From mark at msapiro.net Tue Oct 1 03:48:27 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 30 Sep 2013 19:48:27 -0700
Subject: Updates missing for update_bad_phishing_sites and ScamNailer
Message-ID: <524A37FB.2080905@msapiro.net>

The files and updates at, http://www.mailscanner.eu/emails.* and the
alternate http://cdn.mailscanner.info/emails.* all seem to be missing.

E.g.

http://www.mailscanner.eu/emails..2013-390
http://www.mailscanner.eu/emails..2013-391
http://www.mailscanner.eu/emails..2013-392
http://www.mailscanner.eu/emails.2013-390.1
http://www.mailscanner.eu/emails.2013-391.1
http://www.mailscanner.eu/emails.2013-392.1

and similarly

http://cdn.mailscanner.info/emails..2013-390
et al

all return 404 even though the 391 (and presumably older) files were
there just a few hours ago.

This causes ScamNailer and update_bad_phishing_sites to fail as they
can't retrieve any data.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Tue Oct 1 04:00:37 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 30 Sep 2013 20:00:37 -0700
Subject: MailScanner versions
In-Reply-To: <8C148A1461A6D7468D90F49CCD5BCA6204C0D3D8@cptwexc04.za.mhgad.com>
References: <8C148A1461A6D7468D90F49CCD5BCA6204C0D3D8@cptwexc04.za.mhgad.com>
Message-ID: <524A3AD5.4050509@msapiro.net>

Rabie Van der Merwe wrote:

> Does anyone know why the 'current' version on the MailScanner.info site
> is listed as 4.79 Feb 2010, yet I am running 4.84 on my server?

The current version is 4.84-5. It appears that the www.mailscanner.info
web site has recently been reverted to an old version.

There seem to be other issues as well regarding ScamNailer and
update_bad_phishing_sites data, and possibly Mailman's qrunners aren't
running on lists.mailscanner.info either.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailscanner at barendse.to Tue Oct 1 04:31:34 2013
From: mailscanner at barendse.to (Remco Barendse)
Date: Tue, 1 Oct 2013 05:31:34 +0200 (CEST)
Subject: MailScanner versions
In-Reply-To: <8C148A1461A6D7468D90F49CCD5BCA6204C0D3D8@cptwexc04.za.mhgad.com>
References: <8C148A1461A6D7468D90F49CCD5BCA6204C0D3D8@cptwexc04.za.mhgad.com>
Message-ID:

It looks like somebody restored an ancient backup from the website.

For a split second I was happy to see some change in the version, hoping
it would be newer but unfortunately.....

I thought MailScanner development had almost come to a stop, now it looks
like it has been put in reverse :)))

On Mon, 30 Sep 2013, Rabie Van der Merwe wrote:

> Hi,
>
> Does anyone know why the 'current' version on the MailScanner.info site is listed as 4.79 Feb 2010, yet I am running 4.84 on my server?
>
> Regards
>
> Rabie

From mailscanner at barendse.to Tue Oct 1 04:39:47 2013
From: mailscanner at barendse.to (Remco Barendse)
Date: Tue, 1 Oct 2013 05:39:47 +0200 (CEST)
Subject: Left over temp and tnef files
In-Reply-To: <5245BBF2.5080502@msapiro.net>
References: <52446D1C0200008E000259B9@GroupWise.Dantumadiel.eu> <5245BBF2.5080502@msapiro.net>
Message-ID:

On Fri, 27 Sep 2013, Mark Sapiro wrote:

> On 09/26/2013 08:21 AM, Arjan Melein wrote:
>> Second there are 771806 files under /var/spool/MailScanner/incoming/SpamAssassin-Temp/ (rm is having a hard time cleaning these up, 780k files making up 60MB)
>
> See

The link suggests that the problem was found and fixed, does that mean I
should not get flooded with temp files from MailScanner 4.84.6 to which I
updated only a couple of weeks ago?

I am using sendmail but I get tons of tmp files in /tmp and
/var/spool/MailScanner/incoming/SpamAssassin-Temp/

At the moment I am using a cron job to just delete everything in those
directories on a once per week basis.

A fix would be nice though..... :)

From mailscanner at barendse.to Tue Oct 1 04:46:17 2013
From: mailscanner at barendse.to (Remco Barendse)
Date: Tue, 1 Oct 2013 05:46:17 +0200 (CEST)
Subject: emails that attempt to kill mailscanner {Scanned}
In-Reply-To: <92665C7597419742B19470DFA3D5BEA246A14C@vonLipwig.aoc-uk.com>
References: <7F5CCC2656447841A7BDF64811DEA91610C39D03@Bart1.MarineSoftware.EXT> <92665C7597419742B19470DFA3D5BEA246A14C@vonLipwig.aoc-uk.com>
Message-ID:

On Fri, 16 Aug 2013, Stef Morrell wrote:

> On 14 August 2013 11:27 Richard Mealing wrote:
>> This issue only happens to me when my server is over loaded. Once I gave
>> it more CPUs and RAM I've not had this problem again.
>> I find that running spamassassin as daemon and restarting that sometimes
>> helps. The -U switch didn't do anything for me. I'm using FreeBSD.
>
> I get something very similar. For whatever reason MS gets upset with a
> particular email and requeues it for multiple further attempts at
> scanning, finally dumping it with a "tried to kill me" error.

I have this problem with 2 specific people sending mail to our servers.
When I open the emails, the mail does look legit and without any weird
code in it.

> In any event, my workaround is very satisfactory for me and removes the
> headache in my case.

What was your workaround?

Thanks!

From mailscanner at barendse.to Tue Oct 1 04:51:48 2013
From: mailscanner at barendse.to (Remco Barendse)
Date: Tue, 1 Oct 2013 05:51:48 +0200 (CEST)
Subject: "Problem Messages" every hour
In-Reply-To: <51D75B02.6050606@veecall.com>
References: <51D44FC5.8070208@veecall.com> <51D75B02.6050606@veecall.com>
Message-ID:

On Fri, 5 Jul 2013, J Gao wrote:

> On 13-07-04 02:07 AM, Martin Hepworth wrote:
>> check you're running MailScanner with the -U flag present
>>
>> also double check all the file permissions in the working and quarantine
>> directories and the MailScanner.conf settings relating to these
>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>
> Thanks a lot. That "-U" works!.
>
> Gao

Just a question, if adding -U to the first line of /usr/sbin/MailScanner
helps to solve some issues, why isn't that done as default ?

From Amelein at dantumadiel.eu Tue Oct 1 11:20:37 2013
From: Amelein at dantumadiel.eu (Arjan Melein)
Date: Tue, 01 Oct 2013 12:20:37 +0200
Subject: Betr.: Re: "Problem Messages" every hour
In-Reply-To:
References: <51D44FC5.8070208@veecall.com> <51D75B02.6050606@veecall.com>
Message-ID: <524ABE150200008E00025B94@GroupWise.Dantumadiel.eu>

> Just a question, if adding -U to the first line of
> /usr/sbin/MailScanner helps to solve some issues, why isn't that done
> as default ?

If you check 'perl -h' you'll see:

  -U    allow unsafe operations

If I remember correctly some functions got deprecated and changed in the
newer Perl versions, the -U is only needed till the actual code that
causes the problem is updated.

I think this was a discussion about running MS on an 'enterprise' distro
as opposed to a more bleeding edge one too, although I think the latest
enterprise distros will have the problematic Perl version as well. (They
already do or they will in the near future).

I'm not 100% sure about the above because it's been a while :-)

- Arjan

From Amelein at dantumadiel.eu Tue Oct 1 11:24:58 2013
From: Amelein at dantumadiel.eu (Arjan Melein)
Date: Tue, 01 Oct 2013 12:24:58 +0200
Subject: Betr.: Re: Left over temp and tnef files
In-Reply-To:
References: <52446D1C0200008E000259B9@GroupWise.Dantumadiel.eu> <5245BBF2.5080502@msapiro.net>
Message-ID: <524ABF1A0200008E00025B99@GroupWise.Dantumadiel.eu>

> The link suggests that the problem was found and fixed, does that mean i
> should not get flooded with temp files from MailScanner 4.84.6 to which i
> updated only a couple of weeks ago?
>
> I am using sendmail but i get tons of tmp files in /tmp and
> /var/spool/MailScanner/incoming/SpamAssassin-Temp/
>
> At the moment i am using a cron job to just delete everything in those
> directories on a once per week basis.
>
> A fix would be nice though..... :)
>
--

The 'fix' changed the file names from tmp.something to
MailScanner.something for me, I guess that's a start :)

I'm guessing this is related to specific versions of any of the 3rd party
stuff which will make it rather hard to debug.

- Arjan

From chris at techquility.net Tue Oct 1 14:58:21 2013
From: chris at techquility.net (Chris Barber)
Date: Tue, 1 Oct 2013 13:58:21 +0000
Subject: MailScanner versions
Message-ID: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>

I checked the mailscanner.info site today for downloads and see that the
latest stable version of 4.79.11-1

Somehow however, when I do a MailScanner --version, I am getting 4.84.4.
A LINT also shows this as correct. The latest beta is only 4.80.

How is it possible I have a newer version installed than is available? I
haven't updated in a few months at least also. ???

Thanks,
Chris

From maxsec at gmail.com Tue Oct 1 16:13:56 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 1 Oct 2013 16:13:56 +0100
Subject: MailScanner versions
In-Reply-To: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>
Message-ID:

already discussed - looks like someone restored an old version of the
mailscanner web site..

-- 
Martin Hepworth, CISSP
Oxford, UK

On 1 October 2013 14:58, Chris Barber wrote:

> I checked the mailscanner.info site today for downloads and see that the
> latest stable version of 4.79.11-1
>
> Somehow however, when I do a MailScanner --version, I am getting 4.84.4. A
> LINT also shows this as correct. The latest beta is only 4.80.
>
> How is it possible I have a newer version installed than is available? I
> haven't updated in a few months at least also. ???
>
> Thanks,
> Chris
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From richard at fastnet.co.uk Tue Oct 1 16:30:00 2013
From: richard at fastnet.co.uk (Richard Mealing)
Date: Tue, 1 Oct 2013 15:30:00 +0000
Subject: MailScanner versions
In-Reply-To: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795E9A6C0D@BTN-EXCHANGE-V1.fastnet.local>

I imagine the website got hacked or something, as it's been restored to
an older version.

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Chris Barber
Sent: 01 October 2013 14:58
To: MailScanner discussion
Subject: MailScanner versions

I checked the mailscanner.info site today for downloads and see that the
latest stable version of 4.79.11-1

Somehow however, when I do a MailScanner --version, I am getting 4.84.4.
A LINT also shows this as correct. The latest beta is only 4.80.

How is it possible I have a newer version installed than is available? I
haven't updated in a few months at least also. ???

Thanks,
Chris

From Antony.Stone at mailscanner.open.source.it Tue Oct 1 17:01:24 2013
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Tue, 1 Oct 2013 18:01:24 +0200
Subject: MailScanner versions
In-Reply-To:
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>
Message-ID: <201310011801.24292.Antony.Stone@mailscanner.open.source.it>

On Tuesday 01 October 2013 at 17:13:56, Martin Hepworth wrote:

> already discussed - looks like someone restored an old version of the
> mailscanner web site..

Indeed - see
http://web.archive.org/web/20130723004013/http://www.mailscanner.info/
for a much more encouraging version :)

> > I checked the mailscanner.info site today for downloads and see that the
> > latest stable version of 4.79.11-1
> >
> > Somehow however, when I do a MailScanner --version, I am getting 4.84.4.
> > A LINT also shows this as correct. The latest beta is only 4.80.
> >
> > How is it possible I have a newer version installed than is available? I
> > haven't updated in a few months at least also. ???

Regards,

Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

Please reply to the list; please don't CC me.

From sbanderson at impromed.com Tue Oct 1 17:16:49 2013
From: sbanderson at impromed.com (Scott B. Anderson)
Date: Tue, 1 Oct 2013 16:16:49 +0000
Subject: MailScanner versions
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795E9A6C0D@BTN-EXCHANGE-V1.fastnet.local>
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local> <6EE47AF64C339A4F8F7F50507241B3795E9A6C0D@BTN-EXCHANGE-V1.fastnet.local>
Message-ID:

Not sure if this is related or not but, ever since the site went down and
then was replaced with the old version, mailscanner 4.84 batches for me
are taking 90-120 seconds instead of 5-10 seconds.

Scott

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Richard Mealing
Sent: Tuesday, October 01, 2013 10:30 AM
To: MailScanner discussion
Subject: RE: MailScanner versions

I imagine the website got hacked or something, as it's been restored to
an older version.

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Chris Barber
Sent: 01 October 2013 14:58
To: MailScanner discussion
Subject: MailScanner versions

I checked the mailscanner.info site today for downloads and see that the
latest stable version of 4.79.11-1

Somehow however, when I do a MailScanner --version, I am getting 4.84.4.
A LINT also shows this as correct. The latest beta is only 4.80.

How is it possible I have a newer version installed than is available? I
haven't updated in a few months at least also. ???

Thanks,
Chris

...
-- ImproMed LLC --

From stephencoxmail at gmail.com Wed Oct 2 11:26:45 2013
From: stephencoxmail at gmail.com (Stephen Cox)
Date: Wed, 2 Oct 2013 12:26:45 +0200
Subject: MailScanner versions
In-Reply-To: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>
Message-ID:

On Tue, Oct 1, 2013 at 3:58 PM, Chris Barber wrote:

> I checked the mailscanner.info site today for downloads and see that the
> latest stable version of 4.79.11-1
>

Julian is off sick and my ftp credentials are not working anymore. So I
will have to wait for Julian.

From maxsec at gmail.com Wed Oct 2 12:28:15 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed, 2 Oct 2013 12:28:15 +0100
Subject: MailScanner versions
In-Reply-To:
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>
Message-ID:

Let me see if I can wake up the hosting people, may be able to help out.
Jules might be out for a bit, looking at his FB page..but hopefully is
well on the way to recovery.

-- 
Martin Hepworth, CISSP
Oxford, UK

On 2 October 2013 11:26, Stephen Cox wrote:

> On Tue, Oct 1, 2013 at 3:58 PM, Chris Barber wrote:
>
>> I checked the mailscanner.info site today for downloads and see that the
>> latest stable version of 4.79.11-1
>>
>
> Julian is off sick and my ftp credentials are not working anymore. So I
> will have to wait for Julian.
>

From richard.siddall at elirion.net Wed Oct 2 12:56:37 2013
From: richard.siddall at elirion.net (Richard Siddall)
Date: Wed, 02 Oct 2013 07:56:37 -0400
Subject: MailScanner versions
In-Reply-To:
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>
Message-ID: <524C09F5.2030002@elirion.net>

Martin Hepworth wrote:

> Let me see if I can wake up the hosting people, may be able to help out.
> Jules might be out for a bit, looking at his FB page..but hopefully is well
> on the way to recovery.
>

Martin,

Could you ask them to fix ScamNailer while you're talking to them? As
Mark Sapiro reported on Monday, it is completely broken again. The patch
he provided after the data delivery network failed in April no longer
works.

Regards,

Richard Siddall

From stephencoxmail at gmail.com Wed Oct 2 12:58:08 2013
From: stephencoxmail at gmail.com (Stephen Cox)
Date: Wed, 2 Oct 2013 13:58:08 +0200
Subject: MailScanner versions
In-Reply-To:
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local>
Message-ID:

On Wed, Oct 2, 2013 at 1:28 PM, Martin Hepworth wrote:

> Let me see if I can wake up the hosting people, may be able to help out.
> Jules might be out for a bit, looking at his FB page..but hopefully is
> well on the way to recovery.
>

Martin,

Thanks. Got a hold of Julian and he has restored the site.

From stephencoxmail at gmail.com Wed Oct 2 13:24:28 2013
From: stephencoxmail at gmail.com (Stephen Cox)
Date: Wed, 2 Oct 2013 14:24:28 +0200
Subject: MailScanner development
Message-ID:

List,

As you have seen; the development of MailScanner has slowed down to a
complete stop. This is due to me working on my studies and Andrew working
on his product.

Any help would be appreciated, so please contact me off list.

Regards,
Stephen

From stephencoxmail at gmail.com Wed Oct 2 13:26:40 2013
From: stephencoxmail at gmail.com (Stephen Cox)
Date: Wed, 2 Oct 2013 14:26:40 +0200
Subject: MailScanner versions
In-Reply-To: <524C09F5.2030002@elirion.net>
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local> <524C09F5.2030002@elirion.net>
Message-ID:

On Wed, Oct 2, 2013 at 1:56 PM, Richard Siddall wrote:

> Could you ask them to fix ScamNailer while you're talking to them? As
> Mark Sapiro reported on Monday, it is completely broken again. The
> patch he provided after the data delivery network failed in April no
> longer works.
>

Richard,

I spoke to the domain holder a few weeks ago and he reported that
everything is working. What exactly is the problem?

Stephen

From richard.siddall at elirion.net Wed Oct 2 14:13:07 2013
From: richard.siddall at elirion.net (Richard Siddall)
Date: Wed, 02 Oct 2013 09:13:07 -0400
Subject: MailScanner versions
In-Reply-To:
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local> <524C09F5.2030002@elirion.net>
Message-ID: <524C1BE3.6070208@elirion.net>

Stephen Cox wrote:

> Richard,
>
> I spoke to the domain holder a few weeks ago and he reported that
> everything is working. What exactly is the problem?
>
> Stephen
>

Stephen,

Thanks for asking.

As Mark Sapiro reported on Monday
(http://lists.mailscanner.info/pipermail/mailscanner/2013-October/100975.html)

> The files and updates at, http://www.mailscanner.eu/emails.* and the
> alternate http://cdn.mailscanner.info/emails.* all seem to be missing.
>
> E.g.
>
> http://www.mailscanner.eu/emails..2013-390
> http://www.mailscanner.eu/emails..2013-391
> http://www.mailscanner.eu/emails..2013-392
> http://www.mailscanner.eu/emails.2013-390.1
> http://www.mailscanner.eu/emails.2013-391.1
> http://www.mailscanner.eu/emails.2013-392.1
>
> and similarly
>
> http://cdn.mailscanner.info/emails..2013-390
> et al
>
> all return 404 even though the 391 (and presumably older) files were
> there just a few hours ago.
>
> This causes ScamNailer and update_bad_phishing_sites to fail as they
> can't retrieve any data.

I'm still seeing the associated error during the hourly run of
ScamNailer:

> Updating live file /var/cache/ScamNailer/phishing.emails.list
> cp: cannot stat `/var/cache/ScamNailer/cache//2013-393': No such file or directory
> Cannot read /var/cache/ScamNailer/phishing.emails.list, No such file or directory

This is the patched version of ScamNailer using Mark Sapiro's patch to
get around the incomplete repair of the data delivery network ("The DNS
TXT record for emails.msupdate.greylist.bastionmail.com is still not
being updated." This is from
http://lists.mailscanner.info/pipermail/mailscanner/2013-May/100746.html).

If you look in the list archives, you will see that several people
reported a complete failure of the data delivery system back in April

http://lists.mailscanner.info/pipermail/mailscanner/2013-April/100525.html
http://lists.mailscanner.info/pipermail/mailscanner/2013-April/100529.html
http://lists.mailscanner.info/pipermail/mailscanner/2013-April/100536.html

and the data delivery system was not completely repaired:

http://lists.mailscanner.info/pipermail/mailscanner/2013-April/100612.html
http://lists.mailscanner.info/pipermail/mailscanner/2013-May/100681.html
http://lists.mailscanner.info/pipermail/mailscanner/2013-June/100789.html
http://lists.mailscanner.info/pipermail/mailscanner/2013-June/100818.html
http://lists.mailscanner.info/pipermail/mailscanner/2013-July/100851.html
http://lists.mailscanner.info/pipermail/mailscanner/2013-July/100899.html
http://lists.mailscanner.info/pipermail/mailscanner/2013-August/100932.html

I hope this helps. The meta problem seems to be that whatever monitoring
is in place to ensure the data delivery network is operational is
ineffective.

Regards,

Richard Siddall

From andrew at topdog.za.net Wed Oct 2 15:36:20 2013
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Wed, 2 Oct 2013 16:36:20 +0200
Subject: MailScanner versions
In-Reply-To:
References: <185ED33D2D4C2743B00271D65FB2B79A14635785@SBS2011.techquility.local> <524C09F5.2030002@elirion.net>
Message-ID:

On 02 Oct 2013, at 2:26 PM, Stephen Cox wrote:

> I spoke to the domain holder a few weeks ago and he reported that everything is working. What exactly is the problem?

I am willing to host a mirror of this if the data is provided. For a CDN
it is pretty unreliable.

- Andrew

From mark at msapiro.net Thu Oct 3 15:10:54 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 03 Oct 2013 07:10:54 -0700
Subject: Updates missing for update_bad_phishing_sites and ScamNailer
In-Reply-To: <524A37FB.2080905@msapiro.net>
References: <524A37FB.2080905@msapiro.net>
Message-ID: <524D7AEE.4000601@msapiro.net>

Mark Sapiro wrote:

> The files and updates at, http://www.mailscanner.eu/emails.* and the
> alternate http://cdn.mailscanner.info/emails.* all seem to be missing.

As of today (2013-394), the current files are back and the patched
versions of ScamNailer and update_bad_phishing_sites are working again.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From jerry.benton at mailborder.com Fri Oct 4 21:29:11 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 4 Oct 2013 22:29:11 +0200
Subject: First Match vs All Match
Message-ID:

Hello,

So, I found out the hard way after much face-to-keyboard action that
"Allow Webbugs" is an "All Match" rule. So if I have this:

user at domain yes

acme.com disarm

If user at domain sends a web bug in an email it will be allowed. Unless
of course he sends it to acme.com where it will be denied. Well, this
presents a problem if you have a valid sender you wish to allow to send
web bugs to your domain while blocking all others.

So, does anyone know if All Match and First Match is a configurable item
for rule sets? I know it is not in the MailScanner.conf, but perhaps a pm
file could be modified?

-- 
Jerry Benton
Mailborder Systems
www.mailborder.com

From Kevin_Miller at ci.juneau.ak.us Fri Oct 4 22:03:50 2013
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 4 Oct 2013 13:03:50 -0800
Subject: First Match vs All Match
In-Reply-To:
References:
Message-ID:

Without seeing your actual rule file (in the MailScanner/rules directory)
it's hard to say what you're doing, but I'd do this:

In MailScanner.conf
Allow Webbugs = %rules-dir%/webbugs.rules

In MailScanner/rules directory:
Filename: webbugs.rules

FromOrTo: user at domain.com yes
FromOrTo: *@differentdomain.com yes
FromOrTo: default disarm

This will let user at domain.com and all users at differentdomain.com
send webbugs and disarm all others. You can also just use From: and/or
To: as the first field as appropriate to your environment.

See the EXAMPLES (in the rules directory) file for more details...

...Kevin
-- 
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: Friday, October 04, 2013 12:29 PM
To: MailScanner discussion
Subject: First Match vs All Match

Hello,

So, I found out the hard way after much face-to-keyboard action that
"Allow Webbugs" is an "All Match" rule. So if I have this:

user at domain yes

acme.com disarm

If user at domain sends a web bug in an email it will be allowed. Unless
of course he sends it to acme.com where it will be denied. Well, this
presents a problem if you have a valid sender you wish to allow to send
web bugs to your domain while blocking all others.

So, does anyone know if All Match and First Match is a configurable item
for rule sets? I know it is not in the MailScanner.conf, but perhaps a pm
file could be modified?

-- 
Jerry Benton
Mailborder Systems
www.mailborder.com

From jerry.benton at mailborder.com Fri Oct 4 22:50:52 2013
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 4 Oct 2013 23:50:52 +0200
Subject: First Match vs All Match
In-Reply-To:
References:
Message-ID:

Kevin,

Thank you, but I think you missed the point. Perhaps I didn't explain it
well enough. I am aware how the rules work. The question is if Allow
Match can be altered to First Match because an All Match approach is not
as flexible.

On Fri, Oct 4, 2013 at 11:03 PM, Kevin Miller wrote:

> Without seeing your actual rule file (in the MailScanner/rules directory)
> it's hard to say what you're doing, but I'd do this:
>
> In MailScanner.conf
> Allow Webbugs = %rules-dir%/webbugs.rules
>
> In MailScanner/rules directory:
> Filename: webbugs.rules
>
> FromOrTo: user at domain.com yes
> FromOrTo: *@differentdomain.com yes
> FromOrTo: default disarm
>
> This will let user at domain.com and all users at differentdomain.com send
> webbugs and disarm all others. You can also just use From: and/or To: as
> the first field as appropriate to your environment.
>
> See the EXAMPLES (in the rules directory) file for more details...
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357
>
> From: mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
> Sent: Friday, October 04, 2013 12:29 PM
> To: MailScanner discussion
> Subject: First Match vs All Match
>
> Hello,
>
> So, I found out the hard way after much face-to-keyboard action that
> "Allow Webbugs" is an "All Match" rule. So if I have this:
>
> user at domain yes
>
> acme.com disarm
>
> If user at domain sends a web bug in an email it will be allowed. Unless of
> course he sends it to acme.com where it will be denied. Well, this
> presents a problem if you have a valid sender you wish to allow to send web
> bugs to your domain while blocking all others.
>
> So, does anyone know if All Match and First Match is a configurable item
> for rule sets? I know it is not in the MailScanner.conf, but perhaps a pm
> file could be modified?
>
> --
> Jerry Benton
> Mailborder Systems
> www.mailborder.com
>

-- 
Jerry Benton
Mailborder Systems
www.mailborder.com

From stef at aoc-uk.com Fri Oct 11 14:39:54 2013
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 11 Oct 2013 13:39:54 +0000
Subject: khopesh rules
Message-ID: <92665C7597419742B19470DFA3D5BEA208E1964A@vonLipwig.aoc-uk.com>

Does anyone know what's happened to the khopesh.com spamassassin channel?
It appears to have gone dead and been dropped from zoneedit's DNS.

Stef

From melecom at adam.com.au Sat Oct 12 01:17:28 2013
From: melecom at adam.com.au (Rodney Mitchell)
Date: Sat, 12 Oct 2013 10:47:28 +1030
Subject: Testing 1 2 3?
Message-ID: <52589518.3010601@adam.com.au>

Check 1 2 1 2

-- 
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
Supported by melecom with a Fedora server.

From maillists at conactive.com Sun Oct 13 14:20:41 2013
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun, 13 Oct 2013 15:20:41 +0200
Subject: SA 3.4.0 anyone?
Message-ID:

The (probably) last release candidate of SA 3.4.0 is now available. Has
anyone already tested MS with it? It builds and tests fine on my Centos 5
installation, but I'm wary of actually installing it. There seem to be
changes in the Bayes handling and also with the way that other
applications can invoke it which may affect MS directly.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com

From mark at msapiro.net Sun Oct 13 17:59:01 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 13 Oct 2013 09:59:01 -0700
Subject: SA 3.4.0 anyone?
In-Reply-To:
References:
Message-ID: <525AD155.1070701@msapiro.net>

On 10/13/2013 06:20 AM, Kai Schaetzl wrote:

> The (probably) last release candidate of SA 3.4.0 is now available. Has
> anyone already tested MS with it?

I've been running SA 3.4.0-rc2 on my CentOS 5 server with MailScanner
4.84.5 and 4.84.6 since last June. I've had no problems.
--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From melecom at adam.com.au Sun Oct 13 22:33:06 2013
From: melecom at adam.com.au (Rodney Mitchell)
Date: Mon, 14 Oct 2013 08:03:06 +1030
Subject: SPAM by same email as recipient?
Message-ID: <272204d2bfd849d4c1ead8a84d528f19fb189156@webmail.adam.com.au>

Hiyas,

Maybe there is a quick fix here?

If the email is many spam emails come into the INBOX and they are from , any suggestions?

Thanks,
Rod.

----
Message sent via Adam Internet WebMail - http://www.adam.com.au/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131014/b534d356/attachment.html

From john at tradoc.fr Mon Oct 14 07:14:36 2013
From: john at tradoc.fr (John Wilcock)
Date: Mon, 14 Oct 2013 08:14:36 +0200
Subject: SPAM by same email as recipient?
In-Reply-To: <272204d2bfd849d4c1ead8a84d528f19fb189156@webmail.adam.com.au>
References: <272204d2bfd849d4c1ead8a84d528f19fb189156@webmail.adam.com.au>
Message-ID: <525B8BCC.2070508@tradoc.fr>

On 13/10/2013 23:33, Rodney Mitchell wrote:
> If the email is many spam emails come into the
> INBOX and they are from , any suggestions?

By far the best solution is to configure your SMTP server not to accept unauthenticated mail from domains that it serves.

If this isn't possible in your setup, have a look at the __TO_EQ_FROM rule in the standard ruleset. This is only used in other meta rules, but you could experiment with scoring it, making sure you exclude any genuine messages that you might send to yourself, for example:

meta TO_EQ_FROM_UNTRUSTED __TO_EQ_FROM && !ALL_TRUSTED

John.
--
-- Over 5000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From maxsec at gmail.com Mon Oct 14 12:46:21 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 14 Oct 2013 12:46:21 +0100
Subject: SPAM by same email as recipient?
In-Reply-To: <525B8BCC.2070508@tradoc.fr>
References: <272204d2bfd849d4c1ead8a84d528f19fb189156@webmail.adam.com.au> <525B8BCC.2070508@tradoc.fr>
Message-ID:

Also do NOT whitelist the domains you serve in MailScanner.conf (is definitely not spam) or spamassassin.

Also having the list of any rules hit is always useful in the headers so you can see why it's getting through.. (or not)

I always add the SA info into email headers to see what the score and rule hits are (helps with debug), in MailScanner.conf make sure the following are set thus:

Spam Score Number Format = %5.2f
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score Number Format = %5.2f

--
Martin Hepworth, CISSP
Oxford, UK

On 14 October 2013 07:14, John Wilcock wrote:

> On 13/10/2013 23:33, Rodney Mitchell wrote:
> > If the email is many spam emails come into the
> > INBOX and they are from , any suggestions?
>
> By far the best solution is to configure your SMTP server not to accept
> unauthenticated mail from domains that it serves.
>
> If this isn't possible in your setup, have a look at the __TO_EQ_FROM
> rule in the standard ruleset. This is only used in other meta rules, but
> you could experiment with scoring it, making sure you exclude any
> genuine messages that you might send to yourself, for example:
> meta TO_EQ_FROM_UNTRUSTED __TO_EQ_FROM && !ALL_TRUSTED
>
> John.
>
> --
> -- Over 5000 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages - www.tradoc.fr
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131014/17d6f8a7/attachment.html

From rlopezcnm at gmail.com Mon Oct 14 22:16:12 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Mon, 14 Oct 2013 15:16:12 -0600
Subject: Could not parse Outlook Rich Text attachment
Message-ID:

I am seeing a lot of log lines like these:

Oct 14 13:37:15 mg08 MailScanner[22850]: Expanding TNEF archive at /var/spool/MailScanner/incoming/22850/B30054C0007.A33A0/winmail.dat
Oct 14 13:37:15 mg08 MailScanner[22850]: Trying to unpack nwinmail.dat in message B30054C0007.A33A0, could not create subdirectory B30054C0007.A33A0//tnefncr7nY, failed to unpack TNEF message
Oct 14 13:37:15 mg08 MailScanner[22850]: Corrupt TNEF winmail.dat that cannot be analysed in message B30054C0007.A33A0

I have been looking through the source of MailScanner-4.84.5-3 and I do not recognize any answers to my questions.

Can the attachment really be named "nwinmail.dat" or is that first "n" a typographical error?

Any hints on how to find why the directory cannot be created? By the time I find log lines and take a look the parent directory is already gone.

If the winmail.dat file is removed will the email lose information? If not, how is MailScanner told to remove it without trying to scan it?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131014/3d550222/attachment.html

From maillists at conactive.com Tue Oct 15 10:01:16 2013
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue, 15 Oct 2013 11:01:16 +0200
Subject: Could not parse Outlook Rich Text attachment
In-Reply-To:
References:
Message-ID:

Robert Lopez wrote on Mon, 14 Oct 2013 15:16:12 -0600:

> I have been looking through the source of MailScanner-4.84.5-3 and I do not
> recognize any answers to my questions.

There is a 4.84.6 that specifically lists a TNEF patch.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Tue Oct 15 10:38:42 2013
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue, 15 Oct 2013 11:38:42 +0200
Subject: SA 3.4.0 anyone?
In-Reply-To: <525AD155.1070701@msapiro.net>
References: <525AD155.1070701@msapiro.net>
Message-ID:

Mark Sapiro wrote on Sun, 13 Oct 2013 09:59:01 -0700:

> 3.4.0-rc2

I've upgraded to rc3 on two systems with 4.84.5 now and it seems to be working fine. sa-update and compiling rules works, too. One can definitely just replace it and run a quick sa-update to make it work.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From maxsec at gmail.com Tue Oct 15 10:49:19 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 15 Oct 2013 10:49:19 +0100
Subject: Could not parse Outlook Rich Text attachment
In-Reply-To:
References:
Message-ID:

about time people dropped rtf emails from outlook and went to html.... security aside nothing else other than outleek can parse the email properly.

--
Martin Hepworth, CISSP
Oxford, UK

On 15 October 2013 10:01, Kai Schaetzl wrote:

> Robert Lopez wrote on Mon, 14 Oct 2013 15:16:12 -0600:
>
> > I have been looking through the source of MailScanner-4.84.5-3 and I do
> not
> > recognize any answers to my questions.
>
> There is a 4.84.6 that specifically lists a TNEF patch.
>
> Kai
>
> --
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131015/b18b0d67/attachment.html

From mark at msapiro.net Tue Oct 15 18:23:17 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 15 Oct 2013 10:23:17 -0700
Subject: Could not parse Outlook Rich Text attachment
In-Reply-To:
References:
Message-ID: <525D7A05.1050805@msapiro.net>

On 10/14/2013 02:16 PM, Robert Lopez wrote:
> I am seeing a lot of log lines like these:
>
> Oct 14 13:37:15 mg08 MailScanner[22850]: Expanding TNEF archive at
> /var/spool/MailScanner/incoming/22850/B30054C0007.A33A0/winmail.dat
> Oct 14 13:37:15 mg08 MailScanner[22850]: Trying to unpack nwinmail.dat
> in message B30054C0007.A33A0, could not create subdirectory
> B30054C0007.A33A0//tnefncr7nY, failed to unpack TNEF message
> Oct 14 13:37:15 mg08 MailScanner[22850]: Corrupt TNEF winmail.dat that
> cannot be analysed in message B30054C0007.A33A0

The 4.84.6-1 MailScanner/TNEF.pm contains the following at line 232

  my ($tmpfh, $unpackdir) = tempfile("tnefXXXXXX", TMPDIR => $dir, UNLINK => 0);

This doesn't do anything reasonable. It creates a file, not a directory, and TMPDIR is a boolean, not a path so this causes the file to be created in the "File::Spec->tmpdir" directory, not $dir.

I'm not sure in what version this was introduced. It's not in

It should probably be something like

  my $unpackdir = tempdir("tnefXXXXXX", DIR => $dir);

but this is untested.

> I have been looking through the source of MailScanner-4.84.5-3 and I do
> not recognize any answers to my questions.
>
> Can the attachment really be named "nwinmail.dat" or is that first "n" a
> typographical error?

nwinmail.dat is not the attachment name, it is a MailScanner name for the file where the attachment will be stored for decoding/scanning.

> Any hints on how to find why the directory cannot be created? By the
> time I find log lines and take a look the parent directory is already gone.

Try the above suggested replacement and see if it helps.

> If the winmail.dat file is removed will the email lose information? If
> not, how is MailScanner told to remove it without trying to scan it?

I don't understand this question. I think what "should" happen with this message is the winmail.dat is unscanned and the mail with the winmail.dat is delivered.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From rlopezcnm at gmail.com Tue Oct 15 18:50:26 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Tue, 15 Oct 2013 11:50:26 -0600
Subject: Could not parse Outlook Rich Text attachment
In-Reply-To:
References:
Message-ID:

On Tue, Oct 15, 2013 at 3:49 AM, Martin Hepworth wrote:

> about time people dropped rtf emails from outlook and went to html....
> security aside nothing else other than outleek can parse the email properly.
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 15 October 2013 10:01, Kai Schaetzl wrote:
>
>> Robert Lopez wrote on Mon, 14 Oct 2013 15:16:12 -0600:
>>
>> > I have been looking through the source of MailScanner-4.84.5-3 and I do
>> not
>> > recognize any answers to my questions.
>>
>> There is a 4.84.6 that specifically lists a TNEF patch.
>>
>> Kai
>>
>> --
>> Get your web at Conactive Internet Services: http://www.conactive.com
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

Kai,

Thanks for that. In the archives there is also email saying some patch did not fix the problem. I need to see if the one you point to is newer.

Martin,

I agree with your statement and the sentiment. It may not be that easy. I.e., the choice may not be a personal one and the choice may not be honoured even when made. I am becoming convinced there might be bugs in Exchange and/or Outlook. We have done some experiments and email composed in HTML when forwarded by a person who is set up to default to HTML end up forwarding "HTML" email with winmail.dat attached. It is not clear to me if it is our implementation of Exchange that is messed up or if it is all Exchange because suddenly the problem is growing very fast on incoming email from outside our college.

We are also struggling with our phone system that is running on a UNIX box which sends voice messages to employees who are on Exchange. When Exchange forwards that message it has a winmail.dat attached.

Right now many persons are complaining about the sender.error.report.txt info. My thinking is until I get things fixed as per Kai's suggestion I need to stop the sending of the report, which I think means stop the scanning of the winmail.dat file by discarding it instead of scanning it. I just do not know if that means a loss of information.
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131015/23723b35/attachment.html

From mark at msapiro.net Tue Oct 15 19:35:25 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 15 Oct 2013 11:35:25 -0700
Subject: bad phishing sites/Scamnailer updates missing?
Message-ID: <525D8AED.1080106@msapiro.net>

There have been several issues with the bad phishing sites/Scamnailer updates since last April.

The first issue was that the DNS TXT record for emails.msupdate.greylist.bastionmail.com was not being updated (See and then later it disappeared altogether. I developed patches to work around this. See and .

More recently, there was a problem with the updates themselves being missing. See . This was only temporary. This issue was fixed and also the issue of the missing/not updated DNS TXT record was fixed as well.

Now there is a new problem: All the data and updates are working, but there have been no new sites/domains added to the list since "This file was generated at Thu Oct 10 00:44:45 BST 2013" (over 5 days ago). In my experience, new domains are added multiple times every day. Thus, it appears that the underlying process which collects these names and updates the list may not be getting its data.

Can anyone investigate this?

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From rlopezcnm at gmail.com Tue Oct 15 20:10:14 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Tue, 15 Oct 2013 13:10:14 -0600
Subject: Could not parse Outlook Rich Text attachment
In-Reply-To: <525D7A05.1050805@msapiro.net>
References: <525D7A05.1050805@msapiro.net>
Message-ID:

Mark,

With respect to your statement "I think what 'should' happen with this message is the winmail.dat is unscanned and the mail with the winmail.dat is delivered."

Will these configuration statements do what you think "should" happen?:

Expand TNEF = no
Use TNEF Contents = no
Deliver Unparsable TNEF = yes

Would I need to make any other related changes?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131015/8eb3a94c/attachment.html

From mark at msapiro.net Wed Oct 16 00:08:37 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 15 Oct 2013 16:08:37 -0700
Subject: Could not parse Outlook Rich Text attachment
In-Reply-To:
References: <525D7A05.1050805@msapiro.net>
Message-ID: <525DCAF5.6060208@msapiro.net>

On 10/15/2013 12:10 PM, Robert Lopez wrote:
> Mark,
>
> With respect to your statement "I think what 'should' happen with this
> message is the winmail.dat is unscanned and the mail with the
> winmail.dat is delivered."
>
> Will these configuration statements do what you think "should" happen?:
>
> Expand TNEF = no
> Use TNEF Contents = no
> Deliver Unparsable TNEF = yes

Those will do, and I just tested and just

Expand TNEF = no

is sufficient.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From tlarco at polr.com Wed Oct 16 14:30:37 2013
From: tlarco at polr.com (Tony Larco)
Date: Wed, 16 Oct 2013 09:30:37 -0400
Subject: ZIP file attachment not recognized and therefore no file check performed
Message-ID: <525E94FD.4050700@polr.com>

I apologize if this has been answered in another thread. I did spend quite some time poking through the archived mailing list articles, the MailScanner docs, and googling around, but we are just stumped and are hoping a MailScanner guru could enlighten us about this situation.

First, we are running the following (from /usr/sbin/MailScanner -v) -
This is SUSE Linux Enterprise Server 10 (x86_64)
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.78.17
Using F-Prot for AV scanning

High level overview - We use Barracudas for our mail gateways that hand off to MailScanner before getting routed to the appropriate mail server for delivery. This solution has worked great for years, but last week something strange happened that we cannot figure out.

On Friday we started receiving emails that contained some kind of 0-day malware. The Barracudas were blocking some of these emails, but based on score and not on the emails containing a virus. Later in the day Barracuda started recognizing the virus so the problem was mitigated at the mail gateway, but some did slip by the first line of defense and were passed to MailScanner.

The attachment was a zipped up EXE file, but something was unique about these messages. We block ZIP and EXE files to most of our users, but our MailScanner instance was not acknowledging these emails contained a ZIP file and therefore not doing the "Filename Check". What is very interesting is when MailScanner delivered the email to an invalid recipient and it was bounced back to the sender, MailScanner detected the existence of a ZIP file and blocked it on the way out! But not on the way in! This is the heart of the issue...
how can we determine why these messages were not interrogated while other (legit) zip files were being rejected at the same time?

We observed these emails were encoded with windows-1251 encoding (http://en.wikipedia.org/wiki/Windows-1251) and the content type of the attachment was simply "Content Type ;" Other than that, we did not see anything out of the ordinary with these emails.

We tried to create a zip file of the same name as the malware and send it from gmail and the ZIP file was detected immediately by MailScanner, so we were not able to reproduce the problem strictly by name. Now that F-prot is detecting this, it's getting dropped for containing a virus, and we really cannot test further in our production environment. We took this into our lab, but we were not testing with the exact same version of MailScanner and we were not able to recreate the problem. In our minds, whether MailScanner could detect the virus or not, it should have detected the ZIP and/or EXE and rejected it for this reason alone.

Any information about this issue would be greatly appreciated. Management is now questioning the usefulness of MailScanner versus some commercial offering, but I believe in FOSS. Thank you in advance for taking the time to read this post!

Regards,

Tony
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131016/3bfe2168/attachment.html

From maxsec at gmail.com Wed Oct 16 15:21:01 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed, 16 Oct 2013 15:21:01 +0100
Subject: ZIP file attachment not recognized and therefore no file check performed
In-Reply-To: <525E94FD.4050700@polr.com>
References: <525E94FD.4050700@polr.com>
Message-ID:

umm well the mailscanner version you are using is 4 years old. I know the releases aren't coming as fast and furious as they used to but still..
blocking invalid recipients should be done up front anyway

I'd look at your rulesets in MailScanner to make sure you're not trusting the Barracuda to some level and therefore missing the checks. You should be able to trace the messages causing problems in the mail logs.

Given you're already scanning with Barracudas and they still delivered the malware how is their commercial offering any better??

Martin

--
Martin Hepworth, CISSP
Oxford, UK

On 16 October 2013 14:30, Tony Larco wrote:

> I apologize if this has been answered in another thread. I did spend
> quite some time poking through the archived mailing list articles, the
> MailScanner docs, and googling around, but we are just stumped and are
> hoping a MailScanner guru could enlighten us about this situation.
>
> First, we are running the following (from /usr/sbin/MailScanner -v) -
> This is SUSE Linux Enterprise Server 10 (x86_64)
> This is Perl version 5.008008 (5.8.8)
> This is MailScanner version 4.78.17
> Using F-Prot for AV scanning
>
> High level overview - We use Barracuda's for our mail gateways that hand
> off to MailScanner before getting routed to the appropriate mail server for
> delivery. This solution has worked great for years, but last week
> something strange happened that we cannot figure out.
>
> On Friday we started receiving emails that contained some kind of 0-day
> malware. The Barracudas were blocking some of these email, but based on
> score and not on the emails containing a virus. Later in the day Barracuda
> started recognizing the virus so the problem was mitigated at the mail
> gateway, but some did slip by the first line of defense and were passed to
> MailScanner.
>
> The attachment was a zipped up EXE file, but something was unique about
> these messages. We block ZIP and EXE files to most of our users, but our
> MailScanner instance was not acknowledging these emails contained a ZIP
> file and therefore not doing the "Filename Check".
What is very
> interesting is when MailScanner delivered the email to an invalid recipient
> and it was bounced back to the sender, MailScanner detected the existence
> of a ZIP file and blocked it on the way out! But not on the way in! This
> is the heart of the issue... how can we determine why these messages were
> not interrogated while other (legit) zip files were being rejected at the
> same time?
>
> We observed these emails were encoded with windows-1251 encoding (
> http://en.wikipedia.org/wiki/Windows-1251) and the content type of the
> attachment was simply "Content Type ;" Other than that, we did not see
> anything out of the ordinary with these emails.
>
> We tried to create a zip file of the same name as the malware and send it
> from gmail and the ZIP file was detected immediately by MailScanner, so we
> were not able to reproduce the problem strictly by name. Now that F-prot
> is detecting this, its getting dropped for containing a virus, and we can
> really cannot test further in our production environment. We took this
> into our lab, but we were not testing with the exact same version of
> MailScanner and we were not able to recreate the problem. In our minds,
> whether MailScanner could detect the virus or not, it should have detected
> the ZIP and/or EXE and rejected it for this reason alone.
>
> Any information about this issue would be greatly appreciated. Management
> is now questioning the usefulness of MailScanner versus some commercial
> offering, but I believe in FOSS. Thank you in advance for taking the time
> to read this post!
>
> Regards,
>
> Tony
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
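
[Added example, not part of any post in this thread and not MailScanner code: a check that classifies each attachment by its leading bytes instead of its declared type or filename, run on a constructed message whose attachment carries the malformed "Content-Type: ;" header described above. The blocked-extension list, the nesting limit and the sample message are assumptions.]

```python
import base64
import email
import io
import zipfile

# Leading bytes that identify a container or executable regardless of headers.
MAGIC = (
    (b"PK\x03\x04", "zip"),   # ZIP local file header
    (b"PK\x05\x06", "zip"),   # empty ZIP (end-of-central-directory record only)
    (b"MZ", "exe"),           # DOS/PE executable
)
BLOCKED_EXT = (".exe", ".scr", ".com", ".pif")   # assumed site policy
MAX_DEPTH = 3                                    # assumed archive nesting limit


def sniff(data):
    """Return 'zip', 'exe' or None based on the first bytes of the content."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def zip_findings(data, depth=1):
    """List policy hits for the members of a ZIP held in memory."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unparsable archive"]
    hits = []
    for info in archive.infolist():
        if info.flag_bits & 0x1:                 # bit 0 set: member is encrypted
            hits.append(f"encrypted member {info.filename}")
            continue
        with archive.open(info) as fh:
            kind = sniff(fh.read(4))
        if kind == "exe" or info.filename.lower().endswith(BLOCKED_EXT):
            hits.append(f"executable member {info.filename}")
        elif kind == "zip":
            if depth >= MAX_DEPTH:
                hits.append(f"archive nested too deep at {info.filename}")
            else:
                hits.extend(zip_findings(archive.read(info), depth + 1))
    return hits


def inspect_message(raw):
    """Return one finding per leaf MIME part whose content is a ZIP or EXE."""
    findings = []
    msg = email.message_from_bytes(raw)          # lenient legacy parser
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        if kind is None:
            continue
        hits = zip_findings(data) if kind == "zip" else ["executable attachment"]
        findings.append({
            "declared_type": part.get("Content-Type", ""),  # raw header, may be malformed
            "filename": part.get_filename(),                # None when no name is given
            "actual": kind,
            "hits": hits,
        })
    return findings


def build_sample():
    """Constructed sample: a ZIP holding an EXE stub, attached with a
    malformed Content-Type header and no filename parameter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.exe", b"MZ" + b"\x00" * 62)  # inert stub, not a program
    body = base64.encodebytes(buf.getvalue()).decode("ascii")
    return (
        "From: sender@example.com\r\n"
        "To: user@example.org\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        'Content-Type: text/plain; charset="windows-1251"\r\n'
        "\r\n"
        "See attachment.\r\n"
        "--b1\r\n"
        "Content-Type: ;\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{body}\r\n"
        "--b1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```
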
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131016/6e30d629/attachment.html

From steve.freegard at fsl.com Wed Oct 16 15:24:15 2013
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed, 16 Oct 2013 15:24:15 +0100
Subject: ZIP file attachment not recognized and therefore no file check performed
In-Reply-To: <525E94FD.4050700@polr.com>
References: <525E94FD.4050700@polr.com>
Message-ID:

Tony,

On 16/10/13 14:30, Tony Larco wrote:
> The attachment was a zipped up EXE file, but something was unique about
> these messages. We block ZIP and EXE files to most of our users, but
> our MailScanner instance was not acknowledging these emails contained a
> ZIP file and therefore not doing the "Filename Check". What is very
> interesting is when MailScanner delivered the email to an invalid
> recipient and it was bounced back to the sender, MailScanner detected
> the existence of a ZIP file and blocked it on the way out! But not on
> the way in! This is the heart of the issue... how can we determine why
> these messages were not interrogated while other (legit) zip files were
> being rejected at the same time?
>
> We observed these emails were encoded with windows-1251 encoding
> (http://en.wikipedia.org/wiki/Windows-1251) and the content type of the
> attachment was simply "Content Type ;" Other than that, we did not see
> anything out of the ordinary with these emails.
>
> We tried to create a zip file of the same name as the malware and send
> it from gmail and the ZIP file was detected immediately by MailScanner,
> so we were not able to reproduce the problem strictly by name. Now that
> F-prot is detecting this, its getting dropped for containing a virus,
> and we can really cannot test further in our production environment. We
> took this into our lab, but we were not testing with the exact same
> version of MailScanner and we were not able to recreate the problem.
In
> our minds, whether MailScanner could detect the virus or not, it should
> have detected the ZIP and/or EXE and rejected it for this reason alone.

Being as MailScanner caught it on the way out - I suspect you have a ruleset somewhere that was bypassing the scans for the hosts that were sending them.

Look for rulesets on:

Dangerous Content Scanning
Maximum Archive Depth (make sure this isn't set to 0)
Find Archives By Content
Archives: Allow Filenames
Archives: Deny Filenames
Archives: Filename Rules

If that doesn't yield anything - then I would set:

Log Permitted Filenames = yes

And then if one comes through you can simply look at the logs and see if the file was even noticed by MailScanner (which it wouldn't be if Maximum Archive Depth = 0 or if the file is hitting an allow rule).

The important thing when testing is that you emulate the client that sent the message exactly. Same IP, HELO/EHLO, MAIL FROM, RCPT TO and message data. If you are using Postfix then you can use XCLIENT to emulate the IP of the sender e.g. XCLIENT ADDR=1.2.3.4

Alternatively - you can use the ruleset tester, but then you're only testing one rule by hand e.g.:

[root at mta41 ~]# MailScanner --value="Maximum Archive Depth" --from=foo at bar.com --to=smf at fsl.com --ip 1.2.3.4
Looked up internal option name "maxzipdepth"
With sender = foo at bar.com
recipient = smf at fsl.com
Client IP = 1.2.3.4
Virus =
Result is "3"

Hope that points you in the right direction.

Kind regards,
Steve.

From sbanderson at impromed.com Wed Oct 16 15:29:01 2013
From: sbanderson at impromed.com (Scott B. Anderson)
Date: Wed, 16 Oct 2013 14:29:01 +0000
Subject: ZIP file attachment not recognized and therefore no file check performed
In-Reply-To: <525E94FD.4050700@polr.com>
References: <525E94FD.4050700@polr.com>
Message-ID: <0ae585a47b1f4bcb9db78887b617b344@ES4.impromed.com>

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Tony Larco
> Sent: Wednesday, October 16, 2013 8:31 AM
> To: mailscanner at lists.mailscanner.info
> Subject: ZIP file attachment not recognized and therefore no file check
> performed
>
> I apologize if this has been answered in another thread. I did spend quite some
> time poking through the archived mailing list articles, the MailScanner docs, and
> googling around, but we are just stumped and are hoping a MailScanner guru
> could enlighten us about this situation.
>
> First, we are running the following (from /usr/sbin/MailScanner -v) - This is SUSE
> Linux Enterprise Server 10 (x86_64) This is Perl version 5.008008 (5.8.8) This is
> MailScanner version 4.78.17 Using F-Prot for AV scanning
>
> High level overview - We use Barracuda's for our mail gateways that hand off to
> MailScanner before getting routed to the appropriate mail server for delivery.
> This solution has worked great for years, but last week something strange
> happened that we cannot figure out.
>
> On Friday we started receiving emails that contained some kind of 0-day
> malware. The Barracudas were blocking some of these email, but based on score
> and not on the emails containing a virus. Later in the day Barracuda started
> recognizing the virus so the problem was mitigated at the mail gateway, but some
> did slip by the first line of defense and were passed to MailScanner.
>
> The attachment was a zipped up EXE file, but something was unique about these
> messages.
We block ZIP and EXE files to most of our users, but our MailScanner
> instance was not acknowledging these emails contained a ZIP file and therefore
> not doing the "Filename Check". What is very interesting is when MailScanner
> delivered the email to an invalid recipient and it was bounced back to the sender,
> MailScanner detected the existence of a ZIP file and blocked it on the way out!
> But not on the way in! This is the heart of the issue... how can we determine why
> these messages were not interrogated while other (legit) zip files were being
> rejected at the same time?
>
> We observed these emails were encoded with windows-1251 encoding
> (http://en.wikipedia.org/wiki/Windows-1251) and the content type of the
> attachment was simply "Content Type ;" Other than that, we did not see
> anything out of the ordinary with these emails.
>
> We tried to create a zip file of the same name as the malware and send it from
> gmail and the ZIP file was detected immediately by MailScanner, so we were not
> able to reproduce the problem strictly by name. Now that F-prot is detecting
> this, its getting dropped for containing a virus, and we can really cannot test
> further in our production environment. We took this into our lab, but we were
> not testing with the exact same version of MailScanner and we were not able to
> recreate the problem. In our minds, whether MailScanner could detect the virus
> or not, it should have detected the ZIP and/or EXE and rejected it for this reason
> alone.
>
> Any information about this issue would be greatly appreciated.
> Management is now questioning the usefulness of MailScanner versus some
> commercial offering, but I believe in FOSS. Thank you in advance for taking the
> time to read this post!
>
> Regards,
>
> Tony
>

I believe I have had the same behavior from MailScanner 4.84.3 and 4.84.5 recently.
-- However, since I use ESET, it is unpacking and scanning the archives even if TNEF or other MS-related perl module is failing to do so.

The other thing I set is to not deliver password protected archives. (I quarantine just in case someone needs one)

Can you extract the 0day executable to your Mailscanner server and run the 'file' command on it? I wonder if the magic detection in file is failing to see it as either an executable or an archive file.

Scott

...
-- ImproMed LLC --

From alex at vidadigital.com.pa Wed Oct 16 15:53:38 2013
From: alex at vidadigital.com.pa (Alex Neuman van der Hans)
Date: Wed, 16 Oct 2013 09:53:38 -0500
Subject: ZIP file attachment not recognized and therefore no file check performed
In-Reply-To: <525E94FD.4050700@polr.com>
References: <525E94FD.4050700@polr.com>
Message-ID:

It's not the first time I've encountered problems with a similar setup. Barracuda gateways mangle the e-mails in unpredictable, nonstandard ways - first of which being that all e-mail appears to come from the gateway, making IP-based blocklists using "fail2ban" difficult, just to give one example.

I'd personally rather depend on an open source system that *does* work, like MailScanner; I would question the usefulness of a Barracuda mail gateway that not only is useless against 0-day exploits, but also mangles e-mail in unpredictable ways "breaking" other lines of defense instead of working in tandem.

MailScanner does archiving, MCP, and a bunch of other things that Barracuda either doesn't do outright or charges through the nose to do.

Your lab may have a different configuration; it may be that you have a rule such as "accept e-mail from 192.168.x.y as is" and you're not really scanning the way you believe you are. Assume nothing.

You mention you've tried sending from GMail. Have you tried reproducing the actual, real environment the originals were sent in? GMail is probably "doing things right" and not sending "weird" e-mails.
Perhaps you'd have to go as far as infecting a VM and seeing what it does.

Do you accept TNEF? It's also unpredictable enough to be used by some virus writers since only Microsoft understands it - and not 100% at that. Is the exploit TNEF-encoded?

Perhaps with some additional details regarding the nature of the "0-day" we can look further into it.

... and at least, with MailScanner, you get real help from real users, not boilerplate "it's not my problem" e-mails from a manufacturer that doesn't really care about your problems.

--

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

On Oct 16, 2013, at 8:30 AM, Tony Larco wrote:

> I apologize if this has been answered in another thread. I did spend quite some time poking through the archived mailing list articles, the MailScanner docs, and googling around, but we are just stumped and are hoping a MailScanner guru could enlighten us about this situation.
>
> First, we are running the following (from /usr/sbin/MailScanner -v) -
> This is SUSE Linux Enterprise Server 10 (x86_64)
> This is Perl version 5.008008 (5.8.8)
> This is MailScanner version 4.78.17
> Using F-Prot for AV scanning
>
> High level overview - We use Barracuda's for our mail gateways that hand off to MailScanner before getting routed to the appropriate mail server for delivery. This solution has worked great for years, but last week something strange happened that we cannot figure out.
>
> On Friday we started receiving emails that contained some kind of 0-day malware. The Barracudas were blocking some of these emails, but based on score and not on the emails containing a virus. Later in the day Barracuda started recognizing the virus so the problem was mitigated at the mail gateway, but some did slip by the first line of defense and were passed to MailScanner.
>
> The attachment was a zipped up EXE file, but something was unique about these messages. We block ZIP and EXE files to most of our users, but our MailScanner instance was not acknowledging these emails contained a ZIP file and therefore not doing the "Filename Check". What is very interesting is when MailScanner delivered the email to an invalid recipient and it was bounced back to the sender, MailScanner detected the existence of a ZIP file and blocked it on the way out! But not on the way in! This is the heart of the issue... how can we determine why these messages were not interrogated while other (legit) zip files were being rejected at the same time?
>
> We observed these emails were encoded with windows-1251 encoding (http://en.wikipedia.org/wiki/Windows-1251) and the content type of the attachment was simply "Content Type ;" Other than that, we did not see anything out of the ordinary with these emails.
>
> We tried to create a zip file of the same name as the malware and send it from gmail and the ZIP file was detected immediately by MailScanner, so we were not able to reproduce the problem strictly by name. Now that F-prot is detecting this, it's getting dropped for containing a virus, and we really cannot test further in our production environment. We took this into our lab, but we were not testing with the exact same version of MailScanner and we were not able to recreate the problem. In our minds, whether MailScanner could detect the virus or not, it should have detected the ZIP and/or EXE and rejected it for this reason alone.
>
> Any information about this issue would be greatly appreciated. Management is now questioning the usefulness of MailScanner versus some commercial offering, but I believe in FOSS. Thank you in advance for taking the time to read this post!
>
> Regards,
>
> Tony
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From rlopezcnm at gmail.com Wed Oct 16 19:24:37 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Wed, 16 Oct 2013 12:24:37 -0600
Subject: Could not parse Outlook Rich Text attachment
In-Reply-To: <525DCAF5.6060208@msapiro.net>
References: <525D7A05.1050805@msapiro.net> <525DCAF5.6060208@msapiro.net>
Message-ID:

Mark, thanks for the testing. I used all three. It is good to know less is sufficient.

On Tue, Oct 15, 2013 at 5:08 PM, Mark Sapiro wrote:

> On 10/15/2013 12:10 PM, Robert Lopez wrote:
> > Mark,
> >
> > With respect to your statement "I think what 'should' happen with this
> > message is the winmail.dat is unscanned and the mail with the
> > winmail.dat is delivered."
> >
> > Will these configuration statements do what you think "should" happen?:
> >
> > Expand TNEF = no
> > Use TNEF Contents = no
> > Deliver Unparsable TNEF = yes
>
>
> Those will do, and I just tested and just
>
> Expand TNEF = no
>
> is sufficient.
>
> --
> Mark Sapiro                           The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131016/edb009a7/attachment.html

From steveb_clamav at sanesecurity.com Wed Oct 16 20:28:35 2013
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Wed, 16 Oct 2013 20:28:35 +0100
Subject: ZIP file attachment not recognized and therefore no file check performed
In-Reply-To: <525E94FD.4050700@polr.com>
References: <525E94FD.4050700@polr.com>
Message-ID: <4c7a509d2b543f17bb24a497f2aa76ec.squirrel@sanesecurity.com>

> On Friday we started receiving emails that contained some kind of 0-day
> malware. The Barracudas were blocking some of these emails, but based on
> score and not on the emails containing a virus. Later in the day
> Barracuda started recognizing the virus so the problem was mitigated at
> the mail gateway, but some did slip by the first line of defense and
> were passed to MailScanner.
>

Not sure this is what you want to do but you could add-in ClamAV and then add-on Sanesecurity signatures:

rogue.hdb is updated at least hourly with md5 of current emailed malware, phish.hdb will block known and some simple guess-worked content of bad stuff in zip/rar files.

If you want to go one stage further... add-in foxhole_generic.cdb to block double extensions in zip/rar/7zip or foxhole_all.cdb which will block anything bad in zip/rar/7zip... more info here:

http://sanesecurity.com/foxhole-databases/

More sig databases here:
http://sanesecurity.com/usage/signatures/

Download Scripts here:
http://sanesecurity.com/usage/linux-scripts/

If you have a full/header of the missed/mangled malware and you can give me a download link for it (pastebin etc.) I'll take a look... see if any sigs could be tweaked to detect it in the future...

Here's an example stat of stuff being detected:
http://comms.oucs.ox.ac.uk/images/stats/relay/virus-day.png

Sorry for the length of post... or if it's a little off-topic...
Cheers,

Steve
Sanesecurity.com

From stephencoxmail at gmail.com Thu Oct 17 12:56:08 2013
From: stephencoxmail at gmail.com (Stephen Cox)
Date: Thu, 17 Oct 2013 13:56:08 +0200
Subject: bad phishing sites/Scamnailer updates missing?
In-Reply-To: <525D8AED.1080106@msapiro.net>
References: <525D8AED.1080106@msapiro.net>
Message-ID:

On Tue, Oct 15, 2013 at 8:35 PM, Mark Sapiro wrote:

> Now there is a new problem: All the data and updates are working, but
> there have been no new sites/domains added to the list since "This file
> was generated at Thu Oct 10 00:44:45 BST 2013" (over 5 days ago).
>

There was a hosting fault again and the problem should now be fixed with the next scheduled generation if not already.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131017/7b73a295/attachment.html

From mark at msapiro.net Thu Oct 17 15:13:24 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 17 Oct 2013 07:13:24 -0700
Subject: bad phishing sites/Scamnailer updates missing?
In-Reply-To:
References: <525D8AED.1080106@msapiro.net>
Message-ID: <525FF084.3070907@msapiro.net>

On 10/17/2013 04:56 AM, Stephen Cox wrote:
> On Tue, Oct 15, 2013 at 8:35 PM, Mark Sapiro
> wrote:
>
> Now there is a new problem: All the data and updates are working, but
> there have been no new sites/domains added to the list since "This file
> was generated at Thu Oct 10 00:44:45 BST 2013" (over 5 days ago).
>
>
> There was a hosting fault again and the problem should now be fixed with
> the next scheduled generation if not already.

Yes, it is working again.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From rlopezcnm at gmail.com Fri Oct 18 19:47:41 2013
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri, 18 Oct 2013 12:47:41 -0600
Subject: I need help from system admin of www.mailscanner.info
Message-ID:

For over 4 weeks I have not been able to connect to www.mailscanner.info from any system that uses my colleges' main campus Time Warner Internet circuits. Some remote CNM campuses which use CenturyLink Internet circuits are able to connect to mailscanner.info.

Time Warner suggest the problem is possibly at ae-6-6.car1.dublin3.level3.net (4.69.148.53)

Level Three Communications in USA say I must get traceroute output executed on 78.153.201.155 and tracing the routes to CNM addresses 198.133.178.17 and 198.133.178.18.

Would someone please do that and send me the output?

Thank you.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131018/60d7340a/attachment.html

From email at ace.net.au Sat Oct 19 15:57:31 2013
From: email at ace.net.au (Peter Nitschke)
Date: Sun, 20 Oct 2013 01:27:31 +1030
Subject: bad phishing sites/Scamnailer updates missing?
In-Reply-To:
References: <525D8AED.1080106@msapiro.net>
Message-ID: <201310200127310569.396A2BB0@web.ace.net.au>

I had just about given up on this.

Many thanks!

*********** REPLY SEPARATOR ***********

On 17/10/2013 at 1:56 PM Stephen Cox wrote:

>On Tue, Oct 15, 2013 at 8:35 PM, Mark Sapiro wrote:
>
>> Now there is a new problem: All the data and updates are working, but
>> there have been no new sites/domains added to the list since "This file
>> was generated at Thu Oct 10 00:44:45 BST 2013" (over 5 days ago).
>>
>
>There was a hosting fault again and the problem should now be fixed with
>the next scheduled generation if not already.
>
>--
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

From ryan.virgo at gmail.com Mon Oct 21 10:21:08 2013
From: ryan.virgo at gmail.com (Ryan Braganza)
Date: Mon, 21 Oct 2013 14:51:08 +0530
Subject: unknown string gstimedout
Message-ID:

Dear All,

I see the below line in my maillogs, could someone please help me in understanding what it means?

"Looked up unknown string gstimedout in language translation file /etc/MailScanner/reports/en/languages.conf
Custom Spam Scanner for message 0765027766C.AF19F from 123.161.215.134 ( xyz at abc.com ) to qwer.com report is 0 gstimedout"

The MS version that I am running is mailscanner-4.84.6-1

--
--------------------------------------------------------------------------------------------------------------------------------------
*"Motorcycle scars have the strange power to remind us that our past is real."*
--------------------------------------------------------------------------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131021/9c762dca/attachment.html

From housey at sme-ecom.co.uk Tue Oct 22 14:06:25 2013
From: housey at sme-ecom.co.uk (housey at sme-ecom.co.uk)
Date: Tue, 22 Oct 2013 14:06:25 +0100
Subject: Using DetectPUA yes in clamd.conf
Message-ID:

Hi

I use MailScanner with clamd

I've had a few instances recently (2 today) where some emails with infected msword attachments got through to some end users.

Sophos running on the users desktops detected Exp/20120158-A in the attachments.
I got hold of the attachments and ran through clamdscan which didn't detect any viruses

[root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK

I then enabled "DetectPUA yes" in clamd.conf and now it detects a possible virus

[root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND

I found this on the clamav web site - it's quite an old article and does say not to use in production environments.

http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/

I'm thinking about enabling DetectPUA in clamd.conf but adding PUA* to the directive "Virus Names Which Are Spam" in /etc/MailScanner/MailScanner.conf - so it's treated as spam rather than a virus (so it's quarantined as I delete viruses).

Has anyone any experience of using DetectPUA?

Thanks

Paul

From maxsec at gmail.com Tue Oct 22 15:31:00 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 22 Oct 2013 15:31:00 +0100
Subject: Using DetectPUA yes in clamd.conf
In-Reply-To:
References:
Message-ID:

had the same question to the clamav list about a month ago, and also about what the heck the different settings you can use are.

basically safe to use, but the documentation is sorely lacking as to what PUA types you might want to scan for.....eg dailies show..
PUA.Crypt.ScriptCryptor
PUA.CVE_2007_0214
PUA.CVE_2007_0325
PUA.CVE_2007_1498
PUA.CVE_2011_3397
PUA.CVE_2012_1419
PUA.CVE_2012_1421
PUA.CVE_2012_1423
PUA.CVE_2012_1430
PUA.CVE_2012_1431
PUA.EmbeddedJSinOCXinWordDoc
PUA.Everyzone
PUA.Exploit.HeapSpray
PUA.EXPLOIT_CVE_2006_4701
PUA.Game
PUA.HTML
PUA.IRC
PUA.JS
PUA.Keylogger-1
PUA.Keylogger-2
PUA.Keylogger-3
PUA.Keylogger-4
PUA.Liveplayer
PUA.Liveplayer-1
PUA.Liveplayer-2
PUA.Mydoomer
PUA.NetTool
PUA.OLE.EmbeddedPDF
PUA.Packed
PUA.PDF
PUA.PwTool
PUA.RAT
PUA.Reboot
PUA.RelevantKnowledge
PUA.RelevantKnowledge-1
PUA.RFT.EmbeddedOLE
PUA.Script
PUA.Server.PsyBNC
PUA.Spy
PUA.Tool
PUA.Trojan.PHP
PUA.USBCillin
PUA.VmAvoid
PUA.Win32.Packer.22bAn

some are obviously named but 'reboot'?????

--
Martin Hepworth, CISSP
Oxford, UK

On 22 October 2013 14:06, wrote:

> Hi
>
> I use MailScanner with clamd
>
> I've had a few instances recently (2 today) where some emails with
> infected msword attachments got through to some end users.
>
> Sophos running on the users desktops detected Exp/20120158-A in the
> attachments.
>
> I got hold of the attachments and ran through clamdscan which didn't
> detect any viruses
>
> [root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
> /tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK
>
> I then enabled "DetectPUA yes" in clamd.conf and now it detects a
> possible virus
>
> [root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
> /tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND
>
> I found this on the clamav web site - it's quite an old article and does
> say not to use in production environments.
>
>
> http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/
>
> I'm thinking about enabling DetectPUA in clamd.conf but adding PUA* to
> the directive "Virus Names Which Are Spam" in
> /etc/MailScanner/MailScanner.conf - so it's treated as spam rather than
> a virus (so it's quarantined as I delete viruses).
>
> Has anyone any experience of using DetectPUA?
>
> Thanks
>
> Paul
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131022/bae9c53d/attachment.html

From richard at fastnet.co.uk Thu Oct 24 11:59:35 2013
From: richard at fastnet.co.uk (Richard Mealing)
Date: Thu, 24 Oct 2013 10:59:35 +0000
Subject: Using DetectPUA yes in clamd.conf
In-Reply-To:
References:
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EA02D0E@BTN-EXCHANGE-V1.fastnet.local>

Hi Martin,

This is quite interesting to me. I've previously added PUA support but it's always been too aggressive.

Are the below all the rules that PUA uses, or are these recommended ones to include?

Thanks,
Rich

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: 22 October 2013 15:31
To: MailScanner discussion
Subject: Re: Using DetectPUA yes in clamd.conf

had the same question to the clamav list about a month ago, and also about what the heck the different settings you can use are.

basically safe to use, but the documentation is sorely lacking as to what PUA types you might want to scan for.....eg dailies show..
PUA.Crypt.ScriptCryptor
PUA.CVE_2007_0214
PUA.CVE_2007_0325
PUA.CVE_2007_1498
PUA.CVE_2011_3397
PUA.CVE_2012_1419
PUA.CVE_2012_1421
PUA.CVE_2012_1423
PUA.CVE_2012_1430
PUA.CVE_2012_1431
PUA.EmbeddedJSinOCXinWordDoc
PUA.Everyzone
PUA.Exploit.HeapSpray
PUA.EXPLOIT_CVE_2006_4701
PUA.Game
PUA.HTML
PUA.IRC
PUA.JS
PUA.Keylogger-1
PUA.Keylogger-2
PUA.Keylogger-3
PUA.Keylogger-4
PUA.Liveplayer
PUA.Liveplayer-1
PUA.Liveplayer-2
PUA.Mydoomer
PUA.NetTool
PUA.OLE.EmbeddedPDF
PUA.Packed
PUA.PDF
PUA.PwTool
PUA.RAT
PUA.Reboot
PUA.RelevantKnowledge
PUA.RelevantKnowledge-1
PUA.RFT.EmbeddedOLE
PUA.Script
PUA.Server.PsyBNC
PUA.Spy
PUA.Tool
PUA.Trojan.PHP
PUA.USBCillin
PUA.VmAvoid
PUA.Win32.Packer.22bAn

some are obviously named but 'reboot'?????

--
Martin Hepworth, CISSP
Oxford, UK

On 22 October 2013 14:06, wrote:

Hi

I use MailScanner with clamd

I've had a few instances recently (2 today) where some emails with infected msword attachments got through to some end users.

Sophos running on the users desktops detected Exp/20120158-A in the attachments.

I got hold of the attachments and ran through clamdscan which didn't detect any viruses

[root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK

I then enabled "DetectPUA yes" in clamd.conf and now it detects a possible virus

[root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
/tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND

I found this on the clamav web site - it's quite an old article and does say not to use in production environments.

http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/

I'm thinking about enabling DetectPUA in clamd.conf but adding PUA* to the directive "Virus Names Which Are Spam" in /etc/MailScanner/MailScanner.conf - so it's treated as spam rather than a virus (so it's quarantined as I delete viruses).

Has anyone any experience of using DetectPUA?
Thanks

Paul

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131024/2a6b8019/attachment.html

From maxsec at gmail.com Thu Oct 24 14:54:31 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu, 24 Oct 2013 14:54:31 +0100
Subject: Using DetectPUA yes in clamd.conf
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EA02D0E@BTN-EXCHANGE-V1.fastnet.local>
References: <6EE47AF64C339A4F8F7F50507241B3795EA02D0E@BTN-EXCHANGE-V1.fastnet.local>
Message-ID:

Those were all the test names from a couple of weeks ago. No explanation of what the tests look for just the names..

I'd like to tweak mine up a bit and use the PUA's but without adequate doc/info it's hard to decide just what I want to test against.

--
Martin Hepworth, CISSP
Oxford, UK

On 24 October 2013 11:59, Richard Mealing wrote:

> Hi Martin,
>
> This is quite interesting to me. I've previously added PUA support but
> it's always been too aggressive.
>
> Are the below all the rules that PUA uses, or are these recommended ones
> to include?
>
> Thanks,
>
> Rich
>
> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Martin Hepworth
> *Sent:* 22 October 2013 15:31
> *To:* MailScanner discussion
> *Subject:* Re: Using DetectPUA yes in clamd.conf
>
> had the same question to the clamav list about a month ago, and also about
> what the heck the different settings you can use are.
>
> basically safe to use, but the documentation is sorely lacking as to what
> PUA types you might want to scan for.....eg dailies show..
>
> PUA.Crypt.ScriptCryptor
> PUA.CVE_2007_0214
> PUA.CVE_2007_0325
> PUA.CVE_2007_1498
> PUA.CVE_2011_3397
> PUA.CVE_2012_1419
> PUA.CVE_2012_1421
> PUA.CVE_2012_1423
> PUA.CVE_2012_1430
> PUA.CVE_2012_1431
> PUA.EmbeddedJSinOCXinWordDoc
> PUA.Everyzone
> PUA.Exploit.HeapSpray
> PUA.EXPLOIT_CVE_2006_4701
> PUA.Game
> PUA.HTML
> PUA.IRC
> PUA.JS
> PUA.Keylogger-1
> PUA.Keylogger-2
> PUA.Keylogger-3
> PUA.Keylogger-4
> PUA.Liveplayer
> PUA.Liveplayer-1
> PUA.Liveplayer-2
> PUA.Mydoomer
> PUA.NetTool
> PUA.OLE.EmbeddedPDF
> PUA.Packed
> PUA.PDF
> PUA.PwTool
> PUA.RAT
> PUA.Reboot
> PUA.RelevantKnowledge
> PUA.RelevantKnowledge-1
> PUA.RFT.EmbeddedOLE
> PUA.Script
> PUA.Server.PsyBNC
> PUA.Spy
> PUA.Tool
> PUA.Trojan.PHP
> PUA.USBCillin
> PUA.VmAvoid
> PUA.Win32.Packer.22bAn
>
> some are obviously named but 'reboot'?????
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
> On 22 October 2013 14:06, wrote:
>
> Hi
>
> I use MailScanner with clamd
>
> I've had a few instances recently (2 today) where some emails with
> infected msword attachments got through to some end users.
>
> Sophos running on the users desktops detected Exp/20120158-A in the
> attachments.
>
> I got hold of the attachments and ran through clamdscan which didn't
> detect any viruses
>
> [root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
> /tmp/invoiceBQW8OYJDDGXIPN8H63.doc: OK
>
> I then enabled "DetectPUA yes" in clamd.conf and now it detects a
> possible virus
>
> [root at servera ~]# clamdscan -v /tmp/invoiceBQW8OYJDDGXIPN8H63.doc
> /tmp/invoiceBQW8OYJDDGXIPN8H63.doc: PUA.RFT.EmbeddedOLE FOUND
>
> I found this on the clamav web site - it's quite an old article and does
> say not to use in production environments.
>
>
> http://www.clamav.net/lang/en/2007/09/03/detection-of-potentially-unwanted-applications/
>
> I'm thinking about enabling DetectPUA in clamd.conf but adding PUA* to
> the directive "Virus Names Which Are Spam" in
> /etc/MailScanner/MailScanner.conf - so it's treated as spam rather than
> a virus (so it's quarantined as I delete viruses).
>
> Has anyone any experience of using DetectPUA?
>
> Thanks
>
> Paul
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131024/7909c545/attachment.html

From mark at msapiro.net Thu Oct 24 23:18:46 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 24 Oct 2013 15:18:46 -0700
Subject: unknown string gstimedout
In-Reply-To:
References:
Message-ID: <52699CC6.8080205@msapiro.net>

On 10/21/2013 02:21 AM, Ryan Braganza wrote:
> Dear All,
> I see the below line in my maillogs, could someone please help me in
> understanding what it means?
>
> Custom Spam Scanner for message 0765027766C.AF19F from 123.161.215.134
> (xyz at abc.com ) to qwer.com report
> is 0 gstimedout"

You have configured the Custom Spam Scanner Plugin in your MailScanner configuration, i.e.

Use Custom Spam Scanner = yes

and the invocation of MailScanner/CustomFunctions/GenericSpamScanner.pm apparently timed out.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From firas73737 at yahoo.com Sun Oct 27 17:25:18 2013
From: firas73737 at yahoo.com (Golden Shadow)
Date: Sun, 27 Oct 2013 10:25:18 -0700 (PDT)
Subject: MailScanner with sendmail configured to use a smart host
Message-ID: <1382894718.9602.YahooMailNeo@web162602.mail.bf1.yahoo.com>

Hello there,

I'm using sendmail as the MTA on my mail server. I have installed MailScanner with SpamAssassin and everything is working well.

Now, I'd like to configure my MTA to send mail to a smart host, I know this can be done by adding the following to sendmail.mc:

define(`SMART_HOST', `smtp.your.provider')dnl

But I have one question: Would that affect the work of MailScanner?

Thanks in advance for your help guys!

Regards,
Firas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131027/e4c134d3/attachment.html

From alex at vidadigital.com.pa Mon Oct 28 00:12:47 2013
From: alex at vidadigital.com.pa (Alex Neuman van der Hans)
Date: Sun, 27 Oct 2013 19:12:47 -0500
Subject: MailScanner with sendmail configured to use a smart host
In-Reply-To: <1382894718.9602.YahooMailNeo@web162602.mail.bf1.yahoo.com>
References: <1382894718.9602.YahooMailNeo@web162602.mail.bf1.yahoo.com>
Message-ID: <605C29CB-32F2-4368-88F6-E38246822102@vidadigital.com.pa>

It would not affect MailScanner at all.

--

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

On Oct 27, 2013, at 12:25 PM, Golden Shadow wrote:

> Hello there,
>
> I'm using sendmail as the MTA on my mail server. I have installed MailScanner with SpamAssassin and everything is working well.
>
> Now, I'd like to configure my MTA to send mail to a smart host, I know this can be done by adding the following to sendmail.mc:
> define(`SMART_HOST', `smtp.your.provider')dnl
>
> But I have one question: Would that affect the work of MailScanner?
>
> Thanks in advance for your help guys!
> Regards,
> Firas
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From mogens at fumlersoft.dk Thu Oct 31 00:02:53 2013
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Thu, 31 Oct 2013 01:02:53 +0100 (CET)
Subject: No subject
Message-ID: <42036.ab040c73.1383177773.nsm@mail.trader-internet.dk>

Guys,

Did I miss something? I got this in my inbox today, and that's clearly a very poor phishing attempt.

I think I have all scanners ON, local and remote ??
The offending text "Vi afgør, at nogen kan bruge dit kort uden din tilladelse. Til din beskyttelse, har vi spærret dit kreditkort. For at reaktivere dit kort:<br> - Åben, vil du blive bedt om at følge et sæt af instruktioner. <br> Bemærk: Hvis dette ikke er afsluttet, vil vi blive tvunget til på ubestemt tid afbryde dit kort, fordi det kan bruges til svindel."

In very poor Danish language.

Me, personally, I don't give a .... about stuff like this, but there are casualties in this war.

If you need information, I will not delete the thing for a few days.

--
Mogens Melander
+66 8701 33224

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mogens at fumlersoft.dk Thu Oct 31 07:18:13 2013
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Thu, 31 Oct 2013 08:18:13 +0100 (CET)
Subject: Poor attempt not caught by MS
In-Reply-To: <42036.ab040c73.1383177773.nsm@mail.trader-internet.dk>
References: <42036.ab040c73.1383177773.nsm@mail.trader-internet.dk>
Message-ID: <49982.ab040c73.1383203893.nsm@mail.trader-internet.dk>

This is what the offending message should have looked like:

RFC822 Message body

Return-Path: <anonymous at vs1145129.vserver.de>
Received: from host.example.com ([unix socket])
    by host (Cyrus v2.4.8) with LMTPA;
    Wed, 30 Oct 2013 10:27:33 +0100
X-Sieve: CMU Sieve 2.4
TIT-Spam-Status: No
X-MCP-Status: No
X-SERVER-MailScanner-Watermark: 1383730033.43434 at EC969u/D5IrTzzq2yL0YFQ
X-SERVER-MailScanner-From: anonymous at vs1145129.vserver.de
X-SERVER-MailScanner-SpamScore: 3.39
X-SERVER-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=3.393,
    required 5, BAYES_50 2.00, HTML_MESSAGE 0.00,
    HTML_MIME_NO_HTML_TAG 0.38, MIME_HEADER_CTYPE_ONLY 0.72,
    MIME_HTML_ONLY 0.72, RP_MATCHES_RCVD -0.44,
    T_KHOP_FOREIGN_CLICK 0.01, URIBL_BLOCKED 0.00)
X-SERVER-MailScanner-MCPCheck: MCP-Clean, MCP-Checker (score=0, required 1)
X-SERVER-MailScanner: Found to be clean
X-SERVER-MailScanner-ID:
    r9U9R7BA001135
X-SERVER-MailScanner-Information: Please contact ISP for more information
Received: from vs1145129.vserver.de (vs1145129.vserver.de [62.75.145.129])
    by host.example.com (8.14.4/8.14.4) with ESMTP id r9U9R7BA001135
    for <user at example.com>; Wed, 30 Oct 2013 10:27:07 +0100
Received: (qmail 32708 invoked by uid 30); 30 Oct 2013 08:08:46 +0100
Date: 30 Oct 2013 08:08:46 +0100
Message-ID: <20131030070846.32706.qmail at vs1145129.vserver.de>
To: user at example.com
Subject: Reaktivere dit kort !
From: security <noreply at bank-email.37.dk>
Content-Type: text/html
X-Greylist: delayed for 01:29:57 at (host.example.com [111.222.333.444])
    for <user at example.com> by smf-grey v2.1.0 - http://smfs.sf.net/
MIME-Version: 1.0

<td style="font-weight: normal; font-size: 0.9em; color: #00249f; font-family: Arial,helvetica,sans; padding:6px; text-align:left;" width="324">
Kære kunde, <br> <br>
Vi afgør, at nogen kan bruge dit kort uden din tilladelse. Til din beskyttelse, har vi spærret dit kreditkort. For at reaktivere dit kort:<br>
- Åben, vil du blive bedt om at følge et sæt af instruktioner. <br>
Bemærk: Hvis dette ikke er afsluttet, vil vi blive tvunget til på ubestemt tid afbryde dit kort, fordi det kan bruges til svindel.
<p align="center"> <a href="http://glennwilliamsconstruction.com/.dr/dr.php">Klik Her</a></p><br> <br>
Vi sætter pris på dit samarbejde i denne sag. <br>
Tak! <br>
</td> </tr>
<br />-- <br />

On Thu, October 31, 2013 01:02, Mogens Melander wrote:
> Guys,
>
> Did I miss something? I got this in my inbox today,
> and that's clearly a very poor phishing attempt.
>
> </head><frameset cols="270, *" id="fs1">
> <frame src="left_main.php" name="left" frameborder="1">
> <frame src="right_main.php" name="right" frameborder="1">
> <noframes>
>
> I think I have all scanners ON, local and remote ??
>
> The offending text "Vi afgør, at nogen kan bruge dit kort uden din
> tilladelse. Til din beskyttelse, har vi spærret dit kreditkort.
For at > reaktivere dit kort:<br> - > ?ben, vil du blive bedt om at f?lge et s?t af instruktioner. <br> Bem?rk: > Hvis dette ikke er afsluttet, vil vi blive tvunget til p? ubestemt tid > afbryde dit > kort, fordi det kan bruges til svindel." > > In very poor Danish language. > > Me, personally, I don't give a .... about stuff like this, but > there are causalities in this war. > > If you need information, I will not delete the thing for a few days. > > -- > Mogens Melander > +66 8701 33224 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Mogens Melander +66 8701 33224 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mejaz at cyberia.net.sa Thu Oct 31 09:41:49 2013 From: mejaz at cyberia.net.sa (Ejaz) Date: Thu, 31 Oct 2013 12:41:49 +0300 Subject: mails-processing-problem Message-ID: <2CE7838EB6C148A2ADBC721AEDDF7E93@EJAZ> Our mail scanners has started behaving very strange. It's not processing g any emails anymore only saying for each mail in the queue and with the below error. Our setup, Mailscanner/postfix/clamav/spamassasin. Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310 1. 
MailScanner --lint (reports below problem) > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-mydomain-MailScanner-From 2. spamassassin -lint (silently comes to next prompt) Any help would highly appreciated. Regards, __________________ Mohammed Ejaz Sr,Systems Administrator Middle East Internet Company (CYBERIA) Riyadh, Saudi Arabia Phone: +966-1-4647114 Ext: 140 Mobile +966-562311787 Fax: +966-1-4654735 E-mail: mejaz at cyberia.net.sa -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131031/5db520c4/attachment.html From maxsec at gmail.com Thu Oct 31 11:12:26 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Thu, 31 Oct 2013 11:12:26 +0000 Subject: mails-processing-problem In-Reply-To: <2CE7838EB6C148A2ADBC721AEDDF7E93@EJAZ> References: <2CE7838EB6C148A2ADBC721AEDDF7E93@EJAZ> Message-ID: <CAGDKorLFM35_GLHMiKPOe+1u=xJ+7pVJy71AbDHtCCxkU9u6Kw@mail.gmail.com> Whats changed? updated the server? what does a debug show you and fix that error in the MailScanner Lint.. -- Martin Hepworth, CISSP Oxford, UK On 31 October 2013 09:41, Ejaz <mejaz at cyberia.net.sa> wrote: > ** ** ** > > ** ** > > ** ** > > Our mail scanners has started behaving very strange. It?s not processing g > any emails anymore only saying for each mail in the queue and with the > below error. **** > > ** ** > > ** ** > > Our setup,**** > > ** ** > > Mailscanner/postfix/clamav/spamassasin. > > Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message > p8JHBZlF011310 as it has been attempted too many times > Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 > as it caused MailScanner to crash several times > Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to > /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310 > > > > 1. 
MailScanner --lint (reports below problem)**** > > ** ** > > > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf**** > > > ERROR: is not correct, it should match X-mydomain-MailScanner-From**** > > ** ** > > 2. spamassassin ?lint (silently comes to next prompt)**** > > ** ** > > Any help would highly appreciated. **** > > ** ** > > Regards, > __________________ > Mohammed Ejaz > Sr,Systems Administrator > Middle East Internet Company (CYBERIA) > ****Riyadh**, **Saudi Arabia**** > Phone: +966-1-4647114 Ext: 140 > Mobile +966-562311787 > Fax: +966-1-4654735 > E-mail: mejaz at cyberia.net.sa**** > > ** ** > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131031/fccfb272/attachment.html From mejaz at cyberia.net.sa Thu Oct 31 11:36:12 2013 From: mejaz at cyberia.net.sa (Ejaz) Date: Thu, 31 Oct 2013 14:36:12 +0300 Subject: mails-processing-problem In-Reply-To: <CAGDKorLFM35_GLHMiKPOe+1u=xJ+7pVJy71AbDHtCCxkU9u6Kw@mail.gmail.com> References: <2CE7838EB6C148A2ADBC721AEDDF7E93@EJAZ> <CAGDKorLFM35_GLHMiKPOe+1u=xJ+7pVJy71AbDHtCCxkU9u6Kw@mail.gmail.com> Message-ID: <A8D7714A632D4B4CB9FCB852F73EEAC1@EJAZ> Thanks for your answer. Newly installed server with Redhat linux 6. 
and MailScanner version is 4.84.6-1 When I ran the Mailscanner -debug I got below, rest is fine, Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185 Ejaz _____ From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Thursday, October 31, 2013 2:12 PM To: MailScanner discussion Subject: Re: mails-processing-problem Whats changed? updated the server? what does a debug show you and fix that error in the MailScanner Lint.. -- Martin Hepworth, CISSP Oxford, UK On 31 October 2013 09:41, Ejaz <mejaz at cyberia.net.sa> wrote: Our mail scanners has started behaving very strange. It's not processing g any emails anymore only saying for each mail in the queue and with the below error. Our setup, Mailscanner/postfix/clamav/spamassasin. Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310 1. MailScanner --lint (reports below problem) > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-mydomain-MailScanner-From 2. spamassassin -lint (silently comes to next prompt) Any help would highly appreciated. 
Regards, __________________ Mohammed Ejaz Sr,Systems Administrator Middle East Internet Company (CYBERIA) Riyadh, Saudi Arabia Phone: +966-1-4647114 Ext: 140 Mobile +966-562311787 <tel:%2B966-562311787> Fax: +966-1-4654735 E-mail: mejaz at cyberia.net.sa -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131031/bc27b93d/attachment.html From Denis.Beauchemin at usherbrooke.ca Thu Oct 31 12:31:46 2013 From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin) Date: Thu, 31 Oct 2013 12:31:46 +0000 Subject: phishing.bad.sites.conf Message-ID: <E4CD9F6A1A6FF745BCABA56BBD1008D5A477D8A8@XMBX03.sti.usherbrooke.ca> Hello, I just found out that the phishing.bad.sites.conf contains www.facebook.com. This file is kept up to date by /usr/sbin/update_bad_phishing_sites. Now who can remove www.facebook.com from the master file? If nobody can I will have to stop the auto-update. Thanks. Denis From phil.randal at hoopleltd.co.uk Thu Oct 31 13:26:26 2013 From: phil.randal at hoopleltd.co.uk (Randal, Phil) Date: Thu, 31 Oct 2013 13:26:26 +0000 Subject: phishing.bad.sites.conf In-Reply-To: <E4CD9F6A1A6FF745BCABA56BBD1008D5A477D8A8@XMBX03.sti.usherbrooke.ca> References: <E4CD9F6A1A6FF745BCABA56BBD1008D5A477D8A8@XMBX03.sti.usherbrooke.ca> Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B8541C177EE@HC-EXMBX04.herefordshire.gov.uk> Does adding it to phishing.safe.sites.conf have the required effect? 
Phil -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Denis Beauchemin Sent: 31 October 2013 12:32 To: 'MailScanner discussion' Subject: phishing.bad.sites.conf Hello, I just found out that the phishing.bad.sites.conf contains www.facebook.com. This file is kept up to date by /usr/sbin/update_bad_phishing_sites. Now who can remove www.facebook.com from the master file? If nobody can I will have to stop the auto-update. Thanks. Denis -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Hoople Ltd, Registered in England and Wales No. 7556595 Registered office: Plough Lane, Hereford, HR4 0LE "Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it." 
From Denis.Beauchemin at usherbrooke.ca Thu Oct 31 13:41:54 2013 From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin) Date: Thu, 31 Oct 2013 13:41:54 +0000 Subject: phishing.bad.sites.conf In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B8541C177EE@HC-EXMBX04.herefordshire.gov.uk> References: <E4CD9F6A1A6FF745BCABA56BBD1008D5A477D8A8@XMBX03.sti.usherbrooke.ca> <7CA580B59C1ABD45B4614ED90D4C7B8541C177EE@HC-EXMBX04.herefordshire.gov.uk> Message-ID: <E4CD9F6A1A6FF745BCABA56BBD1008D5A477EABA@XMBX03.sti.usherbrooke.ca> Good idea! I will add it to the file right away. Thanks. Denis -----Message d'origine----- De?: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] De la part de Randal, Phil Envoy??: 31 octobre 2013 09:34 ??: MailScanner discussion Objet?: RE: phishing.bad.sites.conf Does adding it to phishing.safe.sites.conf have the required effect? Phil -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Denis Beauchemin Sent: 31 October 2013 12:32 To: 'MailScanner discussion' Subject: phishing.bad.sites.conf Hello, I just found out that the phishing.bad.sites.conf contains www.facebook.com. This file is kept up to date by /usr/sbin/update_bad_phishing_sites. Now who can remove www.facebook.com from the master file? If nobody can I will have to stop the auto-update. Thanks. Denis -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Hoople Ltd, Registered in England and Wales No. 7556595 Registered office: Plough Lane, Hereford, HR4 0LE "Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. 
This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it." -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From barryc at rjlsystems.com Thu Oct 31 14:04:17 2013 From: barryc at rjlsystems.com (Barry Callahan) Date: Thu, 31 Oct 2013 10:04:17 -0400 Subject: phishing.bad.sites.conf In-Reply-To: <E4CD9F6A1A6FF745BCABA56BBD1008D5A477D8A8@XMBX03.sti.usherbrooke.ca> References: <E4CD9F6A1A6FF745BCABA56BBD1008D5A477D8A8@XMBX03.sti.usherbrooke.ca> Message-ID: <52726361.6070709@rjlsystems.com> Uhh... yes. Yes, it contains www.facebook.com. It also contains www.facebookprofileviewer.com You should not be getting any legitimate emails from facebook originating from either of those machine names. The email should be coming from a @facebookmail.com address. And chances are, the machine handing it off to your server will be mx-out.facebook.com. So, if you're getting email traffic claiming to come from www.facebook.com.... I doubt it's legitimate. #/*****************************\ #* Barry Callahan #* Technologist #* RJL Systems #* phone: 1 586 790 - 0200 x112 #* 1 800 528 - 4513 x112 #* fax: 1 586 790 - 0205 #\*****************************/ On 10/31/2013 8:31 AM, Denis Beauchemin wrote: > Hello, > > I just found out that the phishing.bad.sites.conf contains www.facebook.com. This file is kept up to date by /usr/sbin/update_bad_phishing_sites. 
> > Now who can remove www.facebook.com from the master file? If nobody can I will have to stop the auto-update. > > Thanks. > > Denis > > From Peter.Vroegop at compaxo.nl Thu Oct 31 14:14:16 2013 From: Peter.Vroegop at compaxo.nl (Peter Vroegop) Date: Thu, 31 Oct 2013 15:14:16 +0100 Subject: I Have a problem with installing Mailscanner Message-ID: <79EB1E4DC355EA49A85F5463BB25C45837C88E@srvexch02.compaxo.local> I Installed a centos 6.4 server. Installed sendmail-8.14.4-8.el6.x86_64 perl-5.10.1-131.el6_4.x86_64 wget-1.12-1.8.el6.x86_64 unzip-6.0-1.el6.x86_64 gcc-4.4.7-3.el6.x86_64 I downloaded MailScanner-4.84.6-1.rpm.tar.gz from the mailscanner website I followed the install instructions from MailScanner-Guide.pdf also downloaded from the mailscanner website After the command "tar zxf MailScanner-4.84.6-1.rpm.tar.gz" and the extraction of 50 files The following messages appear: >gzip: stdin: unexpected end of file >tar: Unexpected EOF in archive >tar: Unexpected EOF in archive >tar: Error is not recoverable: exiting now Can someone help me? Thanks Peter ############################################### Dit bericht is gescand door MailMarshal. ############################################### -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131031/56ce37e5/attachment.html From Denis.Beauchemin at usherbrooke.ca Thu Oct 31 14:24:32 2013 From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin) Date: Thu, 31 Oct 2013 14:24:32 +0000 Subject: phishing.bad.sites.conf In-Reply-To: <52726361.6070709@rjlsystems.com> References: <E4CD9F6A1A6FF745BCABA56BBD1008D5A477D8A8@XMBX03.sti.usherbrooke.ca> <52726361.6070709@rjlsystems.com> Message-ID: <E4CD9F6A1A6FF745BCABA56BBD1008D5A477EBF2@XMBX03.sti.usherbrooke.ca> Barry, The phishing.bad.sites.conf is used to flag URLs in emails. 
It is not uncommon to use www.facebook.com/SiteName in emails nor should it be flagged as a phishing attempt.

Denis

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Barry Callahan
Sent: 31 October 2013 10:11
To: MailScanner discussion
Subject: Re: phishing.bad.sites.conf

Uhh... yes. Yes, it contains www.facebook.com.
It also contains www.facebookprofileviewer.com

You should not be getting any legitimate emails from facebook originating from either of those machine names. The email should be coming from a @facebookmail.com address. And chances are, the machine handing it off to your server will be mx-out.facebook.com.

So, if you're getting email traffic claiming to come from www.facebook.com.... I doubt it's legitimate.

#/*****************************\
#* Barry Callahan
#* Technologist
#* RJL Systems
#* phone: 1 586 790 - 0200 x112
#* 1 800 528 - 4513 x112
#* fax: 1 586 790 - 0205
#\*****************************/

On 10/31/2013 8:31 AM, Denis Beauchemin wrote:
> Hello,
>
> I just found out that the phishing.bad.sites.conf contains www.facebook.com. This file is kept up to date by /usr/sbin/update_bad_phishing_sites.
>
> Now who can remove www.facebook.com from the master file? If nobody can I will have to stop the auto-update.
>
> Thanks.
>
> Denis
>
>

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
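An added example, not part of the thread and not MailScanner's own code: one way to review a downloaded phishing.bad.sites.conf before it replaces the live file, holding the update when it lists a host under a domain you never want flagged. It assumes the file holds one hostname per line with `#` comments; the protected list, the sample entries and every function name are hypothetical.

```python
"""Review gate for an auto-updated phishing host list (added illustration)."""


def normalise_host(entry):
    """Drop comments and whitespace, lower-case, strip a trailing root dot."""
    host = entry.split("#", 1)[0].strip().lower().rstrip(".")
    return host or None


def parse_host_list(text):
    """Return the hostnames in a one-entry-per-line list (assumed format)."""
    hosts = []
    for line in text.splitlines():
        host = normalise_host(line)
        if host:
            hosts.append(host)
    return hosts


def is_same_or_subdomain(host, protected):
    """Match on DNS label boundaries, never on substrings.

    www.facebook.com is under facebook.com, but neither
    www.facebookprofileviewer.com nor facebook.com.login.example.net is.
    """
    return host == protected or host.endswith("." + protected)


def find_collisions(bad_sites_text, protected_text):
    """List (listed_host, protected_domain) pairs that need human review."""
    protected = parse_host_list(protected_text)
    collisions = []
    for host in parse_host_list(bad_sites_text):
        for domain in protected:
            if is_same_or_subdomain(host, domain):
                collisions.append((host, domain))
                break
    return collisions


def safe_to_apply(bad_sites_text, protected_text):
    """True when the update can be installed without review."""
    return not find_collisions(bad_sites_text, protected_text)


# Constructed sample of a downloaded update (not real list content).
CANDIDATE_UPDATE = """\
# constructed sample
www.facebookprofileviewer.com
WWW.Facebook.com.
facebook.com.login.example.net
phish.example.org   # constructed entry
"""

# Hypothetical local list of domains whose links must not be flagged.
PROTECTED = """\
facebook.com
"""

if __name__ == "__main__":
    hits = find_collisions(CANDIDATE_UPDATE, PROTECTED)
    for host, domain in hits:
        print(f"HOLD update: {host} is under protected domain {domain}")
    if not hits:
        print("update can be applied")
```

Run against a freshly downloaded copy before the live file is swapped, a collision keeps the previous list in place until someone has looked at the entry, which avoids switching the auto-update off entirely.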
From maxsec at gmail.com Thu Oct 31 14:45:15 2013 From: maxsec at gmail.com (Martin Hepworth) Date: Thu, 31 Oct 2013 14:45:15 +0000 Subject: mails-processing-problem In-Reply-To: <A8D7714A632D4B4CB9FCB852F73EEAC1@EJAZ> References: <2CE7838EB6C148A2ADBC721AEDDF7E93@EJAZ> <CAGDKorLFM35_GLHMiKPOe+1u=xJ+7pVJy71AbDHtCCxkU9u6Kw@mail.gmail.com> <A8D7714A632D4B4CB9FCB852F73EEAC1@EJAZ> Message-ID: <CAGDKorJSUCrdf28R5E2Q_NSETCeQbpRU2XO6p3yGy0FPUcXk8w@mail.gmail.com> OK you need to make sure you've -U switch at the top of the main MailScanner script .. -- Martin Hepworth, CISSP Oxford, UK On 31 October 2013 11:36, Ejaz <mejaz at cyberia.net.sa> wrote: > ** ** ** ** > > Thanks for your answer.**** > > ** ** > > Newly installed server with Redhat linux 6. and MailScanner version is > 4.84.6-1**** > > ** ** > > When I ran the Mailscanner ?debug **** > > ** ** > > I got below, rest is fine, **** > > ** ** > > Insecure dependency in open while running with -T switch at > /usr/lib64/perl5/IO/File.pm line 185**** > > ** ** > > Ejaz **** > ------------------------------ > > *From:* **mailscanner-bounces at lists.mailscanner.info** [mailto:** > mailscanner-bounces at lists.mailscanner.info**] *On Behalf Of *Martin > Hepworth > *Sent:* Thursday, October 31, 2013 2:12 PM > *To:* **MailScanner discussion** > *Subject:* Re: mails-processing-problem**** > > ** ** > > Whats changed? updated the server?**** > > what does a debug show you and fix that error in the MailScanner Lint..*** > * > > > **** > > -- > Martin Hepworth, CISSP > ****Oxford**, **UK******** > > ** ** > > On 31 October 2013 09:41, Ejaz <mejaz at cyberia.net.sa> wrote:**** > > **** > > **** > > Our mail scanners has started behaving very strange. It?s not processing g > any emails anymore only saying for each mail in the queue and with the > below error. **** > > **** > > **** > > Our setup,**** > > **** > > Mailscanner/postfix/clamav/spamassasin. 
> > Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message > p8JHBZlF011310 as it has been attempted too many times > Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 > as it caused MailScanner to crash several times > Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to > /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310 > > > > 1. MailScanner --lint (reports below problem)**** > > **** > > > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf**** > > > ERROR: is not correct, it should match X-mydomain-MailScanner-From**** > > **** > > 2. spamassassin ?lint (silently comes to next prompt)**** > > **** > > Any help would highly appreciated. **** > > **** > > Regards, > __________________ > Mohammed Ejaz > Sr,Systems Administrator > Middle East Internet Company (CYBERIA) > ****Riyadh**, **Saudi Arabia**** > Phone: +966-1-4647114 Ext: 140 > Mobile +966-562311787 > Fax: +966-1-4654735 > E-mail: mejaz at cyberia.net.sa**** > > **** > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!**** > > ** ** > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131031/b0ff9041/attachment.html

From maxsec at gmail.com Thu Oct 31 14:47:21 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu, 31 Oct 2013 14:47:21 +0000
Subject: I Have a problem with installing Mailscanner
In-Reply-To: <79EB1E4DC355EA49A85F5463BB25C45837C88E@srvexch02.compaxo.local>
References: <79EB1E4DC355EA49A85F5463BB25C45837C88E@srvexch02.compaxo.local>
Message-ID: <CAGDKor+wSMCQS_378sZZv1KeJS8Khi3FF=+VGiNFmpARE0tr=Q@mail.gmail.com>

try the download again..

also check the pgp sig on the files to make sure you've got them fully and correctly.

--
Martin Hepworth, CISSP
Oxford, UK

On 31 October 2013 14:14, Peter Vroegop <Peter.Vroegop at compaxo.nl> wrote:

> I Installed a centos 6.4 server.
>
> Installed
>
> sendmail-8.14.4-8.el6.x86_64
> perl-5.10.1-131.el6_4.x86_64
> wget-1.12-1.8.el6.x86_64
> unzip-6.0-1.el6.x86_64
> gcc-4.4.7-3.el6.x86_64
>
> I downloaded MailScanner-4.84.6-1.rpm.tar.gz from the mailscanner website
>
> I followed the install instructions from MailScanner-Guide.pdf also
> downloaded from the mailscanner website
>
> After the command "tar zxf MailScanner-4.84.6-1.rpm.tar.gz" and the
> extraction of 50 files
>
> The following messages appear:
>
> >gzip: stdin: unexpected end of file
> >tar: Unexpected EOF in archive
> >tar: Unexpected EOF in archive
> >tar: Error is not recoverable: exiting now
>
> Can someone help me?
>
> Thanks
>
> Peter
>
> ------------------------------
> This message has been scanned by *MailMarshal.*
> ------------------------------
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131031/31cee652/attachment.html

From richard at fastnet.co.uk Thu Oct 31 14:48:26 2013
From: richard at fastnet.co.uk (Richard Mealing)
Date: Thu, 31 Oct 2013 14:48:26 +0000
Subject: mails-processing-problem
In-Reply-To: <A8D7714A632D4B4CB9FCB852F73EEAC1@EJAZ>
References: <2CE7838EB6C148A2ADBC721AEDDF7E93@EJAZ> <CAGDKorLFM35_GLHMiKPOe+1u=xJ+7pVJy71AbDHtCCxkU9u6Kw@mail.gmail.com> <A8D7714A632D4B4CB9FCB852F73EEAC1@EJAZ>
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EA06971@BTN-EXCHANGE-V1.fastnet.local>

How is your server load?

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ejaz
Sent: 31 October 2013 11:36
To: 'MailScanner discussion'
Subject: RE: mails-processing-problem

Thanks for your answer.

Newly installed server with Redhat linux 6.
and MailScanner version is 4.84.6-1 When I ran the Mailscanner -debug I got below, rest is fine, Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185 Ejaz ________________________________ From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Thursday, October 31, 2013 2:12 PM To: MailScanner discussion Subject: Re: mails-processing-problem Whats changed? updated the server? what does a debug show you and fix that error in the MailScanner Lint.. -- Martin Hepworth, CISSP Oxford, UK On 31 October 2013 09:41, Ejaz <mejaz at cyberia.net.sa<mailto:mejaz at cyberia.net.sa>> wrote: Our mail scanners has started behaving very strange. It's not processing g any emails anymore only saying for each mail in the queue and with the below error. Our setup, Mailscanner/postfix/clamav/spamassasin. Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310 1. MailScanner --lint (reports below problem) > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-mydomain-MailScanner-From 2. spamassassin -lint (silently comes to next prompt) Any help would highly appreciated. 
Regards, __________________ Mohammed Ejaz Sr,Systems Administrator Middle East Internet Company (CYBERIA) Riyadh, Saudi Arabia Phone: +966-1-4647114 Ext: 140 Mobile +966-562311787<tel:%2B966-562311787> Fax: +966-1-4654735 E-mail: mejaz at cyberia.net.sa<mailto:mejaz at cyberia.net.sa> -- MailScanner mailing list mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info> http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131031/b99c9da9/attachment.html From barryc at rjlsystems.com Thu Oct 31 14:54:44 2013 From: barryc at rjlsystems.com (Barry Callahan) Date: Thu, 31 Oct 2013 10:54:44 -0400 Subject: phishing.bad.sites.conf In-Reply-To: <52726361.6070709@rjlsystems.com> References: <E4CD9F6A1A6FF745BCABA56BBD1008D5A477D8A8@XMBX03.sti.usherbrooke.ca> <52726361.6070709@rjlsystems.com> Message-ID: <52726F34.4030802@rjlsystems.com> .... except the phishing checks are applied against the BODY of the email, not the headers. Nevermind. I need more coffee. Sorry for lowering the SNR. On 10/31/2013 10:04 AM, Barry Callahan wrote: > Uhh... yes. Yes, it contains www.facebook.com. > It also contains www.facebookprofileviewer.com > > You should not be getting any legitimate emails from facebook > originating from either of those machine names. The email should be > coming from a @facebookmail.com address. And chances are, the machine > handing it off to your server will be mx-out.facebook.com. > > So, if you're getting email traffic claiming to come from > www.facebook.com.... I doubt it's legitimate. 
> > #/*****************************\ > #* Barry Callahan > #* Technologist > #* RJL Systems > #* phone: 1 586 790 - 0200 x112 > #* 1 800 528 - 4513 x112 > #* fax: 1 586 790 - 0205 > #\*****************************/ > > On 10/31/2013 8:31 AM, Denis Beauchemin wrote: >> Hello, >> >> I just found out that the phishing.bad.sites.conf contains www.facebook.com. This file is kept up to date by /usr/sbin/update_bad_phishing_sites. >> >> Now who can remove www.facebook.com from the master file? If nobody can I will have to stop the auto-update. >> >> Thanks. >> >> Denis >> >> From mark at msapiro.net Thu Oct 31 15:06:30 2013 From: mark at msapiro.net (Mark Sapiro) Date: Thu, 31 Oct 2013 08:06:30 -0700 Subject: I Have a problem with installing Mailscanner In-Reply-To: <79EB1E4DC355EA49A85F5463BB25C45837C88E@srvexch02.compaxo.local> References: <79EB1E4DC355EA49A85F5463BB25C45837C88E@srvexch02.compaxo.local> Message-ID: <527271F6.9000401@msapiro.net> On 10/31/2013 07:14 AM, Peter Vroegop wrote: > > After the command ?tar zxf MailScanner-4.84.6-1.rpm.tar.gz? and the > extraction of 50 files > > > > The following messages appear: > > > >>gzip: stdin: unexpected end of file > >>tar: Unexpected EOF in archive > >>tar: Unexpected EOF in archive > >>tar: Error is not recoverable: exiting now 50 files is the correct number, but it appears your download may have been truncated. The downloaded MailScanner-4.84.6-1.rpm.tar.gz should be 5874351 bytes. if yours is not this size, try downloading again. Also, 'gunzip MailScanner-4.84.6-1.rpm.tar.gz' should produce MailScanner-4.84.6-1.rpm.tar with size 6021120 bytes and no error. -- Mark Sapiro <mark at msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From mark at msapiro.net Thu Oct 31 15:11:34 2013 From: mark at msapiro.net (Mark Sapiro) Date: Thu, 31 Oct 2013 08:11:34 -0700 Subject: I Have a problem with installing Mailscanner In-Reply-To: <CAGDKor+wSMCQS_378sZZv1KeJS8Khi3FF=+VGiNFmpARE0tr=Q@mail.gmail.com> References: <79EB1E4DC355EA49A85F5463BB25C45837C88E@srvexch02.compaxo.local> <CAGDKor+wSMCQS_378sZZv1KeJS8Khi3FF=+VGiNFmpARE0tr=Q@mail.gmail.com> Message-ID: <52727326.9050100@msapiro.net> On 10/31/2013 07:47 AM, Martin Hepworth wrote: > also check the pgp sig on the files to make sure you've got them fully > and correctly. It's been years since the links to the sigs on the download page at <http://www.mailscanner.info/downloads.html> have returned anything but a 404. Are you finding them somewhere? -- Mark Sapiro <mark at msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From jerry.benton at mailborder.com Thu Oct 31 15:23:52 2013 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 31 Oct 2013 16:23:52 +0100 Subject: mails-processing-problem In-Reply-To: <CAGDKorJSUCrdf28R5E2Q_NSETCeQbpRU2XO6p3yGy0FPUcXk8w@mail.gmail.com> References: <2CE7838EB6C148A2ADBC721AEDDF7E93@EJAZ> <CAGDKorLFM35_GLHMiKPOe+1u=xJ+7pVJy71AbDHtCCxkU9u6Kw@mail.gmail.com> <A8D7714A632D4B4CB9FCB852F73EEAC1@EJAZ> <CAGDKorJSUCrdf28R5E2Q_NSETCeQbpRU2XO6p3yGy0FPUcXk8w@mail.gmail.com> Message-ID: <CAED3VzC07EQS9FyrbzPkr7FZ8myRn5FERid5Wbh4LZJoXQP61A@mail.gmail.com> And make sure that the MailScanner AV user is the same as the user your in virus scanner ? and that the permissions are set correctly on your quarantine dir. On Thu, Oct 31, 2013 at 3:45 PM, Martin Hepworth <maxsec at gmail.com> wrote: > OK you need to make sure you've -U switch at the top of the main > MailScanner script .. 
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 31 October 2013 11:36, Ejaz <mejaz at cyberia.net.sa> wrote:
>
>> Thanks for your answer.
>>
>> Newly installed server with Redhat linux 6. and MailScanner version is
>> 4.84.6-1
>>
>> When I ran the Mailscanner --debug
>>
>> I got below, rest is fine,
>>
>> Insecure dependency in open while running with -T switch at
>> /usr/lib64/perl5/IO/File.pm line 185
>>
>> Ejaz
>> ------------------------------
>>
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>> Martin Hepworth
>> Sent: Thursday, October 31, 2013 2:12 PM
>> To: MailScanner discussion
>> Subject: Re: mails-processing-problem
>>
>> What's changed? updated the server?
>>
>> what does a debug show you and fix that error in the MailScanner Lint..
>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>> On 31 October 2013 09:41, Ejaz <mejaz at cyberia.net.sa> wrote:
>>
>> Our mail scanners have started behaving very strangely. It's not
>> processing any emails anymore only saying for each mail in the queue
>> and with the below error.
>>
>> Our setup,
>>
>> Mailscanner/postfix/clamav/spamassassin.
>>
>> Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message
>> p8JHBZlF011310 as it has been attempted too many times
>> Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310
>> as it caused MailScanner to crash several times
>> Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to
>> /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310
>>
>> 1. MailScanner --lint (reports below problem)
>>
>> > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
>> > ERROR: is not correct, it should match X-mydomain-MailScanner-From
>>
>> 2. spamassassin --lint (silently comes to next prompt)
>>
>> Any help would be highly appreciated.
>>
>> Regards,
>> __________________
>> Mohammed Ejaz
>> Sr,Systems Administrator
>> Middle East Internet Company (CYBERIA)
>> Riyadh, Saudi Arabia
>> Phone: +966-1-4647114 Ext: 140
>> Mobile +966-562311787
>> Fax: +966-1-4654735
>> E-mail: mejaz at cyberia.net.sa
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>

--
--
Jerry Benton
Mailborder Systems
www.mailborder.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131031/12d4dfa5/attachment.html

From mark at msapiro.net  Thu Oct 31 16:04:28 2013
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 31 Oct 2013 09:04:28 -0700
Subject: I Have a problem with installing Mailscanner
In-Reply-To: <527271F6.9000401@msapiro.net>
References: <79EB1E4DC355EA49A85F5463BB25C45837C88E@srvexch02.compaxo.local>
 <527271F6.9000401@msapiro.net>
Message-ID: <52727F8C.1000305@msapiro.net>

On 10/31/2013 08:06 AM, Mark Sapiro wrote:
>
> 50 files is the correct number, but it appears your download may have
> been truncated. The downloaded MailScanner-4.84.6-1.rpm.tar.gz should be
> 5874351 bytes. if yours is not this size, try downloading again.

It seems that the current MailScanner-4.84.6-1.rpm.tar.gz is larger than
the one I downloaded previously. The size of the current file is 5893091
bytes.

> Also, 'gunzip MailScanner-4.84.6-1.rpm.tar.gz' should produce
> MailScanner-4.84.6-1.rpm.tar with size 6021120 bytes and no error.

And the size of the tar is 6041600 bytes.

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
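
The truncation check discussed in the thread above, as an added example that is not part of any post: a published byte count goes stale when the file on the server changes, so this tests the gzip trailer and the member count instead. The names check_tarball and make_samples and the 50-file sample archive are constructed for illustration; these checks catch a damaged or partial download, not a modified one.

```shell
#!/bin/sh
# Added example: structural checks on a downloaded .tar.gz.
# check_tarball and make_samples are hypothetical helper names.

# check_tarball FILE [EXPECTED_FILES]
# 0 = intact, 1 = gzip stream damaged or truncated,
# 2 = tar archive unreadable, 3 = unexpected number of files
check_tarball() {
    file=$1
    expected=${2:-}
    # gzip -t decompresses to nowhere and checks the CRC32/length trailer,
    # which a truncated download does not have.
    gzip -t "$file" 2>/dev/null || return 1
    # List the members; the pipeline's exit status is tar's.
    members=$(gzip -dc "$file" | tar -tf - 2>/dev/null) || return 2
    # Count entries that are not directories.
    count=$(printf '%s\n' "$members" | awk 'NF && !/\/$/ {n++} END {print n+0}')
    if [ -n "$expected" ] && [ "$count" -ne "$expected" ]; then
        return 3
    fi
    return 0
}

# make_samples DIR: build a constructed 50-file archive in DIR, plus a copy
# cut to half its length to stand in for an interrupted download.
make_samples() {
    dir=$1
    mkdir -p "$dir/src"
    i=1
    while [ "$i" -le 50 ]; do
        echo "constructed sample file $i" > "$dir/src/file$i.txt"
        i=$((i + 1))
    done
    (cd "$dir/src" && tar -cf - file*.txt) | gzip > "$dir/good.tar.gz"
    size=$(wc -c < "$dir/good.tar.gz")
    head -c $((size / 2)) "$dir/good.tar.gz" > "$dir/truncated.tar.gz"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in good truncated; do
    rc=0
    check_tarball "$tmp/$f.tar.gz" 50 || rc=$?
    echo "$f.tar.gz: check_tarball returned $rc"
done
rm -rf "$tmp"
```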