From mejaz at cyberia.net.sa Fri Nov 1 00:03:02 2013
From: mejaz at cyberia.net.sa (Ejaz)
Date: Fri, 1 Nov 2013 03:03:02 +0300
Subject: mails-processing-problem
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EA06971@BTN-EXCHANGE-V1.fastnet.local>
References: <2CE7838EB6C148A2ADBC721AEDDF7E93@EJAZ> <6EE47AF64C339A4F8F7F50507241B3795EA06971@BTN-EXCHANGE-V1.fastnet.local>
Message-ID: <00f501ced695$be1213d0$3a363b70$@cyberia.net.sa>

There is no load on the server.

One thing that has been noticed: when I stopped using SpamAssassin, everything went back to normal. Processing of emails is very fast and MailScanner no longer crashes.

Any clue how I can make sure my SpamAssassin.

Regards,
Mohammed Ejaz
CYBERIAR SAUDI ARABIA
P.O.Box 301079, Riyadh 11372, Saudi Arabia
Tel: +966 11 464 7114 Ext. 140
Fax: +966 11 465 4735

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Richard Mealing
Sent: Thursday, October 31, 2013 5:48 PM
To: 'MailScanner discussion'
Subject: RE: mails-processing-problem

How is your server load?

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ejaz
Sent: 31 October 2013 11:36
To: 'MailScanner discussion'
Subject: RE: mails-processing-problem

Thanks for your answer.

Newly installed server with Redhat linux 6. and MailScanner version is 4.84.6-1

When I ran the Mailscanner -debug

I got below, rest is fine,

Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185

Ejaz
_____

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Thursday, October 31, 2013 2:12 PM
To: MailScanner discussion
Subject: Re: mails-processing-problem

What's changed? updated the server?

what does a debug show you and fix that error in the MailScanner Lint..
-- Martin Hepworth, CISSP Oxford, UK On 31 October 2013 09:41, Ejaz > wrote: Our mail scanners has started behaving very strange. It's not processing g any emails anymore only saying for each mail in the queue and with the below error. Our setup, Mailscanner/postfix/clamav/spamassasin. Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310 1. MailScanner --lint (reports below problem) > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-mydomain-MailScanner-From 2. spamassassin -lint (silently comes to next prompt) Any help would highly appreciated. Regards, __________________ Mohammed Ejaz Sr,Systems Administrator Middle East Internet Company (CYBERIA) Riyadh, Saudi Arabia Phone: +966-1-4647114 Ext: 140 Mobile +966-562311787 Fax: +966-1-4654735 E-mail: mejaz at cyberia.net.sa -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131101/95274f1f/attachment.html From mejaz at cyberia.net.sa Fri Nov 1 07:06:40 2013 From: mejaz at cyberia.net.sa (Ejaz) Date: Fri, 1 Nov 2013 10:06:40 +0300 Subject: mail-doesn-process Message-ID: As per the spamassain docs , I got to know that after every 100th spam message, when the next message which will be 101 would be consider as spam. Is that true. 
Below phrases, from the spamassin.org webiste If I've handed 100 messages to sa-learn that have the phrase penis enlargement and told it that those are all spam, when the 101st message comes in with the words penis and enlargment, the Bayesian classifier will be pretty sure that the new message is spam and will increase the spam score of that message. Also I have noticed that my mailscanner gets crash after processing few number of emails, and also to legimate messages it consdiering and spam and keeping t all of them into Qurantine directory.. Any help would be highly apprecitaed , Thanks so much in advance Ejaz _____ From: Ejaz [mailto:mejaz at cyberia.net.sa] Sent: Thursday, October 31, 2013 12:44 PM To: 'users-help at spamassassin.apache.org' Subject: mail-doesn-process Our mail scanners have started behaving very strange. It's not processing g any emails anymore only saying for each mail in the queue and with the below error. Our setup, Mailscanner/postfix/clamav/spamassasin. Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310 1. MailScanner --lint (reports below problem) > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-mydomain-MailScanner-From 2. spamassassin -lint (silently comes to next prompt) Any help would highly appreciated. Regards, __________________ Mohammed Ejaz Sr,Systems Administrator Middle East Internet Company (CYBERIA) Riyadh, Saudi Arabia Phone: +966-1-4647114 Ext: 140 Mobile +966-562311787 Fax: +966-1-4654735 E-mail: mejaz at cyberia.net.sa -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131101/271b3e49/attachment.html From richard at fastnet.co.uk Fri Nov 1 17:29:57 2013 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri, 1 Nov 2013 17:29:57 +0000 Subject: mail-doesn-process In-Reply-To: References: Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EA0734A@BTN-EXCHANGE-V1.fastnet.local> You can use MailScanner --debug-sa Or if you search for 'debug' in Mailscanner.conf then you can turn it on. Or you can run the spamassassin command with the -D -lint flags. spamassassin -D -lint Thanks. From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ejaz Sent: 01 November 2013 07:07 To: 'Ejaz'; users-help at spamassassin.apache.org Cc: 'MailScanner discussion' Subject: RE: mail-doesn-process As per the spamassain docs , I got to know that after every 100th spam message, when the next message which will be 101 would be consider as spam. Is that true. Below phrases, from the spamassin.org webiste If I've handed 100 messages to sa-learn that have the phrase penis enlargement and told it that those are all spam, when the 101st message comes in with the words penis and enlargment, the Bayesian classifier will be pretty sure that the new message is spam and will increase the spam score of that message. Also I have noticed that my mailscanner gets crash after processing few number of emails, and also to legimate messages it consdiering and spam and keeping t all of them into Qurantine directory.. Any help would be highly apprecitaed , Thanks so much in advance Ejaz ________________________________ From: Ejaz [mailto:mejaz at cyberia.net.sa] Sent: Thursday, October 31, 2013 12:44 PM To: 'users-help at spamassassin.apache.org' Subject: mail-doesn-process Our mail scanners have started behaving very strange. It's not processing g any emails anymore only saying for each mail in the queue and with the below error. 
Our setup, Mailscanner/postfix/clamav/spamassasin. Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310 1. MailScanner --lint (reports below problem) > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-mydomain-MailScanner-From 2. spamassassin -lint (silently comes to next prompt) Any help would highly appreciated. Regards, __________________ Mohammed Ejaz Sr,Systems Administrator Middle East Internet Company (CYBERIA) Riyadh, Saudi Arabia Phone: +966-1-4647114 Ext: 140 Mobile +966-562311787 Fax: +966-1-4654735 E-mail: mejaz at cyberia.net.sa -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131101/f30b1a9d/attachment.html From mejaz at cyberia.net.sa Sat Nov 2 10:04:22 2013 From: mejaz at cyberia.net.sa (Ejaz) Date: Sat, 2 Nov 2013 13:04:22 +0300 Subject: mail-doesn-process In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EA0734A@BTN-EXCHANGE-V1.fastnet.local> References: <6EE47AF64C339A4F8F7F50507241B3795EA0734A@BTN-EXCHANGE-V1.fastnet.local> Message-ID: <000001ced7b2$eb82c710$c2885530$@cyberia.net.sa> Attached is the debug file, would you please hint me where I went wrong. Regards, Mohammed Ejaz CYBERIAR SAUDI ARABIA P.O.Box 301079, Riyadh 11372, Saudi Arabia Tel: +966 11 464 7114 Ext. 
140 Fax: +966 11 465 4735 From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Richard Mealing Sent: Friday, November 1, 2013 8:30 PM To: 'MailScanner discussion'; 'users-help at spamassassin.apache.org' Subject: RE: mail-doesn-process You can use MailScanner --debug-sa Or if you search for 'debug' in Mailscanner.conf then you can turn it on. Or you can run the spamassassin command with the -D -lint flags. spamassassin -D -lint Thanks. From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ejaz Sent: 01 November 2013 07:07 To: 'Ejaz'; users-help at spamassassin.apache.org Cc: 'MailScanner discussion' Subject: RE: mail-doesn-process As per the spamassain docs , I got to know that after every 100th spam message, when the next message which will be 101 would be consider as spam. Is that true. Below phrases, from the spamassin.org webiste If I've handed 100 messages to sa-learn that have the phrase penis enlargement and told it that those are all spam, when the 101st message comes in with the words penis and enlargment, the Bayesian classifier will be pretty sure that the new message is spam and will increase the spam score of that message. Also I have noticed that my mailscanner gets crash after processing few number of emails, and also to legimate messages it consdiering and spam and keeping t all of them into Qurantine directory.. Any help would be highly apprecitaed , Thanks so much in advance Ejaz _____ From: Ejaz [mailto:mejaz at cyberia.net.sa] Sent: Thursday, October 31, 2013 12:44 PM To: 'users-help at spamassassin.apache.org' Subject: mail-doesn-process Our mail scanners have started behaving very strange. It's not processing g any emails anymore only saying for each mail in the queue and with the below error. Our setup, Mailscanner/postfix/clamav/spamassasin. 
Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310 1. MailScanner --lint (reports below problem) > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-mydomain-MailScanner-From 2. spamassassin -lint (silently comes to next prompt) Any help would highly appreciated. Regards, __________________ Mohammed Ejaz Sr,Systems Administrator Middle East Internet Company (CYBERIA) Riyadh, Saudi Arabia Phone: +966-1-4647114 Ext: 140 Mobile +966-562311787 Fax: +966-1-4654735 E-mail: mejaz at cyberia.net.sa -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131102/341ff3ed/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: deblog Type: application/octet-stream Size: 65081 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131102/341ff3ed/attachment-0001.obj From maxsec at gmail.com Sat Nov 2 12:49:20 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Sat, 2 Nov 2013 12:49:20 +0000 Subject: mails-processing-problem In-Reply-To: <00f501ced695$be1213d0$3a363b70$@cyberia.net.sa> References: <2CE7838EB6C148A2ADBC721AEDDF7E93@EJAZ> <6EE47AF64C339A4F8F7F50507241B3795EA06971@BTN-EXCHANGE-V1.fastnet.local> <00f501ced695$be1213d0$3a363b70$@cyberia.net.sa> Message-ID: What do you mean by stop using spamassain , how are you disabling this? Martin On Friday, 1 November 2013, Ejaz wrote: > There is no load on the server,**** > > ** ** > > One thing it has been noticed when I stopped using spamassain everthing > back to the normal. 
Processing of emails are very fast no more Mail scanner > get crashes, **** > > ** ** > > Any clue how I can make sure my spamassasin. **** > > ** ** > > Regards,**** > > *Mohammed Ejaz* > > *CYBERIA?** SAUDI ARABIA* > > P.O.Box 301079, Riyadh 11372, Saudi Arabia**** > > Tel: +966 11 464 7114 Ext. 140**** > > Fax: +966 11 465 4735**** > > ** ** > > *From:* mailscanner-bounces at lists.mailscanner.info 'cvml', 'mailscanner-bounces at lists.mailscanner.info');> [mailto: > mailscanner-bounces at lists.mailscanner.info 'mailscanner-bounces at lists.mailscanner.info');>] *On Behalf Of *Richard > Mealing > *Sent:* Thursday, October 31, 2013 5:48 PM > *To:* 'MailScanner discussion' > *Subject:* RE: mails-processing-problem**** > > ** ** > > How is your server load?**** > > ** ** > > *From:* mailscanner-bounces at lists.mailscanner.info [ > mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Ejaz > *Sent:* 31 October 2013 11:36 > *To:* 'MailScanner discussion' > *Subject:* RE: mails-processing-problem**** > > ** ** > > Thanks for your answer.**** > > ** ** > > Newly installed server with Redhat linux 6. and MailScanner version is > 4.84.6-1**** > > ** ** > > When I ran the Mailscanner ?debug **** > > ** ** > > I got below, rest is fine, **** > > ** ** > > Insecure dependency in open while running with -T switch at > /usr/lib64/perl5/IO/File.pm line 185**** > > ** ** > > Ejaz **** > ------------------------------ > > *From:* mailscanner-bounces at lists.mailscanner.info [ > mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Martin > Hepworth > *Sent:* Thursday, October 31, 2013 2:12 PM > *To:* MailScanner discussion > *Subject:* Re: mails-processing-problem**** > > ** ** > > Whats changed? 
updated the server?**** > > what does a debug show you and fix that error in the MailScanner Lint..*** > * > > > **** > > -- > Martin Hepworth, CISSP > Oxford, UK**** > > ** ** > > On 31 October 2013 09:41, Ejaz wrote:**** > > **** > > **** > > Our mail scanners has started behaving very strange. It?s not processing g > any emails anymore only saying for each mail in the queue and with the > below error. **** > > **** > > **** > > Our setup,**** > > **** > > Mailscanner/postfix/clamav/spamassasin. > > Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message > p8JHBZlF011310 as it has been attempted too many times > Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF0 > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131102/4d48b0cc/attachment.html From mejaz at cyberia.net.sa Sat Nov 2 16:06:19 2013 From: mejaz at cyberia.net.sa (Ejaz) Date: Sat, 2 Nov 2013 19:06:19 +0300 Subject: mails-processing-problem In-Reply-To: References: <2CE7838EB6C148A2ADBC721AEDDF7E93@EJAZ> <6EE47AF64C339A4F8F7F50507241B3795EA06971@BTN-EXCHANGE-V1.fastnet.local> <00f501ced695$be1213d0$3a363b70$@cyberia.net.sa> Message-ID: <000801ced7e5$7b944400$72bccc00$@cyberia.net.sa> In my mailscanner.conf saying "use spamassasin = no" Regards, Mohammed Ejaz CYBERIAR SAUDI ARABIA P.O.Box 301079, Riyadh 11372, Saudi Arabia Tel: +966 11 464 7114 Ext. 140 Fax: +966 11 465 4735 From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Saturday, November 2, 2013 3:49 PM To: MailScanner discussion Subject: Re: mails-processing-problem What do you mean by stop using spamassain , how are you disabling this? 
Martin On Friday, 1 November 2013, Ejaz wrote: There is no load on the server, One thing it has been noticed when I stopped using spamassain everthing back to the normal. Processing of emails are very fast no more Mail scanner get crashes, Any clue how I can make sure my spamassasin. Regards, Mohammed Ejaz CYBERIAR SAUDI ARABIA P.O.Box 301079, Riyadh 11372, Saudi Arabia Tel: +966 11 464 7114 Ext. 140 Fax: +966 11 465 4735 From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info ] On Behalf Of Richard Mealing Sent: Thursday, October 31, 2013 5:48 PM To: 'MailScanner discussion' Subject: RE: mails-processing-problem How is your server load? From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ejaz Sent: 31 October 2013 11:36 To: 'MailScanner discussion' Subject: RE: mails-processing-problem Thanks for your answer. Newly installed server with Redhat linux 6. and MailScanner version is 4.84.6-1 When I ran the Mailscanner -debug I got below, rest is fine, Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185 Ejaz _____ From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Thursday, October 31, 2013 2:12 PM To: MailScanner discussion Subject: Re: mails-processing-problem Whats changed? updated the server? what does a debug show you and fix that error in the MailScanner Lint.. -- Martin Hepworth, CISSP Oxford, UK On 31 October 2013 09:41, Ejaz > wrote: Our mail scanners has started behaving very strange. It's not processing g any emails anymore only saying for each mail in the queue and with the below error. Our setup, Mailscanner/postfix/clamav/spamassasin. 
Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times
Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF0

--
--
Martin Hepworth, CISSP
Oxford, UK

From jerry.benton at mailborder.com Sun Nov 3 17:53:58 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sun, 3 Nov 2013 18:53:58 +0100
Subject: Memory Leaks
Message-ID: 

Hello,

Has anyone noticed memory leaks in MailScanner? After a few days of a server that is not actually doing anything and just sitting there, memory becomes consumed. Ideas?

--

--
Jerry Benton
Mailborder Systems
www.mailborder.com

From pas at unh.edu Sun Nov 3 18:51:00 2013
From: pas at unh.edu (Paul Sand)
Date: Sun, 3 Nov 2013 13:51:00 -0500
Subject: Memory Leaks
In-Reply-To: 
References: 
Message-ID: <20131103185100.GA34277@cisunix.unh.edu>

* Jerry Benton [2013-11-03 13:04]:
>
> Has anyone noticed memory leaks in MailScanner? After a few days of a
> server that is not actually doing anything and just sitting there, memory
> becomes consumed. Ideas?
>

Not seeing it here. But (on the other hand) this may be why this is in MailScanner.conf:

# To avoid resource leaks, re-start periodically. Forces a re-read of all
# the configuration files too, so new updates to the bad phishing sites list
# are read frequently.
Restart Every = 14400

Is this parameter enabled for you?

--
-- Paul A Sand
-- Information Technology / University of New Hampshire
-- http://pubpages.unh.edu/~pas
-- Objects on screen may be closer than they appear.
From alex at vidadigital.com.pa Sun Nov 3 19:47:16 2013
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Sun, 3 Nov 2013 14:47:16 -0500
Subject: Memory Leaks
In-Reply-To: 
References: 
Message-ID: 

1. Consumed by what?
2. Are you sure it's not caching and such? Ideally, a Unix system should *not* have "unused" memory - it should use as much as possible between system processes and the cache.

On Sun, Nov 3, 2013 at 12:53 PM, Jerry Benton wrote:

> Hello,
>
> Has anyone noticed memory leaks in MailScanner? After a few days of a
> server that is not actually doing anything and just sitting there, memory
> becomes consumed. Ideas?
>
> --
>
> --
> Jerry Benton
> Mailborder Systems
> www.mailborder.com

--
Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/
+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)
Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From mejaz at cyberia.net.sa Mon Nov 4 13:07:43 2013
From: mejaz at cyberia.net.sa (Ejaz)
Date: Mon, 4 Nov 2013 16:07:43 +0300
Subject: spam-emails
Message-ID: <719C9765D8154ACF8AAFB890EADC317D@EJAZ>

How can I block spam messages? Below is the header of one of the spam messages. So many such emails I am receiving and I wanted to control it.

My setups are redhat/mailscanner/postfix/clamav/spamassassin.

Any help would be highly appreciated.
Received: from mail9.atl51.rsgsv.net (mail9.atl51.rsgsv.net [205.201.135.9]) by mailgate5.cyberia.net.sa (Postfix) with ESMTP id 2F353A48C42 for ; Mon, 4 Nov 2013 15:47:21 +0300 (AST) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail9.atl51.rsgsv.net; h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-T ype:MIME-Version; i=e.mar=3Dksa-courses.com at mail9.atl51.rsgsv.net; bh=5HHALciK6EJmpLR92xc+LiuVads=; b=eOxxPdNKA1rrRjKNOvYp6lT1p2VkSnBqwdmJ+sZCLROasZpQiL3E7XPlVfvfjBEwSi0BH4wryD rp ZUUHy38sV/AfyZWZd6uZbnSaHRG9xSMRzymqr6z6MtHWeOYva92QZeal06+qdKE6aYkkMmUF64er CcuENRoqgeC2jMNbAEw= DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail9.atl51.rsgsv.net; b=Ylftdm7BoX2FUEStpAbT9ovOEikSGMSDiMpFi4Jzt2MljFiDe3RbD1WrNdbaWfPPJ8rjYGzo3U m2 rt3oCsok7K33L0wEOAYf7ER9ep67R4oWWqIJzS3fuf20Ofn9j/2Y9cOHuXmFtxVuNdkerxUlONfr 54v8oQ1DYTFir7rcCKs=; Received: from (127.0.0.1) by mail9.atl51.rsgsv.net id heuc0c1mr1ok for ; Mon, 4 Nov 2013 12:50:04 +0000 (envelope-from ) Subject: =?utf-8?Q?Development=20managerial=20and=20supervisory=20skill?= From: =?utf-8?Q?Integrated=20for=20Training?= Reply-To: =?utf-8?Q?Integrated=20for=20Training?= To: =?utf-8?Q??= Date: Mon, 4 Nov 2013 12:50:04 +0000 Message-ID: <8766c1f2ecb17c88da70599b73dc3f41543.20131104124906 at mail9.atl51.rsgsv.net> X-Mailer: MailChimp Mailer - **CIDd31b95ad2d3dc3f41543** X-Campaign: mailchimp8766c1f2ecb17c88da70599b7.d31b95ad2d X-campaignid: mailchimp8766c1f2ecb17c88da70599b7.d31b95ad2d X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=8766c1f2ecb17c88da70599b7&id=d3 1b95ad2d&e=3dc3f41543 X-MC-User: 8766c1f2ecb17c88da70599b7 x-accounttype: pd List-Unsubscribe: , Sender: "Integrated for Training" x-mcda: FALSE Content-Type: multipart/alternative; boundary="_----------=_MCPart_950342113" MIME-Version: 1.0 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131104/b34e50fb/attachment.html

From steve.freegard at fsl.com Mon Nov 4 13:43:13 2013
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon, 04 Nov 2013 13:43:13 +0000
Subject: spam-emails
In-Reply-To: <719C9765D8154ACF8AAFB890EADC317D@EJAZ>
References: <719C9765D8154ACF8AAFB890EADC317D@EJAZ>
Message-ID: 

On 04/11/13 13:07, Ejaz wrote:
>
> How can I block spam messages, below is the header of one of the spam
> message. So many such emails I am receiving and I wanted to control it.
>
> Received: from mail9.atl51.rsgsv.net (mail9.atl51.rsgsv.net [205.201.135.9])
>     by mailgate5.cyberia.net.sa (Postfix) with ESMTP id 2F353A48C42
>     for ; Mon, 4 Nov 2013 15:47:21 +0300 (AST)
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1;
>     d=mail9.atl51.rsgsv.net;
>     h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version;
>     i=e.mar=3Dksa-courses.com at mail9.atl51.rsgsv.net;
>     bh=5HHALciK6EJmpLR92xc+LiuVads=;
>     b=eOxxPdNKA1rrRjKNOvYp6lT1p2VkSnBqwdmJ+sZCLROasZpQiL3E7XPlVfvfjBEwSi0BH4wryDrp
>     ZUUHy38sV/AfyZWZd6uZbnSaHRG9xSMRzymqr6z6MtHWeOYva92QZeal06+qdKE6aYkkMmUF64er
>     CcuENRoqgeC2jMNbAEw=
> List-Unsubscribe:
>     ,
>
> Sender: "Integrated for Training"
>

This message is a genuine e-mail from MailChimp (one of the better ESPs).

I suggest you use the unsubscribe mechanism rather than trying to write rules to block this.

http://itc.us5.list-manage.com/unsubscribe?u=8766c1f2ecb17c88da70599b7&id=f8000d1db1&e=3dc3f41543&c=d31b95ad2d

Regards,
Steve.

From mejaz at cyberia.net.sa Mon Nov 4 15:26:48 2013
From: mejaz at cyberia.net.sa (mejaz at cyberia.net.sa)
Date: Mon, 04 Nov 2013 18:26:48 +0300
Subject: spam-emails
In-Reply-To: 
References: <719C9765D8154ACF8AAFB890EADC317D@EJAZ>
Message-ID: 

Thanks for your help. Here is another one; it should have been blocked by MailScanner/SpamAssassin, but it was accepted and sent to the user's inbox with a spam tag only.

Here is the header.
Return-Path: 
Received: from mailgate5.cyberia.net.sa ([212.119.64.173] verified)
    by fmbx02.cyberia.net.sa (CommuniGate Pro SMTP 6.0.5)
    with ESMTP id 6486307 for imad at cyberia.net.sa; Mon, 04 Nov 2013 15:05:57 +0300
Received: from _SharXan_ (unknown [109.254.184.24])
    by mailgate5.cyberia.net.sa (Postfix) with SMTP id 4A78BA40364
    for ; Mon, 4 Nov 2013 15:05:12 +0300 (AST)
Received: (qmail 2739 by uid 199); Mon, 4 Nov 2013 12:08:06 -0300
From: "Free trial sample enlargement" 
To: 
Subject: {Spam?} New genetical engineering breakthrough published
Date: Mon, 4 Nov 2013 11:37:13 -0300
Message-ID: <000301ced96f$a9989730$fcc9c590$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0066_01CED96F.A9989730"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcjmY7DS5mKb/xHlZVm6OhpABGdjSw==
Content-Language: en-us
X--MailScanner-Information: Please contact the ISP for more information
X--MailScanner-ID: 4A78BA40364.A3D8C
X--MailScanner: Found to be clean
X--MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=7.385,
    required 6, BAYES_60 1.50, FSL_HELO_NON_FQDN_1 0.00,
    HTML_MESSAGE 0.00, RCVD_IN_BRBL_LASTEXT 1.45, RDNS_NONE 0.79,
    SPF_SOFTFAIL 0.67, TVD_SPACE_RATIO 0.00, URIBL_BLACK 1.73,
    URIBL_JP_SURBL 1.25)
X--MailScanner-SpamScore: sssssss
X--MailScanner-From: preferringinference at creativecommons.org
X-Spam-Status: Yes

This is a multipart message in MIME format.

------=_NextPart_000_0066_01CED96F.A9989730
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Christina Aguilera undressed http://affiliateathomereview.com/magistrateimpeller/

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

------=_NextPart_000_0066_01CED96F.A9989730
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

--=20
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

------=_NextPart_000_0066_01CED96F.A9989730--

On Mon, 04 Nov 2013 13:43:13 +0000 Steve Freegard wrote:
> On 04/11/13 13:07, Ejaz wrote:
>>
>> How can I block spam messages, below is the header of one of the spam
>> message. So many such emails I am receiving and I wanted to control it.
>>
>> Received: from mail9.atl51.rsgsv.net (mail9.atl51.rsgsv.net [205.201.135.9])
>>     by mailgate5.cyberia.net.sa (Postfix) with ESMTP id 2F353A48C42
>>     for ; Mon, 4 Nov 2013 15:47:21 +0300 (AST)
>> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1;
>>     d=mail9.atl51.rsgsv.net;
>>     h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version;
>>     i=e.mar=3Dksa-courses.com at mail9.atl51.rsgsv.net;
>>     bh=5HHALciK6EJmpLR92xc+LiuVads=;
>>     b=eOxxPdNKA1rrRjKNOvYp6lT1p2VkSnBqwdmJ+sZCLROasZpQiL3E7XPlVfvfjBEwSi0BH4wryDrp
>>     ZUUHy38sV/AfyZWZd6uZbnSaHRG9xSMRzymqr6z6MtHWeOYva92QZeal06+qdKE6aYkkMmUF64er
>>     CcuENRoqgeC2jMNbAEw=
>> List-Unsubscribe:
>>     ,
>>
>> Sender: "Integrated for Training"
>>
>
> This message is a genuine e-mail from MailChimp (one of the better ESPs).
>
> I suggest you use the unsubscribe mechanism rather than trying to write
> rules to block this.
>
> http://itc.us5.list-manage.com/unsubscribe?u=8766c1f2ecb17c88da70599b7&id=f8000d1db1&e=3dc3f41543&c=d31b95ad2d
>
> Regards,
> Steve.
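
The X--MailScanner-SpamCheck header from the message above, taken apart in Python as an added example (not part of the original thread and not MailScanner's own code): it compares the reported score with the required score and recomputes the total when selected rule scores are overridden. The function names are assumptions made for this illustration.

```python
import re
from fnmatch import fnmatchcase

# X--MailScanner-SpamCheck value copied from the headers above, unfolded.
SPAMCHECK = (
    "spam, SpamAssassin (not cached, score=7.385, required 6, "
    "BAYES_60 1.50, FSL_HELO_NON_FQDN_1 0.00, HTML_MESSAGE 0.00, "
    "RCVD_IN_BRBL_LASTEXT 1.45, RDNS_NONE 0.79, SPF_SOFTFAIL 0.67, "
    "TVD_SPACE_RATIO 0.00, URIBL_BLACK 1.73, URIBL_JP_SURBL 1.25)"
)

_VALUE_RE = re.compile(
    r"^(?P<verdict>[^,(]+),\s*SpamAssassin\s*\((?P<body>[^()]*)\)$")
_RULE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_]+)\s+(?P<score>-?\d+(?:\.\d+)?)$")


def parse_spamcheck(value):
    """Split a SpamCheck value into verdict, totals and per-rule scores."""
    unfolded = " ".join(value.split())  # undo header folding (newline + indent)
    match = _VALUE_RE.match(unfolded)
    if match is None:
        raise ValueError("no SpamAssassin report in SpamCheck value")
    parsed = {"verdict": match.group("verdict").strip(),
              "score": None, "required": None, "rules": {}}
    for field in (part.strip() for part in match.group("body").split(",")):
        if field.startswith("score="):
            parsed["score"] = float(field[len("score="):])
        elif field.startswith("required "):
            parsed["required"] = float(field[len("required "):])
        else:
            rule = _RULE_RE.match(field)
            if rule:  # other fields such as "not cached" are flags, not rules
                parsed["rules"][rule.group("name")] = float(rule.group("score"))
    if parsed["score"] is None or parsed["required"] is None:
        raise ValueError("SpamCheck value lacks score or required threshold")
    return parsed


def over_threshold(parsed):
    """True when the reported score reaches the required score."""
    return parsed["score"] >= parsed["required"]


def top_contributors(parsed, limit=3):
    """Non-zero rule hits, highest score first."""
    hits = [(name, score) for name, score in parsed["rules"].items() if score != 0]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)[:limit]


def rescored(parsed, overrides):
    """Total if rules matching the glob patterns in `overrides` scored differently.

    The header rounds each rule score to two decimals, so the result is
    only as precise as those rounded values.
    """
    total = parsed["score"]
    for name, score in parsed["rules"].items():
        for pattern, new_score in overrides.items():
            if fnmatchcase(name, pattern):
                total += new_score - score
                break
    return round(total, 3)


if __name__ == "__main__":
    report = parse_spamcheck(SPAMCHECK)
    print("verdict:", report["verdict"],
          "| score", report["score"], "vs required", report["required"])
    for name, score in top_contributors(report):
        print(f"  {name:<22}{score:5.2f}")
    print("total with URIBL_* hits zeroed:", rescored(report, {"URIBL_*": 0.0}))
    print("total with URIBL_* hits at 3.0:", rescored(report, {"URIBL_*": 3.0}))
```

On this header the two URIBL_* hits account for 2.98 points, so with them zeroed the total would be 4.405, under the required 6.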
From steve.freegard at fsl.com Mon Nov 4 16:20:15 2013
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon, 04 Nov 2013 16:20:15 +0000
Subject: spam-emails
In-Reply-To: 
References: <719C9765D8154ACF8AAFB890EADC317D@EJAZ>
Message-ID: 

On 04/11/13 15:26, mejaz at cyberia.net.sa wrote:
> Thanks for your help. here is another one it should have blocked it by
> mailscanner/spamassasin but it accepted. and send to user inbox with spam
> tag only
>
> here is the header.
>
> X--MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=7.385,
>     required 6, BAYES_60 1.50, FSL_HELO_NON_FQDN_1 0.00,
>     HTML_MESSAGE 0.00, RCVD_IN_BRBL_LASTEXT 1.45, RDNS_NONE 0.79,
>     SPF_SOFTFAIL 0.67, TVD_SPACE_RATIO 0.00, URIBL_BLACK 1.73,
>     URIBL_JP_SURBL 1.25)

SpamAssassin considered that this message was spam. It's your configured Spam Actions that delivered the message to the mailbox tagged.

You can either:

1) Change the Spam Actions to 'store' and put messages considered to be spam in the quarantine.
2) Increase the scores of the pertinent tests to make these spams high scoring (e.g. URIBL_*)
3) You could add some extra software and reject this at the SMTP stage (as it contained blacklisted URIs).

Regards,
Steve.

From lhaig at haigmail.com Mon Nov 4 16:37:44 2013
From: lhaig at haigmail.com (Lance Haig)
Date: Mon, 04 Nov 2013 18:37:44 +0200
Subject: What to migrate to.
Message-ID: <5277CD58.6040402@haigmail.com>

Hi All,

I have been an avid mailscanner user for many years now and I have recently been running a MS server with Baruwa front-end. Recently no matter what I do I seem to be letting SPAM and Virus mail through, and loads of Russian spam.

So I think it is time to rebuild my server as it has been running for more than 2 years and I do like to rebuild the OS from time to time.

So my question is:

What is a good combination of MS / Front End/ addition scripts and rules that will make a good MS solution for my small installation.
I only use this for personal mail domains so don't have budget for a
paid solution.

I host my current server on a kvm host on my main server.

I would really appreciate some guidance

Thanks

Lance

--
Lance Haig

Cape Town

From jerry.benton at mailborder.com Mon Nov 4 17:42:09 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 4 Nov 2013 18:42:09 +0100
Subject: What to migrate to.
In-Reply-To: <5277CD58.6040402@haigmail.com>
References: <5277CD58.6040402@haigmail.com>
Message-ID:

The three primary ones are:

- Baruwa
- Mailborder
- Mailwatch

I am the creator for Mailborder, so my opinion is of course biased
towards my own product.

Baruwa is the most mature in a production environment. I do know that
if you use Debian or a variant such as Ubuntu, it is relatively easy
to install. As far as I know, all of the source is open. There are
both free and commercial versions. I'd suggest looking into it more
for comparisons. However, I am sure you are aware of its features
since you have been using it for a while.

Mailborder has been used privately for about 8 years and available to
the public for about a year. The latest version (v4) is a total
redesign of v3 based on customer feedback. While also easy to install
and setup, you need to have a good understanding of MailScanner and
MTAs to configure the advanced layering of policies. There is both a
free and paid version. Paid versions allow for more domains,
clustering, etc. Most of the source is open, but part of it is closed
and encoded. (PHP files for the web interface, etc.) If you speak a
language that there is currently not a GUI translation for, you can
get free unlimited licenses by maintaining the translation for that
language. (Easy after the first translation.)

Mailwatch is the oldest of the three. However, as far as I know, it is
not as actively developed as Mailborder and Baruwa.
Support is also limited as Mailborder and Baruwa have websites with free
and paid support options where Mailwatch does not. (As far as I know of
anyway.)

You can test all of them for free. I would suggest doing that and then
deciding for yourself. While all of them are similar in several areas,
each of them have various features not available in the other.

Jerry Benton
www.mailborder.com

On Mon, Nov 4, 2013 at 5:37 PM, Lance Haig wrote:

> Hi All,
>
> I have been an avid mailscanner user for many years now and I have
> recently been running a MS server with Baruwa front-end.
> Recently no matter what I do I seem to be letting SPAM and Virus mail
> through, and loads of russian spam.
>
> So I think it is time to rebuild my server as it has been running for
> more than 2 years and I do like to rebuild the OS from time to time.
>
> So my question is:
>
> What is a good combination of MS / Front End/ addition scripts and rules
> that will make a good MS solution for my small installation.
>
> I only use this for personal mail domains so don't have budget for a
> paid solution.
>
> I host my current server on a kvm host on my main server.
>
> I would really appreciate some guidance
>
> Thanks
>
> Lance
>
> --
> Lance Haig
>
> Cape Town
>

--
Jerry Benton
Mailborder Systems
www.mailborder.com

From bntidd at gmail.com Mon Nov 4 18:08:50 2013
From: bntidd at gmail.com (Bryan Tidd)
Date: Mon, 4 Nov 2013 13:08:50 -0500
Subject: Fwd: Sign Clean Messages
In-Reply-To:
References:
Message-ID:

I have set Sign Clean Messages set to yes, but still do not get the
appended message. I have verified the files exist in the correct language
directory for the inline messages. Is this a bug? I noticed a few others
had this issue with older versions. I would appreciate some way to trace
this error or a solution....

Thanks
Bryan

From mailscanner-list at okla.com Mon Nov 4 19:58:10 2013
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Mon, 4 Nov 2013 13:58:10 -0600
Subject: What to migrate to.
In-Reply-To: <5277CD58.6040402@haigmail.com>
References: <5277CD58.6040402@haigmail.com>
Message-ID: <027401ced998$33ebc970$9bc35c50$@okla.com>

I have been using the same setup on Centos 6.x, MS with Baruwa for quite
some time, with SA, Razor, Pyzor and DCC. Additionally I use the
xtables-addons for iptables to do geoip blocking of Russia, China and some
others. It's free and works well and only really needs a geoip update once
a month as that is about as often as Maxmind updates their data, and easy
enough to crontab a job to do that for you. Not only does the geoip
blocking get rid of the spam, it also stops the unauthorized access attempts
to your other services such as POP3 etc. Fail2ban is something you might
also want to look at if you have a lot of hacking attempts at your POP3,
SSH, FTP or whatever.

I also wonder if you are using any RBL at the MTA level or only scoring them
with SA?

Best wishes,
Tracy Greggs

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Lance Haig
Sent: Monday, November 04, 2013 10:38 AM
To: MailScanner discussion
Subject: What to migrate to.

Hi All,

I have been an avid mailscanner user for many years now and I have recently
been running a MS server with Baruwa front-end.
Recently no matter what I do I seem to be letting SPAM and Virus mail
through, and loads of russian spam.

So I think it is time to rebuild my server as it has been running for more
than 2 years and I do like to rebuild the OS from time to time.

So my question is:

What is a good combination of MS / Front End/ addition scripts and rules
that will make a good MS solution for my small installation.

I only use this for personal mail domains so don't have budget for a paid
solution.

I host my current server on a kvm host on my main server.

I would really appreciate some guidance

Thanks

Lance

--
Lance Haig

Cape Town

From rlopezcnm at gmail.com Tue Nov 5 23:07:20 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Tue, 5 Nov 2013 16:07:20 -0700
Subject: What to migrate to.
In-Reply-To: <027401ced998$33ebc970$9bc35c50$@okla.com>
References: <5277CD58.6040402@haigmail.com> <027401ced998$33ebc970$9bc35c50$@okla.com>
Message-ID:

Lance,

If you have been running Baruwa and you still are getting more SPAM it
seems that either more is being emailed to you and it is successful at
bypassing well known filter methods or perhaps the Baruwa set of tools
is of such complexity that you are overlooking how it is actually working.

I am seeing a lot more phishing and "voice mail" spam carrying active
code lately. I have had times where some tools have failed in their
accessing external web site components which did not manifest in clear
ways. It simply was not obvious from maillogs what was happening. A
corrupted data base drove me crazy for weeks.

Jerry Benton wrote the three primary ones are:

- Baruwa
- Mailborder
- Mailwatch

I have tested all three. The Mailwatch seems to have more development
lately but the time of little activity puts it behind in my opinion.
I found Baruwa had so much going on it was difficult to comprehend
which features were causing problems I encountered. Mailborder is to
me a reasonable tool. I have not tested the newest releases and I do
plan to. There were a few shortcomings I believe Jerry may have now
addressed and I do want to see them.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From rlopezcnm at gmail.com Tue Nov 5 23:33:20 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Tue, 5 Nov 2013 16:33:20 -0700
Subject: Memory Leaks
In-Reply-To:
References:
Message-ID:

Jerry

I have seen on very busy systems the number of MS child processes continue
to increase well beyond the Max Children and when that happens the numbers
in /proc/meminfo all start to change. At this time I am watching them but
not really understanding what is happening. I see Committed_AS really
starts to increase when the number of children increase.

As to a machine that is actually not doing anything. I have two of them
associated to back burner projects. Postfix and MailScanner are running and
the only email that is processed is a few root cron jobs per day. On them
the /proc/meminfo numbers do not noticeably change. I know leakage, if it
does exist, may come from routines not used by these two systems.

Paul makes a good point. I run with Restart Every = 7200 on all gateways.
However, when big spikes hit I find manually restarting helps.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From rlopezcnm at gmail.com Wed Nov 6 00:08:52 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Tue, 5 Nov 2013 17:08:52 -0700
Subject: mail-doesn-process
In-Reply-To: <000001ced7b2$eb82c710$c2885530$@cyberia.net.sa>
References: <6EE47AF64C339A4F8F7F50507241B3795EA0734A@BTN-EXCHANGE-V1.fastnet.local> <000001ced7b2$eb82c710$c2885530$@cyberia.net.sa>
Message-ID:

Focus on this line of your deblog:

"12:54:30 Nov 2 12:54:30.426 [19224] info: pyzor: [19250] error: exit 6"

and do a web search on "pyzor exit 6"

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From lhaig at haigmail.com Wed Nov 6 11:19:13 2013
From: lhaig at haigmail.com (Lance Haig)
Date: Wed, 06 Nov 2013 13:19:13 +0200
Subject: What to migrate to.
In-Reply-To:
References: <5277CD58.6040402@haigmail.com>
Message-ID: <527A25B1.1020901@haigmail.com>

Hi Jerry,

I have not tried MailBorder yet and perhaps I need to give that version
a go.

Thanks for replying

Regards

Lance

On 04/11/2013 19:42, Jerry Benton wrote:
> The three primary ones are:
>
> - Baruwa
> - Mailborder
> - Mailwatch
>
>
> I am the creator for Mailborder, so my opinion is of course biased
> towards my own product.
>
> Baruwa is the most mature in a production environment. I do know that
> if you use Debian or a variant such as Ubuntu, it is relatively easy
> to install. As far as I know, all of the source is open. There are
> both free and commercial versions. I'd suggest looking into it more
> for comparisons. However, I am sure you are aware of its features
> since you have been using it for a while.
>
> Mailborder has been used privately for about 8 years and available to
> the public for about a year. The latest version (v4) is a total
> redesign of v3 based on customer feedback. While also easy to install
> and setup, you need to have a good understanding of MailScanner and
> MTAs to configure the advanced layering of policies. There is both a
> free and paid version. Paid versions allow for more domains,
> clustering, etc. Most of the source is open, but part of it is closed
> and encoded. (PHP files for the web interface, etc.) If you speak a
> language that there is currently not a GUI translation for, you can
> get free unlimited licenses by maintaining the translation for that
> language. (Easy after the first translation.)
>
> Mailwatch is the oldest of the three. However, as far as I know, it is
> not as actively developed as Mailborder and Baruwa. Support is also
> limited as Mailborder and Baruwa have websites with free and paid
> support options where Mailwatch does not. (As far as I know of anyway.)
>
>
> You can test all of them for free. I would suggest doing that and then
> deciding for yourself. While all of them are similar in several areas,
> each of them have various features not available in the other.
>
>
> Jerry Benton
> www.mailborder.com
>
>
> On Mon, Nov 4, 2013 at 5:37 PM, Lance Haig wrote:
>
>     Hi All,
>
>     I have been an avid mailscanner user for many years now and I have
>     recently been running a MS server with Baruwa front-end.
>     Recently no matter what I do I seem to be letting SPAM and Virus mail
>     through, and loads of russian spam.
>
>     So I think it is time to rebuild my server as it has been running for
>     more than 2 years and I do like to rebuild the OS from time to time.
>
>     So my question is:
>
>     What is a good combination of MS / Front End/ addition scripts and rules
>     that will make a good MS solution for my small installation.
>
>     I only use this for personal mail domains so don't have budget for a
>     paid solution.
>
>     I host my current server on a kvm host on my main server.
>
>     I would really appreciate some guidance
>
>     Thanks
>
>     Lance
>
>     --
>     Lance Haig
>
>     Cape Town
>
> --
> Jerry Benton
> Mailborder Systems
> www.mailborder.com
>

--
Lance Haig
0799078000
Cape Town

From lhaig at haigmail.com Wed Nov 6 11:21:33 2013
From: lhaig at haigmail.com (Lance Haig)
Date: Wed, 06 Nov 2013 13:21:33 +0200
Subject: What to migrate to.
In-Reply-To: <027401ced998$33ebc970$9bc35c50$@okla.com>
References: <5277CD58.6040402@haigmail.com> <027401ced998$33ebc970$9bc35c50$@okla.com>
Message-ID: <527A263D.6000900@haigmail.com>

Hi Tracy,

I will need to perhaps get a fresh install going and then look to add the
extras you have.

The last time I ran the DCC pyzor Razor additions was when I ran MailWatch.

Thanks for responding

Regards

Lance

On 04/11/2013 21:58, Tracy Greggs wrote:
> I have been using the same setup on Centos 6.x, MS with Baruwa for quite
> some time, with SA, Razor, Pyzor and DCC. Additionally I use the
> xtables-addons for iptables to do geoip blocking of Russia, China and some
> others.
> It's free and works well and only really needs a geoip update once
> a month as that is about as often as Maxmind updates their data, and easy
> enough to crontab a job to do that for you. Not only does the geoip
> blocking get rid of the spam, it also stops the unauthorized access attempts
> to your other services such as POP3 etc. Fail2ban is something you might
> also want to look at if you have a lot of hacking attempts at your POP3,
> SSH, FTP or whatever.
>
> I also wonder if you are using any RBL at the MTA level or only scoring them
> with SA?
>
> Best wishes,
> Tracy Greggs
>
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Lance Haig
> Sent: Monday, November 04, 2013 10:38 AM
> To: MailScanner discussion
> Subject: What to migrate to.
>
> Hi All,
>
> I have been an avid mailscanner user for many years now and I have recently
> been running a MS server with Baruwa front-end.
> Recently no matter what I do I seem to be letting SPAM and Virus mail
> through, and loads of russian spam.
>
> So I think it is time to rebuild my server as it has been running for more
> than 2 years and I do like to rebuild the OS from time to time.
>
> So my question is:
>
> What is a good combination of MS / Front End/ addition scripts and rules
> that will make a good MS solution for my small installation.
>
> I only use this for personal mail domains so don't have budget for a paid
> solution.
>
> I host my current server on a kvm host on my main server.
>
> I would really appreciate some guidance
>
> Thanks
>
> Lance
>
> --
> Lance Haig
>
> Cape Town
>
>

--
Lance Haig
0799078000
Cape Town

From lhaig at haigmail.com Wed Nov 6 11:24:24 2013
From: lhaig at haigmail.com (Lance Haig)
Date: Wed, 06 Nov 2013 13:24:24 +0200
Subject: What to migrate to.
In-Reply-To:
References: <5277CD58.6040402@haigmail.com> <027401ced998$33ebc970$9bc35c50$@okla.com>
Message-ID: <527A26E8.9040905@haigmail.com>

Hi Robert,

Thanks for responding.

I also get "voicemail" spam quite a bit it seems the spammers are getting
better and better at making our spamassassin setups less effective.

Thanks for the advice I will definitely look at them when I rebuild my
servers.

Regards

Lance

On 06/11/2013 01:07, Robert Lopez wrote:
>
> Lance,
>
>
> If you have been running Baruwa and you still are getting more SPAM it
> seems that either more is being emailed to you and it is successful at
> bypassing well known filter methods or perhaps the Baruwa set of tools
> is of such complexity that you are overlooking how it is actually working.
>
> I am seeing a lot more phishing and "voice mail" spam carrying active
> code lately. I have had times where some tools have failed in their
> accessing external web site components which did not manifest in clear
> ways. It simply was not obvious from maillogs what was happening. A
> corrupted data base drove me crazy for weeks.
>
> Jerry Benton wrote the three primary ones are:
>
> - Baruwa
> - Mailborder
> - Mailwatch
>
> I have tested all three.
> The Mailwatch seems to have more development
> lately but the time of little activity puts it behind in my opinion.
> I found Baruwa had so much going on it was difficult to comprehend
> which features were causing problems I encountered. Mailborder is to
> me a reasonable tool. I have not tested the newest releases and I do
> plan to. There were a few shortcomings I believe Jerry may have now
> addressed and I do want to see them.
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>

--
Lance Haig
0799078000
Cape Town

From ci at holmco.de Thu Nov 7 11:45:04 2013
From: ci at holmco.de (ci at holmco.de)
Date: Thu, 7 Nov 2013 12:45:04 +0100
Subject: Mailscanner / Sophos does not block viruses
Message-ID: <20131107114504.GA21182@edv6.holmco.de>

Hello,

we are running Mailscanner with Sophos Antivirus as virus scanner.
So far it's working, but Mailscanner does not block the attachment.
I made sure that sophos-wrapper is executed by Mailscanner. The
resulting sophos command line scans and detects files in the spool
directory and delivers exit status > 0.

Mailscanner notices that the mail is infected. The admin gets
information mail from Mailscanner:

------------------------------------------------------------------------
Subject: [SAV-LINUX] Threat detected during on-demand scan on
To: admin at domain.tld

A threat was detected during an on-demand scan. Details follow:
3 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/10458/1VeN1P-0002nK-8i/neicar.txt is infected with EICAR-AV-Test.
------------------------------------------------------------------------

The mail reaches the recipient *with* eicar still attached.

What's going wrong here?

Greetings,
--
R. Cirksena

From Amelein at dantumadiel.eu Thu Nov 7 12:33:10 2013
From: Amelein at dantumadiel.eu (Arjan Melein)
Date: Thu, 07 Nov 2013 13:33:10 +0100
Subject: Betr.: Mailscanner / Sophos does not block viruses
In-Reply-To: <20131107114504.GA21182@edv6.holmco.de>
References: <20131107114504.GA21182@edv6.holmco.de>
Message-ID: <527B96960200008E000263E6@GroupWise.Dantumadiel.eu>

Check the config if it says:

Deliver Disinfected Files = no
Still Deliver Silent Viruses = no

That's pretty much all I can come up with right now.

- Arjan

>>> On 7-11-2013 at 12:45, wrote:
> Hello,
>
> we are running Mailscanner with Sophos Antivirus as virus scanner.
> So far it's working, but Mailscanner does not block the attachment.
> I made sure that sophos-wrapper is executed by Mailscanner. The
> resulting sophos command line scans and detects files in the spool
> directory and delivers exit status > 0.
>
> Mailscanner notices that the mail is infected. The admin gets
> information mail from Mailscanner:
>
> ------------------------------------------------------------------------
> Subject: [SAV-LINUX] Threat detected during on-demand scan on
> To: admin at domain.tld
>
> A threat was detected during an on-demand scan. Details follow:
> 3 files scanned.
> Number of infections detected: 1
> Number of infected files detected: 1
> /var/spool/MailScanner/incoming/10458/1VeN1P-0002nK-8i/neicar.txt is infected
> with EICAR-AV-Test.
> ------------------------------------------------------------------------
>
> The mail reaches the recipient *with* eicar still attached.
>
> What's going wrong here?
>
>
> Greetings,
> --
> R. Cirksena

From jerry.benton at mailborder.com Thu Nov 7 12:39:47 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 7 Nov 2013 13:39:47 +0100
Subject: Mailscanner / Sophos does not block viruses
In-Reply-To: <20131107114504.GA21182@edv6.holmco.de>
References: <20131107114504.GA21182@edv6.holmco.de>
Message-ID:

Check: Quarantine Infections in /etc/MailScanner/MailScanner.conf

On Thu, Nov 7, 2013 at 12:45 PM, wrote:

> Hello,
>
> we are running Mailscanner with Sophos Antivirus as virus scanner.
> So far it's working, but Mailscanner does not block the attachment.
> I made sure that sophos-wrapper is executed by Mailscanner. The
> resulting sophos command line scans and detects files in the spool
> directory and delivers exit status > 0.
>
> Mailscanner notices that the mail is infected. The admin gets
> information mail from Mailscanner:
>
> ------------------------------------------------------------------------
> Subject: [SAV-LINUX] Threat detected during on-demand scan on
> To: admin at domain.tld
>
> A threat was detected during an on-demand scan. Details follow:
> 3 files scanned.
> Number of infections detected: 1
> Number of infected files detected: 1
> /var/spool/MailScanner/incoming/10458/1VeN1P-0002nK-8i/neicar.txt is
> infected
> with EICAR-AV-Test.
> ------------------------------------------------------------------------
>
> The mail reaches the recipient *with* eicar still attached.
>
> What's going wrong here?
>
>
> Greetings,
> --
> R. Cirksena
>

--
Jerry Benton
Mailborder Systems
www.mailborder.com

From ci at holmco.de Thu Nov 7 13:37:38 2013
From: ci at holmco.de (ci at holmco.de)
Date: Thu, 7 Nov 2013 14:37:38 +0100
Subject: Mailscanner / Sophos does not block viruses
In-Reply-To: <527B96960200008E000263E6@GroupWise.Dantumadiel.eu>
References: <20131107114504.GA21182@edv6.holmco.de> <527B96960200008E000263E6@GroupWise.Dantumadiel.eu>
Message-ID: <20131107133738.GA3458@edv6.holmco.de>

On Thu, Nov 07, 2013 at 01:33:10PM +0100 you wrote:
> Check the config if it says:
>
> Deliver Disinfected Files = no
> Still Deliver Silent Viruses = no

Thank you, but that's already set to "no".

Greetings,
--
R. Cirksena

From ci at holmco.de Thu Nov 7 13:38:50 2013
From: ci at holmco.de (ci at holmco.de)
Date: Thu, 7 Nov 2013 14:38:50 +0100
Subject: Mailscanner / Sophos does not block viruses
In-Reply-To:
References: <20131107114504.GA21182@edv6.holmco.de>
Message-ID: <20131107133850.GB3458@edv6.holmco.de>

On Thu, Nov 07, 2013 at 01:39:47PM +0100 you wrote:
> Check: Quarantine Infections in /etc/MailScanner/MailScanner.conf

Setting is:

Quarantine Infections = yes

Seems to be o.k.

Greetings,
--
R. Cirksena

From mark at msapiro.net Fri Nov 8 02:00:31 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 07 Nov 2013 18:00:31 -0800
Subject: Mailscanner / Sophos does not block viruses
In-Reply-To: <20131107133850.GB3458@edv6.holmco.de>
References: <20131107133850.GB3458@edv6.holmco.de>
Message-ID: <527C45BF.4040306@msapiro.net>

ci at holmco.de wrote:
> On Thu, Nov 07, 2013 at 01:39:47PM +0100 you wrote:
>
>> Check: Quarantine Infections in /etc/MailScanner/MailScanner.conf
>
> Setting is:
>
> Quarantine Infections = yes
>
> Seems to be o.k.

Have you also checked all the included files in /etc/MailScanner/conf.d/?

What does 'MailScanner --lint' report?

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From ci at holmco.de Fri Nov 8 06:44:21 2013
From: ci at holmco.de (ci at holmco.de)
Date: Fri, 8 Nov 2013 07:44:21 +0100
Subject: Mailscanner / Sophos does not block viruses
In-Reply-To: <527C45BF.4040306@msapiro.net>
References: <20131107133850.GB3458@edv6.holmco.de> <527C45BF.4040306@msapiro.net>
Message-ID: <20131108064421.GA14586@edv6.holmco.de>

On Thu, Nov 07, 2013 at 06:00:31PM -0800 you wrote:
> Have you also checked all the included files in /etc/MailScanner/conf.d/?

The directory is empty. Mailscanner is set up to use a monolithic
configuration file.

> What does 'MailScanner --lint' report?

------------------------------------------------------------------------
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Read 858 hostnames from the phishing whitelist
Read 5500 hostnames from the phishing blacklists
Checking version numbers...
Version number in MailScanner.conf (4.79.11) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (102)
MailScanner setting UID to (100)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
bayes: cannot write to /var/lib/MailScanner/bayes_journal, bayes db update ignored: Permission denied
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 30 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = sophos"
Found these virus scanners installed: clamav, sophos
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
===========================================================================
If any of your virus scanners (clamav,sophos) are not listed there,
you should check that they are installed correctly and that MailScanner
is finding them correctly via its virus.scanners.conf.
------------------------------------------------------------------------

Looks good so far (?).

Greetings,
--
R. Cirksena

From mejaz at cyberia.net.sa Fri Nov 8 07:51:30 2013
From: mejaz at cyberia.net.sa (Ejaz)
Date: Fri, 8 Nov 2013 10:51:30 +0300
Subject: spam-
Message-ID: <000001cedc57$5df2ecf0$19d8c6d0$@cyberia.net.sa>

Pls, help to stop spam messages, below header for one of the example of
spam messages our users keep receiving huge number of such messages.

My setup mailscanner/postfix/clamav/spamassassin/mailwatch.

Any help would be highly appreciated.

Received on: 08/11/13 10:08:17
Received by: mailgate5.cyberia.net.sa
Received from: 178.76.217.156 [Add to Whitelist | Add to Blacklist]
Received Via:
  IP Address      Hostname                 Country                RBL  Spam  Virus  All
  178.76.217.156  (Reverse Lookup Failed)  (GeoIP Lookup Failed)  [ ]  [ ]   [ ]    [ ]
ID: 5E90EAE6CC1.A5345
Message Headers:
  Received: from clonx (unknown [178.76.217.156])
   by mailgate5.cyberia.net.sa (Postfix) with SMTP id 5E90EAE6CC1
   for ; Fri, 8 Nov 2013 10:08:10 +0300 (AST)
  Received: (qmail 5455 by uid 393); Fri, 8 Nov 2013 07:11:18 -0300
  From: "Enlargement pils Free trial sample"
  To:
  Subject: Uncensored models pics
  Date: Fri, 8 Nov 2013 06:47:39 -0300
  Message-ID: <005b01cedc73$8debbe70$a9c33b50$@org>
  MIME-Version: 1.0
  Content-Type: multipart/alternative; boundary="----=_NextPart_000_005A_01CEDC73.8DEBBE70"
  X-Mailer: Microsoft Office Outlook 12.0
  Thread-Index: AcjkztUsBXgoB+tXKZk5ZYQYXbRHBg==
  Content-Language: en-us
From: guernseyparticiple at wikimedia.org [Add to Whitelist | Add to Blacklist]
To: mejaz at cyberia.net.sa
Subject: Uncensored models pics
Size: 6.4Kb

Anti-Virus/Dangerous Content Protection
Virus: N
Blocked File: N
Other Infection: N

SpamAssassin
Spam: N
Action(s): deliver, header, "X-Spam-Status:, No"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: N
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: N
SpamAssassin Score: 5.07
Spam Report:
  Score  Matching Rule         Description
  0.80   BAYES_50
  0.00   FSL_HELO_NON_FQDN_1
  0.00   HTML_MESSAGE
  1.45   RCVD_IN_BRBL_LASTEXT
  0.79   RDNS_NONE
  0.78   SPF_NEUTRAL
  1.25   URIBL_JP_SURBL

Regards,
Mohammed Ejaz
CYBERIAR SAUDI ARABIA
P.O.Box 301079, Riyadh 11372, Saudi Arabia
Tel: +966 11 464 7114 Ext. 140
Fax: +966 11 465 4735
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131108/ac19092c/attachment.html From richard at fastnet.co.uk Fri Nov 8 13:46:39 2013 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri, 8 Nov 2013 13:46:39 +0000 Subject: spam- In-Reply-To: <000001cedc57$5df2ecf0$19d8c6d0$@cyberia.net.sa> References: <000001cedc57$5df2ecf0$19d8c6d0$@cyberia.net.sa> Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EA0BFC5@BTN-EXCHANGE-V1.fastnet.local> Hi Ejaz, What do you have set for "Required SpamAssassin Score" in your MailScanner.conf file? Thanks, Rich From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ejaz Sent: 08 November 2013 07:52 To: 'MailScanner discussion' Cc: users-help at spamassassin.apache.org Subject: spam- Pls, help to stop spam messages, below header for one of the example of spam messages our users keep receiving huge number of such messages. My setup mailscaner/postfix/clamav/spamassasin/mailwatch. Any help would be highly appreciated. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131108/6c07d4fe/attachment.html From berge.mattias at gmail.com Fri Nov 8 14:30:33 2013 From: berge.mattias at gmail.com (mattias berge) Date: Fri, 8 Nov 2013 15:30:33 +0100 Subject: HTML5 wbr tag causes phising detection Message-ID: The html5 wbr tags seem to cause MailScanner to think of a link as different from the title.

Min presentation: http://host/kategori_blogg/buzz-kommunikation/somthing-something-i-something-something/

This gives the "MailScanner has detected a possible fraud". Is this a known problem? Mailscanner 4.84.5 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131108/10d56b00/attachment.html From mejaz at cyberia.net.sa Fri Nov 8 15:39:46 2013 From: mejaz at cyberia.net.sa (Ejaz) Date: Fri, 8 Nov 2013 18:39:46 +0300 Subject: spam- In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EA0BFC5@BTN-EXCHANGE-V1.fastnet.local> References: <000001cedc57$5df2ecf0$19d8c6d0$@cyberia.net.sa> <6EE47AF64C339A4F8F7F50507241B3795EA0BFC5@BTN-EXCHANGE-V1.fastnet.local> Message-ID: <000e01cedc98$c30cd1a0$492674e0$@cyberia.net.sa> In my Mailscanner.conf the default score was set to 6, now I have reduced to 5. But fears is that some false positive can happen. Regards, Mohammed Ejaz CYBERIAR SAUDI ARABIA P.O.Box 301079, Riyadh 11372, Saudi Arabia Tel: +966 11 464 7114 Ext. 140 Fax: +966 11 465 4735 From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Richard Mealing Sent: Friday, November 8, 2013 4:47 PM To: 'MailScanner discussion' Subject: RE: spam- Hi Ejaz, What do you have set for "Required SpamAssassin Score" in your MailScanner.conf file? Thanks, Rich From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ejaz Sent: 08 November 2013 07:52 To: 'MailScanner discussion' Cc: users-help at spamassassin.apache.org Subject: spam- Pls, help to stop spam messages, below header for one of the example of spam messages our users keep receiving huge number of such messages. My setup mailscaner/postfix/clamav/spamassasin/mailwatch. Any help would be highly appreciated. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131108/3d94f8b4/attachment.html From mark at msapiro.net Fri Nov 8 16:06:47 2013 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 08 Nov 2013 08:06:47 -0800 Subject: Mailscanner / Sophos does not block viruses In-Reply-To: <20131108064421.GA14586@edv6.holmco.de> References: <20131107133850.GB3458@edv6.holmco.de> <527C45BF.4040306@msapiro.net> <20131108064421.GA14586@edv6.holmco.de> Message-ID: <527D0C17.3010909@msapiro.net> On 11/07/2013 10:44 PM, ci at holmco.de wrote: > On Thu, Nov 07, 2013 at 06:00:31PM -0800 you wrote: > >> What does 'MailScanner --lint' report? > > Checking version numbers... > Version number in MailScanner.conf (4.79.11) is correct. Current version is 4.84.6. 4.79.11 is almost 4 years old. There's nothing specific about this issue at , but upgrading may help. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Fri Nov 8 16:18:20 2013 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 08 Nov 2013 08:18:20 -0800 Subject: spam- In-Reply-To: <000e01cedc98$c30cd1a0$492674e0$@cyberia.net.sa> References: <000001cedc57$5df2ecf0$19d8c6d0$@cyberia.net.sa> <6EE47AF64C339A4F8F7F50507241B3795EA0BFC5@BTN-EXCHANGE-V1.fastnet.local> <000e01cedc98$c30cd1a0$492674e0$@cyberia.net.sa> Message-ID: <527D0ECC.5070102@msapiro.net> On 11/08/2013 07:39 AM, Ejaz wrote: > In my Mailscanner.conf the default score was set to 6, now I have > reduced to 5. But fears is that some false positive can happen. Spam detection is not an exact science. There will always be false positives, false negatives or both. Make sure your SpamAssassin rules are up to date and maybe try adding some additional rules. See -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From terry.hulen at gmail.com Fri Nov 8 16:34:13 2013 From: terry.hulen at gmail.com (Terry Hulen Jr) Date: Fri, 8 Nov 2013 11:34:13 -0500 Subject: spam- In-Reply-To: <527D0ECC.5070102@msapiro.net> References: <000001cedc57$5df2ecf0$19d8c6d0$@cyberia.net.sa> <6EE47AF64C339A4F8F7F50507241B3795EA0BFC5@BTN-EXCHANGE-V1.fastnet.local> <000e01cedc98$c30cd1a0$492674e0$@cyberia.net.sa> <527D0ECC.5070102@msapiro.net> Message-ID: The first thing I would do is use your MTA to use the most common BL sites. If you follow this link you will notice that the first IP that you sent is listed on many BL databases: http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a178.76.217.156&run=toolpage I would at least use Barracuda's BL database to block these at the MTA. On Fri, Nov 8, 2013 at 11:18 AM, Mark Sapiro wrote: > On 11/08/2013 07:39 AM, Ejaz wrote: > > In my Mailscanner.conf the default score was set to 6, now I have > > reduced to 5. But fears is that some false positive can happen. > > > Spam detection is not an exact science. There will always be false > positives, false negatives or both. > > Make sure your SpamAssassin rules are up to date and maybe try adding > some additional rules. > > See > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131108/2a8acee5/attachment.html From dgottsc at emory.edu Fri Nov 8 21:33:37 2013 From: dgottsc at emory.edu (Gottschalk, David) Date: Fri, 8 Nov 2013 21:33:37 +0000 Subject: bad phishing sites/Scamnailer updates missing? In-Reply-To: <201310200127310569.396A2BB0@web.ace.net.au> References: <525D8AED.1080106@msapiro.net> <201310200127310569.396A2BB0@web.ace.net.au> Message-ID: ScamNailer has been broken for me, for a while. It seem to be getting a different error, that doesn't seem to be related to the issues reported since April. Reading status from /var/cache/ScamNailer/status Checking that /var/cache/ScamNailer/cache/2013-444 exists... no - resetting..... ok Checking that /var/cache/ScamNailer/cache/-1.0 exists... ok I am working with: Current: 2013-445 - 10 and Status: -1 - 0 This is base update Unable to retrieve http://www.mailscanner.tv/emails..2013-445 :404 Not Found Update required Retrieving http://www.mailscanner.tv/emails.2013-445.1 Failed to retrieve http://www.mailscanner.tv/emails.2013-445.1 at ./ScamNailer line 276. Retrieving http://www.mailscanner.tv/emails.2013-445.2 Failed to retrieve http://www.mailscanner.tv/emails.2013-445.2 at ./ScamNailer line 276. Retrieving http://www.mailscanner.tv/emails.2013-445.3 Failed to retrieve http://www.mailscanner.tv/emails.2013-445.3 at ./ScamNailer line 276. Retrieving http://www.mailscanner.tv/emails.2013-445.4 Failed to retrieve http://www.mailscanner.tv/emails.2013-445.4 at ./ScamNailer line 276. Retrieving http://www.mailscanner.tv/emails.2013-445.5 Failed to retrieve http://www.mailscanner.tv/emails.2013-445.5 at ./ScamNailer line 276. Retrieving http://www.mailscanner.tv/emails.2013-445.6 Failed to retrieve http://www.mailscanner.tv/emails.2013-445.6 at ./ScamNailer line 276. Retrieving http://www.mailscanner.tv/emails.2013-445.7 Failed to retrieve http://www.mailscanner.tv/emails.2013-445.7 at ./ScamNailer line 276. 
Retrieving http://www.mailscanner.tv/emails.2013-445.8 Failed to retrieve http://www.mailscanner.tv/emails.2013-445.8 at ./ScamNailer line 276. Retrieving http://www.mailscanner.tv/emails.2013-445.9 Failed to retrieve http://www.mailscanner.tv/emails.2013-445.9 at ./ScamNailer line 276. Retrieving http://www.mailscanner.tv/emails.2013-445.10 Failed to retrieve http://www.mailscanner.tv/emails.2013-445.10 at ./ScamNailer line 276. Unable to open base file (/var/cache/ScamNailer/cache//2013-445) Can someone help me figure this out? It seems mailscanner.tv doesn't host this file anymore, but the script doesn't have anywhere else to look. Thanks. David Gottschalk Emory University UTS Messaging Team 404.727.9744 -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Nitschke Sent: Saturday, October 19, 2013 10:58 AM To: mailscanner at lists.mailscanner.info Subject: Re: bad phishing sites/Scamnailer updates missing? I had just about given up on this. Many thanks! *********** REPLY SEPARATOR *********** On 17/10/2013 at 1:56 PM Stephen Cox wrote: >On Tue, Oct 15, 2013 at 8:35 PM, Mark Sapiro wrote: > >> Now there is a new problem: All the data and updates are working, but >> there have been no new sites/domains added to the list since "This >> file was generated at Thu Oct 10 00:44:45 BST 2013" (over 5 days ago). >> > >There was a hosting fault again and the problem should now be fixed >with the next scheduled generation if not already. > >-- >MailScanner mailing list >mailscanner at lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! 
-- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner-list at okla.com Fri Nov 8 23:13:41 2013 From: mailscanner-list at okla.com (Tracy Greggs) Date: Fri, 8 Nov 2013 17:13:41 -0600 Subject: spam- In-Reply-To: References: <000001cedc57$5df2ecf0$19d8c6d0$@cyberia.net.sa> <6EE47AF64C339A4F8F7F50507241B3795EA0BFC5@BTN-EXCHANGE-V1.fastnet.local> <000e01cedc98$c30cd1a0$492674e0$@cyberia.net.sa> <527D0ECC.5070102@msapiro.net> Message-ID: <005901cedcd8$2d8b8cd0$88a2a670$@okla.com> I 2nd that! Very few false positives with Barracuda in my experience. You can also look at what IS being scored in SA on these spams and perhaps increase the score for some of the items. My personal opinion is that the default SA score is too low for quite a few of the rules. Razor, Pyzor and DCC? They are a must IMO. It truly is a balancing act and you are NEVER going to stop all spam from getting through, but you can catch the vast majority of it with some diligence. I am personally a proponent of using geoip blocking with xtables addon for iptables and blocking all of the major offending countries that I never have legit email from. I do understand for the global corporate scenario that is largely not possible to do. Tracy Greggs From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Terry Hulen Jr Sent: Friday, November 08, 2013 10:34 AM To: MailScanner discussion Subject: Re: spam- The first thing I would do is use your MTA to use the most common BL sites. If you follow this link you will notice that the first IP that you sent is listed on many BL databases: http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a178.76.217.156 &run=toolpage I would at least use Barracuda's BL database to block these at the MTA. 
On Fri, Nov 8, 2013 at 11:18 AM, Mark Sapiro wrote: On 11/08/2013 07:39 AM, Ejaz wrote: > In my Mailscanner.conf the default score was set to 6, now I have > reduced to 5. But fears is that some false positive can happen. Spam detection is not an exact science. There will always be false positives, false negatives or both. Make sure your SpamAssassin rules are up to date and maybe try adding some additional rules. See -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131108/7fb6f0e1/attachment.html From mark at msapiro.net Fri Nov 8 23:25:23 2013 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 08 Nov 2013 15:25:23 -0800 Subject: bad phishing sites/Scamnailer updates missing? In-Reply-To: References: <525D8AED.1080106@msapiro.net> <201310200127310569.396A2BB0@web.ace.net.au> Message-ID: <527D72E3.2000103@msapiro.net> On 11/08/2013 01:33 PM, Gottschalk, David wrote: > Unable to retrieve http://www.mailscanner.tv/emails..2013-445 :404 Not Found ... > Can someone help me figure this out? It seems mailscanner.tv doesn't host this file anymore, but the script doesn't have anywhere else to look. The current ScamNailer version is 2.10. 
Apparently the web site at got rolled back at some point and shows 2.09, but this is out of date.

Line 140 in version 2.10 is

my $urlbase = "http://cdn.mailscanner.info/emails.";

This also works

my $urlbase = "http://www.mailscanner.eu/emails.";

The only change from 2.09 to 2.10 is the replacement of www.mailscanner.tv with cdn.mailscanner.info, but 2.10 was released over a year and a half ago. with this change.

The web site needs to be fixed.

Also, I just checked and appears to have been rolled back too. These need to be fixed.

-- 
Mark Sapiro                              The highway is for gamblers,
San Francisco Bay Area, California       better use your sense - B. Dylan

From kens at kensnet.org Sat Nov 9 00:09:41 2013
From: kens at kensnet.org (Ken Smith)
Date: Sat, 09 Nov 2013 00:09:41 +0000
Subject: New process for every day the machine has been running
Message-ID: <527D7D45.5070807@kensnet.org>

Hi all

Running Centos 6.4, mailscanner-4.84.5-3, sendmail-8.14.4-8.el6.x86_64, SELinux enabled

The machine has one of these processes for each day it has been running.

smmsp 18382 0.0 0.0 78164 2064 ? SNs Oct25 0:00 sendmail: Queue runner at 00:15:00 for /var/spool/clientmqueue

Should they be getting killed off somehow. I don't see any SELinux messages about it.

I'm sure I've probably missed some simple thing. Guidance much appreciated

Thanks

Ken

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From alex at vidadigital.com.pa Sat Nov 9 00:16:28 2013 From: alex at vidadigital.com.pa (Alex Neuman van der Hans) Date: Fri, 8 Nov 2013 19:16:28 -0500 Subject: spam- In-Reply-To: <005901cedcd8$2d8b8cd0$88a2a670$@okla.com> References: <000001cedc57$5df2ecf0$19d8c6d0$@cyberia.net.sa> <6EE47AF64C339A4F8F7F50507241B3795EA0BFC5@BTN-EXCHANGE-V1.fastnet.local> <000e01cedc98$c30cd1a0$492674e0$@cyberia.net.sa> <527D0ECC.5070102@msapiro.net> <005901cedcd8$2d8b8cd0$88a2a670$@okla.com> Message-ID: In my experience a well tuned MailScanner has far more accuracy and performance than a Barracuda machine. -- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital On Nov 8, 2013, at 6:13 PM, Tracy Greggs wrote: > I 2nd that! Very few false positives with Barracuda in my experience. > > You can also look at what IS being scored in SA on these spams and perhaps increase the score for some of the items. My personal opinion is that the default SA score is too low for quite a few of the rules. > > Razor, Pyzor and DCC? They are a must IMO. It truly is a balancing act and you are NEVER going to stop all spam from getting through, but you can catch the vast majority of it with some diligence. > > I am personally a proponent of using geoip blocking with xtables addon for iptables and blocking all of the major offending countries that I never have legit email from. I do understand for the global corporate scenario that is largely not possible to do. > From mark at msapiro.net Sat Nov 9 01:29:05 2013 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 08 Nov 2013 17:29:05 -0800 Subject: HTML5 wbr tag causes phising detection In-Reply-To: References: Message-ID: <527D8FE1.1030604@msapiro.net> On 11/08/2013 06:30 AM, mattias berge wrote: > The html5 wbr tags seem to cause MailScanner to think of a link as > different from the title. > >

Min presentation:  href="http://host/kategori_blogg/buzz-kommunikation/something-something-i-something-something" > target="_blank">http://host/kategori_blogg/buzz-kommunikation/somthing-something-i-something-something style="">/

> > This gives the "MailScanner has detected a possible fraud". Is this a > known problem? > > Mailscanner 4.84.5 I'm running MailScanner 4.84.6 which shouldn't be different from 4.84.5 in this respect, but I tested with a message containing exactly the above HTML but with 'host' replaced by 'msapiro.net' in both cases, and it did not trigger the possible fraud detection. I then retested with 'msapiro.net' as the host in the href and 'ms2.msapiro.net' as the host in the text, and it did trigger the possible fraud detection. In both cases, there was a tag in the text, i.e. 'http://msapiro.net/...' in the first case and 'http://ms2.msapiro.net/...' in the second. Thus, I have to conclude this is not an issue in MS 4.84.6. Aside: Why would Microsoft Office or whatever generated this HTML in the first place want to allow breaking the text in the middle of a representation of a URL? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mailscanner-list at okla.com Sat Nov 9 03:00:40 2013 From: mailscanner-list at okla.com (Tracy Greggs) Date: Fri, 8 Nov 2013 21:00:40 -0600 Subject: spam- In-Reply-To: References: <000001cedc57$5df2ecf0$19d8c6d0$@cyberia.net.sa> <6EE47AF64C339A4F8F7F50507241B3795EA0BFC5@BTN-EXCHANGE-V1.fastnet.local> <000e01cedc98$c30cd1a0$492674e0$@cyberia.net.sa> <527D0ECC.5070102@msapiro.net> <005901cedcd8$2d8b8cd0$88a2a670$@okla.com> Message-ID: <007001cedcf7$e2fae790$a8f0b6b0$@okla.com> I was referring to the Barracuda RBL at the MTA or scored with SA. Tracy Greggs -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans Sent: Friday, November 08, 2013 6:16 PM To: MailScanner discussion Subject: Re: spam- In my experience a well tuned MailScanner has far more accuracy and performance than a Barracuda machine. 
-- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital On Nov 8, 2013, at 6:13 PM, Tracy Greggs wrote: > I 2nd that! Very few false positives with Barracuda in my experience. > > You can also look at what IS being scored in SA on these spams and perhaps increase the score for some of the items. My personal opinion is that the default SA score is too low for quite a few of the rules. > > Razor, Pyzor and DCC? They are a must IMO. It truly is a balancing act and you are NEVER going to stop all spam from getting through, but you can catch the vast majority of it with some diligence. > > I am personally a proponent of using geoip blocking with xtables addon for iptables and blocking all of the major offending countries that I never have legit email from. I do understand for the global corporate scenario that is largely not possible to do. > -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From pas at unh.edu Sat Nov 9 09:47:02 2013 From: pas at unh.edu (Paul Sand) Date: Sat, 9 Nov 2013 04:47:02 -0500 Subject: New process for every day the machine has been running In-Reply-To: <527D7D45.5070807@kensnet.org> References: <527D7D45.5070807@kensnet.org> Message-ID: <20131109094702.GA12949@cisunix.unh.edu> * Ken Smith [2013-11-08 19:17]: > Running Centos 6.4, mailscanner-4.84.5-3, sendmail-8.14.4-8.el6.x86_64, > SELinux enabled > > The machine has one of these processes for each day it has been running. 
>
> smmsp 18382 0.0 0.0 78164 2064 ? SNs Oct25 0:00
> sendmail: Queue runner at 00:15:00 for /var/spool/clientmqueue
>
> Should they be getting killed off somehow.

I am running pretty much the same setup (except no SELinux). I only
see one of these processes, started when MailScanner starts. So they
shouldn't be getting killed, but you shouldn't have more than the first
one.

The Mailscanner startup script is supposed to start the sendmail processes
itself. (I.e., not through the normal /etc/init.d/sendmail script.)
So one thing to look at:

# chkconfig --list sendmail

Should be:

sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Just guessing.

-- 
-- Paul A Sand
-- Information Technology / University of New Hampshire
-- http://pubpages.unh.edu/~pas
-- Trademarks mentioned in this message appear for identification purposes only.

From kens at kensnet.org Sat Nov 9 22:55:41 2013
From: kens at kensnet.org (Ken Smith)
Date: Sat, 09 Nov 2013 22:55:41 +0000
Subject: New process for every day the machine has been running
In-Reply-To: <20131109094702.GA12949@cisunix.unh.edu>
References: <527D7D45.5070807@kensnet.org> <20131109094702.GA12949@cisunix.unh.edu>
Message-ID: <527EBD6D.8060000@kensnet.org>

Paul Sand wrote:
> * Ken Smith [2013-11-08 19:17]:
>
>> Running Centos 6.4, mailscanner-4.84.5-3, sendmail-8.14.4-8.el6.x86_64,
>> SELinux enabled
>>
>> The machine has one of these processes for each day it has been running.
>>
>> smmsp 18382 0.0 0.0 78164 2064 ? SNs Oct25 0:00
>> sendmail: Queue runner at 00:15:00 for /var/spool/clientmqueue
>>
>> Should they be getting killed off somehow.
>>
> I am running pretty much the same setup (except no SELinux). I only
> see one of these processes, started when MailScanner starts. So they
> shouldn't be getting killed, but you shouldn't have more than the first
> one.
>
> The Mailscanner startup script is supposed to start the sendmail processes
> itself. (I.e., not through the normal /etc/init.d/sendmail script.)
> So one thing to look at:
>
> # chkconfig --list sendmail
>
> Should be:
>
> sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off
>
> Just guessing.
>
>

Indeed

chkconfig --list sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off
# chkconfig --list MailScanner
MailScanner 0:off 1:off 2:on 3:on 4:on 5:on 6:off
#

What puzzles me is what starts a new process every day. Nothing in cron
that I can see.

Ken

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mark at msapiro.net Sun Nov 10 07:55:00 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 09 Nov 2013 23:55:00 -0800
Subject: New process for every day the machine has been running
In-Reply-To: <527EBD6D.8060000@kensnet.org>
References: <527D7D45.5070807@kensnet.org> <20131109094702.GA12949@cisunix.unh.edu> <527EBD6D.8060000@kensnet.org>
Message-ID: <527F3BD4.6070703@msapiro.net>

On 11/09/2013 02:55 PM, Ken Smith wrote:
>
> What puzzles me is what starts a new process every day. Nothing in cron
> that I can see.

Have you looked in /var/log/cron for what runs at the time these start
or for crond pids just a small bit less than those of the new processes?

-- 
Mark Sapiro                              The highway is for gamblers,
San Francisco Bay Area, California       better use your sense - B. Dylan

From kens at kensnet.org Sun Nov 10 17:28:48 2013
From: kens at kensnet.org (Ken Smith)
Date: Sun, 10 Nov 2013 17:28:48 +0000
Subject: New process for every day the machine has been running
In-Reply-To: <527F3BD4.6070703@msapiro.net>
References: <527D7D45.5070807@kensnet.org> <20131109094702.GA12949@cisunix.unh.edu> <527EBD6D.8060000@kensnet.org> <527F3BD4.6070703@msapiro.net>
Message-ID: <527FC250.3000805@kensnet.org>

Mark Sapiro wrote:
> On 11/09/2013 02:55 PM, Ken Smith wrote:
>
>> {snip}.
>>
>
> Have you looked in /var/log/cron for what runs at the time these start
> or for crond pids just a small bit less than those of the new processes?
>
>

I'm on the trail now.
I backup the Cyrus files in a daily cron that stops MailScanner first then shuts Cyrus down, does the backup and starts them up again. The command "service MailScanner stop" does not stop the incoming sendmail processes completely. I'm looking through the script in init.d Thanks Ken -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ci at holmco.de Mon Nov 11 09:01:23 2013 From: ci at holmco.de (ci at holmco.de) Date: Mon, 11 Nov 2013 10:01:23 +0100 Subject: Mailscanner / Sophos does not block viruses In-Reply-To: <527D0C17.3010909@msapiro.net> References: <20131107133850.GB3458@edv6.holmco.de> <527C45BF.4040306@msapiro.net> <20131108064421.GA14586@edv6.holmco.de> <527D0C17.3010909@msapiro.net> Message-ID: <20131111090123.GA4818@edv6.holmco.de> On Fri, Nov 08, 2013 at 08:06:47AM -0800 you wrote: > Current version is 4.84.6. 4.79.11 is almost 4 years old. There's > nothing specific about this issue at > , but upgrading may help. It's the latest stabile version for Debian (as linked from mailscanner.info). Debian is the distribution we use for our mail server. I hope that critical updates have been backported to the Debian package. 
Here are a few log entries of my eicar test mail: mail.log: Nov 11 09:49:02 mail MailScanner[27197]: New Batch: Scanning 1 messages, 1281 bytes Nov 11 09:49:02 mail MailScanner[27197]: Virus and Content Scanning: Starting Nov 11 09:49:09 mail MailScanner[27197]: Delivery of nonspam: message 1VfnB6-00076E-DC from ci at holmco.de to ci at holmco.de with subject eicar Nov 11 09:49:09 mail MailScanner[27197]: Uninfected: Delivered 1 messages Nov 11 09:49:09 mail MailScanner[27197]: Deleted 1 messages from processing-database exim mainlog: 2013-11-11 09:49:00 1VfnB6-00076E-DC <= ci at holmco.de H=(xxx.domain.tld) [IP] P=esmtp S=907 id=20131111084900.GB19422 at xxx.domain.tld T="eicar" from for ci at holmco.de 2013-11-11 09:49:10 1VfnB6-00076E-DC => ci F= R=procmail T=procmail_pipe S=1351 QT=10s DT=1s 2013-11-11 09:49:10 1VfnB6-00076E-DC Completed QT=10s Sophos mails the administrator that it has detected a virus: ------------------------------------------------------------------------ A threat was detected during an on-demand scan. Details follow: 3 files scanned. Number of infections detected: 1 Number of infected files detected: 1 /var/spool/MailScanner/incoming/27197/1VfnB6-00076E-DC/neicar.txt is infected with EICAR-AV-Test. ------------------------------------------------------------------------ But mailscanner delivers the mail stating it's "uninfected". What is going wrong? Greetings, -- R. 
Cirksena From Antony.Stone at mailscanner.open.source.it Mon Nov 11 09:54:08 2013 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Mon, 11 Nov 2013 10:54:08 +0100 Subject: Mailscanner / Sophos does not block viruses In-Reply-To: <20131111090123.GA4818@edv6.holmco.de> References: <20131107133850.GB3458@edv6.holmco.de> <527D0C17.3010909@msapiro.net> <20131111090123.GA4818@edv6.holmco.de> Message-ID: <201311111054.08832.Antony.Stone@mailscanner.open.source.it> On Monday 11 November 2013 at 10:01:23, ci at holmco.de wrote: > On Fri, Nov 08, 2013 at 08:06:47AM -0800 you wrote: > > Current version is 4.84.6. 4.79.11 is almost 4 years old. There's > > nothing specific about this issue at > > , but upgrading may help. > > It's the latest stable version for Debian (as linked from > mailscanner.info). Debian is the distribution we use for our mail > server. I hope that critical updates have been backported to the > Debian package. According to http://packages.debian.org/search?keywords=mailscanner there is no mailscanner package for the current Debian stable release (wheezy). Version 4.79.11 is for Oldstable (squeeze), and is therefore not only an old version of Mailscanner, but also for an old version of Debian. The Debian package maintainer appears to be simon.walter at hp-factory.de - you might want to ask him about plans for a release for Debian stable, and/or whether critical updates get backported. Regards, Antony. -- There's no such thing as bad weather - only the wrong clothes. - Billy Connolly Please reply to the list; please don't CC me. 
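
The mismatch in the log excerpts quoted above (the Sophos notice names a file under the message's incoming directory as infected, while mail.log records the same message ID as delivered and never logs an "Infected message" line) can be checked for mechanically. The sketch below is an added example, not part of any list message and not MailScanner code; the log and notice samples are constructed from the formats quoted in the thread, and all function names are hypothetical.

```python
import re

# Constructed samples, modelled on the mail.log lines and the Sophos notice
# quoted in the thread (addresses, the IP and the second notice are made up).
MAIL_LOG = """\
Nov 11 09:49:02 mail MailScanner[27197]: New Batch: Scanning 1 messages, 1281 bytes
Nov 11 09:49:02 mail MailScanner[27197]: Virus and Content Scanning: Starting
Nov 11 09:49:09 mail MailScanner[27197]: Delivery of nonspam: message 1VfnB6-00076E-DC from ci@example.org to ci@example.org with subject eicar
Nov 11 09:49:09 mail MailScanner[27197]: Uninfected: Delivered 1 messages
Nov 14 09:50:54 mail MailScanner[22725]: Infected message 1Vgsd5-0006tl-Ja came from 192.0.2.10
Nov 14 09:50:55 mail MailScanner[22725]: Delivery of nonspam: message 1Vgsd5-0006tl-Ja from ci@example.org to ci@example.org with subject eicar
Nov 14 09:50:55 mail MailScanner[22725]: Cleaned: Delivered 1 cleaned messages
"""

SCANNER_NOTICES = """\
/var/spool/MailScanner/incoming/27197/1VfnB6-00076E-DC/neicar.txt is infected with EICAR-AV-Test.
/var/spool/MailScanner/incoming/22725/1Vgsd5-0006tl-Ja/neicar.txt is infected with EICAR-AV-Test.
"""

# The scanner reports a path of the form .../incoming/<pid>/<msgid>/<file>,
# so the message ID can be recovered from the directory name.
NOTICE_RE = re.compile(
    r"/incoming/\d+/(?P<msgid>[^/\s]+)/(?P<file>\S+) is infected with (?P<threat>\S+?)\.?$"
)
INFECTED_RE = re.compile(r"MailScanner\[\d+\]: Infected message (?P<msgid>\S+) came from")
# Only the "nonspam" delivery line appears in the thread; \w+ is an assumption
# that other delivery classes are logged in the same shape.
DELIVERY_RE = re.compile(r"MailScanner\[\d+\]: Delivery of \w+: message (?P<msgid>\S+) from")


def parse_scanner_notices(text):
    """Map message ID -> sorted threat names reported by the scanner itself."""
    found = {}
    for line in text.splitlines():
        m = NOTICE_RE.search(line.strip())
        if m:
            found.setdefault(m["msgid"], set()).add(m["threat"])
    return {msgid: sorted(threats) for msgid, threats in found.items()}


def parse_mailscanner_log(text):
    """Return (IDs MailScanner logged as infected, IDs it logged as delivered)."""
    acknowledged, delivered = set(), set()
    for line in text.splitlines():
        m = INFECTED_RE.search(line)
        if m:
            acknowledged.add(m["msgid"])
            continue
        m = DELIVERY_RE.search(line)
        if m:
            delivered.add(m["msgid"])
    return acknowledged, delivered


def missed_detections(mail_log, notices):
    """Messages the scanner flagged that MailScanner never recorded as infected."""
    flagged = parse_scanner_notices(notices)
    acknowledged, delivered = parse_mailscanner_log(mail_log)
    return [
        {"msgid": msgid, "threats": threats, "delivered": msgid in delivered}
        for msgid, threats in sorted(flagged.items())
        if msgid not in acknowledged
    ]


if __name__ == "__main__":
    for hit in missed_detections(MAIL_LOG, SCANNER_NOTICES):
        state = "DELIVERED" if hit["delivered"] else "not yet delivered"
        print(f"{hit['msgid']}: scanner reported {', '.join(hit['threats'])}, "
              f"MailScanner logged no infection ({state})")
```

Run against a known test message such as EICAR, an empty result is the expected outcome; any entry with "delivered" set means the scanner's verdict did not reach MailScanner and the message went out as clean.
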
From mark at msapiro.net Mon Nov 11 18:04:19 2013 From: mark at msapiro.net (Mark Sapiro) Date: Mon, 11 Nov 2013 10:04:19 -0800 Subject: Mailscanner / Sophos does not block viruses In-Reply-To: <20131108064421.GA14586@edv6.holmco.de> References: <20131108064421.GA14586@edv6.holmco.de> Message-ID: <52811C23.3060108@msapiro.net> ci at holmco.de wrote: > On Thu, Nov 07, 2013 at 06:00:31PM -0800 you wrote: > >> What does 'MailScanner --lint' report? ... > MailScanner.conf says "Virus Scanners = sophos" > Found these virus scanners installed: clamav, sophos > =========================================================================== > Filename Checks: Windows/DOS Executable (1 eicar.com) > Other Checks: Found 1 problems > Virus and Content Scanning: Starting > =========================================================================== > > If any of your virus scanners (clamav,sophos) > are not listed there, you should check that they are installed > correctly > and that MailScanner is finding them correctly via its > virus.scanners.conf. > ------------------------------------------------------------------------ > > Looks good so far (?). Actually not. The above should look like (with sophos instead of Clamd) =========================================================================== Filename Checks: Windows/DOS Executable (1 eicar.com) Other Checks: Found 1 problems Virus and Content Scanning: Starting Clamd::INFECTED::Eicar-Test-Signature :: ./1/ Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com Virus Scanning: Clamd found 2 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 2 viruses =========================================================================== Virus Scanner test reports: Clamd said "eicar.com was infected: Eicar-Test-Signature" If any of your virus scanners ... 
It seems from your other posts that sophos is being properly invoked and detects the infection as it mails the admin about it, but the detection is not being picked up by MailScanner. What do you have in the "Options specific to Sophos Anti-Virus" section of MailScanner.conf? In particular, Allowed Sophos Error Messages = -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From dgottsc at emory.edu Mon Nov 11 19:07:22 2013 From: dgottsc at emory.edu (Gottschalk, David) Date: Mon, 11 Nov 2013 19:07:22 +0000 Subject: bad phishing sites/Scamnailer updates missing? In-Reply-To: <527D72E3.2000103@msapiro.net> References: <525D8AED.1080106@msapiro.net> <201310200127310569.396A2BB0@web.ace.net.au> <527D72E3.2000103@msapiro.net> Message-ID: Thanks Mark. I tried to update to the latest version via the website before I posted this, but now I understand why it didn't fix the problem! David Gottschalk Emory University UTS Messaging Team 404.727.9744 -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro Sent: Friday, November 08, 2013 6:25 PM To: mailscanner at lists.mailscanner.info Subject: Re: bad phishing sites/Scamnailer updates missing? On 11/08/2013 01:33 PM, Gottschalk, David wrote: > Unable to retrieve http://www.mailscanner.tv/emails..2013-445 :404 Not > Found ... > Can someone help me figure this out? It seems mailscanner.tv doesn't host this file anymore, but the script doesn't have anywhere else to look. The current ScamNailer version is 2.10. Apparently the web site at got rolled back at some point and shows 2.09, but this is out of date. 
Line 140 in version 2.10 is my $urlbase = "http://cdn.mailscanner.info/emails."; This also works my $urlbase = "http://www.mailscanner.eu/emails."; The only change from 2.09 to 2.10 is the replacement of www.mailscanner.tv with cdn.mailscanner.info, but 2.10 was released over a year and a half ago. with this change. The web site needs to be fixed. Also, I just checked and appears to have been rolled back too. These need to be fixed. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ci at holmco.de Tue Nov 12 07:33:22 2013 From: ci at holmco.de (ci at holmco.de) Date: Tue, 12 Nov 2013 08:33:22 +0100 Subject: Mailscanner / Sophos does not block viruses In-Reply-To: <52811C23.3060108@msapiro.net> References: <20131108064421.GA14586@edv6.holmco.de> <52811C23.3060108@msapiro.net> Message-ID: <20131112073322.GA5340@edv6.holmco.de> On Mon, Nov 11, 2013 at 10:04:19AM -0800 you wrote: > [output of MailScanner --lint] > > Actually not. The above should look like (with sophos instead of Clamd) > > =========================================================================== > Filename Checks: Windows/DOS Executable (1 eicar.com) > Other Checks: Found 1 problems > Virus and Content Scanning: Starting > Clamd::INFECTED::Eicar-Test-Signature :: ./1/ > Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com > Virus Scanning: Clamd found 2 infections > Infected message 1 came from 10.1.1.1 > Virus Scanning: Found 2 viruses > =========================================================================== > Virus Scanner test reports: > Clamd said "eicar.com was infected: Eicar-Test-Signature" > > If any of your virus scanners ... 
> > It seems from your other posts that sophos is being properly invoked and > detects the infection as it mails the admin about it, but the detection > is not being picked up by MailScanner. > > What do you have in the "Options specific to Sophos Anti-Virus" section > of MailScanner.conf? In particular, > > Allowed Sophos Error Messages = It is: Allowed Sophos Error Messages = (no value) Greetings, -- R. Cirksena From jyoung71 at gmail.com Wed Nov 13 23:35:33 2013 From: jyoung71 at gmail.com (Jason Young) Date: Thu, 14 Nov 2013 09:35:33 +1000 Subject: Issue with MailScanner not blocking incoming attachments that SHOULD be denied. Message-ID: <021501cee0c9$0e652100$2b2f6300$@gmail.com> Hi Everyone, I am wondering if anyone would have any ideas as to why my mailscanners (I have 4 in total) would not block / quarantine attachments like .exe etc. I have been through all the configs and log files but I can't find anything that points to a problem in my setup. I am running Mailscanner on Centos 6. MailScanner is version 4.84.6 and ClamAV is the Anti-Virus installed. Once the MailScanner works its magic on the incoming emails they are then relayed internally to an Exchange Server. I have not really changed much in the standard MailScanner.conf file. I have verified : Filename Rules = %etc-dir%/filename.rules.conf Filetype Rules = %etc-dir%/filetype.rules.conf And the 2 "default" Rules files exist and are standard out of the box. They contain : # These 2 added by popular demand - Very often used by viruses deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email My testing has so far been to use an external mail server to send an attached windows executable file (.exe) to an internal exchange account. I have tried both using an outlook external client and also a native Linux based web client with the same result (i.e. 
the exe file is delivered to the exchange account). The maillog contains the follow entries when I send the test email in: Nov 14 09:14:04 mailscanner postfix/smtpd[27736]: connect from unknown[XXX.XXX.XXX.XXX] Nov 14 09:14:05 mailscanner postfix/smtpd[27736]: B32DF300F7A: client=unknown[XXX.XXX.XXX.XXX] Nov 14 09:14:06 mailscanner postfix/cleanup[27980]: B32DF300F7A: hold: header Received: from XXXXX.XXX (unknown [XXX.XXX.XXX.XXX])??by mailscanner.XXXXX.XXX (Postfix) with SMTP id B32DF300F7A??for ; Thu, 14 Nov 2013 09:14:05 +100 from unknown[XXX.XXX.XXX.XXX]; from= to= proto=SMTP helo= Nov 14 09:14:06 mailscanner postfix/cleanup[27980]: B32DF300F7A: message-id=<70df8fbcea6253ccee9a2a40329f09ce.squirrel at webmail.XXXXX.XXX> Nov 14 09:14:08 mailscanner postfix/smtpd[27736]: disconnect from unknown[XXX.XXX.XXX.XXX] Nov 14 09:14:09 mailscanner MailScanner[27843]: New Batch: Found 1 messages waiting Nov 14 09:14:09 mailscanner MailScanner[27843]: New Batch: Scanning 1 messages, 151691 bytes Nov 14 09:14:09 mailscanner MailScanner[27843]: Virus and Content Scanning: Starting Nov 14 09:14:10 mailscanner MailScanner[27843]: Requeue: B32DF300F7A.AE0C2 to CCE03300F7F Nov 14 09:14:10 mailscanner MailScanner[27843]: Uninfected: Delivered 1 messages Nov 14 09:14:10 mailscanner postfix/qmgr[16933]: CCE03300F7F: from=, size=151040, nrcpt=1 (queue active) Nov 14 09:14:10 mailscanner MailScanner[27843]: Deleted 1 messages from processing-database Nov 14 09:14:10 mailscanner MailScanner[27843]: Logging message B32DF300F7A.AE0C2 to SQL Nov 14 09:14:10 mailscanner MailScanner[20512]: B32DF300F7A.AE0C2: Logged to MailWatch SQL Nov 14 09:14:11 mailscanner postfix/smtp[27944]: CCE03300F7F: to=, relay=10.10.10.12[10.10.10.12]:25, delay=5.9, delays=5.1/0/0/0.78, dsn=2.6.0, status=sent (250 2.6.0 <70df8fbcea6253ccee9a2a40329f09ce.squirrel at webmail.XXXXX.XXX> [InternalId=20096151978059] Queued mail for delivery) Nov 14 09:14:11 mailscanner postfix/qmgr[16933]: CCE03300F7F: removed And 
the email that arrives has the following header (extract): Content-Type: multipart/mixed; boundary="----=_20131114101356_40730" X-Priority: 3 (Normal) Importance: Normal X-SXXXXXXXX-MailScanner-Information: Please contact the ISP for more information X-SXXXXXXXX-MailScanner-ID: D5DB6FF800A.AF88E X-SXXXXXXXX-MailScanner: Found to be clean X-SXXXXXXXX-MailScanner-From: jason at XXXXX.XXX X-Spam-Status: No, No X-RXXXXXXXX -MailScanner-Information: Please contact the ISP for more information X-RXXXXXXXX -MailScanner-ID: B32DF300F7A.AE0C2 X-RXXXXXXXX -MailScanner: Found to be clean X-RXXXXXXXX -MailScanner-From: jason at XXXXX.XXX Running MailScanner -lint gives the following output : [root at mailscanner ~]# MailScanner --lint Trying to setlogsock(unix) Reading configuration file /etc/MailScanner/MailScanner.conf Reading configuration file /etc/MailScanner/conf.d/README Read 872 hostnames from the phishing whitelist Read 6957 hostnames from the phishing blacklists Config: calling custom init function MailWatchLogging Started SQL Logging child Checking version numbers... Version number in MailScanner.conf (4.84.6) is correct. Your envelope_sender_header in spam.assassin.prefs.conf is correct. MailScanner setting GID to (48) MailScanner setting UID to (89) Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. 
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 4 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging

Does anyone have any ideas or suggestions as to why the attached files inbound are not being blocked? I am of course making the assumption that .exe file should by default be blocked :)

Regards

Jason Young

From mark at msapiro.net Thu Nov 14 00:24:51 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 13 Nov 2013 16:24:51 -0800
Subject: Issue with MailScanner not blocking incoming attachments that SHOULD be denied.
In-Reply-To: <021501cee0c9$0e652100$2b2f6300$@gmail.com>
References: <021501cee0c9$0e652100$2b2f6300$@gmail.com>
Message-ID: <52841853.6010003@msapiro.net>

On 11/13/2013 03:35 PM, Jason Young wrote:
>
> My testing has so far been to use an external mail server to send an
> attached windows executable file (.exe) to an internal exchange
> account. I have tried both using an outlook external client and also a
> native Linux based web client with the same result (i.e. the exe file is
> delivered to the exchange account).

Is the file actually a DOS executable file, i.e., what does the CentOS 'file' command say it is?

> And the email that arrives has the following header (extract):
>
>
>
> Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"

And what are the part headers for the attached file? I.e. does it have a name and does the name end in .exe?

> Running MailScanner -lint gives the following output :
...
> ===========================================================================
>
> Filename Checks: Windows/DOS Executable (1 eicar.com)

Here MailScanner recognizes a .com. Have you tried a .com in your testing?

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From jyoung71 at gmail.com Thu Nov 14 01:24:50 2013
From: jyoung71 at gmail.com (Jason Young)
Date: Thu, 14 Nov 2013 11:24:50 +1000
Subject: Issue with MailScanner not blocking incoming attachments that SHOULD be denied.
In-Reply-To: <52841853.6010003@msapiro.net>
References: <021501cee0c9$0e652100$2b2f6300$@gmail.com> <52841853.6010003@msapiro.net>
Message-ID: <003601cee0d8$527db190$f77914b0$@gmail.com>

Hi Mark,

The file is a windows executable ... I have tried a .exe and now also a .com file with the same result (mail is not blocked / quarantined).
I put the test files onto the centos box and ran the "file" & "file -i" command over them [root at mailscanner ~]# file test.exe test.exe: PE32+ executable for MS Windows (console) Mono/.Net assembly [root at mailscanner ~]# file test.com test.com: PE32 executable for MS Windows (console) Intel 80386 32-bit [root at mailscanner ~]# file -i test.com test.com: application/octet-stream; charset=binary [root at mailscanner ~]# file -i test.exe test.exe: application/octet-stream; charset=binary I had read on a forum somewhere that someone recommended changing the MailScanner.conf file command to file -i .. But it does not seem to make any difference. There does not seem to be anything in the headers about a .exe or anything about attachments. But outlook knows there is a .exe or .com attachment and it blocks it with itself. Regards Jason Young -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro Sent: Thursday, 14 November 2013 10:25 AM To: mailscanner at lists.mailscanner.info Subject: Re: Issue with MailScanner not blocking incoming attachments that SHOULD be denied. On 11/13/2013 03:35 PM, Jason Young wrote: > > My testing has so far been to use an external mail server to send an > attached windows executable file (.exe) to an internal exchange > account. I have tried both using an outlook external client and also > a native Linux based web client with the same result (i.e. the exe > file is delivered to the exchange account). Is the file actually a DOS executable file, i.e., what does the CentOS 'file' command say it is? > And the email that arrives has the following header (extract): > > > > Content-Type: multipart/mixed; boundary="----=_20131114101356_40730" And what are the part headers for the attached file? I.e. does it have a name and does the name end in .exe? > Running MailScanner -lint gives the following output : ... 
> ======================================================================
> =====
>
> Filename Checks: Windows/DOS Executable (1 eicar.com)

Here MailScanner recognizes a .com. Have you tried a .com in your testing?

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Thu Nov 14 06:52:03 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 13 Nov 2013 22:52:03 -0800
Subject: Issue with MailScanner not blocking incoming attachments that SHOULD be denied.
In-Reply-To: <003601cee0d8$527db190$f77914b0$@gmail.com>
References: <021501cee0c9$0e652100$2b2f6300$@gmail.com> <52841853.6010003@msapiro.net> <003601cee0d8$527db190$f77914b0$@gmail.com>
Message-ID: <52847313.9020906@msapiro.net>

On 11/13/2013 05:24 PM, Jason Young wrote:
>
> The file is a windows executable ... I have tried a .exe and now also a .com
> file with the same result (mail is not blocked / quarantined).
>
> I put the test files onto the centos box and ran the "file" & "file -i"
> command over them
>
> [root at mailscanner ~]# file test.exe
> test.exe: PE32+ executable for MS Windows (console) Mono/.Net assembly
> [root at mailscanner ~]# file test.com
> test.com: PE32 executable for MS Windows (console) Intel 80386 32-bit
> [root at mailscanner ~]# file -i test.com
> test.com: application/octet-stream; charset=binary
> [root at mailscanner ~]# file -i test.exe
> test.exe: application/octet-stream; charset=binary
>
> I had read on a forum somewhere that someone recommended changing the
> MailScanner.conf file command to file -i ..
But it does not seem to make any
> difference.

It makes a difference in what is reported. I.e., file reports the files as executable which matches 'deny executable' in filetype.rules.conf, but file -i reports them as application/octet-stream which is not mentioned in filetype.rules.conf and thus allowed.

man file says in part

-i, --mime
    Causes the file command to output mime type strings rather than the more traditional human readable ones. Thus it may say "text/plain; charset=us-ascii" rather than "ASCII text".

> There does not seem to be anything in the headers about a .exe or anything
> about attachments. But outlook knows there is a .exe or .com attachment and
> it blocks it with itself.

The original headers you posted contained

>> Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"

If you examine the raw message body of that message, you should see things like

------=_20131114101356_40730
Content-Type: text/plain; charset="..."

(message 'body')
------=_20131114101356_40730
Content-Type: application/octet-stream; name="xxx.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="xxx.exe"

(base 64 encoded data)
------=_20131114101356_40730--

What do those Content-Type: and Content-Disposition: headers look like for your attached file? (Sorry, I can't tell you how to view the raw message in Outlook.)

If they do have the expected .exe or .com extension, then I don't know what the problem might be.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From bonivart at opencsw.org Thu Nov 14 08:12:57 2013
From: bonivart at opencsw.org (Peter Bonivart)
Date: Thu, 14 Nov 2013 09:12:57 +0100
Subject: Issue with MailScanner not blocking incoming attachments that SHOULD be denied.
In-Reply-To: <003601cee0d8$527db190$f77914b0$@gmail.com> References: <021501cee0c9$0e652100$2b2f6300$@gmail.com> <52841853.6010003@msapiro.net> <003601cee0d8$527db190$f77914b0$@gmail.com> Message-ID: On Thu, Nov 14, 2013 at 2:24 AM, Jason Young wrote: > There does not seem to be anything in the headers about a .exe or anything > about attachments. But outlook knows there is a .exe or .com attachment and > it blocks it with itself. Set this in MailScanner.conf: Log Permitted Filenames = yes Log Permitted Filetypes = yes Also add archiving of the addresses you're sending to, then you can check how the mail came in like Mark suggests. From ci at holmco.de Thu Nov 14 09:08:09 2013 From: ci at holmco.de (ci at holmco.de) Date: Thu, 14 Nov 2013 10:08:09 +0100 Subject: Mailscanner / Sophos does not block viruses In-Reply-To: <52811C23.3060108@msapiro.net> References: <20131108064421.GA14586@edv6.holmco.de> <52811C23.3060108@msapiro.net> Message-ID: <20131114090809.GA13595@edv6.holmco.de> On Mon, Nov 11, 2013 at 10:04:19AM -0800 you wrote: > Actually not. The above should look like (with sophos instead of Clamd) > > =========================================================================== > Filename Checks: Windows/DOS Executable (1 eicar.com) > Other Checks: Found 1 problems > Virus and Content Scanning: Starting > Clamd::INFECTED::Eicar-Test-Signature :: ./1/ > Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com > Virus Scanning: Clamd found 2 infections > Infected message 1 came from 10.1.1.1 > Virus Scanning: Found 2 viruses > =========================================================================== > Virus Scanner test reports: > Clamd said "eicar.com was infected: Eicar-Test-Signature" > > If any of your virus scanners ... > > It seems from your other posts that sophos is being properly invoked and > detects the infection as it mails the admin about it, but the detection > is not being picked up by MailScanner. 
> > What do you have in the "Options specific to Sophos Anti-Virus" section > of MailScanner.conf? In particular, > > Allowed Sophos Error Messages = I installed and activated clamav to see if it is an issue with Mailscanner itself or with calling the virus scanner. In short: clamav works, the attachment (eicar) has been removed from the "infected" mail: Part of MailScanner --lint: =========================================================================== Filename Checks: Windows/DOS Executable (1 eicar.com) Other Checks: Found 1 problems Virus and Content Scanning: Starting ./1/eicar.com: Eicar-Test-Signature FOUND Virus Scanning: ClamAV found 1 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 1 viruses =========================================================================== mail.log: ------------------------------------------------------------------------ Nov 14 09:50:40 mail MailScanner[22738]: Virus and Content Scanning: Starting Nov 14 09:50:54 mail MailScanner[22725]: ./1Vgsd5-0006tl-Ja/eicar.txt: Eicar-Test-Signature FOUND Nov 14 09:50:54 mail MailScanner[22725]: Virus Scanning: ClamAV found 1 infections Nov 14 09:50:54 mail MailScanner[22725]: Infected message 1Vgsd5-0006tl-Ja came from xxx.xxx.xxx.xxx Nov 14 09:50:54 mail MailScanner[22725]: Virus Scanning: Found 1 viruses Nov 14 09:50:54 mail MailScanner[22725]: Saved entire message to /var/spool/MailScanner/quarantine/20131114/1Vgsd5-0006tl-Ja Nov 14 09:50:55 mail MailScanner[22725]: Saved infected "eicar.txt" to /var/spool/MailScanner/quarantine/20131114/1Vgsd5-0006tl-Ja Nov 14 09:50:55 mail MailScanner[22725]: Delivery of nonspam: message 1Vgsd5-0006tl-Ja from ci at holmco.de to ci at holmco.de with subject eicar Nov 14 09:50:55 mail MailScanner[22725]: Cleaned: Delivered 1 cleaned messages Nov 14 09:50:55 mail MailScanner[22725]: Notices: Warned about 1 messages Nov 14 09:50:55 mail MailScanner[22725]: Deleted 1 messages from processing-database 
------------------------------------------------------------------------ I hope its o.k. that just clamav scans the mail? Is it correct that, as clamav did remove the attachment, sophos does not see the infection? What can I do to get Mailscanner working with sophos? Greetings, -- R. Cirksena From mark at msapiro.net Fri Nov 15 01:47:04 2013 From: mark at msapiro.net (Mark Sapiro) Date: Thu, 14 Nov 2013 17:47:04 -0800 Subject: Mailscanner / Sophos does not block viruses In-Reply-To: <20131114090809.GA13595@edv6.holmco.de> References: <20131108064421.GA14586@edv6.holmco.de> <52811C23.3060108@msapiro.net> <20131114090809.GA13595@edv6.holmco.de> Message-ID: <52857D18.5080709@msapiro.net> On 11/14/2013 01:08 AM, ci at holmco.de wrote: > > I hope its o.k. that just clamav scans the mail? Is it correct that, > as clamav did remove the attachment, sophos does not see the > infection? Based on what you've previously posted, MailScanner invoked sophos and sophos saw the infection. We know this because sophos emailed the admin about the infection. The problem is MailScanner is not getting or recognizing the report from sophos. > What can I do to get Mailscanner working with sophos? MailScanner looks for various specific patterns on the output from sophos. See sub ProcessSophosOutput at about line 1764 in /usr/lib/MailScanner/MailScanner/SweepViruses.pm What version of sophos do you have? What output do you get if you manually run sophos on an infected file? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan

From ci at holmco.de Fri Nov 15 07:44:54 2013
From: ci at holmco.de (ci at holmco.de)
Date: Fri, 15 Nov 2013 08:44:54 +0100
Subject: Mailscanner / Sophos does not block viruses
In-Reply-To: <52857D18.5080709@msapiro.net>
References: <20131108064421.GA14586@edv6.holmco.de> <52811C23.3060108@msapiro.net> <20131114090809.GA13595@edv6.holmco.de> <52857D18.5080709@msapiro.net>
Message-ID: <20131115074454.GA663@edv6.holmco.de>

On Thu, Nov 14, 2013 at 05:47:04PM -0800 you wrote:
> Based on what you've previously posted, MailScanner invoked sophos and
> sophos saw the infection. We know this because sophos emailed the admin
> about the infection.
>
> The problem is MailScanner is not getting or recognizing the report from
> sophos.

Yes.

> MailScanner looks for various specific patterns on the output from
> sophos. See sub ProcessSophosOutput at about line 1764 in
> /usr/lib/MailScanner/MailScanner/SweepViruses.pm

That is part of the solution. Someone (not me!) set locale to German. I corrected that now.
To be sure I added "export LC_ALL=en_GB" at the beginning of /etc/MailScanner/wrapper/sophos-wrapper.

> What version of sophos do you have?

Product version : 4.94.0
Engine version : 3.48.0
Virus data version : 4.95
User interface version : 2.03.048
Platform : Linux/Intel
Released : 13 November 2013
Total viruses (with IDEs) : 5980697

> What output do you get if you manually run sophos on an infected file?

from "savscan eicar.txt":

(...long list of .ide...)
Verwende IDE Datei age-aess.ide
Verwende IDE Datei age-aest.ide
Verwende IDE Datei vb-gwy.ide

Normale Überprüfung

>>> Virus 'EICAR-AV-Test' gefunden in Datei /usr/local/src/eicar.txt

1 Datei überprüft in 6 Sekunden.
1 Virus wurde gefunden.
1 Datei von 1 war infiziert.
Wenn Sie weitere Unterstützung zu Erkennungen benötigen, rufen Sie bitte unser Threat Center unter http://www.sophos.com/de-de/threat-center.aspx auf.
Ende von Scan.

After changing locale (see above) it is:

(...long list of .ide...)
Using IDE file age-aesq.ide Using IDE file age-aess.ide Using IDE file age-aest.ide Using IDE file vb-gwy.ide Quick Scanning >>> Virus 'EICAR-AV-Test' found in file eicar.txt 1 file scanned in 6 seconds. 1 virus was discovered. 1 file out of 1 was infected. If you need further advice regarding any detections please visit our Threat Center at: http://www.sophos.com/en-us/threat-center.aspx End of Scan. Seems that the problem is solved. Thank you and greetings from Berlin to San Francisco. -- R. Cirksena From ci at holmco.de Fri Nov 15 09:16:35 2013 From: ci at holmco.de (ci at holmco.de) Date: Fri, 15 Nov 2013 10:16:35 +0100 Subject: Mailscanner / Sophos does not block viruses In-Reply-To: <20131115074454.GA663@edv6.holmco.de> References: <20131108064421.GA14586@edv6.holmco.de> <52811C23.3060108@msapiro.net> <20131114090809.GA13595@edv6.holmco.de> <52857D18.5080709@msapiro.net> <20131115074454.GA663@edv6.holmco.de> Message-ID: <20131115091635.GB15178@edv6.holmco.de> On Fri, Nov 15, 2013 at 08:44:54AM +0100 I wrote: > That is part of the solution. Someone (not me!) set locale to German. > I corrected that now. > To be sure I added "export LC_ALL=en_GB" at the beginning of > /etc/MailScanner/wrapper/sophos-wrapper. It seems to be necessary to nail locale to en_GB in the wrapper script. Greetings, -- R. Cirksena From ram at netcore.co.in Wed Nov 27 09:49:02 2013 From: ram at netcore.co.in (Ram) Date: Wed, 27 Nov 2013 15:19:02 +0530 Subject: OT: What antivirus to use Message-ID: <5295C00E.20909@netcore.co.in> I am looking for a server license for my outbound email server , running MailScanner Most commercial antivirus vendors have a per user license. I dont have fixed number of users .. this is just a outbound relay server I already use clam , but I need to use one more AV to prevent zero hour attacks What do most people use ? 
Thanks Ram From steveb_clamav at sanesecurity.com Wed Nov 27 10:57:24 2013 From: steveb_clamav at sanesecurity.com (Steve Basford) Date: Wed, 27 Nov 2013 10:57:24 -0000 Subject: OT: What antivirus to use In-Reply-To: <5295C00E.20909@netcore.co.in> References: <5295C00E.20909@netcore.co.in> Message-ID: <5f82977c86758f6a7e5c3c2bd9dfbeaf.squirrel@sirius.servers.eqx.misp.co.uk> > I already use clam , but I need to use one more AV to prevent zero hour > attacks > Hi Ram, Not sure if you are using Sanesecurity signatures with ClamAV: These will extension block: http://sanesecurity.com/foxhole-databases/ phish.ndb, rogue.hdb from this list will help: http://sanesecurity.com/usage/signatures/ Cheers, Steve Sanesecurity From armando.montiel at gmail.com Wed Nov 27 13:21:53 2013 From: armando.montiel at gmail.com (Armando Montiel) Date: Wed, 27 Nov 2013 07:21:53 -0600 Subject: MailScanner + Postfix + Cyrus-Imapd delays 5 minutes Message-ID: Hi, Any clue about why this combination of software spends 300 seconds (5 minutes) to process and deliver email? This is like my server take a look in my queues and process this in a batch way, not individually. The best time I get in this scenario is when a email is received in the queue 15 or 20 seconds before the last processing cycle of 5 minutes has been performed. Do you need some config files? Where do I need review first? Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131127/470323bc/attachment.html From Amelein at dantumadiel.eu Fri Nov 29 11:57:35 2013 From: Amelein at dantumadiel.eu (Arjan Melein) Date: Fri, 29 Nov 2013 12:57:35 +0100 Subject: DCC and false positives Message-ID: <52988F3F0200008E000268D5@GroupWise.Dantumadiel.eu> I'm getting a few (more then acceptable) false positives where DCC is to blame as the factor for pushing the score over the limit. 
Obviously it's not just DCC that is causing the bad score, I'm also
seeing 50% bayes scores a lot for normal e-mail so I'm thinking our mail
server has been flooded by spam filled with normal words (I forgot the
term for this) at some point. This is something I also need to look at
and possibly run a bit more aggressive expiration for a while. Any
advice on this would be appreciated :-)

Most of the false positives I am seeing have been sent from normal ISP
servers and are not (legit) bulk mail which makes me wonder why they are
listed on DCC. People do seem to be getting the habit of sending blank
e-mails with just an attachment which isn't helping.

Is anyone else seeing this with DCC? I've been thinking of disabling it
for a while.

- Arjan

From armando.montiel at gmail.com Fri Nov 29 12:16:10 2013
From: armando.montiel at gmail.com (Armando Montiel)
Date: Fri, 29 Nov 2013 06:16:10 -0600
Subject: MailScanner is processing queue every 300 seconds.
Message-ID:

Hi,

I am using a mail server solution where MailScanner is used with postfix
+ cyrus-imapd.

Any clue about why this combination of software spends 300 seconds (5
minutes) to process and deliver email?

This is like my server take a look in the queue and process this in a
batch way, not individually.

The best time I get in this scenario is when an email is received in the
queue 15 or 20 seconds before the last processing cycle of 5 minutes has
been performed.

Sometime in the past this didn't happen but I am lost looking for a
possible reason.

Which MailScanner variables could make this effect?

Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131129/5e94d8e7/attachment.html

From maxsec at gmail.com Fri Nov 29 21:27:12 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 29 Nov 2013 21:27:12 +0000
Subject: MailScanner is processing queue every 300 seconds.
In-Reply-To:
References:
Message-ID:

Batch is the clue word there, specifically the setting is
http://www.mailscanner.info/MailScanner.conf.index.html#Delivery%20Method

This is how it should work in batches but a 5 min interval isn't right

I'd check the setting to call the second mta (sendmail2) setting is correct

Martin

On Friday, 29 November 2013, Armando Montiel wrote:

>
> Hi,
>
> I am using a mail server solution where MailScanner is used with postfix +
> cyrus-imapd.
>
> Any clue about why this combination of software spends 300 seconds (5
> minutes) to process and deliver email?
>
> This is like my server take a look in the queue and process this in a
> batch way, not individually.
>
> The best time I get in this scenario is when an email is received in the
> queue 15 or 20 seconds before the last processing cycle of 5 minutes has
> been performed.
>
> Sometime in the past this didn't happen but I am lost looking for a
> possible reason.
>
> Which MailScanner variables could make this effect?
>
> Thank you.
>

--
--
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131129/b9412759/attachment.html

From armando.montiel at gmail.com Sat Nov 30 13:20:29 2013
From: armando.montiel at gmail.com (Armando Montiel)
Date: Sat, 30 Nov 2013 07:20:29 -0600
Subject: SOLVED: Re: MailScanner is processing queue every 300 seconds.
Message-ID:

Hi,

Thank you Martin.

You have pointed me to the right direction, but I would like to share
why I never think in this value before:

My "Delivery Method" was in "queue", so I was mind blocked about not
change this parameter. I was convinced that this value have no
relationship with my "batch" behavior.

Another value that was necessary to change was not in MailScanner but
master.cf in Postfix:

cleanup, flush, pickup and qmgr values was setup to "unix", but the new
delivery method was unable to handle.
I need to change qmgr value to "fifo" in order to get this working.

Now I have delays with less than 20 seconds, which is pretty good, but I
don't know already if this will handle my users the next Monday.

I will investigate which "fifo|unix" values have better performance
under Postfix and a heavy imap usage under Cyrus-imapd.

Thank you again.

On Nov 29, 2013 3:53 PM, "Martin Hepworth" wrote:

> Batch is the clue word there, specifically the setting is
> http://www.mailscanner.info/MailScanner.conf.index.html#Delivery%20Method
>
> This is how it should work in batches but a 5 min interval isn't right
>
> I'd check the setting to call the second mta (sendmail2) setting is correct
>
> Martin
>
> On Friday, 29 November 2013, Armando Montiel wrote:
>
>>
>> Hi,
>>
>> I am using a mail server solution where MailScanner is used with postfix
>> + cyrus-imapd.
>>
>> Any clue about why this combination of software spends 300 seconds (5
>> minutes) to process and deliver email?
>>
>> This is like my server take a look in the queue and process this in a
>> batch way, not individually.
>>
>> The best time I get in this scenario is when an email is received in the
>> queue 15 or 20 seconds before the last processing cycle of 5 minutes has
>> been performed.
>>
>> Sometime in the past this didn't happen but I am lost looking for a
>> possible reason.
>>
>> Which MailScanner variables could make this effect?
>>
>> Thank you.
>>
>
>
> --
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131130/d43a0549/attachment.html

From maxsec at gmail.com Sat Nov 30 15:40:21 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat, 30 Nov 2013 15:40:21 +0000
Subject: SOLVED: Re: MailScanner is processing queue every 300 seconds.
In-Reply-To:
References:
Message-ID:

Might be best to have the scanner part running on a separate machine to
the mail server. Reduces issues with performance queries but also means
internal email (between your own users) doesn't get scanned which keeps
performance up

Also means if the mailscanner bit fails you can still transit internal
email

On Saturday, 30 November 2013, Armando Montiel wrote:

> Hi,
>
> Thank you Martin.
>
> You have pointed me to the right direction, but I would like to share why
> I never think in this value before:
>
> My "Delivery Method" was in "queue", so I was mind blocked about not
> change this parameter. I was convinced that this value have no relationship
> with my "batch" behavior.
> Another value that was necessary to change was not in MailScanner but
> master.cf in Postfix:
>
> cleanup, flush, pickup and qmgr values was setup to "unix", but the new
> delivery method was unable to handle. I need to change qmgr value to "fifo"
> in order to get this working.
>
> Now I have delays with less than 20 seconds, which is pretty good, but I
> don't know already if this will handle my users the next Monday.
>
> I will investigate which "fifo|unix" values have better performance under
> Postfix and a heavy imap usage under Cyrus-imapd.
>
> Thank you again.
> On Nov 29, 2013 3:53 PM, "Martin Hepworth" wrote:
>
>> Batch is the clue word there, specifically the setting is
>> http://www.mailscanner.info/MailScanner.conf.index.html#Delivery%20Method
>>
>> This is how it should work in batches but a 5 min interval isn't right
>>
>> I'd check the setting to call the second mta (sendmail2) setting is
>> correct
>>
>> Martin
>>
>> On Friday, 29 November 2013, Armando Montiel wrote:
>>
>>>
>>> Hi,
>>>
>>> I am using a mail server solution where MailScanner is used with postfix
>>> + cyrus-imapd.
>>>
>>> Any clue about why this combination of software spends 300 seconds (5
>>> minutes) to process and deliver email?
>>>
>>> This is like my server take a look in the queue and process this in a
>>> batch way, not individually.
>>>
>>> The best time I get in this scenario is when an email is received in the
>>> queue 15 or 20 seconds before the last processing cycle of 5 minutes has
>>> been performed.
>>>
>>> Sometime in the past this didn't happen but I am lost looking for a
>>> possible reason.
>>>
>>> Which MailScanner variables could make this effect?
>>>
>>> Thank you.
>>>
>>
>>
>> --
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>

--
--
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131130/7ccc8c2f/attachment.html
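
The fix reported in the "SOLVED" thread above turned on the type column of the qmgr entry in Postfix's master.cf. The following is an added example, not code from the thread or from MailScanner: a check that reads a master.cf and reports the type and wakeup columns for the four services the poster names. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the type and wakeup columns of the master.cf
# services named in the thread. Column order in master.cf is:
#   service type private unpriv chroot wakeup maxproc command
master_cf_types() {
    awk '
        /^[[:space:]]*#/ { next }   # comment
        /^[[:space:]]*$/ { next }   # blank line
        /^[[:space:]]/   { next }   # continuation of the previous entry
        $1 ~ /^(pickup|cleanup|qmgr|flush)$/ && NF >= 8 {
            wake = $6
            sub(/\?$/, "", wake)    # "1000?" = wake up only if in use
            print $1, $2, wake
        }
    ' "$1"
}

# Return 0 only if the qmgr entry has type "fifo" (the value the poster
# reported needing); otherwise say what was found and return 1.
qmgr_is_fifo() {
    found=$(master_cf_types "$1" | awk '$1 == "qmgr" { print $2 }')
    [ "$found" = "fifo" ] && return 0
    echo "$1: qmgr type is '${found:-missing}', expected fifo" >&2
    return 1
}

# Constructed sample master.cf (not from the thread); $2 sets qmgr's type.
write_sample() {
    cat > "$1" <<EOF
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      $2  n       -       n       300     1       qmgr
  -o syslog_name=postfix/qmgr
flush     unix  n       -       n       1000?   0       flush
EOF
}

dir=$(mktemp -d)
write_sample "$dir/before.cf" unix
write_sample "$dir/after.cf" fifo
master_cf_types "$dir/before.cf"
qmgr_is_fifo "$dir/before.cf" || echo "before.cf: review the qmgr entry"
qmgr_is_fifo "$dir/after.cf" && echo "after.cf: qmgr is fifo"
rm -rf "$dir"
```

The wakeup column is in seconds; 300 on the qmgr line is the value in Postfix's stock master.cf.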