x---    2 postfix          postfix
>  /var/spool/MailScanner/incoming/Locks
>
> "MailScanner --lint" and "spamassassin --lint" do run to completion
> without any complaints.
>
> *BUT*: Whenever I do inject mail messages, they will be put into postfix'
> hold queue (as intended by postfix' header_checks) for ever, but
> MailScanner won't do *anything*, no single syslog entry, nothing,
> absolutely nothing :-( I would have expected that there were some
> complaints in syslog, but there's nothing! And, I did try a lot of
> different variations of what should be configured (according help text in
> MailScanner.conf and google searching).
>
> MailScanner --debug isn't helpful, either. Nothing happens, nothing.
> MailScanner -h tells me that I do have all modules installed.
>
> I never ever experienced something comparable before: no error messages in
> syslog or wherever that would tell me about my mistakes :-(
>
> Thus: Anybody here that could teach me what to test next?
>
> Thanks and with kind regards,
> Michael
>
>
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130309/7949782d/attachment.html 

From maxsec at gmail.com  Sat Mar  9 23:09:33 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat, 9 Mar 2013 23:09:33 +0000
Subject: MailScanner won't run ...
In-Reply-To: <CA+Q-w8U40m0-vqcmxuR8Z7nyEDWrwrGFBTc5ho5LWWQ+6pJFdA@mail.gmail.com>
References: <BBDF22AB-675F-4794-B60A-E1C91B304328@odo.in-berlin.de>
	<CA+Q-w8U40m0-vqcmxuR8Z7nyEDWrwrGFBTc5ho5LWWQ+6pJFdA@mail.gmail.com>
Message-ID: <CAGDKor+0zniRTMLrZyjgPdaZwhZ3FXUWYXSTmRYHqdHAheCnHQ@mail.gmail.com>

Make sure the debug mode is run as su postfix first


Martin


On Saturday, 9 March 2013, Joolee wrote:

> Stupid question maybe but are you sure Mailscanner is running and has the
> right privilleges and did you check the mail.log?
> Have you read and tried the suggestions from
> http://wiki.mailscanner.info/doku.php?id=documentation:test_troubleshoot:mailscanner?
>
> You should run the lint and debug checks as the user you configured in the
> Mailscanner conf and try it as root user just to be sure of permissions
>
> On 9 March 2013 21:31, Michael Grimm <trashcan at odo.in-berlin.de<javascript:_e({}, 'cvml', 'trashcan at odo.in-berlin.de');>
> > wrote:
>
>> Hi --
>>
>> I'm absolutely new regarding MailScanner, and I would like to migrate
>> from amavisd-new, but:
>>
>> This is my test mail server running in a FreeBSD jail:
>>         FreeBSD 9.1-RELEASE
>>         postfix 2.9.5
>>         clamav 0.97.6
>>         spamassassin 3.3.2
>>         perl 5.14.2
>>
>> Following http://www.mailscanner.info/postfix.html I did modify
>> MailScanner.conf as follows:
>>         Run As User = postfix
>>         Run As Group = postfix
>>         Incoming Queue Dir = /var/spool/postfix/hold
>>         Outgoing Queue Dir = /var/spool/postfix/incoming
>>         MTA = postfix
>>
>> plus (due to clamav):
>>         Incoming Work User =
>>         Incoming Work Group = clamav
>>         Incoming Work Permissions = 0640
>>
>> and:
>>         SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
>>
>> I did create the following directories:
>>         drwxrwxr-x    5 postfix          postfix
>>  var/spool/MailScanner
>>         drwxr-xr-x    2 postfix          postfix
>>  /var/spool/MailScanner/spamassassin
>>         drwxr-xr-x    2 postfix          postfix
>>  /var/spool/MailScanner/quarantine
>>         drwxr-xr-x    4 postfix          clamav
>> /var/spool/MailScanner/incoming
>>         drwx------    2 postfix          postfix
>>  /var/spool/MailScanner/incoming/SpamAssassin-Temp
>>         drwxr-x---    2 postfix          postfix
>>  /var/spool/MailScanner/incoming/Locks
>>
>> "MailScanner --lint" and "spamassassin --lint" do run to completion
>> without any complaints.
>>
>> *BUT*: Whenever I do inject mail messages, they will be put into postfix'
>> hold queue (as intended by postfix' header_checks) for ever, but
>> MailScanner won't do *anything*, no single syslog entry, nothing,
>> absolutely nothing :-( I would have expected that there were some
>> complaints in syslog, but there's nothing! And, I did try a lot of
>> different variations of what should be configured (according help text in
>> MailScanner.conf and google searching).
>>
>> MailScanner --debug isn't helpful, either. Nothing happens, nothing.
>> MailScanner -h tells me that I do have all modules installed.
>>
>> I never ever experienced something comparable before: no error messages
>> in syslog or wherever that would tell me about my mistakes :-(
>>
>> Thus: Anybody here that could teach me what to test next?
>>
>> Thanks and with kind regards,
>> Michael
>>
>>
>>
>>
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info <javascript:_e({}, 'cvml',
>> 'mailscanner at lists.mailscanner.info');>
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
>

-- 
-- 
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130309/3f5ec292/attachment.html 

From trashcan at odo.in-berlin.de  Sun Mar 10 16:24:59 2013
From: trashcan at odo.in-berlin.de (Michael Grimm)
Date: Sun, 10 Mar 2013 17:24:59 +0100
Subject: MailScanner won't run ... 
In-Reply-To: <BBDF22AB-675F-4794-B60A-E1C91B304328@odo.in-berlin.de>
References: <BBDF22AB-675F-4794-B60A-E1C91B304328@odo.in-berlin.de>
Message-ID: <B3A7ED1F-7A4D-4ADD-9BEF-D7511336DA73@odo.in-berlin.de>

Hi --

On 09.03.2013, at 21:31, Michael Grimm <trashcan at odo.in-berlin.de> wrote:

> Thus: Anybody here that could teach me what to test next?

First of all I'd like to thank all of you (this list's and private mails) for reassuring that my configuration and directory protections weren't wrong.

Thus, I used the old but tedious technique of inserting debugging messages into the code until I finally found the cause for my MailScanner's refusal of service:

A sample excerpt of my postfix' hold queue looks as follows:

| test> la /var/spool/postfix/hold/
| -rwx------  1 postfix  postfix  - 547 Mar 10 16:37 3ZP6596tR1zKR1
| -rwx------  1 postfix  postfix  - 547 Mar 10 16:37 3ZP6596xlmzKR2
| -rwx------  1 postfix  postfix  - 547 Mar 10 16:37 3ZP659714vzKR3
| -rwx------  1 postfix  postfix  - 547 Mar 10 16:37 3ZP65974zXzKR4

MailScanner simply fails to recognize those filenames because every test on queue directory an filenames uses the following regex ...

| '^([\\dA-F]+)$'

... which is plain wrong (IMHO). Thus I modified that regex to ...

| '^([\\w]+)$'

... and MailScanner is recognizing the correct HashDirDepth and every queued file, and now it does what it is supposed to do: scanning mails ;-)

That regex might well be optimized, I'm not that much an expert. And, I don't have any clue if my patch is going to break other parts (haven't done extensive testing up to now!).

Here's my udiff:
--- Postfix.pm.old	2013-03-10 16:33:29.917729549 +0100
+++ Postfix.pm	2013-03-10 16:36:23.032728554 +0100
@@ -85,7 +85,9 @@
 
   # These need to be improved
   # No change for V4
-  $this->{HDFileRegexp} = '^([\\dA-F]+)$';
+# GRIMM (modified regex to recognize filenames in /var/spool/postfix/hold)
+# $this->{HDFileRegexp} = '^([\\dA-F]+)$';
+  $this->{HDFileRegexp} = '^([\\w]+)$';
   $this->{TFileRegexp} = '^tf-' . $$ . '-([\\dA-F]+)$';
   # JKF Must fix this once I know what it's for.
   $this->{QueueFileRegexp} = '^([\\d]+-[\\d]+)$';

To those which are running postfix as well: which versions do you run and how do your filenames look like? (I am running postfix 2.9.5) Not sure if I happened to alter some postfix option that might have impact to those filenames, though.

Thanks to all and with kind regards,
Michael



From mailscanner at joolee.nl  Sun Mar 10 17:58:48 2013
From: mailscanner at joolee.nl (Joolee)
Date: Sun, 10 Mar 2013 18:58:48 +0100
Subject: MailScanner won't run ...
In-Reply-To: <B3A7ED1F-7A4D-4ADD-9BEF-D7511336DA73@odo.in-berlin.de>
References: <BBDF22AB-675F-4794-B60A-E1C91B304328@odo.in-berlin.de>
	<B3A7ED1F-7A4D-4ADD-9BEF-D7511336DA73@odo.in-berlin.de>
Message-ID: <CA+Q-w8XorZQ2Pu-V8=MOy-mEmGs-E=R8rL7KE+vZmvUht3AvNg@mail.gmail.com>

It seems that you are running postfix configured with the
"enable_long_queue_ids" option, see:
http://www.postfix.org/postconf.5.html#enable_long_queue_ids

I think it would be best to make a note of this in the MailScanner Wiki to
disable the option. Enabling this option causes Postfix not to use unique
message ID's which can cause problems when using software like Baruwa or
Mailwatch.

On 10 March 2013 17:24, Michael Grimm <trashcan at odo.in-berlin.de> wrote:

> Hi --
>
> On 09.03.2013, at 21:31, Michael Grimm <trashcan at odo.in-berlin.de> wrote:
>
> > Thus: Anybody here that could teach me what to test next?
>
> First of all I'd like to thank all of you (this list's and private mails)
> for reassuring that my configuration and directory protections weren't
> wrong.
>
> Thus, I used the old but tedious technique of inserting debugging messages
> into the code until I finally found the cause for my MailScanner's refusal
> of service:
>
> A sample excerpt of my postfix' hold queue looks as follows:
>
> | test> la /var/spool/postfix/hold/
> | -rwx------  1 postfix  postfix  - 547 Mar 10 16:37 3ZP6596tR1zKR1
> | -rwx------  1 postfix  postfix  - 547 Mar 10 16:37 3ZP6596xlmzKR2
> | -rwx------  1 postfix  postfix  - 547 Mar 10 16:37 3ZP659714vzKR3
> | -rwx------  1 postfix  postfix  - 547 Mar 10 16:37 3ZP65974zXzKR4
>
> MailScanner simply fails to recognize those filenames because every test
> on queue directory an filenames uses the following regex ...
>
> | '^([\\dA-F]+)$'
>
> ... which is plain wrong (IMHO). Thus I modified that regex to ...
>
> | '^([\\w]+)$'
>
> ... and MailScanner is recognizing the correct HashDirDepth and every
> queued file, and now it does what it is supposed to do: scanning mails ;-)
>
> That regex might well be optimized, I'm not that much an expert. And, I
> don't have any clue if my patch is going to break other parts (haven't done
> extensive testing up to now!).
>
> Here's my udiff:
> --- Postfix.pm.old      2013-03-10 16:33:29.917729549 +0100
> +++ Postfix.pm  2013-03-10 16:36:23.032728554 +0100
> @@ -85,7 +85,9 @@
>
>    # These need to be improved
>    # No change for V4
> -  $this->{HDFileRegexp} = '^([\\dA-F]+)$';
> +# GRIMM (modified regex to recognize filenames in /var/spool/postfix/hold)
> +# $this->{HDFileRegexp} = '^([\\dA-F]+)$';
> +  $this->{HDFileRegexp} = '^([\\w]+)$';
>    $this->{TFileRegexp} = '^tf-' . $$ . '-([\\dA-F]+)$';
>    # JKF Must fix this once I know what it's for.
>    $this->{QueueFileRegexp} = '^([\\d]+-[\\d]+)$';
>
> To those which are running postfix as well: which versions do you run and
> how do your filenames look like? (I am running postfix 2.9.5) Not sure if I
> happened to alter some postfix option that might have impact to those
> filenames, though.
>
> Thanks to all and with kind regards,
> Michael
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130310/387bdb59/attachment.html 

From trashcan at odo.in-berlin.de  Sun Mar 10 20:35:41 2013
From: trashcan at odo.in-berlin.de (Michael Grimm)
Date: Sun, 10 Mar 2013 21:35:41 +0100
Subject: MailScanner won't run ...
In-Reply-To: <CA+Q-w8XorZQ2Pu-V8=MOy-mEmGs-E=R8rL7KE+vZmvUht3AvNg@mail.gmail.com>
References: <BBDF22AB-675F-4794-B60A-E1C91B304328@odo.in-berlin.de>
	<B3A7ED1F-7A4D-4ADD-9BEF-D7511336DA73@odo.in-berlin.de>
	<CA+Q-w8XorZQ2Pu-V8=MOy-mEmGs-E=R8rL7KE+vZmvUht3AvNg@mail.gmail.com>
Message-ID: <E73A6C8D-844D-42D8-8EA9-F3C583DC7DFE@odo.in-berlin.de>

Hi --

On 10.03.2013, at 18:58, Joolee <mailscanner at joolee.nl> wrote:

> It seems that you are running postfix configured with the "enable_long_queue_ids" option, see: http://www.postfix.org/postconf.5.html#enable_long_queue_ids

Bingo! Yes, I did enable that postfix option because of (http://www.postfix.org/postconf.5.html#enable_long_queue_ids):

| The benefit of non-repeating names is simpler logfile analysis and easier 
| queue migration (there is no need to run "postsuper" to change queue file 
| names that don't match their message file inode number).

And that helped me numerous times in logfile analysis. Thus, I am very much hesitant to revert that option!

> I think it would be best to make a note of this in the MailScanner Wiki to disable the option.

ACK!

> Enabling this option causes Postfix not to use unique message ID's

No, if I am not mistaken: they *are* unique!

> which can cause problems when using software like Baruwa or Mailwatch.

I do not use that software. But I would like to stick to "enable_long_queue_ids = yes". Thus, I would rather prefer an option in MailScanner.conf that would deal with this option in postfix? main.cf instead! (BTW: http://www.postfix.org/postconf.5.html#enable_long_queue_ids might help in making that regex more specific.)

With kind regards,
Michael


From mailborder at gmail.com  Sun Mar 10 23:21:22 2013
From: mailborder at gmail.com (Mailborder at Gmail)
Date: Mon, 11 Mar 2013 00:21:22 +0100
Subject: Outlook.com Autocorrect - Beware
Message-ID: <CANK23U1B9cqwQzPvNBuXFMvfrP5Ty+J1O4SkTV=ZhDLh0CdN-g@mail.gmail.com>

This is just an informational email for the MailScanner community. I have
found that Outlook.com autocorrects email message bodies. Of course they
don't tell you about it. Nor can I find where it can be disabled. So if you
get a complaint about changed email, check to make sure no one in the mix
is using Outlook.com.

Personally, I just damn near tore a server apart thinking it had been
hacked. It wasn't until I went back to Outlook.com and viewed the source of
the message. So, the server wasn't hacked. And the email was not marked as
junk either. Instead, Bill Gates seems to think Border Mail is a better
organizational name for Mailborder. So he changed it for me. He also
doesn't like email links. Instead of breaking them, he just totally deletes
them. He also wants us to speak English like it is our 7th language by all
the changes I witnessed.


I'm ranting ... but beware.


Jerry Benton
www.mailborder.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130311/34a72594/attachment.html 

From doctor at doctor.nl2k.ab.ca  Mon Mar 11 19:23:20 2013
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 11 Mar 2013 13:23:20 -0600
Subject: Show stopper
Message-ID: <20130311192320.GA6984@doctor.nl2k.ab.ca>

All right,

I had to do a quick reboot on the server to erase any trace of
virii and malware on the system.

When that happened MailScanner did not restart

When I manually run MailScanner I get

Can't locate object method "bootstrap" via package "DBI" at /usr/contrib/lib/perl5/site_perl/5.8.8/i386-bsdos/DBI.pm line 259.
BEGIN failed--compilation aborted at /usr/contrib/lib/perl5/site_perl/5.8.8/i386-bsdos/DBI.pm line 266.
Compilation failed in require at /opt/MailScanner/lib/MailScanner/ConfigSQL.pm line 36.
BEGIN failed--compilation aborted at /opt/MailScanner/lib/MailScanner/ConfigSQL.pm line 36.
Compilation failed in require at /opt/MailScanner/lib/Config.pm line 47.
Compilation failed in require at /usr/libdata/perl5/5.8.8/i386-bsdos/DynaLoader.pm line 25.
BEGIN failed--compilation aborted at /usr/libdata/perl5/5.8.8/i386-bsdos/DynaLoader.pm line 25.
Compilation failed in require at /usr/libdata/perl5/5.8.8/i386-bsdos/Time/HiRes.pm line 7.
Compilation failed in require at /usr/contrib/bin/MailScanner line 90.
BEGIN failed--compilation aborted at /usr/contrib/bin/MailScanner line 90.  

Pointers please.

-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 amnd 53 on Atheism
I am a New World Order Enemy - I am an enemy of totalitarians and dictators.

From maxsec at gmail.com  Tue Mar 12 06:39:57 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 12 Mar 2013 06:39:57 +0000
Subject: Show stopper
In-Reply-To: <20130311192320.GA6984@doctor.nl2k.ab.ca>
References: <20130311192320.GA6984@doctor.nl2k.ab.ca>
Message-ID: <CAGDKor+uRvM-07B+pBzSLHUd=U9znuYf+JaL76XfWS0LNc0Tbg@mail.gmail.com>

Sounds like youve dropped part of the DBI perl package to me.

Id reinstall and check all thr packaged are good

If you suspect its been compromised maybe built a fresh server and keep
this isolated fir further inspection later

Martin

On Monday, 11 March 2013, The Doctor wrote:

> All right,
>
> I had to do a quick reboot on the server to erase any trace of
> virii and malware on the system.
>
> When that happened MailScanner did not restart
>
> When I manually run MailScanner I get
>
> Can't locate object method "bootstrap" via package "DBI" at
> /usr/contrib/lib/perl5/site_perl/5.8.8/i386-bsdos/DBI.pm line 259.
> BEGIN failed--compilation aborted at
> /usr/contrib/lib/perl5/site_perl/5.8.8/i386-bsdos/DBI.pm line 266.
> Compilation failed in require at
> /opt/MailScanner/lib/MailScanner/ConfigSQL.pm line 36.
> BEGIN failed--compilation aborted at
> /opt/MailScanner/lib/MailScanner/ConfigSQL.pm line 36.
> Compilation failed in require at /opt/MailScanner/lib/Config.pm line 47.
> Compilation failed in require at
> /usr/libdata/perl5/5.8.8/i386-bsdos/DynaLoader.pm line 25.
> BEGIN failed--compilation aborted at
> /usr/libdata/perl5/5.8.8/i386-bsdos/DynaLoader.pm line 25.
> Compilation failed in require at
> /usr/libdata/perl5/5.8.8/i386-bsdos/Time/HiRes.pm line 7.
> Compilation failed in require at /usr/contrib/bin/MailScanner line 90.
> BEGIN failed--compilation aborted at /usr/contrib/bin/MailScanner line 90.
>
> Pointers please.
>
> --
> Member - Liberal International  This is doctor at nl2k.ab.ca <javascript:;>Ici
> doctor at nl2k.ab.ca <javascript:;>
> God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 amnd 53 on Atheism
> I am a New World Order Enemy - I am an enemy of totalitarians and
> dictators.
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info <javascript:;>
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>


-- 
-- 
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130312/e1ddaa38/attachment.html 

From stephencoxmail at gmail.com  Tue Mar 12 07:23:40 2013
From: stephencoxmail at gmail.com (Stephen Cox)
Date: Tue, 12 Mar 2013 09:23:40 +0200
Subject: Show stopper
In-Reply-To: <20130311192320.GA6984@doctor.nl2k.ab.ca>
References: <20130311192320.GA6984@doctor.nl2k.ab.ca>
Message-ID: <CAMgku6Q1bcYWZ2Bj8jB6LTC7wpUZSsWHYKtchyLkJ5dW61za9g@mail.gmail.com>

On Mon, Mar 11, 2013 at 9:23 PM, The Doctor <doctor at doctor.nl2k.ab.ca>wrote:

> Can't locate object method "bootstrap" via package "DBI" at
> /usr/contrib/lib/perl5/site_perl/5.8.8/i386-bsdos/DBI.pm line 259.
>

Did you try to re-install perl?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130312/9076c5ea/attachment.html 

From doctor at doctor.nl2k.ab.ca  Tue Mar 12 13:51:26 2013
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Tue, 12 Mar 2013 07:51:26 -0600
Subject: Show stopper
In-Reply-To: <CAMgku6Q1bcYWZ2Bj8jB6LTC7wpUZSsWHYKtchyLkJ5dW61za9g@mail.gmail.com>
References: <20130311192320.GA6984@doctor.nl2k.ab.ca>
	<CAMgku6Q1bcYWZ2Bj8jB6LTC7wpUZSsWHYKtchyLkJ5dW61za9g@mail.gmail.com>
Message-ID: <20130312135126.GA9579@doctor.nl2k.ab.ca>

On Tue, Mar 12, 2013 at 09:23:40AM +0200, Stephen Cox wrote:
> On Mon, Mar 11, 2013 at 9:23 PM, The Doctor <doctor at doctor.nl2k.ab.ca>wrote:
> 
> > Can't locate object method "bootstrap" via package "DBI" at
> > /usr/contrib/lib/perl5/site_perl/5.8.8/i386-bsdos/DBI.pm line 259.
> >


Yes.

> 
> Did you try to re-install perl?

> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 

> This message has been 'sanitized'.  This means that potentially
> dangerous content has been rewritten or removed.  The following
> log describes which actions were taken.
> 
> Sanitizer (start="1363077117"):
>   Part (pos="2956"):
>     Part (pos="107"):
>       SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
>         Match (names="unnamed.txt", rule="2"):
>           Enforced policy: accept
> 
>     Part (pos="429"):
>       SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):
>         Match (names="unnamed.html, filetype.html", rule="2"):
>           Enforced policy: accept
> 
>       Note: Styles and layers give attackers many tools to fool the
>       user and common browsers interpret Javascript code found
>       within style definitions.
>       
>       Rewrote HTML tag: >>_div dir="ltr"_<<
>                     as: >>_p__DEFANGED_div dir="ltr"_<<
>       Rewrote HTML tag: >>_span dir="ltr"_<<
>                     as: >>_DEFANGED_span dir="ltr"_<<
>       Rewrote HTML tag: >>_/span_<<
>                     as: >>_/DEFANGED_span_<<
>       Rewrote HTML tag: >>_div class="gmail_extra"_<<
>                     as: >>_p__DEFANGED_div class="gmail_extra"_<<
>       Rewrote HTML tag: >>_div class="gmail_quote"_<<
>                     as: >>_p__DEFANGED_div class="gmail_quote"_<<
>       Rewrote HTML tag: >>_blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"_<<
>                     as: >>_blockquote class="gmail_quote" DEFANGED_style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"_<<
>       Rewrote HTML tag: >>_div_<<
>                     as: >>_p__DEFANGED_div_<<
>       Rewrote HTML tag: >>_/div_<<
>                     as: >>_/p__DEFANGED_div_<<
>       Rewrote HTML tag: >>_div style_<<
>                     as: >>_p__DEFANGED_div style_<<
>       Rewrote HTML tag: >>_/div_<<
>                     as: >>_/p__DEFANGED_div_<<
>       Rewrote HTML tag: >>_/div_<<
>                     as: >>_/p__DEFANGED_div_<<
>       Rewrote HTML tag: >>_/div_<<
>                     as: >>_/p__DEFANGED_div_<<
>       Rewrote HTML tag: >>_/div_<<
>                     as: >>_/p__DEFANGED_div_<<
> 
>   Part (pos="4162"):
>     SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
>       Match (names="unnamed.txt", rule="2"):
>         Enforced policy: accept
> 
>   Total modifications so far: 13
> 
> 
> Anomy 0.0.0 : Sanitizer.pm
> $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $


-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 amnd 53 on Atheism
I am a New World Order Enemy - I am an enemy of totalitarians and dictators.

From alex at vidadigital.com.pa  Tue Mar 12 14:01:47 2013
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue, 12 Mar 2013 09:01:47 -0500
Subject: Show stopper
In-Reply-To: <20130311192320.GA6984@doctor.nl2k.ab.ca>
References: <20130311192320.GA6984@doctor.nl2k.ab.ca>
Message-ID: <CANyE0Ppwt7L4MgZ50W=NMoEhYwDP3m8Nvzz4yLQDPDKgT746Dg@mail.gmail.com>

I believe the recommendations posted by Martin and Stephen are correct; you
should verify that perl, the DBI packages, and every other MailScanner
dependency is satisfied.

This is most likely solved by reinstalling, although you can run
MailScanner --lint and MailScanner --debug to check if there are any other
outstanding issues.

BTW "virii" is not the right term.

On Mon, Mar 11, 2013 at 2:23 PM, The Doctor <doctor at doctor.nl2k.ab.ca>wrote:

> All right,
>
> I had to do a quick reboot on the server to erase any trace of
> virii and malware on the system.
>
> When that happened MailScanner did not restart
>
> When I manually run MailScanner I get
>
> Can't locate object method "bootstrap" via package "DBI" at
> /usr/contrib/lib/perl5/site_perl/5.8.8/i386-bsdos/DBI.pm line 259.
> BEGIN failed--compilation aborted at
> /usr/contrib/lib/perl5/site_perl/5.8.8/i386-bsdos/DBI.pm line 266.
> Compilation failed in require at
> /opt/MailScanner/lib/MailScanner/ConfigSQL.pm line 36.
> BEGIN failed--compilation aborted at
> /opt/MailScanner/lib/MailScanner/ConfigSQL.pm line 36.
> Compilation failed in require at /opt/MailScanner/lib/Config.pm line 47.
> Compilation failed in require at
> /usr/libdata/perl5/5.8.8/i386-bsdos/DynaLoader.pm line 25.
> BEGIN failed--compilation aborted at
> /usr/libdata/perl5/5.8.8/i386-bsdos/DynaLoader.pm line 25.
> Compilation failed in require at
> /usr/libdata/perl5/5.8.8/i386-bsdos/Time/HiRes.pm line 7.
> Compilation failed in require at /usr/contrib/bin/MailScanner line 90.
> BEGIN failed--compilation aborted at /usr/contrib/bin/MailScanner line 90.
>
> Pointers please.
>
> --
> Member - Liberal International  This is doctor at nl2k.ab.ca Ici
> doctor at nl2k.ab.ca
> God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 amnd 53 on Atheism
> I am a New World Order Enemy - I am an enemy of totalitarians and
> dictators.
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>



-- 

--

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital


-- So-called "legal disclaimers" are not legally binding, so don't bother.
A cute graphic saying "save the planet, don't print this" can potentially
create more CO2, not less, so don't bother either.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130312/ffea77f5/attachment.html 

From rlopezcnm at gmail.com  Tue Mar 12 23:51:49 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Tue, 12 Mar 2013 17:51:49 -0600
Subject: Recipe for creating latest MailScanner .deb for Ubuntu
Message-ID: <CAAJHbAodwPpDuz8N8rj1GVuTZeVexhYK1-N8s_mrG0zzbwsFrg@mail.gmail.com>

Google seems to not find any MailScanner 4.84.5-3 for Ubuntu.

I looked at some instructions for using check install. But following them
lead to a system that forked mailscanner until memory is exhausted faster
than one can log into the system.
There has to be more to it.

I see several persons have older releases available.

Is there anyone who has been routinely getting latest tar files and
installing them on Ubuntu who is willing to share the recipe for how they
do it?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130312/24bb7019/attachment.html 

From jerry.benton at mailborder.com  Wed Mar 13 00:36:02 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 13 Mar 2013 01:36:02 +0100
Subject: Recipe for creating latest MailScanner .deb for Ubuntu
In-Reply-To: <CAAJHbAodwPpDuz8N8rj1GVuTZeVexhYK1-N8s_mrG0zzbwsFrg@mail.gmail.com>
References: <CAAJHbAodwPpDuz8N8rj1GVuTZeVexhYK1-N8s_mrG0zzbwsFrg@mail.gmail.com>
Message-ID: <CAED3VzBW9QBYC6Za51_O8n7dzdEkHEe+QJNx=q2v6GY4=VGrcA@mail.gmail.com>

Robert,

http://www.baruwa.org/ has a repo with the latest for Ubuntu.

Jerry Benton



On Wed, Mar 13, 2013 at 12:51 AM, Robert Lopez <rlopezcnm at gmail.com> wrote:

> Google seems to not find any MailScanner 4.84.5-3 for Ubuntu.
>
> I looked at some instructions for using check install. But following them
> lead to a system that forked mailscanner until memory is exhausted faster
> than one can log into the system.
> There has to be more to it.
>
> I see several persons have older releases available.
>
> Is there anyone who has been routinely getting latest tar files and
> installing them on Ubuntu who is willing to share the recipe for how they
> do it?
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130313/4e539986/attachment.html 

From paul at welshfamily.com  Wed Mar 13 13:00:15 2013
From: paul at welshfamily.com (Paul Welsh)
Date: Wed, 13 Mar 2013 13:00:15 +0000
Subject: SpamAssassin timed out and was killed
Message-ID: <CAA510g6PvoGmB5aonJbKwiLv1ihbH+KNYZdUe67XO8oOa9=_Jw@mail.gmail.com>

Anyone else seeing this today:
SpamAssassin timed out and was killed

Started for me at 10:51 GMT and is still going on.  I suspect it's a
local problem but no harm in checking.

From maxsec at gmail.com  Wed Mar 13 16:41:14 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed, 13 Mar 2013 16:41:14 +0000
Subject: SpamAssassin timed out and was killed
In-Reply-To: <CAA510g6PvoGmB5aonJbKwiLv1ihbH+KNYZdUe67XO8oOa9=_Jw@mail.gmail.com>
References: <CAA510g6PvoGmB5aonJbKwiLv1ihbH+KNYZdUe67XO8oOa9=_Jw@mail.gmail.com>
Message-ID: <CAGDKorKEDLmpP070=miKS6WiygYQPNwfNGCSBhbi+QNP4dkgEg@mail.gmail.com>

Check theres no 'odd' files in the the hold queue area (and not . hidden
directories/folders)

-- 
Martin Hepworth, CISSP
Oxford, UK


On 13 March 2013 13:00, Paul Welsh <paul at welshfamily.com> wrote:

> Anyone else seeing this today:
> SpamAssassin timed out and was killed
>
> Started for me at 10:51 GMT and is still going on.  I suspect it's a
> local problem but no harm in checking.
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130313/d7bf428d/attachment.html 

From steve.freegard at fsl.com  Wed Mar 13 17:40:23 2013
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed, 13 Mar 2013 17:40:23 +0000
Subject: SpamAssassin timed out and was killed
In-Reply-To: <CAA510g6PvoGmB5aonJbKwiLv1ihbH+KNYZdUe67XO8oOa9=_Jw@mail.gmail.com>
References: <CAA510g6PvoGmB5aonJbKwiLv1ihbH+KNYZdUe67XO8oOa9=_Jw@mail.gmail.com>
Message-ID: <khqdkv$un6$1@ger.gmane.org>

On 13/03/13 13:00, Paul Welsh wrote:
> Anyone else seeing this today:
> SpamAssassin timed out and was killed
>
> Started for me at 10:51 GMT and is still going on.  I suspect it's a
> local problem but no harm in checking.
>

Run a batch through in --debug --debug-sa mode; in particular see if 
SpamAssassin is taking a long time on a particular test e.g. RBL, DCC, 
Pyzor or Razor2, or it might be trying to do a Bayes expiry etc.

HTH,
Steve.


From mailborder at gmail.com  Thu Mar 14 04:57:32 2013
From: mailborder at gmail.com (Mailborder at Gmail)
Date: Thu, 14 Mar 2013 05:57:32 +0100
Subject: Outlook.com Autocorrect - Beware
In-Reply-To: <VA.0000403a.0e9d5abe@news.conactive.com>
References: <CANK23U1B9cqwQzPvNBuXFMvfrP5Ty+J1O4SkTV=ZhDLh0CdN-g@mail.gmail.com>
	<VA.0000403a.0e9d5abe@news.conactive.com>
Message-ID: <CANK23U0dUuyALQ0PQsUDQ6zmuWqHzfCPwzBniEGEW+QFCZxYvA@mail.gmail.com>

Whatever you say dude.


On Wed, Mar 13, 2013 at 12:52 PM, Kai Schaetzl <maillists at conactive.com>wrote:

> Mailborder at Gmail wrote on Mon, 11 Mar 2013 00:21:22 +0100:
>
> > I'm ranting ... but beware.
>
> Hi Jerry,
>
> nothing of that is reproducible. I don't use outlook.com, but I have an
> account there that I sometimes use for testing, like now. I sent an email
> that contained the words "mailborder", "rebelion" (with one l) and a long
> link in it to and fro and there was not a single change. There is also no
> setting for autocorrect. There is no autocorrection in outlook.com at all,
> not even for clearly wrong words.
>
> Cheers,
>
> Kai
>
> --
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130314/fb3e83d9/attachment.html 

From rcooper at dwford.com  Thu Mar 14 16:38:53 2013
From: rcooper at dwford.com (Rick Cooper)
Date: Thu, 14 Mar 2013 12:38:53 -0400
Subject: Outlook.com Autocorrect - Beware
In-Reply-To: <CANK23U0dUuyALQ0PQsUDQ6zmuWqHzfCPwzBniEGEW+QFCZxYvA@mail.gmail.com>
References: <CANK23U1B9cqwQzPvNBuXFMvfrP5Ty+J1O4SkTV=ZhDLh0CdN-g@mail.gmail.com><VA.0000403a.0e9d5abe@news.conactive.com>
	<CANK23U0dUuyALQ0PQsUDQ6zmuWqHzfCPwzBniEGEW+QFCZxYvA@mail.gmail.com>
Message-ID: <43413110C7174944A21CE86332D8B11A@SAHOMELT>

I am wondering if the OP is using IE 10, I am not sure about IE 9 but there
are several threads out there about automatic spell check if your browser
supports it and apparently IE 10 does. They also state that you cannot
disable it in the outlook.com applications, including mail. I have not
installed IE 10 to test it though
 
RIck

  _____  

From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mailborder
at Gmail
Sent: Thursday, March 14, 2013 12:58 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: Outlook.com Autocorrect - Beware


Whatever you say dude.  


On Wed, Mar 13, 2013 at 12:52 PM, Kai Schaetzl <maillists at conactive.com>
wrote:


Mailborder at Gmail wrote on Mon, 11 Mar 2013 00:21:22 +0100:


> I'm ranting ... but beware.


Hi Jerry,

nothing of that is reproducible. I don't use outlook.com, but I have an
account there that I sometimes use for testing, like now. I sent an email
that contained the words "mailborder", "rebelion" (with one l) and a long
link in it to and fro and there was not a single change. There is also no
setting for autocorrect. There is no autocorrection in outlook.com at all,
not even for clearly wrong words.

Cheers,

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com






-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130314/162663fe/attachment.html 

From tomayengo at gmail.com  Fri Mar 15 13:26:45 2013
From: tomayengo at gmail.com (Kizito Thomas)
Date: Fri, 15 Mar 2013 16:26:45 +0300
Subject: Spamassassin seems to be in an incomplete loop
Message-ID: <1363354005.2212.62.camel@ICT>

Dear Good people,
I am a newbie on Mailscanner so any pointer is well appreciated before
hand.
I have spent the recent days trying to get Mailscanner, Clamav and
Spamassassin work on a Ubuntu 10.04.3 LTS running postfix 2.7.0 but
something is keeping on stopping it from working.
The MTA is working fine with out Mailscanner (when I comment out
header_checks = regexp:/etc/postfix/header_checks
from /etc/postfix/main.cf, mails get delivered).
At first I installed and configured mailscanner according to
http://www.linuxmail.info/mailscanner-postfix-clamav-spamassassin-howto-ubuntu-10-04/  but I couldn't have mails leaving the mail queue. When I check '/var/log/mail.log', I find a serie of repetitive logs, making me think there is some sort of incomplete loop spamassassin enters. (the logs are at the end of the mail)
When I tried to read about this, I found Mohammed Alli saying that the
Mailscanner provided by Ubuntu is broken.
http://www.mailscanner.info/ubuntu.html 
But even when I followed the step up there, there was no change.
I have tried to read the Mailscanner_manual_version 1.0.1 which talks
about auto_whitelist under /etc/MailScanner/spam.assassin.prefs.conf but
it doesn't make any difference setting 'use_auto_whitelist' to 0 or 1.
More reading dropped me to
http://wiki.apache.org/spamassassin/AutoWhitelist which talks about
loadplugin Mail::SpamAssassain::Plugin::AWL
in  /etc/mail/spamassassin/v310.pre but i found it commented out, even
uncommenting it didn't change a thing.
I hope I have provided enough information on my problem for help.
Thank you in advance.
######LOGs:###########
# tail -f /var/log/mail.log 
Mar 15 11:31:05 mail MailScanner[2712]: SpamAssassin cache hit for
message 873FB3A25E8.1D67D
Mar 15 11:31:08 mail MailScanner[2714]: MailScanner E-Mail Virus Scanner
version 4.74.16 starting...
Mar 15 11:31:08 mail MailScanner[2714]: Read 848 hostnames from the
phishing whitelist
Mar 15 11:31:08 mail MailScanner[2714]: Read 4278 hostnames from the
phishing blacklist
Mar 15 11:31:08 mail MailScanner[2714]: Using SpamAssassin results cache
Mar 15 11:31:08 mail MailScanner[2714]: Connected to SpamAssassin cache
database
Mar 15 11:31:08 mail MailScanner[2714]: Enabling SpamAssassin
auto-whitelist functionality...
Mar 15 11:31:10 mail MailScanner[2714]: Using locktype = flock
Mar 15 11:31:10 mail MailScanner[2714]: New Batch: Scanning 1 messages,
589 bytes
Mar 15 11:31:10 mail MailScanner[2714]: SpamAssassin cache hit for
message 873FB3A25E8.34EEF
Mar 15 11:31:13 mail MailScanner[2717]: MailScanner E-Mail Virus Scanner
version 4.74.16 starting...
Mar 15 11:31:13 mail MailScanner[2717]: Read 848 hostnames from the
phishing whitelist
Mar 15 11:31:13 mail MailScanner[2717]: Read 4278 hostnames from the
phishing blacklist
Mar 15 11:31:13 mail MailScanner[2717]: Using SpamAssassin results cache
Mar 15 11:31:13 mail MailScanner[2717]: Connected to SpamAssassin cache
database
Mar 15 11:31:13 mail MailScanner[2717]: Enabling SpamAssassin
auto-whitelist functionality...
Mar 15 11:31:15 mail MailScanner[2717]: Using locktype = flock
Mar 15 11:31:15 mail MailScanner[2717]: New Batch: Scanning 1 messages,
589 bytes
Mar 15 11:31:15 mail MailScanner[2717]: SpamAssassin cache hit for
message 873FB3A25E8.A6F2
-- 
Kind regards;
Kizito Tom Mayengo (KTM)
+256752602550||+256782062708




From rd at vladville.com  Fri Mar 15 14:48:08 2013
From: rd at vladville.com (Vlad Mazek)
Date: Fri, 15 Mar 2013 10:48:08 -0400
Subject: BATV PRVS Addressing
Message-ID: <CAEQ0g8HJWm=7+mewX_sF3ZE54vx3RAXqBJR-rTcbECWeonSp=Q@mail.gmail.com>

Anybody out there using the MailWatch's SQLBlackWhiteList.pm customfunction
that has figured out a way to make it handle BATV/PRVS Addressing correctly?

This is for a MailScanner/sendmail build
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130315/13884f7e/attachment.html 

From campbell at cnpapers.com  Fri Mar 15 18:07:16 2013
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri, 15 Mar 2013 14:07:16 -0400
Subject: OT: Do RBLs take precedence over access entries
Message-ID: <51436354.70903@cnpapers.com>

Does anyone know which takes precedence in sendmail: RBLs defined in 
sendmail.mc or the access file?

I'm having a time with one customer who's domain uses a mail service or 
ISP that sends quite a bit of spam. I've blocked quite a bit of IPs in 
access, and some are more than likely ones the senders outgoing server 
is apart of, but see that a few of their IPs are listed in spamhaus 
also, which I use in sendmail (not MS). I've added an entry at the top 
of the access file to "OK" the sender, but the email still gets blocked.

I've informed the sender that she should be receiving some form of 
notice that we have rejected their email, but they insist that they do 
not get the notice, so I'm having a little trouble figuring out which IP 
they're using this week.

Thanks for any help.

steve campbell

From maillists at conactive.com  Fri Mar 15 18:46:18 2013
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri, 15 Mar 2013 19:46:18 +0100
Subject: OT: Do RBLs take precedence over access entries
In-Reply-To: <51436354.70903@cnpapers.com>
References: <51436354.70903@cnpapers.com>
Message-ID: <VA.0000403e.1a65418b@news.conactive.com>

Steve Campbell wrote on Fri, 15 Mar 2013 14:07:16 -0400:

> I've added an entry at the top 
> of the access file to "OK" the sender, but the email still gets blocked.

I *think* it is the access file that takes precedence. But I don't know, 
sorry.
I have entries like
CONNECT: domain
in the last sendmail installation I have. But I'm not sure if it ever 
worked. We switched about the same time away from SORBS as it was giving 
too many FPs and the problem with the blocked mail servers went away.

> 
> I've informed the sender that she should be receiving some form of 
> notice that we have rejected their email, but they insist that they do 
> not get the notice, so I'm having a little trouble figuring out which IP 
> they're using this week.

The log tells you.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




From campbell at cnpapers.com  Fri Mar 15 19:15:02 2013
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri, 15 Mar 2013 15:15:02 -0400
Subject: OT: Do RBLs take precedence over access entries
In-Reply-To: <VA.0000403e.1a65418b@news.conactive.com>
References: <51436354.70903@cnpapers.com>
	<VA.0000403e.1a65418b@news.conactive.com>
Message-ID: <51437336.9090009@cnpapers.com>


On 3/15/2013 2:46 PM, Kai Schaetzl wrote:
> Steve Campbell wrote on Fri, 15 Mar 2013 14:07:16 -0400:
>
>> I've added an entry at the top
>> of the access file to "OK" the sender, but the email still gets blocked.
> I *think* it is the access file that takes precedence. But I don't know,
> sorry.
> I have entries like
> CONNECT: domain
> in the last sendmail installation I have. But I'm not sure if it ever
> worked. We switched about the same time away from SORBS as it was giving
> too many FPs and the problem with the blocked mail servers went away.
>
>> I've informed the sender that she should be receiving some form of
>> notice that we have rejected their email, but they insist that they do
>> not get the notice, so I'm having a little trouble figuring out which IP
>> they're using this week.
> The log tells you.
Thanks Kai,

Unfortunately, I can't discern which log entry is the one I'm looking 
for. I don't know for certain which domain is actually sending out the 
email. I know the domain of the sender, obviously, but the relay, which 
is what the log entries show, does not match the domain of the sender's 
domain. A quick count of rejected emails totals more than 100 a minute here.

So far, the sender is not cooperating with me and providing the IP that 
is reported on the return notice. If they feel it's important enough, 
maybe they'll forward me the rejection notice (to a gmail account or 
something other than here).

steve
>
> Kai
>


From steve.freegard at fsl.com  Fri Mar 15 20:58:44 2013
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri, 15 Mar 2013 20:58:44 +0000
Subject: OT: Do RBLs take precedence over access entries
In-Reply-To: <51436354.70903@cnpapers.com>
References: <51436354.70903@cnpapers.com>
Message-ID: <ki020p$g8s$1@ger.gmane.org>

On 15/03/13 18:07, Steve Campbell wrote:
> Does anyone know which takes precedence in sendmail: RBLs defined in
> sendmail.mc or the access file?
>
> I'm having a time with one customer who's domain uses a mail service or
> ISP that sends quite a bit of spam. I've blocked quite a bit of IPs in
> access, and some are more than likely ones the senders outgoing server
> is apart of, but see that a few of their IPs are listed in spamhaus
> also, which I use in sendmail (not MS). I've added an entry at the top
> of the access file to "OK" the sender, but the email still gets blocked.
>
> I've informed the sender that she should be receiving some form of
> notice that we have rejected their email, but they insist that they do
> not get the notice, so I'm having a little trouble figuring out which IP
> they're using this week.
>

Did you whitelist by the senders address or the source IP as it makes a 
difference.

The access-map will take precedence but only if you have 'delay_checks' 
enabled e.g.

FEATURE(`delay_checks')dnl

Otherwise the blacklisted address is rejected at connection time, so 
Sendmail doesn't get to see the sender to apply any further access map 
rules.

HTH,
Steve.



From mark at msapiro.net  Sun Mar 17 14:05:49 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 17 Mar 2013 07:05:49 -0700
Subject: ScamNailer
Message-ID: <PC1993201303170705490384eed1e871@Notebook-09>

It appears that ScamNailer data have not been updated in over 4 days
(since 13 Mar, file 2013-103.8). Is there a problem?

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From rd at vladville.com  Mon Mar 18 15:54:41 2013
From: rd at vladville.com (Vlad Mazek)
Date: Mon, 18 Mar 2013 11:54:41 -0400
Subject: BATV PRVS Addressing
In-Reply-To: <CAEQ0g8HJWm=7+mewX_sF3ZE54vx3RAXqBJR-rTcbECWeonSp=Q@mail.gmail.com>
References: <CAEQ0g8HJWm=7+mewX_sF3ZE54vx3RAXqBJR-rTcbECWeonSp=Q@mail.gmail.com>
Message-ID: <CAEQ0g8HPH+jQneenw=t3qetPMZTt1FM1ayAo4Aw_atpRFi4cOQ@mail.gmail.com>

Perhaps a better way to phrase this is:

Has anyone found a configuration to have the script test against the From
address instead of the Envelope address?


On Fri, Mar 15, 2013 at 10:48 AM, Vlad Mazek <rd at vladville.com> wrote:

> Anybody out there using the MailWatch's SQLBlackWhiteList.pm
> customfunction that has figured out a way to make it handle BATV/PRVS
> Addressing correctly?
>
> This is for a MailScanner/sendmail build
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130318/17bcdf0a/attachment.html 

From rlopezcnm at gmail.com  Mon Mar 18 19:37:29 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Mon, 18 Mar 2013 13:37:29 -0600
Subject: ScamNailer
In-Reply-To: <PC1993201303170705490384eed1e871@Notebook-09>
References: <PC1993201303170705490384eed1e871@Notebook-09>
Message-ID: <CAAJHbArN2rahpnaFthZd2zc39FVudYLP6cabWOiXO=4FKkOx_w@mail.gmail.com>

I checked and see the same as Mark.


On Sun, Mar 17, 2013 at 8:05 AM, Mark Sapiro <mark at msapiro.net> wrote:

> It appears that ScamNailer data have not been updated in over 4 days
> (since 13 Mar, file 2013-103.8). Is there a problem?
>
> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>



-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130318/04de7650/attachment.html 

From dgottsc at emory.edu  Mon Mar 18 20:17:47 2013
From: dgottsc at emory.edu (Gottschalk, David)
Date: Mon, 18 Mar 2013 20:17:47 +0000
Subject: ScamNailer
In-Reply-To: <CAAJHbArN2rahpnaFthZd2zc39FVudYLP6cabWOiXO=4FKkOx_w@mail.gmail.com>
References: <PC1993201303170705490384eed1e871@Notebook-09>
	<CAAJHbArN2rahpnaFthZd2zc39FVudYLP6cabWOiXO=4FKkOx_w@mail.gmail.com>
Message-ID: <29C400C10C01FA4C8405D52684332F6936D5DAC3@e14mbx15n.Enterprise.emory.net>

I'm seeing the same thing.

David Gottschalk
Emory University
UTS Messaging Team

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Robert Lopez
Sent: Monday, March 18, 2013 3:37 PM
To: MailScanner discussion
Subject: Re: ScamNailer

I checked and see the same as Mark.

On Sun, Mar 17, 2013 at 8:05 AM, Mark Sapiro <mark at msapiro.net<mailto:mark at msapiro.net>> wrote:
It appears that ScamNailer data have not been updated in over 4 days
(since 13 Mar, file 2013-103.8). Is there a problem?

--
Mark Sapiro <mark at msapiro.net<mailto:mark at msapiro.net>>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!



--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

________________________________

This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130318/31b9b62c/attachment.html 

From mailscanner at joolee.nl  Tue Mar 19 08:12:05 2013
From: mailscanner at joolee.nl (Joolee)
Date: Tue, 19 Mar 2013 09:12:05 +0100
Subject: BATV PRVS Addressing
In-Reply-To: <CAEQ0g8HPH+jQneenw=t3qetPMZTt1FM1ayAo4Aw_atpRFi4cOQ@mail.gmail.com>
References: <CAEQ0g8HJWm=7+mewX_sF3ZE54vx3RAXqBJR-rTcbECWeonSp=Q@mail.gmail.com>
	<CAEQ0g8HPH+jQneenw=t3qetPMZTt1FM1ayAo4Aw_atpRFi4cOQ@mail.gmail.com>
Message-ID: <CA+Q-w8UHqitkBVNSJxAKUYH_LN_fbxxr4V_1hn8V4f9Gux_M1w@mail.gmail.com>

If I remember correctly, that information is not available at the time the
script runs.

On 18 March 2013 16:54, Vlad Mazek <rd at vladville.com> wrote:

> Perhaps a better way to phrase this is:
>
> Has anyone found a configuration to have the script test against the From
> address instead of the Envelope address?
>
>
> On Fri, Mar 15, 2013 at 10:48 AM, Vlad Mazek <rd at vladville.com> wrote:
>
>> Anybody out there using the MailWatch's SQLBlackWhiteList.pm
>> customfunction that has figured out a way to make it handle BATV/PRVS
>> Addressing correctly?
>>
>> This is for a MailScanner/sendmail build
>>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130319/7e569389/attachment.html 

From btj at havleik.no  Tue Mar 19 08:49:42 2013
From: btj at havleik.no (=?UTF-8?B?QmrDuHJu?= T Johansen)
Date: Tue, 19 Mar 2013 09:49:42 +0100
Subject: Symbolic link?
Message-ID: <20130319094942.1c0421d2@havleik.no>

I moved /var/spool/MailScanner to a different disk and now I see this in the log when starting MailScanner..:


Your "Incoming Work Directory" should be specified as an absolute path, not including any links. But I will work okay anyway.


Can I just ignore this or should I change the Incoming Work Directory path?


Regards,

BTJ

-- 
-----------------------------------------------------------------------------------------------
Bj?rn T Johansen

btj at havleik.no
-----------------------------------------------------------------------------------------------
Someone wrote:
"I understand that if you play a Windows CD backwards you hear strange Satanic messages"
To which someone replied:
"It's even worse than that; play it forwards and it installs Windows"
-----------------------------------------------------------------------------------------------

From maxsec at gmail.com  Tue Mar 19 12:39:44 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 19 Mar 2013 12:39:44 +0000
Subject: Symbolic link?
In-Reply-To: <20130319094942.1c0421d2@havleik.no>
References: <20130319094942.1c0421d2@havleik.no>
Message-ID: <CAGDKor+8ah6ReQfG2YR+y5DdM9gqNDZRdD61zd-VZpfXy=EeQw@mail.gmail.com>

set it properly - has been known to cause some issues in the past with
various MTAs

-- 
Martin Hepworth, CISSP
Oxford, UK


On 19 March 2013 08:49, Bj?rn T Johansen <btj at havleik.no> wrote:

> I moved /var/spool/MailScanner to a different disk and now I see this in
> the log when starting MailScanner..:
>
>
> Your "Incoming Work Directory" should be specified as an absolute path,
> not including any links. But I will work okay anyway.
>
>
> Can I just ignore this or should I change the Incoming Work Directory path?
>
>
> Regards,
>
> BTJ
>
> --
>
> -----------------------------------------------------------------------------------------------
> Bj?rn T Johansen
>
> btj at havleik.no
>
> -----------------------------------------------------------------------------------------------
> Someone wrote:
> "I understand that if you play a Windows CD backwards you hear strange
> Satanic messages"
> To which someone replied:
> "It's even worse than that; play it forwards and it installs Windows"
>
> -----------------------------------------------------------------------------------------------
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130319/53b07ff4/attachment.html 

From rlopezcnm at gmail.com  Tue Mar 19 23:57:38 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Tue, 19 Mar 2013 17:57:38 -0600
Subject: Watermarking and spoofed sender address
Message-ID: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>

I understand watermarking is to defend against "joe job blowback". I think
I understand that blowback problem is when email is sent, using for example
my address, to many other domains and all the flack (blow back) comes back
to me.

I am wondering if this watermarking is of any use in a type of SPAM we now
frequently see. It is where email is sent to a list of addresses, all at
our domain, and the from address is also the first address in the address
list. Everyone else thinks the first person sent it. Our gateways send such
email to Exchange and any communication back to the sender is entirely
within Exchange and never comes back through the gateways again.

In this kind of SPAM I have always considered it of no use. Am I wrong in
my thinking?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130319/ecf618ed/attachment.html 

From maxsec at gmail.com  Wed Mar 20 13:40:23 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed, 20 Mar 2013 13:40:23 +0000
Subject: Watermarking and spoofed sender address
In-Reply-To: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
Message-ID: <CAGDKorLhA6CUOdUrKf_G3VcX=kXDw9dvm-rm-o=cB+_0vVgJNw@mail.gmail.com>

the 'watermaking' is based on the ability of mailScanner to addin an extra
header containing a (I think) hash of your Org-name salted with the
predefined secret in your MailScanner.conf

http://www.mailscanner.info/MailScanner.conf.index.html#Watermark%20Header

Not any use for this case and it's purely for use in MailScanner code.

I would check your whitelisting rules (definitely no spam etc) and make
sure you're not whitelisting your own domain, this is a common mistake and
lets alot of spam through that would normally be detected. If you need to
whitelist your domain then use the ip-addresses of the internal email
servers and not your domain.


-- 
Martin Hepworth, CISSP
Oxford, UK


On 19 March 2013 23:57, Robert Lopez <rlopezcnm at gmail.com> wrote:

> I understand watermarking is to defend against "joe job blowback". I think
> I understand that blowback problem is when email is sent, using for example
> my address, to many other domains and all the flack (blow back) comes back
> to me.
>
> I am wondering if this watermarking is of any use in a type of SPAM we now
> frequently see. It is where email is sent to a list of addresses, all at
> our domain, and the from address is also the first address in the address
> list. Everyone else thinks the first person sent it. Our gateways send such
> email to Exchange and any communication back to the sender is entirely
> within Exchange and never comes back through the gateways again.
>
> In this kind of SPAM I have always considered it of no use. Am I wrong in
> my thinking?
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/27384ab4/attachment.html 

From Kevin_Miller at ci.juneau.ak.us  Wed Mar 20 16:20:34 2013
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed, 20 Mar 2013 08:20:34 -0800
Subject: Watermarking and spoofed sender address
In-Reply-To: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
Message-ID: <C87702B41702834792222AE25D4057B66593@city-exchange07>

For what you're trying to do, SPF is a better option.

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Robert Lopez
Sent: Tuesday, March 19, 2013 3:58 PM
To: MailScanner discussion
Subject: Watermarking and spoofed sender address

I understand watermarking is to defend against "joe job blowback". I think I understand that blowback problem is when email is sent, using for example my address, to many other domains and all the flack (blow back) comes back to me.
I am wondering if this watermarking is of any use in a type of SPAM we now frequently see. It is where email is sent to a list of addresses, all at our domain, and the from address is also the first address in the address list. Everyone else thinks the first person sent it. Our gateways send such email to Exchange and any communication back to the sender is entirely within Exchange and never comes back through the gateways again.

In this kind of SPAM I have always considered it of no use. Am I wrong in my thinking?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/3217db95/attachment.html 

From david.hill at ubisoft.com  Wed Mar 20 16:24:26 2013
From: david.hill at ubisoft.com (David Hill)
Date: Wed, 20 Mar 2013 12:24:26 -0400
Subject: TNEF external expander vs internal
Message-ID: <710D4D6CE160654C87478D18385BB9972579808DD4@MDC-MAIL-CMS01.ubisoft.org>

Hi guys,

                We've upgraded from mailscanner 4.71.10-1 to 4.84.5-3 and we're running into an issue.
Some people said that TNEF external expander was broken, that they applied a patch and/or updated to tnef 1.4.9 but this doesn't
seem to solve our problem.     If we switch to internal, it's definitely solving the issue  but I think this is a hack for something that's broken.

So, just to leave a trace, external is broken, internal works well.

Thank you very much,

Dave

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/9ed2b9d2/attachment.html 

From david.hill at ubisoft.com  Wed Mar 20 16:34:58 2013
From: david.hill at ubisoft.com (David Hill)
Date: Wed, 20 Mar 2013 12:34:58 -0400
Subject: TNEF external expander vs internal
Message-ID: <710D4D6CE160654C87478D18385BB9972579808DDA@MDC-MAIL-CMS01.ubisoft.org>

Hi guys,

                I may have < found > the problem but I'm not sure :

2013-03-20T16:28:26.021724+00:00 mailserver  MailScanner[11855]: Corrupt TNEF winmail.dat that cannot be analysed in message 4E5601ED1.AD737
2013-03-20T16:30:00.824823+00:00 mailserver MailScanner[12178]: Expanding TNEF archive at /var/spool/MailScanner/incoming/12178/D07311ED1.A0ADA/winmail.dat
2013-03-20T16:30:00.826306+00:00 mailserver MailScanner[12178]: Trying to unpack nwinmail.dat in message D07311ED1.A0ADA, could not create subdirectory D07311ED1.A0ADA//tnef6sGA3q, failed to unpack TNEF message - /var/spool/postfix/hold
2013-03-20T16:30:00.826566+00:00 mailserver MailScanner[12178]: Corrupt TNEF winmail.dat that cannot be analysed in message D07311ED1.A0ADA

I hacked the code a bit and seems like we're in /var/spool/postfix/hold instead of /var/spool/MailScanner/incoming/ !

If that's the case, perhaps the patch will be easily done?

Dave



From: David Hill
Sent: March-20-13 12:24 PM
To: 'mailscanner at lists.mailscanner.info'
Subject: TNEF external expander vs internal

Hi guys,

                We've upgraded from mailscanner 4.71.10-1 to 4.84.5-3 and we're running into an issue.
Some people said that TNEF external expander was broken, that they applied a patch and/or updated to tnef 1.4.9 but this doesn't
seem to solve our problem.     If we switch to internal, it's definitely solving the issue  but I think this is a hack for something that's broken.

So, just to leave a trace, external is broken, internal works well.

Thank you very much,

Dave

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/2545f8f6/attachment.html 

From postal.janitor at gmail.com  Wed Mar 20 17:18:39 2013
From: postal.janitor at gmail.com (Adam Laye)
Date: Wed, 20 Mar 2013 10:18:39 -0700
Subject: Watermarking and spoofed sender
Message-ID: <CAF7oVknwGy+4QKTBUFxSVwLGuBOuo4066j8+VQBoz80WN5+e6A@mail.gmail.com>

On Wed, Mar 20, 2013 at 5:00 AM, <mailscanner-request at lists.mailscanner.info
> wrote:

> Send MailScanner mailing list submissions to
>         mailscanner at lists.mailscanner.info
> water marking and SPAM,



> I am not sure that water marking will be of any use to your here. However
> you can preven distribution groups from recieving external mail via
> settings in Active directory Users and Computers. This would auto reject
> Email sent to a group if the souce was External. ... Not sure this fits
> your sittuation, good luck.
>



> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.mailscanner.info/mailman/listinfo/mailscanner
> or, via email, send a message with subject or body 'help' to
>         mailscanner-request at lists.mailscanner.info
>
> You can reach the person managing the list at
>         mailscanner-owner at lists.mailscanner.info
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of MailScanner digest..."
>
> Today's Topics:
>
>    1. Re: Symbolic link? (Martin Hepworth)
>    2. Watermarking and spoofed sender address (Robert Lopez)
>
>
> ---------- Forwarded message ----------
> From: Martin Hepworth <maxsec at gmail.com>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Cc:
> Date: Tue, 19 Mar 2013 12:39:44 +0000
> Subject: Re: Symbolic link?
> set it properly - has been known to cause some issues in the past with
> various MTAs
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 19 March 2013 08:49, Bj?rn T Johansen <btj at havleik.no> wrote:
>
>> I moved /var/spool/MailScanner to a different disk and now I see this in
>> the log when starting MailScanner..:
>>
>>
>> Your "Incoming Work Directory" should be specified as an absolute path,
>> not including any links. But I will work okay anyway.
>>
>>
>> Can I just ignore this or should I change the Incoming Work Directory
>> path?
>>
>>
>> Regards,
>>
>> BTJ
>>
>> --
>>
>> -----------------------------------------------------------------------------------------------
>> Bj?rn T Johansen
>>
>> btj at havleik.no
>>
>> -----------------------------------------------------------------------------------------------
>> Someone wrote:
>> "I understand that if you play a Windows CD backwards you hear strange
>> Satanic messages"
>> To which someone replied:
>> "It's even worse than that; play it forwards and it installs Windows"
>>
>> -----------------------------------------------------------------------------------------------
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
>
>
> ---------- Forwarded message ----------
> From: Robert Lopez <rlopezcnm at gmail.com>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Cc:
> Date: Tue, 19 Mar 2013 17:57:38 -0600
> Subject: Watermarking and spoofed sender address
> I understand watermarking is to defend against "joe job blowback". I think
> I understand that blowback problem is when email is sent, using for example
> my address, to many other domains and all the flack (blow back) comes back
> to me.
>
> I am wondering if this watermarking is of any use in a type of SPAM we now
> frequently see. It is where email is sent to a list of addresses, all at
> our domain, and the from address is also the first address in the address
> list. Everyone else thinks the first person sent it. Our gateways send such
> email to Exchange and any communication back to the sender is entirely
> within Exchange and never comes back through the gateways again.
>
> In this kind of SPAM I have always considered it of no use. Am I wrong in
> my thinking?
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read the Wiki (http://wiki.mailscanner.info/).
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/12f478d9/attachment.html 

From rlopezcnm at gmail.com  Wed Mar 20 17:27:37 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Wed, 20 Mar 2013 11:27:37 -0600
Subject: Watermarking and spoofed sender address
In-Reply-To: <C87702B41702834792222AE25D4057B66593@city-exchange07>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
	<C87702B41702834792222AE25D4057B66593@city-exchange07>
Message-ID: <CAAJHbAoT4jBPHr6j+FQjZCDEtFxmjjn2Y2LrR++b4ZKvPbA84g@mail.gmail.com>

Kevin,

If we do use SPF could there be something in the way we use it that it does
not help?  We added it as part of our out soucing student email.

>From http://www.kitterman.com/getspf2.py as of Wed Mar 20 2013:
"
SPF record lookup and validation for: cnm.edu
SPF records are primarily published in DNS as TXT records.

The TXT records found for your domain are:
v=spf1 include:_spf.google.com mx ~all

SPF records should also be published in DNS as type SPF records.

Type SPF records found for the domain are:
v=spf1 include:_spf.google.com mx ~all

Checking to see if there is a valid SPF record.

Results - Record may be valid, but ambiguous: v=spf1 records of both type
TXT and SPF (type 99) present, but not identical

Found v=spf1 record for cnm.edu:
v=spf1 include:_spf.google.com mx ~all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!
"



On Wed, Mar 20, 2013 at 10:20 AM, Kevin Miller <Kevin_Miller at ci.juneau.ak.us
> wrote:

> For what you?re trying to do, SPF is a better option.  ****
>
> ** **
>
>  ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357 ****
>
> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Robert Lopez
> *Sent:* Tuesday, March 19, 2013 3:58 PM
> *To:* MailScanner discussion
> *Subject:* Watermarking and spoofed sender address****
>
> ** **
>
> I understand watermarking is to defend against "joe job blowback". I think
> I understand that blowback problem is when email is sent, using for example
> my address, to many other domains and all the flack (blow back) comes back
> to me.****
>
> I am wondering if this watermarking is of any use in a type of SPAM we now
> frequently see. It is where email is sent to a list of addresses, all at
> our domain, and the from address is also the first address in the address
> list. Everyone else thinks the first person sent it. Our gateways send such
> email to Exchange and any communication back to the sender is entirely
> within Exchange and never comes back through the gateways again.
>
> In this kind of SPAM I have always considered it of no use. Am I wrong in
> my thinking?
> ****
>
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106 ****
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/130cab20/attachment.html 

From rlopezcnm at gmail.com  Wed Mar 20 17:35:04 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Wed, 20 Mar 2013 11:35:04 -0600
Subject: Watermarking and spoofed sender address
In-Reply-To: <CAGDKorLhA6CUOdUrKf_G3VcX=kXDw9dvm-rm-o=cB+_0vVgJNw@mail.gmail.com>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
	<CAGDKorLhA6CUOdUrKf_G3VcX=kXDw9dvm-rm-o=cB+_0vVgJNw@mail.gmail.com>
Message-ID: <CAAJHbApV1ro7Acdh-RJY78nkvM+CD7GnhQ2jsbU=uMSrpiLQzw@mail.gmail.com>

Martin,

We do not white list the cnm.edu domain. We do white list some departments
(example, The Marketing and Communications Office, The Office of the
President, etc.) because they sent such high volume of email it takes too
much time to inspect them all. They are white listed via
.../rules/spam.whitelist.rules and not in the white list postfix uses.

-Robert


On Wed, Mar 20, 2013 at 7:40 AM, Martin Hepworth <maxsec at gmail.com> wrote:

> the 'watermaking' is based on the ability of mailScanner to addin an extra
> header containing a (I think) hash of your Org-name salted with the
> predefined secret in your MailScanner.conf
>
> http://www.mailscanner.info/MailScanner.conf.index.html#Watermark%20Header
>
> Not any use for this case and it's purely for use in MailScanner code.
>
> I would check your whitelisting rules (definitely no spam etc) and make
> sure you're not whitelisting your own domain, this is a common mistake and
> lets alot of spam through that would normally be detected. If you need to
> whitelist your domain then use the ip-addresses of the internal email
> servers and not your domain.
>
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 19 March 2013 23:57, Robert Lopez <rlopezcnm at gmail.com> wrote:
>
>> I understand watermarking is to defend against "joe job blowback". I
>> think I understand that blowback problem is when email is sent, using for
>> example my address, to many other domains and all the flack (blow back)
>> comes back to me.
>>
>> I am wondering if this watermarking is of any use in a type of SPAM we
>> now frequently see. It is where email is sent to a list of addresses, all
>> at our domain, and the from address is also the first address in the
>> address list. Everyone else thinks the first person sent it. Our gateways
>> send such email to Exchange and any communication back to the sender is
>> entirely within Exchange and never comes back through the gateways again.
>>
>> In this kind of SPAM I have always considered it of no use. Am I wrong in
>> my thinking?
>>
>> --
>> Robert Lopez
>> Unix Systems Administrator
>> Central New Mexico Community College (CNM)
>> 525 Buena Vista SE
>> Albuquerque, New Mexico 87106
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/1efa00fb/attachment.html 

From david.hill at ubisoft.com  Wed Mar 20 17:42:52 2013
From: david.hill at ubisoft.com (David Hill)
Date: Wed, 20 Mar 2013 13:42:52 -0400
Subject: TNEF external expander vs internal
In-Reply-To: <710D4D6CE160654C87478D18385BB9972579808DDA@MDC-MAIL-CMS01.ubisoft.org>
References: <710D4D6CE160654C87478D18385BB9972579808DDA@MDC-MAIL-CMS01.ubisoft.org>
Message-ID: <710D4D6CE160654C87478D18385BB9972579808E2F@MDC-MAIL-CMS01.ubisoft.org>

Hi,

                Here is a patch for the bug with 4.84.5-3 !


--- TNEF.pm.broken      2013-03-20 16:26:35.026843525 +0000
+++ TNEF.pm     2013-03-20 17:37:45.030484881 +0000
@@ -230,7 +230,7 @@
   # Create the subdir to unpack it into
   #my $unpackdir = "tnef.$$";
   my ($tmpfh, $unpackdir) = tempfile("tnefXXXXXX", TMPDIR => $dir, UNLINK => 0);
-  $dir =~ s,^.*/,,;
+#  $dir =~ s,^.*/,,;
   $unpackdir = $message->MakeNameSafe($unpackdir, $dir);
  unless (mkdir "$dir/$unpackdir", 0777) {
     MailScanner::Log::WarnLog("Trying to unpack %s in message %s, could not create subdirectory %s, failed to unpack TNEF message", $tnefname, $message->{id},

I don't understand why we're getting rid of the full path in this part of MailScanner code!  Did it solve anything for anybody?  It breaks TNEF expansion in my actual configuration !


Dave


From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of David Hill
Sent: March-20-13 12:35 PM
To: mailscanner at lists.mailscanner.info
Subject: RE: TNEF external expander vs internal

Hi guys,

                I may have < found > the problem but I'm not sure :

2013-03-20T16:28:26.021724+00:00 mailserver  MailScanner[11855]: Corrupt TNEF winmail.dat that cannot be analysed in message 4E5601ED1.AD737
2013-03-20T16:30:00.824823+00:00 mailserver MailScanner[12178]: Expanding TNEF archive at /var/spool/MailScanner/incoming/12178/D07311ED1.A0ADA/winmail.dat
2013-03-20T16:30:00.826306+00:00 mailserver MailScanner[12178]: Trying to unpack nwinmail.dat in message D07311ED1.A0ADA, could not create subdirectory D07311ED1.A0ADA//tnef6sGA3q, failed to unpack TNEF message - /var/spool/postfix/hold
2013-03-20T16:30:00.826566+00:00 mailserver MailScanner[12178]: Corrupt TNEF winmail.dat that cannot be analysed in message D07311ED1.A0ADA

I hacked the code a bit and seems like we're in /var/spool/postfix/hold instead of /var/spool/MailScanner/incoming/ !

If that's the case, perhaps the patch will be easily done?

Dave



From: David Hill
Sent: March-20-13 12:24 PM
To: 'mailscanner at lists.mailscanner.info'
Subject: TNEF external expander vs internal

Hi guys,

                We've upgraded from mailscanner 4.71.10-1 to 4.84.5-3 and we're running into an issue.
Some people said that TNEF external expander was broken, that they applied a patch and/or updated to tnef 1.4.9 but this doesn't
seem to solve our problem.     If we switch to internal, it's definitely solving the issue  but I think this is a hack for something that's broken.

So, just to leave a trace, external is broken, internal works well.

Thank you very much,

Dave

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/cb04acce/attachment.html 

From Kevin_Miller at ci.juneau.ak.us  Wed Mar 20 18:48:27 2013
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed, 20 Mar 2013 10:48:27 -0800
Subject: Watermarking and spoofed sender address
In-Reply-To: <CAAJHbAoT4jBPHr6j+FQjZCDEtFxmjjn2Y2LrR++b4ZKvPbA84g@mail.gmail.com>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
	<C87702B41702834792222AE25D4057B66593@city-exchange07>
	<CAAJHbAoT4jBPHr6j+FQjZCDEtFxmjjn2Y2LrR++b4ZKvPbA84g@mail.gmail.com>
Message-ID: <C87702B41702834792222AE25D4057B66597@city-exchange07>

It's not clear to me how you're sending/receiving mail.  Do users send/receive as someone at gmail.com<mailto:someone at gmail.com> or someone at cnm.edu<mailto:someone at cnm.edu>?

Also, you have SPF set to softfail. That will flag a message as a fail, but doesn't actually deny it.  Are you running an SPF milter on your inbound server?  I presume that you have a MailScanner host that is accepting mail from the outside for your users.

There's an SPF mailing list, similar to this list.  Probably best to jump onto it.  There's some sharp guys over there...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Robert Lopez
Sent: Wednesday, March 20, 2013 9:28 AM
To: MailScanner discussion
Subject: Re: Watermarking and spoofed sender address

Kevin,
If we do use SPF could there be something in the way we use it that it does not help?  We added it as part of our out soucing student email.

>From http://www.kitterman.com/getspf2.py as of Wed Mar 20 2013:
"
SPF record lookup and validation for: cnm.edu<http://cnm.edu>
SPF records are primarily published in DNS as TXT records.

The TXT records found for your domain are:
v=spf1 include:_spf.google.com<http://spf.google.com> mx ~all

SPF records should also be published in DNS as type SPF records.

Type SPF records found for the domain are:
v=spf1 include:_spf.google.com<http://spf.google.com> mx ~all

Checking to see if there is a valid SPF record.

Results - Record may be valid, but ambiguous: v=spf1 records of both type TXT and SPF (type 99) present, but not identical

Found v=spf1 record for cnm.edu<http://cnm.edu>:
v=spf1 include:_spf.google.com<http://spf.google.com> mx ~all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!
"

On Wed, Mar 20, 2013 at 10:20 AM, Kevin Miller <Kevin_Miller at ci.juneau.ak.us<mailto:Kevin_Miller at ci.juneau.ak.us>> wrote:
For what you're trying to do, SPF is a better option.

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242<tel:%28907%29%20586-0242>, Fax: (907) 586-4500<tel:%28907%29%20586-4500>
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info> [mailto:mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info>] On Behalf Of Robert Lopez
Sent: Tuesday, March 19, 2013 3:58 PM
To: MailScanner discussion
Subject: Watermarking and spoofed sender address

I understand watermarking is to defend against "joe job blowback". I think I understand that blowback problem is when email is sent, using for example my address, to many other domains and all the flack (blow back) comes back to me.
I am wondering if this watermarking is of any use in a type of SPAM we now frequently see. It is where email is sent to a list of addresses, all at our domain, and the from address is also the first address in the address list. Everyone else thinks the first person sent it. Our gateways send such email to Exchange and any communication back to the sender is entirely within Exchange and never comes back through the gateways again.

In this kind of SPAM I have always considered it of no use. Am I wrong in my thinking?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!



--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/1b9c20bf/attachment.html 

From rlopezcnm at gmail.com  Wed Mar 20 22:21:40 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Wed, 20 Mar 2013 16:21:40 -0600
Subject: Watermarking and spoofed sender address
In-Reply-To: <C87702B41702834792222AE25D4057B66597@city-exchange07>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
	<C87702B41702834792222AE25D4057B66593@city-exchange07>
	<CAAJHbAoT4jBPHr6j+FQjZCDEtFxmjjn2Y2LrR++b4ZKvPbA84g@mail.gmail.com>
	<C87702B41702834792222AE25D4057B66597@city-exchange07>
Message-ID: <CAAJHbAqJHXYGA5EZ84-xX2f1Ynsm0n9Lmwzg2UE-iXqMAw1YPg@mail.gmail.com>

Kevin,
You have pointed to several things I need to look into.  All our senders
send and receive as someone at cnm.edu.  The email gateways forward all email
to anyone who is a students on to gmail.
No there is no specific SPF milter on inbound server. Yes MailScanner is
accepting mail from the outside for all users.
I will contact the SPF mailing list. Thanks.


On Wed, Mar 20, 2013 at 12:48 PM, Kevin Miller <Kevin_Miller at ci.juneau.ak.us
> wrote:

> It?s not clear to me how you?re sending/receiving mail.  Do users
> send/receive as someone at gmail.com or someone at cnm.edu?****
>
> ** **
>
> Also, you have SPF set to softfail. That will flag a message as a fail,
> but doesn?t actually deny it.  Are you running an SPF milter on your
> inbound server?  I presume that you have a MailScanner host that is
> accepting mail from the outside for your users.  ****
>
> ** **
>
> There?s an SPF mailing list, similar to this list.  Probably best to jump
> onto it.  There?s some sharp guys over there?****
>
> ** **
>
>  ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357 ****
>
> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Robert Lopez
> *Sent:* Wednesday, March 20, 2013 9:28 AM
> *To:* MailScanner discussion
> *Subject:* Re: Watermarking and spoofed sender address****
>
> ** **
>
> Kevin,****
>
> If we do use SPF could there be something in the way we use it that it
> does not help?  We added it as part of our out soucing student email.
>
> From http://www.kitterman.com/getspf2.py as of Wed Mar 20 2013:
> "
> SPF record lookup and validation for: cnm.edu
> SPF records are primarily published in DNS as TXT records.
>
> The TXT records found for your domain are:
> v=spf1 include:_spf.google.com mx ~all
>
> SPF records should also be published in DNS as type SPF records.
>
> Type SPF records found for the domain are:
> v=spf1 include:_spf.google.com mx ~all
>
> Checking to see if there is a valid SPF record.
>
> Results - Record may be valid, but ambiguous: v=spf1 records of both type
> TXT and SPF (type 99) present, but not identical
>
> Found v=spf1 record for cnm.edu:
> v=spf1 include:_spf.google.com mx ~all
>
> evaluating...
> SPF record passed validation test with pySPF (Python SPF library)!
> "****
>
> ** **
>
> On Wed, Mar 20, 2013 at 10:20 AM, Kevin Miller <
> Kevin_Miller at ci.juneau.ak.us> wrote:****
>
> For what you?re trying to do, SPF is a better option.  ****
>
>  ****
>
>  ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357 ****
>
> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Robert Lopez
> *Sent:* Tuesday, March 19, 2013 3:58 PM
> *To:* MailScanner discussion
> *Subject:* Watermarking and spoofed sender address****
>
>  ****
>
> I understand watermarking is to defend against "joe job blowback". I think
> I understand that blowback problem is when email is sent, using for example
> my address, to many other domains and all the flack (blow back) comes back
> to me.****
>
> I am wondering if this watermarking is of any use in a type of SPAM we now
> frequently see. It is where email is sent to a list of addresses, all at
> our domain, and the from address is also the first address in the address
> list. Everyone else thinks the first person sent it. Our gateways send such
> email to Exchange and any communication back to the sender is entirely
> within Exchange and never comes back through the gateways again.
>
> In this kind of SPAM I have always considered it of no use. Am I wrong in
> my thinking?
> ****
>
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106 ****
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!****
>
>
>
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106 ****
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/db4f4956/attachment-0001.html 

From Kevin_Miller at ci.juneau.ak.us  Thu Mar 21 00:12:17 2013
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed, 20 Mar 2013 16:12:17 -0800
Subject: Watermarking and spoofed sender address
In-Reply-To: <CAAJHbAqJHXYGA5EZ84-xX2f1Ynsm0n9Lmwzg2UE-iXqMAw1YPg@mail.gmail.com>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
	<C87702B41702834792222AE25D4057B66593@city-exchange07>
	<CAAJHbAoT4jBPHr6j+FQjZCDEtFxmjjn2Y2LrR++b4ZKvPbA84g@mail.gmail.com>
	<C87702B41702834792222AE25D4057B66597@city-exchange07>
	<CAAJHbAqJHXYGA5EZ84-xX2f1Ynsm0n9Lmwzg2UE-iXqMAw1YPg@mail.gmail.com>
Message-ID: <C87702B41702834792222AE25D4057B6659C@city-exchange07>

Sounds good.  The thing about SPF is it validates where a message is *from*, not to.  Basically, you tell it (in DNS) which servers are authorized to send mail as SOMEONE at cnm.edu<mailto:SOMEONE at cnm.edu>.  It's not so much a filter for inbound mail as it is a way for mail servers to determine whether mail actually came from your server or not.  The effect of that however is that you can filter on mail coming in because you can verify the source.  If it came from one the hosts you've authorized, it's valid, at least as far as SPF is concerned.  And if I receive a message that claims to be from you, I can also validate the source.

Linux Journal had a couple of good articles on it about 6 or 7 years ago. You might hit their web site and see if they're still available.  They're worth the read...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Robert Lopez
Sent: Wednesday, March 20, 2013 2:22 PM
To: MailScanner discussion
Subject: Re: Watermarking and spoofed sender address


Kevin,
You have pointed to several things I need to look into.  All our senders send and receive as someone at cnm.edu<mailto:someone at cnm.edu>.  The email gateways forward all email to anyone who is a students on to gmail.
No there is no specific SPF milter on inbound server. Yes MailScanner is accepting mail from the outside for all users.
I will contact the SPF mailing list. Thanks.

On Wed, Mar 20, 2013 at 12:48 PM, Kevin Miller <Kevin_Miller at ci.juneau.ak.us<mailto:Kevin_Miller at ci.juneau.ak.us>> wrote:
It's not clear to me how you're sending/receiving mail.  Do users send/receive as someone at gmail.com<mailto:someone at gmail.com> or someone at cnm.edu<mailto:someone at cnm.edu>?

Also, you have SPF set to softfail. That will flag a message as a fail, but doesn't actually deny it.  Are you running an SPF milter on your inbound server?  I presume that you have a MailScanner host that is accepting mail from the outside for your users.

There's an SPF mailing list, similar to this list.  Probably best to jump onto it.  There's some sharp guys over there...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242<tel:%28907%29%20586-0242>, Fax: (907) 586-4500<tel:%28907%29%20586-4500>
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info> [mailto:mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info>] On Behalf Of Robert Lopez
Sent: Wednesday, March 20, 2013 9:28 AM
To: MailScanner discussion
Subject: Re: Watermarking and spoofed sender address

Kevin,
If we do use SPF could there be something in the way we use it that it does not help?  We added it as part of our out soucing student email.

>From http://www.kitterman.com/getspf2.py as of Wed Mar 20 2013:
"
SPF record lookup and validation for: cnm.edu<http://cnm.edu>
SPF records are primarily published in DNS as TXT records.

The TXT records found for your domain are:
v=spf1 include:_spf.google.com<http://spf.google.com> mx ~all

SPF records should also be published in DNS as type SPF records.

Type SPF records found for the domain are:
v=spf1 include:_spf.google.com<http://spf.google.com> mx ~all

Checking to see if there is a valid SPF record.

Results - Record may be valid, but ambiguous: v=spf1 records of both type TXT and SPF (type 99) present, but not identical

Found v=spf1 record for cnm.edu<http://cnm.edu>:
v=spf1 include:_spf.google.com<http://spf.google.com> mx ~all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!
"

On Wed, Mar 20, 2013 at 10:20 AM, Kevin Miller <Kevin_Miller at ci.juneau.ak.us<mailto:Kevin_Miller at ci.juneau.ak.us>> wrote:
For what you're trying to do, SPF is a better option.

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242<tel:%28907%29%20586-0242>, Fax: (907) 586-4500<tel:%28907%29%20586-4500>
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info> [mailto:mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info>] On Behalf Of Robert Lopez
Sent: Tuesday, March 19, 2013 3:58 PM
To: MailScanner discussion
Subject: Watermarking and spoofed sender address

I understand watermarking is to defend against "joe job blowback". I think I understand that blowback problem is when email is sent, using for example my address, to many other domains and all the flack (blow back) comes back to me.
I am wondering if this watermarking is of any use in a type of SPAM we now frequently see. It is where email is sent to a list of addresses, all at our domain, and the from address is also the first address in the address list. Everyone else thinks the first person sent it. Our gateways send such email to Exchange and any communication back to the sender is entirely within Exchange and never comes back through the gateways again.

In this kind of SPAM I have always considered it of no use. Am I wrong in my thinking?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!



--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!



--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130320/b49d04df/attachment.html 

From maxsec at gmail.com  Thu Mar 21 09:55:32 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu, 21 Mar 2013 09:55:32 +0000
Subject: Watermarking and spoofed sender address
In-Reply-To: <CAAJHbApV1ro7Acdh-RJY78nkvM+CD7GnhQ2jsbU=uMSrpiLQzw@mail.gmail.com>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
	<CAGDKorLhA6CUOdUrKf_G3VcX=kXDw9dvm-rm-o=cB+_0vVgJNw@mail.gmail.com>
	<CAAJHbApV1ro7Acdh-RJY78nkvM+CD7GnhQ2jsbU=uMSrpiLQzw@mail.gmail.com>
Message-ID: <CAGDKorL+A-nFcy3+aLUwvucZoT_46rZeNv1n5KkKJ1rLxEEsGg@mail.gmail.com>

The point there sounds like the issue - IF you are whitelisting emails by
address and NOT adding in a directional element, ie emails from marketing
BUT only FROM the inside valid servers, then you'll open up holes for spam
to get by

If you're scanning outbound emails then the best way in higher volumes is
to use a separate server(s) with the same watermarking keys as the incoming
scanner. Then you can start to use watermarking to help resolve the invalid
bounce back issue, but also protect all users against spam.


-- 
Martin Hepworth, CISSP
Oxford, UK


On 20 March 2013 17:35, Robert Lopez <rlopezcnm at gmail.com> wrote:

> Martin,
>
> We do not white list the cnm.edu domain. We do white list some
> departments (example, The Marketing and Communications Office, The Office
> of the President, etc.) because they sent such high volume of email it
> takes too much time to inspect them all. They are white listed via
> .../rules/spam.whitelist.rules and not in the white list postfix uses.
>
> -Robert
>
>
> On Wed, Mar 20, 2013 at 7:40 AM, Martin Hepworth <maxsec at gmail.com> wrote:
>
>> the 'watermaking' is based on the ability of mailScanner to addin an
>> extra header containing a (I think) hash of your Org-name salted with the
>> predefined secret in your MailScanner.conf
>>
>> http://www.mailscanner.info/MailScanner.conf.index.html#Watermark%20Header
>>
>> Not any use for this case and it's purely for use in MailScanner code.
>>
>> I would check your whitelisting rules (definitely no spam etc) and make
>> sure you're not whitelisting your own domain, this is a common mistake and
>> lets alot of spam through that would normally be detected. If you need to
>> whitelist your domain then use the ip-addresses of the internal email
>> servers and not your domain.
>>
>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>>
>> On 19 March 2013 23:57, Robert Lopez <rlopezcnm at gmail.com> wrote:
>>
>>> I understand watermarking is to defend against "joe job blowback". I
>>> think I understand that blowback problem is when email is sent, using for
>>> example my address, to many other domains and all the flack (blow back)
>>> comes back to me.
>>>
>>> I am wondering if this watermarking is of any use in a type of SPAM we
>>> now frequently see. It is where email is sent to a list of addresses, all
>>> at our domain, and the from address is also the first address in the
>>> address list. Everyone else thinks the first person sent it. Our gateways
>>> send such email to Exchange and any communication back to the sender is
>>> entirely within Exchange and never comes back through the gateways again.
>>>
>>> In this kind of SPAM I have always considered it of no use. Am I wrong
>>> in my thinking?
>>>
>>> --
>>> Robert Lopez
>>> Unix Systems Administrator
>>> Central New Mexico Community College (CNM)
>>> 525 Buena Vista SE
>>> Albuquerque, New Mexico 87106
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130321/ac612ad3/attachment.html 

From email at ace.net.au  Thu Mar 21 15:05:11 2013
From: email at ace.net.au (Peter Nitschke)
Date: Fri, 22 Mar 2013 01:35:11 +1030
Subject: TNEF external expander vs internal
In-Reply-To: <710D4D6CE160654C87478D18385BB9972579808E2F@MDC-MAIL-CMS01.ubisoft.org>
References: <710D4D6CE160654C87478D18385BB9972579808DDA@MDC-MAIL-CMS01.ubisoft.org>
	<710D4D6CE160654C87478D18385BB9972579808E2F@MDC-MAIL-CMS01.ubisoft.org>
Message-ID: <201303220135110655.0D96ED68@web.ace.net.au>

Hi Dave,

I too am frustrated that after all these years the TNEF issue still isn't
reliably resolved.

Unfortunately I lack the skills to make a useful contribution to the
problem.

Peter



*********** REPLY SEPARATOR  ***********

On 20/03/2013 at 1:42 PM David Hill wrote:

>Hi,
>
>                Here is a patch for the bug with 4.84.5-3 !
>
>
>--- TNEF.pm.broken      2013-03-20 16:26:35.026843525 +0000
>+++ TNEF.pm     2013-03-20 17:37:45.030484881 +0000
>@@ -230,7 +230,7 @@
>   # Create the subdir to unpack it into
>   #my $unpackdir = "tnef.$$";
>   my ($tmpfh, $unpackdir) = tempfile("tnefXXXXXX", TMPDIR => $dir, UNLINK
>=> 0);
>-  $dir =~ s,^.*/,,;
>+#  $dir =~ s,^.*/,,;
>   $unpackdir = $message->MakeNameSafe($unpackdir, $dir);
>  unless (mkdir "$dir/$unpackdir", 0777) {
>     MailScanner::Log::WarnLog("Trying to unpack %s in message %s, could
>not create subdirectory %s, failed to unpack TNEF message", $tnefname,
>$message->{id},
>
>I don't understand why we're getting rid of the full path in this part of
>MailScanner code!  Did it solve anything for anybody?  It breaks TNEF
>expansion in my actual configuration !
>
>
>Dave
>
>
>From: mailscanner-bounces at lists.mailscanner.info
>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of David
Hill
>Sent: March-20-13 12:35 PM
>To: mailscanner at lists.mailscanner.info
>Subject: RE: TNEF external expander vs internal
>
>Hi guys,
>
>                I may have < found > the problem but I'm not sure :
>
>2013-03-20T16:28:26.021724+00:00 mailserver  MailScanner[11855]: Corrupt
>TNEF winmail.dat that cannot be analysed in message 4E5601ED1.AD737
>2013-03-20T16:30:00.824823+00:00 mailserver MailScanner[12178]: Expanding
>TNEF archive at
>/var/spool/MailScanner/incoming/12178/D07311ED1.A0ADA/winmail.dat
>2013-03-20T16:30:00.826306+00:00 mailserver MailScanner[12178]: Trying to
>unpack nwinmail.dat in message D07311ED1.A0ADA, could not create
>subdirectory D07311ED1.A0ADA//tnef6sGA3q, failed to unpack TNEF message -
>/var/spool/postfix/hold
>2013-03-20T16:30:00.826566+00:00 mailserver MailScanner[12178]: Corrupt
>TNEF winmail.dat that cannot be analysed in message D07311ED1.A0ADA
>
>I hacked the code a bit and seems like we're in /var/spool/postfix/hold
>instead of /var/spool/MailScanner/incoming/ !
>
>If that's the case, perhaps the patch will be easily done?
>
>Dave
>
>
>
>From: David Hill
>Sent: March-20-13 12:24 PM
>To: 'mailscanner at lists.mailscanner.info'
>Subject: TNEF external expander vs internal
>
>Hi guys,
>
>                We've upgraded from mailscanner 4.71.10-1 to 4.84.5-3 and
>we're running into an issue.
>Some people said that TNEF external expander was broken, that they applied
>a patch and/or updated to tnef 1.4.9 but this doesn't
>seem to solve our problem.     If we switch to internal, it's definitely
>solving the issue  but I think this is a hack for something that's broken.
>
>So, just to leave a trace, external is broken, internal works well.
>
>Thank you very much,
>
>Dave
>
>
>-- 
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!




From david.hill at ubisoft.com  Thu Mar 21 16:37:13 2013
From: david.hill at ubisoft.com (David Hill)
Date: Thu, 21 Mar 2013 12:37:13 -0400
Subject: TNEF external expander vs internal
In-Reply-To: <201303220135110655.0D96ED68@web.ace.net.au>
References: <710D4D6CE160654C87478D18385BB9972579808DDA@MDC-MAIL-CMS01.ubisoft.org>
	<710D4D6CE160654C87478D18385BB9972579808E2F@MDC-MAIL-CMS01.ubisoft.org>
	<201303220135110655.0D96ED68@web.ace.net.au>
Message-ID: <710D4D6CE160654C87478D18385BB997257980920D@MDC-MAIL-CMS01.ubisoft.org>

Hello Peter,

	This patch solves it for us.

Dave


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Nitschke
Sent: March-21-13 11:05 AM
To: mailscanner at lists.mailscanner.info
Subject: RE: TNEF external expander vs internal

Hi Dave,

I too am frustrated that after all these years the TNEF issue still isn't
reliably resolved.

Unfortunately I lack the skills to make a useful contribution to the
problem.

Peter



*********** REPLY SEPARATOR  ***********

On 20/03/2013 at 1:42 PM David Hill wrote:

>Hi,
>
>                Here is a patch for the bug with 4.84.5-3 !
>
>
>--- TNEF.pm.broken      2013-03-20 16:26:35.026843525 +0000
>+++ TNEF.pm     2013-03-20 17:37:45.030484881 +0000
>@@ -230,7 +230,7 @@
>   # Create the subdir to unpack it into
>   #my $unpackdir = "tnef.$$";
>   my ($tmpfh, $unpackdir) = tempfile("tnefXXXXXX", TMPDIR => $dir, UNLINK
>=> 0);
>-  $dir =~ s,^.*/,,;
>+#  $dir =~ s,^.*/,,;
>   $unpackdir = $message->MakeNameSafe($unpackdir, $dir);
>  unless (mkdir "$dir/$unpackdir", 0777) {
>     MailScanner::Log::WarnLog("Trying to unpack %s in message %s, could
>not create subdirectory %s, failed to unpack TNEF message", $tnefname,
>$message->{id},
>
>I don't understand why we're getting rid of the full path in this part of
>MailScanner code!  Did it solve anything for anybody?  It breaks TNEF
>expansion in my actual configuration !
>
>
>Dave
>
>
>From: mailscanner-bounces at lists.mailscanner.info
>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of David
Hill
>Sent: March-20-13 12:35 PM
>To: mailscanner at lists.mailscanner.info
>Subject: RE: TNEF external expander vs internal
>
>Hi guys,
>
>                I may have < found > the problem but I'm not sure :
>
>2013-03-20T16:28:26.021724+00:00 mailserver  MailScanner[11855]: Corrupt
>TNEF winmail.dat that cannot be analysed in message 4E5601ED1.AD737
>2013-03-20T16:30:00.824823+00:00 mailserver MailScanner[12178]: Expanding
>TNEF archive at
>/var/spool/MailScanner/incoming/12178/D07311ED1.A0ADA/winmail.dat
>2013-03-20T16:30:00.826306+00:00 mailserver MailScanner[12178]: Trying to
>unpack nwinmail.dat in message D07311ED1.A0ADA, could not create
>subdirectory D07311ED1.A0ADA//tnef6sGA3q, failed to unpack TNEF message -
>/var/spool/postfix/hold
>2013-03-20T16:30:00.826566+00:00 mailserver MailScanner[12178]: Corrupt
>TNEF winmail.dat that cannot be analysed in message D07311ED1.A0ADA
>
>I hacked the code a bit and seems like we're in /var/spool/postfix/hold
>instead of /var/spool/MailScanner/incoming/ !
>
>If that's the case, perhaps the patch will be easily done?
>
>Dave
>
>
>
>From: David Hill
>Sent: March-20-13 12:24 PM
>To: 'mailscanner at lists.mailscanner.info'
>Subject: TNEF external expander vs internal
>
>Hi guys,
>
>                We've upgraded from mailscanner 4.71.10-1 to 4.84.5-3 and
>we're running into an issue.
>Some people said that TNEF external expander was broken, that they applied
>a patch and/or updated to tnef 1.4.9 but this doesn't
>seem to solve our problem.     If we switch to internal, it's definitely
>solving the issue  but I think this is a hack for something that's broken.
>
>So, just to leave a trace, external is broken, internal works well.
>
>Thank you very much,
>
>Dave
>
>
>-- 
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!



-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

From rlopezcnm at gmail.com  Thu Mar 21 23:48:35 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Thu, 21 Mar 2013 17:48:35 -0600
Subject: No subject
Message-ID: <CAAJHbAoeeNb_zGkAjf5R=XmZXXNFGf92CQdSwBaL5sSXeubs5A@mail.gmail.com>

MailScanner version 4.84.5

NAME="Ubuntu"
VERSION="12.04.2 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.2 LTS)"
VERSION_ID="12.04"

None of the configuration parameters in
/etc/MailScanner/conf.d/CNM-MailScanner.conf are incorporated.
Last of /etc/MailScanner/MailScanner.conf still says:

include /etc/MailScanner/conf.d/*

For each startup log file says:

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/CNM-MailScanner.conf

What have I done wrong?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130321/20b6d556/attachment.html 

From agi at mbs.co.id  Fri Mar 22 10:07:57 2013
From: agi at mbs.co.id (Agi Subagio)
Date: Fri, 22 Mar 2013 17:07:57 +0700
Subject: MailScanner: No programs allowed (workbook.bin)
Message-ID: <514C2D7D.50300@mbs.co.id>

Hi,

I'm using mailscanner version 4.84.5.
I want to allow Excel Binary Workbook (.xlsb) to be sent out to other 
domain/server.
I added in /etc/MailScanner/filename.rules.conf:

allow \.xlsb$    -    -

And I also disable /etc/MailScanner/filetype.rules.conf in 
/etc/MailScanner/MailScanner.conf:

# Allow any attachment filetypes matching any of the patterns listed here.
# If this setting is empty, it is ignored and no matches are made.
# This can also be the filename of a ruleset.
Allow Filetypes =

But the file .xlsb is always blocked by MailScanner with error:

Report: MailScanner: No programs allowed (workbook.bin)

I'm searching through google, but never found the right solution.
Is there any workarround to allow this file?

regards,
Agi

-- 
This message has been scanned for viruses and dangerous content
by MBS MailScanner, and is believed to be clean and safe.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/1f58f633/attachment.html 

From mailscanner at joolee.nl  Fri Mar 22 11:13:40 2013
From: mailscanner at joolee.nl (Joolee)
Date: Fri, 22 Mar 2013 12:13:40 +0100
Subject: MailScanner: No programs allowed (workbook.bin)
In-Reply-To: <514C2D7D.50300@mbs.co.id>
References: <514C2D7D.50300@mbs.co.id>
Message-ID: <CA+Q-w8Vhc8srRzQtAOEJsJWq=tfE-UAPj6qkCgm_qd3mu+Owag@mail.gmail.com>

xlsb files are probably zip files. Try renaming one to zip and see what's
inside.

On 22 March 2013 11:07, Agi Subagio <agi at mbs.co.id> wrote:

>  Hi,
>
> I'm using mailscanner version 4.84.5.
> I want to allow Excel Binary Workbook (.xlsb) to be sent out to other
> domain/server.
> I added in /etc/MailScanner/filename.rules.conf:
>
> allow    \.xlsb$    -    -
>
> And I also disable /etc/MailScanner/filetype.rules.conf in
> /etc/MailScanner/MailScanner.conf:
>
> # Allow any attachment filetypes matching any of the patterns listed here.
> # If this setting is empty, it is ignored and no matches are made.
> # This can also be the filename of a ruleset.
> Allow Filetypes =
>
> But the file .xlsb is always blocked by MailScanner with error:
>
> Report: MailScanner: No programs allowed (workbook.bin)
>
> I'm searching through google, but never found the right solution.
> Is there any workarround to allow this file?
>
> regards,
> Agi
>
> --
> This message has been scanned for viruses and dangerous content
> by MBS MailScanner, and is believed to be clean and safe.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/3dd01ce7/attachment.html 

From david.hill at ubisoft.com  Fri Mar 22 11:18:23 2013
From: david.hill at ubisoft.com (David Hill)
Date: Fri, 22 Mar 2013 07:18:23 -0400
Subject: MailScanner: No programs allowed (workbook.bin)
In-Reply-To: <514C2D7D.50300@mbs.co.id>
References: <514C2D7D.50300@mbs.co.id>
Message-ID: <710D4D6CE160654C87478D18385BB9972579809474@MDC-MAIL-CMS01.ubisoft.org>

Hello Agi,

                This means that your workbook.bin has the same signature as an executable :

deny    -       executable      No executables  No programs allowed
deny    -       x-dosexec       No executables  No programs allowed
deny    -       ELF     No executables  No programs allowed

You will need to allow workbook.bin instead of the .xlsb file.

Dave



From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Agi Subagio
Sent: March-22-13 6:08 AM
To: mailscanner at lists.mailscanner.info
Subject: MailScanner: No programs allowed (workbook.bin)

Hi,

I'm using mailscanner version 4.84.5.
I want to allow Excel Binary Workbook (.xlsb) to be sent out to other domain/server.
I added in /etc/MailScanner/filename.rules.conf:

allow    \.xlsb$    -    -

And I also disable /etc/MailScanner/filetype.rules.conf in /etc/MailScanner/MailScanner.conf:

# Allow any attachment filetypes matching any of the patterns listed here.
# If this setting is empty, it is ignored and no matches are made.
# This can also be the filename of a ruleset.
Allow Filetypes =

But the file .xlsb is always blocked by MailScanner with error:

Report: MailScanner: No programs allowed (workbook.bin)

I'm searching through google, but never found the right solution.
Is there any workarround to allow this file?

regards,
Agi

--
This message has been scanned for viruses and dangerous content
by MBS MailScanner, and is believed to be clean and safe.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/150b87cb/attachment.html 

From maxsec at gmail.com  Fri Mar 22 11:40:48 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 22 Mar 2013 11:40:48 +0000
Subject: MailScanner: No programs allowed (workbook.bin)
In-Reply-To: <514C2D7D.50300@mbs.co.id>
References: <514C2D7D.50300@mbs.co.id>
Message-ID: <CAGDKor+1=6xQf_LbxF+2dL+V80DF=DeUxXk2ZTsaOQy5uGF6tQ@mail.gmail.com>

and you restarted MailScanner after you made the changes?

-- 
Martin Hepworth, CISSP
Oxford, UK


On 22 March 2013 10:07, Agi Subagio <agi at mbs.co.id> wrote:

>  Hi,
>
> I'm using mailscanner version 4.84.5.
> I want to allow Excel Binary Workbook (.xlsb) to be sent out to other
> domain/server.
> I added in /etc/MailScanner/filename.rules.conf:
>
> allow    \.xlsb$    -    -
>
> And I also disable /etc/MailScanner/filetype.rules.conf in
> /etc/MailScanner/MailScanner.conf:
>
> # Allow any attachment filetypes matching any of the patterns listed here.
> # If this setting is empty, it is ignored and no matches are made.
> # This can also be the filename of a ruleset.
> Allow Filetypes =
>
> But the file .xlsb is always blocked by MailScanner with error:
>
> Report: MailScanner: No programs allowed (workbook.bin)
>
> I'm searching through google, but never found the right solution.
> Is there any workarround to allow this file?
>
> regards,
> Agi
>
> --
> This message has been scanned for viruses and dangerous content
> by MBS MailScanner, and is believed to be clean and safe.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/e0caf631/attachment.html 

From maxsec at gmail.com  Fri Mar 22 11:43:00 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 22 Mar 2013 11:43:00 +0000
Subject: 
In-Reply-To: <CAAJHbAoeeNb_zGkAjf5R=XmZXXNFGf92CQdSwBaL5sSXeubs5A@mail.gmail.com>
References: <CAAJHbAoeeNb_zGkAjf5R=XmZXXNFGf92CQdSwBaL5sSXeubs5A@mail.gmail.com>
Message-ID: <CAGDKor+uoqkmwptVW02QUt9noPu5z_rLK8+6p+mG2cFB4-Z_HA@mail.gmail.com>

run in debug mode and see if you've a problem with the info in the include
directory

also try a "MailScanner --lint" as well.

-- 
Martin Hepworth, CISSP
Oxford, UK


On 21 March 2013 23:48, Robert Lopez <rlopezcnm at gmail.com> wrote:

> MailScanner version 4.84.5
>
> NAME="Ubuntu"
> VERSION="12.04.2 LTS, Precise Pangolin"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu precise (12.04.2 LTS)"
> VERSION_ID="12.04"
>
> None of the configuration parameters in
> /etc/MailScanner/conf.d/CNM-MailScanner.conf are incorporated.
> Last of /etc/MailScanner/MailScanner.conf still says:
>
> include /etc/MailScanner/conf.d/*
>
> For each startup log file says:
>
> Reading configuration file /etc/MailScanner/MailScanner.conf
> Reading configuration file /etc/MailScanner/conf.d/CNM-MailScanner.conf
>
> What have I done wrong?
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/080aaacf/attachment.html 

From jerry.benton at mailborder.com  Fri Mar 22 12:23:35 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 22 Mar 2013 13:23:35 +0100
Subject: MailScanner: No programs allowed (workbook.bin)
In-Reply-To: <CAGDKor+1=6xQf_LbxF+2dL+V80DF=DeUxXk2ZTsaOQy5uGF6tQ@mail.gmail.com>
References: <514C2D7D.50300@mbs.co.id>
	<CAGDKor+1=6xQf_LbxF+2dL+V80DF=DeUxXk2ZTsaOQy5uGF6tQ@mail.gmail.com>
Message-ID: <CAED3VzAHwxnZWy-z2gZCFO51WYz8N4vd55tSm500cr45SxvpUQ@mail.gmail.com>

Check the obvious:

File Command = /usr/bin/file


On Fri, Mar 22, 2013 at 12:40 PM, Martin Hepworth <maxsec at gmail.com> wrote:

> and you restarted MailScanner after you made the changes?
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 22 March 2013 10:07, Agi Subagio <agi at mbs.co.id> wrote:
>
>>  Hi,
>>
>> I'm using mailscanner version 4.84.5.
>> I want to allow Excel Binary Workbook (.xlsb) to be sent out to other
>> domain/server.
>> I added in /etc/MailScanner/filename.rules.conf:
>>
>> allow    \.xlsb$    -    -
>>
>> And I also disable /etc/MailScanner/filetype.rules.conf in
>> /etc/MailScanner/MailScanner.conf:
>>
>> # Allow any attachment filetypes matching any of the patterns listed here.
>> # If this setting is empty, it is ignored and no matches are made.
>> # This can also be the filename of a ruleset.
>> Allow Filetypes =
>>
>> But the file .xlsb is always blocked by MailScanner with error:
>>
>> Report: MailScanner: No programs allowed (workbook.bin)
>>
>> I'm searching through google, but never found the right solution.
>> Is there any workarround to allow this file?
>>
>> regards,
>> Agi
>>
>> --
>> This message has been scanned for viruses and dangerous content
>> by MBS MailScanner, and is believed to be clean and safe.
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 

--
Jerry Benton
Mailborder Systems
www.mailborder.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/a80f62dc/attachment.html 

From tomayengo at gmail.com  Fri Mar 22 12:36:17 2013
From: tomayengo at gmail.com (Kizito Thomas)
Date: Fri, 22 Mar 2013 15:36:17 +0300
Subject: Spamassassin seems to be in an incomplete loop
Message-ID: <1363955777.2192.0.camel@ICT>

Dear Good people,
I am a newbie on Mailscanner so any pointer is well appreciated before
hand.
I have spent the recent days trying to get Mailscanner, Clamav and
Spamassassin work on a Ubuntu 10.04.3 LTS running postfix 2.7.0 but
something is keeping on stopping it from working.
The MTA is working fine with out Mailscanner (when I comment out
header_checks = regexp:/etc/postfix/header_checks
from /etc/postfix/main.cf, mails get delivered).
At first I installed and configured mailscanner according to
http://www.linuxmail.info/mailscanner-postfix-clamav-spamassassin-howto-ubuntu-10-04/  but I couldn't have mails leaving the mail queue. When I check '/var/log/mail.log', I find a serie of repetitive logs, making me think there is some sort of incomplete loop spamassassin enters. (the logs are at the end of the mail)
When I tried to read about this, I found Mohammed Alli saying that the
Mailscanner provided by Ubuntu is broken.
http://www.mailscanner.info/ubuntu.html 
But even when I followed the step up there, there was no change.
I have tried to read the Mailscanner_manual_version 1.0.1 which talks
about auto_whitelist under /etc/MailScanner/spam.assassin.prefs.conf but
it doesn't make any difference setting 'use_auto_whitelist' to 0 or 1.
More reading dropped me to
http://wiki.apache.org/spamassassin/AutoWhitelist which talks about
loadplugin Mail::SpamAssassain::Plugin::AWL
in  /etc/mail/spamassassin/v310.pre but i found it commented out, even
uncommenting it didn't change a thing.
I hope I have provided enough information on my problem for help.
Thank you in advance.
######LOGs:###########
# tail -f /var/log/mail.log 
Mar 15 11:31:05 mail MailScanner[2712]: SpamAssassin cache hit for
message 873FB3A25E8.1D67D
Mar 15 11:31:08 mail MailScanner[2714]: MailScanner E-Mail Virus Scanner
version 4.74.16 starting...
Mar 15 11:31:08 mail MailScanner[2714]: Read 848 hostnames from the
phishing whitelist
Mar 15 11:31:08 mail MailScanner[2714]: Read 4278 hostnames from the
phishing blacklist
Mar 15 11:31:08 mail MailScanner[2714]: Using SpamAssassin results cache
Mar 15 11:31:08 mail MailScanner[2714]: Connected to SpamAssassin cache
database
Mar 15 11:31:08 mail MailScanner[2714]: Enabling SpamAssassin
auto-whitelist functionality...
Mar 15 11:31:10 mail MailScanner[2714]: Using locktype = flock
Mar 15 11:31:10 mail MailScanner[2714]: New Batch: Scanning 1 messages,
589 bytes
Mar 15 11:31:10 mail MailScanner[2714]: SpamAssassin cache hit for
message 873FB3A25E8.34EEF
Mar 15 11:31:13 mail MailScanner[2717]: MailScanner E-Mail Virus Scanner
version 4.74.16 starting...
Mar 15 11:31:13 mail MailScanner[2717]: Read 848 hostnames from the
phishing whitelist
Mar 15 11:31:13 mail MailScanner[2717]: Read 4278 hostnames from the
phishing blacklist
Mar 15 11:31:13 mail MailScanner[2717]: Using SpamAssassin results cache
Mar 15 11:31:13 mail MailScanner[2717]: Connected to SpamAssassin cache
database
Mar 15 11:31:13 mail MailScanner[2717]: Enabling SpamAssassin
auto-whitelist functionality...
Mar 15 11:31:15 mail MailScanner[2717]: Using locktype = flock
Mar 15 11:31:15 mail MailScanner[2717]: New Batch: Scanning 1 messages,
589 bytes
Mar 15 11:31:15 mail MailScanner[2717]: SpamAssassin cache hit for
message 873FB3A25E8.A6F2
-- 
Kind regards;
Kizito Tom Mayengo (KTM)
+256752602550||+256782062708





From Nikolaos.Pavlidis at beds.ac.uk  Fri Mar 22 15:09:12 2013
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis)
Date: Fri, 22 Mar 2013 15:09:12 +0000
Subject: Filetype Checks: No executables on Greek Emails
Message-ID: <2EA68A4ECC41C14B9B45A730D7E95F731F250690@AMSPRD0611MB548.eurprd06.prod.outlook.com>

Hello all,

I'm having an issue with Mailscanner which weirdly enough has been already discussed here
http://markmail.org/message/56fofuvh4tzde7hz#query:+page:1+mid:mu77m5qs6zjhh2jx+state:results

The problem is:

Mar 22 15:00:18 smtp1 MailScanner[17935]: Filetype Checks: No executables (r2JAPluH011324 ) 
Mar 22 15:00:46 smtp1 MailScanner[17935]: Saved entire message to /var/spool/MailScanner/quarantine/20130322/r2JAPluH011324

And:

[root at smtp1 r2JAPluH011324]# pwd
/var/spool/MailScanner/quarantine/20130322/r2JAPluH011324
[root at smtp1 r2JAPluH011324]# ll
total 28K
-rw------- 1 root root  22K Mar 22 15:00 dfr2JAPluH011324
-rw------- 1 root root 3.7K Mar 22 15:00 qfr2JAPluH011324
[root at smtp1 r2JAPluH011324]# file -i *
dfr2JAPluH011324: text/plain; charset=us-ascii
qfr2JAPluH011324: text/plain; charset=unknown

But I have also added the lines suggested in the previous thread so my filetype.rules.conf looks like:

<snip>
allow   text            -                       -
allow   -       text/plain      -                       -
allow   -       text/x-mail     -                       -
allow   -       message/rfc822  -                       -
allow   \bscript        -                       -
allow   archive         -                       -
allow   postscript      -                       -
deny    self-extract    No self-extracting archives     No self-extracting archives allowed
deny    executable      No executables          No programs allowed
<snip>

I have restarted mailscanner before re-queuing the message but always the same result... 

Any ideas/recommendations would be much appreciated,

Kind regards,

Nik


From agi at mbs.co.id  Fri Mar 22 15:52:33 2013
From: agi at mbs.co.id (Agi Subagio)
Date: Fri, 22 Mar 2013 22:52:33 +0700
Subject: MailScanner: No programs allowed (workbook.bin)
In-Reply-To: <CAED3VzAHwxnZWy-z2gZCFO51WYz8N4vd55tSm500cr45SxvpUQ@mail.gmail.com>
References: <514C2D7D.50300@mbs.co.id>
	<CAGDKor+1=6xQf_LbxF+2dL+V80DF=DeUxXk2ZTsaOQy5uGF6tQ@mail.gmail.com>
	<CAED3VzAHwxnZWy-z2gZCFO51WYz8N4vd55tSm500cr45SxvpUQ@mail.gmail.com>
Message-ID: <514C7E41.6090400@mbs.co.id>

Thanks a lot, it's working now after I turn-off filetype checking 
completely.
I must activate and change filename.rules.conf to prevent unwanted file.

On 22/03/2013 7:23 PM, Jerry Benton wrote:
> Check the obvious:
>
> File Command = /usr/bin/file
>
>
> On Fri, Mar 22, 2013 at 12:40 PM, Martin Hepworth <maxsec at gmail.com 
> <mailto:maxsec at gmail.com>> wrote:
>
>     and you restarted MailScanner after you made the changes?
>
>     -- 
>     Martin Hepworth, CISSP
>     Oxford, UK
>
>
>     On 22 March 2013 10:07, Agi Subagio <agi at mbs.co.id
>     <mailto:agi at mbs.co.id>> wrote:
>
>         Hi,
>
>         I'm using mailscanner version 4.84.5.
>         I want to allow Excel Binary Workbook (.xlsb) to be sent out
>         to other domain/server.
>         I added in /etc/MailScanner/filename.rules.conf:
>
>         allow \.xlsb$    -    -
>
>         And I also disable /etc/MailScanner/filetype.rules.conf in
>         /etc/MailScanner/MailScanner.conf:
>
>         # Allow any attachment filetypes matching any of the patterns
>         listed here.
>         # If this setting is empty, it is ignored and no matches are made.
>         # This can also be the filename of a ruleset.
>         Allow Filetypes =
>
>         But the file .xlsb is always blocked by MailScanner with error:
>
>         Report: MailScanner: No programs allowed (workbook.bin)
>
>         I'm searching through google, but never found the right solution.
>         Is there any workarround to allow this file?
>
>         regards,
>         Agi
>
>         -- 
>         This message has been scanned for viruses and dangerous content
>         by MBS MailScanner, and is believed to be clean and safe.
>
>         --
>         MailScanner mailing list
>         mailscanner at lists.mailscanner.info
>         <mailto:mailscanner at lists.mailscanner.info>
>         http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>         Before posting, read http://wiki.mailscanner.info/posting
>
>         Support MailScanner development - buy the book off the website!
>
>
>
>     --
>     MailScanner mailing list
>     mailscanner at lists.mailscanner.info
>     <mailto:mailscanner at lists.mailscanner.info>
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>     Before posting, read http://wiki.mailscanner.info/posting
>
>     Support MailScanner development - buy the book off the website!
>
>
>
>
> -- 
>
> --
> Jerry Benton
> Mailborder Systems
> www.mailborder.com <http://www.mailborder.com>
>
> -- 
> This message has been scanned for viruses and dangerous content
> by MBS MailScanner, and is believed to be clean and safe.
>
>


-- 
This message has been scanned for viruses and dangerous content
by MBS MailScanner, and is believed to be clean and safe.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/6523f6d8/attachment.html 

From rlopezcnm at gmail.com  Fri Mar 22 16:20:59 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri, 22 Mar 2013 10:20:59 -0600
Subject: 
In-Reply-To: <CAGDKor+uoqkmwptVW02QUt9noPu5z_rLK8+6p+mG2cFB4-Z_HA@mail.gmail.com>
References: <CAAJHbAoeeNb_zGkAjf5R=XmZXXNFGf92CQdSwBaL5sSXeubs5A@mail.gmail.com>
	<CAGDKor+uoqkmwptVW02QUt9noPu5z_rLK8+6p+mG2cFB4-Z_HA@mail.gmail.com>
Message-ID: <CAAJHbArTQ9c2J+avHpEPdzjjqUbhyruHmcrpYkySQ17NZnwbiw@mail.gmail.com>

Martin,

I had done that. There are some "errors"; part related to the fact the
local conf file is not loaded.

The first error is
ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match
X-unconfigured-debian-site-MailScanner-From
and it is because the /etc/MailScanner/conf.d/CNM-MailScanner.conf file
sets
envelope_sender_header X-CNM-MailScanner-From

The second error/warning is
config: failed to parse line, skipping, in
"/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
SpamAssassin reported an error.
which I have never been able to understand, but is there because I want the
whitelist off. Also
I assume the "SpamAssassin reported an error" refers to the line above it.

The result of the run is below.



# MailScanner -debug --lint
Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/CNM-MailScanner.conf
Read 869 hostnames from the phishing whitelist
Read 5414 hostnames from the phishing blacklists

Checking version numbers...
Version number in MailScanner.conf (4.84.5) is correct.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match
X-unconfigured-debian-site-MailScanner-From

MailScanner setting GID to  (117)
MailScanner setting UID to  (108)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: failed to parse line, skipping, in
"/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
SpamAssassin reported an error.
I have found clamd scanners installed, and will use them all by default.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.





On Fri, Mar 22, 2013 at 5:43 AM, Martin Hepworth <maxsec at gmail.com> wrote:

> run in debug mode and see if you've a problem with the info in the include
> directory
>
> also try a "MailScanner --lint" as well.
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 21 March 2013 23:48, Robert Lopez <rlopezcnm at gmail.com> wrote:
>
>> MailScanner version 4.84.5
>>
>> NAME="Ubuntu"
>> VERSION="12.04.2 LTS, Precise Pangolin"
>> ID=ubuntu
>> ID_LIKE=debian
>> PRETTY_NAME="Ubuntu precise (12.04.2 LTS)"
>> VERSION_ID="12.04"
>>
>> None of the configuration parameters in
>> /etc/MailScanner/conf.d/CNM-MailScanner.conf are incorporated.
>> Last of /etc/MailScanner/MailScanner.conf still says:
>>
>> include /etc/MailScanner/conf.d/*
>>
>> For each startup log file says:
>>
>> Reading configuration file /etc/MailScanner/MailScanner.conf
>> Reading configuration file /etc/MailScanner/conf.d/CNM-MailScanner.conf
>>
>> What have I done wrong?
>>
>> --
>> Robert Lopez
>> Unix Systems Administrator
>> Central New Mexico Community College (CNM)
>> 525 Buena Vista SE
>> Albuquerque, New Mexico 87106
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/5b62471d/attachment.html 

From rlopezcnm at gmail.com  Fri Mar 22 16:50:46 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri, 22 Mar 2013 10:50:46 -0600
Subject: Watermarking and spoofed sender address
In-Reply-To: <CAGDKorL+A-nFcy3+aLUwvucZoT_46rZeNv1n5KkKJ1rLxEEsGg@mail.gmail.com>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
	<CAGDKorLhA6CUOdUrKf_G3VcX=kXDw9dvm-rm-o=cB+_0vVgJNw@mail.gmail.com>
	<CAAJHbApV1ro7Acdh-RJY78nkvM+CD7GnhQ2jsbU=uMSrpiLQzw@mail.gmail.com>
	<CAGDKorL+A-nFcy3+aLUwvucZoT_46rZeNv1n5KkKJ1rLxEEsGg@mail.gmail.com>
Message-ID: <CAAJHbAr+nnXeyPAM9_kQMxhQkVzumG0OjaqZ0NE3UwJcCdZUtQ@mail.gmail.com>

Martin,

> IF you are whitelisting emails by address and NOT adding in a directional
element

I have been looking at the MailScanner book.
I see the Rule Sets Example section and the "Contains a 'direction'".
It has not yet hit me how and where to write such a rule.
Would this take a custom function or do you believe it may be done with (a)
rule(s)?


On Thu, Mar 21, 2013 at 3:55 AM, Martin Hepworth <maxsec at gmail.com> wrote:

> The point there sounds like the issue - IF you are whitelisting emails by
> address and NOT adding in a directional element, ie emails from marketing
> BUT only FROM the inside valid servers, then you'll open up holes for spam
> to get by
>
> If you're scanning outbound emails then the best way in higher volumes is
> to use a separate server(s) with the same watermarking keys as the incoming
> scanner. Then you can start to use watermarking to help resolve the invalid
> bounce back issue, but also protect all users against spam.
>
>
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 20 March 2013 17:35, Robert Lopez <rlopezcnm at gmail.com> wrote:
>
>> Martin,
>>
>> We do not white list the cnm.edu domain. We do white list some
>> departments (example, The Marketing and Communications Office, The
>> Office of the President, etc.) because they sent such high volume of email
>> it takes too much time to inspect them all. They are white listed via
>> .../rules/spam.whitelist.rules and not in the white list postfix uses.
>>
>> -Robert
>>
>>
>> On Wed, Mar 20, 2013 at 7:40 AM, Martin Hepworth <maxsec at gmail.com>wrote:
>>
>>> the 'watermaking' is based on the ability of mailScanner to addin an
>>> extra header containing a (I think) hash of your Org-name salted with the
>>> predefined secret in your MailScanner.conf
>>>
>>>
>>> http://www.mailscanner.info/MailScanner.conf.index.html#Watermark%20Header
>>>
>>> Not any use for this case and it's purely for use in MailScanner code.
>>>
>>> I would check your whitelisting rules (definitely no spam etc) and make
>>> sure you're not whitelisting your own domain, this is a common mistake and
>>> lets alot of spam through that would normally be detected. If you need to
>>> whitelist your domain then use the ip-addresses of the internal email
>>> servers and not your domain.
>>>
>>>
>>> --
>>> Martin Hepworth, CISSP
>>> Oxford, UK
>>>
>>>
>>> On 19 March 2013 23:57, Robert Lopez <rlopezcnm at gmail.com> wrote:
>>>
>>>> I understand watermarking is to defend against "joe job blowback". I
>>>> think I understand that blowback problem is when email is sent, using for
>>>> example my address, to many other domains and all the flack (blow back)
>>>> comes back to me.
>>>>
>>>> I am wondering if this watermarking is of any use in a type of SPAM we
>>>> now frequently see. It is where email is sent to a list of addresses, all
>>>> at our domain, and the from address is also the first address in the
>>>> address list. Everyone else thinks the first person sent it. Our gateways
>>>> send such email to Exchange and any communication back to the sender is
>>>> entirely within Exchange and never comes back through the gateways again.
>>>>
>>>> In this kind of SPAM I have always considered it of no use. Am I wrong
>>>> in my thinking?
>>>>
>>>> --
>>>> Robert Lopez
>>>> Unix Systems Administrator
>>>> Central New Mexico Community College (CNM)
>>>> 525 Buena Vista SE
>>>> Albuquerque, New Mexico 87106
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>>
>> --
>> Robert Lopez
>> Unix Systems Administrator
>> Central New Mexico Community College (CNM)
>> 525 Buena Vista SE
>> Albuquerque, New Mexico 87106
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/696e04ca/attachment.html 

From bonivart at opencsw.org  Fri Mar 22 17:47:04 2013
From: bonivart at opencsw.org (Peter Bonivart)
Date: Fri, 22 Mar 2013 18:47:04 +0100
Subject: Watermarking and spoofed sender address
In-Reply-To: <CAAJHbAr+nnXeyPAM9_kQMxhQkVzumG0OjaqZ0NE3UwJcCdZUtQ@mail.gmail.com>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
	<CAGDKorLhA6CUOdUrKf_G3VcX=kXDw9dvm-rm-o=cB+_0vVgJNw@mail.gmail.com>
	<CAAJHbApV1ro7Acdh-RJY78nkvM+CD7GnhQ2jsbU=uMSrpiLQzw@mail.gmail.com>
	<CAGDKorL+A-nFcy3+aLUwvucZoT_46rZeNv1n5KkKJ1rLxEEsGg@mail.gmail.com>
	<CAAJHbAr+nnXeyPAM9_kQMxhQkVzumG0OjaqZ0NE3UwJcCdZUtQ@mail.gmail.com>
Message-ID: <CABY0g1U8Jew6TZEf3_OdpYsNmcVjhSBH=fNUkUzfxCrHegJaLA@mail.gmail.com>

On Fri, Mar 22, 2013 at 5:50 PM, Robert Lopez <rlopezcnm at gmail.com> wrote:
>> IF you are whitelisting emails by address and NOT adding in a directional
>> element
>
> I have been looking at the MailScanner book.
> I see the Rule Sets Example section and the "Contains a 'direction'".
> It has not yet hit me how and where to write such a rule.
> Would this take a custom function or do you believe it may be done with (a)
> rule(s)?

If you use a rule like "From: marketing at cnm.edu yes" for whitelisting
you risk letting spammers in if they use that address when they mail
you (from internet). You need to add "direction" like "From:
marketing at cnm.edu and From: 1.2.3.4 yes", 1.2.3.4 in this example is
the IP address of your mailbox server, e.g. Exchange. If it has that
address and comes from your own server it's safe to whitelist. Ok?

From Kevin_Miller at ci.juneau.ak.us  Fri Mar 22 18:12:30 2013
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 22 Mar 2013 10:12:30 -0800
Subject: Watermarking and spoofed sender address
In-Reply-To: <CAAJHbAqJHXYGA5EZ84-xX2f1Ynsm0n9Lmwzg2UE-iXqMAw1YPg@mail.gmail.com>
References: <CAAJHbArRW+PT9wGG-C0azOZiBGgshzkZ9-eU-585LiR1HE2xCg@mail.gmail.com>
	<C87702B41702834792222AE25D4057B66593@city-exchange07>
	<CAAJHbAoT4jBPHr6j+FQjZCDEtFxmjjn2Y2LrR++b4ZKvPbA84g@mail.gmail.com>
	<C87702B41702834792222AE25D4057B66597@city-exchange07>
	<CAAJHbAqJHXYGA5EZ84-xX2f1Ynsm0n9Lmwzg2UE-iXqMAw1YPg@mail.gmail.com>
Message-ID: <C87702B41702834792222AE25D4057B665A7@city-exchange07>

Just occurred to me to tell you where the SPF list is:  http://www.openspf.org/Forums
The spf-help list is the one you'll want to subscribe to.
I should have done that the other day...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Robert Lopez
Sent: Wednesday, March 20, 2013 2:22 PM
To: MailScanner discussion
Subject: Re: Watermarking and spoofed sender address


Kevin,
You have pointed to several things I need to look into.  All our senders send and receive as someone at cnm.edu<mailto:someone at cnm.edu>.  The email gateways forward all email to anyone who is a students on to gmail.
No there is no specific SPF milter on inbound server. Yes MailScanner is accepting mail from the outside for all users.
I will contact the SPF mailing list. Thanks.

On Wed, Mar 20, 2013 at 12:48 PM, Kevin Miller <Kevin_Miller at ci.juneau.ak.us<mailto:Kevin_Miller at ci.juneau.ak.us>> wrote:
It's not clear to me how you're sending/receiving mail.  Do users send/receive as someone at gmail.com<mailto:someone at gmail.com> or someone at cnm.edu<mailto:someone at cnm.edu>?

Also, you have SPF set to softfail. That will flag a message as a fail, but doesn't actually deny it.  Are you running an SPF milter on your inbound server?  I presume that you have a MailScanner host that is accepting mail from the outside for your users.

There's an SPF mailing list, similar to this list.  Probably best to jump onto it.  There's some sharp guys over there...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242<tel:%28907%29%20586-0242>, Fax: (907) 586-4500<tel:%28907%29%20586-4500>
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info> [mailto:mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info>] On Behalf Of Robert Lopez
Sent: Wednesday, March 20, 2013 9:28 AM
To: MailScanner discussion
Subject: Re: Watermarking and spoofed sender address

Kevin,
If we do use SPF could there be something in the way we use it that it does not help?  We added it as part of our out soucing student email.

>From http://www.kitterman.com/getspf2.py as of Wed Mar 20 2013:
"
SPF record lookup and validation for: cnm.edu<http://cnm.edu>
SPF records are primarily published in DNS as TXT records.

The TXT records found for your domain are:
v=spf1 include:_spf.google.com<http://spf.google.com> mx ~all

SPF records should also be published in DNS as type SPF records.

Type SPF records found for the domain are:
v=spf1 include:_spf.google.com<http://spf.google.com> mx ~all

Checking to see if there is a valid SPF record.

Results - Record may be valid, but ambiguous: v=spf1 records of both type TXT and SPF (type 99) present, but not identical

Found v=spf1 record for cnm.edu<http://cnm.edu>:
v=spf1 include:_spf.google.com<http://spf.google.com> mx ~all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!
"

On Wed, Mar 20, 2013 at 10:20 AM, Kevin Miller <Kevin_Miller at ci.juneau.ak.us<mailto:Kevin_Miller at ci.juneau.ak.us>> wrote:
For what you're trying to do, SPF is a better option.

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242<tel:%28907%29%20586-0242>, Fax: (907) 586-4500<tel:%28907%29%20586-4500>
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info> [mailto:mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info>] On Behalf Of Robert Lopez
Sent: Tuesday, March 19, 2013 3:58 PM
To: MailScanner discussion
Subject: Watermarking and spoofed sender address

I understand watermarking is to defend against "joe job blowback". I think I understand that blowback problem is when email is sent, using for example my address, to many other domains and all the flack (blow back) comes back to me.
I am wondering if this watermarking is of any use in a type of SPAM we now frequently see. It is where email is sent to a list of addresses, all at our domain, and the from address is also the first address in the address list. Everyone else thinks the first person sent it. Our gateways send such email to Exchange and any communication back to the sender is entirely within Exchange and never comes back through the gateways again.

In this kind of SPAM I have always considered it of no use. Am I wrong in my thinking?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!



--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!



--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/1548d444/attachment-0001.html 

From rlopezcnm at gmail.com  Fri Mar 22 22:19:03 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri, 22 Mar 2013 16:19:03 -0600
Subject: 
In-Reply-To: <CAAJHbArTQ9c2J+avHpEPdzjjqUbhyruHmcrpYkySQ17NZnwbiw@mail.gmail.com>
References: <CAAJHbAoeeNb_zGkAjf5R=XmZXXNFGf92CQdSwBaL5sSXeubs5A@mail.gmail.com>
	<CAGDKor+uoqkmwptVW02QUt9noPu5z_rLK8+6p+mG2cFB4-Z_HA@mail.gmail.com>
	<CAAJHbArTQ9c2J+avHpEPdzjjqUbhyruHmcrpYkySQ17NZnwbiw@mail.gmail.com>
Message-ID: <CAAJHbApZuVL1JEO47AJx11CY2qWwxMS_t4jHOqt-jgyAB0cOWw@mail.gmail.com>

I am terribly wrong.
I have been able to prove to myself the configuration file
/etc/MailScanner/conf.d/CNM-MailScanner.conf is read and affects many
configuration parameters.

However this line:
%org-name% = CNM
does not take precedence over this line in
/etc/MailScanner/MailScanner.conf:
 %org-name% = unconfigured-debian-site
So all the places it should modify other configuration parameters they are
not modified.
When I look in the internet headers of email passed through I see lines
like these:
X-unconfigured-debian-site-MailScanner-From: xxxxxxxxxx at yyyyyyyy.zzzz
X-unconfigured-debian-site-MailScanner: Found to be clean
X-unconfigured-debian-site-MailScanner-ID: 7E9D75F8D.AA75F



On Fri, Mar 22, 2013 at 10:20 AM, Robert Lopez <rlopezcnm at gmail.com> wrote:

> Martin,
>
> I had done that. There are some "errors"; part related to the fact the
> local conf file is not loaded.
>
> The first error is
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match
> X-unconfigured-debian-site-MailScanner-From
> and it is because the /etc/MailScanner/conf.d/CNM-MailScanner.conf file
> sets
> envelope_sender_header X-CNM-MailScanner-From
>
> The second error/warning is
> config: failed to parse line, skipping, in
> "/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
> SpamAssassin reported an error.
> which I have never been able to understand, but is there because I want
> the whitelist off. Also
> I assume the "SpamAssassin reported an error" refers to the line above it.
>
> The result of the run is below.
>
>
>
> # MailScanner -debug --lint
> Trying to setlogsock(unix)
>
>
> Reading configuration file /etc/MailScanner/MailScanner.conf
> Reading configuration file /etc/MailScanner/conf.d/CNM-MailScanner.conf
> Read 869 hostnames from the phishing whitelist
> Read 5414 hostnames from the phishing blacklists
>
> Checking version numbers...
> Version number in MailScanner.conf (4.84.5) is correct.
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match
> X-unconfigured-debian-site-MailScanner-From
>
> MailScanner setting GID to  (117)
> MailScanner setting UID to  (108)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> config: failed to parse line, skipping, in
> "/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
> SpamAssassin reported an error.
> I have found clamd scanners installed, and will use them all by default.
> Connected to Processing Attempts Database
> Created Processing Attempts Database successfully
> There are 0 messages in the Processing Attempts Database
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::INFECTED::Eicar-Test-Signature :: ./1/
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> ===========================================================================
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>
> If any of your virus scanners (clamd)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its virus.scanners.conf.
>
>
>
>
>
> On Fri, Mar 22, 2013 at 5:43 AM, Martin Hepworth <maxsec at gmail.com> wrote:
>
>> run in debug mode and see if you've a problem with the info in the
>> include directory
>>
>> also try a "MailScanner --lint" as well.
>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>>
>> On 21 March 2013 23:48, Robert Lopez <rlopezcnm at gmail.com> wrote:
>>
>>> MailScanner version 4.84.5
>>>
>>> NAME="Ubuntu"
>>> VERSION="12.04.2 LTS, Precise Pangolin"
>>> ID=ubuntu
>>> ID_LIKE=debian
>>> PRETTY_NAME="Ubuntu precise (12.04.2 LTS)"
>>> VERSION_ID="12.04"
>>>
>>> None of the configuration parameters in
>>> /etc/MailScanner/conf.d/CNM-MailScanner.conf are incorporated.
>>> Last of /etc/MailScanner/MailScanner.conf still says:
>>>
>>> include /etc/MailScanner/conf.d/*
>>>
>>> For each startup log file says:
>>>
>>> Reading configuration file /etc/MailScanner/MailScanner.conf
>>> Reading configuration file /etc/MailScanner/conf.d/CNM-MailScanner.conf
>>>
>>> What have I done wrong?
>>>
>>> --
>>> Robert Lopez
>>> Unix Systems Administrator
>>> Central New Mexico Community College (CNM)
>>> 525 Buena Vista SE
>>> Albuquerque, New Mexico 87106
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>



-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/2b016f00/attachment.html 

From rlopezcnm at gmail.com  Fri Mar 22 22:32:30 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri, 22 Mar 2013 16:32:30 -0600
Subject: 
In-Reply-To: <CAAJHbApZuVL1JEO47AJx11CY2qWwxMS_t4jHOqt-jgyAB0cOWw@mail.gmail.com>
References: <CAAJHbAoeeNb_zGkAjf5R=XmZXXNFGf92CQdSwBaL5sSXeubs5A@mail.gmail.com>
	<CAGDKor+uoqkmwptVW02QUt9noPu5z_rLK8+6p+mG2cFB4-Z_HA@mail.gmail.com>
	<CAAJHbArTQ9c2J+avHpEPdzjjqUbhyruHmcrpYkySQ17NZnwbiw@mail.gmail.com>
	<CAAJHbApZuVL1JEO47AJx11CY2qWwxMS_t4jHOqt-jgyAB0cOWw@mail.gmail.com>
Message-ID: <CAAJHbApMxAAMRkCvizf1D3NpDHqVtUR72Ja-RJJ=UsWnqch16A@mail.gmail.com>

Here is the definitive answer for anyone who later finds this thread.
It is from the file /usr/share/doc/mailscanner/examples/conf.d/README


# In this directory, you can put files that will be automatically included
# as if they were inserted at the end of the main MailScanner.conf file
# in the directory above this one.
#
# They should be read in alphabetical order.
#
# NOTE: If you change the value of a %variable% then you must redefine all
# the settings that use that %variable% here, as the %variable%
# substitutions are done when the files are initially read, not later when
# settings are looked up when MailScanner is processing messages.
# So if, for example, you change the value of %rules-dir% in an included
# file here, you must reset the values of the settings
#        Maximum Message Size
#        Is Definitely Not Spam
#        Enable Spam Bounce
# in order for them all to use the new value of %rules-dir%.
# My apologies for this, but it is only possible to know the values of
# each %variable% when the configuration files are read, and not when
# the settings are evaluated as they could be set at any point within the
# files, giving an unknown value of the %variable% at that point.
#
# --
# Jules
# MailScanner at ecs.soton.ac.uk

So before modifying any %something% line in a conf.d/ file grep for
that %something% string in the .../MailScanner/MailScanner.conf file
and modify all of them.



On Fri, Mar 22, 2013 at 4:19 PM, Robert Lopez <rlopezcnm at gmail.com> wrote:

> I am terribly wrong.
> I have been able to prove to myself the configuration file
> /etc/MailScanner/conf.d/CNM-MailScanner.conf is read and affects many
> configuration parameters.
>
> However this line:
> %org-name% = CNM
> does not take precedence over this line in
> /etc/MailScanner/MailScanner.conf:
>  %org-name% = unconfigured-debian-site
> So all the places it should modify other configuration parameters they are
> not modified.
> When I look in the internet headers of email passed through I see lines
> like these:
> X-unconfigured-debian-site-MailScanner-From: xxxxxxxxxx at yyyyyyyy.zzzz
> X-unconfigured-debian-site-MailScanner: Found to be clean
> X-unconfigured-debian-site-MailScanner-ID: 7E9D75F8D.AA75F
>
>
>
> On Fri, Mar 22, 2013 at 10:20 AM, Robert Lopez <rlopezcnm at gmail.com>wrote:
>
>> Martin,
>>
>> I had done that. There are some "errors"; part related to the fact the
>> local conf file is not loaded.
>>
>> The first error is
>> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
>> ERROR: is not correct, it should match
>> X-unconfigured-debian-site-MailScanner-From
>> and it is because the /etc/MailScanner/conf.d/CNM-MailScanner.conf file
>> sets
>> envelope_sender_header X-CNM-MailScanner-From
>>
>> The second error/warning is
>> config: failed to parse line, skipping, in
>> "/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
>> SpamAssassin reported an error.
>> which I have never been able to understand, but is there because I want
>> the whitelist off. Also
>> I assume the "SpamAssassin reported an error" refers to the line above it.
>>
>> The result of the run is below.
>>
>>
>>
>> # MailScanner -debug --lint
>> Trying to setlogsock(unix)
>>
>>
>> Reading configuration file /etc/MailScanner/MailScanner.conf
>> Reading configuration file /etc/MailScanner/conf.d/CNM-MailScanner.conf
>> Read 869 hostnames from the phishing whitelist
>> Read 5414 hostnames from the phishing blacklists
>>
>> Checking version numbers...
>> Version number in MailScanner.conf (4.84.5) is correct.
>>
>> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
>> ERROR: is not correct, it should match
>> X-unconfigured-debian-site-MailScanner-From
>>
>> MailScanner setting GID to  (117)
>> MailScanner setting UID to  (108)
>>
>> Checking for SpamAssassin errors (if you use it)...
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> config: failed to parse line, skipping, in
>> "/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
>> SpamAssassin reported an error.
>> I have found clamd scanners installed, and will use them all by default.
>> Connected to Processing Attempts Database
>> Created Processing Attempts Database successfully
>> There are 0 messages in the Processing Attempts Database
>> Using locktype = posix
>> MailScanner.conf says "Virus Scanners = auto"
>> Found these virus scanners installed: clamd
>>
>> ===========================================================================
>> Filename Checks: Windows/DOS Executable (1 eicar.com)
>> Other Checks: Found 1 problems
>> Virus and Content Scanning: Starting
>> Clamd::INFECTED::Eicar-Test-Signature :: ./1/
>> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 2 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 2 viruses
>>
>> ===========================================================================
>> Virus Scanner test reports:
>> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>>
>> If any of your virus scanners (clamd)
>> are not listed there, you should check that they are installed correctly
>> and that MailScanner is finding them correctly via its
>> virus.scanners.conf.
>>
>>
>>
>>
>>
>> On Fri, Mar 22, 2013 at 5:43 AM, Martin Hepworth <maxsec at gmail.com>wrote:
>>
>>> run in debug mode and see if you've a problem with the info in the
>>> include directory
>>>
>>> also try a "MailScanner --lint" as well.
>>>
>>> --
>>> Martin Hepworth, CISSP
>>> Oxford, UK
>>>
>>>
>>> On 21 March 2013 23:48, Robert Lopez <rlopezcnm at gmail.com> wrote:
>>>
>>>> MailScanner version 4.84.5
>>>>
>>>> NAME="Ubuntu"
>>>> VERSION="12.04.2 LTS, Precise Pangolin"
>>>> ID=ubuntu
>>>> ID_LIKE=debian
>>>> PRETTY_NAME="Ubuntu precise (12.04.2 LTS)"
>>>> VERSION_ID="12.04"
>>>>
>>>> None of the configuration parameters in
>>>> /etc/MailScanner/conf.d/CNM-MailScanner.conf are incorporated.
>>>> Last of /etc/MailScanner/MailScanner.conf still says:
>>>>
>>>> include /etc/MailScanner/conf.d/*
>>>>
>>>> For each startup log file says:
>>>>
>>>> Reading configuration file /etc/MailScanner/MailScanner.conf
>>>> Reading configuration file /etc/MailScanner/conf.d/CNM-MailScanner.conf
>>>>
>>>> What have I done wrong?
>>>>
>>>> --
>>>> Robert Lopez
>>>> Unix Systems Administrator
>>>> Central New Mexico Community College (CNM)
>>>> 525 Buena Vista SE
>>>> Albuquerque, New Mexico 87106
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>>
>> --
>> Robert Lopez
>> Unix Systems Administrator
>> Central New Mexico Community College (CNM)
>> 525 Buena Vista SE
>> Albuquerque, New Mexico 87106
>>
>
>
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>



-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130322/8a18f7b1/attachment.html 

From mark at msapiro.net  Sat Mar 23 00:42:32 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 22 Mar 2013 17:42:32 -0700
Subject: ScamNailer
In-Reply-To: <PC1993201303170705490384eed1e871@Notebook-09>
References: <PC1993201303170705490384eed1e871@Notebook-09>
Message-ID: <514CFA78.9010907@msapiro.net>

ScamNailer has been updating normally again for about the last 24 hours.
The file base in the DNS txt record for
emails.msupdate.greylist.bastionmail.com jumped in my case from
"emails.2013-103.8" to "emails.2013-115.something" and there are
apparently no files on the cdn.mailscanner.info host between
emails.2013-103.8 and emails.2013-114.

So my question is what happened? Was this a hardware or a software or
network glitch or a neglected manual step or what? And if this should
happen again, what's the appropriate way to get a timely resolution?

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From maxsec at gmail.com  Sat Mar 23 09:40:32 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat, 23 Mar 2013 09:40:32 +0000
Subject: 
In-Reply-To: <CAAJHbApMxAAMRkCvizf1D3NpDHqVtUR72Ja-RJJ=UsWnqch16A@mail.gmail.com>
References: <CAAJHbAoeeNb_zGkAjf5R=XmZXXNFGf92CQdSwBaL5sSXeubs5A@mail.gmail.com>
	<CAGDKor+uoqkmwptVW02QUt9noPu5z_rLK8+6p+mG2cFB4-Z_HA@mail.gmail.com>
	<CAAJHbArTQ9c2J+avHpEPdzjjqUbhyruHmcrpYkySQ17NZnwbiw@mail.gmail.com>
	<CAAJHbApZuVL1JEO47AJx11CY2qWwxMS_t4jHOqt-jgyAB0cOWw@mail.gmail.com>
	<CAAJHbApMxAAMRkCvizf1D3NpDHqVtUR72Ja-RJJ=UsWnqch16A@mail.gmail.com>
Message-ID: <CAGDKorL-rNbOJ1uWYYPRkc50dugcsK=6vjKq8AXdLi9G0Q2p+Q@mail.gmail.com>

The autowhitelist is depreciated for a long time now

Just disable that plugin in the spamassasin config files

On Friday, 22 March 2013, Robert Lopez wrote:

> Here is the definitive answer for anyone who later finds this thread.
> It is from the file /usr/share/doc/mailscanner/examples/conf.d/README
>
>
> # In this directory, you can put files that will be automatically included
> # as if they were inserted at the end of the main MailScanner.conf file
> # in the directory above this one.
> #
> # They should be read in alphabetical order.
> #
> # NOTE: If you change the value of a %variable% then you must redefine all
> # the settings that use that %variable% here, as the %variable%
> # substitutions are done when the files are initially read, not later when
> # settings are looked up when MailScanner is processing messages.
> # So if, for example, you change the value of %rules-dir% in an included
> # file here, you must reset the values of the settings
> #        Maximum Message Size
> #        Is Definitely Not Spam
> #        Enable Spam Bounce
> # in order for them all to use the new value of %rules-dir%.
> # My apologies for this, but it is only possible to know the values of
> # each %variable% when the configuration files are read, and not when
> # the settings are evaluated as they could be set at any point within the
> # files, giving an unknown value of the %variable% at that point.
> #
> # --
> # Jules
> # MailScanner at ecs.soton.ac.uk <javascript:_e({}, 'cvml',
> 'MailScanner at ecs.soton.ac.uk');>
>
> So before modifying any %something% line in a conf.d/ file grep for
> that %something% string in the .../MailScanner/MailScanner.conf file
> and modify all of them.
>
>
>
> On Fri, Mar 22, 2013 at 4:19 PM, Robert Lopez <rlopezcnm at gmail.com> wrote:
>
> I am terribly wrong.
> I have been able to prove to myself the configuration file
> /etc/MailScanner/conf.d/CNM-MailScanner.conf is read and affects many
> configuration parameters.
>
> However this line:
> %org-name% = CNM
> does not take precedence over this line in
> /etc/MailScanner/MailScanner.conf:
>  %org-name% = unconfigured-debian-site
> So all the places it should modify other configuration parameters they are
> not modified.
> When I look in the internet headers of email passed through I see lines
> like these:
> X-unconfigured-debian-site-MailScanner-From: xxxxxxxxxx at yyyyyyyy.zzzz
> X-unconfigured-debian-site-MailScanner: Found to be clean
> X-unconfigured-debian-site-MailScanner-ID: 7E9D75F8D.AA75F
>
>
>
> On Fri, Mar 22, 2013 at 10:20 AM, Robert Lopez <rlopezcnm at gmail.com>wrote:
>
> Martin,
>
> I had done that. There are some "errors"; part related to the fact the
> local conf file is not loaded.
>
> The first error is
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match
> X-unconfigured-debian-site-MailScanner-From
> and it is because the /etc/MailScanner/conf.d/CNM-MailScanner.conf file
> sets
> envelope_sender_header X-CNM-MailScanner-From
>
> The second error/warning is
> config: failed to parse line, skipping, in
> "/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
> SpamAssassin reported an error.
> which I have never been able to understand, but is there because I want
> the whitelist off. Also
> I assume the "SpamAssassin reported an error" refers to the line above it.
>
> The result of the run is below.
>
>
>
> # MailScanner -debug --lint
> Trying to setlogsock(unix)
>
>
> Reading configuration file /etc/MailScanner/MailScanner.conf
> Reading configuration file /etc/MailScanner/conf.d/CNM-MailScanner.conf
> Read 869 hostnames from the phishing whitelist
> Read 5414 hostnames from the phishing blacklists
>
> Checking version numbers...
> Version number in MailScanner.conf (4.84.5) is correct.
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match
> X-unconfigured-debian-site-MailScanner-From
>
> MailScanner setting GID to  (117)
> MailScanner setting UID to  (108)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> config: failed to parse line, skipping, in
> "/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
> SpamAssassin reported an error.
> I have found clamd scanners installed, and will use them all by default.
> Connected to Processing Attempts Database
> Created Processing Attempts Database successfully
> There are 0 messages in the Processing Attempts Database
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::INFECTED::Eicar-Test-Signature :: ./1/
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> ===========================================================================
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>
> If any of your virus scanners (clamd)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its virus.scanners.conf.
>
>
>
>
>
> On Fri, Mar 22, 2013 at 5:43 AM, Martin Hepworth
>
>

-- 
-- 
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130323/bbd4d356/attachment.html 

From maxsec at gmail.com  Sat Mar 23 09:42:30 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat, 23 Mar 2013 09:42:30 +0000
Subject: Filetype Checks: No executables on Greek Emails
In-Reply-To: <2EA68A4ECC41C14B9B45A730D7E95F731F250690@AMSPRD0611MB548.eurprd06.prod.outlook.com>
References: <2EA68A4ECC41C14B9B45A730D7E95F731F250690@AMSPRD0611MB548.eurprd06.prod.outlook.com>
Message-ID: <CAGDKorKyPjeMcza7ya+=2JOSd2zYMoWH9jVQO-=-8eCM0ST4uQ@mail.gmail.com>

What version of mailscanner?


On Friday, 22 March 2013, Nikolaos Pavlidis wrote:

> Hello all,
>
> I'm having an issue with Mailscanner which weirdly enough has been already
> discussed here
>
> http://markmail.org/message/56fofuvh4tzde7hz#query:+page:1+mid:mu77m5qs6zjhh2jx+state:results
>
> The problem is:
>
> Mar 22 15:00:18 smtp1 MailScanner[17935]: Filetype Checks: No executables
> (r2JAPluH011324 )
> Mar 22 15:00:46 smtp1 MailScanner[17935]: Saved entire message to
> /var/spool/MailScanner/quarantine/20130322/r2JAPluH011324
>
> And:
>
> [root at smtp1 r2JAPluH011324]# pwd
> /var/spool/MailScanner/quarantine/20130322/r2JAPluH011324
> [root at smtp1 r2JAPluH011324]# ll
> total 28K
> -rw------- 1 root root  22K Mar 22 15:00 dfr2JAPluH011324
> -rw------- 1 root root 3.7K Mar 22 15:00 qfr2JAPluH011324
> [root at smtp1 r2JAPluH011324]# file -i *
> dfr2JAPluH011324: text/plain; charset=us-ascii
> qfr2JAPluH011324: text/plain; charset=unknown
>
> But I have also added the lines suggested in the previous thread so my
> filetype.rules.conf looks like:
>
> <snip>
> allow   text            -                       -
> allow   -       text/plain      -                       -
> allow   -       text/x-mail     -                       -
> allow   -       message/rfc822  -                       -
> allow   \bscript        -                       -
> allow   archive         -                       -
> allow   postscript      -                       -
> deny    self-extract    No self-extracting archives     No self-extracting
> archives allowed
> deny    executable      No executables          No programs allowed
> <snip>
>
> I have restarted mailscanner before re-queuing the message but always the
> same result...
>
> Any ideas/recommendations would be much appreciated,
>
> Kind regards,
>
> Nik
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info <javascript:;>
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>


-- 
-- 
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130323/2d223a4b/attachment.html 

From Nikolaos.Pavlidis at beds.ac.uk  Mon Mar 25 08:28:03 2013
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis)
Date: Mon, 25 Mar 2013 08:28:03 +0000
Subject: Filetype Checks: No executables on Greek Emails
In-Reply-To: <CAGDKorKyPjeMcza7ya+=2JOSd2zYMoWH9jVQO-=-8eCM0ST4uQ@mail.gmail.com>
References: <2EA68A4ECC41C14B9B45A730D7E95F731F250690@AMSPRD0611MB548.eurprd06.prod.outlook.com>
	<CAGDKorKyPjeMcza7ya+=2JOSd2zYMoWH9jVQO-=-8eCM0ST4uQ@mail.gmail.com>
Message-ID: <2EA68A4ECC41C14B9B45A730D7E95F731F270C89@AMSPRD0611MB548.eurprd06.prod.outlook.com>

Hello all,

Yes valid point, sorry

fsl-mailscanner-4.84.5-3

Kind regards,

Nik

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: 23 March 2013 09:43
To: MailScanner discussion
Subject: Re: Filetype Checks: No executables on Greek Emails

What version of mailscanner?


On Friday, 22 March 2013, Nikolaos Pavlidis wrote:
Hello all,

I'm having an issue with Mailscanner which weirdly enough has been already discussed here
http://markmail.org/message/56fofuvh4tzde7hz#query:+page:1+mid:mu77m5qs6zjhh2jx+state:results

The problem is:

Mar 22 15:00:18 smtp1 MailScanner[17935]: Filetype Checks: No executables (r2JAPluH011324 )
Mar 22 15:00:46 smtp1 MailScanner[17935]: Saved entire message to /var/spool/MailScanner/quarantine/20130322/r2JAPluH011324

And:

[root at smtp1 r2JAPluH011324]# pwd
/var/spool/MailScanner/quarantine/20130322/r2JAPluH011324
[root at smtp1 r2JAPluH011324]# ll
total 28K
-rw------- 1 root root  22K Mar 22 15:00 dfr2JAPluH011324
-rw------- 1 root root 3.7K Mar 22 15:00 qfr2JAPluH011324
[root at smtp1 r2JAPluH011324]# file -i *
dfr2JAPluH011324: text/plain; charset=us-ascii
qfr2JAPluH011324: text/plain; charset=unknown

But I have also added the lines suggested in the previous thread so my filetype.rules.conf looks like:

<snip>
allow   text            -                       -
allow   -       text/plain      -                       -
allow   -       text/x-mail     -                       -
allow   -       message/rfc822  -                       -
allow   \bscript        -                       -
allow   archive         -                       -
allow   postscript      -                       -
deny    self-extract    No self-extracting archives     No self-extracting archives allowed
deny    executable      No executables          No programs allowed
<snip>

I have restarted mailscanner before re-queuing the message but always the same result...

Any ideas/recommendations would be much appreciated,

Kind regards,

Nik

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<javascript:;>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!


--
--
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130325/087b151e/attachment.html 

From steve.freegard at fsl.com  Mon Mar 25 08:59:21 2013
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon, 25 Mar 2013 08:59:21 +0000
Subject: Filetype Checks: No executables on Greek Emails
In-Reply-To: <2EA68A4ECC41C14B9B45A730D7E95F731F250690@AMSPRD0611MB548.eurprd06.prod.outlook.com>
References: <2EA68A4ECC41C14B9B45A730D7E95F731F250690@AMSPRD0611MB548.eurprd06.prod.outlook.com>
Message-ID: <kip3jj$ngv$1@ger.gmane.org>

Nik,

On 22/03/13 15:09, Nikolaos Pavlidis wrote:
> [root at smtp1 r2JAPluH011324]# file -i *
> dfr2JAPluH011324: text/plain; charset=us-ascii
> qfr2JAPluH011324: text/plain; charset=unknown
>

Run the same command without the '-i' as a different magic set is used. 
  MailScanner runs both 'file' and 'file -i', so I suspect the former is 
returning 'executable' whilst the latter is not.

Regards,
Steve.



From richard.coombe at taffhousing.co.uk  Mon Mar 25 15:01:48 2013
From: richard.coombe at taffhousing.co.uk (Richard Coombe)
Date: Mon, 25 Mar 2013 15:01:48 +0000
Subject: NJABL is dead
Message-ID: <0427164E24A7BE458A5A26E2F4EA73572DB49513@taff-mail2.taffhousing.local>

> Date: Sun, 3 Mar 2013 09:33:40 -0500 From: Alex Neuman <alex at vidadigital.com.pa>
> Subject: Re: NJABL is dead
>
> In order to stop using NJABL we need to:

> 1. Get rid of the following line from "spam.lists.conf" (or comment it out like other lists that have been deactivated):
> NJABL                           dnsbl.njabl.org.
> 2. Remove "NJABL" from the "Spam List =" parameter if you're using it, in /etc/MailScanner/MailScanner.conf or your designated config file.
> 3. Add the following to your /etc/mail/spamassassin/local.cf score RCVD_IN_NJABL_CGI 0 score RCVD_IN_NJABL_MULTI 0 score RCVD_IN_NJABL_PROXY 0 score
> RCVD_IN_NJABL_RELAY 0 score RCVD_IN_NJABL_SPAM 0 4. Restart/reload your services.

Just a note for those that are copy and pasting, if you do the above you will  get an error from spamassassin --lint and sa-compile fails --

spamassassin --lint
Mar 25 14:54:43.341 [12757] warn: config: SpamAssassin failed to parse line, no value provided for "score", skipping: score RCVD_IN_NJABL_SPAM 0 4
Mar 25 14:54:44.233 [12757] warn: lint: 1 issues detected, please rerun with debug enabled for more information

So
RCVD_IN_NJABL_SPAM 0 4
should be
RCVD_IN_NJABL_SPAM 0

Sorry to be picky, but it tripped me up!

Rich

IT Manager

Cyfeiriad       Address Alexandra House
307-315 Cowbridge Road East
Cardiff
CF5 1JD
Ffon    Phone   02920259182
07966807318
Ffacs   Fax     02920259199
Safle We        Web     [http://www.taffhousing.co.uk/sites/default/files/taff/twitter.jpg] <http://www.twitter.com/taffhousing>   [http://www.taffhousing.co.uk/sites/default/files/taff/fb.gif] <www.facebook.com/taffhousing>   [http://www.taffhousing.co.uk/sites/default/files/taff/www.gif] <www.taffhousing.co.uk>

[http://www.taffhousing.co.uk/sites/default/files/taff/wag.gif]    [http://www.taffhousing.co.uk/sites/default/files/taff/pad.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/sw.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/iipg.gif]
[http://www.taffhousing.co.uk/sites/default/files/taff/gptw11.gif]  [http://www.taffhousing.co.uk/sites/default/files/taff/gptw.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/gd.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/iipg_w.gif]
MEDDYLIWCH CYN I CHI ARGRAFFU! - THINK BEFORE YOU PRINT!


________________________________
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.
Please consider the environment before printing this email.

Any views or other information in this message which do not relate to our business are not authorised by us, nor does this message form part of any contract unless so stated.

Taff Housing Association - www.taffhousing.co.uk - A Charitable Housing Association registered under the Industrial and Provident Societies Acts 1965 No. 21408R. Registered by The National Assembly for Wales No. L009. Registered address: Alexandra House, 307-315 Cowbridge Road East, Cardiff CF5 1JD. VAT Registration Number: 869 8405 65.

From shuttlebox at gmail.com  Mon Mar 25 15:40:38 2013
From: shuttlebox at gmail.com (shuttlebox)
Date: Mon, 25 Mar 2013 16:40:38 +0100
Subject: NJABL is dead
In-Reply-To: <0427164E24A7BE458A5A26E2F4EA73572DB49513@taff-mail2.taffhousing.local>
References: <0427164E24A7BE458A5A26E2F4EA73572DB49513@taff-mail2.taffhousing.local>
Message-ID: <CABY0g1WfVV3U++iFg-EfOj1h7uUhfWmunNHA4HmHPKtH+5CZ=A@mail.gmail.com>

On Mon, Mar 25, 2013 at 4:01 PM, Richard Coombe
<richard.coombe at taffhousing.co.uk> wrote:
>> Date: Sun, 3 Mar 2013 09:33:40 -0500 From: Alex Neuman <alex at vidadigital.com.pa>
>> Subject: Re: NJABL is dead
>>
>> In order to stop using NJABL we need to:
>
>> 1. Get rid of the following line from "spam.lists.conf" (or comment it out like other lists that have been deactivated):
>> NJABL                           dnsbl.njabl.org.
>> 2. Remove "NJABL" from the "Spam List =" parameter if you're using it, in /etc/MailScanner/MailScanner.conf or your designated config file.
>> 3. Add the following to your /etc/mail/spamassassin/local.cf score RCVD_IN_NJABL_CGI 0 score RCVD_IN_NJABL_MULTI 0 score RCVD_IN_NJABL_PROXY 0 score
>> RCVD_IN_NJABL_RELAY 0 score RCVD_IN_NJABL_SPAM 0 4. Restart/reload your services.
>
> Just a note for those that are copy and pasting, if you do the above you will  get an error from spamassassin --lint and sa-compile fails --
>
> spamassassin --lint
> Mar 25 14:54:43.341 [12757] warn: config: SpamAssassin failed to parse line, no value provided for "score", skipping: score RCVD_IN_NJABL_SPAM 0 4
> Mar 25 14:54:44.233 [12757] warn: lint: 1 issues detected, please rerun with debug enabled for more information
>
> So
> RCVD_IN_NJABL_SPAM 0 4
> should be
> RCVD_IN_NJABL_SPAM 0

And that's what it says in the original post, you included the "4"
from the next line, "4. Restart/reload your services.".

From dpaelinck at gmail.com  Mon Mar 25 17:18:58 2013
From: dpaelinck at gmail.com (Daniel Paelinck)
Date: Mon, 25 Mar 2013 18:18:58 +0100
Subject: Installing under Debian Testing (currently Wheezy)
Message-ID: <CAOuY7ZHTL15y1i9RpmB0ObvUAp+-_-8fdajbyG1Ks3Cy7b9cew@mail.gmail.com>

Hi,

I recently upgraded my Debian server to Testing, currently Wheezy, but
there are no more packages for mailscanner available in Testing.

Older packages from Debian Squeeze don't work because of dependency
problems (libdigest-sha1-perl).
Also those package are really out of date, latest is 4.79.11-2.2
I am really amazed that MailScanner has disappeared from the official
Debian repos.

What is my best option to install MailScanner on this machine now?
Are there any non official Debian repos that contain MailScanner?

greetings,

Daniel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130325/4e4a9097/attachment.html 

From jerry.benton at mailborder.com  Mon Mar 25 18:01:18 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 25 Mar 2013 19:01:18 +0100
Subject: Installing under Debian Testing (currently Wheezy)
In-Reply-To: <CAOuY7ZHTL15y1i9RpmB0ObvUAp+-_-8fdajbyG1Ks3Cy7b9cew@mail.gmail.com>
References: <CAOuY7ZHTL15y1i9RpmB0ObvUAp+-_-8fdajbyG1Ks3Cy7b9cew@mail.gmail.com>
Message-ID: <CAED3VzCgVno8O2EncTn6brPpe_Ci7f=b0VJnpVNULQ=K2LRxuA@mail.gmail.com>

http://apt.baruwa.org/ maintains current ubuntu and debian packages for
mailscanner


On Mon, Mar 25, 2013 at 6:18 PM, Daniel Paelinck <dpaelinck at gmail.com>wrote:

> Hi,
>
> I recently upgraded my Debian server to Testing, currently Wheezy, but
> there are no more packages for mailscanner available in Testing.
>
> Older packages from Debian Squeeze don't work because of dependency
> problems (libdigest-sha1-perl).
> Also those package are really out of date, latest is 4.79.11-2.2
> I am really amazed that MailScanner has disappeared from the official
> Debian repos.
>
> What is my best option to install MailScanner on this machine now?
> Are there any non official Debian repos that contain MailScanner?
>
> greetings,
>
> Daniel
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 

--
Jerry Benton
Mailborder Systems
www.mailborder.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130325/7d3d4fba/attachment.html 

From jerry.benton at mailborder.com  Mon Mar 25 18:02:24 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 25 Mar 2013 19:02:24 +0100
Subject: Installing under Debian Testing (currently Wheezy)
In-Reply-To: <CAOuY7ZHTL15y1i9RpmB0ObvUAp+-_-8fdajbyG1Ks3Cy7b9cew@mail.gmail.com>
References: <CAOuY7ZHTL15y1i9RpmB0ObvUAp+-_-8fdajbyG1Ks3Cy7b9cew@mail.gmail.com>
Message-ID: <CAED3VzAPB0xqUnuEmnkcEQDZ6WVDH-Cs0g=9+sM=FP--NcjxuA@mail.gmail.com>

Oh yeah, use "apt-get install mailscanner" just to install mailscanner if
you do not want the entire baruwa package.


On Mon, Mar 25, 2013 at 6:18 PM, Daniel Paelinck <dpaelinck at gmail.com>wrote:

> Hi,
>
> I recently upgraded my Debian server to Testing, currently Wheezy, but
> there are no more packages for mailscanner available in Testing.
>
> Older packages from Debian Squeeze don't work because of dependency
> problems (libdigest-sha1-perl).
> Also those package are really out of date, latest is 4.79.11-2.2
> I am really amazed that MailScanner has disappeared from the official
> Debian repos.
>
> What is my best option to install MailScanner on this machine now?
> Are there any non official Debian repos that contain MailScanner?
>
> greetings,
>
> Daniel
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 

--
Jerry Benton
Mailborder Systems
www.mailborder.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130325/6043faaa/attachment.html 

From alex at vidadigital.com.pa  Mon Mar 25 18:31:14 2013
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Mon, 25 Mar 2013 13:31:14 -0500
Subject: NJABL is dead
In-Reply-To: <0427164E24A7BE458A5A26E2F4EA73572DB49513@taff-mail2.taffhousing.local>
References: <0427164E24A7BE458A5A26E2F4EA73572DB49513@taff-mail2.taffhousing.local>
Message-ID: <CANyE0PpyD7vwB3wDku2fu3BdYsjk5pwLxqWAgma0rky9O1MCrA@mail.gmail.com>

You copied it wrong. The "4" was from the next step. You probably have
the "digest" set up and your mail client munged it.

On Mon, Mar 25, 2013 at 10:01 AM, Richard Coombe
<richard.coombe at taffhousing.co.uk> wrote:
>> Date: Sun, 3 Mar 2013 09:33:40 -0500 From: Alex Neuman <alex at vidadigital.com.pa>
>> Subject: Re: NJABL is dead
>>
>> In order to stop using NJABL we need to:
>
>> 1. Get rid of the following line from "spam.lists.conf" (or comment it out like other lists that have been deactivated):
>> NJABL                           dnsbl.njabl.org.
>> 2. Remove "NJABL" from the "Spam List =" parameter if you're using it, in /etc/MailScanner/MailScanner.conf or your designated config file.
>> 3. Add the following to your /etc/mail/spamassassin/local.cf score RCVD_IN_NJABL_CGI 0 score RCVD_IN_NJABL_MULTI 0 score RCVD_IN_NJABL_PROXY 0 score
>> RCVD_IN_NJABL_RELAY 0 score RCVD_IN_NJABL_SPAM 0 4. Restart/reload your services.
>
> Just a note for those that are copy and pasting, if you do the above you will  get an error from spamassassin --lint and sa-compile fails --
>
> spamassassin --lint
> Mar 25 14:54:43.341 [12757] warn: config: SpamAssassin failed to parse line, no value provided for "score", skipping: score RCVD_IN_NJABL_SPAM 0 4
> Mar 25 14:54:44.233 [12757] warn: lint: 1 issues detected, please rerun with debug enabled for more information
>
> So
> RCVD_IN_NJABL_SPAM 0 4
> should be
> RCVD_IN_NJABL_SPAM 0
>
> Sorry to be picky, but it tripped me up!
>
> Rich
>
> IT Manager
>
> Cyfeiriad       Address Alexandra House
> 307-315 Cowbridge Road East
> Cardiff
> CF5 1JD
> Ffon    Phone   02920259182
> 07966807318
> Ffacs   Fax     02920259199
> Safle We        Web     [http://www.taffhousing.co.uk/sites/default/files/taff/twitter.jpg] <http://www.twitter.com/taffhousing>   [http://www.taffhousing.co.uk/sites/default/files/taff/fb.gif] <www.facebook.com/taffhousing>   [http://www.taffhousing.co.uk/sites/default/files/taff/www.gif] <www.taffhousing.co.uk>
>
> [http://www.taffhousing.co.uk/sites/default/files/taff/wag.gif]    [http://www.taffhousing.co.uk/sites/default/files/taff/pad.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/sw.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/iipg.gif]
> [http://www.taffhousing.co.uk/sites/default/files/taff/gptw11.gif]  [http://www.taffhousing.co.uk/sites/default/files/taff/gptw.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/gd.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/iipg_w.gif]
> MEDDYLIWCH CYN I CHI ARGRAFFU! - THINK BEFORE YOU PRINT!
>
>
> ________________________________
> This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.
> Please consider the environment before printing this email.
>
> Any views or other information in this message which do not relate to our business are not authorised by us, nor does this message form part of any contract unless so stated.
>
> Taff Housing Association - www.taffhousing.co.uk - A Charitable Housing Association registered under the Industrial and Provident Societies Acts 1965 No. 21408R. Registered by The National Assembly for Wales No. L009. Registered address: Alexandra House, 307-315 Cowbridge Road East, Cardiff CF5 1JD. VAT Registration Number: 869 8405 65.
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!



-- 

--

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From dpaelinck at gmail.com  Mon Mar 25 19:03:25 2013
From: dpaelinck at gmail.com (Daniel Paelinck)
Date: Mon, 25 Mar 2013 20:03:25 +0100
Subject: Installing under Debian Testing (currently Wheezy)
In-Reply-To: <CAED3VzCgVno8O2EncTn6brPpe_Ci7f=b0VJnpVNULQ=K2LRxuA@mail.gmail.com>
References: <CAOuY7ZHTL15y1i9RpmB0ObvUAp+-_-8fdajbyG1Ks3Cy7b9cew@mail.gmail.com>
	<CAED3VzCgVno8O2EncTn6brPpe_Ci7f=b0VJnpVNULQ=K2LRxuA@mail.gmail.com>
Message-ID: <CAOuY7ZH7AhsNeqnDMUGv3w-4mJWXq5Z9tpmF5GuPYsBB1=H0hw@mail.gmail.com>

Hi,

This worked like a charm, million thanks for this.

On Mon, Mar 25, 2013 at 7:01 PM, Jerry Benton
<jerry.benton at mailborder.com>wrote:

> http://apt.baruwa.org/ maintains current ubuntu and debian packages for
> mailscanner
>
>
> On Mon, Mar 25, 2013 at 6:18 PM, Daniel Paelinck <dpaelinck at gmail.com>wrote:
>
>> Hi,
>>
>> I recently upgraded my Debian server to Testing, currently Wheezy, but
>> there are no more packages for mailscanner available in Testing.
>>
>> Older packages from Debian Squeeze don't work because of dependency
>> problems (libdigest-sha1-perl).
>> Also those package are really out of date, latest is 4.79.11-2.2
>> I am really amazed that MailScanner has disappeared from the official
>> Debian repos.
>>
>> What is my best option to install MailScanner on this machine now?
>> Are there any non official Debian repos that contain MailScanner?
>>
>> greetings,
>>
>> Daniel
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>
> --
>
> --
> Jerry Benton
> Mailborder Systems
> www.mailborder.com
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130325/f9f9dcda/attachment.html 

From richard.coombe at taffhousing.co.uk  Tue Mar 26 10:58:57 2013
From: richard.coombe at taffhousing.co.uk (Richard Coombe)
Date: Tue, 26 Mar 2013 10:58:57 +0000
Subject: NJABL is dead 
Message-ID: <0427164E24A7BE458A5A26E2F4EA73572DB4C930@taff-mail2.taffhousing.local>

Date: Mon, 25 Mar 2013 13:31:14 -0500 From: Alex Neuman <alex at vidadigital.com.pa>
> You copied it wrong. The "4" was from the next step. You probably have the "digest" set up and your mail client munged it.

Yes, I'm on digest.  Suddenly it all becomes clear...

Rich

> On Mon, Mar 25, 2013 at 10:01 AM, Richard Coombe <richard.coombe at taffhousing.co.uk> wrote:
>>> Date: Sun, 3 Mar 2013 09:33:40 -0500 From: Alex Neuman
>>> <alex at vidadigital.com.pa>
>>> Subject: Re: NJABL is dead
>>>
>>> In order to stop using NJABL we need to:
>>
>>> 1. Get rid of the following line from "spam.lists.conf" (or comment it out like other lists that have been deactivated):
>>> NJABL                           dnsbl.njabl.org.
>>> 2. Remove "NJABL" from the "Spam List =" parameter if you're using it, in /etc/MailScanner/MailScanner.conf or your designated config file.
>>> 3. Add the following to your /etc/mail/spamassassin/local.cf score
>>> RCVD_IN_NJABL_CGI 0 score RCVD_IN_NJABL_MULTI 0 score RCVD_IN_NJABL_PROXY 0 score RCVD_IN_NJABL_RELAY 0 score RCVD_IN_NJABL_SPAM 0 4.
> Restart/reload your services.
>>
>> Just a note for those that are copy and pasting, if you do the above
>> you will  get an error from spamassassin --lint and sa-compile fails

IT Manager

Cyfeiriad       Address Alexandra House
307-315 Cowbridge Road East
Cardiff
CF5 1JD
Ffon    Phone   02920259182
07966807318
Ffacs   Fax     02920259199
Safle We        Web     [http://www.taffhousing.co.uk/sites/default/files/taff/twitter.jpg] <http://www.twitter.com/taffhousing>   [http://www.taffhousing.co.uk/sites/default/files/taff/fb.gif] <www.facebook.com/taffhousing>   [http://www.taffhousing.co.uk/sites/default/files/taff/www.gif] <www.taffhousing.co.uk>

[http://www.taffhousing.co.uk/sites/default/files/taff/wag.gif]    [http://www.taffhousing.co.uk/sites/default/files/taff/pad.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/sw.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/iipg.gif]
[http://www.taffhousing.co.uk/sites/default/files/taff/gptw11.gif]  [http://www.taffhousing.co.uk/sites/default/files/taff/gptw.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/gd.gif]   [http://www.taffhousing.co.uk/sites/default/files/taff/iipg_w.gif]
MEDDYLIWCH CYN I CHI ARGRAFFU! - THINK BEFORE YOU PRINT!


________________________________
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.
Please consider the environment before printing this email.

Any views or other information in this message which do not relate to our business are not authorised by us, nor does this message form part of any contract unless so stated.

Taff Housing Association - www.taffhousing.co.uk - A Charitable Housing Association registered under the Industrial and Provident Societies Acts 1965 No. 21408R. Registered by The National Assembly for Wales No. L009. Registered address: Alexandra House, 307-315 Cowbridge Road East, Cardiff CF5 1JD. VAT Registration Number: 869 8405 65.

From Nikolaos.Pavlidis at beds.ac.uk  Wed Mar 27 08:43:47 2013
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis)
Date: Wed, 27 Mar 2013 08:43:47 +0000
Subject: Filetype Checks: No executables on Greek Emails
In-Reply-To: <kip3jj$ngv$1@ger.gmane.org>
References: <2EA68A4ECC41C14B9B45A730D7E95F731F250690@AMSPRD0611MB548.eurprd06.prod.outlook.com>
	<kip3jj$ngv$1@ger.gmane.org>
Message-ID: <2EA68A4ECC41C14B9B45A730D7E95F731F29587F@AMSPRD0611MB548.eurprd06.prod.outlook.com>

Hello all,

Many thanks for your reply Steve,

As per your request: 

[root at smtp1 r2JAPluH011324]# file *
dfr2JAPluH011324: ASCII text
qfr2JAPluH011324: Non-ISO extended-ASCII text, with very long lines

Thoughts/ideas?

Kind regards,

Nik
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Freegard
Sent: 25 March 2013 08:59
To: mailscanner at lists.mailscanner.info
Subject: Re: Filetype Checks: No executables on Greek Emails

Nik,

On 22/03/13 15:09, Nikolaos Pavlidis wrote:
> [root at smtp1 r2JAPluH011324]# file -i *
> dfr2JAPluH011324: text/plain; charset=us-ascii
> qfr2JAPluH011324: text/plain; charset=unknown
>

Run the same command without the '-i' as a different magic set is used. 
  MailScanner runs both 'file' and 'file -i', so I suspect the former is returning 'executable' whilst the latter is not.

Regards,
Steve.


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 



From mark at msapiro.net  Wed Mar 27 16:22:33 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 27 Mar 2013 09:22:33 -0700
Subject: ScamNailer
In-Reply-To: <PC1993201303170705490384eed1e871@Notebook-09>
References: <PC1993201303170705490384eed1e871@Notebook-09>
Message-ID: <51531CC9.2010907@msapiro.net>

ScamNailer update is again not working. This time it is the server at
cdn.mailscanner.info not accepting connects.

This began some time between 27 March 2013 00:16 GMT and 27 March 2013
06:16 GMT.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From paul at welshfamily.com  Wed Mar 27 21:32:06 2013
From: paul at welshfamily.com (Paul Welsh)
Date: Wed, 27 Mar 2013 21:32:06 +0000
Subject: NJABL is dead
Message-ID: <CAA510g5nr24HYYvoEWfHB5OsrnOGL+NwmXQm+gm=d-iv-h9Kqg@mail.gmail.com>

On my server, the last time any reference to NJABL occurred was on 25
Feb.  I've carried out the steps below but just wondering if it was
necessary?

 On Mon, Mar 25, 2013 at 10:01 AM, Richard Coombe
<richard.coombe at taffhousing.co.uk> wrote:
>>> Date: Sun, 3 Mar 2013 09:33:40 -0500 From: Alex Neuman
>>> <alex at vidadigital.com.pa>
>>> Subject: Re: NJABL is dead
>>>
>>> In order to stop using NJABL we need to:
>>
>>> 1. Get rid of the following line from "spam.lists.conf" (or comment it out like other lists that have been deactivated):
>>> NJABL                           dnsbl.njabl.org.
>>> 2. Remove "NJABL" from the "Spam List =" parameter if you're using it, in /etc/MailScanner/MailScanner.conf or your designated config file.
>>> 3. Add the following to your /etc/mail/spamassassin/local.cf score
>>> RCVD_IN_NJABL_CGI 0 score RCVD_IN_NJABL_MULTI 0 score RCVD_IN_NJABL_PROXY 0 score RCVD_IN_NJABL_RELAY 0 score RCVD_IN_NJABL_SPAM 0 4.
> Restart/reload your services.

From mailscanner at joolee.nl  Thu Mar 28 10:42:26 2013
From: mailscanner at joolee.nl (Joolee)
Date: Thu, 28 Mar 2013 11:42:26 +0100
Subject: Filetype Checks: No executables on Greek Emails
In-Reply-To: <2EA68A4ECC41C14B9B45A730D7E95F731F29587F@AMSPRD0611MB548.eurprd06.prod.outlook.com>
References: <2EA68A4ECC41C14B9B45A730D7E95F731F250690@AMSPRD0611MB548.eurprd06.prod.outlook.com>
	<kip3jj$ngv$1@ger.gmane.org>
	<2EA68A4ECC41C14B9B45A730D7E95F731F29587F@AMSPRD0611MB548.eurprd06.prod.outlook.com>
Message-ID: <CA+Q-w8VZmWeGFhqcJTt=ZRq9vqdwbmCFyMhZgQ6Wd3vbVO3s_A@mail.gmail.com>

Try the suggestions in
http://lists.mailscanner.info/pipermail/mailscanner/2012-August/thread.html#99801(Help
Request SPAM Asian
characters.<http://lists.mailscanner.info/pipermail/mailscanner/2012-August/099801.html>
)
and
http://lists.mailscanner.info/pipermail/mailscanner/2012-June/thread.html#99632(Russian
KOI8-R from GMail users
blocked<http://lists.mailscanner.info/pipermail/mailscanner/2012-June/099632.html>
)


On 27 March 2013 09:43, Nikolaos Pavlidis <Nikolaos.Pavlidis at beds.ac.uk>wrote:

> Hello all,
>
> Many thanks for your reply Steve,
>
> As per your request:
>
> [root at smtp1 r2JAPluH011324]# file *
> dfr2JAPluH011324: ASCII text
> qfr2JAPluH011324: Non-ISO extended-ASCII text, with very long lines
>
> Thoughts/ideas?
>
> Kind regards,
>
> Nik
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Freegard
> Sent: 25 March 2013 08:59
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Filetype Checks: No executables on Greek Emails
>
> Nik,
>
> On 22/03/13 15:09, Nikolaos Pavlidis wrote:
> > [root at smtp1 r2JAPluH011324]# file -i *
> > dfr2JAPluH011324: text/plain; charset=us-ascii
> > qfr2JAPluH011324: text/plain; charset=unknown
> >
>
> Run the same command without the '-i' as a different magic set is used.
>   MailScanner runs both 'file' and 'file -i', so I suspect the former is
> returning 'executable' whilst the latter is not.
>
> Regards,
> Steve.
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130328/4410377d/attachment.html 

From Kevin_Miller at ci.juneau.ak.us  Thu Mar 28 18:30:00 2013
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu, 28 Mar 2013 10:30:00 -0800
Subject: Bad phishing sites URL broken?
Message-ID: <C87702B41702834792222AE25D4057B665C6@city-exchange07>

The script to update bad phishing sites has been reporting an error since last evening.  Trying to go to http://cdn.mailscanner.info/ renders the following:

  The following error was encountered while trying to retrieve the URL: http://cdn.mailscanner.info/
    Connection to 50.23.99.148 failed.
  The system returned: (111) Connection refused
  The remote host or network may be down. Please try the request again.

Is anyone else seeing this?  Any ETA on when it'll return?

?...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 


From dgottsc at emory.edu  Thu Mar 28 18:46:35 2013
From: dgottsc at emory.edu (Gottschalk, David)
Date: Thu, 28 Mar 2013 18:46:35 +0000
Subject: Bad phishing sites URL broken?
In-Reply-To: <C87702B41702834792222AE25D4057B665C6@city-exchange07>
References: <C87702B41702834792222AE25D4057B665C6@city-exchange07>
Message-ID: <29C400C10C01FA4C8405D52684332F694A25F35A@e14mbx15n.Enterprise.emory.net>

I'm seeing this as well.

David Gottschalk
Emory University
UTS Messaging Team

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin Miller
Sent: Thursday, March 28, 2013 2:30 PM
To: MailScanner List (mailscanner at lists.mailscanner.info)
Subject: Bad phishing sites URL broken?

The script to update bad phishing sites has been reporting an error since last evening.  Trying to go to http://cdn.mailscanner.info/ renders the following:

  The following error was encountered while trying to retrieve the URL: http://cdn.mailscanner.info/
    Connection to 50.23.99.148 failed.
  The system returned: (111) Connection refused
  The remote host or network may be down. Please try the request again.

Is anyone else seeing this?  Any ETA on when it'll return?

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

________________________________

This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

From pparsons at techeez.com  Fri Mar 29 00:47:06 2013
From: pparsons at techeez.com (Philip Parsons)
Date: Fri, 29 Mar 2013 00:47:06 +0000
Subject: Remove the inline tag that the message was scanner
Message-ID: <11D8E491D9562549A61FD3186F36342001B46FBF52@exchange.techeez.com>

I have someone asking if I can remove the tags.  Does anyone know of what I can change to do that ? thought I would ask before I go through the conf line by line ?


Thank you.
Philip Parsons
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130329/be332d67/attachment.html 

From jerry.benton at mailborder.com  Fri Mar 29 02:42:52 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 29 Mar 2013 03:42:52 +0100
Subject: Remove the inline tag that the message was scanner
In-Reply-To: <11D8E491D9562549A61FD3186F36342001B46FBF52@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001B46FBF52@exchange.techeez.com>
Message-ID: <CAED3VzAPghU8sg5xm05NFxkyOMSNrP6wjUk3bLcyRxmEhgB1ZQ@mail.gmail.com>

Sign Clean Messages =


On Fri, Mar 29, 2013 at 1:47 AM, Philip Parsons <pparsons at techeez.com>wrote:

>  I have someone asking if I can remove the tags.  Does anyone know of
> what I can change to do that ? thought I would ask before I go through the
> conf line by line ?****
>
> ** **
>
> ** **
>
> Thank you. ****
>
> Philip Parsons****
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 

--
Jerry Benton
Mailborder Systems
www.mailborder.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130329/c18f734e/attachment.html 

From mark at msapiro.net  Fri Mar 29 16:21:49 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 29 Mar 2013 09:21:49 -0700
Subject: ScamNailer
In-Reply-To: <51531CC9.2010907@msapiro.net>
References: <51531CC9.2010907@msapiro.net>
Message-ID: <5155BF9D.1020504@msapiro.net>

Mark Sapiro wrote:
> ScamNailer update is again not working. This time it is the server at
> cdn.mailscanner.info not accepting connects.
> 
> This began some time between 27 March 2013 00:16 GMT and 27 March 2013
> 06:16 GMT.


The server does answer pings but still doesn't accept my http connects.

Do others have this problem?

Does anyone care?

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From dgottsc at emory.edu  Fri Mar 29 16:42:26 2013
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri, 29 Mar 2013 16:42:26 +0000
Subject: ScamNailer
In-Reply-To: <5155BF9D.1020504@msapiro.net>
References: <51531CC9.2010907@msapiro.net> <5155BF9D.1020504@msapiro.net>
Message-ID: <29C400C10C01FA4C8405D52684332F694A2600D2@e14mbx15n.Enterprise.emory.net>

I know there were issues with ScamNailer about a week ago, maybe this is related?

I do care too, as I find this service very useful.

David Gottschalk
Emory University
UTS Messaging Team


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Friday, March 29, 2013 12:22 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: ScamNailer

Mark Sapiro wrote:
> ScamNailer update is again not working. This time it is the server at
> cdn.mailscanner.info not accepting connects.
>
> This began some time between 27 March 2013 00:16 GMT and 27 March 2013
> 06:16 GMT.


The server does answer pings but still doesn't accept my http connects.

Do others have this problem?

Does anyone care?

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

________________________________

This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

From jesjen2001 at yahoo.dk  Fri Mar 29 17:50:04 2013
From: jesjen2001 at yahoo.dk (Jesper Jensen)
Date: Fri, 29 Mar 2013 17:50:04 +0000 (GMT)
Subject: cdn.mailscanner.info is broken, no access to mail adresses
In-Reply-To: <mailman.1.1364558402.13991.mailscanner@lists.mailscanner.info>
References: <mailman.1.1364558402.13991.mailscanner@lists.mailscanner.info>
Message-ID: <1364579404.55903.YahooMailNeo@web171502.mail.ir2.yahoo.com>

yes same for us, it tries to get the mail address but no access..?

/Jesper






________________________________
 Fra: "mailscanner-request at lists.mailscanner.info" <mailscanner-request at lists.mailscanner.info>
Til: mailscanner at lists.mailscanner.info 
Sendt: 13:00 fredag den 29. marts 2013
Emne: MailScanner Digest, Vol 87, Issue 25
 
Send MailScanner mailing list submissions to
??? mailscanner at lists.mailscanner.info

To subscribe or unsubscribe via the World Wide Web, visit
??? http://lists.mailscanner.info/mailman/listinfo/mailscanner
or, via email, send a message with subject or body 'help' to
??? mailscanner-request at lists.mailscanner.info

You can reach the person managing the list at
??? mailscanner-owner at lists.mailscanner.info

When replying, please edit your Subject line so it is more specific
than "Re: Contents of MailScanner digest..."


Today's Topics:

?  1. Re: Filetype Checks: No executables on Greek Emails (Joolee)
?  2. Bad phishing sites URL broken? (Kevin Miller)
?  3. RE: Bad phishing sites URL broken? (Gottschalk, David)
?  4. Remove the inline tag that the message was scanner
? ? ? (Philip Parsons)
?  5. Re: Remove the inline tag that the message was scanner
? ? ? (Jerry Benton)


----------------------------------------------------------------------

Message: 1
Date: Thu, 28 Mar 2013 11:42:26 +0100
From: Joolee <mailscanner at joolee.nl>
Subject: Re: Filetype Checks: No executables on Greek Emails
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID:
??? <CA+Q-w8VZmWeGFhqcJTt=ZRq9vqdwbmCFyMhZgQ6Wd3vbVO3s_A at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Try the suggestions in
http://lists.mailscanner.info/pipermail/mailscanner/2012-August/thread.html#99801(Help
Request SPAM Asian
characters.<http://lists.mailscanner.info/pipermail/mailscanner/2012-August/099801.html>
)
and
http://lists.mailscanner.info/pipermail/mailscanner/2012-June/thread.html#99632(Russian
KOI8-R from GMail users
blocked<http://lists.mailscanner.info/pipermail/mailscanner/2012-June/099632.html>
)


On 27 March 2013 09:43, Nikolaos Pavlidis <Nikolaos.Pavlidis at beds.ac.uk>wrote:

> Hello all,
>
> Many thanks for your reply Steve,
>
> As per your request:
>
> [root at smtp1 r2JAPluH011324]# file *
> dfr2JAPluH011324: ASCII text
> qfr2JAPluH011324: Non-ISO extended-ASCII text, with very long lines
>
> Thoughts/ideas?
>
> Kind regards,
>
> Nik
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Freegard
> Sent: 25 March 2013 08:59
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Filetype Checks: No executables on Greek Emails
>
> Nik,
>
> On 22/03/13 15:09, Nikolaos Pavlidis wrote:
> > [root at smtp1 r2JAPluH011324]# file -i *
> > dfr2JAPluH011324: text/plain; charset=us-ascii
> > qfr2JAPluH011324: text/plain; charset=unknown
> >
>
> Run the same command without the '-i' as a different magic set is used.
>?  MailScanner runs both 'file' and 'file -i', so I suspect the former is
> returning 'executable' whilst the latter is not.
>
> Regards,
> Steve.
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130328/4410377d/attachment-0001.html 

------------------------------

Message: 2
Date: Thu, 28 Mar 2013 10:30:00 -0800
From: Kevin Miller <Kevin_Miller at ci.juneau.ak.us>
Subject: Bad phishing sites URL broken?
To: "MailScanner List (mailscanner at lists.mailscanner.info)"
??? <mailscanner at lists.mailscanner.info>
Message-ID: <C87702B41702834792222AE25D4057B665C6 at city-exchange07>
Content-Type: text/plain; charset="iso-8859-1"

The script to update bad phishing sites has been reporting an error since last evening.? Trying to go to http://cdn.mailscanner.info/ renders the following:

? The following error was encountered while trying to retrieve the URL: http://cdn.mailscanner.info/
? ? Connection to 50.23.99.148 failed.
? The system returned: (111) Connection refused
? The remote host or network may be down. Please try the request again.

Is anyone else seeing this?? Any ETA on when it'll return?

?...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 



------------------------------

Message: 3
Date: Thu, 28 Mar 2013 18:46:35 +0000
From: "Gottschalk, David" <dgottsc at emory.edu>
Subject: RE: Bad phishing sites URL broken?
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID:
??? <29C400C10C01FA4C8405D52684332F694A25F35A at e14mbx15n.Enterprise.emory.net>
??? 
Content-Type: text/plain; charset="iso-8859-1"

I'm seeing this as well.

David Gottschalk
Emory University
UTS Messaging Team

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin Miller
Sent: Thursday, March 28, 2013 2:30 PM
To: MailScanner List (mailscanner at lists.mailscanner.info)
Subject: Bad phishing sites URL broken?

The script to update bad phishing sites has been reporting an error since last evening.? Trying to go to http://cdn.mailscanner.info/ renders the following:

? The following error was encountered while trying to retrieve the URL: http://cdn.mailscanner.info/
? ? Connection to 50.23.99.148 failed.
? The system returned: (111) Connection refused
? The remote host or network may be down. Please try the request again.

Is anyone else seeing this?? Any ETA on when it'll return?

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

________________________________

This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).


------------------------------

Message: 4
Date: Fri, 29 Mar 2013 00:47:06 +0000
From: Philip Parsons <pparsons at techeez.com>
Subject: Remove the inline tag that the message was scanner
To: "mailscanner at lists.mailscanner.info"
??? <mailscanner at lists.mailscanner.info>
Message-ID:
??? <11D8E491D9562549A61FD3186F36342001B46FBF52 at exchange.techeez.com>
Content-Type: text/plain; charset="us-ascii"

I have someone asking if I can remove the tags.? Does anyone know of what I can change to do that ? thought I would ask before I go through the conf line by line ?


Thank you.
Philip Parsons
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130329/be332d67/attachment-0001.html 

------------------------------

Message: 5
Date: Fri, 29 Mar 2013 03:42:52 +0100
From: Jerry Benton <jerry.benton at mailborder.com>
Subject: Re: Remove the inline tag that the message was scanner
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID:
??? <CAED3VzAPghU8sg5xm05NFxkyOMSNrP6wjUk3bLcyRxmEhgB1ZQ at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Sign Clean Messages =


On Fri, Mar 29, 2013 at 1:47 AM, Philip Parsons <pparsons at techeez.com>wrote:

>? I have someone asking if I can remove the tags.? Does anyone know of
> what I can change to do that ? thought I would ask before I go through the
> conf line by line ?****
>
> ** **
>
> ** **
>
> Thank you. ****
>
> Philip Parsons****
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 

--
Jerry Benton
Mailborder Systems
www.mailborder.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130329/c18f734e/attachment-0001.html 

------------------------------

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read the Wiki (http://wiki.mailscanner.info/).

Support MailScanner development - buy the book off the website! 


End of MailScanner Digest, Vol 87, Issue 25
*******************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130329/de3dcde9/attachment.html