From jerry.benton at mailborder.com Sat Aug 1 02:09:55 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 31 Jul 2015 22:09:55 -0400
Subject: 7z and other archive formats support
In-Reply-To:
References:
Message-ID: <04DE5299-5773-4F33-BE65-2AD6E8433B76@mailborder.com>

I’d have to look into it. I personally have not tested it.

-
Jerry Benton
www.mailborder.com

> On Jul 31, 2015, at 6:20 PM, Danny wrote:
>
> Hello,
>
> I was wondering if MailScanner has 7z (binary) support or are the devs working on this or is it on the roadmap?
> It would be nice to be able to look inside 7z, arj, cpio etc.
>
> Regards,
> Danny
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From salyuruk at cyh.com.tr Mon Aug 3 15:14:57 2015
From: salyuruk at cyh.com.tr (Sinan Alyuruk)
Date: Mon, 03 Aug 2015 18:14:57 +0300
Subject: signature attachment character set problem
Message-ID: <55BF8571.9010505@cyh.com.tr>

Hello,

I had add a text company signatures to outgoing messages by Mailscanner. Also I have to use Latin-5 or Utf-8 encoding in attachment files as Turkish language has different charset regarding form us-ascii, and Latin-1

Setting "Attachment Encoding Charset" to ISO-8859-9 or UTF-8 did not help although I had correctly encode the attachment files in respective charset. Especially some Outlook versions make signatures messy which are attached my Mailscanner.

Any known solutions?

Thanks,

--
Mehmet Sinan Alyürük
Systems Engineer
CİNER YAYIN HOLDİNG
Abdülhakhamit Cd. No:25
Talimhane - Beyoğlu / İstanbul
T: +90 (212) 313 65 18

From jerry.benton at mailborder.com Tue Aug 4 08:08:14 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 4 Aug 2015 04:08:14 -0400
Subject: signature attachment character set problem
In-Reply-To: <55BF8571.9010505@cyh.com.tr>
References: <55BF8571.9010505@cyh.com.tr>
Message-ID:

What version are you using? The latest version should handle your character sets with no problem.

-
Jerry Benton
www.mailborder.com

> On Aug 3, 2015, at 11:14 AM, Sinan Alyuruk wrote:
>
> Hello,
>
> I had add a text company signatures to outgoing messages by Mailscanner. Also I have to use Latin-5 or Utf-8 encoding in attachment files as Turkish language has different charset regarding form us-ascii, and Latin-1
>
> Setting "Attachment Encoding Charset" to ISO-8859-9 or UTF-8 did not help although I had correctly encode the attachment files in respective charset. Especially some Outlook versions make signatures messy which are attached my Mailscanner.
>
> Any known solutions?
>
> Thanks,
>
> --
> Mehmet Sinan Alyürük
> Systems Engineer
> CİNER YAYIN HOLDİNG
> Abdülhakhamit Cd. No:25
> Talimhane - Beyoğlu / İstanbul
> T: +90 (212) 313 65 18

From salyuruk at cyh.com.tr Tue Aug 4 08:29:38 2015
From: salyuruk at cyh.com.tr (Sinan Alyuruk)
Date: Tue, 04 Aug 2015 11:29:38 +0300
Subject: signature attachment character set problem
In-Reply-To:
References: <55BF8571.9010505@cyh.com.tr>
Message-ID: <55C077F2.7040103@cyh.com.tr>

Hi Jerry

On 04-08-2015 11:08, Jerry Benton wrote:
> What version are you using? The latest version should handle your
> character sets with no problem.
>
> -
> Jerry Benton
> www.mailborder.com
>
I am using version 4.85.2. We still have issues with IOS and outlook clients when attaching utf8 signatures.

>> On Aug 3, 2015, at 11:14 AM, Sinan Alyuruk wrote:
>>
>> Hello,
>>
>> I had add a text company signatures to outgoing messages by
>> Mailscanner. Also I have to use Latin-5 or Utf-8 encoding in
>> attachment files as Turkish language has different charset regarding
>> form us-ascii, and Latin-1
>>
>> Setting "Attachment Encoding Charset" to ISO-8859-9 or UTF-8 did not
>> help although I had correctly encode the attachment files in
>> respective charset. Especially some Outlook versions make signatures
>> messy which are attached my Mailscanner.
>>
>> Any known solutions?
>>
>> Thanks,

--
Mehmet Sinan Alyürük
Systems Engineer
CİNER YAYIN HOLDİNG
Abdülhakhamit Cd. No:25
Talimhane - Beyoğlu / İstanbul
T: +90 (212) 313 65 18

From andrew at topdog.za.net Tue Aug 4 12:28:53 2015
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Tue, 4 Aug 2015 14:28:53 +0200
Subject: signature attachment character set problem
In-Reply-To: <55C077F2.7040103@cyh.com.tr>
References: <55BF8571.9010505@cyh.com.tr> <55C077F2.7040103@cyh.com.tr>
Message-ID: <0563D49E-9A0E-447A-AE65-A5F233209280@topdog.za.net>

On 04 Aug 2015, at 10:29 AM, Sinan Alyuruk wrote:

> I am using version 4.85.2. We still have issues with IOS and outlook clients when attaching utf8 signatures.

Can you paste bin a sample.

From salyuruk at cyh.com.tr Tue Aug 4 12:36:29 2015
From: salyuruk at cyh.com.tr (Sinan Alyuruk)
Date: Tue, 04 Aug 2015 15:36:29 +0300
Subject: signature attachment character set problem
In-Reply-To: <0563D49E-9A0E-447A-AE65-A5F233209280@topdog.za.net>
References: <55BF8571.9010505@cyh.com.tr> <55C077F2.7040103@cyh.com.tr> <0563D49E-9A0E-447A-AE65-A5F233209280@topdog.za.net>
Message-ID: <55C0B1CD.3060307@cyh.com.tr>

On 04-08-2015 15:28, Andrew Colin Kissa wrote:
> On 04 Aug 2015, at 10:29 AM, Sinan Alyuruk wrote:
>
>> I am using version 4.85.2. We still have issues with IOS and outlook clients when attaching utf8 signatures.
> Can you paste bin a sample.

This is how utf-8 MailScanner signatures look when send by Mail.app

http://snag.gy/b48Jt.jpg

--
Mehmet Sinan Alyürük
Systems Engineer
CİNER YAYIN HOLDİNG
Abdülhakhamit Cd. No:25
Talimhane - Beyoğlu / İstanbul
T: +90 (212) 313 65 18

From andrew at topdog.za.net Tue Aug 4 13:24:16 2015
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Tue, 4 Aug 2015 15:24:16 +0200
Subject: signature attachment character set problem
In-Reply-To: <55C0B1CD.3060307@cyh.com.tr>
References: <55BF8571.9010505@cyh.com.tr> <55C077F2.7040103@cyh.com.tr> <0563D49E-9A0E-447A-AE65-A5F233209280@topdog.za.net> <55C0B1CD.3060307@cyh.com.tr>
Message-ID: <0F3DA214-6691-4540-9F78-8DE08103BB59@topdog.za.net>

On 04 Aug 2015, at 2:36 PM, Sinan Alyuruk wrote:

> This is how utf-8 MailScanner signatures look when send by Mail.app
>
> http://snag.gy/b48Jt.jpg

A picture is really not of much help.

From jerry.benton at mailborder.com Tue Aug 4 15:53:47 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 4 Aug 2015 11:53:47 -0400
Subject: signature attachment character set problem
In-Reply-To: <0F3DA214-6691-4540-9F78-8DE08103BB59@topdog.za.net>
References: <55BF8571.9010505@cyh.com.tr> <55C077F2.7040103@cyh.com.tr> <0563D49E-9A0E-447A-AE65-A5F233209280@topdog.za.net> <55C0B1CD.3060307@cyh.com.tr> <0F3DA214-6691-4540-9F78-8DE08103BB59@topdog.za.net>
Message-ID:

I already answered him off list. (He emailed Jules directly and Jules pointed him back to me.)

In short, he wants to modify headers to force UTF8 which will break DKIM. I suggested that he set UTF8 at the client. (As did Jules.)

-
Jerry Benton
www.mailborder.com

> On Aug 4, 2015, at 9:24 AM, Andrew Colin Kissa wrote:
>
> On 04 Aug 2015, at 2:36 PM, Sinan Alyuruk wrote:
>
>> This is how utf-8 MailScanner signatures look when send by Mail.app
>>
>> http://snag.gy/b48Jt.jpg
>
> A picture is really not of much help.

From vpdose at kirchenweg.de Wed Aug 5 17:01:47 2015
From: vpdose at kirchenweg.de (Volker Dose)
Date: Wed, 5 Aug 2015 19:01:47 +0200
Subject: MailScanner: allowing attachments identified as text/plain by file -i
In-Reply-To: <55BA14B8.9080508@fink-computer.de>
References: <55BA14B8.9080508@fink-computer.de>
Message-ID:

Hi Heino,

I double-checked the TABs, this was not the issue. Still wondering, why I cannot get this to work. Do you have this special setting actually in use?

I will set up a clone of my machine and do some testing with a new, blank filetype.rules.conf.

Best regards
Volker

> On 30.07.2015 at 14:12, Heino Backhaus wrote:
>
> Hello Volker,
>
> > If the "mime type" *and* the filetype fields are both specified (and
> > are not "-")
>
> I do not think that the dash is the source of the problem.
> Eventually this is a case of spaces instead of tabs.
> Please double check that you've used Tabs. Otherwise
> the line is ignored.
>
> # NOTE: Fields are separated by TAB characters --- Important!
>
> This can happen easily by editing the configfile in a Putty-Session
> with vi and using copy and paste.
> I had a similar thing today.
>
> Kind regards
>
> H. Backhaus
>
> Fink-Computer Systeme
> Heggrabenstr. 9, 35435 Wettenberg
> Email: heino.backhaus at fink-computer.de
> Web: www.fink-computer.de
> Fax: +49-641-98444638
> Fon: +49-641-98444640
> UST-ID: DE151040770
> HRB: 2143 Gießen
> GF: Fredi Fink
>
> "In retrospect it becomes clear that hindsight is definitely overrated!"
>
> -Alfred E. Neumann
>
> On 22.07.2015 at 14:21, Volker Dose wrote:
>> Hi list,
>>
>> I am struggling with the "magic" fifth field in filetype.rules.conf –
>> as so many others in the past, as far as I understand old posting.
>>
>> Let me explain my settings:
>>
>> I have a list of attachments, I do allow in filetype.rules.conf (like
>> text, pics, html, pdf and other stuff) and the last line is a deny for
>> every other attachment. I did this, because I do not want to get
>> anything to my mailserver, where I am not 100% sure of the filetype – so
>> executables are banned and also every unknown filetype.
>>
>> This file looks like this:
>>
>> -------
>> allow ASCII text ASCII text ASCII text
>> allow PC bitmap PC bitmap PC bitmap
>> allow Emacs v18 Emacs v18 Emacs v18
>> allow C++ source C++ source C++ source
>> allow source diverse source diverse source
>> […]
>> deny .* Deny unidentified attachments
>> Deny unidentified attachments
>> ----------
>>
>> But from time to time I get a false positive, often non-english
>> text-parts are not very good identified, like Finnish or east-European
>> languages. Often the pdf attachment is identified fine and mailscanner
>> processes it, but txt and html-parts are too often blocked.
>>
>> But using the file -I command I have a much higher rate of messages
>> identified as text or html mail-part.
>>
>> So I wanted to use this feature Julian implemented 2008:
>>
>> ------------
>> This 5th field is optional, and specifies a regular expression which is
>> matched against the MIME type as determined by the "file -i" command.
>>
>> If it is never specified, then the "file -i" command will never be run
>> on your message attachments so there is no appreciable overhead on the
>> speed of MailScanner caused by this new feature.
>>
>> If the "mime type" *and* the filetype fields are both specified (and are
>> not "-") then either matching will cause the rule to fire. In a "deny"
>> rule like the example above, then *either* test firing will cause the
>> attachment to be blocked. In an "allow" rule then *both* of the tests
>> must pass to cause the attachment to be allowed and hence no more rules
>> to be checked. This sounds a bit odd but actually ends up doing pretty
>> much what you expect it to. I'm sure you'll let me know if I'm wrong
>> there :-)
>> ---------
>>
>> I added a line like this in my filetype.rules.conf:
>>
>> allow - text/plain
>> - -
>>
>> But the message mentioned above still triggered my last line
>>
>> deny .* Deny unidentified attachments
>> Deny unidentified attachments
>>
>> For example: Yesterday I realized, the text-message of an email
>> (starting with the string "THX!") was identified as "*AHX version*" from
>> my file (version 5.14) command but as *text/plain* with "file -i"
>>
>> I understand the text from Julian, that both the "file" and the "file
>> -i"-field has to match and added a line like this:
>>
>> allow AHX version text/plain - -
>>
>> Which works – but only because I have added the "file"-regex to that
>> line, too.
>>
>> I am looking for a "match all" at that point – the dash "-" did not work
>> for me.
>>
>> I wonder if there is a way to allow any attachments, that give you a
>> "text/plain" when using "file -i".
>>
>> Any help appreciated!
>>
>> I am using MS-4.84.6-1 on a CentOS 6.6 32 bit.
>>
>> And by the way: I love MailScanner – thanks to all of you helping make
>> the software work.
>>
>> Best regards
>> Volker

From greminn at gmail.com Wed Aug 5 21:42:31 2015
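An added illustration for the filetype.rules.conf discussion in Volker Dose's message above (not MailScanner's code and not written by any of the posters): a small Python model of the first-match evaluation the quoted description gives, where an "allow" needs both tests to pass and a "deny" fires on either. The five-field order is inferred from the sample line `allow AHX version text/plain - -`; treating "-" as "not specified", skipping lines that are not TAB-separated, and allowing when no rule fires are assumptions of this model, and the rule file and `file` outputs are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    lineno: int
    action: str              # "allow" or "deny" (other actions are not modelled)
    file_re: Optional[str]   # regex for `file` output; None when "-"
    mime_re: Optional[str]   # regex for `file -i` output; None when absent or "-"


# Constructed rule file. "\t" marks the TAB separators; line 5 uses spaces.
SAMPLE_RULES = (
    "# NOTE: Fields are separated by TAB characters\n"
    "allow\tASCII text\tASCII text\tASCII text\n"
    "allow\tAHX version\ttext/plain\t-\t-\n"
    "deny\texecutable\tapplication/x-dosexec\tNo executables\tNo executables\n"
    "allow   PC bitmap   PC bitmap   PC bitmap\n"
    "deny\t.*\tDeny unidentified attachments\tDeny unidentified attachments\n"
)


def parse_rules(text: str) -> Tuple[List[Rule], List[int]]:
    """Return (rules, skipped_line_numbers); only TAB-separated lines count."""
    rules, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = re.split(r"\t+", line.strip())
        if fields[0] not in ("allow", "deny") or len(fields) not in (4, 5):
            skipped.append(lineno)   # e.g. spaces pasted where TABs belong
            continue
        file_re = None if fields[1] == "-" else fields[1]
        mime_re = fields[2] if len(fields) == 5 and fields[2] != "-" else None
        rules.append(Rule(lineno, fields[0], file_re, mime_re))
    return rules, skipped


def rule_fires(rule: Rule, file_out: str, mime_out: str) -> bool:
    """allow: every specified test must match; deny: any specified test."""
    tests = []
    if rule.file_re is not None:
        tests.append(re.search(rule.file_re, file_out) is not None)
    if rule.mime_re is not None:
        tests.append(re.search(rule.mime_re, mime_out) is not None)
    if not tests:
        return False
    return all(tests) if rule.action == "allow" else any(tests)


def decide(rules: List[Rule], file_out: str, mime_out: str):
    """First firing rule wins; returns (action, rule line number)."""
    for rule in rules:
        if rule_fires(rule, file_out, mime_out):
            return rule.action, rule.lineno
    return "allow", None   # assumption: nothing fired, nothing blocked


if __name__ == "__main__":
    rules, skipped = parse_rules(SAMPLE_RULES)
    print("ignored lines (check for spaces instead of TABs):", skipped)
    for file_out, mime_out in [
        ("AHX version", "text/plain; charset=utf-8"),
        ("AHX version", "audio/x-mod"),
        ("PC bitmap, Windows 3.x format", "image/x-ms-bmp"),
        ("data", "application/x-dosexec"),
    ]:
        print(file_out, "|", mime_out, "->", decide(rules, file_out, mime_out))
```

The skipped-line list is the part worth running against a real rules file: an allow line that silently drops out leaves its file type to the final `deny .*`.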
From: greminn at gmail.com (Simon)
Date: Thu, 6 Aug 2015 09:42:31 +1200
Subject: Adding headers to reports (e.g. recipient.spam.report.txt)
Message-ID:

Hi There,

We would like to add some headers to the reports such as the recipient.spam.report.txt. This is to add things like:

Auto-Submitted: auto-replied
Precedence: bulk
X-Autoreply: yes

To help stop customers auto responders responding to mailscanners notifications.

Is this simply adding them to the headers at the top of the report .txt files?

PS: Might I suggest that these should be in the reports by default?

Thanks!

Simon

From hfleming at moosebird.net Thu Aug 6 15:35:56 2015
From: hfleming at moosebird.net (Howard Fleming)
Date: Thu, 06 Aug 2015 11:35:56 -0400
Subject: email sent from virtual domains on server being tagged as spam
In-Reply-To:
References:
Message-ID: <55C37EDC.8060800@moosebird.net>

Good morning,

I am in the process of rebuilding my mail server and running into a problem with any email sent from the 2 virtual domains on the system is being flagged as spam by MailScanner (the other 2 domains that are not virtual is working as it should). Other than the virtual domain outgoing email being flagged as spam, everything appears to be working as it should.

Any suggestions on where to start looking and what additional information I need to send here for troubleshooting?

System info:

CentOS 6.6
Postfix version 2.6.6, Release 6.el6_5

MailScanner -v
Running on
Linux comm.moosebird.net 2.6.32-504.30.3.el6.x86_64 #1 SMP Wed Jul 15 10:13:09 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS release 6.6 (Final)
This is Perl version 5.010001 (5.10.1)

This is MailScanner version 4.85.2
Module versions are:
1.00 AnyDBM_File
1.30 Archive::Zip
0.23 bignum
1.11 Carp
2.021 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.124 Data::Dumper
2.27 Date::Parse
1.03 DirHandle
1.06 Fcntl
2.77 File::Basename
2.14 File::Copy
2.02 FileHandle
2.08 File::Path
0.22 File::Temp
0.92 Filesys::Df
3.64 HTML::Entities
3.64 HTML::Parser
3.57 HTML::TokeParser
1.25 IO
1.14 IO::File
1.13 IO::Pipe
2.04 Mail::Header
1.9993 Math::BigInt
0.22 Math::BigRat
3.08 MIME::Base64
5.427 MIME::Decoder
5.427 MIME::Decoder::UU
5.427 MIME::Head
5.427 MIME::Parser
3.08 MIME::QuotedPrint
5.427 MIME::Tools
0.14 Net::CIDR
1.25 Net::IP
0.19 OLE::Storage_Lite
1.04 Pod::Escapes
3.13 Pod::Simple
1.17 POSIX
1.21 Scalar::Util
1.82 Socket
2.20 Storable
1.4 Sys::Hostname::Long
0.27 Sys::Syslog
1.40 Test::Pod
0.92 Test::Simple
1.9721 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.58 Archive::Tar
0.23 bignum
missing Business::ISBN
missing Business::ISBN::Data
1.15 Data::Dump
1.82 DB_File
1.27 DBD::SQLite
1.609 DBI
1.16 Digest
1.01 Digest::HMAC
2.39 Digest::MD5
2.12 Digest::SHA1
1.01 Encode::Detect
0.17015 Error
0.27 ExtUtils::CBuilder
2.2203 ExtUtils::ParseXS
2.38 Getopt::Long
0.46 Inline
1.08 IO::String
1.09 IO::Zlib
2.28 IP::Country
0.29 Mail::ClamAV
3.003001 Mail::SpamAssassin
v2.008 Mail::SPF
1.999001 Mail::SPF::Query
0.35 Module::Build
0.21 Net::CIDR::Lite
0.65 Net::DNS
v0.003 Net::DNS::Resolver::Programmable
0.65 Net::LDAP
4.027 NetAddr::IP
1.965001 Parse::RecDescent
missing SAVI
3.17 Test::Harness
1.22 Test::Manifest
2.0.0 Text::Balanced
1.40 URI
0.77 version
missing YAML

MailScanner --lint
Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 462 hostnames from the phishing whitelist
Read 12121 hostnames from the phishing blacklists

Checking version numbers...
Version number in MailScanner.conf (4.85.2) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (89)
MailScanner setting UID to (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamavmodule, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamavmodule,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

Thanks for any help,
Howard

From jeremy at fluxlabs.net Thu Aug 6 15:41:13 2015
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Thu, 6 Aug 2015 15:41:13 +0000
Subject: email sent from virtual domains on server being tagged as spam
In-Reply-To: <55C37EDC.8060800@moosebird.net>
References: , <55C37EDC.8060800@moosebird.net>
Message-ID: <015F56AD-4756-4461-A3A6-D6D419D599DF@fluxlabs.net>

Pastebin the header of one of the emails. What are you using for virtual domains ? What mta ?

--
Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On Aug 6, 2015, at 10:36 AM, Howard Fleming wrote:

Good morning,

I am in the process of rebuilding my mail server and running into a problem with any email sent from the 2 virtual domains on the system is being flagged as spam by MailScanner (the other 2 domains that are not virtual is working as it should). Other than the virtual domain outgoing email being flagged as spam, everything appears to be working as it should.

Any suggestions on where to start looking and what additional information I need to send here for troubleshooting?

Thanks for any help,
Howard

From hfleming at moosebird.net Thu Aug 6 16:16:11 2015
From: hfleming at moosebird.net (Howard Fleming)
Date: Thu, 06 Aug 2015 12:16:11 -0400
Subject: email sent from virtual domains on server being tagged as spam
In-Reply-To: <015F56AD-4756-4461-A3A6-D6D419D599DF@fluxlabs.net>
References: , <55C37EDC.8060800@moosebird.net> <015F56AD-4756-4461-A3A6-D6D419D599DF@fluxlabs.net>
Message-ID: <55C3884B.6050905@moosebird.net>

Header info:
http://pastebin.com/FRpcJirk

Virtual domains are handled by postfix (and if this is not what you are looking for, please let me know):

main.cf:
virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps

MTA is postfix.

Thanks,
Howard

On 08/06/2015 11:41 AM, Jeremy McSpadden wrote:
> Pastebin the header of one of the emails. What are you using for
> virtual domains ? What mta ?
>
> --
> Jeremy McSpadden | Flux Labs
> Local - 850-250-5590x501 | Mobile - 850-890-2543
> Fax - 850-254-2955 | Toll Free - 877-699-FLUX
> Web - http://www.fluxlabs.net
>
> On Aug 6, 2015, at 10:36 AM, Howard Fleming wrote:
>
>> Good morning,
>>
>> I am in the process of rebuilding my mail server and running into a
>> problem with any email sent from the 2 virtual domains on the system
>> is being flagged as spam by MailScanner (the other 2 domains that are
>> not virtual is working as it should). Other than the virtual domain
>> outgoing email being flagged as spam, everything appears to be
>> working as it should.
>>
>> Any suggestions on where to start looking and what additional
>> information I need to send here for troubleshooting?
>>
>> Thanks for any help,
>> Howard

From jerry.benton at mailborder.com Thu Aug 6 16:18:35 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 6 Aug 2015 12:18:35 -0400
Subject: email sent from virtual domains on server being tagged as spam
In-Reply-To: <55C3884B.6050905@moosebird.net>
References: <55C37EDC.8060800@moosebird.net> <015F56AD-4756-4461-A3A6-D6D419D599DF@fluxlabs.net> <55C3884B.6050905@moosebird.net>
Message-ID:

It is triggering on your RBLs.

X-Moosebird-MailScanner-SpamCheck: spam, spamhaus-ZEN

-
Jerry Benton
www.mailborder.com

> On Aug 6, 2015, at 12:16 PM, Howard Fleming wrote:
>
> Header info:
> http://pastebin.com/FRpcJirk
>
> Virtual domains are handled by postfix (and if this is not what you are looking for, please let me know):
>
> main.cf:
> virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
> virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
>
> MTA is postfix.
>
> Thanks,
> Howard
>
> On 08/06/2015 11:41 AM, Jeremy McSpadden wrote:
>> Pastebin the header of one of the emails. What are you using for virtual domains ? What mta ?
>>
>> --
>> Jeremy McSpadden | Flux Labs
>> Local - 850-250-5590x501 | Mobile - 850-890-2543
>> Fax - 850-254-2955 | Toll Free - 877-699-FLUX
>> Web - http://www.fluxlabs.net
>>
>> On Aug 6, 2015, at 10:36 AM, Howard Fleming wrote:
>>
>>> Good morning,
>>>
>>> I am in the process of rebuilding my mail server and running into a problem with any email sent from the 2 virtual domains on the system is being flagged as spam by MailScanner (the other 2 domains that are not virtual is working as it should). Other than the virtual domain outgoing email being flagged as spam, everything appears to be working as it should.
>>>
>>> Any suggestions on where to start looking and what additional information I need to send here for troubleshooting?
>>>
>>> Thanks for any help,
>>> Howard

From hfleming at moosebird.net Thu Aug 6 16:41:53 2015
From: hfleming at moosebird.net (Howard Fleming)
Date: Thu, 06 Aug 2015 12:41:53 -0400
Subject: email sent from virtual domains on server being tagged as spam
In-Reply-To:
References: <55C37EDC.8060800@moosebird.net> <015F56AD-4756-4461-A3A6-D6D419D599DF@fluxlabs.net> <55C3884B.6050905@moosebird.net>
Message-ID: <55C38E51.8010003@moosebird.net>

Hi Jerry,

This is probably under the heading of a newbie question, but how do I go about fixing this?

It appears spamhaus is picking up the ip address of the email client sending the email, since it is being delivered locally on the server. I assume this is a postfix configuration issue?

Thanks,
Howard

From jerry.benton at mailborder.com Thu Aug 6 16:45:02 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 6 Aug 2015 12:45:02 -0400
Subject: email sent from virtual domains on server being tagged as spam
In-Reply-To: <55C38E51.8010003@moosebird.net>
References: <55C37EDC.8060800@moosebird.net> <015F56AD-4756-4461-A3A6-D6D419D599DF@fluxlabs.net> <55C3884B.6050905@moosebird.net> <55C38E51.8010003@moosebird.net>
Message-ID:

This is a MailScanner configuration issue.

https://www.mailscanner.info/MailScanner.conf.index.html#Spam Lists To Be Spam

-
Jerry Benton
www.mailborder.com

From kevin.miller at juneau.org Thu Aug 6 17:21:08 2015
From: kevin.miller at juneau.org (Kevin Miller)
Date: Thu, 6 Aug 2015 17:21:08 +0000
Subject: email sent from virtual domains on server being tagged as spam
In-Reply-To: <55C38E51.8010003@moosebird.net>
References: <55C37EDC.8060800@moosebird.net> <015F56AD-4756-4461-A3A6-D6D419D599DF@fluxlabs.net> <55C3884B.6050905@moosebird.net> <55C38E51.8010003@moosebird.net>
Message-ID:

Received: from [192.168.15.109] (va-67-233-71-80.dhcp.embarqhsd.net [67.233.71.80]) by comm.moosebird.net (Postfix) with ESMTPSA id 1981B2A01E3 for ; Tue, 4 Aug 2015 11:38:54 -0400 (EDT)

See http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a%0967.233.71.80&run=toolpage

IP 67.233.71.80 is blacklisted. Since you’re including spamhaus and/or barracuda in your blacklists you block those mails. The cheesy workaround is to whitelist them, or quit using the RBLs. Not much of an option. The better solution is to find out why you’re blacklisted (see the spamhaus page) and take the steps to get removed.

Looking up your server IP, it appears that it’s a DHCP address which would probably normally be assigned to a home user. Your email server should have a static IP.

$ host 67.233.71.80
80.71.233.67.in-addr.arpa domain name pointer va-67-233-71-80.dhcp.embarqhsd.net.

Running a RBL lookup at dns-stuff.com I see this:

SBL-ZEN IP detected as NON-COMPLIANT (End-user Non-MTA IP addresses set by ISP outbound mail policy)
SPAMHAUS PBL IP detected as SPAM

Hope this helps some.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
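The header inspection and blacklist lookup in the message above can be reproduced offline; the following is an added example, not part of the original thread and not MailScanner code. It parses the quoted Received header, builds the zen.spamhaus.org query name, and separates a PBL-only hit on an authenticated (ESMTPSA) submission from any other listing. The function names, the constructed resolver answer and the exemption policy in `triage` are assumptions of this example.

```python
import ipaddress
import re
import socket

# Received header quoted in the message above, copied as the archive shows it
# (the "for" address was scrubbed by the list archive).
RECEIVED = (
    "from [192.168.15.109] (va-67-233-71-80.dhcp.embarqhsd.net [67.233.71.80]) "
    "by comm.moosebird.net (Postfix) with ESMTPSA id 1981B2A01E3 for ; "
    "Tue, 4 Aug 2015 11:38:54 -0400 (EDT)"
)

# zen.spamhaus.org answers are 127.0.0.x codes naming the component list.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z]+)",
    re.S,
)


def parse_received(header):
    """Extract the connecting client and transport from a Postfix Received header."""
    m = HOP_RE.search(header)
    if m is None:
        raise ValueError("not a Postfix-style Received header")
    hop = m.groupdict()
    hop["ip"] = str(ipaddress.ip_address(hop["ip"]))  # raises on a malformed address
    # RFC 3848 "with" keywords: a trailing A (ESMTPA, ESMTPSA) means SMTP AUTH succeeded.
    hop["authenticated"] = re.fullmatch(r"(?:ESMTP|LMTP)S?A", hop["proto"]) is not None
    return hop


def dnsbl_qname(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed octets (or IPv6 nibbles) plus the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # 80.71.233.67.in-addr.arpa
    return reverse.rsplit(".", 2)[0] + "." + zone


def system_resolver(qname):
    """Live A-record lookup. A failed lookup (NXDOMAIN included) counts as not listed."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []


def zen_lists(ip, resolver=system_resolver):
    """Return the set of ZEN component lists the address is on."""
    lists = set()
    for answer in resolver(dnsbl_qname(ip)):
        if answer.startswith("127.255.255."):
            # Error codes (blocked resolver, query limit, bad zone) are not listings.
            raise RuntimeError("DNSBL returned error code " + answer)
        lists.add(ZEN_CODES.get(answer, "unknown:" + answer))
    return lists


def triage(header, resolver=system_resolver):
    """Classify one hop. The exemption policy is this example's assumption."""
    hop = parse_received(header)
    if ipaddress.ip_address(hop["ip"]).is_private:
        return hop, set(), "skip-private"  # never send RFC 1918 space to a public DNSBL
    lists = zen_lists(hop["ip"], resolver)
    if not lists:
        verdict = "clean"
    elif hop["authenticated"] and lists == {"PBL"}:
        # An authenticated user on an end-user (PBL) range is a normal mail client.
        verdict = "exempt-authenticated-pbl"
    else:
        verdict = "listed"
    return hop, lists, verdict


def constructed_resolver(qname):
    """Constructed answers for offline use; not real lookup results."""
    return {"80.71.233.67.zen.spamhaus.org": ["127.0.0.10"]}.get(qname, [])


if __name__ == "__main__":
    hop, lists, verdict = triage(RECEIVED, constructed_resolver)
    print(hop["ip"], hop["proto"], sorted(lists), verdict)
    _, _, unauth = triage(RECEIVED.replace("ESMTPSA", "ESMTP"), constructed_resolver)
    print("same hop without AUTH:", unauth)
```

Passing `system_resolver` instead of `constructed_resolver` performs a live query through the local resolver.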

From sean.m.schipper at lawrence.edu Thu Aug 6 17:49:06 2015
From: sean.m.schipper at lawrence.edu (Sean M. Schipper)
Date: Thu, 6 Aug 2015 17:49:06 +0000
Subject: Spam question
Message-ID: <1b3f07632f9346fdaeec795c7406f648@mail.lawrence.edu>

Since last November I've been getting inundated with spam (yesterday just under 7,000 just in the am) coming from 3 or 4 IP addresses on the same subnet in the morning starting like clockwork just after 9am. Then sometimes I'll get a similar rush of spam in the afternoon coming from a separate IP range. Countries of origin include US and Bulgaria mostly but also have come from Brazil, Romania and S. Africa.

I've been able to train MailScanner to correctly identify these as spam since the content is very similar -- tons of links to websites with .php extensions. Examples of subject lines: Situations for 2015 that forgive your Student-Loan, 12 month MBA programs, accelerated...

To cut down on the processing/traffic on my server I've been just blacklisting these IP subnets at smtp with a deny bounce message. Does anyone have any other suggestions on actions I can take to rid myself of this annoying daily routine? Does anyone else have similar battle stories like this?

Thanks for any suggestions on this.

Sean

From jerry.benton at mailborder.com Thu Aug 6 17:50:28 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 6 Aug 2015 13:50:28 -0400
Subject: Spam question
In-Reply-To: <1b3f07632f9346fdaeec795c7406f648@mail.lawrence.edu>
References: <1b3f07632f9346fdaeec795c7406f648@mail.lawrence.edu>
Message-ID: <7930BF7F-335A-4479-B496-5B233C909146@mailborder.com>

- Use RBLs at the MTA level
- Use greylisting

-
Jerry Benton
www.mailborder.com

From jeremy at fluxlabs.net Thu Aug 6 17:50:42 2015
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Thu, 6 Aug 2015 17:50:42 +0000
Subject: Spam question
In-Reply-To: <1b3f07632f9346fdaeec795c7406f648@mail.lawrence.edu>
References: <1b3f07632f9346fdaeec795c7406f648@mail.lawrence.edu>
Message-ID:

RBL ? Greylisting ? How many domains are you filtering ? What MTA ?

--
Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

From tmeireles at electroind.com Thu Aug 6 17:55:11 2015
From: tmeireles at electroind.com (Tiago Meireles)
Date: Thu, 6 Aug 2015 13:55:11 -0400
Subject: Spam question
In-Reply-To: <7930BF7F-335A-4479-B496-5B233C909146@mailborder.com>
References: <1b3f07632f9346fdaeec795c7406f648@mail.lawrence.edu> <7930BF7F-335A-4479-B496-5B233C909146@mailborder.com>
Message-ID: <00af01d0d071$0a7cb050$1f7610f0$@electroind.com>

Any RBLs that you recommend?

From jerry.benton at mailborder.com Thu Aug 6 18:04:01 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 6 Aug 2015 14:04:01 -0400
Subject: Spam question
In-Reply-To: <00af01d0d071$0a7cb050$1f7610f0$@electroind.com>
References: <1b3f07632f9346fdaeec795c7406f648@mail.lawrence.edu> <7930BF7F-335A-4479-B496-5B233C909146@mailborder.com> <00af01d0d071$0a7cb050$1f7610f0$@electroind.com>
Message-ID:

reject_rbl_client b.barracudacentral.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client rbl.megarbl.net,
reject_rbl_client dnsbl.inps.de,
reject_rbl_client bl.spamcop.net,
reject_rbl_client cbl.abuseat.org,

-
Jerry Benton
www.mailborder.com

> On Aug 6, 2015, at 1:55 PM, Tiago Meireles wrote:
>
> Any RBLs that you recommend?
> > From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton > Sent: Thursday, August 06, 2015 1:50 PM > To: MailScanner Discussion > Subject: Re: Spam question > > - Use RBLs at the MTA level > - Use greylisting > > - > Jerry Benton > www.mailborder.com > > > >> On Aug 6, 2015, at 1:49 PM, Sean M. Schipper > wrote: >> >> Since last November I’ve been getting inundated with spam (yesterday just under 7,000 just in the am) from coming from 3 or 4 IP addresses on the same subnet in the morning starting like clockwork just after 9am. Then sometimes I’ll get a similar rush of spam in the afternoon coming from a separate IP range. Countries of origin include US and Bulgaria mostly but also have come from Brasil, Romania and S. Africa. >> >> I’ve been able to train MailScanner to correctly identify these as spam since the content is very similar -- tons of links to websites with .php extensions. Examples of subject lines: Situations for 2015 that forgive your Student-Loan, 12 month MBA programs, accelerated... >> >> To cut down on the processing/traffic on my server I’ve been just blacklisting these IP subnets at smtp with a deny bounce message. Does anyone have any other suggestions on actions I can take to rid myself of this annoying daily routine? Does anyone else have similar battle stories like this? >> >> Thanks for any suggestions on this. >> >> Sean >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From sean.m.schipper at lawrence.edu Thu Aug 6 18:10:24 2015 
From: sean.m.schipper at lawrence.edu (Sean M. Schipper)
Date: Thu, 6 Aug 2015 18:10:24 +0000
Subject: Spam question
Message-ID:

Email is accepted for a single domain. I use postfix as my MTA. I employ Spamhaus as an RBL that I use to reject at SMTP. I do use others but do not reject based on them. Any others that are reputable enough to reject with?

I haven't really considered Greylisting. I just read some on it to refresh my memory. Is this commonly used by the MailScanner community?

--
RBL ? Greylisting ? How many domains are you filtering ? What MTA ?

--
Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On Aug 6, 2015, at 12:49 PM, Sean M. Schipper wrote:

Since last November I've been getting inundated with spam (yesterday just under 7,000 just in the am) coming from 3 or 4 IP addresses on the same subnet in the morning starting like clockwork just after 9am. Then sometimes I'll get a similar rush of spam in the afternoon coming from a separate IP range. Countries of origin include US and Bulgaria mostly but also have come from Brasil, Romania and S. Africa.

I've been able to train MailScanner to correctly identify these as spam since the content is very similar -- tons of links to websites with .php extensions. Examples of subject lines: Situations for 2015 that forgive your Student-Loan, 12 month MBA programs, accelerated...

To cut down on the processing/traffic on my server I've been just blacklisting these IP subnets at smtp with a deny bounce message. Does anyone have any other suggestions on actions I can take to rid myself of this annoying daily routine? Does anyone else have similar battle stories like this?

Thanks for any suggestions on this.

Sean

From jeremy at fluxlabs.net Thu Aug 6 18:11:59 2015
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Thu, 6 Aug 2015 18:11:59 +0000
Subject: Spam question
In-Reply-To:
References:
Message-ID:

7000 spam for a single domain in 1 day. Must have quite a few accounts. Jerry replied with a good list for postfix. What SpamAssassin rules are you using ?

--
Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On Aug 6, 2015, at 1:10 PM, Sean M. Schipper wrote:

Email is accepted for a single domain. I use postfix as my MTA. I employ Spamhaus as an RBL that I use to reject at SMTP. I do use others but do not reject based on them. Any others that are reputable enough to reject with?

I haven't really considered Greylisting. I just read some on it to refresh my memory. Is this commonly used by the MailScanner community?

--
RBL ? Greylisting ? How many domains are you filtering ? What MTA ?

--
Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On Aug 6, 2015, at 12:49 PM, Sean M. Schipper wrote:

Since last November I've been getting inundated with spam (yesterday just under 7,000 just in the am) coming from 3 or 4 IP addresses on the same subnet in the morning starting like clockwork just after 9am. Then sometimes I'll get a similar rush of spam in the afternoon coming from a separate IP range. Countries of origin include US and Bulgaria mostly but also have come from Brasil, Romania and S. Africa.

I've been able to train MailScanner to correctly identify these as spam since the content is very similar -- tons of links to websites with .php extensions. Examples of subject lines: Situations for 2015 that forgive your Student-Loan, 12 month MBA programs, accelerated...

To cut down on the processing/traffic on my server I've been just blacklisting these IP subnets at smtp with a deny bounce message. Does anyone have any other suggestions on actions I can take to rid myself of this annoying daily routine? Does anyone else have similar battle stories like this?

Thanks for any suggestions on this.

Sean

From wt at dld2000.com Thu Aug 6 19:56:06 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Thu, 6 Aug 2015 15:56:06 -0400
Subject: mailscanner db
In-Reply-To:
References: <55A50C01.7040204@dld2000.com>
Message-ID: <55C3BBD6.7030004@dld2000.com>

Thanks to Michael and Jerry who answered my question in mid-July about individual white lists.

I finally was able to make some time to delve into this, and after poking around for awhile, I have another question.

I was looking at the mailscanner database through phpMyAdmin to try to get a feel for how stuff is organized. To my surprise, the only table with data in it is the maillog table. All others are empty.

As an experiment, I whitelisted an email address in one of my domains. While I can see the rule in spam.whitelist.rules, I still don't see it in the MySQL db.

Can someone point me to any documentation that would help me to understand what I'm seeing?

Walt

From hfleming at moosebird.net Thu Aug 6 20:18:04 2015
From: hfleming at moosebird.net (Howard Fleming)
Date: Thu, 06 Aug 2015 16:18:04 -0400
Subject: email sent from virtual domains on server being tagged as spam
In-Reply-To:
References: <55C37EDC.8060800@moosebird.net> <015F56AD-4756-4461-A3A6-D6D419D599DF@fluxlabs.net> <55C3884B.6050905@moosebird.net> <55C38E51.8010003@moosebird.net>
Message-ID: <55C3C0FC.8050008@moosebird.net>

The ip address (67.233.71.80) is the address of the email client that is sending email to my server.

For the moment, I have disabled the rbl list and that has (poorly) fixed the problem for now...

What I hope I can do (still researching this) is have rbl checking turned off for email received via port 587, and only allow my authenticated users to use this port.

Thanks,
Howard

On 08/06/2015 01:21 PM, Kevin Miller wrote:
>
> Received: from [192.168.15.109] (va-67-233-71-80.dhcp.embarqhsd.net [67.233.71.80])
>     by comm.moosebird.net (Postfix) with ESMTPSA id 1981B2A01E3
>     for ; Tue, 4 Aug 2015 11:38:54 -0400 (EDT)
>
> See http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a%0967.233.71.80&run=toolpage
>
> IP 67.233.71.80 is blacklisted. Since you’re including spamhaus and/or barracuda in your blacklists you block those mails. The cheesy workaround is to whitelist them, or quit using the RBLs. Not much of an option. The better solution is to find out why you’re blacklisted (see the spamhaus page) and take the steps to get removed.
>
> Looking up your server IP, it appears that it’s a DHCP address which would probably normally be assigned to a home user. Your email server should have a static IP.
>
> $ host 67.233.71.80
> 80.71.233.67.in-addr.arpa domain name pointer va-67-233-71-80.dhcp.embarqhsd.net.
>
> Running a RBL lookup at dns-stuff.com I see this:
>
> SBL-ZEN IP detected as NON-COMPLIANT (End-user Non-MTA IP addresses set by ISP outbound mail policy)
> SPAMHAUS PBL IP detected as SPAM
>
> Hope this helps some.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357
>
> *From:* MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of* Howard Fleming
> *Sent:* Thursday, August 06, 2015 8:42 AM
> *To:* MailScanner Discussion
> *Subject:* Re: email sent from virtual domains on server being tagged as spam
>
> Hi Jerry,
>
> This is probably under the heading of a newbie question, but how do I go about fixing this?
>
> It appears spamhaus is picking up the ip address of the email client sending the email, since it is being delivered locally on the server. I assume this is a postfix configuration issue?
>
> Thanks,
> Howard
>
> On 08/06/2015 12:18 PM, Jerry Benton wrote:
>
> It is triggering on your RBLs.
>
> X-Moosebird-MailScanner-SpamCheck: spam, spamhaus-ZEN
>
> -
> Jerry Benton
> www.mailborder.com
>
> On Aug 6, 2015, at 12:16 PM, Howard Fleming wrote:
>
> Header info:
>
> http://pastebin.com/FRpcJirk
>
> Virtual domains are handled by postfix (and if this is not what you are looking for, please let me know):
>
> main.cf:
>
> virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
> virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
>
> MTA is postfix.
>
> Thanks,
> Howard
>
> On 08/06/2015 11:41 AM, Jeremy McSpadden wrote:
>
> Pastebin the header of one of the emails. What are you using for virtual domains ? What mta ?
>
> --
> Jeremy McSpadden | Flux Labs
> Local - 850-250-5590x501 | Mobile - 850-890-2543
> Fax - 850-254-2955 | Toll Free - 877-699-FLUX
> Web - http://www.fluxlabs.net
>
> On Aug 6, 2015, at 10:36 AM, Howard Fleming wrote:
>
> Good morning,
>
> I am in the process of rebuilding my mail server and running into a problem with any email sent from the 2 virtual domains on the system is being flagged as spam by MailScanner (the other 2 domains that are not virtual is working as it should). Other than the virtual domain outgoing email being flagged as spam, everything appears to be working as it should.
>
> Any suggestions on where to start looking and what additional information I need to send here for troubleshooting?
>
> System info:
>
> CentOS 6.6
> Postfix version 2.6.6, Release 6.el6_5
>
> MailScanner -v
> Running on
> Linux comm.moosebird.net 2.6.32-504.30.3.el6.x86_64 #1 SMP Wed Jul 15 10:13:09 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> This is CentOS release 6.6 (Final)
> This is Perl version 5.010001 (5.10.1)
>
> This is MailScanner version 4.85.2
>
> MailScanner --lint
> Trying to setlogsock(unix)
>
> Reading configuration file /etc/MailScanner/MailScanner.conf
> Reading configuration file /etc/MailScanner/conf.d/README
> Read 462 hostnames from the phishing whitelist
> Read 12121 hostnames from the phishing blacklists
>
> Checking version numbers...
> Version number in MailScanner.conf (4.85.2) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to (89)
> MailScanner setting UID to (89)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Connected to Processing Attempts Database
> Created Processing Attempts Database successfully
> There are 0 messages in the Processing Attempts Database
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = clamd"
> Found these virus scanners installed: clamavmodule, clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> ===========================================================================
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>
> If any of your virus scanners (clamavmodule,clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
>
> Thanks for any help,
> Howard

From kevin.miller at juneau.org Thu Aug 6 20:46:37 2015
From: kevin.miller at juneau.org (Kevin Miller)
Date: Thu, 6 Aug 2015 20:46:37 +0000
Subject: email sent from virtual domains on server being tagged as spam
In-Reply-To: <55C3C0FC.8050008@moosebird.net>
References: <55C37EDC.8060800@moosebird.net> <015F56AD-4756-4461-A3A6-D6D419D599DF@fluxlabs.net> <55C3884B.6050905@moosebird.net> <55C38E51.8010003@moosebird.net> <55C3C0FC.8050008@moosebird.net>
Message-ID: <06b81fd99d774237ac54789eed89aca8@City-Exch-DB2.cbj.local>

OK, but it’s still blacklisted. That means that anyone that uses spamhaus or Barracuda RBLs will either reject or spamify messages sent from that address so it should be dealt with.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Howard Fleming
Sent: Thursday, August 06, 2015 12:18 PM
To: MailScanner Discussion
Subject: Re: email sent from virtual domains on server being tagged as spam

The ip address (67.233.71.80) is the address of the email client that is sending email to my server.

For the moment, I have disabled the rbl list and that has (poorly) fixed the problem for now...

What I hope I can do (still researching this) is have rbl checking turned off for email received via port 587, and only allow my authenticated users to use this port.

Thanks,
Howard

From wt at dld2000.com Thu Aug 6 20:46:52 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Thu, 6 Aug 2015 16:46:52 -0400
Subject: never mind
In-Reply-To: <41EF5653-F15D-4D1F-B64B-6781E87292AC@mailborder.com>
References: <55A50C01.7040204@dld2000.com> <41EF5653-F15D-4D1F-B64B-6781E87292AC@mailborder.com>
Message-ID: <55C3C7BC.4070409@dld2000.com>

Never mind ... I finally found the appropriate reference in the manual. Apparently, the MySQL db is only for front-end apps like MailWatch.

Sorry to bother you all.

Walt

From l at avc.su Sat Aug 8 21:46:34 2015
From: l at avc.su (l at avc.su)
Date: Sun, 09 Aug 2015 00:46:34 +0300
Subject: Mailscanner + postfix: dealing with huge loads on distributed mailserver setup
Message-ID:

Hi All.

We've got 2 servers with MailScanner+Mailwatch, using Postfix as MTA. Recently we've experienced huge incoming load from distributed locations (our marketing team fired up large newsletter and our corporate server got about 10K "auto-reply" mails in just 20 minutes), and our 'hold' queue got filled up with mails. It caused big delay in receiving legitimate mails, and MailScanner (15 children max.) was busy with them for about an hour.

Is there any way to prevent Postfix from receiving any new mail if there is a clog in Hold queue? For example, if there are more than 500 messages, don't receive new mail and respond with 421 code so clients would go to another mail server?
I haven't found any solid measures against it, and I'm considering to write own policy-server for Postfix. It's complicated task (and I lack coding skills), and I want to be sure that I haven't missed vanilla setting for this.

So, basically, there are two questions: is there some sort of failswitch to prevent Postfix to get new connections if there is a clog in queue, and how do you deal with huge mailing loads?

Thank you.

From maxsec at gmail.com Sun Aug 9 08:46:48 2015
From: maxsec at gmail.com (Martin Hepworth)
Date: Sun, 09 Aug 2015 08:46:48 +0000
Subject: Mailscanner + postfix: dealing with huge loads on distributed mailserver setup
In-Reply-To:
References:
Message-ID:

Another way is to get the marketing crew to use a no-reply type address that'll just bounce (you're checking invalid recipients in pf, right) and something like constant contact to send the campaigns in the first place. They'll give them way better metrics about opens etc

On Sat, 8 Aug 2015 at 22:46, wrote:

> Hi All.
>
> We've got 2 servers with MailScanner+Mailwatch, using Postfix as MTA.
> Recently we've experienced huge incoming load from distributed locations
> (our marketing team fired up large newsletter and our corporate server
> got about 10K "auto-reply" mails in just 20 minutes), and our 'hold'
> queue got filled up with mails. It caused big delay in receiving
> legitimate mails, and MailScanner (15 children max.) was busy with them
> for about an hour.
>
> Is there any way to prevent Postfix from receiving any new mail if there
> is a clog in Hold queue? For example, if there are more than 500
> messages, don't receive new mail and respond with 421 code so clients
> would go to another mail server?
> I haven't found any solid measures against it, and I'm considering to
> write own policy-server for Postfix. It's complicated task (and I lack
> coding skills), and I want to be sure that I haven't missed vanilla
> setting for this.
>
> So, basically, there are two questions: is there some sort of failswitch to
> prevent Postfix to get new connections if there is a clog in queue, and
> how do you deal with huge mailing loads?
>
> Thank you.

From danny at tweegy.nl Sun Aug 9 11:39:22 2015
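The hold-queue back-pressure asked about in the "dealing with huge loads" thread above can be built on Postfix's policy delegation protocol. The following is an added example, not code from the thread or from MailScanner; it assumes the default queue directory /var/spool/postfix and a daemon started by spawn(8) on stdin/stdout, the function names are hypothetical, and the sample request is constructed.

```python
#!/usr/bin/env python3
"""Postfix policy-delegation sketch: answer 421 while the hold queue is backed up."""
import os
import sys

# Assumptions (not from the thread): default Postfix queue_directory, and a
# process started by spawn(8) that talks to smtpd on stdin/stdout.
HOLD_DIR = "/var/spool/postfix/hold"
MAX_HELD = 500  # threshold suggested in the question
# access(5) "421 text" form (Postfix 2.3+): temporary failure, then disconnect.
DEFER_ACTION = "421 4.3.2 Content scanner busy, please try again later"

# Constructed sample request in the name=value format Postfix sends;
# an empty line ends each request.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=bounce@example.net\n"
    "recipient=user@example.com\n"
    "\n"
)


def count_held(hold_dir=HOLD_DIR, stop_at=None):
    """Count queue files under hold_dir, including hashed subdirectories.

    A missing or unreadable directory counts as 0, so the check fails open
    and mail keeps flowing. Counting stops early once stop_at is exceeded.
    """
    total = 0
    for _root, _dirs, files in os.walk(hold_dir):
        total += len(files)
        if stop_at is not None and total > stop_at:
            break
    return total


def parse_request(lines):
    """Turn the name=value lines of one request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, held, max_held=MAX_HELD):
    """Return the policy action: defer when the backlog exceeds max_held."""
    if attrs.get("request") != "smtpd_access_policy":
        return "dunno"  # unknown request type: express no opinion
    if held > max_held:
        return DEFER_ACTION
    return "dunno"  # let the remaining smtpd restrictions decide


def serve(stdin=None, stdout=None, hold_dir=HOLD_DIR, max_held=MAX_HELD):
    """Answer requests until Postfix closes the connection."""
    stdin = stdin or sys.stdin
    stdout = stdout or sys.stdout
    request = []
    for raw in stdin:
        line = raw.rstrip("\r\n")
        if line:
            request.append(line)
            continue
        attrs = parse_request(request)
        request = []
        held = count_held(hold_dir, stop_at=max_held)
        stdout.write("action=%s\n\n" % decide(attrs, held, max_held))
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Under spawn(8) the process needs read access to the hold directory; the service is referenced from smtpd_recipient_restrictions with check_policy_service, as described in Postfix's SMTPD_POLICY_README.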
From: danny at tweegy.nl (Danny)
Date: Sun, 9 Aug 2015 13:39:22 +0200
Subject: 7z and other archive formats support
In-Reply-To: <04DE5299-5773-4F33-BE65-2AD6E8433B76@mailborder.com>
References: <04DE5299-5773-4F33-BE65-2AD6E8433B76@mailborder.com>
Message-ID:

On 1-8-2015 at 4:09, Jerry Benton wrote:
> I’d have to look into it. I personally have not tested it.
>
> -
> Jerry Benton
> www.mailborder.com
>
>> On Jul 31, 2015, at 6:20 PM, Danny wrote:
>>
>> Hello,
>>
>> I was wondering if MailScanner has 7z (binary) support or are the devs working on this or is it on the roadmap?
>> It would be nice to be able to look inside 7z, arj, cpio etc.
>>
>> Regards,
>> Danny

Hello Jerry and others,

I don't know whether this is the place to post any patches, but I wrote a patch adding 7z and other archives support by using the 7z binary, which is included in most distributions.
Also I added support to scan pdf's for suspicious content by using PDFid. (also external tool)
Language and subject modification support for pdf scanning isn't included (yet).

2 patch files attached to the message, one for MailScanner.conf and one for the modules, ConfigDefs.pl, Message.pm and SweepContent.pm

I found the patches useful for my setup, feel free to use them.

Regards,
Danny

-------------- next part --------------
diff -ur MailScanner.orig/ConfigDefs.pl MailScanner/ConfigDefs.pl --- MailScanner.orig/ConfigDefs.pl 2015-05-03 16:04:05.000000000 +0200 +++ MailScanner/ConfigDefs.pl 2015-08-09 11:17:49.133813987 +0200 @@ -350,6 +350,8 @@ MCPSpamAssassinTimeout 10 TNEFTimeout 120 UnrarTimeout 50 +Un7zipTimeout 50 +PDFiDTimeout 50 WhitelistMaxRecips 20 # For Qmail users qmailhashdirectorynumber 23 
@@ -405,6 +407,8 @@ MCPSpamAssassinInstallPrefix /etc/MailScanner/mcp TNEFExpander /usr/bin/tnef --maxsize=100000000 UnrarCommand /usr/bin/unrar +Un7zipCommand /usr/bin/7z +PDFiDCommand /usr/local/bin/pdfid.py VirusScanners auto # Space-separated list WorkUser WorkGroup @@ -490,6 +494,9 @@ WarnSizeSenders 0 no 0 yes 1 WarnOtherSenders 1 no 0 yes 1 # JKF 19/12/2007 WarnPasswordSenders 1 no 0 yes 1 +ScanPDF 1 no 0 yes 1 +DeliverSuspiciousPDF 0 no 0 yes 1 +SuspiciousPDFModifySubject start no 0 yes 1 start start end end [First,File] DeletedContentMessage /etc/MailScanner/reports/en/deleted.content.message.txt @@ -603,6 +610,7 @@ SizeSubjectText {Size} unzipmembers *.txt *.ini *.log *.csv unzipmimetype text/plain +SuspiciousPDFSubjectText {Suspicious PDF?} [All,YesNo] AddEnvFrom 1 no 0 yes 1 diff -ur MailScanner.orig/Message.pm MailScanner/Message.pm --- MailScanner.orig/Message.pm 2015-05-03 16:04:05.000000000 +0200 +++ MailScanner/Message.pm 2015-08-09 12:20:39.949883649 +0200 @@ -2660,8 +2660,9 @@ my($size, $level, $ziperror, $tarerror, $silentviruses, $noisyviruses); my($allziperrors, $alltarerrors, $textlevel, $failisokay); my($linenum, $foundheader, $prevline, $line, $position, $prevpos, $nextpos); - my($cyclecounter, $rarerror, $create0files, $oleerror); - + my($cyclecounter, $rarerror, $create0files, $oleerror, $sevenzerror); + my($filecommand, $PipeTimeOut, $memb, $use_unpacker); + $dir = new DirHandle; $file = new FileHandle; $level = 0; #-1; @@ -2669,6 +2670,7 @@ $cyclecounter = 0; $ziperror = 0; $tarerror = 0; + $sevenzerror = 0; # Do they only want encryption checking and nothing else? my $onlycheckencryption; 
@@ -2803,6 +2805,28 @@ #$level++; next if $level > $maxlevels; + # Do a file (magic) on every file we run into and appoint an unpacker + $PipeTimeOut = MailScanner::Config::Value('filetimeout'); + $filecommand = MailScanner::Config::Value('filecommand'); + $use_unpacker = ''; + if ($filecommand && -x $filecommand) { # check if we got support + $memb = SafePipe("$filecommand -b '$explodeinto/$part' 2>&1", + $PipeTimeOut); + + if ($memb =~ /ERROR/) { + MailScanner::Log::WarnLog("File magic error (%s)", $memb); + } elsif ( ($memb =~ /^Zip archive/i) ) { # use zip unpacker + $use_unpacker = "zip"; + } elsif ( ($memb =~ /^RAR archive/i) ) { # use (official) rar unpacker + $use_unpacker = "rar"; + } elsif ( ($memb =~ /^(7-zip|arj|cpio|lha(.*)|xar|GNU tar|POSIX tar|ASCII cpio) archive/i) || # use 7zip unpacker + ($memb =~ /^(lzh|lzma|bzip2|gzip|xz) compressed/i) || + ($memb =~ /^(RPM|Delta-RPM|Windows imaging|\# ISO|ISO)/i) ) { + $use_unpacker = "7z"; + } + } + #MailScanner::Log::WarnLog("Unpack-engine (%s) file (%s)", $use_unpacker, $part); + # Find all the zip files #print STDERR "Looking at $explodeinto/$part\n"; #next if MailScanner::Config::Value('filecommand', $this) eq ""; @@ -2828,7 +2852,8 @@ $failisokay; #print STDERR "Found a zip or rar file\n" ; $file->close, next unless MailScanner::Config::Value('findarchivesbycontent', $this) || - $part =~ /\.(tar\.g?z|taz|tgz|tz|zip|exe|rar|uu|uue|doc|xls|ppt|dot|xlt|pps)$/i; + $part =~ /\.(tar\.g?z|taz|tgz|tz|zip|exe|rar|uu|uue|doc|docx|xls|xlsx|ppt|pptx|dot|dotx|xlt|xltx|pps|ppsx)$/i; +# $part =~ /\.(tar\.g?z|taz|tgz|tz|zip|exe|rar|uu|uue|doc|xls|ppt|dot|xlt|pps)$/i; $foundnewfiles = 1; #print STDERR "Unpacking $part at level $level\n"; 
@@ -2848,10 +2873,11 @@ $ziperror = $this->UnpackZip($part, $explodeinto, $allowpasswords, $insistpasswords, $onlycheckencryption, $create0files); + #MailScanner::Log::WarnLog("UnpackZip (%s) file (%s)", $ziperror, $part); #print STDERR "* * * * * * * Unpackzip $part returned $ziperror\n"; # If unpacking as a zip failed, try it as a rar $rarerror = ""; - if ($part =~ /\.rar$/i || $buffer eq "Rar!" or $buffer =~ /^MZ[P]?/) { + if ($part =~ /\.rar$/i || $use_unpacker eq "rar" || $buffer eq "Rar!") { $rarerror = $this->UnpackRar($part, $explodeinto, $allowpasswords, $insistpasswords, $onlycheckencryption, $create0files); @@ -2872,7 +2898,17 @@ $tarerror = 0 # $this->UnpackTar($part, $explodeinto, $allowpasswords) if $ziperror || $part =~ /(tar\.g?z|tgz)$/i; #print STDERR "In inner: \"$part\"\n"; - if ($ziperror eq "nonpassword" || $rarerror eq "nonpassword") { + + if ( + ($use_unpacker eq "7z") || + ($part =~ /\.(001|7z|arj|bz2|bzip2|cab|cpio|deb|dmg|fat|gz|gzip|hfs|iso|jar|lha|lzh|lzma)$/) || + ($part =~ /\.(ntfs|rpm|squashfs|swm|tar|taz|tbz|tbz2|tgz|tpz|txz|vhd|wim|xar|xz|z)$/) ) { + $sevenzerror = $this->Unpack7zip($part, $explodeinto, $allowpasswords, + $insistpasswords, + $onlycheckencryption, $create0files); + } + + if ($ziperror eq "nonpassword" || $rarerror eq "nonpassword" || $sevenzerror eq "nonpassword" ) { # Trim off leading type indicator character for logging. my $f = substr($part,1); MailScanner::Log::WarnLog("Non-password-protected archive (%s) in %s", 
@@ -2886,7 +2922,7 @@ $this->{cantdisinfect} = 1; # Don't even think about disinfecting this! $this->{silent}=1 if $silentviruses =~ / Zip-NonPassword | All-Viruses /i; $this->{noisy} =1 if $noisyviruses =~ / Zip-NonPassword /i; - } elsif ($ziperror eq "password" || $rarerror eq "password") { + } elsif ($ziperror eq "password" || $rarerror eq "password" || $sevenzerror eq "password") { # Trim off leading type indicator character for logging. my $f = substr($part,1); MailScanner::Log::WarnLog("Password-protected archive (%s) in %s", @@ -2900,7 +2936,7 @@ $this->{cantdisinfect} = 1; # Don't even think about disinfecting this! $this->{silent}=1 if $silentviruses =~ / Zip-Password | All-Viruses /i; $this->{noisy} =1 if $noisyviruses =~ / Zip-Password /i; - } elsif ($ziperror && $tarerror && $rarerror && !$failisokay) { + } elsif ($ziperror && ($tarerror || $rarerror || $sevenzerror) && !$failisokay) { # Trim off leading type indicator character for logging. my $f = substr($part,1); MailScanner::Log::WarnLog("Unreadable archive (%s) in %s", @@ -3248,6 +3284,7 @@ while(<$Kid>) { $Str .= $_; #print STDERR "SafePipe : Processing line \"$_\"\n"; + #MailScanner::Log::WarnLog("SafePipe : Processing line \"$_\" \n"); } #MailScanner::Log::DebugLog("SafePipe : Completed $Cmd"); 
@@ -3325,6 +3362,217 @@ } +# Unpack a 7za file into the named directory. +# Return 1 if an error occurred, else 0. +# Return 0 on success. +# Return "password" if a member was password-protected. +# Very much like UnpackZip except it uses the external "7z" command. +sub Unpack7zip { + my($this, $zipname, $explodeinto, $allowpasswords, $insistpasswords, $onlycheckencryption, $touchfiles) = @_; + + my($zip, @members, $member, $name, $fh, $safename, $memb, $check, $junk, + $unzip, $unrar, $IsEncrypted, $PipeTimeOut, $PipeReturn,$NameTwo, $HasErrors, + $member2, $Stuff, $BeginInfo, $EndInfo, $ParseLine, $what, $nopathname); + + # Timeout value for unrar is currently the same as that of the file + # command + 20. Julian, when you add the filetimeout to the config file + # perhaps you should think about adding a maxcommandexecutetime setting + # as well + $PipeTimeOut = MailScanner::Config::Value('un7ziptimeout'); + $unzip = MailScanner::Config::Value('un7zipcommand'); + return 1 unless $unzip && -x $unzip; + + #MailScanner::Log::WarnLog("7ZipUnpacker: %s", $zipname); + + # This part lists the archive contents and makes the list of + # file names within. "This is a list verbose option" + #$memb = SafePipe("$unrar v -p- '$explodeinto/$zipname' 2>&1", + # $PipeTimeOut); + $memb = SafePipe("$unzip l '$explodeinto/$zipname' 2>&1", + $PipeTimeOut); + + if ($memb =~ /^error/i) { + MailScanner::Log::WarnLog("7ZipUnpacker: (%s)", $memb); + $HasErrors = 1; + } + #MailScanner::Log::WarnLog("7z output: %s", $memb); + + $junk = ""; + $Stuff = ""; + $BeginInfo = 0; + $EndInfo = 0; + $ParseLine = 1; + $memb =~ s/\r//gs; + my @test = split /\n/, $memb; + $memb = ''; + + # Have to parse the output from the 'v' command and parse the information + # between the ----------------------------- lines + foreach $what (@test) { + #print STDERR "Processing \"$what\"\n"; + #MailScanner::Log::WarnLog("7z what: %s", $what); + + # Have we already hit the beginng and now find another ------ string? 
+ # If so then we are at the end + $EndInfo = 1 if $what =~ /-{18,}$/ && $BeginInfo; + + # if we are after the begning but haven't reached the end, + # then process this line + if ($BeginInfo && !$EndInfo) { + # MailScanner::Log::WarnLog("7z what: %s", $what); + # If we are on line one then it's the file name with full path + # otherwise we are on the info line containing the attributes + $what =~ s/ +/ /g; + my (@Zarray ) = split /\s/, $what; + my $Zname = pop @Zarray; # this is the most important value, other values are nice to have but this one we must have + my $Zdate = $Zarray[0]; + my $Ztime = $Zarray[1]; + my $Zattr = $Zarray[2]; + #my $Zsize = $Zarray[3]; + #my $ZCsize = $Zarray[4]; + + #MailScanner::Log::WarnLog("7z-members: [%s] [%s] [%s] [%s] [%s] [%s]", $Zdate, $Ztime, $Zattr, $Zsize, $ZCsize, $Zname); + + $memb .= "$Zname\n" if $Zattr !~ /^d|^D/; + } + + # If we have a line full of ---- and $BeginInfo is not set then + # we are at the first and we need to set $BeginInfo so next pass + # begins processing file information + if ($what =~ /-{18,}$/ && ! $BeginInfo) { + $BeginInfo = 1; + } + } + + + # Remove returns from the output string, exit if the archive is empty + # or the output is empty + + $memb =~ s/\r//gs; + return 1 if $memb ne '' && + $memb =~ /(No files to extract|^COMMAND_TIMED_OUT$)/si; + + return 0 if $memb eq ''; + #MailScanner::Log::DebugLog("Unrar : Archive Testing Completed On : %s", + # $memb); + + @members = split /\n/, $memb; + $fh = new FileHandle; + + foreach $member2 (@members) { + $IsEncrypted = 0; + $HasErrors = 0; + #MailScanner::Log::InfoLog("Checking member %s",$member2); + # Test the current file name to see if it's password protected + # and capture the output. 
If the command times out, then return + + next if $member2 eq ""; + $member = quotemeta $member2; + #print STDERR "Member is ***$member***\n"; + #MailScanner::Log::WarnLog("Un7zip: member %s",$member ); + + $check = SafePipe( + "$unzip -y t '$explodeinto/$zipname' $member 2>&1", + $PipeTimeOut); + #print STDERR "Point 1\n"; + return 1 if $check =~ /^COMMAND_TIMED_OUT$/; + + # Check for any error with this file. Format is FileName - Error string + if ($check =~ /$member\s+-\s/i){ + MailScanner::Log::WarnLog("Un7zip Error in file: %s -> %s", + $zipname,$member); + $HasErrors = 1; + } + + $check =~ s/\n/:/gsi; + #MailScanner::Log::WarnLog("Got : %s", $check); + + # If we get the string Encrypted then we have found a password + # protected archive and we handle it the same as zips are handled + + if ($check =~ /\bEnter password(.*)\bWrong password/s) { + $IsEncrypted = 1; + MailScanner::Log::WarnLog("Password Protected archive Found"); + #print STDERR "Checking member " . $member . "\n"; + #print STDERR "******** Encryption = " . $IsEncrypted . "\n"; + return "password" if !$allowpasswords && $IsEncrypted; + } else { + if ($insistpasswords) { + MailScanner::Log::WarnLog("Non-Password Protected archive Found"); + return "nonpassword"; + } + } + + + # If they don't want to extract, but only check for encryption, + # then skip the rest of this as we don't actually want the files + # checked against the file name/type rules + + next if $onlycheckencryption; + + $name = $member2; + #print STDERR "UnPackRar : Making Safe Name from $name\n"; + + # There is no facility to change the output name for a rar file + # but we can rename rename the files inside the archive + # prefer to use $NameTwo because there is no path attached + # $safename is guaranteed not to exist, but NameTwo gives us the + # filename without any directory information, which we use later. 
+ $nopathname = $name; + $nopathname =~ s/^.*\///; + $safename = $this->MakeNameSafe('r'.$nopathname,$explodeinto); + $NameTwo = $safename; + $NameTwo = $1 if $NameTwo =~ /([^\/]+)$/; + #MailScanner::Log::InfoLog("UnPackRar: Member : %s", $member); + #print STDERR "UnPackRar : Safe Name is $safename\n"; + + #MailScanner::Log::InfoLog("UnPackRar: SafeName : %s", $safename); + $this->{file2parent}{$name} = $zipname; + $this->{file2parent}{$safename} = $zipname; + $this->{file2safefile}{$name} = $safename; + $this->{safefile2file}{$safename} = $name; + #print STDERR "Archive member \"$name\" is now \"$safename\"\n"; + + #$this->{file2entity}{$name} = $this->{entity}; + # JKF 20090505 Don't do this: $this->{file2safefile}{$name} = $zipname; + #$this->{safefile2file}{$safename} = $zipname; + + $safename = "$explodeinto/$safename"; + + $PipeReturn = ''; + $? = 0; + if (!$IsEncrypted && !$HasErrors) { + #print STDERR "Expanding ***$member***\ninto ***$NameTwo***\n"; + $PipeReturn = SafePipe( + "$unzip e -y -so '$explodeinto/$zipname' $member > \"$NameTwo\"", + $PipeTimeOut); + unless ("$?" == 0 && $PipeReturn ne 'COMMAND_TIMED_OUT'){ + # The rename operation failed!, so skip the extraction of a + # potentially bad file name. + # JKF Temporary testing code + #MailScanner::Log::WarnLog("UnPackRar: RC: %s PipeReturn : ",$?,$PipeReturn); + MailScanner::Log::WarnLog("7zipUnpacker: Could not rename or use " . + "safe name in Extract, NOT Unpacking file %s", $safename); + next; + } + #MailScanner::Log::InfoLog("7zipUnacker: Done...., got %d and %s for %s", $?, $PipeReturn, $safename); + } + #MailScanner::Log::WarnLog("RC = %s : Encrypt = %s : PipeReturn = %s", + # $?,$IsEncrypted,$PipeReturn ); + unless ("$?" == 0 && !$HasErrors && !$IsEncrypted && + $PipeReturn ne 'COMMAND_TIMED_OUT') { + + # If we got an error, or this file is encrypted create a zero-length + # file so the filename tests will still work. 
+ MailScanner::Log::WarnLog("7zipUnpacker : Encrypted Or Extract Error Creating" . + " 0 length %s",$NameTwo); + $touchfiles && $fh->open(">$safename") && $fh->close(); + } + } + return 0; +} + + # Unpack a zip file into the named directory. # Return 1 if an error occurred, else 0. # Return 0 on success. diff -ur MailScanner.orig/SweepContent.pm MailScanner/SweepContent.pm --- MailScanner.orig/SweepContent.pm 2015-05-03 16:04:05.000000000 +0200 +++ MailScanner/SweepContent.pm 2015-08-09 12:14:33.641879518 +0200 @@ -140,6 +140,10 @@ # Check all the files for the attachment-size limit $counter += CheckAttachmentSizes($message, $id); + # Check PDF's for any suspicious content + if (MailScanner::Config::Value('scanpdf')) { + $counter += CheckPDF($message, $id); + } # Search for Microsoft-specific attacks # Disallow both by default. Allow them only if all addresses agree. my $iframevalue = MailScanner::Config::Value('allowiframetags', $message); 
@@ -336,6 +340,98 @@ return $counter; } +# Danny: added scanning of PDF's for suspicious content using PDFiD +# more information at http://blog.didierstevens.com/programs/pdf-tools/ +sub CheckPDF { + my($message, $id) = @_; + + my($BaseDir, $basefh, $safename, $maxsize, $attachsize, $tnefname); + my($unsafename, $counter, $minsize, $attachentity); + + my ($PDFiDPipeTimeOut, $PDFiDcommand, $FilePipeTimeOut, $filecommand, $memb); + + # return if we don't want pdf scanning + return 0 unless (MailScanner::Config::Value('scanpdf')); + + $PDFiDPipeTimeOut = MailScanner::Config::Value('pdfidtimeout'); + $PDFiDcommand = MailScanner::Config::Value('pdfidcommand'); + + # return if pdfif.py doesn't exists or it isn't executable + return 1 unless ($PDFiDcommand && -x $PDFiDcommand); + + $FilePipeTimeOut = MailScanner::Config::Value('filetimeout'); + $filecommand = MailScanner::Config::Value('filecommand'); + + # Get into the directory containing all the attachments + $BaseDir = $global::MS->{work}->{dir} . "/$id"; + chdir $BaseDir or die "Cannot chdir to $BaseDir for file size checking, $!"; + + $basefh = new DirHandle; + $basefh->open('.') + or MailScanner::Log::DieLog("Could not open attachment dir %s, %s", + $BaseDir, $!); + $counter = 0; + while ($safename = $basefh->read()) { + next if $safename eq '.' 
|| $safename eq '..'; + + #MailScanner::Log::WarnLog("Looping attachment (%s/%s)", $BaseDir, $safename); + + if ($filecommand && -x $filecommand) { + $memb = MailScanner::Message::SafePipe("$filecommand -b '$BaseDir/$safename' 2>&1", # re-use SafePipe from Message.pm + $FilePipeTimeOut); + + if ($memb =~ /ERROR/) { + MailScanner::Log::WarnLog("File magic error (%s)", $memb); + } elsif ( ($memb =~ /^PDF document/i || $safename =~ /\.pdf$/i) ) { + MailScanner::Log::WarnLog("Checking PDF for malicious content (%s/%s)", $BaseDir, $safename); + + if ($PDFiDcommand && -x $PDFiDcommand) { + $memb = MailScanner::Message::SafePipe("$PDFiDcommand -s '$BaseDir/$safename' 2>&1", # re-use SafePipe from Message.pm + $PDFiDPipeTimeOut); + my $orig_memb = $memb; + $memb =~ s/\r//g; + $memb =~ s/\n/ /g; + my $remove = 0; + if ($memb =~ /Traceback|Not a PDF/i) { + MailScanner::Log::WarnLog("PDFiD scan error (%s)", $memb); + + } elsif ( $memb =~ /PDF Header/i ) { + #MailScanner::Log::WarnLog("PDFiD: result (%s)", $orig_memb); + my $score = 0; + my (@string_array) = split /\n/,$orig_memb; + shift @string_array; # remove fullpath/filename + foreach my $string (@string_array) + { + $string =~ s/ +/ /g; + my ($dummy, $code, $number) = split / /,$string; + if ( (($code =~ /JS|JavaScript|AA|OpenAction|RichMedia|Launch/) && ($number !~ /0/)) || ($number =~ /\(.*\)/) ) { + $score += 10; # if any string matches and value is != 0 or we got some obfuscation add 10 to score + } elsif (($code =~ /EmbeddedFile|Encrypt|ObjStm|JBIG2Decode|XFA|Colors/) && ($number !~ /0/) ){ + $score++; # if any string matches and value is != 0 add 1 to score + } + } + if ($score >= 2) { + $remove = 1; + } + } else { + MailScanner::Log::WarnLog("PDFiD: unknown and therefor suspicous result (%s)", $memb); + $remove = 1; + } + if ($remove && MailScanner::Config::Value('deliversuspiciouspdf', $message) eq 0) { + $message->{otherreports}{$safename} .= + "A PDF with suspicous content was found, these are often used by 
malware to exploit system vulnerabilities\n"; + #MailScanner::Config::LanguageValue($message,'foundpdf') . "\n"; # todo add to language conf + $message->{othertypes}{$safename} .= "c"; + $counter++; + $message->{otherinfected}++; + } + } + } + } + } + return $counter; +} + # Walk the entire tree of a message, looking for any -------------- next part -------------- --- MailScanner.conf.orig 2015-08-09 11:58:15.341860815 +0200 +++ MailScanner.conf 2015-08-09 12:03:17.273867373 +0200 @@ -457,6 +457,31 @@ # RAR archive (in seconds) Unrar Timeout = 50 +# Used as unpacking engine for multiple archive formats +Un7zip Command = /usr/bin/7z +# +Un7zip Timeout = 50 + + +# Used for string scanning a pdf for possible malicious content +# http://blog.didierstevens.com/programs/pdf-tools/#pdfid +PDFiD Command = /usr/local/bin/pdfid.py + +# +PDFiD Timeout = 50 + +# Enable pdf scanning using PDFiD +Scan PDF = yes + +# Block and replace pdf if possible malicious content is detected +Deliver Suspicious PDF = no + +# Todo: allow PDF but change Subject +# Subject change only possible when Delivery of Suspicious PDFs is Yes +#Suspicious PDF Modify Subject = start +#Suspicious PDF Subject Text = {Suspicious PDF?} + + # A few viruses store their infected data in UU-encoded files, to try to # catch out virus scanners. This rarely succeeds at all. # Setting this option to yes means that you can apply filename and filetype From alex at vidadigital.com.pa Sun Aug 9 19:38:57 2015 
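Review bot: In the listing loop of the Unpack7zip hunk, `my $Zname = pop @Zarray;` after `split /\s/` keeps only the last whitespace-separated token of each row, so a member named `annual report.doc` becomes `report.doc`, the later `7z t` and `7z e` calls ask for a name that is not in the archive, and the real member is never tested for a password or extracted for the filename and content checks. Take the name from the listing's fixed column, or list with `-slt` and read the `Path = ` lines, and treat a member that cannot be matched as an error. Two smaller points in the same hunk: `quotemeta` is a regex escape rather than a shell quote, and a member name beginning with `-` still reaches 7z as a switch, so put `--` before the archive name; and `$HasErrors = 1` set from the listing output is reset to 0 at the top of the member loop, so a listing error never affects the result.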
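Review bot: In the SweepContent.pm hunk at line 140, `MailScanner::Config::Value('scanpdf')` is evaluated without `$message`, unlike the `allowiframetags` lookup a few lines below it, and CheckPDF repeats the same test on entry. Pass `$message` so the option can be resolved per message like its neighbours, keep the check in one place, and leave a blank line before the "Search for Microsoft-specific attacks" comment so the two blocks stay visually separate.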
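Review bot: In the scoring loop of CheckPDF, `$number !~ /0/` is meant to test for a non-zero count but rejects every count that contains the digit 0, so a PDF for which PDFiD reports 10 or 20 `JS` or `OpenAction` entries adds nothing to `$score`; compare numerically (`$number != 0`) after confirming the field is digits. Also, `return 1 unless ($PDFiDcommand && -x $PDFiDcommand);` is added to the caller's `$counter` as if a problem had been found when the scanner is simply missing, so return 0 and log instead. The whole PDFiD branch sits inside `if ($filecommand && -x $filecommand)`, which means PDFs are skipped silently when no file command is configured, and `eq 0` on `deliversuspiciouspdf` is a string comparison where a boolean test would say what is meant.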
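Review bot: In the MailScanner.conf hunk, `Un7zip Timeout` and `PDFiD Timeout` are introduced under an empty `#` comment, while the neighbouring `Unrar Timeout` entry documents its unit ("in seconds"); say what each timeout bounds and in which unit. `Scan PDF = yes` also switches a new external scanner on by default for every site that merges this file, which deserves either a sentence in the comment or a default of `no`.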
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Sun, 9 Aug 2015 14:38:57 -0500
Subject: Mailscanner + postfix: dealing with huge loads on distributed mailserver setup
In-Reply-To:
References:
Message-ID:

Or have newsletters come out a sub domain with a different MX instead.

On Aug 9, 2015 3:47 AM, "Martin Hepworth" wrote:

> Another way is to get the marketing crew to use a no-reply type address
> that'll just bounce (you're check invalid recipients in pf right) and
> something like constant contact to send the campaigns in the first place.
> They'll them way better metrics about opens etc
> On Sat, 8 Aug 2015 at 22:46, wrote:
>
>> Hi All.
>>
>> We've got 2 servers with MailScanner+Mailwatch, using Postfix as MTA.
>> Recently we've experienced huge incoming load from distributed locations
>> (our marketing team fired up large newsletter and our corporate server
>> got about 10K "auto-reply" mails in just 20 minutes), and our 'hold'
>> queue got filled up with mails. It caused big delay in receiving
>> legitimate mails, and MailScanner (15 children max.) was busy with them
>> for about an hour.
>>
>> Is there any way to prevent Postfix from receiving any new mail if there
>> is a clog in Hold queue? For example, if there are more than 500
>> messages, don't receive new mail and respond with 421 code so clients
>> would go to another mail server?
>> I haven't found any solid measures against it, and I'm considering to
>> write own policy-server for Postfix. It's complicated task (and I'm lack
>> of coding skills), and I want to be sure that I haven't missed vanilla
>> setting for this.
>>
>> So, basically, there two questions: is there some sort of failswitch to
>> prevent Postfix to get new connections if there is a clog in queue, and
>> how do you deal with huge mailing loads?
>>
>> Thank you.

From mailscanner-list at okla.com Mon Aug 10 20:24:13 2015
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Mon, 10 Aug 2015 15:24:13 -0500
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
Message-ID: <00f201d0d3aa$89785490$9c68fdb0$@okla.com>

Since Exchange 2013 doesn't do recipient verification like Exchange 2010, I can't use milter-ahead like I could with Exchange 2010.

Does anyone have any good docs for doing LDAP recipient verification with Sendmail in a MailScanner gateway installation?

Any pointers would be appreciated :)

Thanks in advance,
Tracy Greggs

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jerry.benton at mailborder.com Mon Aug 10 21:05:14 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 10 Aug 2015 17:05:14 -0400
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <00f201d0d3aa$89785490$9c68fdb0$@okla.com>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com>
Message-ID: <1A379BDD-12EA-4178-8938-9151864935B9@mailborder.com>

So step 4 listed on this page does not exist in Exchange 2013?

https://www.mailborder.com/docs/guides/exchange-antispam

-
Jerry Benton
www.mailborder.com

> On Aug 10, 2015, at 4:24 PM, Tracy Greggs wrote:
>
> Since Exchange 2013 doesn’t do recipient verification like Exchange 2010, I can’t use milter-ahead like I could with Exchange 2010.
>
> Does anyone have any good docs for doing LDAP recipient verification with Sendmail in a MailScanner gateway installation?
>
> Any pointers would be appreciated :)
>
> Thanks in advance,
> Tracy Greggs

From jeremy at fluxlabs.net Mon Aug 10 21:20:17 2015
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Mon, 10 Aug 2015 21:20:17 +0000
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <1A379BDD-12EA-4178-8938-9151864935B9@mailborder.com>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com>, <1A379BDD-12EA-4178-8938-9151864935B9@mailborder.com>
Message-ID:

In 2013 the EMC mmc snap-in doesn't exist. It was moved to EWS (Exchange Web Services) and is managed all via the web.
Referred to as Exchange Admin Center (ECP)

So no .. Not specifically.
--
Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On Aug 10, 2015, at 4:05 PM, Jerry Benton wrote:

So step 4 listed on this page does not exist in Exchange 2013?

https://www.mailborder.com/docs/guides/exchange-antispam

-
Jerry Benton
www.mailborder.com

On Aug 10, 2015, at 4:24 PM, Tracy Greggs wrote:

Since Exchange 2013 doesn't do recipient verification like Exchange 2010, I can't use milter-ahead like I could with Exchange 2010.

Does anyone have any good docs for doing LDAP recipient verification with Sendmail in a MailScanner gateway installation?

Any pointers would be appreciated :)

Thanks in advance,
Tracy Greggs

From sbanderson at impromed.com Mon Aug 10 21:51:03 2015
From: sbanderson at impromed.com (Scott B. Anderson)
Date: Mon, 10 Aug 2015 21:51:03 +0000
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To:
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com>, <1A379BDD-12EA-4178-8938-9151864935B9@mailborder.com>
Message-ID: <7ecd83ddbaa8439e85b14554d7873894@ES4.impromed.com>

It is managed via Exchange snap-ins for Powershell. The web interface has a subset of the available commands. It might be better to write instructions for Exchange Power Shell cli which would probably be extremely similar in versions 2010, 2013 and upcoming 2016 version. (2007 also had powershell but was architecturally a lot more like 2003 than 2010, so many of the commands are different)

Scott Anderson

BTW - I painfully maintain an aliases list on my MailScanner boxes for this purpose. If you all come up with a better way for missing recipient rejection in Exchange, I'm all ears.

Scott

> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On > Behalf Of Jeremy McSpadden > Sent: Monday, August 10, 2015 4:20 PM > To: MailScanner Discussion > Subject: Re: MS Gateway for Exchange 2013 - Any LDAP documentation? > > In 2013 the EMC mmc snap-in doesn't exist. It was moved to EWS (Exchange Web > Services) and is managed all via the web. > Referred to as Exchange Admin Center (ECP) > > So no .. Not specifically. > -- > Jeremy McSpadden | Flux Labs > Local - 850-250-5590x501 | Mobile - 850-890-2543 890-2543> Fax - 850-254-2955 | Toll Free - 877-699- > FLUX Web - > http://www.fluxlabs.net > > > On Aug 10, 2015, at 4:05 PM, Jerry Benton > > wrote: > > So step 4 listed on this page does not exist in Exchange 2013? > > > https://www.mailborder.com/docs/guides/exchange-antispam > > > - > Jerry Benton > www.mailborder.com > > > > On Aug 10, 2015, at 4:24 PM, Tracy Greggs list at okla.com> wrote: > > Since Exchange 2013 doesn't do recipient verification like Exchange 2010, I can't > user milter-ahead like I could with Exchange 2010. > > Does anyone have any good docs for doing LDAP recipient verification with > Sendmail in a MailScanner gateway installation? > > Any pointers would be appreciatesd :) > > Thanks in advance, > Tracy Greggs > > > > ________________________________ > [Avast logo] > > This email has been checked for viruses by Avast antivirus software. > www.avast.com > > > > -- > This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner ... -- Rely On Us. ImproMed LLC -- From mailscanner-list at okla.com Tue Aug 11 15:50:33 2015 
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Tue, 11 Aug 2015 10:50:33 -0500
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <7ecd83ddbaa8439e85b14554d7873894@ES4.impromed.com>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com>, <1A379BDD-12EA-4178-8938-9151864935B9@mailborder.com> <7ecd83ddbaa8439e85b14554d7873894@ES4.impromed.com>
Message-ID: <01a701d0d44d$7924ce90$6b6e6bb0$@okla.com>

The organization that this is being installed for is a small office and I get away with setting things up with virtusertable/access and it is a hyper-v vm but I would like to get a script crontabbed that would pull the LDAP users once a day and restart MailScanner which would make the portability of my MS gateway vm easier for other clients.

I don't really want to do the realtime ldap query because of the load on the Exchange server if and when a dictionary attack occurs. I have seen other posts in other forums that say that can lead to a huge load on the Exchange box and possibly crash it.

If anyone out there has a script that would satisfy my needs, I would certainly appreciate it.

Thanks!

Tracy Greggs

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott B. Anderson Sent: Monday, August 10, 2015 4:51 PM To: MailScanner Discussion Subject: RE: MS Gateway for Exchange 2013 - Any LDAP documentation? It is managed via Exchange snap-ins for Powershell. The web interface has a subset of the available commands. It might be better to write instructions for Exchange Power Shell cli which would probably be extremely similar in versions 2010, 2013 and upcoming 2016 version. (2007 also had powershell but was architecturally a lot more like 2003 than 2010, so many of the commands are different) Scott Anderson BTW - I painfully maintain an aliases list on my MailScanner boxes for this purpose. If you all come up with a better way for missing recipient rejection in Exchange, I'm all ears. Scott > -----Original Message----- 
> From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] > On Behalf Of Jeremy McSpadden > Sent: Monday, August 10, 2015 4:20 PM > To: MailScanner Discussion > Subject: Re: MS Gateway for Exchange 2013 - Any LDAP documentation? > > In 2013 the EMC mmc snap-in doesn't exist. It was moved to EWS > (Exchange Web > Services) and is managed all via the web. > Referred to as Exchange Admin Center (ECP) > > So no .. Not specifically. > -- > Jeremy McSpadden | Flux Labs > Local - 850-250-5590x501 | Mobile - > 850-890-2543 890-2543> Fax - 850-254-2955 | Toll Free - 877-699- > FLUX Web - > http://www.fluxlabs.net > > > On Aug 10, 2015, at 4:05 PM, Jerry Benton > > wrote: > > So step 4 listed on this page does not exist in Exchange 2013? > > > https://www.mailborder.com/docs/guides/exchange-antispam > > > - > Jerry Benton > www.mailborder.com > > > > On Aug 10, 2015, at 4:24 PM, Tracy Greggs list at okla.com> wrote: > > Since Exchange 2013 doesn't do recipient verification like Exchange > 2010, I can't user milter-ahead like I could with Exchange 2010. > > Does anyone have any good docs for doing LDAP recipient verification > with Sendmail in a MailScanner gateway installation? > > Any pointers would be appreciatesd :) > > Thanks in advance, > Tracy Greggs > > > > ________________________________ > [Avast logo] > > This email has been checked for viruses by Avast antivirus software. > www.avast.com > > > > -- > This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info r.info> http://lists.mailscanner.info/listinfo/mailscanner > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info r.info> http://lists.mailscanner.info/listinfo/mailscanner ... -- Rely On Us. 
ImproMed LLC
--

From endelwar at aregar.it Tue Aug 11 15:55:23 2015
From: endelwar at aregar.it (Manuel Dalla Lana)
Date: Tue, 11 Aug 2015 17:55:23 +0200
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <01a701d0d44d$7924ce90$6b6e6bb0$@okla.com>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com> <1A379BDD-12EA-4178-8938-9151864935B9@mailborder.com> <7ecd83ddbaa8439e85b14554d7873894@ES4.impromed.com> <01a701d0d44d$7924ce90$6b6e6bb0$@okla.com>
Message-ID: <55CA1AEB.1040003@aregar.it>

On 11/08/15 17:50, Tracy Greggs wrote:
> If anyone out there has a script that would satisfy my needs, I would certainly appreciate it.
>

Hi Tracy,
you can take inspiration from the MailWatch LDAP user import script[1] and create a new one that populates a db table or a file that can be looked up by the mailserver.

ciao,
Manuel

[1] https://github.com/mailwatch/1.2.0/blob/master/tools/Cron_jobs/mailwatch_ldap_sync.sh

From jerry.benton at mailborder.com Tue Aug 11 16:06:41 2015
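One way to build the recipient file that Tracy asks for and Manuel suggests, as an added example that is not code from any poster or from MailWatch: it parses an LDIF export (assumed to be produced elsewhere by the daily cron job), collects the `mail` and SMTP `proxyAddresses` values, and refuses to publish a list that has shrunk sharply, so a failed directory query cannot turn into rejecting every recipient. The `To:address RELAY` access-map output, the 20% threshold, and all names and addresses are assumptions.

```python
import base64
import re

# Constructed sample: what an LDIF export of mail-enabled directory entries
# might look like. example.com and every name here are placeholders.
SAMPLE_LDIF = "\n".join([
    "dn: CN=Alice Example,OU=Staff,DC=example,DC=com",
    "mail: alice@example.com",
    "proxyAddresses: SMTP:alice@example.com",
    "proxyAddresses: smtp:a.example@example.com",
    "proxyAddresses: X400:C=US;A= ;P=Example;O=Exchange;S=Example;G=Alice;",
    "",
    "dn: CN=Bob Example,OU=Staff,DC=example,DC=com",
    "mail: Bob@Example.com",
    # LDIF folds long lines: a line starting with one space continues the last.
    "proxyAddresses: smtp:long.alias.folded.by.the.exporter@exam",
    " ple.com",
    # "::" marks a base64-encoded value.
    "proxyAddresses:: " + base64.b64encode(b"SMTP:bob@example.com").decode(),
    "",
    "dn: CN=Printer,OU=Devices,DC=example,DC=com",
    "description: no mail attributes on this entry",
])

# Deliberately strict: anything odd is dropped rather than written to the map.
ADDRESS = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")


def unfold(ldif_text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def recipients_from_ldif(ldif_text):
    """Return the sorted, de-duplicated SMTP addresses found in the export."""
    found = set()
    for line in unfold(ldif_text):
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # base64-encoded value
            try:
                value = base64.b64decode(value[1:].strip(), validate=True).decode("utf-8")
            except ValueError:  # covers bad base64 and bad UTF-8
                continue
        value = value.strip()
        attr = attr.lower()
        if attr == "proxyaddresses":
            scheme, _, addr = value.partition(":")
            if scheme.lower() != "smtp":  # skip X400, SIP, ...
                continue
        elif attr == "mail":
            addr = value
        else:
            continue
        addr = addr.strip().lower()
        if ADDRESS.match(addr):
            found.add(addr)
    return sorted(found)


def safe_to_publish(new, old, max_drop=0.2):
    """Reject an empty list, or one that lost more than max_drop of the old entries."""
    if not new:
        return False
    if not old:
        return True
    lost = len(set(old) - set(new))
    return lost <= max_drop * len(old)


def render_access(recipients):
    """Format one access-map line per recipient (assumed 'To:addr<TAB>RELAY' form)."""
    return "".join("To:%s\tRELAY\n" % addr for addr in recipients)


def build_access_map(ldif_text, previous):
    """Return new map text, or raise so the cron job keeps yesterday's file."""
    new = recipients_from_ldif(ldif_text)
    if not safe_to_publish(new, previous):
        raise RuntimeError("recipient list shrank too much; keeping the old map")
    return render_access(new)


if __name__ == "__main__":
    print(build_access_map(SAMPLE_LDIF, []), end="")
```

Because the list is built offline once a day, a dictionary attack against the gateway is answered from the local map and never reaches the directory server.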
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 11 Aug 2015 12:06:41 -0400
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <01a701d0d44d$7924ce90$6b6e6bb0$@okla.com>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com> <1A379BDD-12EA-4178-8938-9151864935B9@mailborder.com> <7ecd83ddbaa8439e85b14554d7873894@ES4.impromed.com> <01a701d0d44d$7924ce90$6b6e6bb0$@okla.com>
Message-ID: <1F7C1710-5351-47D6-BF3B-8DD39B6BBF92@mailborder.com>

Recipient verification is cached, so your server is not going to crash. It is not done via LDAP. I made a video a couple of years ago covering this topic here:

https://www.youtube.com/watch?v=J2XfMbu7GfQ

-
Jerry Benton
www.mailborder.com

> On Aug 11, 2015, at 11:50 AM, Tracy Greggs wrote:
>
> The organization that this is being installed for is a small office and I get away with setting things up with virtusertable/access and it is a hyper-v vm but I would like to get a script crontabbed that would pull the LDAP users once a day and restart MailScanner which would make the portability of my MS gateway vm easier for other clients.
>
> I don't really want to do the realtime ldap query because of the load on the Exchange server if and when a dictionary attack occurs. I have seen other posts in other forums that say that can lead to a huge load on the Exchange box and possibly crash it.
>
> If anyone out there has a script that would satisfy my needs, I would certainly appreciate it.
>
> Thanks!
>
> Tracy Greggs
>
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott B. Anderson > Sent: Monday, August 10, 2015 4:51 PM > To: MailScanner Discussion > Subject: RE: MS Gateway for Exchange 2013 - Any LDAP documentation? > > It is managed via Exchange snap-ins for Powershell. The web interface has a subset of the available commands. It might be better to write instructions for Exchange Power Shell cli which would probably be extremely similar in versions 2010, 2013 and upcoming 2016 version. (2007 also had powershell but was architecturally a lot more like 2003 than 2010, so many of the commands are different) > > Scott Anderson > > BTW - I painfully maintain an aliases list on my MailScanner boxes for this purpose. If you all come up with a better way for missing recipient rejection in Exchange, I'm all ears. > > Scott > > >> -----Original Message----- 
>> From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] >> On Behalf Of Jeremy McSpadden >> Sent: Monday, August 10, 2015 4:20 PM >> To: MailScanner Discussion >> Subject: Re: MS Gateway for Exchange 2013 - Any LDAP documentation? >> >> In 2013 the EMC mmc snap-in doesn't exist. It was moved to EWS >> (Exchange Web >> Services) and is managed all via the web. >> Referred to as Exchange Admin Center (ECP) >> >> So no .. Not specifically. >> -- >> Jeremy McSpadden | Flux Labs >> Local - 850-250-5590x501 | Mobile - >> 850-890-2543> 890-2543> Fax - 850-254-2955 | Toll Free - 877-699- >> FLUX Web - >> http://www.fluxlabs.net >> >> >> On Aug 10, 2015, at 4:05 PM, Jerry Benton >> > wrote: >> >> So step 4 listed on this page does not exist in Exchange 2013? >> >> >> https://www.mailborder.com/docs/guides/exchange-antispam >> >> >> - >> Jerry Benton >> www.mailborder.com >> >> >> >> On Aug 10, 2015, at 4:24 PM, Tracy Greggs > list at okla.com> wrote: >> >> Since Exchange 2013 doesn't do recipient verification like Exchange >> 2010, I can't user milter-ahead like I could with Exchange 2010. >> >> Does anyone have any good docs for doing LDAP recipient verification >> with Sendmail in a MailScanner gateway installation? >> >> Any pointers would be appreciatesd :) >> >> Thanks in advance, >> Tracy Greggs >> >> >> >> ________________________________ >> [Avast logo] >> >> This email has been checked for viruses by Avast antivirus software. >> www.avast.com >> >> >> >> -- >> This message has been scanned for viruses and dangerous content by >> MailScanner, and is believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info> r.info> http://lists.mailscanner.info/listinfo/mailscanner >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info> r.info> http://lists.mailscanner.info/listinfo/mailscanner > > ... > > -- > Rely On Us. 
> ImproMed LLC > -- > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > > --- > This email has been checked for viruses by Avast antivirus software. > https://www.avast.com/antivirus > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From jerry.benton at mailborder.com Tue Aug 11 16:26:47 2015 
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 11 Aug 2015 12:26:47 -0400
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <00f201d0d3aa$89785490$9c68fdb0$@okla.com>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com>
Message-ID: <2EB53CA9-8066-4E4D-93EC-D470375BAA00@mailborder.com>

As a note regarding anti-spam features on Exchange 2013 from the Microsoft website:

"Exchange uses transport agents to provide anti-spam protection, and the built-in agents that are available in Exchange 2013 are relatively unchanged from Microsoft Exchange Server 2010."

https://technet.microsoft.com/en-us/library/JJ218660(v=EXCHG.150).aspx

Again, covered in the video I created here:

https://youtu.be/J2XfMbu7GfQ

-
Jerry Benton
www.mailborder.com

> On Aug 10, 2015, at 4:24 PM, Tracy Greggs wrote:
>
> Since Exchange 2013 doesn’t do recipient verification like Exchange 2010, I can’t use milter-ahead like I could with Exchange 2010.
>
> Does anyone have any good docs for doing LDAP recipient verification with Sendmail in a MailScanner gateway installation?
>
> Any pointers would be appreciated :)
>
> Thanks in advance,
> Tracy Greggs

From mailscanner-list at okla.com Tue Aug 11 20:33:20 2015
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Tue, 11 Aug 2015 15:33:20 -0500
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <2EB53CA9-8066-4E4D-93EC-D470375BAA00@mailborder.com>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com> <2EB53CA9-8066-4E4D-93EC-D470375BAA00@mailborder.com>
Message-ID: <01e801d0d474$faa449b0$efecdd10$@okla.com>

Thanks for the info Jerry. My installation is with Sendmail and not postfix. Your video is great but it is for Exchange 2010. The Exchange 2013 Admin Center does not have the applicable section to reject messages to users that do not exist.

Maybe my head is in the wrong place.

Does anyone on this list have a Mailscanner/Sendmail gateway in production use with Exchange 2013? If so, how are you doing recipient verification from the MS gateway?

It’s not that I am 100% unwilling to go the postfix route, but I have been using Sendmail for 20 years and hate to change now. It has always just worked flawlessly even in the MS gateway configuration with Exchange 2010 and milter-ahead to perform the call ahead.

The quick fix for me is to use Exchange 2010 for this installation but I would like to be able to get this working.

Again, maybe my head is in my arse!

Thanks,
Tracy Greggs
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: Tuesday, August 11, 2015 11:27 AM To: MailScanner Discussion Subject: Re: MS Gateway for Exchange 2013 - Any LDAP documentation? As a note regarding anti-spam features on Exchange 2013 from the Microsoft website: "Exchange uses transport agents to provide anti-spam protection, and the built-in agents that are available in Exchange 2013 are relatively unchanged from Microsoft Exchange Server 2010.” https://technet.microsoft.com/en-us/library/JJ218660(v=EXCHG.150).aspx Again, covered in the video I created here: https://youtu.be/J2XfMbu7GfQ - Jerry Benton www.mailborder.com On Aug 10, 2015, at 4:24 PM, Tracy Greggs wrote: Since Exchange 2013 doesn’t do recipient verification like Exchange 2010, I can’t user milter-ahead like I could with Exchange 2010. Does anyone have any good docs for doing LDAP recipient verification with Sendmail in a MailScanner gateway installation? Any pointers would be appreciatesd J Thanks in advance, Tracy Greggs _____ Avast logo This email has been checked for viruses by Avast antivirus software. www.avast.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Tue Aug 11 20:40:51 2015 
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 11 Aug 2015 16:40:51 -0400
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <01e801d0d474$faa449b0$efecdd10$@okla.com>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com> <2EB53CA9-8066-4E4D-93EC-D470375BAA00@mailborder.com> <01e801d0d474$faa449b0$efecdd10$@okla.com>
Message-ID: <3F7304EF-4494-49B8-B151-2B36D4E44831@mailborder.com>

I am sure it can be done with sendmail. I am also sure Exchange 2013 has this setting. I have not spun up Exchange 2013 in the lab yet, so I can’t give you exact instructions.

-
Jerry Benton
www.mailborder.com

From Antony.Stone at mailscanner.open.source.it Tue Aug 11 20:50:23 2015
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Tue, 11 Aug 2015 22:50:23 +0200
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <3F7304EF-4494-49B8-B151-2B36D4E44831@mailborder.com>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com> <01e801d0d474$faa449b0$efecdd10$@okla.com> <3F7304EF-4494-49B8-B151-2B36D4E44831@mailborder.com>
Message-ID: <201508112250.23815.Antony.Stone@mailscanner.open.source.it>

On Tuesday 11 August 2015 at 22:40:51, Jerry Benton wrote:

> I am sure it can be done with sendmail. I am also sure Exchange 2013 has
> this setting. I have not spun up Exchange 2013 in the lab yet, so I can’t
> give you exact instructions.

I'm absolutely no expert on MS Exchange, but is it possible that
https://technet.microsoft.com/en-us/library/bb123891(v=exchg.150).aspx at
least points you in the right direction?

Antony.

--
What do you get when you cross a joke with a rhetorical question?
Please reply to the list; please *don't* CC me.

From kevin.miller at juneau.org Tue Aug 11 22:50:02 2015
From: kevin.miller at juneau.org (Kevin Miller)
Date: Tue, 11 Aug 2015 22:50:02 +0000
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <201508112250.23815.Antony.Stone@mailscanner.open.source.it>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com> <01e801d0d474$faa449b0$efecdd10$@okla.com> <3F7304EF-4494-49B8-B151-2B36D4E44831@mailborder.com> <201508112250.23815.Antony.Stone@mailscanner.open.source.it>
Message-ID: <7f5c5c66bef34da9ade1c52be252affc@City-Exch-DB2.cbj.local>

The problem with 2013 is that it rejects after the DATA phase, meaning that the connection with the sending server is long gone by the time the reject happens. This, of course, leads to blowback to innocent users.

I have my MailScanner gateways pointing at my old exchange 07 server to do recipient validation with SMF-SAV. It's an extra hop but it works.

Microsoft did away with the edge transport in 2013, but has just recently reintroduced it. See http://windowsitpro.com/blog/exchange-2013-SP1-edge-transport-server-role-returns - we're going to toss one in the mix so we can reclaim the Exchange 07 box. Typical Microsoft to take two years to fix something so wantonly broken. But at least they *finally* read the memo. Or, more specifically, the RFC.

On my new postfix boxes I'm using getadsmtp.pl (google it). I massage the output to only include the addresses I want available to the public, then write that to the recipient table. I run it nightly. Takes about 30 seconds to run. I'll probably deprecate it after the edge transport server is built but in the mean time it works just dapper...

...Kevin

From mailscanner-list at okla.com Wed Aug 12 00:12:55 2015
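Added example (not part of the original thread, and not the code of getadsmtp.pl or getadsmtp.py): a sketch of the approach Kevin describes above, turning an Active Directory export into a gateway recipient table so that unknown recipients are refused at RCPT TO rather than after DATA. The LDIF sample, domains, exclusion list and SMTP reply texts are constructed, and the "address OK" map layout assumes a Postfix-style lookup table.

```python
"""Added example: build a gateway recipient table from an AD LDIF export.

All names, domains and addresses below are constructed sample data.
"""
import base64

# Constructed export of mail-enabled objects. It contains a base64 value
# ("attr:: ...") and a folded line (the continuation starts with one space).
SAMPLE_LDIF = (
    "dn: CN=Alice Example,OU=Staff,DC=corp,DC=example\n"
    "proxyAddresses: SMTP:Alice@example.org\n"
    "proxyAddresses: smtp:alice.example@example.org\n"
    "proxyAddresses: X400:C=US;A= ;P=Corp;O=Exchange;S=Example;G=Alice;\n"
    "\n"
    "dn: CN=Backup Service,OU=Service,DC=corp,DC=example\n"
    "proxyAddresses: SMTP:backup-svc@example.org\n"
    "\n"
    "dn: CN=Bulent Example,OU=Staff,DC=corp,DC=example\n"
    "proxyAddresses:: "
    + base64.b64encode(b"SMTP:bulent@example.org").decode("ascii") + "\n"
    "proxyAddresses: smtp:bulent@corp.example\n"
    "proxyAddresses: smtp:a-long-alias-folded-by-the-exporter-onto-a-second-li\n"
    " ne@example.org\n"
)


def unfold(ldif_text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def smtp_addresses(ldif_text):
    """Yield lower-cased SMTP addresses found in proxyAddresses values."""
    for line in unfold(ldif_text):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxyaddresses":
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        scheme, _, addr = value.strip().partition(":")
        local, at, domain = addr.partition("@")
        # Keep SMTP proxies only; X400/X500 and malformed values are skipped.
        if scheme.lower() == "smtp" and local and at and domain and "@" not in domain:
            yield addr.lower()


def build_recipient_table(ldif_text, public_domains, excluded):
    """Return the sorted addresses the gateway should accept mail for.

    public_domains and excluded must be lower case. Addresses in internal
    domains, or listed in excluded (service accounts and the like), are
    left out, so the gateway answers "user unknown" for them.
    """
    keep = set()
    for addr in smtp_addresses(ldif_text):
        domain = addr.rsplit("@", 1)[1]
        if domain in public_domains and addr not in excluded:
            keep.add(addr)
    return sorted(keep)


def render_postfix_map(addresses):
    """Render 'address<TAB>OK' lines (assumed Postfix-style lookup table)."""
    return "".join(f"{addr}\tOK\n" for addr in addresses)


def rcpt_reply(recipient, table):
    """Illustrative reply at RCPT TO, i.e. before any DATA is accepted."""
    if recipient.lower() in table:
        return "250 2.1.5 Ok"
    return "550 5.1.1 Recipient address rejected: user unknown"


if __name__ == "__main__":
    table = build_recipient_table(
        SAMPLE_LDIF, {"example.org"}, {"backup-svc@example.org"}
    )
    print(render_postfix_map(table), end="")
    for rcpt in ("alice@example.org", "nobody@example.org"):
        print(rcpt, "->", rcpt_reply(rcpt, table))
```

Because the rejection happens while the sending server is still connected, that server owns the failure and the gateway never generates a bounce to a possibly forged sender.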
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Tue, 11 Aug 2015 19:12:55 -0500
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <7f5c5c66bef34da9ade1c52be252affc@City-Exch-DB2.cbj.local>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com> <01e801d0d474$faa449b0$efecdd10$@okla.com> <3F7304EF-4494-49B8-B151-2B36D4E44831@mailborder.com> <201508112250.23815.Antony.Stone@mailscanner.open.source.it> <7f5c5c66bef34da9ade1c52be252affc@City-Exch-DB2.cbj.local>
Message-ID: <024901d0d493$a6fb1c20$f4f15460$@okla.com>

Thanks Kevin, I guess I haven't lost my mind just yet.

Tracy

From kevin.miller at juneau.org Wed Aug 12 00:20:05 2015
From: kevin.miller at juneau.org (Kevin Miller)
Date: Wed, 12 Aug 2015 00:20:05 +0000
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <024901d0d493$a6fb1c20$f4f15460$@okla.com>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com> <01e801d0d474$faa449b0$efecdd10$@okla.com> <3F7304EF-4494-49B8-B151-2B36D4E44831@mailborder.com> <201508112250.23815.Antony.Stone@mailscanner.open.source.it> <7f5c5c66bef34da9ade1c52be252affc@City-Exch-DB2.cbj.local> <024901d0d493$a6fb1c20$f4f15460$@okla.com>
Message-ID: <236ffb6814bb4fd295da89ff698d3b0d@City-Exch-DB2.cbj.local>

Nope - that comes with Exchange SP2. :-)

From michael at huntley.net Thu Aug 13 02:21:49 2015
From: michael at huntley.net (Michael Huntley)
Date: Wed, 12 Aug 2015 19:21:49 -0700
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <201508112250.23815.Antony.Stone@mailscanner.open.source.it>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com> <01e801d0d474$faa449b0$efecdd10$@okla.com> <3F7304EF-4494-49B8-B151-2B36D4E44831@mailborder.com> <201508112250.23815.Antony.Stone@mailscanner.open.source.it>
Message-ID: <55CBFF3D.1030308@huntley.net>

I use getadsmtp.py to get a list of acceptable recipients. I just run it every hour and let the smtp server check the list.

https://gist.github.com/liveaverage/4503265

Cheers!

Michael Huntley

From mailscanner-list at okla.com Thu Aug 13 23:53:15 2015
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Thu, 13 Aug 2015 18:53:15 -0500
Subject: MS Gateway for Exchange 2013 - Any LDAP documentation?
In-Reply-To: <55CBFF3D.1030308@huntley.net>
References: <00f201d0d3aa$89785490$9c68fdb0$@okla.com> <01e801d0d474$faa449b0$efecdd10$@okla.com> <3F7304EF-4494-49B8-B151-2B36D4E44831@mailborder.com> <201508112250.23815.Antony.Stone@mailscanner.open.source.it> <55CBFF3D.1030308@huntley.net>
Message-ID: <003401d0d623$3c9ce8e0$b5d6baa0$@okla.com>

Thanks to all for your responses. I am going to see what I can do with the Edge Transport and will let everyone know how that works out. I have several ways to make this work so no worries.

Tracy Greggs

From mailscanner at replies.cyways.com Fri Aug 14 03:02:21 2015
From: mailscanner at replies.cyways.com (Peter Lemieux)
Date: Thu, 13 Aug 2015 23:02:21 -0400
Subject: Rulesets for documents with OLE2 macros
Message-ID: <55CD5A3D.5020508@replies.cyways.com>

We've enabled OLE2BlockMacros in clamd.conf so clamd will reject any message with an attached MS Office document containing macros. My client's office was infected when someone unwittingly ran a macro in a Trojan horse document. The client has since globally disabled people's ability to run Office macros, but we still want to block these documents just in case.

Blocked messages create log entries like these:

MailScanner[4652]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./t7DDKoxE006712/AccountDocuments.doc

These messages are treated as viruses by MailScanner since clamd reports them as infected. However the logs indicate MailScanner knows this "infection" is an OLE2 macro violation.

Currently if we want to exempt senders from the OLE2 restriction, we need to whitelist them from virus scanning entirely. Is there a way to create a rule that keys on clamd returning the "ContainsMacros" string and permits or blocks the message based on a ruleset?

Peter

From steveb_clamav at sanesecurity.com Fri Aug 14 07:05:14 2015
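Added example, not part of the original post and not a MailScanner feature: because clamd reports macro-policy hits and signature hits through the same INFECTED log line, a log pass like this one separates messages blocked only by Heuristics.OLE2.ContainsMacros from messages that also carry a signature detection. The sample log lines, host name and every message ID except the one quoted in the post above are constructed.

```python
"""Added example: split clamd macro-heuristic hits from signature hits.

The log lines are constructed; they follow the format quoted in the thread.
"""
import re
from collections import defaultdict

MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"

# "MailScanner[pid]: Clamd::INFECTED:: <name> :: ./<message id>/<attachment>"
HIT_RE = re.compile(
    r"MailScanner\[\d+\]: Clamd::INFECTED::\s*(?P<name>\S+)\s*::\s*"
    r"\./(?P<msgid>[^/\s]+)/(?P<attachment>.+)$"
)

# Constructed sample: one macro-only message, one signature-only message,
# one message with both, and an unrelated line that must be ignored.
SAMPLE_LOG = [
    "Aug 14 09:12:01 mx1 MailScanner[4652]: Clamd::INFECTED:: "
    "Heuristics.OLE2.ContainsMacros :: ./t7DDKoxE006712/AccountDocuments.doc",
    "Aug 14 09:12:07 mx1 MailScanner[4652]: Clamd::INFECTED:: "
    "Eicar-Test-Signature :: ./t7DDKp0a006720/eicar.com",
    "Aug 14 09:13:40 mx1 MailScanner[4660]: Clamd::INFECTED:: "
    "Heuristics.OLE2.ContainsMacros :: ./t7DDKq1b006731/Q3 budget.xls",
    "Aug 14 09:13:40 mx1 MailScanner[4660]: Clamd::INFECTED:: "
    "Eicar-Test-Signature :: ./t7DDKq1b006731/eicar.com",
    "Aug 14 09:14:02 mx1 MailScanner[4660]: Virus Scanning: Found 3 viruses",
]


def collect_hits(lines):
    """Map message id -> list of (detection name, attachment) tuples."""
    hits = defaultdict(list)
    for line in lines:
        match = HIT_RE.search(line.rstrip())
        if match:
            hits[match["msgid"]].append((match["name"], match["attachment"]))
    return hits


def triage(lines):
    """Classify each message as blocked by macro policy only, or as malware.

    A message counts as macro-only when every detection on it is the macro
    heuristic; a single signature hit on any attachment makes it malware.
    """
    result = {"macro_only": [], "malware": []}
    for msgid, found in collect_hits(lines).items():
        names = {name for name, _ in found}
        bucket = "macro_only" if names == {MACRO_HEURISTIC} else "malware"
        result[bucket].append(msgid)
    return {bucket: sorted(ids) for bucket, ids in result.items()}


def review_queue(lines):
    """Macro-only messages with their attachments, for manual review."""
    hits = collect_hits(lines)
    return [
        (msgid, [attachment for _, attachment in hits[msgid]])
        for msgid in triage(lines)["macro_only"]
    ]


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    for msgid, attachments in review_queue(SAMPLE_LOG):
        print(msgid, attachments)
```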
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Fri, 14 Aug 2015 08:05:14 +0100
Subject: Rulesets for documents with OLE2 macros
In-Reply-To: <55CD5A3D.5020508@replies.cyways.com>
References: <55CD5A3D.5020508@replies.cyways.com>
Message-ID: <194ddec7d11f7c673fdfad5d4f799519.squirrel@sirius.servers.eqx.misp.co.uk>

On Fri, August 14, 2015 4:02 am, Peter Lemieux wrote:

> MailScanner[4652]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros ::
> ./t7DDKoxE006712/AccountDocuments.doc

Hi Peter,

Heuristics.OLE2.ContainsMacros will block *ALL* macros good/bad, so I guess that's why you want to whitelist some "good" senders.

In case it helps, yesterday I added a new database to stop bad macros... instead of using the Heuristics.OLE2.ContainsMacros:

badmacro.ndb

So, if you use this as well as phish.ndb it'll take care of the bad stuff.

New download scripts
http://sanesecurity.com/usage/linux-scripts/

Other signatures:
http://sanesecurity.com/usage/signatures/

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com

From blaurila at sbcglobal.net Fri Aug 14 15:56:42 2015
From: blaurila at sbcglobal.net (Bryan Laurila)
Date: Fri, 14 Aug 2015 15:56:42 +0000 (UTC)
Subject: Rule for Calendar Appointments
Message-ID: <1895124263.2876481.1439567802441.JavaMail.yahoo@mail.yahoo.com>

I have noticed over the past couple months that I have had an increase in the number of spam false positives for calendar appointments. Does anyone have a working rule that would decrease the spamassassin score for calendar appointments? Or is there a rule or setting that I can modify to allow calendar appointments through regardless of their spam score?

Thanks,
Bryan

From blaurila at sbcglobal.net Fri Aug 14 16:03:43 2015
From: blaurila at sbcglobal.net (Bryan Laurila)
Date: Fri, 14 Aug 2015 16:03:43 +0000 (UTC)
Subject: Strange MailScanner --lint error
Message-ID: <656784937.2957755.1439568223089.JavaMail.yahoo@mail.yahoo.com>

I am currently running MailScanner version 4.84.6 and in checking log files for something else I discovered the following in /var/log/mail today. Not sure how long this has been happening but I’d venture to guess it has been years…

2015-08-12T10:45:42.679370-05:00 DCMXRLY1 MailScanner[19393]: Syntax error(s) in configuration file:
2015-08-12T10:45:42.679398-05:00 DCMXRLY1 MailScanner[19393]: Unrecognised keyword "spamassassinprefsfile" at line 3129
2015-08-12T10:45:42.679411-05:00 DCMXRLY1 MailScanner[19393]: Warning: syntax errors in /etc/MailScanner/MailScanner.conf.

In running a MailScanner --lint I see the following:

Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Reading configuration file /etc/MailScanner/conf.d/web_bug
Syntax error(s) in configuration file: at /usr/lib/MailScanner/MailScanner/Config.pm line 2213.
Unrecognised keyword "spamassassinprefsfile" at line 3129 at /usr/lib/MailScanner/MailScanner/Config.pm line 2216.
Warning: syntax errors in /etc/MailScanner/MailScanner.conf. at /usr/lib/MailScanner/MailScanner/Config.pm line 2221.
Read 463 hostnames from the phishing whitelist
Read 11928 hostnames from the phishing blacklists

Checking version numbers...
Version number in MailScanner.conf (4.84.6) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (51)
MailScanner setting UID to (51)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
I have found clamav scanners installed, and will use them all by default.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 368 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
1.message: Eicar-Test-Signature-1 FOUND

./1/eicar.com: Eicar-Test-Signature FOUND

Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

In looking at /etc/MailScanner/MailScanner.conf I have the following on line 3129:

SpamAssassin Prefs File = /etc/MailScanner/spam.assassin.prefs.conf

In searching for this error regarding the spam.assassin.prefs.conf file, all I find is old stuff from like 2006-2009. Some results say to just comment out the line and others say to run upgrade_Mail_Scanner_conf.

What’s going on here and how do I fix it? All help is greatly appreciated.

Thanks,
Bryan

From mailscanner at replies.cyways.com Fri Aug 14 17:02:37 2015
From: mailscanner at replies.cyways.com (Peter Lemieux)
Date: Fri, 14 Aug 2015 13:02:37 -0400
Subject: Strange MailScanner --lint error
In-Reply-To: <656784937.2957755.1439568223089.JavaMail.yahoo@mail.yahoo.com>
References: <656784937.2957755.1439568223089.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <55CE1F2D.4030700@replies.cyways.com>

I upgraded painlessly from 4.84.6 to 4.85.2 using the install.sh script that comes with the packages at https://www.mailscanner.info/downloads/. Maybe you should give that a try?

However the string "spamassassinprefsfile" also does not appear in the Config.pm that comes with 4.85.2. I also don't see an equivalent entry in my new MailScanner.conf. Maybe that's a deprecated item?

Peter

From jerry.benton at mailborder.com Fri Aug 14 17:10:17 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 14 Aug 2015 13:10:17 -0400
Subject: Strange MailScanner --lint error
In-Reply-To: <656784937.2957755.1439568223089.JavaMail.yahoo@mail.yahoo.com>
References: <656784937.2957755.1439568223089.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <08E64A9F-3976-4432-990E-F2C737690666@mailborder.com>

Uncomment line 313 of ConfigDefs.pl

-
Jerry Benton
www.mailborder.com

From blaurila at sbcglobal.net Fri Aug 14 20:52:58 2015
From: blaurila at sbcglobal.net (Bryan Laurila)
Date: Fri, 14 Aug 2015 20:52:58 +0000 (UTC)
Subject: Strange MailScanner --lint error
In-Reply-To: <08E64A9F-3976-4432-990E-F2C737690666@mailborder.com>
References: <08E64A9F-3976-4432-990E-F2C737690666@mailborder.com>
Message-ID: <2123413622.3065342.1439585578172.JavaMail.yahoo@mail.yahoo.com>

Thanks Jerry! That got rid of the error but can you shed some light into why that line was commented out (assuming by default) and what uncommenting it will do to the functionality of MailScanner?

Bryan
-- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Fri Aug 14 21:09:46 2015 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 14 Aug 2015 17:09:46 -0400 Subject: Strange MailScanner --lint error In-Reply-To: <2123413622.3065342.1439585578172.JavaMail.yahoo@mail.yahoo.com> References: <08E64A9F-3976-4432-990E-F2C737690666@mailborder.com> <2123413622.3065342.1439585578172.JavaMail.yahoo@mail.yahoo.com> Message-ID: <9E6C702B-2E4D-4F2F-8A6A-1609D734DF12@mailborder.com> Honestly, I have no idea why it was commented out by default. I will remove it from the source unless someone else enlightens me as to do otherwise. - Jerry Benton www.mailborder.com > On Aug 14, 2015, at 4:52 PM, Bryan Laurila wrote: > > Thanks Jerry! > > That got rid of the error but can you shed some light into why that line was commented out (assuming by default) and what uncommenting it will do to the functionality of MailScanner? > > Bryan 
> > From: Jerry Benton > To: MailScanner Discussion > Sent: Friday, August 14, 2015 12:10 PM > Subject: Re: Strange MailScanner --lint error > > Uncomment line 313 of ConfigDefs.pl > > > - > Jerry Benton > www.mailborder.com > > > >> >> >> On Aug 14, 2015, at 12:03 PM, Bryan Laurila > wrote: >> >> I am currently running MailScanner version 4.84.6 and in checking log files for something else I discovered the following in /var/log/mail today. Not sure how long this has been happening but I’d venture to guess it has been years… >> >> 2015-08-12T10:45:42.679370-05:00 DCMXRLY1 MailScanner[19393]: Syntax error(s) in configuration file: >> 2015-08-12T10:45:42.679398-05:00 DCMXRLY1 MailScanner[19393]: Unrecognised keyword "spamassassinprefsfile" at line 3129 >> 2015-08-12T10:45:42.679411-05:00 DCMXRLY1 MailScanner[19393]: Warning: syntax errors in /etc/MailScanner/MailScanner.conf. >> >> >> In running a MailScanner –lint I see the following: >> >> Trying to setlogsock(unix) >> >> Reading configuration file /etc/MailScanner/MailScanner.conf >> Reading configuration file /etc/MailScanner/conf.d/README >> Reading configuration file /etc/MailScanner/conf.d/web_bug >> Syntax error(s) in configuration file: at /usr/lib/MailScanner/MailScanner/Config.pm line 2213. >> Unrecognised keyword "spamassassinprefsfile" at line 3129 at /usr/lib/MailScanner/MailScanner/Config.pm line 2216. >> Warning: syntax errors in /etc/MailScanner/MailScanner.conf. at /usr/lib/MailScanner/MailScanner/Config.pm line 2221. >> Read 463 hostnames from the phishing whitelist >> Read 11928 hostnames from the phishing blacklists >> >> Checking version numbers... >> Version number in MailScanner.conf (4.84.6) is correct. >> >> Your envelope_sender_header in spam.assassin.prefs.conf is correct. >> MailScanner setting GID to (51) >> MailScanner setting UID to (51) >> >> Checking for SpamAssassin errors (if you use it)... 
>> Using SpamAssassin results cache >> Connected to SpamAssassin cache database >> SpamAssassin reported no errors. >> I have found clamav scanners installed, and will use them all by default. >> Connected to Processing Attempts Database >> Created Processing Attempts Database successfully >> There are 368 messages in the Processing Attempts Database >> Using locktype = posix >> MailScanner.conf says "Virus Scanners = auto" >> Found these virus scanners installed: clamav >> =========================================================================== >> Filename Checks: Windows/DOS Executable (1 eicar.com ) >> Other Checks: Found 1 problems >> Virus and Content Scanning: Starting >> 1.message: Eicar-Test-Signature-1 FOUND >> >> ./1/eicar.com : Eicar-Test-Signature FOUND >> >> Virus Scanning: ClamAV found 2 infections >> Infected message 1 came from 10.1.1.1 >> Virus Scanning: Found 2 viruses >> =========================================================================== >> Virus Scanner test reports: >> ClamAV said "eicar.com contains Eicar-Test-Signature" >> >> If any of your virus scanners (clamav) >> are not listed there, you should check that they are installed correctly >> and that MailScanner is finding them correctly via its virus.scanners.conf. >> >> >> In looking at /etc/MailScanner/MailScanner.conf I have the following on line 3129: >> >> SpamAssassin Prefs File = /etc/MailScanner/spam.assassin.prefs.conf >> >> >> >> In searching for this error regarding the spam.assassin.prefs.conf file, all I find is old stuff from like 2006-2009. Some results say to just comment out the line and others say to run upgrade_Mail_Scanner_conf. >> >> What’s going on here and how do I fix it? All help is greatly appreciated. 
>> >> Thanks, >> Bryan >> >> >> >> >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Fri Aug 14 21:40:01 2015 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 14 Aug 2015 14:40:01 -0700 Subject: Strange MailScanner --lint error In-Reply-To: <2123413622.3065342.1439585578172.JavaMail.yahoo@mail.yahoo.com> References: <2123413622.3065342.1439585578172.JavaMail.yahoo@mail.yahoo.com> Message-ID: <55CE6031.4010801@msapiro.net> Bryan Laurila wrote: That got rid of the error but can you shed some light into why that line was commented out (assuming by default) and what uncommenting it will do to the functionality of MailScanner? I think the "Spamassassin Prefs File" setting has been disabled for some time. The file is normally /etc/MailScanner/spam.assassin.prefs.conf or whatever is symlinked from mailscanner.cf in the spamassassin config directory. If you set "Spamassassin Prefs File" in MailScanner's config, you get the Unrecognised keyword error because ConfigDefs.pl doesn't recognize it. If you uncomment the #spamassassinprefsfile /etc/MailScanner/spam.assassin.prefs.conf line in ConfigDefs.pl, Mailscanner allows the directive without complaint, but it does nothing with the setting no matter what you set it to. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From blaurila at sbcglobal.net Tue Aug 18 15:51:23 2015 
From: blaurila at sbcglobal.net (Bryan Laurila)
Date: Tue, 18 Aug 2015 15:51:23 +0000 (UTC)
Subject: Spam question
In-Reply-To: 
References: 
Message-ID: <1068033614.3833341.1439913083736.JavaMail.yahoo@mail.yahoo.com>

I haven’t given “current RBLs” much thought in a long time so this discussion sparked my interest especially since we have been seeing an increase in Spam messages getting past MailScanner in recent months.

Below is an excerpt from my MailScanner.conf file showing my “Spam List =” line as well as my “Spam Domain List = “ line (yes, I know it’s blank). Below that is my current spam.lists.conf file which hasn’t been updated in a long time (anyone have an updated version?).

Although this configuration has worked well for me in the past, I’m thinking I could do better.

What are other people using for their configurations for “Spam List =” and “Spam Domain List=”?

Thanks!
Bryan

====================================================================
# This is the list of spam blacklists (RBLs) which you are using.
# See the "Spam List Definitions" file for more information about what
# you can put here.
# This can also be the filename of a ruleset.
#Spam List = # spamhaus-ZEN # You can un-comment this to enable them
Spam List = spamhaus-ZEN spamcop.net SORBS-NEW SORBS-RECENT SORBS-DNSBL

# This is the list of spam domain blacklists which you are using
# (such as the "rfc-ignorant" domains). See the "Spam List Definitions"
# file for more information about what you can put here.
# This can also be the filename of a ruleset.
Spam Domain List =

======================================================================

This is my current spam.lists.conf file which hasn’t been updated in a long time.
=======================================================================================

# This file translates the names of the spam lists and spam domains lists
# into the real DNS domains to search.

# There is a far more comprehensive list of these at
# http://www.declude.com/JunkMail/Support/ip4r.htm
# and you can easily search them all at www.DNSstuff.com.

# If you want to search other DNSBL's you will need to define them here first,
# before referring to them by name in mailscanner.conf (or a rules file).

spamhaus.org                    sbl.spamhaus.org.
spamhaus-XBL                    xbl.spamhaus.org.
spamhaus-PBL                    pbl.spamhaus.org.
spamhaus-ZEN                    zen.spamhaus.org.
SBL+XBL                         sbl-xbl.spamhaus.org.
spamcop.net                     bl.spamcop.net.
NJABL                           dnsbl.njabl.org.

# ORDB has been shut down.
#ORDB-RBL                       relays.ordb.org.

#Infinite-Monkeys               proxies.relays.monkeys.com.
#osirusoft.com                  relays.osirusoft.com.
# These two lists are now dead and must not be used.

# MAPS now charge for their services, so you'll have to buy a contract before
# attempting to use the next 3 lines.

MAPS-RBL                        blackholes.mail-abuse.org.
MAPS-DUL                        dialups.mail-abuse.org.
MAPS-RSS                        relays.mail-abuse.org.

# This next line works for JANET UK Academic sites only

MAPS-RBL+                       rbl-plus.mail-abuse.ja.net.

# And build a similar list for the RBL domains that work on the name
# of the domain rather than the IP address of the exact machine that
# is listed. This way the RBL controllers can blacklist entire
# domains very quickly and easily.
# These aren't used by default, as they slow down MailScanner quite a bit.

RFC-IGNORANT-DSN                dsn.rfc-ignorant.org.
RFC-IGNORANT-POSTMASTER         postmaster.rfc-ignorant.org.
RFC-IGNORANT-ABUSE              abuse.rfc-ignorant.org.
RFC-IGNORANT-WHOIS              whois.rfc-ignorant.org.
RFC-IGNORANT-IPWHOIS            ipwhois.rfc-ignorant.org.
RFC-IGNORANT-BOGUSMX            bogusmx.rfc-ignorant.org.

# Easynet are closing down, so don't use these any more
Easynet-DNSBL                   blackholes.easynet.nl.
Easynet-Proxies                 proxies.blackholes.easynet.nl.
Easynet-Dynablock               dynablock.easynet.nl.

# This list is now dead and must not be used.
#OSIRUSOFT-SPEWS                spews.relays.osirusoft.com.

# These folks are still going strong
SORBS-DNSBL                     dnsbl.sorbs.net.
SORBS-HTTP                      http.dnsbl.sorbs.net.
SORBS-SOCKS                     socks.dnsbl.sorbs.net.
SORBS-MISC                      misc.dnsbl.sorbs.net.
SORBS-SMTP                      smtp.dnsbl.sorbs.net.
SORBS-WEB                       web.dnsbl.sorbs.net.
SORBS-SPAM                      spam.dnsbl.sorbs.net.
SORBS-BLOCK                     block.dnsbl.sorbs.net.
SORBS-ZOMBIE                    zombie.dnsbl.sorbs.net.
SORBS-DUL                       dul.dnsbl.sorbs.net.
SORBS-RHSBL                     rhsbl.sorbs.net.
## Added by BSL on 20131125 from www.sorbs.net/genera/using.shtml
SORBS-NEW                       new.spam.dnsbl.sorbs.net.
SORBS-RECENT                    recent.spam.dnsbl.sorbs.net.

# These next 2 are "Spam Domain List" entries and not "Spam List"s
SORBS-BADCONF                   badconf.rhsbl.sorbs.net.
SORBS-NOMAIL                    nomail.rhsbl.sorbs.net.

# Some other good lists

CBL                             cbl.abuseat.org.
# JKF 30 Oct 2008 Gone: DSBL    list.dsbl.org.
=================================================================

From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: Thursday, August 06, 2015 1:04 PM
To: MailScanner Discussion
Subject: Re: Spam question

reject_rbl_client b.barracudacentral.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client rbl.megarbl.net,
reject_rbl_client dnsbl.inps.de,
reject_rbl_client bl.spamcop.net,
reject_rbl_client cbl.abuseat.org,

-
Jerry Benton
www.mailborder.com

On Aug 6, 2015, at 1:55 PM, Tiago Meireles wrote:

Any RBLs that you recommend?

From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: Thursday, August 06, 2015 1:50 PM
To: MailScanner Discussion
Subject: Re: Spam question

- Use RBLs at the MTA level
- Use greylisting

-
Jerry Benton
www.mailborder.com

On Aug 6, 2015, at 1:49 PM, Sean M. Schipper wrote:

Since last November I’ve been getting inundated with spam (yesterday just under 7,000 just in the am) from coming from 3 or 4 IP addresses on the same subnet in the morning starting like clockwork just after 9am. Then sometimes I’ll get a similar rush of spam in the afternoon coming from a separate IP range. Countries of origin include US and Bulgaria mostly but also have come from Brasil, Romania and S. Africa.

I’ve been able to train MailScanner to correctly identify these as spam since the content is very similar -- tons of links to websites with .php extensions. Examples of subject lines: Situations for 2015 that forgive your Student-Loan, 12 month MBA programs, accelerated...

To cut down on the processing/traffic on my server I’ve been just blacklisting these IP subnets at smtp with a deny bounce message. Does anyone have any other suggestions on actions I can take to rid myself of this annoying daily routine? Does anyone else have similar battle stories like this?

Thanks for any suggestions on this.

Sean

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner

Confidentiality Notice:

This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. As required by federal and state laws, you need to hold this information as privileged and confidential.

This message may contain Protected Health Information (PHI). PHI is personal and sensitive information related to a person's health care. It is being emailed to you after appropriate authorization from the patient or under circumstances that do not require patient authorization. You, the recipient, are obligated to maintain it in a safe, secure and confidential manner. Re-disclosure without additional patient consent or as permitted by law is prohibited. Unauthorized re-disclosure or failure to maintain confidentiality could subject you to penalties described in federal and state law.

If you are not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any disclosure, copying or distribution of this information is Strictly Prohibited. If you have received this communication in error, please notify the sender and destroy all copies of this communication and any attachments.

Dickinson County Healthcare System, 1721 S. Stephenson Ave. Iron Mountain, MI 49801, www.dchs.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
From dave at jonesol.com Tue Aug 18 16:46:38 2015
From: dave at jonesol.com (Dave Jones)
Date: Tue, 18 Aug 2015 11:46:38 -0500
Subject: Spam question
In-Reply-To: <1068033614.3833341.1439913083736.JavaMail.yahoo@mail.yahoo.com>
References: <1068033614.3833341.1439913083736.JavaMail.yahoo@mail.yahoo.com>
Message-ID: 

Jerry is correct. Block at the MTA and use greylisting to help with compromised accounts from normally trustworthy senders and other zero-hour senders that aren't listed on RBLs yet.

If your MTA is Postfix definitely look into using Postscreen. It allows you to use normally unreliable RBLs in a weighted fashion so they can provide some usefulness in combination with other reliable RBLs. It also has some other tricks that help block spambots.

http://www.postfix.org/POSTSCREEN_README.html

/etc/postfix/main.cf

postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_ttl = 10m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[10;11]*8
    zen.spamhaus.org=127.0.0.[4..7]*6
    zen.spamhaus.org=127.0.0.3*4
    zen.spamhaus.org=127.0.0.2*3
    b.barracudacentral.org=127.0.0.2*7
    bl.spamcop.net=127.0.0.2*4
    dnsbl-1.uceprotect.net=127.0.0.2*3
    bl.mailspike.net=127.0.0.2*5
    bl.mailspike.net=127.0.0.[10;11;12]*4
    dnsbl.sorbs.net=127.0.0.10*7
    dnsbl.sorbs.net=127.0.0.5*6
    dnsbl.sorbs.net=127.0.0.7*3
    dnsbl.sorbs.net=127.0.0.8*2
    dnsbl.sorbs.net=127.0.0.6*2
    dnsbl.sorbs.net=127.0.0.9*2
    hostkarma.junkemailfilter.com=127.0.0.2*3
    hostkarma.junkemailfilter.com=127.0.0.4*1
    hostkarma.junkemailfilter.com=127.0.1.2*1
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-2

You can also look at other Postfix settings to block at the MTA level for invalid DNS and SMTP HELO values.

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unknown_reverse_client_hostname,
    reject_unlisted_sender,
    reject_unlisted_recipient,
    # SQLgrey on 127.0.0.1:2501
    check_policy_service inet:127.0.0.1:2501,
    reject_unverified_recipient,
    permit

Above you see the SQLgrey that I also recommend highly. I started in discrimination mode to ease into it which was not painful at all for my users.

On Tue, Aug 18, 2015 at 10:51 AM, Bryan Laurila wrote: > I haven’t given “current RBLs” much thought in a long time so this > discussion sparked my interest especially since we have been seeing an > increase in Spam messages getting past MailScanner in recent months. > > Below is an excerpt from my MailScanner.conf file showing my “Spam List =” > line as well as my “Spam Domain List = “ line (yes, I know it’s blank). > Below that is my current spam.lists.conf file which hasn’t been updated in a > long time (anyone have an updated version?). > > Although this configuration has worked well for me in the past, I’m thinking > I could do better. > > What are other people are using for their configurations for “Spam List =” > and “Spam Domain List=”? > > Thanks! > Bryan > > > ==================================================================== > # This is the list of spam blacklists (RBLs) which you are using. > # See the "Spam List Definitions" file for more information about what > # you can put here. > # This can also be the filename of a ruleset. > #Spam List = # spamhaus-ZEN # You can un-comment this to enable them > Spam List = spamhaus-ZEN spamcop.net SORBS-NEW SORBS-RECENT SORBS-DNSBL > > # This is the list of spam domain blacklists which you are using > # (such as the "rfc-ignorant" domains). 
See the "Spam List Definitions" > # file for more information about what you can put here. > # This can also be the filename of a ruleset. > Spam Domain List = > > ====================================================================== > > This is my current spam.lists.conf file which hasn’t been updated in a long > time. > ======================================================================================= > > > # This file translates the names of the spam lists and spam domains lists > # into the real DNS domains to search. > > # There is a far more comprehensive list of these at > # http://www.declude.com/JunkMail/Support/ip4r.htm > # and you can easily search them all at www.DNSstuff.com. > > # If you want to search other DNSBL's you will need to define them here > first, > # before referring to them by name in mailscanner.conf (or a rules file). > > spamhaus.org sbl.spamhaus.org. > spamhaus-XBL xbl.spamhaus.org. > spamhaus-PBL pbl.spamhaus.org. > spamhaus-ZEN zen.spamhaus.org. > SBL+XBL sbl-xbl.spamhaus.org. > spamcop.net bl.spamcop.net. > NJABL dnsbl.njabl.org. > > # ORDB has been shut down. > #ORDB-RBL relays.ordb.org. > > #Infinite-Monkeys proxies.relays.monkeys.com. > #osirusoft.com relays.osirusoft.com. > # These two lists are now dead and must not be used. > > # MAPS now charge for their services, so you'll have to buy a contract > before > # attempting to use the next 3 lines. > > MAPS-RBL blackholes.mail-abuse.org. > MAPS-DUL dialups.mail-abuse.org. > MAPS-RSS relays.mail-abuse.org. > > # This next line works for JANET UK Academic sites only > > MAPS-RBL+ rbl-plus.mail-abuse.ja.net. > > # And build a similar list for the RBL domains that work on the name > # of the domain rather than the IP address of the exact machine that > # is listed. This way the RBL controllers can blacklist entire > # domains very quickly and easily. > # These aren't used by default, as they slow down MailScanner quite a bit. > > RFC-IGNORANT-DSN dsn.rfc-ignorant.org. 
> RFC-IGNORANT-POSTMASTER postmaster.rfc-ignorant.org. > RFC-IGNORANT-ABUSE abuse.rfc-ignorant.org. > RFC-IGNORANT-WHOIS whois.rfc-ignorant.org. > RFC-IGNORANT-IPWHOIS ipwhois.rfc-ignorant.org. > RFC-IGNORANT-BOGUSMX bogusmx.rfc-ignorant.org. > > # Easynet are closing down, so don't use these any more > Easynet-DNSBL blackholes.easynet.nl. > Easynet-Proxies proxies.blackholes.easynet.nl. > Easynet-Dynablock dynablock.easynet.nl. > > # This list is now dead and must not be used. > #OSIRUSOFT-SPEWS spews.relays.osirusoft.com. > > # These folks are still going strong > SORBS-DNSBL dnsbl.sorbs.net. > SORBS-HTTP http.dnsbl.sorbs.net. > SORBS-SOCKS socks.dnsbl.sorbs.net. > SORBS-MISC misc.dnsbl.sorbs.net. > SORBS-SMTP smtp.dnsbl.sorbs.net. > SORBS-WEB web.dnsbl.sorbs.net. > SORBS-SPAM spam.dnsbl.sorbs.net. > SORBS-BLOCK block.dnsbl.sorbs.net. > SORBS-ZOMBIE zombie.dnsbl.sorbs.net. > SORBS-DUL dul.dnsbl.sorbs.net. > SORBS-RHSBL rhsbl.sorbs.net. > ## Added by BSL on 20131125 from www.sorbs.net/genera/using.shtml > SORBS-NEW new.spam.dnsbl.sorbs.net. > SORBS-RECENT recent.spam.dnsbl.sorbs.net. > > # These next 2 are "Spam Domain List" entries and not "Spam List"s > SORBS-BADCONF badconf.rhsbl.sorbs.net. > SORBS-NOMAIL nomail.rhsbl.sorbs.net. > > # Some other good lists > > CBL cbl.abuseat.org. > # JKF 30 Oct 2008 Gone: DSBL list.dsbl.org. > ================================================================= 
> > > From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On > Behalf Of Jerry Benton > Sent: Thursday, August 06, 2015 1:04 PM > To: MailScanner Discussion > Subject: Re: Spam question > > reject_rbl_client b.barracudacentral.org, > reject_rbl_client zen.spamhaus.org, > reject_rbl_client ix.dnsbl.manitu.net, > reject_rbl_client rbl.megarbl.net, > reject_rbl_client dnsbl.inps.de, > reject_rbl_client bl.spamcop.net, > reject_rbl_client cbl.abuseat.org, > > - > Jerry Benton > www.mailborder.com > > > > On Aug 6, 2015, at 1:55 PM, Tiago Meireles wrote: > > Any RBLs that you recommend? 
> > From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On > Behalf Of Jerry Benton > Sent: Thursday, August 06, 2015 1:50 PM > To: MailScanner Discussion > Subject: Re: Spam question > > - Use RBLs at the MTA level > - Use greylisting > > - > Jerry Benton > www.mailborder.com > > > > On Aug 6, 2015, at 1:49 PM, Sean M. Schipper > wrote: > > Since last November I’ve been getting inundated with spam (yesterday just > under 7,000 just in the am) from coming from 3 or 4 IP addresses on the same > subnet in the morning starting like clockwork just after 9am. Then > sometimes I’ll get a similar rush of spam in the afternoon coming from a > separate IP range. Countries of origin include US and Bulgaria mostly but > also have come from Brasil, Romania and S. Africa. > > I’ve been able to train MailScanner to correctly identify these as spam > since the content is very similar -- tons of links to websites with .php > extensions. Examples of subject lines: Situations for 2015 that forgive > your Student-Loan, 12 month MBA programs, accelerated... > > To cut down on the processing/traffic on my server I’ve been just > blacklisting these IP subnets at smtp with a deny bounce message. Does > anyone have any other suggestions on actions I can take to rid myself of > this annoying daily routine? Does anyone else have similar battle stories > like this? > > Thanks for any suggestions on this. > > Sean > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > From alex at short.net Tue Aug 18 21:01:40 2015 
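Added example, not part of Dave Jones's message or of Postfix itself: a Python sketch of how the weighted postscreen_dnsbl_sites entries in his main.cf add up against postscreen_dnsbl_threshold = 8. It assumes each entry contributes its weight once when any reply from that DNSBL matches its filter; the function names are hypothetical and the DNSBL replies in SAMPLE_CLIENTS are constructed.

```python
import re

# postscreen_dnsbl_sites and postscreen_dnsbl_threshold as posted in the message.
DNSBL_SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3
b.barracudacentral.org=127.0.0.2*7 bl.spamcop.net=127.0.0.2*4
dnsbl-1.uceprotect.net=127.0.0.2*3 bl.mailspike.net=127.0.0.2*5
bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*7
dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3
dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2
dnsbl.sorbs.net=127.0.0.9*2 hostkarma.junkemailfilter.com=127.0.0.2*3
hostkarma.junkemailfilter.com=127.0.0.4*1
hostkarma.junkemailfilter.com=127.0.1.2*1
wl.mailspike.net=127.0.0.[18;19;20]*-2
hostkarma.junkemailfilter.com=127.0.0.1*-2
""".split()
THRESHOLD = 8

# One filter octet is either a number or a bracketed list such as [10;11] or [4..7].
_OCTET = r"(\d+|\[[^\]]+\])"
_FILTER_RE = re.compile(r"\.".join([_OCTET] * 4))


def _octet_values(spec):
    """Expand one filter octet ('2', '[10;11]', '[4..7]') into a set of ints."""
    if not spec.startswith("["):
        return {int(spec)}
    values = set()
    for part in spec[1:-1].split(";"):
        low, is_range, high = part.partition("..")
        values.update(range(int(low), int(high if is_range else low) + 1))
    return values


def parse_site(entry):
    """Split 'domain[=filter][*weight]' into (domain, octet sets or None, weight)."""
    site, has_weight, weight = entry.partition("*")
    domain, has_filter, reply_filter = site.partition("=")
    octets = None
    if has_filter:
        match = _FILTER_RE.fullmatch(reply_filter)
        if match is None:
            raise ValueError(f"bad reply filter in {entry!r}")
        octets = [_octet_values(group) for group in match.groups()]
    return domain, octets, int(weight) if has_weight else 1


def _reply_matches(octets, address):
    parts = [int(p) for p in address.split(".")]
    return len(parts) == 4 and all(p in ok for p, ok in zip(parts, octets))


def dnsbl_score(sites, replies):
    """Sum the weights of every entry whose filter matches a reply.

    replies maps a DNSBL domain to the A records it returned for the client;
    a domain with no reply (client not listed) is simply absent.
    """
    total, hits = 0, []
    for entry in sites:
        domain, octets, weight = parse_site(entry)
        answers = replies.get(domain, [])
        if not answers:
            continue
        # No filter means any non-error reply counts.
        if octets is None or any(_reply_matches(octets, a) for a in answers):
            total += weight
            hits.append(entry)
    return total, hits


def over_threshold(sites, replies, threshold=THRESHOLD):
    """True when the client reaches the threshold and the dnsbl action applies."""
    return dnsbl_score(sites, replies)[0] >= threshold


# Constructed DNSBL replies for four imaginary clients.
SAMPLE_CLIENTS = {
    "zen .4 only": {"zen.spamhaus.org": ["127.0.0.4"]},
    "zen .4 plus spamcop": {"zen.spamhaus.org": ["127.0.0.4"],
                            "bl.spamcop.net": ["127.0.0.2"]},
    "zen .10": {"zen.spamhaus.org": ["127.0.0.10"]},
    "barracuda, whitelisted by mailspike": {
        "b.barracudacentral.org": ["127.0.0.2"],
        "wl.mailspike.net": ["127.0.0.19"]},
}

if __name__ == "__main__":
    for name, replies in SAMPLE_CLIENTS.items():
        score, hits = dnsbl_score(DNSBL_SITES, replies)
        print(f"{name}: score {score}, over threshold: {score >= THRESHOLD}")
        for entry in hits:
            print(f"    matched {entry}")
```

A single mid-weight listing stays under the threshold, two independent listings or one high-weight listing reach it, and the negative-weight whitelist entries pull a client back below it.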
From: alex at short.net (Alex Short)
Date: Tue, 18 Aug 2015 21:01:40 +0000
Subject: SA auto-learn settings not working
Message-ID:

Main problem is that according to mailwatch, only things that are like >44 or something are getting 'learned' as spam. I'd like to drop the score required to something like >10 and learn it as spam.

Now I'm manually using mailwatch to give me results from 10-20 and tagging them as spam which has proven quite effective (if not annoying!).

The way I know it's not learning is using mailwatch it says 'SpamAssassin Autolearn': N

I've tried putting this stuff in local.cf, and mailscanner.cf -- doesn't appear to make a difference. I know that it isn't learning because when I tell it to learn something that scored 15, it accepts it and learns it (vs saying 0)

local.cf:bayes_auto_learn 1
local.cf:bayes_auto_learn_threshold_nonspam -5.0
local.cf:bayes_auto_learn_threshold_spam 11.0

From kevin.miller at juneau.org Wed Aug 19 18:04:46 2015
From: kevin.miller at juneau.org (Kevin Miller)
Date: Wed, 19 Aug 2015 18:04:46 +0000
Subject: OT: Quick postfix question
Message-ID: <14b563ac7e72411fa9e32703466d86eb@City-Exch-DB2.cbj.local>

I'm new to postfix, (making the transition from sendmail), and have a quick question.

In my main.cf, can I have multiple check_client_access lines? Currently I have this one:

check_client_access hash:/etc/postfix/rbl_override_whitelist

where I was whitelisting certain domains. Then I realized I could also put in lines with REJECT rather than OK. It's largely cosmetic I suppose, as both REJECT and OK seem to work in the same file, but I'd rather have a whitelist and a blacklist file similar to what we have in MailScanner, only at the MTA level.

Any issues doing that?

TIA...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From tclark at clarktechnical.com Fri Aug 21 19:56:17 2015
From: tclark at clarktechnical.com (Tony Clark)
Date: Fri, 21 Aug 2015 15:56:17 -0400
Subject: Whitelist not working
Message-ID: <55D78261.3000507@clarktechnical.com>

I cannot get any whitelist entries to work in MailScanner. I am updating the whitelist in MailWatch, but I am not seeing it get updated in spam.whitelist.rules

I've tried manually updating spam.whitelist.rules, but every time I send a test SPAM, it gets blocked as spam.

Here are my file contents:

--- spam.whitelist.rules:

# If you are basing a blacklist on this then you can refer to
# a null (empty) sender address with "/^$/" as the address to match.
#
# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
#From: 152.78. yes
#From: 130.246. yes
#From: host:soton.ac.uk yes # Note this is slower than using the IP
FromOrTo: default no
From: *@*.mydomain.com yes

--- MailScanner.conf:

# Main configuration file for the MailScanner E-Mail Virus Scanner
#
# It's good practice to check through configuration files to make sure
# they fit with your system and your needs, whatever you expect them to
# contain.
#
# Note: If your directories are symlinked (soft-linked) in any way,
#       please put their *real* location in here, not a path that
#       includes any links. You may get some very strange error
#       messages from some of the virus scanners if you don't.
#
# Note for Version 4.00 and above:
#       A lot of the settings can take a ruleset as well as just simple
#       values. These rulesets are files containing rules which are applied
#       to the current message to calculate the value of the configuration
#       option. The rules are checked in the order they appear in the ruleset.
#
# Note for Version 4.03 and above:
#       As well as rulesets, you can now include your own functions in
#       here. Look at the directory containing Config.pm and you will find
#       CustomConfig.pm. In here, you can add your own "value" function and
#       an Initvalue function to set up any global state you need such as
#       database connections. Then for a setting below, you can put:
#               Configuration Option = &ValueFunction
#       where "ValueFunction" is the name of the function you have
#       written in CustomConfig.pm.
#
# Note for Version 4.54 and above:
#       Numbers can be scaled by 1 thousand, 1 million or 1 billion by
#       putting a "k", "m" or "g" immediately after the number. You must
#       *not* put any spaces between the number and the k, m or g.
#
# Note for Version 4.77 and above:
#       If you are going to use "host:" in rulesets, it is imperative that
#       you have a local caching name-server (DNS server). Or else using
#       "host:" in rulesets will really slow you down.
#
# Note for Version 4.78 and above:
#       This file now supports nested "include" statements.
#       The syntax is
#       include filename-wildcard-here
#       where filename-wildcard-here is replaced with the full path of one
#       or more other MailScanner.conf files to be read. You can use the
#       normal shell wildcard characters such as "*".
#       For each setting, the last value read will be used by MailScanner.
#       At the end of this file, there is an "include" that will pull in
#       all the files in /etc/MailScanner/conf.d so you can just add
#       your own local changes in there, and not need to modify this file.
#
#
# Definition of variables which are substituted into definitions below.
#
# You can add any %variables% that you want to use in addition to the
# ones provided.
#
# You can also use any shell environment variables here such as $HOSTNAME
# or ${HOSTNAME} in configuration settings and rulesets. See the
# definition of "Hostname" for an example.
#
# Enter a short identifying name for your organisation below, this is
# used to make the X-MailScanner headers unique for your organisation.
# Multiple servers within one site should use an identical value here
# to avoid adding multiple redundant headers where mail has passed
# through several servers within your organisation.
#
# Note: Some Symantec scanners complain (incorrectly) about "."
# ***** characters appearing in the names of headers.
#       Some other mail servers complain about "_" characters
#       appearing in the names of headers as well.
#       So don't put "." or "_" in this setting.
#
# **** RULE: It must not contain any spaces! ****
%org-name% = MyOrganization

# Enter the full name of your organisation below, this is used in the
# signature placed at the bottom of report messages sent by MailScanner.
# It can include pretty much any text you like. You can make the result
# span several lines by including "\n" sequences in the text. These will
# be replaced by line-breaks.
%org-long-name% = My Organization

# Enter the location of your organisation's web site below.
# This is used
# in the signature placed at the bottom of report messages sent by
# MailScanner. It should preferably be the location of a page that you
# have written explaining why you might have rejected the mail and what
# the recipient and/or sender should do about it.
%web-site% = www.mydomain.com

# Configuration directory containing this file
%etc-dir% = /etc/MailScanner

# Set the directory containing all the reports in the required language
%report-dir% = /etc/MailScanner/reports/en

# Rulesets directory containing your ".rules" files
%rules-dir% = /etc/MailScanner/rules

# Configuration directory containing files related to MCP
# (Message Content Protection)
%mcp-dir% = /etc/MailScanner/mcp

# One other that is set automatically for you is %version% which is,
# unsurprisingly, the string of the MailScanner version. It does not
# contain the build number (the "-1" on the end), but does include the rest.

#
# System settings
# ---------------
#

# How many MailScanner processes do you want to run at a time?
# There is no point increasing this figure if your MailScanner server
# is happily keeping up with your mail traffic.
# If you are running on a server with more than 1 CPU, or you have a
# high mail load (and/or slow DNS lookups) then you should see better
# performance if you increase this figure.
# If you are running on a small system with limited RAM, you should
# note that each child takes just over 20MB.
#
# As a rough guide, try 5 children per CPU. But read the notes above.
Max Children = 5

# User to run as (not normally used for sendmail)
# If you want to change the ownership or permissions of the quarantine or
# temporary files created by MailScanner, please see the "Incoming Work"
# settings later in this file.
#Run As User = mail
#Run As User = postfix
Run As User = postfix

# Group to run as (not normally used for sendmail)
#Run As Group = mail
#Run As Group = postfix
Run As Group = postfix

# How often (in seconds) should each process check the incoming mail
# queue for new messages? If you have a quiet mail server, you might
# want to increase this value so it causes less load on your server, at
# the cost of slightly increasing the time taken for an average message
# to be processed.
Queue Scan Interval = 6

# Set location of incoming mail queue
#
# This can be any one of
# 1. A directory name
#    Example: /var/spool/mqueue.in
# 2. A wildcard giving directory names
#    Example: /var/spool/mqueue.in/*
# 3. The name of a file containing a list of directory names,
#    which can in turn contain wildcards.
#    Example: /etc/MailScanner/mqueue.in.list.conf
#
# If you are using sendmail and have your queues split into qf, df, xf
# directories, then just specify the main directory, do not give me the
# directory names of the qf,df,xf directories.
# Example: if you have /var/spool/mqueue.in/qf
#                      /var/spool/mqueue.in/df
#                      /var/spool/mqueue.in/xf
# then just tell me /var/spool/mqueue.in. I will find the subdirectories
# automatically.
#
Incoming Queue Dir = /var/spool/postfix/hold

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/postfix/incoming

# Set where to unpack incoming messages before scanning them
# This can completely safely use tmpfs or a ramdisk, which will
# give you a significant performance improvement.
# NOTE: The path given here must not include any links at all,
# NOTE: but must be the absolute path to the directory.
# NOTE: If you change this, you should change these too:
# NOTE: SpamAssassin Temporary Dir
# NOTE: SpamAssassin Cache Database File
Incoming Work Dir = /var/spool/MailScanner/incoming

# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine

# Set where to store the process id number so you can stop MailScanner
PID file = /var/run/MailScanner.pid

# To avoid resource leaks, re-start periodically. Forces a re-read of all
# the configuration files too, so new updates to the bad phishing sites list
# are read frequently.
Restart Every = 7200

# Set whether to use postfix, sendmail, exim or zmailer.
# If you are using postfix, then see the "SpamAssassin User State Dir"
# setting near the end of this file
MTA = postfix

# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/sbin/sendmail

# Sendmail2 is provided for Exim users.
# It is the command used to attempt delivery of outgoing cleaned/disinfected
# messages.
# This is not usually required for sendmail.
# This can also be the filename of a ruleset.
#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
#For sendmail users: Sendmail2 = /usr/sbin/sendmail
#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
Sendmail2 = /usr/sbin/sendmail

#
# Incoming Work Dir Settings
# --------------------------
#
# You should not normally need to touch these settings at all,
# unless you are using ClamAV and need to be able to use the
# external archive unpackers instead of ClamAV's built-in ones.

# If you want to create the temporary working files so they are owned
# by a user other than the "Run As User" setting at the top of this file,
# you can change that here.
#
# Note: If the "Run As User" is not "root" you cannot change the
#       user but may still be able to change the group, if the
#       "Run As User" is a member of both of the groups "Run As Group"
#       and "Incoming Work Group"
# Note: If the "Run As User" is "root" (or not set at all) and you are
#       using the "clamd" virus scanner AND clamd is not running as root,
#       then this must be set to the group clamd is using (from your
#       clamd.conf), example:
#       Incoming Work Group = clamav
#       Incoming Work Permissions = 0640
Incoming Work User =
Incoming Work Group = postfix

# If you want processes running under the same *group* as MailScanner to
# be able to read the working files (and list what is in the
# directories, of course), set to 0640. If you want *all* other users to
# be able to read them, set to 0644. For a detailed description, if
# you're not already familiar with it, refer to `man 2 chmod`.
# Typical use: external helper programs of virus scanners (notably ClamAV),
# like unpackers.
# Use with care, you may well open security holes.
#
# Note: If the "Run As User" is "root" (or not set at all) and you are
#       using the "clamd" virus scanner, then this must be set:
#       Incoming Work Group = clamav
#       Incoming Work Permissions = 0640
Incoming Work Permissions = 0640

#
# Quarantine and Archive Settings
# -------------------------------
#
# If, for example, you are using a web interface so that users can manage
# their quarantined files, you might want to change the ownership and
# permissions of the quarantined so that they can be read and/or deleted
# by the web server.
# Don't touch this unless you know what you are doing!

# If you want to create the quarantine/archive so the files are owned
# by a user other than the "Run As User" setting at the top of this file,
# you can change that here.
# Note: If the "Run As User" is not "root" then you cannot change the
#       user but may still be able to change the group, if the
#       "Run As User" is a member of both of the groups "Run As Group"
#       and "Quarantine Group".
Quarantine User = root
Quarantine Group = apache

# If you want processes running under the same *group* as MailScanner to
# be able to read the quarantined files (and list what is in the
# directories, of course), set to 0640. If you want *all* other users to
# be able to read them, set to 0644. For a detailed description, if
# you're not already familiar with it, refer to `man 2 chmod`.
# Typical use: let the webserver have access to the files so users can
# download them if they really want to.
# Use with care, you may well open security holes.
Quarantine Permissions = 0660

#
# Processing Incoming Mail
# ------------------------
#

# In every batch of virus-scanning, limit the maximum
# a) number of unscanned messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of unscanned messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30

# If more messages are found in the queue than this, then switch to an
# "accelerated" mode of processing messages. This will cause it to stop
# scanning messages in strict date order, but in the order it finds them
# in the queue. If your queue is bigger than this size a lot of the time,
# then some messages could be greatly delayed. So treat this option as
# "in emergency only".
Max Normal Queue Size = 800

# If this is set to "yes", then email messages passing through MailScanner
# will be processed and checked, and all the other options in this file
# will be used to control what checks are made on the message.
#
# If this is set to "no", then email messages will NOT be processed or
# checked *at all*, and so any viruses or other problems will be ignored.
#
# If this is set to "virus", then email messages will only be scanned for
# viruses and *nothing* else.
#
# The purpose of this option is to set it to be a ruleset, so that you
# can skip all scanning of mail destined for some of your users/customers
# and still scan all the rest.
# A sample ruleset would look like this:
#   To: bad.customer.com no
#   From: ignore.domain.com no
#   From: my.domain.com virus
#   FromOrTo: default yes
# That will scan all mail except mail to bad.customer.com and mail from
# ignore.domain.com. To set this up, put the 3 lines above into a file
# called /etc/MailScanner/rules/scan.messages.rules and set the next line to
# Scan Messages = %rules-dir%/scan.messages.rules
# This can also be the filename of a ruleset (as illustrated above).
Scan Messages = yes

# You may not want to receive mail from certain addresses and/or to certain
# addresses. If so, you can do this with your email transport (sendmail,
# Postfix, etc) but that will just send a one-line message which is not
# helpful to the user sending the message.
# If this is set to yes, then the message set by the "Rejection Report"
# will be sent instead, and the incoming message will be deleted.
# If you want to store a copy of the original incoming message then use the
# "Archive Mail" setting to archive a copy of it.
# The purpose of this option is to set it to be a ruleset, so that you
# can reject messages from a few offending addresses where you need to send
# a polite reply instead of just a brief 1-line rejection message.
Reject Message = no

# Limit the number of attempts made at processing any particular message.
# If you get a message which repeatedly crashes MailScanner, it will
# limit the impact by ignoring the message and refusing to process it,
# after more than the given number of attempts have been made at it.
# Note that enabling this feature causes a slight performance hit.
# Set this to 0 to disable the limit and the entire Processing Attempts
# Database and its requirement for SQLite.
# This cannot be a ruleset, only a simple value.
Maximum Processing Attempts = 6

# This is the location of the database file used to track the number of
# times any message has been attempted.
# To clear out the database, just delete the file, MailScanner will re-
# create it automatically when it starts.
Processing Attempts Database = /var/spool/MailScanner/incoming/Processing.db

# The maximum number of attachments allowed in a message before it is
# considered to be an error. Some email systems, if bouncing a message
# between 2 addresses repeatedly, add information about each bounce as
# an attachment, creating a message with thousands of attachments in just
# a few minutes. This can slow down or even stop MailScanner as it uses
# all available memory to unpack these thousands of attachments.
# This can also be the filename of a ruleset.
Maximum Attachments Per Message = 200

# Expand TNEF attachments using an external program (or a Perl module)?
# This should be "yes" unless the scanner you are using (Sophos, McAfee) has
# the facility built-in. However, if you set it to "no", then the filenames
# within the TNEF attachment will not be checked against the filename rules.
Expand TNEF = yes

# When the TNEF (winmail.dat) attachments are expanded, should the
# attachments contained in there be added to the list of attachments in
# the message?
# If you set this to "add" or "replace" then recipients of messages sent
# in "Outlook Rich Text Format" (TNEF) will be able to read the attachments
# if they are not using Microsoft Outlook.
#
# no      => Leave winmail.dat TNEF attachments alone.
# add     => Add the contents of winmail.dat as extra attachments, but also
#            still include the winmail.dat file itself. This will result in
#            TNEF messages being doubled in size.
# replace => Replace the winmail.dat TNEF attachment with the files it
#            contains, and delete the original winmail.dat file itself.
#            This means the message stays the same size, but is usable by
#            non-Outlook recipients.
#
# This can also be the filename of a ruleset.
Use TNEF Contents = replace

# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
# This can also be the filename of a ruleset.
Deliver Unparsable TNEF = no

# Where the MS-TNEF expander is installed.
# This is EITHER the full command (including maxsize option) that runs
# the external TNEF expander binary,
# OR the keyword "internal" which will make MailScanner use the Perl
# module that does the same job.
# They are both provided as I am unsure which one is faster and which
# one is capable of expanding more file formats (there are plenty!).
#
# The --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
# This can also be the filename of a ruleset.
#TNEF Expander = internal
TNEF Expander = /usr/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 120

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = /usr/bin/file

# The maximum length of time the "file" command is allowed to run for 1
# batch of messages (in seconds).
File Timeout = 20

# Where the "gunzip" command is installed.
# This is used for expanding .gz files.
# To disable gzipped file checking, set this value to blank
# and the timeout to 0.
Gunzip Command = /bin/gunzip

# The maximum length of time the "gunzip" command is allowed to run to expand
# 1 attachment file (in seconds).
Gunzip Timeout = 50

# Where the "unrar" command is installed.
# If you haven't got this command, look at www.rarlab.com.
#
# This is used for unpacking rar archives so that the contents can be
# checked for banned filenames and filetypes, and also that the
# archive can be tested to see if it is password-protected.
# Virus scanning the contents of rar archives is still left to the virus
# scanner, with one exception:
# If using the clamavmodule virus scanner, this adds external RAR checking
# to that scanner which is needed for archives which are RAR version 3.
Unrar Command = /usr/bin/unrar

# The maximum length of time the "unrar" command is allowed to run for 1
# RAR archive (in seconds)
Unrar Timeout = 50

# A few viruses store their infected data in UU-encoded files, to try to
# catch out virus scanners. This rarely succeeds at all.
# Setting this option to yes means that you can apply filename and filetype
# checks to the contents of UU-encoded files. This may occasionally be
# useful, in which case you should set to yes.
# This can also be the filename of a ruleset.
Find UU-Encoded Files = no

# The maximum size, in bytes, of any message including the headers.
# If this is set to zero, then no size checking is done.
# This can also be the filename of a ruleset, so you can have different
# settings for different users. You might want to set this quite small for
# dialup users so their email applications don't time out downloading huge
# messages.
Maximum Message Size = %rules-dir%/max.message.size.rules

# The maximum size, in bytes, of any attachment in a message.
# If this is set to zero, effectively no attachments are allowed.
# If this is set less than zero, then no size checking is done.
# This can also be the filename of a ruleset, so you can have different
# settings for different users. You might want to set this quite small for
# large mailing lists so they don't get deluged by large attachments.
# This can also be the filename of a ruleset.
Maximum Attachment Size = -1

# The minimum size, in bytes, of any attachment in a message.
# If this is set less than or equal to zero, then no size checking is done.
# It is very useful to set this to 1 as it removes any zero-length
# attachments which may be created by broken viruses.
# This can also be the filename of a ruleset.
Minimum Attachment Size = -1

# The maximum depth to which zip archives, rar archives and Microsoft Office
# documents will be unpacked, to allow for checking filenames and filetypes
# within zip and rar archives and embedded within Office documents.
#
# Note: This setting does *not* affect virus scanning in archives at all.
#
# To disable this feature set this to 0.
# A common useful setting is this option = 0, and Allow Password-Protected
# Archives = no. That blocks password-protected archives but does not do
# any filename/filetype checks on the files within the archive.
# This can also be the filename of a ruleset.
Maximum Archive Depth = 8

# Find zip archives by filename or by file contents?
# Finding them by content is a far more reliable way of finding them, but
# it does mean that you cannot tell your users to avoid zip file checking
# by renaming the file from ".zip" to "_zip" and tricks like that.
# Only set this to no (i.e. check by filename only) if you don't want to
# reliably check the contents of zip files. Note this does not affect
# virus checking, but it will affect all the other checks done on the contents
# of the zip file.
# This can also be the filename of a ruleset.
Find Archives By Content = yes

# Do you want to unpack Microsoft "OLE" documents, such as *.doc, *.xls
# and *.ppt documents? This will extract any files which have been hidden
# by being embedded in these documents.
# There are one or two minor bugs in the third-party code that does the
# processing of these files, so it can cause MailScanner to hang in very
# rare cases.
# ClamAV has its own OLE unpacking code, so you can safely switch this off
# if you just rely on ClamAV for your virus-scanning.
# Note that this will,
# however, disable all filename and filetype checking of embedded files.
# This can also be the filename of a ruleset.
Unpack Microsoft Documents = yes

# Should the attachments be compressed and put into a single zip file?
# This can also be the filename of a ruleset.
Zip Attachments = no

# If the attachments are to be compressed into a single zip file,
# this is the filename of the zip file.
# This can also be the filename of a ruleset.
Attachments Zip Filename = MessageAttachments.zip

# If the original total size of all the attachments to be compressed is
# less than this number of bytes, they will not be zipped at all.
# This can also be the filename of a ruleset.
Attachments Min Total Size To Zip = 100k

# Attachments whose filenames end in these strings will not be zipped.
# This can also be the filename of a ruleset.
Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml

# Do you want to add the plain text contents of Microsoft Word documents?
# This feature uses the 'antiword' program available from
# http://www.winfield.demon.nl/
# For those of you running on Linux, you can get RPMs and SRPMs from
# http://www.volny.cz/zellerin/rpmmenu.html
# It is switched off by default, as it causes a slight performance hit.
# This can also be the filename of a ruleset.
Add Text Of Doc = no

# Location and full command of the "antiword" program
# Using a ruleset here, you could have different output styles for
# different people.
# This can also be the filename of a ruleset.
Antiword = /usr/bin/antiword -f

# The maximum length of time the "antiword" command is allowed to run for 1
# Word document (in seconds)
Antiword Timeout = 50

# MailScanner can automatically unpack small archives,
# so you don't have to go through several extra clicks to extract small
# files from automatically-generated emailed archives.
#
# This is the maximum number of files in each archive.
# If an archive contains
# more files than this, we do not try to unpack it at all.
# Set this value to 0 to disable this feature.
# This can also be the filename of a ruleset.
Unzip Maximum Files Per Archive = 0

# The maximum unpacked size of each file in an archive. Bigger than this, and
# the file will not be unpacked. Setting this value to 0 will disable this
# feature completely.
# This can also be the filename of a ruleset.
Unzip Maximum File Size = 50k

# The list of filename extensions that should be unpacked.
# This can also be the filename of a ruleset.
Unzip Filenames = *.txt *.ini *.log *.csv

# The MIME type of the files unpacked from the archive.
# If you are using it for mostly text files, then use "text/plain".
# If you are using it for mostly binary files, then use
# "application/octet-stream".
# This can also be the filename of a ruleset.
Unzip MimeType = text/plain

#
# Virus Scanning and Vulnerability Testing
# ----------------------------------------
#

# Do you want to scan email for viruses?
# A few people don't have a virus scanner licence and so want to disable
# all the virus scanning.
# If you use a ruleset for this setting, then the mail will be scanned if
# *any* of the rules match (except the default). That way unscanned mail
# never reaches a user who is having their mail virus-scanned.
#
# If you want to be able to switch scanning on/off for different users or
# different domains, set this to the filename of a ruleset.
# This can also be the filename of a ruleset.
Virus Scanning = yes

# Which Virus Scanning package(s) to use:
# sophos          from www.sophos.com
# sophossavi      (also from www.sophos.com, using the SAVI perl module)
# mcafee          from www.mcafee.com
# mcafee6         from www.mcafee.com (Version 6 and newer)
# command         from www.command.co.uk
# bitdefender     from www.bitdefender.com
# drweb           from www.dials.ru/english/dsav_toolkit/drwebunix.htm
# kaspersky-4.5   from www.kaspersky.com (Version 4.5 and newer)
# kaspersky       from www.kaspersky.com
# kavdaemonclient from www.kaspersky.com
# etrust          from http://www3.ca.com/Solutions/Product.asp?ID=156
# inoculate       from www.cai.com/products/inoculateit.htm
# inoculan        from ftp.ca.com/pub/getbbs/linux.eng/inoctar.LINUX.Z
# nod32           for Nod32 before version 1.99 from www.nod32.com
# nod32-1.99      for Nod32 1.99 and later, from www.nod32.com
# f-secure        from www.f-secure.com
# f-prot          from www.f-prot.com
# f-prot-6        for F-Prot version 6 or later, from www.f-prot.com
# f-protd-6       for F-Prot version 6 or later "fpscand" daemon
# panda           from www.pandasoftware.com
# rav             from www.ravantivirus.com
# antivir         from www.antivir.de
# clamav          from www.clamav.net
# clamavmodule    (also from www.clamav.net using the ClamAV perl module)
# clamd           (also from www.clamav.net using the clamd daemon)
#                 *Note: read the comments above the "Incoming Work Group" setting*,
#                 or
# trend           from www.trendmicro.com
# norman          from www.norman.de
# css             from www.symantec.com
# avg             from www.grisoft.com
# vexira          from www.centralcommand.com
# symscanengine   from www.symantec.com (Symantec Scan Engine, not CSS)
# avast           from www.avast.com
# avastd          (also from www.avast.com and relies on avastd to be configured
#                 [read 'man avastd.conf'] and running)
# esets           from www.eset.com
# vba32           from www.anti-virus.by/en/
# generic         One you wrote: edit the generic-wrapper and generic-autoupdate
#                 to fit your own needs. The output spec is in generic-wrapper, or
# none            No virus scanning at all.
#
# Note for McAfee users: do not use any symlinks with McAfee at all.
# It is
# very strange but may not detect all viruses when
# started from a symlink or scanning a directory path
# including symlinks.
#
# Note: If you want to use multiple virus scanners, then this should be a
#       space-separated list of virus scanners. For example:
#       Virus Scanners = sophos f-prot mcafee
#
# Note: Make sure that you check that the base installation directory in the
#       3rd column of virus.scanners.conf matches the location you have
#       installed each of your virus scanners. The supplied
#       virus.scanners.conf file assumes the default installation locations
#       recommended by each of the virus scanner installation guides.
#
# Note: If you specify "auto" then MailScanner will search for all the
#       scanners you have installed and will use all of them. If you really
#       want none, then specify "none".
#
# This *cannot* be the filename of a ruleset.
Virus Scanners = auto

# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
Virus Scanner Timeout = 300

# Should I attempt to disinfect infected attachments and then deliver
# the clean ones. "Disinfection" involves removing viruses from files
# (such as removing macro viruses from documents). "Cleaning" is the
# replacement of infected attachments with "VirusWarning.txt" text
# attachments.
# Less than 1% of viruses in the wild can be successfully disinfected,
# as macro viruses are now a rare occurrence. So the default has been
# changed to "no" as it gives a significant performance improvement.
#
# This can also be the filename of a ruleset.
Deliver Disinfected Files = no

# Strings listed here will be searched for in the output of the virus scanners.
# It is used to list which viruses should be handled differently from other
# viruses.
# If a virus name is given here, then
# 1) The sender will not be warned that he sent it
# 2) No attempt at true disinfection will take place
#    (but it will still be "cleaned" by removing the nasty attachments
#    from the message)
# 3) The recipient will not receive the message,
#    unless the "Still Deliver Silent Viruses" option is set
# Other words that can be put in this list are the 5 special keywords
# HTML-IFrame   : inserting this will stop senders being warned about
#                 HTML Iframe tags, when they are not allowed.
# HTML-Codebase : inserting this will stop senders being warned about
#                 HTML Object Codebase/Data tags, when they are not allowed.
# HTML-Script   : inserting this will stop senders being warned about
#                 HTML Script tags, when they are not allowed.
# HTML-Form     : inserting this will stop senders being warned about
#                 HTML Form tags, when they are not allowed.
# Zip-Password  : inserting this will stop senders being warned about
#                 password-protected zip files, when they are not allowed.
#                 This keyword is not needed if you include All-Viruses.
# All-Viruses   : inserting this will stop senders being warned about
#                 any virus, while still allowing you to warn senders
#                 about HTML-based attacks. This includes Zip-Password
#                 so you don't need to include both.
#
# The default of "All-Viruses" means that no senders of viruses will be
# notified (as the sender address is always forged these days anyway),
# but anyone who sends a message that is blocked for other reasons will
# still be notified.
#
# This can also be the filename of a ruleset.
Silent Viruses = HTML-IFrame All-Viruses

# Still deliver (after cleaning) messages that contained viruses listed
# in the above option ("Silent Viruses") to the recipient?
# Setting this to "yes" is good when you are testing everything, and
# because it shows management that MailScanner is protecting them,
# but it is bad because they have to filter/delete all the incoming virus
# warnings.
#
# Note: Once you have deployed this into "production" use, you should set
# Note: this option to "no" so you don't bombard thousands of people with
# Note: useless messages they don't want!
#
# This can also be the filename of a ruleset.
Still Deliver Silent Viruses = no

# Strings listed here will be searched for in the output of the virus scanners.
# It works to achieve the opposite effect of the "Silent Viruses" listed above.
# If a string here is found in the output of the virus scanners, then the
# message will be treated as if it were not infected with a "Silent Virus".
# If a message is detected as both a silent virus and a non-forging virus,
# then the ___non-forging status will override the silent status.___
# In simple terms, you should list virus names (or parts of them) that you
# know do *not* forge the From address.
# A good example of this is a document macro virus or a Joke program.
# Another word that can be put in this list is the special keyword
# Zip-Password : inserting this will cause senders to be warned about
#                password-protected zip files, when they are not allowed.
#                This will over-ride the All-Viruses setting in the list
#                of "Silent Viruses" above.
#
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar

# Some virus scanners now use their signatures to detect spam as well as
# viruses. These "viruses" are called "spam-viruses". When they are found
# the following header will be added to your message before it is passed to
# SpamAssassin, listing all the "spam-viruses" that were found as a comma-
# separated list.
# This can also be the filename of a ruleset.
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:

# This defines which virus reports from your virus scanners are really the
# names of "spam-viruses" as described in the "Spam-Virus Header" section
# above.
# This is a space-separated list of strings which can contain "*"
# wildcards to mean "any string of characters", and which will match the
# whole name of the virus reported by your virus scanner. So for example
# "HTML/*" will match all virus names which start with the string "HTML/".
# The supplied example is suitable for F-Prot6 and the SaneSecurity
# databases for ClamAV. The test is case-sensitive.
# This cannot be a ruleset, it must be a simple value as described.
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*

# Should encrypted messages be blocked?
# This is useful if you are wary about your users sending encrypted
# messages to your competition.
# This can be a ruleset so you can block encrypted message to certain domains.
Block Encrypted Messages = no

# Should unencrypted messages be blocked?
# This could be used to ensure all your users send messages outside your
# company encrypted to avoid snooping of mail to your business partners.
# This can be a ruleset so you can just check mail to certain users/domains.
Block Unencrypted Messages = no

# Should archives which contain any password-protected files be allowed?
# Leaving this set to "no" is a good way of protecting against all the
# protected zip files used by viruses at the moment.
# This can also be the filename of a ruleset.
Allow Password-Protected Archives = no

# Normally, you can still get the filenames out of a password-protected
# archive, despite the encryption. So by default filename checks are still
# done on these files. However, some people want to suppress this checking
# as they allow a few people to receive password-protected archives that
# contain things such as .exe's as part of their business needs. This option
# can be used to suppress filename checks inside password-protected archives.
# This can also be the filename of a ruleset.
Check Filenames In Password-Protected Archives = yes

#
# Options specific to Sophos Anti-Virus
# -------------------------------------
#

# Anything on the next line that appears in brackets at the end of a line
# of output from Sophos will cause the error/infection to be ignored.
# Use of this option is dangerous, and should only be used if you are having
# trouble with lots of corrupt PDF files, for example.
# If you need to specify more than 1 string to find in the error message,
# then put each string in quotes and separate them with a comma.
# For example:
#Allowed Sophos Error Messages = "corrupt", "format not supported", "File was encrypted", "The main body of virus data is out of date", "Password protected file"
Allowed Sophos Error Messages =

# The directory (or a link to it) containing all the Sophos *.ide files.
# This is only used by the "sophossavi" virus scanner, and is irrelevant
# for all other scanners.
Sophos IDE Dir = /opt/sophos-av/lib/sav

# The directory (or a link to it) containing all the Sophos *.so libraries.
# This is only used by the "sophossavi" virus scanner, and is irrelevant
# for all other scanners.
Sophos Lib Dir = /opt/sophos-av/lib

# SophosSAVI only: monitor each of these files for changes in size to
# detect when a Sophos update has happened. The date of the Sophos Lib Dir
# is also monitored.
# This is only used by the "sophossavi" virus scanner, not the "sophos"
# scanner setting.
Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide

#
# Options specific to ClamAV Anti-Virus
# -------------------------------------
#

# ClamAVModule only: monitor each of these files for changes in size to
# detect when a ClamAV update has happened.
# This is only used by the "clamavmodule" virus scanner, not the "clamav"
# scanner setting.
Monitors for ClamAV Updates = /usr/local/share/clamav/*.cld /usr/local/share/clamav/*.cvd

# ClamAVModule only: set limits when scanning for viruses.
#
# The maximum recursion level of archives,
# The maximum number of files per batch,
# The maximum size of each file,
# The maximum compression ratio of archive.
# These settings *cannot* be the filename of a ruleset, only a simple number.
ClamAVmodule Maximum Recursion Level = 8
ClamAVmodule Maximum Files = 1000
ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
ClamAVmodule Maximum Compression Ratio = 250

# Clamd only: configuration options for using the clamd daemon.
# 1. The port to use when communicating with clamd via TCP connection
# 2. The Socket, or IP to use for communicating with the clamd Daemon.
#    You enter either the full path to the UNIX socket file or the IP
#    address the daemon is listening on.
# 3. The ClamD Lock file should be created by clamd init script in most
#    cases. If it is not then the entry should be blank.
# 4. If MailScanner is running on a system with more than 1 CPU core (or
#    more than 1 CPU) then you can set "Clamd Use Threads" to "yes" to
#    speed up the scanning, otherwise there is no advantage and it should
#    be set to "no".
#
# None of these options can be the filenames of rulesets, they must be just
# simple values.
Clamd Port = 3310
Clamd Socket = /var/run/clamav/clamd.sock
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no

# There are now sets of signatures available from places such as
# www.sanesecurity.co.uk which use ClamAV to detect spam. Some of these
# signatures rely on being passed the whole message as one file. By setting
# this option to "yes", each entire message is written out to the scanning
# area, thus enabling these signatures to work reliably.
# It has a slight speed impact but is worth it for the extra spam-spotting
# ability.
#
# This option cannot be the filename of a ruleset, it must be "yes" or "no".
ClamAV Full Message Scan = yes

#
# Options specific to F-Protd-6 Anti-Virus
# ----------------------------------------
#

# This is the port number used by the local fpscand daemon.
# 10200 is the default value used by the F-Prot 6 installation program,
# and so should be correct.
# This option cannot be the filename of a ruleset, it must be a number.
Fpscand Port = 10200

#
# Removing/Logging dangerous or potentially offensive content
# -----------------------------------------------------------
#

# Do you want to scan the messages for potentially dangerous content?
# Setting this to "no" will disable all the content-based checks except
# Virus Scanning, Allow Partial Messages and Allow External Message Bodies.
# This can also be the filename of a ruleset.
Dangerous Content Scanning = yes

# Do you want to allow partial messages, which only contain a fraction of
# the attachments, not the whole thing? There is absolutely no way to
# scan these "partial messages" properly for viruses, as MailScanner never
# sees all of the attachment at the same time. Enabling this option can
# allow viruses through. You have been warned.
# This can also be the filename of a ruleset so you can, for example, allow
# them in outgoing mail but not in incoming mail.
Allow Partial Messages = no

# Do you want to allow messages whose body is stored somewhere else on the
# internet, which is downloaded separately by the user's email package?
# There is no way to guarantee that the file fetched by the user's email
# package is free from viruses, as MailScanner never sees it.
# This feature is dangerous as it can allow viruses to be fetched from
# other Internet sites by a user's email package. The user would just
# think it was a normal email attachment and would have been scanned by
# MailScanner.
# It is only currently supported by Netscape 6 anyway, and the only people
# who use it are the IETF. So I would strongly advise leaving this switched off.
# This can also be the filename of a ruleset.
Allow External Message Bodies = no

# Do you want to check for "Phishing" attacks?
# These are attacks that look like a genuine email message from your bank,
# which contain a link to click on to take you to the web site where you
# will be asked to type in personal information such as your account number
# or credit card details.
# Except it is not the real bank's web site at all, it is a very good copy
# of it run by thieves who want to steal your personal information or
# credit card details.
# These can be spotted because the real address of the link in the message
# is not the same as the text that appears to be the link.
# Note: This does cause extra load, particularly on systems receiving lots
#       of spam such as secondary MX hosts.
# This can also be the filename of a ruleset.
Find Phishing Fraud = yes

# While detecting "Phishing" attacks, do you also want to point out links
# to numeric IP addresses. Genuine links to totally numeric IP addresses
# are very rare, so this option is set to "yes" by default. If a numeric
# IP address is found in a link, the same phishing warning message is used
# as in the Find Phishing Fraud option above.
# This can also be the filename of a ruleset.
Also Find Numeric Phishing = yes

# If this is set to yes, then most of the URL in a link must match the
# destination address it claims to take you to. This is the default as it is
# a much stronger test and is very hard to maliciously avoid.
# If this is set to no, then just the company name and country (and any
# names between the two, dependent on the specific country) must match.
# This is not as strict as it will not protect you against internal
# malicious sites based within the company being abused. For example, it would
# not find www.nasty.company-name.co.uk pretending to be
# www.nice.company-name.co.uk. But it will still detect most phishing attacks
# of the type www.nasty.co.jp versus www.nice.co.jp.
# Depending on the country code it knows how many levels of domain need to
# be checked.
# This can also be the filename of a ruleset.
Use Stricter Phishing Net = yes

# If a phishing fraud is detected, do you want to highlight the tag with
# a message stating that the link may be to a fraudulent web site.
# This can also be the filename of a ruleset.
Highlight Phishing Fraud = yes

# There are some companies, such as banks, that insist on sending out
# email messages with links in them that are caught by the "Find Phishing
# Fraud" test described above.
# This is a space-separated list of the names of files which contain a
# list of link destinations which should be ignored in the test. This may,
# for example, contain the known websites of some banks.
# See the file itself for more information.
# This can only be the names of the files containing the list, it *cannot*
# be the filename of a ruleset.
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf

# As an opposite to the "safe" list above, there is also a live continuously-
# updated list of known bad sites, which will always trigger the "Find
# Phishing Fraud" test described above.
# This is a space-separated list of the names of files which contain
# a list of link destinations which should always trigger the test. This
# file should be updated hourly.
# This can only be the name of the file containing the list, it *cannot*
# be the filename of a ruleset.
Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf

# This file lists all the countries that use 2nd-level and 3rd-level
# domain names to classify distinct types of website within their country.
# This cannot be the name of a ruleset, it is just a simple setting.
Country Sub-Domains List = %etc-dir%/country.domains.conf

# Do you want to allow