From Nicola.Piazzi at gruppocomet.it Tue Dec 1 11:33:59 2015
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 1 Dec 2015 11:33:59 +0000
Subject: About supported FREE Antivirus
Message-ID: <30F3912C1D29DC49B0A7DA52B8F581B912B165F2@IDRA>
Hi,
I tried all the supported FREE antiviruses and found that:
Clam works well and has a good number of detections
Sophos works well and has a discrete number of detections
Avg only 2 detections in 2 days
F-Prot no detections
- Do you know about these poor Avg and F-Prot results?
- Are there other FREE antiviruses to use?
COMODO Antivirus is a FREE and maintained product for Linux, but there is not an implemented wrapper.
Is there a wrapper for it?
Thx
Nicola
Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it
From phil.randal at hoopleltd.co.uk Tue Dec 1 12:04:53 2015
From: phil.randal at hoopleltd.co.uk (Randal, Phil)
Date: Tue, 1 Dec 2015 12:04:53 +0000
Subject: About supported FREE Antivirus
In-Reply-To: <30F3912C1D29DC49B0A7DA52B8F581B912B165F2@IDRA>
References: <30F3912C1D29DC49B0A7DA52B8F581B912B165F2@IDRA>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B858AB452E3@HC-EXMBX04.herefordshire.gov.uk>
I'd recommend clamd plus additional third-party definitions from SaneSecurity and others.
There's a script to maintain these
http://sanesecurity.com/usage/linux-scripts/
Cheers,
Phil
--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford | HR2 6JT
Tel : 01432 260415 |Email: phil.randal at hoopleltd.co.uk
General email: enquiries at hoopleltd.co.uk
Website: www.hoopleltd.co.uk
From last_warrior at mail.ru Wed Dec 2 17:08:54 2015
From: last_warrior at mail.ru (NIkita)
Date: Wed, 02 Dec 2015 20:08:54 +0300
Subject: Detected and have disarmed KILLED tags
Message-ID: <1449076134.692332017@f107.i.mail.ru>
Please help,
I've installed new server CentOS 7, MailScanner 4.85.2, ClamAV, postfix, SpamAssassin.
Some of my colleagues start to receive messages with text:
"MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message."
In the log file I've got:
" MailScanner [ 5525 ] : Content Checks : Detected and have disarmed KILLED tags in HTML message "
In the "Removing dangerous content" section I've tried to switch off (setting to yes), one by one, sections like IFrame, From, Script, etc. But nothing happens.
I hope you know how to fix it.
Best regards,
Me
From mailinglists at feedmebits.nl Thu Dec 3 21:24:49 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Thu, 3 Dec 2015 22:24:49 +0100
Subject: dkim and Mailscanner
Message-ID: <5660B321.8040108@feedmebits.nl>
Hello,
I'm having a problem getting dkim to work together with mailscanner. I
noticed some comments about dkim in the comments so I took the advice of
the comments.
Multiple Headers = add
# Some people prefer that message headers are added in strict order with
# the newest headers at the top and the oldest headers at the bottom.
# This is also required if you receive a message which is authenticated by
# DKIM, and you are forwarding that message onto somewhere else, and want
# not to break the DKIM signature.
# **Note**: To avoid breaking DKIM signatures, you *must* also set
# Multiple Headers = add
# So if some of your users forward mail from PayPal, Ebay or Yahoo! to
# accounts stored on Gmail or Googlemail, then you need to set this to "yes"
# and "Multiple Headers = add" to avoid breaking the DKIM signature.
# It may be worth using a ruleset to just apply this to messages sent by
# the companies mentioned above.
# This can also be the filename of a ruleset.
Place New Headers At Top Of Message = yes
Each time I got the following error:
dkim=neutral (body hash did not verify) header.i=@feedmebits.nl
I thought I'd try doing a test by taking out mailscanner, only using postfix, and now I'm getting:
dkim=pass header.i=@feedmebits.nl
So for some reason Mailscanner is changing the body hash of the dkim signature. Anyone know what's causing this and how to fix it?
I can't find any other config setting in Mailscanner that would fix this.
Maarten
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From mark at msapiro.net Thu Dec 3 22:39:27 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 3 Dec 2015 14:39:27 -0800
Subject: dkim and Mailscanner
In-Reply-To: <5660B321.8040108@feedmebits.nl>
References: <5660B321.8040108@feedmebits.nl>
Message-ID: <5660C49F.5000000@msapiro.net>
On 12/03/2015 01:24 PM, Maarten wrote:
> Hello,
>
> I'm having a problem getting dkim to work together with mailscanner. I
> noticed some comments about dkim in the comments so I took the advice of
> the comments.
>
> Multiple Headers = add
...
> Place New Headers At Top Of Message = yes
>
> Each time I got the following error:
>
> dkim=neutral (body hash did not verify) header.i=@feedmebits.nl
>
>
> I thought I'd try doing a test by taking out mailscanner, only using postfix, and now I'm getting:
>
> dkim=pass header.i=@feedmebits.nl
Are you looking at incoming mail or outgoing mail? I DKIM sign outgoing
mail and I have
Multiple Headers = add
and Place New Headers At Top Of Message is a ruleset which is Yes for a
small number of incoming messages and No for everything else.
I just sent a message addressed to both Yahoo and Gmail addresses. It
had my MailScanner headers added at the bottom as expected
Yahoo said
Received-SPF: pass (domain of msapiro.net designates 72.52.113.16 as
permitted sender)
and
Authentication-Results: mta1323.mail.ne1.yahoo.com from=msapiro.net;
domainkeys=neutral (no sig); from=msapiro.net; dkim=pass (ok)
and Gmail said:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of mark at msapiro.net designates
72.52.113.16 as permitted sender) smtp.mailfrom=mark at msapiro.net;
dkim=pass header.i=@msapiro.net
According to logs, Postfix opendkim signed the message before it was
processed by MailScanner so my DKIM sig was there and MailScanner didn't
break it, however, if MailScanner does any disarming of web bugs or
suspected phishing URLs or the like, it will certainly break the sig.
For incoming mail I'm not so fussy, but my ruleset says Place New
Headers At Top Of Message = Yes for certain messages that actually get
forwarded to a remote ISP that calls them spam if the sig is broken, but
ultimately I don't scan those messages at all (per a Scan Messages
ruleset) because of MailScanner body changes for disarming.
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
From mailinglists at feedmebits.nl Fri Dec 4 13:20:32 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Fri, 4 Dec 2015 14:20:32 +0100
Subject: MailScanner Digest, Vol 120, Issue 4
In-Reply-To:
References:
Message-ID: <56619320.8090207@feedmebits.nl>
Hello Mark,
Thanks for your reply. It's for outgoing mail, the messages get signed
but it doesn't pass the dkim test. When I take out mailscanner and just
let it go through postfix I get a pass. So seems like Mailscanner
changes the body/hash of the dkim headers?
I have the same settings for adding multiple headers:
Multiple Headers = add
Place New Headers At Top Of Message = yes
I just send plain text mails nothing with links in them. I'll have
another look at my logs.
gmail:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of mailinglists at feedmebits.nl designates 46.105.136.80 as permitted sender) smtp.mailfrom=mailinglists at feedmebits.nl;
dkim=neutral (body hash did not verify) header.i=@feedmebits.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=feedmebits.nl;
s=default; t=1449234663;
bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=Reply-To:To:From:Subject:Date:From;
b=XIkGDgIDv6fn5/R/xRN2iZuFU0WeKwA6WmYciBwwUARrN+99dcHrnMtpR5ORiuQTj
JQh02nSRXyiAxBbHlM9Eu0UTJ13TMRtFD1ltgTZSo5WJKD6jjh16LZlP4zLzuatck2
CmDWmwsW129cxkYOgdFUc3eZf+iR2fQO7qhNz1cc=
hotmail:
Authentication-Results: hotmail.com; spf=temperror (sender IP is 46.105.136.80) smtp.mailfrom=mailinglists at feedmebits.nl; dkim=permerror header.d=feedmebits.nl; x-hmca=none header.id=mailinglists at feedmebits.nl
X-SID-PRA: mailinglists at feedmebits.nl
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: NhFq/7gR1vThNR8614T/HV1LCNKAiOTz74c+/sD/dLNAdnBb9eSKCndmPa1+InLpBAa/DfRp4tDhx7KiLIlU9Gp94AM6nSIvBHwbw9gbUW+UHh2b/QKAg8P8Hx7nGbBWn0evWfrsmjYmh6Y/Yvi90ec3o/MVkyNrv6xJqHE6ZvbjwL/KJxQsQBgzurOq37su+2R9HwDexT3cLgJQxT89fvpS/Wx+cWRqTNntp6ISHNuH5E25f+Vjbg==
From wbaudler at gb.nrao.edu Fri Dec 4 13:31:06 2015
From: wbaudler at gb.nrao.edu (Wolfgang Baudler)
Date: Fri, 4 Dec 2015 08:31:06 -0500
Subject: MailScanner causes SpamAssassin rules to firing inconsistently
In-Reply-To:
References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu>
<563B8AEA.10804@msapiro.net>
<4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu>
<563B91EA.90106@msapiro.net>
<563BA37E.5010508@msapiro.net>
<563BC305.4020807@msapiro.net>
Message-ID: <6b7e66302a6055bfa023f4628a067154.squirrel@webmail.gb.nrao.edu>
> Wolfgang,
>
> Would you do me a favor and test this PR in your setup?
>
> https://github.com/MailScanner/v4/pull/42/files
>
I tried this version of the patch, and yes it seems to fix the issue in
our setup.
There might be other MTA implementations other than sendmail that might
need the same fix, though (there are EximDiskStore.pm, PFDiskStore.pm,
QMDiskStore.pm, SMDiskStore.pm, ZMDiskStore.pm). I have only looked at
SMDiskStore.pm.
Wolfgang
> On Mon, Nov 16, 2015 at 3:53 PM, Wolfgang Baudler
> wrote:
>
>> > On 11/05/2015 11:05 AM, Wolfgang Baudler wrote:
>> >>
>> >> no difference in log messages, except the senders domain and address
>> of
>> >> course.
>> >>
>> >> internal log example:
>> >> Nov 5 13:50:58 io MailScanner[24033]: Message tA5IopES005503 from
>> >> 192.33.116.115 (wbaudler at gb.nrao.edu) to gb.nrao.edu is not spam,
>> >> SpamAssassin (score=-199.008, required 5, autolearn=disabled,
>> >> TEST_RULE_AA
>> >> 1.00, NRAO_HEADER_PRESENT -100.00, TVD_SPACE_RATIO 0.00,
>> >> T_RP_MATCHES_RCVD
>> >> -0.01, USER_IN_WHITELIST -100.00)
>> >>
>> >> external log example:
>> >> Nov 5 13:55:47 io MailScanner[24004]: Message tA5ItQmr006622 from
>> >> 98.138.229.70 (wbaudler at yahoo.com) to gb.nrao.edu is not spam,
>> >> SpamAssassin (score=0.902, required 5, autolearn=disabled,
>> >> DKIM_ADSP_CUSTOM_MED 0.00, DKIM_SIGNED 0.10, FREEMAIL_FROM 0.00,
>> >> LOCAL_ID_JAVAMAIL 1.00, NML_ADSP_CUSTOM_MED 1.20, RCVD_IN_DNSWL_LOW
>> >> -0.70, RCVD_IN_MSPIKE_H3 -0.70, SPF_PASS -0.00, T_DKIM_INVALID 0.01,
>> >> T_RP_MATCHES_RCVD -0.01)
>> >>
>> >> The TEST_RULE_AA test result is missing in the external example. The
>> >> message sent was completely identical.
>> >
>> >
>> > At this point I am at a loss unless your "Max SpamAssassin Size"
>> setting
>> > and your test message size are such that the extra headers from the
>> > remote source push the test string out of range. This seems highly
>> > unlikely.
>> >
>> > It seems this might be a spamassassin bug triggered by something in
>> the
>> > message headers from the remote servers, but this seems unlikely too.
>> >
>> > --
>> > Mark Sapiro The highway is for gamblers,
>> > San Francisco Bay Area, California better use your sense - B. Dylan
>> >
>> >
>>
>> After doing some extended chasing I have an update on this issue.
>>
>> It seems that the firing or non-firing of body rules depends on the MUA
>> used to send the message. In particular on the fact that some MUA add an
>> empty line (0x0a newline) at the end of the body when
>> sending and some do not.
>>
>> Those that add the extra line with an newline will fire body rules
>> correctly if processed through Mailscanner, those that do not have the
>> extra line will not fire.
>>
>> Some particular real spam messages seem to consistently lack this empty
>> line and thus get not tagged correctly.
>>
>> I have not figured out exactly where this missing newline throws
>> MailScanner off, but I was able to implement a crude fix by modifying
>> the
>> loop of the ReadBody function in SMDiskStore.pm like this (we are using
>> sendmail with MailScanner):
>>
>> while(defined($line = <$dh>) && $size<$max) {
>> push @{$body}, $line;
>> $size += length($line);
>> #print STDERR "Line read2 is ****" . $line . "****\n";
>> }
>> $lastlineread = $line;
>> push @{$body}, "\n";
>>
>> Only the last line was added, which pushes an unconditional newline at
>> the
>> end of the body just read. After that modification all body rules fire
>> correctly as expected.
>>
>> Hopefully someone more familiar with the MailScanner code can come up
>> with
>> a proper patch to fix this issue?
>>
>> Wolfgang
>>
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>>
>
>
> --
> Shawn Iverson
> Director of Technology
> Rush County Schools
> 765-932-3901 x271
> iversons at rushville.k12.in.us
From mailinglists at feedmebits.nl Fri Dec 4 13:35:00 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Fri, 4 Dec 2015 14:35:00 +0100
Subject: MailScanner Digest, Vol 120, Issue 4
In-Reply-To:
References:
Message-ID: <56619684.3050504@feedmebits.nl>
I checked my logs and the dkim headers get added, then mailscanner
processes the mail
From mark at msapiro.net Fri Dec 4 18:08:35 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 4 Dec 2015 10:08:35 -0800
Subject: dkim and Mailscanner
In-Reply-To: <56619320.8090207@feedmebits.nl>
References:
<56619320.8090207@feedmebits.nl>
Message-ID: <5661D6A3.8020503@msapiro.net>
On 12/04/2015 05:20 AM, Maarten wrote:
>
> Thanks for your reply. It's for outgoing mail, the messages gets signed
> but it doesn't pass the dkim test. When I take out mailscanner and just
> let it go through postfix I get a pass. So seems like Mailscanner
> changes the body/hash of the dkim headers?
So it seems.
> I have the same settings for adding multiple headers:
>
> Multiple Headers = add
> Place New Headers At Top Of Message = yes
In my case, for outgoing mail my rules say Place New Headers At Top Of
Message = no.
> I just send plain text mails nothing with links in them. I'll have
> another look at my logs.
>
>
> gmail:
>
> Authentication-Results: mx.google.com;
> spf=pass (google.com: domain of mailinglists at feedmebits.nl designates 46.105.136.80 as permitted sender) smtp.mailfrom=mailinglists at feedmebits.nl;
> dkim=neutral (body hash did not verify) header.i=@feedmebits.nl
OK, but as I said, it works for me, so I don't know what the problem is
in your case.
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
From mailinglists at feedmebits.nl Fri Dec 4 18:16:46 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Fri, 4 Dec 2015 19:16:46 +0100
Subject: dkim and Mailscanner
In-Reply-To: <5661D6A3.8020503@msapiro.net>
References:
<56619320.8090207@feedmebits.nl> <5661D6A3.8020503@msapiro.net>
Message-ID: <5661D88E.1030302@feedmebits.nl>
Is there a way to set mailscanner into verbose or debug log mode, so I
can see what's actually happening? In normal mode I can only see when it's
scanning a message etc.
From mark at msapiro.net Fri Dec 4 18:29:37 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 4 Dec 2015 10:29:37 -0800
Subject: dkim and Mailscanner
In-Reply-To: <5661D88E.1030302@feedmebits.nl>
References:
<56619320.8090207@feedmebits.nl> <5661D6A3.8020503@msapiro.net>
<5661D88E.1030302@feedmebits.nl>
Message-ID: <5661DB91.5010408@msapiro.net>
On 12/04/2015 10:16 AM, Maarten wrote:
> Is there way to get set mailscanner into verbose or debug log mode, so I
> can see what's actually happening. Normal mode I can only see when it's
> scanning a message etc.
You could just compare the body of your sent message with the one that
fails verification after receipt to see what's different.
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
From mailinglists at feedmebits.nl Fri Dec 4 20:22:52 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Fri, 4 Dec 2015 21:22:52 +0100
Subject: dkim and Mailscanner
In-Reply-To: <5661DB91.5010408@msapiro.net>
References:
<56619320.8090207@feedmebits.nl> <5661D6A3.8020503@msapiro.net>
<5661D88E.1030302@feedmebits.nl> <5661DB91.5010408@msapiro.net>
Message-ID: <5661F61C.80807@feedmebits.nl>
I the the message headers are exactly the same. So I sent an email to
auth-results at verifier.port25.com to get a report.
It's the Canonicalized Bodies that are different.
When the test passes I get my dns records back:
Canonicalized Body:
DNS record(s):
default._domainkey.feedmebits.nl. 86121 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaf6SefY18HUDitRouHw9eP0zJ9W8BY2x+urENVAdmV/ghPjVnqjemJLBySGrXLiMiNO2Vs9js+3BVyblUZRj2CnK6uqUlkyWnJ9GUpZ8pfKZDP1s9gP0ASCDdsMzXEcNnPqyeko2jgbIn5eiZ6xeKwX/qV8JIQsTo/XzqWko7mwIDAQAB"
default._domainkey.feedmebits.nl. 86121 IN TXT "o=~"
Public key used for verification: default._domainkey.feedmebits.nl (1024 bits)
And when the test fails I get the following back in the body:
Canonicalized Body:
'0D''0A'
'0D''0A'
--'0D''0A'
This'20'message'20'has'20'been'20'scanned'20'for'20'viruses'20'and'0D''0A'
dangerous'20'content'20'by'20'MailScanner,'20'and'20'is'0D''0A'
believed'20'to'20'be'20'clean.'0D''0A'
At least I found where exactly it goes wrong, now to find where the problem comes from.
From mark at msapiro.net Fri Dec 4 20:36:15 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 4 Dec 2015 12:36:15 -0800
Subject: dkim and Mailscanner
In-Reply-To: <5661F61C.80807@feedmebits.nl>
References:
<56619320.8090207@feedmebits.nl> <5661D6A3.8020503@msapiro.net>
<5661D88E.1030302@feedmebits.nl> <5661DB91.5010408@msapiro.net>
<5661F61C.80807@feedmebits.nl>
Message-ID: <5661F93F.4020907@msapiro.net>
On 12/04/2015 12:22 PM, Maarten wrote:
> And when the the test fails I get the following back in the body:
>
> Canonicalized Body:
> '0D''0A'
> '0D''0A'
> --'0D''0A'
> This'20'message'20'has'20'been'20'scanned'20'for'20'viruses'20'and'0D''0A'
> dangerous'20'content'20'by'20'MailScanner,'20'and'20'is'0D''0A'
> believed'20'to'20'be'20'clean.'0D''0A'
>
> At least I found where exactly it goes wrong, now to find where the problem comes from.
Set 'Sign Clean Messages' to no in your MailScanner config
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
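
The failure diagnosed in this thread, reproduced as an added example (not code from MailScanner, opendkim or any poster here): it implements the relaxed body canonicalization of RFC 6376 section 3.4.4, computes the bh= value before and after a footer is appended to an already signed body, and renders the difference in the same notation as the Port25 report quoted above. The sample body is constructed; the footer text is the one visible on the messages in this thread, and the blank lines in front of it are an assumption chosen to match that report.

```python
import base64
import hashlib
import re


def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed' body canonicalization, RFC 6376 section 3.4.4."""
    # Accept bare LF (text taken from a Unix spool file) as a line ending.
    body = re.sub(rb"\r?\n", b"\r\n", body)
    lines = body.split(b"\r\n")
    # Collapse runs of SP/HTAB to one SP, then ignore whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    # Every remaining line ends in CRLF; an empty body stays empty.
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a verifier compares with bh= for a=rsa-sha256 and no l= tag,
    which is the form of the DKIM-Signature pasted in this thread."""
    digest = hashlib.sha256(canon_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def render_port25_style(canon: bytes) -> str:
    """Show canonicalized bytes with whitespace and control bytes as 'XX' hex."""
    out = []
    for b in canon:
        out.append("'%02X'" % b if b < 0x21 or b > 0x7E else chr(b))
        if b == 0x0A:
            out.append("\n")
    return "".join(out)


def explain_mismatch(signed: bytes, delivered: bytes):
    """Compare what was signed with what arrived, after canonicalization.

    Returns (verdict, extra): 'pass' when the body hash still verifies,
    'appended' with the added bytes when content was added after signing,
    'modified' when the signed part itself was changed.
    """
    a, b = canon_body_relaxed(signed), canon_body_relaxed(delivered)
    if a == b:
        return "pass", b""
    if b.startswith(a):
        return "appended", b[len(a):]
    return "modified", b""


# Constructed sample: a plain-text body as it looked when the signer hashed it.
SIGNED_BODY = b"Hello,\r\n\r\nthis is a plain text test message.\r\n"

# Footer text as it appears on messages in this thread; the leading blank
# lines and the "-- " separator are assumptions matching the Port25 output.
CLEAN_FOOTER = (
    b"\r\n\r\n-- \r\n"
    b"This message has been scanned for viruses and\r\n"
    b"dangerous content by MailScanner, and is\r\n"
    b"believed to be clean.\r\n\r\n"
)

if __name__ == "__main__":
    delivered = SIGNED_BODY + CLEAN_FOOTER
    print("bh when signed   :", body_hash(SIGNED_BODY))
    print("bh when delivered:", body_hash(delivered))
    verdict, extra = explain_mismatch(SIGNED_BODY, delivered)
    print("verdict:", verdict)
    print(render_port25_style(extra), end="")
```

Relaxed canonicalization absorbs trailing blank lines and whitespace runs, so those changes still verify; any text added after signing does not, which is why the footer has to be disabled or added before the signer runs.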
From mailinglists at feedmebits.nl Fri Dec 4 21:09:58 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Fri, 4 Dec 2015 22:09:58 +0100
Subject: dkim and Mailscanner
In-Reply-To: <5661F93F.4020907@msapiro.net>
References:
<56619320.8090207@feedmebits.nl> <5661D6A3.8020503@msapiro.net>
<5661D88E.1030302@feedmebits.nl> <5661DB91.5010408@msapiro.net>
<5661F61C.80807@feedmebits.nl> <5661F93F.4020907@msapiro.net>
Message-ID: <56620126.4040405@feedmebits.nl>
Cheers for that, fixed my problem. Now that you mention it, it makes sense,
been looking over different configs and different mail headers so long
that my eyes aren't working as well ;)
Thanks for the second pair of eyes.
hotmail:
Authentication-Results: hotmail.com; spf=pass (sender IP is 46.105.136.80) smtp.mailfrom=mailinglists at feedmebits.nl; dkim=permerror header.d=feedmebits.nl; x-hmca=pass header.id=mailinglists at feedmebits.nl
X-SID-PRA: mailinglists at feedmebits.nl
X-AUTH-Result: PASS
X-SID-Result: PASS
gmail:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of mailinglists at feedmebits.nl designates 46.105.136.80 as permitted sender) smtp.mailfrom=mailinglists at feedmebits.nl;
dkim=pass header.i=@feedmebits.nl
From koby at mksoft.co.il Sun Dec 6 08:38:09 2015
From: koby at mksoft.co.il (Koby Peleg Hen)
Date: Sun, 6 Dec 2015 10:38:09 +0200
Subject: bitdefender experience
Message-ID: <5663F3F1.2010604@mksoft.co.il>
An HTML attachment was scrubbed...
URL:
From jerry.benton at mailborder.com Sun Dec 6 09:14:41 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sun, 6 Dec 2015 04:14:41 -0500
Subject: bitdefender experience
In-Reply-To: <5663F3F1.2010604@mksoft.co.il>
References: <5663F3F1.2010604@mksoft.co.il>
Message-ID: <12865FC5-7F3D-4BE4-B739-5BBADDA389B3@mailborder.com>
I used it years ago and liked it. However, I recently installed the mail server version on a test machine and hate it.
-
Jerry Benton
www.mailborder.com
> On Dec 6, 2015, at 3:38 AM, Koby Peleg Hen wrote:
>
> Hello All ,
> Does any one has any real experience with bitdefender AV.
> I would like to use it as an additional AV to my system.
>
> Thank you all for your co operation
> Koby Peleg Hen
From mailinglists at feedmebits.nl Sun Dec 6 09:32:29 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Sun, 6 Dec 2015 10:32:29 +0100
Subject: bitdefender experience
In-Reply-To: <12865FC5-7F3D-4BE4-B739-5BBADDA389B3@mailborder.com>
References: <5663F3F1.2010604@mksoft.co.il>
<12865FC5-7F3D-4BE4-B739-5BBADDA389B3@mailborder.com>
Message-ID: <566400AD.7030709@feedmebits.nl>
I take it that you're wanting to use it for your personal mail server,
not for a business? It was one of my choices as an AV. However the
problem with most AV companies is that they only offer the Linux
version of their product as a quote. And most AV companies I mailed
never even replied, maybe 2 out of the 10 mailed me back. I called one
company NOD32, and the person I spoke to barely even knew what Linux
was. The only company offering the Linux version of their product on
their website was F-PROT, so I can't give you any real advice on that,
so it seems like most businesses expect that you're a company if you're
running an av product under Linux and that might be the reason why you
can only get it as a quote with 99% of the AV companies. Just my two
cents on that ;)
Maarten
On 12/06/2015 10:14 AM, Jerry Benton wrote:
> I used it years ago and liked it. However, I recently installed the
> mail server version on a test machine and hate it.
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On Dec 6, 2015, at 3:38 AM, Koby Peleg Hen > > wrote:
>>
>> Hello All ,
>> Does any one has any real experience with bitdefender AV.
>> I would like to use it as an additional AV to my system.
>>
>> Thank you all for your co operation
>> Koby Peleg Hen
>>
>>
>>
>>
From jerry.benton at mailborder.com Sun Dec 6 09:47:18 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sun, 6 Dec 2015 04:47:18 -0500
Subject: bitdefender experience
In-Reply-To: <566400AD.7030709@feedmebits.nl>
References: <5663F3F1.2010604@mksoft.co.il>
<12865FC5-7F3D-4BE4-B739-5BBADDA389B3@mailborder.com>
<566400AD.7030709@feedmebits.nl>
Message-ID:
I had the same experience when emailing AV companies about redistributable licenses for Mailborder.
Me: I want to give you money.
Them: We don’t have an avenue for that. There is no one here named Linux.
-
Jerry Benton
www.mailborder.com
> On Dec 6, 2015, at 4:32 AM, Maarten wrote:
>
> I take it that you're wanting to use it for your personal mail server, not for a business? It was one of my choices as an AV. However, the problem with most AV companies is that they only offer the Linux version of their product as a quote. And most AV companies I mailed never even replied, maybe 2 out of the 10 mailed me back. I called one company NOD32, and the person I spoke to barely even knew what Linux was. The only company offering the Linux version of their product on their website was F-PROT, so I can't give you any real advice on that, so it seems like most businesses expect that you're a company if you're running an av product under Linux and that might be the reason why you can only get it as a quote with 99% of the AV companies. Just my two cents on that ;)
>
> Maarten
>
>
>
> On 12/06/2015 10:14 AM, Jerry Benton wrote:
>> I used it years ago and liked it. However, I recently installed the mail server version on a test machine and hate it.
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>>
>>
>>
>>> On Dec 6, 2015, at 3:38 AM, Koby Peleg Hen < koby at mksoft.co.il > wrote:
>>>
>>> Hello All ,
>>> Does any one has any real experience with bitdefender AV.
>>> I would like to use it as an additional AV to my system.
>>>
>>> Thank you all for your co operation
>>> Koby Peleg Hen
>>>
>>>
>>>
>>>
From steve at weigoldenterprises.com Wed Dec 9 01:44:22 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Tue, 8 Dec 2015 20:44:22 -0500
Subject: Pyzor integration
Message-ID: <56678776.6020401@weigoldenterprises.com>
Greetings
Apologies if this has been asked before, but while I found the list
archive, I couldn't find a means to search it and considering it goes
back many years, scanning by hand seemed a bit overwhelming. If there's
a search capability for it that I've missed, please let me know.
Anyway, I have a new server I've setup to be a spam filter gateway. It's
a clean install of Debian Jessie with MailScanner and Postfix with what
I believe to be the latest versions. Generally, the system is working,
but I'm still getting much more spam than I should be. Reviewing the
logs, I can see that I'm getting relatively low spam scores even on what
I'd consider obvious spam emails.
This led me down the path of what else could be done with spamassassin,
which got me to Pyzor, Razor and DCC. At the moment, DCC isn't
installed. I guess it was removed from the repository because it's
non-free? Pyzor and Razor are installed, and somehow, I think I have
Razor working, at least based on the fact that I see log entries like
this one:
Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from
198.173.85.230 (amazon-promotional-credit at urfhe.selectweddingbands.com)
to acnoc.net is not spam, SpamAssassin (not cached, score=5.497,
required 6, RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43,
RAZOR2_CHECK 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)
I'm not sure Pyzor is working though, and when I run MailScanner --lint,
I get this:
pyzor: check failed: internal error, python traceback seen in response
I've googled ad nauseam and I'm getting nowhere.
In spam.assassin.prefs.conf, I have:
pyzor_options --homedir /var/spool/MailScanner/
and permissions on that folder seem OK
drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner
Inside it, Pyzor's servers file:
-rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers
Help?
Thanks!
Steve
From steve at weigoldenterprises.com Wed Dec 9 02:02:41 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Tue, 8 Dec 2015 21:02:41 -0500
Subject: Pyzor integration
In-Reply-To: <56678776.6020401@weigoldenterprises.com>
References: <56678776.6020401@weigoldenterprises.com>
Message-ID: <56678BC1.7070508@weigoldenterprises.com>
Some follow on information.... I expected all of the details to be in
mail.log and didn't think to check syslog. :-( More details there:
Dec 8 11:40:35 gw1 mailscanner[4195]: Dec 8 11:40:35.083 [4334] dbg:
pyzor: got response: Traceback (most recent call last):\n File
"/usr/bin/pyzor", line 8, in \n pyzor.client.run()\n File
"/usr/lib/pymodules/python2.7/pyzor/client.py", line 1022, in run\n
ExecCall().run()\n File "/usr/lib/pymodules/python2.7/pyzor/client.py",
line 180, in run\n os.mkdir(homedir)\nOSError: [Errno 13] Permission
denied: '/var/spool/postfix/.pyzor'
Dec 8 11:40:35 gw1 mailscanner[4195]: pyzor: check failed: internal
error, python traceback seen in response
Obviously I have a permissions issue. Now I need to understand why it's
trying to use /var/spool/postfix for .pyzor instead of
/var/spool/MailScanner.
I also clicked around more and found the archive search mechanism.
Words of wisdom appreciated.
Steve
On 12/8/2015 8:44 PM, Steve Weigold wrote:
> Greetings
>
> Apologies if this has been asked before, but while I found the list
> archive, I couldn't find a means to search it and considering it goes
> back many years, scanning by hand seemed a bit overwhelming. If
> there's a search capability for it that I've missed, please let me know.
>
> Anyway, I have a new server I've setup to be a spam filter gateway.
> It's a clean install of Debian Jessie with MailScanner and Postfix
> with what I believe to be the latest versions. Generally, the system
> is working, but I'm still getting much more spam than I should be.
> Reviewing the logs, I can see that I'm getting relatively low spam
> scores even on what I'd consider obvious spam emails.
>
> This led me down the path of what else could be done with
> spamassassin, which got me to Pyzor, Razor and DCC. At the moment,
> DCC isn't installed. I guess it was removed from the repository
> because it's non-free? Pyzor and Razor are installed, and somehow, I
> think I have Razor working, at least based on the fact that I see log
> entries like this one:
>
> Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from
> 198.173.85.230
> (amazon-promotional-credit at urfhe.selectweddingbands.com) to acnoc.net
> is not spam, SpamAssassin (not cached, score=5.497, required 6,
> RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43,
> RAZOR2_CHECK 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)
>
> I'm not sure Pyzor is working though, and when I run MailScanner
> --lint, I get this:
>
> pyzor: check failed: internal error, python traceback seen in response
>
> I've googled ad nauseam and I'm getting nowhere.
>
> In spam.assassin.prefs.conf, I have:
> pyzor_options --homedir /var/spool/MailScanner/
>
> and permissions on that folder seem OK
> drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner
>
> Inside it, Pyzor's servers file:
> -rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers
>
> Help?
>
> Thanks!
> Steve
>
>
>
>
>
--
------------------------------------------------------------------------
Steve Weigold
Weigold Enterprises
Cell - 513-365-0446
www.weigoldenterprises.com
www.facebook.com/weigoldenterprises
From jerry.benton at mailborder.com Wed Dec 9 02:22:17 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 8 Dec 2015 21:22:17 -0500
Subject: Pyzor integration
In-Reply-To: <56678BC1.7070508@weigoldenterprises.com>
References: <56678776.6020401@weigoldenterprises.com>
<56678BC1.7070508@weigoldenterprises.com>
Message-ID: <4CF7AA19-F133-4ACF-932A-18FD96EF474F@mailborder.com>
Check which user and group you are running under. Also check the permissions. I personally like to create a group called mtagroup and add postfix, clamav, and whatever other users to it. I then use that group in MailScanner with group write permissions. Eliminates the permission issues.
-
Jerry Benton
www.mailborder.com
> On Dec 8, 2015, at 9:02 PM, Steve Weigold wrote:
>
>
> Some follow on information.... I expected all of the details to be in mail.log and didn't think to check syslog. :-( More details there:
>
> Dec 8 11:40:35 gw1 mailscanner[4195]: Dec 8 11:40:35.083 [4334] dbg: pyzor: got response: Traceback (most recent call last):\n File "/usr/bin/pyzor", line 8, in \n pyzor.client.run()\n File "/usr/lib/pymodules/python2.7/pyzor/client.py", line 1022, in run\n ExecCall().run()\n File "/usr/lib/pymodules/python2.7/pyzor/client.py", line 180, in run\n os.mkdir(homedir)\nOSError: [Errno 13] Permission denied: '/var/spool/postfix/.pyzor'
> Dec 8 11:40:35 gw1 mailscanner[4195]: pyzor: check failed: internal error, python traceback seen in response
>
> Obviously I have a permissions issue. Now I need to understand why it's trying to use /var/spool/postfix for .pyzor instead of /var/spool/MailScanner.
>
> I also clicked around more and found the archive search mechanism.
>
> Words of wisdom appreciated.
>
> Steve
>
>
> On 12/8/2015 8:44 PM, Steve Weigold wrote:
>> Greetings
>>
>> Apologies if this has been asked before, but while I found the list archive, I couldn't find a means to search it and considering it goes back many years, scanning by hand seemed a bit overwhelming. If there's a search capability for it that I've missed, please let me know.
>>
>> Anyway, I have a new server I've setup to be a spam filter gateway. It's a clean install of Debian Jessie with MailScanner and Postfix with what I believe to be the latest versions. Generally, the system is working, but I'm still getting much more spam than I should be. Reviewing the logs, I can see that I'm getting relatively low spam scores even on what I'd consider obvious spam emails.
>>
>> This led me down the path of what else could be done with spamassassin, which got me to Pyzor, Razor and DCC. At the moment, DCC isn't installed. I guess it was removed from the repository because it's non-free? Pyzor and Razor are installed, and somehow, I think I have Razor working, at least based on the fact that I see log entries like this one:
>>
>> Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from 198.173.85.230 (amazon-promotional-credit at urfhe.selectweddingbands.com ) to acnoc.net is not spam, SpamAssassin (not cached, score=5.497, required 6, RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)
>>
>> I'm not sure Pyzor is working though, and when I run MailScanner --lint, I get this:
>>
>> pyzor: check failed: internal error, python traceback seen in response
>>
>> I've googled ad nauseam and I'm getting nowhere.
>>
>> In spam.assassin.prefs.conf, I have:
>> pyzor_options --homedir /var/spool/MailScanner/
>>
>> and permissions on that folder seem OK
>> drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner
>>
>> Inside it, Pyzor's servers file:
>> -rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers
>>
>> Help?
>>
>> Thanks!
>> Steve
>>
>>
>>
>>
>>
>
> --
> Steve Weigold
> Weigold Enterprises
> Cell - 513-365-0446
> www.weigoldenterprises.com
> www.facebook.com/weigoldenterprises
>
>
>
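Added example (not part of any message in this thread, and not MailScanner or Pyzor code): a Python preflight check for the failure in the traceback above, where os.mkdir() on the pyzor home directory was denied, and for the shared-group layout suggested in the reply. The uid/gid numbers, the mode assumed for /var/spool/postfix, the /var/spool/shared directory and all function names are constructed assumptions; only the /var/spool/MailScanner listing and the mtagroup idea come from the thread.

```python
import os
import pwd
import stat
from types import SimpleNamespace


def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_search(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def can_write(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def ids_for(username):
    """uid and full group set of a local account, for use on a real host."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, set(os.getgrouplist(username, pw.pw_gid))


def check_homedir(homedir, uid, gids, stat_fn=os.stat):
    """Return (ok, reason): can this uid use or create homedir?"""
    homedir = os.path.normpath(homedir)
    ancestors, path = [], homedir
    while os.path.dirname(path) != path:
        path = os.path.dirname(path)
        ancestors.append(path)
    # Every directory above homedir must exist and be searchable.
    for directory in reversed(ancestors):
        try:
            st = stat_fn(directory)
        except FileNotFoundError:
            return False, f"{directory} does not exist"
        if not can_search(st, uid, gids):
            return False, f"no search (x) permission on {directory}"
    try:
        st = stat_fn(homedir)
    except FileNotFoundError:
        # mkdir needs write permission on the parent directory.
        parent = os.path.dirname(homedir)
        if can_write(stat_fn(parent), uid, gids):
            return True, f"{homedir} is missing but can be created"
        return False, f"cannot create {homedir}: no write permission on {parent}"
    if can_write(st, uid, gids) and can_search(st, uid, gids):
        return True, f"{homedir} is usable"
    return False, f"no write permission on {homedir}"


# Constructed sample filesystem (mode, uid, gid). Numeric ids are made up.
POSTFIX_UID, POSTFIX_GID, CLAMAV_UID, MTAGROUP_GID = 106, 113, 107, 2001
SAMPLE_FS = {
    "/": (0o755, 0, 0),
    "/var": (0o755, 0, 0),
    "/var/spool": (0o755, 0, 0),
    "/var/spool/postfix": (0o755, 0, 0),            # assumed root-owned
    "/var/spool/MailScanner": (0o755, POSTFIX_UID, POSTFIX_GID),  # from the listing
    "/var/spool/shared": (0o775, POSTFIX_UID, MTAGROUP_GID),      # group-write layout
}


def fake_stat(path):
    """stat() replacement that reads the constructed table above."""
    try:
        mode, uid, gid = SAMPLE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)
    return SimpleNamespace(st_mode=stat.S_IFDIR | mode, st_uid=uid, st_gid=gid)


if __name__ == "__main__":
    cases = [
        ("/var/spool/postfix/.pyzor", POSTFIX_UID, {POSTFIX_GID}),
        ("/var/spool/MailScanner/", POSTFIX_UID, {POSTFIX_GID}),
        ("/var/spool/MailScanner/", CLAMAV_UID, {MTAGROUP_GID}),
        ("/var/spool/shared/.pyzor", CLAMAV_UID, {MTAGROUP_GID}),
    ]
    for homedir, uid, gids in cases:
        print(homedir, uid, check_homedir(homedir, uid, gids, fake_stat))
```

On a real gateway, call check_homedir(path, *ids_for("postfix")) without the stat_fn argument so the live filesystem is inspected.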
From mark at msapiro.net Wed Dec 9 04:55:11 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 8 Dec 2015 20:55:11 -0800
Subject: Searching the list archive - was: Pyzor integration
In-Reply-To: <56678776.6020401@weigoldenterprises.com>
References: <56678776.6020401@weigoldenterprises.com>
Message-ID: <5667B42F.4040906@msapiro.net>
On 12/08/2015 05:44 PM, Steve Weigold wrote:
> Greetings
>
> Apologies if this has been asked before, but while I found the list
> archive, I couldn't find a means to search it and considering it goes
> back many years, scanning by hand seemed a bit overwhelming. If there's
> a search capability for it that I've missed, please let me know.
You can always use google and limit the results to the
lists.mailscanner.info domain with the query fragment
site:lists.mailscanner.info. You can also use the inurl: query to limit
results to a year or month with, e.g., inurl:2015 or inurl:2015-January.
E.g. search for
site:lists.mailscanner.info pyzor
which still gives a lot of results or
site:lists.mailscanner.info inurl:2014 pyzor
which gives a more manageable number.
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
From razmik.baghdasaryan at gmail.com Wed Dec 9 12:58:49 2015
From: razmik.baghdasaryan at gmail.com (Razmik Baghdasaryan)
Date: Wed, 9 Dec 2015 16:58:49 +0400
Subject: Bad File Name Detected
Message-ID:
Hi Dear All
Who can help to disable Bad File Name detection from one ip address
This is message
The following e-mails were found to have: Bad Filename Detected
Sender: razmik.baghdasaryan at example.com
IP Address: XX.XXX.XXX.XX
Recipient: razmik.baghdasaryan at example2.com
Subject: Re: Thanks and regards
MessageID: 69F5B65D42.98BA3
Quarantine: /var/spool/MailScanner/quarantine/20151209/69F4B65D42.98BA3
Report: MailScanner: No programs allowed (msg-3125-10.txt)
Thanks & Regards
Razmik
From it at festa.bg Wed Dec 9 13:03:39 2015
From: it at festa.bg (Valentin Laskov)
Date: Wed, 9 Dec 2015 15:03:39 +0200
Subject: Bad File Name Detected
In-Reply-To:
References:
Message-ID: <566826AB.8080707@festa.bg>
Hi Razmik,
better do this:
http://lists.mailscanner.info/pipermail/mailscanner/2015-November/102728.html
On 09.12.2015 at 14:58, Razmik Baghdasaryan wrote:
> Hi Dear All
>
> Who can help to disable Bad File Name detection from one ip address
>
> This is message
> The following e-mails were found to have: Bad Filename Detected
>
> Sender: razmik.baghdasaryan at example.com
>
> IP Address: XX.XXX.XXX.XX
> Recipient: razmik.baghdasaryan at example2.com
>
> Subject: Re: Thanks and regards
> MessageID: 69F5B65D42.98BA3
> Quarantine: /var/spool/MailScanner/quarantine/20151209/69F4B65D42.98BA3
> Report: MailScanner: No programs allowed (msg-3125-10.txt)
>
>
> Thanks & Regards
> Razmik
>
>
>
--
Regards!
Valentin Laskov
Head of KIPO
"Festa Holding" AD
48 Vl. Varnenchik Blvd.
9000 Varna
Tel.: +359 52 669137
GSM: +359 888 669137
Fax: +359 52 669110
From ok at addix.net Wed Dec 9 14:26:29 2015
From: ok at addix.net (Oliver Kutscher)
Date: Wed, 9 Dec 2015 15:26:29 +0100
Subject: MailScanner permits mail with score higher than allowed score
Message-ID: <56683A15.20500@addix.net>
Hi,
we have been experiencing a lot of spam mails for some days and some of the
mails are allowed and passed to the recipient. Let's have a look at a
log entry I found in my logs:
Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message
1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not
spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00,
KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45,
RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
This mail passed the mail system and reached the recipient. I'm curious
about two things:
Why was the mail ranked as "is not spam" (score > required score)?
Why has the required score a value of 3.5? I set per domain scores
within /etc/MailScanner/rules/spam.score.rules:
To: *@mycompany.com 4
To: *@mycompany.net 8
FromOrTo: default 3.5
To make it more complicated: Most of the time the required score for
mycompany.net is shown as 8, which is the required score that I'm expecting.
I would be very appreciative of any suggestions.
==============
Versions / OS
==============
Running on
Linux mailscan1.addix.campus 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep
15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS Linux release 7.1.1503 (Core)
This is Perl version 5.016003 (5.16.3)
This is MailScanner version 4.85.2
Module versions are:
1.01 AnyDBM_File
1.30 Archive::Zip
0.29 bignum
1.26 Carp
2.061 Compress::Zlib
1.119 Convert::BinHex
0.18 Convert::TNEF
2.145 Data::Dumper
2.30 Date::Parse
1.04 DirHandle
1.11 Fcntl
2.84 File::Basename
2.23 File::Copy
2.02 FileHandle
2.09 File::Path
0.2301 File::Temp
0.92 Filesys::Df
3.69 HTML::Entities
3.71 HTML::Parser
3.69 HTML::TokeParser
1.25_06 IO
1.16 IO::File
1.15 IO::Pipe
2.12 Mail::Header
1.998 Math::BigInt
0.2603 Math::BigRat
3.13 MIME::Base64
5.505 MIME::Decoder
5.505 MIME::Decoder::UU
5.505 MIME::Head
5.505 MIME::Parser
3.13 MIME::QuotedPrint
5.505 MIME::Tools
0.17 Net::CIDR
1.26 Net::IP
0.19 OLE::Storage_Lite
1.04 Pod::Escapes
3.28 Pod::Simple
1.30 POSIX
1.27 Scalar::Util
2.010 Socket
2.45 Storable
1.5 Sys::Hostname::Long
0.33 Sys::Syslog
1.48 Test::Pod
0.98 Test::Simple
1.9725 Time::HiRes
1.02 Time::localtime
Optional module versions are:
1.92 Archive::Tar
0.29 bignum
2.06 Business::ISBN
20120719.001 Business::ISBN::Data
missing Data::Dump
1.83 DB_File
1.39 DBD::SQLite
1.627 DBI
1.17 Digest
1.03 Digest::HMAC
2.52 Digest::MD5
missing Digest::SHA1
1.01 Encode::Detect
0.17020 Error
missing ExtUtils::CBuilder
3.18 ExtUtils::ParseXS
2.4 Getopt::Long
missing Inline
missing IO::String
1.10 IO::Zlib
2.28 IP::Country
missing Mail::ClamAV
3.004000 Mail::SpamAssassin
v2.008 Mail::SPF
missing Mail::SPF::Query
missing Module::Build
missing Net::CIDR::Lite
0.72 Net::DNS
missing Net::DNS::Resolver::Programmable
missing Net::LDAP
4.069 NetAddr::IP
missing Parse::RecDescent
missing SAVI
3.28 Test::Harness
missing Test::Manifest
2.02 Text::Balanced
1.60 URI
0.9907 version
missing YAML
Kind Regards,
i.A.
Oliver Kutscher
From jerry.benton at mailborder.com Wed Dec 9 14:38:28 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 9 Dec 2015 09:38:28 -0500
Subject: MailScanner permits mail with score higher than allowed score
In-Reply-To: <56683A15.20500@addix.net>
References: <56683A15.20500@addix.net>
Message-ID: <1A25C6B7-6AB8-4E74-9C1E-FB151EE31A6B@mailborder.com>
Because mycompany.net is set to 8 and the SA score is 7.768? I could be wrong. I was educated in South Carolina.
-
Jerry Benton
www.mailborder.com
> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher wrote:
>
> Hi,
>
> we have been experiencing a lot of spam mails for some days and some of the mails are allowed and passed to the recipient. Let's have a look at a log entry I found in my logs:
>
> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>
> This mail passed the mail system and reached the recipient. I'm curious about two things:
>
> Why was the mail ranked as "is not spam" (score > required score)?
>
> Why has the required score a value of 3.5? I set per domain scores within /etc/MailScanner/rules/spam.score.rules:
>
> To: *@mycompany.com 4
> To: *@mycompany.net 8
> FromOrTo: default 3.5
>
> To make it more complicated: Most of the time the required score for mycompany.net is shown as 8, which is the required score that I'm expecting.
>
> I would be very appreciative of any suggestions.
>
From jerry.benton at mailborder.com Wed Dec 9 14:44:25 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 9 Dec 2015 09:44:25 -0500
Subject: MailScanner permits mail with score higher than allowed score
In-Reply-To: <56683A15.20500@addix.net>
References: <56683A15.20500@addix.net>
Message-ID: <144A2C46-E82C-4B76-9094-940D0478B457@mailborder.com>
Yeah so … after actually reading it carefully and then pulling my shoes off to help with the counting …
Tabs? Are you using tabs in your rules?
-
Jerry Benton
www.mailborder.com
> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher wrote:
>
> Hi,
>
> we have been experiencing a lot of spam mails for some days and some of the mails are allowed and passed to the recipient. Let's have a look at a log entry I found in my logs:
>
> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>
> This mail passed the mail system and reached the recipient. I'm curious about two things:
>
> Why was the mail ranked as "is not spam" (score > required score)?
>
> Why has the required score a value of 3.5? I set per domain scores within /etc/MailScanner/rules/spam.score.rules:
>
> To: *@mycompany.com 4
> To: *@mycompany.net 8
> FromOrTo: default 3.5
>
> To make it more complicated: Most of the time the required score for mycompany.net is shown as 8, which is the required score that I'm expecting.
>
> I would be very appreciative of any suggestions.
>
From jerry.benton at mailborder.com Wed Dec 9 14:51:46 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 9 Dec 2015 09:51:46 -0500
Subject: MailScanner permits mail with score higher than allowed score
In-Reply-To: <56683A15.20500@addix.net>
References: <56683A15.20500@addix.net>
Message-ID:
And I am still sitting here blinking …. trying to remember what would cause an “is not spam” marking when the score exceeds the threshold. (Besides whitelisting)
Any whitelists for say … the server it came from?
-
Jerry Benton
www.mailborder.com
> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher wrote:
>
> Hi,
>
> we have been experiencing a lot of spam mails for some days and some of the mails are allowed and passed to the recipient. Let's have a look at a log entry I found in my logs:
>
> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>
> This mail passed the mail system and reached the recipient. I'm curious about two things:
>
> Why was the mail ranked as "is not spam" (score > required score)?
>
> Why has the required score a value of 3.5? I set per domain scores within /etc/MailScanner/rules/spam.score.rules:
>
> To: *@mycompany.com 4
> To: *@mycompany.net 8
> FromOrTo: default 3.5
>
> To make it more complicated: Most of the time the required score for mycompany.net is shown as 8, which is the required score that I'm expecting.
>
> I would be very appreciative of any suggestions.
>
>
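Added example (not part of any message in this thread, and not MailScanner code): a Python audit of MailScanner verdict lines that flags the two symptoms reported above, a "not spam" verdict with score at or above the required value, and a required value that differs from the per-domain ruleset. The first two sample lines are the ones quoted on this page with the line wrapping removed, the third is constructed; the expected-threshold table (including the mapping of mydomain.net to the 8 rule) and all function names are assumptions.

```python
import re

# Verdict line as quoted in this thread:
# "Message <id> from <ip> (<sender>) to <domains> is [not ]spam, SpamAssassin (<details>)"
VERDICT_RE = re.compile(
    r"Message (?P<msgid>\S+) from (?P<ip>\S+) \((?P<sender>[^)]*)\) "
    r"to (?P<to>\S+) is (?P<verdict>not spam|spam), "
    r"SpamAssassin \((?P<detail>[^)]*)\)"
)
SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)")
# Both spellings appear on this page: "required 6" and "required=3.5".
REQUIRED_RE = re.compile(r"required[ =](\d+(?:\.\d+)?)")
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)")


def parse_verdict(line):
    """Return a dict for a verdict line, or None if the line is something else."""
    m = VERDICT_RE.search(line)
    if not m:
        return None
    detail = m.group("detail")
    score, required = SCORE_RE.search(detail), REQUIRED_RE.search(detail)
    if not score or not required:
        return None
    return {
        "msgid": m.group("msgid"),
        "ip": m.group("ip"),
        "to": m.group("to").lower().split(","),
        "verdict": m.group("verdict"),
        "score": float(score.group(1)),
        "required": float(required.group(1)),
        "rules": {name: float(val) for name, val in RULE_RE.findall(detail)},
    }


def audit(lines, expected_required, default_required):
    """Return (msgid, kind, detail) tuples for inconsistent verdict lines."""
    findings = []
    for line in lines:
        rec = parse_verdict(line)
        if rec is None:
            continue
        over = rec["score"] >= rec["required"]
        summary = f"score={rec['score']} required={rec['required']} from {rec['ip']}"
        if over and rec["verdict"] == "not spam":
            # Delivered although over threshold: check whitelists for this sender/IP.
            findings.append((rec["msgid"], "passed-over-threshold", summary))
        elif not over and rec["verdict"] == "spam":
            findings.append((rec["msgid"], "flagged-under-threshold", summary))
        wanted = {expected_required.get(d, default_required) for d in rec["to"]}
        if rec["required"] not in wanted:
            # The ruleset did not yield the value the admin configured.
            findings.append((rec["msgid"], "unexpected-threshold",
                             f"required={rec['required']} expected one of {sorted(wanted)}"))
    return findings


# Assumed ruleset outcome per recipient domain (see lead-in).
EXPECTED_REQUIRED = {"mydomain.net": 8.0, "acnoc.net": 6.0}
DEFAULT_REQUIRED = 3.5

SAMPLE_LOG = [
    # From this page (score thread), unwrapped.
    "Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message "
    "1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not "
    "spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, "
    "KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, "
    "RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)",
    # From this page (Pyzor thread), unwrapped.
    "Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from "
    "198.173.85.230 (amazon-promotional-credit at urfhe.selectweddingbands.com) "
    "to acnoc.net is not spam, SpamAssassin (not cached, score=5.497, "
    "required 6, RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, "
    "RAZOR2_CHECK 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)",
    # Constructed: a consistent spam verdict at the expected threshold.
    "Dec 9 11:25:02 mailscan1.mydomain.campus MailScanner[30235]: Message "
    "1a6bvX-0008Zz-Qr from 192.0.2.15 (sender at example.org) to mydomain.net is "
    "spam, SpamAssassin (score=9.1, required=8, RCVD_IN_SBL_CSS 3.33)",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, EXPECTED_REQUIRED, DEFAULT_REQUIRED):
        print(finding)
```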
From steve at weigoldenterprises.com Wed Dec 9 15:00:32 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Wed, 9 Dec 2015 10:00:32 -0500
Subject: Searching the list archive - was: Pyzor integration
In-Reply-To: <5667B42F.4040906@msapiro.net>
References: <56678776.6020401@weigoldenterprises.com>
<5667B42F.4040906@msapiro.net>
Message-ID: <56684210.9060907@weigoldenterprises.com>
On 12/8/2015 11:55 PM, Mark Sapiro wrote:
> On 12/08/2015 05:44 PM, Steve Weigold wrote:
>> Greetings
>>
>> Apologies if this has been asked before, but while I found the list
>> archive, I couldn't find a means to search it and considering it goes
>> back many years, scanning by hand seemed a bit overwhelming. If there's
>> a search capability for it that I've missed, please let me know.
>
> You can always use google and limit the results to the
> lists.mailscanner.info domain with the query fragment
> site:lists.mailscanner.info. You can also use the inurl: query to limit
> results to a year or month with, e.g., inurl:2015 or inurl:2015-January.
>
> E.g. search for
>
> site:lists.mailscanner.info pyzor
>
> which still gives a lot of results or
>
> site:lists.mailscanner.info inurl:2014 pyzor
>
> which gives a more manageable number.
>
Thanks Mark! Learned something new!
Steve
From steve at weigoldenterprises.com Wed Dec 9 15:03:10 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Wed, 9 Dec 2015 10:03:10 -0500
Subject: Pyzor integration
In-Reply-To: <4CF7AA19-F133-4ACF-932A-18FD96EF474F@mailborder.com>
References: <56678776.6020401@weigoldenterprises.com>
<56678BC1.7070508@weigoldenterprises.com>
<4CF7AA19-F133-4ACF-932A-18FD96EF474F@mailborder.com>
Message-ID: <566842AE.4040706@weigoldenterprises.com>
Thanks Jerry. I fixed weird permissions on the folder and things seem
to be behaving now.
Steve
On 12/8/2015 9:22 PM, Jerry Benton wrote:
> Check which user and group you are running under. Also check the
> permissions. I personally like to create a group called mtagroup and
> add postfix, clamav, and whatever other users to it. I then use that
> group in MailScanner with group write permissions. Eliminates the
> permission issues.
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On Dec 8, 2015, at 9:02 PM, Steve Weigold wrote:
>>
>>
>> Some follow on information.... I expected all of the details to be in
>> mail.log and didn't think to check syslog. :-( More details there:
>>
>> Dec 8 11:40:35 gw1 mailscanner[4195]: Dec 8 11:40:35.083 [4334]
>> dbg: pyzor: got response: Traceback (most recent call last):\n File
>> "/usr/bin/pyzor", line 8, in \n pyzor.client.run()\n File
>> "/usr/lib/pymodules/python2.7/pyzor/client.py", line 1022, in run\n
>> ExecCall().run()\n File
>> "/usr/lib/pymodules/python2.7/pyzor/client.py", line 180, in run\n
>> os.mkdir(homedir)\nOSError: [Errno 13] Permission denied:
>> '/var/spool/postfix/.pyzor'
>> Dec 8 11:40:35 gw1 mailscanner[4195]: pyzor: check failed: internal
>> error, python traceback seen in response
>>
>> Obviously I have a permissions issue. Now I need to understand why
>> it's trying to use /var/spool/postfix for .pyzor instead of
>> /var/spool/MailScanner.
>>
>> I also clicked around more and found the archive search mechanism.
>>
>> Words of wisdom appreciated.
>>
>> Steve
>>
>>
>> On 12/8/2015 8:44 PM, Steve Weigold wrote:
>>> Greetings
>>>
>>> Apologies if this has been asked before, but while I found the list
>>> archive, I couldn't find a means to search it and considering it
>>> goes back many years, scanning by hand seemed a bit overwhelming. If
>>> there's a search capability for it that I've missed, please let me
>>> know.
>>>
>>> Anyway, I have a new server I've setup to be a spam filter gateway.
>>> It's a clean install of Debian Jessie with MailScanner and Postfix
>>> with what I believe to be the latest versions. Generally, the
>>> system is working, but I'm still getting much more spam than I
>>> should be. Reviewing the logs, I can see that I'm getting relatively
>>> low spam scores even on what I'd consider obvious spam emails.
>>>
>>> This led me down the path of what else could be done with
>>> spamassassin, which got me to Pyzor, Razor and DCC. At the moment,
>>> DCC isn't installed. I guess it was removed from the repository
>>> because it's non-free? Pyzor and Razor are installed, and somehow, I
>>> think I have Razor working, at least based on the fact that I see
>>> log entries like this one:
>>>
>>> Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747
>>> from 198.173.85.230
>>> (amazon-promotional-credit at urfhe.selectweddingbands.com) to
>>> acnoc.net is not spam, SpamAssassin (not cached,
>>> score=5.497, required 6, RAZOR2_CF_RANGE_51_100 0.36,
>>> RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK 1.73, SPF_SOFTFAIL
>>> 0.97, URIBL_BLOCKED 0.00)
>>>
>>> I'm not sure Pyzor is working though, and when I run MailScanner
>>> --lint, I get this:
>>>
>>> pyzor: check failed: internal error, python traceback seen in response
>>>
>>> I've googled ad nauseam and I'm getting nowhere.
>>>
>>> In spam.assassin.prefs.conf, I have:
>>> pyzor_options --homedir /var/spool/MailScanner/
>>>
>>> and permissions on that folder seem OK
>>> drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner
>>>
>>> Inside it, Pyzor's servers file:
>>> -rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers
>>>
>>> Help?
>>>
>>> Thanks!
>>> Steve
>>>
>>>
>>>
>>>
>>>
From ok at addix.net Wed Dec 9 15:06:52 2015
From: ok at addix.net (Oliver Kutscher)
Date: Wed, 9 Dec 2015 16:06:52 +0100
Subject: MailScanner permits mail with score higher than allowed score
In-Reply-To:
References: <56683A15.20500@addix.net>
Message-ID: <5668438C.9090806@addix.net>
To give you an overview:
The company.net rule has been hit 1381 times, and 4 of those hits have the
strange "required 3.5" value and/or the score > required score problem. An
example of an expected log entry:
Dec 9 15:52:52 mailscan1.mydomain.campus MailScanner[11325]: Message
1a6g6g-0004SR-Bx from 10.0.0.3 (mail at somedomain.net) to company.net is
not spam, SpamAssassin (score=1.1, required 8, KAM_LAZY_DOMAIN_SECURITY
1.00, TVD_SPACE_RATIO 0.10)
The required score is ok in this case.
> Tabs? Are you using tabs in your rules?
Yes. Tabs are used. I think if the rules file is messed up the rules
will never take effect.
> Any whitelists for say … the server it came from?
If there are any whitelist entries present (ip, domain, full address) a
"(whitelisted)" is passed to the log. 2 of the 4 strange mails were
virus infected spam mails from an unknown ip (definitely not wl).
Kind regards,
i.A.
Oliver Kutscher
--
Postal address:
ADDIX Internet Services GmbH
Postfach 1225
D-24011 Kiel
Tel: +49 431 7755 140
Fax: +49 431 7755 105
ok at addix.net
www.addix.net
On 09.12.2015 at 15:51, Jerry Benton wrote:
> And I am still sitting here blinking …. trying to remember what would cause a “is not spam” marking when the score exceeds the threshold. (Besides whitelisting)
>
> Any whitelists for say … the server it came from?
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher wrote:
>>
>> Hi,
>>
>> we have been experiencing a lot of spam mails for some days, and some of the mails are allowed and passed to the recipient. Let's have a look at a log entry I found in my logs:
>>
>> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>>
>> This mail passed the mail system and reached the recipient. I'm curious about two things:
>>
>> Why was the mail ranked as "is not spam" (score > required score)?
>>
>> Why does the required score have a value of 3.5? I set per-domain scores within /etc/MailScanner/rules/spam.score.rules:
>>
>> To: *@mycompany.com 4
>> To: *@mycompany.net 8
>> FromOrTo: default 3.5
>>
>> To make it more complicated: Most of the time the required score for mycompany.net is shown as 8, which is the required score that I'm expecting.
>>
>> I would very much appreciate any suggestions.
>>
>> ==============
>> Versions / OS
>> ==============
>> Running on
>> Linux mailscan1.addix.campus 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>> This is CentOS Linux release 7.1.1503 (Core)
>> This is Perl version 5.016003 (5.16.3)
>>
>> This is MailScanner version 4.85.2
>> Module versions are:
>> 1.01 AnyDBM_File
>> 1.30 Archive::Zip
>> 0.29 bignum
>> 1.26 Carp
>> 2.061 Compress::Zlib
>> 1.119 Convert::BinHex
>> 0.18 Convert::TNEF
>> 2.145 Data::Dumper
>> 2.30 Date::Parse
>> 1.04 DirHandle
>> 1.11 Fcntl
>> 2.84 File::Basename
>> 2.23 File::Copy
>> 2.02 FileHandle
>> 2.09 File::Path
>> 0.2301 File::Temp
>> 0.92 Filesys::Df
>> 3.69 HTML::Entities
>> 3.71 HTML::Parser
>> 3.69 HTML::TokeParser
>> 1.25_06 IO
>> 1.16 IO::File
>> 1.15 IO::Pipe
>> 2.12 Mail::Header
>> 1.998 Math::BigInt
>> 0.2603 Math::BigRat
>> 3.13 MIME::Base64
>> 5.505 MIME::Decoder
>> 5.505 MIME::Decoder::UU
>> 5.505 MIME::Head
>> 5.505 MIME::Parser
>> 3.13 MIME::QuotedPrint
>> 5.505 MIME::Tools
>> 0.17 Net::CIDR
>> 1.26 Net::IP
>> 0.19 OLE::Storage_Lite
>> 1.04 Pod::Escapes
>> 3.28 Pod::Simple
>> 1.30 POSIX
>> 1.27 Scalar::Util
>> 2.010 Socket
>> 2.45 Storable
>> 1.5 Sys::Hostname::Long
>> 0.33 Sys::Syslog
>> 1.48 Test::Pod
>> 0.98 Test::Simple
>> 1.9725 Time::HiRes
>> 1.02 Time::localtime
>>
>> Optional module versions are:
>> 1.92 Archive::Tar
>> 0.29 bignum
>> 2.06 Business::ISBN
>> 20120719.001 Business::ISBN::Data
>> missing Data::Dump
>> 1.83 DB_File
>> 1.39 DBD::SQLite
>> 1.627 DBI
>> 1.17 Digest
>> 1.03 Digest::HMAC
>> 2.52 Digest::MD5
>> missing Digest::SHA1
>> 1.01 Encode::Detect
>> 0.17020 Error
>> missing ExtUtils::CBuilder
>> 3.18 ExtUtils::ParseXS
>> 2.4 Getopt::Long
>> missing Inline
>> missing IO::String
>> 1.10 IO::Zlib
>> 2.28 IP::Country
>> missing Mail::ClamAV
>> 3.004000 Mail::SpamAssassin
>> v2.008 Mail::SPF
>> missing Mail::SPF::Query
>> missing Module::Build
>> missing Net::CIDR::Lite
>> 0.72 Net::DNS
>> missing Net::DNS::Resolver::Programmable
>> missing Net::LDAP
>> 4.069 NetAddr::IP
>> missing Parse::RecDescent
>> missing SAVI
>> 3.28 Test::Harness
>> missing Test::Manifest
>> 2.02 Text::Balanced
>> 1.60 URI
>> 0.9907 version
>> missing YAML
>>
>>
>> Kind Regards,
>> i.A.
>> Oliver Kutscher
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>
>
>
From dave at jonesol.com Wed Dec 9 15:29:58 2015
From: dave at jonesol.com (Dave Jones)
Date: Wed, 9 Dec 2015 09:29:58 -0600
Subject: Pyzor integration
In-Reply-To: <56678776.6020401@weigoldenterprises.com>
References: <56678776.6020401@weigoldenterprises.com>
Message-ID:
Couple of things:
1. See the URIBL_BLOCKED hit? This means you are using a DNS server
that has been blocked. You should set up a local DNS server on the
MailScanner server and not forward to another DNS server. It needs to
do its own full recursive lookups to keep it out of the aggregated
queries of the DNS server you are currently using.
2. Set up Postfix to block most of the emails using postscreen with RBL
weighting. Postfix should be blocking most of the spam (>85%) before
it ever gets to MailScanner and SpamAssassin.
Download the VM from http://efa-project.org/ and either use it or look
at how its Postfix is set up. It will have everything set up properly
like DNS, greylisting, Postfix, MailWatch, RBLs, etc. Also there are
a lot of examples on locking down Postfix on the Postfix mailing list.
Postscreen is a must.
3. Here are my Pyzor settings:
mailscanner.cf:pyzor_path /usr/bin/pyzor
mailscanner.cf:pyzor_options --homedir /etc/mail/spamassassin
mailscanner.cf:#use_pyzor 0
mailscanner.cf:pyzor_timeout 5
On Tue, Dec 8, 2015 at 7:44 PM, Steve Weigold wrote:
> Greetings
>
> Apologies if this has been asked before, but while I found the list archive,
> I couldn't find a means to search it and considering it goes back many
> years, scanning by hand seemed a bit overwhelming. If there's a search
> capability for it that I've missed, please let me know.
>
> Anyway, I have a new server I've setup to be a spam filter gateway. It's a
> clean install of Debian Jessie with MailScanner and Postfix with what I
> believe to be the latest versions. Generally, the system is working, but
> I'm still getting much more spam than I should be. Reviewing the logs, I
> can see that I'm getting relatively low spam scores even on what I'd
> consider obvious spam emails.
>
> This led me down the path of what else could be done with spamassassin,
> which got me to Pyzor, Razor and DCC. At the moment, DCC isn't installed.
> I guess it was removed from the repository because it's non-free? Pyzor and
> Razor are installed, and somehow, I think I have Razor working, at least
> based on the fact that I see log entries like this one:
>
> Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from
> 198.173.85.230 (amazon-promotional-credit at urfhe.selectweddingbands.com) to
> acnoc.net is not spam, SpamAssassin (not cached, score=5.497, required 6,
> RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK
> 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)
>
> I'm not sure Pyzor is working though, and when I run MailScanner --lint, I
> get this:
>
> pyzor: check failed: internal error, python traceback seen in response
>
> I've googled ad nauseam and I'm getting nowhere.
>
> In spam.assassin.prefs.conf, I have:
> pyzor_options --homedir /var/spool/MailScanner/
>
> and permissions on that folder seem OK
> drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner
>
> Inside it, Pyzor's servers file:
> -rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers
>
> Help?
>
> Thanks!
> Steve
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
From steve at weigoldenterprises.com Wed Dec 9 15:42:25 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Wed, 9 Dec 2015 10:42:25 -0500
Subject: Pyzor integration
In-Reply-To:
References: <56678776.6020401@weigoldenterprises.com>
Message-ID: <56684BE1.5070207@weigoldenterprises.com>
Thanks Dave. I appreciate your response.
I've already addressed the URIBL_BLOCKED issue with local DNS. Watching
the logs, that seems to be working nicely now.
I'll investigate postscreen. Greylisting is in place. Wish I'd have
known about that VM a couple of days ago!
Steve
On 12/9/2015 10:29 AM, Dave Jones wrote:
> Couple of things:
> 1. See the URIBL_BLOCKED hit? This means you are using a DNS server
> that has been blocked. You should set up a local DNS server on the
> MailScanner server and not forward to another DNS server. It needs to
> do its own full recursive lookups to keep it out of the aggregated
> queries of the DNS server you are currently using.
> 2. Set up Postfix to block most of the emails using postscreen with RBL
> weighting. Postfix should be blocking most of the spam (>85%) before
> it ever gets to MailScanner and SpamAssassin.
> Download the VM from http://efa-project.org/ and either use it or look
> at how its Postfix is set up. It will have everything set up properly
> like DNS, greylisting, Postfix, MailWatch, RBLs, etc. Also there are
> a lot of examples on locking down Postfix on the Postfix mailing list.
> Postscreen is a must.
> 3. Here are my Pyzor settings:
> mailscanner.cf:pyzor_path /usr/bin/pyzor
> mailscanner.cf:pyzor_options --homedir /etc/mail/spamassassin
> mailscanner.cf:#use_pyzor 0
> mailscanner.cf:pyzor_timeout 5
>
> On Tue, Dec 8, 2015 at 7:44 PM, Steve Weigold wrote:
>> Greetings
>>
>> Apologies if this has been asked before, but while I found the list archive,
>> I couldn't find a means to search it and considering it goes back many
>> years, scanning by hand seemed a bit overwhelming. If there's a search
>> capability for it that I've missed, please let me know.
>>
>> Anyway, I have a new server I've setup to be a spam filter gateway. It's a
>> clean install of Debian Jessie with MailScanner and Postfix with what I
>> believe to be the latest versions. Generally, the system is working, but
>> I'm still getting much more spam than I should be. Reviewing the logs, I
>> can see that I'm getting relatively low spam scores even on what I'd
>> consider obvious spam emails.
>>
>> This led me down the path of what else could be done with spamassassin,
>> which got me to Pyzor, Razor and DCC. At the moment, DCC isn't installed.
>> I guess it was removed from the repository because it's non-free? Pyzor and
>> Razor are installed, and somehow, I think I have Razor working, at least
>> based on the fact that I see log entries like this one:
>>
>> Dec 8 20:33:02 gw1 MailScanner[16071]: Message 0005D140024.A1747 from
>> 198.173.85.230 (amazon-promotional-credit at urfhe.selectweddingbands.com) to
>> acnoc.net is not spam, SpamAssassin (not cached, score=5.497, required 6,
>> RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK
>> 1.73, SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)
>>
>> I'm not sure Pyzor is working though, and when I run MailScanner --lint, I
>> get this:
>>
>> pyzor: check failed: internal error, python traceback seen in response
>>
>> I've googled ad nauseam and I'm getting nowhere.
>>
>> In spam.assassin.prefs.conf, I have:
>> pyzor_options --homedir /var/spool/MailScanner/
>>
>> and permissions on that folder seem OK
>> drwxr-xr-x 6 postfix postfix 4096 Dec 8 19:52 MailScanner
>>
>> Inside it, Pyzor's servers file:
>> -rwxrwxr-x 1 postfix postfix 23 Dec 8 19:52 servers
>>
>> Help?
>>
>> Thanks!
>> Steve
>>
>>
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>
From maxsec at gmail.com Wed Dec 9 16:42:14 2015
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed, 9 Dec 2015 16:42:14 +0000
Subject: MailScanner permits mail with score higher than allowed score
In-Reply-To: <5668438C.9090806@addix.net>
References: <56683A15.20500@addix.net>
<5668438C.9090806@addix.net>
Message-ID:
Looks like you've set the "is definitely not spam" for the address or domain
to me. This will override what SA says about the email; indeed, if the spam
is coming from your local 10.0 domain you may want to look deeper at what
addresses you whitelist.
--
Martin Hepworth, CISSP
Oxford, UK
On 9 December 2015 at 15:06, Oliver Kutscher wrote:
> To give you an overview:
>
> the company.net rule has been hit for 1381 time where 4 of them have the
> strange "required 3.5" value and / or score > required score problem. An
> example for an expected log:
>
> Dec 9 15:52:52 mailscan1.mydomain.campus MailScanner[11325]: Message
> 1a6g6g-0004SR-Bx from 10.0.0.3 (mail at somedomain.net) to company.net is
> not spam, SpamAssassin (score=1.1, required 8, KAM_LAZY_DOMAIN_SECURITY
> 1.00, TVD_SPACE_RATIO 0.10)
>
> The required score is ok in this case.
>
>> Tabs? Are you using tabs in your rules?
>
> Yes. Tabs are used. I think if the rules file is messed up the rules will
> never take effect.
>
>> Any whitelists for say … the server it came from?
>
> If there are any whitelist entries present (ip, domain, full address) a
> "(whitelisted)" is passed to the log. 2 of the 4 strange mails were virus
> infected spam mails from an unknown ip (definitely not wl).
>
> Kind regards,
> i.A.
> Oliver Kutscher
>
> --
>
> Postal address:
>
> ADDIX Internet Services GmbH
> Postfach 1225
> D-24011 Kiel
>
> Tel: +49 431 7755 140
> Fax: +49 431 7755 105
>
> ok at addix.net
> www.addix.net
>
>
> On 09.12.2015 at 15:51, Jerry Benton wrote:
>
>> And I am still sitting here blinking …. trying to remember what would
>> cause a “is not spam” marking when the score exceeds the threshold.
>> (Besides whitelisting)
>>
>> Any whitelists for say … the server it came from?
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>>
>>
>>
>> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher wrote:
>>>
>>> Hi,
>>>
>>> we have been experiencing a lot of spam mails for some days, and some of the
>>> mails are allowed and passed to the recipient. Let's have a look at a log
>>> entry I found in my logs:
>>>
>>> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message
>>> 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is
>>> not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00,
>>> KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS
>>> 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>>>
>>> This mail passed the mail system and reached the recipient. I'm curious
>>> about two things:
>>>
>>> Why was the mail ranked as "is not spam" (score > required score)?
>>>
>>> Why does the required score have a value of 3.5? I set per-domain scores
>>> within /etc/MailScanner/rules/spam.score.rules:
>>>
>>> To: *@mycompany.com 4
>>> To: *@mycompany.net 8
>>> FromOrTo: default 3.5
>>>
>>> To make it more complicated: Most of the time the required score for
>>> mycompany.net is shown as 8, which is the required score that I'm
>>> expecting.
>>>
>>> I would very much appreciate any suggestions.
>>>
>>> ==============
>>> Versions / OS
>>> ==============
>>> Running on
>>> Linux mailscan1.addix.campus 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep
>>> 15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>> This is CentOS Linux release 7.1.1503 (Core)
>>> This is Perl version 5.016003 (5.16.3)
>>>
>>> This is MailScanner version 4.85.2
>>> Module versions are:
>>> 1.01 AnyDBM_File
>>> 1.30 Archive::Zip
>>> 0.29 bignum
>>> 1.26 Carp
>>> 2.061 Compress::Zlib
>>> 1.119 Convert::BinHex
>>> 0.18 Convert::TNEF
>>> 2.145 Data::Dumper
>>> 2.30 Date::Parse
>>> 1.04 DirHandle
>>> 1.11 Fcntl
>>> 2.84 File::Basename
>>> 2.23 File::Copy
>>> 2.02 FileHandle
>>> 2.09 File::Path
>>> 0.2301 File::Temp
>>> 0.92 Filesys::Df
>>> 3.69 HTML::Entities
>>> 3.71 HTML::Parser
>>> 3.69 HTML::TokeParser
>>> 1.25_06 IO
>>> 1.16 IO::File
>>> 1.15 IO::Pipe
>>> 2.12 Mail::Header
>>> 1.998 Math::BigInt
>>> 0.2603 Math::BigRat
>>> 3.13 MIME::Base64
>>> 5.505 MIME::Decoder
>>> 5.505 MIME::Decoder::UU
>>> 5.505 MIME::Head
>>> 5.505 MIME::Parser
>>> 3.13 MIME::QuotedPrint
>>> 5.505 MIME::Tools
>>> 0.17 Net::CIDR
>>> 1.26 Net::IP
>>> 0.19 OLE::Storage_Lite
>>> 1.04 Pod::Escapes
>>> 3.28 Pod::Simple
>>> 1.30 POSIX
>>> 1.27 Scalar::Util
>>> 2.010 Socket
>>> 2.45 Storable
>>> 1.5 Sys::Hostname::Long
>>> 0.33 Sys::Syslog
>>> 1.48 Test::Pod
>>> 0.98 Test::Simple
>>> 1.9725 Time::HiRes
>>> 1.02 Time::localtime
>>>
>>> Optional module versions are:
>>> 1.92 Archive::Tar
>>> 0.29 bignum
>>> 2.06 Business::ISBN
>>> 20120719.001 Business::ISBN::Data
>>> missing Data::Dump
>>> 1.83 DB_File
>>> 1.39 DBD::SQLite
>>> 1.627 DBI
>>> 1.17 Digest
>>> 1.03 Digest::HMAC
>>> 2.52 Digest::MD5
>>> missing Digest::SHA1
>>> 1.01 Encode::Detect
>>> 0.17020 Error
>>> missing ExtUtils::CBuilder
>>> 3.18 ExtUtils::ParseXS
>>> 2.4 Getopt::Long
>>> missing Inline
>>> missing IO::String
>>> 1.10 IO::Zlib
>>> 2.28 IP::Country
>>> missing Mail::ClamAV
>>> 3.004000 Mail::SpamAssassin
>>> v2.008 Mail::SPF
>>> missing Mail::SPF::Query
>>> missing Module::Build
>>> missing Net::CIDR::Lite
>>> 0.72 Net::DNS
>>> missing Net::DNS::Resolver::Programmable
>>> missing Net::LDAP
>>> 4.069 NetAddr::IP
>>> missing Parse::RecDescent
>>> missing SAVI
>>> 3.28 Test::Harness
>>> missing Test::Manifest
>>> 2.02 Text::Balanced
>>> 1.60 URI
>>> 0.9907 version
>>> missing YAML
>>>
>>>
>>> Kind Regards,
>>> i.A.
>>> Oliver Kutscher
>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/listinfo/mailscanner
>>>
>>>
>>
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
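[Added example, not part of the original thread or of MailScanner: a log audit for the two symptoms discussed above, a message logged as "is not spam" although its score reaches the required score, and a required score that differs from the per-domain ruleset. The sample lines are constructed from the log format quoted in the thread; the expected thresholds mirror the quoted spam.score.rules, and treating any line containing "(whitelisted)" as whitelisted is an assumption.]

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample lines in the format quoted in this thread (not real traffic).
SAMPLE_LOG = """\
Dec 9 15:52:52 mailscan1 MailScanner[11325]: Message MSG-A from 192.0.2.3 (mail@sender.example) to mycompany.net is not spam, SpamAssassin (score=1.1, required 8, KAM_LAZY_DOMAIN_SECURITY 1.00, TVD_SPACE_RATIO 0.10)
Dec 9 11:22:50 mailscan1 MailScanner[30235]: Message MSG-B from 192.0.2.2 (spammer@spam.example) to mycompany.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, RCVD_IN_SBL_CSS 3.33)
Dec 9 11:25:01 mailscan1 MailScanner[30235]: Message MSG-C from 192.0.2.9 (partner@ok.example) to mycompany.net is not spam (whitelisted), SpamAssassin (score=9.2, required 8, RCVD_IN_XBL 0.38)
Dec 9 11:30:00 mailscan1 MailScanner[30235]: Message MSG-D from 192.0.2.8 (bulk@bulk.example) to mycompany.com is spam, SpamAssassin (score=12.4, required 4, URIBL_WS_SURBL 1.61)
Dec 8 20:33:02 gw1 MailScanner[16071]: Message MSG-E from 198.51.100.7 (promo@bulk.example) to other.example is not spam, SpamAssassin (not cached, score=5.497, required 6, RAZOR2_CHECK 1.73)
"""

# Thresholds as in the quoted spam.score.rules (domain -> required score).
EXPECTED_REQUIRED: Dict[str, float] = {"mycompany.com": 4.0, "mycompany.net": 8.0}
DEFAULT_REQUIRED = 3.5

# Both "required 8" and "required=3.5" appear in the quoted logs, so accept either.
LINE_RE = re.compile(
    r"Message (?P<id>\S+) from (?P<ip>\S+) \((?P<sender>[^)]*)\) to (?P<to>\S+) "
    r"is (?P<verdict>not spam|spam)\b.*?"
    r"score=(?P<score>-?\d+(?:\.\d+)?), required[ =](?P<required>-?\d+(?:\.\d+)?)"
)


class Finding(NamedTuple):
    msg_id: str
    recipient_domain: str
    score: float
    required: float
    reasons: Tuple[str, ...]


def audit(log_text: str,
          expected: Dict[str, float] = EXPECTED_REQUIRED,
          default: float = DEFAULT_REQUIRED) -> List[Finding]:
    """Return one Finding per log line that shows either anomaly."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a SpamAssassin verdict line
        score = float(m["score"])
        required = float(m["required"])
        domain = m["to"].lower()
        reasons = []

        # Symptom 1: delivered as ham although the score reaches the threshold
        # and the line does not say the message was whitelisted.
        whitelisted = "(whitelisted)" in line
        if m["verdict"] == "not spam" and score >= required and not whitelisted:
            reasons.append("delivered although score >= required")

        # Symptom 2: the logged threshold is not the one the ruleset assigns.
        want = expected.get(domain, default)
        if required != want:
            reasons.append(f"required={required:g} but ruleset expects {want:g}")

        if reasons:
            findings.append(Finding(m["id"], domain, score, required, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f.msg_id, f.recipient_domain, f.score, "; ".join(f.reasons))
```

Run against the real mail log, the message IDs it reports are the ones to look up in the whitelist and "definitely not spam" rulesets.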
From steve at weigoldenterprises.com Wed Dec 9 17:50:19 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Wed, 9 Dec 2015 12:50:19 -0500
Subject: Score modifications seem to be ignored?
Message-ID: <566869DB.204@weigoldenterprises.com>
In watching my logs on my new gateway, I noticed a couple of rules that
I wanted to have a higher effect on the SpamAssassin score. I modified
them in spam.assassin.prefs.conf (as below) and restarted MailScanner,
but the change doesn't seem to be recognized.
score LOTS_OF_MONEY 2
score URIBL_DBL_SPAM 3.5
Am I missing something?
Steve
From jerry.benton at mailborder.com Wed Dec 9 18:27:55 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 9 Dec 2015 13:27:55 -0500
Subject: Score modifications seem to be ignored?
In-Reply-To: <566869DB.204@weigoldenterprises.com>
References: <566869DB.204@weigoldenterprises.com>
Message-ID:
Restart spamassassin.
-
Jerry Benton
www.mailborder.com
> On Dec 9, 2015, at 12:50 PM, Steve Weigold wrote:
>
>
> In watching my logs on my new gateway, I noticed a couple of rules that I wanted to have a higher effect on the SpamAssassin score. I modified them in spam.assassin.prefs.conf (as below) and restarted MailScanner, but the change doesn't seem to be recognized.
>
> score LOTS_OF_MONEY 2
> score URIBL_DBL_SPAM 3.5
>
> Am I missing something?
>
> Steve
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
From mark at msapiro.net Wed Dec 9 18:34:55 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 9 Dec 2015 10:34:55 -0800
Subject: Bad File Name Detected
In-Reply-To:
References:
Message-ID: <5668744F.3080606@msapiro.net>
On 12/09/2015 04:58 AM, Razmik Baghdasaryan wrote:
>
> Who can help to disable Bad File Name detection from one ip address
Make a ruleset for Allow Filetypes. See
and the README and EXAMPLES files in the /etc/Mailscanner/rules or
wherever your MailScanner config is.
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
From steve at weigoldenterprises.com Thu Dec 10 17:07:55 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Thu, 10 Dec 2015 12:07:55 -0500
Subject: Score modifications seem to be ignored?
In-Reply-To: <566869DB.204@weigoldenterprises.com>
References: <566869DB.204@weigoldenterprises.com>
Message-ID: <5669B16B.9000806@weigoldenterprises.com>
So, I'm still working on resolving this. In my continued efforts, I've
learned that my revised scores are being ignored because they are trying
to change rules in the compiled ruleset. I realize this is more a
SpamAssassin question than a MailScanner question, but since MailScanner
runs SpamAssassin directly and uses its own SpamAssassin config
(apparently rather than local.cf), this seems the place to discuss it.
Since the rules I want to tweak are in the compiled ruleset, do I
A - find the ruleset files, change the ratings and recompile with
sa-compile? Some other variation of this approach? Are my revised
rules at risk of being overwritten with an update?
B - make my own similar custom rule (somehow) to ones I feel I want to
increase? Presumably those would go in spam.assassin.prefs.conf?
C - some other approach I haven't thought of?
Thanks!
Steve
On 12/9/2015 12:50 PM, Steve Weigold wrote:
>
> In watching my logs on my new gateway, I noticed a couple of rules
> that I wanted to have a higher effect on the SpamAssassin score. I
> modified them in spam.assassin.prefs.conf (as below) and restarted
> MailScanner, but the change doesn't seem to be recognized.
>
> score LOTS_OF_MONEY 2
> score URIBL_DBL_SPAM 3.5
>
> Am I missing something?
>
> Steve
>
>
>
From mark at msapiro.net Thu Dec 10 17:56:51 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 10 Dec 2015 09:56:51 -0800
Subject: Score modifications seem to be ignored?
In-Reply-To: <5669B16B.9000806@weigoldenterprises.com>
References: <566869DB.204@weigoldenterprises.com>
<5669B16B.9000806@weigoldenterprises.com>
Message-ID: <5669BCE3.4040609@msapiro.net>
On 12/10/2015 09:07 AM, Steve Weigold wrote:
>
> Since the rules I want to tweak are in the compiled ruleset, do I
>
> A - find the ruleset files, change the ratings and recompile with
> sa-compile? Some other variation of this approach? Are my revised
> rules at risk of being overwritten with an update?
Yes, your rules will be overwritten in an update.
> B - make my own similar custom rule (somehow) to ones I feel I want to
> increase? Presumably those would go in spam.assassin.prefs.conf?
You don't need the entire rule, just the new score. You have various
options on where to put this.
Settings in the *.cf files in /etc/mail/spamassassin/ (or maybe
/etc/spamassassin/) supplement or override defaults. These files are
processed in lexical order and the last setting of any particular thing
is effective. See
There should be a symlink like mailscanner.cf ->
/etc/MailScanner/spam.assassin.prefs.conf in this directory, so you can
put settings in /etc/MailScanner/spam.assassin.prefs.conf. There is also
normally a local.cf file there you can use.
I have my own x-local.cf file in which I put things like score changes
for various rules.
After adding your
score RULE_NAME n.n
line to one of these places, run sa-compile and reload spamd.
Also, any crons you have that update rules such as sa-update, or scripts
such as ScamNailer should also run sa-compile and reload spamd.
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
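[Added example, not part of the original message or of SpamAssassin: a small resolver that applies the "lexical order, last setting wins" behaviour described above to the score lines in a set of *.cf files, and reports which file supplies each effective score. The file contents are constructed; it models only the site configuration directory, not the distributed default rules, and with compiled rules sa-compile still has to be rerun as the message says.]

```python
import re
from pathlib import Path
from typing import Dict, List, NamedTuple

# "score RULE_NAME n.n" with an optional trailing comment; commented-out lines do not match.
SCORE_RE = re.compile(r"^\s*score\s+(?P<rule>\S+)\s+(?P<value>.+?)\s*(?:#.*)?$")


class Effective(NamedTuple):
    value: str             # score text as written in the winning file
    source: str            # file whose setting is effective
    overridden: List[str]  # earlier files whose setting was replaced


def load_dir(directory: str) -> Dict[str, str]:
    """Read every *.cf file in a directory (symlinks such as mailscanner.cf are followed)."""
    return {p.name: p.read_text() for p in Path(directory).glob("*.cf")}


def effective_scores(files: Dict[str, str]) -> Dict[str, Effective]:
    """Process files in lexical order of their names; the last 'score' line for a rule wins."""
    result: Dict[str, Effective] = {}
    for name in sorted(files):
        for line in files[name].splitlines():
            m = SCORE_RE.match(line)
            if m is None:
                continue
            rule, value = m["rule"], m["value"]
            previous = result.get(rule)
            overridden = list(previous.overridden) if previous else []
            if previous and previous.source != name:
                overridden.append(previous.source)
            result[rule] = Effective(value, name, overridden)
    return result


# Constructed contents for the three file names mentioned in the thread.
SAMPLE_FILES = {
    "x-local.cf": "score URIBL_DBL_SPAM 4.0\n",
    "local.cf": "score LOTS_OF_MONEY 1.0   # first attempt\nscore WE_TRUMP 1\n",
    "mailscanner.cf": "#score WE_TRUMP 5\nscore LOTS_OF_MONEY 2\nscore URIBL_DBL_SPAM 3.5\n",
}

if __name__ == "__main__":
    for rule, eff in sorted(effective_scores(SAMPLE_FILES).items()):
        note = f" (overrides {', '.join(eff.overridden)})" if eff.overridden else ""
        print(f"{rule:16} {eff.value:5} from {eff.source}{note}")
```

Because local.cf sorts before mailscanner.cf, a score set in both takes the mailscanner.cf value; a file named x-local.cf sorts after both and therefore has the final say.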
From steve at weigoldenterprises.com Thu Dec 10 21:33:07 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Thu, 10 Dec 2015 16:33:07 -0500
Subject: Reliably reloading configuration?
Message-ID: <5669EF93.8000304@weigoldenterprises.com>
First, is anyone else noticing a failure of list messages to come
through in the last 12-24 hours? I sent a follow up to my score
modifications email which didn't come through, and I see by looking at
the list archive that Jerry Benton responded with a suggestion of
restarting SpamAssassin which didn't come through either. :-/
In any case, I'm finding that my problem was less about finding where to
put score modifications and other custom rules, and apparently more
about reliably reloading the configuration for SpamAssassin. I've been
fighting this all day and I'm finding that the problem seems to be that
even with restarts, SpamAssassin doesn't seem to be reliably re-reading
the configuration.
I've tried all manner of restarts of MailScanner and SpamAssassin as
well as combining that with sequences of testing configs with --lint. I
can't seem to find anything that works reliably. As a reminder this is
a Debian Jessie system. I'm not seeing anything indicating an error in
syslog or mail.log on restart.
Currently, I have several modifications to standard test scores in
/etc/spamassasin/local.cf. I also have a simple custom rule. Somehow,
at some point in my testing today, I got them to be recognized, and my
updated scores are being used. Further, my test rule of:
body WE_TRUMP /\btrump/i
score WE_TRUMP 1
describe WE_TRUMP Tired of hearing about Trump this and Trump that
Is being processed, and I can see it when I look at the headers for test
messages. In testing, I've been trying to change the score value,
restart, and then send another test message, but my changes seem
ignored, again as if despite the restart, the configuration isn't being
reloaded.
I'm getting frustrated and I'm at a loss as to what to do next to figure
this out. Suggestions?
Thanks.
Steve
From mark at msapiro.net Thu Dec 10 22:12:17 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 10 Dec 2015 14:12:17 -0800
Subject: Reliably reloading configuration?
In-Reply-To: <5669EF93.8000304@weigoldenterprises.com>
References: <5669EF93.8000304@weigoldenterprises.com>
Message-ID: <5669F8C1.5030603@msapiro.net>
On 12/10/2015 01:33 PM, Steve Weigold wrote:
>
> First, is anyone else noticing a failure of list messages to come
> through in the last 12-24 hours?
Not here. I've seen everything in the archive at
> I sent a follow up to my score
> modifications email which didn't come through, and I see by looking at
> the list archive that Jerry Benton responded with a suggestion of
> restarting SpamAssassin which didn't come through either. :-/
I saw them.
> In any case, I'm finding that my problem was less about finding where to
> put score modifications and other custom rules, and apparently more
> about reliably reloading the configuration for SpamAssassin. I've been
> fighting this all day and I'm finding that the problem seems to be that
> even with restarts, SpamAssassin doesn't seem to be reliably re-reading
> the configuration.
Are you running sa-compile? Did you see my reply at
?
Your post at
implies you are using compiled rules. Thus, any time you modify rules
you have to run sa-compile.
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
From steve at weigoldenterprises.com Fri Dec 11 16:32:32 2015
From: steve at weigoldenterprises.com (Steve Weigold)
Date: Fri, 11 Dec 2015 11:32:32 -0500
Subject: Reliably reloading configuration?
In-Reply-To: <5669F8C1.5030603@msapiro.net>
References: <5669EF93.8000304@weigoldenterprises.com>
<5669F8C1.5030603@msapiro.net>
Message-ID: <566AFAA0.5080404@weigoldenterprises.com>
Mark, (and other helpers)
Thanks for your response. Apparently my issue with list messages was
due to another email problem on a different server which has been
resolved. It was unrelated to the list. I only noticed it because I
was looking for list replies. It's what happens when you screw with too
many things at once.
On 12/10/2015 5:12 PM, Mark Sapiro wrote:
>> In any case, I'm finding that my problem was less about finding where to
>> put score modifications and other custom rules, and apparently more
>> about reliably reloading the configuration for SpamAssassin. I've been
>> fighting this all day and I'm finding that the problem seems to be that
>> even with restarts, SpamAssassin doesn't seem to be reliably re-reading
>> the configuration.
>
> Are you running sa-compile? Did you see my reply at
> ?
>
> Your post at
>
> implies you are using compiled rules. Thus, any time you modify rules
> you have to run sa-compile.
sa-compile doesn't seem to be doing for me either. I'm not
'intentionally' using compiled rules, but apparently the stock rules are
compiled? I'm using the (generally) default spamassassin installation
in Debian Jessie.
Following your post, I made a small change to my custom rule score,
tried sa-compile and then both a spamassassin and mailscanner restart
and then sent a test message. Score was not changed in the message as
it was logged in MailWatch, nor in the actual header in the received
message.
Oddly, some time later (unsure, t > 1 hour) I happened to notice a
message go by on MailWatch which would have passed the custom rule, and
the updated score was present in the header without further intervention
from me. I'd given up for the day and just came back to check following
a food break.
I wondered if there was something happening as a cron job that was
performing some crucial additional step I was missing, but a review of
both the spamassassin and mailscanner cron jobs finds nothing _obvious_
that I'm missing. (not to say it's not there...)
The score changes I'd made previously to some of the stock rules took
effect "magically" at some point during my work yesterday, and I'm sure
it was without an sa-compile from me. Not to say it wasn't just
coincidental with one from a cron job.
For the sake of verification, when I do a mailscanner or a spamassassin
restart, I do just
/etc/init.d/mailscanner restart and
/etc/init.d/spamassassin restart
On a possibly related note, reviewing the logs, (syslog, mail) I can
clearly see where and when I restarted MailScanner. SpamAssassin on the
other hand, is leaving no evidence of a restart in either of these
logs. This seems odd.
Also, my understanding of MailScanner's use of SpamAssassin is that it's
invoked by MS and does NOT use SA in daemon mode. Assuming this is
correct, I then question the value of restarting SpamAssassin, at least
by restarting the daemon as I'm doing above. Related, I see in
MailWatch that MailScanner has 5 children indicated. Presumably these
are SA? I'm wondering if the "delay" in my updated configuration taking
effect is because SA really isn't restarting properly, or doesn't happen
until some time later when SA child processes age off and are replaced.
I'm beginning to suspect I have a subtle error in my MailScanner or
SpamAssassin configuration.
Perplexed. I feel like I'm being careful in following a strict
procedure when I test changes, but this one is eluding me. I appreciate
everyone's help with this.
Thanks.
Steve
--
------------------------------------------------------------------------
Steve Weigold
Weigold Enterprises
Cell - 513-365-0446
www.weigoldenterprises.com
www.facebook.com/weigoldenterprises
From mark at msapiro.net Fri Dec 11 19:10:02 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 11 Dec 2015 11:10:02 -0800
Subject: Reliably reloading configuration?
In-Reply-To: <566AFAA0.5080404@weigoldenterprises.com>
References: <5669EF93.8000304@weigoldenterprises.com>
<5669F8C1.5030603@msapiro.net> <566AFAA0.5080404@weigoldenterprises.com>
Message-ID: <566B1F8A.5090207@msapiro.net>
On 12/11/2015 08:32 AM, Steve Weigold wrote:
>
>
> sa-compile doesn't seem to be doing for me either. I'm not
> 'intentionally' using compiled rules, but apparently the stock rules are
> compiled? I'm using the (generally) default spamassassin installation
> in Debian Jessie.
>
> Following your post, I made a small change to my custom rule score,
> tried sa-compile and then both a spamassassin and mailscanner restart
> and then sent a test message. Score was not changed in the message as
> it was logged in MailWatch, nor in the actual header in the received
> message.
How are you running sa-compile? In a default debian/ubuntu environment,
sa-compile should be run 'su - debian-spamd'
> Oddly, some time later (unsure, t > 1 hour) I happened to notice a
> message go by on MailWatch which would have passed the custom rule, and
> the updated score was present in the header without further intervention
> from me. I'd given up for the day and just came back to check following
> a food break.
>
> I wondered if there was something happening as a cron job that was
> performing some crucial additional step I was missing, but a review of
> both the spamassassin and mailscanner cron jobs finds nothing _obvious_
> that I'm missing. (not to say it's not there...)
Again, a default debian/ubuntu spamassassin has
/etc/cron.daily/spamassassin which will update rules and run sa-compile.
> The score changes I'd made previously to some of the stock rules took
> effect "magically" at some point during my work yesterday, and I'm sure
> it was without an sa-compile from me. Not to say it wasn't just
> coincidental with one from a cron job.
>
> For the sake of verification, when I do a mailscanner or a spamassassin
> restart, I do just
>
> /etc/init.d/mailscanner restart and
> /etc/init.d/spamassassin restart
>
> On a possibly related note, reviewing the logs, (syslog, mail) I can
> clearly see where and when I restarted MailScanner. SpamAssassin on the
> other hand, is leaving no evidence of a restart in either of these
> logs. This seems odd.
'grep spamd /var/log/mail.log' should show something.
> Also, my understanding of MailScanner's use of SpamAssassin is that it's
> invoked by MS and does NOT use SA in daemon mode. Assuming this is
> correct, I then question the value of restarting SpamAssassin, at least
> by restarting the daemon as I'm doing above.
I think the above is correct, at least for 'standard' MailScanner (I
think there is a spamd patch, but it's non-standard). So yes,
restarting/reloading spamd (spamassassin) shouldn't be necessary.
> Related, I see in
> MailWatch that MailScanner has 5 children indicated. Presumably these
> are SA?
They are MailScanner workers, each of which will invoke spamassassin as
necessary when processing messages.
> I'm wondering if the "delay" in my updated configuration taking
> effect is because SA really isn't restarting properly, or doesn't happen
> until some time later when SA child processes age off and are replaced.
> I'm beginning to suspect I have a subtle error in my MailScanner or
> SpamAssassin configuration.
As noted above, I think restarting SA is a red herring here. It is more
likely an sa-compile issue of some kind.
Restarting MailScanner should definitely restart its children. If for
some reason this isn't happening, they will die of old age after (I
think) 2 hours which may explain something.
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
From wt at dld2000.com Sat Dec 12 15:38:13 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Sat, 12 Dec 2015 10:38:13 -0500
Subject: X-[org-name]-MailScanner-SpamScore doesn't always appear
Message-ID: <566C3F65.7010001@dld2000.com>
We have the following key settings in MailScanner.conf:
Spam Actions = custom()
Spam Score = yes
Use SpamAssassin = %rules-dir%/spam.scanning.rules
Spam Checks = %rules-dir%/spam.scanning.rules
Most of the emails passing through the server get a value set by
MailScanner for X-[org-name]-MailScanner-SpamScore in the message source.
However, there are a few emails where X-[org-name]-MailScanner-SpamScore
doesn't appear at all in the message source.
Can anyone tell me why?
Walt
From iversons at rushville.k12.in.us Sat Dec 12 17:19:57 2015
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 12 Dec 2015 12:19:57 -0500
Subject: X-[org-name]-MailScanner-SpamScore doesn't always appear
In-Reply-To: <566C3F65.7010001@dld2000.com>
References: <566C3F65.7010001@dld2000.com>
Message-ID:
There are some cases, depending on MailScanner settings, in which mail
bypasses spam scanning. One that I recall doing this is...
Deliver Cleaned Messages = yes
There may be others...
On Sat, Dec 12, 2015 at 10:38 AM, Walt Thiessen wrote:
> We have the following key settings in MailScanner.conf:
>
> Spam Actions = custom()
> Spam Score = yes
> Use SpamAssassin = %rules-dir%/spam.scanning.rules
> Spam Checks = %rules-dir%/spam.scanning.rules
>
> Most of the emails passing through the server get a value set by
> MailScanner for X-[org-name]-MailScanner-SpamScore in the message source.
>
> However, there are a few emails where X-[org-name]-MailScanner-SpamScore
> doesn't appear at all in the message source.
>
> Can anyone tell me why?
>
> Walt
--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
From mark at msapiro.net Sat Dec 12 17:32:47 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 12 Dec 2015 09:32:47 -0800
Subject: X-[org-name]-MailScanner-SpamScore doesn't always appear
In-Reply-To: <566C3F65.7010001@dld2000.com>
References: <566C3F65.7010001@dld2000.com>
Message-ID: <566C5A3F.5030607@msapiro.net>
On 12/12/2015 07:38 AM, Walt Thiessen wrote:
>
> However, there are a few emails where X-[org-name]-MailScanner-SpamScore
> doesn't appear at all in the message source.
>
> Can anyone tell me why?
SpamAssassin is skipped for messages larger than "Max Spam Check Size".
--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
From wt at dld2000.com Sun Dec 13 20:26:12 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Sun, 13 Dec 2015 15:26:12 -0500
Subject: X-[org-name]-MailScanner-SpamScore doesn't always appear
In-Reply-To: <566C5A3F.5030607@msapiro.net>
References: <566C3F65.7010001@dld2000.com> <566C5A3F.5030607@msapiro.net>
Message-ID: <566DD464.5060201@dld2000.com>
Thanks for all the clues, guys.
I found that the problem was actually in my CustomAction.pm file.
In that file, I attempt to extract the sascore that SpamAssassin has
already applied to the message.
I tried using $message->{sascore} and $message->{X-myorgname-SpamScore},
but both return N/A.
Can someone tell me how I can extract the SpamAssassin score for the
message so I can use it in my CustomAction.pm script?
From wt at dld2000.com Sun Dec 13 23:24:24 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Sun, 13 Dec 2015 18:24:24 -0500
Subject: X-[org-name]-MailScanner-SpamScore doesn't always appear
In-Reply-To: <566DD464.5060201@dld2000.com>
References: <566C3F65.7010001@dld2000.com> <566C5A3F.5030607@msapiro.net>
<566DD464.5060201@dld2000.com>
Message-ID: <566DFE28.2090805@dld2000.com>
I think I've figured out my problem, but I don't have a solution. I'm
hoping someone here can help.
I suspect that the CustomAction module runs BEFORE SpamAssassin in
MailScanner's runtime order. Can anyone confirm this to be true?
If true, this means that I can't reliably identify whether an email is
spam according to SpamAssassin while CustomAction.pm runs.
I want the CustomAction module to decide whether to send a follow-up
email to the original sender depending upon certain conditions. One of
those conditions is that the sender's email should not be detected as
spam by SpamAssassin.
But if SpamAssassin hasn't run yet, then my decision tree can't resolve
this question correctly.
Can anyone suggest a way around this problem?
From tmeireles at electroind.com Mon Dec 14 16:22:29 2015
From: tmeireles at electroind.com (tmeireles at electroind.com)
Date: Mon, 14 Dec 2015 11:22:29 -0500
Subject: Block macro word documents
Message-ID: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
Two malicious emails with macro word documents with the extension .doc got through today.
Was wondering what you guys do to block malicious macro word documents?
Thanks,
Tiago
From jerry.benton at mailborder.com Mon Dec 14 16:23:27 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 14 Dec 2015 11:23:27 -0500
Subject: Block macro word documents
In-Reply-To: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
References: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
Message-ID:
If you are using clam, you can block all macros. You can also add Sophos to your system for free and it might pick up what clam does not. None of the AV engines seem to be doing a good job of catching malicious macros.
-
Jerry Benton
www.mailborder.com
> On Dec 14, 2015, at 11:22 AM, tmeireles at electroind.com wrote:
>
> Two malicious emails with macro word documents with the extension .doc got through today.
>
> Was wondering what you guys do to block malicious macro word documents?
>
> Thanks,
> Tiago
From steveb_clamav at sanesecurity.com Mon Dec 14 16:29:09 2015
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Mon, 14 Dec 2015 16:29:09 -0000
Subject: Block macro word documents
In-Reply-To:
References: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
Message-ID: <5812ba6eaed2810112bbfdff2410ca8f.squirrel@sirius.servers.eqx.misp.co.uk>
On Mon, December 14, 2015 4:23 pm, Jerry Benton wrote:
> If you are using clam, you can block all macros. You can also add Sophos
> to your system for free and it might pick up what clam does not. None of
> the AV engines seem to be doing a good job of catching malicious macros.
>
If you use Sanesecurity signatures:
Make sure you use: badmacro.ndb
If you want to block EVERYTHING MACRO you can use clamd.conf
OLE2BlockMacros on
But for me, the above clamd.conf entry blocked lots of legitimate macros
from customers...
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
From mailscanner at replies.cyways.com Mon Dec 14 18:08:55 2015
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Mon, 14 Dec 2015 13:08:55 -0500
Subject: Block macro word documents
In-Reply-To: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
References: <003601d1368b$a0e01890$e2a049b0$@electroind.com>
Message-ID: <566F05B7.3050305@replies.cyways.com>
After one of my clients had a problem with embedded Office macros, they blocked their users from opening macros altogether. I believe you can use an MS group policy for this, though as a Linux person, I can't say for sure.
If I were managing a network, I'd certainly implement that policy. I was a bit surprised it wasn't the default at my client's site. I can see reasons to allow some selected people to run macros, but they'd be the exception not the rule.
As Jerry says, you can block macros entirely with ClamAV. In clamd.conf, set
ScanOLE2 yes
OLE2BlockMacros yes
Peter
On 12/14/2015 11:22 AM, tmeireles at electroind.com wrote:
> Two malicious emails with macro word documents with the extension .doc got through today.
>
> Was wondering what you guys do to block malicious macro word documents?
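Added example (not part of the original messages, and not ClamAV or MailScanner code): a shell audit of the two clamd.conf settings named in the replies above, ScanOLE2 and OLE2BlockMacros. The function names and the sample file are constructed for illustration; the accepted boolean spellings (yes/no, true/false, 1/0) and the defaults (ScanOLE2 yes, OLE2BlockMacros no) are the ones the clamd.conf man page lists.

```shell
#!/bin/sh
# Audit a clamd.conf for the OLE2 macro settings discussed in this thread.
# Assumption: option names are matched exactly as spelled in the messages.

# clamd_bool FILE OPTION DEFAULT
# Prints yes, no, "invalid:<value>" or "duplicate" for the named option.
clamd_bool() {
    awk -v opt="$2" -v def="$3" '
        /^[ \t]*#/ { next }                    # skip comment lines
        $1 == opt  { n++; val = tolower($2) }  # remember the value seen
        END {
            if (n == 0) { print def; exit }          # unset: documented default
            if (n > 1)  { print "duplicate"; exit }  # ambiguous: report it
            if (val ~ /^(yes|true|1)$/)      print "yes"
            else if (val ~ /^(no|false|0)$/) print "no"
            else                             print "invalid:" val
        }' "$1"
}

# audit_macro_blocking FILE
# Prints one finding per line; returns 0 only when both settings are effective.
audit_macro_blocking() {
    scan=$(clamd_bool "$1" ScanOLE2 yes)         # documented default: yes
    block=$(clamd_bool "$1" OLE2BlockMacros no)  # documented default: no
    rc=0
    case "$scan" in
        yes) ;;
        no)  echo "ScanOLE2 is off: OLE2 files are not scanned, so OLE2BlockMacros cannot fire"; rc=1 ;;
        *)   echo "ScanOLE2: $scan"; rc=1 ;;
    esac
    case "$block" in
        yes) ;;
        no)  echo "OLE2BlockMacros is off: macros alone do not cause a detection"; rc=1 ;;
        *)   echo "OLE2BlockMacros: $block"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "macro blocking enabled"
    return "$rc"
}

# Constructed sample (not a real system's file). It uses the "on" spelling to
# show how a value outside the documented boolean set is reported.
sample_conf() {
    cat <<'EOF'
# constructed sample clamd.conf
LocalSocket /var/run/clamav/clamd.ctl
ScanOLE2 yes
OLE2BlockMacros on
EOF
}

# Audit a real file when a path is given, e.g.: sh audit.sh /etc/clamav/clamd.conf
if [ "$#" -gt 0 ]; then
    audit_macro_blocking "$1"
fi
```

A non-zero exit status means at least one finding was printed, so the function can gate a deployment or monitoring check. As the thread notes, blocking all macros also flags legitimate documents.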
From maillists at conactive.com Wed Dec 16 10:31:02 2015
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed, 16 Dec 2015 11:31:02 +0100
Subject: Reliably reloading configuration?
In-Reply-To: <566B1F8A.5090207@msapiro.net>
References: <5669EF93.8000304@weigoldenterprises.com>
<5669F8C1.5030603@msapiro.net>
<566AFAA0.5080404@weigoldenterprises.com>
<566B1F8A.5090207@msapiro.net>
Message-ID:
Mark Sapiro wrote on Fri, 11 Dec 2015 11:10:02 -0800:
> I think the above is correct, at least for 'standard' MailScanner (I
> think there is a spamd patch, but it's non-standard). So yes,
> restarting/reloading spamd (spamassassin) shouldn't be necessary.
To expand on this. I'm not on Ubuntu but /etc/init.d/spamassassin restart
looks like it starts the daemon (spamd). MailScanner does not use spamd.
Running spamd just costs you resources (RAM and CPU). Shut it off.
Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
From jerry.benton at mailborder.com Thu Dec 17 09:11:39 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 17 Dec 2015 04:11:39 -0500
Subject: Phishing Update Server
Message-ID:
Optional hostname update: phishing.mailscanner.info
So I was wondering why my data transfer bill was so damn high … then I found the phishing update server is using a large amount of data from people downloading the update files. So ...
I moved the phishing update server to a new datacenter with more generous data allowance and speed. While I was at it I added the hostname phishing.mailscanner.info to DNS and to the server. So now you can use that domain name if you like. It is still the same exact server as phishing.mailborder.com.
-
Jerry Benton
www.mailborder.com
From kevin.miller at juneau.org Thu Dec 17 17:45:11 2015
From: kevin.miller at juneau.org (Kevin Miller)
Date: Thu, 17 Dec 2015 17:45:11 +0000
Subject: Phishing Update Server
In-Reply-To:
References:
Message-ID: <9b1d49b3c181462da2dd14525da90d08@City-Exch-DB1.cbj.local>
Perhaps setting up a pool, sort of like the ones for NTP, would be worthwhile. Mirror the phishing file on a dozen or so servers and do round-robin DNS to share the load. I'd bet a number of folks using MailScanner would be willing to offer up a tiny amount of disk space and a little bandwidth as a way to give back. I'd have to clear it w/my boss, but I'd bet we would. It would certainly be cheaper (I'd think anyway) than your average support contract for a commercial product...
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357
-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: Thursday, December 17, 2015 12:12 AM
To: MailScanner Discussion
Subject: Phishing Update Server
Optional hostname update: phishing.mailscanner.info
So I was wondering why my data transfer bill was so damn high … then I found the phishing update server is using a large amount of data from people downloading the update files. So ...
I moved the phishing update server to a new datacenter with more generous data allowance and speed. While I was at it I added the hostname phishing.mailscanner.info to DNS and to the server. So now you can use that domain name if you like. It is still the same exact server as phishing.mailborder.com.
-
Jerry Benton
www.mailborder.com
From jerry.benton at mailborder.com Thu Dec 17 19:31:20 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 17 Dec 2015 14:31:20 -0500
Subject: Phishing Update Server
In-Reply-To: <9b1d49b3c181462da2dd14525da90d08@City-Exch-DB1.cbj.local>
References:
<9b1d49b3c181462da2dd14525da90d08@City-Exch-DB1.cbj.local>
Message-ID: <59EDC4E5-1854-426D-B6A9-7647C664B8F2@mailborder.com>
Kevin,
Thanks for the offer, but it is not an issue anymore. The new server is now only costing $20 a month and I will probably start hosting the bad host and domain file on Amazon S3 with a pointer from the phishing server. That way it will be replicated and still very cheap. I also want to use the phishing as a method to kind of gauge how many MailScanner instances are out there using awstats. I noticed a lot of hits for the old file and other items (like 1x1image.gif) that I created pointers for. This “un-breaks” a lot of the older MailScanner systems.
-
Jerry Benton
www.mailborder.com
> On Dec 17, 2015, at 12:45 PM, Kevin Miller wrote:
>
> Perhaps setting up a pool, sort of like the ones for NTP, would be worthwhile. Mirror the phishing file on a dozen or so servers and do round-robin DNS to share the load. I'd bet a number of folks using MailScanner would be willing to offer up a tiny amount of disk space and a little bandwidth as a way to give back. I'd have to clear it w/my boss, but I'd bet we would. It would certainly be cheaper (I'd think anyway) than your average support contract for a commercial product...
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
> Sent: Thursday, December 17, 2015 12:12 AM
> To: MailScanner Discussion
> Subject: Phishing Update Server
>
> Optional hostname update: phishing.mailscanner.info
>
>
> So I was wondering why my data transfer bill was so damn high … then I found the phishing update server is using a large amount of data from people downloading the update files. So ...
>
> I moved the phishing update server to a new datacenter with more generous data allowance and speed. While I was at it I added the hostname phishing.mailscanner.info to DNS and to the server. So now you can use that domain name if you like. It is still the same exact server as phishing.mailborder.com.
>
>
>
> -
> Jerry Benton
> www.mailborder.com
From wt at dld2000.com Sat Dec 19 13:38:27 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Sat, 19 Dec 2015 08:38:27 -0500
Subject: call email delivery from customaction?
In-Reply-To: <59EDC4E5-1854-426D-B6A9-7647C664B8F2@mailborder.com>
References:
<9b1d49b3c181462da2dd14525da90d08@City-Exch-DB1.cbj.local>
<59EDC4E5-1854-426D-B6A9-7647C664B8F2@mailborder.com>
Message-ID: <56755DD3.1060307@dld2000.com>
If I want to run all emails through CustomAction.pm regardless of
whether they're spam, I presume I could set Non Spam Actions = custom()
in MailScanner.conf.
But is there a way to invoke delivery from CustomAction.pm after that?
From mailscanner-list at okla.com Tue Dec 22 17:18:07 2015
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Tue, 22 Dec 2015 11:18:07 -0600
Subject: Avast anyone?
Message-ID: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
Is anyone running Avast Antivirus with MailScanner and if so, what version
of their product and how happy are you with it?
Thanks!
From marek.gorny at bolix.pl Wed Dec 23 07:29:56 2015
From: marek.gorny at bolix.pl (Marek Górny)
Date: Wed, 23 Dec 2015 07:29:56 +0000
Subject: Avast anyone?
In-Reply-To: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
Message-ID:
Hi
I am using avast antivirus but in parallel f-secure also from many years.
F-secure is more effective and use less resources.
..but Avast is better than nothing.
Marek Górny
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Tracy Greggs
Sent: Tuesday, December 22, 2015 6:18 PM
To: 'MailScanner Discussion'
Subject: Avast anyone?
Is anyone running Avast Antivirus with MailScanner and if so, what version of their product and how happy are you with it?
Thanks!
Bolix SA
Ul. Stolarska 8
34-300 Żywiec, Poland
From wcolburn at nrao.edu Wed Dec 23 15:49:49 2015
From: wcolburn at nrao.edu (William D. Colburn)
Date: Wed, 23 Dec 2015 08:49:49 -0700
Subject: Trouble making my own virus scanner
In-Reply-To:
References: <20151125181009.GA15002@anotheruvula.aoc.nrao.edu>
Message-ID: <20151223154949.GA2940@nmpost-master.aoc.nrao.edu>
On Thu, Nov 26, 2015 at 06:38:33AM -0500, Shawn Iverson wrote:
>I use SCEP here. I'll set it up and give it a go with your wrapper.
>
>I know that each scanner has its own code in SweepViruses.pm. I'm not sure
>if the generic scanner is actually doing much. The "ProcessGenericOutput"
>subroutine appears pretty barebones at first glance.
Did you ever figure anything out? Is there a better way to scep with
mailscanner than what I tried?
--Schlake
From mailscanner-list at okla.com Wed Dec 23 17:52:28 2015
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Wed, 23 Dec 2015 11:52:28 -0600
Subject: Avast anyone?
In-Reply-To:
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
Message-ID: <014f01d13daa$b4987500$1dc95f00$@okla.com>
OK, thanks for your input.
Clamd is missing a lot of junk that Sophos free is catching but I am trying
to come up with some consensus on the best paid for AV scanner that will
work with MailScanner.
Any input from others on the list that are running multiple AV scanners
would be more than welcome :-)
Happy Holidays to everyone!
Tracy
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On
Behalf Of Marek Górny
Sent: Wednesday, December 23, 2015 1:30 AM
To: MailScanner Discussion
Subject: RE: Avast anyone?
Hi
I am using avast antivirus but in parallel f-secure also from many years.
F-secure is more effective and use less resources.
..but Avast is better than nothing.
Marek Górny
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On
Behalf Of Tracy Greggs
Sent: Tuesday, December 22, 2015 6:18 PM
To: 'MailScanner Discussion'
Subject: Avast anyone?
Is anyone running Avast Antivirus with MailScanner and if so, what version
of their product and how happy are you with it?
Thanks!
From steveb_clamav at sanesecurity.com Wed Dec 23 18:00:10 2015
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Wed, 23 Dec 2015 18:00:10 -0000
Subject: Avast anyone?
In-Reply-To: <014f01d13daa$b4987500$1dc95f00$@okla.com>
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
<014f01d13daa$b4987500$1dc95f00$@okla.com>
Message-ID: <9fd380526f6e01d8f6009e832da1c9c6.squirrel@sanesecurity.com>
On Wed, December 23, 2015 5:52 pm, Tracy Greggs wrote:
> Clamd is missing a lot of junk that Sophos free is catching but I am
> trying to come up with some consensus on the best paid for AV scanner that
> will work with MailScanner.
When you say Clamd is missing a lot... is this just the official signatures,
or are you using the add-on Sanesecurity ClamAV signatures.
If you are using Sanesecurity sigs make sure you use;
badmacro.ndb
phish.ndb
rogue.hdb
foxhole_filename.cdb
foxhole_generic.cdb
Email me off-list if you want to discuss.
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
From tmeireles at electroind.com Wed Dec 23 18:21:36 2015
From: tmeireles at electroind.com (tmeireles at electroind.com)
Date: Wed, 23 Dec 2015 13:21:36 -0500
Subject: Avast anyone?
In-Reply-To: <014f01d13daa$b4987500$1dc95f00$@okla.com>
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
<014f01d13daa$b4987500$1dc95f00$@okla.com>
Message-ID: <026701d13dae$c26ef330$474cd990$@electroind.com>
On the question of antiviruses does mailscanner support Symantec Endpoint
Protection? If so anyone using it? We have a corporate license and currently
we are only using clamd.
Tiago
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On
Behalf Of Tracy Greggs
Sent: Wednesday, December 23, 2015 12:52 PM
To: 'MailScanner Discussion'
Subject: RE: Avast anyone?
OK, thanks for your input.
Clamd is missing a lot of junk that Sophos free is catching but I am trying
to come up with some consensus on the best paid for AV scanner that will
work with MailScanner.
Any input from others on the list that are running multiple AV scanners
would be more than welcome :)
Happy Holidays to everyone!
Tracy
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On
Behalf Of Marek Górny
Sent: Wednesday, December 23, 2015 1:30 AM
To: MailScanner Discussion
Subject: RE: Avast anyone?
Hi
I am using avast antivirus but in parallel f-secure also from many years.
F-secure is more effective and uses fewer resources.
..but Avast is better than nothing.
Marek Górny
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On
Behalf Of Tracy Greggs
Sent: Tuesday, December 22, 2015 6:18 PM
To: 'MailScanner Discussion'
Subject: Avast anyone?
Is anyone running Avast Antivirus with MailScanner and if so, what version
of their product and how happy are you with it?
Thanks!
From mailscanner-list at okla.com Wed Dec 23 22:14:57 2015
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Wed, 23 Dec 2015 16:14:57 -0600
Subject: Avast anyone?
In-Reply-To: <9fd380526f6e01d8f6009e832da1c9c6.squirrel@sanesecurity.com>
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
<014f01d13daa$b4987500$1dc95f00$@okla.com>
<9fd380526f6e01d8f6009e832da1c9c6.squirrel@sanesecurity.com>
Message-ID: <018801d13dcf$5ff2fe60$1fd8fb20$@okla.com>
Steve:
I am not using the Sanesecurity signatures and you have a valid point that I should be, but it does seem like clamd used to be a lot better "out of the box" than it is now. One would think that since Cisco took it over it would get better but it appears they are not doing a lot with it.
I have heard everything about FPROT from it sucks bad to it's great, so I am a little hesitant to buy it. Anyone can feel free to chime in on that.
Tracy
-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Basford
Sent: Wednesday, December 23, 2015 12:00 PM
To: MailScanner Discussion
Subject: RE: Avast anyone?
On Wed, December 23, 2015 5:52 pm, Tracy Greggs wrote:
> Clamd is missing a lot of junk that Sophos free is catching but I am
> trying to come up with some consensus on the best paid for AV scanner
> that will work with MailScanner.
When you say Clamd is missing a lot... is this just the official signatures, or are you using the add-on Sanesecurity ClamAV signatures.
If you are using Sanesecurity sigs make sure you use;
badmacro.ndb
phish.ndb
rogue.hdb
foxhole_filename.cdb
foxhole_generic.cdb
Email me off-list if you want to discuss.
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
From mailinglists at feedmebits.nl Wed Dec 23 22:30:44 2015
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 23 Dec 2015 23:30:44 +0100
Subject: Avast anyone?
In-Reply-To: <018801d13dcf$5ff2fe60$1fd8fb20$@okla.com>
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
<014f01d13daa$b4987500$1dc95f00$@okla.com>
<9fd380526f6e01d8f6009e832da1c9c6.squirrel@sanesecurity.com>
<018801d13dcf$5ff2fe60$1fd8fb20$@okla.com>
Message-ID:
Only reason I bought an F-Prot license is because they have Linux
support without needing a quote from customer service. All the others
don't even advertise their Linux product on their site or they don't
support Linux or don't know a thing about Linux. But overall, 90% of
the AV companies don't reply to your questions about their product. So I
would just pick one that has Linux support, or compare the AV companies'
statistics on: https://www.virustotal.com/
On 2015-12-23 23:14, Tracy Greggs wrote:
> Steve:
>
> I am not using the Sanesecurity signatures and you have a valid point
> that I should be, but it does seem like clamd used to be a lot better
> "out of the box" than it is now. One would think that since Cisco
> took it over it would get better but it appears they are not doing a
> lot with it.
>
> I have heard everything about FPROT from it sucks bad to its great, so
> I am a little hesitant to buy it. Anyone can feel free to chime in on
> that.
>
> Tracy
>
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info]
> On Behalf Of Steve Basford
> Sent: Wednesday, December 23, 2015 12:00 PM
> To: MailScanner Discussion
> Subject: RE: Avast anyone?
>
>
> On Wed, December 23, 2015 5:52 pm, Tracy Greggs wrote:
>
>> Clamd is missing a lot of junk that Sophos free is catching but I am
>> trying to come up with some consensus on the best paid for AV scanner
>> that will work with MailScanner.
>
> When you say Clamd is missing a lot... is this just the official
> signatures, or are you using the add-on Sanesecurity ClamAV
> signatures.
>
> If you are using Sanesecurity sigs make sure you use;
>
> badmacro.ndb
> phish.ndb
> rogue.hdb
> foxhole_filename.cdb
> foxhole_generic.cdb
>
> Email me off-list if you want to discuss.
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
From jerry.benton at mailborder.com Thu Dec 24 06:28:20 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 24 Dec 2015 01:28:20 -0500
Subject: MailScanner Statistics
Message-ID:
I was curious how many instances are running MailScanner, so I set up awstats on the phishing update site. Of course, everyone may not be using the update site, but it is interesting to see the statistics anyway. There is a statistics link at the bottom of the page if you want to take a look. It is a new server, so there is not a lot of history, but you still get some good information from it.
http://phishing.mailscanner.info
-
Jerry Benton
www.mailborder.com
From carles at unlimitedmail.org Thu Dec 24 08:40:22 2015
From: carles at unlimitedmail.org (=?UTF-8?Q?[SOLTECSIS]_Carles_Xavier_Munyoz_Bald=c3=b3?=)
Date: Thu, 24 Dec 2015 09:40:22 +0100
Subject: Avast anyone?
In-Reply-To:
References: <00b301d13cdc$bdc5e5f0$3951b1d0$@okla.com>
<014f01d13daa$b4987500$1dc95f00$@okla.com>
<9fd380526f6e01d8f6009e832da1c9c6.squirrel@sanesecurity.com>
<018801d13dcf$5ff2fe60$1fd8fb20$@okla.com>
Message-ID: <567BAF76.8060906@unlimitedmail.org>
Hello,
I'm trying to use the latest Avast version for Linux: avast_2.1.0-1_amd64.deb
The problem I'm having is that the avast-wrapper script is not valid for
the latest version of Avast. I have solved it by modifying
SweepViruses.pm, commenting out this line:
#CommonOptions => '-n -t=A',
The problem now is in the ProcessAvastOutput function, which is not
valid for this version of Avast.
Does anyone know how to solve it?
Thank you very much in advance.
Best regards.
On 23/12/15 at 23:30, Maarten wrote:
> Only reason I bought an F-Prot license is because they have Linux
> support without needing a quote from customer service. All the others
> don't even advertise their Linux product on their site or they don't
> support Linux or don't know a thing about Linux. But overall, 90% of
> the AV companies don't reply to your questions about their product. So I
> would just pick one that has Linux support, or compare the AV companies'
> statistics on: https://www.virustotal.com/
>
>
> On 2015-12-23 23:14, Tracy Greggs wrote:
>> Steve:
>>
>> I am not using the Sanesecurity signatures and you have a valid point
>> that I should be, but it does seem like clamd used to be a lot better
>> "out of the box" than it is now. One would think that since Cisco
>> took it over it would get better but it appears they are not doing a
>> lot with it.
>>
>> I have heard everything about FPROT from it sucks bad to its great, so
>> I am a little hesitant to buy it. Anyone can feel free to chime in on
>> that.
>>
>> Tracy
>>
>>
>> -----Original Message-----
>> From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info]
>> On Behalf Of Steve Basford
>> Sent: Wednesday, December 23, 2015 12:00 PM
>> To: MailScanner Discussion
>> Subject: RE: Avast anyone?
>>
>>
>> On Wed, December 23, 2015 5:52 pm, Tracy Greggs wrote:
>>
>>> Clamd is missing a lot of junk that Sophos free is catching but I am
>>> trying to come up with some consensus on the best paid for AV scanner
>>> that will work with MailScanner.
>>
>> When you say Clamd is missing a lot... is this just the official
>> signatures, or are you using the add-on Sanesecurity ClamAV
>> signatures.
>>
>> If you are using Sanesecurity sigs make sure you use;
>>
>> badmacro.ndb
>> phish.ndb
>> rogue.hdb
>> foxhole_filename.cdb
>> foxhole_generic.cdb
>>
>> Email me off-list if you want to discuss.
>>
>> Cheers,
>>
>> Steve
>> Web : sanesecurity.com
>> Blog: sanesecurity.blogspot.com
--
Regards.
========================================
SOLTECSIS SOLUCIONES TECNOLOGICAS, S.L.
Carles Xavier Munyoz Baldó
R&D&I Department
Tel./Fax: 966 446 046
cmunyoz at soltecsis.com
www.soltecsis.com
========================================
From wt at dld2000.com Thu Dec 24 15:08:16 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Thu, 24 Dec 2015 10:08:16 -0500
Subject: MailScanner Statistics
In-Reply-To:
References:
Message-ID: <567C0A60.80001@dld2000.com>
You'd get more accurate information by installing Google Analytics on
the website. Awstats is notoriously inaccurate.
Walt
On 12/24/2015 1:28 AM, Jerry Benton wrote:
> I was curious how many instances are running MailScanner, so I set up awstats on the phishing update site. Of course, everyone may not be using the update site, but it is interesting to see the statistics anyway. There is a statistics link at the bottom of the page if you want to take a look. It is a new server, so there is not a lot of history, but you still get some good information from it.
>
> http://phishing.mailscanner.info
>
>
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>
>
From jerry.benton at mailborder.com Thu Dec 24 18:30:46 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 24 Dec 2015 13:30:46 -0500
Subject: MailScanner Statistics
In-Reply-To: <567C0A60.80001@dld2000.com>
References:
<567C0A60.80001@dld2000.com>
Message-ID: <51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com>
Sure, except you cannot use Google analytics with a .conf file that gets downloaded 20,000+ times a day with curl or wget that accounts for 10GB of transfer every day.
-
Jerry Benton
www.mailborder.com
> On Dec 24, 2015, at 10:08 AM, Walt Thiessen wrote:
>
> You'd get more accurate information by installing Google Analytics on the website. Awstats is notoriously inaccurate.
>
> Walt
>
>
> On 12/24/2015 1:28 AM, Jerry Benton wrote:
>> I was curious how many instances are running MailScanner, so I set up awstats on the phishing update site. Of course, everyone may not be using the update site, but it is interesting to see the statistics anyway. There is a statistics link at the bottom of the page if you want to take a look. It is a new server, so there is not a lot of history, but you still get some good information from it.
>>
>> http://phishing.mailscanner.info
>>
>>
>>
>> -
>> Jerry Benton
>> www.mailborder.com
From andrew at topdog.za.net Fri Dec 25 05:57:07 2015
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Fri, 25 Dec 2015 07:57:07 +0200
Subject: MailScanner Statistics
In-Reply-To: <51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com>
References:
<567C0A60.80001@dld2000.com>
<51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com>
Message-ID: <90AE516D-6090-4FEB-B6C0-12BAA355306F@topdog.za.net>
On 24 Dec 2015, at 8:30 PM, Jerry Benton wrote:
> Sure, except you cannot use Google analytics with a .conf file that gets downloaded 20,000+ times a day with curl or wget that accounts for 10GB of transfer every day.
And… doesn't Google analytics use javascript ?
And… why are people so obsessed with having Google collect data on them and their users ?
From wt at dld2000.com Fri Dec 25 14:02:17 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Fri, 25 Dec 2015 09:02:17 -0500
Subject: MailScanner Statistics
In-Reply-To: <90AE516D-6090-4FEB-B6C0-12BAA355306F@topdog.za.net>
References:
<567C0A60.80001@dld2000.com>
<51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com>
<90AE516D-6090-4FEB-B6C0-12BAA355306F@topdog.za.net>
Message-ID: <567D4C69.5040700@dld2000.com>
Sure, most of the web uses javascript. These days, it's hard to find
websites that DON'T use javascript in one form or another. So what?
As for being "obsessed", I think Jerry's original post answers that.
It's not an obsession to want to know how much interest there is in what
you're offering.
Does data collection go too far? Sure, but do we really need to throw
out the baby with the bathwater in order to place limits?
On 12/25/2015 12:57 AM, Andrew Colin Kissa wrote:
> On 24 Dec 2015, at 8:30 PM, Jerry Benton wrote:
>
>> Sure, except you cannot use Google analytics with a .conf file that gets downloaded 20,000+ times a day with curl or wget that accounts for 10GB of transfer every day.
> And… doesn't Google analytics use javascript ?
> And… why are people so obsessed with having Google collect data on them and their users ?
From andrew at topdog.za.net Sun Dec 27 12:58:45 2015
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Sun, 27 Dec 2015 14:58:45 +0200
Subject: MailScanner Statistics
In-Reply-To: <567D4C69.5040700@dld2000.com>
References:
<567C0A60.80001@dld2000.com>
<51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com>
<90AE516D-6090-4FEB-B6C0-12BAA355306F@topdog.za.net>
<567D4C69.5040700@dld2000.com>
Message-ID: <528DE5E6-4F31-4A4A-8D4F-0871169EFDFE@topdog.za.net>
On 25 Dec 2015, at 16:02, Walt Thiessen wrote:
> Sure, most of the web uses javascript. These days, it's hard to find websites that DON'T use javascript in one form or another. So what?
Doh, do you actually even know what you are talking about?
How would javascript be executed for a request by curl or wget to a file, not a page with js embedded in it ?
From andrew at topdog.za.net Sun Dec 27 13:24:32 2015
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Sun, 27 Dec 2015 15:24:32 +0200
Subject: MailScanner Statistics
In-Reply-To: <567D4C69.5040700@dld2000.com>
References:
<567C0A60.80001@dld2000.com>
<51EB07F4-2D3E-4582-ABD7-9D11CD70AB24@mailborder.com>
<90AE516D-6090-4FEB-B6C0-12BAA355306F@topdog.za.net>
<567D4C69.5040700@dld2000.com>
Message-ID: <0D493BEF-7280-4208-B457-2B65E36A69E2@topdog.za.net>
On 25 Dec 2015, at 16:02, Walt Thiessen wrote:
> As for being "obsessed", I think Jerry's original post answers that. It's not an obsession to want to know how much interest there is in what you're offering.
P.S. You totally misunderstand me. I think Jerry is doing the right thing and using the right tools.
I have a problem with you pushing Google Analytics: why should a third party with a
dubious record be introduced to collect this information when awstats does the job perfectly?
From pparsons at techeez.com Wed Dec 30 20:29:12 2015
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 30 Dec 2015 20:29:12 +0000
Subject: View status error
Message-ID: <11D8E491D9562549A61FD3186F363420027C75E3FF@exchange.techeez.com>
After the upgrade to 4.85, when I check the status of MailScanner I am getting:
/etc/init.d/MailScanner: line 78: [: =: unary operator expected
Line 78 is:
[ ${NETWORKING} = "no" ] && exit 0
Anyone got any ideas?
Thank you.
Philip Parsons
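The error reported above, reproduced as an added example that is not part of the original post or of MailScanner's init script. It assumes NETWORKING is empty or unset when line 78 runs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: why `[ ${NETWORKING} = "no" ]` fails, and a quoted form.
# Assumption: NETWORKING is empty or unset when the line runs.

# The test exactly as quoted from line 78. With an empty value the unquoted
# expansion disappears and the shell runs `[ = "no" ]`. That is a usage
# error for `[` (exit status 2), not a false comparison (exit status 1).
line78_unquoted() {
    NETWORKING=$1
    [ ${NETWORKING} = "no" ]
}

# Quoted form: an empty or unset value stays one (empty) word, so `[`
# always sees three arguments and simply compares strings.
line78_quoted() {
    NETWORKING=$1
    [ "${NETWORKING:-}" = "no" ]
}

# Report what `TEST && exit 0` would do for a test function and a value:
#   stop     : test true, the init script would exit 0
#   continue : test false, the script carries on
#   error    : `[` itself failed (status 2 or more); `&& exit 0` is skipped,
#              so the script also carries on, but only after printing the
#              error, and not because the comparison was evaluated
classify() {
    rc=0
    "$1" "$2" 2>/dev/null || rc=$?
    case $rc in
        0) echo stop ;;
        1) echo continue ;;
        *) echo error ;;
    esac
}

# Constructed sample values: empty, "no" and "yes".
for value in "" no yes; do
    printf 'NETWORKING=%-6s unquoted=%-9s quoted=%s\n' \
        "'$value'" \
        "$(classify line78_unquoted "$value")" \
        "$(classify line78_quoted "$value")"
done
```
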
From wt at dld2000.com Thu Dec 31 16:50:08 2015
From: wt at dld2000.com (Walt Thiessen)
Date: Thu, 31 Dec 2015 11:50:08 -0500
Subject: from address?
Message-ID: <56855CC0.9070502@dld2000.com>
MailScanner apparently treats the envelope-from address as the from
address when populating $this->{from} instead of using the email's
original "from" address.
Is there an attribute that tracks the email's original "from" address?
Walt