From Nicola.Piazzi at gruppocomet.it Tue Dec 1 11:33:59 2015
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 1 Dec 2015 11:33:59 +0000
Subject: About supported FREE Antivirus
Message-ID: <30F3912C1D29DC49B0A7DA52B8F581B912B165F2@IDRA>

Hi,
I tried all supported FREE antiviruses and found that:

Clam works well and has a good number of detections
Sophos works well and has a discrete number of detections
Avg only 2 detections in 2 days
F-Prot no detections

- Do you know about these poor Avg and F-Prot results?
- Are there other FREE antiviruses to use?

COMODO Antivirus is a FREE and maintained product for Linux, but there is not an implemented Wrapper. Is there a wrapper for it?

Thx
Nicola

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

From phil.randal at hoopleltd.co.uk Tue Dec 1 12:04:53 2015
From: phil.randal at hoopleltd.co.uk (Randal, Phil)
Date: Tue, 1 Dec 2015 12:04:53 +0000
Subject: About supported FREE Antivirus
In-Reply-To: <30F3912C1D29DC49B0A7DA52B8F581B912B165F2@IDRA>
References: <30F3912C1D29DC49B0A7DA52B8F581B912B165F2@IDRA>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B858AB452E3@HC-EXMBX04.herefordshire.gov.uk>

I'd recommend clamd plus additional third-party definitions from SaneSecurity and others.

There's a script to maintain these

http://sanesecurity.com/usage/linux-scripts/

Cheers,

Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford | HR2 6JT
Tel : 01432 260415 | Email: phil.randal at hoopleltd.co.uk
General email: enquiries at hoopleltd.co.uk
Website: www.hoopleltd.co.uk

From last_warrior at mail.ru Wed Dec 2 17:08:54 2015
From: last_warrior at mail.ru (NIkita)
Date: Wed, 02 Dec 2015 20:08:54 +0300
Subject: Detected and have disarmed KILLED tags
Message-ID: <1449076134.692332017@f107.i.mail.ru>

Please help,
I've installed new server CentOS 7, MailScanner 4.85.2, ClamAV, postfix, SpamAssassin.
Some of my colleagues start to receive messages with text: "MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message."
In log file I've got:
" MailScanner [ 5525 ] : Content Checks : Detected and have disarmed KILLED tags in HTML message "

In "Removing dangerous content" section I've tried to switch off (setting to yes), one by one, sections like IFrame, From, Script and etc. But nothing happens.
I hope you know how to fix it.

Best regards,
Me

From mailinglists at feedmebits.nl Thu Dec 3 21:24:49 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Thu, 3 Dec 2015 22:24:49 +0100
Subject: dkim and Mailscanner
Message-ID: <5660B321.8040108@feedmebits.nl>

Hello,

I'm having a problem getting dkim to work together with mailscanner. I
noticed some comments about dkim in the comments so I took the advice of
the comments.

Multiple Headers = add

# Some people prefer that message headers are added in strict order with
# the newest headers at the top and the oldest headers at the bottom.
# This is also required if you receive a message which is authenticated by
# DKIM, and you are forwarding that message onto somewhere else, and want
# not to break the DKIM signature.
# **Note**: To avoid breaking DKIM signatures, you *must* also set
# Multiple Headers = add
# So if some of your users forward mail from PayPal, Ebay or Yahoo! to
# accounts stored on Gmail or Googlemail, then you need to set this to "yes"
# and "Multiple Headers = add" to avoid breaking the DKIM signature.
# It may be worth using a ruleset to just apply this to messages sent by
# the companies mentioned above.
# This can also be the filename of a ruleset.
Place New Headers At Top Of Message = yes

Each time I got the following error:

dkim=neutral (body hash did not verify) header.i=@feedmebits.nl

I thought I'd try doing a test by taking out mailscanner, only using postfix, and now I'm getting:

dkim=pass header.i=@feedmebits.nl

So for some reason Mailscanner is changing the body hash of the dkim signature. Anyone know what's causing this and how to fix it?
I can't find any other config setting in Mailscanner that would fix this.

Maarten

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mark at msapiro.net Thu Dec 3 22:39:27 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 3 Dec 2015 14:39:27 -0800
Subject: dkim and Mailscanner
In-Reply-To: <5660B321.8040108@feedmebits.nl>
References: <5660B321.8040108@feedmebits.nl>
Message-ID: <5660C49F.5000000@msapiro.net>

On 12/03/2015 01:24 PM, Maarten wrote:
> Hello,
>
> I'm having a problem getting dkim to work together with mailscanner. I
> noticed some comments about dkim in the comments so I took the advice of
> the comments.
>
> Multiple Headers = add
...
> Place New Headers At Top Of Message = yes
>
> Each time I got the following error:
>
> dkim=neutral (body hash did not verify) header.i=@feedmebits.nl
>
>
> I thought I'd try doing a test by taking out mailscanner, only using postfix, and now I'm getting:
>
> dkim=pass header.i=@feedmebits.nl

Are you looking at incoming mail or outgoing mail?

I DKIM sign outgoing mail and I have

Multiple Headers = add

and Place New Headers At Top Of Message is a ruleset which is Yes for a
small number of incoming messages and No for everything else.

I just sent a message addressed to both Yahoo and Gmail addresses. It
had my MailScanner headers added at the bottom as expected

Yahoo said

Received-SPF: pass (domain of msapiro.net designates 72.52.113.16 as permitted sender)

and

Authentication-Results: mta1323.mail.ne1.yahoo.com from=msapiro.net; domainkeys=neutral (no sig); from=msapiro.net; dkim=pass (ok)

and Gmail said:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of mark at msapiro.net designates 72.52.113.16 as permitted sender) smtp.mailfrom=mark at msapiro.net;
       dkim=pass header.i=@msapiro.net

According to logs, Postfix opendkim signed the message before it was
processed by MailScanner so my DKIM sig was there and MailScanner didn't
break it, however, if MailScanner does any disarming of web bugs or
suspected phishing URLs or the like, it will certainly break the sig.

For incoming mail I'm not so fussy, but my ruleset says Place New
Headers At Top Of Message = Yes for certain messages that actually get
forwarded to a remote ISP that calls them spam if the sig is broken, but
ultimately I don't scan those messages at all (per a Scan Messages
ruleset) because of MailScanner body changes for disarming.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailinglists at feedmebits.nl Fri Dec 4 13:20:32 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Fri, 4 Dec 2015 14:20:32 +0100
Subject: MailScanner Digest, Vol 120, Issue 4
In-Reply-To:
References:
Message-ID: <56619320.8090207@feedmebits.nl>

Hello Mark,

Thanks for your reply. It's for outgoing mail, the messages gets signed but it doesn't pass the dkim test. When I take out mailscanner and just let it go through postfix I get a pass.
So seems like Mailscanner changes the body/hash of the dkim headers?

I have the same settings for adding multiple headers:

Multiple Headers = add
Place New Headers At Top Of Message = yes

I just send plain text mails nothing with links in them. I'll have another look at my logs.

gmail:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of mailinglists at feedmebits.nl designates 46.105.136.80 as permitted sender) smtp.mailfrom=mailinglists at feedmebits.nl;
       dkim=neutral (body hash did not verify) header.i=@feedmebits.nl

KIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=feedmebits.nl;
	s=default; t=1449234663;
	bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
	h=Reply-To:To:From:Subject:Date:From;
	b=XIkGDgIDv6fn5/R/xRN2iZuFU0WeKwA6WmYciBwwUARrN+99dcHrnMtpR5ORiuQTj
	 JQh02nSRXyiAxBbHlM9Eu0UTJ13TMRtFD1ltgTZSo5WJKD6jjh16LZlP4zLzuatck2
	 CmDWmwsW129cxkYOgdFUc3eZf+iR2fQO7qhNz1cc=

hotmail:

Authentication-Results: hotmail.com; spf=temperror (sender IP is 46.105.136.80) smtp.mailfrom=mailinglists at feedmebits.nl; dkim=permerror header.d=feedmebits.nl; x-hmca=none header.id=mailinglists at feedmebits.nl
X-SID-PRA: mailinglists at feedmebits.nl
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: NhFq/7gR1vThNR8614T/HV1LCNKAiOTz74c+/sD/dLNAdnBb9eSKCndmPa1+InLpBAa/DfRp4tDhx7KiLIlU9Gp94AM6nSIvBHwbw9gbUW+UHh2b/QKAg8P8Hx7nGbBWn0evWfrsmjYmh6Y/Yvi90ec3o/MVkyNrv6xJqHE6ZvbjwL/KJxQsQBgzurOq37su+2R9HwDexT3cLgJQxT89fvpS/Wx+cWRqTNntp6ISHNuH5E25f+Vjbg==

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From wbaudler at gb.nrao.edu Fri Dec 4 13:31:06 2015
From: wbaudler at gb.nrao.edu (Wolfgang Baudler)
Date: Fri, 4 Dec 2015 08:31:06 -0500
Subject: MailScanner causes SpamAssassin rules to firing inconsistently
In-Reply-To:
References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> <563B8AEA.10804@msapiro.net> <4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu> <563B91EA.90106@msapiro.net> <563BA37E.5010508@msapiro.net> <563BC305.4020807@msapiro.net>
Message-ID: <6b7e66302a6055bfa023f4628a067154.squirrel@webmail.gb.nrao.edu>

> Wolfgang,
>
> Would you do me a favor and test this PR in your setup?
>
> https://github.com/MailScanner/v4/pull/42/files
>

I tried this version of the patch, and yes it seems to fix the issue in
our setup. There might be other MTA implementations other than sendmail
that might need the same fix, though (There is EximDiskStore.pm,
PFDiskStore.pm QMDiskStore.pm, SMDiskStore.pm, ZMDiskStore.pm). I have
only looked at SMDiskStore.pm.

Wolfgang

> On Mon, Nov 16, 2015 at 3:53 PM, Wolfgang Baudler
> wrote:
>
>> > On 11/05/2015 11:05 AM, Wolfgang Baudler wrote:
>> >>
>> >> no difference in log messages, except the senders domain and address of
>> >> course.
>> >>
>> >> internal log example:
>> >> Nov 5 13:50:58 io MailScanner[24033]: Message tA5IopES005503 from
>> >> 192.33.116.115 (wbaudler at gb.nrao.edu) to gb.nrao.edu is not spam,
>> >> SpamAssassin (score=-199.008, required 5, autolearn=disabled,
>> >> TEST_RULE_AA
>> >> 1.00, NRAO_HEADER_PRESENT -100.00, TVD_SPACE_RATIO 0.00,
>> >> T_RP_MATCHES_RCVD
>> >> -0.01, USER_IN_WHITELIST -100.00)
>> >>
>> >> external log example:
>> >> Nov 5 13:55:47 io MailScanner[24004]: Message tA5ItQmr006622 from
>> >> 98.138.229.70 (wbaudler at yahoo.com) to gb.nrao.edu is not spam,
>> >> SpamAssassin (score=0.902, required 5, autolearn=disabled,
>> >> DKIM_ADSP_CUSTOM_MED 0.00, DKIM_SIGNED 0.10, FREEMAIL_FROM 0.00,
>> >> LOCAL_ID_JAVAMAIL 1.00, NML_ADSP_CUSTOM_MED 1.20, RCVD_IN_DNSWL_LOW
>> >> -0.70, RCVD_IN_MSPIKE_H3 -0.70, SPF_PASS -0.00, T_DKIM_INVALID 0.01,
>> >> T_RP_MATCHES_RCVD -0.01)
>> >>
>> >> The TEST_RULE_AA test result is missing in the external example. The
>> >> message sent was completely identical.
>> >
>> >
>> > At this point I am at a loss unless your "Max SpamAssassin Size" setting
>> > and your test message size are such that the extra headers from the
>> > remote source push the test string out of range. This seems highly
>> > unlikely.
>> >
>> > It seems this might be a spamassassin bug triggered by something in the
>> > message headers from the remote servers, but this seems unlikely too.
>> >
>> > --
>> > Mark Sapiro        The highway is for gamblers,
>> > San Francisco Bay Area, California    better use your sense - B. Dylan
>> >
>> >
>>
>> After doing some extended chasing I have an update on this issue.
>>
>> It seems that the firing or non-firing of body rules depends on the MUA
>> used to send the message. In particular on the fact that some MUA add an
>> empty line (0x0a newline) at the end of the body when
>> sending and some do not.
>>
>> Those that add the extra line with a newline will fire body rules
>> correctly if processed through Mailscanner, those that do not have the
>> extra line will not fire.
>>
>> Some particular real spam messages seem to consistently lack this empty
>> line and thus get not tagged correctly.
>>
>> I have not figured out exactly where this missing newline throws
>> MailScanner off, but I was able to implement a crude fix by modifying the
>> loop of the ReadBody function in SMDiskStore.pm like this (we are using
>> sendmail with MailScanner):
>>
>> while(defined($line = <$dh>) && $size<$max) {
>>   push @{$body}, $line;
>>   $size += length($line);
>>   #print STDERR "Line read2 is ****" . $line . "****\n";
>> }
>> $lastlineread = $line;
>> push @{$body}, "\n";
>>
>> Only the last line was added, which pushes an unconditional newline at the
>> end of the body just read. After that modification all body rules fire
>> correctly as expected.
>>
>> Hopefully someone more familiar with the MailScanner code can come up with
>> a proper patch to fix this issue?
>>
>> Wolfgang
>>
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>>
>
>
> --
> Shawn Iverson
> Director of Technology
> Rush County Schools
> 765-932-3901 x271
> iversons at rushville.k12.in.us
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>

From mailinglists at feedmebits.nl Fri Dec 4 13:35:00 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Fri, 4 Dec 2015 14:35:00 +0100
Subject: MailScanner Digest, Vol 120, Issue 4
In-Reply-To:
References:
Message-ID: <56619684.3050504@feedmebits.nl>

I checked my logs and the dkim headers get added, then mailscanner processes the mail

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mark at msapiro.net Fri Dec 4 18:08:35 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 4 Dec 2015 10:08:35 -0800
Subject: dkim and Mailscanner
In-Reply-To: <56619320.8090207@feedmebits.nl>
References: <56619320.8090207@feedmebits.nl>
Message-ID: <5661D6A3.8020503@msapiro.net>

On 12/04/2015 05:20 AM, Maarten wrote:
>
> Thanks for your reply. It's for outgoing mail, the messages gets signed
> but it doesn't pass the dkim test.
> When I take out mailscanner and just
> let it go through postfix I get a pass. So seems like Mailscanner
> changes the body/hash of the dkim headers?

So it seems.

> I have the same settings for adding multiple headers:
>
> Multiple Headers = add
> Place New Headers At Top Of Message = yes

In my case, for outgoing mail my rules say Place New Headers At Top Of
Message = no.

> I just send plain text mails nothing with links in them. I'll have
> another look at my logs.
>
>
> gmail:
>
> Authentication-Results: mx.google.com;
>        spf=pass (google.com: domain of mailinglists at feedmebits.nl designates 46.105.136.80 as permitted sender) smtp.mailfrom=mailinglists at feedmebits.nl;
>        dkim=neutral (body hash did not verify) header.i=@feedmebits.nl

OK, but as I said, it works for me, so I don't know what the problem is
in your case.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailinglists at feedmebits.nl Fri Dec 4 18:16:46 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Fri, 4 Dec 2015 19:16:46 +0100
Subject: dkim and Mailscanner
In-Reply-To: <5661D6A3.8020503@msapiro.net>
References: <56619320.8090207@feedmebits.nl> <5661D6A3.8020503@msapiro.net>
Message-ID: <5661D88E.1030302@feedmebits.nl>

Is there a way to set mailscanner into verbose or debug log mode, so I can see what's actually happening. Normal mode I can only see when it's scanning a message etc.

On 12/04/2015 07:08 PM, Mark Sapiro wrote:
> On 12/04/2015 05:20 AM, Maarten wrote:
>> Thanks for your reply. It's for outgoing mail, the messages gets signed
>> but it doesn't pass the dkim test. When I take out mailscanner and just
>> let it go through postfix I get a pass. So seems like Mailscanner
>> changes the body/hash of the dkim headers?
> So it seems.
>
>
>> I have the same settings for adding multiple headers:
>>
>> Multiple Headers = add
>> Place New Headers At Top Of Message = yes
>
> In my case, for outgoing mail I my rules say Place New Headers At Top Of
> Message = no.
>
>
>> I just send plain text mails nothing with links in them. I'll have
>> another look at my logs.
>>
>>
>> gmail:
>>
>> Authentication-Results: mx.google.com;
>>        spf=pass (google.com: domain of mailinglists at feedmebits.nl designates 46.105.136.80 as permitted sender) smtp.mailfrom=mailinglists at feedmebits.nl;
>>        dkim=neutral (body hash did not verify) header.i=@feedmebits.nl
>
> OK, but as I said, it works for me, so I don't know what the problem is
> in your case.
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mark at msapiro.net Fri Dec 4 18:29:37 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 4 Dec 2015 10:29:37 -0800
Subject: dkim and Mailscanner
In-Reply-To: <5661D88E.1030302@feedmebits.nl>
References: <56619320.8090207@feedmebits.nl> <5661D6A3.8020503@msapiro.net> <5661D88E.1030302@feedmebits.nl>
Message-ID: <5661DB91.5010408@msapiro.net>

On 12/04/2015 10:16 AM, Maarten wrote:
> Is there way to get set mailscanner into verbose or debug log mode, so I
> can see what's actually happening. Normal mode I can only see when it's
> scanning a message etc.

You could just compare the body of your sent message with the one that
fails verification after receipt to see what's different.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From mailinglists at feedmebits.nl Fri Dec 4 20:22:52 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Fri, 4 Dec 2015 21:22:52 +0100
Subject: dkim and Mailscanner
In-Reply-To: <5661DB91.5010408@msapiro.net>
References: <56619320.8090207@feedmebits.nl> <5661D6A3.8020503@msapiro.net> <5661D88E.1030302@feedmebits.nl> <5661DB91.5010408@msapiro.net>
Message-ID: <5661F61C.80807@feedmebits.nl>

I the the message headers are exactly the same. So I sent an email to auth-results at verifier.port25.com to get a report. It's the Canonicalized Bodies that are different.

When the test passes I get my dns records back:

Canonicalized Body:

DNS record(s):
    default._domainkey.feedmebits.nl. 86121 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaf6SefY18HUDitRouHw9eP0zJ9W8BY2x+urENVAdmV/ghPjVnqjemJLBySGrXLiMiNO2Vs9js+3BVyblUZRj2CnK6uqUlkyWnJ9GUpZ8pfKZDP1s9gP0ASCDdsMzXEcNnPqyeko2jgbIn5eiZ6xeKwX/qV8JIQsTo/XzqWko7mwIDAQAB"
    default._domainkey.feedmebits.nl. 86121 IN TXT "o=~"

Public key used for verification: default._domainkey.feedmebits.nl (1024 bits)

And when the test fails I get the following back in the body:

Canonicalized Body:
    '0D''0A'
    '0D''0A'
    --'0D''0A'
    This'20'message'20'has'20'been'20'scanned'20'for'20'viruses'20'and'0D''0A'
    dangerous'20'content'20'by'20'MailScanner,'20'and'20'is'0D''0A'
    believed'20'to'20'be'20'clean.'0D''0A'

At least I found where exactly it goes wrong, now to find where the problem comes from.

On 12/04/2015 07:29 PM, Mark Sapiro wrote:
> On 12/04/2015 10:16 AM, Maarten wrote:
>> Is there way to get set mailscanner into verbose or debug log mode, so I
>> can see what's actually happening. Normal mode I can only see when it's
>> scanning a message etc.
>
> You could just compare the body of your sent message with the one that
> fails verification after receipt to see what's different.
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
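
The "body hash did not verify" result discussed in this thread, reproduced as an added example (not part of any poster's message and not MailScanner or OpenDKIM code): it implements the RFC 6376 body canonicalization and, given a DKIM-Signature value and the delivered body, reports whether text was appended after signing. The sample body, the example.org domain and all function names are constructed for illustration; the footer text is the one quoted in the thread, and the l= tag is ignored.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Canonicalize a body per RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed)."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("unknown body canonicalization: " + mode)
    lines = re.split(rb"\r?\n", body)
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body is "" under relaxed and a single CRLF under simple.
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed", algo: str = "sha256") -> str:
    """Return the value a signer would place in the bh= tag."""
    digest = hashlib.new(algo, canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def explain_body_hash(sig_value: str, delivered: bytes) -> dict:
    """Compare bh= with the delivered body and look for appended text."""
    tags = parse_tags(sig_value)
    c = tags.get("c", "simple/simple")
    mode = c.split("/")[1] if "/" in c else "simple"
    algo = tags.get("a", "rsa-sha256").split("-")[-1]  # rsa-sha256 -> sha256
    want = tags["bh"]
    if body_hash(delivered, mode, algo) == want:
        return {"verdict": "body hash verifies", "appended": b""}
    # Drop lines from the end until the remaining prefix hashes to bh=.
    lines = delivered.splitlines(keepends=True)
    for cut in range(len(lines) - 1, -1, -1):
        if body_hash(b"".join(lines[:cut]), mode, algo) == want:
            return {"verdict": "text appended after signing",
                    "appended": b"".join(lines[cut:])}
    return {"verdict": "body changed in place", "appended": None}


# Constructed sample data: a plain-text body as signed, and the same body
# after a content filter added the clean-message footer quoted in the thread.
SIGNED_BODY = b"Hello list,\r\n\r\nplain text test, no links.\r\n"
FOOTER = (b"\r\n\r\n-- \r\n"
          b"This message has been scanned for viruses and\r\n"
          b"dangerous content by MailScanner, and is\r\n"
          b"believed to be clean.\r\n")
DELIVERED_BODY = SIGNED_BODY + FOOTER


def constructed_signature(body: bytes) -> str:
    """Sample DKIM-Signature value; d= is a placeholder and b= is left empty."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=default; "
            "bh=" + body_hash(body) + "; h=From:To:Subject:Date; b=")


if __name__ == "__main__":
    sig = constructed_signature(SIGNED_BODY)
    for label, body in (("as signed", SIGNED_BODY),
                        ("as delivered", DELIVERED_BODY)):
        result = explain_body_hash(sig, body)
        print(label, "->", result["verdict"])
        if result["appended"]:
            print(result["appended"].decode("ascii"))
```

Relaxed canonicalization tolerates whitespace changes and trailing blank lines only, so any footer added after the signing step changes bh= regardless of header settings.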

From mark at msapiro.net Fri Dec 4 20:36:15 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 4 Dec 2015 12:36:15 -0800
Subject: dkim and Mailscanner
In-Reply-To: <5661F61C.80807@feedmebits.nl>
References: <56619320.8090207@feedmebits.nl> <5661D6A3.8020503@msapiro.net> <5661D88E.1030302@feedmebits.nl> <5661DB91.5010408@msapiro.net> <5661F61C.80807@feedmebits.nl>
Message-ID: <5661F93F.4020907@msapiro.net>

On 12/04/2015 12:22 PM, Maarten wrote:

> And when the test fails I get the following back in the body:
>
> Canonicalized Body:
>     '0D''0A'
>     '0D''0A'
>     --'0D''0A'
>     This'20'message'20'has'20'been'20'scanned'20'for'20'viruses'20'and'0D''0A'
>     dangerous'20'content'20'by'20'MailScanner,'20'and'20'is'0D''0A'
>     believed'20'to'20'be'20'clean.'0D''0A'
>
> At least I found where exactly it goes wrong, now to find where the problem comes from.

Set 'Sign Clean Messages' to no in your MailScanner config

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailinglists at feedmebits.nl Fri Dec 4 21:09:58 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Fri, 4 Dec 2015 22:09:58 +0100
Subject: dkim and Mailscanner
In-Reply-To: <5661F93F.4020907@msapiro.net>
References: <56619320.8090207@feedmebits.nl> <5661D6A3.8020503@msapiro.net> <5661D88E.1030302@feedmebits.nl> <5661DB91.5010408@msapiro.net> <5661F61C.80807@feedmebits.nl> <5661F93F.4020907@msapiro.net>
Message-ID: <56620126.4040405@feedmebits.nl>

Cheers for that fixed my problem. Now that you mention it makes sense, been looking over different configs and different mail headers so long that my eyes aren't working as well ;) Thanks for the second pair of eyes.

hotmail:

Authentication-Results: hotmail.com; spf=pass (sender IP is 46.105.136.80) smtp.mailfrom=mailinglists at feedmebits.nl; dkim=permerror header.d=feedmebits.nl; x-hmca=pass header.id=mailinglists at feedmebits.nl
X-SID-PRA: mailinglists at feedmebits.nl
X-AUTH-Result: PASS
X-SID-Result: PASS

gmail:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of mailinglists at feedmebits.nl designates 46.105.136.80 as permitted sender) smtp.mailfrom=mailinglists at feedmebits.nl;
       dkim=pass header.i=@feedmebits.nl

On 12/04/2015 09:36 PM, Mark Sapiro wrote:
> On 12/04/2015 12:22 PM, Maarten wrote:
>
>> And when the the test fails I get the following back in the body:
>>
>> Canonicalized Body:
>>     '0D''0A'
>>     '0D''0A'
>>     --'0D''0A'
>>     This'20'message'20'has'20'been'20'scanned'20'for'20'viruses'20'and'0D''0A'
>>     dangerous'20'content'20'by'20'MailScanner,'20'and'20'is'0D''0A'
>>     believed'20'to'20'be'20'clean.'0D''0A'
>>
>> At least I found where exactly it goes wrong, now to find where the problem comes from.
>
> Set 'Sign Clean Messages' to no in your MailScanner config
>

From koby at mksoft.co.il Sun Dec 6 08:38:09 2015
From: koby at mksoft.co.il (Koby Peleg Hen)
Date: Sun, 6 Dec 2015 10:38:09 +0200
Subject: bitdefender experience
Message-ID: <5663F3F1.2010604@mksoft.co.il>

An HTML attachment was scrubbed...

From jerry.benton at mailborder.com Sun Dec 6 09:14:41 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sun, 6 Dec 2015 04:14:41 -0500
Subject: bitdefender experience
In-Reply-To: <5663F3F1.2010604@mksoft.co.il>
References: <5663F3F1.2010604@mksoft.co.il>
Message-ID: <12865FC5-7F3D-4BE4-B739-5BBADDA389B3@mailborder.com>

I used it years ago and liked it. However, I recently installed the mail server version on a test machine and hate it.

-
Jerry Benton
www.mailborder.com

> On Dec 6, 2015, at 3:38 AM, Koby Peleg Hen wrote:
>
> Hello All ,
> Does any one has any real experience with bitdefender AV.
> I would like to use it as an additional AV to my system.
>
> Thank you all for your co operation
> Koby Peleg Hen
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From mailinglists at feedmebits.nl Sun Dec 6 09:32:29 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Sun, 6 Dec 2015 10:32:29 +0100
Subject: bitdefender experience
In-Reply-To: <12865FC5-7F3D-4BE4-B739-5BBADDA389B3@mailborder.com>
References: <5663F3F1.2010604@mksoft.co.il> <12865FC5-7F3D-4BE4-B739-5BBADDA389B3@mailborder.com>
Message-ID: <566400AD.7030709@feedmebits.nl>

I take it that you're wanting to use it for your personal mail server not, for a business? It was one of my choices as an AV. However the problem with most AV companies is that they only offer the Linux version of their product as a quote. And most AV companies I mailed never even replied, maybe 2 out of the 10 mailed me back. I called one company NOD32, and the person I spoke to barely even knew what Linux was. The only company offering the Linux version of their product on their website was F-PROT, so I can't give you any real advice on that, so it seems like most businesses expect that you're a company if you're running an av product under Linux and that might be the reason why you can only get it as a quote with 99% of the AV companies. Just my two cents on that ;)

Maarten

On 12/06/2015 10:14 AM, Jerry Benton wrote:
> I used it years ago and liked it. However, I recently installed the
> mail server version on a test machine and hate it.
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On Dec 6, 2015, at 3:38 AM, Koby Peleg Hen
>> wrote:
>>
>> Hello All ,
>> Does any one has any real experience with bitdefender AV.
>> I would like to use it as an additional AV to my system.
>>
>> Thank you all for your cooperation
>> Koby Peleg Hen

From jerry.benton at mailborder.com Sun Dec 6 09:47:18 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sun, 6 Dec 2015 04:47:18 -0500
Subject: bitdefender experience
In-Reply-To: <566400AD.7030709@feedmebits.nl>
References: <5663F3F1.2010604@mksoft.co.il> <12865FC5-7F3D-4BE4-B739-5BBADDA389B3@mailborder.com> <566400AD.7030709@feedmebits.nl>
Message-ID:

I had the same experience when emailing AV companies about redistributable licenses for Mailborder.

Me: I want to give you money.
Them: We don’t have an avenue for that. There is no one here named Linux.

-
Jerry Benton
www.mailborder.com

> On Dec 6, 2015, at 4:32 AM, Maarten wrote:
>
> I take it that you're wanting to use it for your personal mail server, not for a business? It was one of my choices as an AV. However the problem with most AV companies is that they only offer the Linux version of their product as a quote. And most AV companies I mailed never even replied, maybe 2 out of the 10 mailed me back. I called one company NOD32, and the person I spoke to barely even knew what Linux was. The only company offering the Linux version of their product on their website was F-PROT, so I can't give you any real advice on that, so it seems like most businesses expect that you're a company if you're running an av product under Linux and that might be the reason why you can only get it as a quote with 99% of the AV companies. Just my two cents on that ;)
>
> Maarten
>
> On 12/06/2015 10:14 AM, Jerry Benton wrote:
>> I used it years ago and liked it. However, I recently installed the mail server version on a test machine and hate it.
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>>
>>> On Dec 6, 2015, at 3:38 AM, Koby Peleg Hen <koby at mksoft.co.il> wrote:
>>>
>>> Hello All,
>>> Does anyone have any real experience with bitdefender AV.
>>> I would like to use it as an additional AV to my system.
>>>
>>> Thank you all for your cooperation
>>> Koby Peleg Hen

From steve at weigoldenterprises.com Wed Dec 9 01:44:22 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Tue, 8 Dec 2015 20:44:22 -0500
Subject: Pyzor integration
Message-ID: <56678776.6020401@weigoldenterprises.com>

Greetings

Apologies if this has been asked before, but while I found the list archive, I couldn't find a means to search it and considering it goes back many years, scanning by hand seemed a bit overwhelming. If there's a search capability for it that I've missed, please let me know.

Anyway, I have a new server I've set up to be a spam filter gateway. It's a clean install of Debian Jessie with MailScanner and Postfix with what I believe to be the latest versions. Generally, the system is working, but I'm still getting much more spam than I should be. Reviewing the logs, I can see that I'm getting relatively low spam scores even on what I'd consider obvious spam emails.

This led me down the path of what else could be done with spamassassin, which got me to Pyzor, Razor and DCC. At the moment, DCC isn't installed. I guess it was removed from the repository because it's non-free?
Pyzor and Razor are installed, and somehow, I think I have Razor working, at least based on the fact that I see log entries like this one:

Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from 198.173.85.230 (amazon-promotional-credit at urfhe.selectweddingbands.com) to acnoc.net is not spam, SpamAssassin (not cached, score=5.497, required 6, RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)

I'm not sure Pyzor is working though, and when I run MailScanner --lint, I get this:

pyzor: check failed: internal error, python traceback seen in response

I've googled ad nauseam and I'm getting nowhere.

In spam.assassin.prefs.conf, I have:
pyzor_options --homedir /var/spool/MailScanner/

and permissions on that folder seem OK
drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner

Inside it, Pyzor's servers file:
-rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers

Help?

Thanks!
Steve

From steve at weigoldenterprises.com Wed Dec 9 02:02:41 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Tue, 8 Dec 2015 21:02:41 -0500
Subject: Pyzor integration
In-Reply-To: <56678776.6020401@weigoldenterprises.com>
References: <56678776.6020401@weigoldenterprises.com>
Message-ID: <56678BC1.7070508@weigoldenterprises.com>

Some follow-on information.... I expected all of the details to be in mail.log and didn't think to check syslog.
:-( More details there:

Dec 8 11:40:35 gw1 mailscanner[4195]: Dec 8 11:40:35.083 [4334] dbg: pyzor: got response: Traceback (most recent call last):\n File "/usr/bin/pyzor", line 8, in \n pyzor.client.run()\n File "/usr/lib/pymodules/python2.7/pyzor/client.py", line 1022, in run\n ExecCall().run()\n File "/usr/lib/pymodules/python2.7/pyzor/client.py", line 180, in run\n os.mkdir(homedir)\nOSError: [Errno 13] Permission denied: '/var/spool/postfix/.pyzor'
Dec 8 11:40:35 gw1 mailscanner[4195]: pyzor: check failed: internal error, python traceback seen in response

Obviously I have a permissions issue. Now I need to understand why it's trying to use /var/spool/postfix for .pyzor instead of /var/spool/MailScanner.

I also clicked around more and found the archive search mechanism.

Words of wisdom appreciated.

Steve

On 12/8/2015 8:44 PM, Steve Weigold wrote:
> Greetings
>
> Apologies if this has been asked before, but while I found the list
> archive, I couldn't find a means to search it and considering it goes
> back many years, scanning by hand seemed a bit overwhelming. If
> there's a search capability for it that I've missed, please let me know.
>
> Anyway, I have a new server I've set up to be a spam filter gateway.
> It's a clean install of Debian Jessie with MailScanner and Postfix
> with what I believe to be the latest versions. Generally, the system
> is working, but I'm still getting much more spam than I should be.
> Reviewing the logs, I can see that I'm getting relatively low spam
> scores even on what I'd consider obvious spam emails.
>
> This led me down the path of what else could be done with
> spamassassin, which got me to Pyzor, Razor and DCC. At the moment,
> DCC isn't installed. I guess it was removed from the repository
> because it's non-free?
> Pyzor and Razor are installed, and somehow, I
> think I have Razor working, at least based on the fact that I see log
> entries like this one:
>
> Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from
> 198.173.85.230
> (amazon-promotional-credit at urfhe.selectweddingbands.com) to acnoc.net
> is not spam, SpamAssassin (not cached, score=5.497, required 6,
> RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43,
> RAZOR2_CHECK 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)
>
> I'm not sure Pyzor is working though, and when I run MailScanner
> --lint, I get this:
>
> pyzor: check failed: internal error, python traceback seen in response
>
> I've googled ad nauseam and I'm getting nowhere.
>
> In spam.assassin.prefs.conf, I have:
> pyzor_options --homedir /var/spool/MailScanner/
>
> and permissions on that folder seem OK
> drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner
>
> Inside it, Pyzor's servers file:
> -rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers
>
> Help?
>
> Thanks!
> Steve

--
Steve Weigold
Weigold Enterprises
Cell - 513-365-0446
www.weigoldenterprises.com
www.facebook.com/weigoldenterprises

From jerry.benton at mailborder.com Wed Dec 9 02:22:17 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 8 Dec 2015 21:22:17 -0500
Subject: Pyzor integration
In-Reply-To: <56678BC1.7070508@weigoldenterprises.com>
References: <56678776.6020401@weigoldenterprises.com> <56678BC1.7070508@weigoldenterprises.com>
Message-ID: <4CF7AA19-F133-4ACF-932A-18FD96EF474F@mailborder.com>

Check which user and group you are running under. Also check the permissions. I personally like to create a group called mtagroup and add postfix, clamav, and whatever other users to it. I then use that group in MailScanner with group write permissions. Eliminates the permission issues.
-
Jerry Benton
www.mailborder.com

> On Dec 8, 2015, at 9:02 PM, Steve Weigold wrote:
>
> Some follow-on information.... I expected all of the details to be in mail.log and didn't think to check syslog. :-( More details there:
>
> Dec 8 11:40:35 gw1 mailscanner[4195]: Dec 8 11:40:35.083 [4334] dbg: pyzor: got response: Traceback (most recent call last):\n File "/usr/bin/pyzor", line 8, in \n pyzor.client.run()\n File "/usr/lib/pymodules/python2.7/pyzor/client.py", line 1022, in run\n ExecCall().run()\n File "/usr/lib/pymodules/python2.7/pyzor/client.py", line 180, in run\n os.mkdir(homedir)\nOSError: [Errno 13] Permission denied: '/var/spool/postfix/.pyzor'
> Dec 8 11:40:35 gw1 mailscanner[4195]: pyzor: check failed: internal error, python traceback seen in response
>
> Obviously I have a permissions issue. Now I need to understand why it's trying to use /var/spool/postfix for .pyzor instead of /var/spool/MailScanner.
>
> I also clicked around more and found the archive search mechanism.
>
> Words of wisdom appreciated.
>
> Steve
>
> On 12/8/2015 8:44 PM, Steve Weigold wrote:
>> Greetings
>>
>> Apologies if this has been asked before, but while I found the list archive, I couldn't find a means to search it and considering it goes back many years, scanning by hand seemed a bit overwhelming. If there's a search capability for it that I've missed, please let me know.
>>
>> Anyway, I have a new server I've set up to be a spam filter gateway. It's a clean install of Debian Jessie with MailScanner and Postfix with what I believe to be the latest versions. Generally, the system is working, but I'm still getting much more spam than I should be. Reviewing the logs, I can see that I'm getting relatively low spam scores even on what I'd consider obvious spam emails.
>>
>> This led me down the path of what else could be done with spamassassin, which got me to Pyzor, Razor and DCC. At the moment, DCC isn't installed.
>> I guess it was removed from the repository because it's non-free? Pyzor and Razor are installed, and somehow, I think I have Razor working, at least based on the fact that I see log entries like this one:
>>
>> Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from 198.173.85.230 (amazon-promotional-credit at urfhe.selectweddingbands.com) to acnoc.net is not spam, SpamAssassin (not cached, score=5.497, required 6, RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)
>>
>> I'm not sure Pyzor is working though, and when I run MailScanner --lint, I get this:
>>
>> pyzor: check failed: internal error, python traceback seen in response
>>
>> I've googled ad nauseam and I'm getting nowhere.
>>
>> In spam.assassin.prefs.conf, I have:
>> pyzor_options --homedir /var/spool/MailScanner/
>>
>> and permissions on that folder seem OK
>> drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner
>>
>> Inside it, Pyzor's servers file:
>> -rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers
>>
>> Help?
>>
>> Thanks!
>> Steve
>
> --
> Steve Weigold
> Weigold Enterprises
> Cell - 513-365-0446
> www.weigoldenterprises.com
> www.facebook.com/weigoldenterprises
From mark at msapiro.net Wed Dec 9 04:55:11 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 8 Dec 2015 20:55:11 -0800
Subject: Searching the list archive - was: Pyzor integration
In-Reply-To: <56678776.6020401@weigoldenterprises.com>
References: <56678776.6020401@weigoldenterprises.com>
Message-ID: <5667B42F.4040906@msapiro.net>

On 12/08/2015 05:44 PM, Steve Weigold wrote:
> Greetings
>
> Apologies if this has been asked before, but while I found the list
> archive, I couldn't find a means to search it and considering it goes
> back many years, scanning by hand seemed a bit overwhelming. If there's
> a search capability for it that I've missed, please let me know.

You can always use google and limit the results to the lists.mailscanner.info domain with the query fragment site:lists.mailscanner.info. You can also use the inurl: query to limit results to a year or month with, e.g., inurl:2015 or inurl:2015-January.

E.g. search for

site:lists.mailscanner.info pyzor

which still gives a lot of results or

site:lists.mailscanner.info inurl:2014 pyzor

which gives a more manageable number.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From razmik.baghdasaryan at gmail.com Wed Dec 9 12:58:49 2015
From: razmik.baghdasaryan at gmail.com (Razmik Baghdasaryan)
Date: Wed, 9 Dec 2015 16:58:49 +0400
Subject: Bad File Name Detected
Message-ID:

Hi Dear All

Who can help to disable Bad File Name detection from one ip address

This is message
The following e-mails were found to have: Bad Filename Detected

Sender: razmik.baghdasaryan at example.com
IP Address: XX.XXX.XXX.XX
Recipient: razmik.baghdasaryan at example2.com
Subject: Re: Thanks and regards
MessageID: 69F5B65D42.98BA3
Quarantine: /var/spool/MailScanner/quarantine/20151209/69F4B65D42.98BA3
Report: MailScanner: No programs allowed (msg-3125-10.txt)

Thanks & Regards
Razmik
From it at festa.bg Wed Dec 9 13:03:39 2015
From: it at festa.bg (Valentin Laskov)
Date: Wed, 9 Dec 2015 15:03:39 +0200
Subject: Bad File Name Detected
In-Reply-To:
References:
Message-ID: <566826AB.8080707@festa.bg>

Hi Razmik,

better do this:
http://lists.mailscanner.info/pipermail/mailscanner/2015-November/102728.html

On 09.12.2015 at 14:58, Razmik Baghdasaryan wrote:
> Hi Dear All
>
> Who can help to disable Bad File Name detection from one ip address
>
> This is message
> The following e-mails were found to have: Bad Filename Detected
>
> Sender: razmik.baghdasaryan at example.com
> IP Address: XX.XXX.XXX.XX
> Recipient: razmik.baghdasaryan at example2.com
> Subject: Re: Thanks and regards
> MessageID: 69F5B65D42.98BA3
> Quarantine: /var/spool/MailScanner/quarantine/20151209/69F4B65D42.98BA3
> Report: MailScanner: No programs allowed (msg-3125-10.txt)
>
> Thanks & Regards
> Razmik

--
Regards!
Valentin Laskov
KIPO Officer
"Festa Holding" AD
48 "Vl. Varnenchik" Blvd.
9000 Varna
Tel.: +359 52 669137
GSM: +359 888 669137
Fax: +359 52 669110

From ok at addix.net Wed Dec 9 14:26:29 2015
From: ok at addix.net (Oliver Kutscher)
Date: Wed, 9 Dec 2015 15:26:29 +0100
Subject: MailScanner permits mail with score higher than allowed score
Message-ID: <56683A15.20500@addix.net>

Hi,

we are experiencing a lot of spam mails since some days and some of the mails are allowed and passed to the recipient. Let's have a look into a log entry I found in my logs:

Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)

This mail passed the mail system and reached the recipient.
I'm curious about two things:

Why was the mail ranked as "is not spam" (score > required score)?

Why has the required score a value of 3.5? I set per domain scores within /etc/MailScanner/rules/spam.score.rules:

To: *@mycompany.com 4
To: *@mycompany.net 8
FromOrTo: default 3.5

To make it more complicated: Most of the time the required score for mycompany.net is shown as 8 which is the required score that I'm expecting.

I would very much appreciate any suggestions.

==============
Versions / OS
==============
Running on
Linux mailscan1.addix.campus 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS Linux release 7.1.1503 (Core)
This is Perl version 5.016003 (5.16.3)

This is MailScanner version 4.85.2
Module versions are:
1.01 AnyDBM_File
1.30 Archive::Zip
0.29 bignum
1.26 Carp
2.061 Compress::Zlib
1.119 Convert::BinHex
0.18 Convert::TNEF
2.145 Data::Dumper
2.30 Date::Parse
1.04 DirHandle
1.11 Fcntl
2.84 File::Basename
2.23 File::Copy
2.02 FileHandle
2.09 File::Path
0.2301 File::Temp
0.92 Filesys::Df
3.69 HTML::Entities
3.71 HTML::Parser
3.69 HTML::TokeParser
1.25_06 IO
1.16 IO::File
1.15 IO::Pipe
2.12 Mail::Header
1.998 Math::BigInt
0.2603 Math::BigRat
3.13 MIME::Base64
5.505 MIME::Decoder
5.505 MIME::Decoder::UU
5.505 MIME::Head
5.505 MIME::Parser
3.13 MIME::QuotedPrint
5.505 MIME::Tools
0.17 Net::CIDR
1.26 Net::IP
0.19 OLE::Storage_Lite
1.04 Pod::Escapes
3.28 Pod::Simple
1.30 POSIX
1.27 Scalar::Util
2.010 Socket
2.45 Storable
1.5 Sys::Hostname::Long
0.33 Sys::Syslog
1.48 Test::Pod
0.98 Test::Simple
1.9725 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.92 Archive::Tar
0.29 bignum
2.06 Business::ISBN
20120719.001 Business::ISBN::Data
missing Data::Dump
1.83 DB_File
1.39 DBD::SQLite
1.627 DBI
1.17 Digest
1.03 Digest::HMAC
2.52 Digest::MD5
missing Digest::SHA1
1.01 Encode::Detect
0.17020 Error
missing ExtUtils::CBuilder
3.18 ExtUtils::ParseXS
2.4 Getopt::Long
missing Inline
missing IO::String
1.10 IO::Zlib
2.28 IP::Country
missing Mail::ClamAV
3.004000 Mail::SpamAssassin
v2.008 Mail::SPF
missing Mail::SPF::Query
missing Module::Build
missing Net::CIDR::Lite
0.72 Net::DNS
missing Net::DNS::Resolver::Programmable
missing Net::LDAP
4.069 NetAddr::IP
missing Parse::RecDescent
missing SAVI
3.28 Test::Harness
missing Test::Manifest
2.02 Text::Balanced
1.60 URI
0.9907 version
missing YAML

Kind Regards,
i.A.
Oliver Kutscher

From jerry.benton at mailborder.com Wed Dec 9 14:38:28 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 9 Dec 2015 09:38:28 -0500
Subject: MailScanner permits mail with score higher than allowed score
In-Reply-To: <56683A15.20500@addix.net>
References: <56683A15.20500@addix.net>
Message-ID: <1A25C6B7-6AB8-4E74-9C1E-FB151EE31A6B@mailborder.com>

Because my company.net is set to 8 and the SA score is 7.768?

I could be wrong. I was educated in South Carolina.

-
Jerry Benton
www.mailborder.com

> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher wrote:
>
> Hi,
>
> we are experiencing a lot of spam mails since some days and some of the mails are allowed and passed to the recipient. Let's have a look into a log entry I found in my logs:
>
> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>
> This mail passed the mail system and reached the recipient. I'm curious about two things:
>
> Why was the mail ranked as "is not spam" (score > required score)?
>
> Why has the required score a value of 3.5?
> I set per domain scores within /etc/MailScanner/rules/spam.score.rules:
>
> To: *@mycompany.com 4
> To: *@mycompany.net 8
> FromOrTo: default 3.5
>
> To make it more complicated: Most of the time the required score for mycompany.net is shown as 8 which is the required score that I'm expecting.
>
> I would very much appreciate any suggestions.
>
> Kind Regards,
> i.A.
> Oliver Kutscher

From jerry.benton at mailborder.com Wed Dec 9 14:44:25 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 9 Dec 2015 09:44:25 -0500
Subject: MailScanner permits mail with score higher than allowed score
In-Reply-To: <56683A15.20500@addix.net>
References: <56683A15.20500@addix.net>
Message-ID: <144A2C46-E82C-4B76-9094-940D0478B457@mailborder.com>

Yeah so … after actually reading it carefully and then pulling my shoes off to help with the counting …

Tabs? Are you using tabs in your rules?

-
Jerry Benton
www.mailborder.com

> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher wrote:
>
> Hi,
>
> we are experiencing a lot of spam mails since some days and some of the mails are allowed and passed to the recipient. Let's have a look into a log entry I found in my logs:
>
> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>
> This mail passed the mail system and reached the recipient. I'm curious about two things:
>
> Why was the mail ranked as "is not spam" (score > required score)?
>
> Why has the required score a value of 3.5?
> I set per domain scores within /etc/MailScanner/rules/spam.score.rules:
>
> To: *@mycompany.com 4
> To: *@mycompany.net 8
> FromOrTo: default 3.5
>
> To make it more complicated: Most of the time the required score for mycompany.net is shown as 8 which is the required score that I'm expecting.
>
> I would very much appreciate any suggestions.
>
> Kind Regards,
> i.A.
> Oliver Kutscher

From jerry.benton at mailborder.com Wed Dec 9 14:51:46 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 9 Dec 2015 09:51:46 -0500
Subject: MailScanner permits mail with score higher than allowed score
In-Reply-To: <56683A15.20500@addix.net>
References: <56683A15.20500@addix.net>
Message-ID:

And I am still sitting here blinking …. trying to remember what would cause a “is not spam” marking when the score exceeds the threshold. (Besides whitelisting)

Any whitelists for say … the server it came from?

-
Jerry Benton
www.mailborder.com

> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher wrote:
>
> Hi,
>
> we are experiencing a lot of spam mails since some days and some of the mails are allowed and passed to the recipient. Let's have a look into a log entry I found in my logs:
>
> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>
> This mail passed the mail system and reached the recipient. I'm curious about two things:
>
> Why was the mail ranked as "is not spam" (score > required score)?
>
> Why has the required score a value of 3.5?
> I set per domain scores within /etc/MailScanner/rules/spam.score.rules:
>
> To: *@mycompany.com 4
> To: *@mycompany.net 8
> FromOrTo: default 3.5
>
> To make it more complicated: Most of the time the required score for mycompany.net is shown as 8 which is the required score that I'm expecting.
>
> I would very much appreciate any suggestions.
>
> Kind Regards,
> i.A.
> Oliver Kutscher

From steve at weigoldenterprises.com Wed Dec 9 15:00:32 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Wed, 9 Dec 2015 10:00:32 -0500
Subject: Searching the list archive - was: Pyzor integration
In-Reply-To: <5667B42F.4040906@msapiro.net>
References: <56678776.6020401@weigoldenterprises.com> <5667B42F.4040906@msapiro.net>
Message-ID: <56684210.9060907@weigoldenterprises.com>

On 12/8/2015 11:55 PM, Mark Sapiro wrote:
> On 12/08/2015 05:44 PM, Steve Weigold wrote:
>> Greetings
>>
>> Apologies if this has been asked before, but while I found the list
>> archive, I couldn't find a means to search it and considering it goes
>> back many years, scanning by hand seemed a bit overwhelming. If there's
>> a search capability for it that I've missed, please let me know.
>
> You can always use google and limit the results to the
> lists.mailscanner.info domain with the query fragment
> site:lists.mailscanner.info. You can also use the inurl: query to limit
> results to a year or month with, e.g., inurl:2015 or inurl:2015-January.
>
> E.g. search for
>
> site:lists.mailscanner.info pyzor
>
> which still gives a lot of results or
>
> site:lists.mailscanner.info inurl:2014 pyzor
>
> which gives a more manageable number.
>

Thanks Mark! Learned something new!
Steve

From steve at weigoldenterprises.com Wed Dec 9 15:03:10 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Wed, 9 Dec 2015 10:03:10 -0500
Subject: Pyzor integration
In-Reply-To: <4CF7AA19-F133-4ACF-932A-18FD96EF474F@mailborder.com>
References: <56678776.6020401@weigoldenterprises.com> <56678BC1.7070508@weigoldenterprises.com> <4CF7AA19-F133-4ACF-932A-18FD96EF474F@mailborder.com>
Message-ID: <566842AE.4040706@weigoldenterprises.com>

Thanks Jerry. I fixed weird permissions on the folder and things seem to be behaving now.

Steve

On 12/8/2015 9:22 PM, Jerry Benton wrote:
> Check which user and group you are running under. Also check the
> permissions. I personally like to create a group called mtagroup and
> add postfix, clamav, and whatever other users to it. I then use that
> group in MailScanner with group write permissions. Eliminates the
> permission issues.
>
> -
> Jerry Benton
> www.mailborder.com
>
>> On Dec 8, 2015, at 9:02 PM, Steve Weigold wrote:
>>
>> Some follow-on information.... I expected all of the details to be in
>> mail.log and didn't think to check syslog. :-( More details there:
>>
>> Dec 8 11:40:35 gw1 mailscanner[4195]: Dec 8 11:40:35.083 [4334]
>> dbg: pyzor: got response: Traceback (most recent call last):\n File
>> "/usr/bin/pyzor", line 8, in \n pyzor.client.run()\n File
>> "/usr/lib/pymodules/python2.7/pyzor/client.py", line 1022, in run\n
>> ExecCall().run()\n File
>> "/usr/lib/pymodules/python2.7/pyzor/client.py", line 180, in run\n
>> os.mkdir(homedir)\nOSError: [Errno 13] Permission denied:
>> '/var/spool/postfix/.pyzor'
>> Dec 8 11:40:35 gw1 mailscanner[4195]: pyzor: check failed: internal
>> error, python traceback seen in response
>>
>> Obviously I have a permissions issue. Now I need to understand why
>> it's trying to use /var/spool/postfix for .pyzor instead of
>> /var/spool/MailScanner.
>>
>> I also clicked around more and found the archive search mechanism.
>>
>> Words of wisdom appreciated.
>> >> Steve >> >> >> On 12/8/2015 8:44 PM, Steve Weigold wrote: >>> Greetings >>> >>> Apologies if this has been asked before, but while I found the list >>> archive, I couldn't find a means to search it and considering it >>> goes back many years, scanning by hand seemed a bit overwhelming. If >>> there's a search capability for it that I've missed, please let me >>> know. >>> >>> Anyway, I have a new server I've setup to be a spam filter gateway. >>> It's a clean install of Debian Jessie with MailScanner and Postfix >>> with what I believe to be the latest versions. Generally, the >>> system is working, but I'm still getting much more spam than I >>> should be. Reviewing the logs, I can see that I'm getting relatively >>> low spam scores even on what I'd consider obvious spam emails. >>> >>> This lead me down the path of what else could be done with >>> spamassassin, which got me to Pyzor, Razor and DCC. At the moment, >>> DCC isn't installed. I guess it was removed from the repository >>> because it's non-free? Pyzor and Razor are installed, and somehow, I >>> think I have Razor working, at least based on the fact that I see >>> log entries like this one: >>> >>> Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 >>> from 198.173.85.230 >>> (amazon-promotional-credit at urfhe.selectweddingbands.com) to >>> acnoc.net is not spam, SpamAssassin (not cached, >>> score=5.497, required 6, RAZOR2_CF_RANGE_51_100 0.36, >>> RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK 1.73, SPF_SOFTFAIL >>> 0.97, URIBL_BLOCKED 0.00) >>> >>> I'm not sure Pyzor is working though, and when I run MailScanner >>> --lint, I get this: >>> >>> pyzor: check failed: internal error, python traceback seen in response >>> >>> I've googled ad nauseum and I'm getting nowhere. 
>>> >>> In spam.assassin.prefs.conf, I have: >>> pyzor_options --homedir /var/spool/MailScanner/ >>> >>> and permissions on that folder seem OK >>> drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner >>> >>> Inside it, Pyzor's servers file: >>> -rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers >>> >>> Help? >>> >>> Thanks! >>> Steve >>> >>> >>> >>> >>> -------------- next part -------------- An HTML attachment was scrubbed... URL: From ok at addix.net Wed Dec 9 15:06:52 2015 From: ok at addix.net (Oliver Kutscher) Date: Wed, 9 Dec 2015 16:06:52 +0100 Subject: MailScanner permits mail with score higher than allowed score In-Reply-To: References: <56683A15.20500@addix.net> Message-ID: <5668438C.9090806@addix.net> To give you an overview: the company.net rule has been hit for 1381 time where 4 of them have the strange "required 3.5" value and / or score > required score problem. An example for an expected log: Dec 9 15:52:52 mailscan1.mydomain.campus MailScanner[11325]: Message 1a6g6g-0004SR-Bx from 10.0.0.3 (mail at somedomain.net) to company.net is not spam, SpamAssassin (score=1.1, required 8, KAM_LAZY_DOMAIN_SECURITY 1.00, TVD_SPACE_RATIO 0.10) The required score is ok in this case. > Tabs? Are you using tabs in your rules? Yes. Tabs are used. I think if the rules file is messed up the rules will never take effect. > Any whitelists for say … the server it came from? If there are any whitelist entries present (ip, domain, full address) a "(whitelisted)" is passed to the log. 2 of the 4 strange mails were virus infected spam mails from an unknown ip (definitely not wl). Mit freundlichen Grüßen, i.A. Oliver Kutscher -- Postanschrift: ADDIX Internet Services GmbH Postfach 1225 D-24011 Kiel Tel: +49 431 7755 140 Fax: +49 431 7755 105 ok at addix.net www.addix.net Am 09.12.2015 um 15:51 schrieb Jerry Benton: > And I am still sitting here blinking …. trying to remember what would cause a “is not spam” marking when the score exceeds the threshold. 
(Besides whitelisting)
>
> Any whitelists for say … the server it came from?
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher wrote:
>>
>> Hi,
>>
>> we have been experiencing a lot of spam mails for some days and some of the mails are allowed and passed to the recipient. Let's have a look into a log entry I found in my logs:
>>
>> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>>
>> This mail passes the mail system and reached the recipient. I'm curious about two things:
>>
>> Why was the mail ranked as "is not spam" (score > required score)?
>>
>> Why has the required score a value of 3.5? I set per domain scores within /etc/MailScanner/rules/spam.score.rules:
>>
>> To: *@mycompany.com 4
>> To: *@mycompany.net 8
>> FromOrTo: default 3.5
>>
>> To make it more complicated: Most of the time the required score for mycompany.net is shown as 8 which is the required score that I'm expecting.
>>
>> I would very much appreciate any suggestions.
>>
>> ==============
>> Versions / OS
>> ==============
>> Running on
>> Linux mailscan1.addix.campus 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>> This is CentOS Linux release 7.1.1503 (Core)
>> This is Perl version 5.016003 (5.16.3)
>>
>> This is MailScanner version 4.85.2
>>
>>
>> Kind Regards,
>> i.A.
>> Oliver Kutscher
>>

From dave at jonesol.com Wed Dec 9 15:29:58 2015
From: dave at jonesol.com (Dave Jones)
Date: Wed, 9 Dec 2015 09:29:58 -0600
Subject: Pyzor integration
In-Reply-To: <56678776.6020401@weigoldenterprises.com>
References: <56678776.6020401@weigoldenterprises.com>
Message-ID:

Couple of things:

1. See the URIBL_BLOCKED hit? This means you are using a DNS server that has been blocked. You should set up a local DNS server on the MailScanner server and not forward to another DNS server. It needs to do its own full recursive lookups to keep it out of the aggregated queries of the DNS server you are currently using.

2. Set up Postfix to block most of the emails using postscreen with RBL weighting. Postfix should be blocking most of the spam (>85%) before it ever gets to MailScanner and Spamassassin. Download the VM from http://efa-project.org/ and either use it or look at how its Postfix is set up. It will have everything set up properly like DNS, greylisting, Postfix, MailWatch, RBLs, etc. Also there are a lot of examples on locking down Postfix on the Postfix mailing list. Postscreen is a must.

3. Here are my Pyzor settings:

mailscanner.cf:pyzor_path /usr/bin/pyzor
mailscanner.cf:pyzor_options --homedir /etc/mail/spamassassin
mailscanner.cf:#use_pyzor 0
mailscanner.cf:pyzor_timeout 5

On Tue, Dec 8, 2015 at 7:44 PM, Steve Weigold wrote:
> Greetings
>
> Apologies if this has been asked before, but while I found the list archive,
> I couldn't find a means to search it and considering it goes back many
> years, scanning by hand seemed a bit overwhelming.
If there's a search
> capability for it that I've missed, please let me know.
>
> Anyway, I have a new server I've set up to be a spam filter gateway. It's a
> clean install of Debian Jessie with MailScanner and Postfix with what I
> believe to be the latest versions. Generally, the system is working, but
> I'm still getting much more spam than I should be. Reviewing the logs, I
> can see that I'm getting relatively low spam scores even on what I'd
> consider obvious spam emails.
>
> This led me down the path of what else could be done with spamassassin,
> which got me to Pyzor, Razor and DCC. At the moment, DCC isn't installed.
> I guess it was removed from the repository because it's non-free? Pyzor and
> Razor are installed, and somehow, I think I have Razor working, at least
> based on the fact that I see log entries like this one:
>
> Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from
> 198.173.85.230 (amazon-promotional-credit at urfhe.selectweddingbands.com) to
> acnoc.net is not spam, SpamAssassin (not cached, score=5.497, required 6,
> RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK
> 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)
>
> I'm not sure Pyzor is working though, and when I run MailScanner --lint, I
> get this:
>
> pyzor: check failed: internal error, python traceback seen in response
>
> I've googled ad nauseam and I'm getting nowhere.
>
> In spam.assassin.prefs.conf, I have:
> pyzor_options --homedir /var/spool/MailScanner/
>
> and permissions on that folder seem OK
> drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner
>
> Inside it, Pyzor's servers file:
> -rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers
>
> Help?
>
> Thanks!
> Steve
>

From steve at weigoldenterprises.com Wed Dec 9 15:42:25 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Wed, 9 Dec 2015 10:42:25 -0500
Subject: Pyzor integration
In-Reply-To:
References: <56678776.6020401@weigoldenterprises.com>
Message-ID: <56684BE1.5070207@weigoldenterprises.com>

Thanks Dave. I appreciate your response.

I've already addressed the URIBL_BLOCKED issue with local DNS. Watching the logs, that seems to be working nicely now.

I'll investigate postscreen. Greylisting is in place.

Wish I'd have known about that VM a couple of days ago!

Steve

On 12/9/2015 10:29 AM, Dave Jones wrote:
> Couple of things:
> 1. See the URIBL_BLOCKED hit? This means you are using a DNS server
> that has been blocked. You should set up a local DNS server on the
> MailScanner server and not forward to another DNS server. It needs to
> do its own full recursive lookups to keep it out of the aggregated
> queries of the DNS server you are currently using.
> 2. Set up Postfix to block most of the emails using postscreen with RBL
> weighting. Postfix should be blocking most of the spam (>85%) before
> it ever gets to MailScanner and Spamassassin.
> Download the VM from http://efa-project.org/ and either use it or look
> at how its Postfix is set up. It will have everything set up properly
> like DNS, greylisting, Postfix, MailWatch, RBLs, etc. Also there are
> a lot of examples on locking down Postfix on the Postfix mailing list.
> Postscreen is a must.
> 3. Here are my Pyzor settings:
> mailscanner.cf:pyzor_path /usr/bin/pyzor
> mailscanner.cf:pyzor_options --homedir /etc/mail/spamassassin
> mailscanner.cf:#use_pyzor 0
> mailscanner.cf:pyzor_timeout 5
>
> On Tue, Dec 8, 2015 at 7:44 PM, Steve Weigold wrote:
>> Greetings
>>
>> Apologies if this has been asked before, but while I found the list archive,
>> I couldn't find a means to search it and considering it goes back many
>> years, scanning by hand seemed a bit overwhelming. If there's a search
>> capability for it that I've missed, please let me know.
>>
>> Anyway, I have a new server I've set up to be a spam filter gateway. It's a
>> clean install of Debian Jessie with MailScanner and Postfix with what I
>> believe to be the latest versions. Generally, the system is working, but
>> I'm still getting much more spam than I should be. Reviewing the logs, I
>> can see that I'm getting relatively low spam scores even on what I'd
>> consider obvious spam emails.
>>
>> This led me down the path of what else could be done with spamassassin,
>> which got me to Pyzor, Razor and DCC. At the moment, DCC isn't installed.
>> I guess it was removed from the repository because it's non-free? Pyzor and
>> Razor are installed, and somehow, I think I have Razor working, at least
>> based on the fact that I see log entries like this one:
>>
>> Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from
>> 198.173.85.230 (amazon-promotional-credit at urfhe.selectweddingbands.com) to
>> acnoc.net is not spam, SpamAssassin (not cached, score=5.497, required 6,
>> RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK
>> 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)
>>
>> I'm not sure Pyzor is working though, and when I run MailScanner --lint, I
>> get this:
>>
>> pyzor: check failed: internal error, python traceback seen in response
>>
>> I've googled ad nauseam and I'm getting nowhere.
>>
>> In spam.assassin.prefs.conf, I have:
>> pyzor_options --homedir /var/spool/MailScanner/
>>
>> and permissions on that folder seem OK
>> drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner
>>
>> Inside it, Pyzor's servers file:
>> -rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers
>>
>> Help?
>>
>> Thanks!
>> Steve
>>
>

From maxsec at gmail.com Wed Dec 9 16:42:14 2015
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed, 9 Dec 2015 16:42:14 +0000
Subject: MailScanner permits mail with score higher than allowed score
In-Reply-To: <5668438C.9090806@addix.net>
References: <56683A15.20500@addix.net> <5668438C.9090806@addix.net>
Message-ID:

Looks like you've set the 'is definitely not spam' for the address or domain to me. This will override what SA says about the email, indeed if the spam is coming from your local 10.0 domain you may want to look deeper at what addresses you whitelist.

--
Martin Hepworth, CISSP
Oxford, UK

On 9 December 2015 at 15:06, Oliver Kutscher wrote:

> To give you an overview:
>
> the company.net rule has been hit 1381 times, where 4 of them have the
> strange "required 3.5" value and / or score > required score problem. An
> example for an expected log:
>
> Dec 9 15:52:52 mailscan1.mydomain.campus MailScanner[11325]: Message
> 1a6g6g-0004SR-Bx from 10.0.0.3 (mail at somedomain.net) to company.net is
> not spam, SpamAssassin (score=1.1, required 8, KAM_LAZY_DOMAIN_SECURITY
> 1.00, TVD_SPACE_RATIO 0.10)
>
> The required score is ok in this case.
>
> Tabs? Are you using tabs in your rules?
>>
>
> Yes. Tabs are used. I think if the rules file is messed up the rules will
> never take effect.
>
> Any whitelists for say … the server it came from?
>>
>
> If there are any whitelist entries present (ip, domain, full address) a
> "(whitelisted)" is passed to the log.
2 of the 4 strange mails were virus
> infected spam mails from an unknown ip (definitely not wl).
>
> Kind regards,
> i.A.
> Oliver Kutscher
>
> --
>
> Postal address:
>
> ADDIX Internet Services GmbH
> Postfach 1225
> D-24011 Kiel
>
> Tel: +49 431 7755 140
> Fax: +49 431 7755 105
>
> ok at addix.net
> www.addix.net
>
>
> On 09.12.2015 at 15:51, Jerry Benton wrote:
>
>> And I am still sitting here blinking …. trying to remember what would
>> cause a “is not spam” marking when the score exceeds the threshold.
>> (Besides whitelisting)
>>
>> Any whitelists for say … the server it came from?
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>>
>>
>>
>> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher wrote:
>>>
>>> Hi,
>>>
>>> we have been experiencing a lot of spam mails for some days and some of the
>>> mails are allowed and passed to the recipient. Let's have a look into a log
>>> entry I found in my logs:
>>>
>>> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message
>>> 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is
>>> not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00,
>>> KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS
>>> 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>>>
>>> This mail passes the mail system and reached the recipient. I'm curious
>>> about two things:
>>>
>>> Why was the mail ranked as "is not spam" (score > required score)?
>>>
>>> Why has the required score a value of 3.5? I set per domain scores
>>> within /etc/MailScanner/rules/spam.score.rules:
>>>
>>> To: *@mycompany.com 4
>>> To: *@mycompany.net 8
>>> FromOrTo: default 3.5
>>>
>>> To make it more complicated: Most of the time the required score for
>>> mycompany.net is shown as 8 which is the required score that I'm
>>> expecting.
>>>
>>> I would very much appreciate any suggestions.
>>>
>>> ==============
>>> Versions / OS
>>> ==============
>>> Running on
>>> Linux mailscan1.addix.campus 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep
>>> 15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>> This is CentOS Linux release 7.1.1503 (Core)
>>> This is Perl version 5.016003 (5.16.3)
>>>
>>> This is MailScanner version 4.85.2
>>>
>>>
>>> Kind Regards,
>>> i.A.
>>> Oliver Kutscher
>>>
>>
>

From steve at weigoldenterprises.com Wed Dec 9 17:50:19 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Wed, 9 Dec 2015 12:50:19 -0500
Subject: Score modifications seem to be ignored?
Message-ID: <566869DB.204@weigoldenterprises.com>

In watching my logs on my new gateway, I noticed a couple of rules that I wanted to have a higher effect on the SpamAssassin score. I modified them in spam.assassin.prefs.conf (as below) and restarted MailScanner, but the change doesn't seem to be recognized.

score LOTS_OF_MONEY 2
score URIBL_DBL_SPAM 3.5

Am I missing something?

Steve

From jerry.benton at mailborder.com Wed Dec 9 18:27:55 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 9 Dec 2015 13:27:55 -0500
Subject: Score modifications seem to be ignored?
In-Reply-To: <566869DB.204@weigoldenterprises.com>
References: <566869DB.204@weigoldenterprises.com>
Message-ID:

Restart spamassassin.

-
Jerry Benton
www.mailborder.com

> On Dec 9, 2015, at 12:50 PM, Steve Weigold wrote:
>
>
> In watching my logs on my new gateway, I noticed a couple of rules that I wanted to have a higher effect on the SpamAssassin score.
I modified them in spam.assassin.prefs.conf (as below) and restarted MailScanner, but the change doesn't seem to be recognized.
>
> score LOTS_OF_MONEY 2
> score URIBL_DBL_SPAM 3.5
>
> Am I missing something?
>
> Steve
>

From mark at msapiro.net Wed Dec 9 18:34:55 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 9 Dec 2015 10:34:55 -0800
Subject: Bad File Name Detected
In-Reply-To:
References:
Message-ID: <5668744F.3080606@msapiro.net>

On 12/09/2015 04:58 AM, Razmik Baghdasaryan wrote:
>
> Who can help to disable Bad File Name detection from one ip address

Make a ruleset for Allow Filetypes. See and the README and EXAMPLES files in the /etc/Mailscanner/rules or wherever your MailScanner config is.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From steve at weigoldenterprises.com Thu Dec 10 17:07:55 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Thu, 10 Dec 2015 12:07:55 -0500
Subject: Score modifications seem to be ignored?
In-Reply-To: <566869DB.204@weigoldenterprises.com>
References: <566869DB.204@weigoldenterprises.com>
Message-ID: <5669B16B.9000806@weigoldenterprises.com>

So, I'm still working on resolving this. In my continued efforts, I've learned that my revised scores are being ignored because they are trying to change rules in the compiled ruleset.

I realize this is more a SpamAssassin question than a MailScanner question, but since MailScanner runs SpamAssassin directly and uses its own SpamAssassin config (apparently rather than local.cf), this seems the place to discuss it.

Since the rules I want to tweak are in the compiled ruleset, do I

A - find the ruleset files, change the ratings and recompile with sa-compile? Some other variation of this approach? Are my revised rules at risk of being overwritten with an update?
B - make my own similar custom rule (somehow) to ones I feel I want to increase? Presumably those would go in spam.assassin.prefs.conf?

C - some other approach I haven't thought of?

Thanks!

Steve

On 12/9/2015 12:50 PM, Steve Weigold wrote:
>
> In watching my logs on my new gateway, I noticed a couple of rules
> that I wanted to have a higher effect on the SpamAssassin score. I
> modified them in spam.assassin.prefs.conf (as below) and restarted
> MailScanner, but the change doesn't seem to be recognized.
>
> score LOTS_OF_MONEY 2
> score URIBL_DBL_SPAM 3.5
>
> Am I missing something?
>
> Steve
>

From mark at msapiro.net Thu Dec 10 17:56:51 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 10 Dec 2015 09:56:51 -0800
Subject: Score modifications seem to be ignored?
In-Reply-To: <5669B16B.9000806@weigoldenterprises.com>
References: <566869DB.204@weigoldenterprises.com> <5669B16B.9000806@weigoldenterprises.com>
Message-ID: <5669BCE3.4040609@msapiro.net>

On 12/10/2015 09:07 AM, Steve Weigold wrote:
>
> Since the rules I want to tweak are in the compiled ruleset, do I
>
> A - find the ruleset files, change the ratings and recompile with
> sa-compile? Some other variation of this approach? Are my revised
> rules at risk of being overwritten with an update?

Yes, your rules will be overwritten in an update.

> B - make my own similar custom rule (somehow) to ones I feel I want to
> increase? Presumably those would go in spam.assassin.prefs.conf?

You don't need the entire rule, just the new score. You have various options on where to put this. Settings in the *.cf files in /etc/mail/spamassassin/ (or maybe /etc/spamassassin/) supplement or override defaults. These files are processed in lexical order and the last setting of any particular thing is effective. See

There should be a symlink like

mailscanner.cf -> /etc/MailScanner/spam.assassin.prefs.conf

in this directory, so you can put settings in /etc/MailScanner/spam.assassin.prefs.conf.
There is also normally a local.cf file there you can use. I have my own x-local.cf file in which I put things like score changes for various rules.

After adding your

score RULE_NAME n.n

line to one of these places, run sa-compile and reload spamd.

Also, any crons you have that update rules such as sa-update, or scripts such as ScamNailer should also run sa-compile and reload spamd.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From steve at weigoldenterprises.com Thu Dec 10 21:33:07 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Thu, 10 Dec 2015 16:33:07 -0500
Subject: Reliably reloading configuration?
Message-ID: <5669EF93.8000304@weigoldenterprises.com>

First, is anyone else noticing a failure of list messages to come through in the last 12-24 hours? I sent a follow up to my score modifications email which didn't come through, and I see by looking at the list archive that Jerry Benton responded with a suggestion of restarting SpamAssassin which didn't come through either. :-/

In any case, I'm finding that my problem was less about finding where to put score modifications and other custom rules, and apparently more about reliably reloading the configuration for SpamAssassin. I've been fighting this all day and I'm finding that the problem seems to be that even with restarts, SpamAssassin doesn't seem to be reliably re-reading the configuration.

I've tried all manner of restarts of MailScanner and SpamAssassin as well as combining that with sequences of testing configs with --lint. I can't seem to find anything that works reliably. As a reminder this is a Debian Jessie system. I'm not seeing anything indicating an error in syslog or mail.log on restart.

Currently, I have several modifications to standard test scores in /etc/spamassasin/local.cf. I also have a simple custom rule.
Somehow, at some point in my testing today, I got them to be recognized, and my updated scores are being used. Further, my test rule of:

body WE_TRUMP /\btrump/i
score WE_TRUMP 1
describe WE_TRUMP Tired of hearing about Trump this and Trump that

is being processed, and I can see it when I look at the headers for test messages.

In testing, I've been trying to change the score value, restart, and then send another test message, but my changes seem ignored, again as if despite the restart, the configuration isn't being reloaded.

I'm getting frustrated and I'm at a loss as to what to do next to figure this out. Suggestions?

Thanks.

Steve

From mark at msapiro.net Thu Dec 10 22:12:17 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 10 Dec 2015 14:12:17 -0800
Subject: Reliably reloading configuration?
In-Reply-To: <5669EF93.8000304@weigoldenterprises.com>
References: <5669EF93.8000304@weigoldenterprises.com>
Message-ID: <5669F8C1.5030603@msapiro.net>

On 12/10/2015 01:33 PM, Steve Weigold wrote:
>
> First, is anyone else noticing a failure of list messages to come
> through in the last 12-24 hours?

Not here. I've seen everything in the archive at

> I sent a follow up to my score
> modifications email which didn't come through, and I see by looking at
> the list archive that Jerry Benton responded with a suggestion of
> restarting SpamAssassin which didn't come through either. :-/

I saw them.

> In any case, I'm finding that my problem was less about finding where to
> put score modifications and other custom rules, and apparently more
> about reliably reloading the configuration for SpamAssassin. I've been
> fighting this all day and I'm finding that the problem seems to be that
> even with restarts, SpamAssassin doesn't seem to be reliably re-reading
> the configuration.

Are you running sa-compile? Did you see my reply at ?

Your post at implies you are using compiled rules. Thus, any time you modify rules you have to run sa-compile.
--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From steve at weigoldenterprises.com Fri Dec 11 16:32:32 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Fri, 11 Dec 2015 11:32:32 -0500
Subject: Reliably reloading configuration?
In-Reply-To: <5669F8C1.5030603@msapiro.net>
References: <5669EF93.8000304@weigoldenterprises.com> <5669F8C1.5030603@msapiro.net>
Message-ID: <566AFAA0.5080404@weigoldenterprises.com>

Mark, (and other helpers)

Thanks for your response. Apparently my issue with list messages was due to another email problem on a different server which has been resolved. It was unrelated to the list. I only noticed it because I was looking for list replies. It's what happens when you screw with too many things at once.

On 12/10/2015 5:12 PM, Mark Sapiro wrote:
>> In any case, I'm finding that my problem was less about finding where to
>> put score modifications and other custom rules, and apparently more
>> about reliably reloading the configuration for SpamAssassin. I've been
>> fighting this all day and I'm finding that the problem seems to be that
>> even with restarts, SpamAssassin doesn't seem to be reliably re-reading
>> the configuration.
>
> Are you running sa-compile? Did you see my reply at
> ?
>
> Your post at
>
> implies you are using compiled rules. Thus, any time you modify rules
> you have to run sa-compile.

sa-compile doesn't seem to be doing for me either. I'm not 'intentionally' using compiled rules, but apparently the stock rules are compiled? I'm using the (generally) default spamassassin installation in Debian Jessie.

Following your post, I made a small change to my custom rule score, tried sa-compile and then both a spamassassin and mailscanner restart and then sent a test message. Score was not changed in the message as it was logged in MailWatch, nor in the actual header in the received message.
Oddly, some time later (unsure, t > 1 hour) I happened to notice a message go by on MailWatch which would have passed the custom rule, and the updated score was present in the header without further intervention from me. I'd given up for the day and just came back to check following a food break.

I wondered if there was something happening as a cron job that was performing some crucial additional step I was missing, but a review of both the spamassassin and mailscanner cron jobs finds nothing _obvious_ that I'm missing. (not to say it's not there...)

The score changes I'd made previously to some of the stock rules took effect "magically" at some point during my work yesterday, and I'm sure it was without an sa-compile from me. Not to say it wasn't just coincidental with one from a cron job.

For the sake of verification, when I do a mailscanner or a spamassassin restart, I do just

/etc/init.d/mailscanner restart and
/etc/init.d/spamassassin restart

On a possibly related note, reviewing the logs, (syslog, mail) I can clearly see where and when I restarted MailScanner. SpamAssassin on the other hand, is leaving no evidence of a restart in either of these logs. This seems odd.

Also, my understanding of MailScanner's use of SpamAssassin is that it's invoked by MS and does NOT use SA in daemon mode. Assuming this is correct, I then question the value of restarting SpamAssassin, at least by restarting the daemon as I'm doing above. Related, I see in MailWatch that MailScanner has 5 children indicated. Presumably these are SA? I'm wondering if the "delay" in my updated configuration taking effect is because SA really isn't restarting properly, or doesn't happen until some time later when SA child processes age off and are replaced. I'm beginning to suspect I have a subtle error in my MailScanner or SpamAssassin configuration.

Perplexed. I feel like I'm being careful in following a strict procedure when I test changes, but this one is eluding me.
I appreciate everyone's help with this. Thanks.

Steve

--
------------------------------------------------------------------------
Steve Weigold
Weigold Enterprises
Cell - 513-365-0446
www.weigoldenterprises.com
www.facebook.com/weigoldenterprises

From mark at msapiro.net Fri Dec 11 19:10:02 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 11 Dec 2015 11:10:02 -0800
Subject: Reliably reloading configuration?
In-Reply-To: <566AFAA0.5080404@weigoldenterprises.com>
References: <5669EF93.8000304@weigoldenterprises.com> <5669F8C1.5030603@msapiro.net> <566AFAA0.5080404@weigoldenterprises.com>
Message-ID: <566B1F8A.5090207@msapiro.net>

On 12/11/2015 08:32 AM, Steve Weigold wrote:
>
> sa-compile doesn't seem to be doing for me either. I'm not
> 'intentionally' using compiled rules, but apparently the stock rules are
> compiled? I'm using the (generally) default spamassassin installation
> in Debian Jessie.
>
> Following your post, I made a small change to my custom rule score,
> tried sa-compile and then both a spamassassin and mailscanner restart
> and then sent a test message. Score was not changed in the message as
> it was logged in MailWatch, nor in the actual header in the received
> message.

How are you running sa-compile? In a default debian/ubuntu environment, sa-compile should be run 'su - debian-spamd'

> Oddly, some time later (unsure, t > 1 hour) I happened to notice a
> message go by on MailWatch which would have passed the custom rule, and
> the updated score was present in the header without further intervention
> from me. I'd given up for the day and just came back to check following
> a food break.
>
> I wondered if there was something happening as a cron job that was
> performing some crucial additional step I was missing, but a review of
> both the spamassassin and mailscanner cron jobs finds nothing _obvious_
> that I'm missing. (not to say it's not there...)

Again, a default debian/ubuntu spamassassin has /etc/cron.daily/spamassassin which will update rules and run sa-compile.

> The score changes I'd made previously to some of the stock rules took
> effect "magically" at some point during my work yesterday, and I'm sure
> it was without an sa-compile from me. Not to say it wasn't just
> coincidental with one from a cron job.
>
> For the sake of verification, when I do a mailscanner or a spamassassin
> restart, I do just
>
> /etc/init.d/mailscanner restart and
> /etc/init.d/spamassassin restart
>
> On a possibly related note, reviewing the logs, (syslog, mail) I can
> clearly see where and when I restarted MailScanner. SpamAssassin on the
> other hand, is leaving no evidence of a restart in either of these
> logs. This seems odd.

'grep spamd /var/log/mail.log' should show something.

> Also, my understanding of MailScanner's use of SpamAssassin is that it's
> invoked by MS and does NOT use SA in daemon mode. Assuming this is
> correct, I then question the value of restarting SpamAssassin, at least
> by restarting the daemon as I'm doing above.

I think the above is correct, at least for 'standard' MailScanner (I think there is a spamd patch, but it's non-standard). So yes, restarting/reloading spamd (spamassassin) shouldn't be necessary.

> Related, I see in
> MailWatch that MailScanner has 5 children indicated. Presumably these
> are SA?

They are MailScanner workers, each of which will invoke spamassassin as necessary when processing messages.

> I'm wondering if the "delay" in my updated configuration taking
> effect is because SA really isn't restarting properly, or doesn't happen
> until some time later when SA child processes age off and are replaced.
> I'm beginning to suspect I have a subtle error in my MailScanner or
> SpamAssassin configuration.

As noted above, I think restarting SA is a red herring here. It is more likely an sa-compile issue of some kind.
Restarting MailScanner should definitely restart its children. If for some reason this isn't happening, they will die of old age after (I think) 2 hours which may explain something.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From wt at dld2000.com Sat Dec 12 15:38:13 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Sat, 12 Dec 2015 10:38:13 -0500
Subject: X-[org-name]-MailScanner-SpamScore doesn't always appear
Message-ID: <566C3F65.7010001@dld2000.com>

We have the following key settings in MailScanner.conf:

Spam Actions = custom()
Spam Score = yes
Use SpamAssassin = %rules-dir%/spam.scanning.rules
Spam Checks = %rules-dir%/spam.scanning.rules

Most of the emails passing through the server get a value set by MailScanner for X-[org-name]-MailScanner-SpamScore in the message source.

However, there are a few emails where X-[org-name]-MailScanner-SpamScore doesn't appear at all in the message source.

Can anyone tell me why?

Walt

From iversons at rushville.k12.in.us Sat Dec 12 17:19:57 2015
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 12 Dec 2015 12:19:57 -0500
Subject: X-[org-name]-MailScanner-SpamScore doesn't always appear
In-Reply-To: <566C3F65.7010001@dld2000.com>
References: <566C3F65.7010001@dld2000.com>
Message-ID:

There are some cases, depending on MailScanner settings, in which mail bypasses spam scanning. One that I recall doing this is...

Deliver Cleaned Messages = yes

There may be others...

On Sat, Dec 12, 2015 at 10:38 AM, Walt Thiessen wrote:
> We have the following key settings in MailScanner.conf:
>
> Spam Actions = custom()
> Spam Score = yes
> Use SpamAssassin = %rules-dir%/spam.scanning.rules
> Spam Checks = %rules-dir%/spam.scanning.rules
>
> Most of the emails passing through the server get a value set by
> MailScanner for X-[org-name]-MailScanner-SpamScore in the message source.
>
> However, there are a few emails where X-[org-name]-MailScanner-SpamScore
> doesn't appear at all in the message source.
>
> Can anyone tell me why?
>
> Walt
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From mark at msapiro.net Sat Dec 12 17:32:47 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 12 Dec 2015 09:32:47 -0800
Subject: X-[org-name]-MailScanner-SpamScore doesn't always appear
In-Reply-To: <566C3F65.7010001@dld2000.com>
References: <566C3F65.7010001@dld2000.com>
Message-ID: <566C5A3F.5030607@msapiro.net>

On 12/12/2015 07:38 AM, Walt Thiessen wrote:
>
> However, there are a few emails where X-[org-name]-MailScanner-SpamScore
> doesn't appear at all in the message source.
>
> Can anyone tell me why?

SpamAssassin is skipped for messages larger than "Max Spam Check Size".

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From wt at dld2000.com Sun Dec 13 20:26:12 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Sun, 13 Dec 2015 15:26:12 -0500
Subject: X-[org-name]-MailScanner-SpamScore doesn't always appear
In-Reply-To: <566C5A3F.5030607@msapiro.net>
References: <566C3F65.7010001@dld2000.com> <566C5A3F.5030607@msapiro.net>
Message-ID: <566DD464.5060201@dld2000.com>

Thanks for all the clues, guys.

I found that the problem was actually in my CustomAction.pm file. In that file, I attempt to extract the sascore that SpamAssassin has already applied to the message.

I tried using $message->{sascore} and $message->{X-myorgname-SpamScore}, but both return N/A.

Can someone tell me how I can extract the SpamAssassin score for the message so I can use it in my CustomAction.pm script?
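
[Added example, not part of any list message and not MailScanner code.] The size-based skip Mark Sapiro describes earlier in this thread can be checked offline by comparing each delivered message that lacks the score header against the configured "Max Spam Check Size". The header name X-ExampleOrg-MailScanner-SpamScore, the 2k limit, the size-suffix handling and the sample messages are constructed assumptions, and message size is approximated by the raw byte length of the delivered copy.

```python
"""Triage delivered mail that lacks the MailScanner spam-score header."""
import email
import re
from email import policy

# Constructed header name: replace ExampleOrg with your own org name.
SCORE_HEADER = "X-ExampleOrg-MailScanner-SpamScore"

# Constructed MailScanner.conf fragment; only the size limit is read from it.
SAMPLE_CONF = """\
Spam Score = yes
Max Spam Check Size = 2k   # constructed, deliberately tiny for the demo
"""


def parse_size(text):
    """Turn '2000', '2k' or '1m' into bytes (suffix = x1000 is an assumption)."""
    match = re.fullmatch(r"\s*(\d+)\s*([kKmM]?)\s*", text)
    if not match:
        raise ValueError(f"unrecognised size value: {text!r}")
    multiplier = {"": 1, "k": 1_000, "m": 1_000_000}[match.group(2).lower()]
    return int(match.group(1)) * multiplier


def max_spam_check_size(conf_text):
    """Return the configured 'Max Spam Check Size' in bytes, or None if unset."""
    for line in conf_text.splitlines():
        setting = line.split("#", 1)[0]          # drop trailing comments
        key, sep, value = setting.partition("=")
        if sep and key.strip().lower() == "max spam check size":
            return parse_size(value)
    return None


def triage(raw_messages, conf_text):
    """Classify each raw message as scored, oversize or unexplained.

    Returns a list of (message_id, size_in_bytes, verdict) tuples.
    """
    limit = max_spam_check_size(conf_text)
    results = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        size = len(raw)                          # approximation of scan-time size
        if msg[SCORE_HEADER] is not None:
            verdict = "scored"
        elif limit is not None and size > limit:
            verdict = "unscored-oversize"        # matches the size-based skip
        else:
            verdict = "unscored-unexplained"     # needs a look at rulesets/settings
        results.append((str(msg["Message-ID"]).strip(), size, verdict))
    return results


def make_sample(msgid, body, score=None):
    """Build a constructed RFC 5322 message as bytes."""
    headers = [
        f"Message-ID: <{msgid}@example.test>",
        "From: sender@example.test",
        "To: rcpt@example.test",
        "Subject: constructed sample",
    ]
    if score is not None:
        headers.append(f"{SCORE_HEADER}: {score}")
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


# Constructed inputs: one scored, one over the limit, one small but unscored.
SAMPLES = [
    make_sample("m1", "short body\r\n", score="ss"),
    make_sample("m2", "A" * 5000 + "\r\n"),
    make_sample("m3", "short body\r\n"),
]

if __name__ == "__main__":
    for message_id, size, verdict in triage(SAMPLES, SAMPLE_CONF):
        print(f"{message_id:22} {size:6d} bytes  {verdict}")
```

Messages left in the unscored-unexplained bucket are the ones to compare against the spam.scanning.rules ruleset and the other settings raised in the thread.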
From wt at dld2000.com Sun Dec 13 23:24:24 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Sun, 13 Dec 2015 18:24:24 -0500
Subject: X-[org-name]-MailScanner-SpamScore doesn't always appear
In-Reply-To: <566DD464.5060201@dld2000.com>
References: <566C3F65.7010001@dld2000.com> <566C5A3F.5030607@msapiro.net> <566DD464.5060201@dld2000.com>
Message-ID: <566DFE28.2090805@dld2000.com>

I think I've figured out my problem, but I don't have a solution. I'm hoping someone here can help.

I suspect that the CustomAction module runs BEFORE SpamAssassin in MailScanner's runtime order. Can anyone confirm this to be true?

If true, this means that I can't reliably identify whether an email is spam according to SpamAssassin while CustomAction.pm runs.

I want the CustomAction module to decide whether to send a follow-up email to the original sender depending upon certain conditions. One of those conditions is that the sender's email should not be detected as spam by SpamAssassin. But if SpamAssassin hasn't run yet, then my decision tree can't resolve this question correctly.

Can anyone suggest a way around this problem?

From tmeireles at electroind.com Mon Dec 14 16:22:29 2015
From: tmeireles at electroind.com (tmeireles at electroind.com)
Date: Mon, 14 Dec 2015 11:22:29 -0500
Subject: Block macro word documents
Message-ID: <003601d1368b$a0e01890$e2a049b0$@electroind.com>

Two malicious emails with macro word documents with the extension .doc got through today.

Was wondering what you guys do to block malicious macro word documents?

Thanks,
Tiago

From jerry.benton at mailborder.com Mon Dec 14 16:23:27 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 14 Dec 2015 11:23:27 -0500
Subject: Block macro word documents
In-Reply-To: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
References: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
Message-ID:

If you are using clam, you can block all macros. You can also add Sophos to your system for free and it might pick up what clam does not. None of the AV engines seem to be doing a good job of catching malicious macros.

-
Jerry Benton
www.mailborder.com

> On Dec 14, 2015, at 11:22 AM, tmeireles at electroind.com wrote:
>
> Two malicious emails with macro word documents with the extension .doc got through today.
>
> Was wondering what you guys do to block malicious macro word documents?
>
> Thanks,
> Tiago
>

From steveb_clamav at sanesecurity.com Mon Dec 14 16:29:09 2015
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Mon, 14 Dec 2015 16:29:09 -0000
Subject: Block macro word documents
In-Reply-To:
References: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
Message-ID: <5812ba6eaed2810112bbfdff2410ca8f.squirrel@sirius.servers.eqx.misp.co.uk>

On Mon, December 14, 2015 4:23 pm, Jerry Benton wrote:
> If you are using clam, you can block all macros. You can also add Sophos
> to your system for free and it might pick up what clam does not. None of
> the AV engines seem to be doing a good job of catching malicious macros.
>

If you use Sanesecurity signatures:

Make sure you use: badmacro.ndb

If you want to block EVERYTHING MACRO you can use clamd.conf

OLE2BlockMacros on

But for me, the above clamd.conf entry blocked lots of legitimate macros from customers...

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com

From mailscanner at replies.cyways.com Mon Dec 14 18:08:55 2015
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Mon, 14 Dec 2015 13:08:55 -0500
Subject: Block macro word documents
In-Reply-To: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
References: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
Message-ID: <566F05B7.3050305@replies.cyways.com>

After one of my clients had a problem with embedded Office macros, they blocked their users from opening macros altogether. I believe you can use an MS group policy for this, though as a Linux person, I can't say for sure. If I were managing a network, I'd certainly implement that policy. I was a bit surprised it wasn't the default at my client's site. I can see reasons to allow some selected people to run macros, but they'd be the exception not the rule.

As Jerry says, you can block macros entirely with ClamAV. In clamd.conf, set

ScanOLE2 yes
OLE2BlockMacros yes

Peter

On 12/14/2015 11:22 AM, tmeireles at electroind.com wrote:
> Two malicious emails with macro word documents with the extension .doc got through today.
>
> Was wondering what you guys do to block malicious macro word documents?

From maillists at conactive.com Wed Dec 16 10:31:02 2015
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed, 16 Dec 2015 11:31:02 +0100
Subject: Reliably reloading configuration?
In-Reply-To: <566B1F8A.5090207@msapiro.net>
References: <5669EF93.8000304@weigoldenterprises.com> <5669F8C1.5030603@msapiro.net> <566AFAA0.5080404@weigoldenterprises.com> <566B1F8A.5090207@msapiro.net>
Message-ID:

Mark Sapiro wrote on Fri, 11 Dec 2015 11:10:02 -0800:

> I think the above is correct, at least for 'standard' MailScanner (I
> think there is a spamd patch, but it's non-standard). So yes,
> restarting/reloading spamd (spamassassin) shouldn't be necessary.

To expand on this. I'm not on Ubuntu but /etc/init.d/spamassassin restart looks like it starts the daemon (spamd). MailScanner does not use spamd. Running spamd just costs you resources (RAM and CPU). Shut it off.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From jerry.benton at mailborder.com Thu Dec 17 09:11:39 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 17 Dec 2015 04:11:39 -0500
Subject: Phishing Update Server
Message-ID:

Optional hostname update: phishing.mailscanner.info

So I was wondering why my data transfer bill was so damn high … then I found the phishing update server is using a large amount of data from people downloading the update files. So ...

I moved the phishing update server to a new datacenter with more generous data allowance and speed. While I was at it I added the hostname phishing.mailscanner.info to DNS and to the server. So now you can use that domain name if you like. It is still the same exact server as phishing.mailborder.com.

-
Jerry Benton
www.mailborder.com

From kevin.miller at juneau.org Thu Dec 17 17:45:11 2015
From: kevin.miller at juneau.org (Kevin Miller)
Date: Thu, 17 Dec 2015 17:45:11 +0000
Subject: Phishing Update Server
In-Reply-To:
References:
Message-ID: <9b1d49b3c181462da2dd14525da90d08@City-Exch-DB1.cbj.local>

Perhaps setting up a pool, sort of like the ones for NPT, would be worthwhile. Mirror the phishing file on a dozen or so servers and do round-robin DNS to share the load. I'd bet a number of folks using MailScanner would be willing to offer up a tiny amount of disk space and a little bandwidth as a way to give back. I'd have to clear it w/my boss, but I'd bet we would. It would certainly be cheaper (I'd think anyway) than your average support contract for a commercial product...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From jerry.benton at mailborder.com Thu Dec 17 19:31:20 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 17 Dec 2015 14:31:20 -0500
Subject: Phishing Update Server
In-Reply-To: <9b1d49b3c181462da2dd14525da90d08@City-Exch-DB1.cbj.local>
References: <9b1d49b3c181462da2dd14525da90d08@City-Exch-DB1.cbj.local>
Message-ID: <59EDC4E5-1854-426D-B6A9-7647C664B8F2@mailborder.com>

Kevin,

Thanks for the offer, but it is not an issue anymore. The new server is now only costing $20 a month and I will probably start hosting the bad host and domain file on Amazon S3 with a pointer from the phishing server. That way it will be replicated and still very cheap.

I also want to use the phishing as a method to kind of gauge how many MailScanner instances are out there using awstats. I noticed a lot of hits for the old file and other items (like 1x1image.gif) that I created pointers for. This “un-breaks” a lot of the older MailScanner systems.

-
Jerry Benton
www.mailborder.com

> On Dec 17, 2015, at 12:45 PM, Kevin Miller wrote:
>
> Perhaps setting up a pool, sort of like the ones for NPT, would be worthwhile. Mirror the phishing file on a dozen or so servers and do round-robin DNS to share the load. I'd bet a number of folks using MailScanner would be willing to offer up a tiny amount of disk space and a little bandwidth as a way to give back. I'd have to clear it w/my boss, but I'd bet we would. It would certainly be cheaper (I'd think anyway) than your average support contract for a commercial product...
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
> Sent: Thursday, December 17, 2015 12:12 AM
> To: MailScanner Discussion
> Subject: Phishing Update Server
>
> Optional hostname update: phishing.mailscanner.info
>
>
> So I was wondering why my data transfer bill was so damn high … then I found the phishing update server is using a large amount of data from people downloading the update files. So ...
>
> I moved the phishing update server to a new datacenter with more generous data allowance and speed. While I was at it I added the hostname phishing.mailscanner.info to DNS and to the server. So now you can use that domain name if you like. It is still the same exact server as phishing.mailborder.com.
>
> -
> Jerry Benton
> www.mailborder.com
>

From wt at dld2000.com Sat Dec 19 13:38:27 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Sat, 19 Dec 2015 08:38:27 -0500
Subject: call email delivery from customaction?
In-Reply-To: <59EDC4E5-1854-426D-B6A9-7647C664B8F2@mailborder.com>
References: <9b1d49b3c181462da2dd14525da90d08@City-Exch-DB1.cbj.local> <59EDC4E5-1854-426D-B6A9-7647C664B8F2@mailborder.com>
Message-ID: <56755DD3.1060307@dld2000.com>

If I want to run all emails through CustomAction.pm regardless of whether they're spam, I presume I could set

Non Spam Actions = custom()

in MailScanner.conf.

But is there a way to invoke delivery from CustomAction.pm after that?

From mailscanner-list at okla.com Tue Dec 22 17:18:07 2015
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Tue, 22 Dec 2015 11:18:07 -0600
Subject: Avast anyone?
Message-ID: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>

Is anyone running Avast Antivirus with MailScanner and if so, what version of their product and how happy are you with it?

Thanks!

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From marek.gorny at bolix.pl Wed Dec 23 07:29:56 2015
From: marek.gorny at bolix.pl (Marek Górny)
Date: Wed, 23 Dec 2015 07:29:56 +0000
Subject: Avast anyone?
In-Reply-To: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
Message-ID:

Hi

I am using avast antivirus but in parallel f-secure also for many years.
F-secure is more effective and uses fewer resources.
..but Avast is better than nothing.

Marek Górny

Bolix SA
Ul. Stolarska 8
34-300 Żywiec, Poland

Bolix S.A. is a leading Polish manufacturer of construction chemicals, specializing in the production of facade systems. The BOLIX brand has existed since 1991 and is synonymous with the highest-quality construction solutions.

KRS No.: 0000230009 - District Court in Bielsko-Biała, 8th Commercial Division of the National Court Register
Share capital: 10 000 000 PLN; REGON: 015433210; NIP: 526-26-85-697

ATTENTION: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by person or entity other than the intended recipient is not permitted. If you received this in error, please contact the sender and delete the material from any computer.

Please Consider the Environment before printing this Email

From wcolburn at nrao.edu Wed Dec 23 15:49:49 2015
From: wcolburn at nrao.edu (William D. Colburn)
Date: Wed, 23 Dec 2015 08:49:49 -0700
Subject: Trouble making my own virus scanner
In-Reply-To:
References: <20151125181009.GA15002@anotheruvula.aoc.nrao.edu>
Message-ID: <20151223154949.GA2940@nmpost-master.aoc.nrao.edu>

On Thu, Nov 26, 2015 at 06:38:33AM -0500, Shawn Iverson wrote:
>I use SCEP here. I'll set it up and give it a go with your wrapper.
>
>I know that each scanner has its own code in SweepViruses.pm. I'm not sure
>if the generic scanner is actually doing much. The "ProcessGenericOutput"
>subroutine appears pretty barebones at first glance.

Did you ever figure anything out? Is there a better way to scep with mailscanner than what I tried?

--Schlake

From mailscanner-list at okla.com Wed Dec 23 17:52:28 2015
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Wed, 23 Dec 2015 11:52:28 -0600
Subject: Avast anyone?
In-Reply-To:
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
Message-ID: <014f01d13daa$b4987500$1dc95f00$@okla.com>

OK, thanks for your input.

Clamd is missing a lot of junk that Sophos free is catching but I am trying to come up with some consensus on the best paid for AV scanner that will work with MailScanner.

Any input from others on the list that are running multiple AV scanners would be more than welcome :)

Happy Holidays to everyone!

Tracy

From steveb_clamav at sanesecurity.com Wed Dec 23 18:00:10 2015
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Wed, 23 Dec 2015 18:00:10 -0000
Subject: Avast anyone?
In-Reply-To: <014f01d13daa$b4987500$1dc95f00$@okla.com>
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com> <014f01d13daa$b4987500$1dc95f00$@okla.com>
Message-ID: <9fd380526f6e01d8f6009e832da1c9c6.squirrel@sanesecurity.com>

On Wed, December 23, 2015 5:52 pm, Tracy Greggs wrote:
> Clamd is missing a lot of junk that Sophos free is catching but I am
> trying to come up with some consensus on the best paid for AV scanner that
> will work with MailScanner.

When you say Clamd is missing a lot... is this just the official signatures, or are you using the add-on Sanesecurity ClamAV signatures.

If you are using Sanesecurity sigs make sure you use;

badmacro.ndb
phish.ndb
rogue.hdb
foxhole_filename.cdb
foxhole_generic.cdb

Email me off-list if you want to discuss.
Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com From tmeireles at electroind.com Wed Dec 23 18:21:36 2015 From: tmeireles at electroind.com (tmeireles at electroind.com) Date: Wed, 23 Dec 2015 13:21:36 -0500 Subject: Avast anyone? In-Reply-To: <014f01d13daa$b4987500$1dc95f00$@okla.com> References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com> <014f01d13daa$b4987500$1dc95f00$@okla.com> Message-ID: <026701d13dae$c26ef330$474cd990$@electroind.com> On the question of antiviruses does mailscanner support Symantec Endpoint Protection? If so anyone using it? We have a corporate license and currently we are only using clamd. Tiago From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Tracy Greggs Sent: Wednesday, December 23, 2015 12:52 PM To: 'MailScanner Discussion' Subject: RE: Avast anyone? OK, thanks for your input. Clamd is missing a lot of junk that Sophos free is catching but I am trying to come up with some consensus on the best paid for AV scanner that will work with MailScanner. Any input from others on the list that are running multiple AV scanners would be more than welcome J Happy Holidays to everyone! Tracy From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Marek Górny Sent: Wednesday, December 23, 2015 1:30 AM To: MailScanner Discussion Subject: RE: Avast anyone? Hi I am using avast antivirus but in parallel f-secure also from many years. F-secure is more effective and use less resources. ..but Avast is better than nothing. Marek Górny From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Tracy Greggs Sent: Tuesday, December 22, 2015 6:18 PM To: 'MailScanner Discussion' Subject: Avast anyone? Is anyone running Avast Antivirus with MailScanner and if so, what version of their product and how happy are you with it? Thanks! This email has been sent from a virus-free computer protected by Avast. 
www.avast.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Bolix Bolix SA Ul. Stolarska 8 34-300 Żywiec, Poland Bolix S.A. jest wiodącym polskim producentem chemii budowlanej, specjalizującym się w produkcji systemów elewacyjnych. Marka BOLIX istnieje już od 1991 roku i jest synonimem najwyższej jakości rozwiązań budowlanych. Bolix_Kampania _____ Nr KRS: 0000230009 - Sąd Rejonowy w Bielsku-Białej, VIII Wydział Gospodarczy Krajowego Rejestru Sądowego Kapitał zakładowy: 10 000 000 zł.; REGON: 015433210; NIP: 526-26-85-697 UWAGA: Niniejsza korespondencja przeznaczona jest wyłącznie dla osoby lub podmiotu, do którego jest zaadresowana i może zawierać treści chronione przepisami prawa. Wgląd w treść wiadomości otrzymanej omyłkowo, dalsze jej przekazywanie, rozpowszechnianie lub innego rodzaju wykorzystanie, bądź podjęcie jakichkolwiek działań w oparciu o zawarte w niej informacje przez osobę lub podmiot nie będący adresatem, jest niedozwolone. Odbiorca korespondencji, który otrzymał ją omyłkowo, proszony jest o zawiadomienie nadawcy i usunięcie tego materiału z komputera. ATTENTION: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, Or taking of any action in reliance upon, this information by person or entity other than the intended recipient is not permitted. If you received this in error, please contact the sender and delete the material from any computer. Las Proszę pomyśl o środowisku przed wydrukowaniem tego maila. Please Consider the Environment before printing this Email -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. This email has been sent from a virus-free computer protected by Avast. 

From mailscanner-list at okla.com Wed Dec 23 22:14:57 2015
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Wed, 23 Dec 2015 16:14:57 -0600
Subject: Avast anyone?
In-Reply-To: <9fd380526f6e01d8f6009e832da1c9c6.squirrel@sanesecurity.com>
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com> <014f01d13daa$b4987500$1dc95f00$@okla.com> <9fd380526f6e01d8f6009e832da1c9c6.squirrel@sanesecurity.com>
Message-ID: <018801d13dcf$5ff2fe60$1fd8fb20$@okla.com>

Steve:

I am not using the Sanesecurity signatures and you have a valid point that I should be, but it does seem like clamd used to be a lot better "out of the box" than it is now. One would think that since Cisco took it over it would get better but it appears they are not doing a lot with it.

I have heard everything about FPROT from it sucks bad to it's great, so I am a little hesitant to buy it. Anyone can feel free to chime in on that.

Tracy

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Basford
Sent: Wednesday, December 23, 2015 12:00 PM
To: MailScanner Discussion
Subject: RE: Avast anyone?

On Wed, December 23, 2015 5:52 pm, Tracy Greggs wrote:

> Clamd is missing a lot of junk that Sophos free is catching but I am
> trying to come up with some consensus on the best paid for AV scanner
> that will work with MailScanner.

When you say Clamd is missing a lot... is this just the official signatures, or are you using the add-on Sanesecurity ClamAV signatures.

If you are using Sanesecurity sigs make sure you use;

badmacro.ndb
phish.ndb
rogue.hdb
foxhole_filename.cdb
foxhole_generic.cdb

Email me off-list if you want to discuss.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com

From mailinglists at feedmebits.nl Wed Dec 23 22:30:44 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 23 Dec 2015 23:30:44 +0100
Subject: Avast anyone?
In-Reply-To: <018801d13dcf$5ff2fe60$1fd8fb20$@okla.com>
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com> <014f01d13daa$b4987500$1dc95f00$@okla.com> <9fd380526f6e01d8f6009e832da1c9c6.squirrel@sanesecurity.com> <018801d13dcf$5ff2fe60$1fd8fb20$@okla.com>
Message-ID:

Only reason I bought an F-Prot license is because they have Linux support without needing a quote from customer service. All the others don't even advertise their Linux product on their site or they don't support Linux or don't know a thing about Linux. But overall 90% of the AV companies don't reply to your questions about their product. So I would just pick one that has Linux support, or compare the AV companies' statistics on: https://www.virustotal.com/

From jerry.benton at mailborder.com Thu Dec 24 06:28:20 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 24 Dec 2015 01:28:20 -0500
Subject: MailScanner Statistics
Message-ID:

I was curious how many instances are running MailScanner, so I set up awstats on the phishing update site. Of course, everyone may not be using the update site, but it is interesting to see the statistics anyway. There is a statistics link at the bottom of the page if you want to take a look. It is a new server, so there is not a lot of history, but you still get some good information from it.

http://phishing.mailscanner.info

-
Jerry Benton
www.mailborder.com

From carles at unlimitedmail.org Thu Dec 24 08:40:22 2015
From: carles at unlimitedmail.org ([SOLTECSIS] Carles Xavier Munyoz Baldó)
Date: Thu, 24 Dec 2015 09:40:22 +0100
Subject: Avast anyone?
In-Reply-To:
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com> <014f01d13daa$b4987500$1dc95f00$@okla.com> <9fd380526f6e01d8f6009e832da1c9c6.squirrel@sanesecurity.com> <018801d13dcf$5ff2fe60$1fd8fb20$@okla.com>
Message-ID: <567BAF76.8060906@unlimitedmail.org>

Hello,

I'm trying to use the latest Avast version for Linux:

    avast_2.1.0-1_amd64.deb

The problem I'm having is that the avast-wrapper script is not valid for the latest version of Avast. I have solved it by modifying SweepViruses.pm, commenting out this line:

    #CommonOptions => '-n -t=A',

The problem is now in the ProcessAvastOutput function, which is not valid for this version of Avast. Does anyone know how to solve it?

Thank you very much in advance.
Best regards.

--
Regards.
SOLTECSIS SOLUCIONES TECNOLOGICAS, S.L.
Carles Xavier Munyoz Baldó
R&D&I Department
Tel./Fax: 966 446 046
cmunyoz at soltecsis.com
www.soltecsis.com

From wt at dld2000.com Thu Dec 24 15:08:16 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Thu, 24 Dec 2015 10:08:16 -0500
Subject: MailScanner Statistics
In-Reply-To:
References:
Message-ID: <567C0A60.80001@dld2000.com>

You'd get more accurate information by installing Google Analytics on the website. Awstats is notoriously inaccurate.

Walt

From jerry.benton at mailborder.com Thu Dec 24 18:30:46 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 24 Dec 2015 13:30:46 -0500
Subject: MailScanner Statistics
In-Reply-To: <567C0A60.80001@dld2000.com>
References: <567C0A60.80001@dld2000.com>
Message-ID: <51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com>

Sure, except you cannot use Google analytics with a .conf file that gets downloaded 20,000+ times a day with curl or wget that accounts for 10GB of transfer every day.

-
Jerry Benton
www.mailborder.com

From andrew at topdog.za.net Fri Dec 25 05:57:07 2015
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Fri, 25 Dec 2015 07:57:07 +0200
Subject: MailScanner Statistics
In-Reply-To: <51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com>
References: <567C0A60.80001@dld2000.com> <51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com>
Message-ID: <90AE516D-6090-4FEB-B6C0-12BAA355306F@topdog.za.net>

On 24 Dec 2015, at 8:30 PM, Jerry Benton wrote:

> Sure, except you cannot use Google analytics with a .conf file that gets downloaded 20,000+ times a day with curl or wget that accounts for 10GB of transfer every day.

And… doesn't Google analytics use javascript?
And… why are people so obsessed with having Google collect data on them and their users?

From wt at dld2000.com Fri Dec 25 14:02:17 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Fri, 25 Dec 2015 09:02:17 -0500
Subject: MailScanner Statistics
In-Reply-To: <90AE516D-6090-4FEB-B6C0-12BAA355306F@topdog.za.net>
References: <567C0A60.80001@dld2000.com> <51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com> <90AE516D-6090-4FEB-B6C0-12BAA355306F@topdog.za.net>
Message-ID: <567D4C69.5040700@dld2000.com>

Sure, most of the web uses javascript. These days, it's hard to find websites that DON'T use javascript in one form or another. So what?

As for being "obsessed", I think Jerry's original post answers that. It's not an obsession to want to know how much interest there is in what you're offering.

Does data collection go too far? Sure, but do we really need to throw out the baby with the bathwater in order to place limits?

From andrew at topdog.za.net Sun Dec 27 12:58:45 2015
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Sun, 27 Dec 2015 14:58:45 +0200
Subject: MailScanner Statistics
In-Reply-To: <567D4C69.5040700@dld2000.com>
References: <567C0A60.80001@dld2000.com> <51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com> <90AE516D-6090-4FEB-B6C0-12BAA355306F@topdog.za.net> <567D4C69.5040700@dld2000.com>
Message-ID: <528DE5E6-4F31-4A4A-8D4F-0871169EFDFE@topdog.za.net>

On 25 Dec 2015, at 16:02, Walt Thiessen wrote:

> Sure, most of the web uses javascript. These days, it's hard to find websites that DON'T use javascript in one form or another. So what?

Doh, do you actually even know what you are talking about? How would javascript be executed for a request by curl or wget to a file, not a page with js embedded in it?

From andrew at topdog.za.net Sun Dec 27 13:24:32 2015
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Sun, 27 Dec 2015 15:24:32 +0200
Subject: MailScanner Statistics
In-Reply-To: <567D4C69.5040700@dld2000.com>
References: <567C0A60.80001@dld2000.com> <51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com> <90AE516D-6090-4FEB-B6C0-12BAA355306F@topdog.za.net> <567D4C69.5040700@dld2000.com>
Message-ID: <0D493BEF-7280-4208-B457-2B65E36A69E2@topdog.za.net>

On 25 Dec 2015, at 16:02, Walt Thiessen wrote:

> As for being "obsessed", I think Jerry's original post answers that. It's not an obsession to want to know how much interest there is in what you're offering.

P.S. You totally misunderstand me, I think Jerry is doing the right thing and using the right tools, I have a problem with you and pushing google analytics, why should a third party with a dubious record be introduced to collect this information when awstats does the job perfectly.

From pparsons at techeez.com Wed Dec 30 20:29:12 2015
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 30 Dec 2015 20:29:12 +0000
Subject: View status error
Message-ID: <11D8E491D9562549A61FD3186F363420027C75E3FF@exchange.techeez.com>

After the upgrade to 4.85, now when I check the status of MailScanner I am getting

/etc/init.d/MailScanner: line 78: [: =: unary operator expected

Line 78 is

[ ${NETWORKING} = "no" ] && exit 0

Anyone got any ideas?

Thank you.

Philip Parsons

From wt at dld2000.com Thu Dec 31 16:50:08 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Thu, 31 Dec 2015 11:50:08 -0500
Subject: from address?
Message-ID: <56855CC0.9070502@dld2000.com>

MailScanner apparently treats the envelope-from address as the from address when populating $this->{from} instead of using the email's original "from" address.

Is there an attribute that tracks the email's original "from" address?

Walt
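
Added example, not part of the thread and not MailScanner's own init script: the "[: =: unary operator expected" message in the "View status error" post above is what `[` prints when an unquoted expansion produces no word at all. The functions below run the reported test and a quoted variant over constructed values of NETWORKING; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not MailScanner's init script. Function names are
# hypothetical; the values fed to NETWORKING below are constructed.

# The test exactly as reported for line 78: the expansion is unquoted, so
# an unset or empty NETWORKING vanishes and `[` is handed `= no` only.
check_unquoted() {
    [ ${NETWORKING} = "no" ]
}

# Same comparison with the expansion quoted. `:-` supplies an empty default
# so the line also survives `set -u`.
check_quoted() {
    [ "${NETWORKING:-}" = "no" ]
}

# status_of FUNC VALUE: run FUNC in a subshell with NETWORKING=VALUE
# (or unset when VALUE is the marker "<unset>") and print its exit status.
#   0  -> NETWORKING is "no"
#   1  -> NETWORKING is something else
#   2+ -> `[` could not parse its arguments at all
status_of() {
    (
        if [ "$2" = "<unset>" ]; then
            unset NETWORKING
        else
            NETWORKING=$2
        fi
        rc=0
        "$1" 2>/dev/null || rc=$?
        echo "$rc"
    )
}

# The reported `[ ... ] && exit 0` only exits on status 0, so a parse error
# (2+) prints the message and the script simply carries on.
report() {
    for value in "<unset>" "" "no" "yes"; do
        printf 'NETWORKING=%-9s unquoted=%s quoted=%s\n' "[$value]" \
            "$(status_of check_unquoted "$value")" \
            "$(status_of check_quoted "$value")"
    done
}

report
```

The unquoted form only misbehaves when the variable is unset or empty, which is why the same line can run without complaint on one host and print the error on another.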