From stef at aoc-uk.com Thu May 1 12:07:45 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Thu, 1 May 2014 11:07:45 +0000
Subject: Spamassassin rules not firing correctly
Message-ID: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com>

Hi guys,

This is a very strange one.

Here is the spamassassin report for an email which passed through MailScanner.

score=2.691, required 5, BAYES_50 0.80, DCC_CHECK 1.10, RDNS_NONE 0.79, SPF_HELO_PASS -0.00, SPF_PASS -0.00

Here is the report for the same email, when I run spamassassin manually. MS runs as postfix and I get the below running either as root, or as postfix.

X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_40,DCC_CHECK,
 DIGEST_MULTIPLE,PYZOR_CHECK,RCVD_IN_BL_SPAMCOP_NET,RDNS_NONE,SPF_HELO_PASS,
 URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=no autolearn_force=no version=3.4.0
X-Spam-Report:
 *  2.5 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
 *      [URIs: moms-flowersbouquet-nice.me]
 *  1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 *      [Blocked - see ]
 *  1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 *      [URIs: moms-flowersbouquet-nice.me]
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 * -0.0 BAYES_40 BODY: Bayes spam probability is 20 to 40%
 *      [score: 0.2809]
 *  1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
 *  1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
 *  0.3 DIGEST_MULTIPLE Message hits more than one network digest check
 *  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS

As you can see, MS has skipped all the blacklist rules and (for some reason) pyzor.

I'm getting a knock on effect with this, where spam is being autolearned as ham, so my bayes is now totalled as well and I'll have to clear and recreate from scratch.

I've considered timeouts, but I'm running a caching DNS on the LAN and there's certainly when I run manually, the response is instant.
I'm at a bit of a loss here how to proceed and would appreciate any ideas anyone has.

Linux fedecks.level5.net 2.6.32-431.11.2.el6.x86_64 #1 SMP Tue Mar 25 19:59:55 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS release 6.5 (Final)
This is Perl version 5.010001 (5.10.1)
This is MailScanner version 4.84.6
SpamAssassin version 3.4.0

Thanks

Stef

From maillists at conactive.com Fri May 2 10:15:58 2014
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri, 02 May 2014 11:15:58 +0200
Subject: Spamassassin rules not firing correctly
In-Reply-To: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com>
Message-ID:

This is a common misunderstanding. SA via MS may not use the same config files as SA run manually.

SA uses /etc/mail/spamassassin
MS uses /etc/mail/spamassassin/mailscanner.conf symlinked to /etc/MailScanner/spam.assassin.prefs.conf

You may have removed the mailscanner.conf link and changed the path in MailScanner.conf to use /etc/MailScanner/spam.assassin.prefs.conf directly. Or something similar I don't imagine. You may also have some extra user-specific config just for the user root.

You can run --lint -v for both (I think) to get an idea of which config files are getting used, this should tell you how to correct it.

My general recommendation (if you know SA well enough to configure it yourself) is:
- use only the files in /etc/mail/spamassassin for SA config
- remove the symlink and touch /etc/mail/mailscanner.conf, so that it becomes a zero-sized file
- put the config you want to have in the traditional file /etc/mail/spamassassin/local.cf (e.g. merge what's there with what you want from spam.assassin.prefs.conf) (or use more than one file, as you like, just make sure you don't have conflicting settings, merge reasonably)

By doing so, you always get the same configuration, no matter which way you run SA. And the MS rpm will not attempt to set the symlink.
Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From stef at aoc-uk.com Fri May 2 11:13:33 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 2 May 2014 10:13:33 +0000
Subject: Spamassassin rules not firing correctly
In-Reply-To: <25098640-cc71-4f41-9a3e-3730c41cc4b1@VONLIPWIG.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com>
 <25098640-cc71-4f41-9a3e-3730c41cc4b1@VONLIPWIG.aoc-uk.com>
Message-ID: <92665C7597419742B19470DFA3D5BEA209164BAB@vonLipwig.aoc-uk.com>

Hello Kai,

On 02 May 2014 10:16 Kai Schaetzl wrote:
> This is a common misunderstanding. SA via MS may not use the same config

Yes, I take on board the technical suggestions. I've basically been through all those checks. :)

I am now starting to believe there is actually nothing wrong and that given I'm seeing apparent fails on blacklist rules is because the domains aren't blacklisted at the time the spam is generated.

moms-flowersbouquet-nice.me - registered end of 30/04/2014, spam arrived early 01/05/2014
russianbrides-dating-great.me - registered 11 hours ago, spam arrived 3 hours ago.

So the problem is likely not MS, it's how to detect and deal with spam from brand new domains/ip.

From maxsec at gmail.com Fri May 2 15:50:43 2014
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 2 May 2014 15:50:43 +0100
Subject: Spamassassin rules not firing correctly
In-Reply-To: <92665C7597419742B19470DFA3D5BEA209164BAB@vonLipwig.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com>
 <25098640-cc71-4f41-9a3e-3730c41cc4b1@VONLIPWIG.aoc-uk.com>
 <92665C7597419742B19470DFA3D5BEA209164BAB@vonLipwig.aoc-uk.com>
Message-ID:

Stef
also turn off autolearning - found this not great for a population of more than a handful of users.

--
Martin Hepworth, CISSP
Oxford, UK

On 2 May 2014 11:13, Stef Morrell wrote:

> Hello Kai,
>
> On 02 May 2014 10:16 Kai Schaetzl wrote:
> > This is a common misunderstanding.
SA via MS may not use the same config
>
> Yes, I take on board the technical suggestions. I've basically been
> through all those checks. :)
>
> I am now starting to believe there is actually nothing wrong and that
> given I'm seeing apparent fails on blacklist rules is because the domains
> aren't blacklisted at the time the spam is generated.
>
> moms-flowersbouquet-nice.me - registered end of 30/04/2014, spam arrived
> early 01/05/2014
> russianbrides-dating-great.me - registered 11 hours ago, spam arrived 3
> hours ago.
>
> So the problem is likely not MS, it's how to detect and deal with spam
> from brand new domains/ip.
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From pparsons at techeez.com Fri May 2 15:57:06 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Fri, 2 May 2014 14:57:06 +0000
Subject: Spam from .us domains
Message-ID:

Is anyone else getting hammered by spam saying it is from .us domains ? If have you figured a way to stop it yet ?
Thank you
P Parsons

From stef at aoc-uk.com Fri May 2 16:07:54 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 2 May 2014 15:07:54 +0000
Subject: Spamassassin rules not firing correctly
In-Reply-To: <5f9a2acd-71a2-49e2-bb43-0a38839d6e41@VONLIPWIG.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com>
 <25098640-cc71-4f41-9a3e-3730c41cc4b1@VONLIPWIG.aoc-uk.com>
 <92665C7597419742B19470DFA3D5BEA209164BAB@vonLipwig.aoc-uk.com>
 <5f9a2acd-71a2-49e2-bb43-0a38839d6e41@VONLIPWIG.aoc-uk.com>
Message-ID: <92665C7597419742B19470DFA3D5BEA209165DA0@vonLipwig.aoc-uk.com>

Would you bother with bayes at all then? It would be impossible to hand sort my corpus.

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: 02 May 2014 15:51
To: MailScanner discussion
Subject: Re: Spamassassin rules not firing correctly

Stef
also turn off autolearning - found this not great for a population of more than a handful of users.

--
Martin Hepworth, CISSP
Oxford, UK

On 2 May 2014 11:13, Stef Morrell wrote:

Hello Kai,

On 02 May 2014 10:16 Kai Schaetzl wrote:
> This is a common misunderstanding. SA via MS may not use the same config

Yes, I take on board the technical suggestions. I've basically been through all those checks. :)

I am now starting to believe there is actually nothing wrong and that given I'm seeing apparent fails on blacklist rules is because the domains aren't blacklisted at the time the spam is generated.

moms-flowersbouquet-nice.me - registered end of 30/04/2014, spam arrived early 01/05/2014
russianbrides-dating-great.me - registered 11 hours ago, spam arrived 3 hours ago.

So the problem is likely not MS, it's how to detect and deal with spam from brand new domains/ip.

From terry.hulen at gmail.com Fri May 2 16:32:01 2014
From: terry.hulen at gmail.com (Terry Hulen Jr)
Date: Fri, 2 May 2014 11:32:01 -0400
Subject: Spam from .us domains
In-Reply-To:
References:
Message-ID:

We are not getting hammered at the moment.

What are your spam assassin results?
What are the sizes of the messages?
Do you have RBLs set?

On Fri, May 2, 2014 at 10:57 AM, Philip Parsons wrote:
> Is anyone else getting hammered by spam saying it is from .us domains ? If have you figured a way to stop it yet ?
>
> Thank you
> P Parsons

From jerry.benton at mailborder.com Fri May 2 17:03:30 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 2 May 2014 18:03:30 +0200
Subject: Spamassassin rules not firing correctly
In-Reply-To: <92665C7597419742B19470DFA3D5BEA209165DA0@vonLipwig.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com>
 <25098640-cc71-4f41-9a3e-3730c41cc4b1@VONLIPWIG.aoc-uk.com>
 <92665C7597419742B19470DFA3D5BEA209164BAB@vonLipwig.aoc-uk.com>
 <5f9a2acd-71a2-49e2-bb43-0a38839d6e41@VONLIPWIG.aoc-uk.com>
 <92665C7597419742B19470DFA3D5BEA209165DA0@vonLipwig.aoc-uk.com>
Message-ID:

Stef,

Can you post your MailScanner conf? (A sample of your blacklist rules specifically.)

Also, I see you have downloaded Mailborder before. If you still have the Mailborder box running, I'd suggest entering some sample rules in the GUI and see how the config files are built. Something as simple as using a space instead of a tab in a rule set can cause issues.

On Fri, May 2, 2014 at 5:07 PM, Stef Morrell wrote:

> Would you bother with bayes at all then? It would be impossible to hand
> sort my corpus.
>
> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Martin Hepworth
> *Sent:* 02 May 2014 15:51
> *To:* MailScanner discussion
> *Subject:* Re: Spamassassin rules not firing correctly
>
> Stef
> also turn off autolearning - found this not great for a population of more
> than a handful of users.
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
> On 2 May 2014 11:13, Stef Morrell wrote:
>
> Hello Kai,
>
> On 02 May 2014 10:16 Kai Schaetzl wrote:
> > This is a common misunderstanding. SA via MS may not use the same config
>
> Yes, I take on board the technical suggestions. I've basically been
> through all those checks.
:)
>
> I am now starting to believe there is actually nothing wrong and that
> given I'm seeing apparent fails on blacklist rules is because the domains
> aren't blacklisted at the time the spam is generated.
>
> moms-flowersbouquet-nice.me - registered end of 30/04/2014, spam arrived
> early 01/05/2014
> russianbrides-dating-great.me - registered 11 hours ago, spam arrived 3
> hours ago.
>
> So the problem is likely not MS, it's how to detect and deal with spam
> from brand new domains/ip.
>

--
Jerry Benton
Mailborder Systems
www.mailborder.com

From jerry.benton at mailborder.com Fri May 2 17:15:26 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 2 May 2014 18:15:26 +0200
Subject: Spam from .us domains
In-Reply-To:
References:
Message-ID:

Got a sample header?

On Fri, May 2, 2014 at 4:57 PM, Philip Parsons wrote:

> Is anyone else getting hammered by spam saying it is from .us domains ?
> If have you figured a way to stop it yet ?
>
> Thank you
> P Parsons
>

--
Jerry Benton
Mailborder Systems
www.mailborder.com

From stef at aoc-uk.com Fri May 2 17:18:35 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 2 May 2014 16:18:35 +0000
Subject: Spamassassin rules not firing correctly
In-Reply-To: <24e3997d-47fa-4526-95b8-a7a1ba818a34@VONLIPWIG.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com>
 <25098640-cc71-4f41-9a3e-3730c41cc4b1@VONLIPWIG.aoc-uk.com>
 <92665C7597419742B19470DFA3D5BEA209164BAB@vonLipwig.aoc-uk.com>
 <5f9a2acd-71a2-49e2-bb43-0a38839d6e41@VONLIPWIG.aoc-uk.com>
 <92665C7597419742B19470DFA3D5BEA209165DA0@vonLipwig.aoc-uk.com>
 <24e3997d-47fa-4526-95b8-a7a1ba818a34@VONLIPWIG.aoc-uk.com>
Message-ID: <92665C7597419742B19470DFA3D5BEA209165E32@vonLipwig.aoc-uk.com>

Really after consideration, I do think my problem is zero day spam and nothing else.

The blacklist rules in question are standard SA 3.4.0 rules, nothing special or clever of my own crafting. The problem is that the brand new domains (lots of .me domains) simply hadn't made it to blacklists in time to match and fire rules.

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 02 May 2014 17:04
To: MailScanner discussion
Subject: Re: Spamassassin rules not firing correctly

Stef,

Can you post your MailScanner conf? (A sample of your blacklist rules specifically.)

Also, I see you have downloaded Mailborder before.
If you still have the Mailborder box running, I'd suggest entering some sample rules in the GUI and see how the config files are built. Something as simple as using a space instead of a tab in a rule set can cause issues.

From pparsons at techeez.com Fri May 2 17:38:08 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Fri, 2 May 2014 16:38:08 +0000
Subject: Spam from .us domains
In-Reply-To:
References:
Message-ID: <11D8E491D9562549A61FD3186F36342001D55396B4@exchange.techeez.com>

There is only one rule that is triggered: KAM_INFOUSMEBIZ

Yes I have RBLs set and they are not on any lists and the size of the message - it is small just txt.. example below..

From: Checking Account [mailto:CheckingAccount at try-somewonderfuldealz.us]
Sent: Friday, May 02, 2014 4:12 AM
Subject: Been-denied for a checking account? We will approve-you

Second Chance Checking Account
----------------------------------
Have you been denied for a bank account because of credit issues?
Everyone needs a checking account...We accepts all applicants!

Go here to find out more:
http://host.try-somewonderfuldealz.us

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Terry Hulen Jr
Sent: May-02-14 8:32 AM
To: MailScanner discussion
Subject: Re: Spam from .us domains

We are not getting hammered at the moment.

What are your spam assassin results?
What are the sizes of the messages?
Do you have RBLs set?

On Fri, May 2, 2014 at 10:57 AM, Philip Parsons wrote:
> Is anyone else getting hammered by spam saying it is from .us domains ? If have you figured a way to stop it yet ?
>
> Thank you
> P Parsons

From pas at unh.edu Fri May 2 17:42:30 2014
From: pas at unh.edu (Paul A Sand)
Date: Fri, 2 May 2014 12:42:30 -0400
Subject: Spam from .us domains
In-Reply-To:
References:
Message-ID: <20140502164230.GA14875@cisunix.unh.edu>

> > Is anyone else getting hammered by spam saying it is from .us domains ?
> > If have you figured a way to stop it yet ?

I've noticed an uptick, but the IPs seem to get listed by SpamHaus pretty quickly, so the damage here is minor. There's (of course) a lot of valid mail ending in .us.

For those of us who are easily amused, a random sample of domains:

    buildyournew-shednow.us
    getmoney-whenyouneedto.us
    trythisnew-kindoftubnow.us
    younewrate-drop-info.us
    yourecentpolicy-notice.us
    yourmustsee-autodealz.us
    yournewvision-healthinfo.us

We're also seeing the same sort of thing from the .me TLD (Montenegro), but the naming algorithm differs. Some hostnames:

    algal.futureexplain.me
    allseed.wrongwisdom.me
    fumingly.wetpicture.me
    interwarring.warmrake.me
    otoneurasthenia.cleandustpan.me
    polyploidy.amongstalk.me
    resought.bentwasher.me
    toyless.hangingexperience.me

A toyless hanging experience? Does not sound like fun.

--
-- Paul A Sand
-- Information Technology / University of New Hampshire
-- http://pubpages.unh.edu/~pas
-- Get medical attention if symptoms persist.

From stef at aoc-uk.com Fri May 2 17:52:15 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 2 May 2014 16:52:15 +0000
Subject: Spam from .us domains
In-Reply-To:
References:
Message-ID: <92665C7597419742B19470DFA3D5BEA209165EAB@vonLipwig.aoc-uk.com>

On 02 May 2014 17:43 Paul A Sand wrote:
> We're also seeing the same sort of thing from the .me TLD (Montenegro),

That's exactly what I've been seeing. I'm seriously considering a custom rule to add 2-3 points to all .me domains, draconic as it sounds, I don't think that will seriously impact my users with FPs.

From stef at aoc-uk.com Fri May 2 17:53:00 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 2 May 2014 16:53:00 +0000
Subject: scan.messages.rules exceptions
Message-ID: <92665C7597419742B19470DFA3D5BEA209165EB5@vonLipwig.aoc-uk.com>

I have a ruleset for what should and should not be scanned.

    Scan Messages = %rules-dir%/scan.messages.rules

So far, so good.

If the ruleset simply reads:

    # Default no, do not scan.
    FromOrTo: default no

Then when I mail myself from an alternate address, it's not scanned - expected behaviour.

Again, when the file reads:

    # Scan my email
    To: *@aoc-uk.com yes
    # Default no, do not scan.
    FromOrTo: default no

Then my email is scanned, again expected behaviour.

When I try to create an exception with the following:

    # Don't scan Stef's email
    To: stef at aoc-uk.com no
    # Scan my email
    To: *@aoc-uk.com yes
    # Default no, do not scan.
    FromOrTo: default no

Then, unexpectedly my email is still scanned.

I thought rulesets were parsed top to bottom and stopped at first match, but that's not the behaviour I'm seeing. What I need to be able to do is make exceptions (ideally using From: And To: syntax) for individual email addresses.

I'm doubly confused as I have a server running MailScanner-4.84.5-3 which I'm sure works like that (or has been broken for months without anybody noticing), but the new one I'm setting up with 4.84.6 is behaving as above.

From pparsons at techeez.com Fri May 2 18:14:57 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Fri, 2 May 2014 17:14:57 +0000
Subject: Spam from .us domains
In-Reply-To:
References:
Message-ID: <11D8E491D9562549A61FD3186F36342001D553994F@exchange.techeez.com>

Return-Path:
Received: from try-somewonderfuldealz.us ([31.192.241.106])
        by mx1.danada.ca (8.14.4/8.14.4) with ESMTP id s42BGSn5023606
        for ; Fri, 2 May 2014 04:17:37 -0700
Date: Fri, 02 May 2014 04:11:38 -0700
Content-Type: text/plain
Message-ID: <18291106.13013233 at try-somewonderfuldealz.us>
From: "Checking Account"
Subject: Been-denied for a checking account? We will approve-you
Mime-Version: 1.0

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: May-02-14 9:15 AM
To: MailScanner discussion
Subject: Re: Spam from .us domains

Got a sample header?

On Fri, May 2, 2014 at 4:57 PM, Philip Parsons wrote:
Is anyone else getting hammered by spam saying it is from .us domains ? If have you figured a way to stop it yet ?

Thank you
P Parsons

--
Jerry Benton
Mailborder Systems
www.mailborder.com

From terry.hulen at gmail.com Fri May 2 18:48:57 2014
From: terry.hulen at gmail.com (Terry Hulen Jr)
Date: Fri, 2 May 2014 13:48:57 -0400
Subject: Spam from .us domains
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D553994F@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D553994F@exchange.techeez.com>
Message-ID:

What MTA are you using? I use RBLs with my MTA instead of Mailscanner. It stops the spammer from even sending any data.

Also, the MTA doesn't care the size of the message because in order to "see" the size, the spammer has to successfully connect first. If he is unable to connect due to being on an RBL, his message won't even be transmitted.

On Fri, May 2, 2014 at 1:14 PM, Philip Parsons wrote:
> Return-Path:
> Received: from try-somewonderfuldealz.us ([31.192.241.106])
>         by mx1.danada.ca (8.14.4/8.14.4) with ESMTP id s42BGSn5023606
>         for ; Fri, 2 May 2014 04:17:37 -0700
> Date: Fri, 02 May 2014 04:11:38 -0700
> Content-Type: text/plain
> Message-ID: <18291106.13013233 at try-somewonderfuldealz.us>
> From: "Checking Account"
> Subject: Been-denied for a checking account? We will approve-you
> Mime-Version: 1.0
>
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry
> Benton
> Sent: May-02-14 9:15 AM
> To: MailScanner discussion
> Subject: Re: Spam from .us domains
>
> Got a sample header?
>
> On Fri, May 2, 2014 at 4:57 PM, Philip Parsons wrote:
>
> Is anyone else getting hammered by spam saying it is from .us domains ? If
> have you figured a way to stop it yet ?
>
> Thank you
> P Parsons
>
> --
> Jerry Benton
> Mailborder Systems
> www.mailborder.com

From mark at msapiro.net Fri May 2 18:54:58 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 02 May 2014 10:54:58 -0700
Subject: scan.messages.rules exceptions
In-Reply-To: <92665C7597419742B19470DFA3D5BEA209165EB5@vonLipwig.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA209165EB5@vonLipwig.aoc-uk.com>
Message-ID: <5363DBF2.2070105@msapiro.net>

On 05/02/2014 09:53 AM, Stef Morrell wrote:
>
> I thought rulesets were parsed top to bottom and stopped at first match, but that's not the behaviour I'm seeing. What I need to be able to do is make exceptions (ideally using From: And To: syntax) for individual email addresses.

Some are and some aren't. What you are describing is a "first match" ruleset.

Scan Messages is an "all match" ruleset.

For an all match rule set it's somewhat tricky, but basically, any "Yes" rule other than default takes priority over the "No" rules.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From stef at aoc-uk.com Fri May 2 21:15:26 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 2 May 2014 20:15:26 +0000
Subject: scan.messages.rules exceptions
In-Reply-To: <30aeda82-62a1-4164-a058-dd5199ea88d5@VONLIPWIG.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA209165EB5@vonLipwig.aoc-uk.com>
 <30aeda82-62a1-4164-a058-dd5199ea88d5@VONLIPWIG.aoc-uk.com>
Message-ID: <92665C7597419742B19470DFA3D5BEA209165F2F@vonLipwig.aoc-uk.com>

On 02 May 2014 18:55 Mark Sapiro wrote:
> Scan Messages is an "all match" ruleset

Ah.

> For an all match rule set it's somewhat tricky, but
> basically, any "Yes"
> rule other than default takes priority over the "No" rules.

Thanks for setting me straight.

I need to have a think about this then.

Does anyone have any ideas how I can persuade MS to make exceptions such as I described in my previous?

From stef at aoc-uk.com Fri May 2 21:19:50 2014
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri, 2 May 2014 20:19:50 +0000
Subject: Spam from .us domains
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342001D553994F@exchange.techeez.com>
Message-ID: <92665C7597419742B19470DFA3D5BEA209165F3A@vonLipwig.aoc-uk.com>

On 02 May 2014 18:49 Terry Hulen Jr wrote:
> What MTA are you using? I use RBLs with my MTA instead of
> Mailscanner. It stops the spammer from even sending any
> data.

If it's the same stuff I am seeing, then the spam is getting sent out from fresh ips and newly (same day) registered domains. It's getting delivered prior to the RBLs becoming aware of the new sources.

For example, today I got spam from russianbrides-dating-great.me only 6-7 hours after the domain was registered. I won't get any tomorrow, because now it's in the RBLs and will be blocked.
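
The first-match versus all-match distinction from the scan.messages.rules exchange above, as an added example that is not part of any post in this thread and is not MailScanner's own code. It is a simplified Python model of the rule of thumb quoted there (any matching "Yes" rule other than default beats the "No" rules); the example.com addresses, both rulesets and all function names are constructed for illustration.

```python
"""Simplified model of first-match vs all-match ruleset evaluation.

Added illustration only: this is not MailScanner's parser. The all-match
branch implements the rule of thumb quoted in the thread: any matching
"yes" rule other than the default beats the "no" rules.
"""
from fnmatch import fnmatchcase

# Constructed ruleset mirroring the one posted in the thread; example.com
# stands in for the poster's domain.
RULESET_WITH_EXCEPTION = """\
# Don't scan Stef's email
To:        stef@example.com    no
# Scan my email
To:        *@example.com       yes
# Default no, do not scan.
FromOrTo:  default             no
"""

# Constructed variant that contains no non-default "yes" rule at all.
RULESET_DEFAULT_YES = """\
To:        stef@example.com    no
FromOrTo:  default             yes
"""

DIRECTIONS = ("from", "to", "fromorto")


def parse_ruleset(text):
    """Return (rules, default); rules are (direction, pattern, value) tuples."""
    rules, default = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"expected 'Direction: pattern value': {raw!r}")
        direction = fields[0].rstrip(":").lower()
        pattern, value = fields[1].lower(), fields[2].lower()
        if direction not in DIRECTIONS or value not in ("yes", "no"):
            raise ValueError(f"unsupported rule in this model: {raw!r}")
        if pattern == "default":
            default = value
        else:
            rules.append((direction, pattern, value))
    return rules, default


def _matching_values(rules, sender, recipients):
    """Yield the value of every rule that matches an envelope address."""
    addresses = {
        "from": [sender],
        "to": list(recipients),
        "fromorto": [sender, *recipients],
    }
    for direction, pattern, value in rules:
        if any(fnmatchcase(a.lower(), pattern) for a in addresses[direction]):
            yield value


def first_match(ruleset, sender, recipients):
    """Top-to-bottom evaluation that stops at the first matching rule."""
    rules, default = parse_ruleset(ruleset)
    return next(_matching_values(rules, sender, recipients), default)


def all_match(ruleset, sender, recipients):
    """Evaluate every rule; a matching non-default 'yes' overrides any 'no'."""
    rules, default = parse_ruleset(ruleset)
    hits = list(_matching_values(rules, sender, recipients))
    if "yes" in hits:
        return "yes"
    if "no" in hits:
        return "no"
    return default


if __name__ == "__main__":
    sender = "alt@elsewhere.test"  # constructed envelope sender
    for rcpt in ("stef@example.com", "bob@example.com", "x@elsewhere.test"):
        print(f"{rcpt:20} first-match={first_match(RULESET_WITH_EXCEPTION, sender, [rcpt])}"
              f"  all-match={all_match(RULESET_WITH_EXCEPTION, sender, [rcpt])}")
```

Under this model the per-address "no" only takes effect when no non-default "yes" rule also matches that address, which is why the wildcard "yes" line hides the exception.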

From pparsons at techeez.com Fri May 2 22:47:37 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Fri, 2 May 2014 21:47:37 +0000
Subject: Spam from .us domains
In-Reply-To: <92665C7597419742B19470DFA3D5BEA209165F3A@vonLipwig.aoc-uk.com>
References: <11D8E491D9562549A61FD3186F36342001D553994F@exchange.techeez.com>
 <92665C7597419742B19470DFA3D5BEA209165F3A@vonLipwig.aoc-uk.com>
Message-ID: <11D8E491D9562549A61FD3186F36342001D553A3C9@exchange.techeez.com>

Yeah that's the one's not certain if someone has written a SA rule or something to catch without having to rely on the RBLS as hundreds get through before the RBLS catchup...

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Stef Morrell
Sent: May-02-14 1:20 PM
To: 'MailScanner discussion'
Subject: RE: Spam from .us domains

On 02 May 2014 18:49 Terry Hulen Jr wrote:
> What MTA are you using? I use RBLs with my MTA instead of
> Mailscanner. It stops the spammer from even sending any
> data.

If it's the same stuff I am seeing, then the spam is getting sent out from fresh ips and newly (same day) registered domains. It's getting delivered prior to the RBLs becoming aware of the new sources.

For example, today I got spam from russianbrides-dating-great.me only 6-7 hours after the domain was registered. I won't get any tomorrow, because now it's in the RBLs and will be blocked.

From terry.hulen at gmail.com Fri May 2 23:38:11 2014
From: terry.hulen at gmail.com (Terry Hulen Jr)
Date: Fri, 2 May 2014 18:38:11 -0400
Subject: Spam from .us domains
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D553A3C9@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D553994F@exchange.techeez.com>
 <92665C7597419742B19470DFA3D5BEA209165F3A@vonLipwig.aoc-uk.com>
 <11D8E491D9562549A61FD3186F36342001D553A3C9@exchange.techeez.com>
Message-ID:

I only mention because the RBLs are my best line of defense and I have not seen any increase of spam from .us domains.

On Fri, May 2, 2014 at 5:47 PM, Philip Parsons wrote:
> Yeah that's the one's not certain if someone has written a SA rule or something to catch without having to rely on the RBLS as hundreds get through before the RBLS catchup...
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Stef Morrell
> Sent: May-02-14 1:20 PM
> To: 'MailScanner discussion'
> Subject: RE: Spam from .us domains
>
> On 02 May 2014 18:49 Terry Hulen Jr wrote:
>> What MTA are you using? I use RBLs with my MTA instead of
>> Mailscanner. It stops the spammer from even sending any
>> data.
>
> If it's the same stuff I am seeing, then the spam is getting sent out from fresh ips and newly (same day) registered domains. It's getting delivered prior to the RBLs becoming aware of the new sources.
>
> For example, today I got spam from russianbrides-dating-great.me only 6-7 hours after the domain was registered. I won't get any tomorrow, because now it's in the RBLs and will be blocked.
> > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From maxsec at gmail.com Sat May 3 12:11:22 2014 From: maxsec at gmail.com (Martin Hepworth) Date: Sat, 3 May 2014 12:11:22 +0100 Subject: scan.messages.rules exceptions In-Reply-To: <92665C7597419742B19470DFA3D5BEA209165F2F@vonLipwig.aoc-uk.com> References: <92665C7597419742B19470DFA3D5BEA209165EB5@vonLipwig.aoc-uk.com> <30aeda82-62a1-4164-a058-dd5199ea88d5@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209165F2F@vonLipwig.aoc-uk.com> Message-ID: Is the mail just to you and not anyone else where the ruleset is failing The rules trigger against envelope to header so if you have multiple recipients it will check against the envelope-to recipient Martin On Friday, 2 May 2014, Stef Morrell wrote: > On 02 May 2014 18:55 Mark Sapiro wrote: > > Scan Messages is an "all match" ruleset > > Ah. > > > For an all match rule set it's somewhat tricky, but > > basically, any "Yes" > > rule other than default takes priority over the "No" rules. > > Thanks for setting me straight. > > I need to have a think about this then. > > Does anyone have any ideas how I can persuade MS to make exceptions such > as I described in my previous? > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140503/9ab75927/attachment.html

From maxsec at gmail.com Sat May 3 12:13:21 2014
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat, 3 May 2014 12:13:21 +0100
Subject: Spamassassin rules not firing correctly
In-Reply-To: <92665C7597419742B19470DFA3D5BEA209165DA0@vonLipwig.aoc-uk.com>
References: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com> <25098640-cc71-4f41-9a3e-3730c41cc4b1@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209164BAB@vonLipwig.aoc-uk.com> <5f9a2acd-71a2-49e2-bb43-0a38839d6e41@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209165DA0@vonLipwig.aoc-uk.com>
Message-ID:

You can hand feed corrections via trusted users, but I've found that autolearn just stuffs up the bayes db

Martin

On Friday, 2 May 2014, Stef Morrell wrote:

> Would you bother with bayes at all then? It would be impossible to hand
> sort my corpus.
>
> *From:* mailscanner-bounces at lists.mailscanner.info[mailto:
> mailscanner-bounces at lists.mailscanner.info]
> *On Behalf Of *Martin Hepworth
> *Sent:* 02 May 2014 15:51
> *To:* MailScanner discussion
> *Subject:* Re: Spamassassin rules not firing correctly
>
> Stef
> also turn off autolearning - found this not great for a population of more
> than a handful of users.
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
> On 2 May 2014 11:13, Stef Morrell wrote:
>
> Hello Kai,
>
> On 02 May 2014 10:16 Kai Schaetzl wrote:
> > This is a common misunderstanding. SA via MS may not use the same config
>
> Yes, I take on board the technical suggestions. I've basically been
> through all those checks. :)
>
> I am now starting to believe there is actually nothing wrong and that
> given I'm seeing apparent fails on blacklist rules is because the domains
> aren't blacklisted at the time the spam is generated.
> > moms-flowersbouquet-nice.me - registered end of 30/04/2014, spam arrived > early 01/05/2014 > russianbrides-dating-great.me - registered 11 hours ago, spam arrived 3 > hours ago. > > So the problem is likely not MS, it's how to detect and deal with spam > from brand new domains/ip. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > This email has been scanned by the Alpha Omega Computers Ltd MailCrusader > for > viruses, spam and dangerous content. > For more information please visit *Alpha Omega Computers Ltd*. > > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140503/a67e6421/attachment.html From richard.siddall at elirion.net Sun May 4 00:37:44 2014 From: richard.siddall at elirion.net (Richard Siddall) Date: Sat, 03 May 2014 19:37:44 -0400 Subject: Spam from .us domains In-Reply-To: <11D8E491D9562549A61FD3186F36342001D553A3C9@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342001D553994F@exchange.techeez.com> <92665C7597419742B19470DFA3D5BEA209165F3A@vonLipwig.aoc-uk.com> <11D8E491D9562549A61FD3186F36342001D553A3C9@exchange.techeez.com> Message-ID: <53657DC8.50308@elirion.net> Look at greylisting. It may let you defer accepting email from new domains or new IPs until the domains show up in the RBLs. Philip Parsons wrote: > Yeah that's the one's not certain if someone has written a SA rule or something to catch without having to rely on the RBLS as hundreds get through before the RBLS catchup... 
> > -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Stef Morrell > Sent: May-02-14 1:20 PM > To: 'MailScanner discussion' > Subject: RE: Spam from .us domains > > On 02 May 2014 18:49 Terry Hulen Jr wrote: >> What MTA are you using? I use RBLs with my MTA instead of >> Mailscanner. It stops the spammer from even sending any >> data. > > If it's the same stuff I am seeing, then the spam is getting sent out from fresh ips and newly (same day) registered domains. It's getting delivered prior to the RBLs becoming aware of the new sources. > > For example, today I got spam from russianbrides-dating-great.me only 6-7 hours after the domain was registered. I won't get any tomorrow, because now it's in the RBLs and will be blocked. > From terry.hulen at gmail.com Sun May 4 20:27:32 2014 From: terry.hulen at gmail.com (Terry Hulen Jr) Date: Sun, 4 May 2014 15:27:32 -0400 Subject: Spam from .us domains In-Reply-To: <53657DC8.50308@elirion.net> References: <11D8E491D9562549A61FD3186F36342001D553994F@exchange.techeez.com> <92665C7597419742B19470DFA3D5BEA209165F3A@vonLipwig.aoc-uk.com> <11D8E491D9562549A61FD3186F36342001D553A3C9@exchange.techeez.com> <53657DC8.50308@elirion.net> Message-ID: I forgot to mention, I am using greyfix with postfix as well. That, along with my postfix RBLs, I have not seen any increase in spam. On Sat, May 3, 2014 at 7:37 PM, Richard Siddall wrote: > Look at greylisting. It may let you defer accepting email from new > domains or new IPs until the domains show up in the RBLs. > > Philip Parsons wrote: >> Yeah that's the one's not certain if someone has written a SA rule or something to catch without having to rely on the RBLS as hundreds get through before the RBLS catchup... 
>> >> -----Original Message----- >> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Stef Morrell >> Sent: May-02-14 1:20 PM >> To: 'MailScanner discussion' >> Subject: RE: Spam from .us domains >> >> On 02 May 2014 18:49 Terry Hulen Jr wrote: >>> What MTA are you using? I use RBLs with my MTA instead of >>> Mailscanner. It stops the spammer from even sending any >>> data. >> >> If it's the same stuff I am seeing, then the spam is getting sent out from fresh ips and newly (same day) registered domains. It's getting delivered prior to the RBLs becoming aware of the new sources. >> >> For example, today I got spam from russianbrides-dating-great.me only 6-7 hours after the domain was registered. I won't get any tomorrow, because now it's in the RBLs and will be blocked. >> > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alvaro at hostalia.com Mon May 5 10:19:18 2014 From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=) Date: Mon, 05 May 2014 11:19:18 +0200 Subject: Postfix long queue IDs In-Reply-To: <5360D487.9040609@hostalia.com> References: <5360B6FC.6000403@hostalia.com> <5360D487.9040609@hostalia.com> Message-ID: <53675796.4020003@hostalia.com> Hi again, I see that the problem appears using Postfix's long IDs and hash_queue_depth > 1 (I use this feature with "2"). With hash_queue_depth=1 (Postfix's default) and changing the regexp of Postfix.pm, as is said in the thread of the URL I pasted before, runs fine. Regards, On 30/04/14 12:46, Alvaro Mar?n wrote: > Yes, I know that it can be disabled, but I would prefer to use it > (sometimes, Postfix IDs are repeated). > Perhaps someone has a patch to can use it, if not, I'll try to do it. > > Thanks. 
> Regards, > > On 30/04/14 12:05, Jerry Benton wrote: >> Are you running long queue ID's? If so, try disabling that in Postfix >> until we can get the source updated to handle the long format. >> >> http://www.postfix.org/postconf.5.html#enable_long_queue_ids >> >> >> On Wed, Apr 30, 2014 at 10:40 AM, Alvaro Mar?n > > wrote: >> >> Hi, >> >> I've found this thread: >> >> http://lists.mailscanner.info/pipermail/mailscanner/2013-March/100441.html >> >> about the long queue IDs in Postfix (>2.9). >> Is there any solution to this problem (MailScanner doesn't recognize the >> long Postfix queue IDs)? I've tried that solution but it doesn't work >> for me. >> >> Thanks! >> Regards, >> >> -- >> Alvaro Mar?n Illera >> Hostalia Internet >> www.hostalia.com >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> >> >> -- >> >> -- >> Jerry Benton >> Mailborder Systems >> www.mailborder.com >> >> > > -- Alvaro Mar?n Illera Hostalia Internet www.hostalia.com From mailscanner at joolee.nl Mon May 5 11:22:21 2014 From: mailscanner at joolee.nl (Joolee) Date: Mon, 5 May 2014 12:22:21 +0200 Subject: Postfix long queue IDs In-Reply-To: <53675796.4020003@hostalia.com> References: <5360B6FC.6000403@hostalia.com> <5360D487.9040609@hostalia.com> <53675796.4020003@hostalia.com> Message-ID: https://github.com/MailScanner/MailScanner/blob/master/mailscanner/bin/MailScanner/Postfix.pm After line 1500, you'll find a method where the folder depth for postfix is detected. This method seems flawed because it only supports a folder depth of 1 and otherwise returns 2. Around line 1630, there is separate code for when folder depth for postfix queues is 0, 1 or 2. This code should be rewritten to support any depth by using recursion. 
I'm afraid I don't have time for that now though. On 5 May 2014 11:19, Alvaro Mar?n wrote: > Hi again, > > I see that the problem appears using Postfix's long IDs and > hash_queue_depth > 1 (I use this feature with "2"). > With hash_queue_depth=1 (Postfix's default) and changing the regexp of > Postfix.pm, as is said in the thread of the URL I pasted before, runs fine. > > Regards, > > On 30/04/14 12:46, Alvaro Mar?n wrote: > > Yes, I know that it can be disabled, but I would prefer to use it > > (sometimes, Postfix IDs are repeated). > > Perhaps someone has a patch to can use it, if not, I'll try to do it. > > > > Thanks. > > Regards, > > > > On 30/04/14 12:05, Jerry Benton wrote: > >> Are you running long queue ID's? If so, try disabling that in Postfix > >> until we can get the source updated to handle the long format. > >> > >> http://www.postfix.org/postconf.5.html#enable_long_queue_ids > >> > >> > >> On Wed, Apr 30, 2014 at 10:40 AM, Alvaro Mar?n >> > wrote: > >> > >> Hi, > >> > >> I've found this thread: > >> > >> > http://lists.mailscanner.info/pipermail/mailscanner/2013-March/100441.html > >> > >> about the long queue IDs in Postfix (>2.9). > >> Is there any solution to this problem (MailScanner doesn't > recognize the > >> long Postfix queue IDs)? I've tried that solution but it doesn't > work > >> for me. > >> > >> Thanks! > >> Regards, > >> > >> -- > >> Alvaro Mar?n Illera > >> Hostalia Internet > >> www.hostalia.com > >> > >> -- > >> MailScanner mailing list > >> mailscanner at lists.mailscanner.info > >> > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! 
> >> > >> > >> > >> > >> -- > >> > >> -- > >> Jerry Benton > >> Mailborder Systems > >> www.mailborder.com > >> > >> > > > > > > > -- > Alvaro Mar?n Illera > Hostalia Internet > www.hostalia.com > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140505/03d92048/attachment.html From jerry.benton at mailborder.com Mon May 5 12:12:49 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 5 May 2014 13:12:49 +0200 Subject: Postfix long queue IDs In-Reply-To: References: <5360B6FC.6000403@hostalia.com> <5360D487.9040609@hostalia.com> <53675796.4020003@hostalia.com> Message-ID: If someone has the correction, please send it to me and I will update the repository: jerry.benton at mailborder.com After that I will email Jules about generating a new release package as we have other items that need to be included in a new build anyway. Jerry Benton www.mailborder.com On Mon, May 5, 2014 at 12:22 PM, Joolee wrote: > > https://github.com/MailScanner/MailScanner/blob/master/mailscanner/bin/MailScanner/Postfix.pm > After line 1500, you'll find a method where the folder depth for postfix > is detected. This method seems flawed because it only supports a folder > depth of 1 and otherwise returns 2. > Around line 1630, there is separate code for when folder depth for postfix > queues is 0, 1 or 2. This code should be rewritten to support any depth by > using recursion. I'm afraid I don't have time for that now though. > > > On 5 May 2014 11:19, Alvaro Mar?n wrote: > >> Hi again, >> >> I see that the problem appears using Postfix's long IDs and >> hash_queue_depth > 1 (I use this feature with "2"). 
>> With hash_queue_depth=1 (Postfix's default) and changing the regexp of >> Postfix.pm, as is said in the thread of the URL I pasted before, runs >> fine. >> >> Regards, >> >> On 30/04/14 12:46, Alvaro Mar?n wrote: >> > Yes, I know that it can be disabled, but I would prefer to use it >> > (sometimes, Postfix IDs are repeated). >> > Perhaps someone has a patch to can use it, if not, I'll try to do it. >> > >> > Thanks. >> > Regards, >> > >> > On 30/04/14 12:05, Jerry Benton wrote: >> >> Are you running long queue ID's? If so, try disabling that in Postfix >> >> until we can get the source updated to handle the long format. >> >> >> >> http://www.postfix.org/postconf.5.html#enable_long_queue_ids >> >> >> >> >> >> On Wed, Apr 30, 2014 at 10:40 AM, Alvaro Mar?n > >> > wrote: >> >> >> >> Hi, >> >> >> >> I've found this thread: >> >> >> >> >> http://lists.mailscanner.info/pipermail/mailscanner/2013-March/100441.html >> >> >> >> about the long queue IDs in Postfix (>2.9). >> >> Is there any solution to this problem (MailScanner doesn't >> recognize the >> >> long Postfix queue IDs)? I've tried that solution but it doesn't >> work >> >> for me. >> >> >> >> Thanks! >> >> Regards, >> >> >> >> -- >> >> Alvaro Mar?n Illera >> >> Hostalia Internet >> >> www.hostalia.com >> >> >> >> -- >> >> MailScanner mailing list >> >> mailscanner at lists.mailscanner.info >> >> >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> >> >> Support MailScanner development - buy the book off the website! 
>> >> >> >> >> >> >> >> >> >> -- >> >> >> >> -- >> >> Jerry Benton >> >> Mailborder Systems >> >> www.mailborder.com >> >> >> >> >> > >> > >> >> >> -- >> Alvaro Mar?n Illera >> Hostalia Internet >> www.hostalia.com >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140505/53f141e3/attachment.html From alvaro at hostalia.com Mon May 5 13:25:24 2014 From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=) Date: Mon, 05 May 2014 14:25:24 +0200 Subject: Postfix long queue IDs In-Reply-To: References: <5360B6FC.6000403@hostalia.com> <5360D487.9040609@hostalia.com> <53675796.4020003@hostalia.com> Message-ID: <53678334.3020508@hostalia.com> Apart of that, with long queue IDs, Postfix stores messages in a different way. - with enable_long_queue_ids=no and hash_queue_depth = 2 /var/spool/postfix/hold/B/B/BB48D1B9DE7 /var/spool/postfix/hold/2/E/2E4441B9825 (the folder hierarchy is done with first and second characters of the queueID/filename) - with enable_long_queue_ids=yes and hash_queue_depth = 2 /var/spool/postfix/hold/8/8/3gMjXk3z5kzJXNJ reading Postfix's Changelog: 20110321 Performance: with long queue file names, queue hashing now produces the same result as with short names. 
Postfix uses the hexadecimal representation of the file creation
time in microseconds, instead of the beginning of the file name
which changes once every year or so, a problem that was reported
by Victor Duchovni. The base 16 encoding gives finer control
over the number of directories than possible with base 52
encoding. Files: global/mail_queue.[hc]. This change requires
"postfix reload".

So the code from PFDiskStore.pm:

    if ($MailScanner::SMDiskStore::HashDirDepth == 2) {
      $this->{hdname} =~ /^(.)(.)(.*)$/;
      $this->{hdpath} = "$dir/$1/$2/" . $this->{hdname};
    } elsif ($MailScanner::SMDiskStore::HashDirDepth == 1) {
      $this->{hdname} =~ /^(.)(.*)$/;
      $this->{hdpath} = "$dir/$1/" . $this->{hdname};
    } elsif ($MailScanner::SMDiskStore::HashDirDepth == 0) {
      $this->{hdname} =~ /^(.*)$/;
      $this->{hdpath} = "$dir/" . $this->{hdname};
    }

is not useful for this case.

Regards,

On 05/05/14 12:22, Joolee wrote:
> https://github.com/MailScanner/MailScanner/blob/master/mailscanner/bin/MailScanner/Postfix.pm
> After line 1500, you'll find a method where the folder depth for postfix
> is detected. This method seems flawed because it only supports a folder
> depth of 1 and otherwise returns 2.
> Around line 1630, there is separate code for when folder depth for
> postfix queues is 0, 1 or 2. This code should be rewritten to support
> any depth by using recursion. I'm afraid I don't have time for that now
> though.
>
> On 5 May 2014 11:19, Alvaro Marín wrote:
>
> Hi again,
>
> I see that the problem appears using Postfix's long IDs and
> hash_queue_depth > 1 (I use this feature with "2").
> With hash_queue_depth=1 (Postfix's default) and changing the regexp of
> Postfix.pm, as is said in the thread of the URL I pasted before,
> runs fine.
>
> Regards,
>
> On 30/04/14 12:46, Alvaro Marín wrote:
> > Yes, I know that it can be disabled, but I would prefer to use it
> > (sometimes, Postfix IDs are repeated).
> > Perhaps someone has a patch to can use it, if not, I'll try to do it.
> > > > Thanks. > > Regards, > > > > On 30/04/14 12:05, Jerry Benton wrote: > >> Are you running long queue ID's? If so, try disabling that in Postfix > >> until we can get the source updated to handle the long format. > >> > >> http://www.postfix.org/postconf.5.html#enable_long_queue_ids > >> > >> > >> On Wed, Apr 30, 2014 at 10:40 AM, Alvaro Mar?n > > >> >> wrote: > >> > >> Hi, > >> > >> I've found this thread: > >> > >> > http://lists.mailscanner.info/pipermail/mailscanner/2013-March/100441.html > >> > >> about the long queue IDs in Postfix (>2.9). > >> Is there any solution to this problem (MailScanner doesn't > recognize the > >> long Postfix queue IDs)? I've tried that solution but it > doesn't work > >> for me. > >> > >> Thanks! > >> Regards, > >> > >> -- > >> Alvaro Mar?n Illera > >> Hostalia Internet > >> www.hostalia.com > > >> > >> -- > >> MailScanner mailing list > >> mailscanner at lists.mailscanner.info > > >> > > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > >> > >> > >> > >> -- > >> > >> -- > >> Jerry Benton > >> Mailborder Systems > >> www.mailborder.com > > >> > >> > > > > > > > -- > Alvaro Mar?n Illera > Hostalia Internet > www.hostalia.com > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
>
>

-- 
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From iulianld at gmail.com Tue May 6 08:38:39 2014
From: iulianld at gmail.com (Iulian L Dragomir)
Date: Tue, 6 May 2014 10:38:39 +0300
Subject: Spammy content on mailscanner wiki
Message-ID:

On the first glance it seems that some graffiti exist on the mailscanner wiki

Some examples:

http://wiki.mailscanner.info/doku.php?id=&idx=a-watch-cases-online
http://wiki.mailscanner.info/doku.php?id=a-watch-cases-online:choose-the-right-size-68280
http://wiki.mailscanner.info/doku.php?id=watch-cases-online:choose-the-right-size-03799
http://wiki.mailscanner.info/doku.php?id=a-las-vegas-hotels-for-the-whole-family-58359
http://wiki.mailscanner.info/doku.php?id=a-silk-neckties-for-men-an-age-old-secret-to-look-stylish-and-glamorous-00488
http://wiki.mailscanner.info/doku.php?id=silk-neckties-for-men-an-age-old-secret-to-look-stylish-and-glamorous-35263
http://wiki.mailscanner.info/doku.php?id=the-open-cognition-project-nhi-21692

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140506/b72f9f4c/attachment.html

From jerry.benton at mailborder.com Tue May 6 09:58:38 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 6 May 2014 10:58:38 +0200
Subject: Spammy content on mailscanner wiki
In-Reply-To:
References:
Message-ID:

Jules,

Create an account for me and I will clean it up.
Jerry Benton www.mailborder.com On Tue, May 6, 2014 at 9:38 AM, Iulian L Dragomir wrote: > On the first glance it seams that some graffiti exist on the mailscanner > wiki > > Some examples: > > http://wiki.mailscanner.info/doku.php?id=&idx=a-watch-cases-online > > http://wiki.mailscanner.info/doku.php?id=a-watch-cases-online:choose-the-right-size-68280 > > http://wiki.mailscanner.info/doku.php?id=watch-cases-online:choose-the-right-size-03799 > > http://wiki.mailscanner.info/doku.php?id=a-las-vegas-hotels-for-the-whole-family-58359 > > http://wiki.mailscanner.info/doku.php?id=a-silk-neckties-for-men-an-age-old-secret-to-look-stylish-and-glamorous-00488 > > http://wiki.mailscanner.info/doku.php?id=silk-neckties-for-men-an-age-old-secret-to-look-stylish-and-glamorous-35263 > > http://wiki.mailscanner.info/doku.php?id=the-open-cognition-project-nhi-21692 > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140506/7e29daef/attachment.html From mark at msapiro.net Tue May 6 16:41:19 2014 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 06 May 2014 08:41:19 -0700 Subject: Spammy content on mailscanner wiki In-Reply-To: References: Message-ID: <5369029F.1070104@msapiro.net> On 05/06/2014 01:58 AM, Jerry Benton wrote: > Jules, > > Create an account for me and I will clean it up. You can register yourself. That's what the spammers do. Anyway, I've removed the offending pages for now. > On Tue, May 6, 2014 at 9:38 AM, Iulian L Dragomir > wrote: > > On the first glance it seams that some graffiti exist on the > mailscanner wiki Thanks for reporting this. 
-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From peter at farrows.org Tue May 6 18:30:00 2014
From: peter at farrows.org (Peter Farrow)
Date: Tue, 06 May 2014 18:30:00 +0100
Subject: Spammy content on mailscanner wiki
In-Reply-To: <5369029F.1070104@msapiro.net>
References: <5369029F.1070104@msapiro.net>
Message-ID: <53691C18.6000503@farrows.org>

Is it just me or is it pretty ironic that the mailscanner wiki is not protected against spammers.

It's really not hard to protect it, and rather less complex than filtering emails for spam...

Just my 10p worth.

On 06/05/2014 16:41, Mark Sapiro wrote:
> On 05/06/2014 01:58 AM, Jerry Benton wrote:
>> Jules,
>>
>> Create an account for me and I will clean it up.
>
> You can register yourself. That's what the spammers do.
>
> Anyway, I've removed the offending pages for now.
>
>
>> On Tue, May 6, 2014 at 9:38 AM, Iulian L Dragomir wrote:
>>
>> On the first glance it seems that some graffiti exist on the
>> mailscanner wiki
>
> Thanks for reporting this.
>

From alex at vidadigital.com.pa Tue May 6 19:33:11 2014
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue, 6 May 2014 13:33:11 -0500
Subject: Spammy content on mailscanner wiki
In-Reply-To: <53691C18.6000503@farrows.org>
References: <5369029F.1070104@msapiro.net> <53691C18.6000503@farrows.org>
Message-ID:

Is CAPTCHA protection available?

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

On Tue, May 6, 2014 at 12:30 PM, Peter Farrow wrote:

> Is it just me or is it pretty ironic that the mailscanner wiki is not
> protected against spammers.
>
> It's really not hard to protect it, and rather less complex than
> filtering emails for spam...
>
> Just my 10p worth.
> > > > > On 06/05/2014 16:41, Mark Sapiro wrote: > > On 05/06/2014 01:58 AM, Jerry Benton wrote: > >> Jules, > >> > >> Create an account for me and I will clean it up. > > > > You can register yourself. That's what the spammers do. > > > > Anyway, I've removed the offending pages for now. > > > > > >> On Tue, May 6, 2014 at 9:38 AM, Iulian L Dragomir >> > wrote: > >> > >> On the first glance it seams that some graffiti exist on the > >> mailscanner wiki > > > > Thanks for reporting this. > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140506/c33da48e/attachment.html From TGFurnish at herffjones.com Tue May 6 20:27:33 2014 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Tue, 6 May 2014 19:27:33 +0000 Subject: Rewrite 'from' header to enable forwarding to overcome dmarc restrictions? Message-ID: My company has a subset of users for whom we are still doing "dumb forwards", and this practice is now resulting in undeliverable mail thanks to the recent change of dmarc policy published by AOL and Yahoo. I thought I could work around this by passing the mail for these users through a mailscanner system (just as it was on the verge of finally being decommissioned) and turning all mail into attachments. It looked promising, but it fails, because MailScanner still is using the original From and To message headers on the new message it creates even for attachments. Is there any way anyone can suggest to get around this? At this point I'm even pondering just modifying the mailscanner code directly or trying to hook in an 'always called last' function to modify the message. 
What's happening now: MailScanner creates a new message and attaches the original. In both the new message and the attached original, there is a "From:" header saying e.g. "From: bob at aol.com". What I wanted to happen: Mailscanner would create a new message and attach the original. In the NEW message the From header would have value "postmaster at mydomain.com" or some such. Any suggestions? -- Trever Furnish, tgfurnish at herffjones.com Solutions Architect Herff Jones Server Solutions Group (SSG) Phone: 317.612.3519 Cell: 317.366.9258 From jerry.benton at mailborder.com Tue May 6 21:09:10 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Tue, 6 May 2014 22:09:10 +0200 Subject: Rewrite 'from' header to enable forwarding to overcome dmarc restrictions? In-Reply-To: References: Message-ID: I would suggest using your MTA to do this. Much easier. On Tue, May 6, 2014 at 9:27 PM, Furnish, Trever G wrote: > My company has a subset of users for whom we are still doing "dumb > forwards", and this practice is now resulting in undeliverable mail thanks > to the recent change of dmarc policy published by AOL and Yahoo. I thought > I could work around this by passing the mail for these users through a > mailscanner system (just as it was on the verge of finally being > decommissioned) and turning all mail into attachments. It looked > promising, but it fails, because MailScanner still is using the original > From and To message headers on the new message it creates even for > attachments. > > Is there any way anyone can suggest to get around this? At this point I'm > even pondering just modifying the mailscanner code directly or trying to > hook in an 'always called last' function to modify the message. > > What's happening now: > MailScanner creates a new message and attaches the original. In > both the new message and the attached original, there is a "From:" header > saying e.g. "From: bob at aol.com". 
> > What I wanted to happen: > Mailscanner would create a new message and attach the original. > In the NEW message the From header would have value " > postmaster at mydomain.com" or some such. > > Any suggestions? > > -- > Trever Furnish, tgfurnish at herffjones.com > Solutions Architect > Herff Jones Server Solutions Group (SSG) > Phone: 317.612.3519 Cell: 317.366.9258 > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140506/1a58848c/attachment.html From mark at msapiro.net Tue May 6 21:10:55 2014 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 06 May 2014 13:10:55 -0700 Subject: Rewrite 'from' header to enable forwarding to overcome dmarc restrictions? In-Reply-To: References: Message-ID: <536941CF.10800@msapiro.net> On 05/06/2014 12:27 PM, Furnish, Trever G wrote: > My company has a subset of users for whom we are still doing "dumb forwards", and this practice is now resulting in undeliverable mail thanks to the recent change of dmarc policy published by AOL and Yahoo. I thought I could work around this by passing the mail for these users through a mailscanner system (just as it was on the verge of finally being decommissioned) and turning all mail into attachments. It looked promising, but it fails, because MailScanner still is using the original From and To message headers on the new message it creates even for attachments. The real question here is why is your "dumb forward" breaking the original DKIM signature from Yahoo or AOL? I am a Mailman developer, and we've been dealing with the fallout from this for weeks now. 
But the bottom line is that while I have had to invoke several mitigations in my production lists to operate in spite of DMARC p=reject policies, my forwarders (Postfix aliases) continue to work with no changes, even for mail from Yahoo.com forwarded to addresses in domains known to honor Yahoo's DMARC p=reject, even with the addition of X-...-MailScanner* headers: My suggestion would be to work on whatever in the forwarding process is breaking the original DKIM sig. Certain things like MailScanner "disarming" will do it for sure, but for a message for which MailScanner doesn't modify the body or Subject:, you should be OK. > Any suggestions? We have two basic ways of dealing with this in Mailman. Neither is ideal. Method 1 we call Munge From. We take a message e.g., To: mailscanner at lists.mailscanner.info From: Joe Blow and make it From: Joe Blow via MailScanner discussion and add Reply-To: Joe Blow For Method 2 which we call Wrap Message, we basically create a new message with From: and Reply-To: as in Munge From and attach the original message to it. I'm not sure how easy it would be to make MailScanner do this. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From TGFurnish at herffjones.com Wed May 7 04:01:30 2014 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Wed, 7 May 2014 03:01:30 +0000 Subject: Rewrite 'from' header to enable forwarding to overcome dmarc restrictions? In-Reply-To: References: Message-ID: Jerry, can you elaborate? The mailscanner is only in the picture as a tool because we couldn't get the "normal" MTA to do the job -- the "normal" MTA is Exchange. For the mailscanner itself, the MTA is sendmail. The envelope sender was easily handled - however that's not enough, because the receivers are actually looking not just at the envelope but also at several of the message headers.
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: Tuesday, May 06, 2014 4:09 PM To: MailScanner discussion Subject: Re: Rewrite 'from' header to enable forwarding to overcome dmarc restrictions? I would suggest using your MTA to do this. Much easier. On Tue, May 6, 2014 at 9:27 PM, Furnish, Trever G > wrote: My company has a subset of users for whom we are still doing "dumb forwards", and this practice is now resulting in undeliverable mail thanks to the recent change of dmarc policy published by AOL and Yahoo. I thought I could work around this by passing the mail for these users through a mailscanner system (just as it was on the verge of finally being decommissioned) and turning all mail into attachments. It looked promising, but it fails, because MailScanner still is using the original From and To message headers on the new message it creates even for attachments. Is there any way anyone can suggest to get around this? At this point I'm even pondering just modifying the mailscanner code directly or trying to hook in an 'always called last' function to modify the message. What's happening now: MailScanner creates a new message and attaches the original. In both the new message and the attached original, there is a "From:" header saying e.g. "From: bob at aol.com". What I wanted to happen: Mailscanner would create a new message and attach the original. In the NEW message the From header would have value "postmaster at mydomain.com" or some such. Any suggestions? -- Trever Furnish, tgfurnish at herffjones.com Solutions Architect Herff Jones Server Solutions Group (SSG) Phone: 317.612.3519 Cell: 317.366.9258 -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
-- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140507/d539204b/attachment.html From TGFurnish at herffjones.com Wed May 7 04:03:43 2014 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Wed, 7 May 2014 03:03:43 +0000 Subject: Rewrite 'from' header to enable forwarding to overcome dmarc restrictions? In-Reply-To: <536941CF.10800@msapiro.net> References: <536941CF.10800@msapiro.net> Message-ID: Hi, Mark. It's not breaking dkim, it's violating the receiver's implementation of SPF, which appears to be looking not just at the envelope header, but also at message headers -- I wonder whether this means they have actually implemented SenderID rather than SPF. The envelope sender was easily handled - however that's not enough, because the receivers are actually looking not just at the envelope but also at several of the message headers. -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro Sent: Tuesday, May 06, 2014 4:11 PM To: mailscanner at lists.mailscanner.info Subject: Re: Rewrite 'from' header to enable forwarding to overcome dmarc restrictions? On 05/06/2014 12:27 PM, Furnish, Trever G wrote: > My company has a subset of users for whom we are still doing "dumb forwards", and this practice is now resulting in undeliverable mail thanks to the recent change of dmarc policy published by AOL and Yahoo. I thought I could work around this by passing the mail for these users through a mailscanner system (just as it was on the verge of finally being decommissioned) and turning all mail into attachments. It looked promising, but it fails, because MailScanner still is using the original From and To message headers on the new message it creates even for attachments. 
The real question here is why is your "dumb forward" breaking the original DKIM signature from Yahoo or AOL? I am a Mailman developer, and we've been dealing with the fallout from this for weeks now. But the bottom line is that while I have had to invoke several mitigations in my production lists to operate in spite of DMARC p=reject policies, my forwarders (Postfix aliases) continue to work with no changes, even for mail from Yahoo.com forwarded to addresses in domains known to honor Yahoo's DMARC p=reject, even with the addition of X-...-MailScanner* headers: My suggestion would be to work on whatever in the forwarding process is breaking the original DKIM sig. Certain things like MailScanner "disarming" will do it for sure, but for a message for which MailScanner doesn't modify the body or Subject:, you should be OK. > Any suggestions? We have two basic ways of dealing with this in Mailman. Neither is ideal. Method 1 we call Munge From. We take a message e.g., To: mailscanner at lists.mailscanner.info From: Joe Blow and make it From: Joe Blow via MailScanner discussion and add Reply-To: Joe Blow For Method 2 which we call Wrap Message, ewe basically create a new message with From: and Reply-To: as in Munge From and attach the original message to it. I'm not sure how easy it would be to make MailScanner do this. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mark at msapiro.net Wed May 7 04:35:21 2014 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 06 May 2014 20:35:21 -0700 Subject: Rewrite 'from' header to enable forwarding to overcome dmarc restrictions? 
In-Reply-To: References: <536941CF.10800@msapiro.net> Message-ID: <5369A9F9.5030406@msapiro.net> On 05/06/2014 08:03 PM, Furnish, Trever G wrote: > Hi, Mark. It's not breaking dkim, it's violating the receiver's implementation of SPF, which appears to be looking not just at the envelope header, but also at message headers -- I wonder whether this means they have actually implemented SenderID rather than SPF. If the message is DKIM signed by the domain of the address in From:, it should pass DMARC as long as the signature is valid. The tests are: Is there a valid DKIM signature with a d= domain that "aligns" (a DMARC technical term) with the domain of the From: address or Does the server pass SPF and does the domain of the envelope sender (the SPF domain) "align" with that of the From: header. Forwarding will break SPF alignment, but if there is an original DKIM sig and it is valid, the message should still pass DMARC. See the spec at and lots of descriptive info at -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From jerry.benton at mailborder.com Wed May 7 06:40:55 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 7 May 2014 07:40:55 +0200 Subject: Rewrite 'from' header to enable forwarding to overcome dmarc restrictions? In-Reply-To: <5369A9F9.5030406@msapiro.net> References: <536941CF.10800@msapiro.net> <5369A9F9.5030406@msapiro.net> Message-ID: Trever, I use Postfix rather than sendmail, but it sounds like this is an issue that can be handled with what postfix calls canonical maps. However, I cannot recall if the headers are correctly updated, but I think they are. I do not recall seeing problems with DKIM or SPF when used with canonical maps, but I could be wrong. It happens all the time. Just ask my wife. On Wed, May 7, 2014 at 5:35 AM, Mark Sapiro wrote: > On 05/06/2014 08:03 PM, Furnish, Trever G wrote: > > Hi, Mark.
It's not breaking dkim, it's violating the receiver's > implementation of SPF, which appears to be looking not just at the envelope > header, but also at message headers -- I wonder whether this means they > have actually implemented SenderID rather than SPF. > > > If the message is DKIM signed by the domain of the address in From:, it > should pass DMARC as long as the signature is valid. > > The tests are: > Is there a valid DKIM signature with a d= domain that "aligns" (a DMARC > technical term) with the domain of the From: address > > or > > Does the server pass SPF and does the domain of the envelope sender (the > SPF domain) "align" with that of the From: header. > > Forwarding will break SPF alignment, but if there is an original DKIM > sig and it is valid, the message should still pass DMARC. > > See the spec at > and lots > of descriptive info at > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... 
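The two DMARC tests Mark Sapiro lists in this thread, and the effect of Mailman's Munge From on them, can be modelled as below. This is an added example, not code from any poster, MailScanner or Mailman; the domains, the small public-suffix set and all function names are constructed for illustration.

```python
"""DMARC identifier alignment for forwarded mail (added illustration)."""
from dataclasses import dataclass, field
from email.utils import formataddr, parseaddr

# Constructed stand-in for the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, strict: bool = False) -> bool:
    """Relaxed alignment compares organizational domains; strict needs an exact match."""
    if strict:
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiving MTA has already established for one delivery."""
    header_from: str              # full From: header value
    envelope_sender_domain: str   # domain that SPF was evaluated for
    spf_pass: bool                # did the connecting host pass SPF for that domain
    dkim: list = field(default_factory=list)  # [(d= domain, signature verified)]


def dmarc_eval(r: AuthResults, strict: bool = False) -> dict:
    """Pass if an aligned DKIM signature verifies OR an aligned SPF check passes."""
    from_domain = parseaddr(r.header_from)[1].rpartition("@")[2]
    dkim_ok = any(ok and aligned(d, from_domain, strict) for d, ok in r.dkim)
    spf_ok = r.spf_pass and aligned(r.envelope_sender_domain, from_domain, strict)
    return {"from_domain": from_domain, "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "pass": dkim_ok or spf_ok}


def munge_from(header_from: str, list_name: str, list_addr: str) -> dict:
    """Munge From: the forwarder's address goes in From:, the author in Reply-To:."""
    name, addr = parseaddr(header_from)
    return {"From": formataddr((f"{name or addr} via {list_name}", list_addr)),
            "Reply-To": formataddr((name, addr))}


def scenarios() -> dict:
    """Constructed deliveries of one message from an author at sender.example."""
    author = "Bob <bob@sender.example>"
    munged = munge_from(author, "Staff forwards", "fwd@forwarder.example")
    cases = {
        # Delivered straight from the author's own servers.
        "direct": AuthResults(author, "sender.example", True,
                              [("sender.example", True)]),
        # Alias-style forward: SPF fails at the new hop, signature still verifies.
        "forward_intact": AuthResults(author, "sender.example", False,
                                      [("sender.example", True)]),
        # Envelope sender rewritten and body altered: SPF passes for the
        # forwarder's domain, but nothing aligns with the From: domain.
        "forward_modified": AuthResults(author, "forwarder.example", True,
                                        [("sender.example", False)]),
        # Same hop after Munge From: From: now belongs to the forwarder.
        "forward_munged": AuthResults(munged["From"], "forwarder.example", True,
                                      [("sender.example", False)]),
    }
    return {name: dmarc_eval(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:17} {result}")
```

The `forward_modified` case is the one where rewriting only the envelope sender is not enough: SPF passes, but for a domain that does not align with From:.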
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140507/91879cdf/attachment.html From stef at aoc-uk.com Wed May 7 07:35:58 2014 From: stef at aoc-uk.com (Stef Morrell) Date: Wed, 7 May 2014 06:35:58 +0000 Subject: Spam from .us domains In-Reply-To: <5a410166-93a1-4444-a38e-b002a28a54ab@VONLIPWIG.aoc-uk.com> References: <11D8E491D9562549A61FD3186F36342001D553994F@exchange.techeez.com> <92665C7597419742B19470DFA3D5BEA209165F3A@vonLipwig.aoc-uk.com> <11D8E491D9562549A61FD3186F36342001D553A3C9@exchange.techeez.com> <53657DC8.50308@elirion.net> <5a410166-93a1-4444-a38e-b002a28a54ab@VONLIPWIG.aoc-uk.com> Message-ID: <92665C7597419742B19470DFA3D5BEA20917E15D@vonLipwig.aoc-uk.com> I too use greylisting, I presume they are using RFC compliant MTA as it gets by greylisting. Maybe I could increase the delay time, but I'm also conscious I don't want to delay legitimate mail too long. > -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf > Of Terry Hulen Jr > Sent: 04 May 2014 20:28 > To: MailScanner discussion > Subject: Re: Spam from .us domains > > I forgot to mention, I am using greyfix with postfix as well. > That, along with my postfix RBLs, I have not seen any > increase in spam. > > On Sat, May 3, 2014 at 7:37 PM, Richard Siddall > wrote: > > Look at greylisting. It may let you defer accepting email from new > > domains or new IPs until the domains show up in the RBLs. From max at inmindlabs.com Thu May 8 13:26:21 2014 From: max at inmindlabs.com (Max Kipness) Date: Thu, 8 May 2014 07:26:21 -0500 Subject: File spam Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B9E6BF3@addc01.assuredata.local> Hi, We are just getting blasted by file spam. Emails with scr,exe, etc. MailScanner stops them fine, but the reports are almost like getting the spam itself. I can't seem to find a way to stop the filename reports, unless I'm simply overlooking it. 
Also, it would be nice if there was a way to score spam by file name extension. Like SCR, etc. Or is there currently a way to do that? Max From maillists at conactive.com Fri May 9 10:31:04 2014 From: maillists at conactive.com (Kai Schaetzl) Date: Fri, 09 May 2014 11:31:04 +0200 Subject: Spamassassin rules not firing correctly In-Reply-To: <92665C7597419742B19470DFA3D5BEA209165DA0@vonLipwig.aoc-uk.com> References: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com> <25098640-cc71-4f41-9a3e-3730c41cc4b1@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209164BAB@vonLipwig.aoc-uk.com> <5f9a2acd-71a2-49e2-bb43-0a38839d6e41@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209165DA0@vonLipwig.aoc-uk.com> Message-ID: Stef Morrell wrote on Fri, 2 May 2014 15:07:54 +0000: > Would you bother with bayes at all then Bayes is very effective, especially when it comes to spam that cannot be identified otherwise, especially by technical or sender-based (RBL) rules. Anyway, I find that a lot of spam (say 90% or more) is already blocked by technical measures, e.g. do you check for existing hostnames of clients and senders? Or even reverse hostnames? Helos? A lot of the spam gets sent from provider networks that don't even set a hostname for their IP addresses. Also, if there are common characteristics like a lot having senders in the me domain - why don't you add a rule for that. Not to block those senders with just one rule, but to add up with other hits, so it finally reaches the 5.0 threshold. Did you check if you have any legitimate .me senders? Educate your users to stop using wildcard accounts, if you have a client structure that can use wildcard accounts. Actually, might be a good idea to tell people that you stop scanning wildcard accounts. 
Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Fri May 9 10:31:04 2014 From: maillists at conactive.com (Kai Schaetzl) Date: Fri, 09 May 2014 11:31:04 +0200 Subject: Spamassassin rules not firing correctly In-Reply-To: References: <92665C7597419742B19470DFA3D5BEA2091631E0@vonLipwig.aoc-uk.com> <25098640-cc71-4f41-9a3e-3730c41cc4b1@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209164BAB@vonLipwig.aoc-uk.com> <5f9a2acd-71a2-49e2-bb43-0a38839d6e41@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209165DA0@vonLipwig.aoc-uk.com> Message-ID: Martin Hepworth wrote on Sat, 3 May 2014 12:13:21 +0100: > You can hand feed corrections via trusted users, but I've found that > autolearn just stuffs up the bayes db Autolearning is effective in many cases. But you may want to adjust the thresholds. e.g. lower especially the ham threshold to something way below zero, so misdetected spam "on the brink" isn't autolearned as ham. Also very effective is the autolearning of spamtrapped spam. One or two accounts that are distributed and surely can only get spam can already have good impact. I agree that a few users who subscribe just to every list they can find and attract shitloads of "legitimate" advertising spam can be a real nuisance and may spoil the Bayes DB to an extent that it's not helpful. It very much depends on your userbase. With autolearning one has also to remember that it is not the "raw" hit count that gets used. Autolearning discards several rule groups, for instance I think it doesn't count the network rules. So, what you think should be autolearned because the hits are above threshold may not actually hit the required threshold.
Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From stef at aoc-uk.com Fri May 9 11:22:52 2014 From: stef at aoc-uk.com (Stef Morrell) Date: Fri, 9 May 2014 10:22:52 +0000 Subject: All Match Rulesets vs First Match rulesets Message-ID: <92665C7597419742B19470DFA3D5BEA20918A689@vonLipwig.aoc-uk.com> Hi all, I've been looking into an issue with scan.messages.rules which comes down to it being an all match rule, rather than a first match rule - but there are several rulesets which work on the all match basis. Is there any harm that can be done in moving such rulesets from [All,YesNo] into [First,YesNo] within ConfigDefs.pl if the first match behaviour is more useful in any given case (and for me, especially with scan.messages.rules). Stef From maillists at conactive.com Fri May 9 11:31:05 2014 From: maillists at conactive.com (Kai Schaetzl) Date: Fri, 09 May 2014 12:31:05 +0200 Subject: {Disarmed} Spammy content on mailscanner wiki In-Reply-To: References: <5369029F.1070104@msapiro.net> <53691C18.6000503@farrows.org> Message-ID: Alex Neuman wrote on Tue, 6 May 2014 13:33:11 -0500: > Is CAPTCHA protection available? Won't help so much. I think it should not be a problem to put all newly registered users in a group that cannot do anything. There won't be that many new enthusiasts who want to add real content. Just have them mail someone for elevation. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From jerry.benton at mailborder.com Fri May 9 13:26:36 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 9 May 2014 14:26:36 +0200 Subject: {Disarmed} Spammy content on mailscanner wiki In-Reply-To: References: <5369029F.1070104@msapiro.net> <53691C18.6000503@farrows.org> Message-ID: This will be addressed with the new website. I am finishing up development for the release of a user portal for Mailborder.
Once that is complete I am going to start to revamp the MailScanner website and transfer the content. On Fri, May 9, 2014 at 12:31 PM, Kai Schaetzl wrote: > Alex Neuman wrote on Tue, 6 May 2014 13:33:11 -0500: > > > Is CAPTCHA protection available? > > Won't help sp much. I think it should not be a problem to put all newly > registered users in a group that cannot do anything. There won't be that > many new enthusiasts who want to add real content. Just have them mail > someone for elevation. > > Kai > > -- > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140509/4b6c005a/attachment.html From jerry.benton at mailborder.com Fri May 9 17:59:15 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 9 May 2014 18:59:15 +0200 Subject: NDRs marked as spam Message-ID: Has anyone seen NDRs getting marked as spam without even being scanned by SA? I am seeing the behavior and am assuming it is a MailScanner thing since the message never seems to pass through SA. I am assuming the null sender is triggering it. -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140509/f88f239f/attachment.html From jeremy at fluxlabs.net Fri May 9 19:21:53 2014 From: jeremy at fluxlabs.net (Jeremy McSpadden) Date: Fri, 9 May 2014 18:21:53 +0000 Subject: NDRs marked as spam In-Reply-To: References: Message-ID: IP found on an RBL at MTA time ? 
-- Jeremy McSpadden Flux Labs | http://www.fluxlabs.net | Endless Solutions Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 On Fri, May 9, 2014 at 10:06 AM -0700, "Jerry Benton" > wrote: Has anyone seen NDRs getting marked as spam without even being scanned by SA? I am seeing the behavior and am assuming it is a MailScanner thing since the message never seems to pass through SA. I am assuming the null sender is triggering it. -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140509/084841fd/attachment.html From pparsons at techeez.com Fri May 9 20:03:36 2014 From: pparsons at techeez.com (Philip Parsons) Date: Fri, 9 May 2014 19:03:36 +0000 Subject: RBLS Message-ID: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> I do not want to kick off the discussion about where to use RBLS as we have all read them before, but I am interested in knowing if you are one of the people that use the RBLS within mailscanner instead of the MTA which ones are you using and getting the most results from ? Thank you. Philip Parsons IT and Telecommunication Specialist Techeez IT Consulting 250-818-2879 Skype ID: techeez www.techeez.com "Making IT easy" IMPORTANT NOTICE This e-mail is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying and distribution or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and e-mail confirmation to the sender. -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140509/c88da9c1/attachment.html From jerry.benton at mailborder.com Fri May 9 20:08:55 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 09 May 2014 21:08:55 +0200 Subject: NDRs marked as spam In-Reply-To: References: Message-ID: <536D27C7.1020401@mailborder.com> No, this happens from internal servers relaying emails outbound. The MTA is not performing any ip related checks, but I will review in case I missed something. On 5/9/14, 8:21 PM, Jeremy McSpadden wrote: > IP found on an RBL at MTA time ? > > > > -- > Jeremy McSpadden > Flux Labs | http://www.fluxlabs.net | Endless Solutions > Office : 850-250-5590x501 | Cell : 850-890-2543 > | Fax : 850-254-2955 > > > > > On Fri, May 9, 2014 at 10:06 AM -0700, "Jerry Benton" > > wrote: > > Has anyone seen NDRs getting marked as spam without even being scanned > by SA? I am seeing the behavior and am assuming it is a MailScanner > thing since the message never seems to pass through SA. > > I am assuming the null sender is triggering it. > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140509/78105a10/attachment.html From jeremy at fluxlabs.net Fri May 9 20:15:45 2014 From: jeremy at fluxlabs.net (Jeremy McSpadden) Date: Fri, 9 May 2014 19:15:45 +0000 Subject: RBLS In-Reply-To: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> Message-ID: MTA time is better, doesn't use up useless CPU cycles for MS. Zen, Barracuda, PSBL .. 
Are usually safe -- Jeremy McSpadden Flux Labs | http://www.fluxlabs.net | Endless Solutions Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 On Fri, May 9, 2014 at 12:14 PM -0700, "Philip Parsons" > wrote: I do not want to kick of the discussion about where to use RBLS as we have all read them before, but I am interested in knowing if you are one of the people that use the RBLS within mailscanner instead of the MTA which ones are you using and getting the most results from ? Thank you. Philip Parsons IT and Telecommunication Specialist Techeez IT Consulting 250-818-2879 Skype ID: techeez www.techeez.com "Making IT easy" IMPORTANT NOTICE This e-mail is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying and distribution or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and e-mail confirmation to the sender. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140509/156f47b5/attachment.html From terry.hulen at gmail.com Fri May 9 20:34:25 2014 From: terry.hulen at gmail.com (Terry Hulen Jr) Date: Fri, 9 May 2014 15:34:25 -0400 Subject: RBLS In-Reply-To: References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> Message-ID: What Jeremy said... On Fri, May 9, 2014 at 3:15 PM, Jeremy McSpadden wrote: > MTA time is better, doesn't use up useless CPU cycles for MS. > > Zen, Barracuda, PSBL .. 
Are usually safe > > > > -- > Jeremy McSpadden > Flux Labs | http://www.fluxlabs.net | Endless Solutions > Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 > > > > > On Fri, May 9, 2014 at 12:14 PM -0700, "Philip Parsons" > wrote: > > I do not want to kick of the discussion about where to use RBLS as we have > all read them before, but I am interested in knowing if you are one of the > people that use the RBLS within mailscanner instead of the MTA which ones > are you using and getting the most results from ? > > > > > > Thank you. > Philip Parsons > IT and Telecommunication Specialist > > Techeez IT Consulting > > 250-818-2879 > > Skype ID: techeez > www.techeez.com "Making IT easy" > > > > IMPORTANT NOTICE > This e-mail is confidential, may be legally privileged, and is for the > intended recipient only. Access, disclosure, copying and distribution or > reliance on any of it by anyone else is prohibited and may be a criminal > offence. Please delete if obtained in error and e-mail confirmation to the > sender. > > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From jeremy at fluxlabs.net Fri May 9 20:47:36 2014 From: jeremy at fluxlabs.net (Jeremy McSpadden) Date: Fri, 9 May 2014 19:47:36 +0000 Subject: RBLS In-Reply-To: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> Message-ID: One thing to keep in mind with RBLs, are DNS queries. It is not recommended to use public DNS servers. (Google/open dns) Run bind/named/dnsmasq/tinydns locally. Also, you won't really gain anything by having too many RBLs .. You'll just up the processing time and queries. 
-- Jeremy McSpadden Flux Labs | http://www.fluxlabs.net | Endless Solutions Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 On Fri, May 9, 2014 at 12:14 PM -0700, "Philip Parsons" > wrote: I do not want to kick of the discussion about where to use RBLS as we have all read them before, but I am interested in knowing if you are one of the people that use the RBLS within mailscanner instead of the MTA which ones are you using and getting the most results from ? Thank you. Philip Parsons IT and Telecommunication Specialist Techeez IT Consulting 250-818-2879 Skype ID: techeez www.techeez.com "Making IT easy" IMPORTANT NOTICE This e-mail is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying and distribution or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and e-mail confirmation to the sender. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140509/3e2bab7d/attachment.html From maxsec at gmail.com Fri May 9 21:08:10 2014 From: maxsec at gmail.com (Martin Hepworth) Date: Fri, 9 May 2014 21:08:10 +0100 Subject: NDRs marked as spam In-Reply-To: <536D27C7.1020401@mailborder.com> References: <536D27C7.1020401@mailborder.com> Message-ID: So what do the logs say about it? Are you signing the headers outbound or not? -- Martin Hepworth, CISSP Oxford, UK On 9 May 2014 20:08, Jerry Benton wrote: > No, this happens from internal servers relaying emails outbound. The MTA > is not performing any ip related checks, but I will review in case I missed > something. > > > On 5/9/14, 8:21 PM, Jeremy McSpadden wrote: > > IP found on an RBL at MTA time ? 
> > > > -- > Jeremy McSpadden > Flux Labs | http://www.fluxlabs.net | Endless Solutions > Office : 850-250-5590x501 <850-250-5590;501> | Cell : 850-890-2543 | Fax > : 850-254-2955 > > > > > On Fri, May 9, 2014 at 10:06 AM -0700, "Jerry Benton" < > jerry.benton at mailborder.com> wrote: > > Has anyone seen NDRs getting marked as spam without even being scanned > by SA? I am seeing the behavior and am assuming it is a MailScanner thing > since the message never seems to pass through SA. > > I am assuming the null sender is triggering it. > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140509/5019af6c/attachment.html From alex at vidadigital.com.pa Fri May 9 21:14:39 2014 From: alex at vidadigital.com.pa (Alex Neuman) Date: Fri, 9 May 2014 15:14:39 -0500 Subject: RBLS In-Reply-To: References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> Message-ID: Plus, if your MTA is properly set it'll give legitimate senders enough information to get themselves off the RBL. *Alex Neuman van der Hans*Reliant Technologies / Vida Digital http://vidadigital.com.pa/ Mobile: +507-6781-9505 Work: +507-832-6725 Work (USA): +1-440-253-9789 Follow *@AlexNeuman * on Twitter Like Vida Digital on Facebook Follow VidaDigital on Instagram Subscribe to Vida Digital on Youtube On Fri, May 9, 2014 at 2:15 PM, Jeremy McSpadden wrote: > MTA time is better, doesn't use up useless CPU cycles for MS. > > Zen, Barracuda, PSBL .. 
Are usually safe > > > > -- > Jeremy McSpadden > Flux Labs | http://www.fluxlabs.net | Endless Solutions > Office : 850-250-5590x501 <850-250-5590;501> | Cell : 850-890-2543 | Fax > : 850-254-2955 > > > > > On Fri, May 9, 2014 at 12:14 PM -0700, "Philip Parsons" < > pparsons at techeez.com> wrote: > > I do not want to kick of the discussion about where to use RBLS as we > have all read them before, but I am interested in knowing if you are one of > the people that use the RBLS within mailscanner instead of the MTA which > ones are you using and getting the most results from ? > > > > > > Thank you. > Philip Parsons > IT and Telecommunication Specialist > > Techeez IT Consulting > > 250-818-2879 > > Skype ID: techeez > www.techeez.com "Making IT easy" > > > > IMPORTANT NOTICE > This e-mail is confidential, may be legally privileged, and is for the > intended recipient only. Access, disclosure, copying and distribution or > reliance on any of it by anyone else is prohibited and may be a criminal > offence. Please delete if obtained in error and e-mail confirmation to the > sender. > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140509/539aeaa8/attachment.html From jerry.benton at mailborder.com Fri May 9 21:54:13 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 09 May 2014 22:54:13 +0200 Subject: NDRs marked as spam In-Reply-To: References: <536D27C7.1020401@mailborder.com> Message-ID: <536D4075.4050306@mailborder.com> I am setting up some testing in the lab now. I was just curious if there was some low hanging fruit that someone knew about. 
On 5/9/14, 10:08 PM, Martin Hepworth wrote:
> So what do the logs say about it?
> Are you signing the headers outbound or not?
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
> On 9 May 2014 20:08, Jerry Benton wrote:
>
> No, this happens from internal servers relaying emails outbound. The MTA is not performing any ip related checks, but I will review in case I missed something.
>
> On 5/9/14, 8:21 PM, Jeremy McSpadden wrote:
>> IP found on an RBL at MTA time ?
>>
>> On Fri, May 9, 2014 at 10:06 AM -0700, "Jerry Benton" wrote:
>>
>> Has anyone seen NDRs getting marked as spam without even being scanned by SA? I am seeing the behavior and am assuming it is a MailScanner thing since the message never seems to pass through SA.
>>
>> I am assuming the null sender is triggering it.
>>
>> --
>> Jerry Benton
>> Mailborder Systems
>> www.mailborder.com

From jerry.benton at mailborder.com Fri May 9 22:45:24 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 09 May 2014 23:45:24 +0200
Subject: NDRs marked as spam
In-Reply-To:
References: <536D27C7.1020401@mailborder.com>
Message-ID: <536D4C74.9050502@mailborder.com>

It was the watermarking. Watermarks + null sender = spam.

On 5/9/14, 10:08 PM, Martin Hepworth wrote:
> So what do the logs say about it?
> Are you signing the headers outbound or not?

From mailscanner-list at okla.com Fri May 9 23:17:00 2014
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Fri, 9 May 2014 17:17:00 -0500
Subject: RBLS
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com>
Message-ID: <048e01cf6bd4$697cd060$3c767120$@okla.com>

I would totally agree with the previous responses. The one big advantage to using them with SA however is you can whitelist senders rather easily with MailWatch or Baruwa that would otherwise get scored high enough to be quarantined where that is not so easy when used at the MTA level. But as previously stated, at the cost of CPU cycles etc.

You might also want to consider something like rbldnsd on your server if you desire to implement your own RBL as well. If you want to go the rbldnsd route and need any help with it, feel free to msg me off list.

Regards,
Tracy Greggs
Oklahoma Network Consulting

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Philip Parsons
Sent: Friday, May 09, 2014 2:04 PM
To: MailScanner discussion
Subject: RBLS

I do not want to kick off the discussion about where to use RBLS as we have all read them before, but I am interested in knowing if you are one of the people that use the RBLS within mailscanner instead of the MTA which ones are you using and getting the most results from ?

Thank you.
Philip Parsons
IT and Telecommunication Specialist
Techeez IT Consulting
250-818-2879
Skype ID: techeez
www.techeez.com "Making IT easy"

From alex at vidadigital.com.pa Sat May 10 00:51:42 2014
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Fri, 9 May 2014 18:51:42 -0500
Subject: RBLS
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com>
Message-ID:

Been there, done that. In my experience dnsmasq has a good light/powerful balance.

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/
Mobile: +507-6781-9505 Work: +507-832-6725 Work (USA): +1-440-253-9789

On Fri, May 9, 2014 at 2:47 PM, Jeremy McSpadden wrote:
> One thing to keep in mind with RBLs, are DNS queries. It is not recommended to use public DNS servers. (Google/open dns) Run bind/named/dnsmasq/tinydns locally. Also, you won't really gain anything by having too many RBLs .. You'll just up the processing time and queries.

From jonas at vrt.dk Wed May 14 09:59:57 2014
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Wed, 14 May 2014 08:59:57 +0000
Subject: RBLS
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com>
Message-ID:

> One thing to keep in mind with RBLs, are DNS queries. It is not recommended to use public DNS servers. (Google/open dns) Run bind/named/dnsmasq/tinydns locally. Also, you won't really gain anything by having too many RBLs .. You'll just up the processing time and queries.

This part I do not agree with. Unless you think all RBL's contain more or less the same IP's, it's pretty obvious that your protection improves with more RBL's.

Also unless you have resource contention in regards to multiple threads, the slowness RBL's introduce doesn't matter, and the system is just waiting for a response from the network, which almost doesn't consume any system resources.

Personally I have RBL's in both the MTA and in mailscanner. In the MTA I greylist based on a few very trustworthy RBL's and in mailscanner I score based on ohh I don't know 10-20 RBL's. It allows you to have a much more fine-tuned system instead of blocking based on a single RBL at the SMTP level.

The advantage of having them in mailscanner is mainly that you can whitelist senders, the disadvantage is that senders aren't told that they are listed (but since all the RBL's I use are public db's used in thousands of systems I trust somebody else will let them know soon enough :) )

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Web: www.techbiz.dk

From peter at farrows.org Wed May 14 10:23:53 2014
From: peter at farrows.org (Peter Farrow)
Date: Wed, 14 May 2014 10:23:53 +0100
Subject: RBLS
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com>
Message-ID: <53733629.7050403@farrows.org>

I have to agree with Jonas... I have about 6 Blacklists I routinely use...

P.

On 14/05/2014 09:59, Jonas Akrouh Larsen wrote:
>> One thing to keep in mind with RBLs, are DNS queries. It is not recommended to use public DNS servers. (Google/open dns) Run bind/named/dnsmasq/tinydns locally. Also, you won't really gain anything by having too many RBLs .. You'll just up the processing time and queries.
> This part I do not agree with. Unless you think all RBL's contain more or less the same IP's, it's pretty obvious that your protection improves with more RBL's.

From terry.hulen at gmail.com Wed May 14 14:25:13 2014
From: terry.hulen at gmail.com (Terry Hulen Jr)
Date: Wed, 14 May 2014 09:25:13 -0400
Subject: RBLS
In-Reply-To: <53733629.7050403@farrows.org>
References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> <53733629.7050403@farrows.org>
Message-ID:

I do not believe that anyone is wrong in this thread. I have ~3-5 DNSBLs that I use. All of these are utilized at the MTA and I also use Greylisting. I am using postfix as my MTA.

With all of that being said...

The poster's original question was if I used RBLs with MS, the answer is that I have never needed to. I save machine resources by catching the offenders early in the process and if they cannot make it past the MTA, they cannot get to MS anyway.

On Wed, May 14, 2014 at 5:23 AM, Peter Farrow wrote:
> I have to agree with Jonas... I have about 6 Blacklists I routinely use...
>
> P.

From pparsons at techeez.com Wed May 14 17:29:27 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 14 May 2014 16:29:27 +0000
Subject: RBLS
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> <53733629.7050403@farrows.org>
Message-ID: <11D8E491D9562549A61FD3186F36342001D554DB73@exchange.techeez.com>

Actually the original question was if you use them which ones do you use ? and have had the greatest success with. Hahaha I also said I did not want to kick off the discussion again which has gone through the list many many times...

I am just looking for some suggestions to what lists to use.

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Terry Hulen Jr
Sent: May-14-14 6:25 AM
To: MailScanner discussion
Subject: Re: RBLS

I do not believe that anyone is wrong in this thread. I have ~3-5 DNSBLs that I use. All of these are utilized at the MTA and I also use Greylisting. I am using postfix as my MTA.

With all of that being said...

The poster's original question was if I used RBLs with MS, the answer is that I have never needed to. I save machine resources by catching the offenders early in the process and if they cannot make it past the MTA, they cannot get to MS anyway.

From terry.hulen at gmail.com Wed May 14 17:56:50 2014
From: terry.hulen at gmail.com (Terry Hulen Jr)
Date: Wed, 14 May 2014 12:56:50 -0400
Subject: RBLS
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D554DB73@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> <53733629.7050403@farrows.org> <11D8E491D9562549A61FD3186F36342001D554DB73@exchange.techeez.com>
Message-ID:

"but I am interested in knowing if you are one of the people that use the RBLS within mailscanner instead of the MTA which ones are you using and getting the most results from ?"

b.barracudacentral.org
zen.spamhaus.org
bl.spamcop.net

On Wed, May 14, 2014 at 12:29 PM, Philip Parsons wrote:
> Actually the original question was if you use them which ones do you use ? and have had the greatest success with. Hahaha I also said I did not want to kick off the discussion again which has gone through the list many many times...
>
> I am just looking for some suggestions to what lists to use.

From alex at nanogherkin.com Wed May 14 19:53:19 2014
From: alex at nanogherkin.com (Alex Crow)
Date: Wed, 14 May 2014 19:53:19 +0100
Subject: RBLS
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D554DB73@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> <53733629.7050403@farrows.org> <11D8E491D9562549A61FD3186F36342001D554DB73@exchange.techeez.com>
Message-ID: <5373BB9F.6090609@nanogherkin.com>

I'd not use spamcop in an MTA. Too unreliable for an outright reject as it's based on their users' opinions of what is SPAM and what is not. Unsurprisingly a lot of IPs are blacklisted in SpamCop just because someone signed up for the service, subscribed to something, and then instead of addressing that problem reported it to SpamCop.

Zen and Sorbs will kill a lot, add greylisting and rejecting mail for unknown users and it's as good as Gmail for spamlessness.

We tried it and had a lot of customer complaints so now we just use it for a moderate + score in MS.

Cheers

On 14/05/14 17:29, Philip Parsons wrote:
> Actually the original question was if you use them which ones do you use ? and have had the greatest success with. Hahaha I also said I did not want to kick off the discussion again which has gone through the list many many times...
>
> I am just looking for some suggestions to what lists to use.

From alex at nanogherkin.com Wed May 14 20:00:30 2014
From: alex at nanogherkin.com (Alex Crow)
Date: Wed, 14 May 2014 20:00:30 +0100
Subject: RBLS
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com>
Message-ID: <5373BD4E.5030202@nanogherkin.com>

> The advantage of having them in mailscanner is mainly that you can whitelist senders,

You can whitelist pretty much anything in your MTA too before an RBL lookup happens. I'm speaking for postfix but if the other big ones don't allow you to say "this host is OK, SPF pass is OK, DKIM pass is OK" before hitting an RBL they are a pretty poor MTA!

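The lookup and the two policies debated in this thread (reject on one trusted list at SMTP time, or add up scores from several lists in the content filter, with whitelisting done before any lookup), as an added example that is not from any poster and is not MailScanner, SpamAssassin or postfix code. The weights, the `REJECT_ZONES` choice, the `whitelist` parameter, the resolver stub and its answers are constructed; treating 127.255.255.x as an error code follows the convention Spamhaus documents and is only assumed for the other lists.

```python
"""DNSBL lookup: reject at the MTA vs. score in the content filter (added example)."""
import ipaddress

# Zones named in the thread. Weights are constructed for illustration, except
# 1.3 for SpamCop, the RCVD_IN_BL_SPAMCOP_NET score in the report in the first message.
ZONES = {
    "zen.spamhaus.org": 3.0,
    "b.barracudacentral.org": 2.0,
    "bl.spamcop.net": 1.3,
}
REJECT_ZONES = ("zen.spamhaus.org",)  # assumption: the only list trusted for outright reject
SPAM_THRESHOLD = 5.0                  # "required 5" in the same report

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # assumed error-code range


def dnsbl_name(ip, zone):
    """Query name: reversed octets (IPv4) or reversed nibbles (IPv6), then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def classify(answers):
    """Map a resolver result to 'listed', 'clean' or 'error'.

    answers: list of A records, [] for NXDOMAIN, None for timeout or SERVFAIL.
    An answer outside 127.0.0.0/8 means a resolver rewrote NXDOMAIN, and an
    answer in the error range means the list refused the query; neither is a
    listing, and neither proves the address is clean.
    """
    if answers is None:
        return "error"
    if not answers:
        return "clean"
    for record in answers:
        addr = ipaddress.ip_address(record)
        if addr in ERROR_NET or addr not in LISTED_NET:
            return "error"
    return "listed"


def evaluate(ip, resolve, whitelist=()):
    """Return per-zone status, the MTA-style decision and the filter-style score."""
    addr = ipaddress.ip_address(ip)
    # Whitelisting happens before any lookup, so a trusted sender costs no queries.
    if any(addr in ipaddress.ip_network(net) for net in whitelist):
        return {"status": {}, "mta": "accept", "score": 0.0, "spam": False, "skipped": []}
    status = {zone: classify(resolve(dnsbl_name(ip, zone))) for zone in ZONES}
    reject = any(status[zone] == "listed" for zone in REJECT_ZONES)
    score = sum(weight for zone, weight in ZONES.items() if status[zone] == "listed")
    return {
        "status": status,
        "mta": "reject" if reject else "accept",
        "score": round(score, 2),
        "spam": score >= SPAM_THRESHOLD,
        # Lists that silently contributed nothing: log these, or rules appear
        # "not to fire" the way the first message in this archive describes.
        "skipped": sorted(zone for zone, s in status.items() if s == "error"),
    }


# Constructed answers standing in for DNS (documentation address ranges only).
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.b.barracudacentral.org": ["127.0.0.2"],
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "7.100.51.198.bl.spamcop.net": ["127.0.0.2"],
    "5.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # list refused the query
    "5.113.0.203.b.barracudacentral.org": None,            # timeout
}


def fake_resolve(name):
    """Offline resolver stub: unknown names behave like NXDOMAIN."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(sender, evaluate(sender, fake_resolve))
```

The third sample address is the case to watch in production: two of three lists returned nothing usable, so the score of 0 reflects a lookup failure rather than a clean sender.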
From terry.hulen at gmail.com Wed May 14 20:26:31 2014 From: terry.hulen at gmail.com (Terry Hulen Jr) Date: Wed, 14 May 2014 15:26:31 -0400 Subject: RBLS In-Reply-To: <5373BB9F.6090609@nanogherkin.com> References: <11D8E491D9562549A61FD3186F36342001D5545EF1@exchange.techeez.com> <53733629.7050403@farrows.org> <11D8E491D9562549A61FD3186F36342001D554DB73@exchange.techeez.com> <5373BB9F.6090609@nanogherkin.com> Message-ID: I use those 3 in order. I have not had an issue with spamcop blocking something that it shouldn't. Barracuda grabs the majority (due to it being the first one) of spammers so I do not have to worry about whitelisting. I have this theory (and I do not recommend anyone else following it), IF you end up on Barracuda's list, you probably deserved it. I haven't seen many false positives from Barraucda or ZEN. On Wed, May 14, 2014 at 2:53 PM, Alex Crow wrote: > I'd not use spamcop in an MTA. Too unreliable for an outright reject as > it's based on their users' opinions of what is SPAM and what is not. > Unsurprisingly a lot of IPs are blacklisted in SpamCop just because someone > signed up for the service, subscribed to something, and then instead of > addressing that problem reported it to SpamCop, > > Zen and Sorbs will kill a lot, add greylisting and rejecting mail for > unknown users and it's as good as Gmail for spamlessness. > > We tried it and had a lot of customer complaints so now we just use it for > a moderate + score in MS. > > Cheers > > > > On 14/05/14 17:29, Philip Parsons wrote: > > Actually the original question was if you use them which ones do you use > ? and have had the greatest success with. Hahaha I also said I did not > want to kick off the discussion again which has gone through the list many > many times? > > > > I am just looking for some suggestions to what lists to use. 
> > > > *From:* mailscanner-bounces at lists.mailscanner.info [ > mailto:mailscanner-bounces at lists.mailscanner.info] > *On Behalf Of *Terry Hulen Jr > *Sent:* May-14-14 6:25 AM > *To:* MailScanner discussion > *Subject:* Re: RBLS > > > > I do not believe that anyone is wrong in this thread. I have ~3-5 DNSBLs > that I use. All of these are utilized at the MTA and I also use > Greylisting. I am using postfix as my MTA. > > With all of that being said... > > The poster's original question was if I used RBLs with MS, the answer is > that I have never needed to. I save machine resources by catching the > offenders early in the process and if they cannot make it past the MTA, > they cannot get to MS anyway. > > > > On Wed, May 14, 2014 at 5:23 AM, Peter Farrow wrote: > > I have to agree with Jonas... I have about 6 Blacklists I routinely > use... > > P. > > > > > On 14/05/2014 09:59, Jonas Akrouh Larsen wrote: > > One thing to keep in mind with RBLs, are DNS queries. It is not recommended > > to use public DNS servers. (Google/open dns) Run > > bind/named/dnsmasq/tinydns locally. Also, you won't really gain anything by > > having too many RBLs .. You'll just up the processing time and queries. > > This part I do not agree with. Unless you think all RBL's contains more or less the same IP's, its pretty obvious that your protection improves with more RBL's. > > > > Also unless you have resource contention in regards to multiple threads, the slowness RBL's introduce doesn't matter, and the system is just waiting for a response from the network, which almost doesn't consume any system resources. > > > > Personally I have RBL's in both the MTA and in mailscanner. In the MTA I greylist based on a few very trustworthy RBL's and in mailscanner I score based on ohh I don't know 10-20 RBL's. It allows you to have a much more fine-tuned system instead of blocking based on a single RBL at the SMTP level. 
> > > > The advantage of having them in mailscanner is mainly that you can whitelist senders, the disadvantage is that senders aren't told that they are listed (but since all the RBL's I use are public db's used in thousands of systesm I trust somebody else will let them know soon enough :) ) > > > > > > Med venlig hilsen / Best regards > > > > Jonas Akrouh Larsen > > > > TechBiz ApS > > Laplandsgade 4, 2. sal > > 2300 K?benhavn S > > > > Office: 7020 0979 > > Direct: 3336 9974 > > Mobile: 5120 1096 > > Web: www.techbiz.dk > > > > > > > > > > > > > > > > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140514/7edec0c6/attachment.html From campbell at cnpapers.com Thu May 15 15:35:28 2014 From: campbell at cnpapers.com (Steve Campbell) Date: Thu, 15 May 2014 10:35:28 -0400 Subject: delay_checks Message-ID: <5374D0B0.4020208@cnpapers.com> Does using the delay_checks Feature in sendmail have any consequences when using MailScanner? steve campbell From johnnyb at marlboro.edu Thu May 15 19:25:19 2014 From: johnnyb at marlboro.edu (John Baker) Date: Thu, 15 May 2014 14:25:19 -0400 Subject: with Sophos 9 Message-ID: So old Sophos 4 is retired (though still seems to be getting updates at the moment). 
Sophos 9 for Linux is what they want everyone to use and, of course, their support seems to have no clue that anybody was using this on mailservers. Is there an officially recommended way to do this now? Can savscan work with Mailscanner or should I find something else? -- John Baker Network Administrator Marlboro College Phone: 451-7551 Cell: 490-0066 From it at festa.bg Thu May 15 19:29:11 2014 From: it at festa.bg (Valentin Laskov) Date: Thu, 15 May 2014 21:29:11 +0300 Subject: delay_checks References: <5374D0B0.4020208@cnpapers.com> Message-ID: <75995886787544B5AD7FEC55DDB644AC@vnvdelux> No. ----- Original Message ----- From: "Steve Campbell" To: Sent: Thursday, May 15, 2014 5:35 PM Subject: delay_checks | Does using the delay_checks Feature in sendmail have any consequences | when using MailScanner? | | steve campbell From campbell at cnpapers.com Thu May 15 20:01:01 2014 From: campbell at cnpapers.com (Steve Campbell) Date: Thu, 15 May 2014 15:01:01 -0400 Subject: delay_checks In-Reply-To: <75995886787544B5AD7FEC55DDB644AC@vnvdelux> References: <5374D0B0.4020208@cnpapers.com> <75995886787544B5AD7FEC55DDB644AC@vnvdelux> Message-ID: <53750EED.7020809@cnpapers.com> Thank you. I tried it and didn't see anything strange, but I'd read somewhere long ago that it might have different logging and cause problems with either MailScanner or MailWatch. steve On 5/15/2014 2:29 PM, Valentin Laskov wrote: > No.
> > ----- Original Message ----- > From: "Steve Campbell" > To: > Sent: Thursday, May 15, 2014 5:35 PM > Subject: delay_checks > > > | Does using the delay_checks Feature in sendmail have any consequences > | when using MailScanner? > | > | steve campbell From it at festa.bg Fri May 16 08:41:01 2014 From: it at festa.bg (Valentin Laskov) Date: Fri, 16 May 2014 10:41:01 +0300 Subject: with Sophos 9 References: Message-ID: FYI clamav-0.98.3 sets new very high requirements to the hardware and used OS. Cheers! Valentin Laskov ----- Original Message ----- From: "John Baker" To: "MailScanner discussion" Sent: Thursday, May 15, 2014 9:25 PM Subject: with Sophos 9 | So old Sophos 4 is retired (though still seems to be getting updates at the | moment). | | Sophos 9 for Linux is what they want everyone to use and ,of course, their | support seems to have no clue that anybody was using this on mailservers. | | Is there an officially recommended way to do this now? Can savscan work | with Mailscanner or should I find something else? | | -- | John Baker | Network Administrator | Marlboro College | Phone: 451-7551 Cell: 490-0066
From richard at fastnet.co.uk Fri May 16 09:05:04 2014 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri, 16 May 2014 08:05:04 +0000 Subject: delay_checks In-Reply-To: <53750EED.7020809@cnpapers.com> References: <5374D0B0.4020208@cnpapers.com> <75995886787544B5AD7FEC55DDB644AC@vnvdelux> <53750EED.7020809@cnpapers.com> Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBB1321@BTN-EXCHANGE-V1.fastnet.local> Hi Steve, I prefer using it as you get to see the 'From' email address if you bounce the email through RBL's. It makes things simpler to diagnose. One downside to using it would be using custom bounce error codes. When I use it and create a custom bounce, the error doesn't appear on the bounce, all you get is 'relaying denied'. Hope that helps, Rich -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Campbell Sent: 15 May 2014 20:01 To: mailscanner at lists.mailscanner.info Subject: Re: delay_checks Thank you. I tried it and didn't see anything strange, but I'd read somewhere long ago that it might have different logging and cause problems with either MailScanner or MailWatch. steve On 5/15/2014 2:29 PM, Valentin Laskov wrote: > No. > > ----- Original Message ----- > From: "Steve Campbell" > To: > Sent: Thursday, May 15, 2014 5:35 PM > Subject: delay_checks > > > | Does using the delay_checks Feature in sendmail have any > | consequences when using MailScanner? > | > | steve campbell
From maillists at conactive.com Fri May 16 10:21:56 2014 From: maillists at conactive.com (Kai Schaetzl) Date: Fri, 16 May 2014 11:21:56 +0200 Subject: with Sophos 9 In-Reply-To: References: Message-ID: Valentin Laskov wrote on Fri, 16 May 2014 10:41:01 +0300: > FYI clamav-0.98.3 sets new very high requirements to the hardware and used OS. Where does it say this? http://www.clamav.net/lang/en/2014/05/07/clamav-0-98-3-has-been-released/ Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From it at festa.bg Fri May 16 12:43:45 2014 From: it at festa.bg (Valentin Laskov) Date: Fri, 16 May 2014 14:43:45 +0300 Subject: with Sophos 9 References: Message-ID: <09C500ABB730440AB9D9CE5CA555CD9E@festa.bg> ----- Original Message ----- From: "Kai Schaetzl" Sent: Friday, May 16, 2014 12:21 PM | Valentin Laskov wrote on Fri, 16 May 2014 10:41:01 +0300: | | > FYI clamav-0.98.3 sets new very high requirements to the hardware and used OS. | | Where does it say this? | http://www.clamav.net/lang/en/2014/05/07/clamav-0-98-3-has-been-released/ | "- Use OpenSSL file hash functions for improved performance. OpenSSL is now prerequisite software for ClamAV 0.98.3." and "- Improvements to ClamAV build process, ..." In my case, it complains about my old C compiler and does not compile. I installed Slackware 14.1 for testing. Compiling consumes more time than before but is successful. About hardware requirements, I'm sorry! It's my "false positive" :) . It turned out that my testing machine has no enough RAM. ----- Original Message ----- From: "John Baker" Sent: Thursday, May 15, 2014 9:25 PM | Can savscan work with Mailscanner or should I find something else? ClamAV works well for me.
Valentin From campbell at cnpapers.com Fri May 16 12:50:26 2014 From: campbell at cnpapers.com (Steve Campbell) Date: Fri, 16 May 2014 07:50:26 -0400 Subject: delay_checks In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EBB1321@BTN-EXCHANGE-V1.fastnet.local> References: <5374D0B0.4020208@cnpapers.com> <75995886787544B5AD7FEC55DDB644AC@vnvdelux> <53750EED.7020809@cnpapers.com> <6EE47AF64C339A4F8F7F50507241B3795EBB1321@BTN-EXCHANGE-V1.fastnet.local> Message-ID: <5375FB82.7080301@cnpapers.com> Thanks, RBLs were the problem. I needed to allow an address being sent from a server listed in SpamCop. I used the generic delay_checks with no options so that a simple "From:" in my access file would override the blockage. I hope that's the way it works. steve On 5/16/2014 4:05 AM, Richard Mealing wrote: > Hi Steve, > > I prefer using it as you get to see the 'From' email address if you bounce the email through RBL's. It makes things simpler to diagnose. > One downside to using it is would be using custom bounce error codes. When I use it and create a custom bounce, the error doesn't appear on the bounce, all you get is 'relaying denied'. > > Hope that helps, > Rich > > -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Campbell > Sent: 15 May 2014 20:01 > To: mailscanner at lists.mailscanner.info > Subject: Re: delay_checks > > Thank you. I tried it and didn't see anything strange, but I'd read somewhere long ago that it might have different logging and cause problems with either MailScanner or MailWatch. > > steve > On 5/15/2014 2:29 PM, Valentin Laskov wrote: >> No. >> >> ----- Original Message ----- >> From: "Steve Campbell" >> To: >> Sent: Thursday, May 15, 2014 5:35 PM >> Subject: delay_checks >> >> >> | Does using the delay_checks Feature in sendmail have any >> | consequences when using MailScanner? 
>> | >> | steve campbell From richard at fastnet.co.uk Fri May 16 17:10:59 2014 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri, 16 May 2014 16:10:59 +0000 Subject: delay_checks In-Reply-To: <5375FB82.7080301@cnpapers.com> References: <5374D0B0.4020208@cnpapers.com> <75995886787544B5AD7FEC55DDB644AC@vnvdelux> <53750EED.7020809@cnpapers.com> <6EE47AF64C339A4F8F7F50507241B3795EBB1321@BTN-EXCHANGE-V1.fastnet.local> <5375FB82.7080301@cnpapers.com> Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBB1BA6@BTN-EXCHANGE-V1.fastnet.local> Yes that will work - From:somedomain.com OK Or Connect:1.1.1.1 OK Or you can do the delay_checks with the friend option. Then something like this - Spam:somedomainname.co.uk FRIEND To bypass the RBL's altogether (some people don't like them..). Rich -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Campbell Sent: 16 May 2014 12:50 To: MailScanner discussion Subject: Re: delay_checks Thanks, RBLs were the problem. I needed to allow an address being sent from a server listed in SpamCop. I used the generic delay_checks with no options so that a simple "From:" in my access file would override the blockage. I hope that's the way it works.
steve On 5/16/2014 4:05 AM, Richard Mealing wrote: > Hi Steve, > > I prefer using it as you get to see the 'From' email address if you bounce the email through RBL's. It makes things simpler to diagnose. > One downside to using it is would be using custom bounce error codes. When I use it and create a custom bounce, the error doesn't appear on the bounce, all you get is 'relaying denied'. > > Hope that helps, > Rich > > -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve > Campbell > Sent: 15 May 2014 20:01 > To: mailscanner at lists.mailscanner.info > Subject: Re: delay_checks > > Thank you. I tried it and didn't see anything strange, but I'd read somewhere long ago that it might have different logging and cause problems with either MailScanner or MailWatch. > > steve > On 5/15/2014 2:29 PM, Valentin Laskov wrote: >> No. >> >> ----- Original Message ----- >> From: "Steve Campbell" >> To: >> Sent: Thursday, May 15, 2014 5:35 PM >> Subject: delay_checks >> >> >> | Does using the delay_checks Feature in sendmail have any >> | consequences when using MailScanner? >> | >> | steve campbell
From email at ace.net.au Sat May 17 17:44:01 2014 From: email at ace.net.au (Peter Nitschke) Date: Sun, 18 May 2014 02:14:01 +0930 Subject: Spear fishing updates Message-ID: <201405180214010684.2B503462@web.ace.net.au> Hi, Is anyone else having problems with the spear fishing updates? Unable to retrieve http://cdn.mailscanner.info/emails..2014-196 :500 Can't connect to cdn.mailscanner.info:80 (connect: timeout) Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.1 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.2 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.3 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.4 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.5 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.6 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Regards, Peter From jerry.benton at mailborder.com Sat May 17 18:26:53 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Sat, 17 May 2014 19:26:53 +0200 Subject: Spear fishing updates In-Reply-To: <201405180214010684.2B503462@web.ace.net.au> References: <201405180214010684.2B503462@web.ace.net.au> Message-ID: <8E7E4CD9-B09D-4590-8490-FA829F17F719@mailborder.com> The connection is timing out for me as well. - Jerry Benton www.mailborder.com On May 17, 2014, at 6:44 PM, Peter Nitschke wrote: > Hi, > > Is anyone else having problems with the spear fishing updates?
> > Unable to retrieve http://cdn.mailscanner.info/emails..2014-196 :500 Can't > connect to cdn.mailscanner.info:80 (connect: timeout) > Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.1 at > /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. > Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.2 at > /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. > Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.3 at > /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. > Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.4 at > /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. > Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.5 at > /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. > Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.6 at > /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. > > Regards, > Peter From mark at msapiro.net Sat May 17 18:28:18 2014 From: mark at msapiro.net (Mark Sapiro) Date: Sat, 17 May 2014 10:28:18 -0700 Subject: Spear fishing updates In-Reply-To: <201405180214010684.2B503462@web.ace.net.au> References: <201405180214010684.2B503462@web.ace.net.au> Message-ID: <53779C32.104@msapiro.net> On 05/17/2014 09:44 AM, Peter Nitschke wrote: > > Is anyone else having problems with the spear fishing updates? > > Unable to retrieve http://cdn.mailscanner.info/emails..2014-196 :500 Can't > connect to cdn.mailscanner.info:80 (connect: timeout) ... cdn.mailscanner.info appears unresponsive at the moment.
Change 'cdn.mailscanner.info' in the script to 'www.mailscanner.eu'. That one is working. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From jeremy at fluxlabs.net Sat May 17 18:39:24 2014 From: jeremy at fluxlabs.net (Jeremy McSpadden) Date: Sat, 17 May 2014 17:39:24 +0000 Subject: Spear fishing updates In-Reply-To: <201405180214010684.2B503462@web.ace.net.au> References: <201405180214010684.2B503462@web.ace.net.au> Message-ID: http://www.downforeveryoneorjustme.com/cdn.mailscanner.info -- Jeremy McSpadden Flux Labs | http://www.fluxlabs.net | Endless Solutions Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 On Sat, May 17, 2014 at 9:58 AM -0700, "Peter Nitschke" > wrote: Hi, Is anyone else having problems with the spear fishing updates? Unable to retrieve http://cdn.mailscanner.info/emails..2014-196 :500 Can't connect to cdn.mailscanner.info:80 (connect: timeout) Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.1 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.2 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.3 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.4 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.5 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Failed to retrieve http://cdn.mailscanner.info/emails.2014-196.6 at /etc/cron.hourly/Spear.Phishing.Rules.v2.05 line 332. Regards, Peter
From paul at welshfamily.com Sun May 18 23:00:29 2014 From: paul at welshfamily.com (Paul Welsh) Date: Sun, 18 May 2014 23:00:29 +0100 Subject: Antivirus performance, AVG Message-ID: Hi folks I ran into some problems recently with the performance of clamscan on my virtual CentOS 6.5 box. Essentially it is slow and resource intensive. It was causing major performance issues on my server. Thought I'd share my findings in case it proves useful to anyone else. I also have a question about AVG Free Edition for Linux Here's what my problem was with clamscan: Scanned files: 37 Time: 34.725 sec (0 m 34 s) F-prot was much faster: Files: 39 Running time: 00:01 I wanted to run at least 2 scanners so F-prot was an obvious choice and I needed to find an alternative for clamscan. I tried bitdefender 7.6 but it was nearly as slow as clamscan: Files: 40 real 0m25.261s Of course, anyone with more experience would know that clamd is much faster than clamav and this is the way I went: Scanned files: 37 Time: 5.342 sec (0 m 5 s) I also tried AVG Free Edition for Linux from http://free.avg.com/gb-en/download-free-all-product and this also worked very well: Files scanned : 39(39) real 0m0.606s However, I notice that the avg mentioned in /etc/MailScanner/MailScanner.conf is: # avg from www.grisoft.com Things have obviously moved on from the grisoft.com days and I'm wondering if avg is working correctly. I have the services running: root 28596 0.0 0.2 317596 2088 ? Sl May14 0:23 /opt/avg/av/bin//avgd root 28610 0.0 0.1 85328 1136 ? Sl May14 0:17 /opt/avg/av/bin/avgavid root 28620 0.0 0.0 137316 824 ? Sl May14 1:48 /opt/avg/av/bin/avgtcpd root 28625 0.0 0.0 297096 864 ? Sl May14 0:06 /opt/avg/av/bin/avgscand -c 3 root 28659 0.0 0.0 410860 944 ?
Sl May14 0:00 /opt/avg/av/bin/avgsched If I send an eicar.com attachment with just avg as the configured scanner I get this; looks OK: May 18 18:46:34 mail MailScanner[28946]: Avg: Virus identified EICAR_Test in eicar.com May 18 18:46:34 mail MailScanner[28946]: Virus Scanning: Avg found 1 infections May 18 18:46:34 mail MailScanner[28946]: Infected message 1Wm5AP-0007Wu-Rd came from May 18 18:46:34 mail MailScanner[28946]: Virus Scanning: Found 1 viruses May 18 18:46:34 mail MailScanner[28946]: Viruses marked as silent: Avg: Found virus EICAR_Test in file eicar.com May 18 18:46:43 mail MailScanner[28946]: Cleaned: Delivered 1 cleaned messages If I use avg, f-prot and clamd the avg part looks like this. What concerns me a bit is the string "Test in neicar.com" when the filename was eicar.com. Also the reference to "icar.com" and "irus" instead of "Virus": May 18 18:38:19 mail MailScanner[21420]: Virus Scanning: Clamd found 2 infections May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in neicar.com May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in 1Wm52O-0007I7-Jc.message->icar.com May 18 18:38:20 mail MailScanner[21420]: Avg: irus identified EICAR_Test in 1Wm52O-0007I7-Jc.message May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: Avg found 3 infections May 18 18:38:20 mail MailScanner[21420]: [Found virus] ./1Wm52O-0007I7-Jc/eicar.com May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: F-Prot6 found 2 infections I'm half tempted to stop using avg given these formatting issues. Anyone else using AVG Free Edition for Linux with MailScanner 4.84.5? I also reduced the number of MailScanner child processes from 5 to 3: Max Children = 3
From steveb_clamav at sanesecurity.com Mon May 19 08:46:19 2014 From: steveb_clamav at sanesecurity.com (Steve Basford) Date: Mon, 19 May 2014 08:46:19 +0100 Subject: Antivirus performance, AVG In-Reply-To: References: Message-ID: On Sun, May 18, 2014 11:00 pm, Paul Welsh wrote: > > I ran into some problems recently with the performance of clamscan on my > virtual CentOS 6.5 box. Essentially it is slow and resource intensive. It > was causing major performance issues on my server. What's the speed when using clamdscan, instead of clamscan... Here's a nice quote that explains... "Clamd is a persistent process and does not need to load all the signatures each time it is called. You simply tell it where to find the file to scan and assuming it has permissions to do so, it scans the file(s). You connect to it via Unix or TCP sockets. Clamscan has to load the signatures each time it is run so on a busy system this can be a burden. If you wish to do this in real time then the clamd method is faster and less load on your system. " Cheers, Steve Sanesecurity.com From it at festa.bg Mon May 19 09:51:32 2014 From: it at festa.bg (Valentin Laskov) Date: Mon, 19 May 2014 11:51:32 +0300 Subject: Antivirus performance, AVG References: Message-ID: <5AEBB3FFAFFB444EACF968E4046FF7A6@festa.bg> Hi Paul, which version is ClamAV. There are some bugs in last ClamAV 0.98.3 There's clamav-0-98-4rc1 [1] as a bug fix release candidate. I'm still using ClamAV 0.98.1 and trying to compile 4rc1 [1] http://www.clamav.net/lang/en/2014/05/17/clamav-0-98-4rc1-is-now-available/ ----- Original Message ----- From: "Paul Welsh" To: "MailScanner discussion" Sent: Monday, May 19, 2014 1:00 AM Subject: Antivirus performance, AVG | Hi folks | | I ran into some problems recently with the performance of clamscan on my | virtual CentOS 6.5 box. Essentially it is slow and resource intensive.
It | was causing major performance issues on my server. | From maxsec at gmail.com Mon May 19 11:56:49 2014 From: maxsec at gmail.com (Martin Hepworth) Date: Mon, 19 May 2014 11:56:49 +0100 Subject: Antivirus performance, AVG In-Reply-To: <5AEBB3FFAFFB444EACF968E4046FF7A6@festa.bg> References: <5AEBB3FFAFFB444EACF968E4046FF7A6@festa.bg> Message-ID: To concur with Steve and Valentin, using clamd (and clamdscan) is way faster than clamscan. The 0.98 track of ClamAV has been troublesome. The 0.98.4 is looking promising to resolve these issues. -- Martin Hepworth, CISSP Oxford, UK On 19 May 2014 09:51, Valentin Laskov wrote: > Hi Paul, > > which version is ClamAV. There are some bugs in last ClamAV 0.98.3 > There's clamav-0-98-4rc1 [1] as a bug fix release candidate. > I'm still using ClamAV 0.98.1 and trying to compile 4rc1 > > [1] > http://www.clamav.net/lang/en/2014/05/17/clamav-0-98-4rc1-is-now-available/ > > > ----- Original Message ----- > From: "Paul Welsh" > To: "MailScanner discussion" > Sent: Monday, May 19, 2014 1:00 AM > Subject: Antivirus performance, AVG > > > | Hi folks > | > | I ran into some problems recently with the performance of clamscan on my > | virtual CentOS 6.5 box. Essentially it is slow and resource intensive. > It > | was causing major performance issues on my server. > | From richard at fastnet.co.uk Tue May 20 10:43:35 2014 From: richard at fastnet.co.uk (Richard Mealing) Date: Tue, 20 May 2014 09:43:35 +0000 Subject: Mailscanner loops stops processing emails.
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBB483A@BTN-EXCHANGE-V1.fastnet.local> Hi, I'm having problems with mailscanner where I see the error like - Quarantined message s4K962Jg091731 as it caused MailScanner to crash several times Here's my debug - mailscanner --debug In Debugging mode, not forking... Trying to setlogsock(unix) Building a message batch to scan... Have a batch of 30 messages. Can't call method "CombineReports" on unblessed reference at /usr/local/lib/MailScanner/MailScanner/MessageBatch.pm line 736. I cannot see any problems with permissions, but I will be glad to share them with the list. Just let me know what you want to look at. The only thing that seems to fix this is deleting the Processing.db file for mailscanner, then restarting mailscanner. If I have a large queue then it just happens again and I start seeing "Making attempt 2 at processing message s4K9YVUO015387" etc etc. Does anyone else see this problem or is it just me? MailScanner-4.84.6 sendmail-8.14.5 clamav-0.98.1_1 FreeBSD 8.2-RELEASE Thanks, Rich From maxsec at gmail.com Tue May 20 11:22:34 2014 From: maxsec at gmail.com (Martin Hepworth) Date: Tue, 20 May 2014 11:22:34 +0100 Subject: Mailscanner loops stops processing emails. In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EBB483A@BTN-EXCHANGE-V1.fastnet.local> References: <6EE47AF64C339A4F8F7F50507241B3795EBB483A@BTN-EXCHANGE-V1.fastnet.local> Message-ID: make sure the MailScanner perl script has the -U flag at the top, sounds like the usual taint mode issues. -- Martin Hepworth, CISSP Oxford, UK On 20 May 2014 10:43, Richard Mealing wrote: > Hi, > > > > I'm having problems with mailscanner where I see the error like - > Quarantined message s4K962Jg091731 as it caused MailScanner to crash > several times > > > > Here's my debug -
> > > > mailscanner --debug > > > > > > In Debugging mode, not forking... > > Trying to setlogsock(unix) > > Building a message batch to scan... > > Have a batch of 30 messages. > > Can't call method "CombineReports" on unblessed reference at > /usr/local/lib/MailScanner/MailScanner/MessageBatch.pm line 736. > > > > I cannot see any problems with permissions, but I will be glad to share > them with the list. Just let me know what you want to look at. > > > > The only thing that seems to fix this is deleting the Processing.db file > for mailscanner, then restarting mailscanner. If I have a large queue then > it just happens again and I start seeing "Making attempt 2 at processing > message s4K9YVUO015387" etc etc. > > > > Does anyone else see this problem or is it just me? > > > > MailScanner-4.84.6 > > sendmail-8.14.5 > > clamav-0.98.1_1 > > FreeBSD 8.2-RELEASE > > > > Thanks, > > Rich From stef at aoc-uk.com Tue May 20 11:49:57 2014 From: stef at aoc-uk.com (Stef Morrell) Date: Tue, 20 May 2014 10:49:57 +0000 Subject: with Sophos 9 In-Reply-To: <59faf3ce-4c5a-4498-9fc5-d17b725bdd58@VONLIPWIG.aoc-uk.com> References: <59faf3ce-4c5a-4498-9fc5-d17b725bdd58@VONLIPWIG.aoc-uk.com> Message-ID: <92665C7597419742B19470DFA3D5BEA2091ABF72@vonLipwig.aoc-uk.com> I'm using Sophos 9 and oddly my experience with Sophos Support was quite positive.
Savscan works perfectly well, although in the (perhaps unlikely) event I have some time on my hands in the near future, I'm going to look at a custom plugin for the SAVDI interface, as calling savscan for each batch isn't wonderfully efficient. Stef ________________________________ From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of John Baker Sent: 15 May 2014 19:25 To: MailScanner discussion Subject: with Sophos 9 So old Sophos 4 is retired (though still seems to be getting updates at the moment). Sophos 9 for Linux is what they want everyone to use and ,of course, their support seems to have no clue that anybody was using this on mailservers. Is there an officially recommended way to do this now? Can savscan work with Mailscanner or should I find something else? -- John Baker Network Administrator Marlboro College Phone: 451-7551 Cell: 490-0066 From richard at fastnet.co.uk Tue May 20 12:33:01 2014 From: richard at fastnet.co.uk (Richard Mealing) Date: Tue, 20 May 2014 11:33:01 +0000 Subject: Mailscanner loops stops processing emails. In-Reply-To: References: <6EE47AF64C339A4F8F7F50507241B3795EBB483A@BTN-EXCHANGE-V1.fastnet.local> Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBB4B20@BTN-EXCHANGE-V1.fastnet.local> Hi Martin, Thanks, but that doesn't work for me. I changed the Processing attempts to 0 and now I see clamd timing out and crashing in the logs. Lots of this - MailScanner[66580]: Virus Scanning: No virus scanners worked, so message batch was abandoned and re-tried! Lots of this -
MailScanner[71612]: Cannot find Socket (/var/run/clamav/clamd) Exiting!

My socket does match mailscanner..

But now all the emails seem to be processing and obviously now not being quarantined by mailscanner.

I'm debugging clamd but I can't find anything obvious in the logs. I've opened a thread with the clamd list.

Here's some of my clamconf -n -

LogFile = "/var/log/clamav/clamd.log"
LogFileMaxSize = "104857600"
LogTime = "yes"
LogVerbose = "yes"
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory = "/tmp"
LocalSocket = "/var/run/clamav/clamd"
MaxConnectionQueueLength = "30"
MaxThreads = "50"
ReadTimeout = "300"
CommandReadTimeout = "7"
MaxQueue = "300"
Debug = "yes"
User = "clamav"
AllowSupplementaryGroups = "yes"
StructuredMinCreditCardCount = "5"
StructuredMinSSNCount = "5"
MaxRecursion = "20"

Here's my mailscanner processing timeouts -

Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30

I'm wondering if there is something here I need to change. Any advice would obviously be appreciated!!

Thanks,
Rich

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: 20 May 2014 11:23
To: MailScanner discussion
Subject: Re: Mailscanner loops stops processing emails.

make sure the MailScanner perl script has the -U flag at the top, sounds like the usual taint mode issues.

--
Martin Hepworth, CISSP
Oxford, UK

On 20 May 2014 10:43, Richard Mealing wrote:
Hi,

I'm having problems with mailscanner where I see the error like - Quarantined message s4K962Jg091731 as it caused MailScanner to crash several times

Here's my debug -

mailscanner --debug

In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Have a batch of 30 messages.
Can't call method "CombineReports" on unblessed reference at /usr/local/lib/MailScanner/MailScanner/MessageBatch.pm line 736.

I cannot see any problems with permissions, but I will be glad to share them with the list. Just let me know what you want to look at.

The only thing that seems to fix this is deleting the Processing.db file for mailscanner, then restarting mailscanner. If I have a large queue then it just happens again and I start seeing "Making attempt 2 at processing message s4K9YVUO015387" etc etc.

Does anyone else see this problem or is it just me?

MailScanner-4.84.6
sendmail-8.14.5
clamav-0.98.1_1
FreeBSD 8.2-RELEASE

Thanks,
Rich

From it at festa.bg Tue May 20 12:59:42 2014
From: it at festa.bg (Valentin Laskov)
Date: Tue, 20 May 2014 14:59:42 +0300
Subject: Mailscanner loops stops processing emails.
References: <6EE47AF64C339A4F8F7F50507241B3795EBB483A@BTN-EXCHANGE-V1.fastnet.local> <6EE47AF64C339A4F8F7F50507241B3795EBB4B20@BTN-EXCHANGE-V1.fastnet.local>
Message-ID: <4E869BBC845E4440822C4BDAADACBC89@festa.bg>

clamd ??? :) What version ?

I'm still using 0.98.1 because 0.98.3 is buggy

There is 0.98.4.rc1 which I can't compile

Valentin

From alex at vidadigital.com.pa Tue May 20 13:40:32 2014
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue, 20 May 2014 07:40:32 -0500
Subject: Mailscanner loops stops processing emails.
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EBB4B20@BTN-EXCHANGE-V1.fastnet.local>
References: <6EE47AF64C339A4F8F7F50507241B3795EBB483A@BTN-EXCHANGE-V1.fastnet.local> <6EE47AF64C339A4F8F7F50507241B3795EBB4B20@BTN-EXCHANGE-V1.fastnet.local>
Message-ID:

Sounds like a permissions issue.

From richard at fastnet.co.uk Tue May 20 14:35:44 2014
From: richard at fastnet.co.uk (Richard Mealing)
Date: Tue, 20 May 2014 13:35:44 +0000
Subject: Mailscanner loops stops processing emails.
In-Reply-To: <4E869BBC845E4440822C4BDAADACBC89@festa.bg>
References: <6EE47AF64C339A4F8F7F50507241B3795EBB483A@BTN-EXCHANGE-V1.fastnet.local> <6EE47AF64C339A4F8F7F50507241B3795EBB4B20@BTN-EXCHANGE-V1.fastnet.local> <4E869BBC845E4440822C4BDAADACBC89@festa.bg>
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBB4E85@BTN-EXCHANGE-V1.fastnet.local>

0.98.1_1

I tried using the .3 version but it doesn't compile for me either. I'm waiting for the .4 version to become available in the freebsd ports. I'm not sure it's going to fix my problem though.

I would say it's a permission problem but it works most of the time, so could it be?

When I get a heavy load like a ddos or something, it breaks. Clamd crashes and then restarts, processes some mail but then crashes again. Since I changed the Processing db to 0 I don't get this loop any more, so I'm happy now, but I really want to try and fix the clamd crashing problems.

I will continue to debug clamd.

Thanks,
Rich

From it at festa.bg Tue May 20 15:20:05 2014
From: it at festa.bg (Valentin Laskov)
Date: Tue, 20 May 2014 17:20:05 +0300
Subject: Mailscanner loops stops processing emails.
References: <6EE47AF64C339A4F8F7F50507241B3795EBB483A@BTN-EXCHANGE-V1.fastnet.local> <6EE47AF64C339A4F8F7F50507241B3795EBB4B20@BTN-EXCHANGE-V1.fastnet.local> <4E869BBC845E4440822C4BDAADACBC89@festa.bg> <6EE47AF64C339A4F8F7F50507241B3795EBB4E85@BTN-EXCHANGE-V1.fastnet.local>
Message-ID:

You can try using clamscan not clamd or clamdscan.
clamscan works not so fast - it loads virus database each time it started, but you can obtain reliability this way. You can decrease number of MailScanner child processes to decrease system load.

From richard at fastnet.co.uk Tue May 20 15:48:15 2014
From: richard at fastnet.co.uk (Richard Mealing)
Date: Tue, 20 May 2014 14:48:15 +0000
Subject: Mailscanner loops stops processing emails.
In-Reply-To:
References: <6EE47AF64C339A4F8F7F50507241B3795EBB483A@BTN-EXCHANGE-V1.fastnet.local> <6EE47AF64C339A4F8F7F50507241B3795EBB4B20@BTN-EXCHANGE-V1.fastnet.local> <4E869BBC845E4440822C4BDAADACBC89@festa.bg> <6EE47AF64C339A4F8F7F50507241B3795EBB4E85@BTN-EXCHANGE-V1.fastnet.local>
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBB50FF@BTN-EXCHANGE-V1.fastnet.local>

OK, I will give that a go.

I've changed in mailscanner - Maximum Processing Attempts = 0
And now I've changed this in clamd.conf -

SelfCheck 3600

It was set to 10 minutes and I think it just restarts itself, then mailscanner cannot find the socket and starts complaining. I'll give it more time and see if the errors persist.

Since disabling the processing attempts I see no mail looping (Yay). From reading an old thread from Julian, it is off by default. I don't really understand what it does.

Thanks,
Rich

From axisml at gmail.com Tue May 20 17:40:02 2014
From: axisml at gmail.com (Chris Stone)
Date: Tue, 20 May 2014 10:40:02 -0600
Subject: Mailscanner loops stops processing emails.
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EBB50FF@BTN-EXCHANGE-V1.fastnet.local>
References: <6EE47AF64C339A4F8F7F50507241B3795EBB483A@BTN-EXCHANGE-V1.fastnet.local> <6EE47AF64C339A4F8F7F50507241B3795EBB4B20@BTN-EXCHANGE-V1.fastnet.local> <4E869BBC845E4440822C4BDAADACBC89@festa.bg> <6EE47AF64C339A4F8F7F50507241B3795EBB4E85@BTN-EXCHANGE-V1.fastnet.local> <6EE47AF64C339A4F8F7F50507241B3795EBB50FF@BTN-EXCHANGE-V1.fastnet.local>
Message-ID:

Had similar problems here and also found that disabling the Processing Attempts database code fixed it - no more loops. I don't see it as a clamd problem though - looks more like SA crashing on processing.
I now from time to time see messages that I 'think' would cause the problems if Processing Attempts were enabled - they seem to get processed 4-6 times before going on though and being seen as spam and quarantined. Not causing any real problems this way so leaving as is.

Chris

--
Chris Stone
AxisInternet, Inc.
www.axint.net

From paul at welshfamily.com Tue May 20 20:53:24 2014
From: paul at welshfamily.com (Paul Welsh)
Date: Tue, 20 May 2014 20:53:24 +0100
Subject: AVG Free Edition for Linux
Message-ID:

Thanks for the responses about clamd vs clamscan.

Does anyone have anything to say about AVG Free Edition for Linux from http://free.avg.com/gb-en/download-free-all-product that I mentioned in my previous message?
Specifically, it is the irregular messages I get when a virus is found when I use avg, f-prot and clamd. What concerns me a bit is the string "Test in neicar.com" when the filename was eicar.com. Also the reference to "icar.com" and "irus" instead of "Virus":

May 18 18:38:19 mail MailScanner[21420]: Virus Scanning: Clamd found 2 infections
May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in neicar.com
May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in 1Wm52O-0007I7-Jc.message->icar.com
May 18 18:38:20 mail MailScanner[21420]: Avg: irus identified EICAR_Test in 1Wm52O-0007I7-Jc.message
May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: Avg found 3 infections
May 18 18:38:20 mail MailScanner[21420]: [Found virus] ./1Wm52O-0007I7-Jc/eicar.com
May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: F-Prot6 found 2 infections

From pparsons at techeez.com Wed May 21 03:07:34 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 21 May 2014 02:07:34 +0000
Subject: Hey Guys need some help
Message-ID: <11D8E491D9562549A61FD3186F36342001D55597DE@exchange.techeez.com>

So I upgraded spamassassin to 3.4.0 and it all seems to be working except it does not seem to be reading the mailscanner.cf file in the /etc/mail/spamassassin/ as it looks like the local rules dir is set =/root/perl5/etc/mail/spamassassin as below and I cannot find a way to change it does anyone know of one ?
[root at changeme Mail-SpamAssassin-3.4.0]# spamassassin -D --lint
May 20 18:45:43.244 [25041] dbg: logger: adding facilities: all
May 20 18:45:43.244 [25041] dbg: logger: logging level is DBG
May 20 18:45:43.244 [25041] dbg: generic: SpamAssassin version 3.4.0
May 20 18:45:43.244 [25041] dbg: generic: Perl 5.014004, PREFIX=/root/perl5, DEF_RULES_DIR=/root/perl5/share/spamassassin, LOCAL_RULES_DIR=/root/perl5/etc/mail/spamassassin, LOCAL_STATE_DIR=/root/perl5/var/spamassassin

Thank you.

Philip Parsons

From richard at fastnet.co.uk Wed May 21 12:47:05 2014
From: richard at fastnet.co.uk (Richard Mealing)
Date: Wed, 21 May 2014 11:47:05 +0000
Subject: Hey Guys need some help
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D55597DE@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D55597DE@exchange.techeez.com>
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBB5C80@BTN-EXCHANGE-V1.fastnet.local>

Hi Philip,

I think you can change this.

grep LOCAL_STATE_DIR `which spamassassin`

The option is in your /bin/spamassassin file, or where ever you have it installed. Mine is /usr/local/bin/spamassassin as I am on freebsd.

Thanks,
Rich

From mark at msapiro.net Wed May 21 15:30:25 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 21 May 2014 07:30:25 -0700
Subject: Hey Guys need some help
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EBB5C80@BTN-EXCHANGE-V1.fastnet.local>
References: <11D8E491D9562549A61FD3186F36342001D55597DE@exchange.techeez.com> <6EE47AF64C339A4F8F7F50507241B3795EBB5C80@BTN-EXCHANGE-V1.fastnet.local>
Message-ID: <537CB881.6030806@msapiro.net>

On 05/21/2014 04:47 AM, Richard Mealing wrote:
> I think you can change this.
>
> grep LOCAL_STATE_DIR `which spamassassin`

I think what the OP wants to change is LOCAL_RULES_DIR. I.e.,

my $LOCAL_RULES_DIR = '/etc/mail/spamassassin';

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From pparsons at techeez.com Wed May 21 16:49:04 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 21 May 2014 15:49:04 +0000
Subject: Hey Guys need some help
In-Reply-To: <537CB881.6030806@msapiro.net>
References: <11D8E491D9562549A61FD3186F36342001D55597DE@exchange.techeez.com> <6EE47AF64C339A4F8F7F50507241B3795EBB5C80@BTN-EXCHANGE-V1.fastnet.local> <537CB881.6030806@msapiro.net>
Message-ID: <11D8E491D9562549A61FD3186F36342001D555A096@exchange.techeez.com>

So I have changed that in the file do I need to do something else before it works ? because after the change I run the --lint and it still shows the old location...
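An added example (not from the thread and not SpamAssassin project code): a shell check that reads the `dbg: generic: Perl ...` line printed by `spamassassin -D --lint` and reports whether the compiled-in LOCAL_RULES_DIR is the directory you expect, or a symlink that resolves to it. The function names and the embedded sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the LOCAL_RULES_DIR a SpamAssassin build reports
# with the directory the site rules are expected to live in.

# Constructed sample: the debug lines quoted in the thread above.
SAMPLE_LINT='May 20 18:45:43.244 [25041] dbg: generic: SpamAssassin version 3.4.0
May 20 18:45:43.244 [25041] dbg: generic: Perl 5.014004, PREFIX=/root/perl5, DEF_RULES_DIR=/root/perl5/share/spamassassin, LOCAL_RULES_DIR=/root/perl5/etc/mail/spamassassin, LOCAL_STATE_DIR=/root/perl5/var/spamassassin'

# sa_dir NAME: read lint debug output on stdin and print the value of NAME
# (PREFIX, DEF_RULES_DIR, LOCAL_RULES_DIR or LOCAL_STATE_DIR).
sa_dir() {
    sed -n "s/.*dbg: generic: Perl .*[ ,]$1=\([^, ]*\).*/\1/p" | head -n 1
}

# real_path DIR: physical path of DIR with symlinks resolved; prints nothing
# if DIR is missing or cannot be entered by the current user.
real_path() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# check_rules_dir EXPECTED: read lint debug output on stdin, print one verdict
# line and return 0 (rules are read from EXPECTED), 1 (they are not) or
# 2 (no LOCAL_RULES_DIR found in the input).
check_rules_dir() {
    expected=$1
    compiled=$(sa_dir LOCAL_RULES_DIR)
    if [ -z "$compiled" ]; then
        echo "unknown: no LOCAL_RULES_DIR in input"
        return 2
    fi
    want=$(real_path "$expected") || want=""
    have=$(real_path "$compiled") || have=""
    if [ -z "$have" ]; then
        echo "missing: $compiled does not exist or is not accessible"
        return 1
    fi
    if [ -n "$want" ] && [ "$have" = "$want" ]; then
        echo "ok: $compiled resolves to $want"
        return 0
    fi
    echo "mismatch: SpamAssassin reads $have, expected $expected"
    return 1
}

# Demo on the constructed sample. On a live host feed it the real output:
#   spamassassin -D --lint 2>&1 | check_rules_dir /etc/mail/spamassassin
printf '%s\n' "$SAMPLE_LINT" | check_rules_dir /etc/mail/spamassassin || true
```

Run it as the account the mail scanner uses as well as from a root shell: a rules directory under /root can resolve for root and still come back as "missing" for an unprivileged user.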
From mark at msapiro.net Wed May 21 17:14:10 2014
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 21 May 2014 09:14:10 -0700
Subject: Hey Guys need some help
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D555A096@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342001D55597DE@exchange.techeez.com> <6EE47AF64C339A4F8F7F50507241B3795EBB5C80@BTN-EXCHANGE-V1.fastnet.local> <537CB881.6030806@msapiro.net> <11D8E491D9562549A61FD3186F36342001D555A096@exchange.techeez.com>
Message-ID: <537CD0D2.10204@msapiro.net>

On 05/21/2014 08:49 AM, Philip Parsons wrote:
> So I have changed that in the file do I need to do something else before it works ? because after the change I run the --lint and it still shows the old location...

Rather than making that file change, why not just create a symlink

/root/perl5/etc/mail/spamassassin -> /etc/mail/spamassassin

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From pparsons at techeez.com Wed May 21 17:51:32 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 21 May 2014 16:51:32 +0000
Subject: Hey Guys need some help
References: <11D8E491D9562549A61FD3186F36342001D55597DE@exchange.techeez.com> <6EE47AF64C339A4F8F7F50507241B3795EBB5C80@BTN-EXCHANGE-V1.fastnet.local> <537CB881.6030806@msapiro.net>
Message-ID: <11D8E491D9562549A61FD3186F36342001D555A39B@exchange.techeez.com>

Figured it out I changed the wrong file...

-----Original Message-----
From: Philip Parsons
Sent: May-21-14 8:50 AM
To: mailscanner at lists.mailscanner.info
Subject: RE: Hey Guys need some help

So I have changed that in the file do I need to do something else before it works ? because after the change I run the --lint and it still shows the old location...
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: May-21-14 7:30 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: Hey Guys need some help

On 05/21/2014 04:47 AM, Richard Mealing wrote:
> I think you can change this.
>
> grep LOCAL_STATE_DIR `which spamassassin`

I think what the OP wants to change is LOCAL_RULES_DIR. I.e.,

my $LOCAL_RULES_DIR = '/etc/mail/spamassassin';

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From pparsons at techeez.com Wed May 21 17:58:47 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 21 May 2014 16:58:47 +0000
Subject: Mailscanner and Spamassassin 3.4
Message-ID: <11D8E491D9562549A61FD3186F36342001D555A486@exchange.techeez.com>

New issue:

Seems that the new setup is not following the rules, it sees the config saying time out 40 times but does it once and then delivers the mail... any hints ???
May 20 02:24:59 mailscanner MailScanner[4114]: SpamAssassin timed out and was killed, failure 1 of 40
May 20 02:25:00 mailscanner MailScanner[4114]: Message s4K9IDBL004113 from 54.240.9.7 (0000014618ec85da-4da8b1c4-31b2-4d78-9fa0-86be8b188b9b-000000 at amazonses.com) to XXXXXXXX is not spam, SORBS-SPAM, SpamAssassin (not cached, timed out)
May 20 02:25:00 mailscanner MailScanner[4114]: Delivery of nonspam: message s4K9IDBL004113 from 0000014618ec85da-4da8b1c4-31b2-4d78-9fa0-86be8b188b9b-000000 at amazonses.com to XXXXX at XXXXX with subject [SmugMug] URGENT - Renewing your SmugMug account

Thank you.
Philip Parsons

From pparsons at techeez.com Wed May 21 19:33:59 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 21 May 2014 18:33:59 +0000
Subject: Hey Guys need some help
In-Reply-To: <537CD0D2.10204@msapiro.net>
References: <11D8E491D9562549A61FD3186F36342001D55597DE@exchange.techeez.com> <6EE47AF64C339A4F8F7F50507241B3795EBB5C80@BTN-EXCHANGE-V1.fastnet.local> <537CB881.6030806@msapiro.net> <11D8E491D9562549A61FD3186F36342001D555A096@exchange.techeez.com> <537CD0D2.10204@msapiro.net>
Message-ID: <11D8E491D9562549A61FD3186F36342001D555A7F5@exchange.techeez.com>

It is not the spamassassin file that is the problem it is that it does not find the mailscanner.cf file within the folders...

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: May-21-14 9:14 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: Hey Guys need some help

On 05/21/2014 08:49 AM, Philip Parsons wrote:
> So I have changed that in the file do I need to do something else before it works ? because after the change I run the --lint and it still shows the old location...
Rather than making that file change, why not just create a symlink /root/perl5/etc/mail/spamassassin -> /etc/mail/spamassassin -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From paul at welshfamily.com Wed May 21 22:44:08 2014 From: paul at welshfamily.com (Paul Welsh) Date: Wed, 21 May 2014 22:44:08 +0100 Subject: ClamAV 0.98.3 Message-ID: This release is, I believe, horribly buggy. Getting this regularly in maillog: May 21 19:00:40 mail MailScanner[25244]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: . Having to monitor and restart hourly. Roll on a fix. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140521/a88634eb/attachment.html From Kevin_Miller at ci.juneau.ak.us Wed May 21 22:52:07 2014 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed, 21 May 2014 13:52:07 -0800 Subject: ClamAV 0.98.3 In-Reply-To: References: Message-ID: If you haven?t already, check that the clamd service is running, and check the /var/log/clamav/clamd.log for clues? ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Paul Welsh Sent: Wednesday, May 21, 2014 1:44 PM To: MailScanner discussion Subject: ClamAV 0.98.3 This release is, I believe, horribly buggy. 
Getting this regularly in maillog: May 21 19:00:40 mail MailScanner[25244]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: . Having to monitor and restart hourly. Roll on a fix. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140521/685e532f/attachment.html From it at festa.bg Thu May 22 07:39:59 2014 From: it at festa.bg (Valentin Laskov) Date: Thu, 22 May 2014 09:39:59 +0300 Subject: ClamAV 0.98.3 References: Message-ID: better use ClamAV 0.98.1 or set MailScanner to use clamscan Valentin ----- Original Message ----- From: "Kevin Miller" To: "'MailScanner discussion'" Sent: Thursday, May 22, 2014 12:52 AM Subject: RE: ClamAV 0.98.3 | If you haven?t already, check that the clamd service is running, and check the /var/log/clamav/clamd.log for clues? | | ...Kevin | -- | Kevin Miller | Network/email Administrator, CBJ MIS Dept. | 155 South Seward Street | Juneau, Alaska 99801 | Phone: (907) 586-0242, Fax: (907) 586-4500 | Registered Linux User No: 307357 | From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Paul Welsh | Sent: Wednesday, May 21, 2014 1:44 PM | To: MailScanner discussion | Subject: ClamAV 0.98.3 | | This release is, I believe, horribly buggy. | | Getting this regularly in maillog: | May 21 19:00:40 mail MailScanner[25244]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: . | | Having to monitor and restart hourly. | | Roll on a fix. | -------------------------------------------------------------------------------- From glenn.steen at gmail.com Thu May 22 09:41:38 2014 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu, 22 May 2014 10:41:38 +0200 Subject: NDRs marked as spam In-Reply-To: <536D4C74.9050502@mailborder.com> References: <536D27C7.1020401@mailborder.com> <536D4C74.9050502@mailborder.com> Message-ID: .... 
Unless the "watermark" survives in the NDR, yes, that is as expected. I suppose you've actively set the watermarking stuff? If so, there's really not much to do, other than perhaps reevaluate wether you really want the watermak thingy or not. Cheers! On 9 May 2014 23:45, Jerry Benton wrote: > It was the watermarking. Watermarks + null sender = spam. > > > On 5/9/14, 10:08 PM, Martin Hepworth wrote: > > So what do the logs say about it? > Are you signing the headers outbound or not? > > -- > Martin Hepworth, CISSP > Oxford, UK > > > On 9 May 2014 20:08, Jerry Benton wrote: > >> No, this happens from internal servers relaying emails outbound. The >> MTA is not performing any ip related checks, but I will review in case I >> missed something. >> >> >> On 5/9/14, 8:21 PM, Jeremy McSpadden wrote: >> >> IP found on an RBL at MTA time ? >> >> >> >> -- >> Jeremy McSpadden >> Flux Labs | http://www.fluxlabs.net | Endless Solutions >> Office : 850-250-5590x501 <850-250-5590;501> | Cell : 850-890-2543 | Fax >> : 850-254-2955 >> >> >> >> >> On Fri, May 9, 2014 at 10:06 AM -0700, "Jerry Benton" < >> jerry.benton at mailborder.com> wrote: >> >> Has anyone seen NDRs getting marked as spam without even being scanned >> by SA? I am seeing the behavior and am assuming it is a MailScanner thing >> since the message never seems to pass through SA. >> >> I am assuming the null sender is triggering it. >> >> -- >> >> -- >> Jerry Benton >> Mailborder Systems >> www.mailborder.com >> >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> >> > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140522/013e3989/attachment.html From glenn.steen at gmail.com Thu May 22 09:58:35 2014 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu, 22 May 2014 10:58:35 +0200 Subject: Antivirus performance, AVG In-Reply-To: References: Message-ID: Hi Paul, Seems like something is up with the patterns (in MS) for avg, so one of the maintainers really should look through that part of the code. Back in the days, Jules would be on this;-). The actual perl (in the wrappers and in SweepViruses.pm) is ... voluminous... but perhaps not downright obtuse (since I think I know how it works:-)... There is however a fair bit of massaging of the output from the scanner going on in ProcessAvgOutput (in SweepViruses.pm), so ... If you can generate the output and play with the REs as from that function, maybe you'll find the solution yourself;-). Alas, I myself has next to no time to put into any projects anymore, so can't be of more help. Cheers! -- -- Glenn On 19 May 2014 00:00, Paul Welsh wrote: > Hi folks > > I ran into some problems recently with the performance of clamscan on my > virtual CentOS 6.5 box. Essentially it is slow and resource intensive. It > was causing major performance issues on my server. > > Thought I'd share my findings in case it proves useful to anyone else. 
I > also have a question about AVG Free Edition for Linux > > Here's what my problem was with clamscan: > > Scanned files: 37 > > Time: 34.725 sec (0 m 34 s) > > F-prot was much faster: > > Files: 39 > > Running time: 00:01 > > I wanted to run at least 2 scanners so F-prot was an obvious choice and I > needed to find an alternative for clamscan. > > I tried bitdefender 7.6 but it was nearly as slow as clamscan: > > Files: 40 > > real 0m25.261s > > Of course, anyone with more experience would know that clamd is much > faster than clamav and this is the way I went: > > Scanned files: 37 > > Time: 5.342 sec (0 m 5 s) > > > I also tried AVG Free Edition for Linux from > http://free.avg.com/gb-en/download-free-all-product and this also worked > very well: > > Files scanned : 39(39) > > real 0m0.606s > > > However, I notice that the avg mentioned in > /etc/MailScanner/MailScanner.conf is: > # avg from www.grisoft.com > > Things have obviously moved on from the grisoft.com days and I'm > wondering if avg is working correctly. I have the services running: > root 28596 0.0 0.2 317596 2088 ? Sl May14 0:23 /opt/avg/av/bin//avgd root > 28610 0.0 0.1 85328 1136 ? Sl May14 0:17 /opt/avg/av/bin/avgavid root 28620 > 0.0 0.0 137316 824 ? Sl May14 1:48 /opt/avg/av/bin/avgtcpd root 28625 0.0 > 0.0 297096 864 ? Sl May14 0:06 /opt/avg/av/bin/avgscand -c 3 root 28659 0.0 > 0.0 410860 944 ? 
Sl May14 0:00 /opt/avg/av/bin/avgsched > > If I send an eicar.com attachment with just avg as the configured scanner > I get this; looks OK: > May 18 18:46:34 mail MailScanner[28946]: Avg: Virus identified EICAR_Test > in eicar.com May 18 18:46:34 mail MailScanner[28946]: Virus Scanning: Avg > found 1 infections May 18 18:46:34 mail MailScanner[28946]: Infected > message 1Wm5AP-0007Wu-Rd came from May 18 18:46:34 mail > MailScanner[28946]: Virus Scanning: Found 1 viruses May 18 18:46:34 mail > MailScanner[28946]: Viruses marked as silent: Avg: Found virus EICAR_Test > in file eicar.com > May 18 18:46:43 mail MailScanner[28946]: Cleaned: Delivered 1 cleaned > messages > If I use avg, f-prot and clamd the avg part looks like this. What > concerns me a bit is the string "Test in neicar.com" when the filename > was eicar.com. Also the reference to "icar.com" and "irus" instead of > "Virus": > May 18 18:38:19 mail MailScanner[21420]: Virus Scanning: Clamd found 2 > infections > > May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test > in neicar.com > May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test > in 1Wm52O-0007I7-Jc.message->icar.com > May 18 18:38:20 mail MailScanner[21420]: Avg: irus identified EICAR_Test > in 1Wm52O-0007I7-Jc.message > May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: Avg found 3 > infections > May 18 18:38:20 mail MailScanner[21420]: [Found virus] (exact)> ./1Wm52O-0007I7-Jc/eicar.com > > May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: F-Prot6 found 2 > infections > > I'm half tempted to stop using avg given these formatting issues. Anyone > else using AVG Free Edition for Linux with MailScanner 4.84.5? 
> > I also reduced the number of MailScanner child processes from 5 to 3: > Max Children = 3 > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140522/4f6e9dd6/attachment.html From glenn.steen at gmail.com Thu May 22 10:04:26 2014 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu, 22 May 2014 11:04:26 +0200 Subject: AVG Free Edition for Linux In-Reply-To: References: Message-ID: See "answer" in the other thread;-) Cheers -- -- Glenn On 20 May 2014 21:53, Paul Welsh wrote: > Thanks for the responses about clamd vs clamscan. > > Does anyone have anything to say about AVG Free Edition for Linux from > http://free.avg.com/gb-en/download-free-all-product that I mentioned in > my previous message? > > > Specifically, it is the irregular messages I get when a virus is found > when use avg, f-prot and clamd. > > What concerns me a bit is the string "Test in neicar.com" when the > filename was eicar.com. 
Also the reference to "icar.com" and "irus" > instead of "Virus": > May 18 18:38:19 mail MailScanner[21420]: Virus Scanning: Clamd found 2 > infections > > May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test > in neicar.com > May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test > in 1Wm52O-0007I7-Jc.message->icar.com > May 18 18:38:20 mail MailScanner[21420]: Avg: irus identified EICAR_Test > in 1Wm52O-0007I7-Jc.message > May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: Avg found 3 > infections > May 18 18:38:20 mail MailScanner[21420]: [Found virus] (exact)> ./1Wm52O-0007I7-Jc/eicar.com > > May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: F-Prot6 found 2 > infections > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140522/8fd6cfcb/attachment.html From glenn.steen at gmail.com Thu May 22 10:11:05 2014 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu, 22 May 2014 11:11:05 +0200 Subject: Mailscanner and Spamassassin 3.4 In-Reply-To: <11D8E491D9562549A61FD3186F36342001D555A486@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342001D555A486@exchange.techeez.com> Message-ID: IMO one should set the timeout ridiculously high (several minutes) so that MS never interrupt SA. This was true for bayes expiry problems back when everyone had them as files that ... grew insaly huge over time (bayes_seen in the multi-hundred MiB to GiB range might be a problem in this case... Simple fix though, just delete:-). 
Increasing the timeout would at least avoid the problem of interruption/delivery. Cheers! -- -- Glenn On 21 May 2014 18:58, Philip Parsons wrote: > New issue: > > > > Seems that the new setup is not following the rules, it sees the config > saying time out 40 times but does it once and then delivers the mail? any > hints ??? > > > > May 20 02:24:59 mailscanner MailScanner[4114]: SpamAssassin timed out and > was killed, failure 1 of 40 > > May 20 02:25:00 mailscanner MailScanner[4114]: Message s4K9IDBL004113 from > 54.240.9.7 ( > 0000014618ec85da-4da8b1c4-31b2-4d78-9fa0-86be8b188b9b-000000 at amazonses.com) > to XXXXXXXX is not spam, SORBS-SPAM, SpamAssassin (not cached, timed out) > > May 20 02:25:00 mailscanner MailScanner[4114]: Delivery of nonspam: > message s4K9IDBL004113 from > 0000014618ec85da-4da8b1c4-31b2-4d78-9fa0-86be8b188b9b-000000 at amazonses.comto XXXXX at XXXXXwith subject [SmugMug] URGENT - Renewing your SmugMug account > > > > > > Thank you. > Philip Parsons > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140522/7663ea2b/attachment.html From glenn.steen at gmail.com Thu May 22 10:27:04 2014 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu, 22 May 2014 11:27:04 +0200 Subject: State of cdn.mailscanner.info? Message-ID: Hi guys! I wounder if anyone has a clue as to the state of cdn.mailscanner.info, or rather the host the C-name points to...? # host cdn.mailscanner.info cdn.mailscanner.info is an alias for wwwmailscannertv.bastionnetworksl.netdna-cdn.com. 
Host wwwmailscannertv.bastionnetworksl.netdna-cdn.com not found: 3(NXDOMAIN) Host wwwmailscannertv.bastionnetworksl.netdna-cdn.com not found: 3(NXDOMAIN) # host www.mailscanner.eu www.mailscanner.eu has address 78.153.201.155 # host www.mailscanner.tv www.mailscanner.tv is an alias for jules.mailscanner.info. jules.mailscanner.info has address 78.153.201.155 # With some guesswork, the actual information (phishing etc updates) is from www.mailscanner.eu anyway, so I've of course changed to use that. the problem with cdn.mailscnner.info is that, as I'm sure many of you do, the web bug replacement default is to http://cdn.mailscanner.info/1x1spacer.gif ... For the new ones replaced, all is dandy, but for the already received and stored emails... Well, i noticed the bad state of the site, since I got complaints from users that printing HTML-emails where the web bug had been replaced with the above crashed their OutLook (OL2013... Great Stuff M$!:-). I suppose I could futz this in my local DNS, but I'd rather not have to:-). Cheers! -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140522/4ddf1c82/attachment.html From jerry.benton at mailborder.com Thu May 22 12:27:04 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 22 May 2014 13:27:04 +0200 Subject: State of cdn.mailscanner.info? In-Reply-To: References: Message-ID: I have sent a request to Jules so I can stand up a secondary or mirror site in the Mailborder data center. As soon as I hear back from him I will build out a server. I know this has been a problem for a while. On Thu, May 22, 2014 at 11:27 AM, Glenn Steen wrote: > Hi guys! > > I wounder if anyone has a clue as to the state of cdn.mailscanner.info, > or rather the host the C-name points to...? 
> > # host cdn.mailscanner.info > cdn.mailscanner.info is an alias for > wwwmailscannertv.bastionnetworksl.netdna-cdn.com. > Host wwwmailscannertv.bastionnetworksl.netdna-cdn.com not found: > 3(NXDOMAIN) > Host wwwmailscannertv.bastionnetworksl.netdna-cdn.com not found: > 3(NXDOMAIN) > # host www.mailscanner.eu > www.mailscanner.eu has address 78.153.201.155 > # host www.mailscanner.tv > www.mailscanner.tv is an alias for jules.mailscanner.info. > jules.mailscanner.info has address 78.153.201.155 > # > > With some guesswork, the actual information (phishing etc updates) is from > www.mailscanner.eu anyway, so I've of course changed to use that. > the problem with cdn.mailscnner.info is that, as I'm sure many of you do, > the web bug replacement default is to > http://cdn.mailscanner.info/1x1spacer.gif ... For the new ones replaced, > all is dandy, but for the already received and stored emails... Well, i > noticed the bad state of the site, since I got complaints from users that > printing HTML-emails where the web bug had been replaced with the above > crashed their OutLook (OL2013... Great Stuff M$!:-). > > I suppose I could futz this in my local DNS, but I'd rather not have to:-). > > Cheers! > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140522/b5eeed6c/attachment.html From paul at welshfamily.com Thu May 22 12:51:15 2014 From: paul at welshfamily.com (Paul Welsh) Date: Thu, 22 May 2014 12:51:15 +0100 Subject: Antivirus performance, AVG Message-ID: Thanks for the hints, Glenn. I have no time either so have abandoned AVG. Hopefully someone will read this before trying it and save themselves the bother. On 22 May 2014 12:00, wrote: > > ---------- Forwarded message ---------- > From: Glenn Steen > To: MailScanner discussion > Cc: > Date: Thu, 22 May 2014 10:58:35 +0200 > Subject: Re: Antivirus performance, AVG > Hi Paul, > > Seems like something is up with the patterns (in MS) for avg, so one of > the maintainers really should look through that part of the code. Back in > the days, Jules would be on this;-). > > The actual perl (in the wrappers and in SweepViruses.pm) is ... > voluminous... but perhaps not downright obtuse (since I think I know how it > works:-)... There is however a fair bit of massaging of the output from the > scanner going on in ProcessAvgOutput (in SweepViruses.pm), so ... If you > can generate the output and play with the REs as from that function, maybe > you'll find the solution yourself;-). > > Alas, I myself has next to no time to put into any projects anymore, so > can't be of more help. > > Cheers! > -- > -- Glenn > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140522/a69a44e5/attachment.html From paul at welshfamily.com Thu May 22 13:07:51 2014 From: paul at welshfamily.com (Paul Welsh) Date: Thu, 22 May 2014 13:07:51 +0100 Subject: ClamAV 0.98.3 Message-ID: After I abandoned the use of AVG Free Edition for Linux at http://free.avg.com/gb-en/download.prd-alf the problems with clamd crashing regularly have ceased. f-prot is working fine with clamd. In fact f-prot is, I reckon, a good choice. 
Very fast, no daemon. One I haven't tested but looked promising in terms of price and reputation was ESET Linux File Server Security - http://www.eset.co.uk/Business/File-Security/Linux-File-Server - available at https://shop.eset.co.uk/Store/File-Security for, I believe, ?83 per server per year. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140522/4dafa7bd/attachment.html From jonathanmhorne at outlook.com Fri May 23 03:12:25 2014 From: jonathanmhorne at outlook.com (Jonathan Horne) Date: Fri, 23 May 2014 02:12:25 +0000 Subject: =?utf-8?Q?MailScanner_filtering_out_less_and_less_spam?= Message-ID: Greetings, I have several MailScanner installs that lately, have been allowing an increased amount of spam to deliver. all separate systems, at separate sites, but all behaving the same way. more and more spam each week is getting thru. ive been noticing an increase at least over the past 3-4 weeks. is there anything that can be done? previously when these systems were deployed (about 9-12 months ago, I forget now) they were incredibly effective. thanks for any tips, Jonathan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140523/73f405d7/attachment.html From jeremy at fluxlabs.net Fri May 23 03:25:54 2014 From: jeremy at fluxlabs.net (Jeremy McSpadden) Date: Fri, 23 May 2014 02:25:54 +0000 Subject: MailScanner filtering out less and less spam In-Reply-To: References: Message-ID: RBL or grey listing ? -- Jeremy McSpadden Flux Labs | http://www.fluxlabs.net | Endless Solutions Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 On Thu, May 22, 2014 at 7:22 PM -0700, "Jonathan Horne" > wrote: Greetings, I have several MailScanner installs that lately, have been allowing an increased amount of spam to deliver. 
all separate systems, at separate sites, but all behaving the same way. more and more spam each week is getting thru. ive been noticing an increase at least over the past 3-4 weeks. is there anything that can be done? previously when these systems were deployed (about 9-12 months ago, I forget now) they were incredibly effective. thanks for any tips, Jonathan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140523/8ebeaae9/attachment.html From alex at vidadigital.com.pa Fri May 23 06:21:34 2014 From: alex at vidadigital.com.pa (Alex Neuman) Date: Fri, 23 May 2014 00:21:34 -0500 Subject: MailScanner filtering out less and less spam In-Reply-To: References: Message-ID: Updates to spamassassin? Better ruleset scoring and tuning? *Alex Neuman van der Hans*Reliant Technologies / Vida Digital http://vidadigital.com.pa/ Mobile: +507-6781-9505 Work: +507-832-6725 Work (USA): +1-440-253-9789 Follow *@AlexNeuman * on Twitter Like Vida Digital on Facebook Follow VidaDigital on Instagram Subscribe to Vida Digital on Youtube On Thu, May 22, 2014 at 9:25 PM, Jeremy McSpadden wrote: > RBL or grey listing ? > > -- > Jeremy McSpadden > Flux Labs | http://www.fluxlabs.net | Endless Solutions > Office : 850-250-5590x501 <850-250-5590;501> | Cell : 850-890-2543 | Fax > : 850-254-2955 > > > > > On Thu, May 22, 2014 at 7:22 PM -0700, "Jonathan Horne" < > jonathanmhorne at outlook.com> wrote: > > Greetings, > > I have several MailScanner installs that lately, have been allowing an > increased amount of spam to deliver. all separate systems, at separate > sites, but all behaving the same way. more and more spam each week is > getting thru. ive been noticing an increase at least over the past 3-4 > weeks. > > is there anything that can be done? previously when these systems were > deployed (about 9-12 months ago, I forget now) they were incredibly > effective. 
> > thanks for any tips, > Jonathan > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140523/104cf32e/attachment.html From michael at huntley.net Fri May 23 06:45:12 2014 From: michael at huntley.net (Michael Huntley) Date: Thu, 22 May 2014 22:45:12 -0700 Subject: MailScanner filtering out less and less spam In-Reply-To: References: Message-ID: <537EE068.10502@huntley.net> I always keep a sizable chunk of recent spam on hand to feed to spamassassin. I do it on a 45 day or so schedule. I place the spam in a folder and sa-learn it using the proper user. This seems to keep things sane. Cheers! mph On 5/22/2014 7:12 PM, Jonathan Horne wrote: > Greetings, > > I have several MailScanner installs that lately, have been allowing an > increased amount of spam to deliver. all separate systems, at > separate sites, but all behaving the same way. more and more spam > each week is getting thru. ive been noticing an increase at least over > the past 3-4 weeks. > > is there anything that can be done? previously when these systems > were deployed (about 9-12 months ago, I forget now) they were > incredibly effective. > > thanks for any tips, > Jonathan > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140522/41dd73f0/attachment.html From michael at huntley.net Fri May 23 07:00:28 2014 From: michael at huntley.net (Michael Huntley) Date: Thu, 22 May 2014 23:00:28 -0700 Subject: Antivirus performance, AVG In-Reply-To: References: Message-ID: <537EE3FC.4090701@huntley.net> I got AVG to work. 
I changed this line in virus.scanners.conf:

avg /usr/lib/MailScanner/avg-wrapper /opt/avg/av

Save a copy just-in-case someone blows the dust off this project and releases an update......

Then I edited the wrapper:

/usr/lib/MailScanner/avg-wrapper:

#Add the t option to delete infected object. MailScanner doesn't remove it otherwise...
#probably a code issue. Don't care, throw the beastie away.
ScanOptions="-at"

PackageDir=$1
shift
Prog=avgscan

if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x "${PackageDir}/bin/$Prog" ] && exit 0
  exit 1
fi

# Force output into English
LANG=EN
export LANG

# update AVGs library reference
#Needed For Proper Use Of New AVG
# Prepend the existing LD_LIBRARY_PATH only if one is set: a leading ":"
# leaves an empty entry, which the loader treats as the current directory.
export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/opt/avg/av/lib"
export AVGINSTDIR=/opt/avg/av
export HOME=/opt/avg/av

# $ScanOptions stays unquoted so that several options split into words
exec "$PackageDir/bin/$Prog" $ScanOptions "$@" 2>&1
exit 1
...

Save a backup of the wrapper in case (highly UNLIKELY at this time) MailScanner has an update. HA!

Cheers!

mph

On 5/22/2014 4:51 AM, Paul Welsh wrote:
> Thanks for the hints, Glenn.
>
> I have no time either so have abandoned AVG.
>
> Hopefully someone will read this before trying it and save themselves
> the bother.
>
>
> On 22 May 2014 12:00, wrote:
>
> ---------- Forwarded message ----------
> From: Glenn Steen
> To: MailScanner discussion
> Cc:
> Date: Thu, 22 May 2014 10:58:35 +0200
> Subject: Re: Antivirus performance, AVG
> Hi Paul,
>
> Seems like something is up with the patterns (in MS) for avg, so
> one of the maintainers really should look through that part of the
> code. Back in the days, Jules would be on this;-).
>
> The actual perl (in the wrappers and in SweepViruses.pm) is ...
> voluminous... but perhaps not downright obtuse (since I think I
> know how it works:-)... There is however a fair bit of massaging
> of the output from the scanner going on in ProcessAvgOutput (in
> SweepViruses.pm), so ... If you can generate the output and play
> with the REs as from that function, maybe you'll find the solution
> yourself;-).
>
> Alas, I myself has next to no time to put into any projects
> anymore, so can't be of more help.
>
> Cheers!
> --
> -- Glenn
>
>

From maxsec at gmail.com Fri May 23 14:42:24 2014
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 23 May 2014 14:42:24 +0100
Subject: MailScanner filtering out less and less spam
In-Reply-To: <537EE068.10502@huntley.net>
References: <537EE068.10502@huntley.net>
Message-ID:

Hi
add the SA info into email headers to see what the score and rule hits are (helps with debug), in MailScanner.conf make sure the following are set thus:

Spam Score Number Format = %5.2f
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score Number Format = %5.2f

This should give you some clue as to what's (not) happening as first step

--
Martin Hepworth, CISSP
Oxford, UK

On 23 May 2014 06:45, Michael Huntley wrote:
> I always keep a sizable chunk of recent spam on hand to feed to
> spamassassin. I do it on a 45 day or so schedule. I place the spam in a
> folder and sa-learn it using the proper user. This seems to keep things
> sane.
>
> Cheers!
>
> mph
>
>
> On 5/22/2014 7:12 PM, Jonathan Horne wrote:
>
> Greetings,
>
> I have several MailScanner installs that lately, have been allowing an
> increased amount of spam to deliver. all separate systems, at separate
> sites, but all behaving the same way. more and more spam each week is
> getting thru. I've been noticing an increase at least over the past 3-4
> weeks.
>
> is there anything that can be done? previously when these systems were
> deployed (about 9-12 months ago, I forget now) they were incredibly
> effective.
> > thanks for any tips, > Jonathan > > > > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140523/a390acab/attachment.html From paul at welshfamily.com Fri May 23 18:27:33 2014 From: paul at welshfamily.com (Paul Welsh) Date: Fri, 23 May 2014 18:27:33 +0100 Subject: Antivirus performance, AVG Message-ID: Thanks very much for sharing the steps needed to get the new AVG working, Michael. Currently I'm happy with f-prot + clamd but if I do decide to add AVG or swap it with f-prot then your steps will be handy. On 23 May 2014 12:00, wrote: > > From: Michael Huntley > To: MailScanner discussion > Cc: > Date: Thu, 22 May 2014 23:00:28 -0700 > Subject: Re: Antivirus performance, AVG > I got AVG to work. > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140523/9f49f570/attachment.html From maillists at conactive.com Fri May 23 19:31:03 2014 From: maillists at conactive.com (Kai Schaetzl) Date: Fri, 23 May 2014 20:31:03 +0200 Subject: Mailscanner and Spamassassin 3.4 In-Reply-To: <11D8E491D9562549A61FD3186F36342001D555A486@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342001D555A486@exchange.techeez.com> Message-ID: Philip Parsons wrote on Wed, 21 May 2014 16:58:47 +0000: > Seems that the new setup is not following the rules what new setup? Are you talking about moving from SA 3.3 to 3.4? I did months ago. I haven't seen any issues. 
Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Fri May 23 19:31:03 2014 From: maillists at conactive.com (Kai Schaetzl) Date: Fri, 23 May 2014 20:31:03 +0200 Subject: =?utf-8?Q?MailScanner_filtering_out_less_and_less_spam?= In-Reply-To: References: Message-ID: compare the scores with older scores. Easy if you have Mailwatch or other interface installed. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From pparsons at techeez.com Fri May 23 19:41:32 2014 From: pparsons at techeez.com (Philip Parsons) Date: Fri, 23 May 2014 18:41:32 +0000 Subject: MailScanner filtering out less and less spam In-Reply-To: References: Message-ID: <11D8E491D9562549A61FD3186F36342001D555E6AD@exchange.techeez.com> What version of spamassassin are you using upgrade to 3.4 it is very good. From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jonathan Horne Sent: May-22-14 7:12 PM To: mailscanner at lists.mailscanner.info Subject: MailScanner filtering out less and less spam Greetings, I have several MailScanner installs that lately, have been allowing an increased amount of spam to deliver. all separate systems, at separate sites, but all behaving the same way. more and more spam each week is getting thru. ive been noticing an increase at least over the past 3-4 weeks. is there anything that can be done? previously when these systems were deployed (about 9-12 months ago, I forget now) they were incredibly effective. thanks for any tips, Jonathan -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140523/ebce73be/attachment.html From mailscanner at barendse.to Sun May 25 23:06:55 2014 From: mailscanner at barendse.to (Remco Barendse) Date: Mon, 26 May 2014 00:06:55 +0200 (CEST) Subject: State of cdn.mailscanner.info? In-Reply-To: References: Message-ID: On Thu, 22 May 2014, Glenn Steen wrote: > Hi guys! > I wounder if anyone has a clue as to the state of cdn.mailscanner.info, or rather the host the C-name points to...? Unfortunately it seems the entire MailScanner project has turned into abandonware, really a pity, it still does a great job filtering my email Some people on this list did a great job fixing some bugs but never saw a new release out, hope Jules will hand over the project to the active developers > # host cdn.mailscanner.info > cdn.mailscanner.info is an alias for wwwmailscannertv.bastionnetworksl.netdna-cdn.com. > Host wwwmailscannertv.bastionnetworksl.netdna-cdn.com not found: 3(NXDOMAIN) > Host wwwmailscannertv.bastionnetworksl.netdna-cdn.com not found: 3(NXDOMAIN) > # host www.mailscanner.eu > www.mailscanner.eu has address 78.153.201.155 > # host www.mailscanner.tv > www.mailscanner.tv is an alias for jules.mailscanner.info. > jules.mailscanner.info has address 78.153.201.155 > #? > > With some guesswork, the actual information (phishing etc updates) is from www.mailscanner.eu anyway, so I've of course changed to use that. > the problem with cdn.mailscnner.info is that, as I'm sure many of you do, the web bug replacement default is to http://cdn.mailscanner.info/1x1spacer.gif ... For > the new ones replaced, all is dandy, but for the already received and stored emails... Well, i noticed the bad state of the site, since I got complaints from users > that printing HTML-emails where the web bug had been replaced with the above crashed their OutLook (OL2013... Great Stuff M$!:-). > > I suppose I could futz this in my local DNS, but I'd rather not have to:-). > > Cheers! 
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>
>

From jerry.benton at mailborder.com Mon May 26 12:34:30 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 26 May 2014 13:34:30 +0200
Subject: State of cdn.mailscanner.info?
In-Reply-To:
References:
Message-ID: <44DC350D-89EA-4D4F-B20E-9C6A122487E5@mailborder.com>

It's not abandoned. It is just moving really slow. I will have the time to start focusing more on it around the middle of June. I am going to try and get a new release out sometime around then.

- Jerry Benton
www.mailborder.com

On May 26, 2014, at 12:06 AM, Remco Barendse wrote:

> On Thu, 22 May 2014, Glenn Steen wrote:
>
>> Hi guys!
>> I wonder if anyone has a clue as to the state of cdn.mailscanner.info, or rather the host the C-name points to...?
>
> Unfortunately it seems the entire MailScanner project has turned into abandonware, really a pity, it still does a great job filtering my email
>
> Some people on this list did a great job fixing some bugs but never saw a new release out, hope Jules will hand over the project to the active developers
>
>
>> # host cdn.mailscanner.info
>> cdn.mailscanner.info is an alias for wwwmailscannertv.bastionnetworksl.netdna-cdn.com.
>> Host wwwmailscannertv.bastionnetworksl.netdna-cdn.com not found: 3(NXDOMAIN)
>> Host wwwmailscannertv.bastionnetworksl.netdna-cdn.com not found: 3(NXDOMAIN)
>> # host www.mailscanner.eu
>> www.mailscanner.eu has address 78.153.201.155
>> # host www.mailscanner.tv
>> www.mailscanner.tv is an alias for jules.mailscanner.info.
>> jules.mailscanner.info has address 78.153.201.155
>> #
>> With some guesswork, the actual information (phishing etc updates) is from www.mailscanner.eu anyway, so I've of course changed to use that.
>> the problem with cdn.mailscnner.info is that, as I'm sure many of you do, the web bug replacement default is to http://cdn.mailscanner.info/1x1spacer.gif ...
For >> the new ones replaced, all is dandy, but for the already received and stored emails... Well, i noticed the bad state of the site, since I got complaints from users >> that printing HTML-emails where the web bug had been replaced with the above crashed their OutLook (OL2013... Great Stuff M$!:-). >> I suppose I could futz this in my local DNS, but I'd rather not have to:-). >> Cheers! >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140526/a45d5b9c/attachment.html From richard at fastnet.co.uk Tue May 27 09:30:01 2014 From: richard at fastnet.co.uk (Richard Mealing) Date: Tue, 27 May 2014 08:30:01 +0000 Subject: Message that was not processed. Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBC1165@BTN-EXCHANGE-V1.fastnet.local> Hi, I have a problem with a TNEF encoded attachment. I have now added the user to a rule set to deliver unparsable attachments. I found the following in my debug output. MIME::Body::File->open /tmpfs/7154/s4M9MvRV091763/tTikWaiChan: No such file or directory at /usr/local/lib/perl5/site_perl/5.14/MIME/Body.pm line 435. The file is not there, so the error is correct. I'm wondering if there is a fix for this or any advice? Thanks, Rich -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140527/eaf9f514/attachment.html From phil.randal at hoopleltd.co.uk Tue May 27 10:44:10 2014 From: phil.randal at hoopleltd.co.uk (Randal, Phil) Date: Tue, 27 May 2014 09:44:10 +0000 Subject: Message that was not processed. In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EBC1165@BTN-EXCHANGE-V1.fastnet.local> References: <6EE47AF64C339A4F8F7F50507241B3795EBC1165@BTN-EXCHANGE-V1.fastnet.local> Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B857EA07292@HC-EXMBX04.herefordshire.gov.uk> Get the TNEF.pm from the MailScanner Git repository. That may fix the issue. Cheers, Phil -- Phil Randal Infrastructure Engineer Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT Tel: 01432 260415 | Email: phil.randal at hoopleltd.co.uk From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Richard Mealing Sent: 27 May 2014 09:30 To: 'MailScanner discussion (mailscanner at lists.mailscanner.info)' Subject: Message that was not processed. Hi, I have a problem with a TNEF encoded attachment. I have now added the user to a rule set to deliver unparsable attachments. I found the following in my debug output. MIME::Body::File->open /tmpfs/7154/s4M9MvRV091763/tTikWaiChan: No such file or directory at /usr/local/lib/perl5/site_perl/5.14/MIME/Body.pm line 435. The file is not there, so the error is correct. I'm wondering if there is a fix for this or any advice? Thanks, Rich Hoople Ltd, Registered in England and Wales No. 7556595 Registered office: Plough Lane, Hereford, HR4 0LE "Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. 
If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it." -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140527/bcd6c10d/attachment.html From maxsec at gmail.com Tue May 27 10:48:13 2014 From: maxsec at gmail.com (Martin Hepworth) Date: Tue, 27 May 2014 10:48:13 +0100 Subject: Message that was not processed. In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EBC1165@BTN-EXCHANGE-V1.fastnet.local> References: <6EE47AF64C339A4F8F7F50507241B3795EBC1165@BTN-EXCHANGE-V1.fastnet.local> Message-ID: Which TNEF module are you using? Try the other one.. oh and try and get the end user to stop using tnef is at all possible. -- Martin Hepworth, CISSP Oxford, UK On 27 May 2014 09:30, Richard Mealing wrote: > Hi, > > > > I have a problem with a TNEF encoded attachment. I have now added the user > to a rule set to deliver unparsable attachments. > > > > I found the following in my debug output. > > > > MIME::Body::File->open /tmpfs/7154/s4M9MvRV091763/tTikWaiChan: No such > file or directory at /usr/local/lib/perl5/site_perl/5.14/MIME/Body.pm line > 435. > > > > The file is not there, so the error is correct. I?m wondering if there is > a fix for this or any advice? > > > > Thanks, > > Rich > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140527/e1355c06/attachment.html From jonathanmhorne at outlook.com Tue May 27 15:20:14 2014 From: jonathanmhorne at outlook.com (Jonathan Horne) Date: Tue, 27 May 2014 14:20:14 +0000 Subject: =?utf-8?Q?Re:_MailScanner_filtering_out_less_and_less_spam?= Message-ID: im not totally sure, what ever the default config gave me. how can I tell? From: Jeremy McSpadden Sent: ?Thursday?, ?May? ?22?, ?2014 ?10?:?12? ?PM To: mailscanner at lists.mailscanner.info RBL or grey listing ? -- Jeremy McSpadden Flux Labs | http://www.fluxlabs.net | Endless Solutions Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 On Thu, May 22, 2014 at 7:22 PM -0700, "Jonathan Horne" wrote: Greetings, I have several MailScanner installs that lately, have been allowing an increased amount of spam to deliver. all separate systems, at separate sites, but all behaving the same way. more and more spam each week is getting thru. ive been noticing an increase at least over the past 3-4 weeks. is there anything that can be done? previously when these systems were deployed (about 9-12 months ago, I forget now) they were incredibly effective. thanks for any tips, Jonathan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140527/b36bf3a2/attachment.html -------------- next part -------------- -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From jonathanmhorne at outlook.com Tue May 27 15:24:04 2014 From: jonathanmhorne at outlook.com (Jonathan Horne) Date: Tue, 27 May 2014 14:24:04 +0000 Subject: =?utf-8?Q?Re:_MailScanner_filtering_out_less_and_less_spam?= Message-ID: the only one not enabled as Always Include SpamAssassin Report. 
the spam score number format was %d I think, but I tried the setting below, looks like that will be more verbose. overall, im not seeing rules get skipped, but emails that are obviously spams are just being no scored as such. thanks for the advice! From: Martin Hepworth Sent: ?Friday?, ?May? ?23?, ?2014 ?9?:?32? ?AM To: mailscanner at lists.mailscanner.info Hi add the SA info into email headers to see what the score and rule hits are ( helps with debug), in MailScanner.conf make sure the follow are set thus: Spam Score Number Format = %5.2f Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = yes Spam Score Number Format = %5.2f This should give you some clue as to whats (not) happening as first step -- Martin Hepworth, CISSP Oxford, UK On 23 May 2014 06:45, Michael Huntley wrote: I always keep a sizable chunk of recent spam on hand to feed to spamassassin. I do it on a 45 day or so schedule. I place the spam in a folder and sa-learn it using the proper user. This seems to keep things sane. Cheers! mph On 5/22/2014 7:12 PM, Jonathan Horne wrote: Greetings, I have several MailScanner installs that lately, have been allowing an increased amount of spam to deliver. all separate systems, at separate sites, but all behaving the same way. more and more spam each week is getting thru. ive been noticing an increase at least over the past 3-4 weeks. is there anything that can be done? previously when these systems were deployed (about 9-12 months ago, I forget now) they were incredibly effective. thanks for any tips, Jonathan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140527/19e6d099/attachment.html

From richard at fastnet.co.uk Tue May 27 16:51:25 2014
From: richard at fastnet.co.uk (Richard Mealing)
Date: Tue, 27 May 2014 15:51:25 +0000
Subject: MailScanner filtering out less and less spam
In-Reply-To:
References:
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBC1F12@BTN-EXCHANGE-V1.fastnet.local>

If you don't have mailwatch you can turn on "Log Non Spam", then you can see the scores in the logs. Maybe your threshold is wrong or you have turned it off altogether?

If you use clamav then you can add the signatures from sanesecurity and then you can treat emails as spam through the "Virus Names Which Are Spam" option.

For example -

Thanks,
Rich

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jonathan Horne
Sent: 27 May 2014 15:24
To: mailscanner at lists.mailscanner.info
Subject: Re: MailScanner filtering out less and less spam

the only one not enabled was Always Include SpamAssassin Report. the spam score number format was %d I think, but I tried the setting below, looks like that will be more verbose.

overall, I'm not seeing rules get skipped, but emails that are obviously spams are just being not scored as such.

thanks for the advice!

From: Martin Hepworth
Sent: Friday, May 23, 2014 9:32 AM
To: mailscanner at lists.mailscanner.info

Hi
add the SA info into email headers to see what the score and rule hits are (helps with debug), in MailScanner.conf make sure the following are set thus:

Spam Score Number Format = %5.2f
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score Number Format = %5.2f

This should give you some clue as to what's (not) happening as first step

--
Martin Hepworth, CISSP
Oxford, UK

On 23 May 2014 06:45, Michael Huntley wrote:

I always keep a sizable chunk of recent spam on hand to feed to spamassassin. I do it on a 45 day or so schedule. I place the spam in a folder and sa-learn it using the proper user. This seems to keep things sane.

Cheers!

mph

On 5/22/2014 7:12 PM, Jonathan Horne wrote:

Greetings,

I have several MailScanner installs that lately, have been allowing an increased amount of spam to deliver. all separate systems, at separate sites, but all behaving the same way. more and more spam each week is getting thru. I've been noticing an increase at least over the past 3-4 weeks.

is there anything that can be done? previously when these systems were deployed (about 9-12 months ago, I forget now) they were incredibly effective.

thanks for any tips,
Jonathan

From pparsons at techeez.com Wed May 28 02:37:56 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 28 May 2014 01:37:56 +0000
Subject: Has anyone seen when the load on a MailScanner server
Message-ID:

Gets too high like 5 or 6 that MailScanner marks all messages as spam?
If you have seen this is there something we can change that changes the process ? Thank you P Parsons From mailscanner at joolee.nl Wed May 28 07:57:04 2014 From: mailscanner at joolee.nl (Joolee) Date: Wed, 28 May 2014 08:57:04 +0200 Subject: Has anyone seen when the load on a MailScanner server In-Reply-To: References: Message-ID: You probably hit a timeout somewhere. Can you find out from the logs which component times out? On 28 May 2014 03:37, Philip Parsons wrote: > Gets too high like 5 or 6 that MailScanner marks all messages as spam ? If > you have seen this is there something we can change that changes the > process ? > > Thank you > P Parsons > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140528/5d398c3a/attachment.html From jerry.benton at mailborder.com Wed May 28 08:46:53 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 28 May 2014 09:46:53 +0200 Subject: Has anyone seen when the load on a MailScanner server In-Reply-To: References: Message-ID: What is happening is your queue is exceeding the threshold set (800 by default I think) where MailScanner just starts to process the email without scanning it. If your server is getting hit by a surge of email and MailScanner cannot keep up, it stops doing checks. Of course, I could be wrong. Happens a lot. On Wed, May 28, 2014 at 8:57 AM, Joolee wrote: > You probably hit a timeout somewhere. Can you find out from the logs which > component times out? > > > On 28 May 2014 03:37, Philip Parsons wrote: > >> Gets too high like 5 or 6 that MailScanner marks all messages as spam ? 
>> If you have seen this is there something we can change that changes the >> process ? >> >> Thank you >> P Parsons >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140528/e348e9d2/attachment.html From glenn.steen at gmail.com Wed May 28 11:54:08 2014 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed, 28 May 2014 12:54:08 +0200 Subject: State of cdn.mailscanner.info? In-Reply-To: References: Message-ID: Hi Jerry, It'd be great if you could get this sorted, of course. The easy stop-gap thing to do would of course be to just point the cdn.mailscanner.info CNAME to www.mailscanner.eu ...:-). Cheers! -- -- Glenn On 22 May 2014 13:27, Jerry Benton wrote: > I have sent a request to Jules so I can stand up a secondary or mirror > site in the Mailborder data center. As soon as I hear back from him I will > build out a server. I know this has been a problem for a while. > > > On Thu, May 22, 2014 at 11:27 AM, Glenn Steen wrote: > >> Hi guys! >> >> I wounder if anyone has a clue as to the state of cdn.mailscanner.info, >> or rather the host the C-name points to...? >> >> # host cdn.mailscanner.info >> cdn.mailscanner.info is an alias for >> wwwmailscannertv.bastionnetworksl.netdna-cdn.com. 
>> Host wwwmailscannertv.bastionnetworksl.netdna-cdn.com not found: >> 3(NXDOMAIN) >> Host wwwmailscannertv.bastionnetworksl.netdna-cdn.com not found: >> 3(NXDOMAIN) >> # host www.mailscanner.eu >> www.mailscanner.eu has address 78.153.201.155 >> # host www.mailscanner.tv >> www.mailscanner.tv is an alias for jules.mailscanner.info. >> jules.mailscanner.info has address 78.153.201.155 >> # >> >> With some guesswork, the actual information (phishing etc updates) is >> from www.mailscanner.eu anyway, so I've of course changed to use that. >> the problem with cdn.mailscnner.info is that, as I'm sure many of you >> do, the web bug replacement default is to >> http://cdn.mailscanner.info/1x1spacer.gif ... For the new ones replaced, >> all is dandy, but for the already received and stored emails... Well, i >> noticed the bad state of the site, since I got complaints from users that >> printing HTML-emails where the web bug had been replaced with the above >> crashed their OutLook (OL2013... Great Stuff M$!:-). >> >> I suppose I could futz this in my local DNS, but I'd rather not have >> to:-). >> >> Cheers! >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed May 28 11:59:50 2014
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed, 28 May 2014 12:59:50 +0200
Subject: MailScanner filtering out less and less spam
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EBC1F12@BTN-EXCHANGE-V1.fastnet.local>
References: <6EE47AF64C339A4F8F7F50507241B3795EBC1F12@BTN-EXCHANGE-V1.fastnet.local>
Message-ID:

And beware excessive whitelisting! Some of that stuff may well bite you!;-)

--
-- Glenn

On 27 May 2014 17:51, Richard Mealing wrote:

> If you don't have mailwatch you can turn on "Log Non Spam", then you can
> see the scores in the logs. Maybe your threshold is wrong or you have
> turned it off altogether?
>
> If you use clamav then you can add the signatures from sanesecurity and
> then you can treat emails as spam through the "Virus Names Which Are Spam"
> option.
>
> For example -
>
> Thanks,
> Rich
>
> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Jonathan Horne
> *Sent:* 27 May 2014 15:24
> *To:* mailscanner at lists.mailscanner.info
> *Subject:* Re: MailScanner filtering out less and less spam
>
> the only one not enabled was Always Include SpamAssassin Report. the spam
> score number format was %d I think, but I tried the setting below, looks
> like that will be more verbose.
>
> overall, I'm not seeing rules get skipped, but emails that are obviously
> spams are just being not scored as such.
>
> thanks for the advice!
>
> *From:* Martin Hepworth
> *Sent:* Friday, May 23, 2014 9:32 AM
> *To:* mailscanner at lists.mailscanner.info
>
> Hi
> add the SA info into email headers to see what the score and rule hits are
> (helps with debug), in MailScanner.conf make sure the following are set
> thus:
>
> Spam Score Number Format = %5.2f
> Detailed Spam Report = yes
> Include Scores In SpamAssassin Report = yes
> Always Include SpamAssassin Report = yes
> Spam Score Number Format = %5.2f
>
> This should give you some clue as to what's (not) happening as first step
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
> On 23 May 2014 06:45, Michael Huntley wrote:
>
> I always keep a sizable chunk of recent spam on hand to feed to
> spamassassin. I do it on a 45 day or so schedule. I place the spam in a
> folder and sa-learn it using the proper user. This seems to keep things
> sane.
>
> Cheers!
>
> mph
>
> On 5/22/2014 7:12 PM, Jonathan Horne wrote:
>
> Greetings,
>
> I have several MailScanner installs that lately, have been allowing an
> increased amount of spam to deliver. all separate systems, at separate
> sites, but all behaving the same way. more and more spam each week is
> getting thru. I've been noticing an increase at least over the past 3-4
> weeks.
>
> is there anything that can be done? previously when these systems were
> deployed (about 9-12 months ago, I forget now) they were incredibly
> effective.
>
> thanks for any tips,
> Jonathan

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From richard at fastnet.co.uk Wed May 28 13:17:33 2014
From: richard at fastnet.co.uk (Richard Mealing)
Date: Wed, 28 May 2014 12:17:33 +0000
Subject: MailScanner filtering out less and less spam
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EBC1F12@BTN-EXCHANGE-V1.fastnet.local>
References: <6EE47AF64C339A4F8F7F50507241B3795EBC1F12@BTN-EXCHANGE-V1.fastnet.local>
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBC4CBA@BTN-EXCHANGE-V1.fastnet.local>

Hit the wrong button and omitted my example..

Anyway, here's my example -

#Sanesecurity Signature (jurlbl.ndb)
header SPAMVIRUSJurlbl X-YOURORGANISATION-MailScanner-SpamVirus-Report =~ /Sanesecurity.Jurlbl/i
score SPAMVIRUSJurlbl 4.0
describe SPAMVIRUSJurlbl Spam Virus Junk

There are loads of databases you can use, it's a fantastic "bolt on" to clamd.

Thanks,
Rich

From Denis.Beauchemin at usherbrooke.ca Wed May 28 13:20:27 2014
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Wed, 28 May 2014 12:20:27 +0000
Subject: Has anyone seen when the load on a MailScanner server
In-Reply-To:
References:
Message-ID:

I believe you are wrong. When there are too many emails in the inqueue, MS will still check the email contents, it will just not check the mails in the order they were received. It will pick the first N mails it sees in the queue whether they just arrived or have been sitting there for some time. Usually MS picks the oldest mails first.

Denis

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 28 May 2014 03:54
To: MailScanner discussion
Subject: Re: Has anyone seen when the load on a MailScanner server

What is happening is your queue is exceeding the threshold set (800 by default I think) where MailScanner just starts to process the email without scanning it. If your server is getting hit by a surge of email and MailScanner cannot keep up, it stops doing checks.

Of course, I could be wrong. Happens a lot.

On Wed, May 28, 2014 at 8:57 AM, Joolee wrote:

You probably hit a timeout somewhere. Can you find out from the logs which component times out?

On 28 May 2014 03:37, Philip Parsons wrote:

Gets too high like 5 or 6 that MailScanner marks all messages as spam ? If you have seen this is there something we can change that changes the process ?

Thank you
P Parsons

--
Jerry Benton
Mailborder Systems
www.mailborder.com

From richard at fastnet.co.uk Wed May 28 13:22:23 2014
From: richard at fastnet.co.uk (Richard Mealing)
Date: Wed, 28 May 2014 12:22:23 +0000
Subject: Has anyone seen when the load on a MailScanner server
In-Reply-To:
References:
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBC4CD2@BTN-EXCHANGE-V1.fastnet.local>

I'm not sure that is correct, but I may be wrong too!

# If more messages are found in the queue than this, then switch to an
# "accelerated" mode of processing messages. This will cause it to stop
# scanning messages in strict date order, but in the order it finds them
# in the queue. If your queue is bigger than this size a lot of the time,
# then some messages could be greatly delayed. So treat this option as
# "in emergency only".
Max Normal Queue Size = 2000

So it just stops in the date order and goes for what is top of the queue. I set mine to 2000 but it never reaches that now I have made all my changes.

You should look into tmpfs, it has brought down the load on my servers considerably. I use it for a few things now -

Incoming Work Dir = /tmpfs
SpamAssassin Cache Database File = /tmpfs/SpamAssassin.cache.db
SpamAssassin Temporary Dir = /tmpfs

Maybe run some gstat commands and check your disks are behaving. If not, then implement tmpfs.

Thanks!
Rich
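
The tmpfs settings in the message above can be verified mechanically. The following check is an added example, not part of the original post or of MailScanner: it reads MailScanner.conf-style text and a /proc/mounts-style mount table and reports whether each of the three paths resolves to a tmpfs mount. The function names, both sample inputs and the key normalisation are assumptions made for the illustration.

```python
"""Check that MailScanner's scratch paths sit on a tmpfs mount.

Added example. SAMPLE_CONF and SAMPLE_MOUNTS are constructed inputs; on a
Linux host pass the text of MailScanner.conf and /proc/mounts instead.
"""
import posixpath

# The three settings named in the message above.
SCRATCH_KEYS = (
    "Incoming Work Dir",
    "SpamAssassin Cache Database File",
    "SpamAssassin Temporary Dir",
)

SAMPLE_CONF = """\
# constructed excerpt in MailScanner.conf "Key = Value" syntax
Max Normal Queue Size = 2000
Incoming Work Dir = /tmpfs
SpamAssassin Cache Database File = /tmpfs/SpamAssassin.cache.db
SpamAssassin Temporary Dir = /var/spool/MailScanner/sa-tmp
"""

SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmpfs tmpfs rw,nosuid,nodev,size=1048576k 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
"""


def _norm(key):
    # Assumption: compare keys case-insensitively, ignoring extra spaces.
    return " ".join(key.lower().split())


def parse_conf(text):
    """Return {normalised key: value}, skipping comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[_norm(key)] = value.strip()
    return settings


def parse_mounts(text):
    """Return [(mount point, fs type)] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts.append((posixpath.normpath(fields[1]), fields[2]))
    return mounts


def fs_type_for(path, mounts):
    """File system type of the longest mount point that contains path."""
    path = posixpath.normpath(path)
    best, best_type = "", None
    for point, fstype in mounts:
        prefix = point if point.endswith("/") else point + "/"
        inside = path == point or path.startswith(prefix)
        if inside and len(point) >= len(best):
            best, best_type = point, fstype
    return best_type


def check_scratch_paths(conf_text, mounts_text):
    """Map each scratch setting to (path, fs type, on_tmpfs)."""
    settings = parse_conf(conf_text)
    mounts = parse_mounts(mounts_text)
    report = {}
    for key in SCRATCH_KEYS:
        path = settings.get(_norm(key))
        fstype = fs_type_for(path, mounts) if path else None
        report[key] = (path, fstype, fstype == "tmpfs")
    return report


if __name__ == "__main__":
    result = check_scratch_paths(SAMPLE_CONF, SAMPLE_MOUNTS)
    for key, (path, fstype, ok) in result.items():
        print(f"{'ok  ' if ok else 'WARN'} {key} = {path} ({fstype})")
```

In the constructed sample the third setting still points at a disk-backed directory, so it is the one reported with WARN.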

From jerry.benton at mailborder.com Wed May 28 14:39:16 2014
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 28 May 2014 15:39:16 +0200
Subject: Has anyone seen when the load on a MailScanner server
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EBC4CD2@BTN-EXCHANGE-V1.fastnet.local>
References: <6EE47AF64C339A4F8F7F50507241B3795EBC4CD2@BTN-EXCHANGE-V1.fastnet.local>
Message-ID:

See ... my wife was right. I am wrong all the time.

On the same note, I am seeing similar behavior on a lab server I just built testing out Ubuntu 14.04. I will email results when (if) I have them.

--
Jerry Benton
Mailborder Systems
www.mailborder.com

From richard at fastnet.co.uk Wed May 28 15:33:12 2014
From: richard at fastnet.co.uk (Richard Mealing)
Date: Wed, 28 May 2014 14:33:12 +0000
Subject: Has anyone seen when the load on a MailScanner server
In-Reply-To:
References: <6EE47AF64C339A4F8F7F50507241B3795EBC4CD2@BTN-EXCHANGE-V1.fastnet.local>
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBC507C@BTN-EXCHANGE-V1.fastnet.local>

Hi Jerry,

When it happens, try deleting the Processing.db and tail the logs. You don't even need to restart mailscanner. See if that fixes the problem.

I'm curious to see your results..

Thanks,
Rich

From pparsons at techeez.com Wed May 28 16:11:20 2014
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 28 May 2014 15:11:20 +0000
Subject: Has anyone seen when the load on a MailScanner server
In-Reply-To:
References: <6EE47AF64C339A4F8F7F50507241B3795EBC4CD2@BTN-EXCHANGE-V1.fastnet.local>,
Message-ID: <268A230D-F977-4A28-8F55-CE9572DBA62D@techeez.com>

I will look into the queue size setting. But this does not seem to be the issue. What happened is all the emails every single one got marked as spam so were not delivered even the white listed ones.

Thank you
P Parsons

From maxsec at gmail.com Wed May 28 17:08:07 2014
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed, 28 May 2014 17:08:07 +0100
Subject: Has anyone seen when the load on a MailScanner server
In-Reply-To: <268A230D-F977-4A28-8F55-CE9572DBA62D@techeez.com>
References: <6EE47AF64C339A4F8F7F50507241B3795EBC4CD2@BTN-EXCHANGE-V1.fastnet.local> <268A230D-F977-4A28-8F55-CE9572DBA62D@techeez.com>
Message-ID:

why did they get marked as spam? what rules hit?

--
Martin Hepworth, CISSP
Oxford, UK
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140528/63e66f27/attachment.html From pparsons at techeez.com Thu May 29 23:54:10 2014 From: pparsons at techeez.com (Philip Parsons) Date: Thu, 29 May 2014 22:54:10 +0000 Subject: Has anyone seen when the load on a MailScanner server In-Reply-To: References: <6EE47AF64C339A4F8F7F50507241B3795EBC4CD2@BTN-EXCHANGE-V1.fastnet.local> Message-ID: <11D8E491D9562549A61FD3186F36342001D5565C9E@exchange.techeez.com> So digging further into this I have found that it is at the same time there are a bunch of these messages in the logs.. May 23 15:06:15 MailScanner[4971]: Commercial scanner clamav timed out! May 23 15:06:15 MailScanner[4971]: clamav: Failed to complete, timed out May 23 15:06:15 MailScanner[4971]: Virus Scanning: Denial Of Service attack is in message s4NLTn3v008504 I do not know of a section in Mailscanner.conf related to that ? From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: May-28-14 6:39 AM To: MailScanner discussion Subject: Re: Has anyone seen when the load on a MailScanner server See ... my wife was right. I am wrong all the time. On the same note, I am seeing similar behavior on a lab server I just built testing out Ubuntu 14.04. I will email results when (if) I have them. On Wed, May 28, 2014 at 2:22 PM, Richard Mealing > wrote: I?m not sure that is correct, but I may be wrong too! # If more messages are found in the queue than this, then switch to an # "accelerated" mode of processing messages. This will cause it to stop # scanning messages in strict date order, but in the order it finds them # in the queue. If your queue is bigger than this size a lot of the time, # then some messages could be greatly delayed. So treat this option as # "in emergency only". Max Normal Queue Size = 2000 So it just stops in the date order and goes for what is top of the queue. 
I set mine to 2000 but it never reaches that now I have made all my changes. You should look into tmpfs, it has brought down the load on my servers considerably. I use it for a few things now ? Incoming Work Dir = /tmpfs SpamAssassin Cache Database File = /tmpfs/SpamAssassin.cache.db SpamAssassin Temporary Dir = /tmpfs Maybe run some gstat commands and check your disks are behaving. If not, then implement tmpfs. Thanks! Rich From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: 28 May 2014 08:47 To: MailScanner discussion Subject: Re: Has anyone seen when the load on a MailScanner server What is happening is your queue is exceeding the threshold set (800 by default I think) where MailScanner just starts to process the email without scanning it. If your server is getting hit by a surge of email and MailScanner cannot keep up, it stops doing checks. Of course, I could be wrong. Happens a lot. On Wed, May 28, 2014 at 8:57 AM, Joolee > wrote: You probably hit a timeout somewhere. Can you find out from the logs which component times out? On 28 May 2014 03:37, Philip Parsons > wrote: Gets too high like 5 or 6 that MailScanner marks all messages as spam ? If you have seen this is there something we can change that changes the process ? Thank you P Parsons -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 

--
Jerry Benton
Mailborder Systems
www.mailborder.com

From richard at fastnet.co.uk Fri May 30 10:49:53 2014
From: richard at fastnet.co.uk (Richard Mealing)
Date: Fri, 30 May 2014 09:49:53 +0000
Subject: Has anyone seen when the load on a MailScanner server
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D5565C9E@exchange.techeez.com>
References: <6EE47AF64C339A4F8F7F50507241B3795EBC4CD2@BTN-EXCHANGE-V1.fastnet.local> <11D8E491D9562549A61FD3186F36342001D5565C9E@exchange.techeez.com>
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EBC6E92@BTN-EXCHANGE-V1.fastnet.local>

It sounds like you have some high load on your server. Have you looked at your disk i/o activity? I was getting the same thing with mine some time ago so I had to make some drastic changes to bring the load down.

You should look at things before the mailscanner process, such as RBL's on your MTA, fail2ban to block malicious senders (fantastic program btw), moving your tmp directories to RAM disk, or adding more servers to compensate for the load.

Thanks,
Rich

From maillists at conactive.com Fri May 30 10:52:06 2014
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri, 30 May 2014 11:52:06 +0200
Subject: Has anyone seen when the load on a MailScanner server
In-Reply-To: <11D8E491D9562549A61FD3186F36342001D5565C9E@exchange.techeez.com>
References: <6EE47AF64C339A4F8F7F50507241B3795EBC4CD2@BTN-EXCHANGE-V1.fastnet.local> <11D8E491D9562549A61FD3186F36342001D5565C9E@exchange.techeez.com>
Message-ID:

Philip Parsons wrote on Thu, 29 May 2014 22:54:10 +0000:

> I do not know of a section in Mailscanner.conf related to that ?

https://www.google.de/search?hl=de&as_q=&as_epq=Denial+Of+Service+attack+is+in+message

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From it at festa.bg Fri May 30 12:46:54 2014
From: it at festa.bg (Valentin Laskov)
Date: Fri, 30 May 2014 14:46:54 +0300
Subject: Has anyone seen when the load on a MailScanner server
References: <6EE47AF64C339A4F8F7F50507241B3795EBC4CD2@BTN-EXCHANGE-V1.fastnet.local> <11D8E491D9562549A61FD3186F36342001D5565C9E@exchange.techeez.com>
Message-ID:

----- Original Message -----
From: "Philip Parsons"
Sent: Friday, May 30, 2014 1:54 AM

|
| May 23 15:06:15 MailScanner[4971]: Commercial scanner clamav timed out!
| May 23 15:06:15 MailScanner[4971]: clamav: Failed to complete, timed out
| May 23 15:06:15 MailScanner[4971]: Virus Scanning: Denial Of Service attack is in message s4NLTn3v008504
|

First, it's better to configure MailScanner to use clamd (and start clamd :) ). I have

May 28 14:29:04 mail MailScanner[9271]: ClamD Timed Out During PING Check!
May 28 14:29:04 mail MailScanner[9275]: ClamD Timed Out During PING Check!
May 28 14:29:12 mail MailScanner[8908]: Clamd::ERROR:: CLAM PING TIMED OUT! :: .
May 28 14:29:14 mail MailScanner[8764]: Clamd::ERROR:: CLAM PING TIMED OUT! :: .

and

May 28 14:30:05 mail MailScanner[8764]: Virus Scanning: No virus scanners worked, so message batch was abandoned and re-tried!

This happens just after FreshClam has updated the virus database and clamd loads the new database. Loading the virus database takes a while.

Regards
Valentin
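
An added example, not part of any message in this thread: a small Python parser that groups the scanner-failure log lines quoted above by day, so a timeout in a single child (the May 23 lines) can be told apart from several children losing clamd within about a minute (the May 28 lines, which Valentin attributes to clamd reloading after a FreshClam update). The event names, the `summarize` function and the final `New Batch` log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in this thread plus one unrelated line.
SAMPLE_LOG = """\
May 23 15:06:15 MailScanner[4971]: Commercial scanner clamav timed out!
May 23 15:06:15 MailScanner[4971]: clamav: Failed to complete, timed out
May 23 15:06:15 MailScanner[4971]: Virus Scanning: Denial Of Service attack is in message s4NLTn3v008504
May 28 14:29:04 mail MailScanner[9271]: ClamD Timed Out During PING Check!
May 28 14:29:04 mail MailScanner[9275]: ClamD Timed Out During PING Check!
May 28 14:29:12 mail MailScanner[8908]: Clamd::ERROR:: CLAM PING TIMED OUT! :: .
May 28 14:29:14 mail MailScanner[8764]: Clamd::ERROR:: CLAM PING TIMED OUT! :: .
May 28 14:30:05 mail MailScanner[8764]: Virus Scanning: No virus scanners worked, so message batch was abandoned and re-tried!
May 28 14:31:00 mail MailScanner[8764]: New Batch: Scanning 1 messages, 2048 bytes
"""

# Syslog prefix with an optional hostname, as both forms appear in the thread.
LINE = re.compile(r"^(\w{3}\s+\d{1,2}) (\d\d:\d\d:\d\d) (?:\S+ )?MailScanner\[(\d+)\]: (.*)$")
EVENTS = {  # hypothetical event names mapped to the message texts quoted above
    "scanner_timeout": re.compile(r"Commercial scanner \S+ timed out!|Failed to complete, timed out"),
    "clamd_ping_timeout": re.compile(r"ClamD Timed Out During PING Check|CLAM PING TIMED OUT"),
    "batch_abandoned": re.compile(r"No virus scanners worked"),
    "dos_flagged": re.compile(r"Denial Of Service attack is in message (\S+)"),
}

def summarize(log_text):
    """Per day: event counts, affected child PIDs, time window, flagged message IDs."""
    days = defaultdict(lambda: {"counts": defaultdict(int), "pids": set(),
                                "window": None, "flagged": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        day, clock, pid, msg = m.groups()
        for name, pattern in EVENTS.items():
            hit = pattern.search(msg)
            if not hit:
                continue
            d = days[day]
            d["counts"][name] += 1
            d["pids"].add(int(pid))
            first, last = d["window"] or (clock, clock)
            d["window"] = (min(first, clock), max(last, clock))
            if name == "dos_flagged":  # queue ID to review by hand
                d["flagged"].append(hit.group(1))
    return days

if __name__ == "__main__":
    for day, d in summarize(SAMPLE_LOG).items():
        print(day, d["window"], dict(d["counts"]), sorted(d["pids"]), d["flagged"])
```

Many PIDs inside a short window on one day suggest the scanner daemon itself was unavailable; a single PID with a flagged message ID suggests one slow scan.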