From dlee.aus at gmail.com Tue Mar 4 01:57:47 2014
From: dlee.aus at gmail.com (David Lee)
Date: Tue, 4 Mar 2014 12:27:47 +1030
Subject: Bad phishing site update script problems

Hi All,

Is anybody else seeing problems with updates of the 'phishing.bad.sites.conf' file?
When I try to run the update script, I see the following:

Reading status from /var/MailScanner/phishingupdate/status
Checking that /var/MailScanner/phishingupdate/cache/2014-092 exists... no - resetting..... ok
Checking that /var/MailScanner/phishingupdate/cache/-1.0 exists... ok
Argument "2014-091" isn't numeric in numeric eq (==) at /usr/sbin/update_bad_phishing_sites line 139.
I am working with: Current: 2014-092 - 99 and Status: -1 - 0
This is base update
Unable to retrieve http://cdn.mailscanner.info/.2014-092 :404 Not Found
Update required
Retrieving http://cdn.mailscanner.info/2014-092.1
Failed to retrieve http://cdn.mailscanner.info/2014-092.1 at /usr/sbin/update_bad_phishing_sites line 220.
Updating live file /etc/MailScanner/phishing.bad.sites.conf
cp: cannot stat `/var/MailScanner/phishingupdate/cache//2014-092': No such file or directory

Thanks
David

From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 03 Mar 2014 18:26:47 -0800
Subject: Bad phishing site update script problems
Message-ID: <531539E7.1000302@msapiro.net>

On 03/03/2014 05:57 PM, David Lee wrote:
> Hi All,
>
> Is anybody else seeing problems with updates of the
> 'phishing.bad.sites.conf' file?
> When I try to run the update script, I see the following:
> ...
> I am working with: Current: 2014-092 - 99 and Status: -1 - 0
> This is base update
> Unable to retrieve http://cdn.mailscanner.info/.2014-092 :404 Not Found

I see it too and also with ScamNailer. The issue is you have the latest (patched) version of /usr/sbin/update_bad_phishing_sites and it tries to guess the latest update if the txt record at emails.msupdate.greylist.bastionmail.com is missing or out of date. The record is still emails.2014-091.13 which is yesterday. There is no record or data (yet?) for today. This may or may not resolve when some server somewhere wakes up, comes back online or whatever the problem is.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan

From: dlee.aus at gmail.com (David Lee)
Date: Tue, 4 Mar 2014 16:40:40 +1030
Subject: Bad phishing site update script problems
In-Reply-To: <531539E7.1000302@msapiro.net>
References: <531539E7.1000302@msapiro.net>

> On 03/03/2014 05:57 PM, David Lee wrote:
>> Hi All,
>>
>> Is anybody else seeing problems with updates of the
>> 'phishing.bad.sites.conf' file?
>> When I try to run the update script, I see the following:
>>
> ...
>> I am working with: Current: 2014-092 - 99 and Status: -1 - 0
>> This is base update
>> Unable to retrieve http://cdn.mailscanner.info/.2014-092 :404 Not Found
>
>
> I see it too and also with ScamNailer. The issue is you have the latest
> (patched) version of /usr/sbin/update_bad_phishing_sites and it tries to
> guess the latest update if the txt record at
> emails.msupdate.greylist.bastionmail.com is missing or out of date. The
> record is still emails.2014-091.13 which is yesterday. There is no
> record or data (yet?) for today. This may or may not resolve when some
> server somewhere wakes up, comes back online or whatever the problem is.

OK. Thanks for that.

-- 
David

On Tue, Mar 4, 2014 at 12:56 PM, Mark Sapiro wrote:
> On 03/03/2014 05:57 PM, David Lee wrote:
> > Hi All,
> >
> > Is anybody else seeing problems with updates of the
> > 'phishing.bad.sites.conf' file?
> > When I try to run the update script, I see the following:
> >
> ...
> > I am working with: Current: 2014-092 - 99 and Status: -1 - 0
> > This is base update
> > Unable to retrieve http://cdn.mailscanner.info/.2014-092 :404 Not Found
>
>
> I see it too and also with ScamNailer. The issue is you have the latest
> (patched) version of /usr/sbin/update_bad_phishing_sites and it tries to
> guess the latest update if the txt record at
> emails.msupdate.greylist.bastionmail.com is missing or out of date. The
> record is still emails.2014-091.13 which is yesterday. There is no
> record or data (yet?) for today.
> This may or may not resolve when some
> server somewhere wakes up, comes back online or whatever the problem is.
>
> --
> Mark Sapiro                          The highway is for gamblers,
> San Francisco Bay Area, California   better use your sense - B. Dylan
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 04 Mar 2014 11:10:42 -0800
Subject: Bad phishing site update script problems
In-Reply-To: <531539E7.1000302@msapiro.net>
References: <531539E7.1000302@msapiro.net>
Message-ID: <53162532.7030005@msapiro.net>

On 03/03/2014 06:26 PM, Mark Sapiro wrote:
> On 03/03/2014 05:57 PM, David Lee wrote:
>> Hi All,
>>
>> Is anybody else seeing problems with updates of the
>> 'phishing.bad.sites.conf' file?
>> When I try to run the update script, I see the following:
>>
> ...
>> I am working with: Current: 2014-092 - 99 and Status: -1 - 0
>> This is base update
>> Unable to retrieve http://cdn.mailscanner.info/.2014-092 :404 Not Found

If you are seeing these issues with update_bad_phishing_sites and/or Scamnailer, you can avoid this with these patches

--- /usr/sbin/update_bad_phishing_sites.mas 2013-10-02 21:25:07.000000000 -0700
+++ /usr/sbin/update_bad_phishing_sites 2014-03-04 10:38:26.000000000 -0800
@@ -145,7 +145,8 @@
 my $janone = (gmtime(timegm(0,0,0,1,0,$year-1900)))[6];
 my $week = sprintf ("%02d", int (((gmtime)[7] + $janone) / 7));
 my $mybase = "$year-$week$day";
-if ($currentbase lt $mybase) {
+#if ($currentbase lt $mybase) {
+if ($currentbase eq 0) {
 $currentbase = $mybase;
 $currentupdate = 99;
 }
--- .cron/ScamNailer.new 2013-06-19 13:08:56.000000000 -0700
+++ .cron/ScamNailer 2014-03-04 10:36:53.000000000 -0800
@@ -226,7 +229,8 @@
 my $janone = (gmtime(timegm(0,0,0,1,0,$year-1900)))[6];
 my $week = sprintf ("%02d", int (((gmtime)[7] + $janone) / 7));
 my $mybase = "$year-$week$day";
- if ($currentbase lt $mybase) {
+# if ($currentbase lt $mybase) {
+ if ($currentbase eq 0) {
 $currentbase = $mybase;
 $currentupdate = 99;
 }

These changes will prevent losing the files altogether if the data files and the DNS TXT records at msupdate.greylist.bastionmail.com and emails.msupdate.greylist.bastionmail.com are not being updated, as is the current case. However, if, as was the case a few months ago, only the DNS TXT records are not updated, this will defeat the patch which would correctly guess the updates.

Also, if your files do not have the line

if ($currentbase lt $mybase) {

this doesn't apply to you.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan

From: stef at aoc-uk.com (Stef Morrell)
Date: Thu, 6 Mar 2014 13:45:33 +0000
Subject: Sophos SAVDI interface
Message-ID: <92665C7597419742B19470DFA3D5BEA2090D2398@vonLipwig.aoc-uk.com>

Hello,

Does anyone have any experience running recent (v9) Sophos using SAVDI (presumably with savdid).

We've been using v4 and SAVI for years, but v4 is EOL next month and SAVI doesn't work with 64-bit in any case, so time to move along.

Thanks

Stef

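Review bot: in both hunks of Mark's patch above (update_bad_phishing_sites and .cron/ScamNailer), the replacement test `if ($currentbase eq 0) {` only assigns a base when the status file holds exactly "0", but the run quoted at the top of the thread reads "Status: -1 - 0" after a reset, and `eq` is a string compare, so "-1" (or an empty value on a fresh install) no longer satisfies the condition that `lt $mybase` used to satisfy; either confirm that a -1 status is handled elsewhere in the script or widen the test, for example `if ($currentbase eq 0 or $currentbase eq -1) {`. Also, rather than leaving `#if ($currentbase lt $mybase) {` in place with no explanation, a one-line comment saying why the guess is disabled (stale DNS TXT records and data files) will stop the next maintainer from simply re-enabling it.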
From: pparsons at techeez.com (Philip Parsons)
Date: Thu, 6 Mar 2014 15:56:45 +0000
Subject: Is anyone else getting hammered by Russian spam

Any pointers of a rule that can block it? It is all just Russian words.

Thank you
P Parsons

From: richard.siddall at elirion.net (Richard Siddall)
Date: Thu, 06 Mar 2014 11:10:52 -0500
Subject: Is anyone else getting hammered by Russian spam
Message-ID: <53189E0C.8020606@elirion.net>

Philip Parsons wrote:
> Any pointers of a rule that can block it? It is all just Russian words.
>
> Thank you
> P Parsons
>

This was posted to the list in 2012:
http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120829/ea410e7b/attachment.obj

I haven't tried it.

Richard.

From: campbell at cnpapers.com (Steve Campbell)
Date: Thu, 06 Mar 2014 11:16:34 -0500
Subject: Is anyone else getting hammered by Russian spam
Message-ID: <53189F62.8000209@cnpapers.com>

Russian Federation, Ukraine, Taiwan. I put these IP blocks in my firewall since I see them trying to hack email passwords as well, along with user accounts on my other servers.

steve

On 3/6/2014 10:56 AM, Philip Parsons wrote:
> Any pointers of a rule that can block it? It is all just Russian words.
>
> Thank you
> P Parsons

From: pparsons at techeez.com (Philip Parsons)
Date: Thu, 6 Mar 2014 17:11:22 +0000
Subject: Is anyone else getting hammered by Russian spam
In-Reply-To: <53189F62.8000209@cnpapers.com>
References: <53189F62.8000209@cnpapers.com>
Message-ID: <11D8E491D9562549A61FD3186F36342001D53C4635@exchange.techeez.com>

Can you supply the IP lists that you have had success with?

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Campbell
Sent: March-06-14 8:17 AM
To: MailScanner discussion
Subject: Re: Is anyone else getting hammered by Russian spam

Russian Federation, Ukraine, Taiwan. I put these IP blocks in my firewall since I see them trying to hack email passwords as well, along with user accounts on my other servers.

steve

On 3/6/2014 10:56 AM, Philip Parsons wrote:
> Any pointers of a rule that can block it? It is all just Russian words.
>
> Thank you
> P Parsons

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From: campbell at cnpapers.com (Steve Campbell)
Date: Thu, 06 Mar 2014 12:56:03 -0500
Subject: Is anyone else getting hammered by Russian spam
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D53C4635@exchange.techeez.com>
References: <53189F62.8000209@cnpapers.com> <11D8E491D9562549A61FD3186F36342001D53C4635@exchange.techeez.com>
Message-ID: <5318B6B3.7020703@cnpapers.com>

Way too many to even try looking up. Look at the headers of the email, and find a site that lists the IP block for that IP. You sometimes can just do a "whois" and get this information.

China is another one that seems to be attempting the hacks as well.

steve

On 3/6/2014 12:11 PM, Philip Parsons wrote:
> Can you supply the IP lists that you have had success with?
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Campbell
> Sent: March-06-14 8:17 AM
> To: MailScanner discussion
> Subject: Re: Is anyone else getting hammered by Russian spam
>
> Russian Federation, Ukraine, Taiwan. I put these IP blocks in my
> firewall since I see them trying to hack email passwords as well, along
> with user accounts on my other servers.
>
> steve
> On 3/6/2014 10:56 AM, Philip Parsons wrote:
>> Any pointers of a rule that can block it? It is all just Russian words.
>>
>> Thank you
>> P Parsons

From: terry.hulen at gmail.com (Terry Hulen Jr)
Date: Thu, 6 Mar 2014 13:29:56 -0500
Subject: Is anyone else getting hammered by Russian spam
In-Reply-To: <5318B6B3.7020703@cnpapers.com>
References: <53189F62.8000209@cnpapers.com> <11D8E491D9562549A61FD3186F36342001D53C4635@exchange.techeez.com> <5318B6B3.7020703@cnpapers.com>

The only time I had to start going through and listing IP blocks to be, erm, blocked, was before I was using RBLs. Do you have those configured? If so, are they configured on the MTA's config? If not, put them there. That cut down on so much crap when I started doing that years ago.

On Thu, Mar 6, 2014 at 12:56 PM, Steve Campbell wrote:
> Way too many to even try looking up. Look at the headers of the email,
> and find a site that lists the IP block for that IP. You sometimes can
> just do a "whois" and get this information.
>
> China is another one that seems to be attempting the hacks as well.
>
> steve
> On 3/6/2014 12:11 PM, Philip Parsons wrote:
> > Can you supply the IP lists that you have had success with?
> >
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Campbell
> > Sent: March-06-14 8:17 AM
> > To: MailScanner discussion
> > Subject: Re: Is anyone else getting hammered by Russian spam
> >
> > Russian Federation, Ukraine, Taiwan. I put these IP blocks in my
> > firewall since I see them trying to hack email passwords as well, along
> > with user accounts on my other servers.
> >
> > steve
> > On 3/6/2014 10:56 AM, Philip Parsons wrote:
> >> Any pointers of a rule that can block it? It is all just Russian words.
> >>
> >> Thank you
> >> P Parsons

From: eric.yiu at pacific.net.hk (Eric Yiu)
Date: Fri, 07 Mar 2014 09:23:40 +0800
Subject: Sophos SAVDI interface
In-Reply-To: <92665C7597419742B19470DFA3D5BEA2090D2398@vonLipwig.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2090D2398@vonLipwig.aoc-uk.com>
Message-ID: <53191F9C.3030204@pacific.net.hk>

Hi,

No need. You can update your savupd.sh to change from linux.intel.libc6.glibc.2.2.tar.Z to linux.amd64.glibc.2.3.tar.Z, and a few other platform specifications in savupd.sh, to download the 64-bit version, i.e. http://downloads.sophos.com/dp/full/linux.amd64.glibc.2.3.tar.Z, and the perl savi will be able to compile.

But this new Sophos v4 lib (both 32- and 64-bit versions) has a bug of not stopping when it is forked from a child. So you need to fine tune SweepViruses.pm so that it kills itself, and add "kill 15, $$" after calling "SophosSAVI($subdir, $disinfect);"

I contacted Sophos before, and a new version of the Sophos lib that is free of the bug may be out next quarter.

Eric

Stef Morrell:
> Hello,
>
> Does anyone have any experience running recent (v9) Sophos using SAVDI (presumably with savdid).
>
> We've been using v4 and SAVI for years, but v4 is EOL next month and SAVI doesn't work with 64-bit in any case, so time to move along.
>
> Thanks
>
> Stef
>
>

From: richard at fastnet.co.uk (Richard Mealing)
Date: Fri, 7 Mar 2014 05:05:42 +0000
Subject: Is anyone else getting hammered by Russian spam
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EB2ECBE@BTN-EXCHANGE-V1.fastnet.local>

Hi Philip,

Have you looked at the RelayCountry plugin for SpamAssassin?

# Block countries
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(RU|CN)/
describe RELAYCOUNTRY_BAD foreign spam
score RELAYCOUNTRY_BAD 3.0

I also add Russian uri links to a rule and this catches loads of stuff.

uri LOCAL_URI_RU m{https?://.{1,40}\.ru\b}
describe LOCAL_URI_RU Contains a URI hosted in RU
score LOCAL_URI_RU 1.5

Hope this helps,

Rich

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Philip Parsons
Sent: 06 March 2014 15:57
To: MailScanner discussion
Subject: Is anyone else getting hammered by Russian spam

Any pointers of a rule that can block it? It is all just Russian words.

Thank you
P Parsons

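As an added illustration, not code from Rich's post and not part of SpamAssassin, the Python below applies the two quoted rules to constructed messages so the edge cases that matter when tuning them are visible: the `^` anchor makes RELAYCOUNTRY_BAD fire only when the first country code in X-Relay-Countries is RU or CN, and `.{1,40}\.ru\b` also matches a `.ru` label inside a longer hostname or path and stops matching once more than 40 characters sit between `://` and `.ru`. The function names, the relay-country strings (one code per relay, with `**` standing for an unresolved relay) and the URIs are all assumptions constructed for the example; SpamAssassin runs `uri` rules against each extracted URI, which is what `score_message` mimics.

```python
import re

# The two rules exactly as quoted in the post; the regex syntax is shared by Perl and Python.
RELAYCOUNTRY_BAD = re.compile(r"^(RU|CN)")
LOCAL_URI_RU = re.compile(r"https?://.{1,40}\.ru\b")
SCORES = {"RELAYCOUNTRY_BAD": 3.0, "LOCAL_URI_RU": 1.5}


def score_message(relay_countries, uris):
    """Apply both rules to one message and return (sorted hit names, total score).

    relay_countries: the value SpamAssassin's RelayCountry plugin would place in
                     the X-Relay-Countries pseudo-header (one code per relay).
    uris: the URIs extracted from the body; SpamAssassin evaluates `uri` rules
          against each extracted URI, so this does the same.
    """
    hits = set()
    if RELAYCOUNTRY_BAD.search(relay_countries):
        hits.add("RELAYCOUNTRY_BAD")
    if any(LOCAL_URI_RU.search(uri) for uri in uris):
        hits.add("LOCAL_URI_RU")
    return sorted(hits), sum(SCORES[name] for name in hits)


# Constructed sample messages (not real mail), one per edge case.
SAMPLES = {
    # first relay in the list is RU: the anchored header regex fires, and so does the URI rule
    "ru_first": ("RU **", ["http://example.ru/offer"]),
    # RU is present but not first: the ^ anchor means no header hit
    "ru_second": ("US RU", []),
    # a .ru label inside a longer hostname still satisfies \.ru\b
    "ru_subdomain": ("US", ["http://login.example.ru.example.com/"]),
    # a path component ending in .ru hits too, because .{1,40} happily crosses '/'
    "ru_in_path": ("US", ["http://example.com/report.ru"]),
    # 41 characters between :// and .ru exceeds the {1,40} bound: no hit
    "ru_long_host": ("US", ["http://" + "a" * 41 + ".ru/"]),
    # nothing matches
    "clean": ("US GB", ["https://example.org/"]),
}


def run_samples():
    """Score every constructed sample; returns {name: (hits, total)}."""
    return {name: score_message(rc, uris) for name, (rc, uris) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hits, total) in run_samples().items():
        print(f"{name:13s} score={total:<4} {' '.join(hits) or '-'}")
```

The `ru_in_path` and `ru_subdomain` cases are the ones to weigh before raising the score on LOCAL_URI_RU: the rule is a substring test on the URI, not a test of the registered domain, so a modest score as in Rich's post is the safer setting.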
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 7 Mar 2014 10:10:24 +0000
Subject: Sophos SAVDI interface
References: <92665C7597419742B19470DFA3D5BEA2090D2398@vonLipwig.aoc-uk.com>
Message-ID: <92665C7597419742B19470DFA3D5BEA2090D7B9E@vonLipwig.aoc-uk.com>

Hi Eric,

On 07 March 2014 01:24 Eric Yiu wrote:
> No need. You can update your savupd.sh to change from
> linux.intel.libc6.glibc.2.2.tar.Z to linux.amd64.glibc.2.3.tar.Z,

Yes and I have been doing that as a stopgap.

> But this new Sophos v4 lib (both 32- and 64-bit versions) has a bug
> of not stopping when it is forked from a child. So you need to fine tune
> SweepViruses.pm so that it kills itself, and add "kill 15, $$" after
> calling "SophosSAVI($subdir, $disinfect);"

Two problems here:

1 - Perl-SAVI won't compile under 64-bit at all, so the only option is to use sweep, which is very inefficient.

2 - Sophos v4 on demand scanner is being retired by Sophos on 30th April (http://www.sophos.com/en-us/support/knowledgebase/119018.aspx - click the Linux tab) and will receive no further updates from that date.

I spoke to a very clueful guy at Sophos support yesterday. They advised me to switch up to v9, which is fine but obviously it's not ideal to call savscan each time, hence my interest in SAVDI.

Stef

From: eric.yiu at pacific.net.hk (Eric Yiu)
Date: Sat, 8 Mar 2014 00:13:47 +0800 (HKT)
Subject: Sophos SAVDI interface
In-Reply-To: <92665C7597419742B19470DFA3D5BEA2090D7B9E@vonLipwig.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2090D2398@vonLipwig.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA2090D7B9E@vonLipwig.aoc-uk.com>

On Fri, 7 Mar 2014, Stef Morrell wrote:

> Hi Eric,
>
> On 07 March 2014 01:24 Eric Yiu wrote:
>> No need. You can update your savupd.sh to change from
>> linux.intel.libc6.glibc.2.2.tar.Z to linux.amd64.glibc.2.3.tar.Z,
>
> Yes and I have been doing that as a stopgap.
>
>> But this new Sophos v4 lib (both 32- and 64-bit versions) has a bug
>> of not stopping when it is forked from a child. So you need to fine tune
>> SweepViruses.pm so that it kills itself, and add "kill 15, $$" after
>> calling "SophosSAVI($subdir, $disinfect);"
>
> Two problems here:
>
> 1 - Perl-SAVI won't compile under 64-bit at all, so the only option is to use sweep, which is very inefficient.

You have to do the compile with a few tricks:

1. at the sophos lib, ln -s libsavi.so.2 libsavi.so
2. export CC="gcc -m64"
3. edit Makefile.PL, add your sophos lib to LIBS, i.e.
   'LIBS' => ['-L/opt/local/lib -R/opt/local/lib -L/opt/sophos-av/lib -lsavi'],
4. # diff sav_if/s_comput.h.old sav_if/s_comput.h
   644a645
   > # define __i386__

perl Makefile.PL
make
make install

There will be a few minor warnings at make but that will be fine

> 2 - Sophos v4 on demand scanner is being retired by Sophos on 30th April (http://www.sophos.com/en-us/support/knowledgebase/119018.aspx - click the Linux tab) and will receive no further updates from that date.
>
> I spoke to a very clueful guy at Sophos support yesterday. They advised me to switch up to v9, which is fine but obviously it's not ideal to call savscan each time, hence my interest in SAVDI.
>
> Stef
>

You can ask Sophos to get it with the password-protected python-style wget download, but I can tell you they are the same lib and sav ide structure.
I am also testing the download, but I am complaining to Sophos that the virus update is not as fast as savupd.sh, sometimes one or two hours delay. And also it downloads without unzipping the packed ides out, which I have to wrap a perl script around to do (I am not good at python).

Hope it can help.

Eric

From: chris at twinn.co.uk (Chris Twinn)
Date: Tue, 11 Mar 2014 14:55:11 +0000
Subject: Centos Postfix no Notice Signature and exe's delivered
Message-ID: <531F23CF.40804@twinn.co.uk>

Hi,

Hopefully I'm in the right place and someone can help; sorry if not, it's my first message.

I have installed CentOS 6.5 using Minimal, installed the prerequisite rpm's via yum, installed 4.84.6-1 for RedHat/CentOS via rpm. I am using clam for AV and SpamAssassin. Have decided to go with Postfix as MTA and this all works, mail comes in, eicar virus detected and stopped (clam). But sending in exe as an exe is allowed through. Exe hidden in Zip is allowed through. Normal emails just seem to bypass MailScanner even though the logs show MailScanner operating.

I also notice that the Notice Signature is not being added to the bottom of emails on clean messages, BUT I am getting the following in the headers:

X-tttttcouk-MailScanner-Information: Please contact the ISP for more information
X-tttttcouk-MailScanner-ID: BAF6FC104F.A0BC6
X-tttttcouk-MailScanner: Found to be clean
X-tttttcouk-MailScanner-From: mailscanner-bounces at lists.mailscanner.info

I have compared the configuration files to my previous server that ran MailScanner fine and everything is the same, except that one used Sendmail rather than Postfix.

Audit.log does not show any issues (SELinux is enabled, same problem if permissive).

MailScanner --lint does not show any issues.
I have turned on all the Log options, even tried setting debug = true and seeing what turns up in the maillog, not a lot :-(

Mar 11 14:22:28 centos65 MailScanner[3651]: New Batch: Found 3 messages waiting
Mar 11 14:22:28 centos65 MailScanner[3651]: New Batch: Scanning 1 messages, 156910 bytes
Mar 11 14:22:28 centos65 MailScanner[3651]: Virus and Content Scanning: Starting
Mar 11 14:22:37 centos65 MailScanner[3651]: Virus Scanning completed at 16770 bytes per second
Mar 11 14:22:37 centos65 MailScanner[3651]: Spam Checks: Starting
Mar 11 14:22:37 centos65 MailScanner[3651]: Message 4A318C10B0.A72CD from 127.0.0.1 (root at centos65.localdomain) to centos65 is not spam, SpamAssassin (not cached, score=1.804, required 6, ALL_TRUSTED -1.00, DKIM_ADSP_NXDOMAIN 0.80, NO_DNS_FOR_FROM 0.38, SUBJ_ALL_CAPS 1.62)
Mar 11 14:22:37 centos65 MailScanner[3651]: Delivery of nonspam: message 4A318C10B0.A72CD from root at centos65.localdomain to chris at centos65 with subject TEST EMAIL
Mar 11 14:22:37 centos65 MailScanner[3651]: Spam Checks completed at 284783 bytes per second
Mar 11 14:22:38 centos65 MailScanner[3651]: Requeue: 4A318C10B0.A72CD to C10EEC105F
Mar 11 14:22:38 centos65 MailScanner[3651]: Uninfected: Delivered 1 messages
Mar 11 14:22:38 centos65 postfix/qmgr[2783]: C10EEC105F: from=, size=156672, nrcpt=1 (queue active)
Mar 11 14:22:38 centos65 MailScanner[3651]: Deleted 1 messages from processing-database
Mar 11 14:22:38 centos65 MailScanner[3651]: Batch completed at 15603 bytes per second (156910 / 10)
Mar 11 14:22:38 centos65 MailScanner[3651]: Batch (1 message) processed in 10.06 seconds
Mar 11 14:22:38 centos65 postfix/local[3897]: C10EEC105F: to=, orig_to=, relay=local, delay=11, delays=11/0.03/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)
Mar 11 14:22:38 centos65 postfix/qmgr[2783]: C10EEC105F: removed

All the .conf are out of the box; the only other modded file is rules/spam.whitelist.rules

From: CUUSIIKKJEMEe at MWKEIEM.co.uk yes
From: AAAAs at mILKKKK.co.uk yes
From: oIIIIIe at IIRKKE.co.uk yes
From: *@MMMMMay.co.uk yes
From: *@KKKKKe.com yes
From: *@EEEDFFy.com yes
FromOrTo: default no

======= MailScanner.conf [edited]

Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
MTA = postfix
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Allow Filenames =
Deny Filenames =
Filename Rules = %etc-dir%/filename.rules.conf
Allow Filetypes =
Allow File MIME Types =
Deny Filetypes =
Deny File MIME Types =
Filetype Rules = %etc-dir%/filetype.rules.conf
Archives: Allow Filenames =
Archives: Deny Filenames =
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
Archives: Allow Filetypes =
Archives: Allow File MIME Types =
Archives: Deny Filetypes =
Archives: Deny File MIME Types =
Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
Hostname = the %org-name% ($HOSTNAME) MailScanner
Sign Messages Already Processed = no
Sign Clean Messages = yes
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info
Log Speed = yes
Log Spam = yes
Log Non Spam = yes
Log Delivery And Non-Delivery = yes
Log Permitted Filenames = yes
Log Permitted Filetypes = yes
Log Permitted File MIME Types = yes
Log Silent Viruses = yes
Log Dangerous HTML Tags = yes
Log SpamAssassin Rule Actions = yes

======= END MailScanner.conf

Many apologies for the length and hopefully someone is able to point me in the right direction.

Many Thanks,

Chris.

From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 12 Mar 2014 15:40:22 +0000
Subject: Messages stuck in Processing database
Message-ID: <11D8E491D9562549A61FD3186F36342001D5486E87@exchange.techeez.com>

I know this has been around for a while and I have made the change to use the internal TNEF, but lately I am getting more and more messages that are hanging up in the processing database.

Has anyone found a way to stop this from happening?

Thank you.

Philip Parsons
IT and Telecommunication Specialist
Techeez IT Consulting
250-818-2879
Skype ID: techeez
www.techeez.com
"Making IT easy"

IMPORTANT NOTICE
This e-mail is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying and distribution or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and e-mail confirmation to the sender.

From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 12 Mar 2014 20:24:33 +0100
Subject: Messages stuck in Processing database
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D5486E87@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D5486E87@exchange.techeez.com>

Try this:

find /var/spool/MailScanner -type d -exec chmod 0775 {} \;
find /var/spool/MailScanner -type f -exec chmod 0660 {} \;

If it clears, then you should check the permissions in your configs.

-- 
Jerry Benton
www.mailborder.com

On March 12, 2014 at 5:21:49 PM, Philip Parsons (pparsons at techeez.com) wrote:

I know this has been around for a while and I have made the change to use the internal TNEF, but lately I am getting more and more messages that are hanging up in the processing database.

Has anyone found a way to stop this from happening?

Thank you.

Philip Parsons
IT and Telecommunication Specialist
Techeez IT Consulting
250-818-2879
Skype ID: techeez
www.techeez.com
"Making IT easy"

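Jerry's two find commands reset the modes wholesale. As an added example that is neither Jerry's nor MailScanner's code, the Python below is the read-only check to run before or after that: it walks a spool tree and lists every directory whose permission bits are not 0775 and every file whose bits are not 0660, the same targets the two chmod calls set, without changing anything. The root path and the two target modes are parameters; the tree that `demo()` builds under a temporary directory is constructed (one directory and one file deliberately wrong) and is removed again afterwards, so nothing under /var/spool is touched.

```python
import os
import shutil
import stat
import tempfile


def audit_spool(root, dir_mode=0o775, file_mode=0o660):
    """Walk `root` and return a sorted list of (path, actual, wanted) tuples for
    every directory whose permission bits differ from `dir_mode` and every
    regular file whose bits differ from `file_mode`.  Symlinks are skipped
    because their own mode bits carry no meaning.  Nothing is modified."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk yields each directory exactly once as `dirpath`, so checking
        # it here covers every directory including `root` itself.
        candidates = [(dirpath, dir_mode)]
        candidates += [(os.path.join(dirpath, name), file_mode) for name in filenames]
        for path, wanted in candidates:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)   # rwx bits only, no file-type bits
            if actual != wanted:
                findings.append((path, actual, wanted))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed stand-in for /var/spool/MailScanner: two directories and two
    files, with one directory (quarantine) and one file (stuck.msg) deliberately
    given the wrong mode so the audit has something to report."""
    incoming = os.path.join(base, "incoming")
    quarantine = os.path.join(base, "quarantine")
    os.makedirs(incoming)
    os.makedirs(quarantine)
    for path, mode in ((base, 0o775), (incoming, 0o775), (quarantine, 0o700)):
        os.chmod(path, mode)
    good = os.path.join(incoming, "batch.1")
    bad = os.path.join(quarantine, "stuck.msg")
    for path, mode in ((good, 0o660), (bad, 0o644)):
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(path, mode)


def demo():
    """Build the constructed tree in a temporary directory, audit it, and return
    the findings with paths relative to the tree root and modes as octal text."""
    base = tempfile.mkdtemp(prefix="ms-spool-demo-")
    try:
        build_demo_tree(base)
        return [(os.path.relpath(path, base), oct(actual), oct(wanted))
                for path, actual, wanted in audit_spool(base)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for rel, actual, wanted in demo():
        print(f"{rel}: is {actual}, want {wanted}")
```

Against a live spool, call `audit_spool("/var/spool/MailScanner")` as the user MailScanner runs as; an empty list means the bits already match what Jerry's commands would set, and any remaining stuck messages are then a sign to look at ownership and the config paths rather than at modes.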
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 12 Mar 2014 21:31:50 +0000
Subject: Messages stuck in Processing database
References: <11D8E491D9562549A61FD3186F36342001D5486E87@exchange.techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F36342001D54889F9@exchange.techeez.com>

Thanks for the suggestion, but this only happens once a day, normally first thing in the morning spam rush around 4 to 5 am, and then only to a few emails, all of them spam.

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: March-12-14 12:25 PM
To: MailScanner discussion
Subject: Re: Messages stuck in Processing database

Try this:

find /var/spool/MailScanner -type d -exec chmod 0775 {} \;
find /var/spool/MailScanner -type f -exec chmod 0660 {} \;

If it clears, then you should check the permissions in your configs.

-- 
Jerry Benton
www.mailborder.com

On March 12, 2014 at 5:21:49 PM, Philip Parsons (pparsons at techeez.com) wrote:

I know this has been around for a while and I have made the change to use the internal TNEF, but lately I am getting more and more messages that are hanging up in the processing database.

Has anyone found a way to stop this from happening?

Thank you.

Philip Parsons
IT and Telecommunication Specialist
Techeez IT Consulting
250-818-2879
Skype ID: techeez
www.techeez.com
"Making IT easy"

From: IversonS at rushville.k12.in.us (Shawn Iverson)
Date: Thu, 13 Mar 2014 08:30:55 -0400
Subject: Treat Invalid Watermarks with No Sender as Spam
References: <5307B103020000D50004DD8C@mail.rushville.k12.in.us> <530B9558020000D50004DF21@mail.rushville.k12.in.us> <530D0185020000D50004E03B@mail.rushville.k12.in.us> <530E266F020000D50004E147@mail.rushville.k12.in.us> <530E3A38020000D50004E16D@mail.rushville.k12.in.us> <530F0F67020000D50004E267@mail.rushville.k12.in.us>
Message-ID: <53216CBF020000D50004F720@mail.rushville.k12.in.us>

I spoke too soon, now I am having the opposite effect.

Treat Invalid Watermarks with No Sender As Spam is halting subsequent rule processing on my system. As soon as an email matches this rule, spam checks do not proceed.

So, if I set a low score, all matching emails are non-spam (because SpamAssassin doesn't get a chance to scan further).

And, if I set a high score, all matching emails are spam by default.

Catch 22.

I'm going to dive into the MailScanner code and see what is actually happening....

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: Thursday, February 27, 2014 6:12 AM
To: 'MailScanner discussion'
Subject: RE: Treat Invalid Watermarks with No Sender as Spam

Setting to a low score has helped immensely. Messages are still getting caught by the other algorithms while allowing legit emails through.

I will make a feature request, though. It appears in the MailScanner code that when Treat Invalid Watermarks with No Sender As Spam equals anything spam or higher, further rule processing is halted. This is taking precedence over whitelisting/blacklisting and probably should not.

Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us

>>> "Shawn Iverson" 2/26/2014 7:02 PM >>>
Just set a numeric...will observe and see what happens.

Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us

>>> Kevin Miller 2/26/2014 6:48 PM >>>
> When I disable the Treat Invalid Watermarks With No Sender as Spam, the messages do pass through just fine.

What happens when you assign it a numeric value?

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

--
This message has been scanned for viruses and dangerous content by E.F.A. Project ( http://www.efa-project.org ), and is believed to be clean.

From IversonS at rushville.k12.in.us Thu Mar 13 18:57:02 2014
From: IversonS at rushville.k12.in.us (Shawn Iverson)
Date: Thu, 13 Mar 2014 14:57:02 -0400
Subject: Treat Invalid Watermarks with No Sender as Spam
In-Reply-To: <53216CBF020000D50004F720@mail.rushville.k12.in.us>
References: <5307B103020000D50004DD8C@mail.rushville.k12.in.us> <530B9558020000D50004DF21@mail.rushville.k12.in.us> <530D0185020000D50004E03B@mail.rushville.k12.in.us> <530E266F020000D50004E147@mail.rushville.k12.in.us> <530E3A38020000D50004E16D@mail.rushville.k12.in.us> <530F0F67020000D50004E267@mail.rushville.k12.in.us> <53216CBF020000D50004F720@mail.rushville.k12.in.us>
Message-ID: <5321C73E020000D50004F838@mail.rushville.k12.in.us>

Upon even closer observation....I seem to be insane.

If Treat Invalid Watermarks with No Sender as Spam = spam (or high-scoring spam), Messages.pm does indeed exit without moving forward, which makes sense. When it is a number, processing continues.

The messages that are getting through are indeed sliding past SpamAssassin undetected and with a 0 score. :/ Specifically, they are forged emails coming from Google, sent out to random recipients, with the DSNs landing squarely on the mail user whose email address was forged.

Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us

>>> "Shawn Iverson" 3/13/2014 8:30 AM >>>
I spoke too soon, now I am having the opposite effect.

Treat Invalid Watermarks with No Sender As Spam is halting subsequent rule processing on my system. As soon as an email matches this rule, spam checks do not proceed.

So, if I set a low score, all matching emails are non-spam (because SpamAssassin doesn't get a chance to scan further). And, if I set a high score, all matching emails are spam by default. Catch-22.

I'm going to dive into the MailScanner code and see what is actually happening....
From marc at reidclan.com Mon Mar 17 00:04:52 2014
From: marc at reidclan.com (Marc)
Date: Sun, 16 Mar 2014 20:04:52 -0400
Subject: Rules multiple conditions
Message-ID: <002201cf4174$874065b0$95c13110$@reidclan.com>

I'm trying to archive email FromOrTo a domain so have the rule:

FromOrTo: *@domain.com /path/to/archive

Which works great.

However, I'd like to exclude a particular address (one for now, so hoping it's easy).

FromOrTo: *@domain.com or Not From: user at domain.com

How could that work? (I assume the 'Not' won't work in the above line.) What is the correct rule?

Thanks,

Marc

From jerry.benton at mailborder.com Mon Mar 17 00:55:39 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 17 Mar 2014 01:55:39 +0100
Subject: Rules multiple conditions
In-Reply-To: <002201cf4174$874065b0$95c13110$@reidclan.com>
References: <002201cf4174$874065b0$95c13110$@reidclan.com>
Message-ID:

Point the setting to a ruleset file and put it in two rules.

FromOrTo: user at domain.com /dev/null
FromOrTo: *@domain.com /path/to/archive

This is an All Match rule, so this may or may not work, but it should be easy enough to test.

--
Jerry Benton
www.mailborder.com

On March 17, 2014 at 1:46:22 AM, Marc (marc at reidclan.com) wrote:

I'm trying to archive email FromOrTo a domain so have the rule:

FromOrTo: *@domain.com /path/to/archive

Which works great.

However, I'd like to exclude a particular address (one for now, so hoping it's easy).

FromOrTo: *@domain.com or Not From: user at domain.com

How could that work? (I assume the 'Not' won't work in the above line.) What is the correct rule?

Thanks,

Marc

From marc at reidclan.com Mon Mar 17 01:23:22 2014
From: marc at reidclan.com (Marc)
Date: Sun, 16 Mar 2014 21:23:22 -0400
Subject: archiving email - second issue
Message-ID: <002701cf417f$7e2e4f90$7a8aeeb0$@reidclan.com>

I just noticed that my archives don't include the spam scanning results. In some situations I think this is good; but for me, I'd like to keep copies of only non-spam email (yes, a false positive could get lost...but not really worried).

How can I tell MailScanner to save a copy of emails after SpamAssassin has added headers with results?

Thanks,

From mark at msapiro.net Mon Mar 17 04:29:21 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 16 Mar 2014 21:29:21 -0700
Subject: Rules multiple conditions
In-Reply-To: <002201cf4174$874065b0$95c13110$@reidclan.com>
References: <002201cf4174$874065b0$95c13110$@reidclan.com>
Message-ID: <53267A21.9030001@msapiro.net>

Marc wrote:
> However, I'd like to exclude a particular address (one for now, so hoping
> it's easy).
>
> FromOrTo: *@domain.com or Not
> From: user at domain.com
>
> How could that work? (I assume the 'Not' won't work in the above line.)
> What is the correct rule?

First of all, 'or' is not allowed in "two condition" rules. Only 'and' is allowed, which is what you want anyway.

And yes, 'Not' doesn't work, but you can do this using perl regular expressions with something like

FromOrTo: /\@domain\.com$/ and From: /^(?!user\@domain\.com$)/

Note that if the second condition is going to be a perl /.../ regexp, the first must be also.

The second condition uses negative lookahead. (?!xxx) matches if and only if the current position is not followed by 'xxx'. In this case we match the beginning of the string, not followed by exactly user at domain.com. The $ inside the lookahead matches the end of string, and it must be inside because the lookahead doesn't advance the string. Also the @ and . are escaped so they don't have special meaning.

Even simpler, you can use perl's '!' not operator as in

FromOrTo: /\@domain\.com$/ and From: !/^user\@domain\.com$/

Here again, for this to work, the first condition must also be a perl regexp.

--
Mark Sapiro                         The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan

From mark at msapiro.net Mon Mar 17 04:46:51 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 16 Mar 2014 21:46:51 -0700
Subject: Rules multiple conditions
In-Reply-To: <53267A21.9030001@msapiro.net>
References: <002201cf4174$874065b0$95c13110$@reidclan.com> <53267A21.9030001@msapiro.net>
Message-ID: <53267E3B.80802@msapiro.net>

On 03/16/2014 09:29 PM, Mark Sapiro wrote:
>
> Even simpler, you can use perl's '!' not operator as in
>
> FromOrTo: /\@domain\.com$/ and
> From: !/^user\@domain\.com$/

Ooops. It appears that doesn't work. I thought I'd tested it, but I'd forgotten to reload MailScanner after changing my test rule. The negative lookahead rule does work as described in my first reply.

--
Mark Sapiro                         The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan

From bonivart at opencsw.org Mon Mar 17 09:21:03 2014
From: bonivart at opencsw.org (Peter Bonivart)
Date: Mon, 17 Mar 2014 10:21:03 +0100
Subject: archiving email - second issue
In-Reply-To: <002701cf417f$7e2e4f90$7a8aeeb0$@reidclan.com>
References: <002701cf417f$7e2e4f90$7a8aeeb0$@reidclan.com>
Message-ID:

On Mon, Mar 17, 2014 at 2:23 AM, Marc wrote:
> I just noticed that my archives don't include the spam scanning results. In
> some situations I think this is good; but for me, I'd like to keep copies of
> only non-spam email (yes, a false positive could get lost...but not really
> worried).

The archive feature is meant to archive as it arrived, not modified in any way.

> How can I tell MailScanner to save a copy of emails after Spamassassin has
> added headers with results?

Use the Non Spam Actions and so on, there's both store and forward options there.

From koby at mksoft.co.il Wed Mar 19 16:58:09 2014
From: koby at mksoft.co.il (Koby Peleg Hen)
Date: Wed, 19 Mar 2014 18:58:09 +0200
Subject: Eset antivirus Type
Message-ID: <5329CCA1.7080507@mksoft.co.il>

From simon at kmun.gov.kw Sat Mar 22 17:12:18 2014
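Mark Sapiro's corrected answer in the "Rules multiple conditions" thread relies on a two-condition 'and' rule whose conditions are both Perl regexps, and Jerry Benton flagged his two-rule ruleset as possibly not working because Archive Mail is an All Match setting. The Python script below is an added example written for this archive page, not MailScanner's own ruleset code: it models ruleset matching in simplified form (assumptions: FromOrTo matches the sender or any recipient, addresses are compared case-insensitively, a wildcard pattern such as *@domain.com becomes an anchored regex) and evaluates both rulesets from the thread under first-match and all-match semantics.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Simplified model of MailScanner ruleset matching. Assumption: this is an
# illustration written for this thread, not MailScanner's own ruleset code.
# Accepted syntax:
#   <Field>: <pattern> <value>
#   <Field>: /regex/ and <Field>: /regex/ <value>
# where <Field> is From, To or FromOrTo and <pattern> is either a Perl-style
# /regex/ or a wildcard address such as *@domain.com.
LINE_RE = re.compile(
    r"^(?P<f1>FromOrTo|From|To):\s+(?P<p1>\S+)"
    r"(?:\s+and\s+(?P<f2>FromOrTo|From|To):\s+(?P<p2>\S+))?"
    r"\s+(?P<value>\S+)\s*$"
)


def compile_pattern(pat: str) -> "re.Pattern":
    """A /regex/ is used as written; a wildcard address is anchored and '*'
    becomes '.*'. Addresses are compared case-insensitively (assumption)."""
    if len(pat) >= 2 and pat.startswith("/") and pat.endswith("/"):
        return re.compile(pat[1:-1], re.IGNORECASE)
    return re.compile("^" + re.escape(pat).replace(r"\*", ".*") + "$", re.IGNORECASE)


@dataclass
class Rule:
    conds: List[Tuple[str, "re.Pattern"]]  # (field, compiled pattern)
    value: str                              # e.g. an archive path or /dev/null


def parse_rule(line: str) -> Rule:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    conds = [(m["f1"], compile_pattern(m["p1"]))]
    if m["f2"]:
        # Two-condition rules: only 'and' is accepted, and both sides must be
        # /regex/ conditions, so the '!/.../' form from the thread is rejected.
        if not (m["p1"].startswith("/") and m["p2"].startswith("/")):
            raise ValueError(f"both conditions of an 'and' rule must be /regex/: {line!r}")
        conds.append((m["f2"], compile_pattern(m["p2"])))
    return Rule(conds, m["value"])


def _matches(field: str, rx: "re.Pattern", sender: str, rcpts: List[str]) -> bool:
    targets = {"From": [sender], "To": rcpts, "FromOrTo": [sender, *rcpts]}[field]
    return any(rx.search(t) for t in targets)


def evaluate(rules: List[Rule], sender: str, rcpts: List[str],
             all_matches: bool = False) -> List[str]:
    """Values of the rules that match the message. First-match semantics stop
    at the first hit; all-match semantics (used by settings such as Archive
    Mail) collect every hit. An empty list means no rule matched, which is
    where a ruleset's 'default' line would apply."""
    hits = []
    for rule in rules:
        if all(_matches(f, rx, sender, rcpts) for f, rx in rule.conds):
            hits.append(rule.value)
            if not all_matches:
                break
    return hits


# Constructed rulesets taken from the thread: Mark Sapiro's single rule with a
# negative lookahead, and Jerry Benton's two-rule version.
LOOKAHEAD_RULESET = [
    r"FromOrTo: /\@domain\.com$/ and From: /^(?!user\@domain\.com$)/ /path/to/archive",
]
TWO_RULE_RULESET = [
    "FromOrTo: user@domain.com /dev/null",
    "FromOrTo: *@domain.com /path/to/archive",
]


def archive_targets(ruleset: List[str], sender: str, rcpts: List[str]) -> List[str]:
    """Where an Archive Mail ruleset (an All Match setting) would copy the message."""
    rules = [parse_rule(line) for line in ruleset]
    return evaluate(rules, sender, rcpts, all_matches=True)


if __name__ == "__main__":
    for sender in ("alice@domain.com", "user@domain.com"):
        print(sender,
              "lookahead:", archive_targets(LOOKAHEAD_RULESET, sender, ["bob@example.org"]),
              "two-rule:", archive_targets(TWO_RULE_RULESET, sender, ["bob@example.org"]))
```

Under all-match semantics the two-rule ruleset sends mail from user@domain.com to both /dev/null and the archive, which is why the single negative-lookahead rule is the reliable way to exclude one sender; note that it excludes that address only as sender, so mail addressed to user@domain.com is still archived.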
From: simon at kmun.gov.kw (simon at kmun.gov.kw)
Date: Sat, 22 Mar 2014 20:12:18 +0300
Subject: MailScanner marks messages as DOS attack
Message-ID: <7ea166175a9a76de86d4c5437a00c76a.squirrel@webmail.baladia.gov.kw>

Dear All,

I had this issue for some time but was confused on where actually this issue was from. Many times mails were stopped and being marked as denial of service attack. This was mostly from google groups.

After more investigation I realized the following:

Many of the users have subscribed to google groups. Now when an email is received from a user who belongs to the same group as our users belong, maybe about 15 to 20 messages are marked clean; subsequent messages are being marked with RED and the details page shows denial of service attack. Also the system becomes very slow as MailScanner consumes the entire CPU and also the outgoing email takes a long time to reach the recipient.

It remains in the incoming queue for a long time, maybe 10 to 15 min at times.

Now I would like to know any tips and advice as to what I could do to make MailScanner process these mails at a much better rate and thereby avoid MS marking them as DOS attack mails and thereby avoid the whole system being slow.

regards
simon

From mark at msapiro.net Sat Mar 22 17:52:25 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 22 Mar 2014 10:52:25 -0700
Subject: MailScanner marks messages as DOS attack
In-Reply-To: <7ea166175a9a76de86d4c5437a00c76a.squirrel@webmail.baladia.gov.kw>
References: <7ea166175a9a76de86d4c5437a00c76a.squirrel@webmail.baladia.gov.kw>
Message-ID: <532DCDD9.5010700@msapiro.net>

On 03/22/2014 10:12 AM, simon at kmun.gov.kw wrote:
>
> After more investigation I realized the following:
>
> Many of the users have subscribed to google groups.
> Now when an email is received from a user who belongs to the same group as
> our users belong, maybe about 15 to 20 messages are marked clean;
> subsequent messages are being marked with RED and the details page shows
> denial of service attack.
> Also the system becomes very slow as MailScanner consumes the entire CPU
> and also the outgoing email takes a long time to reach the recipient.
>
> It remains in the incoming queue for a long time, maybe 10 to 15 min at
> times.

I'm not sure what the underlying issue is in this case, but looking at the code I think that the DOS attack is raised when one of your virus scanners times out on a message. You might try looking at logs to see if you can determine why this happens.

As a workaround, you could establish a "Virus Scanning" ruleset to skip virus scanning for these messages. See .

--
Mark Sapiro                         The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan

From axisml at gmail.com Tue Mar 25 17:15:41 2014
From: axisml at gmail.com (Chris Stone)
Date: Tue, 25 Mar 2014 11:15:41 -0600
Subject: MailScanner marks messages as DOS attack
In-Reply-To: <532DCDD9.5010700@msapiro.net>
References: <7ea166175a9a76de86d4c5437a00c76a.squirrel@webmail.baladia.gov.kw> <532DCDD9.5010700@msapiro.net>
Message-ID:

I had a similar issue on a server built on CentOS 6 and the latest MailScanner. Never have found specific messages that cause the problem, but typically 5-6 times a week I'd get an alert from our Nagios installation stating that there were zombie processes on the filtering server. I'd go look and see MailScanner processing, crashing and looping on messages - after 6 loops through, putting in the quarantine tagged as DoS message.

So, I tried disabling the Processing Attempts Database by setting:

Maximum Processing Attempts = 0

in MailScanner.conf. I no longer am seeing *any* problem - the crashes have stopped, the looping has stopped (as expected with disabling), no messages marked as DoS sources and none quarantined as a result. All appears to be fine.

So, it kind of looks like something with the Processing Attempts Database code - although I do use that on a number of other CentOS 4 and CentOS 5 servers without issue.

Chris

On Sat, Mar 22, 2014 at 11:52 AM, Mark Sapiro wrote:

> On 03/22/2014 10:12 AM, simon at kmun.gov.kw wrote:
> >
> > After more investigation I realized the following:
> >
> > Many of the users have subscribed to google groups.
> > Now when an email is received from a user who belongs to the same group as
> > our users belong, maybe about 15 to 20 messages are marked clean;
> > subsequent messages are being marked with RED and the details page shows
> > denial of service attack.
> > Also the system becomes very slow as MailScanner consumes the entire CPU
> > and also the outgoing email takes a long time to reach the recipient.
> >
> > It remains in the incoming queue for a long time, maybe 10 to 15 min at
> > times.
>
> I'm not sure what the underlying issue is in this case, but looking at
> the code I think that the DOS attack is raised when one of your virus
> scanners times out on a message. You might try looking at logs to see if
> you can determine why this happens.
>
> As a workaround, you could establish a "Virus Scanning" ruleset to skip
> virus scanning for these messages. See
> .
>
> --
> Mark Sapiro                         The highway is for gamblers,
> San Francisco Bay Area, California  better use your sense - B. Dylan

--
Chris Stone
AxisInternet, Inc.
www.axint.net

From mailscanner at replies.cyways.com Fri Mar 28 14:16:04 2014
From: mailscanner at replies.cyways.com (Peter Lemieux)
Date: Fri, 28 Mar 2014 10:16:04 -0400
Subject: MCP announcements not forwarded
Message-ID: <53358424.6060904@replies.cyways.com>

I've been a happy MailScanner user for many years now, but I have encountered a problem that has me stumped.

We use MCP to scan outbound mail and have had it working for quite some time. Messages that trip the MCP rules are forwarded to the alias mcpmonitor at localhost which redirects the messages to the relevant staff members for review.

Sometime in the past couple of months the forwarding stopped working. The alias works properly since I can send a message to the alias from the command prompt. MailScanner reports in the logs that suspect messages are being forwarded:

Mar 23 18:21:12 mail MailScanner[15851]: MCP Actions: message s2NMLCAK020553 actions are mcpmonitor at localhost,forward

However there are no other entries in the log with that message ID, nor is the message sent to the alias. It appears in no queue nor in the quarantine area. It simply disappears.

I wondered if there is some conflict among the Perl modules since some of them might have been updated with versions from CentOS or rpmforge. I upgraded from 4.84.3-1 to 4-84.6-1 and let the installer rebuild the modules as always, but the problem persists.

The platform is CentOS 6.5 with sendmail 8.14.4. Any help on diagnosing this would be greatly appreciated! The scanner also uses SpamAssassin and clamd, but those work fine for all messages.

Thanks!

Peter

From brad at comstyle.com Fri Mar 28 21:43:28 2014
From: brad at comstyle.com (Brad Smith)
Date: Fri, 28 Mar 2014 17:43:28 -0400
Subject: Rerolling MailScanner-install-4.84.6-1.tar.gz tarball
Message-ID: <5335ED00.8090601@comstyle.com>

Ok, so who rerolled this tarball and snuck in some changes?

From jerry.benton at mailborder.com Fri Mar 28 23:57:56 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sat, 29 Mar 2014 00:57:56 +0100
Subject: Rerolling MailScanner-install-4.84.6-1.tar.gz tarball
In-Reply-To: <5335ED00.8090601@comstyle.com>
References: <5335ED00.8090601@comstyle.com>
Message-ID:

Only Jules has the capability at the moment. What do you think has changed?

--
Jerry Benton
www.mailborder.com

On March 28, 2014 at 11:25:24 PM, Brad Smith (brad at comstyle.com) wrote:

Ok, so who rerolled this tarball and snuck in some changes?

From brad at comstyle.com Sat Mar 29 00:12:48 2014
From: brad at comstyle.com (Brad Smith)
Date: Fri, 28 Mar 2014 20:12:48 -0400
Subject: Rerolling MailScanner-install-4.84.6-1.tar.gz tarball
In-Reply-To:
References: <5335ED00.8090601@comstyle.com>
Message-ID: <53361000.8010703@comstyle.com>

On 28/03/14 7:57 PM, Jerry Benton wrote:
> Only Jules has the capability at the moment. What do you think has changed?

I don't think something has changed. I can see that changes have been snuck in with the bad / safe phishing site config files.

From mark at msapiro.net Sat Mar 29 00:53:22 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 28 Mar 2014 17:53:22 -0700
Subject: Rerolling MailScanner-install-4.84.6-1.tar.gz tarball
In-Reply-To: <53361000.8010703@comstyle.com>
References: <5335ED00.8090601@comstyle.com> <53361000.8010703@comstyle.com>
Message-ID: <53361982.70505@msapiro.net>

On 03/28/2014 05:12 PM, Brad Smith wrote:
> On 28/03/14 7:57 PM, Jerry Benton wrote:
>> Only Jules has the capability at the moment. What do you think has changed?
>
> I don't think something has changed. I can see that changes have been
> snuck in with the bad / safe phishing site config files.

Those files are dynamic and are updated on your server by /usr/sbin/update_phishing_sites and /usr/sbin/update_bad_phishing_sites which are normally run daily and hourly respectively by /etc/cron.daily/update_phishing_sites and /etc/cron.hourly/update_bad_phishing_sites.

If you are saying those files in the tarball are not the same as those on your server, it's probably because the ones on your server have been updated.

If you are saying those files in the tarball are not the same as those in an earlier tarball, the tarball was probably repackaged at some point and the latest versions picked up.

--
Mark Sapiro                         The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan

From brad at comstyle.com Sat Mar 29 02:12:35 2014
From: brad at comstyle.com (Brad Smith)
Date: Fri, 28 Mar 2014 22:12:35 -0400
Subject: Rerolling MailScanner-install-4.84.6-1.tar.gz tarball
In-Reply-To: <53361982.70505@msapiro.net>
References: <5335ED00.8090601@comstyle.com> <53361000.8010703@comstyle.com> <53361982.70505@msapiro.net>
Message-ID: <53362C13.5030008@comstyle.com>

On 28/03/14 8:53 PM, Mark Sapiro wrote:
> On 03/28/2014 05:12 PM, Brad Smith wrote:
>> On 28/03/14 7:57 PM, Jerry Benton wrote:
>>> Only Jules has the capability at the moment. What do you think has changed?
>>
>> I don't think something has changed. I can see that changes have been
>> snuck in with the bad / safe phishing site config files.
>
>
> Those files are dynamic and are updated on your server by
> /usr/sbin/update_phishing_sites and /usr/sbin/update_bad_phishing_sites
> which are normally run daily and hourly respectively by
> /etc/cron.daily/update_phishing_sites and
> /etc/cron.hourly/update_bad_phishing_sites.
>
> If you are saying those files in the tarball are not the same as those
> on your server, it's probably because the ones on your server have been
> updated.
>
> If you are saying those files in the tarball are not the same as those
> in an earlier tarball, the tarball was probably repackaged at some point
> and the latest versions picked up.

Yes, I am saying the files in the tarball are not the same as those in an earlier tarball. The rerolling of the tarball happened within the last month or so. This is a big no-no and must not be done. If you need to change *anything* you issue a new release, and the MailScanner versioning even has a means of indicating minor releases for such changes.