From maxsec at gmail.com Wed May 1 12:49:03 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Wed, 1 May 2013 12:49:03 +0100 Subject: MailScanner stop checking mail In-Reply-To: References: Message-ID: Check whats in the message queue folder to scan. make sure there are no hidden (dot) files in there -- Martin Hepworth, CISSP Oxford, UK On 30 April 2013 23:18, Carlos Ra?l Laguna wrote: > > Hi everyone after a few hour trying to figureout what went wrong i am here > both of my server with mailscanner dosent process any mail anymore the > server start and then it sit there waiting > > postfix 5555 0.0 1.2 188364 33268 ? SNs 17:39 0:00 MailScanner: starting > child > postfix 11024 5.1 3.3 259944 87880 ? SN 17:59 0:51 MailScanner: waiting > for messages > > I see no log in mail.log or what so ever that actually pointme somewhere > to look > MailScanner --debug i freeze in > > In Debugging mode, not forking... > Trying to setlogsock(unix) > Building a message batch to scan... > and that it > > any idea what is goin on ? > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130501/f77f7e14/attachment.html From Amelein at dantumadiel.eu Wed May 1 15:31:42 2013 From: Amelein at dantumadiel.eu (Arjan Melein) Date: Wed, 01 May 2013 16:31:42 +0200 Subject: Mailscanner performance monitoring ? Message-ID: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> We're currently getting flooded by spam and every so often our mailscanner is having trouble seems to have trouble keeping up causing our inbound queue to hit 3000+ messages and I am trying to figure out where the processing time is going. I am getting the impression *something* is causing a delay, I am unsure as to what but I'm thinking in the way of RBL's or DNS... The server is a quadcore with 20 MS threads and it can churn through 10-30 average mails per second depending on their size so either e-mails are being delivered faster then they can be scanned or there is indeed a delay somewhere. Its a 'new' install (few months old) on FC18. I've seen it clear the 3000 message queue in 5 - 10 minutes after manually stopping and starting mailscanner. Any ideas anyone ? - Arjan From maxsec at gmail.com Wed May 1 16:35:17 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Wed, 1 May 2013 16:35:17 +0100 Subject: Mailscanner performance monitoring ? In-Reply-To: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> References: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> Message-ID: local caching DNS server only run a couple of RBL's (no need to run lots) drop unknown recipients on the incoming MTA -- Martin Hepworth, CISSP Oxford, UK On 1 May 2013 15:31, Arjan Melein wrote: > We're currently getting flooded by spam and every so often our mailscanner > is having trouble seems to have trouble keeping up causing our inbound > queue to hit 3000+ messages and I am trying to figure out where the > processing time is going. > I am getting the impression *something* is causing a delay, I am unsure as > to what but I'm thinking in the way of RBL's or DNS... > > The server is a quadcore with 20 MS threads and it can churn through 10-30 > average mails per second depending on their size so either e-mails are > being delivered faster then they can be scanned or there is indeed a delay > somewhere. > > Its a 'new' install (few months old) on FC18. I've seen it clear the 3000 > message queue in 5 - 10 minutes after manually stopping and starting > mailscanner. > > Any ideas anyone ? > > - > Arjan > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130501/35bb26b2/attachment.html From alex at vidadigital.com.pa Wed May 1 19:56:13 2013 From: alex at vidadigital.com.pa (Alex Neuman) Date: Wed, 1 May 2013 13:56:13 -0500 Subject: Mailscanner performance monitoring ? In-Reply-To: References: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> Message-ID: An OT recommendation: stick with RH or CentOS instead of Fedora. While Fedora's "bleeding edge" approach works great on the desktop, CentOS might be a better fit since it uses older, more stable (but with security patched backported) components; of course, YMMV. On Wed, May 1, 2013 at 10:35 AM, Martin Hepworth wrote: > local caching DNS server > only run a couple of RBL's (no need to run lots) > drop unknown recipients on the incoming MTA > > -- > Martin Hepworth, CISSP > Oxford, UK > > > On 1 May 2013 15:31, Arjan Melein wrote: >> >> We're currently getting flooded by spam and every so often our mailscanner >> is having trouble seems to have trouble keeping up causing our inbound queue >> to hit 3000+ messages and I am trying to figure out where the processing >> time is going. >> I am getting the impression *something* is causing a delay, I am unsure as >> to what but I'm thinking in the way of RBL's or DNS... >> >> The server is a quadcore with 20 MS threads and it can churn through 10-30 >> average mails per second depending on their size so either e-mails are being >> delivered faster then they can be scanned or there is indeed a delay >> somewhere. >> >> Its a 'new' install (few months old) on FC18. I've seen it clear the 3000 >> message queue in 5 - 10 minutes after manually stopping and starting >> mailscanner. >> >> Any ideas anyone ? >> >> - >> Arjan >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital From philb at philb.us Thu May 2 06:47:05 2013 From: philb at philb.us (Phil Barnett) Date: Thu, 2 May 2013 01:47:05 -0400 Subject: Mailscanner performance monitoring ? In-Reply-To: References: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> Message-ID: I do quite a few things for processing speed. One of the important ones is to create a ramdisk where you unpack your mail for scanning. My recipe is in the following document. It has been updated over the years since I created it in 2007. http://leap-cf.org/presentations/MailScanner/MailScanner.odt On Wed, May 1, 2013 at 2:56 PM, Alex Neuman wrote: > An OT recommendation: stick with RH or CentOS instead of Fedora. While > Fedora's "bleeding edge" approach works great on the desktop, CentOS > might be a better fit since it uses older, more stable (but with > security patched backported) components; of course, YMMV. > > On Wed, May 1, 2013 at 10:35 AM, Martin Hepworth wrote: > > local caching DNS server > > only run a couple of RBL's (no need to run lots) > > drop unknown recipients on the incoming MTA > > > > -- > > Martin Hepworth, CISSP > > Oxford, UK > > > > > > On 1 May 2013 15:31, Arjan Melein wrote: > >> > >> We're currently getting flooded by spam and every so often our > mailscanner > >> is having trouble seems to have trouble keeping up causing our inbound > queue > >> to hit 3000+ messages and I am trying to figure out where the processing > >> time is going. > >> I am getting the impression *something* is causing a delay, I am unsure > as > >> to what but I'm thinking in the way of RBL's or DNS... > >> > >> The server is a quadcore with 20 MS threads and it can churn through > 10-30 > >> average mails per second depending on their size so either e-mails are > being > >> delivered faster then they can be scanned or there is indeed a delay > >> somewhere. > >> > >> Its a 'new' install (few months old) on FC18. I've seen it clear the > 3000 > >> message queue in 5 - 10 minutes after manually stopping and starting > >> mailscanner. > >> > >> Any ideas anyone ? > >> > >> - > >> Arjan > >> > >> -- > >> MailScanner mailing list > >> mailscanner at lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > > > > > > > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > -- > > -- > > Alex Neuman van der Hans > Reliant Technologies / Vida Digital > http://vidadigital.com.pa/ > > +507-6781-9505 > +507-832-6725 > +1-440-253-9789 (USA) > > Follow @AlexNeuman on Twitter > http://facebook.com/vidadigital > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130502/9217683e/attachment.html From glenn.steen at gmail.com Thu May 2 14:47:14 2013 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu, 2 May 2013 15:47:14 +0200 Subject: mailscanner + exim release from out queue In-Reply-To: References: Message-ID: On 30 April 2013 09:49, Jonas Akrouh Larsen wrote: > Hi Glenn**** > > ** ** > > >That MailScanner doesn't operate at SMTP-time is exactly what sets it > apart... It is the fundamental difference that make MailScanner perform so > >much better, and suffer from so much less risk of DoS:ing, than amavisd ... > **** > > >Sure, you cannot do "on the fly rejections", but ... AV/Anti-UCE scanning > is to expensive at that stage anyway (IMO)... apart from the simple >things > you can do in the MTA, that is (recipient verification, rfc strictness, > graylisting etc). But the benefits of not doing it in one go, as amavisd > >does, far outweigh that drawback.**** > > >If one were to somehow wrangle MailScanner into action during SMTP... one > could as well use amavisd instead;-).**** > > >** ** > > >As for choice of MTA, one should always stick with the one one is most > comfortable with ... You're far less likely to foobar things if you know > >what you're doing:-). If one starts from scratch, taking into account what > happens to be the default on the system you use seem like a very sound > >strategy:-).**** > > ** ** > > I?ve stuck with exim+MS for 5 years so I guess I must be liking it for the > most part J**** > > ** > For the most pat, yes...:-) Have been using Postfix/MS for close to 10 years myself. Still a happy customer;-). ** > > However I do find it annoying not being able to scan at smtp time, it > would be much simpler for bounces and such, and rid my outgoing queue of > mails I can?t return to sender because it was forged etc.**** > > ** > With the numbers you quote in a later response in this thread (20k/day with about 20-40 bouces "living" in your outgoing queue at any given moment), it doesn't sound that bad... Sure, one *could* miss something important in theoutgoing queue, but ... once you look there, you tend to know that you're looking for, wouldn't you say?;-). You mention a few of these are due to systems downstream doing 4xx temp failures, or similar... The way I work around this is by not doing a normal "call ahead recipient verification", but rather maintain a relay recipient file that I recreate (if the downstream hosts are available) every 15 minutes... That way, the normal scanning will take place as long as my MX doesn't run out of disk for the queues. Don't know if this is easily done in exim, but is rather trivial with postfix. And yes, I do realize that doing things like that isn't optimal for a service provider type of setup. But for the corporate side of things... It just works dandily:-) ** > > Also it shouldn?t run in parallel, so it?s no more expensive than running > it post smtp, since you don?t spam scan a virus, you don?t virusscan > something listed on rbl etc.**** > > ** > But the thing is, with the load you describe, you very likely do have batches larger than 1 message/batch... If you do "MS scanning" at SMTP-time, you will not be able to do that. Sure, you'd still "gain" the intelligent order of execution MS has, but ... you'd miss out on the truly impressive performance gain you have in the batching. Also... Don't underestimate the DoS risk... While under fire on a normal MS setup, the queue storage is likely to run out before the system croaks due to processing ... overload ... Do MS at SMTP and the system will likely go into memory deprivation/thrashing or plain run out of CPU before anything like that can happen... IMO, that is:-). ** > > But thanks for the comments J**** > > ** > You're welcome. > ** > > ** ** > > Med venlig hilsen / Best regards**** > > > V?nlig h?lsning till dig med! Cheers -- -- Glenn > **** > > Jonas Akrouh Larsen**** > > **** > > TechBiz ApS**** > > Laplandsgade 4, 2. sal**** > > 2300 K?benhavn S**** > > **** > > Office: 7020 0979**** > > Direct: 3336 9974**** > > Mobile: 5120 1096**** > > Fax: 7020 0978**** > > Web: www.techbiz.dk**** > > ** ** > > ** ** > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130502/13b3f09b/attachment.html From magiza83 at hotmail.com Thu May 2 17:22:52 2013 From: magiza83 at hotmail.com (=?iso-8859-1?B?TWFuZWwgR2ltZW5vIFphcmFnb3rh?=) Date: Thu, 2 May 2013 18:22:52 +0200 Subject: mailscanner + exim release from out queue In-Reply-To: References: , , Message-ID: Hello Alex, In my case, I have more experience in postfix, but now we are trying to develop a proyect under exim+Mailscanner+baruwa2 Baruwa2 only has support for exim, so I have to "learn" how to configure properly exim+Mailscanner Manel > Date: Sat, 27 Apr 2013 10:57:50 -0500 > Subject: Re: mailscanner + exim release from out queue > From: alex at vidadigital.com.pa > To: mailscanner at lists.mailscanner.info > > Just for informational purposes - I'm not judging - I'd like to know > why you've chosen Exim over Sendmail or Postfix, for example. If it's > too "off topic" it's ok to answer off-list - y en espa?ol si te es m?s > f?cil :D > > On Thu, Apr 25, 2013 at 5:54 AM, Martin Hepworth wrote: > > In that case maybe you've noy got the two exim instances running. check > > you've started both Exim processes. > > > > Also the Outgoing queue in MailScanner.conf is wrong, this should the queue > > dir that the 'outgoing' exim process is reading. > > > > The main architecture of MailScanner is that it sits between two MTA queues > > and moves 'good' email from one queue to another. So you need to make sure > > yo've got the incoming queue that just holds onto the email for MaiLScanner > > to grab and the outgoing queue that MailScanner will drop scanned email into > > for onward delivery > > > > > > -- > > Martin Hepworth, CISSP > > Oxford, UK > > > > > > On 24 April 2013 16:05, Manel Gimeno Zaragoz? wrote: > >> > >> Hello, > >> > >> I'm working on a proyect using exim + mailscanner. I've followed the > >> installation guide from http://www.mailscanner.info/exim.html and now exim + > >> mailscanner is almost working, the only problem i've found is to release the > >> mails from exim out queue. > >> > >> Reading the documentation I've not found any way to do it, so I create a > >> cron to do it every minute. > >> > >> Is this the way to do it? > >> My conf file looks like: > >> > >> Mailscanner.conf > >> ... > >> Run As User = exim > >> Run As Group = exim > >> Incoming Queue Dir = /var/spool/exim.in/input > >> Outgoing Queue Dir = /var/spool/exim/input > >> MTA = exim > >> Sendmail = /usr/sbin/exim -C /etc/exim/exim.conf.out -oMr MailScanner > >> Sendmail2 = /usr/sbin/exim -C /etc/exim/exim.conf.out -oMr MailScanner > >> Quarantine User = exim > >> ... > >> > >> Thanks & Regards. > >> > >> Manel > >> > >> -- > >> MailScanner mailing list > >> mailscanner at lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > > > > > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > -- > > -- > > Alex Neuman van der Hans > Reliant Technologies / Vida Digital > http://vidadigital.com.pa/ > > +507-6781-9505 > +507-832-6725 > +1-440-253-9789 (USA) > > Follow @AlexNeuman on Twitter > http://facebook.com/vidadigital > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130502/e69263f7/attachment.html From carlosla1987 at gmail.com Thu May 2 20:13:51 2013 From: carlosla1987 at gmail.com (=?ISO-8859-1?Q?Carlos_Ra=FAl_Laguna?=) Date: Thu, 2 May 2013 15:13:51 -0400 Subject: MailScanner stop checking mail In-Reply-To: References: Message-ID: Sorry the delay i was able to solve the main problem but now i have a derived problem from the previous my original problem seems to be a problem of MailScanner o Baruwa not really sure if the option enable_long_queue_ids = no is set to yes, right now is set to no and the mail is been process but no all that all mail with previous long id are been hold not really sure how to get them out of there. 2013/5/1 Martin Hepworth > Check whats in the message queue folder to scan. make sure there are no > hidden (dot) files in there > > -- > Martin Hepworth, CISSP > Oxford, UK > > > On 30 April 2013 23:18, Carlos Ra?l Laguna wrote: > >> >> Hi everyone after a few hour trying to figureout what went wrong i am >> here both of my server with mailscanner dosent process any mail anymore >> the server start and then it sit there waiting >> >> postfix 5555 0.0 1.2 188364 33268 ? SNs 17:39 0:00 MailScanner: starting >> child >> postfix 11024 5.1 3.3 259944 87880 ? SN 17:59 0:51 MailScanner: waiting >> for messages >> >> I see no log in mail.log or what so ever that actually pointme somewhere >> to look >> MailScanner --debug i freeze in >> >> In Debugging mode, not forking... >> Trying to setlogsock(unix) >> Building a message batch to scan... >> and that it >> >> any idea what is goin on ? >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130502/730e6d61/attachment.html From richard at fastnet.co.uk Fri May 3 09:55:49 2013 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri, 3 May 2013 08:55:49 +0000 Subject: Mailscanner performance monitoring ? In-Reply-To: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> References: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> Message-ID: <6EE47AF64C339A4F8F7F50507241B37948EBBD@BTN-EXCHANGE-V1.fastnet.local> What RBL's are you using? Check your mail logs and you could run a perl script to do a count for the top 10 hosts hitting your server. Check those hosts in particular to see if you are being attacked. If so, implement fail2ban. Also check your SA and MailScanner config (mailscanner --lint) -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Arjan Melein Sent: 01 May 2013 15:32 To: mailscanner at lists.mailscanner.info Subject: Mailscanner performance monitoring ? We're currently getting flooded by spam and every so often our mailscanner is having trouble seems to have trouble keeping up causing our inbound queue to hit 3000+ messages and I am trying to figure out where the processing time is going. I am getting the impression *something* is causing a delay, I am unsure as to what but I'm thinking in the way of RBL's or DNS... The server is a quadcore with 20 MS threads and it can churn through 10-30 average mails per second depending on their size so either e-mails are being delivered faster then they can be scanned or there is indeed a delay somewhere. Its a 'new' install (few months old) on FC18. I've seen it clear the 3000 message queue in 5 - 10 minutes after manually stopping and starting mailscanner. Any ideas anyone ? - Arjan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From max at inmindlabs.com Fri May 3 15:37:22 2013 From: max at inmindlabs.com (Max Kipness) Date: Fri, 3 May 2013 09:37:22 -0500 Subject: Stop Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B7419AA@addc01.assuredata.local> Good morning, We get quite a few of the Citibank/Paymentech and other spam with the exe executable attached. The attachment is stripped and the user gets a warning. Is there a way to stop the message to the user if the file is an executable only? I see in filename.rules.conf there is a deny+delete, but I think that just deletes the file. Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130503/d3a5f15d/attachment.html From max at inmindlabs.com Fri May 3 15:51:05 2013 From: max at inmindlabs.com (Max Kipness) Date: Fri, 3 May 2013 09:51:05 -0500 Subject: Stop Executable Warnings Messages only Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B7419AE@addc01.assuredata.local> Good morning, We get quite a few of the Citibank/Paymentech and other spam with the exe executable attached. The attachment is stripped and the user gets a warning. Is there a way to stop the message to the user if the file is an executable only? I see in filename.rules.conf there is a deny+delete, but I think that just deletes the file. Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130503/3f7dd061/attachment.html From alex at vidadigital.com.pa Fri May 3 17:06:57 2013 From: alex at vidadigital.com.pa (Alex Neuman) Date: Fri, 3 May 2013 11:06:57 -0500 Subject: Stop Executable Warnings Messages only In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B7419AE@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B7419AE@addc01.assuredata.local> Message-ID: You could set up a SpamAssassin rule where e-mail with a .exe MIME attachment gets scored 1000 points and gets deleted as High Scoring spam, for example. On Fri, May 3, 2013 at 9:51 AM, Max Kipness wrote: > Good morning, > > > > We get quite a few of the Citibank/Paymentech and other spam with the exe > executable attached. The attachment is stripped and the user gets a warning. > > > > Is there a way to stop the message to the user if the file is an executable > only? I see in filename.rules.conf there is a deny+delete, but I think that > just deletes the file. > > > > Thanks, > > Max > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital From max at inmindlabs.com Fri May 3 23:54:04 2013 From: max at inmindlabs.com (Max Kipness) Date: Fri, 3 May 2013 17:54:04 -0500 Subject: Stop Executable Warnings Messages only Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B7419C6@addc01.assuredata.local> I had already tried setting up a rule, but it seems like the SA rules get hit after the filename rules, so SA gets ignored in this case. Max >You could set up a SpamAssassin rule where e-mail with a .exe MIME >attachment gets scored 1000 points and gets deleted as High Scoring >spam, for example. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130503/e81bb8f9/attachment.html From mgt at stellarcore.net Sat May 4 02:51:42 2013 From: mgt at stellarcore.net (Mike Tremaine) Date: Fri, 3 May 2013 18:51:42 -0700 Subject: Question regarding whitelisting part of a domain Message-ID: <8197B6DC-52B2-40E7-9558-3B82A7CFD452@stellarcore.net> This is a strange one and I'm not sure how to do it off the top of my head. I've got a domain that wants to try out mailscanner BUT they only want a few [6] addresses filtered. The rest they want to let through untouched. [Yes I know but it's a waste of oxygen to argue sometimes]. Without getting a full list of valid email addresses can anyone think of a clever way to whitelist the domain EXCEPT for the the 6. I don't think the rulesets allow for negation in the matching.... I also assume the biggest rule win so To: thing1 at somedomain.com no To: *@somedomain.com yes Would not work in the spam.whitelist.rules -Mike Tremaine From rcooper at dwford.com Sat May 4 16:52:08 2013 From: rcooper at dwford.com (Rick Cooper) Date: Sat, 4 May 2013 11:52:08 -0400 Subject: Question regarding whitelisting part of a domain In-Reply-To: <8197B6DC-52B2-40E7-9558-3B82A7CFD452@stellarcore.net> References: <8197B6DC-52B2-40E7-9558-3B82A7CFD452@stellarcore.net> Message-ID: <11B61C71493142CA87F41090606EF034@SAHOMELT> Mike Tremaine wrote: > This is a strange one and I'm not sure how to do it off the top of my > head. I've got a domain that wants to try out mailscanner BUT they > only want a few [6] addresses filtered. The rest they want to let > through untouched. [Yes I know but it's a waste of oxygen to argue > sometimes]. Without getting a full list of valid email addresses can > anyone think of a clever way to whitelist the domain EXCEPT for the > the 6. I don't think the rulesets allow for negation in the > matching.... I also assume the biggest rule win so > > To: thing1 at somedomain.com no > To: *@somedomain.com yes > > Would not work in the spam.whitelist.rules > > -Mike Tremaine Look for the following in MailScanner.conf: Scan Messages = Set to something like: Scan Messages = %rules-dir%/ScanMessages.rules In your rules directory (usually MailScanner/etc/rules/) Create a file with lines that look like: To: user1 at domain.com yes To: user2 at domain.com yes FromOrTo: default no Then message scanning will only be performed when the incoming is addressed to user1 at domain.com or user2 at domain.com and will be skipped for all other incoming addresses and ALL outgoing emails. Once the file is created rememeber to restart MailScanner. From gdm at sangabriel.com Sun May 5 00:44:27 2013 From: gdm at sangabriel.com (Gray McCord) Date: Sat, 04 May 2013 18:44:27 -0500 Subject: Sign Clean Messages not working / problem messages? Message-ID: I'm in the midst of a server platform swap and part of it is moving from a sendmail/mailscanner environment to a postfix/mailscanner system. Of course, everything has been updated to the most recent versions for Centos 6.4 from fairly ancient versions? I'm seeing two quirks that are annoying but not impacting delivery: For some reason, even though "sign clean messages" is set to yes and I verified the locations of the inline text, it never shows up in delivered mail I'm getting regular messages from MailScanner complaining about Problem Messages" As I said, these don't seem to be interfering with email, but I can't find anything in the logs that point me to a solution. Any suggestions from the experts? Centos 6.4 Postfix 2.6.6 Mailscanner info from Mainscanner?lint > MailScanner --lint Trying to setlogsock(unix) Reading configuration file /etc/MailScanner/MailScanner.conf Reading configuration file /etc/MailScanner/conf.d/README Read 872 hostnames from the phishing whitelist Read 3966 hostnames from the phishing blacklists Checking version numbers... Version number in MailScanner.conf (4.84.5) is correct. Your envelope_sender_header in spam.assassin.prefs.conf is correct. MailScanner setting GID to (89) MailScanner setting UID to (89) Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. I have found clamd scanners installed, and will use them all by default. Connected to Processing Attempts Database Created Processing Attempts Database successfully There are 7 messages in the Processing Attempts Database Using locktype = posix MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: clamd =========================================================================== Filename Checks: Windows/DOS Executable (1 eicar.com) Other Checks: Found 1 problems Virus and Content Scanning: Starting Clamd::INFECTED::Eicar-Test-Signature :: ./1/ Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com Virus Scanning: Clamd found 2 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 2 viruses =========================================================================== Virus Scanner test reports: Clamd said "eicar.com was infected: Eicar-Test-Signature" If any of your virus scanners (clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. Thanks! Gray D. McCord -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130504/3d4201a7/attachment.html From mgt at stellarcore.net Sun May 5 01:25:48 2013 From: mgt at stellarcore.net (Mike Tremaine) Date: Sat, 4 May 2013 17:25:48 -0700 Subject: Question regarding whitelisting part of a domain In-Reply-To: <8197B6DC-52B2-40E7-9558-3B82A7CFD452@stellarcore.net> References: <8197B6DC-52B2-40E7-9558-3B82A7CFD452@stellarcore.net> Message-ID: I should add that there is more then 1 domain on the server. So I'm not sure this will work unless I also added each other domain... [I might have to try it that way but..] ##########3 Scan Messages = %rules-dir%/ScanMessages.rules In your rules directory (usually MailScanner/etc/rules/) Create a file with lines that look like: To: user1 at domain.com yes To: user2 at domain.com yes FromOrTo: default no #######3 On May 3, 2013, at 6:51 PM, Mike Tremaine wrote: > > This is a strange one and I'm not sure how to do it off the top of my head. I've got a domain that wants to try out mailscanner BUT they only want a few [6] addresses filtered. The rest they want to let through untouched. [Yes I know but it's a waste of oxygen to argue sometimes]. Without getting a full list of valid email addresses can anyone think of a clever way to whitelist the domain EXCEPT for the the 6. I don't think the rulesets allow for negation in the matching.... I also assume the biggest rule win so > > To: thing1 at somedomain.com no > To: *@somedomain.com yes > > Would not work in the spam.whitelist.rules > > -Mike Tremaine From maxsec at gmail.com Sun May 5 09:24:09 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Sun, 5 May 2013 09:24:09 +0100 Subject: Question regarding whitelisting part of a domain In-Reply-To: References: <8197B6DC-52B2-40E7-9558-3B82A7CFD452@stellarcore.net> Message-ID: Check out the overloading instrctions on the mailscanner wiki Martin On Sunday, 5 May 2013, Mike Tremaine wrote: > > I should add that there is more then 1 domain on the server. > > So I'm not sure this will work unless I also added each other domain... [I > might have to try it that way but..] > > > ##########3 > Scan Messages = %rules-dir%/ScanMessages.rules > > In your rules directory (usually MailScanner/etc/rules/) > > Create a file with lines that look like: > > To: user1 at domain.com yes > To: user2 at domain.com yes > FromOrTo: default no > > #######3 > > On May 3, 2013, at 6:51 PM, Mike Tremaine wrote: > > > > > This is a strange one and I'm not sure how to do it off the top of my > head. I've got a domain that wants to try out mailscanner BUT they only > want a few [6] addresses filtered. The rest they want to let through > untouched. [Yes I know but it's a waste of oxygen to argue sometimes]. > Without getting a full list of valid email addresses can anyone think of a > clever way to whitelist the domain EXCEPT for the the 6. I don't think the > rulesets allow for negation in the matching.... I also assume the biggest > rule win so > > > > To: thing1 at somedomain.com no > > To: *@somedomain.com yes > > > > Would not work in the spam.whitelist.rules > > > > -Mike Tremaine > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130505/5fa3c23f/attachment.html From eli at orbsky.homelinux.org Sun May 5 10:01:07 2013 From: eli at orbsky.homelinux.org (Eli Wapniarski) Date: Sun, 05 May 2013 12:01:07 +0300 Subject: A Couple of Questions Message-ID: <201305050901.r45912XZ007754@gw.home.local> Hi I was just wondering.... Is anyone running the script on Fedora 18? Are there any pitfalls I should be looking out for? E -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mgt at stellarcore.net Sun May 5 16:16:32 2013 From: mgt at stellarcore.net (Mike Tremaine) Date: Sun, 5 May 2013 08:16:32 -0700 Subject: Question regarding whitelisting part of a domain In-Reply-To: References: <8197B6DC-52B2-40E7-9558-3B82A7CFD452@stellarcore.net> Message-ID: Martin, That's new to me and very interesting... I'll see if I can fiddle with the concept. I might be able to use that in spam.whitelist.rules, except for the fact that I'm using &ByDomainSpamBlacklist and &ByDomainSpamWhitelist ... I did try to mess with Scan Messages setting it to a ruleset which #Who gets scanned FromOrTo: @newdomain.com /etc/MailScanner/rules/domains/newdomain.com/scan.messages.conf FromOrTo: default /etc/MailScanner/rules/domains/default/scan.messages.conf Where the conf file was the list of the domain users to scan [aka yes] and default no then the deault for everyone else was yes. Sadly you can;t seem to use a ruleset in Scan Messages that points to a conf file. Needs to be all in 1 file. -Mike On May 5, 2013, at 1:24 AM, Martin Hepworth wrote: > Check out the overloading instrctions on the mailscanner wiki > > Martin > > On Sunday, 5 May 2013, Mike Tremaine wrote: > > I should add that there is more then 1 domain on the server. > > So I'm not sure this will work unless I also added each other domain... [I might have to try it that way but..] > > > ##########3 > Scan Messages = %rules-dir%/ScanMessages.rules > > In your rules directory (usually MailScanner/etc/rules/) > > Create a file with lines that look like: > > To: user1 at domain.com yes > To: user2 at domain.com yes > FromOrTo: default no > > #######3 > > On May 3, 2013, at 6:51 PM, Mike Tremaine wrote: > > > > > This is a strange one and I'm not sure how to do it off the top of my head. I've got a domain that wants to try out mailscanner BUT they only want a few [6] addresses filtered. The rest they want to let through untouched. [Yes I know but it's a waste of oxygen to argue sometimes]. Without getting a full list of valid email addresses can anyone think of a clever way to whitelist the domain EXCEPT for the the 6. I don't think the rulesets allow for negation in the matching.... I also assume the biggest rule win so > > > > To: thing1 at somedomain.com no > > To: *@somedomain.com yes > > > > Would not work in the spam.whitelist.rules > > > > -Mike Tremaine > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > -- > Martin Hepworth, CISSP > Oxford, UK > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130505/3489fd06/attachment.html From maxsec at gmail.com Sun May 5 16:42:24 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Sun, 5 May 2013 16:42:24 +0100 Subject: A Couple of Questions In-Reply-To: <201305050901.r45912XZ007754@gw.home.local> References: <201305050901.r45912XZ007754@gw.home.local> Message-ID: Few people have reported issues as per normal with the bleeding edge nature od fedora Centos is a better option Martin On Sunday, 5 May 2013, Eli Wapniarski wrote: > Hi > > I was just wondering.... Is anyone running the script on Fedora 18? > > Are there any pitfalls I should be looking out for? > > E > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130505/ef2dec04/attachment.html From eli at orbsky.homelinux.org Sun May 5 18:51:54 2013 From: eli at orbsky.homelinux.org (Eli Wapniarski) Date: Sun, 05 May 2013 20:51:54 +0300 Subject: A Couple of Questions In-Reply-To: References: <201305050901.r45912XZ007754@gw.home.local> Message-ID: <1936173.cfa47rPVJQ@orbsky1.home.local> Been using Fedora forever.... I'm reluctant to upgrade to 18 because of the changes to the firewall software... Questions still stand... Please.... anyone....l Eli On Sunday 05 May 2013 16:42:24 Martin Hepworth wrote: Few people have reported issues as per normal with the bleeding edge nature od fedora Centos is a better option Martin On Sunday, 5 May 2013, Eli Wapniarski wrote: Hi I was just wondering.... Is anyone running the script on Fedora 18? Are there any pitfalls I should be looking out for? E --This message has been scanned for viruses anddangerous content by MailScanner, and isbelieved to be clean. --MailScanner mailing list mailscanner at lists.mailscanner.info[1] http://lists.mailscanner.info/mailman/listinfo/mailscanner[2] http://wiki.mailscanner.info/posting[3] *MailScanner[4]*, and is believed to be clean. -------- [1] javascript:; [2] http://lists.mailscanner.info/mailman/listinfo/mailscanner [3] http://wiki.mailscanner.info/posting [4] http://www.mailscanner.info/ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130505/abd950e3/attachment.html From jerry.benton at mailborder.com Sun May 5 21:16:43 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Sun, 5 May 2013 22:16:43 +0200 Subject: A Couple of Questions In-Reply-To: <1936173.cfa47rPVJQ@orbsky1.home.local> References: <201305050901.r45912XZ007754@gw.home.local> <1936173.cfa47rPVJQ@orbsky1.home.local> Message-ID: Don't use Fedora for a server. That will more than likely be the answer you get from most everyone on this list. Use CentOS if you want a free Red Hat variant. On Sun, May 5, 2013 at 7:51 PM, Eli Wapniarski wrote: > ** > > Been using Fedora forever.... I'm reluctant to upgrade to 18 because of > the changes to the firewall software... > > > > Questions still stand... > > > > Please.... anyone....l > > > > Eli > > > > On Sunday 05 May 2013 16:42:24 Martin Hepworth wrote: > > Few people have reported issues as per normal with the bleeding edge > nature od fedora > > Centos is a better option > > > Martin > > On Sunday, 5 May 2013, Eli Wapniarski wrote: > > Hi > > I was just wondering.... Is anyone running the script on Fedora 18? > > Are there any pitfalls I should be looking out for? > > E > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > -- > -- > Martin Hepworth, CISSP > Oxford, UK > > -- > This message has been scanned for viruses and > dangerous content by MailScanner , and is > believed to be clean. > > > > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130505/982d5904/attachment.html From eli at orbsky.homelinux.org Mon May 6 05:14:36 2013 From: eli at orbsky.homelinux.org (Eli Wapniarski) Date: Mon, 06 May 2013 07:14:36 +0300 Subject: A Couple of Questions In-Reply-To: References: <201305050901.r45912XZ007754@gw.home.local> <1936173.cfa47rPVJQ@orbsky1.home.local> Message-ID: <26305707.XmdOmQ42Nl@orbsky1.home.local> Again.... I have been using Fedora with Mailscanner since forever without anykind of problem related to the distro. So please, "don't use Fedora," is not an answer to my question. Peoples' silence is actually a better answer then yours in this particular case. Thanks Eli On Sunday 05 May 2013 22:16:43 Jerry Benton wrote: Don't use Fedora for a server. That will more than likely be the answer you get from most everyone on this list. Use CentOS if you want a free Red Hat variant. On Sun, May 5, 2013 at 7:51 PM, Eli Wapniarski wrote: Been using Fedora forever.... I'm reluctant to upgrade to 18 because of the changes to the firewall software... Questions still stand... Please.... anyone....l Eli On Sunday 05 May 2013 16:42:24 Martin Hepworth wrote: Few people have reported issues as per normal with the bleeding edge nature od fedora Centos is a better option Martin On Sunday, 5 May 2013, Eli Wapniarski wrote: Hi I was just wondering.... Is anyone running the script on Fedora 18? Are there any pitfalls I should be looking out for? E --This message has been scanned for viruses anddangerous content by MailScanner, and isbelieved to be clean. --MailScanner mailing list _mailscanner at lists.mailscanner.info_ http://lists.mailscanner.info/mailman/listinfo/mailscanner[2] http://wiki.mailscanner.info/posting[3] *MailScanner[4]*, and is believed to be clean. *_MailScanner_*, and is believed to be clean. mailscanner at lists.mailscanner.info[5] http://lists.mailscanner.info/mailman/listinfo/mailscanner[2] http://wiki.mailscanner.info/posting[3] -- Jerry Benton Mailborder Systems www.mailborder.com[6] *MailScanner[4]*, and is believed to be clean. -------- [1] mailto:eli at orbsky.homelinux.org [2] http://lists.mailscanner.info/mailman/listinfo/mailscanner [3] http://wiki.mailscanner.info/posting [4] http://www.mailscanner.info/ [5] mailto:mailscanner at lists.mailscanner.info [6] http://www.mailborder.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130506/83f229d2/attachment.html From jerry.benton at mailborder.com Mon May 6 08:56:35 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 6 May 2013 09:56:35 +0200 Subject: A Couple of Questions In-Reply-To: <26305707.XmdOmQ42Nl@orbsky1.home.local> References: <201305050901.r45912XZ007754@gw.home.local> <1936173.cfa47rPVJQ@orbsky1.home.local> <26305707.XmdOmQ42Nl@orbsky1.home.local> Message-ID: I wasn't going to answer until your second email asking again. So instead of just leaving you wondering, that is why most people won't answer. On Mon, May 6, 2013 at 6:14 AM, Eli Wapniarski wrote: > ** > > Again.... I have been using Fedora with Mailscanner since forever without > anykind of problem related to the distro. So please, "don't use Fedora," is > not an answer to my question. > > > > Peoples' silence is actually a better answer then yours in this particular > case. > > > > Thanks > > > > Eli > > > > On Sunday 05 May 2013 22:16:43 Jerry Benton wrote: > > Don't use Fedora for a server. That will more than likely be the answer > you get from most everyone on this list. Use CentOS if you want a free Red > Hat variant. > > > > > On Sun, May 5, 2013 at 7:51 PM, Eli Wapniarski > wrote: > > Been using Fedora forever.... I'm reluctant to upgrade to 18 because of > the changes to the firewall software... > > > > Questions still stand... > > > > Please.... anyone....l > > > > Eli > > > > On Sunday 05 May 2013 16:42:24 Martin Hepworth wrote: > > Few people have reported issues as per normal with the bleeding edge > nature od fedora > > Centos is a better option > > > Martin > > On Sunday, 5 May 2013, Eli Wapniarski wrote: > > Hi > > I was just wondering.... Is anyone running the script on Fedora 18? > > Are there any pitfalls I should be looking out for? > > E > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > -- > -- > Martin Hepworth, CISSP > Oxford, UK > > -- > This message has been scanned for viruses and > dangerous content by MailScanner , and is > believed to be clean. > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner , and is > believed to be clean. > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > > > -- > > Jerry Benton > > Mailborder Systems > www.mailborder.com > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner , and is > believed to be clean. > > > > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130506/fe10a496/attachment.html From Amelein at dantumadiel.eu Mon May 6 09:08:03 2013 From: Amelein at dantumadiel.eu (Arjan Melein) Date: Mon, 06 May 2013 10:08:03 +0200 Subject: Betr.: Re: Mailscanner performance monitoring ? In-Reply-To: References: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> Message-ID: <518781030200008E00023E70@GroupWise.Dantumadiel.eu> Thanks for this document Phil, I have mine set up in almost the same way so that's always reassuring:-) As to answer everyone else (thanks those who responded) and not send a mail for each, shortly after sending my original mail I noticed the primary (local) dns server and backup (other, older server) dns were switched around in /etc/resolv.conf.. so it was using the backup for all lookups instead of the local machine. So far it has not bogged down again so I'm guessing that was it. I was already using a ramdisk (tmpfs) for the work dir which gave me a huge improvement when I started using it in the past. LDAP would be too complex and would increase processing time too much as I am hosting for multiple sites that have their own directory and mail-server. I'd have to do something like pull all e-mail addresses from each site on a daily basis and cache them locally to check against. - Arjan >>> Op 2-5-2013 om 7:47 is door Phil Barnett geschreven: > I do quite a few things for processing speed. One of the important ones is > to create a ramdisk where you unpack your mail for scanning. My recipe is > in the following document. It has been updated over the years since I > created it in 2007. > > http://leap-cf.org/presentations/MailScanner/MailScanner.odt > From Amelein at dantumadiel.eu Mon May 6 09:12:27 2013 From: Amelein at dantumadiel.eu (Arjan Melein) Date: Mon, 06 May 2013 10:12:27 +0200 Subject: Betr.: Re: A Couple of Questions In-Reply-To: <26305707.XmdOmQ42Nl@orbsky1.home.local> References: <201305050901.r45912XZ007754@gw.home.local> <1936173.cfa47rPVJQ@orbsky1.home.local> <26305707.XmdOmQ42Nl@orbsky1.home.local> Message-ID: <5187820B0200008E00023E7C@GroupWise.Dantumadiel.eu> I'm using Fedora 18, so far the only thing I am really having trouble with is 'systemd' and the bonding interface was a bit more tricky (teamdriver did not work properly) And check your resolv.conf dns server order :-) I currently cannot do 'service MailScanner restart' or the sytemd equivalent, it wont stop MS nor Postfix properly and will just keep going while deleting the pid files. A lack of time and urgency has prevented me from looking into why this is happening but I think I've seen somebody else with the same-ish problem. Going into /etc/init.d and just ./MailScanner stop/start does still work. For Ethernet bonding (if you need it) use the old method. - Arjan >>> Op 6-5-2013 om 6:14 is door Eli Wapniarski geschreven: > Again.... I have been using Fedora with Mailscanner since forever without > anykind of > problem related to the distro. So please, "don't use Fedora," is not an > answer to my > question. > > Peoples' silence is actually a better answer then yours in this particular > case. > > Thanks > > Eli > > On Sunday 05 May 2013 22:16:43 Jerry Benton wrote: > > > Don't use Fedora for a server. That will more than likely be the answer you > get from > most everyone on this list. Use CentOS if you want a free Red Hat variant. > > > > > On Sun, May 5, 2013 at 7:51 PM, Eli Wapniarski > wrote: > > > Been using Fedora forever.... I'm reluctant to upgrade to 18 because of the > changes to > the firewall software... > > Questions still stand... > > Please.... anyone....l > > Eli > > On Sunday 05 May 2013 16:42:24 Martin Hepworth wrote: > > > Few people have reported issues as per normal with the bleeding edge nature > od > fedora > Centos is a better option > > > Martin > > On Sunday, 5 May 2013, Eli Wapniarski wrote: > > > Hi > > I was just wondering.... Is anyone running the script on Fedora 18? > > Are there any pitfalls I should be looking out for? > > E > > > > --This message has been scanned for viruses anddangerous content by > MailScanner, > and isbelieved to be clean. > > --MailScanner mailing list > > _mailscanner at lists.mailscanner.info_ > http://lists.mailscanner.info/mailman/listinfo/mailscanner[2] > http://wiki.mailscanner.info/posting[3] > > > *MailScanner[4]*, and is believed to be clean. > > > > *_MailScanner_*, and is believed to be clean. > > mailscanner at lists.mailscanner.info[5] > http://lists.mailscanner.info/mailman/listinfo/mailscanner[2] > http://wiki.mailscanner.info/posting[3] > > > > > > -- > > > > > Jerry Benton > > > Mailborder Systems > > www.mailborder.com[6] > > > *MailScanner[4]*, and is believed to be clean. > > > > -------- > [1] mailto:eli at orbsky.homelinux.org > [2] http://lists.mailscanner.info/mailman/listinfo/mailscanner > [3] http://wiki.mailscanner.info/posting > [4] http://www.mailscanner.info/ > [5] mailto:mailscanner at lists.mailscanner.info > [6] http://www.mailborder.com > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. From alex at vidadigital.com.pa Mon May 6 16:15:20 2013 From: alex at vidadigital.com.pa (Alex Neuman) Date: Mon, 6 May 2013 10:15:20 -0500 Subject: A Couple of Questions In-Reply-To: <26305707.XmdOmQ42Nl@orbsky1.home.local> References: <201305050901.r45912XZ007754@gw.home.local> <1936173.cfa47rPVJQ@orbsky1.home.local> <26305707.XmdOmQ42Nl@orbsky1.home.local> Message-ID: I don't believe he meant "don't use Fedora". I believe "if you use Fedora you will - as many others - find some small problems here and there which you will have to deal with with a little less help than usual since it's based on very new software which most people choose, out of a bit of caution, avoid using until it's been further tested". Remember people on the list are just trying to help; please don't discourage them. On Sun, May 5, 2013 at 11:14 PM, Eli Wapniarski wrote: > Again.... I have been using Fedora with Mailscanner since forever without > anykind of problem related to the distro. So please, "don't use Fedora," is > not an answer to my question. > > > > Peoples' silence is actually a better answer then yours in this particular > case. > > > > Thanks > > > > Eli > > > > On Sunday 05 May 2013 22:16:43 Jerry Benton wrote: > > Don't use Fedora for a server. That will more than likely be the answer you > get from most everyone on this list. Use CentOS if you want a free Red Hat > variant. > > > > > On Sun, May 5, 2013 at 7:51 PM, Eli Wapniarski > wrote: > > Been using Fedora forever.... I'm reluctant to upgrade to 18 because of the > changes to the firewall software... > > > > Questions still stand... > > > > Please.... anyone....l > > > > Eli > > > > On Sunday 05 May 2013 16:42:24 Martin Hepworth wrote: > > Few people have reported issues as per normal with the bleeding edge nature > od fedora > > Centos is a better option > > > Martin > > On Sunday, 5 May 2013, Eli Wapniarski wrote: > > Hi > > I was just wondering.... Is anyone running the script on Fedora 18? > > Are there any pitfalls I should be looking out for? > > E > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > -- > -- > Martin Hepworth, CISSP > Oxford, UK > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > > > -- > > Jerry Benton > > Mailborder Systems > www.mailborder.com > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital From campbell at cnpapers.com Mon May 6 16:22:29 2013 From: campbell at cnpapers.com (Steve Campbell) Date: Mon, 06 May 2013 11:22:29 -0400 Subject: can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? Message-ID: <5187CAB5.3040905@cnpapers.com> Just wondering, since I've found I have a need for a ruleset: Can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? It doesn't state that it can in my version (4.84.3). Was this an oversight in the comments or is there a reason for not allowing a ruleset for this parameter? Thanks steve campbell From eli at orbsky.homelinux.org Mon May 6 16:44:39 2013 From: eli at orbsky.homelinux.org (Eli Wapniarski) Date: Mon, 06 May 2013 18:44:39 +0300 Subject: A Couple of Questions In-Reply-To: <26305707.XmdOmQ42Nl@orbsky1.home.local> References: <201305050901.r45912XZ007754@gw.home.local> <26305707.XmdOmQ42Nl@orbsky1.home.local> Message-ID: <1922691.qE3vbQam6j@orbsky1.home.local> Thanks everyone. The pitfalls mentioned were really very helpful. Eli On Monday 06 May 2013 07:14:36 Eli Wapniarski wrote: Again.... I have been using Fedora with Mailscanner since forever without anykind of problem related to the distro. So please, "don't use Fedora," is not an answer to my question. Peoples' silence is actually a better answer then yours in this particular case. Thanks Eli On Sunday 05 May 2013 22:16:43 Jerry Benton wrote: Don't use Fedora for a server. That will more than likely be the answer you get from most everyone on this list. Use CentOS if you want a free Red Hat variant. On Sun, May 5, 2013 at 7:51 PM, Eli Wapniarski wrote: Been using Fedora forever.... I'm reluctant to upgrade to 18 because of the changes to the firewall software... Questions still stand... Please.... anyone....l Eli On Sunday 05 May 2013 16:42:24 Martin Hepworth wrote: Few people have reported issues as per normal with the bleeding edge nature od fedora Centos is a better option Martin On Sunday, 5 May 2013, Eli Wapniarski wrote: Hi I was just wondering.... Is anyone running the script on Fedora 18? Are there any pitfalls I should be looking out for? E --This message has been scanned for viruses anddangerous content by MailScanner, and isbelieved to be clean. --MailScanner mailing list _mailscanner at lists.mailscanner.info_ http://lists.mailscanner.info/mailman/listinfo/mailscanner[2] http://wiki.mailscanner.info/posting[3] *MailScanner[4]*, and is believed to be clean. *_MailScanner_*, and is believed to be clean. mailscanner at lists.mailscanner.info[5] http://lists.mailscanner.info/mailman/listinfo/mailscanner[2] http://wiki.mailscanner.info/posting[3] -- Jerry Benton Mailborder Systems www.mailborder.com[6] *MailScanner[4]*, and is believed to be clean. *_MailScanner_*, and isbelieved to be clean. -------- [1] mailto:eli at orbsky.homelinux.org [2] http://lists.mailscanner.info/mailman/listinfo/mailscanner [3] http://wiki.mailscanner.info/posting [4] http://www.mailscanner.info/ [5] mailto:mailscanner at lists.mailscanner.info [6] http://www.mailborder.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130506/c6336737/attachment.html From alex at vidadigital.com.pa Mon May 6 17:26:27 2013 From: alex at vidadigital.com.pa (Alex Neuman) Date: Mon, 6 May 2013 11:26:27 -0500 Subject: can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? In-Reply-To: <5187CAB5.3040905@cnpapers.com> References: <5187CAB5.3040905@cnpapers.com> Message-ID: While someone who knows MailScanner's innards better may answer, I can tell you this: try using a .rules file and see what it gets you. Worst thing that can happen is that it will be exactly as it is right now. On Mon, May 6, 2013 at 10:22 AM, Steve Campbell wrote: > Just wondering, since I've found I have a need for a ruleset: > > Can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? It > doesn't state that it can in my version (4.84.3). Was this an oversight > in the comments or is there a reason for not allowing a ruleset for this > parameter? > > Thanks > > steve campbell > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- -- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital From mgt at stellarcore.net Mon May 6 17:58:51 2013 From: mgt at stellarcore.net (Mike Tremaine) Date: Mon, 6 May 2013 09:58:51 -0700 Subject: can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? In-Reply-To: References: <5187CAB5.3040905@cnpapers.com> Message-ID: <904728AA-8F6B-489C-B622-5EE47FF1D276@stellarcore.net> Also the "MailScanner --lint" is your friend. You can change you configure without reloading and run that. If the rules do not work you will get a config error. No harm no foul. -Mike On May 6, 2013, at 9:26 AM, Alex Neuman wrote: > While someone who knows MailScanner's innards better may answer, I can > tell you this: try using a .rules file and see what it gets you. Worst > thing that can happen is that it will be exactly as it is right now. > > On Mon, May 6, 2013 at 10:22 AM, Steve Campbell wrote: >> Just wondering, since I've found I have a need for a ruleset: >> >> Can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? It >> doesn't state that it can in my version (4.84.3). Was this an oversight >> in the comments or is there a reason for not allowing a ruleset for this >> parameter? >> >> Thanks >> >> steve campbell >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > > > -- > > -- > > Alex Neuman van der Hans > Reliant Technologies / Vida Digital > http://vidadigital.com.pa/ > > +507-6781-9505 > +507-832-6725 > +1-440-253-9789 (USA) > > Follow @AlexNeuman on Twitter > http://facebook.com/vidadigital > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From campbell at cnpapers.com Mon May 6 18:11:51 2013 From: campbell at cnpapers.com (Steve Campbell) Date: Mon, 06 May 2013 13:11:51 -0400 Subject: can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? In-Reply-To: References: <5187CAB5.3040905@cnpapers.com> Message-ID: <5187E457.3000209@cnpapers.com> Alex, I'd considered doing just that, only I would run --lint to see what it said before "reloading" MS. There are times, though, when MS will reload itself, so I was hesitant due to breaking one of the servers here. Both are very busy servers. I'd also thought long and hard before submitting the question. In some ways, it doesn't make sense to have a ruleset for this parameter, since the situation that came up involved a message with 75 recipients, and only one of them was for my domains. I don't get many messages with that many recipients usually, so the default of 20 usually worked. The emails involved have the sender's address in my whitelist file. It's listed in the blacklist file as "no" with the following entry being the entire domain listed as "yes". I'm finding that there's a mysterious situation where these blacklisted emails get database corruption at times, and that's the real reason I'm trying to avoid the threshold. It seems that some of these emails end up with a database "date/time" that's about one month after the time it's really received. It appears that I do not have the ability to release them from quarantine through Mailwatch either because the portion of the web page at the bottom where I would release them is missing. By all rights, it should honor the blacklist entry for the specific sender, which is set to "no", but it completely disregards this once the threshold has been broken and blacklists the email anyway. I have a feeling that it's just the result of so many different parameters catching the email in ways I'm not considering. Thanks for the reply. steve On 5/6/2013 12:26 PM, Alex Neuman wrote: > While someone who knows MailScanner's innards better may answer, I can > tell you this: try using a .rules file and see what it gets you. Worst > thing that can happen is that it will be exactly as it is right now. > > On Mon, May 6, 2013 at 10:22 AM, Steve Campbell wrote: >> Just wondering, since I've found I have a need for a ruleset: >> >> Can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? It >> doesn't state that it can in my version (4.84.3). Was this an oversight >> in the comments or is there a reason for not allowing a ruleset for this >> parameter? >> >> Thanks >> >> steve campbell >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > From campbell at cnpapers.com Mon May 6 18:14:23 2013 From: campbell at cnpapers.com (Steve Campbell) Date: Mon, 06 May 2013 13:14:23 -0400 Subject: can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? In-Reply-To: <904728AA-8F6B-489C-B622-5EE47FF1D276@stellarcore.net> References: <5187CAB5.3040905@cnpapers.com> <904728AA-8F6B-489C-B622-5EE47FF1D276@stellarcore.net> Message-ID: <5187E4EF.9050509@cnpapers.com> Yep, I agree. See my email answering Alex's reply. Your's was waiting after I sent back to the list. Thanks. steve On 5/6/2013 12:58 PM, Mike Tremaine wrote: > Also the "MailScanner --lint" is your friend. You can change you configure without reloading and run that. If the rules do not work you will get a config error. No harm no foul. > > -Mike > > On May 6, 2013, at 9:26 AM, Alex Neuman wrote: > >> While someone who knows MailScanner's innards better may answer, I can >> tell you this: try using a .rules file and see what it gets you. Worst >> thing that can happen is that it will be exactly as it is right now. >> >> On Mon, May 6, 2013 at 10:22 AM, Steve Campbell wrote: >>> Just wondering, since I've found I have a need for a ruleset: >>> >>> Can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? It >>> doesn't state that it can in my version (4.84.3). Was this an oversight >>> in the comments or is there a reason for not allowing a ruleset for this >>> parameter? >>> >>> Thanks >>> >>> steve campbell >>> -- >>> MailScanner mailing list >>> mailscanner at lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >> >> >> -- >> >> -- >> >> Alex Neuman van der Hans >> Reliant Technologies / Vida Digital >> http://vidadigital.com.pa/ >> >> +507-6781-9505 >> +507-832-6725 >> +1-440-253-9789 (USA) >> >> Follow @AlexNeuman on Twitter >> http://facebook.com/vidadigital >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! From alex at vidadigital.com.pa Mon May 6 21:47:58 2013 From: alex at vidadigital.com.pa (Alex Neuman) Date: Mon, 6 May 2013 15:47:58 -0500 Subject: can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? In-Reply-To: <5187E4EF.9050509@cnpapers.com> References: <5187CAB5.3040905@cnpapers.com> <904728AA-8F6B-489C-B622-5EE47FF1D276@stellarcore.net> <5187E4EF.9050509@cnpapers.com> Message-ID: I agree completely with your concerns; MS will reload itself after an X number of minutes. That being said, if you reload *before* making the changes, then make them and --lint, the next reload will happen, by default, hours from now. This *should* provide enough of a window, I think On Mon, May 6, 2013 at 12:14 PM, Steve Campbell wrote: > Yep, I agree. See my email answering Alex's reply. Your's was waiting > after I sent back to the list. > > Thanks. > > steve > On 5/6/2013 12:58 PM, Mike Tremaine wrote: >> Also the "MailScanner --lint" is your friend. You can change you configure without reloading and run that. If the rules do not work you will get a config error. No harm no foul. >> >> -Mike >> >> On May 6, 2013, at 9:26 AM, Alex Neuman wrote: >> >>> While someone who knows MailScanner's innards better may answer, I can >>> tell you this: try using a .rules file and see what it gets you. Worst >>> thing that can happen is that it will be exactly as it is right now. >>> >>> On Mon, May 6, 2013 at 10:22 AM, Steve Campbell wrote: >>>> Just wondering, since I've found I have a need for a ruleset: >>>> >>>> Can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? It >>>> doesn't state that it can in my version (4.84.3). Was this an oversight >>>> in the comments or is there a reason for not allowing a ruleset for this >>>> parameter? >>>> >>>> Thanks >>>> >>>> steve campbell >>>> -- >>>> MailScanner mailing list >>>> mailscanner at lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>> >>> >>> -- >>> >>> -- >>> >>> Alex Neuman van der Hans >>> Reliant Technologies / Vida Digital >>> http://vidadigital.com.pa/ >>> >>> +507-6781-9505 >>> +507-832-6725 >>> +1-440-253-9789 (USA) >>> >>> Follow @AlexNeuman on Twitter >>> http://facebook.com/vidadigital >>> -- >>> MailScanner mailing list >>> mailscanner at lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- -- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital From jonas at vrt.dk Tue May 7 11:12:41 2013 From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Tue, 7 May 2013 10:12:41 +0000 Subject: SV: Betr.: Re: Mailscanner performance monitoring ? In-Reply-To: <518781030200008E00023E70@GroupWise.Dantumadiel.eu> References: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> <518781030200008E00023E70@GroupWise.Dantumadiel.eu> Message-ID: Arjan: If you don't already, you should do what exim calls callouts. It basically checks to see if you backend/receiving server will accept the recipient address. And if not the mailscanner box doesn't accept the mail and its rejected before any av or antispam checks. This saves huge amounts of processing. Also it doesn't require anything like ldap or dayli syncs, only smtp. I'm not sure what postfix and sendmail calls it, but I'm sure they have something similar Med venlig hilsen / Best regards ? Jonas Akrouh Larsen ? TechBiz ApS Laplandsgade 4, 2. sal 2300 K?benhavn S ? Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax:??? 7020 0978 Web: www.techbiz.dk -----Oprindelig meddelelse----- Fra: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] P? vegne af Arjan Melein Sendt: 6. maj 2013 10:08 Til: MailScanner discussion Emne: Betr.: Re: Mailscanner performance monitoring ? Thanks for this document Phil, I have mine set up in almost the same way so that's always reassuring:-) As to answer everyone else (thanks those who responded) and not send a mail for each, shortly after sending my original mail I noticed the primary (local) dns server and backup (other, older server) dns were switched around in /etc/resolv.conf.. so it was using the backup for all lookups instead of the local machine. So far it has not bogged down again so I'm guessing that was it. I was already using a ramdisk (tmpfs) for the work dir which gave me a huge improvement when I started using it in the past. LDAP would be too complex and would increase processing time too much as I am hosting for multiple sites that have their own directory and mail-server. I'd have to do something like pull all e-mail addresses from each site on a daily basis and cache them locally to check against. - Arjan >>> Op 2-5-2013 om 7:47 is door Phil Barnett geschreven: > I do quite a few things for processing speed. One of the important > ones is to create a ramdisk where you unpack your mail for scanning. > My recipe is in the following document. It has been updated over the > years since I created it in 2007. > > http://leap-cf.org/presentations/MailScanner/MailScanner.odt > -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner at joolee.nl Tue May 7 13:18:23 2013 From: mailscanner at joolee.nl (Joolee) Date: Tue, 7 May 2013 14:18:23 +0200 Subject: Betr.: Re: Mailscanner performance monitoring ? In-Reply-To: References: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> <518781030200008E00023E70@GroupWise.Dantumadiel.eu> Message-ID: As far as I know, by default Exchange servers wil accapt all addresses for their domain so they can bounce a nice cryptic message back to the sender. On 7 May 2013 12:12, Jonas Akrouh Larsen wrote: > Arjan: > > If you don't already, you should do what exim calls callouts. It basically > checks to see if you backend/receiving server will accept the recipient > address. > > And if not the mailscanner box doesn't accept the mail and its rejected > before any av or antispam checks. This saves huge amounts of processing. > Also it doesn't require anything like ldap or dayli syncs, only smtp. > > I'm not sure what postfix and sendmail calls it, but I'm sure they have > something similar > > > Med venlig hilsen / Best regards > > Jonas Akrouh Larsen > > TechBiz ApS > Laplandsgade 4, 2. sal > 2300 K?benhavn S > > Office: 7020 0979 > Direct: 3336 9974 > Mobile: 5120 1096 > Fax: 7020 0978 > Web: www.techbiz.dk > > > > -----Oprindelig meddelelse----- > Fra: mailscanner-bounces at lists.mailscanner.info [mailto: > mailscanner-bounces at lists.mailscanner.info] P? vegne af Arjan Melein > Sendt: 6. maj 2013 10:08 > Til: MailScanner discussion > Emne: Betr.: Re: Mailscanner performance monitoring ? > > Thanks for this document Phil, I have mine set up in almost the same way > so that's always reassuring:-) > > As to answer everyone else (thanks those who responded) and not send a > mail for each, shortly after sending my original mail I noticed the primary > (local) dns server and backup (other, older server) dns were switched > around in /etc/resolv.conf.. so it was using the backup for all lookups > instead of the local machine. > So far it has not bogged down again so I'm guessing that was it. > > I was already using a ramdisk (tmpfs) for the work dir which gave me a > huge improvement when I started using it in the past. LDAP would be too > complex and would increase processing time too much as I am hosting for > multiple sites that have their own directory and mail-server. > I'd have to do something like pull all e-mail addresses from each site on > a daily basis and cache them locally to check against. > > - > Arjan > > >>> Op 2-5-2013 om 7:47 is door Phil Barnett geschreven: > > I do quite a few things for processing speed. One of the important > > ones is to create a ramdisk where you unpack your mail for scanning. > > My recipe is in the following document. It has been updated over the > > years since I created it in 2007. > > > > http://leap-cf.org/presentations/MailScanner/MailScanner.odt > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130507/bdaa9a7c/attachment.html From Amelein at dantumadiel.eu Tue May 7 13:34:14 2013 From: Amelein at dantumadiel.eu (Arjan Melein) Date: Tue, 07 May 2013 14:34:14 +0200 Subject: SV: Betr.: Re: Mailscanner performance monitoring ? In-Reply-To: References: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> <518781030200008E00023E70@GroupWise.Dantumadiel.eu> Message-ID: <518910E60200008E00024067@GroupWise.Dantumadiel.eu> Hi Jonas, Thanks for that one, I had not found that one yet and its working perfectly against GroupWise, exchange seems to be needing a configuration change as it accepts everyone by default, then sends out a bounce message. For postfix it is called 'Recipient address verification' and I rather quickly found out that you need to set a custom error as well or it will send back internal IP's in the error ;-) - Arjan >>> Op 7-5-2013 om 12:12 is door Jonas Akrouh Larsen geschreven: > Arjan: > > If you don't already, you should do what exim calls callouts. It basically > checks to see if you backend/receiving server will accept the recipient > address. > > And if not the mailscanner box doesn't accept the mail and its rejected > before any av or antispam checks. This saves huge amounts of processing. Also > it doesn't require anything like ldap or dayli syncs, only smtp. > > I'm not sure what postfix and sendmail calls it, but I'm sure they have > something similar > > > Med venlig hilsen / Best regards > > Jonas Akrouh Larsen > > TechBiz ApS > Laplandsgade 4, 2. sal > 2300 K?benhavn S > > Office: 7020 0979 > Direct: 3336 9974 > Mobile: 5120 1096 > Fax: 7020 0978 > Web: www.techbiz.dk From jerry.benton at mailborder.com Tue May 7 14:05:52 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Tue, 7 May 2013 15:05:52 +0200 Subject: Betr.: Re: Mailscanner performance monitoring ? In-Reply-To: References: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> <518781030200008E00023E70@GroupWise.Dantumadiel.eu> Message-ID: This is correct: "As far as I know, by default Exchange servers wil accapt all addresses for their domain so they can bounce a nice cryptic message back to the sender." There is a video on the Mailborder site covering recipient verification. It walks you through how to setup Exchange. The MailScanner portion is Postfix based, but the Exchange part should be useful to you. Jerry Benton www.mailborder.com On Tue, May 7, 2013 at 2:18 PM, Joolee wrote: > As far as I know, by default Exchange servers wil accapt all addresses for > their domain so they can bounce a nice cryptic message back to the sender. > > > On 7 May 2013 12:12, Jonas Akrouh Larsen wrote: > >> Arjan: >> >> If you don't already, you should do what exim calls callouts. It >> basically checks to see if you backend/receiving server will accept the >> recipient address. >> >> And if not the mailscanner box doesn't accept the mail and its rejected >> before any av or antispam checks. This saves huge amounts of processing. >> Also it doesn't require anything like ldap or dayli syncs, only smtp. >> >> I'm not sure what postfix and sendmail calls it, but I'm sure they have >> something similar >> >> >> Med venlig hilsen / Best regards >> >> Jonas Akrouh Larsen >> >> TechBiz ApS >> Laplandsgade 4, 2. sal >> 2300 K?benhavn S >> >> Office: 7020 0979 >> Direct: 3336 9974 >> Mobile: 5120 1096 >> Fax: 7020 0978 >> Web: www.techbiz.dk >> >> >> >> -----Oprindelig meddelelse----- >> Fra: mailscanner-bounces at lists.mailscanner.info [mailto: >> mailscanner-bounces at lists.mailscanner.info] P? vegne af Arjan Melein >> Sendt: 6. maj 2013 10:08 >> Til: MailScanner discussion >> Emne: Betr.: Re: Mailscanner performance monitoring ? >> >> Thanks for this document Phil, I have mine set up in almost the same way >> so that's always reassuring:-) >> >> As to answer everyone else (thanks those who responded) and not send a >> mail for each, shortly after sending my original mail I noticed the primary >> (local) dns server and backup (other, older server) dns were switched >> around in /etc/resolv.conf.. so it was using the backup for all lookups >> instead of the local machine. >> So far it has not bogged down again so I'm guessing that was it. >> >> I was already using a ramdisk (tmpfs) for the work dir which gave me a >> huge improvement when I started using it in the past. LDAP would be too >> complex and would increase processing time too much as I am hosting for >> multiple sites that have their own directory and mail-server. >> I'd have to do something like pull all e-mail addresses from each site on >> a daily basis and cache them locally to check against. >> >> - >> Arjan >> >> >>> Op 2-5-2013 om 7:47 is door Phil Barnett geschreven: >> > I do quite a few things for processing speed. One of the important >> > ones is to create a ramdisk where you unpack your mail for scanning. >> > My recipe is in the following document. It has been updated over the >> > years since I created it in 2007. >> > >> > http://leap-cf.org/presentations/MailScanner/MailScanner.odt >> > >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130507/452ef7b1/attachment.html From Amelein at dantumadiel.eu Tue May 7 14:17:55 2013 From: Amelein at dantumadiel.eu (Arjan Melein) Date: Tue, 07 May 2013 15:17:55 +0200 Subject: Betr.: Re: Mailscanner performance monitoring ? In-Reply-To: References: <5181436E0200008E00023DF7@GroupWise.Dantumadiel.eu> <518781030200008E00023E70@GroupWise.Dantumadiel.eu> Message-ID: <51891B230200008E00024079@GroupWise.Dantumadiel.eu> This creates backscatter though. A decent % of our spam is actually backscatter from exchange servers. >>> Op 7-5-2013 om 14:18 is door Joolee geschreven: > As far as I know, by default Exchange servers wil accapt all addresses for > their domain so they can bounce a nice cryptic message back to the sender. From steve.freegard at fsl.com Tue May 7 14:28:45 2013 From: steve.freegard at fsl.com (Steve Freegard) Date: Tue, 07 May 2013 14:28:45 +0100 Subject: can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? In-Reply-To: <5187CAB5.3040905@cnpapers.com> References: <5187CAB5.3040905@cnpapers.com> Message-ID: On 06/05/13 16:22, Steve Campbell wrote: > Just wondering, since I've found I have a need for a ruleset: > > Can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? It > doesn't state that it can in my version (4.84.3). Was this an oversight > in the comments or is there a reason for not allowing a ruleset for this > parameter? > See the 'Ruleset Allowed' column in http://www.mailscanner.info/MailScanner.conf.index.html Regards, Steve. From campbell at cnpapers.com Tue May 7 15:22:54 2013 From: campbell at cnpapers.com (Steve Campbell) Date: Tue, 07 May 2013 10:22:54 -0400 Subject: can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? In-Reply-To: References: <5187CAB5.3040905@cnpapers.com> Message-ID: <51890E3E.7090708@cnpapers.com> Steve, Thanks for that. I couldn't find my bookmark to that page. I knew I'd seen it before. steve On 5/7/2013 9:28 AM, Steve Freegard wrote: > On 06/05/13 16:22, Steve Campbell wrote: >> Just wondering, since I've found I have a need for a ruleset: >> >> Can "Ignore Spam Whitelist If Recipients Exceed" be a ruleset? It >> doesn't state that it can in my version (4.84.3). Was this an oversight >> in the comments or is there a reason for not allowing a ruleset for this >> parameter? >> > See the 'Ruleset Allowed' column in > http://www.mailscanner.info/MailScanner.conf.index.html > > Regards, > Steve. > > From jerry.benton at mailborder.com Tue May 7 22:58:38 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Tue, 7 May 2013 23:58:38 +0200 Subject: Multi Depth Rules Message-ID: I am creating the structure for "Scan Messages" and am wondering if anyone has tested this. I am using the MailScanner file name rules structure as a basis, which looks like this: --- *Filename Rules = %etc-dir%/frules/filename.rules:* FromOrTo: domain.com /etc/MailScanner/frules/domain.com.fn.conf When you look at the contents domain.com.fn.conf, it contains the rules for that domain. This setup does work. --- So, what I am looking to do now is the same thing for "Scan Messages". --- *Scan Messages = %rules-dir%/scan.messages.rules* FromOrTo: domain.com /etc/MailScanner/scan/domain.com.scan.conf *domain.com.scan.conf* From: pain.customer.com no FromOrTo: default yes --- Has anyone tested this? It is basically a structure 2 levels deep instead of 1. -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130507/5f1fa652/attachment.html From mgt at stellarcore.net Tue May 7 23:32:02 2013 From: mgt at stellarcore.net (Mike Tremaine) Date: Tue, 7 May 2013 15:32:02 -0700 Subject: Multi Depth Rules In-Reply-To: References: Message-ID: <53717064-E809-4625-A307-F0FCBAE6AD30@stellarcore.net> Jerry, I just tried this back thread a bit and it doesn't work sadly. It would be cool but alas it gives you a config error. Might be worth hacking at someday. -Mike On May 7, 2013, at 2:58 PM, Jerry Benton wrote: > I am creating the structure for "Scan Messages" and am wondering if anyone has tested this. I am using the MailScanner file name rules structure as a basis, which looks like this: > > --- > Filename Rules = %etc-dir%/frules/filename.rules: > FromOrTo: domain.com /etc/MailScanner/frules/domain.com.fn.conf > > When you look at the contents domain.com.fn.conf, it contains the rules for that domain. This setup does work. > --- > > > So, what I am looking to do now is the same thing for "Scan Messages". > > --- > Scan Messages = %rules-dir%/scan.messages.rules > FromOrTo: domain.com /etc/MailScanner/scan/domain.com.scan.conf > > domain.com.scan.conf > From: pain.customer.com no > FromOrTo: default yes > --- > > > Has anyone tested this? It is basically a structure 2 levels deep instead of 1. > > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130507/6070b5f3/attachment.html From jerry.benton at mailborder.com Wed May 8 00:14:09 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 8 May 2013 01:14:09 +0200 Subject: Multi Depth Rules In-Reply-To: <53717064-E809-4625-A307-F0FCBAE6AD30@stellarcore.net> References: <53717064-E809-4625-A307-F0FCBAE6AD30@stellarcore.net> Message-ID: Thanks Mike. I will play with it more later when I get to that part. In short, I am creating templates in a web GUI for the next version of Mailborder. This is part of the passthru template. I may have to make this a server setting rather than a domain setting. I know that will work. On Wed, May 8, 2013 at 12:32 AM, Mike Tremaine wrote: > Jerry, > > I just tried this back thread a bit and it doesn't work sadly. It would > be cool but alas it gives you a config error. Might be worth hacking at > someday. > > -Mike > On May 7, 2013, at 2:58 PM, Jerry Benton wrote: > > I am creating the structure for "Scan Messages" and am wondering if anyone > has tested this. I am using the MailScanner file name rules structure as a > basis, which looks like this: > > --- > *Filename Rules = %etc-dir%/frules/filename.rules:* > FromOrTo: domain.com /etc/MailScanner/frules/domain.com.fn.conf > > When you look at the contents domain.com.fn.conf, it contains the rules > for that domain. This setup does work. > --- > > > So, what I am looking to do now is the same thing for "Scan Messages". > > --- > *Scan Messages = %rules-dir%/scan.messages.rules* > FromOrTo: domain.com /etc/MailScanner/scan/domain.com.scan.conf > > *domain.com.scan.conf* > From: pain.customer.com no > FromOrTo: default yes > --- > > > Has anyone tested this? It is basically a structure 2 levels deep instead > of 1. > > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130508/84985419/attachment.html From bonivart at opencsw.org Wed May 8 08:52:18 2013 From: bonivart at opencsw.org (Peter Bonivart) Date: Wed, 8 May 2013 09:52:18 +0200 Subject: Multi Depth Rules In-Reply-To: References: Message-ID: On Tue, May 7, 2013 at 11:58 PM, Jerry Benton wrote: > Scan Messages = %rules-dir%/scan.messages.rules > FromOrTo: domain.com /etc/MailScanner/scan/domain.com.scan.conf > > domain.com.scan.conf > From: pain.customer.com no > FromOrTo: default yes Wouldn't "From: pain.customer.com And To: domain.com no" do the same thing? From jerry.benton at mailborder.com Wed May 8 09:41:24 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 8 May 2013 10:41:24 +0200 Subject: Multi Depth Rules In-Reply-To: References: Message-ID: No. The scan.messages.rules would define the file to use for rules for domain.com. (domain.com.scan.conf) The file then specifies each rule for that domain. In this case, the domain pain.customer.com would not be scanned if the destination was domain.com. However, according to Mike's results this does not work the same for the setting "Scan Messages" as it does for filename and filetype rules. On Wed, May 8, 2013 at 9:52 AM, Peter Bonivart wrote: > On Tue, May 7, 2013 at 11:58 PM, Jerry Benton > wrote: > > Scan Messages = %rules-dir%/scan.messages.rules > > FromOrTo: domain.com /etc/MailScanner/scan/domain.com.scan.conf > > > > domain.com.scan.conf > > From: pain.customer.com no > > FromOrTo: default yes > > Wouldn't "From: pain.customer.com And To: domain.com no" do the same > thing? > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130508/8e7fe84e/attachment.html From bonivart at opencsw.org Wed May 8 10:15:51 2013 From: bonivart at opencsw.org (Peter Bonivart) Date: Wed, 8 May 2013 11:15:51 +0200 Subject: Multi Depth Rules In-Reply-To: References: Message-ID: On Wed, May 8, 2013 at 10:41 AM, Jerry Benton wrote: > In this case, the domain pain.customer.com would not be scanned > if the destination was domain.com. Isn't that exactly what my line would do? From jerry.benton at mailborder.com Wed May 8 12:30:29 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 8 May 2013 13:30:29 +0200 Subject: Multi Depth Rules In-Reply-To: References: Message-ID: Use operands. Good point. On Wed, May 8, 2013 at 11:15 AM, Peter Bonivart wrote: > On Wed, May 8, 2013 at 10:41 AM, Jerry Benton > wrote: > > In this case, the domain pain.customer.com would not be scanned > > if the destination was domain.com. > > Isn't that exactly what my line would do? > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130508/71da506b/attachment.html From rcooper at dwford.com Wed May 8 16:01:48 2013 From: rcooper at dwford.com (Rick Cooper) Date: Wed, 8 May 2013 11:01:48 -0400 Subject: Multi Depth Rules In-Reply-To: References: Message-ID: <7D34D5101999451C81204F46A049F8F5@SAHOMELT> _____ From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: Tuesday, May 07, 2013 5:59 PM To: MailScanner discussion Subject: Multi Depth Rules I am creating the structure for "Scan Messages" and am wondering if anyone has tested this. I am using the MailScanner file name rules structure as a basis, which looks like this: --- Filename Rules = %etc-dir%/frules/filename.rules: FromOrTo: domain.com /etc/MailScanner/frules/domain.com.fn.conf When you look at the contents domain.com.fn.conf, it contains the rules for that domain. This setup does work. --- So, what I am looking to do now is the same thing for "Scan Messages". --- Scan Messages = %rules-dir%/scan.messages.rules FromOrTo: domain.com /etc/MailScanner/scan/domain.com.scan.conf domain.com.scan.conf From: pain.customer.com no FromOrTo: default yes --- It's been a while since I poked about inside mailscanner but IIRC there are two things about rules that must be followed: 1. Must end in .rules 2. Must be in the defined %rules-dir% Now this might not seem incorrect because the filename/type rules point to .conf files in the etc directory but it is as they are the action same as yes/no. If I am recalling this correctly the above should be Scan Messages = %rules-dir%/scan.messages.rules FromOrTo: domain.com %rules-dir%/domain.com.scan.rules domain.com.scan.rules From: pain.customer.com no FromOrTo: default yes I have not the time to test it or take a refresher look at the code but I am pretty sure it would have to be this way to follow the parsing rules for MailScanner to understand it was looking at a rule file Rick Has anyone tested this? It is basically a structure 2 levels deep instead of 1. -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130508/4954cf2b/attachment.html From mark at msapiro.net Wed May 8 19:45:47 2013 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 08 May 2013 11:45:47 -0700 Subject: ScamNailer info not updated In-Reply-To: References: Message-ID: <518A9D5B.4060400@msapiro.net> On Mon Apr 29 16:07:20 IST 2013, Matt Hampton wrote: > On it > > DNS provider reset api keys > > > On 28 April 2013 17:09, Mark Sapiro wrote: > >> At this writing, it appears the latest Scamnailer data files are >> emails.2013-166 and emails.2013-166.15, but the DNS TXT record is still >> >> emails.msupdate.greylist.bastionmail.com. 3600 IN TXT "emails.2013-164.6" >> >> which points to data from 2 days ago. Any estimate on when this might be fixed? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mogens at fumlersoft.dk Wed May 8 20:09:23 2013 From: mogens at fumlersoft.dk (Mogens Melander) Date: Wed, 8 May 2013 21:09:23 +0200 (CEST) Subject: Multi Depth Rules In-Reply-To: References: Message-ID: <25413.31301122.1368040163.nsm@mail.trader-internet.dk> I think it was: Can recursive %file% rules be used for "Scan Messages". If not for this rule, but for that other one, why not ? On Wed, May 8, 2013 09:52, Peter Bonivart wrote: > On Tue, May 7, 2013 at 11:58 PM, Jerry Benton > wrote: >> Scan Messages = %rules-dir%/scan.messages.rules >> FromOrTo: domain.com /etc/MailScanner/scan/domain.com.scan.conf >> >> domain.com.scan.conf >> From: pain.customer.com no >> FromOrTo: default yes > > Wouldn't "From: pain.customer.com And To: domain.com no" do the same > thing? > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- Mogens Melander +66 8701 33224 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jerry.benton at mailborder.com Wed May 8 21:13:00 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 8 May 2013 22:13:00 +0200 Subject: Multi Depth Rules In-Reply-To: <25413.31301122.1368040163.nsm@mail.trader-internet.dk> References: <25413.31301122.1368040163.nsm@mail.trader-internet.dk> Message-ID: I will have to test some different config options in my lab. I am sure I can find a work around if the .rules solution does not work. I was just curious if anyone had definitely done it already. On Wed, May 8, 2013 at 9:09 PM, Mogens Melander wrote: > I think it was: > > Can recursive %file% rules be used for "Scan Messages". > > If not for this rule, but for that other one, why not ? > > > On Wed, May 8, 2013 09:52, Peter Bonivart wrote: > > On Tue, May 7, 2013 at 11:58 PM, Jerry Benton > > wrote: > >> Scan Messages = %rules-dir%/scan.messages.rules > >> FromOrTo: domain.com /etc/MailScanner/scan/domain.com.scan.conf > >> > >> domain.com.scan.conf > >> From: pain.customer.com no > >> FromOrTo: default yes > > > > Wouldn't "From: pain.customer.com And To: domain.com no" do the same > > thing? > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > > > > -- > Mogens Melander > +66 8701 33224 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130508/97723872/attachment.html From wayne at cdmsinc.net Thu May 9 15:25:12 2013 From: wayne at cdmsinc.net (Wayne Franz-com) Date: Thu, 9 May 2013 08:25:12 -0600 Subject: How to verify MS is using the RBL Message-ID: <05882937054F4EFF811D757BFA9778DB@CDMSINC.LOCAL> First post. Is there a way to determine if MailScanner is actually using the RBL's I have currently added to the MailScanner.conf Spam List Definitions = %etc-dir%/spam.lists.conf Spam List = barracuda spamcop.net spamhaus-ZEN The spam.list.conf contains spamhaus.org sbl.spamhaus.org. spamhaus-XBL xbl.spamhaus.org. spamhaus-PBL pbl.spamhaus.org. spamhaus-ZEN zen.spamhaus.org. SBL+XBL sbl-xbl.spamhaus.org. spamcop.net bl.spamcop.net. NJABL dnsbl.njabl.org. barracuda b.barracudacentrail.org However, email that do not pass one of the RBL (barracuda) still come through undetected. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130509/3b4d103f/attachment.html From alex at vidadigital.com.pa Thu May 9 20:37:41 2013 From: alex at vidadigital.com.pa (Alex Neuman) Date: Thu, 9 May 2013 14:37:41 -0500 Subject: Multi Depth Rules In-Reply-To: References: Message-ID: I believe you should use .rules instead of .conf, for consistency. I'm not sure if it's a requirement, though. On Tue, May 7, 2013 at 4:58 PM, Jerry Benton wrote: > I am creating the structure for "Scan Messages" and am wondering if anyone > has tested this. I am using the MailScanner file name rules structure as a > basis, which looks like this: > > --- > Filename Rules = %etc-dir%/frules/filename.rules: > FromOrTo: domain.com /etc/MailScanner/frules/domain.com.fn.conf > > When you look at the contents domain.com.fn.conf, it contains the rules for > that domain. This setup does work. > --- > > > So, what I am looking to do now is the same thing for "Scan Messages". > > --- > Scan Messages = %rules-dir%/scan.messages.rules > FromOrTo: domain.com /etc/MailScanner/scan/domain.com.scan.conf > > domain.com.scan.conf > From: pain.customer.com no > FromOrTo: default yes > --- > > > Has anyone tested this? It is basically a structure 2 levels deep instead of > 1. > > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital From maillists at conactive.com Fri May 10 11:31:18 2013 From: maillists at conactive.com (Kai Schaetzl) Date: Fri, 10 May 2013 12:31:18 +0200 Subject: How to verify MS is using the RBL In-Reply-To: <05882937054F4EFF811D757BFA9778DB@CDMSINC.LOCAL> References: <05882937054F4EFF811D757BFA9778DB@CDMSINC.LOCAL> Message-ID: --lint would tell you. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From maxsec at gmail.com Fri May 10 12:31:17 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Fri, 10 May 2013 12:31:17 +0100 Subject: How to verify MS is using the RBL In-Reply-To: References: <05882937054F4EFF811D757BFA9778DB@CDMSINC.LOCAL> Message-ID: Seems the baracuda RBL requires registration to access.. also make sure you've not got the http://www.mailscanner.info/MailScanner.conf.index.html#Spam%20Lists%20To%20Be%20Spamset to 1 if you really want just to 1 to trigger spam. I always recommend these tests are done as part of the Spamassassin call-out so 1 bad RBL doesnt trigger lots of false positives. -- Martin Hepworth, CISSP Oxford, UK On 10 May 2013 11:31, Kai Schaetzl wrote: > --lint would tell you. > > Kai > > -- > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130510/bc23d9fa/attachment.html From rsmith at dynamicquest.com Fri May 10 15:45:58 2013 From: rsmith at dynamicquest.com (Ronnie Smith) Date: Fri, 10 May 2013 10:45:58 -0400 Subject: Spam Action: Store Message-ID: <001801ce4d8d$156f0d50$404d27f0$@dynamicquest.com> Version info: This is CentOS release 6.3 (Final) This is Perl version 5.010001 (5.10.1) This is MailScanner version 4.84.5 Module versions are: 1.00 AnyDBM_File 1.30 Archive::Zip 0.23 bignum 1.11 Carp 2.02 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.124 Data::Dumper 2.27 Date::Parse 1.03 DirHandle 1.06 Fcntl 2.77 File::Basename 2.14 File::Copy 2.02 FileHandle 2.08 File::Path 0.22 File::Temp 0.90 Filesys::Df 3.64 HTML::Entities 3.64 HTML::Parser 3.57 HTML::TokeParser 1.25 IO 1.14 IO::File 1.13 IO::Pipe 2.04 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.08 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.08 MIME::QuotedPrint 5.427 MIME::Tools 0.13 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.13 Pod::Simple 1.17 POSIX 1.21 Scalar::Util 1.82 Socket 2.20 Storable 1.4 Sys::Hostname::Long 0.27 Sys::Syslog 1.40 Test::Pod 0.92 Test::Simple 1.9721 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.58 Archive::Tar 0.23 bignum missing Business::ISBN missing Business::ISBN::Data missing Data::Dump 1.82 DB_File 1.27 DBD::SQLite 1.609 DBI 1.16 Digest 1.01 Digest::HMAC 2.39 Digest::MD5 2.12 Digest::SHA1 1.01 Encode::Detect 0.17015 Error missing ExtUtils::CBuilder 2.2203 ExtUtils::ParseXS 2.38 Getopt::Long 0.45 Inline 1.08 IO::String 1.09 IO::Zlib 2.27 IP::Country 0.29 Mail::ClamAV 3.003001 Mail::SpamAssassin missing Mail::SPF missing Mail::SPF::Query missing Module::Build missing Net::CIDR::Lite 0.65 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP 4.027 NetAddr::IP missing Parse::RecDescent missing SAVI 3.17 Test::Harness missing Test::Manifest 2.0.0 Text::Balanced 1.40 URI 0.77 version missing YAML When I set action to store or any iteration of store my spam message stay in postfix hold queue and maillog just shows the following: May 10 09:38:00 filter01 postfix/smtpd[11712]: 24C2F1E1695: client=digitalsanctuary.com[174.37.94.132] May 10 09:38:00 filter01 postfix/cleanup[11703]: 24C2F1E1695: hold: header Received: from mail.digitalsanctuary.com (digitalsanctuary.com [174.37.94.132])??by filter01..com (Postfix) with ESMTP id 24C2F1E1695??for ; Fri, 10 May 2013 from digitalsanctuary.com[174.37.94.132]; from= to= proto=ESMTP helo= May 10 09:38:00 filter01 postfix/cleanup[11703]: 24C2F1E1695: message-id=<2046887021.4491368193076851.JavaMail.f174532 at rmqkr.net> May 10 09:38:01 filter01 MailScanner[11656]: Message 24C2F1E1695.AAE16 from 174.37.94.132 (f174532 at rmqkr.net) to.com is spam, SpamAssassin (not cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM 5.00) May 10 09:38:03 filter01 MailScanner[11656]: Spam Actions: message 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header May 10 09:41:01 filter01 MailScanner[11999]: Making attempt 2 at processing message 24C2F1E1695.AAE16 May 10 09:41:01 filter01 MailScanner[11999]: SpamAssassin cache hit for message 24C2F1E1695.AAE16 May 10 09:41:01 filter01 MailScanner[11999]: Message 24C2F1E1695.AAE16 from 174.37.94.132 (f174532 at rmqkr.net) to.com is spam, SpamAssassin (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM 5.00) May 10 09:41:01 filter01 MailScanner[11999]: Spam Actions: message 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header May 10 09:43:47 filter01 MailScanner[11762]: Making attempt 3 at processing message 24C2F1E1695.AAE16 May 10 09:43:47 filter01 MailScanner[11762]: SpamAssassin cache hit for message 24C2F1E1695.AAE16 May 10 09:43:47 filter01 MailScanner[11762]: Message 24C2F1E1695.AAE16 from 174.37.94.132 (f174532 at rmqkr.net) to .com is spam, SpamAssassin (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM 5.00) May 10 09:43:47 filter01 MailScanner[11762]: Spam Actions: message 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header May 10 09:48:16 filter01 MailScanner[12790]: Making attempt 4 at processing message 24C2F1E1695.AAE16 May 10 09:48:16 filter01 MailScanner[12790]: SpamAssassin cache hit for message 24C2F1E1695.AAE16 May 10 09:48:16 filter01 MailScanner[12790]: Message 24C2F1E1695.AAE16 from 174.37.94.132 (f174532 at rmqkr.net) to .com is spam, SpamAssassin (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM 5.00) May 10 09:48:16 filter01 MailScanner[12790]: Spam Actions: message 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header Nothing else to indicate why it won't store. Any ideas? _____ Ronnie Smith // Support Engineer rsmith at dynamicquest.com 336.389.4687 Description: Dynamic Quest IT Solutions // Business Consulting // Marketing // Data Center // Software // Helpdesk -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130510/e3cd3959/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 6679 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130510/e3cd3959/attachment.jpe From maxsec at gmail.com Fri May 10 16:30:37 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Fri, 10 May 2013 16:30:37 +0100 Subject: Spam Action: Store In-Reply-To: <001801ce4d8d$156f0d50$404d27f0$@dynamicquest.com> References: <001801ce4d8d$156f0d50$404d27f0$@dynamicquest.com> Message-ID: can the postfix user write into the store area ? -- Martin Hepworth, CISSP Oxford, UK On 10 May 2013 15:45, Ronnie Smith wrote: > Version info:**** > > ** ** > > This is CentOS release 6.3 (Final)**** > > This is Perl version 5.010001 (5.10.1)**** > > ** ** > > This is MailScanner version 4.84.5**** > > Module versions are:**** > > 1.00 AnyDBM_File**** > > 1.30 Archive::Zip**** > > 0.23 bignum**** > > 1.11 Carp**** > > 2.02 Compress::Zlib**** > > 1.119 Convert::BinHex**** > > 0.17 Convert::TNEF**** > > 2.124 Data::Dumper**** > > 2.27 Date::Parse**** > > 1.03 DirHandle**** > > 1.06 Fcntl**** > > 2.77 File::Basename**** > > 2.14 File::Copy**** > > 2.02 FileHandle**** > > 2.08 File::Path**** > > 0.22 File::Temp**** > > 0.90 Filesys::Df**** > > 3.64 HTML::Entities**** > > 3.64 HTML::Parser**** > > 3.57 HTML::TokeParser**** > > 1.25 IO**** > > 1.14 IO::File**** > > 1.13 IO::Pipe**** > > 2.04 Mail::Header**** > > 1.89 Math::BigInt**** > > 0.22 Math::BigRat**** > > 3.08 MIME::Base64**** > > 5.427 MIME::Decoder**** > > 5.427 MIME::Decoder::UU**** > > 5.427 MIME::Head**** > > 5.427 MIME::Parser**** > > 3.08 MIME::QuotedPrint**** > > 5.427 MIME::Tools**** > > 0.13 Net::CIDR**** > > 1.25 Net::IP**** > > 0.16 OLE::Storage_Lite**** > > 1.04 Pod::Escapes**** > > 3.13 Pod::Simple**** > > 1.17 POSIX**** > > 1.21 Scalar::Util**** > > 1.82 Socket**** > > 2.20 Storable**** > > 1.4 Sys::Hostname::Long**** > > 0.27 Sys::Syslog**** > > 1.40 Test::Pod**** > > 0.92 Test::Simple**** > > 1.9721 Time::HiRes**** > > 1.02 Time::localtime**** > > ** ** > > Optional module versions are:**** > > 1.58 Archive::Tar**** > > 0.23 bignum**** > > missing Business::ISBN**** > > missing Business::ISBN::Data**** > > missing Data::Dump**** > > 1.82 DB_File**** > > 1.27 DBD::SQLite**** > > 1.609 DBI**** > > 1.16 Digest**** > > 1.01 Digest::HMAC**** > > 2.39 Digest::MD5**** > > 2.12 Digest::SHA1**** > > 1.01 Encode::Detect**** > > 0.17015 Error**** > > missing ExtUtils::CBuilder**** > > 2.2203 ExtUtils::ParseXS**** > > 2.38 Getopt::Long**** > > 0.45 Inline**** > > 1.08 IO::String**** > > 1.09 IO::Zlib**** > > 2.27 IP::Country**** > > 0.29 Mail::ClamAV**** > > 3.003001 Mail::SpamAssassin**** > > missing Mail::SPF**** > > missing Mail::SPF::Query**** > > missing Module::Build**** > > missing Net::CIDR::Lite**** > > 0.65 Net::DNS**** > > missing Net::DNS::Resolver::Programmable**** > > missing Net::LDAP**** > > 4.027 NetAddr::IP**** > > missing Parse::RecDescent**** > > missing SAVI**** > > 3.17 Test::Harness**** > > missing Test::Manifest**** > > 2.0.0 Text::Balanced**** > > 1.40 URI**** > > 0.77 version**** > > missing YAML**** > > ** ** > > ** ** > > When I set action to store or any iteration of store my spam message stay > in postfix hold queue and maillog just shows the following:**** > > ** ** > > May 10 09:38:00 filter01 postfix/smtpd[11712]: 24C2F1E1695: client= > digitalsanctuary.com[174.37.94.132]**** > > May 10 09:38:00 filter01 postfix/cleanup[11703]: 24C2F1E1695: hold: header > Received: from mail.digitalsanctuary.com (digitalsanctuary.com[174.37.94.132])??by filter01..com (Postfix) with ESMTP id 24C2F1E1695??for > ; Fri, 10 May 2013 from digitalsanctuary.com[174.37.94.132]; > from= to= proto=ESMTP helo=< > mail.digitalsanctuary.com>**** > > May 10 09:38:00 filter01 postfix/cleanup[11703]: 24C2F1E1695: message-id=< > 2046887021.4491368193076851.JavaMail.f174532 at rmqkr.net>**** > > May 10 09:38:01 filter01 MailScanner[11656]: Message 24C2F1E1695.AAE16 > from 174.37.94.132 (f174532 at rmqkr.net) to.com is spam, SpamAssassin (not > cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM > 5.00)**** > > May 10 09:38:03 filter01 MailScanner[11656]: Spam Actions: message > 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header**** > > May 10 09:41:01 filter01 MailScanner[11999]: Making attempt 2 at > processing message 24C2F1E1695.AAE16**** > > May 10 09:41:01 filter01 MailScanner[11999]: SpamAssassin cache hit for > message 24C2F1E1695.AAE16**** > > May 10 09:41:01 filter01 MailScanner[11999]: Message 24C2F1E1695.AAE16 > from 174.37.94.132 (f174532 at rmqkr.net) to.com is spam, SpamAssassin > (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM > 5.00)**** > > May 10 09:41:01 filter01 MailScanner[11999]: Spam Actions: message > 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header**** > > May 10 09:43:47 filter01 MailScanner[11762]: Making attempt 3 at > processing message 24C2F1E1695.AAE16**** > > May 10 09:43:47 filter01 MailScanner[11762]: SpamAssassin cache hit for > message 24C2F1E1695.AAE16**** > > May 10 09:43:47 filter01 MailScanner[11762]: Message 24C2F1E1695.AAE16 > from 174.37.94.132 (f174532 at rmqkr.net) to .com is spam, SpamAssassin > (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM > 5.00)**** > > May 10 09:43:47 filter01 MailScanner[11762]: Spam Actions: message > 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header**** > > May 10 09:48:16 filter01 MailScanner[12790]: Making attempt 4 at > processing message 24C2F1E1695.AAE16**** > > May 10 09:48:16 filter01 MailScanner[12790]: SpamAssassin cache hit for > message 24C2F1E1695.AAE16**** > > May 10 09:48:16 filter01 MailScanner[12790]: Message 24C2F1E1695.AAE16 > from 174.37.94.132 (f174532 at rmqkr.net) to .com is spam, SpamAssassin > (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM > 5.00)**** > > May 10 09:48:16 filter01 MailScanner[12790]: Spam Actions: message > 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header**** > > ** ** > > Nothing else to indicate why it won?t store. Any ideas?**** > > ** ** > ------------------------------ > > *Ronnie Smith* // Support Engineer > rsmith at dynamicquest.com > 336.389.4687**** > > [image: Description: Dynamic Quest]**** > > *IT Solutions // Business Consulting // Marketing // Data Center > // Software // Helpdesk***** > > ** ** > > ** ** > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130510/f8751dcb/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 6679 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130510/f8751dcb/attachment.jpe From david.hill at ubisoft.com Fri May 10 16:57:49 2013 From: david.hill at ubisoft.com (David Hill) Date: Fri, 10 May 2013 11:57:49 -0400 Subject: Spam Action: Store In-Reply-To: <001801ce4d8d$156f0d50$404d27f0$@dynamicquest.com> References: <001801ce4d8d$156f0d50$404d27f0$@dynamicquest.com> Message-ID: <710D4D6CE160654C87478D18385BB9972673B1EA11@MDC-MAIL-CMS01.ubisoft.org> Hello Ronnie, Did you disable SELinux? Are you sure the permissions of the folders are ok ? Did you try turning on the debugging in MailScanner ? Debug = no Debug SpamAssassin = no Dave From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ronnie Smith Sent: May-10-13 10:46 AM To: mailscanner at lists.mailscanner.info Subject: Spam Action: Store Version info: This is CentOS release 6.3 (Final) This is Perl version 5.010001 (5.10.1) This is MailScanner version 4.84.5 Module versions are: 1.00 AnyDBM_File 1.30 Archive::Zip 0.23 bignum 1.11 Carp 2.02 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.124 Data::Dumper 2.27 Date::Parse 1.03 DirHandle 1.06 Fcntl 2.77 File::Basename 2.14 File::Copy 2.02 FileHandle 2.08 File::Path 0.22 File::Temp 0.90 Filesys::Df 3.64 HTML::Entities 3.64 HTML::Parser 3.57 HTML::TokeParser 1.25 IO 1.14 IO::File 1.13 IO::Pipe 2.04 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.08 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.08 MIME::QuotedPrint 5.427 MIME::Tools 0.13 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.13 Pod::Simple 1.17 POSIX 1.21 Scalar::Util 1.82 Socket 2.20 Storable 1.4 Sys::Hostname::Long 0.27 Sys::Syslog 1.40 Test::Pod 0.92 Test::Simple 1.9721 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.58 Archive::Tar 0.23 bignum missing Business::ISBN missing Business::ISBN::Data missing Data::Dump 1.82 DB_File 1.27 DBD::SQLite 1.609 DBI 1.16 Digest 1.01 Digest::HMAC 2.39 Digest::MD5 2.12 Digest::SHA1 1.01 Encode::Detect 0.17015 Error missing ExtUtils::CBuilder 2.2203 ExtUtils::ParseXS 2.38 Getopt::Long 0.45 Inline 1.08 IO::String 1.09 IO::Zlib 2.27 IP::Country 0.29 Mail::ClamAV 3.003001 Mail::SpamAssassin missing Mail::SPF missing Mail::SPF::Query missing Module::Build missing Net::CIDR::Lite 0.65 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP 4.027 NetAddr::IP missing Parse::RecDescent missing SAVI 3.17 Test::Harness missing Test::Manifest 2.0.0 Text::Balanced 1.40 URI 0.77 version missing YAML When I set action to store or any iteration of store my spam message stay in postfix hold queue and maillog just shows the following: May 10 09:38:00 filter01 postfix/smtpd[11712]: 24C2F1E1695: client=digitalsanctuary.com[174.37.94.132] May 10 09:38:00 filter01 postfix/cleanup[11703]: 24C2F1E1695: hold: header Received: from mail.digitalsanctuary.com (digitalsanctuary.com [174.37.94.132])??by filter01..com (Postfix) with ESMTP id 24C2F1E1695??for >; Fri, 10 May 2013 from digitalsanctuary.com[174.37.94.132]; from=> to=> proto=ESMTP helo= May 10 09:38:00 filter01 postfix/cleanup[11703]: 24C2F1E1695: message-id=<2046887021.4491368193076851.JavaMail.f174532 at rmqkr.net> May 10 09:38:01 filter01 MailScanner[11656]: Message 24C2F1E1695.AAE16 from 174.37.94.132 (f174532 at rmqkr.net) to.com is spam, SpamAssassin (not cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM 5.00) May 10 09:38:03 filter01 MailScanner[11656]: Spam Actions: message 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header May 10 09:41:01 filter01 MailScanner[11999]: Making attempt 2 at processing message 24C2F1E1695.AAE16 May 10 09:41:01 filter01 MailScanner[11999]: SpamAssassin cache hit for message 24C2F1E1695.AAE16 May 10 09:41:01 filter01 MailScanner[11999]: Message 24C2F1E1695.AAE16 from 174.37.94.132 (f174532 at rmqkr.net) to.com is spam, SpamAssassin (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM 5.00) May 10 09:41:01 filter01 MailScanner[11999]: Spam Actions: message 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header May 10 09:43:47 filter01 MailScanner[11762]: Making attempt 3 at processing message 24C2F1E1695.AAE16 May 10 09:43:47 filter01 MailScanner[11762]: SpamAssassin cache hit for message 24C2F1E1695.AAE16 May 10 09:43:47 filter01 MailScanner[11762]: Message 24C2F1E1695.AAE16 from 174.37.94.132 (f174532 at rmqkr.net) to .com is spam, SpamAssassin (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM 5.00) May 10 09:43:47 filter01 MailScanner[11762]: Spam Actions: message 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header May 10 09:48:16 filter01 MailScanner[12790]: Making attempt 4 at processing message 24C2F1E1695.AAE16 May 10 09:48:16 filter01 MailScanner[12790]: SpamAssassin cache hit for message 24C2F1E1695.AAE16 May 10 09:48:16 filter01 MailScanner[12790]: Message 24C2F1E1695.AAE16 from 174.37.94.132 (f174532 at rmqkr.net) to .com is spam, SpamAssassin (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM 5.00) May 10 09:48:16 filter01 MailScanner[12790]: Spam Actions: message 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header Nothing else to indicate why it won't store. Any ideas? ________________________________ Ronnie Smith // Support Engineer rsmith at dynamicquest.com 336.389.4687 [cid:image001.jpg at 01CE4D75.98229A40] IT Solutions // Business Consulting // Marketing // Data Center // Software // Helpdesk -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130510/acce6efe/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 6679 bytes Desc: image001.jpg Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130510/acce6efe/attachment-0001.jpg From jerry.benton at mailborder.com Fri May 10 20:03:39 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 10 May 2013 21:03:39 +0200 Subject: Spam Action: Store In-Reply-To: <001801ce4d8d$156f0d50$404d27f0$@dynamicquest.com> References: <001801ce4d8d$156f0d50$404d27f0$@dynamicquest.com> Message-ID: # ensure MailScanner works with newer versions of perl sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner Add the -U option to /usr/sbin/MailScanner On Fri, May 10, 2013 at 4:45 PM, Ronnie Smith wrote: > Version info:**** > > ** ** > > This is CentOS release 6.3 (Final)**** > > This is Perl version 5.010001 (5.10.1)**** > > ** ** > > This is MailScanner version 4.84.5**** > > Module versions are:**** > > 1.00 AnyDBM_File**** > > 1.30 Archive::Zip**** > > 0.23 bignum**** > > 1.11 Carp**** > > 2.02 Compress::Zlib**** > > 1.119 Convert::BinHex**** > > 0.17 Convert::TNEF**** > > 2.124 Data::Dumper**** > > 2.27 Date::Parse**** > > 1.03 DirHandle**** > > 1.06 Fcntl**** > > 2.77 File::Basename**** > > 2.14 File::Copy**** > > 2.02 FileHandle**** > > 2.08 File::Path**** > > 0.22 File::Temp**** > > 0.90 Filesys::Df**** > > 3.64 HTML::Entities**** > > 3.64 HTML::Parser**** > > 3.57 HTML::TokeParser**** > > 1.25 IO**** > > 1.14 IO::File**** > > 1.13 IO::Pipe**** > > 2.04 Mail::Header**** > > 1.89 Math::BigInt**** > > 0.22 Math::BigRat**** > > 3.08 MIME::Base64**** > > 5.427 MIME::Decoder**** > > 5.427 MIME::Decoder::UU**** > > 5.427 MIME::Head**** > > 5.427 MIME::Parser**** > > 3.08 MIME::QuotedPrint**** > > 5.427 MIME::Tools**** > > 0.13 Net::CIDR**** > > 1.25 Net::IP**** > > 0.16 OLE::Storage_Lite**** > > 1.04 Pod::Escapes**** > > 3.13 Pod::Simple**** > > 1.17 POSIX**** > > 1.21 Scalar::Util**** > > 1.82 Socket**** > > 2.20 Storable**** > > 1.4 Sys::Hostname::Long**** > > 0.27 Sys::Syslog**** > > 1.40 Test::Pod**** > > 0.92 Test::Simple**** > > 1.9721 Time::HiRes**** > > 1.02 Time::localtime**** > > ** ** > > Optional module versions are:**** > > 1.58 Archive::Tar**** > > 0.23 bignum**** > > missing Business::ISBN**** > > missing Business::ISBN::Data**** > > missing Data::Dump**** > > 1.82 DB_File**** > > 1.27 DBD::SQLite**** > > 1.609 DBI**** > > 1.16 Digest**** > > 1.01 Digest::HMAC**** > > 2.39 Digest::MD5**** > > 2.12 Digest::SHA1**** > > 1.01 Encode::Detect**** > > 0.17015 Error**** > > missing ExtUtils::CBuilder**** > > 2.2203 ExtUtils::ParseXS**** > > 2.38 Getopt::Long**** > > 0.45 Inline**** > > 1.08 IO::String**** > > 1.09 IO::Zlib**** > > 2.27 IP::Country**** > > 0.29 Mail::ClamAV**** > > 3.003001 Mail::SpamAssassin**** > > missing Mail::SPF**** > > missing Mail::SPF::Query**** > > missing Module::Build**** > > missing Net::CIDR::Lite**** > > 0.65 Net::DNS**** > > missing Net::DNS::Resolver::Programmable**** > > missing Net::LDAP**** > > 4.027 NetAddr::IP**** > > missing Parse::RecDescent**** > > missing SAVI**** > > 3.17 Test::Harness**** > > missing Test::Manifest**** > > 2.0.0 Text::Balanced**** > > 1.40 URI**** > > 0.77 version**** > > missing YAML**** > > ** ** > > ** ** > > When I set action to store or any iteration of store my spam message stay > in postfix hold queue and maillog just shows the following:**** > > ** ** > > May 10 09:38:00 filter01 postfix/smtpd[11712]: 24C2F1E1695: client= > digitalsanctuary.com[174.37.94.132]**** > > May 10 09:38:00 filter01 postfix/cleanup[11703]: 24C2F1E1695: hold: header > Received: from mail.digitalsanctuary.com (digitalsanctuary.com[174.37.94.132])??by filter01..com (Postfix) with ESMTP id 24C2F1E1695??for > ; Fri, 10 May 2013 from digitalsanctuary.com[174.37.94.132]; > from= to= proto=ESMTP helo=< > mail.digitalsanctuary.com>**** > > May 10 09:38:00 filter01 postfix/cleanup[11703]: 24C2F1E1695: message-id=< > 2046887021.4491368193076851.JavaMail.f174532 at rmqkr.net>**** > > May 10 09:38:01 filter01 MailScanner[11656]: Message 24C2F1E1695.AAE16 > from 174.37.94.132 (f174532 at rmqkr.net) to.com is spam, SpamAssassin (not > cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM > 5.00)**** > > May 10 09:38:03 filter01 MailScanner[11656]: Spam Actions: message > 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header**** > > May 10 09:41:01 filter01 MailScanner[11999]: Making attempt 2 at > processing message 24C2F1E1695.AAE16**** > > May 10 09:41:01 filter01 MailScanner[11999]: SpamAssassin cache hit for > message 24C2F1E1695.AAE16**** > > May 10 09:41:01 filter01 MailScanner[11999]: Message 24C2F1E1695.AAE16 > from 174.37.94.132 (f174532 at rmqkr.net) to.com is spam, SpamAssassin > (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM > 5.00)**** > > May 10 09:41:01 filter01 MailScanner[11999]: Spam Actions: message > 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header**** > > May 10 09:43:47 filter01 MailScanner[11762]: Making attempt 3 at > processing message 24C2F1E1695.AAE16**** > > May 10 09:43:47 filter01 MailScanner[11762]: SpamAssassin cache hit for > message 24C2F1E1695.AAE16**** > > May 10 09:43:47 filter01 MailScanner[11762]: Message 24C2F1E1695.AAE16 > from 174.37.94.132 (f174532 at rmqkr.net) to .com is spam, SpamAssassin > (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM > 5.00)**** > > May 10 09:43:47 filter01 MailScanner[11762]: Spam Actions: message > 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header**** > > May 10 09:48:16 filter01 MailScanner[12790]: Making attempt 4 at > processing message 24C2F1E1695.AAE16**** > > May 10 09:48:16 filter01 MailScanner[12790]: SpamAssassin cache hit for > message 24C2F1E1695.AAE16**** > > May 10 09:48:16 filter01 MailScanner[12790]: Message 24C2F1E1695.AAE16 > from 174.37.94.132 (f174532 at rmqkr.net) to .com is spam, SpamAssassin > (cached, score=4, required 2.5, BAYES_00 -1.00, LOCAL_DEMONSTRATION_FROM > 5.00)**** > > May 10 09:48:16 filter01 MailScanner[12790]: Spam Actions: message > 24C2F1E1695.AAE16 actions are store-/var/spool/spam,header**** > > ** ** > > Nothing else to indicate why it won?t store. Any ideas?**** > > ** ** > ------------------------------ > > *Ronnie Smith* // Support Engineer > rsmith at dynamicquest.com > 336.389.4687**** > > [image: Description: Dynamic Quest]**** > > *IT Solutions // Business Consulting // Marketing // Data Center > // Software // Helpdesk***** > > ** ** > > ** ** > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130510/9567ced6/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 6679 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130510/9567ced6/attachment.jpe From mark at msapiro.net Tue May 14 04:31:34 2013 From: mark at msapiro.net (Mark Sapiro) Date: Mon, 13 May 2013 20:31:34 -0700 Subject: ScamNailer info not updated [solved] In-Reply-To: <518A9D5B.4060400@msapiro.net> References: <518A9D5B.4060400@msapiro.net> Message-ID: <5191B016.4090500@msapiro.net> On Wed May 8 19:45:47 IST 2013, Mark Sapiro wrote: > On Mon Apr 29 16:07:20 IST 2013, Matt Hampton wrote: > >> On it >> >> DNS provider reset api keys >> >> >> On 28 April 2013 17:09, Mark Sapiro wrote: >> >>> At this writing, it appears the latest Scamnailer data files are >>> emails.2013-166 and emails.2013-166.15, but the DNS TXT record is still >>> >>> emails.msupdate.greylist.bastionmail.com. 3600 IN TXT "emails.2013-164.6" >>> >>> which points to data from 2 days ago. > > > Any estimate on when this might be fixed? Since this doesn't seem to be getting fixed, I have patched ScamNailer with the attached patch which attempts to guess the current week and day for the base and then retrieves daily updates until it gets a 404. This is working for me. Caveat: I'm a perl novice. There may be a better way. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- --- ScamNailer.orig 2013-05-13 20:14:05.000000000 -0700 +++ ScamNailer.new 2013-05-13 20:19:55.000000000 -0700 @@ -18,6 +18,7 @@ use LWP::UserAgent; use FileHandle; use DirHandle; +use Time::Local; # Output filename, goes into SpamAssassin. Can be over-ridden by just # adding the output filename on the command-line when you run this script. @@ -216,6 +217,16 @@ die "Failed to retrieve valid current details\n" if $currentbase eq "-1"; + my $day = (gmtime)[6]; + my $year = (gmtime)[5] + 1900; + my $janone = (gmtime(timegm(0,0,0,1,0,$year-1900)))[6]; + my $week = sprintf ("%02d", int (((gmtime)[7] + $janone) / 7)); + my $mybase = "$year-$week$day"; + if ($currentbase lt $mybase) { + $currentbase = $mybase; + $currentupdate = 99; + } + print "I am working with: Current: $currentbase - $currentupdate and Status: $status_base - $status_update\n" unless $quiet; my $generate=0; @@ -273,8 +284,10 @@ #print "Getting $urlbase . $currentbase.$i\n" unless $quiet; my $req = HTTP::Request->new(GET => $urlbase.$currentbase.".".$i); my $res = $ua->request($req); - warn "Failed to retrieve $urlbase$currentbase.$i" - unless $res->is_success; + unless ($res->is_success) { + warn "Failed to retrieve $urlbase$currentbase.$i"; + $currentupdate = $i - 1; + } my $line; foreach $line (split("\n", $res->content)) { # Is it an addition? From matt.hampton.uk at gmail.com Tue May 14 10:17:58 2013 From: matt.hampton.uk at gmail.com (Matt Hampton) Date: Tue, 14 May 2013 10:17:58 +0100 Subject: ScamNailer info not updated [solved] In-Reply-To: <5191B016.4090500@msapiro.net> References: <518A9D5B.4060400@msapiro.net> <5191B016.4090500@msapiro.net> Message-ID: Hi Mark I sent the details of the required change to Jules (cc'd) as I don't have access to modify the update script. I wasn't aware it wasn't fixed (and I only periodically check this account). Jules - if you didn't get the original email please let me know and I will re-issue the api key. matt On 14 May 2013 04:31, Mark Sapiro wrote: > On Wed May 8 19:45:47 IST 2013, Mark Sapiro wrote: > > On Mon Apr 29 16:07:20 IST 2013, Matt Hampton wrote: > > > >> On it > >> > >> DNS provider reset api keys > >> > >> > >> On 28 April 2013 17:09, Mark Sapiro wrote: > >> > >>> At this writing, it appears the latest Scamnailer data files are > >>> emails.2013-166 and emails.2013-166.15, but the DNS TXT record is still > >>> > >>> emails.msupdate.greylist.bastionmail.com. 3600 IN TXT > "emails.2013-164.6" > >>> > >>> which points to data from 2 days ago. > > > > > > Any estimate on when this might be fixed? > > > Since this doesn't seem to be getting fixed, I have patched ScamNailer > with the attached patch which attempts to guess the current week and day > for the base and then retrieves daily updates until it gets a 404. > > This is working for me. > > Caveat: I'm a perl novice. There may be a better way. > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130514/aec7ada2/attachment.html From matt.hampton.uk at gmail.com Tue May 14 11:32:58 2013 From: matt.hampton.uk at gmail.com (Matt Hampton) Date: Tue, 14 May 2013 11:32:58 +0100 Subject: ScamNailer info not updated [solved] In-Reply-To: <5191B016.4090500@msapiro.net> References: <518A9D5B.4060400@msapiro.net> <5191B016.4090500@msapiro.net> Message-ID: All This has been fixed - it may take up to a day for everything to work through the system but I have seen an update go through on the DNS provider. Matt On 14 May 2013 04:31, Mark Sapiro wrote: > On Wed May 8 19:45:47 IST 2013, Mark Sapiro wrote: > > On Mon Apr 29 16:07:20 IST 2013, Matt Hampton wrote: > > > >> On it > >> > >> DNS provider reset api keys > >> > >> > >> On 28 April 2013 17:09, Mark Sapiro wrote: > >> > >>> At this writing, it appears the latest Scamnailer data files are > >>> emails.2013-166 and emails.2013-166.15, but the DNS TXT record is still > >>> > >>> emails.msupdate.greylist.bastionmail.com. 3600 IN TXT > "emails.2013-164.6" > >>> > >>> which points to data from 2 days ago. > > > > > > Any estimate on when this might be fixed? > > > Since this doesn't seem to be getting fixed, I have patched ScamNailer > with the attached patch which attempts to guess the current week and day > for the base and then retrieves daily updates until it gets a 404. > > This is working for me. > > Caveat: I'm a perl novice. There may be a better way. > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130514/c812a319/attachment.html From rlopezcnm at gmail.com Wed May 15 18:31:17 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Wed, 15 May 2013 11:31:17 -0600 Subject: Single email, multiple Spamassassin attempls Message-ID: Do I have a MailScanner configuration problem or is this expected behavior? MailScanner 4.84.5-3 Clamd 0.97.7-1 SpamAssassin 3.3.1 Perl 5.10.1 Postfix 2.10.0 A new email gateway is sending the much discussed "Problem Email" messages. As far as I see there is not a problem with anything other than the emails that are listed in the "Problem Email" messages. However, I see a pattern that looks like this, where there are apparently multiple attempts to scan of each email by SpamAssassin: May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: hold: header Received: from apn-37-7-144-188.dynamic.gprs.plus.pl (unknown [5.174.118.246])??by mg08.cnm.edu (Postfix) with ESMTP id 780574C02AB??for ; Wed, 15 May 2013 10:18:06 -0600 (MDT) from unknown[5.174.118.246]; from= to= proto=ESMTP helo= May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: warning: header Subject: I cant be the only one in this from unknown[5.174.118.246]; from= to= proto=ESMTP helo= May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: message-id=<9BAEEC48-4130-08D1-E84A-F0DF63F3D233 at apn-37-7-144-188.dynamic.gprs.plus.pl> May 15 10:18:13 mg08 MailScanner[4633]: Message 780574C02AB.A2DEA from 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, SpamAssassin (not cached, score=16.991, required 6, autolearn=disabled, CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) May 15 10:18:13 mg08 MailScanner[4633]: Non-delivery of spam: message 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to xxxxxxxx at cnm.edu with subject I cant be the only one in this May 15 10:18:13 mg08 MailScanner[4633]: Spam Actions: message 780574C02AB.A2DEA actions are store May 15 10:20:54 mg08 MailScanner[7342]: Making attempt 2 at processing message 780574C02AB.A2DEA May 15 10:20:54 mg08 MailScanner[7342]: SpamAssassin cache hit for message 780574C02AB.A2DEA May 15 10:20:54 mg08 MailScanner[7342]: Message 780574C02AB.A2DEA from 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) May 15 10:20:54 mg08 MailScanner[7342]: Non-delivery of spam: message 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to xxxxxxxx at cnm.edu with subject I cant be the only one in this May 15 10:20:54 mg08 MailScanner[7342]: Spam Actions: message 780574C02AB.A2DEA actions are store May 15 10:25:16 mg08 MailScanner[4579]: Making attempt 3 at processing message 780574C02AB.A2DEA May 15 10:25:16 mg08 MailScanner[4579]: SpamAssassin cache hit for message 780574C02AB.A2DEA May 15 10:25:16 mg08 MailScanner[4579]: Message 780574C02AB.A2DEA from 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) May 15 10:25:16 mg08 MailScanner[4579]: Non-delivery of spam: message 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to xxxxxxxx at cnm.edu with subject I cant be the only one in this May 15 10:25:16 mg08 MailScanner[4579]: Spam Actions: message 780574C02AB.A2DEA actions are store May 15 10:28:34 mg08 MailScanner[4746]: Making attempt 4 at processing message 780574C02AB.A2DEA May 15 10:28:34 mg08 MailScanner[4746]: SpamAssassin cache hit for message 780574C02AB.A2DEA May 15 10:28:34 mg08 MailScanner[4746]: Message 780574C02AB.A2DEA from 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) May 15 10:28:34 mg08 MailScanner[4746]: Non-delivery of spam: message 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to xxxxxxxx at cnm.edu with subject I cant be the only one in this May 15 10:28:34 mg08 MailScanner[4746]: Spam Actions: message 780574C02AB.A2DEA actions are store May 15 10:30:38 mg08 MailScanner[7382]: Making attempt 5 at processing message 780574C02AB.A2DEA May 15 10:30:38 mg08 MailScanner[7382]: SpamAssassin cache hit for message 780574C02AB.A2DEA May 15 10:30:38 mg08 MailScanner[7382]: Message 780574C02AB.A2DEA from 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) May 15 10:30:38 mg08 MailScanner[7382]: Non-delivery of spam: message 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to xxxxxxxx at cnm.edu with subject I cant be the only one in this May 15 10:30:38 mg08 MailScanner[7382]: Spam Actions: message 780574C02AB.A2DEA actions are store May 15 10:34:24 mg08 MailScanner[7439]: Making attempt 6 at processing message 780574C02AB.A2DEA May 15 10:34:24 mg08 MailScanner[7439]: SpamAssassin cache hit for message 780574C02AB.A2DEA May 15 10:34:24 mg08 MailScanner[7439]: Message 780574C02AB.A2DEA from 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) May 15 10:34:24 mg08 MailScanner[7439]: Non-delivery of spam: message 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to xxxxxxxx at cnm.edu with subject I cant be the only one in this May 15 10:34:24 mg08 MailScanner[7439]: Spam Actions: message 780574C02AB.A2DEA actions are store May 15 10:34:24 mg08 MailScanner[7422]: Warning: skipping message 780574C02AB.A2DEA as it has been attempted too many times May 15 10:34:24 mg08 MailScanner[7422]: Quarantined message 780574C02AB.A2DEA as it caused MailScanner to crash several times May 15 10:34:24 mg08 MailScanner[7422]: Saved entire message to /var/spool/MailScanner/quarantine/20130515/780574C02AB.A2DEA Do I have a MailScanner configuration problem or is this expected behavior? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From GAFaith at asdm.net Wed May 15 21:53:21 2013 From: GAFaith at asdm.net (Gary Faith) Date: Wed, 15 May 2013 16:53:21 -0400 Subject: MailScanner: Message attempted to kill MailScanner Message-ID: <5193BD810200002D00013AEB@sparky.asdm.net> There seems to be a problem with TNEF for this message and others messages from this senter. The sender refuses to disable RTF in Outlook and the receiver wants the messages from the sender. So I am stuck trying to figure out how to fix this problem. - MailScanner is running on SLES 10 SP4 64-bit, MailScanner Version Number = 4.84.5 - Expand TNEF = yes - Use TNEF Contents = replace - TNEF Expander = internal - TNEF Timeout = 120 Any ideas/suggestions? Change to external TNEF expander? Increase the TNEF timeout? May 9 09:57:39 mscan MailScanner[8751]: Expanding TNEF archive at /var/spool/MailScanner/incoming/8751/r49DvZfK008854/winmail.dat May 9 09:57:39 mscan MailScanner[8751]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 09:57:39 mscan MailScanner[8751]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:02:16 mscan MailScanner[19826]: Making attempt 2 at processing message r49DvZfK008854 May 9 10:02:16 mscan MailScanner[19826]: Expanding TNEF archive at /var/spool/MailScanner/incoming/19826/r49DvZfK008854/winmail.dat May 9 10:02:16 mscan MailScanner[19826]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:02:16 mscan MailScanner[19826]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:07:02 mscan MailScanner[9910]: Making attempt 3 at processing message r49DvZfK008854 May 9 10:07:02 mscan MailScanner[9910]: Expanding TNEF archive at /var/spool/MailScanner/incoming/9910/r49DvZfK008854/winmail.dat May 9 10:07:02 mscan MailScanner[9910]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:07:02 mscan MailScanner[9910]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:11:39 mscan MailScanner[9686]: Making attempt 4 at processing message r49DvZfK008854 May 9 10:11:39 mscan MailScanner[9686]: Expanding TNEF archive at /var/spool/MailScanner/incoming/9686/r49DvZfK008854/winmail.dat May 9 10:11:39 mscan MailScanner[9686]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:11:39 mscan MailScanner[9686]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:15:58 mscan MailScanner[10523]: Making attempt 5 at processing message r49DvZfK008854 May 9 10:15:58 mscan MailScanner[10523]: Expanding TNEF archive at /var/spool/MailScanner/incoming/10523/r49DvZfK008854/winmail.dat May 9 10:15:58 mscan MailScanner[10523]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:15:58 mscan MailScanner[10523]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:21:47 mscan MailScanner[9923]: Making attempt 6 at processing message r49DvZfK008854 May 9 10:21:48 mscan MailScanner[9923]: Expanding TNEF archive at /var/spool/MailScanner/incoming/9923/r49DvZfK008854/winmail.dat May 9 10:21:48 mscan MailScanner[9923]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:21:48 mscan MailScanner[9923]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:21:58 mscan MailScanner[11166]: Warning: skipping message r49DvZfK008854 as it has been attempted too many times May 9 10:21:58 mscan MailScanner[11166]: Quarantined message r49DvZfK008854 as it caused MailScanner to crash several times Thanks, Gary -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130515/369aa69c/attachment.html From Kevin_Miller at ci.juneau.ak.us Wed May 15 22:08:02 2013 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed, 15 May 2013 13:08:02 -0800 Subject: MailScanner: Message attempted to kill MailScanner In-Reply-To: <5193BD810200002D00013AEB@sparky.asdm.net> References: <5193BD810200002D00013AEB@sparky.asdm.net> Message-ID: See the following in your MailScanner.conf. I'd try using a ruleset for that joker - let his mail through but use the default action for any others. # Some versions of Microsoft Outlook generate unparsable Rich Text # format attachments. Do we want to deliver these bad attachments anyway? # Setting this to yes introduces the slight risk of a virus getting through, # but if you have a lot of troubled Outlook users you might need to do this. # We are working on a replacement for the TNEF decoder. # This can also be the filename of a ruleset. Deliver Unparsable TNEF = no ?...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Gary Faith Sent: Wednesday, May 15, 2013 12:53 PM To: mailscanner at lists.mailscanner.info Subject: MailScanner: Message attempted to kill MailScanner There seems to be a problem with TNEF for this message and others messages from this senter.? The sender refuses to disable RTF in Outlook and the receiver wants the messages from the sender.? So I am stuck trying to figure out how to fix this problem.? ? -? MailScanner is running on SLES 10 SP4 64-bit, MailScanner Version Number = 4.84.5 -? Expand TNEF = yes -? Use TNEF Contents = replace -? TNEF Expander = internal -? TNEF Timeout = 120 Any ideas/suggestions?? Change to external TNEF expander?? Increase the TNEF timeout?? ? May 9 09:57:39 mscan MailScanner[8751]: Expanding TNEF archive at /var/spool/MailScanner/incoming/8751/r49DvZfK008854/winmail.dat May 9 09:57:39 mscan MailScanner[8751]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 09:57:39 mscan MailScanner[8751]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:02:16 mscan MailScanner[19826]: Making attempt 2 at processing message r49DvZfK008854 May 9 10:02:16 mscan MailScanner[19826]: Expanding TNEF archive at /var/spool/MailScanner/incoming/19826/r49DvZfK008854/winmail.dat May 9 10:02:16 mscan MailScanner[19826]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:02:16 mscan MailScanner[19826]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:07:02 mscan MailScanner[9910]: Making attempt 3 at processing message r49DvZfK008854 May 9 10:07:02 mscan MailScanner[9910]: Expanding TNEF archive at /var/spool/MailScanner/incoming/9910/r49DvZfK008854/winmail.dat May 9 10:07:02 mscan MailScanner[9910]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:07:02 mscan MailScanner[9910]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:11:39 mscan MailScanner[9686]: Making attempt 4 at processing message r49DvZfK008854 May 9 10:11:39 mscan MailScanner[9686]: Expanding TNEF archive at /var/spool/MailScanner/incoming/9686/r49DvZfK008854/winmail.dat May 9 10:11:39 mscan MailScanner[9686]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:11:39 mscan MailScanner[9686]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:15:58 mscan MailScanner[10523]: Making attempt 5 at processing message r49DvZfK008854 May 9 10:15:58 mscan MailScanner[10523]: Expanding TNEF archive at /var/spool/MailScanner/incoming/10523/r49DvZfK008854/winmail.dat May 9 10:15:58 mscan MailScanner[10523]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:15:58 mscan MailScanner[10523]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:21:47 mscan MailScanner[9923]: Making attempt 6 at processing message r49DvZfK008854 May 9 10:21:48 mscan MailScanner[9923]: Expanding TNEF archive at /var/spool/MailScanner/incoming/9923/r49DvZfK008854/winmail.dat May 9 10:21:48 mscan MailScanner[9923]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:21:48 mscan MailScanner[9923]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:21:58 mscan MailScanner[11166]: Warning: skipping message r49DvZfK008854 as it has been attempted too many times May 9 10:21:58 mscan MailScanner[11166]: Quarantined message r49DvZfK008854 as it caused MailScanner to crash several times Thanks, Gary From david.hill at ubisoft.com Wed May 15 23:02:42 2013 From: david.hill at ubisoft.com (David Hill) Date: Wed, 15 May 2013 18:02:42 -0400 Subject: MailScanner: Message attempted to kill MailScanner In-Reply-To: <5193BD810200002D00013AEB@sparky.asdm.net> References: <5193BD810200002D00013AEB@sparky.asdm.net> Message-ID: <710D4D6CE160654C87478D18385BB9972673CE77CE@MDC-MAIL-CMS01.ubisoft.org> Are you using internal or external TNEF expender? If you're using the external one, you need the patch I sent some time ago... Dave From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Gary Faith Sent: May-15-13 4:53 PM To: mailscanner at lists.mailscanner.info Subject: MailScanner: Message attempted to kill MailScanner There seems to be a problem with TNEF for this message and others messages from this senter. The sender refuses to disable RTF in Outlook and the receiver wants the messages from the sender. So I am stuck trying to figure out how to fix this problem. - MailScanner is running on SLES 10 SP4 64-bit, MailScanner Version Number = 4.84.5 - Expand TNEF = yes - Use TNEF Contents = replace - TNEF Expander = internal - TNEF Timeout = 120 Any ideas/suggestions? Change to external TNEF expander? Increase the TNEF timeout? May 9 09:57:39 mscan MailScanner[8751]: Expanding TNEF archive at /var/spool/MailScanner/incoming/8751/r49DvZfK008854/winmail.dat May 9 09:57:39 mscan MailScanner[8751]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 09:57:39 mscan MailScanner[8751]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:02:16 mscan MailScanner[19826]: Making attempt 2 at processing message r49DvZfK008854 May 9 10:02:16 mscan MailScanner[19826]: Expanding TNEF archive at /var/spool/MailScanner/incoming/19826/r49DvZfK008854/winmail.dat May 9 10:02:16 mscan MailScanner[19826]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:02:16 mscan MailScanner[19826]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:07:02 mscan MailScanner[9910]: Making attempt 3 at processing message r49DvZfK008854 May 9 10:07:02 mscan MailScanner[9910]: Expanding TNEF archive at /var/spool/MailScanner/incoming/9910/r49DvZfK008854/winmail.dat May 9 10:07:02 mscan MailScanner[9910]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:07:02 mscan MailScanner[9910]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:11:39 mscan MailScanner[9686]: Making attempt 4 at processing message r49DvZfK008854 May 9 10:11:39 mscan MailScanner[9686]: Expanding TNEF archive at /var/spool/MailScanner/incoming/9686/r49DvZfK008854/winmail.dat May 9 10:11:39 mscan MailScanner[9686]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:11:39 mscan MailScanner[9686]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:15:58 mscan MailScanner[10523]: Making attempt 5 at processing message r49DvZfK008854 May 9 10:15:58 mscan MailScanner[10523]: Expanding TNEF archive at /var/spool/MailScanner/incoming/10523/r49DvZfK008854/winmail.dat May 9 10:15:58 mscan MailScanner[10523]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:15:58 mscan MailScanner[10523]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:21:47 mscan MailScanner[9923]: Making attempt 6 at processing message r49DvZfK008854 May 9 10:21:48 mscan MailScanner[9923]: Expanding TNEF archive at /var/spool/MailScanner/incoming/9923/r49DvZfK008854/winmail.dat May 9 10:21:48 mscan MailScanner[9923]: Message r49DvZfK008854 added TNEF contents RFI265-PlatformPG4PG5ColConns.doc,Picture(DeviceIndependentBitmap) May 9 10:21:48 mscan MailScanner[9923]: Message r49DvZfK008854 has had TNEF winmail.dat removed May 9 10:21:58 mscan MailScanner[11166]: Warning: skipping message r49DvZfK008854 as it has been attempted too many times May 9 10:21:58 mscan MailScanner[11166]: Quarantined message r49DvZfK008854 as it caused MailScanner to crash several times Thanks, Gary -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130515/265cc4e2/attachment.html From maxsec at gmail.com Thu May 16 11:24:13 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Thu, 16 May 2013 11:24:13 +0100 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: not normal, but it's telling you whats happening as it can't get a proper scan out of the message. I'd check you're permissions and the like are good to start with then run the problem message through a debug session (loggied in as postfix user first so you get a proper look at any permissions issues) -- Martin Hepworth, CISSP Oxford, UK On 15 May 2013 18:31, Robert Lopez wrote: > Do I have a MailScanner configuration problem or is this expected behavior? > > MailScanner 4.84.5-3 > Clamd 0.97.7-1 > SpamAssassin 3.3.1 > Perl 5.10.1 > Postfix 2.10.0 > > A new email gateway is sending the much discussed "Problem Email" > messages. As far as I see there is not a problem with anything other > than the emails that are listed in the "Problem Email" messages. > > However, I see a pattern that looks like this, where there are > apparently multiple attempts to scan of each email by SpamAssassin: > > May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: hold: header > Received: from apn-37-7-144-188.dynamic.gprs.plus.pl (unknown > [5.174.118.246])??by mg08.cnm.edu (Postfix) with ESMTP id > 780574C02AB??for ; Wed, 15 May 2013 10:18:06 -0600 > (MDT) from unknown[5.174.118.246]; > from= to= > proto=ESMTP helo= > May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: warning: > header Subject: I cant be the only one in this from > unknown[5.174.118.246]; from= > to= proto=ESMTP > helo= > May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: > message-id=< > 9BAEEC48-4130-08D1-E84A-F0DF63F3D233 at apn-37-7-144-188.dynamic.gprs.plus.pl > > > May 15 10:18:13 mg08 MailScanner[4633]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (not cached, score=16.991, required 6, > autolearn=disabled, CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, > RDNS_NONE 1.27, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM > 1.70, URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:18:13 mg08 MailScanner[4633]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:18:13 mg08 MailScanner[4633]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:20:54 mg08 MailScanner[7342]: Making attempt 2 at processing > message 780574C02AB.A2DEA > May 15 10:20:54 mg08 MailScanner[7342]: SpamAssassin cache hit for > message 780574C02AB.A2DEA > May 15 10:20:54 mg08 MailScanner[7342]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, > CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, > URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, > URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:20:54 mg08 MailScanner[7342]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:20:54 mg08 MailScanner[7342]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:25:16 mg08 MailScanner[4579]: Making attempt 3 at processing > message 780574C02AB.A2DEA > May 15 10:25:16 mg08 MailScanner[4579]: SpamAssassin cache hit for > message 780574C02AB.A2DEA > May 15 10:25:16 mg08 MailScanner[4579]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, > CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, > URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, > URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:25:16 mg08 MailScanner[4579]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:25:16 mg08 MailScanner[4579]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:28:34 mg08 MailScanner[4746]: Making attempt 4 at processing > message 780574C02AB.A2DEA > May 15 10:28:34 mg08 MailScanner[4746]: SpamAssassin cache hit for > message 780574C02AB.A2DEA > May 15 10:28:34 mg08 MailScanner[4746]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, > CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, > URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, > URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:28:34 mg08 MailScanner[4746]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:28:34 mg08 MailScanner[4746]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:30:38 mg08 MailScanner[7382]: Making attempt 5 at processing > message 780574C02AB.A2DEA > May 15 10:30:38 mg08 MailScanner[7382]: SpamAssassin cache hit for > message 780574C02AB.A2DEA > May 15 10:30:38 mg08 MailScanner[7382]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, > CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, > URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, > URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:30:38 mg08 MailScanner[7382]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:30:38 mg08 MailScanner[7382]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:34:24 mg08 MailScanner[7439]: Making attempt 6 at processing > message 780574C02AB.A2DEA > May 15 10:34:24 mg08 MailScanner[7439]: SpamAssassin cache hit for > message 780574C02AB.A2DEA > May 15 10:34:24 mg08 MailScanner[7439]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, > CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, > URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, > URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:34:24 mg08 MailScanner[7439]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:34:24 mg08 MailScanner[7439]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:34:24 mg08 MailScanner[7422]: Warning: skipping message > 780574C02AB.A2DEA as it has been attempted too many times > May 15 10:34:24 mg08 MailScanner[7422]: Quarantined message > 780574C02AB.A2DEA as it caused MailScanner to crash several times > May 15 10:34:24 mg08 MailScanner[7422]: Saved entire message to > /var/spool/MailScanner/quarantine/20130515/780574C02AB.A2DEA > > > Do I have a MailScanner configuration problem or is this expected behavior? > > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130516/35feac7a/attachment.html From johnnyb at marlboro.edu Thu May 16 17:28:20 2013 From: johnnyb at marlboro.edu (John Baker) Date: Thu, 16 May 2013 12:28:20 -0400 Subject: MailScanner debug hanging Message-ID: Hi, I'm finishing a new mailserver build with the last stable MailScanner. I ran MailScanner --debug to check for problems and it keeps hanging after Building a message batch to scan... However MailScanner --lint works ok. How can I get debug information on why debug won't run properly? Any suggestions for sorting this out? -- John Baker Network Administrator Marlboro College Phone: 451-7551 Cell: 490-0066 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130516/a5a3d712/attachment.html From Denis.Beauchemin at usherbrooke.ca Thu May 16 18:25:16 2013 From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin) Date: Thu, 16 May 2013 17:25:16 +0000 Subject: MailScanner debug hanging In-Reply-To: References: Message-ID: John, I believe this is normal as MailScanner waits for some emails to process. It should print debugging information as soon as it receives some emails and then exit. Denis De : mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] De la part de John Baker Envoy? : 16 mai 2013 12:37 ? : mailscanner at lists.mailscanner.info Objet : MailScanner debug hanging Hi, I'm finishing a new mailserver build with the last stable MailScanner. I ran MailScanner --debug to check for problems and it keeps hanging after Building a message batch to scan... However MailScanner --lint works ok. How can I get debug information on why debug won't run properly? Any suggestions for sorting this out? -- John Baker Network Administrator Marlboro College Phone: 451-7551 Cell: 490-0066 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130516/7e73652c/attachment.html From rlopezcnm at gmail.com Thu May 16 19:21:50 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Thu, 16 May 2013 12:21:50 -0600 Subject: MailScanner debug hanging In-Reply-To: References: Message-ID: On Thu, May 16, 2013 at 10:28 AM, John Baker wrote: > Hi, I'm finishing a new mailserver build with the last stable MailScanner. I > ran MailScanner --debug to check for problems and it keeps hanging after > Building a message batch to scan... > > However MailScanner --lint works ok. > > How can I get debug information on why debug won't run properly? Any > suggestions for sorting this out? > > -- > John Baker > Network Administrator > Marlboro College > Phone: 451-7551 Cell: 490-0066 > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > run it again with --lint. These will sit and wait for a batch: MailScanner --debug MailScanner --debug --debug-sa These will not wait for a batch: MailScanner --debug --lint MailScanner --debug --debug-sa --lint There is strace as in: strace MailScanner --debug -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From rlopezcnm at gmail.com Thu May 16 19:35:27 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Thu, 16 May 2013 12:35:27 -0600 Subject: MailScanner debug hanging In-Reply-To: References: Message-ID: On Thu, May 16, 2013 at 12:21 PM, Robert Lopez wrote: > On Thu, May 16, 2013 at 10:28 AM, John Baker wrote: >> Hi, I'm finishing a new mailserver build with the last stable MailScanner. I >> ran MailScanner --debug to check for problems and it keeps hanging after >> Building a message batch to scan... >> >> However MailScanner --lint works ok. >> >> How can I get debug information on why debug won't run properly? Any >> suggestions for sorting this out? >> >> -- >> John Baker >> Network Administrator >> Marlboro College >> Phone: 451-7551 Cell: 490-0066 >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > run it again with --lint. > > These will sit and wait for a batch: > MailScanner --debug > MailScanner --debug --debug-sa > > These will not wait for a batch: > MailScanner --debug --lint > MailScanner --debug --debug-sa --lint > > There is strace as in: > strace MailScanner --debug > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 I think I must take back the running of lint with debug. I just double checked that and all that really runs is the lint. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From maxsec at gmail.com Thu May 16 20:09:42 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Thu, 16 May 2013 20:09:42 +0100 Subject: MailScanner debug hanging In-Reply-To: References: Message-ID: make sure you're permissions are good on the working directories etc -- Martin Hepworth, CISSP Oxford, UK On 16 May 2013 19:35, Robert Lopez wrote: > On Thu, May 16, 2013 at 12:21 PM, Robert Lopez > wrote: > > On Thu, May 16, 2013 at 10:28 AM, John Baker > wrote: > >> Hi, I'm finishing a new mailserver build with the last stable > MailScanner. I > >> ran MailScanner --debug to check for problems and it keeps hanging after > >> Building a message batch to scan... > >> > >> However MailScanner --lint works ok. > >> > >> How can I get debug information on why debug won't run properly? Any > >> suggestions for sorting this out? > >> > >> -- > >> John Baker > >> Network Administrator > >> Marlboro College > >> Phone: 451-7551 Cell: 490-0066 > >> > >> -- > >> MailScanner mailing list > >> mailscanner at lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > > > > run it again with --lint. > > > > These will sit and wait for a batch: > > MailScanner --debug > > MailScanner --debug --debug-sa > > > > These will not wait for a batch: > > MailScanner --debug --lint > > MailScanner --debug --debug-sa --lint > > > > There is strace as in: > > strace MailScanner --debug > > > > -- > > Robert Lopez > > Unix Systems Administrator > > Central New Mexico Community College (CNM) > > 525 Buena Vista SE > > Albuquerque, New Mexico 87106 > > I think I must take back the running of lint with debug. > I just double checked that and all that really runs is the lint. > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130516/f6317c02/attachment.html From mark at msapiro.net Thu May 16 22:48:36 2013 From: mark at msapiro.net (Mark Sapiro) Date: Thu, 16 May 2013 14:48:36 -0700 Subject: ScamNailer info not updated [solved] In-Reply-To: References: <518A9D5B.4060400@msapiro.net> <5191B016.4090500@msapiro.net> Message-ID: <51955434.8040707@msapiro.net> On 05/14/2013 03:32 AM -0700, Matt Hampton wrote: > All > > This has been fixed - it may take up to a day for everything to work > through the system but I have seen an update go through on the DNS provider. As of now (over 59 hours later), this still doesn't work for me. ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> txt emails.msupdate.greylist.bastionmail.com @ns1.linode.com ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12860 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 10 ;; QUESTION SECTION: ;emails.msupdate.greylist.bastionmail.com. IN TXT ;; ANSWER SECTION: emails.msupdate.greylist.bastionmail.com. 3600 IN TXT "emails.2013-164.6" Should I be querying a different domain? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From rlopezcnm at gmail.com Fri May 17 01:08:30 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Thu, 16 May 2013 18:08:30 -0600 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: On Thu, May 16, 2013 at 4:24 AM, Martin Hepworth wrote: > not normal, but it's telling you whats happening as it can't get a proper > scan out of the message. I'd check you're permissions and the like are good > to start with > then run the problem message through a debug session (loggied in as postfix > user first so you get a proper look at any permissions issues) You lost me on "logged in as postfix" ... # grep postfix /etc/passwd postfix:x:89:89::/var/spool/postfix:/sbin/nologin The above is from the new RHEL gateway. All our older Ubuntu gateways are ... # grep postfix /etc/passwd postfix:x:108:116::/var/spool/postfix:/bin/false I never considered that Run As User = postfix Run As Group = postfix actually required the postfix account to support being "logged into". Do you mean sudo -u postfix MailScanner ... ? If I do "sudo -u postfix MailScanner --lint" both this new and the older gateways (which have been working for years) fail but fail differently (different versions of MailScanner as well). How do I "run the problem message through a debug session"? In the man pages and in the book I have failed to see how to do that. -- Robert Lopez From richard at fastnet.co.uk Fri May 17 16:53:21 2013 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri, 17 May 2013 15:53:21 +0000 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: <6EE47AF64C339A4F8F7F50507241B3794973CE@BTN-EXCHANGE-V1.fastnet.local> Robert, You need to change user to postfix, so - su postfix For Ubuntu, I would normally 'su' to root first, then - su postfix http://manpages.ubuntu.com/manpages/jaunty/man1/su.1.html Thanks, -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Robert Lopez Sent: 17 May 2013 01:09 To: MailScanner discussion Subject: Re: Single email, multiple Spamassassin attempls On Thu, May 16, 2013 at 4:24 AM, Martin Hepworth wrote: > not normal, but it's telling you whats happening as it can't get a > proper scan out of the message. I'd check you're permissions and the > like are good to start with then run the problem message through a > debug session (loggied in as postfix user first so you get a proper > look at any permissions issues) You lost me on "logged in as postfix" ... # grep postfix /etc/passwd postfix:x:89:89::/var/spool/postfix:/sbin/nologin The above is from the new RHEL gateway. All our older Ubuntu gateways are ... # grep postfix /etc/passwd postfix:x:108:116::/var/spool/postfix:/bin/false I never considered that Run As User = postfix Run As Group = postfix actually required the postfix account to support being "logged into". Do you mean sudo -u postfix MailScanner ... ? If I do "sudo -u postfix MailScanner --lint" both this new and the older gateways (which have been working for years) fail but fail differently (different versions of MailScanner as well). How do I "run the problem message through a debug session"? In the man pages and in the book I have failed to see how to do that. -- Robert Lopez -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From jerry.benton at mailborder.com Fri May 17 17:52:19 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 17 May 2013 18:52:19 +0200 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: Robert, There are three primary things I check for when dealing with this problem: 1. Selinux. You know the drill for this one. 2. MailScanner Run As and directory ownership and permissions. 3. Making sure you add the -U option to MailScanner for the newer versions of perl. sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner Jerry Benton On Wed, May 15, 2013 at 7:31 PM, Robert Lopez wrote: > Do I have a MailScanner configuration problem or is this expected behavior? > > MailScanner 4.84.5-3 > Clamd 0.97.7-1 > SpamAssassin 3.3.1 > Perl 5.10.1 > Postfix 2.10.0 > > A new email gateway is sending the much discussed "Problem Email" > messages. As far as I see there is not a problem with anything other > than the emails that are listed in the "Problem Email" messages. > > However, I see a pattern that looks like this, where there are > apparently multiple attempts to scan of each email by SpamAssassin: > > May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: hold: header > Received: from apn-37-7-144-188.dynamic.gprs.plus.pl (unknown > [5.174.118.246])??by mg08.cnm.edu (Postfix) with ESMTP id > 780574C02AB??for ; Wed, 15 May 2013 10:18:06 -0600 > (MDT) from unknown[5.174.118.246]; > from= to= > proto=ESMTP helo= > May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: warning: > header Subject: I cant be the only one in this from > unknown[5.174.118.246]; from= > to= proto=ESMTP > helo= > May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: > message-id=< > 9BAEEC48-4130-08D1-E84A-F0DF63F3D233 at apn-37-7-144-188.dynamic.gprs.plus.pl > > > May 15 10:18:13 mg08 MailScanner[4633]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (not cached, score=16.991, required 6, > autolearn=disabled, CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, > RDNS_NONE 1.27, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM > 1.70, URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:18:13 mg08 MailScanner[4633]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:18:13 mg08 MailScanner[4633]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:20:54 mg08 MailScanner[7342]: Making attempt 2 at processing > message 780574C02AB.A2DEA > May 15 10:20:54 mg08 MailScanner[7342]: SpamAssassin cache hit for > message 780574C02AB.A2DEA > May 15 10:20:54 mg08 MailScanner[7342]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, > CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, > URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, > URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:20:54 mg08 MailScanner[7342]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:20:54 mg08 MailScanner[7342]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:25:16 mg08 MailScanner[4579]: Making attempt 3 at processing > message 780574C02AB.A2DEA > May 15 10:25:16 mg08 MailScanner[4579]: SpamAssassin cache hit for > message 780574C02AB.A2DEA > May 15 10:25:16 mg08 MailScanner[4579]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, > CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, > URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, > URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:25:16 mg08 MailScanner[4579]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:25:16 mg08 MailScanner[4579]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:28:34 mg08 MailScanner[4746]: Making attempt 4 at processing > message 780574C02AB.A2DEA > May 15 10:28:34 mg08 MailScanner[4746]: SpamAssassin cache hit for > message 780574C02AB.A2DEA > May 15 10:28:34 mg08 MailScanner[4746]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, > CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, > URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, > URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:28:34 mg08 MailScanner[4746]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:28:34 mg08 MailScanner[4746]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:30:38 mg08 MailScanner[7382]: Making attempt 5 at processing > message 780574C02AB.A2DEA > May 15 10:30:38 mg08 MailScanner[7382]: SpamAssassin cache hit for > message 780574C02AB.A2DEA > May 15 10:30:38 mg08 MailScanner[7382]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, > CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, > URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, > URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:30:38 mg08 MailScanner[7382]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:30:38 mg08 MailScanner[7382]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:34:24 mg08 MailScanner[7439]: Making attempt 6 at processing > message 780574C02AB.A2DEA > May 15 10:34:24 mg08 MailScanner[7439]: SpamAssassin cache hit for > message 780574C02AB.A2DEA > May 15 10:34:24 mg08 MailScanner[7439]: Message 780574C02AB.A2DEA from > 5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam, > SpamAssassin (cached, score=16.991, required 6, autolearn=disabled, > CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27, > URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70, > URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66) > May 15 10:34:24 mg08 MailScanner[7439]: Non-delivery of spam: message > 780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to > xxxxxxxx at cnm.edu with subject I cant be the only one in this > May 15 10:34:24 mg08 MailScanner[7439]: Spam Actions: message > 780574C02AB.A2DEA actions are store > May 15 10:34:24 mg08 MailScanner[7422]: Warning: skipping message > 780574C02AB.A2DEA as it has been attempted too many times > May 15 10:34:24 mg08 MailScanner[7422]: Quarantined message > 780574C02AB.A2DEA as it caused MailScanner to crash several times > May 15 10:34:24 mg08 MailScanner[7422]: Saved entire message to > /var/spool/MailScanner/quarantine/20130515/780574C02AB.A2DEA > > > Do I have a MailScanner configuration problem or is this expected behavior? > > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130517/5dcffdf7/attachment.html From rlopezcnm at gmail.com Fri May 17 20:08:35 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Fri, 17 May 2013 13:08:35 -0600 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: On Fri, May 17, 2013 at 10:52 AM, Jerry Benton wrote: > Robert, > > There are three primary things I check for when dealing with this problem: > > 1. Selinux. You know the drill for this one. > 2. MailScanner Run As and directory ownership and permissions. > 3. Making sure you add the -U option to MailScanner for the newer versions > of perl. > > sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner > > > Jerry Benton Jerry, I really believe selinux not an issue in this case. /etc/MailScanner/MailScanner.conf: Run As User = /etc/MailScanner/MailScanner.conf:Run As Group = /etc/MailScanner/conf.d/CNM-MailScanner.conf:Run As User = postfix /etc/MailScanner/conf.d/CNM-MailScanner.conf:Run As Group = postfix I have seen you advise the -U many times in this discussion group. I have always been hesitant to allow unsafe operations, favouring fixing them if possible. I do see something is changing group of /var/spool/MailScanner/incoming to: drwxrwxr-x 9 postfix clamav 4096 May 17 12:50 /var/spool/MailScanner/incoming/ I have tried to change it to postfix postfix but it changes back to as above. (To change I stop postfix, MailScanner, and clamd; make changes; start all) Worse, I think, is I see this: drwxr-x--- 2 postfix clamav 4096 May 17 12:45 /var/spool/MailScanner/incoming/17603/ drwxr-x--- 2 postfix clamav 4096 May 17 12:47 /var/spool/MailScanner/incoming/17637/ drwxr-x--- 2 postfix clamav 4096 May 17 12:50 /var/spool/MailScanner/incoming/17661/ ... Are you aware of any unsafe perl code that is involved in this situation that if allowed to run would fix this problem? Kind Regards -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From rlopezcnm at gmail.com Fri May 17 20:20:48 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Fri, 17 May 2013 13:20:48 -0600 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: > On Fri, May 17, 2013 at 10:52 AM, Jerry Benton >> sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner [root at mg08 ~]# service clamd start Starting Clam AntiVirus Daemon: [ OK ] [root at mg08 ~]# service MailScanner start Starting MailScanner and postfix: postfix: [ OK ] MailScanner: [ OK ] [root at mg08 ~]# find /var/spool -group clamav /var/spool/MailScanner/incoming /var/spool/MailScanner/incoming/18338 /var/spool/MailScanner/incoming/18315 [root at mg08 ~]# find /var/spool -group clamav -exec chgrp postfix {} \; [root at mg08 ~]# find /var/spool -group clamav [root at mg08 ~]# sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner [root at mg08 ~]# head -1 /usr/sbin/MailScanner #!/usr/bin/perl -U -I/usr/lib/MailScanner [root at mg08 ~]# service clamd start Starting Clam AntiVirus Daemon: [ OK ] [root at mg08 ~]# service MailScanner start Starting MailScanner and postfix: postfix: [ OK ] MailScanner: [ OK ] [root at mg08 ~]# find /var/spool -group clamav /var/spool/MailScanner/incoming /var/spool/MailScanner/incoming/18589 -- Robert Lopez From johnnyb at marlboro.edu Fri May 17 20:35:41 2013 From: johnnyb at marlboro.edu (John Baker) Date: Fri, 17 May 2013 15:35:41 -0400 Subject: MailScanner debug hanging In-Reply-To: References: Message-ID: Ok, thanks all. I didn't realize that dbug worked differently than --lint in that way. On Thu, May 16, 2013 at 2:21 PM, Robert Lopez wrote: > On Thu, May 16, 2013 at 10:28 AM, John Baker wrote: > > Hi, I'm finishing a new mailserver build with the last stable > MailScanner. I > > ran MailScanner --debug to check for problems and it keeps hanging after > > Building a message batch to scan... > > > > However MailScanner --lint works ok. > > > > How can I get debug information on why debug won't run properly? Any > > suggestions for sorting this out? > > > > -- > > John Baker > > Network Administrator > > Marlboro College > > Phone: 451-7551 Cell: 490-0066 > > > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > run it again with --lint. > > These will sit and wait for a batch: > MailScanner --debug > MailScanner --debug --debug-sa > > These will not wait for a batch: > MailScanner --debug --lint > MailScanner --debug --debug-sa --lint > > There is strace as in: > strace MailScanner --debug > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- John Baker Network Administrator Marlboro College Phone: 451-7551 Cell: 490-0066 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130517/f3b1dbad/attachment.html From jerry.benton at mailborder.com Fri May 17 20:56:16 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 17 May 2013 21:56:16 +0200 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: As for Selinux, I wouldn't know without looking at the logs. I would of course try putting it in permissive mode and testing. If it does turn out to be Selinux, you can build your own policies from the logs. >From what I understand, the newer versions of Perl think some of the stuff MailScanner does is unsafe and therefore does not allow it. Hence adding the -U flag. Same program (MailScanner) as before, just a different version of Perl that will not let it do things it did in previous versions. I could of course be totally wrong. On Fri, May 17, 2013 at 9:08 PM, Robert Lopez wrote: > On Fri, May 17, 2013 at 10:52 AM, Jerry Benton > wrote: > > Robert, > > > > There are three primary things I check for when dealing with this > problem: > > > > 1. Selinux. You know the drill for this one. > > 2. MailScanner Run As and directory ownership and permissions. > > 3. Making sure you add the -U option to MailScanner for the newer > versions > > of perl. > > > > sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' > /usr/sbin/MailScanner > > > > > > Jerry Benton > > Jerry, > > I really believe selinux not an issue in this case. > > /etc/MailScanner/MailScanner.conf: Run As User = > /etc/MailScanner/MailScanner.conf:Run As Group = > /etc/MailScanner/conf.d/CNM-MailScanner.conf:Run As User = postfix > /etc/MailScanner/conf.d/CNM-MailScanner.conf:Run As Group = postfix > > I have seen you advise the -U many times in this discussion group. > I have always been hesitant to allow unsafe operations, favouring > fixing them if possible. > > I do see something is changing group of /var/spool/MailScanner/incoming to: > drwxrwxr-x 9 postfix clamav 4096 May 17 12:50 > /var/spool/MailScanner/incoming/ > > I have tried to change it to postfix postfix but it changes back to as > above. > (To change I stop postfix, MailScanner, and clamd; make changes; start all) > > Worse, I think, is I see this: > drwxr-x--- 2 postfix clamav 4096 May 17 12:45 > /var/spool/MailScanner/incoming/17603/ > drwxr-x--- 2 postfix clamav 4096 May 17 12:47 > /var/spool/MailScanner/incoming/17637/ > drwxr-x--- 2 postfix clamav 4096 May 17 12:50 > /var/spool/MailScanner/incoming/17661/ > ... > > Are you aware of any unsafe perl code that is involved in this > situation that if allowed to run would fix this problem? > > Kind Regards > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130517/2d4dc8bc/attachment.html From jerry.benton at mailborder.com Fri May 17 21:12:31 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 17 May 2013 22:12:31 +0200 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: Does that mean they cleared? I also use a third group called mtagroup for this. I add both postfix and clamav to that group and in MailScanner.conf use the third group under Run As Group. (WIth permission 0660) This allows both postfix and clamav to access the files with no problem. On Fri, May 17, 2013 at 9:20 PM, Robert Lopez wrote: > > On Fri, May 17, 2013 at 10:52 AM, Jerry Benton > >> sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' > /usr/sbin/MailScanner > > [root at mg08 ~]# service clamd start > Starting Clam AntiVirus Daemon: [ OK ] > [root at mg08 ~]# service MailScanner start > Starting MailScanner and postfix: > postfix: [ OK ] > MailScanner: [ OK ] > [root at mg08 ~]# find /var/spool -group clamav > /var/spool/MailScanner/incoming > /var/spool/MailScanner/incoming/18338 > /var/spool/MailScanner/incoming/18315 > [root at mg08 ~]# find /var/spool -group clamav -exec chgrp postfix {} \; > [root at mg08 ~]# find /var/spool -group clamav > [root at mg08 ~]# sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' > /usr/sbin/MailScanner > [root at mg08 ~]# head -1 /usr/sbin/MailScanner > #!/usr/bin/perl -U -I/usr/lib/MailScanner > [root at mg08 ~]# service clamd start > Starting Clam AntiVirus Daemon: [ OK ] > [root at mg08 ~]# service MailScanner start > Starting MailScanner and postfix: > postfix: [ OK ] > MailScanner: [ OK ] > [root at mg08 ~]# find /var/spool -group clamav > /var/spool/MailScanner/incoming > /var/spool/MailScanner/incoming/18589 > > -- > Robert Lopez > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130517/17811669/attachment.html From jerry.benton at mailborder.com Fri May 17 21:14:49 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 17 May 2013 22:14:49 +0200 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: Hit send on accident on the last email. Example using the group: Incoming Work Group = mtagroup Quarantine Group = mtagroup Run As Group = mtagroup Incoming Work Permissions = 0660 Quarantine Permissions = 0660 On Fri, May 17, 2013 at 10:12 PM, Jerry Benton wrote: > Does that mean they cleared? > > I also use a third group called mtagroup for this. I add both postfix and > clamav to that group and in MailScanner.conf use the third group under Run > As Group. (WIth permission 0660) This allows both postfix and clamav to > access the files with no problem. > > > > On Fri, May 17, 2013 at 9:20 PM, Robert Lopez wrote: > >> > On Fri, May 17, 2013 at 10:52 AM, Jerry Benton >> >> sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' >> /usr/sbin/MailScanner >> >> [root at mg08 ~]# service clamd start >> Starting Clam AntiVirus Daemon: [ OK ] >> [root at mg08 ~]# service MailScanner start >> Starting MailScanner and postfix: >> postfix: [ OK ] >> MailScanner: [ OK ] >> [root at mg08 ~]# find /var/spool -group clamav >> /var/spool/MailScanner/incoming >> /var/spool/MailScanner/incoming/18338 >> /var/spool/MailScanner/incoming/18315 >> [root at mg08 ~]# find /var/spool -group clamav -exec chgrp postfix {} \; >> [root at mg08 ~]# find /var/spool -group clamav >> [root at mg08 ~]# sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' >> /usr/sbin/MailScanner >> [root at mg08 ~]# head -1 /usr/sbin/MailScanner >> #!/usr/bin/perl -U -I/usr/lib/MailScanner >> [root at mg08 ~]# service clamd start >> Starting Clam AntiVirus Daemon: [ OK ] >> [root at mg08 ~]# service MailScanner start >> Starting MailScanner and postfix: >> postfix: [ OK ] >> MailScanner: [ OK ] >> [root at mg08 ~]# find /var/spool -group clamav >> /var/spool/MailScanner/incoming >> /var/spool/MailScanner/incoming/18589 >> >> -- >> Robert Lopez >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130517/f06ecfa5/attachment.html From rlopezcnm at gmail.com Fri May 17 23:53:14 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Fri, 17 May 2013 16:53:14 -0600 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: Jerry, Acknowledge the selinux tips. Logs say no problem there. Made the -U change. No affect on problem. Thanks. -- Robert Lopez From rlopezcnm at gmail.com Sat May 18 01:10:44 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Fri, 17 May 2013 18:10:44 -0600 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: Commented out #Incoming Work Group = clamav #Incoming Work Permissions = 0640 in /etc/MailScanner/conf.d/CNM-MailScanner.conf The notes in MailScanner.conf still convince me I should those in. However, just went past the hourly time to receive a Problem Email report and there has been none. On Fri, May 17, 2013 at 4:53 PM, Robert Lopez wrote: > Jerry, > > Acknowledge the selinux tips. Logs say no problem there. > > Made the -U change. No affect on problem. Thanks. > > > -- > Robert Lopez -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From jerry.benton at mailborder.com Sat May 18 04:11:39 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Sat, 18 May 2013 05:11:39 +0200 Subject: Single email, multiple Spamassassin attempls In-Reply-To: References: Message-ID: If you don't define those in your custom config, it is using what is defined in /etc/MailScanner/MailScanner.conf. On Saturday, May 18, 2013, Robert Lopez wrote: > Commented out > #Incoming Work Group = clamav > #Incoming Work Permissions = 0640 > in /etc/MailScanner/conf.d/CNM-MailScanner.conf > > The notes in MailScanner.conf still convince me I should those in. > However, just went past the hourly time to receive a Problem Email > report and there has been none. > > > On Fri, May 17, 2013 at 4:53 PM, Robert Lopez > > wrote: > > Jerry, > > > > Acknowledge the selinux tips. Logs say no problem there. > > > > Made the -U change. No affect on problem. Thanks. > > > > > > -- > > Robert Lopez > > > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130518/90ae6d91/attachment.html From danc at bluestarshows.com Sat May 18 16:23:53 2013 From: danc at bluestarshows.com (Dan Carl) Date: Sat, 18 May 2013 10:23:53 -0500 Subject: permissions and ownership of /var/spool/incoming Message-ID: <51979D09.6060607@bluestarshows.com> Hi all, I never have any issues with Mailscanner the thing just works and works well. But when it comes to new installs that when you'll see me post here. I'm running a shiny new CentOS 6.4 box with postfix. I've tried everything but still getting error below when running MailScanner --lint. Could not open file >/var/spool/MailScanner/incoming/2614/1.header: Permission denied Cannot create + lock headers file /var/spool/MailScanner/incoming/2614/1.header, Permission denied at /usr/lib/MailScanner/MailScanner/Message.pm line 523 I set the permissions and ownership to: chown -R postfix.clam * chmod -R 750 * But Mailscanner sets the permissions to clam.root Thanks in advance Dan From Kevin_Miller at ci.juneau.ak.us Mon May 20 17:11:29 2013 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon, 20 May 2013 08:11:29 -0800 Subject: permissions and ownership of /var/spool/incoming In-Reply-To: <51979D09.6060607@bluestarshows.com> References: <51979D09.6060607@bluestarshows.com> Message-ID: On both my SLES and CentOS boxes running MailScanner an clamAV the user is clamav not clam. Double check the name of the account that clamav is actually running as. It can vary from distribution to distribution... ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Dan Carl Sent: Saturday, May 18, 2013 7:24 AM To: MailScanner discussion Subject: permissions and ownership of /var/spool/incoming Hi all, I never have any issues with Mailscanner the thing just works and works well. But when it comes to new installs that when you'll see me post here. I'm running a shiny new CentOS 6.4 box with postfix. I've tried everything but still getting error below when running MailScanner --lint. Could not open file >/var/spool/MailScanner/incoming/2614/1.header: Permission denied Cannot create + lock headers file /var/spool/MailScanner/incoming/2614/1.header, Permission denied at /usr/lib/MailScanner/MailScanner/Message.pm line 523 I set the permissions and ownership to: chown -R postfix.clam * chmod -R 750 * But Mailscanner sets the permissions to clam.root Thanks in advance Dan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From informatica at astoriapapeis.com.br Mon May 20 18:50:36 2013 From: informatica at astoriapapeis.com.br (=?iso-8859-1?Q?Inform=E1tica_-_Ast=F3ria_Pap=E9is_LTDA?=) Date: Mon, 20 May 2013 14:50:36 -0300 Subject: RES: MailScanner Digest, Vol 89, Issue 18 In-Reply-To: References: Message-ID: <000701ce5582$891c3640$9b54a2c0$@com.br> Sergio, apenas para seu conhecimento, recebi este e-mail, do mailscanner. -----Mensagem original----- De: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] Em nome de mailscanner-request at lists.mailscanner.info Enviada em: domingo, 19 de maio de 2013 08:00 Para: mailscanner at lists.mailscanner.info Assunto: MailScanner Digest, Vol 89, Issue 18 Send MailScanner mailing list submissions to mailscanner at lists.mailscanner.info To subscribe or unsubscribe via the World Wide Web, visit http://lists.mailscanner.info/mailman/listinfo/mailscanner or, via email, send a message with subject or body 'help' to mailscanner-request at lists.mailscanner.info You can reach the person managing the list at mailscanner-owner at lists.mailscanner.info When replying, please edit your Subject line so it is more specific than "Re: Contents of MailScanner digest..." Today's Topics: 1. permissions and ownership of /var/spool/incoming (Dan Carl) ---------------------------------------------------------------------- Message: 1 Date: Sat, 18 May 2013 10:23:53 -0500 From: Dan Carl Subject: permissions and ownership of /var/spool/incoming To: MailScanner discussion Message-ID: <51979D09.6060607 at bluestarshows.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hi all, I never have any issues with Mailscanner the thing just works and works well. But when it comes to new installs that when you'll see me post here. I'm running a shiny new CentOS 6.4 box with postfix. I've tried everything but still getting error below when running MailScanner --lint. Could not open file >/var/spool/MailScanner/incoming/2614/1.header: Permission denied Cannot create + lock headers file /var/spool/MailScanner/incoming/2614/1.header, Permission denied at /usr/lib/MailScanner/MailScanner/Message.pm line 523 I set the permissions and ownership to: chown -R postfix.clam * chmod -R 750 * But Mailscanner sets the permissions to clam.root Thanks in advance Dan ------------------------------ -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read the Wiki (http://wiki.mailscanner.info/). Support MailScanner development - buy the book off the website! End of MailScanner Digest, Vol 89, Issue 18 ******************************************* -- Esta mensagem foi verificada pelo sistema de antivmrus e acredita-se estar livre de perigo. -- Esta mensagem foi verificada pelo sistema de antiv?rus e acredita-se estar livre de perigo. From rlopezcnm at gmail.com Wed May 22 00:17:18 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Tue, 21 May 2013 17:17:18 -0600 Subject: permissions and ownership of /var/spool/incoming In-Reply-To: References: <51979D09.6060607@bluestarshows.com> Message-ID: On Mon, May 20, 2013 at 10:11 AM, Kevin Miller wrote: > On both my SLES and CentOS boxes running MailScanner an clamAV the user is clamav not clam. Double check the name of the account that clamav is actually running as. It can vary from distribution to distribution... > > ...Kevin > -- > Kevin Miller > Network/email Administrator, CBJ MIS Dept. > 155 South Seward Street > Juneau, Alaska 99801 > Phone: (907) 586-0242, Fax: (907) 586-4500 > Registered Linux User No: 307357 > -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Dan Carl > Sent: Saturday, May 18, 2013 7:24 AM > To: MailScanner discussion > Subject: permissions and ownership of /var/spool/incoming > > Hi all, > I never have any issues with Mailscanner the thing just works and works well. > But when it comes to new installs that when you'll see me post here. > I'm running a shiny new CentOS 6.4 box with postfix. > I've tried everything but still getting error below when running MailScanner --lint. > Could not open file >/var/spool/MailScanner/incoming/2614/1.header: > Permission denied > Cannot create + lock headers file > /var/spool/MailScanner/incoming/2614/1.header, Permission denied at /usr/lib/MailScanner/MailScanner/Message.pm line 523 I set the permissions and ownership to: > chown -R postfix.clam * > chmod -R 750 * > But Mailscanner sets the permissions to clam.root Thanks in advance Dan > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! I am not at all certain it is related, but also pay attention to the MailScanner.conf (or MailScanner/conf.d/your-conf-file) for the values of Incoming Work Group and Incoming Work Permissions. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From rlopezcnm at gmail.com Wed May 22 02:18:11 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Tue, 21 May 2013 19:18:11 -0600 Subject: Scan Messages = %rules-dir%/scan.messages.rules Message-ID: wrt "Scan Messages = %rules-dir%/scan.messages.rules" Three questions: 1) Does MailScanner do a case sensitive match when scan.messages.rules file is used? 2) Which "From:" does scan.messages.rules use (Envelope or Email Body)? 3) Does MailScanner directly implement the match and action or is this passed to SpamAssassin to do the match and action? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From maxsec at gmail.com Wed May 22 09:20:51 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Wed, 22 May 2013 09:20:51 +0100 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: References: Message-ID: 1) nope, email addresses are not case sensitive. 2) Envelope, MS always uses the Envelope-from in from parsing. 3) this is the 'big knob' that tells whether MailScanner scans the email or not. Way before it's passed to SA, anti-virus or checked by mailScanner again RBLS (independently of SA). etc. Be very careful with setting as it's basically sending email through with zero scanning. Might want to look at the the "Is definitely Not spam" setting. Normally this is only used for trusted ip-addresses not email 'from' addresses. hope that helps -- Martin Hepworth, CISSP Oxford, UK On 22 May 2013 02:18, Robert Lopez wrote: > wrt "Scan Messages = %rules-dir%/scan.messages.rules" > > Three questions: > > 1) Does MailScanner do a case sensitive match when > scan.messages.rules file is used? > > 2) Which "From:" does scan.messages.rules use (Envelope or Email Body)? > > 3) Does MailScanner directly implement the match and action or is this > passed to SpamAssassin to do the match and action? > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130522/53090ad8/attachment.html From sandro at e-den.it Wed May 22 10:40:32 2013 From: sandro at e-den.it (Alessandro Dentella) Date: Wed, 22 May 2013 11:40:32 +0200 Subject: storing messages Message-ID: <20130522094032.GA8174@ubuntu> Hi, I have several servers where storing messagges just works. Now i'm fighting to get spam and nonspanm messages stored in a new server that was not preared by me but seems correct, nevertheless I cant get messages stored. Relevant configuration directives are: Spam Actions = store High Scoring Spam Actions = store Spam Actions = store deliver header " Non Spam Actions = store deliver header "X-Spam-Status: No" Quarantine dir is /var/spool/MailScanner/quarantine/ and permissions are postfix.www-data root at smtp:/etc/MailScanner# find /var/spool/MailScanner/quarantine/ -ls 262148 4 drwxrwxr-x 3 postfix www-data 4096 May 22 06:25 /var/spool/MailScanner/quarantine/ 262166 4 drwxrwx--- 4 postfix www-data 4096 May 22 06:53 /var/spool/MailScanner/quarantine/20130522 262167 4 drwxrwx--- 2 postfix www-data 4096 May 22 11:37 /var/spool/MailScanner/quarantine/20130522/nonspam 262168 4 drwxrwx--- 2 postfix www-data 4096 May 22 11:38 /var/spool/MailScanner/quarantine/20130522/spam What should I check to understand why mailscanner is not storing them? The systems is debian squeeze: ii mailscanner 4.84.5-4~squeeze ii postfix 2.7.1-1+squeeze1 Thanks in advanced sandro *:-) From Jesper at witzel-vikar.dk Wed May 22 12:55:00 2013 From: Jesper at witzel-vikar.dk (Jesper Jensen) Date: Wed, 22 May 2013 13:55:00 +0200 Subject: Any thing new on missing updates on blacklist in mailscanner / fix or workaround? References: Message-ID: Hello ppl Is there a work around - we are still not getting updates for scamnailer and Mailscanner blacklist Log: ok Checking that /var/cache/ScamNailer/cache/2013-164.6 exists... ok I am working with: Current: 2013-164 - 6 and Status: 2013-164 - 6 No base update required And mailscanner still reads : Read 3966 hostnames from the phishing blacklists Any input is appreciated, Thank you /Jesper -----Oprindelig meddelelse----- Fra: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] P? vegne af mailscanner-request at lists.mailscanner.info Sendt: 22. maj 2013 13:00 Til: mailscanner at lists.mailscanner.info Emne: MailScanner Digest, Vol 89, Issue 20 Send MailScanner mailing list submissions to mailscanner at lists.mailscanner.info To subscribe or unsubscribe via the World Wide Web, visit http://lists.mailscanner.info/mailman/listinfo/mailscanner or, via email, send a message with subject or body 'help' to mailscanner-request at lists.mailscanner.info You can reach the person managing the list at mailscanner-owner at lists.mailscanner.info When replying, please edit your Subject line so it is more specific than "Re: Contents of MailScanner digest..." Today's Topics: 1. Re: permissions and ownership of /var/spool/incoming (Robert Lopez) 2. Scan Messages = %rules-dir%/scan.messages.rules (Robert Lopez) 3. Re: Scan Messages = %rules-dir%/scan.messages.rules (Martin Hepworth) ---------------------------------------------------------------------- Message: 1 Date: Tue, 21 May 2013 17:17:18 -0600 From: Robert Lopez Subject: Re: permissions and ownership of /var/spool/incoming To: MailScanner discussion Message-ID: Content-Type: text/plain; charset=ISO-8859-1 On Mon, May 20, 2013 at 10:11 AM, Kevin Miller wrote: > On both my SLES and CentOS boxes running MailScanner an clamAV the user is clamav not clam. Double check the name of the account that clamav is actually running as. It can vary from distribution to distribution... > > ...Kevin > -- > Kevin Miller > Network/email Administrator, CBJ MIS Dept. > 155 South Seward Street > Juneau, Alaska 99801 > Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: > 307357 -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Dan > Carl > Sent: Saturday, May 18, 2013 7:24 AM > To: MailScanner discussion > Subject: permissions and ownership of /var/spool/incoming > > Hi all, > I never have any issues with Mailscanner the thing just works and works well. > But when it comes to new installs that when you'll see me post here. > I'm running a shiny new CentOS 6.4 box with postfix. > I've tried everything but still getting error below when running MailScanner --lint. > Could not open file >/var/spool/MailScanner/incoming/2614/1.header: > Permission denied > Cannot create + lock headers file > /var/spool/MailScanner/incoming/2614/1.header, Permission denied at /usr/lib/MailScanner/MailScanner/Message.pm line 523 I set the permissions and ownership to: > chown -R postfix.clam * > chmod -R 750 * > But Mailscanner sets the permissions to clam.root Thanks in advance > Dan > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! I am not at all certain it is related, but also pay attention to the MailScanner.conf (or MailScanner/conf.d/your-conf-file) for the values of Incoming Work Group and Incoming Work Permissions. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 ------------------------------ Message: 2 Date: Tue, 21 May 2013 19:18:11 -0600 From: Robert Lopez Subject: Scan Messages = %rules-dir%/scan.messages.rules To: MailScanner discussion Message-ID: Content-Type: text/plain; charset=ISO-8859-1 wrt "Scan Messages = %rules-dir%/scan.messages.rules" Three questions: 1) Does MailScanner do a case sensitive match when scan.messages.rules file is used? 2) Which "From:" does scan.messages.rules use (Envelope or Email Body)? 3) Does MailScanner directly implement the match and action or is this passed to SpamAssassin to do the match and action? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 ------------------------------ Message: 3 Date: Wed, 22 May 2013 09:20:51 +0100 From: Martin Hepworth Subject: Re: Scan Messages = %rules-dir%/scan.messages.rules To: MailScanner discussion Message-ID: Content-Type: text/plain; charset="iso-8859-1" 1) nope, email addresses are not case sensitive. 2) Envelope, MS always uses the Envelope-from in from parsing. 3) this is the 'big knob' that tells whether MailScanner scans the email or not. Way before it's passed to SA, anti-virus or checked by mailScanner again RBLS (independently of SA). etc. Be very careful with setting as it's basically sending email through with zero scanning. Might want to look at the the "Is definitely Not spam" setting. Normally this is only used for trusted ip-addresses not email 'from' addresses. hope that helps -- Martin Hepworth, CISSP Oxford, UK On 22 May 2013 02:18, Robert Lopez wrote: > wrt "Scan Messages = %rules-dir%/scan.messages.rules" > > Three questions: > > 1) Does MailScanner do a case sensitive match when > scan.messages.rules file is used? > > 2) Which "From:" does scan.messages.rules use (Envelope or Email Body)? > > 3) Does MailScanner directly implement the match and action or is this > passed to SpamAssassin to do the match and action? > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130522/53090ad8/attachment-0001.html ------------------------------ -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read the Wiki (http://wiki.mailscanner.info/). Support MailScanner development - buy the book off the website! End of MailScanner Digest, Vol 89, Issue 20 ******************************************* -- Denne meddelelse er blevet skannet for virus og farligt indhold af MailScanner, og er fundet ufarlig. From rlopezcnm at gmail.com Wed May 22 18:45:17 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Wed, 22 May 2013 11:45:17 -0600 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: References: Message-ID: On Wed, May 22, 2013 at 2:20 AM, Martin Hepworth wrote: > > 1) nope, email addresses are not case sensitive. > 2) Envelope, MS always uses the Envelope-from in from parsing. > 3) this is the 'big knob' that tells whether MailScanner scans the email or > not. Way before it's passed to SA, anti-virus or checked by mailScanner > again RBLS (independently of SA). etc. Be very careful with setting as it's > basically sending email through with zero scanning. Might want to look at > the the "Is definitely Not spam" setting. Normally this is only used for > trusted ip-addresses not email 'from' addresses. > > hope that helps > > -- > Martin Hepworth, CISSP > Oxford, UK > > > On 22 May 2013 02:18, Robert Lopez wrote: >> >> wrt "Scan Messages = %rules-dir%/scan.messages.rules" >> >> Three questions: >> >> 1) Does MailScanner do a case sensitive match when >> scan.messages.rules file is used? >> >> 2) Which "From:" does scan.messages.rules use (Envelope or Email Body)? >> >> 3) Does MailScanner directly implement the match and action or is this >> passed to SpamAssassin to do the match and action? >> >> -- >> Robert Lopez >> Unix Systems Administrator >> Central New Mexico Community College (CNM) >> 525 Buena Vista SE >> Albuquerque, New Mexico 87106 >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Martin, Please clarify to which rule "Normally this" refers. I believe you are stating "Is definitely Not spam" is only used for trusted ip-addresses not email 'from' addresses. The situation I am trying to understand is email being scanned by SpamAssassin when I thought I had the system configured to not scan the email at all. May 20 12:55:08 mg04 MailScanner[11127]: Message 55370642025.7712B from 198.133.182.29 () to cnm.edu is not spam, SpamAssassin (not cached, score=-1.699, required 6, autolearn=disabled, CNM_EXCUSE 0.30, CNM_FROM -1.00, CNM_ITS -1.00, HTML_MESSAGE 0.00) -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From campbell at cnpapers.com Wed May 22 19:28:43 2013 From: campbell at cnpapers.com (Steve Campbell) Date: Wed, 22 May 2013 14:28:43 -0400 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: References: Message-ID: <519D0E5B.20003@cnpapers.com> Perhaps you should send us the "Scan Messages" line from your MailScanner.conf file and what you have in your file that is pointed to in by line above. Have you restarted or reloaded MS since you changed the file? Depending on what you have in that line and file, you probably shouldn't be seeing those lines in your mail log. steve campbell On 5/22/2013 1:45 PM, Robert Lopez wrote: > On Wed, May 22, 2013 at 2:20 AM, Martin Hepworth wrote: >> 1) nope, email addresses are not case sensitive. >> 2) Envelope, MS always uses the Envelope-from in from parsing. >> 3) this is the 'big knob' that tells whether MailScanner scans the email or >> not. Way before it's passed to SA, anti-virus or checked by mailScanner >> again RBLS (independently of SA). etc. Be very careful with setting as it's >> basically sending email through with zero scanning. Might want to look at >> the the "Is definitely Not spam" setting. Normally this is only used for >> trusted ip-addresses not email 'from' addresses. >> >> hope that helps >> >> -- >> Martin Hepworth, CISSP >> Oxford, UK >> >> >> On 22 May 2013 02:18, Robert Lopez wrote: >>> wrt "Scan Messages = %rules-dir%/scan.messages.rules" >>> >>> Three questions: >>> >>> 1) Does MailScanner do a case sensitive match when >>> scan.messages.rules file is used? >>> >>> 2) Which "From:" does scan.messages.rules use (Envelope or Email Body)? >>> >>> 3) Does MailScanner directly implement the match and action or is this >>> passed to SpamAssassin to do the match and action? >>> >>> -- >>> Robert Lopez >>> Unix Systems Administrator >>> Central New Mexico Community College (CNM) >>> 525 Buena Vista SE >>> Albuquerque, New Mexico 87106 >>> -- >>> MailScanner mailing list >>> mailscanner at lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > Martin, > > Please clarify to which rule "Normally this" refers. > I believe you are stating "Is definitely Not spam" is only used for > trusted ip-addresses not email 'from' addresses. > > The situation I am trying to understand is email being scanned by > SpamAssassin when I thought > I had the system configured to not scan the email at all. > > May 20 12:55:08 mg04 MailScanner[11127]: Message 55370642025.7712B > from 198.133.182.29 () to cnm.edu > is not spam, SpamAssassin (not cached, score=-1.699, required 6, > autolearn=disabled, CNM_EXCUSE 0.30, > CNM_FROM -1.00, CNM_ITS -1.00, HTML_MESSAGE 0.00) > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 From Antony.Stone at mailscanner.open.source.it Wed May 22 19:55:36 2013 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Wed, 22 May 2013 20:55:36 +0200 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: References: Message-ID: <201305222055.37207.Antony.Stone@mailscanner.open.source.it> On Wednesday 22 May 2013 at 10:20:51, Martin Hepworth wrote: > 1) nope, email addresses are not case sensitive. Not entirely true... From http://tools.ietf.org/html/rfc5321#section-4.1.2 > Local-part = Dot-string / Quoted-string > ; MAY be case-sensitive Which means the part before the @ sign can be case-sensitive, and it's only the authoritative mail server for the domain which can decide whether there's a difference between j.smith and J.Smith. Not often important, I know, but can catch you out when you're not expecting it :) Regards, Antony. -- "I estimate there's a world market for about five computers." - Thomas J Watson, Chairman of IBM From rlopezcnm at gmail.com Wed May 22 22:26:42 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Wed, 22 May 2013 15:26:42 -0600 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: <201305222055.37207.Antony.Stone@mailscanner.open.source.it> References: <201305222055.37207.Antony.Stone@mailscanner.open.source.it> Message-ID: On Wed, May 22, 2013 at 12:55 PM, Antony Stone wrote: > On Wednesday 22 May 2013 at 10:20:51, Martin Hepworth wrote: > >> 1) nope, email addresses are not case sensitive. > > Not entirely true... > > >From http://tools.ietf.org/html/rfc5321#section-4.1.2 > >> Local-part = Dot-string / Quoted-string >> ; MAY be case-sensitive > > Which means the part before the @ sign can be case-sensitive, and it's only > the authoritative mail server for the domain which can decide whether there's > a difference between j.smith and J.Smith. > > Not often important, I know, but can catch you out when you're not expecting > it :) > > > Regards, > > > Antony. > > -- > "I estimate there's a world market for about five computers." > > - Thomas J Watson, Chairman of IBM > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From rlopezcnm at gmail.com Wed May 22 22:42:49 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Wed, 22 May 2013 15:42:49 -0600 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: <519D0E5B.20003@cnpapers.com> References: <519D0E5B.20003@cnpapers.com> Message-ID: On Wed, May 22, 2013 at 12:28 PM, Steve Campbell wrote: > Perhaps you should send us the "Scan Messages" line from your > MailScanner.conf file and what you have in your file that is pointed to > in by line above. > > Have you restarted or reloaded MS since you changed the file? > > Depending on what you have in that line and file, you probably shouldn't > be seeing those lines in your mail log. > > steve campbell The situation I am trying to understand is email being scanned by SpamAssassin when I thought I had all the systems configured to not scan the email at all. Email generated by an office where the persons use Outlook to compose email goes to an Exchange server and it is then relayed to an email gateway. These email are from CNM_Official_Info at cnm.edu to students at cnm.edu. The email gateway relays the email to a Mailman ($ postmap -q students /etc/postfix/virtualaliases -> students at listserv) server. Mailman then sends the message to all the students who are members of the students list. So each student has a copy generated that is from students-bounces at cnm.edu to @cnm.edu which is sent back to the email gateways. A Postfix rewrite via a virtualaliases map sends each email from students-bounces at cnm.edu to @...gmail.com. MailScanner.conf and conf.d/CNM-MailScanner.conf (newest gateway) all have "Scan Messages = %rules-dir%/scan.messages.rules". I had put both 'From' in scan.messages.rules: From: students-bounces at cnm.edu no From: cnm_official_info at cnm.edu no #This is not a case match to original This directive and data file have been working for years. However yesterday I noticed the email in this case (students list) do get a SpamAssassin score and my thinking is this should not be happening. Each email has a line such as this example: May 20 12:55:08 mg04 MailScanner[11127]: Message 55370642025.7712B from 198.133.182.29 () to cnm.edu is not spam, SpamAssassin (not cached, score=-1.699, required 6, autolearn=disabled, CNM_EXCUSE 0.30, CNM_FROM -1.00, CNM_ITS -1.00, HTML_MESSAGE 0.00) There has been no recent change to any of these files. MailScanner is always restarted or reloaded when ever any configuration file is modified. In fact, the scripts to modify any component and copy them to the gateways do the force-reload and test ($?) to see the return status. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From dongwind at 21cn.com Thu May 23 09:22:10 2013 From: dongwind at 21cn.com (=?UTF-8?B?5Lic6aOO?=) Date: Thu, 23 May 2013 16:22:10 +0800 (CST) Subject: MailScanner SpamAssassin Timeout cause CPU100% Message-ID: <1565076464.142181369297335973.JavaMail.root@webmail5> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130523/04178b15/attachment.html From glenn.steen at gmail.com Thu May 23 09:40:18 2013 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu, 23 May 2013 10:40:18 +0200 Subject: storing messages In-Reply-To: <20130522094032.GA8174@ubuntu> References: <20130522094032.GA8174@ubuntu> Message-ID: Hello Sandro, On 22 May 2013 11:40, Alessandro Dentella wrote: > > > Hi, > > I have several servers where storing messagges just works. > Now i'm fighting to get spam and nonspanm messages stored in a new server > that was not preared by me but seems correct, nevertheless I cant get > messages stored. > > Relevant configuration directives are: > > Spam Actions = store > High Scoring Spam Actions = store > Spam Actions = store deliver header " > Non Spam Actions = store deliver header "X-Spam-Status: No" You do reaklize that you have quoted two different "Spam Actions", and that the secon one is faulty? It should read something like: Spam Actions = store deliver header "X-Spam-Status: Yes" ... If you do a "MailScanner --lint", that should point you in the right direction. > > Quarantine dir is /var/spool/MailScanner/quarantine/ and permissions are > postfix.www-data > > root at smtp:/etc/MailScanner# find /var/spool/MailScanner/quarantine/ -ls > 262148 4 drwxrwxr-x 3 postfix www-data 4096 May 22 06:25 /var/spool/MailScanner/quarantine/ > 262166 4 drwxrwx--- 4 postfix www-data 4096 May 22 06:53 /var/spool/MailScanner/quarantine/20130522 > 262167 4 drwxrwx--- 2 postfix www-data 4096 May 22 11:37 /var/spool/MailScanner/quarantine/20130522/nonspam > 262168 4 drwxrwx--- 2 postfix www-data 4096 May 22 11:38 /var/spool/MailScanner/quarantine/20130522/spam > The above permissions look OK, provided that the corresponding settings in MailScanner.conf are OK... For me (my web server user is apache, not www-data) it looks like: Quarantine User = postfix Quarantine Group = apache Quarantine Permissions = 0660 > > What should I check to understand why mailscanner is not storing them? Start by running as the postfix user, and try access the quarantine directory. Do something like: su - postfix -s /bin/bash cd /var/spool/MailScanner/quarantine .... If that works, fine... But my money is on there being a "permission problem higher up the filesystem hierarchy", or a misconfig in MailScanner.conf. > > The systems is debian squeeze: > > ii mailscanner 4.84.5-4~squeeze > ii postfix 2.7.1-1+squeeze1 > > > Thanks in advanced > sandro > *:-) Cheers! -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From maxsec at gmail.com Thu May 23 10:20:10 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Thu, 23 May 2013 10:20:10 +0100 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: References: <519D0E5B.20003@cnpapers.com> Message-ID: I'd suggest the scan.messages.rules be amended to cope with the ip-address of the MailMan server. otherwise anyone faking the from address is going to sail straight passed your email scanning. -- Martin Hepworth, CISSP Oxford, UK On 22 May 2013 22:42, Robert Lopez wrote: > On Wed, May 22, 2013 at 12:28 PM, Steve Campbell > wrote: > > Perhaps you should send us the "Scan Messages" line from your > > MailScanner.conf file and what you have in your file that is pointed to > > in by line above. > > > > Have you restarted or reloaded MS since you changed the file? > > > > Depending on what you have in that line and file, you probably shouldn't > > be seeing those lines in your mail log. > > > > steve campbell > > The situation I am trying to understand is email being scanned by > SpamAssassin when I thought > I had all the systems configured to not scan the email at all. > > Email generated by an office where the persons use Outlook to compose > email goes to an Exchange server and it is then relayed to an email > gateway. These email are from CNM_Official_Info at cnm.edu to > students at cnm.edu. The email gateway relays the email to a Mailman ($ > postmap -q students /etc/postfix/virtualaliases -> students at listserv) > server. > > Mailman then sends the message to all the students who are members of > the students list. So each student has a copy generated that is from > students-bounces at cnm.edu to @cnm.edu which is sent > back to the email gateways. > > A Postfix rewrite via a virtualaliases map sends each email from > students-bounces at cnm.edu to @...gmail.com. > > MailScanner.conf and conf.d/CNM-MailScanner.conf (newest gateway) > all have "Scan Messages = %rules-dir%/scan.messages.rules". > I had put both 'From' in scan.messages.rules: > > From: students-bounces at cnm.edu no > From: cnm_official_info at cnm.edu no #This is not a case match to > original > > This directive and data file have been working for years. > However yesterday I noticed the email in this case (students list) > do get a SpamAssassin score and my thinking is this should not be > happening. > > Each email has a line such as this example: > > May 20 12:55:08 mg04 MailScanner[11127]: Message 55370642025.7712B > from 198.133.182.29 () to cnm.edu is not spam, SpamAssassin (not > cached, score=-1.699, required 6, autolearn=disabled, CNM_EXCUSE 0.30, > CNM_FROM -1.00, CNM_ITS -1.00, HTML_MESSAGE 0.00) > > There has been no recent change to any of these files. MailScanner is > always > restarted or reloaded when ever any configuration file is modified. In > fact, > the scripts to modify any component and copy them to the gateways do the > force-reload and test ($?) to see the return status. > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130523/3116290d/attachment.html From maxsec at gmail.com Thu May 23 10:29:17 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Thu, 23 May 2013 10:29:17 +0100 Subject: MailScanner SpamAssassin Timeout cause CPU100% In-Reply-To: <1565076464.142181369297335973.JavaMail.root@webmail5> References: <1565076464.142181369297335973.JavaMail.root@webmail5> Message-ID: have a look here http://wiki.mailscanner.info/doku.php?id=maq:index#getting_the_best_out_of_spamassassin I'd look at the Bayes expirey options in MailScanner as well, and perhaps not do them here, but use the cron-job method instead -- Martin Hepworth, CISSP Oxford, UK On 23 May 2013 09:22, ?? wrote: > dear all, > Recently my MailScanner do not run very > well.MailScanner SpamAssassin Timeout randomly,and when > SpamAssassin Timeout,the MailScanner process will occupancy CPU 100%,and > after a few minutes ,the MailScanner process will also occupancy all > memery,then the system load is too high ,and the system can't work. > I google it,do as the people said,set spam.assassinprefs.conf : > use_bayes 1 > bayes_auto_expire 0 > But it can't fix the problem.then i run > #MailScanner --debug --debug-sa > I found the point.Every time when the MailScanner process occupancy > CPU 100%,the log is stop at: > > 05:33:31 May 22 05:33:31.411 [5327] dbg: bayes: found bayes db version 3 > > 05:33:31 May 22 05:33:31.411 [5327] dbg: locker: refresh_lock: refresh /var/spool/MailScanner/spamassassin/bayes.lock > > 05:33:31 May 22 05:33:31.525 [5327] dbg: locker: refresh_lock: refresh /var/spool/MailScanner/spamassassin/bayes.lock > > 05:33:31 May 22 05:33:31.611 [5327] dbg: locker: refresh_lock: refresh /var/spool/MailScanner/spamassassin/bayes.lock > > 05:33:31 May 22 05:33:31.694 [5327] dbg: locker: refresh_lock: refresh /var/spool/MailScanner/spamassassin/bayes.lock > > 05:33:31 May 22 05:33:31.779 [5327] dbg: locker: refresh_lock: refresh /var/spool/MailScanner/spamassassin/bayes.lock > > 05:33:31 May 22 05:33:31.781 [5327] dbg: bayes: synced databases from journal in 0 seconds: 4023 unique entries (5977 total entries) > > 05:33:31 May 22 05:33:31.783 [5327] dbg: bayes: bayes journal sync completed > > 05:33:31 May 22 05:33:31.783 [5327] dbg: plugin: Mail::SpamAssassin::Plugin::Bayes=HASH(0x15c43580) implements 'learner_expire_old_training', priority 0 > 05:33:31 May 22 05:33:31.783 [5327] dbg: bayes: expiry starting > > 05:33:31 May 22 05:33:31.784 [5327] dbg: locker: refresh_lock: refresh /var/spool/MailScanner/spamassassin/bayes.lock > > 05:33:31 May 22 05:33:31.784 [5327] dbg: locker: refresh_lock: refresh /var/spool/MailScanner/spamassassin/bayes.lock > > 05:33:31 May 22 05:33:31.784 [5327] dbg: bayes: DB expiry: tokens in DB: 16022840, Expiry max size: 150000, Oldest atime: 1346656738, Newest atime: 1369170442, Last expire: 1346700571, Current time: 1369172011 > > 05:33:31 May 22 05:33:31.785 [5327] dbg: bayes: expiry check keep size, 0.75 * max: 112500 > > 05:33:31 May 22 05:33:31.785 [5327] dbg: bayes: token count: 16022840, final goal reduction size: 15910340 > > 05:33:31 May 22 05:33:31.785 [5327] dbg: bayes: first pass? current: 1369172011, Last: 1346700571, atime: 43200, count: 265804, newdelta: 721, ratio: 59.8574137334276, period: 43200 > > 05:33:31 May 22 05:33:31.785 [5327] dbg: bayes: can't use estimation method for expiry, unexpected result, calculating optimal atime delta (first pass) > 05:33:31 May 22 05:33:31.785 [5327] dbg: bayes: expiry max exponent: 9 > > Stop at here ,and the MailScanner process occupancy CPU 100%, then > after 30 seconds(because i set SpamAssassin Timeout = 30 ), the log will > go on: > > > 05:34:45 May 22 05:34:45.809 [5330] dbg: dns: name server: 10.145.199.100, LocalAddr: 0.0.0.0 > > 05:34:45 May 22 05:34:45.810 [5330] dbg: dns: resolver socket rx buffer size is 129024 bytes > 05:34:45 May 22 05:34:45.810 [5330] dbg: config: time limit 300.0 s > > 05:34:45 May 22 05:34:45.812 [5330] dbg: message: main message type: multipart/mixed > > 05:34:45 May 22 05:34:45.812 [5330] dbg: message: ---- MIME PARSER START ---- > > 05:34:45 May 22 05:34:45.813 [5330] dbg: message: parsing multipart, got boundary: part_60947f67_06c3_40e0_b324_b2bcc46f02c2 > ............................... > > I don't know why and how to fix it.And i found when i run > > #MailScanner --debug --debug-sa > > The MailScanner process will release resources after 30 seconds,when i > run(i set Max Children = 5) > #service MailScanner start > > The MailScanner process which occupancy CPU 100% will not release > resources .....And after a few minutes,maybe more MailScanner process will > occupancy resources ,and after all the system is hung.I even set > SpamAssassin Timeout = 10 ,but can't fix either. > > So,are there any friends know how to fix this problem? Thx! > > > --------------------------------------- > 21CN???Android?????????? > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130523/bc470919/attachment.html From sandro at e-den.it Thu May 23 11:04:21 2013 From: sandro at e-den.it (Alessandro Dentella) Date: Thu, 23 May 2013 12:04:21 +0200 Subject: storing messages In-Reply-To: References: <20130522094032.GA8174@ubuntu> Message-ID: <20130523100421.GA17056@ubuntu> Hello Glen, > > Spam Actions = store > > High Scoring Spam Actions = store > > Spam Actions = store deliver header " > > Non Spam Actions = store deliver header "X-Spam-Status: No" > > You do reaklize that you have quoted two different "Spam Actions", and > that the secon one is faulty? It should read something like: > Spam Actions = store deliver header "X-Spam-Status: Yes" Sorry, in fact I have 2 files in conf.d that resulted in 2 directives, then I deleted part of the second one while posting. Now I just have the correct one: Spam Actions = store deliver header "X-Spam-Status: Yes" > Start by running as the postfix user, and try access the quarantine > directory. Do something like: > su - postfix -s /bin/bash > cd /var/spool/MailScanner/quarantine root at smtp:/etc/MailScanner# su - postfix -s /bin/bash postfix at smtp:~$ cd /var/spool/MailScanner/quarantine/ postfix at smtp:/var/spool/MailScanner/quarantine$ mkdir test postfix at smtp:/var/spool/MailScanner/quarantine$ ls -ld test drwxr-xr-x 2 postfix postfix 4096 May 23 11:47 test postfix at smtp:/var/spool/MailScanner/quarantine$ rmdir test It just looks ok to me... BTW, I have the same problem with spam and nonspam, no message in the logs... sandro *:-( From sandro at e-den.it Thu May 23 11:40:10 2013 From: sandro at e-den.it (Alessandro Dentella) Date: Thu, 23 May 2013 12:40:10 +0200 Subject: storing messages - found permission pb... not enought... In-Reply-To: References: <20130522094032.GA8174@ubuntu> Message-ID: <20130523104010.GB17056@ubuntu> > ... If you do a "MailScanner --lint", that should point you in the > right direction. True... I run it and it finds: Could not open file >/var/spool/MailScanner/incoming/28403/1.header: Permission denied Cannot create + lock headers file /var/spool/MailScanner/incoming/28403/1.header, Permission denied at /usr/share/MailScanner/MailScanner/Message.pm line 523 In fact postfix does not have permission to write there. I fixed it and it turns out as a stupid conf problem (Quarantine User = user) Now MailScanner --lint doesn't show any other problem, but still messages doesn't get into quarantine... Any thoughts? TIA sandro *:-) From campbell at cnpapers.com Thu May 23 13:37:36 2013 From: campbell at cnpapers.com (Steve Campbell) Date: Thu, 23 May 2013 08:37:36 -0400 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: References: <519D0E5B.20003@cnpapers.com> Message-ID: <519E0D90.60401@cnpapers.com> That was going to be my suggestion also. Are there any other emails besides the student mail list that would originate from that IP? You might need a compound rule (using the "and" component) to define the rule a little better if you use IP based lines in the configuration file. steve On 5/23/2013 5:20 AM, Martin Hepworth wrote: > I'd suggest the scan.messages.rules be amended to cope with the > ip-address of the MailMan server. otherwise anyone faking the from > address is going to sail straight passed your email scanning. > > -- > Martin Hepworth, CISSP > Oxford, UK > > > On 22 May 2013 22:42, Robert Lopez > wrote: > > On Wed, May 22, 2013 at 12:28 PM, Steve Campbell > > wrote: > > Perhaps you should send us the "Scan Messages" line from your > > MailScanner.conf file and what you have in your file that is > pointed to > > in by line above. > > > > Have you restarted or reloaded MS since you changed the file? > > > > Depending on what you have in that line and file, you probably > shouldn't > > be seeing those lines in your mail log. > > > > steve campbell > > The situation I am trying to understand is email being scanned by > SpamAssassin when I thought > I had all the systems configured to not scan the email at all. > > Email generated by an office where the persons use Outlook to compose > email goes to an Exchange server and it is then relayed to an email > gateway. These email are from CNM_Official_Info at cnm.edu > to > students at cnm.edu . The email gateway > relays the email to a Mailman ($ > postmap -q students /etc/postfix/virtualaliases -> students at listserv) > server. > > Mailman then sends the message to all the students who are members of > the students list. So each student has a copy generated that is from > students-bounces at cnm.edu to > @cnm.edu which is sent > back to the email gateways. > > A Postfix rewrite via a virtualaliases map sends each email from > students-bounces at cnm.edu to > @...gmail.com . > > MailScanner.conf and conf.d/CNM-MailScanner.conf (newest gateway) > all have "Scan Messages = %rules-dir%/scan.messages.rules". > I had put both 'From' in scan.messages.rules: > > From: students-bounces at cnm.edu no > From: cnm_official_info at cnm.edu > no #This is not a case match to original > > This directive and data file have been working for years. > However yesterday I noticed the email in this case (students list) > do get a SpamAssassin score and my thinking is this should not be > happening. > > Each email has a line such as this example: > > May 20 12:55:08 mg04 MailScanner[11127]: Message 55370642025.7712B > from 198.133.182.29 () to cnm.edu is not spam, > SpamAssassin (not > cached, score=-1.699, required 6, autolearn=disabled, CNM_EXCUSE 0.30, > CNM_FROM -1.00, CNM_ITS -1.00, HTML_MESSAGE 0.00) > > There has been no recent change to any of these files. MailScanner > is always > restarted or reloaded when ever any configuration file is > modified. In fact, > the scripts to modify any component and copy them to the gateways > do the > force-reload and test ($?) to see the return status. > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130523/2dcd00d4/attachment.html From glenn.steen at gmail.com Thu May 23 14:01:59 2013 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu, 23 May 2013 15:01:59 +0200 Subject: storing messages - found permission pb... not enought... In-Reply-To: <20130523104010.GB17056@ubuntu> References: <20130522094032.GA8174@ubuntu> <20130523104010.GB17056@ubuntu> Message-ID: On 23 May 2013 12:40, Alessandro Dentella wrote: >> ... If you do a "MailScanner --lint", that should point you in the >> right direction. > > True... I run it and it finds: > > Could not open file >/var/spool/MailScanner/incoming/28403/1.header: Permission denied > Cannot create + lock headers file /var/spool/MailScanner/incoming/28403/1.header, Permission denied at /usr/share/MailScanner/MailScanner/Message.pm line 523 > > In fact postfix does not have permission to write there. I fixed it and it > turns out as a stupid conf problem (Quarantine User = user) > > Now MailScanner --lint doesn't show any other problem, but still messages > doesn't get into quarantine... > > Any thoughts? > Ok, so now we don't have any syntax errors, That's good:-). Next over to semantics... Best is to do a debug run (this is described in the MAQ/wiki)... Simple steps: stop mailscanner via the init script ("service MailScanner stop", or "/etc/init.d/MailScanner stop") Start postfix/you MTA ... In the default MailScanner init script there's provision for this: service MailScanner startin or /etc/init.d/MailScanner startin start the debug run via "MailScanner --debug". This will start MailScanner without forking any children and without closing stdin/stderr... And it will wait for exactly 1 message (or rather ... one batch), process it and then exit... whilst spewing a bit of debug info onto the screen. Best is to run that as the postfix user (even though it should work perfectly well from root... you could do two runs, one from root, one from postfix.. The process should change user to whatever you have the "Run User" set to... ie postfix:-). After a bit of chatter, it'll hang, waiting for a messagebatch... Which you need provide via normal SMTP methods. We'll see what that gives you. Cheers! -- -- Glenn > TIA > sandro > *:-) > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu May 23 15:05:00 2013 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu, 23 May 2013 16:05:00 +0200 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: References: <519D0E5B.20003@cnpapers.com> Message-ID: On 22 May 2013 23:42, Robert Lopez wrote: > On Wed, May 22, 2013 at 12:28 PM, Steve Campbell wrote: >> Perhaps you should send us the "Scan Messages" line from your >> MailScanner.conf file and what you have in your file that is pointed to >> in by line above. >> >> Have you restarted or reloaded MS since you changed the file? >> >> Depending on what you have in that line and file, you probably shouldn't >> be seeing those lines in your mail log. >> >> steve campbell > > The situation I am trying to understand is email being scanned by > SpamAssassin when I thought > I had all the systems configured to not scan the email at all. > > Email generated by an office where the persons use Outlook to compose > email goes to an Exchange server and it is then relayed to an email > gateway. These email are from CNM_Official_Info at cnm.edu to > students at cnm.edu. The email gateway relays the email to a Mailman ($ > postmap -q students /etc/postfix/virtualaliases -> students at listserv) > server. > > Mailman then sends the message to all the students who are members of > the students list. So each student has a copy generated that is from > students-bounces at cnm.edu to @cnm.edu which is sent > back to the email gateways. > > A Postfix rewrite via a virtualaliases map sends each email from > students-bounces at cnm.edu to @...gmail.com. > > MailScanner.conf and conf.d/CNM-MailScanner.conf (newest gateway) > all have "Scan Messages = %rules-dir%/scan.messages.rules". > I had put both 'From' in scan.messages.rules: > > From: students-bounces at cnm.edu no > From: cnm_official_info at cnm.edu no #This is not a case match to original > > This directive and data file have been working for years. > However yesterday I noticed the email in this case (students list) > do get a SpamAssassin score and my thinking is this should not be happening. > > Each email has a line such as this example: > > May 20 12:55:08 mg04 MailScanner[11127]: Message 55370642025.7712B > from 198.133.182.29 () to cnm.edu is not spam, SpamAssassin (not > cached, score=-1.699, required 6, autolearn=disabled, CNM_EXCUSE 0.30, > CNM_FROM -1.00, CNM_ITS -1.00, HTML_MESSAGE 0.00) > > There has been no recent change to any of these files. MailScanner is always > restarted or reloaded when ever any configuration file is modified. In fact, > the scripts to modify any component and copy them to the gateways do the > force-reload and test ($?) to see the return status. Hello Robert, Two things come to mind: 1) Go look in the logs (on the MailScanner host) again... Track one of the messages that shouldn't have been scanned to see the actual envelope sender and recipient(s)... Do they match what you have there? 2) Use the eminent inbuilt ruleset checking capabilities of the MailScanner command to check what will actually happen... Do "MailScanner --help" to see the possible things you can do... Then do something like: MailScanner --value=scanmessages --from=students-bounces at cnm.edu to see what the effect would be. I use the Scan Messages setting to do a blanket whitelist for releasing from localhost, so ... Here's an example (run as the postfix user): -bash-3.2$ /usr/sbin/MailScanner --value=scanmessages --from=tony.irving at nowhere.com --to=glenn.steen at ap1.se --ip=127.0.0.1 Looked up internal option name "scanmail" With sender = tony.irving at nowhere.com recipient = glenn.steen at ap1.se Client IP = 127.0.0.1 Virus = Result is "0" 0=No 1=Yes -bash-3.2$ /usr/sbin/MailScanner --value=scanmessages --from=tony.irving at nowhere.com --to=glenn.steen at ap1.se --ip=127.0.0.2 Looked up internal option name "scanmail" With sender = tony.irving at nowhere.com recipient = glenn.steen at ap1.se Client IP = 127.0.0.2 Virus = Result is "1" 0=No 1=Yes -bash-3.2$ You should probably do both the above suggestions:-). Cheers! -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rlopezcnm at gmail.com Thu May 23 23:58:26 2013 From: rlopezcnm at gmail.com (Robert Lopez) Date: Thu, 23 May 2013 16:58:26 -0600 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: References: <519D0E5B.20003@cnpapers.com> Message-ID: On Thu, May 23, 2013 at 8:05 AM, Glenn Steen wrote: > Hello Robert, > > Two things come to mind: > 1) Go look in the logs (on the MailScanner host) again... Track one of > the messages that shouldn't have been scanned to see the actual > envelope sender and recipient(s)... Do they match what you have there? > 2) Use the eminent inbuilt ruleset checking capabilities of the > MailScanner command to check what will actually happen... Do > "MailScanner --help" to see the possible things you can do... Then do > something like: > MailScanner --value=scanmessages --from=students-bounces at cnm.edu > to see what the effect would be. > > I use the Scan Messages setting to do a blanket whitelist for > releasing from localhost, so ... Here's an example (run as the postfix > user): > -bash-3.2$ /usr/sbin/MailScanner --value=scanmessages > --from=tony.irving at nowhere.com --to=glenn.steen at ap1.se --ip=127.0.0.1 > Looked up internal option name "scanmail" > With sender = tony.irving at nowhere.com > recipient = glenn.steen at ap1.se > Client IP = 127.0.0.1 > Virus = > Result is "0" > > 0=No 1=Yes > -bash-3.2$ /usr/sbin/MailScanner --value=scanmessages > --from=tony.irving at nowhere.com --to=glenn.steen at ap1.se --ip=127.0.0.2 > Looked up internal option name "scanmail" > With sender = tony.irving at nowhere.com > recipient = glenn.steen at ap1.se > Client IP = 127.0.0.2 > Virus = > Result is "1" > > 0=No 1=Yes > -bash-3.2$ > > You should probably do both the above suggestions:-). > Cheers! > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! Glenn, 1) You nailed it! Out of the >100,000 email some of them to Gmail bounced back. It was the last step of the bounceback after the return to Mailman and on way to Exchange (the original sender) that was scanned. The bounce back messages were the ones that were scanned and logged. That becomes an separate problem to address. 2) If you write a book on MailScanner I will buy it. All your advice is very good. You opened my mind to features I never considered. Now I see a faster way to determine how to take Martin's advice to "cope with the IP address of the Mailman server" -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From glenn.steen at gmail.com Fri May 24 10:07:08 2013 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri, 24 May 2013 11:07:08 +0200 Subject: Scan Messages = %rules-dir%/scan.messages.rules In-Reply-To: References: <519D0E5B.20003@cnpapers.com> Message-ID: Hello Robert, On 24 May 2013 00:58, Robert Lopez wrote: > On Thu, May 23, 2013 at 8:05 AM, Glenn Steen wrote: >> Hello Robert, >> >> Two things come to mind: >> 1) Go look in the logs (on the MailScanner host) again... Track one of >> the messages that shouldn't have been scanned to see the actual >> envelope sender and recipient(s)... Do they match what you have there? >> 2) Use the eminent inbuilt ruleset checking capabilities of the >> MailScanner command to check what will actually happen... Do >> "MailScanner --help" to see the possible things you can do... Then do >> something like: >> MailScanner --value=scanmessages --from=students-bounces at cnm.edu >> to see what the effect would be. >> >> I use the Scan Messages setting to do a blanket whitelist for >> releasing from localhost, so ... Here's an example (run as the postfix >> user): >> -bash-3.2$ /usr/sbin/MailScanner --value=scanmessages >> --from=tony.irving at nowhere.com --to=glenn.steen at ap1.se --ip=127.0.0.1 >> Looked up internal option name "scanmail" >> With sender = tony.irving at nowhere.com >> recipient = glenn.steen at ap1.se >> Client IP = 127.0.0.1 >> Virus = >> Result is "0" >> >> 0=No 1=Yes >> -bash-3.2$ /usr/sbin/MailScanner --value=scanmessages >> --from=tony.irving at nowhere.com --to=glenn.steen at ap1.se --ip=127.0.0.2 >> Looked up internal option name "scanmail" >> With sender = tony.irving at nowhere.com >> recipient = glenn.steen at ap1.se >> Client IP = 127.0.0.2 >> Virus = >> Result is "1" >> >> 0=No 1=Yes >> -bash-3.2$ >> >> You should probably do both the above suggestions:-). >> Cheers! >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > Glenn, > > 1) You nailed it! Out of the >100,000 email some of them to Gmail > bounced back. It was the last step of the bounceback after the return > to Mailman and on way to Exchange (the original sender) that was > scanned. The bounce back messages were the ones that were scanned and > logged. That becomes an separate problem to address. Ah, good! Or not:-). Handling bounces "correctly" is a pain:-) > 2) If you write a book on MailScanner I will buy it. All your advice > is very good. You opened my mind to features I never considered. > Now I see a faster way to determine how to take Martin's advice to > "cope with the IP address of the Mailman server" *Blush* You are too kind:-) It's very unlikely I'll ever get the time to even write anything more on the wiki, let alone a book (I work in a very small/slim organization, where I do ... everything... that has anything remotely to do with computers. About 4 years ago the situation went from bad to worse, when we did a "right-sizing" from hell)... Besides, Jules already wrote The Book on MailScanner;-) Cheers! -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dongwind at 21cn.com Fri May 24 10:50:21 2013 From: dongwind at 21cn.com (=?UTF-8?B?5Lic6aOO?=) Date: Fri, 24 May 2013 17:50:21 +0800 (CST) Subject: MailScanner SpamAssassin Timeout cause CPU100% Message-ID: <5665790.68851369389028104.JavaMail.root@webmail9> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130524/e1f93af6/attachment.html From glenn.steen at gmail.com Fri May 24 13:32:10 2013 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri, 24 May 2013 14:32:10 +0200 Subject: MailScanner SpamAssassin Timeout cause CPU100% In-Reply-To: <5665790.68851369389028104.JavaMail.root@webmail9> References: <5665790.68851369389028104.JavaMail.root@webmail9> Message-ID: On 24 May 2013 11:50, ?? wrote: > hi,Martin,could you tell me more please,i see the url,but can't understand > how to use the cron-job method instead of Bayes expirey options. > (snip) What Martin is getting at is that you can create a cron job that does "sa-learn --force-expire", scheduled to some "off hour" in the middle of the night, and (in spam.assassin.prefs.conf or similar) disable auto-expire of the database. But to see if this is really the problem you have, you can do a couple of manual "sa-learn --force-expire" and time them. If you set the SA timeout too low (which I'm almost certain you have done!), the expiry will never finish ... which leads to more work next time etc. Increase your SA timeout to at least 5 minutes. Also, if you have any files named like bayes_toks.expire, you very likely have the expiry problem. Forcing an expire may be all you need do to alleviate the problem, in which case you needn't bother with the cron job/disabling auto-expiry... Experimentation will be needed to tell which is best in your particular case;-) Another thing to look at, which can have catastrophic ramifications if it has happend, is if you have a bayes_seen file that have grown ... huge... It will grow over time and in the end, updating it will dominate the processing time of bayes... After all, IO in *nix is almost always CPU-bound, so having to wade through a huge file for every message/batch/child can become the thing that brings your system to its knees. If you do have a very large (100 MiB+) bayes_seen file, simply remove it. If you want to play it safe, stop MailScanner, remove it and then restart MailScanner. Cheers! -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From sandro at e-den.it Fri May 24 16:16:51 2013 From: sandro at e-den.it (Alessandro Dentella) Date: Fri, 24 May 2013 17:16:51 +0200 Subject: storing messages - found permission pb... not enought... In-Reply-To: References: <20130522094032.GA8174@ubuntu> <20130523104010.GB17056@ubuntu> Message-ID: <20130524151651.GC22476@ubuntu> On Thu, May 23, 2013 at 03:01:59PM +0200, Glenn Steen wrote: > On 23 May 2013 12:40, Alessandro Dentella wrote: > >> ... If you do a "MailScanner --lint", that should point you in the > >> right direction. > > > > True... I run it and it finds: > > > > Could not open file >/var/spool/MailScanner/incoming/28403/1.header: Permission denied > > Cannot create + lock headers file /var/spool/MailScanner/incoming/28403/1.header, Permission denied at /usr/share/MailScanner/MailScanner/Message.pm line 523 > > > > In fact postfix does not have permission to write there. I fixed it and it > > turns out as a stupid conf problem (Quarantine User = user) > > > > Now MailScanner --lint doesn't show any other problem, but still messages > > doesn't get into quarantine... > > > > Any thoughts? > > > Ok, so now we don't have any syntax errors, That's good:-). > Next over to semantics... Best is to do a debug run (this is described > in the MAQ/wiki)... Simple steps: > stop mailscanner via the init script ("service MailScanner stop", or > "/etc/init.d/MailScanner stop") > > Start postfix/you MTA ... In the default MailScanner init script > there's provision for this: > service MailScanner startin > or > /etc/init.d/MailScanner startin > > start the debug run via "MailScanner --debug". This will start > MailScanner without forking any children and without closing > stdin/stderr... And it will wait for exactly 1 message (or rather ... > one batch), process it and then exit... whilst spewing a bit of debug > info onto the screen. > Best is to run that as the postfix user (even though it should work > perfectly well from root... you could do two runs, one from root, one > from postfix.. The process should change user to whatever you have the > "Run User" set to... ie postfix:-). > After a bit of chatter, it'll hang, waiting for a messagebatch... > Which you need provide via normal SMTP methods. > > We'll see what that gives you. Runnng as root: root at smtp:~# MailScanner --debug In Debugging mode, not forking... Trying to setlogsock(unix) Building a message batch to scan... Have a batch of 2 messages. Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63, <$fh> line 4. Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. Stopping now as you are debugging me. Googling for this message, I understand is related to the perl code not to system setup, correct? So I don't see any interesting message... line 630 is: unlink @{$message->{spamarchive}}; # Wipe the spamarchive files line 63 is: return open($fh, IO::Handle::_open_mode_string($mode), $file); If I run as postfix user, it complains it cannot setgid: postfix at smtp:~$ /usr/sbin/MailScanner --debug Can't set GID 33 at /usr/sbin/MailScanner line 1541. once more I'm you you hands... sandro *;-) PS: I'm using perl 5.10.1-27 ii perl 5.10.1-17squeeze6 From dongwind at 21cn.com Fri May 24 16:26:57 2013 From: dongwind at 21cn.com (=?UTF-8?B?5Lic6aOO?=) Date: Fri, 24 May 2013 23:26:57 +0800 (CST) Subject: MailScanner SpamAssassin Timeout cause CPU100% Message-ID: <2017703291.272091369409231664.JavaMail.root@webmail5> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130524/640116e1/attachment.html From mark at msapiro.net Sun May 26 21:00:36 2013 From: mark at msapiro.net (Mark Sapiro) Date: Sun, 26 May 2013 13:00:36 -0700 Subject: ScamNailer info not updated [solved] In-Reply-To: <5191B016.4090500@msapiro.net> References: <5191B016.4090500@msapiro.net> Message-ID: <51A269E4.9010407@msapiro.net> On Tue May 14 04:31:34 IST 2013, Mark Sapiro wrote: > Since this doesn't seem to be getting fixed, I have patched ScamNailer > with the attached patch which attempts to guess the current week and day > for the base and then retrieves daily updates until it gets a 404. > > This is working for me. > > Caveat: I'm a perl novice. There may be a better way. There is a minor issue with the patch I posted on May 14. Namely if ScamNailer runs after retrieving updates in a prior run and there are no new updates in this run, the cached updated file from the prior run gets erased in this run. This causes a subsequent run to retrieve the base and all the updates. The results are good, but it's extra work. The patch attached here includes the prior patch plus a fix for this issue. And yes this is still an issue. The DNS TXT record for emails.msupdate.greylist.bastionmail.com is still not being updated. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- --- ScamNailer-2.10 2012-03-05 03:04:14.000000000 -0800 +++ ScamNailer.new 2013-05-26 12:45:21.000000000 -0700 @@ -18,6 +18,7 @@ use LWP::UserAgent; use FileHandle; use DirHandle; +use Time::Local; # Output filename, goes into SpamAssassin. Can be over-ridden by just # adding the output filename on the command-line when you run this script. @@ -216,6 +217,16 @@ die "Failed to retrieve valid current details\n" if $currentbase eq "-1"; + my $day = (gmtime)[6]; + my $year = (gmtime)[5] + 1900; + my $janone = (gmtime(timegm(0,0,0,1,0,$year-1900)))[6]; + my $week = sprintf ("%02d", int (((gmtime)[7] + $janone) / 7)); + my $mybase = "$year-$week$day"; + if ($currentbase lt $mybase) { + $currentbase = $mybase; + $currentupdate = 99; + } + print "I am working with: Current: $currentbase - $currentupdate and Status: $status_base - $status_update\n" unless $quiet; my $generate=0; @@ -273,8 +284,10 @@ #print "Getting $urlbase . $currentbase.$i\n" unless $quiet; my $req = HTTP::Request->new(GET => $urlbase.$currentbase.".".$i); my $res = $ua->request($req); - warn "Failed to retrieve $urlbase$currentbase.$i" - unless $res->is_success; + unless ($res->is_success) { + warn "Failed to retrieve $urlbase$currentbase.$i"; + $currentupdate = $i - 1; + } my $line; foreach $line (split("\n", $res->content)) { # Is it an addition? @@ -299,6 +312,12 @@ } } } + # Because of our guess and retrieve until error strategy, we could be + # here without having retrieved any new updates which will result in + # our cached $status_update being erased. This does no real harm, but + # it causes extra work on the next run. To avoid this we skip the next + # section in that case. + if (!($status_update eq $currentupdate)) { # OK do we have a previous version to work from? if ($status_update>0) { # Yes - we open the most recent version @@ -342,7 +361,7 @@ } close (FILEOUT); } - + } } # Changes have been made From glenn.steen at gmail.com Mon May 27 09:41:36 2013 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon, 27 May 2013 10:41:36 +0200 Subject: storing messages - found permission pb... not enought... In-Reply-To: <20130524151651.GC22476@ubuntu> References: <20130522094032.GA8174@ubuntu> <20130523104010.GB17056@ubuntu> <20130524151651.GC22476@ubuntu> Message-ID: On 24 May 2013 17:16, Alessandro Dentella wrote: > On Thu, May 23, 2013 at 03:01:59PM +0200, Glenn Steen wrote: >> On 23 May 2013 12:40, Alessandro Dentella wrote: >> >> ... If you do a "MailScanner --lint", that should point you in the >> >> right direction. >> > >> > True... I run it and it finds: >> > >> > Could not open file >/var/spool/MailScanner/incoming/28403/1.header: Permission denied >> > Cannot create + lock headers file /var/spool/MailScanner/incoming/28403/1.header, Permission denied at /usr/share/MailScanner/MailScanner/Message.pm line 523 >> > >> > In fact postfix does not have permission to write there. I fixed it and it >> > turns out as a stupid conf problem (Quarantine User = user) >> > >> > Now MailScanner --lint doesn't show any other problem, but still messages >> > doesn't get into quarantine... >> > >> > Any thoughts? >> > >> Ok, so now we don't have any syntax errors, That's good:-). >> Next over to semantics... Best is to do a debug run (this is described >> in the MAQ/wiki)... Simple steps: >> stop mailscanner via the init script ("service MailScanner stop", or >> "/etc/init.d/MailScanner stop") >> >> Start postfix/you MTA ... In the default MailScanner init script >> there's provision for this: >> service MailScanner startin >> or >> /etc/init.d/MailScanner startin >> >> start the debug run via "MailScanner --debug". This will start >> MailScanner without forking any children and without closing >> stdin/stderr... And it will wait for exactly 1 message (or rather ... >> one batch), process it and then exit... whilst spewing a bit of debug >> info onto the screen. >> Best is to run that as the postfix user (even though it should work >> perfectly well from root... you could do two runs, one from root, one >> from postfix.. The process should change user to whatever you have the >> "Run User" set to... ie postfix:-). >> After a bit of chatter, it'll hang, waiting for a messagebatch... >> Which you need provide via normal SMTP methods. >> >> We'll see what that gives you. > > Runnng as root: > > root at smtp:~# MailScanner --debug > > > In Debugging mode, not forking... > Trying to setlogsock(unix) > Building a message batch to scan... > Have a batch of 2 messages. > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63, <$fh> line 4. > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. > Stopping now as you are debugging me. > > > Googling for this message, I understand is related to the perl code not to > system setup, correct? > So I don't see any interesting message... > Well, the above probably indicate that any file manipulations done in the perl code, through those "insecure" calls/dependencies, don't get done. Edit your MailScanner executable and change the first line from #!/usr/bin/perl -I/usr/lib/MailScanner to #!/usr/bin/perl -I/usr/lib/MailScanner -U ... just to turn the tainting code (in perl) off. Restart MailScanner after that and see if it works better... Kind of a known issue:-). You can find which file to edit with "which MailScanner", but it likely is /usr/sbin/MailScanner that need be edited. > line 630 is: > unlink @{$message->{spamarchive}}; # Wipe the spamarchive files > line 63 is: > return open($fh, IO::Handle::_open_mode_string($mode), $file); > > If I run as postfix user, it complains it cannot setgid: > > postfix at smtp:~$ /usr/sbin/MailScanner --debug > Can't set GID 33 at /usr/sbin/MailScanner line 1541. > > once more I'm you you hands... > > sandro > *;-) > > PS: I'm using perl 5.10.1-27 > ii perl 5.10.1-17squeeze6 Cheers! -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From sandro at e-den.it Mon May 27 12:21:25 2013 From: sandro at e-den.it (Alessandro Dentella) Date: Mon, 27 May 2013 13:21:25 +0200 Subject: storing messages - found permission pb... not enought... In-Reply-To: References: <20130522094032.GA8174@ubuntu> <20130523104010.GB17056@ubuntu> <20130524151651.GC22476@ubuntu> Message-ID: <20130527112125.GA5732@ubuntu> On Mon, May 27, 2013 at 10:41:36AM +0200, Glenn Steen wrote: > >> start the debug run via "MailScanner --debug". This will start > >> MailScanner without forking any children and without closing > >> stdin/stderr... And it will wait for exactly 1 message (or rather ... > >> one batch), process it and then exit... whilst spewing a bit of debug > >> info onto the screen. > >> Best is to run that as the postfix user (even though it should work > >> perfectly well from root... you could do two runs, one from root, one > >> from postfix.. The process should change user to whatever you have the > >> "Run User" set to... ie postfix:-). > >> After a bit of chatter, it'll hang, waiting for a messagebatch... > >> Which you need provide via normal SMTP methods. > >> > >> We'll see what that gives you. > > > > Runnng as root: > > > > root at smtp:~# MailScanner --debug > > > > > > In Debugging mode, not forking... > > Trying to setlogsock(unix) > > Building a message batch to scan... > > Have a batch of 2 messages. > > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63, <$fh> line 4. > > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. > > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. > > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. > > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. > > Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63. > > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. > > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. > > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. > > Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630. > > Stopping now as you are debugging me. > > > > > > Googling for this message, I understand is related to the perl code not to > > system setup, correct? > > So I don't see any interesting message... > > > Well, the above probably indicate that any file manipulations done in > the perl code, through those "insecure" calls/dependencies, don't get > done. > Edit your MailScanner executable and change the first line from > #!/usr/bin/perl -I/usr/lib/MailScanner > to > #!/usr/bin/perl -I/usr/lib/MailScanner -U Well, I'm getting more and more puzzled. 1. I already have -U flag in the shabang 2. the system is derived from an EFA [1] virtual machine that I modified. I reinstalled the original EFA and that does work correctly So I'm checking the two system side-by-side and I can't see the differences... Is there a way to raise the debugging level of MailScanner? sandro *:-) From sandro at e-den.it Mon May 27 19:16:36 2013 From: sandro at e-den.it (Alessandro Dentella) Date: Mon, 27 May 2013 20:16:36 +0200 Subject: storing messages - recap... In-Reply-To: <20130527112125.GA5732@ubuntu> References: <20130522094032.GA8174@ubuntu> <20130523104010.GB17056@ubuntu> <20130524151651.GC22476@ubuntu> <20130527112125.GA5732@ubuntu> Message-ID: <20130527181636.GA10586@ubuntu> While trying to debug why MailScanner does not save messages in /var/spool/mailScanner/qurantine I compared 2 almost identical machines. One is working correctly (efa) and from that machine I copied MailScanner conf to the other (smtp): smtp# cd /etc smtp# mv MailScanner MailScanner.orig smtp# rsync -a efa:/etc/MailScanner . then restarted MailScanner While 'efa' saves correctly messages 'smtp' does not. My uderstanding of how MailScanner works is probably wrong since otehrwise they should both work. The onlu difference between efa and smtp is in postfix configuration. My understanding is that postfix puts on HOLD via the header_checks = regexp:/etc/postfix/header_checks (/var/spool/postfix/hold/) and from there MailScanner read the message, clean and take any needed action. If this is correct no other agent apart from MailScanner are responsible for copying from postfix/hold to MAilScanner/quarantine. So, How could possibily behave different on 2 identical machines? sandro *:-) From jerry.benton at mailborder.com Mon May 27 20:10:10 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 27 May 2013 21:10:10 +0200 Subject: storing messages - recap... In-Reply-To: <20130527181636.GA10586@ubuntu> References: <20130522094032.GA8174@ubuntu> <20130523104010.GB17056@ubuntu> <20130524151651.GC22476@ubuntu> <20130527112125.GA5732@ubuntu> <20130527181636.GA10586@ubuntu> Message-ID: These are the primary things I check for when dealing with this problem: 1. Selinux. Put in permissive and then build custom policies. Return to enforcing. 2. MailScanner Run As and directory ownership and permissions. 3. MailScanner store messages as user matches permissions. 4. Making sure you add the -U option to MailScanner for the newer versions of perl. sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner Also regarding permissions, I personally like to create an extra group and then add postfix and clamav to that group. I then use that group in all settings and use group writeable permissions. (0660) YMMV Jerry Benton PS.. run MailScanner --lint and post here if the above does not help. On Mon, May 27, 2013 at 8:16 PM, Alessandro Dentella wrote: > While trying to debug why MailScanner does not save messages in > /var/spool/mailScanner/qurantine I compared 2 almost identical machines. > One is working correctly (efa) and from that machine I copied MailScanner > conf to the other (smtp): > > smtp# cd /etc > smtp# mv MailScanner MailScanner.orig > smtp# rsync -a efa:/etc/MailScanner . > > then restarted MailScanner > > While 'efa' saves correctly messages 'smtp' does not. > My uderstanding of how MailScanner works is probably wrong since otehrwise > they should both work. > > The onlu difference between efa and smtp is in postfix configuration. > > My understanding is that postfix puts on HOLD via the header_checks = > regexp:/etc/postfix/header_checks (/var/spool/postfix/hold/) and from there > MailScanner read the message, clean and take any needed action. > > If this is correct no other agent apart from MailScanner are responsible > for > copying from postfix/hold to MAilScanner/quarantine. > > So, How could possibily behave different on 2 identical machines? > > sandro > *:-) > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130527/050ad6a9/attachment.html From oliveiros at gmail.com Tue May 28 00:13:49 2013 From: oliveiros at gmail.com (Oliveiros Peixoto) Date: Mon, 27 May 2013 20:13:49 -0300 Subject: storing messages - recap... In-Reply-To: <20130527181636.GA10586@ubuntu> References: <20130522094032.GA8174@ubuntu> <20130523104010.GB17056@ubuntu> <20130524151651.GC22476@ubuntu> <20130527112125.GA5732@ubuntu> <20130527181636.GA10586@ubuntu> Message-ID: <1EB06681-42CC-48A7-B747-AE8E2D492DE5@gmail.com> Can you check permissions in both directory servers. Enviado via iPhone Em 27/05/2013, ?s 15:16, Alessandro Dentella escreveu: > While trying to debug why MailScanner does not save messages in > /var/spool/mailScanner/qurantine I compared 2 almost identical machines. > One is working correctly (efa) and from that machine I copied MailScanner > conf to the other (smtp): > > smtp# cd /etc > smtp# mv MailScanner MailScanner.orig > smtp# rsync -a efa:/etc/MailScanner . > > then restarted MailScanner > > While 'efa' saves correctly messages 'smtp' does not. > My uderstanding of how MailScanner works is probably wrong since otehrwise > they should both work. > > The onlu difference between efa and smtp is in postfix configuration. > > My understanding is that postfix puts on HOLD via the header_checks = > regexp:/etc/postfix/header_checks (/var/spool/postfix/hold/) and from there > MailScanner read the message, clean and take any needed action. > > If this is correct no other agent apart from MailScanner are responsible for > copying from postfix/hold to MAilScanner/quarantine. > > So, How could possibily behave different on 2 identical machines? > > sandro > *:-) > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From sandro at e-den.it Wed May 29 09:51:20 2013 From: sandro at e-den.it (Alessandro Dentella) Date: Wed, 29 May 2013 10:51:20 +0200 Subject: storing messages - strace verdict: keepspamarchiveclean - HOW to FIX? In-Reply-To: References: <20130522094032.GA8174@ubuntu> <20130523104010.GB17056@ubuntu> <20130524151651.GC22476@ubuntu> <20130527112125.GA5732@ubuntu> <20130527181636.GA10586@ubuntu> Message-ID: <20130529085120.GA11830@ubuntu> On Mon, May 27, 2013 at 09:10:10PM +0200, Jerry Benton wrote: > These are the primary things I check for when dealing with this problem: > > 1. Selinux. Put in permissive and then build custom policies. Return to > enforcing. > 2. MailScanner Run As and directory ownership and permissions. > 3. MailScanner store messages as user matches permissions. > 4. Making sure you add the -U option to MailScanner for the newer versions of > perl.? > > sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner > Today I decided to debug using strace, it resulted clearly that the file was correctly written in quarantine but later deleted (unlink). I also found the single line that does that, commenting it I get the mail in quarantine: sub RemoveInfectedSpam { my $this = shift; my($id, $message); while(($id, $message) = each %{$this->{messages}}) { #print STDERR "Message is infected\n" if $message->{infected}; # next unless $message->{infected}; next unless MailScanner::Config::Value('keepspamarchiveclean', $message) =~ /1/; #print STDERR "Deleting " . join(',',@{$message->{spamarchive}}) . "\n"; # unlink @{$message->{spamarchive}}; # Wipe the spamarchive files <<<<< this deletes @{$this->{spamarchive}} = (); # Wipe the spamarchive array } } So the problem is to understand why MailScanner::Config::Value('keepspamarchiveclean', $message) =~ /1/; says that it should be deleted. How is that evaluated? Thanks again for any help sandro *:-) -- Sandro Dentella *:-) http://www.reteisi.org Soluzioni libere per le scuole http://sqlkit.argolinux.org SQLkit home page - PyGTK/python/sqlalchemy From sandro at e-den.it Wed May 29 10:12:05 2013 From: sandro at e-den.it (Alessandro Dentella) Date: Wed, 29 May 2013 11:12:05 +0200 Subject: storing messages - SOLVED Message-ID: <20130529091205.GA12312@ubuntu> On Mon, May 27, 2013 at 09:10:10PM +0200, Jerry Benton wrote: > These are the primary things I check for when dealing with this problem: > > 1. Selinux. Put in permissive and then build custom policies. Return to > enforcing. > 2. MailScanner Run As and directory ownership and permissions. > 3. MailScanner store messages as user matches permissions. > 4. Making sure you add the -U option to MailScanner for the newer versions of > perl.? > > sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner > I understood that the problem was that the reported function was in the comment to the line # next unless $message->{infected}; I don't really know why that was there, but in fact was the result of applying an old patch. Thanks for the support tothe list sandro *:-) sub RemoveInfectedSpam { my $this = shift; my($id, $message); while(($id, $message) = each %{$this->{messages}}) { #print STDERR "Message is infected\n" if $message->{infected}; # next unless $message->{infected}; next unless MailScanner::Config::Value('keepspamarchiveclean', $message) =~ /1/; #print STDERR "Deleting " . join(',',@{$message->{spamarchive}}) . "\n"; # unlink @{$message->{spamarchive}}; # Wipe the spamarchive files <<<<< this deletes @{$this->{spamarchive}} = (); # Wipe the spamarchive array } } From peter at farrows.org Wed May 29 13:48:35 2013 From: peter at farrows.org (Peter Farrow) Date: Wed, 29 May 2013 13:48:35 +0100 Subject: Hilton Honors Spam Message-ID: <51A5F923.8090201@farrows.org> Dear All, Is it just me, or is it that once you give the Hilton Hotels chain your email address they send out bucket loads of spam on an almost daily basis, furthermore, the "Unsubscribe function" goes through the motions but the emails keep coming. I have added these to my access file on my mail relay, but I keep finding new ones to add in, as they change the parameters of the spam, does anyone have a rule or a set of access entries to hand that can stop hilton hotels dead in their tracks? hiltonemail.com discard hiltonhonors.com discard hhonorscrm.net discard hilton.com discard Regards Pete -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130529/e97d8340/attachment.html From campbell at cnpapers.com Wed May 29 15:25:10 2013 From: campbell at cnpapers.com (Steve Campbell) Date: Wed, 29 May 2013 10:25:10 -0400 Subject: Hilton Honors Spam In-Reply-To: <51A5F923.8090201@farrows.org> References: <51A5F923.8090201@farrows.org> Message-ID: <51A60FC6.3050600@cnpapers.com> I'd look at the IP addresses these are coming from. I'd make sure they belong to a "hilton" domain. Then I'd block them by IP address if they're not "hilton". I'd also recommend "REJECT" instead of "DISCARD". The former would let them know that you aren't accepting their email any more, which might make it stop. The latter doesn't give them that indication and they might be assuming they are sending to an accepting server. steve campbell On 5/29/2013 8:48 AM, Peter Farrow wrote: > Dear All, > > Is it just me, or is it that once you give the Hilton Hotels chain > your email address they send out bucket loads of spam on an almost > daily basis, furthermore, the "Unsubscribe function" goes through the > motions but the emails keep coming. > > I have added these to my access file on my mail relay, but I keep > finding new ones to add in, as they change the parameters of the spam, > does anyone have a rule or a set of access entries to hand that can > stop hilton hotels dead in their tracks? > > hiltonemail.com discard > hiltonhonors.com discard > hhonorscrm.net discard > hilton.com discard > > Regards > > Pete > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130529/f8d6b3a1/attachment.html From jerry.benton at mailborder.com Wed May 29 16:01:14 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 29 May 2013 17:01:14 +0200 Subject: Hilton Honors Spam In-Reply-To: <51A5F923.8090201@farrows.org> References: <51A5F923.8090201@farrows.org> Message-ID: I have the same problem with Hotel Travel. On Wed, May 29, 2013 at 2:48 PM, Peter Farrow wrote: > Dear All, > > Is it just me, or is it that once you give the Hilton Hotels chain your > email address they send out bucket loads of spam on an almost daily basis, > furthermore, the "Unsubscribe function" goes through the motions but the > emails keep coming. > > I have added these to my access file on my mail relay, but I keep finding > new ones to add in, as they change the parameters of the spam, does anyone > have a rule or a set of access entries to hand that can stop hilton hotels > dead in their tracks? > > hiltonemail.com discard > hiltonhonors.com discard > hhonorscrm.net discard > hilton.com discard > > Regards > > Pete > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130529/f5b6391a/attachment.html From dongwind at 21cn.com Thu May 30 05:12:37 2013 From: dongwind at 21cn.com (=?UTF-8?B?5Lic6aOO?=) Date: Thu, 30 May 2013 12:12:37 +0800 (CST) Subject: Will MailScanner save the original Attachment which the file name is unsafe? Message-ID: <24907158.41251369887162253.JavaMail.root@webmail8> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/f577c566/attachment.html From jerry.benton at mailborder.com Thu May 30 07:03:53 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 30 May 2013 08:03:53 +0200 Subject: Will MailScanner save the original Attachment which the file name is unsafe? In-Reply-To: <24907158.41251369887162253.JavaMail.root@webmail8> References: <24907158.41251369887162253.JavaMail.root@webmail8> Message-ID: /var/spool/MailScanner/quarantine On Thu, May 30, 2013 at 6:12 AM, ?? wrote: > Dear all, > some users tell me ,they receive some mail ,and the attachment replace > by a message( MailScanner: No programs allowed). > I found MailScanner will tell user No programs allowed when > MailScanner scan the attachment by clamd found the attachment file type is > not allowed. > Now I want to find the original Attachment to show it to user,but i > can't find it in the server. > Cound you tell me whether MailScanner save the original Attachment?or > MailScanner will drop it without saving it? > > > --------------------------------------- > 21CN???Android?????????? > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/22bb1d53/attachment.html From dongwind at 21cn.com Thu May 30 07:52:52 2013 From: dongwind at 21cn.com (=?UTF-8?B?5Lic6aOO?=) Date: Thu, 30 May 2013 14:52:52 +0800 (CST) Subject: Will MailScanner save the original Attachment which the file name is unsafe? Message-ID: <1027373594.518501369896778876.JavaMail.root@webmail3> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/50a21fb1/attachment.html From deivishome at gmail.com Thu May 30 09:10:20 2013 From: deivishome at gmail.com (David Valin Alonso) Date: Thu, 30 May 2013 10:10:20 +0200 Subject: Corrupted messages Postfix Message-ID: Hello, i got a server runing ubuntu 10.04 lts x64 + postfix 2.10 + cyrus 2.2 + Mailscanner 4.84 + Spamassasin and all was working really great til a couple of days that began to send mails to corrupt folder /var/spool/postfix/corrupt. It complains about a missing record and it rejects the mail moving from active to corrupt queue. I don't know what happend and the configurations of postfix and mailscanner didn't change as it was working really great. What could happened? Regards, David -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/01291ffd/attachment.html From deivishome at gmail.com Thu May 30 09:20:01 2013 From: deivishome at gmail.com (David Valin Alonso) Date: Thu, 30 May 2013 10:20:01 +0200 Subject: Fwd: Corrupted messages Postfix In-Reply-To: References: Message-ID: Hello, i got a server runing ubuntu 10.04 lts x64 + postfix 2.10 + cyrus 2.2 + Mailscanner 4.84 + Spamassasin and all was working really great til a couple of days that began to send mails to corrupt folder /var/spool/postfix/corrupt. It complains about a missing record and it rejects the mail moving from active to corrupt queue. I don't know what happend and the configurations of postfix and mailscanner didn't change as it was working really great. What could happened? Regards, David -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/ec2307da/attachment.html From jerry.benton at mailborder.com Thu May 30 09:21:35 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 30 May 2013 10:21:35 +0200 Subject: Will MailScanner save the original Attachment which the file name is unsafe? In-Reply-To: <1027373594.518501369896778876.JavaMail.root@webmail3> References: <1027373594.518501369896778876.JavaMail.root@webmail3> Message-ID: Check these and corresponding settings in MailScanner.conf Quarantine Infections Quarantine Whole Message Quarantine Whole Messages As Queue Files On Thu, May 30, 2013 at 8:52 AM, ?? wrote: > Hi,Jerry,i have seen the path before > "/var/spool/MailScanner/quarantine/20130530/8F6451264166.AFC10",but no > attachment in it,just a file "msg-16026-88.txt" and the content is the mail > content,so i don't know where is the attachment. > > ------------------ ???? ------------------ > > ????Jerry Benton ** > ? ??2013/05/30 14:03:53 ??? > ????MailScanner discussion ** > ???? > ? ??Re: Will MailScanner save the original Attachment which the file name > is unsafe? > > > /var/spool/MailScanner/quarantine > > > On Thu, May 30, 2013 at 6:12 AM, ?? wrote: > >> Dear all, >> some users tell me ,they receive some mail ,and the attachment replace by >> a message( MailScanner: No programs allowed). >> I found MailScanner will tell user No programs allowed when MailScanner >> scan the attachment by clamd found the attachment file type is not allowed. >> Now I want to find the original Attachment to show it to user,but i can't >> find it in the server. >> Cound you tell me whether MailScanner save the original Attachment?or >> MailScanner will drop it without saving it? >> >> >> --------------------------------------- >> 21CN???Android?????????? >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > **** > > --------------------------------------- > 21CN???Android?????????? > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/8a8e2d23/attachment.html From dongwind at 21cn.com Thu May 30 09:36:06 2013 From: dongwind at 21cn.com (=?UTF-8?B?5Lic6aOO?=) Date: Thu, 30 May 2013 16:36:06 +0800 (CST) Subject: Will MailScanner save the original Attachment which the file name is unsafe? Message-ID: <317469085.587471369902973931.JavaMail.root@webmail7> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/a9e4d617/attachment.html From magiza83 at hotmail.com Thu May 30 10:45:06 2013 From: magiza83 at hotmail.com (=?iso-8859-1?B?TWFuZWwgR2ltZW5vIFphcmFnb3rh?=) Date: Thu, 30 May 2013 11:45:06 +0200 Subject: exim/Mailscanner + postfix/dspam header checks Message-ID: Hello, I've a Mailscanner setup with exim and I would like to add dspam. So I though it could be a good idea to have a pre MTA (postfix+dspam) to analize mails and the relay to exim+Mailscanner+spamassasin. I'm not sure If what I've done is not correct or not efficent but I'm used to use dspam and I would like to used. I've seen that spamassasin has bayesian support, but I'm not sure about its performace and accuracy. Anyway, my problem is that I've configured the following spamassasin rules in mailscanner.cf header DSPAM_HEADER X-DSPAM-Result =~ /Spam/i score DSPAM_HEADER 10 describe DSPAM_HEADER DSPAM lo marca como SPAM header FROM_HEADER From =~ /mgimeno/i score FROM_HEADER 20 describe FROM_HEADER message from mgimeno in order to mark as SPAM the mails that DSPAM has defined as Spam, but it's not working. I think the problem comes from that headers of messages comming from postfix are not analize, but If i connect directly to exim, it works. Could you please guide me? Anyway, I'm using exim/mailscanner because I want baruwa2 web support. Thanks Manel -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/dfa994bc/attachment.html From jerry.benton at mailborder.com Thu May 30 11:00:35 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 30 May 2013 12:00:35 +0200 Subject: Will MailScanner save the original Attachment which the file name is unsafe? In-Reply-To: <317469085.587471369902973931.JavaMail.root@webmail7> References: <317469085.587471369902973931.JavaMail.root@webmail7> Message-ID: You need to quarantine the whole message. On Thursday, May 30, 2013, ?? wrote: > hi,Jerry,this is my setting. > Quarantine Infections = yes > Quarantine Whole Message = no > Quarantine Whole Messages As Queue Files = no > > If I need to save the attachment,I just need to set Quarantine Whole > Message=yes ? > > ------------------ ???? ------------------ > > ????Jerry Benton ** > ? ??2013/05/30 16:21:35 ??? > ????MailScanner discussion ** > ???? > ? ??Re: Will MailScanner save the original Attachment which the file name > is unsafe? > > Check these and corresponding settings in MailScanner.conf > > Quarantine Infections > Quarantine Whole Message > Quarantine Whole Messages As Queue Files > > > On Thu, May 30, 2013 at 8:52 AM, ?? 'cvml', 'dongwind at 21cn.com');>> wrote: > >> Hi,Jerry,i have seen the path before >> "/var/spool/MailScanner/quarantine/20130530/8F6451264166.AFC10",but no >> attachment in it,just a file "msg-16026-88.txt" and the content is the mail >> content,so i don't know where is the attachment. >> ------------------ ???? ------------------ >> >> ????Jerry Benton ** >> ? ??2013/05/30 14:03:53 ??? >> ????MailScanner discussion ** >> ???? >> ? ??Re: Will MailScanner save the original Attachment which the file name >> is unsafe? >> >> >> /var/spool/MailScanner/quarantine >> >> >> On Thu, May 30, 2013 at 6:12 AM, ?? >> > wrote: >> >>> Dear all, >>> some users tell me ,they receive some mail ,and the attachment replace >>> by a message( MailScanner: No programs allowed). >>> I found MailScanner will tell user No programs allowed when MailScanner >>> scan the attachment by clamd found the attachment file type is not allowed. >>> Now I want to find the original Attachment to show it to user,but i >>> can't find it in the server. >>> Cound you tell me whether MailScanner save the original Attachment?or >>> MailScanner will drop it without saving it? >>> >>> >>> --------------------------------------- >>> 21CN???Android?????????? >>> >>> -- >>> MailScanner mailing list >>> mailscanner at lists.mailscanner.info >> 'mailscanner at lists.mailscanner.info');> >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> >> >> -- >> >> -- >> Jerry Benton >> Mailborder Systems >> www.mailborder.com >> **** >> >> --------------------------------------- >> 21CN???Android?????????? >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info > 'mailscanner at lists.mailscanner.info');> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > **** > > --------------------------------------- > 21CN???Android?????????? > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/ccde2f89/attachment.html From maxsec at gmail.com Thu May 30 12:21:22 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Thu, 30 May 2013 12:21:22 +0100 Subject: Corrupted messages Postfix In-Reply-To: References: Message-ID: what do the logs say for the messages in question? check the postfix logs and the mailscanner logs. Also try running mailscanner in debug mode (see the wiki) -- Martin Hepworth, CISSP Oxford, UK On 30 May 2013 09:10, David Valin Alonso wrote: > Hello, > i got a server runing ubuntu 10.04 lts x64 + postfix 2.10 + cyrus 2.2 + > Mailscanner 4.84 + Spamassasin and all was working really great til a > couple of days that began to send mails to corrupt folder > /var/spool/postfix/corrupt. It complains about a missing record and it > rejects the mail moving from active to corrupt queue. > I don't know what happend and the configurations of postfix and > mailscanner didn't change as it was working really great. > > What could happened? > > Regards, > > David > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/1251bb01/attachment.html From phaleintx at gmail.com Thu May 30 20:12:47 2013 From: phaleintx at gmail.com (Phil Hale) Date: Thu, 30 May 2013 14:12:47 -0500 Subject: exim/Mailscanner + postfix/dspam header checks In-Reply-To: References: Message-ID: <1369941167.2328.18.camel@zues.tamucc.edu> Hello Manel, I use the following SpamAssassin plugin to add DSpam scores to my messages: http://eric.lubow.org/projects/dspam-spamassassin-plugin/ Phil - ----Original Message----- From: Manel Gimeno Zaragoz? Reply-to: MailScanner discussion To: mailscanner at lists.mailscanner.info Subject: exim/Mailscanner + postfix/dspam header checks Date: Thu, 30 May 2013 11:45:06 +0200 Hello, I've a Mailscanner setup with exim and I would like to add dspam. So I though it could be a good idea to have a pre MTA (postfix+dspam) to analize mails and the relay to exim+Mailscanner+spamassasin. I'm not sure If what I've done is not correct or not efficent but I'm used to use dspam and I would like to used. I've seen that spamassasin has bayesian support, but I'm not sure about its performace and accuracy. Anyway, my problem is that I've configured the following spamassasin rules in mailscanner.cf header DSPAM_HEADER X-DSPAM-Result =~ /Spam/i score DSPAM_HEADER 10 describe DSPAM_HEADER DSPAM lo marca como SPAM header FROM_HEADER From =~ /mgimeno/i score FROM_HEADER 20 describe FROM_HEADER message from mgimeno in order to mark as SPAM the mails that DSPAM has defined as Spam, but it's not working. I think the problem comes from that headers of messages comming from postfix are not analize, but If i connect directly to exim, it works. Could you please guide me? Anyway, I'm using exim/mailscanner because I want baruwa2 web support. Thanks Manel -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130530/575096a1/attachment.html From deivishome at gmail.com Fri May 31 08:18:59 2013 From: deivishome at gmail.com (David Valin Alonso) Date: Fri, 31 May 2013 09:18:59 +0200 Subject: Corrupted messages Postfix In-Reply-To: References: Message-ID: Hi Martin, this is a copy/pste from my mail.log: May 29 11:02:21 server postfix/cleanup[27995]: 19D6CDFD3F: message-id=< 201305290411.3.5607.30342.2445274 at cog.lumata.com> May 29 11:02:21 server postfix/smtpd[27991]: disconnect from unknown[213.92.42.10] May 29 11:02:22 server MailScanner[24390]: New Batch: Scanning 1 messages, 4532 bytes May 29 11:02:22 server MailScanner[24390]: Virus and Content Scanning: Starting May 29 11:02:36 server MailScanner[24390]: Requeue: 19D6CDFD3F.AEAD7 to C6CEEDFD46 May 29 11:02:36 server MailScanner[24390]: Uninfected: Delivered 1 messages May 29 11:02:36 server postfix/qmgr[3507]: C6CEEDFD46: from=<>, size=3885, nrcpt=1 (queue active) May 29 11:02:36 server postfix/qmgr[3507]: warning: C6CEEDFD46: message rejected: missing end record May 29 11:02:36 server postfix/qmgr[3507]: warning: saving corrupt file "C6CEEDFD46" from queue "active" to queue "corrupt" May 29 11:02:36 server MailScanner[24390]: Deleted 1 messages from processing-database Not all mails go to corrupt, for example if a mail comes to 1 person i handles well the first time, the next time it sends to corrupt, i am loosing the 60-75% in the corrupt queue, yesterday i had to stop MailScanner and reconfig headers_checks to bypass the problem till i find a solution because everything was working great. Regards, David 2013/5/30 Martin Hepworth > what do the logs say for the messages in question? > check the postfix logs and the mailscanner logs. > Also try running mailscanner in debug mode (see the wiki) > > -- > Martin Hepworth, CISSP > Oxford, UK > > > On 30 May 2013 09:10, David Valin Alonso wrote: > >> Hello, >> i got a server runing ubuntu 10.04 lts x64 + postfix 2.10 + cyrus 2.2 + >> Mailscanner 4.84 + Spamassasin and all was working really great til a >> couple of days that began to send mails to corrupt folder >> /var/spool/postfix/corrupt. It complains about a missing record and it >> rejects the mail moving from active to corrupt queue. >> I don't know what happend and the configurations of postfix and >> mailscanner didn't change as it was working really great. >> >> What could happened? >> >> Regards, >> >> David >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130531/e0fd01e9/attachment.html From q at snj.ca Fri May 31 15:48:21 2013 From: q at snj.ca (Quintin Giesbrecht) Date: Fri, 31 May 2013 14:48:21 +0000 Subject: MailScanner Development Message-ID: <7422D1030AB0A0479EE5090F3702AAF819A4D9@BUGATTI.snjlaw.local> Just curious... We've been using MailScanner for a long time (I have used it at 2 different employers for more than 10 years). At my latest firm, where I have been for 8 years, we took a break for about a year and a half, and tried out a commercial appliance - it was HORRIBLE. In any case, we are back, and fully enjoying MailScanner again :) I do have a question though, that I have searched for, and haven't found an answer to so far. I believe that at one time, new versions of MS came out almost monthly (correct me if I am wrong), and I notice that the latest version available is from November of last year. Is development still continuing? I hope so :) Sorry if this has been asked and answered, I just couldn't find it... Thanks! _______________________________________________________ Quintin Giesbrecht Smith Neufeld Jodoin LLP IT Manager q at snj.ca (204)346-5106 ________________________________ This communication, including its attachments, if any, is confidential and intended only for the person(s) to whom it is addressed, and may contain proprietary and/or privileged material. Any unauthorized review, disclosure, copying, other distribution of this communication or taking of any action in reliance on its contents is strictly prohibited. If you have received this message in error, please notify us immediately so that we may amend our records. Then, please delete this message, and its attachments, if any, without reading, copying or forwarding it to anyone. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130531/89cc9590/attachment.html