From Bryan.Laurila at dchs.org Tue Jun 3 15:50:58 2014
From: Bryan.Laurila at dchs.org (Bryan Laurila)
Date: Tue, 3 Jun 2014 09:50:58 -0500
Subject: Failed update_bad_phishing_sites
Message-ID: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local>

I have been receiving these messages from my hourly cron job for a while
now and I am struggling to find the solution.

running hourly cronjob scripts

SCRIPT: update_bad_phishing_sites
exited with RETURNCODE = 2.

Running the update_bad_phishing_sites script from the command line I see
the following indicating that cdn.mailscanner.info doesn't resolve.

DCMXRLY2:~ # update_bad_phishing_sites
Reading status from /var/spool/MailScanner/quarantine/phishingupdate/status
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2014-222 exists... no - resetting..... ok
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/-1.0 exists... ok
I am working with: Current: 2014-222 - 20 and Status: -1 - 0
This is base update
Unable to retrieve http://cdn.mailscanner.info/.2014-222 :500 Can't connect to cdn.mailscanner.info:80 (Bad hostname)
Update required
Retrieving http://cdn.mailscanner.info/2014-222.1
Failed to retrieve http://cdn.mailscanner.info/2014-222.1 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.2
Failed to retrieve http://cdn.mailscanner.info/2014-222.2 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.3
Failed to retrieve http://cdn.mailscanner.info/2014-222.3 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.4
Failed to retrieve http://cdn.mailscanner.info/2014-222.4 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.5
Failed to retrieve http://cdn.mailscanner.info/2014-222.5 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.6
Failed to retrieve http://cdn.mailscanner.info/2014-222.6 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.7
Failed to retrieve http://cdn.mailscanner.info/2014-222.7 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.8
Failed to retrieve http://cdn.mailscanner.info/2014-222.8 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.9
Failed to retrieve http://cdn.mailscanner.info/2014-222.9 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.10
Failed to retrieve http://cdn.mailscanner.info/2014-222.10 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.11
Failed to retrieve http://cdn.mailscanner.info/2014-222.11 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.12
Failed to retrieve http://cdn.mailscanner.info/2014-222.12 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.13
Failed to retrieve http://cdn.mailscanner.info/2014-222.13 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.14
Failed to retrieve http://cdn.mailscanner.info/2014-222.14 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.15
Failed to retrieve http://cdn.mailscanner.info/2014-222.15 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.16
Failed to retrieve http://cdn.mailscanner.info/2014-222.16 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.17
Failed to retrieve http://cdn.mailscanner.info/2014-222.17 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.18
Failed to retrieve http://cdn.mailscanner.info/2014-222.18 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.19
Failed to retrieve http://cdn.mailscanner.info/2014-222.19 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.20
Failed to retrieve http://cdn.mailscanner.info/2014-222.20 at /usr/sbin/update_bad_phishing_sites line 198.
Unable to open base file (/var/spool/MailScanner/quarantine/phishingupdate/cache//2014-222)

I read the "State of cdn.mailscanner.info?" thread from late May in which
Glenn Steen suggested a CNAME to point the cdn.mailscanner.info to
www.mailscanner.eu. www.mailscanner.eu resolves to 78.153.201.155 so I
added "78.153.201.155 cdn.mailscanner.info" to my local hosts file. Now
running the update_bad_phishing_sites resolves but doesn't seem to find the
necessary update.

DCMXRLY2:~ # update_bad_phishing_sites
Reading status from /var/spool/MailScanner/quarantine/phishingupdate/status
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2014-222 exists... no - resetting..... ok
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/-1.0 exists... ok
I am working with: Current: 2014-222 - 20 and Status: -1 - 0
This is base update
Unable to retrieve http://cdn.mailscanner.info/.2014-222 :404 Not Found
Update required
Retrieving http://cdn.mailscanner.info/2014-222.1
Failed to retrieve http://cdn.mailscanner.info/2014-222.1 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.2
Failed to retrieve http://cdn.mailscanner.info/2014-222.2 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.3
Failed to retrieve http://cdn.mailscanner.info/2014-222.3 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.4
Failed to retrieve http://cdn.mailscanner.info/2014-222.4 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.5
Failed to retrieve http://cdn.mailscanner.info/2014-222.5 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.6
Failed to retrieve http://cdn.mailscanner.info/2014-222.6 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.7
Failed to retrieve http://cdn.mailscanner.info/2014-222.7 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.8
Failed to retrieve http://cdn.mailscanner.info/2014-222.8 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.9
Failed to retrieve http://cdn.mailscanner.info/2014-222.9 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.10
Failed to retrieve http://cdn.mailscanner.info/2014-222.10 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.11
Failed to retrieve http://cdn.mailscanner.info/2014-222.11 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.12
Failed to retrieve http://cdn.mailscanner.info/2014-222.12 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.13
Failed to retrieve http://cdn.mailscanner.info/2014-222.13 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.14
Failed to retrieve http://cdn.mailscanner.info/2014-222.14 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.15
Failed to retrieve http://cdn.mailscanner.info/2014-222.15 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.16
Failed to retrieve http://cdn.mailscanner.info/2014-222.16 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.17
Failed to retrieve http://cdn.mailscanner.info/2014-222.17 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.18
Failed to retrieve http://cdn.mailscanner.info/2014-222.18 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.19
Failed to retrieve http://cdn.mailscanner.info/2014-222.19 at /usr/sbin/update_bad_phishing_sites line 198.
Retrieving http://cdn.mailscanner.info/2014-222.20
Failed to retrieve http://cdn.mailscanner.info/2014-222.20 at /usr/sbin/update_bad_phishing_sites line 198.
Unable to open base file (/var/spool/MailScanner/quarantine/phishingupdate/cache//2014-222)

Can someone please give me some suggestions.

Thanks!

Bryan S. Laurila
Senior Network Support Analyst
Dickinson County Healthcare System
1721 South Stephenson Avenue
Iron Mountain, Michigan 49801

"Life begins at the end of your comfort zone!"

Confidentiality Notice:

This e-mail communication and any attachments may contain confidential and
privileged information for the use of the designated recipients named
above. If you are not the intended recipient, you are hereby notified that
you have received this communication in error and that any review,
disclosure, dissemination, distribution or copying of it or its contents is
prohibited. As required by federal and state laws, you need to hold this
information as privileged and confidential.

This message may contain Protected Health Information (PHI). PHI is
personal and sensitive information related to a person's health care. It is
being emailed to you after appropriate authorization from the patient or
under circumstances that do not require patient authorization.
You, the recipient, are obligated to maintain it in a safe, secure and
confidential manner. Re-disclosure without additional patient consent or as
permitted by law is prohibited. Unauthorized re-disclosure or failure to
maintain confidentiality could subject you to penalties described in
federal and state law.

If you are not the intended recipient, or the employee or agent responsible
to deliver it to the intended recipient, you are hereby notified that any
disclosure, copying or distribution of this information is Strictly
Prohibited. If you have received this communication in error, please notify
the sender and destroy all copies of this communication and any
attachments.

Dickinson County Healthcare System, 1721 S. Stephenson Ave. Iron Mountain,
MI 49801, www.dchs.org

From mark at msapiro.net Tue Jun 3 20:14:31 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 03 Jun 2014 12:14:31 -0700
Subject: Failed update_bad_phishing_sites
In-Reply-To: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local>
References: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local>
Message-ID: <538E1E97.1040608@msapiro.net>

On 06/03/2014 07:50 AM, Bryan Laurila wrote:
> I have been receiving these messages from my hourly cron job for a while
> now and I am struggling to find the solution.
...
> *Unable to retrieve http://cdn.mailscanner.info/.2014-222 :500 Can't
> connect to cdn.mailscanner.info:80 (Bad hostname)*

The cdn.mailscanner.info site is no longer viable. You need to edit
/usr/sbin/update_bad_phishing_sites and replace

my $urlbase = "http://cdn.mailscanner.info/";

with

my $urlbase = "http://www.mailscanner.eu/";

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From Bryan.Laurila at dchs.org Tue Jun 3 20:45:55 2014
From: Bryan.Laurila at dchs.org (Bryan Laurila)
Date: Tue, 3 Jun 2014 14:45:55 -0500
Subject: Failed update_bad_phishing_sites
In-Reply-To: <538E1E97.1040608@msapiro.net>
References: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local> <538E1E97.1040608@msapiro.net>
Message-ID: <462D865B978B49479822BC40268BCC820CF312ED@mail.dchs.local>

Thank you Mark, that appears to have worked!

Bryan S. Laurila
Senior Network Support Analyst
Dickinson County Healthcare System

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Tuesday, June 03, 2014 2:15 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Failed update_bad_phishing_sites

On 06/03/2014 07:50 AM, Bryan Laurila wrote:
> I have been receiving these messages from my hourly cron job for a while
> now and I am struggling to find the solution.
...
> *Unable to retrieve http://cdn.mailscanner.info/.2014-222 :500 Can't
> connect to cdn.mailscanner.info:80 (Bad hostname)*

The cdn.mailscanner.info site is no longer viable. You need to edit
/usr/sbin/update_bad_phishing_sites and replace

my $urlbase = "http://cdn.mailscanner.info/";

with

my $urlbase = "http://www.mailscanner.eu/";

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From glenn.steen at gmail.com Thu Jun 5 21:30:37 2014
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu, 5 Jun 2014 22:30:37 +0200
Subject: Failed update_bad_phishing_sites
In-Reply-To: <462D865B978B49479822BC40268BCC820CF312ED@mail.dchs.local>
References: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local> <538E1E97.1040608@msapiro.net> <462D865B978B49479822BC40268BCC820CF312ED@mail.dchs.local>
Message-ID:

Also note that you need to do similar changes for the webbug replacement
thing in MailScanner.conf, if you use that and use the default replacement
url.

Cheers!
--
-- Glenn

On 3 Jun 2014 22:19, "Bryan Laurila" wrote:
> Thank you Mark, that appears to have worked!
>
> Bryan S. Laurila
> Senior Network Support Analyst
> Dickinson County Healthcare System

From Kevin_Miller at ci.juneau.ak.us Fri Jun 6 00:28:53 2014
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu, 5 Jun 2014 15:28:53 -0800
Subject: tnef madness
Message-ID:

I've been having trouble with tnef attachments from one person. Most get
through OK, but this one is stumping me. The sender is not using rich
text format.
The mail administrator at her site sent me the following:

"I have deleted Anita's outlook profile and recreated it and have also
checked the Exchange settings to see if it is enforcing rich-text format
over the user's settings (it is not). Her email still gets bounced back
when sent as HTML with or without an attachment. Her email is successful
as plain text without an attachment, but fails with an attachment. The
attachment is a PDF."

It works for other users at this site - it's just her email that is acting
oddly. She's using Outlook - I'm not sure what version or which version of
Exchange they're on.

Looking in the /var/spool/MailScanner/quarantine/20140605 I see a couple of
odd directories:
mxg:/var/spool/MailScanner/quarantine/20140605 # l
total 145
drwxrwx---  6 root www    160 Jun 5 13:05 ./
drwxrwx--- 33 root www    800 Jun 5 09:47 ../
drwxrwx---  2 root www 123760 Jun 5 15:04 nonspam/
drwxrwx---  2 root www     72 Jun 5 12:22 s55K40Y6019591/
drwxrwx---  2 root www     72 Jun 5 13:05 s55Kkmnf026492/
drwxrwx---  2 root www  24240 Jun 5 15:01 spam/

Normally I just see nonspam and spam.
Within s55K40Y6019591/ is a single file named message. Contents are at
http://pastebin.com/kGrmSpN5
I munged the email addresses, and stripped out the middle of the attachment
but all else is otherwise intact.

TNEF settings in MailScanner.conf:

Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = internal
TNEF Timeout = 120

In Mailwatch, I see this when looking at the message:
message/rfc822 20140605/nonspam/s55Kkmnf026492
message/rfc822\0117bit 20140605/s55Kkmnf026492/message

No idea what rfc822\0117bit indicates but suspect it's a clue...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From maxsec at gmail.com Fri Jun 6 09:00:21 2014
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 6 Jun 2014 09:00:21 +0100
Subject: tnef madness
In-Reply-To:
References:
Message-ID:

you tried using the external tnef scanner at all?

--
Martin Hepworth, CISSP
Oxford, UK

On 6 June 2014 00:28, Kevin Miller wrote:

> I've been having trouble with tnef attachments from one person. Most get
> through OK, but this one is stumping me. The sender is not using rich text
> format. The mail administrator at her site sent me the following:
>
> " I have deleted Anita's outlook profile and recreated it and have also
> checked the Exchange settings to see if it is enforcing rich-text format
> over the user's settings (it is not). Her email still gets bounced back
> when sent as HTML with or without an attachment. Her email is successful
> as plain text without an attachment, but fails with an attachment. The
> attachment is a PDF."
>
> It works for other users at this site - it's just her email that is acting
> oddly. She's using Outlook - I'm not sure what version or which version of
> Exchange they're on.
>
> Looking in the /var/spool/MailScanner/quarantine/20140605 I see a couple
> of odd directories:
> mxg:/var/spool/MailScanner/quarantine/20140605 # l
> total 145
> drwxrwx---  6 root www    160 Jun 5 13:05 ./
> drwxrwx--- 33 root www    800 Jun 5 09:47 ../
> drwxrwx---  2 root www 123760 Jun 5 15:04 nonspam/
> drwxrwx---  2 root www     72 Jun 5 12:22 s55K40Y6019591/
> drwxrwx---  2 root www     72 Jun 5 13:05 s55Kkmnf026492/
> drwxrwx---  2 root www  24240 Jun 5 15:01 spam/
>
> Normally I just see nonspam and spam.
> Within s55K40Y6019591/ is a single file named message. Contents are at
> http://pastebin.com/kGrmSpN5
> I munged the email addresses, and stripped out the middle of the
> attachment but all else is otherwise intact.
>
> TNEF settings in MailScanner.conf:
>
> Expand TNEF = yes
> Use TNEF Contents = replace
> Deliver Unparsable TNEF = no
> TNEF Expander = internal
> TNEF Timeout = 120
>
> In Mailwatch, I see this when looking at the message:
> message/rfc822 20140605/nonspam/s55Kkmnf026492
> message/rfc822\0117bit 20140605/s55Kkmnf026492/message
>
> No idea what rfc822\0117bit indicates but suspect it's a clue...
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357

From phil.randal at hoopleltd.co.uk Fri Jun 6 10:04:23 2014
From: phil.randal at hoopleltd.co.uk (Randal, Phil)
Date: Fri, 6 Jun 2014 09:04:23 +0000
Subject: tnef madness
In-Reply-To:
References:
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B857EA37388@HC-EXMBX04.herefordshire.gov.uk>

It's also worth reminding people to use the TNEF.pm from the MailScanner
git repo, if they're not already.

Cheers,

Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.randal at hoopleltd.co.uk

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: 06 June 2014 09:00
To: MailScanner discussion
Subject: Re: tnef madness

you tried using the external tnef scanner at all?
--
Martin Hepworth, CISSP
Oxford, UK

Hoople Ltd, Registered in England and Wales No. 7556595
Registered office: Plough Lane, Hereford, HR4 0LE

"Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Hoople Ltd. You should be aware
that Hoople Ltd. monitors its email service. This e-mail and any attached
files are confidential and intended solely for the use of the addressee.
This communication may contain material protected by law from being passed
on. If you are not the intended recipient and have received this e-mail in
error, you are advised that any use, dissemination, forwarding, printing or
copying of this e-mail is strictly prohibited. If you have received this
e-mail in error please contact the sender immediately and destroy all
copies of it."

From Kevin_Miller at ci.juneau.ak.us Fri Jun 6 18:39:02 2014
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 6 Jun 2014 09:39:02 -0800
Subject: tnef madness
In-Reply-To:
References:
Message-ID:

I switched to it yesterday afternoon after posting. I'm waiting for test
messages from the sender to see how it behaves.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Friday, June 06, 2014 12:00 AM
To: MailScanner discussion
Subject: Re: tnef madness

you tried using the external tnef scanner at all?

--
Martin Hepworth, CISSP
Oxford, UK

From Kevin_Miller at ci.juneau.ak.us Fri Jun 6 18:54:54 2014
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 6 Jun 2014 09:54:54 -0800
Subject: tnef madness
In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B857EA37388@HC-EXMBX04.herefordshire.gov.uk>
References: <7CA580B59C1ABD45B4614ED90D4C7B857EA37388@HC-EXMBX04.herefordshire.gov.uk>
Message-ID:

I believe I am. The preamble shows:
# $Id: TNEF.pm 5119 2013-06-17 13:29:15Z sysjkf $

Which is the same as I saw on the github site. Unless I was looking in the
wrong place.

Running MailScanner -V, I'm showing:
MailScanner version 4.84.3
0.17 Convert::TNEF

I'm unsure of the relationship between Convert::TNEF and the TNEF.pm
packages. I show the following when doing a locate for tnef:
/usr/bin/tnef
/usr/lib/MailScanner/MailScanner/TNEF.pm
/usr/lib/perl5/vendor_perl/5.8.8/Convert/TNEF.pm

The external version is 1.4.5, circa 2008. We'll see how it works.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Friday, June 06, 2014 1:04 AM
To: MailScanner discussion
Subject: RE: tnef madness

It's also worth reminding people to use the TNEF.pm from the MailScanner git repo, if they're not already.

Cheers,

Phil

From Bryan.Laurila at dchs.org Fri Jun 6 20:08:18 2014
From: Bryan.Laurila at dchs.org (Bryan Laurila)
Date: Fri, 6 Jun 2014 14:08:18 -0500
Subject: Failed update_bad_phishing_sites
In-Reply-To:
References: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local><538E1E97.1040608@msapiro.net><462D865B978B49479822BC40268BCC820CF312ED@mail.dchs.local>
Message-ID: <462D865B978B49479822BC40268BCC820CFB90DE@mail.dchs.local>

What is the "webbug replacement thing" you speak of? I am not familiar with that.

Bryan S. Laurila
Senior Network Support Analyst
Dickinson County Healthcare System

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Thursday, June 05, 2014 3:31 PM
To: MailScanner discussion
Subject: RE: Failed update_bad_phishing_sites

Also note that you need to do similar changes for the webbug replacement thing in Mailscanner.conf, if you use that and use the default replacement url.

Cheers!
--
-- Glenn

On 3 Jun 2014 at 22:19, "Bryan Laurila" wrote:

Thank you Mark, that appears to have worked!

Bryan S. Laurila
Senior Network Support Analyst
Dickinson County Healthcare System

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Tuesday, June 03, 2014 2:15 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Failed update_bad_phishing_sites

On 06/03/2014 07:50 AM, Bryan Laurila wrote:
> I have been receiving these messages from my hourly cron job for a while
> now and I am struggling to find the solution.
...
> *Unable to retrieve http://cdn.mailscanner.info/.2014-222 :500 Can't
> connect to MailScanner has detected a possible fraud attempt from "cdn.mailscanner.info" claiming to be cdn.mailscanner.info:80 (Bad hostname)*

The cdn.mailscanner.info site is no longer viable. You need to edit /usr/sbin/update_bad_phishing_sites and replace

my $urlbase = "http://cdn.mailscanner.info/";

with

my $urlbase = "http://www.mailscanner.eu/";

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. As required by federal and state laws, you need to hold this information as privileged and confidential. This message may contain Protected Health Information (PHI). PHI is personal and sensitive information related to a person's health care.
It is being emailed to you after appropriate authorization from the patient or under circumstances that do not require patient authorization. You, the recipient, are obligated to maintain it in a safe, secure and confidential manner. Re-disclosure without additional patient consent or as permitted by law is prohibited. Unauthorized re-disclosure or failure to maintain confidentiality could subject you to penalties described in federal and state law. If you are not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any disclosure, copying or distribution of this information is Strictly Prohibited. If you have received this communication in error, please notify the sender and destroy all copies of this communication and any attachments. Dickinson County Healthcare System, 1721 S. Stephenson Ave. Iron Mountain, MI 49801, www.dchs.org

From jeremy at fluxlabs.net Fri Jun 6 20:32:49 2014
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Fri, 6 Jun 2014 19:32:49 +0000
Subject: Failed update_bad_phishing_sites
In-Reply-To: <538E1E97.1040608@msapiro.net>
References: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local>, <538E1E97.1040608@msapiro.net>
Message-ID: <347F90E2-CBC0-4AF8-9213-D88A23FEC1D4@fluxlabs.net>

.eu fails as well

--2014-06-06 13:32:31-- http://www.mailscanner.eu/scamnailer.ndb
Resolving www.mailscanner.eu... 78.153.201.155
Connecting towww.mailscanner.eu|78.153.201.155|:80... failed: Connection timed out.
Retrying.

--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jun 3, 2014, at 2:27 PM, "Mark Sapiro" wrote:

The cdn.mailscanner.info site is no longer viable.
You need to edit /usr/sbin/update_bad_phishing_sites and replace

my $urlbase = "http://cdn.mailscanner.info/";

with

my $urlbase = "http://www.mailscanner.eu/";

From mark at msapiro.net Fri Jun 6 20:53:01 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 06 Jun 2014 12:53:01 -0700
Subject: Failed update_bad_phishing_sites
In-Reply-To: <462D865B978B49479822BC40268BCC820CFB90DE@mail.dchs.local>
References: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local><538E1E97.1040608@msapiro.net><462D865B978B49479822BC40268BCC820CF312ED@mail.dchs.local> <462D865B978B49479822BC40268BCC820CFB90DE@mail.dchs.local>
Message-ID: <53921C1D.9020400@msapiro.net>

On 06/06/2014 12:08 PM, Bryan Laurila wrote:
> What is the "webbug replacement thing" you speak of? I am not familiar
> with that.

A web bug is an 'invisible' 1x1 pixel image put into an HTML message with a src= URL which is encoded with information that tells the sender of the message which recipient of the message has opened it when the recipient's MUA attempts to retrieve the image.

As part of disarming HTML message parts, MailScanner replaces the src= URL with one defined in the config by Web Bug Replacement. The default config for this is

Web Bug Replacement = http://cdn.mailscanner.info/1x1spacer.gif

That URL currently doesn't work. I think the easiest thing to do is what I've done which is create the file /etc/MailScanner/conf.d/web_bug containing the line

Web Bug Replacement = http://www.mailscanner.eu/1x1spacer.gif

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From mark at msapiro.net Fri Jun 6 22:04:02 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 06 Jun 2014 14:04:02 -0700
Subject: www.mailscanner.eu not responding - was: Failed update_bad_phishing_sites
In-Reply-To: <347F90E2-CBC0-4AF8-9213-D88A23FEC1D4@fluxlabs.net>
References: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local>, <538E1E97.1040608@msapiro.net> <347F90E2-CBC0-4AF8-9213-D88A23FEC1D4@fluxlabs.net>
Message-ID: <53922CC2.3040205@msapiro.net>

On 06/06/2014 12:32 PM, Jeremy McSpadden wrote:
> .eu fails as well
>
> --2014-06-06 13:32:31-- http://www.mailscanner.eu/scamnailer.ndb
> Resolving www.mailscanner.eu ... 78.153.201.155
> Connecting towww.mailscanner.eu
> |78.153.201.155|:80... failed: Connection
> timed out.

Bummer! The server is there and responds to ping, but not to port 80 connects.

Let's hope it's only temporary.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From jerry.benton at mailborder.com Fri Jun 6 23:35:04 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sat, 7 Jun 2014 00:35:04 +0200
Subject: www.mailscanner.eu not responding - was: Failed update_bad_phishing_sites
In-Reply-To: <53922CC2.3040205@msapiro.net>
References: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local>, <538E1E97.1040608@msapiro.net> <347F90E2-CBC0-4AF8-9213-D88A23FEC1D4@fluxlabs.net> <53922CC2.3040205@msapiro.net>
Message-ID: <8F689476-31A8-4947-977C-D1FB2C4F558D@mailborder.com>

I spoke to Jules about this today. His words:

"So, put simply, it's only the bit in the middle that's ever likely to go down (turning the email messages into lists of patches to the phishing list).

However, some time in the next few months I should finally be able to move that VM onto a much more reliable VM platform so it should become much more stable.

It seems as if the CDN dns setup is still broken, however. I'll get onto Matt Hampton about that (who gives me free use of his CDN)."
-
Jerry Benton
www.mailborder.com

On Jun 6, 2014, at 11:04 PM, Mark Sapiro wrote:

> On 06/06/2014 12:32 PM, Jeremy McSpadden wrote:
>> .eu fails as well
>>
>> --2014-06-06 13:32:31-- http://www.mailscanner.eu/scamnailer.ndb
>> Resolving www.mailscanner.eu ... 78.153.201.155
>> Connecting towww.mailscanner.eu
>> |78.153.201.155|:80... failed: Connection
>> timed out.
>
>
> Bummer! The server is there and responds to ping, but not to port 80
> connects.
>
> Let's hope it's only temporary.
>
> --
> Mark Sapiro The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan

From email at ace.net.au Sat Jun 7 05:59:53 2014
From: email at ace.net.au (Peter Nitschke)
Date: Sat, 07 Jun 2014 14:29:53 +0930
Subject: www.mailscanner.eu not responding - was: Failed update_bad_phishing_sites
In-Reply-To: <8F689476-31A8-4947-977C-D1FB2C4F558D@mailborder.com>
References: <462D865B978B49479822BC40268BCC820CF310B9@mail.dchs.local> <538E1E97.1040608@msapiro.net> <347F90E2-CBC0-4AF8-9213-D88A23FEC1D4@fluxlabs.net> <53922CC2.3040205@msapiro.net> <8F689476-31A8-4947-977C-D1FB2C4F558D@mailborder.com>
Message-ID: <201406071429530835.5C8D66CD@web.ace.net.au>

It appears to be the DNS info for cdn.mailscanner.info that is broken.

There is an IP for www.mailscanner.info, but not for cdn.mailscanner.info

*********** REPLY SEPARATOR ***********

On 7/06/2014 at 12:35 AM Jerry Benton wrote:

>I spoke to Jules about this today. His words:
>
>
>"So, put simply, it's only the bit in the middle that's ever likely to go
>down (turning the email messages into lists of patches to the phishing
>list).
>
>However, some time in the next few months I should finally be able to move
>that VM onto a much more reliable VM platform so it should become much
>more stable.
>
>It seems as if the CDN dns setup is still broken, however. I'll get onto
>Matt Hampton about that (who gives me free use of his CDN)."
>
>
>-
>Jerry Benton
>www.mailborder.com
>
>
>
>On Jun 6, 2014, at 11:04 PM, Mark Sapiro wrote:
>
>> On 06/06/2014 12:32 PM, Jeremy McSpadden wrote:
>>> .eu fails as well
>>>
>>> --2014-06-06 13:32:31-- http://www.mailscanner.eu/scamnailer.ndb
>>> Resolving www.mailscanner.eu ...
>78.153.201.155
>>> Connecting towww.mailscanner.eu
>>> |78.153.201.155|:80... failed: Connection
>>> timed out.
>>
>>
>> Bummer! The server is there and responds to ping, but not to port 80
>> connects.
>>
>> Let's hope it's only temporary.
>>
>> --
>> Mark Sapiro The highway is for gamblers,
>> San Francisco Bay Area, California better use your sense - B. Dylan
From paul at welshfamily.com Sat Jun 7 16:43:31 2014
From: paul at welshfamily.com (Paul Welsh)
Date: Sat, 7 Jun 2014 16:43:31 +0100
Subject: www.mailscanner.eu not responding - was: Failed update_bad_phishing_sites
Message-ID:

So since neither http://www.mailscanner.eu/1x1spacer.gif nor http://cdn.mailscanner.info/1x1spacer.gif are available then does anyone have the gif handy?

I have no objection to hosting it on my server so others can make the change to MailScanner.conf and point to it or safer we can just put it on our own sites.

Apologies if I have missed something here. By the way, my conf file points to the mailscanner.tv site which is also down. In fact mailscanner.info seems down currently, ie, pings but web site not up.

# grep spacer /etc/MailScanner/MailScanner.conf
Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif

From pas at unh.edu Sat Jun 7 17:10:31 2014
From: pas at unh.edu (Paul A Sand)
Date: Sat, 7 Jun 2014 12:10:31 -0400
Subject: www.mailscanner.eu not responding - was: Failed update_bad_phishing_sites
In-Reply-To:
References:
Message-ID: <20140607161031.GA33550@cisunix.unh.edu>

* Paul Welsh [2014-06-07 11:52]:
> So since neither http://www.mailscanner.eu/1x1spacer.gif nor
> http://cdn.mailscanner.info/1x1spacer.gif are available then does anyone
> have the gif handy?

Anyone is welcome to http://pubpages.unh.edu/images/onepixel.gif (43 bytes).
--
-- Paul A Sand
-- Information Technology / University of New Hampshire
-- http://pubpages.unh.edu/~pas
-- Warning: Contents under pressure

From mark at msapiro.net Sat Jun 7 17:39:07 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 07 Jun 2014 09:39:07 -0700
Subject: www.mailscanner.eu not responding - was: Failed update_bad_phishing_sites
In-Reply-To:
References:
Message-ID: <5393402B.6090605@msapiro.net>

On 06/07/2014 08:43 AM, Paul Welsh wrote:
> So since neither http://www.mailscanner.eu/1x1spacer.gif
> nor http://cdn.mailscanner.info/1x1spacer.gif are available then does
> anyone have the gif handy?

You really don't need it. Mailscanner will change something that looks like and turn it into Web Bug from http://ad.doubleclick.net/ad/some_encoded_info/...;sz=1x1;ord=[1402020420606]?

At worst, when the user views the mail and http://www.mailscanner.eu/1x1spacer.gif cannot be retrieved, the user may see the alt=text, but in many cases, the user's MUA won't load remote images by default and the user sees nothing.

> Apologies if I have missed something here. By the way, my conf file
> points to the mailscanner.tv site which is also
> down. In fact mailscanner.info seems down
> currently, ie, pings but web site not up.

www.mailscanner.info, www.mailscanner.eu, www.mailscanner.tv and jules.mailscanner.info are all the same machine, IP 78.153.201.155.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From paul at welshfamily.com Sun Jun 8 13:06:20 2014
From: paul at welshfamily.com (Paul Welsh)
Date: Sun, 8 Jun 2014 13:06:20 +0100
Subject: www.mailscanner.info [78.153.201.155] site refusing http requests
Message-ID:

Thanks for the http://pubpages.unh.edu/images/onepixel.gif Paul and thanks for the explanation, Mark.

I note the www.mailscanner.info [78.153.201.155] site is still refusing http requests.

# wget www.mailscanner.info
--2014-06-08 13:03:24-- http://www.mailscanner.info/
Resolving www.mailscanner.info... 78.153.201.155
Connecting to www.mailscanner.info|78.153.201.155|:80... failed: Connection timed out.

From mark at msapiro.net Sun Jun 8 16:14:55 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 08 Jun 2014 08:14:55 -0700
Subject: URGENT: www.mailscanner.info [78.153.201.155] site refusing http requests
In-Reply-To:
References:
Message-ID: <53947DEF.5030601@msapiro.net>

On 06/08/2014 05:06 AM, Paul Welsh wrote:
>
> I note the www.mailscanner.info
> [78.153.201.155] site is still refusing http requests.
Yes, that server, aka mailscanner.info, jules.mailscanner.info, www.mailscanner.tv, www.mailscanner.eu, mailscanner.eu is not responding to port 80 connects, although it does respond to pings.

This is a serious issue for MailScanner. Does anyone know if anything is being done to fix this?

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From terry.hulen at gmail.com Sun Jun 8 16:55:33 2014
From: terry.hulen at gmail.com (Terry Hulen Jr)
Date: Sun, 8 Jun 2014 11:55:33 -0400
Subject: URGENT: www.mailscanner.info [78.153.201.155] site refusing http requests
In-Reply-To: <53947DEF.5030601@msapiro.net>
References: <53947DEF.5030601@msapiro.net>
Message-ID:

They all seem to be working and responding for me (from the Midwest, US).

On Sun, Jun 8, 2014 at 11:14 AM, Mark Sapiro wrote:
> On 06/08/2014 05:06 AM, Paul Welsh wrote:
>>
>> I note the www.mailscanner.info
>> [78.153.201.155] site is still refusing http requests.
>
>
> Yes, that server, aka mailscanner.info, jules.mailscanner.info,
> www.mailscanner.tv, www.mailscanner.eu, mailscanner.eu is not responding
> to port 80 connects, although it does respond to pings.
>
> This is a serious issue for MailScanner. Does anyone know if anything is
> being done to fix this?
>
> --
> Mark Sapiro The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
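
The web bug disarming that Mark Sapiro describes earlier in this thread can be sketched as below. This is an added example, not part of any list message and not MailScanner's own code; the 2-pixel threshold, the function names and the replacement URL (a placeholder for a spacer GIF hosted on your own server, the "safer" option Paul Welsh mentions) are assumptions.

```python
"""Disarm 1x1 tracking images ("web bugs") in an HTML mail part."""
import html
import re
from urllib.parse import urlsplit

# Assumption: placeholder for a spacer GIF served from a host you control.
REPLACEMENT_URL = "https://mail.example.org/static/1x1spacer.gif"
# Assumption: an image this small in both dimensions is treated as a web bug.
MAX_BUG_PIXELS = 2

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""([A-Za-z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
SIZE = re.compile(r"\s*(\d+)\s*(?:px)?\s*/?\s*", re.IGNORECASE)
STYLE_SIZE = re.compile(r"(?<![-\w])(width|height)\s*:\s*(\d+)\s*px", re.IGNORECASE)
REMOTE = re.compile(r"(?:https?:)?//", re.IGNORECASE)


def parse_attributes(tag):
    """Return the tag's attributes as a dict (first occurrence of a name wins)."""
    attrs = {}
    for match in ATTR.finditer(tag):
        value = next(g for g in match.groups()[1:] if g is not None)
        attrs.setdefault(match.group(1).lower(), html.unescape(value))
    return attrs


def declared_pixels(attrs, name):
    """Pixel size from width=/height= or inline style; None if absent or relative."""
    match = SIZE.fullmatch(attrs.get(name, ""))
    if match:
        return int(match.group(1))
    for prop, pixels in STYLE_SIZE.findall(attrs.get("style", "")):
        if prop.lower() == name:
            return int(pixels)
    return None


def is_web_bug(attrs):
    """True for a remotely fetched image declared no larger than MAX_BUG_PIXELS."""
    if not REMOTE.match(attrs.get("src", "").strip()):
        return False  # cid:, data: and relative references trigger no remote fetch
    width = declared_pixels(attrs, "width")
    height = declared_pixels(attrs, "height")
    return (width is not None and height is not None
            and width <= MAX_BUG_PIXELS and height <= MAX_BUG_PIXELS)


def remote_host(src):
    """Host part of the image URL, or '' when it cannot be parsed."""
    try:
        return urlsplit(src).hostname or ""
    except ValueError:
        return ""


def disarm_web_bugs(html_body, replacement=REPLACEMENT_URL):
    """Return (rewritten_html, findings); findings record each replaced image."""
    findings = []

    def rewrite(match):
        attrs = parse_attributes(match.group(0))
        if not is_web_bug(attrs):
            return match.group(0)  # ordinary image: leave the tag untouched
        src = attrs["src"].strip()
        findings.append({"host": remote_host(src), "src": src})
        # The original URL survives only as alt text, which is never fetched.
        alt = html.escape("Web Bug from " + src, quote=True)
        return '<img src="%s" width="1" height="1" alt="%s">' % (
            html.escape(replacement, quote=True), alt)

    return IMG_TAG.sub(rewrite, html_body), findings


# Constructed sample HTML part (hosts are placeholders, not taken from the thread).
SAMPLE_HTML = (
    '<p>Spring newsletter</p>\n'
    '<img src="https://www.example.com/logo.png" width="600" height="120" alt="logo">\n'
    '<img src="http://tracker.example.net/open?rcpt=user%40example.org&amp;id=42" width=1 height=1>\n'
    '<IMG SRC=\'https://pixel.example.net/p.gif\' STYLE="width:1px; height:1px">\n'
    '<img src="https://www.example.com/banner.png" width="100%" height="1">\n'
)

if __name__ == "__main__":
    cleaned, found = disarm_web_bugs(SAMPLE_HTML)
    print(cleaned)
    for item in found:
        print("replaced web bug served by", item["host"])
```

The findings list is worth logging: the hosts it names are the tracking endpoints a message tried to contact, and a replacement URL that stops resolving (as in this thread) only costs the reader a broken 1x1 image.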
From mark at msapiro.net Sun Jun 8 17:36:33 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 08 Jun 2014 09:36:33 -0700
Subject: URGENT: www.mailscanner.info [78.153.201.155] site refusing http requests
In-Reply-To:
References: <53947DEF.5030601@msapiro.net>
Message-ID: <53949111.4080001@msapiro.net>

On 06/08/2014 08:55 AM, Terry Hulen Jr wrote:
> They all seem to be working and responding for me (from the Midwest, US).
>
> On Sun, Jun 8, 2014 at 11:14 AM, Mark Sapiro wrote:
>> On 06/08/2014 05:06 AM, Paul Welsh wrote:
>>>
>>> I note the www.mailscanner.info
>>> [78.153.201.155] site is still refusing http requests.
>>
>>
>> Yes, that server, aka mailscanner.info, jules.mailscanner.info,
>> www.mailscanner.tv, www.mailscanner.eu, mailscanner.eu is not responding
>> to port 80 connects, although it does respond to pings.

Yes, the server seems to be working now. There are still some missing files for ScamNailer and bad phishing sites, but hopefully that will resolve soon.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From jerry.benton at mailborder.com Sun Jun 8 21:20:03 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sun, 8 Jun 2014 22:20:03 +0200
Subject: Ubuntu 14 Spamassassin
Message-ID: <7917307F-E389-4E51-A4CE-3C42BA9728F7@mailborder.com>

Has anyone set up an Ubuntu 14.04 LTS box and come across SA permission errors when running a MailScanner --lint? I am seeing this even after I grant very loose permissions:

Connected to SpamAssassin cache database
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 115) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: Permission denied at (eval 116) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WhiteListSubject.pm: Permission denied at (eval 117) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/MIMEHeader.pm: Permission denied at (eval 118) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ReplaceTags.pm: Permission denied at (eval 119) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/DKIM.pm: Permission denied at (eval 120) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/Check.pm: Permission denied at (eval 121) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HTTPSMismatch.pm: Permission denied at (eval 122) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/URIDetail.pm: Permission denied at (eval 123) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/Bayes.pm: Permission denied at (eval 124) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/BodyEval.pm: Permission denied at (eval 125) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/DNSEval.pm: Permission denied at (eval 126) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HTMLEval.pm: Permission denied at (eval 127) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HeaderEval.pm: Permission denied at (eval 128) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/MIMEEval.pm: Permission denied at (eval 129) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/RelayEval.pm: Permission denied at (eval 130) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/URIEval.pm: Permission denied at (eval 131) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WLBLEval.pm: Permission denied at (eval 132) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/VBounce.pm: Permission denied at (eval 133) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ImageInfo.pm: Permission denied at (eval 134) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/FreeMail.pm: Permission denied at (eval 135) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AskDNS.pm: Permission denied at (eval 136) line 1. Mail::SpamAssassin::Locker::Flock error: Can't locate Mail/SpamAssassin/Locker/Flock.pm: Permission denied at (eval 954) line 2. - Jerry Benton www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140608/087a91d1/attachment.html From jeremy at fluxlabs.net Sun Jun 8 21:32:37 2014 From: jeremy at fluxlabs.net (Jeremy McSpadden) Date: Sun, 8 Jun 2014 20:32:37 +0000 Subject: Ubuntu 14 Spamassassin In-Reply-To: <7917307F-E389-4E51-A4CE-3C42BA9728F7@mailborder.com> References: <7917307F-E389-4E51-A4CE-3C42BA9728F7@mailborder.com> Message-ID: <71C31FA4-760D-4EBB-9992-DE49D63B937C@fluxlabs.net> Perm denied .... Who is running MS? -- Jeremy McSpadden Flux Labs | http://www.fluxlabs.net | Endless Solutions Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 On Jun 8, 2014, at 3:30 PM, "Jerry Benton" > wrote: Has any setup an Ubuntu 14.04 LTS box and come across SA permission errors when running a MailScanner -lint ? I am seeing this even after I grant very loose permissions: Connected to SpamAssassin cache database plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 115) line 1. 
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: Permission denied at (eval 116) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WhiteListSubject.pm: Permission denied at (eval 117) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/MIMEHeader.pm: Permission denied at (eval 118) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ReplaceTags.pm: Permission denied at (eval 119) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/DKIM.pm: Permission denied at (eval 120) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/Check.pm: Permission denied at (eval 121) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HTTPSMismatch.pm: Permission denied at (eval 122) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/URIDetail.pm: Permission denied at (eval 123) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/Bayes.pm: Permission denied at (eval 124) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/BodyEval.pm: Permission denied at (eval 125) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/DNSEval.pm: Permission denied at (eval 126) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HTMLEval.pm: Permission denied at (eval 127) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HeaderEval.pm: Permission denied at (eval 128) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/MIMEEval.pm: Permission denied at (eval 129) line 1. 
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/RelayEval.pm: Permission denied at (eval 130) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/URIEval.pm: Permission denied at (eval 131) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WLBLEval.pm: Permission denied at (eval 132) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/VBounce.pm: Permission denied at (eval 133) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ImageInfo.pm: Permission denied at (eval 134) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/FreeMail.pm: Permission denied at (eval 135) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AskDNS.pm: Permission denied at (eval 136) line 1. Mail::SpamAssassin::Locker::Flock error: Can't locate Mail/SpamAssassin/Locker/Flock.pm: Permission denied at (eval 954) line 2. - Jerry Benton www.mailborder.com -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140608/da72515b/attachment.html From jerry.benton at mailborder.com Sun Jun 8 22:16:20 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Sun, 8 Jun 2014 23:16:20 +0200 Subject: Ubuntu 14 Spamassassin In-Reply-To: <71C31FA4-760D-4EBB-9992-DE49D63B937C@fluxlabs.net> References: <7917307F-E389-4E51-A4CE-3C42BA9728F7@mailborder.com> <71C31FA4-760D-4EBB-9992-DE49D63B937C@fluxlabs.net> Message-ID: <2EFE67BB-28AE-430B-A919-09F76B27D15A@mailborder.com> postfix I changed permissions and the errors seemed to have vanished. Just wondering why this is an issue in 14.04 but not 12.04. - Jerry Benton www.mailborder.com On Jun 8, 2014, at 10:32 PM, Jeremy McSpadden wrote: > Perm denied .... Who is running MS? > > -- > Jeremy McSpadden > Flux Labs | http://www.fluxlabs.net | Endless Solutions > Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 > > On Jun 8, 2014, at 3:30 PM, "Jerry Benton" wrote: > >> Has any setup an Ubuntu 14.04 LTS box and come across SA permission errors when running a MailScanner ?lint ? I am seeing this even after I grant very loose permissions: >> >> >> Connected to SpamAssassin cache database >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 115) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: Permission denied at (eval 116) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WhiteListSubject.pm: Permission denied at (eval 117) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/MIMEHeader.pm: Permission denied at (eval 118) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ReplaceTags.pm: Permission denied at (eval 119) line 1. 
>> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/DKIM.pm: Permission denied at (eval 120) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/Check.pm: Permission denied at (eval 121) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HTTPSMismatch.pm: Permission denied at (eval 122) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/URIDetail.pm: Permission denied at (eval 123) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/Bayes.pm: Permission denied at (eval 124) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/BodyEval.pm: Permission denied at (eval 125) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/DNSEval.pm: Permission denied at (eval 126) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HTMLEval.pm: Permission denied at (eval 127) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HeaderEval.pm: Permission denied at (eval 128) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/MIMEEval.pm: Permission denied at (eval 129) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/RelayEval.pm: Permission denied at (eval 130) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/URIEval.pm: Permission denied at (eval 131) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WLBLEval.pm: Permission denied at (eval 132) line 1. >> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/VBounce.pm: Permission denied at (eval 133) line 1. 
>> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ImageInfo.pm: Permission denied at (eval 134) line 1.
>> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/FreeMail.pm: Permission denied at (eval 135) line 1.
>> plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AskDNS.pm: Permission denied at (eval 136) line 1.
>> Mail::SpamAssassin::Locker::Flock error: Can't locate Mail/SpamAssassin/Locker/Flock.pm: Permission denied at (eval 954) line 2.
>>
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From jerry.benton at mailborder.com Mon Jun 9 07:34:34 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 9 Jun 2014 08:34:34 +0200
Subject: Ubuntu 14 Spamassassin
In-Reply-To: <2EFE67BB-28AE-430B-A919-09F76B27D15A@mailborder.com>
References: <7917307F-E389-4E51-A4CE-3C42BA9728F7@mailborder.com> <71C31FA4-760D-4EBB-9992-DE49D63B937C@fluxlabs.net> <2EFE67BB-28AE-430B-A919-09F76B27D15A@mailborder.com>
Message-ID:

The problem came from running MailScanner --lint from the /root directory. Change to any other directory and the error goes away. I assume that SA 3.4 is trying to find configs in the current directory, which causes the error.

On Sun, Jun 8, 2014 at 11:16 PM, Jerry Benton wrote: > postfix > > I changed permissions and the errors seemed to have vanished. Just > wondering why this is an issue in 14.04 but not 12.04. > > > > - > Jerry Benton > www.mailborder.com > > > > On Jun 8, 2014, at 10:32 PM, Jeremy McSpadden wrote: > > Perm denied .... Who is running MS? > > -- > Jeremy McSpadden > Flux Labs | http://www.fluxlabs.net | Endless Solutions > Office : 850-250-5590x501 <850-250-5590;501> | Cell : 850-890-2543 | Fax > : 850-254-2955 > > On Jun 8, 2014, at 3:30 PM, "Jerry Benton" > wrote: > > Has any setup an Ubuntu 14.04 LTS box and come across SA permission > errors when running a MailScanner ?lint ? I am seeing this even after I > grant very loose permissions: > > > Connected to SpamAssassin cache database > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 115) line > 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: Permission denied at > (eval 116) line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/WhiteListSubject.pm: Permission denied at (eval > 117) line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/MIMEHeader.pm: Permission denied at (eval 118) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/ReplaceTags.pm: Permission denied at (eval 119) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/DKIM.pm: Permission denied at (eval 120) line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/Check.pm: Permission denied at (eval 121) line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/HTTPSMismatch.pm: Permission denied at (eval > 122) line 1. 
> plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/URIDetail.pm: Permission denied at (eval 123) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/Bayes.pm: Permission denied at (eval 124) line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/BodyEval.pm: Permission denied at (eval 125) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/DNSEval.pm: Permission denied at (eval 126) line > 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/HTMLEval.pm: Permission denied at (eval 127) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/HeaderEval.pm: Permission denied at (eval 128) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/MIMEEval.pm: Permission denied at (eval 129) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/RelayEval.pm: Permission denied at (eval 130) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/URIEval.pm: Permission denied at (eval 131) line > 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/WLBLEval.pm: Permission denied at (eval 132) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/VBounce.pm: Permission denied at (eval 133) line > 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/ImageInfo.pm: Permission denied at (eval 134) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/FreeMail.pm: Permission denied at (eval 135) > line 1. > plugin: failed to parse plugin (from @INC): Can't locate > Mail/SpamAssassin/Plugin/AskDNS.pm: Permission denied at (eval 136) line > 1. 
> Mail::SpamAssassin::Locker::Flock error: Can't locate > Mail/SpamAssassin/Locker/Flock.pm: Permission denied at (eval 954) line 2. > > > - > Jerry Benton > www.mailborder.com > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140609/fa4e92c1/attachment.html From Kevin_Miller at ci.juneau.ak.us Mon Jun 9 18:32:06 2014 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon, 9 Jun 2014 09:32:06 -0800 Subject: tnef madness In-Reply-To: References: Message-ID: Just a quick followup. After experimenting with the internal and external TNEF decoders in MailScanner to no avail we narrowed down the issue to only messages sent to my internal user. The sender was able to email me in both plain and html formats with and without attachments. It turns out that having her delete her nickname entry in Outlook for Jane (the internal user) was the cure. Apparently whatever is cached there will override default or run-time settings. TNEF is still problematic in some cases, but in this case it was yet another odd Microsoft command decision to behave oddly that hindered the troubleshooting. I stumbled across this page: http://www.officeformachelp.com/office/glossary/winmail-dat/ which provided the necessary clue to at least work around the problem. Hope it is helpful to others? 
...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Friday, June 06, 2014 12:00 AM To: MailScanner discussion Subject: Re: tnef madness you tried using the external tnef scanner at all? -- Martin Hepworth, CISSP Oxford, UK On 6 June 2014 00:28, Kevin Miller > wrote: I've been having trouble with tnef attachements from one person. Most get through OK, but this one is stumping me. The sender is not using rich text format. The mail administrator at her site sent me the following: " I have deleted Anita's outlook profile and recreated it and have also checked the Exchange settings to see if it is enforcing rich-text format over the user's settings (it is not). Her email still gets bounced back when sent as HTML with or without an attachment. Her email is successful as plain text without an attachment, but fails with an attachment. The attachment is a PDF." It works for other users at this site - it's just her email that is acting oddly. She's using Outlook - I'm not sure what version or which version of Exchange they're on. Looking in the /var/spool/MailScanner/quarantine/20140605 I see a couple of odd directories: mxg:/var/spool/MailScanner/quarantine/20140605 # l total 145 drwxrwx--- 6 root www 160 Jun 5 13:05 ./ drwxrwx--- 33 root www 800 Jun 5 09:47 ../ drwxrwx--- 2 root www 123760 Jun 5 15:04 nonspam/ drwxrwx--- 2 root www 72 Jun 5 12:22 s55K40Y6019591/ drwxrwx--- 2 root www 72 Jun 5 13:05 s55Kkmnf026492/ drwxrwx--- 2 root www 24240 Jun 5 15:01 spam/ Normally I just see nonspam and spam. Within s55K40Y6019591/ is a single file named message. 
Contents are at http://pastebin.com/kGrmSpN5 I munged the email addresses, and stripped out the middle of the attachment but all else is otherwise intact. TNEF settings in MailScanner.conf: Expand TNEF = yes Use TNEF Contents = replace Deliver Unparsable TNEF = no TNEF Expander = internal TNEF Timeout = 120 In Mailwatch, I see this when looking at the message: message/rfc822 20140605/nonspam/s55Kkmnf026492 message/rfc822\0117bit 20140605/s55Kkmnf026492/message No idea what rfc822\0117bit indicates but suspect it's a clue... ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140609/a11863c3/attachment.html From email at ace.net.au Mon Jun 9 19:13:14 2014 From: email at ace.net.au (Peter Nitschke) Date: Tue, 10 Jun 2014 03:43:14 +0930 Subject: URGENT: www.mailscanner.info [78.153.201.155] site refusing http requests In-Reply-To: <53949111.4080001@msapiro.net> References: <53947DEF.5030601@msapiro.net> <53949111.4080001@msapiro.net> Message-ID: <201406100343140741.69B073D7@web.ace.net.au> cdn.mailscanner.info has lost it's IP again. *********** REPLY SEPARATOR *********** On 8/06/2014 at 9:36 AM Mark Sapiro wrote: >On 06/08/2014 08:55 AM, Terry Hulen Jr wrote: >> They all seem to be working and responding for me (from the Midwest, US). >> >> On Sun, Jun 8, 2014 at 11:14 AM, Mark Sapiro wrote: >>> On 06/08/2014 05:06 AM, Paul Welsh wrote: >>>> >>>> I note the www.mailscanner.info >>>> [78.153.201.155] site is still refusing http requests. 
>>>
>>>
>>> Yes, that server, aka mailscanner.info, jules.mailscanner.info,
>>> www.mailscanner.tv, www.mailscanner.eu, mailscanner.eu is not responding
>>> to port 80 connects, although it does respond to pings.
>
>
>Yes, the server seems to be working now. There are still some missing
>files for ScamNailer and bad phishing sites, but hopefully that will
>resolve soon.
>
>--
>Mark Sapiro The highway is for gamblers,
>San Francisco Bay Area, California better use your sense - B. Dylan
>--
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

From mailbag at partnersolutions.ca Tue Jun 10 14:37:37 2014
From: mailbag at partnersolutions.ca (PSI Mailbag)
Date: Tue, 10 Jun 2014 13:37:37 +0000
Subject: tnef madness
In-Reply-To:
References: <7CA580B59C1ABD45B4614ED90D4C7B857EA37388@HC-EXMBX04.herefordshire.gov.uk>
Message-ID:

> I believe am. The preamble shows:
>   # $Id: TNEF.pm 5119 2013-06-17 13:29:15Z sysjkf $
> Which is the same as I saw on the github site. Unless I was looking in the wrong place.

Don't trust the preamble.. Most of the GIT sources haven't updated them, effectively making those tags useless.

> Just a quick followup. After experimenting with the internal and external TNEF decoders in MailScanner
> to no avail we narrowed down the issue to only messages sent to my internal user. The sender was able
> to email me in both plain and html formats with and without attachments. It turns out that having her
> delete her nickname entry in Outlook for Jane (the internal user) was the cure.

I've run into this before too. It can also be controlled by a "Contact" object in AD, overriding the global settings from Exchange. Outlook thinks it's an internal object at that point and blissfully sends in rich text.
Very annoying to track down sometimes, especially when you're trying to prevent TNEF from escaping out to the Internet. Cheers -Joshua From joh.hendriks at gmail.com Wed Jun 11 14:41:49 2014 From: joh.hendriks at gmail.com (Johan Hendriks) Date: Wed, 11 Jun 2014 15:41:49 +0200 Subject: Rechnung offline Spam Message-ID: <53985C9D.3040406@gmail.com> Hello all. I am trying to stop some spam but it seems MailScanner just lets them pass... It is about mail with the following Subject. RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728) So i made a custum.cf file with the following header TELECOM_SUBJECT Subject =~ /RechnungOnline/i score TELECOM_SUBJECT 5.1 describe TELECOM_SUBJECT Telekom spam Is my rule not ok, and is it looking for a subject ONLY with RechnungOnline ?? Secondly the mail contains a Trojan and that also is getting through? Could someone please help me. regards Johan From Bryan.Laurila at dchs.org Wed Jun 11 19:43:07 2014 From: Bryan.Laurila at dchs.org (Bryan Laurila) Date: Wed, 11 Jun 2014 13:43:07 -0500 Subject: Rechnung offline Spam In-Reply-To: <53985C9D.3040406@gmail.com> References: <53985C9D.3040406@gmail.com> Message-ID: <462D865B978B49479822BC40268BCC820CFB9D27@mail.dchs.local> From what I have read, when writing custom rules these lines should be added to the /etc/mail/spamassassin/local.cf file. Below is an example of one of my custom rules to subtract 2.0 from the spam score for messages coming through our mail encryption service. You may want to consider "ALL" instead of just "Subject" in your test line for broader coverage but I believe that your syntax is correct. # #Subtract 2.0 from Spam Score for any ZIX processed message header ZIX_MESSAGE ALL =~ /zixvpm/ score ZIX_MESSAGE -2.0 -2.0 -2.0 -2.0 describe ZIX_MESSAGE Lower Score of ZIX Messages # See also: http://wiki.apache.org/spamassassin/WritingRules Bryan S. 
Laurila Senior Network Support Analyst Dickinson County Healthcare System -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Johan Hendriks Sent: Wednesday, June 11, 2014 8:42 AM To: MailScanner List (mailscanner at lists.mailscanner.info) Subject: Rechnung offline Spam Hello all. I am trying to stop some spam but it seems MailScanner just lets them pass... It is about mail with the following Subject. RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728) So i made a custum.cf file with the following header TELECOM_SUBJECT Subject =~ /RechnungOnline/i score TELECOM_SUBJECT 5.1 describe TELECOM_SUBJECT Telekom spam Is my rule not ok, and is it looking for a subject ONLY with RechnungOnline ?? Secondly the mail contains a Trojan and that also is getting through? Could someone please help me. regards Johan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. As required by federal and state laws, you need to hold this information as privileged and confidential. This message may contain Protected Health Information (PHI). PHI is personal and sensitive information related to a person's health care. It is being emailed to you after appropriate authorization from the patient or under circumstances that do not require patient authorization. 
You, the recipient, are obligated to maintain it in a safe, secure and confidential manner. Re-disclosure without additional patient consent or as permitted by law is prohibited. Unauthorized re-disclosure or failure to maintain confidentiality could subject you to penalties described in federal and state law. If you are not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any disclosure, copying or distribution of this information is Strictly Prohibited. If you have received this communication in error, please notify the sender and destroy all copies of this communication and any attachments. Dickinson County Healthcare System, 1721 S. Stephenson Ave. Iron Mountain, MI 49801, www.dchs.org -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140611/a41bdf14/attachment.html From mailscanner at joolee.nl Wed Jun 11 21:07:26 2014 From: mailscanner at joolee.nl (Joolee) Date: Wed, 11 Jun 2014 22:07:26 +0200 Subject: Rechnung offline Spam In-Reply-To: <462D865B978B49479822BC40268BCC820CFB9D27@mail.dchs.local> References: <53985C9D.3040406@gmail.com> <462D865B978B49479822BC40268BCC820CFB9D27@mail.dchs.local> Message-ID: Also notice that your spamassassin folder probably has a special configuration file to be used by MailScanner. You can identify this file by examining the symbolic link in the configuration folder for MailScanner. On 11 June 2014 20:43, Bryan Laurila wrote: > From what I have read, when writing custom rules these lines should be > added to the /etc/mail/spamassassin/local.cf file. Below is an example > of one of my custom rules to subtract 2.0 from the spam score for messages > coming through our mail encryption service. You may want to consider > "ALL" instead of just "Subject" in your test line for broader coverage > but I believe that your syntax is correct. 
> > # > > #Subtract 2.0 from Spam Score for any ZIX processed message > > header ZIX_MESSAGE ALL =~ /zixvpm/ > > score ZIX_MESSAGE -2.0 -2.0 -2.0 -2.0 > > describe ZIX_MESSAGE Lower Score of ZIX Messages > > # > > See also: *http://wiki.apache.org/spamassassin/WritingRules* > > > Bryan S. Laurila > > Senior Network Support Analyst > > Dickinson County Healthcare System > > -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info [ > mailto:mailscanner-bounces at lists.mailscanner.info > ] On Behalf Of Johan Hendriks > Sent: Wednesday, June 11, 2014 8:42 AM > To: MailScanner List (mailscanner at lists.mailscanner.info) > Subject: Rechnung offline Spam > > Hello all. > > I am trying to stop some spam but it seems MailScanner just lets them > pass... > > It is about mail with the following Subject. > > RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728) > > So i made a custum.cf file with the following > > header TELECOM_SUBJECT Subject =~ /RechnungOnline/i > > score TELECOM_SUBJECT 5.1 > > describe TELECOM_SUBJECT Telekom spam > > Is my rule not ok, and is it looking for a subject ONLY with > RechnungOnline ?? > > Secondly the mail contains a Trojan and that also is getting through? > > Could someone please help me. > > regards > > Johan > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > * Confidentiality Notice: * > > This e-mail communication and any attachments may contain confidential > and privileged information for the use of the designated recipients named > above. If you are not the intended recipient, you are hereby notified that > you have received this communication in error and that any review, > disclosure, dissemination, distribution or copying of it or its contents is > prohibited. 
As required by federal and state laws, you need to hold this > information as privileged and confidential. > > This message may contain Protected Health Information (PHI). PHI is > personal and sensitive information related to a person's health care. It > is being emailed to you after appropriate authorization from the patient or > under circumstances that do not require patient authorization. You, the > recipient, are obligated to maintain it in a safe, secure and confidential > manner. Re-disclosure without additional patient consent or as permitted > by law is prohibited. Unauthorized re-disclosure or failure to maintain > confidentiality could subject you to penalties described in federal and > state law. > > If you are not the intended recipient, or the employee or agent > responsible to deliver it to the intended recipient, you are hereby > notified that any disclosure, copying or distribution of this information > is *Strictly Prohibited*. If you have received this communication in > error, please notify the sender and destroy all copies of this > communication and any attachments. > > Dickinson County Healthcare System, 1721 S. Stephenson Ave. Iron > Mountain, MI 49801, www.dchs.org > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140611/3323dbed/attachment.html From joh.hendriks at gmail.com Thu Jun 12 10:08:02 2014 From: joh.hendriks at gmail.com (Johan Hendriks) Date: Thu, 12 Jun 2014 11:08:02 +0200 Subject: Rechnung offline Spam In-Reply-To: References: <53985C9D.3040406@gmail.com> <462D865B978B49479822BC40268BCC820CFB9D27@mail.dchs.local> Message-ID: <53996DF2.5030605@gmail.com> op 11-06-14 22:07, Joolee schreef: > Also notice that your spamassassin folder probably has a special > configuration file to be used by MailScanner. You can identify this > file by examining the symbolic link in the configuration folder for > MailScanner. > > On 11 June 2014 20:43, Bryan Laurila > wrote: > > From what I have read,when writing custom rules these lines should > be added to the /etc/mail/spamassassin/local.cf > file. Below is an example of one of my custom rules to subtract > 2.0 from the spam score for messages coming through our mail > encryption service. You may want to consider "ALL" instead of > just "Subject" in your test linefor broader coveragebut I believe > that your syntax is correct. > > # > > #Subtract 2.0 from Spam Score for any ZIX processed message > > header ZIX_MESSAGE ALL =~ /zixvpm/ > > score ZIX_MESSAGE -2.0 -2.0 -2.0 -2.0 > > describe ZIX_MESSAGE Lower Score of ZIX Messages > > # > > See also:_http://wiki.apache.org/spamassassin/WritingRules_ > > Bryan S. Laurila > > Senior Network Support Analyst > > Dickinson County Healthcare System > > -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info > > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of > Johan Hendriks > Sent: Wednesday, June 11, 2014 8:42 AM > To: MailScanner List (mailscanner at lists.mailscanner.info > ) > Subject: Rechnung offline Spam > > Hello all. > > I am trying to stop some spam but it seems MailScanner just lets > them pass... > > It is about mail with the following Subject. 
> > RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728) > > So i made a custum.cf file with the following > > > header TELECOM_SUBJECT Subject =~ /RechnungOnline/i > > score TELECOM_SUBJECT 5.1 > > describe TELECOM_SUBJECT Telekom spam > > > Is my rule not ok, and is it looking for a subject ONLY with > RechnungOnline ?? > > Secondly the mail contains a Trojan and that also is getting through? > > Could someone please help me. > > regards > > Johan > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, readhttp://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > *Confidentiality Notice: * > > This e-mail communication and any attachments may contain > confidential and privileged information for the use of the > designated recipients named above. If you are not the intended > recipient, you are hereby notified that you have received this > communication in error and that any review, disclosure, > dissemination, distribution or copying of it or its contents is > prohibited. As required by federal and state laws, you need to > hold this information as privileged and confidential. > > This message may contain Protected Health Information (PHI). PHI > is personal and sensitive information related to a person's health > care. It is being emailed to you after appropriate authorization > from the patient or under circumstances that do not require > patient authorization. You, the recipient, are obligated to > maintain it in a safe, secure and confidential manner. > Re-disclosure without additional patient consent or as permitted > by law is prohibited. Unauthorized re-disclosure or failure to > maintain confidentiality could subject you to penalties described > in federal and state law. 
> > If you are not the intended recipient, or the employee or agent > responsible to deliver it to the intended recipient, you are > hereby notified that any disclosure, copying or distribution of > this information is *Strictly Prohibited*. If you have received > this communication in error, please notify the sender and destroy > all copies of this communication and any attachments. > > Dickinson County Healthcare System, 1721 S. Stephenson Ave. Iron > Mountain, MI 49801, www.dchs.org > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > Thank you for the reply's I will look into it a little more. regards Johan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140612/4a4593cb/attachment.html From holger at gebhardweb.de Fri Jun 13 10:06:06 2014 From: holger at gebhardweb.de (Holger Gebhard) Date: Fri, 13 Jun 2014 11:06:06 +0200 Subject: AW: Rechnung offline Spam In-Reply-To: <53985C9D.3040406@gmail.com> References: <53985C9D.3040406@gmail.com> Message-ID: <000e01cf86e6$b5e49410$21adbc30$@gebhardweb.de> Hi Johan, this is my current anti-phishing rule for the telekom spams. If the spammers change the messages from time to time you must tweak the regex a little bit. 

header __PHISHING_TXT_14060401 Subject =~ /RechnungOnline Monat/i
body __PHISHING_TXT_14060402 /(?:als Anlage (?:ist|erhalten Sie)|diese Nachricht finden Sie) die Rechnung \d+ als PDF.{1,5}(?:Datei|Anhang)/i
body __PHISHING_TXT_14060403 /rechnung(?:_|-)(?:januar|februar|m.rz|april|mai|juni|juli|august|september|oktober|november|dezember)((?:_|-)201\d)?(?:_|-)(?:\d|-)+((?:_|-)sign?)?\.zip/i
meta TELEKOM_PHISHING_01 (__PHISHING_TXT_14060401 && __PHISHING_TXT_14060402 && __PHISHING_TXT_14060403)
score TELEKOM_PHISHING_01 5.0
describe TELEKOM_PHISHING_01 Typical phishing message parts

Best regards
Holger

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Johan Hendriks
Sent: Wednesday, 11 June 2014 15:42
To: MailScanner List (mailscanner at lists.mailscanner.info)
Subject: Rechnung offline Spam

Hello all.

I am trying to stop some spam but it seems MailScanner just lets them pass...

It is about mail with the following Subject.

RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728)

So i made a custum.cf file with the following

header TELECOM_SUBJECT Subject =~ /RechnungOnline/i
score TELECOM_SUBJECT 5.1
describe TELECOM_SUBJECT Telekom spam

Is my rule not ok, and is it looking for a subject ONLY with RechnungOnline ??

Secondly the mail contains a Trojan and that also is getting through?

Could someone please help me.

regards
Johan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
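
Johan's question about what his Subject rule matches, and the meta rule in the reply above, worked through as an added example (not code from any list member or from SpamAssassin): a small Python model of header/body/meta evaluation run over constructed messages. It parses only the rule forms used in this thread; the message bodies, the sender address and the second Subject are constructed, and the long regex is written on one line.

```python
import re
from email import message_from_string

# Rules as posted in the thread; the mail-wrapped third regex is joined onto one line.
RULES_CF = r"""
header TELECOM_SUBJECT Subject =~ /RechnungOnline/i
score  TELECOM_SUBJECT 5.1
header __PHISHING_TXT_14060401 Subject =~ /RechnungOnline Monat/i
body   __PHISHING_TXT_14060402 /(?:als Anlage (?:ist|erhalten Sie)|diese Nachricht finden Sie) die Rechnung \d+ als PDF.{1,5}(?:Datei|Anhang)/i
body   __PHISHING_TXT_14060403 /rechnung(?:_|-)(?:januar|februar|m.rz|april|mai|juni|juli|august|september|oktober|november|dezember)((?:_|-)201\d)?(?:_|-)(?:\d|-)+((?:_|-)sign?)?\.zip/i
meta   TELEKOM_PHISHING_01 (__PHISHING_TXT_14060401 && __PHISHING_TXT_14060402 && __PHISHING_TXT_14060403)
score  TELEKOM_PHISHING_01 5.0
"""

def mail(subject, body):
    """Build a constructed sample message (not real mail); the sender is a placeholder."""
    return f"From: sender@example.invalid\nSubject: {subject}\n\n{body}\n"

INVOICE_SUBJECT = "RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728)"  # from the thread
PHISH = mail(INVOICE_SUBJECT, "Guten Tag, als Anlage erhalten Sie die Rechnung 1234567 "
             "als PDF-Datei.\nRechnung_Juni_2014_0123456789_sign.zip")
SAME_SUBJECT_ONLY = mail(INVOICE_SUBJECT, "Ihre Rechnung steht im Kundencenter bereit.")
MENTION_ONLY = mail("Re: Frage zu RechnungOnline", "Wo finde ich das im Kundencenter?")

def compile_re(spec):
    """Turn '/pattern/flags' into a compiled regex (only the i flag is modelled)."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", spec.strip())
    if not m:
        raise ValueError(f"not a /regex/: {spec!r}")
    return re.compile(m.group(1), re.I if "i" in m.group(2) else 0)

def parse_rules(text):
    """Parse header/body/meta/score lines; comments and other directives are skipped."""
    tests, scores = {}, {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        kind, name, rest = parts
        if kind == "header":
            hdr, regex = rest.split("=~", 1)
            tests[name] = ("header", hdr.strip(), compile_re(regex))
        elif kind == "body":
            tests[name] = ("body", None, compile_re(rest))
        elif kind == "meta":
            tests[name] = ("meta", None, rest)
        elif kind == "score":
            scores[name] = float(rest.split()[0])  # first of up to four values
    return tests, scores

def eval_meta(expr, hits):
    """Evaluate a meta expression built from rule names, &&, ||, ! and parentheses."""
    tokens = re.findall(r"&&|\|\||[()!]|\w+", expr)
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "!":
            return not atom()
        if tok == "(":
            val = either()
            take()  # closing parenthesis
            return val
        return tok in hits

    def chain(op, operand):
        val = operand()
        while pos < len(tokens) and tokens[pos] == op:
            take()
            rhs = operand()  # always parse the right-hand side, then combine
            val = (val and rhs) if op == "&&" else (val or rhs)
        return val
    def either():
        return chain("||", lambda: chain("&&", atom))
    return either()

def check(raw, tests, scores):
    """Return (sorted scored hits, total). Simplified: body is whitespace-joined text."""
    msg = message_from_string(raw)
    body = " ".join(msg.get_payload().split())
    hits = set()
    for name, (kind, hdr, rx) in tests.items():
        text = msg.get(hdr, "") if kind == "header" else body
        if kind != "meta" and rx.search(text):  # unanchored search, like =~ /.../
            hits.add(name)
    for name, (kind, _, expr) in tests.items():  # metas run after header/body tests
        if kind == "meta" and eval_meta(expr, hits):
            hits.add(name)
    scored = sorted(n for n in hits if not n.startswith("__"))  # __ sub-rules carry no score
    return scored, sum(scores.get(n, 1.0) for n in scored)

if __name__ == "__main__":
    tests, scores = parse_rules(RULES_CF)
    for label, raw in (("phish", PHISH), ("same subject", SAME_SUBJECT_ONLY), ("mention", MENTION_ONLY)):
        print(label, check(raw, tests, scores))
```

With these inputs the subject-only rule fires on all three messages, because its regex is unanchored, while the meta rule fires only on the first.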

From maillists at conactive.com Fri Jun 13 10:33:47 2014
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri, 13 Jun 2014 11:33:47 +0200
Subject: Rechnung offline Spam
In-Reply-To: <53985C9D.3040406@gmail.com>
References: <53985C9D.3040406@gmail.com>
Message-ID:

Johan Hendriks wrote on Wed, 11 Jun 2014 15:41:49 +0200:

> I am trying to stop some spam but it seems MailScanner just lets them
> pass...

Check if it hits. You can do this with SA --lint. If SA hits, then check if MS runs it with the same config. An easy check if your custom rule is in the right place (e.g. you are doing it the first time ...) is to place a deliberately *wrong* rule there and then run SA --lint. It should bark about it. e.g.

header whatever

alone should be sufficient to trigger a warning or even an error with SA. If it does you know it's in the right place, then do the same with MS.

If you put your .cf file in the SA rules directory (usually /etc/mail/spamassassin), then it will get picked up. There is no need to add it to another file.

Please note that the *real* invoices by Deutsche Telekom have the *same* subject!

A good way to identify this spam is to look for the mailer software (/^X-Mailer:.*Blat.*/ or /^X-MimeOLE:.*Produced by Blat.*/). This spam (also the big spam run in January) is getting sent from Windows zombies with the help of Blat (you could also look just for a specific version, I think it's always 3.1.1). So you can have a meta rule for them.

Also, if these messages (sometimes they come in really big quantities) pose a problem for your mail system you can enforce a (temporary) header check with postfix and reject them right away. Of course, this will reject legitimate mailing list mail sent by Blat as well (but it's rare). So, use it only as a temporary measure.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From holger at gebhardweb.de Fri Jun 13 11:05:35 2014
From: holger at gebhardweb.de (Holger Gebhard)
Date: Fri, 13 Jun 2014 12:05:35 +0200
Subject: WG: Rechnung offline Spam
In-Reply-To: <000e01cf86e6$b5e49410$21adbc30$@gebhardweb.de>
References: <53985C9D.3040406@gmail.com> <000e01cf86e6$b5e49410$21adbc30$@gebhardweb.de>
Message-ID: <001001cf86ef$05d0cef0$11726cd0$@gebhardweb.de>

Hi Johan,

the copy/paste destroyed my rule... The right rule is attached in a text now ;-)

Best regards
Holger

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Holger Gebhard
Sent: Friday, 13 June 2014 11:06
To: 'MailScanner discussion'
Subject: AW: Rechnung offline Spam

Hi Johan,

this is my current anti-phishing rule for the telekom spams. If the spammers change the messages from time to time you must tweak the regex a little bit.

header __PHISHING_TXT_14060401 Subject =~ /RechnungOnline Monat/i
body __PHISHING_TXT_14060402 /(?:als Anlage (?:ist|erhalten Sie)|diese Nachricht finden Sie) die Rechnung \d+ als PDF.{1,5}(?:Datei|Anhang)/i
body __PHISHING_TXT_14060403 /rechnung(?:_|-)(?:januar|februar|m.rz|april|mai|juni|juli|august|september| oktober|november|dezember)((?:_|-)201\d)?(?:_|-)(?:\d|-)+((?:_|-)sign?)? oktober|november|\.zi p/i
meta TELEKOM_PHISHING_01 (__PHISHING_TXT_14060401 && __PHISHING_TXT_14060402 && __PHISHING_TXT_14060403)
score TELEKOM_PHISHING_01 5.0
describe TELEKOM_PHISHING_01 Typical phishing message parts

Best regards
Holger

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Johan Hendriks
Sent: Wednesday, 11 June 2014 15:42
To: MailScanner List (mailscanner at lists.mailscanner.info)
Subject: Rechnung offline Spam

Hello all.
I am trying to stop some spam but it seems MailScanner just lets them pass...

It is about mail with the following Subject.
RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728)

So I made a custum.cf file with the following

header TELECOM_SUBJECT Subject =~ /RechnungOnline/i
score TELECOM_SUBJECT 5.1
describe TELECOM_SUBJECT Telekom spam

Is my rule not ok, and is it looking for a subject ONLY with RechnungOnline ??

Secondly the mail contains a Trojan and that also is getting through?

Could someone please help me.

regards
Johan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rule.txt
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140613/77bcd4c6/attachment.txt

From stef at aoc-uk.com Fri Jun 13 11:38:47 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 13 Jun 2014 10:38:47 +0000
Subject: Password protected zips into quarantine by ruleset
Message-ID: <92665C7597419742B19470DFA3D5BEA2091D2E7B@vonLipwig.aoc-uk.com>

Hi guys,

I'm struggling a bit with how MS deals with password protected zipfiles, so any of the below could be complete misinterpretation, feel free to correct my ignorance!

It seems to me that MS detects password protected zips by means of being informed by the virus scanner and then treating it as a virus, using the special keyword Zip-Password in various MailScanner.conf settings.

And then there is the

Allow Password-Protected Archives =

setting.

Somewhere in all this I would like to be able to have a ruleset which says for password protected zipfiles, I can allow them to pass (for users who get them all the time), quarantine (for users who get them occasionally), or default block.

And I can't for the life of me work out how to achieve this.

Can anyone advise?

Thanks

Stef

From joh.hendriks at gmail.com Fri Jun 13 12:18:07 2014
From: joh.hendriks at gmail.com (Johan Hendriks)
Date: Fri, 13 Jun 2014 13:18:07 +0200
Subject: Rechnung offline Spam
In-Reply-To:
References: <53985C9D.3040406@gmail.com>
Message-ID: <539ADDEF.8020908@gmail.com>

On 13-06-14 11:33, Kai Schaetzl wrote:
> Johan Hendriks wrote on Wed, 11 Jun 2014 15:41:49 +0200:
>
>> I am trying to stop some spam but it seems MailScanner just lets them
>> pass...
> Check if it hits. You can do this with SA --lint. If SA hits, then check
> if MS runs it with the same config. An easy check if your custom rule is
> in the right place (e.g. you are doing it the first time ...) is to place
> a deliberately *wrong* rule there and then run SA --lint. It should bark
> about it. e.g.
>
> header whatever
>
> alone should be sufficient to trigger a warning or even an error with SA.
> If it does you know it's in the right place, then do the same with MS.
>
> If you put your .cf file in the SA rules directory (usually
> /etc/mail/spamassassin), then it will get picked up. There is no need to
> add it to another file.
>
> Please note, that the *real* invoices by Deutsche Telekom have the *same*
> subject!
>
> A good way to identify this spam is to look for the mailer software
> (/^X-Mailer:.*Blat.*/ or /^X-MimeOLE:.*Produced by Blat.*/). This spam (also
> the big spam run in January) is getting sent from Windows zombies with the
> help of Blat (you could also look just for a specific version, I think
> it's always 3.1.1). So you can have a meta rule for them.
>
> Also, if these messages (sometimes they come in really big quantities)
> pose a problem for your mail system you can enforce a (temporary) header
> check with postfix and reject them right-away. Of course, this will reject
> legitimate mailing list mail sent by Blat as well (but it's rare). So, use
> it only as a temporary measure.
>
>
> Kai
>

Thanks for the answers again.. and Holger for the rules

I put the file in /usr/local/etc/mail/spamassassin/
If I make a mistake like you said spamassassin --lint indeed barks

spamassassin --lint
Jun 13 12:25:05.692 [72537] warn: config: SpamAssassin failed to parse line, no value provided for "header", skipping: header whatever
Jun 13 12:25:06.793 [72537] warn: lint: 1 issues detected, please rerun with debug enabled for more information

So spamassassin reads the rule

Mailscanner --lint does not show me much about spamassassin.
In the directory where I have the custum_rule.cf file there is also a file for the FuzzyOCR rules and that gets loaded also.

I will look and see if it all works now.

regards
Johan

From jerry.benton at mailborder.com Fri Jun 13 12:23:24 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 13 Jun 2014 13:23:24 +0200
Subject: Password protected zips into quarantine by ruleset
In-Reply-To: <92665C7597419742B19470DFA3D5BEA2091D2E7B@vonLipwig.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2091D2E7B@vonLipwig.aoc-uk.com>
Message-ID:

I created a sample in the Mailborder GUI.
This is what the MailScanner output looks like:

Allow Password-Protected Archives = %rules-dir%/pid6.rules

And the contents of pid6.rules:

# Built by Mailborder Systems
# Build Time: Fri, 13 Jun 14 13:19:27 +0200
# Mailborder version: 4.1.2 build: 1

# Custom object processing rules
From: support at mailborder.com yes

# Domain processing rules
FromOrTo: linuxref.com no

# Default for unmatched objects
FromOrTo: default no

-
Jerry Benton
www.mailborder.com

On Jun 13, 2014, at 12:38 PM, Stef Morrell wrote:

> Hi guys,
>
> I'm struggling a bit with how MS deals with password protected zipfiles, so any of the below could be complete misinterpretation, feel free to correct my ignorance!
>
> It seems to me that MS detects password protected zips by means of being informed by the virus scanner and then treating it as a virus, using the special keyword Zip-Password in various MailScanner.conf settings.
>
> And then there is the
>
> Allow Password-Protected Archives =
>
> setting.
>
> Somewhere in all this I would like to be able to have a ruleset which says for password protected zipfiles, I can allow them to pass (for users who get them all the time), quarantine (for users who get them occasionally), or default block.
>
> And I can't for the life of me work out how to achieve this.
>
> Can anyone advise?
>
> Thanks
>
> Stef

-------------- next part --------------
An HTML attachment was scrubbed...
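
Added example (not part of the thread, and not MailScanner or Mailborder code): a simplified Python model of the yes/no ruleset posted above as pid6.rules, which resolves the setting for one sender and one recipient and flags rules that let encrypted archives through too easily. The bare-domain matching, the handling of "default" as a fallback, and the built-in "no" are assumptions of this model, and the test addresses are constructed.

```python
"""Simplified model of a MailScanner yes/no ruleset (added example)."""
import fnmatch

# pid6.rules as posted above; the list archive shows "@" as " at ".
PID6_RULES = """\
# Custom object processing rules
From:     support@mailborder.com yes
# Domain processing rules
FromOrTo: linuxref.com no
# Default for unmatched objects
FromOrTo: default no
"""

DIRECTIONS = ("from", "to", "fromorto", "fromandto")


def parse_ruleset(text):
    """Return [(direction, pattern, value)] in file order, skipping comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        direction = fields[0].rstrip(":").lower()
        if len(fields) != 3 or direction not in DIRECTIONS:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        if fields[2].lower() not in ("yes", "no"):
            raise ValueError(f"line {lineno}: value must be yes or no")
        rules.append((direction, fields[1].lower(), fields[2].lower()))
    return rules


def _matches(pattern, address):
    # Assumption of this model: a pattern without "@" names a whole domain.
    if "@" not in pattern:
        pattern = "*@" + pattern
    return fnmatch.fnmatchcase(address.lower(), pattern)


def resolve(rules, sender, recipient, builtin="no"):
    """Value of the setting for one sender/recipient pair.

    Rules are tried in file order and the first hit wins; "default" is set
    aside and used only when nothing else matched (model assumption, as is
    the built-in value used when the file has no default).
    """
    fallback = builtin
    for direction, pattern, value in rules:
        if pattern == "default":
            fallback = value
            continue
        f, t = _matches(pattern, sender), _matches(pattern, recipient)
        hit = {"from": f, "to": t, "fromorto": f or t, "fromandto": f and t}
        if hit[direction]:
            return value
    return fallback


def audit(rules):
    """List the ways this ruleset allows encrypted archives too broadly."""
    findings = []
    defaults = [value for _, pattern, value in rules if pattern == "default"]
    if not defaults:
        findings.append("no default rule: unmatched mail gets the built-in value")
    elif "yes" in defaults:
        findings.append("default is yes: every unmatched message is allowed")
    for direction, pattern, value in rules:
        if value != "yes" or pattern == "default":
            continue
        if "@" not in pattern or "*" in pattern:
            findings.append(f"{direction}: {pattern} allows a whole domain or wildcard")
        elif direction in ("from", "fromorto"):
            findings.append(f"{direction}: {pattern} trusts a sender address, which can be forged")
    return findings


if __name__ == "__main__":
    rules = parse_ruleset(PID6_RULES)
    for pair in [("support@mailborder.com", "user@example.org"),
                 ("someone@linuxref.com", "user@example.org"),
                 ("stranger@example.net", "user@example.org")]:
        print(pair, "->", resolve(rules, *pair))
    print(audit(rules))
```

The single finding reported for pid6.rules is the sender-keyed "yes": an allow rule keyed on the recipient (To:) does not depend on a header the sender controls.
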
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140613/115c857e/attachment.html

From maxsec at gmail.com Fri Jun 13 12:29:44 2014
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 13 Jun 2014 12:29:44 +0100
Subject: Password protected zips into quarantine by ruleset
In-Reply-To: <92665C7597419742B19470DFA3D5BEA2091D2E7B@vonLipwig.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2091D2E7B@vonLipwig.aoc-uk.com>
Message-ID:

Check out the http://www.mailscanner.info/MailScanner.conf.index.html#Silent%20Viruses setting

Personally I double check these as this is still a well used attack vector for the bad guys and every now and again you get a sudden increase of the stupid things.

--
Martin Hepworth, CISSP
Oxford, UK

On 13 June 2014 11:38, Stef Morrell wrote:

> Hi guys,
>
> I'm struggling a bit with how MS deals with password protected zipfiles,
> so any of the below could be complete misinterpretation, feel free to
> correct my ignorance!
>
> It seems to me that MS detects password protected zips by means of being
> informed by the virus scanner and then treating it as a virus, using the
> special keyword Zip-Password in various MailScanner.conf settings.
>
> And then there is the
>
> Allow Password-Protected Archives =
>
> setting.
>
> Somewhere in all this I would like to be able to have a ruleset which says
> for password protected zipfiles, I can allow them to pass (for users who
> get them all the time), quarantine (for users who get them occasionally),
> or default block.
>
> And I can't for the life of me work out how to achieve this.
>
> Can anyone advise?
>
> Thanks
>
> Stef

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140613/db51e193/attachment.html

From Antony.Stone at mailscanner.open.source.it Fri Jun 13 12:55:23 2014
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Fri, 13 Jun 2014 13:55:23 +0200
Subject: Password protected zips into quarantine by ruleset
In-Reply-To: <92665C7597419742B19470DFA3D5BEA2091D2E7B@vonLipwig.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2091D2E7B@vonLipwig.aoc-uk.com>
Message-ID: <201406131355.23661.Antony.Stone@mailscanner.open.source.it>

On Friday 13 June 2014 at 12:38:47, Stef Morrell wrote:

> Hi guys,
>
> I'm struggling a bit with how MS deals with password protected zipfiles, so
> any of the below could be complete misinterpretation, feel free to correct
> my ignorance!
>
> It seems to me that MS detects password protected zips by means of being
> informed by the virus scanner and then treating it as a virus, using the
> special keyword Zip-Password in various MailScanner.conf settings.
>
> And then there is the
>
> Allow Password-Protected Archives =
>
> setting.
>
> Somewhere in all this I would like to be able to have a ruleset which says
> for password protected zipfiles, I can allow them to pass (for users who
> get them all the time), quarantine (for users who get them occasionally),
> or default block.
>
> And I can't for the life of me work out how to achieve this.
>
> Can anyone advise?

Well, that setting can be a ruleset, so for Allow=yes/no for different users, you could try:

Allow Password-Protected Archives = %rules-dir%/passprotarchive.rules

and then inside passprotarchive.rules:

To: safeuser1 at mydomain.tld yes
To: safeuser2 at myother.tld yes
FromOrTo: default no

I can't think of a way to do your 3-way choice (yes for some, quarantine for others, no by default), but this should at least give you a 2-way choice.

Regards,

Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.
Please reply to the list; please don't CC me.

From stef at aoc-uk.com Fri Jun 13 13:42:45 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 13 Jun 2014 12:42:45 +0000
Subject: Password protected zips into quarantine by ruleset
In-Reply-To: <4c4c347a-59c3-4a8f-ab97-90aa1bde1927@VONLIPWIG.aoc-uk.com>
References: <4c4c347a-59c3-4a8f-ab97-90aa1bde1927@VONLIPWIG.aoc-uk.com>
Message-ID: <92665C7597419742B19470DFA3D5BEA2091D2EDB@vonLipwig.aoc-uk.com>

Thanks for the thoughts guys.

Martin - Silent Viruses refers to sender notifications.
Jerry/Antony - I can get as far as yes/no config.

If it comes down to it, I can live with quarantining them all, as this is the highest priority requirement.

So, if the 3-way choice I would prefer is unavailable, how can I quarantine them?

From Antony.Stone at mailscanner.open.source.it Fri Jun 13 14:43:04 2014
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Fri, 13 Jun 2014 15:43:04 +0200
Subject: Password protected zips into quarantine by ruleset
In-Reply-To: <92665C7597419742B19470DFA3D5BEA2091D2EDB@vonLipwig.aoc-uk.com>
References: <4c4c347a-59c3-4a8f-ab97-90aa1bde1927@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA2091D2EDB@vonLipwig.aoc-uk.com>
Message-ID: <201406131543.04213.Antony.Stone@mailscanner.open.source.it>

On Friday 13 June 2014 at 14:42:45, Stef Morrell wrote:

> Thanks for the thoughts guys.
>
> Martin - Silent Viruses refers to sender notifications.
> Jerry/Antony - I can get as far as yes/no config.
>
> If it comes down to it, I can live with quarantining them all, as this is
> the highest priority requirement.
>
> So, if the 3-way choice I would prefer is unavailable, how can I quarantine
> them?

I think http://lists.mailscanner.info/pipermail/mailscanner/2009-August/093051.html contains the clue:

Add "Zip-Password" to the setting for "Non-Forging Viruses".

That should apparently then make them get quarantined.

Regards,

Antony.

--
It is also possible that putting the birds in a laboratory setting inadvertently renders them relatively incompetent.

- Daniel C Dennett

Please reply to the list; please don't CC me.

From stef at aoc-uk.com Fri Jun 13 14:58:31 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 13 Jun 2014 13:58:31 +0000
Subject: Password protected zips into quarantine by ruleset
In-Reply-To:
References: <4c4c347a-59c3-4a8f-ab97-90aa1bde1927@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA2091D2EDB@vonLipwig.aoc-uk.com>
Message-ID: <92665C7597419742B19470DFA3D5BEA2091D3065@vonLipwig.aoc-uk.com>

On 13 June 2014 14:43 Antony Stone wrote:
> On Friday 13 June 2014 at 14:42:45, Stef Morrell wrote:
> > So, if the 3-way choice I would prefer is unavailable, how can I quarantine
> > them?
>
> I think http://lists.mailscanner.info/pipermail/mailscanner/2009-August/093051.html
> contains the clue:
>
> Add "Zip-Password" to the setting for "Non-Forging Viruses".
>
> That should apparently then make them get quarantined.

Your google-fu is stronger than mine :)

So, if I'm reading that correctly by having Zip-Password in the Non-Forging Viruses it will change the behaviour of the yes/no ruleset for "Allow Password-Protected Archives" from allow/block to allow/quarantine.

And I could live with that - but would someone be kind enough to check my work? It's Friday afternoon and I have brain strain.

From jerry.benton at mailborder.com Sun Jun 15 19:27:32 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sun, 15 Jun 2014 20:27:32 +0200
Subject: Need Updated Install Guides
Message-ID:

I am creating the new MailScanner wiki on Github. As you can imagine, some of the guides are out of date. I am not an expert in Gentoo, SUSE or Free BSD and could use some help with the install guides for these two operating systems.
The current guides are here:

Free BSD
http://www.mailscanner.info/FreeBSD.html

SUSE and Others
http://wiki.mailscanner.info/doku.php?id=&idx=documentation:install_upgrade:install

I will be writing the Debian, Ubuntu, Red Hat, CentOS guides. I will also be including an install script that will help with installing prerequisites and updating various system settings. If someone else could do the same for the other operating systems, I would appreciate the help.

-
Jerry Benton
www.mailborder.com

From jerry.benton at mailborder.com Sun Jun 15 20:00:20 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sun, 15 Jun 2014 21:00:20 +0200
Subject: Need Web Developer Volunteer for MailScanner
Message-ID:

I have had revamping the MailScanner website on the back burner for a while. If someone is willing, we need a basic template using Bootstrap 3 and jQuery. The current MailScanner site is static HTML, and we are going to leave it that way for now. For the foreseeable future we are going to use resources on Github for collaboration, so www.mailscanner.info will mostly be informational with download links, etc.

Example base template:
http://getbootstrap.com/examples/navbar-fixed-top/

Components
- Fixed navbar (like the example page)
- Sticky footer
- Scroll to top (bottom right)

Theme
- Grey, white, some yellow.
- I have the images (eps, etc.), which Jules wants me to keep private. Just use placeholders until deployment.

Content
- Main page:
  • general description, etc.
  • a block for Jules' online shop items
  • Quick links for install, guides
  • News Release
- Documentation page (mostly links)
- Support (see current site)
- Other items you might think relevant

If I can get a volunteer, that would be great. However, if you volunteer I ask that you be timely and responsive.

-
Jerry Benton
www.mailborder.com

From mailinglist at mindconnect.nl Mon Jun 16 00:17:58 2014
From: mailinglist at mindconnect.nl (Martijn)
Date: Mon, 16 Jun 2014 01:17:58 +0200
Subject: Difference in MailScanner behaviour between Ubuntu 10.04 LTS and 12.04 LTS
Message-ID: <539E29A6.8000904@mindconnect.nl>

I'm running tests for upgrading a system to a newer version of Ubuntu LTS, and during my tests I found a difference in behaviour between the MailScanner I have on 10.04 LTS and the one that's on 12.04 LTS.

The 12.04 LTS system is an upgraded install of a copy of the 10.04 LTS install. MailScanner version is: 4.84.5 from the apt.baruwa.org repository, both before and after the upgrade.

The MailScanner configuration between the two systems is completely identical. MailScanner --debug --lint shows no issues.

I've found two separate issues:

Issue #1: The install on 10.04 doesn't send blocked filename notifications but the install on 12.04 does.

Deny Filenames list is configured as:
Deny Filenames = \.com$ \.exe$ \.msi$ \.pif$ \.bat$ \.cpl$ \.vbs$ \.vb$ \.scr$ \.dll$ \.reg$

And:
Notify Senders Of Blocked Filenames Or Filetypes = yes

On 10.04, when sending an eicar test file, the mail is considered to contain a virus and therefore deleted. No notification mail is sent, although the configuration would suggest it should.
The logs say this:

New Batch: Scanning 1 messages, 1965 bytes
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./DECEF36C443.ACC6F/
Virus Scanning: Clamd found 1 infections
Infected message DECEF36C443.ACC6F came from 195.241.145.230
Virus Scanning: Found 1 viruses
Virus Scanning completed at 10980 bytes per second
Saved entire message to /var/spool/MailScanner/quarantine/20140616/DECEF36C443.ACC6F
Spam Checks: Starting
Message DECEF36C443.ACC6F from 195.241.145.230 (victim at testdomain.ext) to testdomain.ext is not spam, SpamAssassin (not cached, score=-3.228, required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL -0.33, BAYES_00 -1.90)
Spam Checks completed at 271 bytes per second
Cleaned: Delivered 1 cleaned messages
Deleted 1 messages from processing-database
Batch completed at 264 bytes per second (1965 / 7)
Batch (1 message) processed in 7.42 seconds

After upgrading to 12.04, the difference in behaviour is that MailScanner now suddenly DOES send a notification message to notify of a deleted attachment.
The log now has this:

New Batch: Scanning 1 messages, 1841 bytes
Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./7CE27442AE.AFD34/
Virus Scanning: Clamd found 1 infections
Infected message 7CE27442AE.AFD34 came from 10.0.3.2
Virus Scanning: Found 1 viruses
Virus Scanning completed at 2784 bytes per second
Saved entire message to /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
Saved infected "eicar.com" to /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
Spam Checks: Starting
Expired 1 records from the SpamAssassin cache
Message 7CE27442AE.AFD34 from 10.0.3.2 (victim at testdomain.ext) to testdomain.ext is not spam, SpamAssassin (not cached, score=-0.879, required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.12)
Spam Checks completed at 209 bytes per second
Requeue: 7CE27442AE.AFD34 to 0BD61442B7
Cleaned: Delivered 1 cleaned messages
Virus Processing completed at 3872 bytes per second
Deleted 1 messages from processing-database
Batch completed at 185 bytes per second (1841 / 9)
Batch (1 message) processed in 9.92 seconds

Notice the "Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com)". This notice wasn't there on 10.04 LTS.

Question: does anyone know what the cause of this difference in behaviour is, as the MailScanner version and configuration are the same?

Issue #2:
So, notifications are sent on 12.04, but:
The option called "Notify Senders Of Blocked Filenames Or Filetypes" doesn't send a notification to the sender. It sends the notification to the _receiver_ of the message.

Questions: Is this expected behaviour and should all those options actually be called 'Notify Recipient *' or am I missing something here ;-)

Thanks,
- Martijn

From jerry.benton at mailborder.com Mon Jun 16 00:58:29 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 16 Jun 2014 01:58:29 +0200
Subject: Difference in MailScanner behaviour between Ubuntu 10.04 LTS and 12.04 LTS
In-Reply-To: <539E29A6.8000904@mindconnect.nl>
References: <539E29A6.8000904@mindconnect.nl>
Message-ID: <187B427A-B212-4C78-A58C-3DC52C4017E1@mailborder.com>

Did you add the -U option to your /usr/sbin/MailScanner?

#!/usr/bin/perl -U -I/usr/share/MailScanner/

-
Jerry Benton
www.mailborder.com

On Jun 16, 2014, at 1:17 AM, Martijn wrote:

> I'm running tests for upgrading a system to a newer version of Ubuntu
> LTS, and during my tests I found a difference in behaviour between the
> MailScanner I have on 10.04 LTS and the one that's on 12.04 LTS.
>
> The 12.04 LTS system is an upgraded install of a copy of the 10.04 LTS
> install. MailScanner version is: 4.84.5 from the apt.baruwa.org
> repository, both before and after the upgrade.
>
> The MailScanner configuration between the two systems is completely
> identical. MailScanner --debug --lint shows no issues.
>
>
> I've found two separate issues:
>
> Issue #1: The install on 10.04 doesn't send blocked filename
> notifications but the install on 12.04 does.
>
> Deny Filenames list is configured as:
> Deny Filenames = \.com$ \.exe$ \.msi$ \.pif$ \.bat$ \.cpl$ \.vbs$ \.vb$
> \.scr$ \.dll$ \.reg$
>
> And:
> Notify Senders Of Blocked Filenames Or Filetypes = yes
>
> On 10.04, when sending an eicar test file, the mail is considered to
> contain a virus and therefore deleted. No notification mail is sent,
> although the configuration would suggest it should.
> The logs say this:
>
> New Batch: Scanning 1 messages, 1965 bytes
> Virus and Content Scanning: Starting
> Clamd::INFECTED::Eicar-Test-Signature :: ./DECEF36C443.ACC6F/
> Virus Scanning: Clamd found 1 infections
> Infected message DECEF36C443.ACC6F came from 195.241.145.230
> Virus Scanning: Found 1 viruses
> Virus Scanning completed at 10980 bytes per second
> Saved entire message to
> /var/spool/MailScanner/quarantine/20140616/DECEF36C443.ACC6F
> Spam Checks: Starting
> Message DECEF36C443.ACC6F from 195.241.145.230 (victim at testdomain.ext)
> to testdomain.ext is not spam, SpamAssassin (not cached, score=-3.228,
> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL -0.33, BAYES_00
> -1.90)
> Spam Checks completed at 271 bytes per second
> Cleaned: Delivered 1 cleaned messages
> Deleted 1 messages from processing-database
> Batch completed at 264 bytes per second (1965 / 7)
> Batch (1 message) processed in 7.42 seconds
>
> After upgrading to 12.04, the difference in behaviour is that
> MailScanner now suddenly DOES send a notification message to notify of
> a deleted attachment. The log now has this:
>
> New Batch: Scanning 1 messages, 1841 bytes
> Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::INFECTED::Eicar-Test-Signature :: ./7CE27442AE.AFD34/
> Virus Scanning: Clamd found 1 infections
> Infected message 7CE27442AE.AFD34 came from 10.0.3.2
> Virus Scanning: Found 1 viruses
> Virus Scanning completed at 2784 bytes per second
> Saved entire message to
> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
> Saved infected "eicar.com" to
> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
> Spam Checks: Starting
> Expired 1 records from the SpamAssassin cache
> Message 7CE27442AE.AFD34 from 10.0.3.2 (victim at testdomain.ext) to
> testdomain.ext is not spam, SpamAssassin (not cached, score=-0.879,
> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.12)
> Spam Checks completed at 209 bytes per second
> Requeue: 7CE27442AE.AFD34 to 0BD61442B7
> Cleaned: Delivered 1 cleaned messages
> Virus Processing completed at 3872 bytes per second
> Deleted 1 messages from processing-database
> Batch completed at 185 bytes per second (1841 / 9)
> Batch (1 message) processed in 9.92 seconds
>
> Notice the "Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34
> eicar.com)". This notice wasn't there on 10.04 LTS.
>
> Question: does anyone know what the cause of this difference in
> behaviour is, as the MailScanner version and configuration are the same?
>
> Issue #2:
> So, notifications are sent on 12.04, but:
> The option called "Notify Senders Of Blocked Filenames Or Filetypes"
> doesn't send a notification to the sender. It sends the notification to
> the _receiver_ of the message.
>
> Questions: Is this expected behaviour and should all those options
> actually be called 'Notify Recipient *' or am I missing something here ;-)
>
> Thanks,
> - Martijn

From mailinglist at mindconnect.nl Mon Jun 16 08:52:07 2014
From: mailinglist at mindconnect.nl (Martijn)
Date: Mon, 16 Jun 2014 09:52:07 +0200
Subject: Difference in MailScanner behaviour between Ubuntu 10.04 LTS and 12.04 LTS
In-Reply-To: <187B427A-B212-4C78-A58C-3DC52C4017E1@mailborder.com>
References: <539E29A6.8000904@mindconnect.nl> <187B427A-B212-4C78-A58C-3DC52C4017E1@mailborder.com>
Message-ID: <539EA227.1040702@mindconnect.nl>

I checked, and -U is not added to /usr/sbin/MailScanner. The file now starts with:

#!/usr/bin/perl -I/usr/share/MailScanner/

Are you saying the -U is needed for MailScanner to work properly on 10.04, or for both 10.04 and 12.04? Perl on 10.04 is version 5.10.x and on 12.04 it's 5.14.x. I wasn't aware that the packages from the Baruwa repository needed changes after installation.

Thanks,
- Martijn

On 16-6-2014 1:58, Jerry Benton wrote:
> Did you add the -U option to your /usr/sbin/MailScanner?
>
> #!/usr/bin/perl -U -I/usr/share/MailScanner/
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
> On Jun 16, 2014, at 1:17 AM, Martijn wrote:
>
>> I'm running tests for upgrading a system to a newer version of Ubuntu
>> LTS, and during my tests I found a difference in behaviour between the
>> MailScanner I have on 10.04 LTS and the one that's on 12.04 LTS.
>>
>> The 12.04 LTS system is an upgraded install of a copy of the 10.04 LTS
>> install. MailScanner version is: 4.84.5 from the apt.baruwa.org
>> repository, both before and after the upgrade.
>>
>> The MailScanner configuration between the two systems is completely
>> identical. MailScanner --debug --lint shows no issues.
>>
>>
>> I've found two separate issues:
>>
>> Issue #1: The install on 10.04 doesn't send blocked filename
>> notifications but the install on 12.04 does.
>>
>> Deny Filenames list is configured as:
>> Deny Filenames = \.com$ \.exe$ \.msi$ \.pif$ \.bat$ \.cpl$ \.vbs$ \.vb$
>> \.scr$ \.dll$ \.reg$
>>
>> And:
>> Notify Senders Of Blocked Filenames Or Filetypes = yes
>>
>> On 10.04, when sending an eicar test file, the mail is considered to
>> contain a virus and therefore deleted. No notification mail is sent,
>> although the configuration would suggest it should. The logs say this:
>>
>> New Batch: Scanning 1 messages, 1965 bytes
>> Virus and Content Scanning: Starting
>> Clamd::INFECTED::Eicar-Test-Signature :: ./DECEF36C443.ACC6F/
>> Virus Scanning: Clamd found 1 infections
>> Infected message DECEF36C443.ACC6F came from 195.241.145.230
>> Virus Scanning: Found 1 viruses
>> Virus Scanning completed at 10980 bytes per second
>> Saved entire message to
>> /var/spool/MailScanner/quarantine/20140616/DECEF36C443.ACC6F
>> Spam Checks: Starting
>> Message DECEF36C443.ACC6F from 195.241.145.230 (victim at testdomain.ext)
>> to testdomain.ext is not spam, SpamAssassin (not cached, score=-3.228,
>> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL -0.33, BAYES_00
>> -1.90)
>> Spam Checks completed at 271 bytes per second
>> Cleaned: Delivered 1 cleaned messages
>> Deleted 1 messages from processing-database
>> Batch completed at 264 bytes per second (1965 / 7)
>> Batch (1 message) processed in 7.42 seconds
>>
>> After upgrading to 12.04, the difference in behaviour is that
>> MailScanner now suddenly DOES send a notification message to notify of
>> a deleted attachment. The log now has this:
>>
>> New Batch: Scanning 1 messages, 1841 bytes
>> Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com)
>> Other Checks: Found 1 problems
>> Virus and Content Scanning: Starting
>> Clamd::INFECTED::Eicar-Test-Signature :: ./7CE27442AE.AFD34/
>> Virus Scanning: Clamd found 1 infections
>> Infected message 7CE27442AE.AFD34 came from 10.0.3.2
>> Virus Scanning: Found 1 viruses
>> Virus Scanning completed at 2784 bytes per second
>> Saved entire message to
>> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
>> Saved infected "eicar.com" to
>> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
>> Spam Checks: Starting
>> Expired 1 records from the SpamAssassin cache
>> Message 7CE27442AE.AFD34 from 10.0.3.2 (victim at testdomain.ext) to
>> testdomain.ext is not spam, SpamAssassin (not cached, score=-0.879,
>> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.12)
>> Spam Checks completed at 209 bytes per second
>> Requeue: 7CE27442AE.AFD34 to 0BD61442B7
>> Cleaned: Delivered 1 cleaned messages
>> Virus Processing completed at 3872 bytes per second
>> Deleted 1 messages from processing-database
>> Batch completed at 185 bytes per second (1841 / 9)
>> Batch (1 message) processed in 9.92 seconds
>>
>> Notice the "Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34
>> eicar.com)". This notice wasn't there on 10.04 LTS.
>>
>> Question: does anyone know what the cause of this difference in
>> behaviour is, as the MailScanner version and configuration are the same?
>>
>> Issue #2:
>> So, notifications are sent on 12.04, but:
>> The option called "Notify Senders Of Blocked Filenames Or Filetypes"
>> doesn't send a notification to the sender. It sends the notification to
>> the _receiver_ of the message.
>>
>> Questions: Is this expected behaviour and should all those options
>> actually be called 'Notify Recipient *' or am I missing something here ;-)
>>
>> Thanks,
>> - Martijn
>
>
>

From mailinglist at mindconnect.nl Mon Jun 16 10:45:10 2014
From: mailinglist at mindconnect.nl (Martijn)
Date: Mon, 16 Jun 2014 11:45:10 +0200
Subject: Difference in MailScanner behaviour between Ubuntu 10.04 LTS and 12.04 LTS
In-Reply-To: <187B427A-B212-4C78-A58C-3DC52C4017E1@mailborder.com>
References: <539E29A6.8000904@mindconnect.nl> <187B427A-B212-4C78-A58C-3DC52C4017E1@mailborder.com>
Message-ID: <539EBCA6.8080707@mindconnect.nl>

For the record: This install of MailScanner on Ubuntu 10.04 LTS has been functioning without any noticeable problems (except for the notification mails) or errors in the logs for about 2 years now, and that is without the perl -U switch.

Should I have noticed anything else with this parameter missing? This may lead to me writing more tests to ensure proper functioning.

Thanks,
- Martijn

On 16-6-2014 1:58, Jerry Benton wrote:
> Did you add the -U option to your /usr/sbin/MailScanner?
>
> #!/usr/bin/perl -U -I/usr/share/MailScanner/
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
> On Jun 16, 2014, at 1:17 AM, Martijn wrote:
>
>> I'm running tests for upgrading a system to a newer version of Ubuntu
>> LTS, and during my tests I found a difference in behaviour between the
>> MailScanner I have on 10.04 LTS and the one that's on 12.04 LTS.
>>
>> The 12.04 LTS system is an upgraded install of a copy of the 10.04 LTS
>> install. MailScanner version is: 4.84.5 from the apt.baruwa.org
>> repository, both before and after the upgrade.
>> >> The MailScanner configuration between the two systems is completely >> identical. MailScanner --debug --lint shows no issues. >> >> >> I've found two seperate issues: >> >> Issue #1: The install on 10.04 doesn't send blocked filename >> notifications but the install on 12.04 does. >> >> Deny Filenames list is configured as: >> Deny Filenames = \.com$ \.exe$ \.msi$ \.pif$ \.bat$ \.cpl$ \.vbs$ \.vb$ >> \.scr$ \.dll$ \.reg$ >> >> And: >> Notify Senders Of Blocked Filenames Or Filetypes = yes >> >> On 10.04, when sending an eicar test file, the mail is considered to >> contain a virus and therefor deleted. No notification mail is sent, >> although the configuration would suggest it should. The logs say this: >> >> New Batch: Scanning 1 messages, 1965 bytes >> Virus and Content Scanning: Starting >> Clamd::INFECTED::Eicar-Test-Signature :: ./DECEF36C443.ACC6F/ >> Virus Scanning: Clamd found 1 infections >> Infected message DECEF36C443.ACC6F came from 195.241.145.230 >> Virus Scanning: Found 1 viruses >> Virus Scanning completed at 10980 bytes per second >> Saved entire message to >> /var/spool/MailScanner/quarantine/20140616/DECEF36C443.ACC6F >> Spam Checks: Starting >> Message DECEF36C443.ACC6F from 195.241.145.230 (victim at testdomain.ext >> ) >> to testdomain.ext is not spam, SpamAssassin (not cached, score=-3.228, >> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL -0.33, BAYES_00 >> -1.90) >> Spam Checks completed at 271 bytes per second >> Cleaned: Delivered 1 cleaned messages >> Deleted 1 messages from processing-database >> Batch completed at 264 bytes per second (1965 / 7) >> Batch (1 message) processed in 7.42 seconds >> >> After upgrading to 12.04, the difference in behaviour is that >> MailScanner now suddenly DOES sends a notification message to notify of >> a deleted attachment. 
The log now has this: >> >> New Batch: Scanning 1 messages, 1841 bytes >> Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com >> ) >> Other Checks: Found 1 problems >> Virus and Content Scanning: Starting >> Clamd::INFECTED::Eicar-Test-Signature :: ./7CE27442AE.AFD34/ >> Virus Scanning: Clamd found 1 infections >> Infected message 7CE27442AE.AFD34 came from 10.0.3.2 >> Virus Scanning: Found 1 viruses >> Virus Scanning completed at 2784 bytes per second >> Saved entire message to >> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34 >> Saved infected "eicar.com " to >> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34 >> Spam Checks: Starting >> Expired 1 records from the SpamAssassin cache >> Message 7CE27442AE.AFD34 from 10.0.3.2 (victim at testdomain.ext >> ) to >> testdomain.ext is not spam, SpamAssassin (not cached, score=-0.879, >> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.12) >> Spam Checks completed at 209 bytes per second >> Requeue: 7CE27442AE.AFD34 to 0BD61442B7 >> Cleaned: Delivered 1 cleaned messages >> Virus Processing completed at 3872 bytes per second >> Deleted 1 messages from processing-database >> Batch completed at 185 bytes per second (1841 / 9) >> Batch (1 message) processed in 9.92 seconds >> >> Notice the "Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 >> eicar.com )". This notice wasn't there on 10.04 LTS. >> >> Question: does anyone know what the cause of this difference in >> behaviour is, as the MailScanner version and configuration are the same? >> >> Issue #2: >> So, notifications are sent on 12.04, but: >> The option called "Notify Senders Of Blocked Filenames Or Filetypes" >> doesn't send a notification to the sender. It sends the notification to >> the _receiver_ of the message. 
>> >> Questions: Is this expected behaviour and should all those options >> actually be called 'Notify Recipient *' or am I missing something here ;-) >> >> Thanks, >> - Martijn >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > > From jerry.benton at mailborder.com Mon Jun 16 12:28:15 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 16 Jun 2014 13:28:15 +0200 Subject: Difference in MailScanner behaviour between Ubuntu 10.04 LTS and 12.04 LTS In-Reply-To: <539EBCA6.8080707@mindconnect.nl> References: <539E29A6.8000904@mindconnect.nl> <187B427A-B212-4C78-A58C-3DC52C4017E1@mailborder.com> <539EBCA6.8080707@mindconnect.nl> Message-ID: It is after 5.10. http://lists.mailscanner.info/pipermail/mailscanner/2011-May/097870.html On Mon, Jun 16, 2014 at 11:45 AM, Martijn wrote: > For the record: > This install of MailScanner on Ubuntu 10.04 LTS has been functioning > without any noticable problems (except for the notification mails) or > errors in the logs for about 2 years now, and that is without the perl > -U switch. > > Should I've noticed anything else with this parameter missing? This may > lead to me writing more tests to ensure proper functioning. > > Thanks, > - Martijn > > On 16-6-2014 1:58, Jerry Benton wrote: > > Did you add the -U option to your /usr/sbin/MailScanner? > > > > #!/usr/bin/perl -U -I/usr/share/MailScanner/ > > > > - > > Jerry Benton > > www.mailborder.com > > > > > > > > On Jun 16, 2014, at 1:17 AM, Martijn > > wrote: > > > >> I'm running tests for upgrading a system to a newer version of Ubuntu > >> LTS, and during my tests I found a difference in behaviour between the > >> MailScanner I have on 10.04 LTS and the one that's on 12.04 LTS. 
> >> > >> The 12.04 LTS system is an upgraded install of a copy of the 10.04 LTS > >> install. MailScanner version is: 4.84.5 from the apt.baruwa.org > >> > >> repository, both before and after the upgrade. > >> > >> The MailScanner configuration between the two systems is completely > >> identical. MailScanner --debug --lint shows no issues. > >> > >> > >> I've found two seperate issues: > >> > >> Issue #1: The install on 10.04 doesn't send blocked filename > >> notifications but the install on 12.04 does. > >> > >> Deny Filenames list is configured as: > >> Deny Filenames = \.com$ \.exe$ \.msi$ \.pif$ \.bat$ \.cpl$ \.vbs$ \.vb$ > >> \.scr$ \.dll$ \.reg$ > >> > >> And: > >> Notify Senders Of Blocked Filenames Or Filetypes = yes > >> > >> On 10.04, when sending an eicar test file, the mail is considered to > >> contain a virus and therefor deleted. No notification mail is sent, > >> although the configuration would suggest it should. The logs say this: > >> > >> New Batch: Scanning 1 messages, 1965 bytes > >> Virus and Content Scanning: Starting > >> Clamd::INFECTED::Eicar-Test-Signature :: ./DECEF36C443.ACC6F/ > >> Virus Scanning: Clamd found 1 infections > >> Infected message DECEF36C443.ACC6F came from 195.241.145.230 > >> Virus Scanning: Found 1 viruses > >> Virus Scanning completed at 10980 bytes per second > >> Saved entire message to > >> /var/spool/MailScanner/quarantine/20140616/DECEF36C443.ACC6F > >> Spam Checks: Starting > >> Message DECEF36C443.ACC6F from 195.241.145.230 (victim at testdomain.ext > >> ) > >> to testdomain.ext is not spam, SpamAssassin (not cached, score=-3.228, > >> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL -0.33, BAYES_00 > >> -1.90) > >> Spam Checks completed at 271 bytes per second > >> Cleaned: Delivered 1 cleaned messages > >> Deleted 1 messages from processing-database > >> Batch completed at 264 bytes per second (1965 / 7) > >> Batch (1 message) processed in 7.42 seconds > >> > >> After upgrading to 12.04, the 
difference in behaviour is that > >> MailScanner now suddenly DOES sends a notification message to notify of > >> a deleted attachment. The log now has this: > >> > >> New Batch: Scanning 1 messages, 1841 bytes > >> Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com > >> ) > >> Other Checks: Found 1 problems > >> Virus and Content Scanning: Starting > >> Clamd::INFECTED::Eicar-Test-Signature :: ./7CE27442AE.AFD34/ > >> Virus Scanning: Clamd found 1 infections > >> Infected message 7CE27442AE.AFD34 came from 10.0.3.2 > >> Virus Scanning: Found 1 viruses > >> Virus Scanning completed at 2784 bytes per second > >> Saved entire message to > >> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34 > >> Saved infected "eicar.com " to > >> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34 > >> Spam Checks: Starting > >> Expired 1 records from the SpamAssassin cache > >> Message 7CE27442AE.AFD34 from 10.0.3.2 (victim at testdomain.ext > >> ) to > >> testdomain.ext is not spam, SpamAssassin (not cached, score=-0.879, > >> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.12) > >> Spam Checks completed at 209 bytes per second > >> Requeue: 7CE27442AE.AFD34 to 0BD61442B7 > >> Cleaned: Delivered 1 cleaned messages > >> Virus Processing completed at 3872 bytes per second > >> Deleted 1 messages from processing-database > >> Batch completed at 185 bytes per second (1841 / 9) > >> Batch (1 message) processed in 9.92 seconds > >> > >> Notice the "Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 > >> eicar.com )". This notice wasn't there on 10.04 LTS. > >> > >> Question: does anyone know what the cause of this difference in > >> behaviour is, as the MailScanner version and configuration are the same? > >> > >> Issue #2: > >> So, notifications are sent on 12.04, but: > >> The option called "Notify Senders Of Blocked Filenames Or Filetypes" > >> doesn't send a notification to the sender. 
It sends the notification to > >> the _receiver_ of the message. > >> > >> Questions: Is this expected behaviour and should all those options > >> actually be called 'Notify Recipient *' or am I missing something here > ;-) > >> > >> Thanks, > >> - Martijn > >> -- > >> MailScanner mailing list > >> mailscanner at lists.mailscanner.info > >> > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140616/58ade3e9/attachment.html From mailinglist at mindconnect.nl Mon Jun 16 20:43:15 2014 From: mailinglist at mindconnect.nl (Martijn) Date: Mon, 16 Jun 2014 21:43:15 +0200 Subject: Difference in MailScanner behaviour between Ubuntu 10.04 LTS and 12.04 LTS In-Reply-To: References: <539E29A6.8000904@mindconnect.nl> <187B427A-B212-4C78-A58C-3DC52C4017E1@mailborder.com> <539EBCA6.8080707@mindconnect.nl> Message-ID: <539F48D3.6040102@mindconnect.nl> Thank you for your suggestion. The MailScanner running on 12.04 LTS doesn't seem to need the -U for the notifications to work, but it may need it for other things to work, so I guess it's best to add it in there as well. Adding -U on the MailScanner running on 10.04 LTS does make both installs behave the same, so that seems like good news. However... On second thought, the behaviour now displayed by both installs seems faulty as well, looking at these comments in the configuration file: Notify Senders = no [...] 
# *If* "Notify Senders" is set to yes, do you want to notify people
# who sent you messages
[...]
Notify Senders Of Blocked Filenames Or Filetypes = yes

Summing this all up would mean that even though the second option is set
to yes, the notification shouldn't be sent at all, since Notify Senders
is set to no. I'll have a look at the bug tracker to see if this is a
known issue.

Can you (or anyone else) shed some light on my second question?:
The option called "Notify Senders Of Blocked Filenames Or Filetypes"
doesn't send a notification to the sender. It sends the notification to
the _receiver_ of the message.

If this is expected, shouldn't those options actually be called 'Notify
Recipient *'? Am I interpreting this option the wrong way?

Thanks,
- Martijn

From mailscanner at barendse.to Wed Jun 18 12:44:49 2014
From: mailscanner at barendse.to (Remco Barendse)
Date: Wed, 18 Jun 2014 13:44:49 +0200 (CEST)
Subject: ClamAV stopped working with ClamAV Module ERROR:: Could not load databases from /var/clamav
Message-ID:

Hi list!

It seems ClamAV got updated on my CentOS 5.x machine but since the update,
it stopped working.

I see this error from the /var/log/maillog:
MailScanner[16618]: MailScanner E-Mail Virus Scanner version 4.84.6 starting...
MailScanner[16618]: Reading configuration file /etc/MailScanner/MailScanner.conf
MailScanner[16618]: Reading configuration file /etc/MailScanner/conf.d/README
MailScanner[16618]: Read 875 hostnames from the phishing whitelist
MailScanner[16618]: Read 0 hostnames from the phishing blacklists
MailScanner[16618]: Using SpamAssassin results cache
MailScanner[16618]: Connected to SpamAssassin cache database
MailScanner[16618]: Enabling SpamAssassin auto-whitelist functionality...
MailScanner[16618]: I have found clamavmodule scanners installed, and will use them all by default.
MailScanner[16618]: ClamAV Module ERROR:: Could not load databases from /var/clamav

I checked /var/clamav it looks ok, also wiped out the databases there and
then ran freshclam but no luck. Permissions also seem to be ok.

Ideas anyone?

From jerry.benton at mailborder.com Wed Jun 18 13:30:02 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 18 Jun 2014 14:30:02 +0200
Subject: ClamAV stopped working with ClamAV Module ERROR:: Could not load databases from /var/clamav
In-Reply-To:
References:
Message-ID:

Is clamd running as the same user as before? They moved from clam to
clamav at some version not too long ago.

--
Jerry Benton
Mailborder Systems
www.mailborder.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140618/11fa40db/attachment.html

From foxb at abv.bg Wed Jun 18 14:37:51 2014
From: foxb at abv.bg (Hristo Benev)
Date: Wed, 18 Jun 2014 16:37:51 +0300 (EEST)
Subject: ClamAV stopped working with ClamAV Module ERROR:: Could not load databases from /var/clamav
Message-ID: <1943037655.87528.1403098671529.JavaMail.apache@nm51.abv.bg>

What is the ClamAV version?
What user does MailScanner use to run?
What are the folder permissions?

Hristo

From rcooper at dwford.com Wed Jun 18 15:46:04 2014
From: rcooper at dwford.com (Rick Cooper)
Date: Wed, 18 Jun 2014 10:46:04 -0400
Subject: ClamAV stopped working with ClamAV Module ERROR:: Could not loaddatabases from /var/clamav
In-Reply-To:
References:
Message-ID: <458A44215508407991B5215A0F209364@SAHOMELT>

Bear in mind this same error will occur during the creation of the initial
object and if anything changed in the exports part of the perl module all
manner of issues can occur. That is why Julian finally agreed to include the
clamd code after having asked so many times; anything changes in certain
internal parts of libclamav and the clamav module is broken until the
maintainer gets around to modifying the constants imports and functions.

Switch to clamd and you will likely have no issue and use a lot fewer
resources.

From Kevin_Miller at ci.juneau.ak.us Wed Jun 18 17:28:18 2014
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed, 18 Jun 2014 08:28:18 -0800
Subject: ClamAV stopped working with ClamAV Module ERROR:: Could not load databases from /var/clamav
In-Reply-To:
References:
Message-ID:

Also check the location of clamav. When I updated a few weeks ago, in
addition to the user change from clam to clamav they moved the packages
from /var/lib/clamav to /var/clamav. I found a clue in the logs in
/var/log/clamav/. Check the freshclam.conf and/or clamd.conf files - they
specify the location of the databases.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140618/c72acb19/attachment.html

From pparsons at techeez.com Wed Jun 18 19:04:33 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 18 Jun 2014 18:04:33 +0000
Subject: 2 fold question
Message-ID: <11D8E491D9562549A61FD3186F36342001D559F902@exchange.techeez.com>

Can anyone let me know what the difference is between using clamav or
clamavmodule?

The reason I ask is because after upgrading to clamav 0.98.4 and using
clamavmodule I get cannot load database memory issue but not when I use
clamav.

Did not have this issue with clamav 0.98.3

The system is running 4 gigs of memory.

Thank you.

Philip Parsons

IMPORTANT NOTICE
This e-mail is confidential, may be legally privileged, and is for the
intended recipient only. Access, disclosure, copying and distribution or
reliance on any of it by anyone else is prohibited and may be a criminal
offence. Please delete if obtained in error and e-mail confirmation to the
sender.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140618/3515134c/attachment.html

From pparsons at techeez.com Wed Jun 18 19:07:27 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 18 Jun 2014 18:07:27 +0000
Subject: 2 fold question
Message-ID: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com>

The exact error I get is

MailScanner -debug --lint
LibClamAV Error: Can't load /usr/local/share/clamav/daily.cvd: Can't allocate memory
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140618/4f8726f0/attachment.html

From jeremy at fluxlabs.net Wed Jun 18 19:20:59 2014
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Wed, 18 Jun 2014 18:20:59 +0000
Subject: 2 fold question
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com>
Message-ID: <17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net>

Apparmor or selinux ?
--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955
-------------- next part --------------
An HTML attachment was scrubbed...
From pparsons at techeez.com Wed Jun 18 20:43:51 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 18 Jun 2014 19:43:51 +0000
Subject: 2 fold question
In-Reply-To: <17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net>
References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com> <17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net>
Message-ID: <11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com>

No selinux is disabled and it just started in version 0.98.4

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jeremy at fluxlabs.net Wed Jun 18 21:00:32 2014
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Wed, 18 Jun 2014 20:00:32 +0000
Subject: 2 fold question
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com> <17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net> <11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com>
Message-ID: <3B167114-56A7-4165-88EF-99F1420FC677@fluxlabs.net>

You could have a corrupted db file. wipe all files in /usr/local/share/clamav/ and run freshclam .. see if it starts then.

--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955
From pparsons at techeez.com Wed Jun 18 21:55:41 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 18 Jun 2014 20:55:41 +0000
Subject: 2 fold question
In-Reply-To: <3B167114-56A7-4165-88EF-99F1420FC677@fluxlabs.net>
References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com> <17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net> <11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com> <3B167114-56A7-4165-88EF-99F1420FC677@fluxlabs.net>
Message-ID: <11D8E491D9562549A61FD3186F36342001D55A0322@exchange.techeez.com>

Did that no go same error.
From pparsons at techeez.com Wed Jun 18 23:26:54 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 18 Jun 2014 22:26:54 +0000
Subject: 2 fold question
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D55A0322@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com> <17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net> <11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com> <3B167114-56A7-4165-88EF-99F1420FC677@fluxlabs.net> <11D8E491D9562549A61FD3186F36342001D55A0322@exchange.techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F36342001D55A06BA@exchange.techeez.com>

Anyone able to answer the first part of my question ? what's the diff between using clamav or clamavmodule
From alex at vidadigital.com.pa Thu Jun 19 01:10:02 2014
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Wed, 18 Jun 2014 19:10:02 -0500
Subject: 2 fold question
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D55A06BA@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com> <17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net> <11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com> <3B167114-56A7-4165-88EF-99F1420FC677@fluxlabs.net> <11D8E491D9562549A61FD3186F36342001D55A0322@exchange.techeez.com> <11D8E491D9562549A61FD3186F36342001D55A06BA@exchange.techeez.com>
Message-ID:

Clamavmodule used to be a (now deprecated) way to do clam scanning from within perl, thus lessening the footprint, requirements, and "time to scan". Nowadays - and since I believe clamavmodule hasn't been updated in some time - people tend to use clamd as it only needs to load once.

*Alex Neuman van der Hans*
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/
Mobile: +507-6781-9505
Work: +507-832-6725
Work (USA): +1-440-253-9789
Skype: AlexNeuman
From rcooper at dwford.com Thu Jun 19 04:42:49 2014
From: rcooper at dwford.com (Rick Cooper)
Date: Wed, 18 Jun 2014 23:42:49 -0400
Subject: 2 fold question
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D55A06BA@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com><17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net><11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com><3B167114-56A7-4165-88EF-99F1420FC677@fluxlabs.net><11D8E491D9562549A61FD3186F36342001D55A0322@exchange.techeez.com> <11D8E491D9562549A61FD3186F36342001D55A06BA@exchange.techeez.com>
Message-ID: <4D5CD16A76F346CC9B9429822ABCD09C@SAHOMELT>

ClamAV uses the command line clamscan for scanning, is slow (have to load dbs) and a bit of a resource hog, ClamAV module is a perl interface to libclamav and is also a hog because it loads a copy of the db into memory for each child but only has to do it when MailScanner loads that child the first time. The best choice is neither, use clamd.

clamd shares the resources between children and thus the real memory per child is much less and a far less load, is not perl. When MailScanner uses clamd it talks directly to the clam daemon and doesn't have to load anything at all, just tell the daemon where/what to scan

IMHO the same thing should be done with spamd, I wrote the code years ago and it's really no faster (or at least negligibly so) but far less memory and resources once again, than using the perl interface. It was difficult to get Julian to incorporate the clamd code but he never did incorporate the spamd code unfortunately.

Rick
From mark at msapiro.net Thu Jun 19 06:02:38 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 18 Jun 2014 22:02:38 -0700
Subject: Problem with TXT records for ScamNailer and bad_phishing_sites updates
Message-ID: <53A26EEE.8040303@msapiro.net>

The update processes for ScamNailer and update_bad_phishing_sites depend on DNS TXT records for the domains emails.msupdate.greylist.bastionmail.com and msupdate.greylist.bastionmail.com respectively giving data about the current updates.

At present, these TXT records don't exist (there are still SPF TXT records, but not the updates ones).

We saw a similar issue last year when the bastionmail.com domain registration expired, and it just expired again on 17 June 2014, but was apparently renewed on 18 June.

There are workaround patches at and .

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailscanner at barendse.to Thu Jun 19 15:52:00 2014
From: mailscanner at barendse.to (Remco Barendse)
Date: Thu, 19 Jun 2014 16:52:00 +0200 (CEST)
Subject: 2 fold question
In-Reply-To: <4D5CD16A76F346CC9B9429822ABCD09C@SAHOMELT>
References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com><17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net><11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com><3B167114-56A7-4165-88EF-99F1420FC677@fluxlabs.net><11D8E491D9562549A61FD3186F36342001D55A0322@exchange.techeez.com> <11D8E491D9562549A61FD3186F36342001D55A06BA@exchange.techeez.com> <4D5CD16A76F346CC9B9429822ABCD09C@SAHOMELT>
Message-ID:

What a pity, before I wouldn't care about how much memory any given app would use, now that I have virtualized everything, it starts to matter :))

There are some people still working on MailScanner (believe they moved the sources to github) but have never seen a new release.
Maybe the way forward would be to fork the code, supposedly there are some fixes in github that would also resolve the problem of the huge pileup of tmp files.

Thanks for explaining the differences between the 3 different ways of calling clamav!
From phil.randal at hoopleltd.co.uk Thu Jun 19 16:31:35 2014
From: phil.randal at hoopleltd.co.uk (Randal, Phil)
Date: Thu, 19 Jun 2014 15:31:35 +0000
Subject: 2 fold question
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com><17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net><11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com><3B167114-56A7-4165-88EF-99F1420FC677@fluxlabs.net><11D8E491D9562549A61FD3186F36342001D55A0322@exchange.techeez.com> <11D8E491D9562549A61FD3186F36342001D55A06BA@exchange.techeez.com> <4D5CD16A76F346CC9B9429822ABCD09C@SAHOMELT>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B857EA6FB76@HC-EXMBX04.herefordshire.gov.uk>

A spamd failure could let a lot of spam through (or a backlog of unprocessed email, depending on how it was implemented).

Memory leaks in spamd could also prove problematic, unless it had scheduled restarts, assuming that MailScanner could cope with that.

Nonetheless, it would be interesting to compare the performance of a spamd version with the current implementation. Slower, I suspect, but less of a memory hog.

Cheers,

Phil

Hoople Ltd, Registered in England and Wales No. 7556595 Registered office: Plough Lane, Hereford, HR4 0LE "Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it."
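
Added example, not part of the thread and not MailScanner's own code: Rick Cooper's point that a clamd client only tells the daemon what to scan, combined with Phil Randal's concern about what happens to mail when a scanning daemon fails. The sketch speaks clamd's INSTREAM command and defers a message whenever the daemon gives no verdict; the deliver/quarantine/defer policy, the stub daemon, the marker string and the signature name are assumptions constructed for the example.

```python
import socket
import struct
import threading

CHUNK = 8192                          # bytes sent per INSTREAM chunk
MARKER = b"CONSTRUCTED-TEST-MARKER"   # constructed stand-in for a signature match


class ScanUnavailable(Exception):
    """clamd gave no usable verdict: down, timed out, or replied with an error."""


def instream(sock, data):
    """Scan `data` over a connected clamd socket; return (verdict, signature)."""
    try:
        sock.sendall(b"zINSTREAM\0")
        for off in range(0, len(data), CHUNK):
            chunk = data[off:off + CHUNK]
            sock.sendall(struct.pack("!I", len(chunk)) + chunk)
        sock.sendall(struct.pack("!I", 0))      # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):        # replies to z-commands end in NUL
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    except OSError as exc:                      # refused, reset, broken pipe, timeout
        raise ScanUnavailable(str(exc)) from exc
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    if text == "stream: OK":
        return ("clean", None)
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return ("infected", text[len("stream: "):-len(" FOUND")])
    raise ScanUnavailable(text or "connection closed without a reply")


def disposition(sock, message):
    """Assumed policy: never deliver a message that clamd did not actually scan."""
    try:
        verdict, signature = instream(sock, message)
    except ScanUnavailable as exc:
        return ("defer", str(exc))              # keep it queued and retry later
    if verdict == "infected":
        return ("quarantine", signature)
    return ("deliver", None)


def scan_with_daemon(address, message, timeout=10.0):
    """Same policy against a real daemon listening on a TCPSocket address."""
    try:
        with socket.create_connection(address, timeout=timeout) as sock:
            return disposition(sock, message)
    except OSError as exc:
        return ("defer", str(exc))


def _read_exact(sock, count):
    buf = b""
    while len(buf) < count:
        part = sock.recv(count - len(buf))
        if not part:
            raise ConnectionError("peer closed early")
        buf += part
    return buf


def stub_clamd(sock, healthy):
    """Constructed stand-in for clamd: speaks only zINSTREAM, flags MARKER."""
    with sock:
        if not healthy:
            return                              # simulates a daemon that died
        if _read_exact(sock, 10) != b"zINSTREAM\0":
            sock.sendall(b"UNKNOWN COMMAND\0")
            return
        body = b""
        while True:
            (size,) = struct.unpack("!I", _read_exact(sock, 4))
            if size == 0:
                break
            body += _read_exact(sock, size)
        verdict = b"Constructed.Test.Signature FOUND" if MARKER in body else b"OK"
        sock.sendall(b"stream: " + verdict + b"\0")


def demo(message, healthy=True):
    """Run one scan against the stub over a socketpair (no network needed)."""
    client, server = socket.socketpair()
    client.settimeout(5.0)
    worker = threading.Thread(target=stub_clamd, args=(server, healthy))
    worker.start()
    with client:
        result = disposition(client, message)
    worker.join()
    return result


if __name__ == "__main__":
    print(demo(b"plain text"), demo(b"x " + MARKER), demo(b"plain text", healthy=False))
```

Deferring keeps unscanned mail out of mailboxes at the cost of the backlog Phil mentions; returning "deliver" from the `ScanUnavailable` branch instead would be the fail-open behaviour he warns about.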
From jerry.benton at mailborder.com Thu Jun 19 16:35:16 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 19 Jun 2014 17:35:16 +0200
Subject: 2 fold question
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com><17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net><11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com><3B167114-56A7-4165-88EF-99F1420FC677@fluxlabs.net><11D8E491D9562549A61FD3186F36342001D55A0322@exchange.techeez.com> <11D8E491D9562549A61FD3186F36342001D55A06BA@exchange.techeez.com> <4D5CD16A76F346CC9B9429822ABCD09C@SAHOMELT>
Message-ID: <646C376C-8049-4953-9DA4-CE164EF2545B@mailborder.com>

I am working on a release for the end of the month or mid July.

-
Jerry Benton
www.mailborder.com

From Kevin_Miller at ci.juneau.ak.us Thu Jun 19 17:18:37 2014
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu, 19 Jun 2014 08:18:37 -0800
Subject: Timeouts & display...
Message-ID:

When I run the 'Spamassassin Rule Hits' report, it times out. Anybody know where I can increase the timeout from 30 seconds to maybe a minute or so?

Also, is there a variable that I can change to display more than 50 records per page?

TIA...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 From rcooper at dwford.com Thu Jun 19 19:36:59 2014 From: rcooper at dwford.com (Rick Cooper) Date: Thu, 19 Jun 2014 14:36:59 -0400 Subject: 2 fold question In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B857EA6FB76@HC-EXMBX04.herefordshire.gov.uk> References: <11D8E491D9562549A61FD3186F36342001D559F965@exchange.techeez.com><17F71FE9-E3A8-40C0-B485-A1F00B90BB59@fluxlabs.net><11D8E491D9562549A61FD3186F36342001D559FFE1@exchange.techeez.com><3B167114-56A7-4165-88EF-99F1420FC677@fluxlabs.net><11D8E491D9562549A61FD3186F36342001D55A0322@exchange.techeez.com><11D8E491D9562549A61FD3186F36342001D55A06BA@exchange.techeez.com><4D5CD16A76F346CC9B9429822ABCD09C@SAHOMELT> <7CA580B59C1ABD45B4614ED90D4C7B857EA6FB76@HC-EXMBX04.herefordshire.gov.uk> Message-ID: <91AAB2E847614652926F30CB0F8BD143@SAHOMELT> Mailscanner is fine with spamd restarting same as when clamd reloads, when spamd restarts (IIRC) it's children finish processing before dying. I used spamd with MailScanner for several years now and have had not issues, same score and as far as performance (speed) it's pretty much six of one and half dozen of the other. I origianlly setup timers on both and ran both on each email and one might be a very bit faster on a given email and then flip so pretty much even, would say over all no difference, resource wise very big difference. Now I don't have 200,000 emails a day but I would bet that spamd would out perform the MailScanner implemenation on a very busy server -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Thursday, June 19, 2014 11:32 AM To: MailScanner discussion Subject: RE: 2 fold question A spamd failure could let a lot of spam through (or a backlog of unprocessed email, depending on how it was implemented). 
Memory leaks in spamd could also prove problematic, unless it had scheduled restarts, assuming that MailScanner could cope with that. Nonetheless, it would be interesting to compare the performance of a spamd version with the current implementation. Slower, I suspect, but less of a memory hog. Cheers, Phil -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Remco Barendse Sent: 19 June 2014 15:52 To: MailScanner discussion Subject: RE: 2 fold question What a pity, before i wouldn't care about how much memory any given app would use, now that i have virtualized everything, it starts to matter :)) There are some people still working on MailScanner (believe they moved the sources to github) but have never seen a new release. Maybe the way forward would be to fork the code, supposedly there are some fixes in github that would also resolve the problem of the huge pileup of tmp files. Thanks for explaining the differences between the 3 different ways of calling clamav! On Wed, 18 Jun 2014, Rick Cooper wrote: > ClamAV uses the command line clamscan for scanning, is slow (have to > load dbs) and a bit of a resource hog, ClamAV module is a perl > interface to libclamav and is also a hog because it loads a copy of the db into memory for each child but only has to do it when MailScanner loads that child the first time. The best choice is neither, use clamd. > > clamd shares the resources between children and thus the real memory > per child is much less and a far less load, is not perl. When > MailScanner uses clamd it talks directly to the clam daemon and > doesn't have to load anything at all, just tell the daemon where/what > to scan > > IMHO the same thing should be done with spamd, I wrote the code years > ago and it's really no faster (or at least negligibly so) but far less > memory and resources once again, than using the perl interface. 
> It was difficult to get Julian to incorporate the clamd code but he never did incorporate the spamd code unfortunately.
>
> Rick
>
> ______________________________________________________________________
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Philip Parsons
> Sent: Wednesday, June 18, 2014 6:27 PM
> To: MailScanner discussion
> Subject: RE: 2 fold question
>
> Anyone able to answer the first part of my question ? what's the diff between using clamav or clamavmodule
>
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Philip Parsons
> Sent: June-18-14 1:56 PM
> To: MailScanner discussion
> Subject: RE: 2 fold question
>
> Did that no go same error.
>
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jeremy McSpadden
> Sent: June-18-14 1:01 PM
> To: MailScanner discussion
> Subject: Re: 2 fold question
>
> You could have a corrupted db file. wipe all files in /usr/local/share/clamav/ and run freshclam .. see if it starts then.
>
> --
> Jeremy McSpadden
> Flux Labs | http://www.fluxlabs.net | Endless Solutions
> Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955
>
> On Jun 18, 2014, at 2:43 PM, Philip Parsons wrote:
>
> No selinux is disabled and it just started in version 0.98.4
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

Hoople Ltd, Registered in England and Wales No.
7556595 Registered office: Plough Lane, Hereford, HR4 0LE

"Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it."

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From jerry.benton at mailborder.com Thu Jun 19 20:30:02 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 19 Jun 2014 21:30:02 +0200
Subject: 2 fold question
In-Reply-To: <91AAB2E847614652926F30CB0F8BD143@SAHOMELT>
Message-ID: <892DC208-01CB-4920-B4BF-991B2426B67D@mailborder.com>

- A spamd failure results in email not being scanned for spam as I just fixed this on a client's servers.
Nothing was getting marked as spam and it turns out that spamd was not even running on his system. Email was still being processed and delivered by MailScanner. Of course, I have also seen systems continue to retry over and over again when the socket isn't available.

- spamd is faster because it doesn't have to spin up every time. There is a big difference on a server processing 300k emails a day.

- I have never seen memory leaks with spamd. It is a rather solid product.

- If your server is using all of its memory, it is supposed to. That is what linux does. It is normal behavior.

-
Jerry Benton
www.mailborder.com

On Jun 19, 2014, at 8:36 PM, Rick Cooper wrote:

> Mailscanner is fine with spamd restarting same as when clamd reloads, when spamd restarts (IIRC) its children finish processing before dying. I used spamd with MailScanner for several years now and have had no issues, same score and as far as performance (speed) it's pretty much six of one and half dozen of the other. I originally setup timers on both and ran both on each email and one might be a very bit faster on a given email and then flip so pretty much even, would say over all no difference, resource wise very big difference. Now I don't have 200,000 emails a day but I would bet that spamd would out perform the MailScanner implementation on a very busy server

From Kevin_Miller at ci.juneau.ak.us Thu Jun 19 20:39:42 2014
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu, 19 Jun 2014 11:39:42 -0800
Subject: Timeouts & display...

Oops - this was meant to go to the MailWatch list. Sorry for the noise...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin Miller
Sent: Thursday, June 19, 2014 8:19 AM
To: MailScanner List (mailscanner at lists.mailscanner.info)
Subject: Timeouts & display...

When I run the 'Spamassassin Rule Hits' report, it times out. Anybody know where I can increase the timeout from 30 seconds to maybe a minute or so?

Also, is there a variable that I can change to display more than 50 records per page?

TIA...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From jerry.benton at mailborder.com Fri Jun 20 23:53:58 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sat, 21 Jun 2014 00:53:58 +0200
Subject: New Bad Phishing Sites Service for MailScanner

I have created a new update service for updating your bad phishing sites. You can download the bash script here:

http://data.mailborder.com/update_bad_phishing_sites

Set your cron accordingly, etc. The file gets updated once per day around 04:30 UTC from phishtank.com, so no need to run it more than once per day.

-
Jerry Benton
www.mailborder.com

From jerry.benton at mailborder.com Sat Jun 21 02:22:49 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sat, 21 Jun 2014 03:22:49 +0200
Subject: Phishing Update Service

Ok, I went a little further. There are now updated "safe" and "bad" phishing sites once per day. Read more and get the scripts here if you want them.
http://phishing.mailborder.com/

-
Jerry Benton
www.mailborder.com

From rcooper at dwford.com Sat Jun 21 17:44:49 2014
From: rcooper at dwford.com (Rick Cooper)
Date: Sat, 21 Jun 2014 12:44:49 -0400
Subject: 2 fold question
In-Reply-To: <892DC208-01CB-4920-B4BF-991B2426B67D@mailborder.com>
Message-ID: <164313268B9941619E93E32C734C2CEE@SAHOMELT>

My setup results in a 40x code if spamd is down, any system running *any* daemon that is important should be using monitoring of some kind to make sure the processes are up and running, that includes MailScanner. I actually ping spamd as well as checking for the running process just in case.

_____
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: Thursday, June 19, 2014 3:30 PM
To: MailScanner discussion
Subject: Re: 2 fold question

- A spamd failure results in email not being scanned for spam as I just fixed this on a client's servers. Nothing was getting marked as spam and it turns out that spamd was not even running on his system. Email was still being processed and delivered by MailScanner.
Of course, I have also seen systems continue to retry over and over again when the socket isn't available.

- spamd is faster because it doesn't have to spin up every time. There is a big difference on a server processing 300k emails a day.

- I have never seen memory leaks with spamd. It is a rather solid product.

- If your server is using all of its memory, it is supposed to. That is what linux does. It is normal behavior.

-
Jerry Benton
www.mailborder.com

From rcooper at dwford.com Sun Jun 22 23:00:20 2014
From: rcooper at dwford.com (Rick Cooper)
Date: Sun, 22 Jun 2014 18:00:20 -0400
Subject: Phishing Update Service

Could I suggest the following, it will accommodate /opt/MailScanner installs as well as /etc/MailScanner installs, and it also will not overwrite the files if there is not a successful download. It also leaves the temp file there if there is an issue. I removed the --no-check-certificate part because it's not an ssl site so there is no point in the parameter.
Of course this could be greatly shortened by just checking for the files and creating the links in the same fashion as the directory and if you really want to be clean

MS_DIR=
if [ -f /opt/MailScanner/etc/phishing.safe.sites.conf ]; then
    MS_DIR=/opt/MailScanner/etc/phishing.safe.sites.conf
fi
if [ -f /etc/MailScanner/phishing.safe.sites.conf ]; then
    MS_DIR=/etc/MailScanner/phishing.safe.sites.conf
fi

if [ "${MS_DIR}" == "" ]; then
    echo phishing.safe.sites.conf cannot be found
    echo EXITING
    exit 1
fi

Then use MS_DIR in a mv command since there is no chance of over writing a symlink

#!/bin/bash
#
# Mailborder update safe phishing sites
# v4.1.3
# 20 June 2014
#
# Run this script as a user with write permissions
# to /etc/MailScanner/phishing.safe.sites.conf

if [ ! -d /etc/MailScanner ]; then
    echo etc/MailScanner does not exist, creating it
    mkdir /etc/MailScanner
    # a directory needs the execute bit to be entered, so 0755 rather than 0644
    chmod 0755 /etc/MailScanner
fi

if [ -f /etc/MailScanner/phishing.safe.sites.conf ]; then
    /usr/bin/wget -O /tmp/phishing.safe.sites.conf http://phishing.mailborder.com/phishing.safe.sites.conf
    ERR_CODE=$?
    if [ "$ERR_CODE" == "0" ]; then
        # replace the live file only after a successful download
        cp -f /tmp/phishing.safe.sites.conf /etc/MailScanner/phishing.safe.sites.conf
        chmod 0644 /etc/MailScanner/phishing.safe.sites.conf
        rm -f /tmp/phishing.safe.sites.conf
    else
        echo Had a problem downloading phishing.safe.sites.conf error code was $ERR_CODE
    fi
else
    # no file under /etc/MailScanner: treat it as an /opt install and link the file in
    echo Linking opt Based MailScanner Files
    ln -s /opt/MailScanner/etc/phishing.safe.sites.conf /etc/MailScanner/
    /usr/bin/wget -O /tmp/phishing.safe.sites.conf http://phishing.mailborder.com/phishing.safe.sites.conf
    ERR_CODE=$?
    if [ "$ERR_CODE" == "0" ]; then
        cp -f /tmp/phishing.safe.sites.conf /etc/MailScanner/phishing.safe.sites.conf
        chmod 0644 /etc/MailScanner/phishing.safe.sites.conf
        rm -f /tmp/phishing.safe.sites.conf
    else
        echo Had a problem downloading phishing.safe.sites.conf error code was $ERR_CODE
    fi
fi

________________________________

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: Friday, June 20, 2014 9:23 PM
To: MailScanner discussion
Subject: Phishing Update Service

Ok, I went a little further. There are now updated "safe" and "bad" phishing sites once per day. Read more and get the scripts here if you want them.

http://phishing.mailborder.com/

-
Jerry Benton
www.mailborder.com

From jerry.benton at mailborder.com Sun Jun 22 23:36:58 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 23 Jun 2014 00:36:58 +0200
Subject: Phishing Update Service
Message-ID: <6FBE3024-C22D-4A0E-9BCA-0FDDAA33A6F7@mailborder.com>

Rick,

I will update it later. For now I would suggest just updating the links in the script for your /opt install.

-
Jerry Benton
www.mailborder.com

On Jun 23, 2014, at 12:00 AM, Rick Cooper wrote:

> Could I suggest the following, it will accommodate /opt/MailScanner installs as well as /etc/MailScanner installs, and it also will not overwrite the files if there is not a successful download. It also leaves the temp file there if there is an issue. I removed the --no-check-certificate part because it's not an ssl site so there is no point in the parameter.

From rcooper at dwford.com Sun Jun 22 23:56:04 2014
From: rcooper at dwford.com (Rick Cooper)
Date: Sun, 22 Jun 2014 18:56:04 -0400
Subject: Phishing Update Service
In-Reply-To: <6FBE3024-C22D-4A0E-9BCA-0FDDAA33A6F7@mailborder.com>
Message-ID: <1C9E896D9C0141638E2ED533F7F46DB6@SAHOMELT>

Oh, I already changed the script, I actually have a mix of /opt and redhat rpm installs

_____
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: Sunday, June 22, 2014 6:37 PM
To: MailScanner discussion
Subject: Re: Phishing Update Service

Rick, I will update it later.
For now I would suggest just updating the links in the script for you /opt install. - Jerry Benton www.mailborder.com On Jun 23, 2014, at 12:00 AM, Rick Cooper wrote: Could I suggest the following, it will accomidate /opt/MailScanner installs as well as /etc/MailScanner installs, and it also will not overwright the files if there is not a successful download. It also leaves the temp file there if there is an issue. I removed the --no-check-certificate part because it's not an ssl site so there is no point in the parameter. Of course this could be greatly shortened by just checking for the files and creating the links in the same fashion as the directory and if you really want to be clean MS_DIR= If [ -f /opt/MailScanner/etc/phishing.safe.sites.conf ]; then MS_DIR=/opt/MailScanner/etc/phishing.safe.sites.conf fi If [ -f /etc/MailScanner/phishing.safe.sites.conf ]; then MS_DIR=/etc/MailScanner/phishing.safe.sites.conf Fi If [ "${MS_DIR}" == "" ]; then echo phishing.safe.sites.conf cannot be found echo EXITING exit 1 fi Then use MS_DIR in a mv command since there is no chance of over writing a symlink #!/bin/bash # # Mailborder update safe phishing sites # v4.1.3 # 20 June 2014 # # Run this script as a user with write permissions # to /etc/MailScanner/phishing.safe.sites.conf if [ ! -d /etc/MailScanner ]; then echo etc/MailScanner does not exist, creating it mkdir /etc/MailScanner chmod 0644 /etc/MailScanner fi if [ -f /etc/MailScanner/phishing.safe.sites.conf ]; then /usr/bin/wget -O /tmp/phishing.safe.sites.conf http://phishing.mailborder.com/phishing.safe.sites.conf ERR_CODE=$? 
if [ "$ERR_CODE" == "0" ]; then cp -f /tmp/phishing.safe.sites.conf /etc/MailScanner/phishing.safe.sites.conf chmod 0644 /etc/MailScanner/phishing.bad.sites.conf rm -f /tmp/phishing.safe.sites.conf else echo Had a problem downloading phishing.safe.sites.conf error code was $ERR_CODE fi else echo Linking opt Based MailScanner Files ln -s /opt/MailScanner/etc/phishing.safe.sites.conf /etc/MailScanner/ /usr/bin/wget -O /tmp/phishing.safe.sites.conf http://phishing.mailborder.com/phishing.safe.sites.conf ERR_CODE=$? if [ "$ERR_CODE" == "0" ]; then cp -f /tmp/phishing.safe.sites.conf /etc/MailScanner/phishing.safe.sites.conf chmod 0644 /etc/MailScanner/phishing.bad.sites.conf rm -f /tmp/phishing.safe.sites.conf else echo Had a problem downloading phishing.safe.sites.conf error code was $ERR_CODE fi fi ________________________________ From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: Friday, June 20, 2014 9:23 PM To: MailScanner discussion Subject: Phishing Update Service Ok, I went a little further. There are now updated "safe" and "bad" phishing sites once per day. Read more and get the scripts here if you want them. http://phishing.mailborder.com/ - Jerry Benton www.mailborder.com -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140622/30768a02/attachment.html From jerry.benton at mailborder.com Mon Jun 23 09:10:24 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 23 Jun 2014 10:10:24 +0200 Subject: Phishing Update Service In-Reply-To: References: Message-ID: Rick, Can you email me the complete script you came up with please? 
Would save me some time.

-
Jerry Benton
www.mailborder.com

On Jun 23, 2014, at 12:00 AM, Rick Cooper wrote:

Could I suggest the following, it will accommodate /opt/MailScanner installs as well as /etc/MailScanner installs, and it also will not overwrite the files if there is not a successful download. It also leaves the temp file there if there is an issue. I removed the --no-check-certificate part because it's not an ssl site so there is no point in the parameter.

Of course this could be greatly shortened by just checking for the files and creating the links in the same fashion as the directory and if you really want to be clean

MS_DIR=
if [ -f /opt/MailScanner/etc/phishing.safe.sites.conf ]; then
    MS_DIR=/opt/MailScanner/etc/phishing.safe.sites.conf
fi
if [ -f /etc/MailScanner/phishing.safe.sites.conf ]; then
    MS_DIR=/etc/MailScanner/phishing.safe.sites.conf
fi
if [ "${MS_DIR}" == "" ]; then
    echo phishing.safe.sites.conf cannot be found
    echo EXITING
    exit 1
fi

Then use MS_DIR in a mv command since there is no chance of overwriting a symlink

#!/bin/bash
#
# Mailborder update safe phishing sites
# v4.1.3
# 20 June 2014
#
# Run this script as a user with write permissions
# to /etc/MailScanner/phishing.safe.sites.conf

if [ ! -d /etc/MailScanner ]; then
    echo etc/MailScanner does not exist, creating it
    mkdir /etc/MailScanner
    # a directory needs the execute bit to be traversable
    chmod 0755 /etc/MailScanner
fi

if [ -f /etc/MailScanner/phishing.safe.sites.conf ]; then
    /usr/bin/wget -O /tmp/phishing.safe.sites.conf http://phishing.mailborder.com/phishing.safe.sites.conf
    ERR_CODE=$?
    if [ "$ERR_CODE" == "0" ]; then
        # Download succeeded: install the new list and remove the temp copy
        cp -f /tmp/phishing.safe.sites.conf /etc/MailScanner/phishing.safe.sites.conf
        chmod 0644 /etc/MailScanner/phishing.safe.sites.conf
        rm -f /tmp/phishing.safe.sites.conf
    else
        echo Had a problem downloading phishing.safe.sites.conf error code was $ERR_CODE
    fi
else
    echo Linking opt Based MailScanner Files
    ln -s /opt/MailScanner/etc/phishing.safe.sites.conf /etc/MailScanner/
    /usr/bin/wget -O /tmp/phishing.safe.sites.conf http://phishing.mailborder.com/phishing.safe.sites.conf
    ERR_CODE=$?
    if [ "$ERR_CODE" == "0" ]; then
        # Download succeeded: install the new list and remove the temp copy
        cp -f /tmp/phishing.safe.sites.conf /etc/MailScanner/phishing.safe.sites.conf
        chmod 0644 /etc/MailScanner/phishing.safe.sites.conf
        rm -f /tmp/phishing.safe.sites.conf
    else
        echo Had a problem downloading phishing.safe.sites.conf error code was $ERR_CODE
    fi
fi

--
Jerry Benton
Mailborder Systems
www.mailborder.com
From phil.randal at hoopleltd.co.uk Mon Jun 23 09:53:22 2014
From: phil.randal at hoopleltd.co.uk (Randal, Phil)
Date: Mon, 23 Jun 2014 08:53:22 +0000
Subject: Phishing Update Service
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B857EA7CC59@HC-EXMBX04.herefordshire.gov.uk>

Hi Jerry,

You need to look at the original /usr/sbin/update_phishing_sites and /usr/sbin/update_bad_phishing_sites.

The retrieved content was merged with the user's file, which may have been edited to add locally whitelisted / blacklisted URLs.

Your script just clobbers the files.

Bad move!

Phil

Hoople Ltd, Registered in England and Wales No. 7556595
Registered office: Plough Lane, Hereford, HR4 0LE

"Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it."
From steveb_clamav at sanesecurity.com Mon Jun 23 10:27:21 2014
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Mon, 23 Jun 2014 10:27:21 +0100
Subject: Phishing Update Service
Message-ID: <95f78a778986921a97bcee81eaf94a61.squirrel@sirius.servers.eqx.misp.co.uk>

On Mon, June 23, 2014 9:10 am, Jerry Benton wrote:
> Rick,
>
> Can you email me the complete script you came up with please? Would save
> me some time.

Hi Rick,

It did occur, script wise...Depending on your resources, cpu vs bandwidth
you could use gzip...

wget -S --header="accept-encoding: gzip"

but then with -S option, noted that it's not supported...

HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 09:22:32 GMT
Server: Apache
Last-Modified: Mon, 23 Jun 2014 08:15:04 GMT
Accept-Ranges: bytes
Content-Length: 208113
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Length: 208,113 (203K)

Back to more coffee ;)

Cheers,

Steve
Sanesecurity.com

From jerry.benton at mailborder.com Mon Jun 23 10:58:33 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 23 Jun 2014 11:58:33 +0200
Subject: Phishing Update Service
In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B857EA7CC59@HC-EXMBX04.herefordshire.gov.uk>
References: <7CA580B59C1ABD45B4614ED90D4C7B857EA7CC59@HC-EXMBX04.herefordshire.gov.uk>
Message-ID: <35879628-2D0C-4816-A065-7F4B63C4A951@mailborder.com>

Phil,

If you would like to contribute a better update script, I will be happy to add it. You could also just update your current script to point to the one at phishing.mailborder.com. Alternatively, you can continue to use the current MailScanner default.

In short, I am the only one actively contributing to the MailScanner project with time, resources, and funds at the moment. If you have a better solution, give it to me or send it to this list. Simply telling me "it sucks"
doesn't really accomplish or improve anything.

-
Jerry Benton
www.mailborder.com
From jerry.benton at mailborder.com Mon Jun 23 11:26:05 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 23 Jun 2014 12:26:05 +0200
Subject: Phishing Update Service
In-Reply-To: <95f78a778986921a97bcee81eaf94a61.squirrel@sirius.servers.eqx.misp.co.uk>
References: <95f78a778986921a97bcee81eaf94a61.squirrel@sirius.servers.eqx.misp.co.uk>
Message-ID: <8DD13869-9C7D-4A24-A48A-224AFDB6544F@mailborder.com>

Steve,

The server was not compressing that file for some reason. It is now.

-
Jerry Benton
www.mailborder.com
From jflowers at ezo.net Mon Jun 23 13:15:47 2014
From: jflowers at ezo.net (Jim Flowers)
Date: Mon, 23 Jun 2014 08:15:47 -0400
Subject: Archive Mail Problem In MailScanner-4.84

I regularly use a ruleset for directing copies of messages for particular addresses to alternate recipients. Until 4.84, that is.

If I enter a ruleset with:

Archive Mail = /var/spool/MailScanner/rules/archive.rules
or
%rules-dir%/archive.rules

copies of all messages as files are stored in archive.rules as a directory.

If I first create an archive.rules file with my desired copying rules, all messages are appended to the file.

I would like to have this useful functionality back.

Thanks for any information.

--
Jim Flowers

From phil.randal at hoopleltd.co.uk Mon Jun 23 14:53:15 2014
From: phil.randal at hoopleltd.co.uk (Randal, Phil)
Date: Mon, 23 Jun 2014 13:53:15 +0000
Subject: Phishing Update Service
In-Reply-To: <35879628-2D0C-4816-A065-7F4B63C4A951@mailborder.com>
References: <7CA580B59C1ABD45B4614ED90D4C7B857EA7CC59@HC-EXMBX04.herefordshire.gov.uk> <35879628-2D0C-4816-A065-7F4B63C4A951@mailborder.com>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B857EA7F8EE@HC-EXMBX04.herefordshire.gov.uk>

Hi Jerry,

If and when I get the time, I shall.

But in the meantime people might get upset finding that their fine-tuned rules have been clobbered.

Personally, I wish MailScanner had been designed to have system and 'local' phishing files, with the latter taking precedence, so that the system files are just plain downloads.

Retrofitting that concept would probably break things for everyone, so we're stuck with a compromise.
Cheers,

Phil

From maxsec at gmail.com Mon Jun 23 15:36:36 2014
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 23 Jun 2014 15:36:36 +0100
Subject: Archive Mail Problem In MailScanner-4.84

so what's the archive.rules look like?

remember these are like firewall rules and evaluated in order till it finds a 'hit' then stops processing the ruleset at that point, so make sure any default line is at the end of the file.

--
Martin Hepworth, CISSP
Oxford, UK

From jerry.benton at mailborder.com Mon Jun 23 15:54:52 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 23 Jun 2014 16:54:52 +0200
Subject: Phishing Update Service
In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B857EA7F8EE@HC-EXMBX04.herefordshire.gov.uk>
References: <7CA580B59C1ABD45B4614ED90D4C7B857EA7CC59@HC-EXMBX04.herefordshire.gov.uk> <35879628-2D0C-4816-A065-7F4B63C4A951@mailborder.com> <7CA580B59C1ABD45B4614ED90D4C7B857EA7F8EE@HC-EXMBX04.herefordshire.gov.uk>
Message-ID: <8F61FA00-94AA-4F38-AF61-5D795DF56B2E@mailborder.com>

I was thinking about your comments and considering an option, which would be to have a custom rules file that gets prepended to those that are automatically generated.

Example: custom.phishing.bad.sites.conf would get appended or prepended to phishing.bad.sites.conf by the update script. In this way your custom items would never be overwritten.

I am looking into it.

-
Jerry Benton
www.mailborder.com
From alex at vidadigital.com.pa Mon Jun 23 15:57:37 2014
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Mon, 23 Jun 2014 09:57:37 -0500
Subject: Archive Mail Problem In MailScanner-4.84

Are you sure you're using .rules at the end?

From phil.randal at hoopleltd.co.uk Mon Jun 23 17:11:01 2014
From: phil.randal at hoopleltd.co.uk (Randal, Phil)
Date: Mon, 23 Jun 2014 16:11:01 +0000
Subject: Phishing Update Service
In-Reply-To: <8F61FA00-94AA-4F38-AF61-5D795DF56B2E@mailborder.com>
References: <7CA580B59C1ABD45B4614ED90D4C7B857EA7CC59@HC-EXMBX04.herefordshire.gov.uk> <35879628-2D0C-4816-A065-7F4B63C4A951@mailborder.com> <7CA580B59C1ABD45B4614ED90D4C7B857EA7F8EE@HC-EXMBX04.herefordshire.gov.uk> <8F61FA00-94AA-4F38-AF61-5D795DF56B2E@mailborder.com>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B857EA80A10@HC-EXMBX04.herefordshire.gov.uk>

The original /usr/sbin/update_phishing_sites and /usr/sbin/update_bad_phishing_sites already had the correct logic in them.

We'd have to check the MailScanner logic to see how it handles duplicates which could result from a simple append.

Cheers,

Phil
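The approach discussed in the messages above (keep local entries in a separate custom file, combine them with the downloaded list without duplicates, and never replace a working list after a failed download) is shown here as an added example; it is not the Mailborder script or MailScanner's own updater. The function names, the one-entry-per-line format with # comments, and the case-insensitive duplicate check are assumptions.

```shell
#!/bin/bash
# Added example: not the Mailborder script and not MailScanner's own updater.
# Assumptions: one site per line, lines starting with # are comments, and
# entries are compared case-insensitively. All function names are hypothetical.

# merge_lists CUSTOM DOWNLOADED
# Print local custom entries first, then downloaded entries, skipping
# comments, blank lines and anything already printed.
merge_lists() {
    ml_custom=$1
    ml_downloaded=$2
    # A missing custom file simply contributes nothing.
    [ -f "$ml_custom" ] || ml_custom=/dev/null
    awk '
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }               # drop comments and blank lines
        { key = tolower($0) }
        !(key in seen) { seen[key] = 1; print }
    ' "$ml_custom" "$ml_downloaded"
}

# install_list DOWNLOADED CUSTOM TARGET
# Reject an empty or implausible download, merge, then replace TARGET atomically.
install_list() {
    il_downloaded=$1
    il_custom=$2
    il_target=$3

    # A failed or truncated download must never replace a working list.
    if [ ! -s "$il_downloaded" ]; then
        echo "download is empty, keeping $il_target" >&2
        return 1
    fi
    # An HTML error page saved by the HTTP client is not a site list.
    if grep -qi '<html' "$il_downloaded"; then
        echo "download looks like HTML, keeping $il_target" >&2
        return 1
    fi

    # Build the new file beside the target so mv is a same-filesystem rename;
    # mktemp picks an unpredictable name, unlike a fixed path under /tmp.
    # Note: mv replaces a symlinked TARGET with a regular file, so resolve the
    # link first when /etc/MailScanner points into /opt/MailScanner.
    il_tmp=$(mktemp "$il_target.XXXXXX") || return 1
    if ! merge_lists "$il_custom" "$il_downloaded" > "$il_tmp"; then
        rm -f "$il_tmp"
        return 1
    fi
    chmod 0644 "$il_tmp"
    mv -f "$il_tmp" "$il_target"
}

# fetch_list URL OUTFILE
# The list URL in the thread is plain HTTP, so nothing authenticates the
# content; the checks in install_list only catch broken downloads.
fetch_list() {
    wget -q -O "$2" "$1"
}

# update_list URL CUSTOM TARGET
# Download to a private temp file, then install only if the download worked.
update_list() {
    ul_dl=$(mktemp) || return 1
    ul_rc=0
    fetch_list "$1" "$ul_dl" || ul_rc=$?
    if [ "$ul_rc" -eq 0 ]; then
        install_list "$ul_dl" "$2" "$3" || ul_rc=$?
    else
        echo "download failed with code $ul_rc, keeping $3" >&2
    fi
    rm -f "$ul_dl"
    return "$ul_rc"
}

# Typical call, with LIST_URL set to the download location of the list:
# update_list "$LIST_URL" /etc/MailScanner/custom.phishing.bad.sites.conf \
#     /etc/MailScanner/phishing.bad.sites.conf
```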
From rcooper at dwford.com Mon Jun 23 18:44:57 2014
From: rcooper at dwford.com (Rick Cooper)
Date: Mon, 23 Jun 2014 13:44:57 -0400
Subject: Phishing Update Service
Message-ID: <7B6BCFBAB5114F149B1373B21798C1AF@SAHOMELT>

I am going to be tied up tight for a while, had a major server drop and am placing the backup as I type so I dunno how long I am going to be with a new template server and data backups

From glenn.steen at gmail.com Tue Jun 24 00:13:14 2014
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue, 24 Jun 2014 01:13:14 +0200
Subject: www.mailscanner.eu not responding - was: Failed update_bad_phishing_sites
In-Reply-To: <5393402B.6090605@msapiro.net>
References: <5393402B.6090605@msapiro.net>

Actually no... As I've mentioned before, at least newer LookOut will hang a bit while waiting to show nothing;-) Reason being the nonfunctioning c name.
Cheers
--
-- Glenn

On 7 Jun 2014 19:06, "Mark Sapiro" wrote:

> On 06/07/2014 08:43 AM, Paul Welsh wrote:
> > So since neither http://www.mailscanner.eu/1x1spacer.gif
> > nor http://cdn.mailscanner.info/1x1spacer.gif are available then does
> > anyone have the gif handy?
>
>
> You really don't need it. Mailscanner will change something that looks like
>
> src="
> http://ad.doubleclick.net/ad/some_encoded_info/...;sz=1x1;ord=[1402020420606]
> ?"
> />
>
> and turn it into
>
> alt="Web Bug from
>
> http://ad.doubleclick.net/ad/some_encoded_info/...;sz=1x1;ord=[1402020420606]
> ?"
> />
>
> At worst, when the user views the mail and
> http://www.mailscanner.eu/1x1spacer.gif cannot be retrieved, the user
> may see the alt=text, but in many cases, the user's MUA won't load
> remote images by default and the user sees nothing.
>
>
> > Apologies if I have missed something here. By the way, my conf file
> > points to the mailscanner.tv site which is also
> > down. In fact mailscanner.info seems down
> > currently, ie, pings but web site not up.
>
>
> www.mailscanner.info, www.mailscanner.eu, www.mailscanner.tv and
> jules.mailscanner.info are all the same machine, IP 78.153.201.155.
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140624/2ced067c/attachment.html From jflowers at ezo.net Wed Jun 25 03:08:13 2014 From: jflowers at ezo.net (Jim Flowers) Date: Tue, 24 Jun 2014 22:08:13 -0400 Subject: Archive Mail Problem In MailScanner-4.84 In-Reply-To: References: Message-ID: Further information: If I set permissions on the archive.rules file to read only, I can stop messages from being appended. Unfortunately, the rules in the file still don't work to forward copies to other accounts in accordance with the rules included so I'm not really gaining. This is a new install on FreeBSD-10.0-RELEASE with MailScanner -4.84 and perl v5.18.2 (threaded) running on an AM64 host. If this problem is unknown to the community, how would I set about debugging it? I'm not at all familiar with the MailScanner code. On Mon, Jun 23, 2014 at 8:15 AM, Jim Flowers wrote: > I regularly use a ruleset for directing copies of messages for particular > addresses to alternate recipients. Until 4.84, that is. > > If I enter a ruleset with: > > Archive Mail = /var/spool/MailScanner/rules/archive.rules > or > %rules-dir%/archive.rules > > copies of all messages as files are stored in archive.rules as a directory. > > If I first create a archive.rules file with my desired copying rules, all > messages are appended to the file. > > I would like to have this useful functionality back. > > Thanks for any information. > > > -- > Jim Flowers > -- Jim Flowers -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140624/a8e9cfbe/attachment.html From max at inmindlabs.com Fri Jun 27 16:06:42 2014 From: max at inmindlabs.com (Max Kipness) Date: Fri, 27 Jun 2014 10:06:42 -0500 Subject: Score on attachments Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B9E7054@addc01.assuredata.local> Hi, I've asked this before, but never got an answer and thought I would give it another shot. 
I sometimes get spam with attachments that are usually SCR files. For example just a few minutes ago I received about 401k fund participants/performance. Everything on my MailScanner system is setup correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules, you name it. So this message received a Bayes 999, which is correct. But nothing else was triggered. I'm looking at some type of custom rule, but I sure would be nice if we could score on an attachment present in general, or certain extensions like an SCR. Or if we could score on the fact that the message was caught by MailScanner with an attachment warning. Any ideas? Thanks, Max From pas at unh.edu Fri Jun 27 16:35:50 2014 From: pas at unh.edu (Paul A Sand) Date: Fri, 27 Jun 2014 11:35:50 -0400 Subject: Score on attachments In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B9E7054@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B9E7054@addc01.assuredata.local> Message-ID: <20140627153550.GA8469@cisunix.unh.edu> * Max Kipness [2014-06-27 11:15]: > I sometimes get spam with attachments that are usually SCR files. For > example just a few minutes ago I received about 401k fund > participants/performance. Everything on my MailScanner system is setup > correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules, > you name it. So this message received a Bayes 999, which is correct. But > nothing else was triggered. I'm looking at some type of custom rule, but > I sure would be nice if we could score on an attachment present in > general, or certain extensions like an SCR. Or if we could score on the > fact that the message was caught by MailScanner with an attachment > warning. 
It's been awhile since I looked at this, but I was under the impression
that this was covered by normal, uncustomized, rules:

1) MailScanner.conf has

   Filename Rules = %etc-dir%/filename.rules.conf

2) filename.rules.conf has

   deny   \.scr$   Possible virus hidden in a screensaver   Windows Screensavers are often used to hide viruses

But you say that everything is set up correctly, so I'm almost certainly
missing something.

--
-- Paul A Sand
-- Information Technology / University of New Hampshire
-- http://pubpages.unh.edu/~pas
-- No electrons were harmed in the transmission of this message.

From max at inmindlabs.com Fri Jun 27 17:27:52 2014
From: max at inmindlabs.com (Max Kipness)
Date: Fri, 27 Jun 2014 11:27:52 -0500
Subject: Score on attachments
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local>

>>* Max Kipness [2014-06-27 11:15]:
>> I sometimes get spam with attachments that are usually SCR files. For
>> example just a few minutes ago I received about 401k fund
>> participants/performance. Everything on my MailScanner system is setup
>> correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules,
>> you name it. So this message received a Bayes 999, which is correct. But
>> nothing else was triggered. I'm looking at some type of custom rule, but
>> I sure would be nice if we could score on an attachment present in
>> general, or certain extensions like an SCR. Or if we could score on the
>> fact that the message was caught by MailScanner with an attachment
>> warning.

>It's been awhile since I looked at this, but I was under the impression
>that this was covered by normal, uncustomized, rules:
>
>1) MailScanner.conf has
>
> Filename Rules = %etc-dir%/filename.rules.conf
>
>2) filename.rules.conf has
>
> deny   \.scr$   Possible virus hidden in a screensaver   Windows Screensavers are often used to hide viruses
>
>But you say that everything is set up correctly, so I'm almost certainly
>missing something.

Thanks for the response Paul.
MailScanner is indeed blocking the SCR and sending a report about the attachment. The problem is, this email was a spam message, its score was 3.7 (bayes 999 only) so it still got through (but with the SCR stripped).

So I'm looking to add a score on the SCR, adding 1.0. In reality you could add 20.0 for SCR because I don't ever see a legitimate need to send these. If I had an extra score to add to the bayes 999 it would not have gotten through.

Or better yet, how about adding a score on (Filename?) attachment warning? That would probably be best. Add 1.0 score to any of those.

If anyone knows how this can be achieved please let me know. In the past I've had many of these having to do with Fax, Xerox spam, etc.

Max

From alex at vidadigital.com.pa Fri Jun 27 17:29:51 2014
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Fri, 27 Jun 2014 11:29:51 -0500
Subject: Score on attachments
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B9E7054@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B9E7054@addc01.assuredata.local>
Message-ID:

You should just disallow SCR files since there is probably no need for them to be sent to your users. If I recall correctly, SCR (like .EXE) is one of the extensions MailScanner doesn't let through by default.

*Alex Neuman van der Hans*
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

Mobile: +507-6781-9505
Work: +507-832-6725
Work (USA): +1-440-253-9789
Skype: AlexNeuman

Don't miss Vida Digital on LiveStream !
Saturdays 8am-10am on 104.3FM Panama

Follow *@AlexNeuman * on Twitter
Like Vida Digital on Facebook
Follow VidaDigital on Instagram
Subscribe to Vida Digital on Youtube

On Fri, Jun 27, 2014 at 10:06 AM, Max Kipness wrote:

> Hi,
>
> I've asked this before, but never got an answer and thought I would give
> it another shot.
>
> I sometimes get spam with attachments that are usually SCR files. For
> example just a few minutes ago I received about 401k fund
> participants/performance.
Everything on my MailScanner system is setup > correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules, > you name it. So this message received a Bayes 999, which is correct. But > nothing else was triggered. I'm looking at some type of custom rule, but > I sure would be nice if we could score on an attachment present in > general, or certain extensions like an SCR. Or if we could score on the > fact that the message was caught by MailScanner with an attachment > warning. > > Any ideas? > > Thanks, > Max > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140627/6b4e5d5c/attachment.html From alex at vidadigital.com.pa Fri Jun 27 18:07:31 2014 From: alex at vidadigital.com.pa (Alex Neuman) Date: Fri, 27 Jun 2014 12:07:31 -0500 Subject: Score on attachments In-Reply-To: <20140627153550.GA8469@cisunix.unh.edu> References: <11375BD8FE838A409E10DB32B9BFFE9B9E7054@addc01.assuredata.local> <20140627153550.GA8469@cisunix.unh.edu> Message-ID: It may be possible that he's skipping scanning on certain users out of convenience, but opening the door to trojans in the process. *Alex Neuman van der Hans*Reliant Technologies / Vida Digital http://vidadigital.com.pa/ Mobile: +507-6781-9505 Work: +507-832-6725 Work (USA): +1-440-253-9789 Skype: AlexNeuman Don't miss Vida Digital on LiveStream ! Saturdays 8am-10am on 104.3FM Panama Follow *@AlexNeuman * on Twitter Like Vida Digital on Facebook Follow VidaDigital on Instagram Subscribe to Vida Digital on Youtube On Fri, Jun 27, 2014 at 10:35 AM, Paul A Sand wrote: > * Max Kipness [2014-06-27 11:15]: > > I sometimes get spam with attachments that are usually SCR files. 
For > > example just a few minutes ago I received about 401k fund > > participants/performance. Everything on my MailScanner system is setup > > correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules, > > you name it. So this message received a Bayes 999, which is correct. But > > nothing else was triggered. I'm looking at some type of custom rule, but > > I sure would be nice if we could score on an attachment present in > > general, or certain extensions like an SCR. Or if we could score on the > > fact that the message was caught by MailScanner with an attachment > > warning. > > It?s been awhile since I looked at this, but I was under the impression > that this was covered by normal, uncustomized, rules: > > 1) MailScanner.conf has > > Filename Rules = %etc-dir%/filename.rules.conf > > 2) filename.rules.conf has > > deny \.scr$ Possible virus hidden in a screensaver Windows > Screensavers are often used to hide viruses > > But you say that everything is set up correctly, so I?m almost certainly > missing something. > > -- > -- Paul A Sand > -- Information Technology / University of New Hampshire > -- http://pubpages.unh.edu/~pas > -- No electrons were harmed in the transmission of this message. > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140627/9d92e77b/attachment.html

From pas at unh.edu Fri Jun 27 18:08:44 2014
From: pas at unh.edu (Paul A Sand)
Date: Fri, 27 Jun 2014 13:08:44 -0400
Subject: Score on attachments
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local>
Message-ID: <20140627170844.GA9137@cisunix.unh.edu>

* Max Kipness [2014-06-27 12:35]:
> MailScanner is indeed blocking the SCR and sending a report about the
> attachment. The problem is, this email was a spam message, it's score
> was 3.7(bayes 999 only) so it still got through (but with the SCR
> stripped).
>
> So I'm looking to add a score on the SCR, adding 1.0. In reality you
> could add 20.0 for SCR because I don't ever see a legitimate need to
> send these. If I had an extra score to add to the bayes 999 it would not
> have gotten through.
>
> Or better yet, how about adding a score on (Filename?) attachment
> warning? That would probably be best. Add 1.0 score to any of those.

Sorry for misunderstanding. How about adapting the scheme here
(which adds a score on zip file attachment):

http://jrs-s.net/2013/06/14/block-common-trojans-in-spamassassin/

I haven't tried this myself.

--
-- Paul A Sand
-- Information Technology / University of New Hampshire
-- http://pubpages.unh.edu/~pas
-- Contents may have settled during shipment.

From alex at vidadigital.com.pa Fri Jun 27 18:57:23 2014
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Fri, 27 Jun 2014 12:57:23 -0500
Subject: Score on attachments
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local>
Message-ID:

What about not allowing messages with forbidden attachments through at all?

In any case, you might want to try something like this:

mimeheader SCR_ATTACHED Content-Type =~ /scr/i
describe SCR_ATTACHED email contains an scr file attachment
score SCR_ATTACHED 1.0
In

*Alex Neuman van der Hans*
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

Mobile: +507-6781-9505
Work: +507-832-6725
Work (USA): +1-440-253-9789
Skype: AlexNeuman

Don't miss Vida Digital on LiveStream !
Saturdays 8am-10am on 104.3FM Panama

Follow *@AlexNeuman * on Twitter
Like Vida Digital on Facebook
Follow VidaDigital on Instagram
Subscribe to Vida Digital on Youtube

On Fri, Jun 27, 2014 at 11:27 AM, Max Kipness wrote:

> >>* Max Kipness [2014-06-27 11:15]:
> >> I sometimes get spam with attachments that are usually SCR files. For
> >> example just a few minutes ago I received about 401k fund
> >> participants/performance. Everything on my MailScanner system is
> setup
> >> correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules,
> >> you name it. So this message received a Bayes 999, which is correct.
> But
> >> nothing else was triggered. I'm looking at some type of custom rule,
> but
> >> I sure would be nice if we could score on an attachment present in
> >> general, or certain extensions like an SCR. Or if we could score on
> the
> >> fact that the message was caught by MailScanner with an attachment
> >> warning.
>
> >It's been awhile since I looked at this, but I was under the impression
> >that this was covered by normal, uncustomized, rules:
> >
> >1) MailScanner.conf has
> >
> > Filename Rules = %etc-dir%/filename.rules.conf
> >
> >2) filename.rules.conf has
> >
> > deny \.scr$ Possible virus hidden in a screensaver Windows
> Screensavers are often used to hide viruses
> >
> >But you say that everything is set up correctly, so I'm almost
> certainly
> >missing something.
>
> Thanks for the response Paul.
>
> MailScanner is indeed blocking the SCR and sending a report about the
> attachment.
The problem is, this email was a spam message, it's score > was 3.7(bayes 999 only) so it still got through (but with the SCR > stripped). > > So I'm looking to add a score on the SCR, adding 1.0. In reality you > could add 20.0 for SCR because I don't ever see a legitimate need to > send these. If I had an extra score to add to the bayes 999 it would not > have gotten through. > > Or better yet, how about adding a score on (Filename?) attachment > warning? That would probably be best. Add 1.0 score to any of those. > > If anyone know how this can be achieved please let me know. In the past > I've had many of these having to do with Fax, Xerox spam, etc. > > Max > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140627/c273ef51/attachment.html From alex at vidadigital.com.pa Fri Jun 27 18:57:47 2014 From: alex at vidadigital.com.pa (Alex Neuman) Date: Fri, 27 Jun 2014 12:57:47 -0500 Subject: Score on attachments In-Reply-To: References: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local> Message-ID: Sorry, hit wrong key. I was going to say "in any case, the rule is probably wrong but someone could help correct it". *Alex Neuman van der Hans*Reliant Technologies / Vida Digital http://vidadigital.com.pa/ Mobile: +507-6781-9505 Work: +507-832-6725 Work (USA): +1-440-253-9789 Skype: AlexNeuman Don't miss Vida Digital on LiveStream ! 
Saturdays 8am-10am on 104.3FM Panama Follow *@AlexNeuman * on Twitter Like Vida Digital on Facebook Follow VidaDigital on Instagram Subscribe to Vida Digital on Youtube On Fri, Jun 27, 2014 at 12:57 PM, Alex Neuman wrote: > What about not allowing messages with forbidden attachments through at > all? > > In any case, you might want to try something like this: > > mimeheader SCR_ATTACHED Content-Type =~ /scr/i > describe SCR_ATTACHED email contains an scr file attachment > score SCR_ATTACHED 1.0 > In > > > > > *Alex Neuman van der Hans*Reliant Technologies / Vida Digital > http://vidadigital.com.pa/ > > Mobile: +507-6781-9505 > Work: +507-832-6725 > Work (USA): +1-440-253-9789 > Skype: AlexNeuman > > Don't miss Vida Digital on LiveStream > ! > Saturdays 8am-10am on 104.3FM Panama > > Follow *@AlexNeuman * on Twitter > Like Vida Digital on Facebook > Follow VidaDigital on Instagram > Subscribe to Vida Digital on Youtube > > > On Fri, Jun 27, 2014 at 11:27 AM, Max Kipness wrote: > >> >>* Max Kipness [2014-06-27 11:15]: >> >> I sometimes get spam with attachments that are usually SCR files. For >> >> example just a few minutes ago I received about 401k fund >> >> participants/performance. Everything on my MailScanner system is >> setup >> >> correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules, >> >> you name it. So this message received a Bayes 999, which is correct. >> But >> >> nothing else was triggered. I'm looking at some type of custom rule, >> but >> >> I sure would be nice if we could score on an attachment present in >> >> general, or certain extensions like an SCR. Or if we could score on >> the >> >> fact that the message was caught by MailScanner with an attachment >> >> warning. 
>> >> >It's been awhile since I looked at this, but I was under the impression >> >that this was covered by normal, uncustomized, rules: >> > >> >1) MailScanner.conf has >> > >> > Filename Rules = %etc-dir%/filename.rules.conf >> > >> >2) filename.rules.conf has >> > >> > deny \.scr$ Possible virus hidden in a screensaver Windows >> Screensavers are often used to hide viruses >> > >> >But you say that everything is set up correctly, so I'm almost >> certainly >> >missing something. >> >> Thanks for the response Paul. >> >> MailScanner is indeed blocking the SCR and sending a report about the >> attachment. The problem is, this email was a spam message, it's score >> was 3.7(bayes 999 only) so it still got through (but with the SCR >> stripped). >> >> So I'm looking to add a score on the SCR, adding 1.0. In reality you >> could add 20.0 for SCR because I don't ever see a legitimate need to >> send these. If I had an extra score to add to the bayes 999 it would not >> have gotten through. >> >> Or better yet, how about adding a score on (Filename?) attachment >> warning? That would probably be best. Add 1.0 score to any of those. >> >> If anyone know how this can be achieved please let me know. In the past >> I've had many of these having to do with Fax, Xerox spam, etc. >> >> Max >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140627/9322ba85/attachment.html

From max at inmindlabs.com Fri Jun 27 19:05:19 2014
From: max at inmindlabs.com (Max Kipness)
Date: Fri, 27 Jun 2014 13:05:19 -0500
Subject: Score on attachments
References: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local> <20140627170844.GA9137@cisunix.unh.edu>
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B9E7061@addc01.assuredata.local>

>Sorry for misunderstanding. How about adapting the scheme here (which adds a score on zip file attachment) :
>
>http://jrs-s.net/2013/06/14/block-common-trojans-in-spamassassin/
>
>I haven't tried this myself.

Wow, beautiful. I've already tested it and it works great. I guess I overlooked the mimeheader rules. I now see Alex has responded with the same.

Thanks to both.

Max

From maxsec at gmail.com Fri Jun 27 19:08:53 2014
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 27 Jun 2014 19:08:53 +0100
Subject: Score on attachments
In-Reply-To: <20140627170844.GA9137@cisunix.unh.edu>
References: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local> <20140627170844.GA9137@cisunix.unh.edu>
Message-ID:

Are you setting mailscanner.conf so every email gets its spam scores in the header? Could be something's misfiring like autowhitelisting (which I always disable anyway).

Make sure the following are set so you'll get that in the headers:

Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score Number Format = %5.2f

On Friday, 27 June 2014, Paul A Sand wrote:

> * Max Kipness
> [2014-06-27 12:35]:
> > MailScanner is indeed blocking the SCR and sending a report about the
> > attachment. The problem is, this email was a spam message, it's score
> > was 3.7(bayes 999 only) so it still got through (but with the SCR
> > stripped).
> >
> > So I'm looking to add a score on the SCR, adding 1.0.
In reality you > > could add 20.0 for SCR because I don't ever see a legitimate need to > > send these. If I had an extra score to add to the bayes 999 it would not > > have gotten through. > > > > Or better yet, how about adding a score on (Filename?) attachment > > warning? That would probably be best. Add 1.0 score to any of those. > > Sorry for misunderstanding. How about adapting the scheme here > (which adds a score on zip file attachment) : > > http://jrs-s.net/2013/06/14/block-common-trojans-in-spamassassin/ > > I haven?t tried this myself. > > -- > -- Paul A Sand > > -- Information Technology / University of New Hampshire > -- http://pubpages.unh.edu/~pas > -- Contents may have settled during shipment. > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140627/9751d62a/attachment.html From rcooper at dwford.com Fri Jun 27 22:01:06 2014 From: rcooper at dwford.com (Rick Cooper) Date: Fri, 27 Jun 2014 17:01:06 -0400 Subject: Score on attachments In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B9E7054@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B9E7054@addc01.assuredata.local> Message-ID: Max Kipness wrote: > Hi, > > I've asked this before, but never got an answer and thought I would > give it another shot. > > I sometimes get spam with attachments that are usually SCR files. For > example just a few minutes ago I received about 401k fund > participants/performance. Everything on my MailScanner system is setup > correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules, > you name it. 
So this message received a Bayes 999, which is correct.
> But nothing else was triggered. I'm looking at some type of custom
> rule, but I sure would be nice if we could score on an attachment
> present in general, or certain extensions like an SCR. Or if we could
> score on the fact that the message was caught by MailScanner with an
> attachment warning.
>
> Any ideas?
>
> Thanks,
> Max

You do not say what your MTA is but I have to assume postfix or sendmail (I use exim) have some kind of mime type blocking as does exim so it's easy to either reject or dev/null any email that has a .scr file attached (or any other type for that matter) and it never gets to MailScanner or the user. I dump about 1/2 dozen different file types that should never be sent (unarchived) including .src, right at the MTA level.

Rick

From max at inmindlabs.com Fri Jun 27 22:12:34 2014
From: max at inmindlabs.com (Max Kipness)
Date: Fri, 27 Jun 2014 16:12:34 -0500
Subject: Score on attachments
References: <11375BD8FE838A409E10DB32B9BFFE9B9E7054@addc01.assuredata.local>
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B9E706D@addc01.assuredata.local>

>You do not say what your MTA is but I have to assume postfix or sendmail (I use exim) have some kind of mime type blocking as does exim so it's easy to either reject or dev/null any email that has a .scr file
>attached (or any other type for that matter) and it never gets to MailScanner or the user. I dump about 1/2 dozen different file types that should never be sent (un
>archived) including .src, right at the MTA level
>
>Rick

Good point there. I use Sendmail.

For the SCR files there really is not a legitimate reason to send them so you would assume the whole email should be trashed. I'm going to look into this. But what if the SCR is zipped? That is the way I'm getting them.

Max

From max at inmindlabs.com Fri Jun 27 22:16:35 2014
From: max at inmindlabs.com (Max Kipness)
Date: Fri, 27 Jun 2014 16:16:35 -0500
Subject: Score on attachments
References: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local>
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B9E706E@addc01.assuredata.local>

>What about not allowing messages with forbidden attachments through at all?
>In any case, you might want to try something like this:
>mimeheader SCR_ATTACHED Content-Type =~ /scr/i
>describe SCR_ATTACHED email contains an scr file attachment
>score SCR_ATTACHED 1.0

I actually spoke a little soon.

Although this works great on the actual SCR files, I realized later they are sent inside of zip files. This doesn't work for an SCR inside of a zip, of course, because the mime header has no mention of the inside file.

For now I'm giving zip files a low score, but enough to take the email to definite "is spam" with a Bayes 999.

I'm also reviewing Rick's suggestion.

Thanks all,
Max

From alex at vidadigital.com.pa Sat Jun 28 00:10:12 2014
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Fri, 27 Jun 2014 18:10:12 -0500
Subject: Score on attachments
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B9E706E@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local> <11375BD8FE838A409E10DB32B9BFFE9B9E706E@addc01.assuredata.local>
Message-ID:

Or you could just let MailScanner do its job and not deliver these files - along with the e-mails with the dangerous attachments.

*Alex Neuman van der Hans*
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

Mobile: +507-6781-9505
Work: +507-832-6725
Work (USA): +1-440-253-9789
Skype: AlexNeuman

Don't miss Vida Digital on LiveStream !
Saturdays 8am-10am on 104.3FM Panama Follow *@AlexNeuman * on Twitter Like Vida Digital on Facebook Follow VidaDigital on Instagram Subscribe to Vida Digital on Youtube On Fri, Jun 27, 2014 at 4:16 PM, Max Kipness wrote: > > >What about not allowing messages with forbidden attachments through at > all? > >In any case, you might want to try something like this: > >mimeheader SCR_ATTACHED Content-Type =~ /scr/i > >describe SCR_ATTACHED email contains an scr file attachment > >score SCR_ATTACHED 1.0 > > I actually spoke a little soon. > > Although this works great on the actual SCR files. I realized later they > are sent inside of zip files. This doesn't work for an SCR inside of a zip, > of course because the mime header has no mention of the inside file. > > For now I'm giving zip files a low score, but enough to take the email to > definite "is spam" with a Bayes 999. > > I'm also reviewing Rick's suggestion. > > Thanks all, > Max > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140627/5c52834b/attachment.html From max at inmindlabs.com Sat Jun 28 01:08:31 2014 From: max at inmindlabs.com (Max Kipness) Date: Fri, 27 Jun 2014 19:08:31 -0500 Subject: Score on attachments References: <11375BD8FE838A409E10DB32B9BFFE9B9E705B@addc01.assuredata.local><11375BD8FE838A409E10DB32B9BFFE9B9E706E@addc01.assuredata.local> Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B9E7072@addc01.assuredata.local> >Or you could just let MailScanner do its job and not deliver these files - along with the e-mails with the dangerous attachments. 
Is there a way in MailScanner to not send the email if the attachment is an SCR (or zip with enclosed SCR)? Currently MailScanner is stripping the SCR/ZIP, but sending the email anyway with the attached text file warning that the SCR is on the unacceptable list.

I think this was the original path I was trying to take to resolve this problem, but could not find a way to do it.

Max

From rcooper at dwford.com Sat Jun 28 18:51:46 2014
From: rcooper at dwford.com (Rick Cooper)
Date: Sat, 28 Jun 2014 13:51:46 -0400
Subject: Score on attachments
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B9E706D@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B9E7054@addc01.assuredata.local> <11375BD8FE838A409E10DB32B9BFFE9B9E706D@addc01.assuredata.local>
Message-ID: <6F153035AEC94B349F5E454EA99E666E@SAHOMELT>

Max Kipness wrote:
>> You do not say what your MTA is but I have to assume postfix or
> sendmail (I use exim) have some kind of mime type blocking as does
> exim so it's easy to either reject or dev/null any email that has a
> .scr file
>> attached (or any other type for that matter) and it never gets to
> MailScanner or the user. I dump about 1/2 dozen different file types
> that should never be sent (un
>> archived) including .src, right at the MTA level
>>
>> Rick
>
> Good point there. I use Sendmail.
>
> For the SCR files there really is not a legitimate reason to send them
> so you would assume the whole email should be trashed. I'm going to
> look into this. But what if the SCR is zipped? That is the way I'm
> getting them.
>
> Max

The answer is yes, Exim can, but you have to write a rather simple script to be called on the file to handle the processing of files inside archives. I only block those that are outside archives and let MailScanner handle those that are inside as it seems cleaner to me. I don't think you want to hold up the MTA while something unpacks all the attachments and their children looking for a specific file type; better to let MailScanner do that in the background.

MailScanner, use the archive file name/type rules and set to deny. You can see what happens if you set deliver cleaned to no; I don't know if that applies to messages with files removed or not.
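
Added example, not part of any message in this thread and not MailScanner, SpamAssassin or Exim code: a Python version of the check the thread ends on, finding a denied extension such as .scr inside a zip attachment, which a Content-Type mimeheader rule cannot see. The deny list, the depth and size limits, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Deny pattern in the spirit of the thread's "deny \.scr$" filename rule.
# The extension list and both limits are assumptions for this example.
# Trailing dots and spaces are allowed because Windows strips them on open.
DENY = re.compile(r"\.(scr|pif|exe|com)[. ]*$", re.IGNORECASE)
MAX_DEPTH = 2                       # archive levels that will be opened
MAX_NESTED_BYTES = 5 * 1024 * 1024  # largest nested archive that is unpacked


def denied_zip_members(data, depth=1, prefix=""):
    """List denied names inside a zip. Member names come from the archive
    directory, so nothing except nested zips is ever decompressed."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    hits = []
    with archive:
        for info in archive.infolist():
            name = prefix + info.filename
            if DENY.search(info.filename):
                hits.append(name)  # names are visible even in encrypted zips
            elif info.filename.lower().endswith(".zip"):
                encrypted = bool(info.flag_bits & 0x1)
                too_big = info.file_size > MAX_NESTED_BYTES
                if depth >= MAX_DEPTH or encrypted or too_big:
                    # Fail closed: report what could not be inspected.
                    hits.append(name + " <nested archive not inspected>")
                    continue
                try:
                    inner = archive.read(info)
                except (zipfile.BadZipFile, NotImplementedError, zlib.error):
                    hits.append(name + " <nested archive not inspected>")
                    continue
                hits.extend(denied_zip_members(inner, depth + 1, name + "!"))
    return hits


def scan_message(raw):
    """Return (attachment filename, reason) pairs for a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        if DENY.search(filename):
            findings.append((filename, "denied extension"))
            continue
        payload = part.get_payload(decode=True) or b""
        # Decide by content, not by the declared name or Content-Type.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            for member in denied_zip_members(payload):
                findings.append((filename, "contains " + member))
    return findings


def build_sample():
    """Constructed message: a zip holding a zip holding a .scr placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("401k_report.scr", b"constructed placeholder, not a binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"see attached")
        z.writestr("report.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "401k fund performance"
    msg.set_content("Please review the attached report.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="documents.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, reason in scan_message(build_sample()):
        print(f"{attachment}: {reason}")
```

A non-empty result is the signal to quarantine the whole message or to add score; which of the two is a site policy choice, as the thread discusses.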