From heino.backhaus at fink-computer.de Mon Nov 2 15:16:13 2015
From: heino.backhaus at fink-computer.de (Heino Backhaus)
Date: Mon, 2 Nov 2015 16:16:13 +0100
Subject: Linux file command identifies text-file as DOS executable (COM)
Message-ID: <56377E3D.7010401@fink-computer.de>

A funny thing came across my eyes...

If you're using file v5.14 to detect executables and you put this "锘" Chinese character at the beginning of a text file, it will be detected as a DOS executable (COM). I'm wondering if I should upgrade to file 5.24.

Are there known issues with file v5.24 and MailScanner?

# file msg-17333-4.txt
msg-17333-4.txt: DOS executable (COM)

# file --version
file-5.14

Greetings
-Heino

"In retrospect it becomes clear that hindsight is definitely overrated!"

-Alfred E. Neumann

From jerry.benton at mailborder.com Mon Nov 2 15:33:05 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 2 Nov 2015 10:33:05 -0500
Subject: Linux file command identifies text-file as DOS executable (COM)
In-Reply-To: <56377E3D.7010401@fink-computer.de>
References: <56377E3D.7010401@fink-computer.de>
Message-ID: <740602E7-CD8E-4FDA-8EAE-C2904E871BBC@mailborder.com>

There is no issue between the file command and MailScanner. MailScanner essentially asks file what MIME type it is and gets an answer. How that answer is derived has nothing to do with MailScanner.

-
Jerry Benton
www.mailborder.com

> On Nov 2, 2015, at 10:16 AM, Heino Backhaus wrote:
>
> A funny thing came across my eyes...
>
> If you're using file v5.14 to detect executables and you put this "锘"
> Chinese character at the beginning of a text file, it will be detected as
> a DOS executable (COM). I'm wondering if I should upgrade to file 5.24.
>
> Are there known issues with file v5.24 and MailScanner?
>
> # file msg-17333-4.txt
> msg-17333-4.txt: DOS executable (COM)
>
> # file --version
> file-5.14
>
> Greetings
> -Heino
>
> "In retrospect it becomes clear that hindsight is definitely overrated!"
>
> -Alfred E. Neumann
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner

From iversons at rushville.k12.in.us Mon Nov 2 15:36:08 2015
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 2 Nov 2015 10:36:08 -0500
Subject: Linux file command identifies text-file as DOS executable (COM)
In-Reply-To: <740602E7-CD8E-4FDA-8EAE-C2904E871BBC@mailborder.com>
References: <56377E3D.7010401@fink-computer.de> <740602E7-CD8E-4FDA-8EAE-C2904E871BBC@mailborder.com>
Message-ID:

I tested file-5.24 recently with MailScanner on a different yet similar issue and had no issues during testing.

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From it at festa.bg Mon Nov 2 15:52:56 2015
From: it at festa.bg (Valentin Laskov)
Date: Mon, 2 Nov 2015 17:52:56 +0200
Subject: Linux file command identifies text-file as DOS executable (COM)
In-Reply-To: <56377E3D.7010401@fink-computer.de>
References: <56377E3D.7010401@fink-computer.de>
Message-ID: <563786D8.9080206@festa.bg>

Try in MailScanner.conf

File Command = /usr/local/bin/file-wrapper

and make /usr/local/bin/file-wrapper as this

#!/bin/bash
# Print only the MIME type of the file given as the first argument
/usr/bin/file --mime-type "$1"
#end of /usr/local/bin/file-wrapper

Regards
Valentin

--
Regards!
Valentin Laskov
KIPO Officer
"Festa Holding" AD
48 "Vl. Varnenchik" Blvd.
9000 Varna
Tel.: +359 52 669137
GSM: +359 888 669137
Fax: +359 52 669110

From pauldwalker at gmail.com Wed Nov 4 07:35:46 2015
From: pauldwalker at gmail.com (Paul D. Walker)
Date: Wed, 4 Nov 2015 15:35:46 +0800
Subject: duplicate subject lines causing yahoo mail rejection
Message-ID:

I've found a bug in mailscanner I believe.

One of the users was having his mail rejected from yahoo with the following error

#5.0.0 smtp; 554 Message not allowed - Headers are not RFC compliant[291]> #SMTP#

I had to "solve" the problem by routing the mail directly, rather than through the efa server.

Digging deeper, I discovered that if your subject line has a space at the end, the mailscanner will duplicate the subject line without the trailing space.

Example: (you'll see the first duplicate subject between the X-SendingOrg-MailScanner-EFA-Watermark and X-SendingOrg-MailScanner-EFA-From headers)

Return-path:
Envelope-to: pdwalker at receiving_domain.com
Delivery-date: Wed, 04 Nov 2015 07:05:36 +0000
Received: from mailx.sending_domain.com ([112.120.80.132])
    by linode.receiving_domain.com with esmtp (Exim 4.63)
    (envelope-from )
    id 1Zts8U-0008Rk-MC
    for pdwalker at receiving_domain.com; Wed, 04 Nov 2015 07:05:36 +0000
X-Spam-Status: No
X-SendingOrg-MailScanner-EFA-Watermark: 1447225334.7874@
    +F3UH5veY3iYSrMhwplUJw
Subject: subject with a space at the end
X-SendingOrg-MailScanner-EFA-From: pdwalker at sending_domain.com
X-SendingOrg-MailScanner-EFA-SpamCheck: not spam (whitelisted),
    SpamAssassin (not cached, score=-9.999, required 4,
    autolearn=not spam, ALL_TRUSTED -8.00, BAYES_00 -1.90,
    DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10,
    HTML_MESSAGE 0.00)
X-SendingOrg-MailScanner-EFA: Found to be clean
X-SendingOrg-MailScanner-EFA-ID: 96785180061.A1ACE
X-SendingOrg-MailScanner-EFA-Information: Please contact
    itsupport at sending_domain.com for more information
Received: from mailx.sending_domain.com (csnwex003 [10.10.1.12])
    (using TLSv1 with cipher RC4-MD5 (128/128 bits))
    (No client certificate requested)
    by mailx.sending_domain.com (Postfix) with ESMTPS id 96785180061
    for ; Wed, 4 Nov 2015 15:02:13 +0800 (HKT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sending_domain.com;
    s=default; t=1446620533;
    bh=rZAo4KkiyZoz6WmTr617gCT5XCHpgJttbzJISCaSoHU=;
    h=From:To:Date:Subject;
    b=KmZ9nL0LgR6thtTQx1siLG6TJ8dBiIGXgO1caSLziC8OD4jR+9og+WTQ+g+oX5/SB
    rf9ObNhJgOfWl4Xnw8qAZbRCwn80iT2NCd3JVt+OGdiXw9p1C+OU7DIOYbylNR+xXy
    dudzWjqw5w/VFLsZaKbUnzX6fM+gOR566ngUaBDY=
Received: from CSNWEX003.sending_domain.local ([10.10.1.12]) by
    CSNWEX003.sending_domain.local ([10.10.1.12]) with mapi; Wed, 4 Nov 2015
    15:00:42 +0800
From: "Paul D. Walker"
To: "pdwalker at receiving_domain.com"
Date: Wed, 4 Nov 2015 15:02:10 +0800
Subject: subject with a space at the end
Thread-Topic: subject with a space at the end
Thread-Index: AdEWzoTrviBuMoqDR2+PoISGliMMww==
Message-ID:
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.7.151005
acceptlanguage: en-US
Content-Type: multipart/alternative;
    boundary="_000_D25FCE724CA02pdwalkersending_domaincom_"
MIME-Version: 1.0
X-Spam-Score: -2.0 (--)
X-Spam-Report: Spam detection software, running on the system
    "linode.receiving_domain.com", has
    identified this incoming email as possible spam. The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email. If you have any questions, see
    the administrator of that system for details.
    Content preview: asdf sdfsd asdf sdfsd [...]
    Content analysis details: (-2.0 points, 5.0 required)
    pts  rule name              description
    ---- ---------------------- --------------------------------------------------
     0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                                See
                                http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                for more information.
                                [URIs: sending_domain.com]
    -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay domain
    -0.0 SPF_PASS               SPF: sender matches SPF record
    -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                                [score: 0.0000]
     0.0 HTML_MESSAGE           BODY: HTML included in message
    -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
     0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
    -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature

--_000_D25FCE724CA02pdwalkersending_domaincom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

asdf sdfsd

--_000_D25FCE724CA02pdwalkersending_domaincom_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

asdf sdfsd

--_000_D25FCE724CA02pdwalkersending_domaincom_--

as opposed to this one (subject - no spaces at the end)

Return-path:
Envelope-to: pdwalker at receiving_domain.com
Delivery-date: Wed, 04 Nov 2015 07:21:06 +0000
Received: from mailz.forscientia.com ([223.255.133.202] helo=mailx.sending_domain.com)
    by linode.receiving_domain.com with esmtp (Exim 4.63)
    (envelope-from )
    id 1ZtsNU-0008S0-AN
    for pdwalker at receiving_domain.com; Wed, 04 Nov 2015 07:21:06 +0000
X-Spam-Status: No
X-SendingOrg-MailScanner-EFA-Watermark: 1447226265.54661 at f2Rtd1DFrwSsagFkybqXtg
X-SendingOrg-MailScanner-EFA-From: pdwalker at sending_domain.com
X-SendingOrg-MailScanner-EFA-SpamCheck: not spam (whitelisted),
    SpamAssassin (not cached, score=-7.133, required 4,
    ALL_TRUSTED -8.00, BAYES_00 -1.90, DKIM_SIGNED 0.10,
    DKIM_VALID -0.10, DKIM_VALID_AU -0.10, FSL_BULK_SIG 1.47,
    HTML_MESSAGE 0.00, PYZOR_CHECK 1.39)
X-SendingOrg-MailScanner-EFA: Found to be clean
X-SendingOrg-MailScanner-EFA-ID: 1C6AE180061.A1B27
X-SendingOrg-MailScanner-EFA-Information: Please contact
    itsupport at sending_domain.com for more information
Received: from mailx.sending_domain.com (csnwex003 [10.10.1.12])
    (using TLSv1 with cipher RC4-MD5 (128/128 bits))
    (No client certificate requested)
    by mailx.sending_domain.com (Postfix) with ESMTPS id 1C6AE180061
    for ; Wed, 4 Nov 2015 15:17:45 +0800 (HKT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sending_domain.com;
    s=default; t=1446621465;
    bh=ktlUCNmPPnUJzxghfWa5jBleOBUjJTy4TdfFySc0MRg=;
    h=From:To:Date:Subject;
    b=cLwIBLbizpCxexxc5B5zF97idtFt0yy8pxhH6SHfGJHHLdyu6jX6oEjV2bHxZlqTG
    F67kksRjVZ2cPMEE44GUJxO7trMYdCxVGpSP3a1hHfqMthZhAsyxxDocImMGn4PoVZ
    UcNpLJ0mcm0Fwjsry84HkqZF9ujsgz95IwUYnK/A=
Received: from CSNWEX003.sending_domain.local ([10.10.1.12]) by
    CSNWEX003.sending_domain.local ([10.10.1.12]) with mapi; Wed, 4 Nov 2015
    15:16:14 +0800
From: "Paul D. Walker"
To: "pdwalker at receiving_domain.com"
Date: Wed, 4 Nov 2015 15:17:42 +0800
Subject: no spaces at the end of the subject
Thread-Topic: no spaces at the end of the subject
Thread-Index: AdEW0LChkEXIm5NjTZeQCNbu4X6Szg==
Message-ID:
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.7.151005
acceptlanguage: en-US
Content-Type: multipart/alternative;
    boundary="_000_D25FD2164CA05pdwalkersending_domaincom_"
MIME-Version: 1.0
X-Spam-Score: -2.0 (--)
X-Spam-Report: Spam detection software, running on the system
    "linode.receiving_domain.com", has
    identified this incoming email as possible spam. The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email. If you have any questions, see
    the administrator of that system for details.
    Content preview: test test [...]
    Content analysis details: (-2.0 points, 5.0 required)
    pts  rule name              description
    ---- ---------------------- --------------------------------------------------
    -0.0 SPF_PASS               SPF: sender matches SPF record
     0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                                See
                                http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                for more information.
                                [URIs: sending_domain.com]
    -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                                [score: 0.0000]
     0.0 HTML_MESSAGE           BODY: HTML included in message
    -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
     0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
    -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature

--_000_D25FD2164CA05pdwalkersending_domaincom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

test

--_000_D25FD2164CA05pdwalkersending_domaincom_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

test

--_000_D25FD2164CA05pdwalkersending_domaincom_--

Any suggestions for solving this problem other than telling users never to add spaces at the end of the subject, or routing yahoo.com mail away from the mailscanner appliance?

:wq!

From iversons at rushville.k12.in.us Wed Nov 4 09:53:45 2015
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 4 Nov 2015 04:53:45 -0500
Subject: duplicate subject lines causing yahoo mail rejection
In-Reply-To:
References:
Message-ID:

Since this is on an efa, I am going to test this against the latest mailscanner code and report back the results, just to confirm.

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From it at festa.bg Wed Nov 4 10:35:52 2015
From: it at festa.bg (Valentin Laskov)
Date: Wed, 4 Nov 2015 12:35:52 +0200
Subject: Subject in UTF-8 replaced by question marks
Message-ID: <5639DF88.2040900@festa.bg>

Hi all!

I have a problem when the subject line is in Bulgarian. This must be the same with Russian and other languages if it is not only my fault.

In the user interface of the client (Thunderbird) I see

Subject: {Spam?} Специални отстъпки за клиенти на карта OFRM

which is OK.

I have bg+en report files in UTF-8. In the attached inline.spam.warning.txt I see the subject replaced by question marks, but the explanation is OK:

Нашият MailScanner счита, че         | Our MailScanner believes that the
приложението към това писмо до       | attachment to this message sent to
Вас от:                              | you from:
    info at asdasd.bg
На тема:                             | Subject:
    ????????? ???????? ?? ??????? ?? ????? OFRM
е непоискано рекламно писмо (spam).  | is Unsolicited Commercial Email (spam).
/etc./

In the report below I see:

1.6 SUBJ_ALL_CAPS Subject is all capitals

but it is not all capitals.

In the headers of the letter the subject line is:

Subject: {Spam?} =?utf-8?B?0KHQv9C10YbQuNCw0LvQvdC4INC+0YLRgdGC0YrQv9C60Lgg0LfQsCDQutC70LjQtdC90YLQuCDQvdCwINC60LDRgNGC0LAgT0ZSTQ==?=

In MailScanner.conf I have

Attachment Encoding Charset = UTF-8

and the system environment is

set | grep LANG
LANG=bg_BG.UTF-8

Please help to fix this.
Regards Valentin From kevin.miller at juneau.org Wed Nov 4 18:09:47 2015 From: kevin.miller at juneau.org (Kevin Miller) Date: Wed, 4 Nov 2015 18:09:47 +0000 Subject: duplicate subject lines causing yahoo mail rejection In-Reply-To: References: Message-ID: What’s an “efa”? I was having the same issue earlier this year. I don’t know if it was due to spaces in the subject, but we were getting rejects from yahoo due to multiple subjects injected by MailScanner. The workaround (I hesitate to call it a solution) was posted by Scott Anderson on 2/23, subject “RE: DKIM and MailScanner Watermarking”: Multiple Headers = append Place New Headers At Top Of Message = yes ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Shawn Iverson Sent: Wednesday, November 04, 2015 12:54 AM To: MailScanner Discussion Subject: Re: duplicate subject lines causing yahoo mail rejection Since this is on an efa, I am going to test this against the latest mailscanner code and report back the results, just to confirm. On Wed, Nov 4, 2015 at 2:35 AM, Paul D. Walker > wrote: I've found a bug in mailscanner I believe. One of the users was having his mail rejected from yahoo with the following error #5.0.0 smtp; 554 Message not allowed - Headers are not RFC compliant[291]> #SMTP# I had to "solve" the problem by routing the mail directly, rather than through the efa server. Digging deeper, I discovered that if your subject line as a space at the end, the mailscanner will duplicate the subject line without the trailing space. 
Example: (you'll see the first duplicate subject between the X-SendingOrg-MailScanner-EFA-Watermark and X-SendingOrg-MailScanner-EFA-From headers) CODE: SELECT ALL Return-path: > Envelope-to: pdwalker at receiving_domain.com Delivery-date: Wed, 04 Nov 2015 07:05:36 +0000 Received: from mailx.sending_domain.com ([112.120.80.132]) by linode.receiving_domain.com with esmtp (Exim 4.63) (envelope-from >) id 1Zts8U-0008Rk-MC for pdwalker at receiving_domain.com; Wed, 04 Nov 2015 07:05:36 +0000 X-Spam-Status: No X-SendingOrg-MailScanner-EFA-Watermark: 1447225334.7874 at +F3UH5veY3iYSrMhwplUJw Subject: subject with a space at the end X-SendingOrg-MailScanner-EFA-From: pdwalker at sending_domain.com X-SendingOrg-MailScanner-EFA-SpamCheck: not spam (whitelisted), SpamAssassin (not cached, score=-9.999, required 4, autolearn=not spam, ALL_TRUSTED -8.00, BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_MESSAGE 0.00) X-SendingOrg-MailScanner-EFA: Found to be clean X-SendingOrg-MailScanner-EFA-ID: 96785180061.A1ACE X-SendingOrg-MailScanner-EFA-Information: Please contact itsupport at sending_domain.com for more information Received: from mailx.sending_domain.com (csnwex003 [10.10.1.12]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mailx.sending_domain.com (Postfix) with ESMTPS id 96785180061 for >; Wed, 4 Nov 2015 15:02:13 +0800 (HKT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sending_domain.com; s=default; t=1446620533; bh=rZAo4KkiyZoz6WmTr617gCT5XCHpgJttbzJISCaSoHU=; h=From:To:Date:Subject; b=KmZ9nL0LgR6thtTQx1siLG6TJ8dBiIGXgO1caSLziC8OD4jR+9og+WTQ+g+oX5/SB rf9ObNhJgOfWl4Xnw8qAZbRCwn80iT2NCd3JVt+OGdiXw9p1C+OU7DIOYbylNR+xXy dudzWjqw5w/VFLsZaKbUnzX6fM+gOR566ngUaBDY= Received: from CSNWEX003.sending_domain.local ([10.10.1.12]) by CSNWEX003.sending_domain.local ([10.10.1.12]) with mapi; Wed, 4 Nov 2015 15:00:42 +0800 From: "Paul D. 
Walker" > To: "pdwalker at receiving_domain.com" > Date: Wed, 4 Nov 2015 15:02:10 +0800 Subject: subject with a space at the end Thread-Topic: subject with a space at the end Thread-Index: AdEWzoTrviBuMoqDR2+PoISGliMMww== Message-ID: > Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.5.7.151005 acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_D25FCE724CA02pdwalkersending_domaincom_" MIME-Version: 1.0 X-Spam-Score: -2.0 (--) X-Spam-Report: Spam detection software, running on the system "linode.receiving_domain.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: asdf sdfsd asdf sdfsd [...] Content analysis details: (-2.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: sending_domain.com] -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature --_000_D25FCE724CA02pdwalkersending_domaincom_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable asdf sdfsd --_000_D25FCE724CA02pdwalkersending_domaincom_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable
asdf sdfsd
--_000_D25FCE724CA02pdwalkersending_domaincom_-- as opposed to this one (subject - no spaces at the end) CODE: SELECT ALL Return-path: > Envelope-to: pdwalker at receiving_domain.com Delivery-date: Wed, 04 Nov 2015 07:21:06 +0000 Received: from mailz.forscientia.com ([223.255.133.202] helo=mailx.sending_domain.com) by linode.receiving_domain.com with esmtp (Exim 4.63) (envelope-from >) id 1ZtsNU-0008S0-AN for pdwalker at receiving_domain.com; Wed, 04 Nov 2015 07:21:06 +0000 X-Spam-Status: No X-SendingOrg-MailScanner-EFA-Watermark: 1447226265.54661 at f2Rtd1DFrwSsagFkybqXtg X-SendingOrg-MailScanner-EFA-From: pdwalker at sending_domain.com X-SendingOrg-MailScanner-EFA-SpamCheck: not spam (whitelisted), SpamAssassin (not cached, score=-7.133, required 4, ALL_TRUSTED -8.00, BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, FSL_BULK_SIG 1.47, HTML_MESSAGE 0.00, PYZOR_CHECK 1.39) X-SendingOrg-MailScanner-EFA: Found to be clean X-SendingOrg-MailScanner-EFA-ID: 1C6AE180061.A1B27 X-SendingOrg-MailScanner-EFA-Information: Please contact itsupport at sending_domain.com for more information Received: from mailx.sending_domain.com (csnwex003 [10.10.1.12]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mailx.sending_domain.com (Postfix) with ESMTPS id 1C6AE180061 for >; Wed, 4 Nov 2015 15:17:45 +0800 (HKT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sending_domain.com; s=default; t=1446621465; bh=ktlUCNmPPnUJzxghfWa5jBleOBUjJTy4TdfFySc0MRg=; h=From:To:Date:Subject; b=cLwIBLbizpCxexxc5B5zF97idtFt0yy8pxhH6SHfGJHHLdyu6jX6oEjV2bHxZlqTG F67kksRjVZ2cPMEE44GUJxO7trMYdCxVGpSP3a1hHfqMthZhAsyxxDocImMGn4PoVZ UcNpLJ0mcm0Fwjsry84HkqZF9ujsgz95IwUYnK/A= Received: from CSNWEX003.sending_domain.local ([10.10.1.12]) by CSNWEX003.sending_domain.local ([10.10.1.12]) with mapi; Wed, 4 Nov 2015 15:16:14 +0800 From: "Paul D. 
Walker" > To: "pdwalker at receiving_domain.com" > Date: Wed, 4 Nov 2015 15:17:42 +0800 Subject: no spaces at the end of the subject Thread-Topic: no spaces at the end of the subject Thread-Index: AdEW0LChkEXIm5NjTZeQCNbu4X6Szg== Message-ID: > Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.5.7.151005 acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_D25FD2164CA05pdwalkersending_domaincom_" MIME-Version: 1.0 X-Spam-Score: -2.0 (--) X-Spam-Report: Spam detection software, running on the system "linode.receiving_domain.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: test test [...] Content analysis details: (-2.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: sending_domain.com] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature --_000_D25FD2164CA05pdwalkersending_domaincom_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable test --_000_D25FD2164CA05pdwalkersending_domaincom_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable
test
--_000_D25FD2164CA05pdwalkersending_domaincom_--

Any suggestions for solving this problem other than telling users never to add spaces at the end of the subject, or routing yahoo.com mail away from the mailscanner appliance?

:wq!

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From Antony.Stone at mailscanner.open.source.it Wed Nov 4 20:05:00 2015
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Wed, 4 Nov 2015 21:05:00 +0100
Subject: duplicate subject lines causing yahoo mail rejection
In-Reply-To:
References:
Message-ID: <201511042105.00380.Antony.Stone@mailscanner.open.source.it>

On Wednesday 04 November 2015 at 19:09:47, Kevin Miller wrote:

> What’s an “efa”?

https://efa-project.org/

> I was having the same issue earlier this year. I don’t know if it was due
> to spaces in the subject, but we were getting rejects from yahoo due to
> multiple subjects injected by MailScanner.
>
> The workaround (I hesitate to call it a solution) was posted by Scott
> Anderson on 2/23, subject “RE: DKIM and MailScanner Watermarking”:
>
> Multiple Headers = append
>
> Place New Headers At Top Of Message = yes
>
> ...Kevin

Regards,

Antony.

--
This email was created using 100% recycled electrons.

Please reply to the list; please *don't* CC me.

From wcolburn at nrao.edu Wed Nov 4 20:22:25 2015
From: wcolburn at nrao.edu (William D. Colburn)
Date: Wed, 4 Nov 2015 13:22:25 -0700
Subject: Spam with bogus spamassassin checks
Message-ID: <20151104202225.GA1776@anotheruvula.aoc.nrao.edu>

We use MailScanner here, I'm at 4.85.2-3. Spamassassin is at 3.4.1. with razor agents 2.84.
We have spam leaking through that has bogus looking spamassassin results: X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.01, required 5, autolearn=disabled, T_RP_MATCHES_RCVD -0.01) X-Spam-Status: No If I manually run the spam message through spamassassin it is flagged correctly as spam. The messages are small, 2k or so, with nothing weird in the headers that I can spot. I've scanned the maillogs. I've tried turning on all the various debug options in MailScanner I could find. Nothing has panned out. These emails continue to leak through with no indication of why. Does anyone have any suggestions of where I should look? ---------------------------------------------------------------------- Also, your listserve's confirmation email was considered to be spam by MailScanner. X-MailScanner-Information: Please contact the postmaster at aoc.nrao.edu for more information X-MailScanner: Found to be clean X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.651, required 5, autolearn=disabled, DKIM_SIGNED 0.10, RCVD_IN_DNSWL_LOW -0.70, TVD_SPACE_RATIO 0.00, TVD_SPACE_RATIO_MINFP 2.75, T_DKIM_INVALID 0.01, T_RP_MATCHES_RCVD -0.01, VIRUS_WARNING62 3.50) X-MailScanner-SpamScore: sssss X-MailScanner-From: mailscanner-bounces at lists.mailscanner.info X-Spam-Status: Yes --Schlake From kevin.miller at juneau.org Wed Nov 4 21:00:18 2015 From: kevin.miller at juneau.org (Kevin Miller) Date: Wed, 4 Nov 2015 21:00:18 +0000 Subject: Spam with bogus spamassassin checks In-Reply-To: <20151104202225.GA1776@anotheruvula.aoc.nrao.edu> References: <20151104202225.GA1776@anotheruvula.aoc.nrao.edu> Message-ID: <6a9a6c9b416b4b1db10181155733ebe4@City-Exch-DB2.cbj.local> Are you running old SARE rule sets? The VIRUS_WARNING62 is a bit suspect - I don't have that rule in my spamassassin (3.4). Maybe it was added in 3.4.1 but All references I found to it dated to around 2005 or 2006. SARE went away years ago. 
...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 -----Original Message----- From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of William D. Colburn Sent: Wednesday, November 04, 2015 11:22 AM To: mailscanner at lists.mailscanner.info Subject: Spam with bogus spamassassin checks We use MailScanner here, I'm at 4.85.2-3. Spamassassin is at 3.4.1. with razor agents 2.84. We have spam leaking through that has bogus looking spamassassin results: X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.01, required 5, autolearn=disabled, T_RP_MATCHES_RCVD -0.01) X-Spam-Status: No If I manually run the spam message through spamassassin it is flagged correctly as spam. The messages are small, 2k or so, with nothing weird in the headers that I can spot. I've scanned the maillogs. I've tried turning on all the various debug options in MailScanner I could find. Nothing has panned out. These emails continue to leak through with no indication of why. Does anyone have any suggestions of where I should look? ---------------------------------------------------------------------- Also, your listserve's confirmation email was considered to be spam by MailScanner. 
X-MailScanner-Information: Please contact the postmaster at aoc.nrao.edu for more information X-MailScanner: Found to be clean X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.651, required 5, autolearn=disabled, DKIM_SIGNED 0.10, RCVD_IN_DNSWL_LOW -0.70, TVD_SPACE_RATIO 0.00, TVD_SPACE_RATIO_MINFP 2.75, T_DKIM_INVALID 0.01, T_RP_MATCHES_RCVD -0.01, VIRUS_WARNING62 3.50) X-MailScanner-SpamScore: sssss X-MailScanner-From: mailscanner-bounces at lists.mailscanner.info X-Spam-Status: Yes --Schlake -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner From tmeireles at electroind.com Wed Nov 4 21:03:14 2015 From: tmeireles at electroind.com (Tiago Meireles) Date: Wed, 4 Nov 2015 16:03:14 -0500 Subject: Spam with bogus spamassassin checks In-Reply-To: <6a9a6c9b416b4b1db10181155733ebe4@City-Exch-DB2.cbj.local> References: <20151104202225.GA1776@anotheruvula.aoc.nrao.edu> <6a9a6c9b416b4b1db10181155733ebe4@City-Exch-DB2.cbj.local> Message-ID: <001301d11744$38a382f0$a9ea88d0$@electroind.com> The SARE rule sets caused me a lot of headaches. Removing them fixed a significant amount of false positives on my end. -----Original Message----- From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin Miller Sent: Wednesday, November 04, 2015 4:00 PM To: 'MailScanner Discussion' Subject: RE: Spam with bogus spamassassin checks Are you running old SARE rule sets? The VIRUS_WARNING62 is a bit suspect - I don't have that rule in my spamassassin (3.4). Maybe it was added in 3.4.1 but All references I found to it dated to around 2005 or 2006. SARE went away years ago. ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 -----Original Message----- From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of William D. 
Colburn Sent: Wednesday, November 04, 2015 11:22 AM To: mailscanner at lists.mailscanner.info Subject: Spam with bogus spamassassin checks We use MailScanner here, I'm at 4.85.2-3. Spamassassin is at 3.4.1. with razor agents 2.84. We have spam leaking through that has bogus looking spamassassin results: X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.01, required 5, autolearn=disabled, T_RP_MATCHES_RCVD -0.01) X-Spam-Status: No If I manually run the spam message through spamassassin it is flagged correctly as spam. The messages are small, 2k or so, with nothing weird in the headers that I can spot. I've scanned the maillogs. I've tried turning on all the various debug options in MailScanner I could find. Nothing has panned out. These emails continue to leak through with no indication of why. Does anyone have any suggestions of where I should look? ---------------------------------------------------------------------- Also, your listserve's confirmation email was considered to be spam by MailScanner. X-MailScanner-Information: Please contact the postmaster at aoc.nrao.edu for more information X-MailScanner: Found to be clean X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.651, required 5, autolearn=disabled, DKIM_SIGNED 0.10, RCVD_IN_DNSWL_LOW -0.70, TVD_SPACE_RATIO 0.00, TVD_SPACE_RATIO_MINFP 2.75, T_DKIM_INVALID 0.01, T_RP_MATCHES_RCVD -0.01, VIRUS_WARNING62 3.50) X-MailScanner-SpamScore: sssss X-MailScanner-From: mailscanner-bounces at lists.mailscanner.info X-Spam-Status: Yes --Schlake -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner From wcolburn at nrao.edu Wed Nov 4 21:20:17 2015 From: wcolburn at nrao.edu (William D. 
Colburn)
Date: Wed, 4 Nov 2015 14:20:17 -0700
Subject: Spam with bogus spamassassin checks
In-Reply-To: <001301d11744$38a382f0$a9ea88d0$@electroind.com>
References: <20151104202225.GA1776@anotheruvula.aoc.nrao.edu> <6a9a6c9b416b4b1db10181155733ebe4@City-Exch-DB2.cbj.local> <001301d11744$38a382f0$a9ea88d0$@electroind.com>
Message-ID: <20151104212017.GA5986@anotheruvula.aoc.nrao.edu>

>The SARE rule sets caused me a lot of headaches. Removing them fixed a significant amount of false positives on my end.

I found a SARE rule someone had installed in /etc/mail/spamassassin/. But it seems unlikely that the existence of this rule would cause a spam message to have no spamassassin tags in it.

--Schlake

From kevin.miller at juneau.org Wed Nov 4 23:24:24 2015
From: kevin.miller at juneau.org (Kevin Miller)
Date: Wed, 4 Nov 2015 23:24:24 +0000
Subject: Spam with bogus spamassassin checks
In-Reply-To: <20151104212017.GA5986@anotheruvula.aoc.nrao.edu>
References: <20151104202225.GA1776@anotheruvula.aoc.nrao.edu> <6a9a6c9b416b4b1db10181155733ebe4@City-Exch-DB2.cbj.local> <001301d11744$38a382f0$a9ea88d0$@electroind.com> <20151104212017.GA5986@anotheruvula.aoc.nrao.edu>
Message-ID: <122c08a4f92141ccb0605464e8ec44be@City-Exch-DB2.cbj.local>

The SARE comment is because you said "Also, your listserve's confirmation email was considered to be spam by MailScanner." MailScanner doesn't consider the listserve to be spam - your spamassassin setup does. Adding 3.5 points for VIRUS_WARNING62 is what bumped it over the top. But that rule doesn't come with MailScanner. Someone at your site configured it that way. At least it doesn't come with the stock MailScanner package.

Regarding the spam getting flagged by spamassassin when run directly but not when called by MailScanner, it could be RBL dependent. I.e., when the message first comes on it isn't on any RBLs yet. By the time you run it manually, it is.
Another possibility is you're running spamassassin as a different user under MailScanner than you are when you analyze the message manually. Since you didn't post the spam report from running the message manually it's pretty much impossible to guess why there's a difference.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of William D. Colburn
Sent: Wednesday, November 04, 2015 12:20 PM
To: MailScanner Discussion
Subject: Re: Spam with bogus spamassassin checks

>The SARE rule sets caused me a lot of headaches. Removing them fixed a significant amount of false positives on my end.

I found a SARE rule someone had installed in /etc/mail/spamassassin/. But it seems unlikely that the existence of this rule would cause a spam message to have no spamassassin tags in it.

--Schlake

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner

From dave.mehler at gmail.com Thu Nov 5 12:04:12 2015
From: dave.mehler at gmail.com (David Mehler)
Date: Thu, 5 Nov 2015 07:04:12 -0500
Subject: Mailscanner, SA, database backend, retraining false positives
Message-ID:

Hello,

I've got a Postfix email server going with a MySQL database backend on FreeBSD 10.2. I'm now wanting to add Spamassassin to the picture and am wondering about current best practices? It's been a number of years since I did it and last time effectiveness wasn't so good. I'm not sure if it was because I was following old information or didn't have things done right configuration wise?

It's looking like I have several options, MailScanner which hooks into SA, or SA as a milter called directly from my MTA. Comments on these or other methods?
I'm also wanting to get the latest antispam rules, are those from SA or are there third party rules I should look into?

My goal is to have only emails I know have passed through my lighter antispam checks, done mainly by Postfix to hit the Mailscanner and SA setup, I don't want a resource bottleneck, and I am definitely looking at a single instance postfix setup.

Finally, one of the things I'm going to implement in addition to SA is Sieve, done with my MDA Dovecot, in which mail flagged with a spam header is automatically moved into a dedicated spam folder. I am then wanting to set up a system to tell SA when it has misclassified a false positive, what are people using in that environment? In this environment should I go with flat files or my existing database server?

Any other user feedback appreciated.

Thanks.
Dave.

From wbaudler at gb.nrao.edu Thu Nov 5 14:05:13 2015
From: wbaudler at gb.nrao.edu (Wolfgang Baudler)
Date: Thu, 5 Nov 2015 09:05:13 -0500
Subject: MailScanner causes SpamAssassin rules to firing inconsistently
Message-ID: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu>

We run MailScanner 4.85.2 with SpamAssassin 3.4.1 on RHEL6. Bayes and Autolearn are disabled.

I tried to add a custom rule to SpamAssassin local.cf and found that it fires inconsistently. A simple example rule is

body TEST_RULE_AA /SOMETEXT/
score TEST_RULE_AA 0.5

If I send a test email locally with the string "SOMETEXT" the rule triggers all the time. If I run SpamAssassin from the command line, the rule triggers as well

$ spamassassin
References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu>
Message-ID:

You should feed it the MailScanner spamassassin configuration file when scanning a message.

/etc/MailScanner/spam.assassin.prefs.conf

-
Jerry Benton
www.mailborder.com

> On Nov 5, 2015, at 9:05 AM, Wolfgang Baudler wrote:
>
> We run MailScanner 4.85.2 with SpamAssassin 3.4.1 on RHEL6. Bayes and
> Autolearn are disabled.
>
> I tried to add a custom rule to SpamAssassin local.cf and found that it
> fires inconsistently. A simple example rule is
>
> body TEST_RULE_AA /SOMETEXT/
> score TEST_RULE_AA 0.5
>
> If I send a test email locally with the string "SOMETEXT" the rule
> triggers all the time. If I run SpamAssassin from the command line, the
> rule triggers as well
>
> $ spamassassin
> If I send a test message from an external provider like yahoo however the
> rule does not always fire (some other rules like FREEMAIL_FROM do fire).
>
> The peculiar thing is that they do fire sometimes if I resend the message
> often enough. I cannot figure out what is causing these inconsistencies.
>
> This is a very basic body rule, which should fire unconditionally all the
> time it finds the string. It only has one score, so SpamAssassin score set
> changes shouldn't play into this either.
>
> What am I missing? Why are the rules not applied consistently for every
> email when SpamAssassin is run through MailScanner (and ONLY when it is
> run through MailScanner, spamassassin detects it 100% of the time when run
> manually)?
>
> Any suggestions appreciated.
>
> Wolfgang
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From wbaudler at gb.nrao.edu Thu Nov 5 16:35:49 2015
From: wbaudler at gb.nrao.edu (Wolfgang Baudler)
Date: Thu, 5 Nov 2015 11:35:49 -0500
Subject: MailScanner causes SpamAssassin rules to firing inconsistently
In-Reply-To:
References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu>
Message-ID: <93d17ce1e4e7632d2ea7e33378ff759e.squirrel@webmail.gb.nrao.edu>

> You should feed it the MailScanner spamassassin configuration file when
> scanning a message.
>
> /etc/MailScanner/spam.assassin.prefs.conf
>

There is a symlink mailscanner.cf -> /etc/MailScanner/spam.assassin.prefs.conf in /etc/mail/spamassassin. So, it does have the same config files.
Anyways, the manual SpamAssassin run is not the problem. It works correctly. Running through MailScanner is giving inconsistent results (and is hard to debug, since it uses the SpamAssassin Perl API directly).

Wolfgang

From wbaudler at gb.nrao.edu Thu Nov 5 16:46:14 2015
From: wbaudler at gb.nrao.edu (Wolfgang Baudler)
Date: Thu, 5 Nov 2015 11:46:14 -0500
Subject: MailScanner causes SpamAssassin rules to firing inconsistently
In-Reply-To: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu>
References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu>
Message-ID: <50787baaac84b92d9e60d3535a820b31.squirrel@webmail.gb.nrao.edu>

> We run MailScanner 4.85.2 with SpamAssassin 3.4.1 on RHEL6. Bayes and
> Autolearn are disabled.
>
> I tried to add a custom rule to SpamAssassin local.cf and found that it
> fires inconsistently. A simple example rule is
>
> body TEST_RULE_AA /SOMETEXT/
> score TEST_RULE_AA 0.5
>
> If I send a test email locally with the string "SOMETEXT" the rule
> triggers all the time. If I run SpamAssassin from the command line, the
> rule triggers as well
>
> $ spamassassin
> If I send a test message from an external provider like yahoo however the
> rule does not always fire (some other rules like FREEMAIL_FROM do fire).
>
> The peculiar thing is that they do fire sometimes if I resend the message
> often enough. I cannot figure out what is causing these inconsistencies.
>
> This is a very basic body rule, which should fire unconditionally all the
> time it finds the string. It only has one score, so SpamAssassin score set
> changes shouldn't play into this either.
>
> What am I missing? Why are the rules not applied consistently for every
> email when SpamAssassin is run through MailScanner (and ONLY when it is
> run through MailScanner, spamassassin detects it 100% of the time when run
> manually)?
>
> Any suggestions appreciated.
> > Wolfgang > > An additional data point is that this problem is not new to the latest versions of MailScanner and SpamAssassin. It also occurs with mailscanner-4.84.6 and spamassassin-3.4.0. I have not tested with other versions. Wolfgang From mark at msapiro.net Thu Nov 5 16:59:22 2015 From: mark at msapiro.net (Mark Sapiro) Date: Thu, 5 Nov 2015 08:59:22 -0800 Subject: MailScanner causes SpamAssassin rules to firing inconsistently In-Reply-To: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> Message-ID: <563B8AEA.10804@msapiro.net> On 11/05/2015 06:05 AM, Wolfgang Baudler wrote: > > I tried to add a custom rule to SpamAssassin local.cf and found that it > fires inconsistently. A simple example rule is > > body TEST_RULE_AA /SOMETEXT/ > score TEST_RULE_AA 0.5 > > If I send a test email locally with the string "SOMETEXT" the rule > triggers all the time. If I run SpamAssassin from the command line, the > rule triggers as well > > $ spamassassin > If I send a test message from an external provider like yahoo however the > rule does not always fire (some other rules like FREEMAIL_FROM do fire). So if I understand correctly, the intermittent non-firing only occurs with mail arriving from external sources. Have you looked at the raw message bodies of this mail to see what might be different between ones that do and don't trigger the rule? Have you run a non-fired message as received manually through spamassassin? Have you looked at the MTA and MailScanner logs to see if there are any clues there? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From wbaudler at gb.nrao.edu Thu Nov 5 17:10:31 2015 From: wbaudler at gb.nrao.edu (Wolfgang Baudler) Date: Thu, 5 Nov 2015 12:10:31 -0500 Subject: MailScanner causes SpamAssassin rules to firing inconsistently In-Reply-To: <563B8AEA.10804@msapiro.net> References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> <563B8AEA.10804@msapiro.net> Message-ID: <4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu> > > So if I understand correctly, the intermittent non-firing only occurs > with mail arriving from external sources. Yes, this is correct. > Have you looked at the raw > message bodies of this mail to see what might be different between ones > that do and don't trigger the rule? > Yes, I have compared the headers of test messages in detail. Didn't see anything wrong or suspicious in them. In fact they look very similar to our internal headers. > Have you run a non-fired message as received manually through > spamassassin? Yes, the test rule fires 100% in that case. > > Have you looked at the MTA and MailScanner logs to see if there are any > clues there? > Yes, I have looked at those logs a lot. No errors or warnings or anything else that might indicate what is going on. Wolfgang From mark at msapiro.net Thu Nov 5 17:29:14 2015 From: mark at msapiro.net (Mark Sapiro) Date: Thu, 5 Nov 2015 09:29:14 -0800 Subject: MailScanner causes SpamAssassin rules to firing inconsistently In-Reply-To: <4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu> References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> <563B8AEA.10804@msapiro.net> <4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu> Message-ID: <563B91EA.90106@msapiro.net> On 11/05/2015 09:10 AM, Wolfgang Baudler wrote: > > Yes, I have compared the headers of test messages in detail. Didn't see > anything wrong or suspicious in them. In fact they look very similar to > our internal headers. How about the bodies since you are testing with a body rule? 
> Yes, I have looked at those logs a lot. No errors or warnings or anything > else that might indicate what is going on. What about 'normal' messages present in one case and absent in the other? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From wbaudler at gb.nrao.edu Thu Nov 5 17:51:35 2015 From: wbaudler at gb.nrao.edu (Wolfgang Baudler) Date: Thu, 5 Nov 2015 12:51:35 -0500 Subject: MailScanner causes SpamAssassin rules to firing inconsistently In-Reply-To: <563B91EA.90106@msapiro.net> References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> <563B8AEA.10804@msapiro.net> <4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu> <563B91EA.90106@msapiro.net> Message-ID: > On 11/05/2015 09:10 AM, Wolfgang Baudler wrote: >> >> Yes, I have compared the headers of test messages in detail. Didn't see >> anything wrong or suspicious in them. In fact they look very similar to >> our internal headers. > > > How about the bodies since you are testing with a body rule? > I produced test messages that are binary identical internal vs external and still the internal one fired while the other one did not. I also tested with rawbody and full rules, which show similar behavior to normal body rules. > >> Yes, I have looked at those logs a lot. No errors or warnings or >> anything >> else that might indicate what is going on. > > > What about 'normal' messages present in one case and absent in the other? > Not sure what you mean with normal messages being present. There is always a lot of activity on that server, mostly spam, but also some ham messages present most of the time. "Max Children" is set to 5, but testing with only one instance of MailScanner resulted in the same behavior also. If there is only one instance of MailScanner running it still processes messages in batches, right? 
Is it possible that it gets confused in that process and is mixing the results of different messages scanned in the same batch? Still doesn't explain why internal messages always fire correctly.

Wolfgang

From mark at msapiro.net Thu Nov 5 18:44:14 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 5 Nov 2015 10:44:14 -0800
Subject: MailScanner causes SpamAssassin rules to firing inconsistently
In-Reply-To:
References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> <563B8AEA.10804@msapiro.net> <4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu> <563B91EA.90106@msapiro.net>
Message-ID: <563BA37E.5010508@msapiro.net>

On 11/05/2015 09:51 AM, Wolfgang Baudler wrote:
>
> Not sure what you mean with normal messages being present. There is always
> a lot of activity on that server, mostly spam, but also some ham messages
> present most of the time. "Max Children" is set to 5, but testing with
> only one instance of MailScanner resulted in the same behavior also.

By 'normal', I meant not errors or warnings. I mean if you consider two messages, one that fires and one that doesn't, if you look at all the MTA and MailScanner log messages relevant to the processing of those two messages, are the log messages the same or is there some difference between the two sets.

> If there is only one instance of MailScanner running it still processes
> messages in batches, right? Is it possible that it gets confused in
> that process and is mixing the results of different messages scanned in
> the same batch? Still doesn't explain why internal messages always fire
> correctly.

Yes, even with only one child, processing is still in batches. If there is some evidence (added headers) in the message that doesn't fire that spamassassin was invoked on that message, I don't see how that's an issue.
OTOH, if there is no evidence that spamassassin was invoked on the message at all, then we are looking at 'why does MailScanner sometimes skip spamassassin' as opposed to 'why does spamassassin sometimes behave differently'. The former could be a rule set.

Years ago, with MailScanner and Postfix, I would see occasional message duplication with multiple children, so I've been running with one child process ever since, but that doesn't seem relevant

--
Mark Sapiro    The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From wbaudler at gb.nrao.edu Thu Nov 5 19:05:50 2015
From: wbaudler at gb.nrao.edu (Wolfgang Baudler)
Date: Thu, 5 Nov 2015 14:05:50 -0500
Subject: MailScanner causes SpamAssassin rules to firing inconsistently
In-Reply-To: <563BA37E.5010508@msapiro.net>
References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> <563B8AEA.10804@msapiro.net> <4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu> <563B91EA.90106@msapiro.net> <563BA37E.5010508@msapiro.net>
Message-ID:

> On 11/05/2015 09:51 AM, Wolfgang Baudler wrote:
>
>>
>> Not sure what you mean with normal messages being present. There is
>> always
>> a lot of activity on that server, mostly spam, but also some ham
>> messages
>> present most of the time. "Max Children" is set to 5, but testing with
>> only one instance of MailScanner resulted in the same behavior also.
>
>
> By 'normal', I meant not errors or warnings. I mean if you consider two
> messages, one that fires and one that doesn't, if you look at all the
> MTA and MailScanner log messages relevant to the processing of those two
> messages, are the log messages the same or is there some difference
> between the two sets.
>

no difference in log messages, except the sender's domain and address of course.
internal log example: Nov 5 13:50:58 io MailScanner[24033]: Message tA5IopES005503 from 192.33.116.115 (wbaudler at gb.nrao.edu) to gb.nrao.edu is not spam, SpamAssassin (score=-199.008, required 5, autolearn=disabled, TEST_RULE_AA 1.00, NRAO_HEADER_PRESENT -100.00, TVD_SPACE_RATIO 0.00, T_RP_MATCHES_RCVD -0.01, USER_IN_WHITELIST -100.00) external log example: Nov 5 13:55:47 io MailScanner[24004]: Message tA5ItQmr006622 from 98.138.229.70 (wbaudler at yahoo.com) to gb.nrao.edu is not spam, SpamAssassin (score=0.902, required 5, autolearn=disabled, DKIM_ADSP_CUSTOM_MED 0.00, DKIM_SIGNED 0.10, FREEMAIL_FROM 0.00, LOCAL_ID_JAVAMAIL 1.00, NML_ADSP_CUSTOM_MED 1.20, RCVD_IN_DNSWL_LOW -0.70, RCVD_IN_MSPIKE_H3 -0.70, SPF_PASS -0.00, T_DKIM_INVALID 0.01, T_RP_MATCHES_RCVD -0.01) The TEST_RULE_AA test result is missing in the external example. The message sent was completely identical. > >> If there is only one instance of MailScanner running it still processes >> messages in batches, right? Is it possible that that it gets confused in >> that process and is mixing the results of different messages scanned in >> the same batch? Still doesn't explain why internal messages always fire >> correctly. > > > Yes, even with only one child, processing is still in batches. If there > is some evidence (added headers) in the message that doesn't fire that > spamassassin was invoked on that message, I don't see how that's an issue. It does have the usual spamassassin headers added. Just not with the right rule flags, i.e. rules that should have triggered are missing. > > OTOH, if there is no evidence that spamassassin was invoked on the > message at all, then we are looking at 'why does MailScanner sometimes > skip spamassassin' as opposed to 'why does spamassassin sometimes behave > differently'. The former could be a rule set. > No, it is definitely a case of 'why does spamassassin sometimes behave differently'. 
Wolfgang From mark at msapiro.net Thu Nov 5 20:58:45 2015 From: mark at msapiro.net (Mark Sapiro) Date: Thu, 5 Nov 2015 12:58:45 -0800 Subject: MailScanner causes SpamAssassin rules to firing inconsistently In-Reply-To: References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> <563B8AEA.10804@msapiro.net> <4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu> <563B91EA.90106@msapiro.net> <563BA37E.5010508@msapiro.net> Message-ID: <563BC305.4020807@msapiro.net> On 11/05/2015 11:05 AM, Wolfgang Baudler wrote: > > no difference in log messages, except the senders domain and address of > course. > > internal log example: > Nov 5 13:50:58 io MailScanner[24033]: Message tA5IopES005503 from > 192.33.116.115 (wbaudler at gb.nrao.edu) to gb.nrao.edu is not spam, > SpamAssassin (score=-199.008, required 5, autolearn=disabled, TEST_RULE_AA > 1.00, NRAO_HEADER_PRESENT -100.00, TVD_SPACE_RATIO 0.00, T_RP_MATCHES_RCVD > -0.01, USER_IN_WHITELIST -100.00) > > external log example: > Nov 5 13:55:47 io MailScanner[24004]: Message tA5ItQmr006622 from > 98.138.229.70 (wbaudler at yahoo.com) to gb.nrao.edu is not spam, > SpamAssassin (score=0.902, required 5, autolearn=disabled, > DKIM_ADSP_CUSTOM_MED 0.00, DKIM_SIGNED 0.10, FREEMAIL_FROM 0.00, > LOCAL_ID_JAVAMAIL 1.00, NML_ADSP_CUSTOM_MED 1.20, RCVD_IN_DNSWL_LOW > -0.70, RCVD_IN_MSPIKE_H3 -0.70, SPF_PASS -0.00, T_DKIM_INVALID 0.01, > T_RP_MATCHES_RCVD -0.01) > > The TEST_RULE_AA test result is missing in the external example. The > message sent was completely identical. At this point I am at a loss unless your "Max SpamAssassin Size" setting and your test message size are such that the extra headers from the remote source push the test string out of range. This seems highly unlikely. It seems this might be a spamassassin bug triggered by something in the message headers from the remote servers, but this seems unlikely too. 
--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From heino.backhaus at fink-computer.de Fri Nov 6 09:02:25 2015
From: heino.backhaus at fink-computer.de (Heino Backhaus)
Date: Fri, 6 Nov 2015 10:02:25 +0100
Subject: Linux file command identifies text-file as DOS executable (COM)
In-Reply-To: <563786D8.9080206@festa.bg>
References: <56377E3D.7010401@fink-computer.de> <563786D8.9080206@festa.bg>
Message-ID: <563C6CA1.8040403@fink-computer.de>

Thanks Valentin,

I've already upgraded to 5.25 and it works perfectly at the moment. The upgrade itself is, following the LFS-Documentation, easy. You need to have a sane development-system installed.

Thanks for helping

cheers
-Heino

"In retrospect it becomes clear that hindsight is definitely overrated!"

-Alfred E. Neumann

On 02.11.2015 at 16:52, Valentin Laskov wrote:
> Try
> in MailScanner.conf
> File Command = /usr/local/bin/file-wrapper
>
> and make /usr/local/bin/file-wrapper as this
>
> #!/bin/bash
> #
> /usr/bin/file --mime-type "$1"
> #end of /usr/local/bin/file-wrapper
>
> Regards
> Valentin
>
> On 02.11.2015 at 17:16, Heino Backhaus wrote:
>> A funny thing came across my eyes...
>>
>> if you're using file v5.14 to detect executables and you put this "锘"
>> Chinese character at the beginning of a text-file it will be detected
>> as DOS-Executable (COM). I'm wondering if I should upgrade to file
>> 5.24.
>>
>> Are there known issues with file v5.24 and MailScanner?
>>
>> # file msg-17333-4.txt
>> msg-17333-4.txt: DOS executable (COM)
>>
>> # file --version
>> file-5.14
>>
>> Greetings
>> -Heino
>>
>> "In retrospect it becomes clear that hindsight is definitely overrated!"
>>
>> -Alfred E. Neumann
>>
>>
>

From pauldwalker at gmail.com Sat Nov 7 07:45:37 2015
From: pauldwalker at gmail.com (Paul D. Walker)
Date: Sat, 7 Nov 2015 15:45:37 +0800
Subject: duplicate subject lines causing yahoo mail rejection
Message-ID:

Hmm..

My version of mailscanner on efa 3.0.0.8 is 4.84.6

My MailScanner settings are:
Multiple Headers = add
Place New Headers At Top Of Message = yes

I vaguely remember changing the Multiple Headers setting from append to add because of dkim. Unfortunately, I might be misremembering. I cannot remember and I didn't keep notes. All I am sure of is that it solved another problem for me.

- Paul

---------- Forwarded message ----------
> From: Kevin Miller
> To: "'MailScanner Discussion'"
> Cc:
> Date: Wed, 4 Nov 2015 18:09:47 +0000
> Subject: RE: duplicate subject lines causing yahoo mail rejection
>
> What’s an “efa”?
>
>
>
> I was having the same issue earlier this year. I don’t know if it was due
> to spaces in the subject, but we were getting rejects from yahoo due to
> multiple subjects injected by MailScanner.
>
>
>
> The workaround (I hesitate to call it a solution) was posted by Scott
> Anderson on 2/23, subject “RE: DKIM and MailScanner Watermarking”:
>
> Multiple Headers = append
>
> Place New Headers At Top Of Message = yes
>
>
>
> ...Kevin
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From syahrir.hamzah at gmail.com Mon Nov 9 07:15:16 2015
From: syahrir.hamzah at gmail.com (Syahrir Hamzah)
Date: Mon, 9 Nov 2015 14:15:16 +0700
Subject: Scam message which is not a scam.
Message-ID:

Dear Sir,

I set up an automatic e-mail for my trading using a robot and placed the robot in a VPS.
The problem is, every time the robot sends me an e-mail, that e-mail is identified as a scam and I am sent the following e-mail:

Our UCE (spam) detectors have been triggered by a message you received:-
From: syahrir.hamzah at efexrobot.com
Subject: EA WAVEDIR
Date: Wed Sep 16 19:00:09 2015
This message has not been delivered. The detectors that were triggered are spam, SpamAssassin.

The message to you has been detected as spam based on either its contents or the mail server which sent the message to us, or both.

If you have any questions about this, or you believe you have received this message in error, please contact the site system administrators.

Your system administrators will need the following information:
Server name: mx1-dti.idweb.host
Message id: 42D0521BD0.A9113
Date code: 20150916

The above e-mail is only one of many e-mails which are sent to me, which means it could happen with a different robot and a different date.
I use the same e-mail address (syahrir.hamzah at gmail.com) as receiver but I use syahrir.hamzah at efexrobot.com as a sender.
I usually use Google Chrome, google.com and Windows 8.1 on my computer.

I need to accept my e-mail directly and not filter it using your mail scanner software.

Thank you so much for your attention and help.

Regards: Syahrir.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From maxsec at gmail.com Mon Nov 9 11:11:54 2015
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 9 Nov 2015 11:11:54 +0000
Subject: Scam message which is not a scam.
In-Reply-To:
References:
Message-ID:

Hi

looks like this had nothing to do with the MailScanner product, but the spam testing setup at idwebhost.

I suggest to add an SPF record that says that your web robot's ip-address is allowed to send as efexrobot.com as you don't seem to have that set up. This will help a lot.

--
Martin Hepworth, CISSP
Oxford, UK

On 9 November 2015 at 07:15, Syahrir Hamzah wrote:

> Dear Sir,
>
> I set up an automatic e-mail for my trading using a robot and placed the
> robot in a VPS.
> The problem is, every time the robot sends me an e-mail, that e-mail is
> identified as a scam and I am sent the following e-mail:
>
> Our UCE (spam) detectors have been triggered by a message you received:-
> From: syahrir.hamzah at efexrobot.com
> Subject: EA WAVEDIR
> Date: Wed Sep 16 19:00:09 2015
> This message has not been delivered. The detectors that were triggered are
> spam, SpamAssassin.
>
> The message to you has been detected as spam based on either its contents
> or
> the mail server which sent the message to us, or both.
>
> If you have any questions about this, or you believe you have received
> this message in error, please contact the site system administrators.
>
> Your system administrators will need the following information:
> Server name: mx1-dti.idweb.host
> Message id: 42D0521BD0.A9113
> Date code: 20150916
>
> The above e-mail is only one of many e-mails which are sent to me, which
> means it could happen with a different robot and a different date.
> I use the same e-mail address (syahrir.hamzah at gmail.com) as receiver but
> I use syahrir.hamzah at efexrobot.com as a sender.
> I usually use Google Chrome, google.com and Windows 8.1 on my computer.
>
> I need to accept my e-mail directly and not filter it using your mail
> scanner software.
>
> Thank you so much for your attention and help.
>
> Regards: Syahrir.
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From alvaro at hostalia.com Tue Nov 10 09:47:06 2015
From: alvaro at hostalia.com (Alvaro Marín)
Date: Tue, 10 Nov 2015 10:47:06 +0100
Subject: Scan Messages and CustomFunction
In-Reply-To:
References: <5602CACF.30307@hostalia.com> <5603B78F.1090402@hostalia.com>
Message-ID: <5641BD1A.5070705@hostalia.com>

Hi,

I've been running MailScanner with this patch for several days and it's running fine. It reads the value of "scanmail" from the variable of $newmessage, and it doesn't call the function again to calculate it.

Regards,

On 30/09/15 at 21:52, Jerry Benton wrote:
> anyone have any feedback on this?
> I haven't had time to take a look at it,
>
> -
> Jerry Benton
> www.mailborder.com
> Sent from my iPhone
>
>> On Sep 24, 2015, at 04:42, Alvaro Marín wrote:
>>
>> Hi again,
>>
>> debugging the code, I've found those 2 calls to "Scan Messages" function:
>>
>> [+] Message.pm, new (constructor, called by Postfix.pm's CreateBatch
>> function):
>>
>>   # Decide if we want to scan this message at all
>>   $this->{scanmail} = MailScanner::Config::Value('scanmail', $this);
>>   if ($this->{scanmail} =~ /[12]/) {
>>     $this->{scanmail} = 1;
>>   } else {
>>     # Make sure it is set to something, and not left as undef.
>>     $this->{scanmail} = 0;
>>   }
>>   if ($this->{scanmail} !~ /1/) {
>>     $this->{scanvirusonly} = 1;
>>   } else {
>>     $this->{scanvirusonly} = 0;
>>   }
>>
>> [+] Postfix.pm, in CreateBatch function:
>>
>>   if (MailScanner::Config::Value("scanmail", $newmessage) =~ /[12]/ ||
>>       MailScanner::Config::Value("virusscan", $newmessage) =~ /1/ ||
>>       MailScanner::Config::Value("dangerscan", $newmessage) =~ /1/) {
>>     $newmessage->NeedsScanning(1);
>>
>>
>> So in that Postfix.pm's code, instead of reading the value of $newmessage's
>> variable "scanmail", that was created in Message.pm code that I've
>> pasted before, it calls again the MailScanner::Config::Value function
>> that searches again for that value (if it is a ruleset it will look for the
>> rule in the rules file or if it's a function, like in my configuration,
>> it will execute it one more time).
>> Changing that code to:
>>
>>   if ($newmessage->{"scanmail"} =~ /[12]/ ||
>>       $newmessage->{"virusscan"} =~ /1/ ||
>>       $newmessage->{"dangerscan"} =~ /1/) {
>>     $newmessage->NeedsScanning(1);
>>
>> it reads the value from the variable filled by Message.pm, and doesn't
>> call the function again.
>>
>> Can you confirm if this is correct?
>> Thanks.
>>
>> Regards,
>>
>>> On 23/09/15 at 17:52, Alvaro Marín wrote:
>>> Hello,
>>>
>>> I'm writing a CustomFunction to check the "Scan Messages" value in a
>>> database:
>>>
>>> Scan Messages = &ScanMsgs
>>>
>>> I've done the same with:
>>>
>>> Spam Checks (to avoid mails being scanned, that is, whitelisting)
>>> Is Definitely Spam (for blacklisting)
>>>
>>> and these 2 functions run fine.
>>>
>>> The problem with "Scan Messages" is that the function is executed two
>>> times for each message:
>>>
>>> Sep 23 17:15:05 MailScanner[22554]: 4694D2180A7.AC573: ScanMsgs checking.
>>> Sep 23 17:15:05 MailScanner[22554]: 4694D2180A7.AC573: ScanMsgs checking.
>>>
>>> and I see in MySQL logs that the queries are done 2 times.
>>> Simplifying the code to:
>>>
>>> ========
>>> package MailScanner::CustomConfig;
>>> sub InitScanMsgs {
>>>   MailScanner::Log::InfoLog("Starting ScanMsgs...");
>>> }
>>> sub ScanMsgs {
>>>   my($message) = @_;
>>>   my $msgid=$message->{id};
>>>   MailScanner::Log::WarnLog("$msgid: ScanMsgs checking.");
>>>   return 0;
>>> }
>>> sub EndScanMsgs {
>>>   MailScanner::Log::InfoLog("Ending ScanMsgs...");
>>>   exit;
>>> }
>>> 1;
>>> ========
>>>
>>> the problem still occurs.
>>> Any idea? It is strange because, as I've said, white and blacklisting work
>>> fine with similar code.
>>>
>>> Thank you.
>>> Regards,
>>
>>
>> --
>> Alvaro Marín Illera
>> Hostalia Internet
>> www.hostalia.com
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>
>

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From koby at mksoft.co.il Mon Nov 16 10:20:14 2015
From: koby at mksoft.co.il (Koby Peleg Hen)
Date: Mon, 16 Nov 2015 12:20:14 +0200
Subject: Sql Config Goal
Message-ID: <5649ADDE.206@mksoft.co.il>

An HTML attachment was scrubbed...
URL:

From mailscanner at gojensen.no Mon Nov 16 11:18:30 2015
From: mailscanner at gojensen.no (gojensen)
Date: Mon, 16 Nov 2015 12:18:30 +0100
Subject: Filename/type rules
Message-ID: <5649BB86.9040201@gojensen.no>

Quick question... how can I verify that attachments are scanned for "invalid" files? We keep getting .zip files with .scr executables inside of them... not good.

And in the MailScanner.conf I can read...

# This can also point to a ruleset, but the ruleset filename must end in
# ".rules" so that MailScanner can determine if the filename given is
# a ruleset or not!
Filename Rules = %etc-dir%/filename.rules.conf

So the description says the filename must end with .rules extension, but the default is .rules.conf?!

Which is correct?

--
// gojensen

From Antony.Stone at mailscanner.open.source.it Mon Nov 16 11:38:07 2015
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Mon, 16 Nov 2015 12:38:07 +0100
Subject: Filename/type rules
In-Reply-To: <5649BB86.9040201@gojensen.no>
References: <5649BB86.9040201@gojensen.no>
Message-ID: <201511161238.07559.Antony.Stone@mailscanner.open.source.it>

On Monday 16 November 2015 at 12:18:30, gojensen wrote:

> Quick question... how can I verify that attachments are scanned for
> "invalid" files? We keep getting .zip files with .scr executables inside
> of them... not good.

Your system should be looking inside the zip files to see what the content is, not just regarding it as "a zip file".

> And in the MailScanner.conf I can read...
>
> # This can also point to a ruleset, but the ruleset filename must end in
> # ".rules" so that MailScanner can determine if the filename given is
> # a ruleset or not!
> Filename Rules = %etc-dir%/filename.rules.conf
>
> So the description says the filename must end with .rules extension, but
> the default is .rules.conf?!
>
> Which is correct?

Both :)

If you specify just a list of (static) filename rules, they go into the file %etc-dir%/filename.rules.conf

If instead you specify a ruleset, then the filename containing that ruleset must end in .rules

This is how MailScanner knows that one is a list of rules, and the other is a ruleset.

Rulesets allow you to do different things based on sender and recipient addresses. Static rules simply apply the same (filename, in this case) rules to all mail going through the system.

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:readme has further details.

Regards,

Antony.

--
There's no such thing as bad weather - only the wrong clothes.

- Billy Connolly

Please reply to the list; please *don't* CC me.

From mailscanner at gojensen.no Mon Nov 16 13:51:07 2015
From: mailscanner at gojensen.no (gojensen)
Date: Mon, 16 Nov 2015 14:51:07 +0100
Subject: Filename/type rules
In-Reply-To: <201511161238.07559.Antony.Stone@mailscanner.open.source.it>
References: <5649BB86.9040201@gojensen.no> <201511161238.07559.Antony.Stone@mailscanner.open.source.it>
Message-ID: <5649DF4B.6030402@gojensen.no>

On 16.11.2015 12:38, Antony Stone wrote:
> On Monday 16 November 2015 at 12:18:30, gojensen wrote:
>> Quick question... how can I verify that attachments are scanned for
>> "invalid" files? We keep getting .zip files with .scr executables inside
>> of them... not good.
>
> Your system should be looking inside the zip files to see what the content is,
> not just regarding it as "a zip file".

Then this must not be working... We got a .zip with a .scr inside and it just got through with no tagging or flagging... any idea how I can debug this?

As far as I can see from the mostly default mailscanner.conf it does treat .zip as archives and it uses the archives.filename.rules.conf which has a deny on .scr files.

#MailScanner.conf
Archives Are = zip rar ole
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf

#both filename.rules.conf and archives.filename.rules.conf has this
deny \.scr$ Possible virus hidden in a screensaver

I did notice Maximum Archive Depth was set to 0 (by default?) - does this totally disable archive scanning?! or just disable the limit on nested archive files?

> If you specify just a list of (static) filename rules, they go into the file
> %etc-dir%/filename.rules.conf
>
> If instead you specify a ruleset, then the filename containing that ruleset
> must end in .rules
>
> This is how MailScanner knows that one is a list of rules, and the other is a
> ruleset.
>
> Rulesets allow you to do different things based on sender and recipient
> addresses. Static rules simply apply the same (filename, in this case) rules
> to all mail going through the system.

Thanks for that clarification Antony. We don't use advanced rulesets so that's why I was a bit confused I guess...

--
// gojensen

From jerry.benton at mailborder.com Mon Nov 16 14:12:10 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 16 Nov 2015 09:12:10 -0500
Subject: Filename/type rules
In-Reply-To: <5649DF4B.6030402@gojensen.no>
References: <5649BB86.9040201@gojensen.no> <201511161238.07559.Antony.Stone@mailscanner.open.source.it> <5649DF4B.6030402@gojensen.no>
Message-ID: <232BDB9B-62BD-41FC-9010-070F2948FFEE@mailborder.com>

Are you sure you did not get a zipped HTML file with an iframe that downloaded the .scr? It is currently a common attack vector.

-
Jerry Benton
www.mailborder.com

> On Nov 16, 2015, at 8:51 AM, gojensen wrote:
>
> On 16.11.2015 12:38, Antony Stone wrote:
>> On Monday 16 November 2015 at 12:18:30, gojensen wrote:
>>> Quick question...
>>> how can I verify that attachments are scanned for
>>> "invalid" files? We keep getting .zip files with .scr executables inside
>>> of them... not good.
>>
>> Your system should be looking inside the zip files to see what the content is,
>> not just regarding it as "a zip file".
>
> Then this must not be working... We got a .zip with a .scr inside and it just got through with no tagging or flagging... any idea how I can debug this?
>
> As far as I can see from the mostly default mailscanner.conf it does treat .zip as archives and it uses the archives.filename.rules.conf which has a deny on .scr files.
>
> #MailScanner.conf
> Archives Are = zip rar ole
> Filename Rules = %etc-dir%/filename.rules.conf
> Filetype Rules = %etc-dir%/filetype.rules.conf
> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
> Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
>
> #both filename.rules.conf and archives.filename.rules.conf has this
> deny \.scr$ Possible virus hidden in a screensaver
>
> I did notice Maximum Archive Depth was set to 0 (by default?) - does this totally disable archive scanning?! or just disable the limit on nested archive files?
>
>> If you specify just a list of (static) filename rules, they go into the file
>> %etc-dir%/filename.rules.conf
>>
>> If instead you specify a ruleset, then the filename containing that ruleset
>> must end in .rules
>>
>> This is how MailScanner knows that one is a list of rules, and the other is a
>> ruleset.
>>
>> Rulesets allow you to do different things based on sender and recipient
>> addresses. Static rules simply apply the same (filename, in this case) rules
>> to all mail going through the system.
>
> Thanks for that clarification Antony. We don't use advanced rulesets so that's why I was a bit confused I guess...
>
> --
> // gojensen
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From mailscanner at gojensen.no Mon Nov 16 14:17:43 2015
From: mailscanner at gojensen.no (gojensen)
Date: Mon, 16 Nov 2015 15:17:43 +0100
Subject: Filename/type rules
In-Reply-To: <232BDB9B-62BD-41FC-9010-070F2948FFEE@mailborder.com>
References: <5649BB86.9040201@gojensen.no> <201511161238.07559.Antony.Stone@mailscanner.open.source.it> <5649DF4B.6030402@gojensen.no> <232BDB9B-62BD-41FC-9010-070F2948FFEE@mailborder.com>
Message-ID: <5649E587.2050202@gojensen.no>

Nope, regular zip with a regular scr inside.

Can't really test it either, because both google-mail and my private mail server refuse to send the mail :D Just our company service that admits it... :-/

--
// gojensen

On 16.11.2015 15:12, Jerry Benton wrote:
> Are you sure you did not get a zipped HTML file with an iframe that downloaded the .scr? It is currently a common attack vector.
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On Nov 16, 2015, at 8:51 AM, gojensen wrote:
>>
>> On 16.11.2015 12:38, Antony Stone wrote:
>>> On Monday 16 November 2015 at 12:18:30, gojensen wrote:
>>>> Quick question... how can I verify that attachments are scanned for
>>>> "invalid" files? We keep getting .zip files with .scr executables inside
>>>> of them... not good.
>>>
>>> Your system should be looking inside the zip files to see what the content is,
>>> not just regarding it as "a zip file".
>>
>> Then this must not be working... We got a .zip with a .scr inside and it just got through with no tagging or flagging... any idea how I can debug this?
>>
>> As far as I can see from the mostly default mailscanner.conf it does treat .zip as archives and it uses the archives.filename.rules.conf which has a deny on .scr files.
>>
>> #MailScanner.conf
>> Archives Are = zip rar ole
>> Filename Rules = %etc-dir%/filename.rules.conf
>> Filetype Rules = %etc-dir%/filetype.rules.conf
>> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
>> Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
>>
>> #both filename.rules.conf and archives.filename.rules.conf has this
>> deny \.scr$ Possible virus hidden in a screensaver
>>
>> I did notice Maximum Archive Depth was set to 0 (by default?) - does this totally disable archive scanning?! or just disable the limit on nested archive files?
>>
>>> If you specify just a list of (static) filename rules, they go into the file
>>> %etc-dir%/filename.rules.conf
>>>
>>> If instead you specify a ruleset, then the filename containing that ruleset
>>> must end in .rules
>>>
>>> This is how MailScanner knows that one is a list of rules, and the other is a
>>> ruleset.
>>>
>>> Rulesets allow you to do different things based on sender and recipient
>>> addresses. Static rules simply apply the same (filename, in this case) rules
>>> to all mail going through the system.
>>
>> Thanks for that clarification Antony. We don't use advanced rulesets so that's why I was a bit confused I guess...
>>
>> --
>> // gojensen
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>
>
>

From heino.backhaus at fink-computer.de Mon Nov 16 14:19:11 2015
From: heino.backhaus at fink-computer.de (Heino Backhaus)
Date: Mon, 16 Nov 2015 15:19:11 +0100
Subject: Filename/type rules
In-Reply-To: <5649DF4B.6030402@gojensen.no>
References: <5649BB86.9040201@gojensen.no> <201511161238.07559.Antony.Stone@mailscanner.open.source.it> <5649DF4B.6030402@gojensen.no>
Message-ID: <5649E5DF.1060008@fink-computer.de>

please double check that the zip is really a zip and not something else. .arj just renamed to .zip for example.
In this case mailscanner will not look inside the archive cause it's an arj. 7zip will extract it anyway...

Kind regards

H. Backhaus

Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backhaus at fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Fon: +49-641-98444640
VAT ID: DE151040770
HRB: 2143 Gießen
Managing director: Fredi Fink

"In retrospect it becomes clear that hindsight is definitely overrated!"

-Alfred E. Neumann

On 16.11.2015 at 14:51, gojensen wrote:
> On 16.11.2015 12:38, Antony Stone wrote:
>> On Monday 16 November 2015 at 12:18:30, gojensen wrote:
>>> Quick question... how can I verify that attachments are scanned for
>>> "invalid" files? We keep getting .zip files with .scr executables inside
>>> of them... not good.
>>
>> Your system should be looking inside the zip files to see what the
>> content is,
>> not just regarding it as "a zip file".
>
> Then this must not be working... We got a .zip with a .scr inside and it
> just got through with no tagging or flagging... any idea how I can debug
> this?
>
> As far as I can see from the mostly default mailscanner.conf it does
> treat .zip as archives and it uses the archives.filename.rules.conf
> which has a deny on .scr files.
>
> #MailScanner.conf
> Archives Are = zip rar ole
> Filename Rules = %etc-dir%/filename.rules.conf
> Filetype Rules = %etc-dir%/filetype.rules.conf
> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
> Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
>
> #both filename.rules.conf and archives.filename.rules.conf has this
> deny \.scr$ Possible virus hidden in a screensaver
>
> I did notice Maximum Archive Depth was set to 0 (by default?) - does
> this totally disable archive scanning?! or just disable the limit on
> nested archive files?
>
>> If you specify just a list of (static) filename rules, they go into
>> the file
>> %etc-dir%/filename.rules.conf
>>
>> If instead you specify a ruleset, then the filename containing that
>> ruleset
>> must end in .rules
>>
>> This is how MailScanner knows that one is a list of rules, and the
>> other is a
>> ruleset.
>>
>> Rulesets allow you to do different things based on sender and recipient
>> addresses. Static rules simply apply the same (filename, in this
>> case) rules
>> to all mail going through the system.
>
> Thanks for that clarification Antony. We don't use advanced rulesets so
> that's why I was a bit confused I guess...
>

From alex at vidadigital.com.pa Mon Nov 16 14:21:00 2015
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Mon, 16 Nov 2015 09:21:00 -0500
Subject: Sql Config Goal
In-Reply-To: <5649ADDE.206@mksoft.co.il>
References: <5649ADDE.206@mksoft.co.il>
Message-ID:

Benefits include centralizing the configuration, even when using multiple MailScanner boxes in a load-balancing fashion.

Alex Neuman van der Hans
Producer/Host, Vida Digital
+1 (440) 253-9789 | +507 6781-9505 | Panama | alex at vidadigital.com.pa | http://vidadigital.com.pa/ | Skype: alexneuman

On Mon, Nov 16, 2015 at 5:20 AM, Koby Peleg Hen wrote:

> Hello All
> I would like to ask what is the most benefit with the SQL config
> Does it allow any option that the regular config option does not?
>
> Thanks,
> Koby Peleg Hen.
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From steveb_clamav at sanesecurity.com Mon Nov 16 14:23:50 2015
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Mon, 16 Nov 2015 14:23:50 -0000
Subject: Filename/type rules
In-Reply-To: <5649BB86.9040201@gojensen.no>
References: <5649BB86.9040201@gojensen.no>
Message-ID: <8e4eba23d6472c5f58da207bd2d8f4ec.squirrel@sirius.servers.eqx.misp.co.uk>

On Mon, November 16, 2015 11:18 am, gojensen wrote:
> Quick question... how can I verify that attachments are scanned for
> "invalid" files? We keep getting .zip files with .scr executables inside
> of them... not good.
>

I think you've got to set (for example):

Maximum Archive Depth = 2

If you are using ClamAV:
http://sanesecurity.com/foxhole-databases/

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com

From mailscanner at gojensen.no Mon Nov 16 14:28:07 2015
From: mailscanner at gojensen.no (gojensen)
Date: Mon, 16 Nov 2015 15:28:07 +0100
Subject: Filename/type rules
In-Reply-To: <8e4eba23d6472c5f58da207bd2d8f4ec.squirrel@sirius.servers.eqx.misp.co.uk>
References: <5649BB86.9040201@gojensen.no> <8e4eba23d6472c5f58da207bd2d8f4ec.squirrel@sirius.servers.eqx.misp.co.uk>
Message-ID: <5649E7F7.9030401@gojensen.no>

Yes. Changing Maximum Archive Depth from the default 0 (?) to something larger stopped the attachment...

Going to take a look at that Foxhole now ;) thanks for the tip...

--
// gojensen

On 16.11.2015 15:23, Steve Basford wrote:
>
> On Mon, November 16, 2015 11:18 am, gojensen wrote:
>> Quick question... how can I verify that attachments are scanned for
>> "invalid" files? We keep getting .zip files with .scr executables inside
>> of them... not good.
>>
> I think you've got to set (for example):
>
> Maximum Archive Depth = 2
>
> If you are using ClamAV:
> http://sanesecurity.com/foxhole-databases/
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
>
>
>

From jerry.benton at mailborder.com Mon Nov 16 14:30:16 2015
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 16 Nov 2015 09:30:16 -0500
Subject: Filename/type rules
In-Reply-To: <5649E7F7.9030401@gojensen.no>
References: <5649BB86.9040201@gojensen.no> <8e4eba23d6472c5f58da207bd2d8f4ec.squirrel@sirius.servers.eqx.misp.co.uk> <5649E7F7.9030401@gojensen.no>
Message-ID:

Default is 8

-
Jerry Benton
www.mailborder.com

> On Nov 16, 2015, at 9:28 AM, gojensen wrote:
>
> Yes. Changing Maximum Archive Depth from the default 0 (?) to something larger stopped the attachment...
>
> Going to take a look at that Foxhole now ;) thanks for the tip...
>
> --
> // gojensen
>
> On 16.11.2015 15:23, Steve Basford wrote:
>>
>> On Mon, November 16, 2015 11:18 am, gojensen wrote:
>>> Quick question... how can I verify that attachments are scanned for
>>> "invalid" files? We keep getting .zip files with .scr executables inside
>>> of them... not good.
>>>
>> I think you've got to set (for example):
>>
>> Maximum Archive Depth = 2
>>
>> If you are using ClamAV:
>> http://sanesecurity.com/foxhole-databases/
>>
>> Cheers,
>>
>> Steve
>> Web : sanesecurity.com
>> Blog: sanesecurity.blogspot.com
>>
>>
>>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From wbaudler at gb.nrao.edu Mon Nov 16 20:53:14 2015
From: wbaudler at gb.nrao.edu (Wolfgang Baudler)
Date: Mon, 16 Nov 2015 15:53:14 -0500
Subject: MailScanner causes SpamAssassin rules to firing inconsistently
In-Reply-To: <563BC305.4020807@msapiro.net>
References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> <563B8AEA.10804@msapiro.net> <4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu> <563B91EA.90106@msapiro.net> <563BA37E.5010508@msapiro.net> <563BC305.4020807@msapiro.net>
Message-ID:

> On 11/05/2015 11:05 AM, Wolfgang Baudler wrote:
>>
>> no difference in log messages, except the sender's domain and address of
>> course.
>>
>> internal log example:
>> Nov 5 13:50:58 io MailScanner[24033]: Message tA5IopES005503 from
>> 192.33.116.115 (wbaudler at gb.nrao.edu) to gb.nrao.edu is not spam,
>> SpamAssassin (score=-199.008, required 5, autolearn=disabled,
>> TEST_RULE_AA
>> 1.00, NRAO_HEADER_PRESENT -100.00, TVD_SPACE_RATIO 0.00,
>> T_RP_MATCHES_RCVD
>> -0.01, USER_IN_WHITELIST -100.00)
>>
>> external log example:
>> Nov 5 13:55:47 io MailScanner[24004]: Message tA5ItQmr006622 from
>> 98.138.229.70 (wbaudler at yahoo.com) to gb.nrao.edu is not spam,
>> SpamAssassin (score=0.902, required 5, autolearn=disabled,
>> DKIM_ADSP_CUSTOM_MED 0.00, DKIM_SIGNED 0.10, FREEMAIL_FROM 0.00,
>> LOCAL_ID_JAVAMAIL 1.00, NML_ADSP_CUSTOM_MED 1.20, RCVD_IN_DNSWL_LOW
>> -0.70, RCVD_IN_MSPIKE_H3 -0.70, SPF_PASS -0.00, T_DKIM_INVALID 0.01,
>> T_RP_MATCHES_RCVD -0.01)
>>
>> The TEST_RULE_AA test result is missing in the external example.
>> The message sent was completely identical.
>
>
> At this point I am at a loss unless your "Max SpamAssassin Size" setting
> and your test message size are such that the extra headers from the
> remote source push the test string out of range. This seems highly
> unlikely.
>
> It seems this might be a spamassassin bug triggered by something in the
> message headers from the remote servers, but this seems unlikely too.
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>

After doing some extended chasing I have an update on this issue.

It seems that the firing or non-firing of body rules depends on the MUA used to send the message. In particular on the fact that some MUAs add an empty line (0x0a newline) at the end of the body when sending and some do not. Those that add the extra line with a newline will fire body rules correctly if processed through MailScanner, those that do not have the extra line will not fire. Some particular real spam messages seem to consistently lack this empty line and thus do not get tagged correctly.

I have not figured out exactly where this missing newline throws MailScanner off, but I was able to implement a crude fix by modifying the loop of the ReadBody function in SMDiskStore.pm like this (we are using sendmail with MailScanner):

  while(defined($line = <$dh>) && $size<$max) {
    push @{$body}, $line;
    $size += length($line);
    #print STDERR "Line read2 is ****" . $line . "****\n";
  }
  $lastlineread = $line;
  push @{$body}, "\n";

Only the last line was added, which pushes an unconditional newline at the end of the body just read. After that modification all body rules fire correctly as expected.

Hopefully someone more familiar with the MailScanner code can come up with a proper patch to fix this issue?
Wolfgang

From koby at mksoft.co.il Sat Nov 21 12:15:58 2015
From: koby at mksoft.co.il (Koby Peleg Hen)
Date: Sat, 21 Nov 2015 14:15:58 +0200
Subject: F-Prot Version
Message-ID: <5650607E.9090403@mksoft.co.il>

An HTML attachment was scrubbed...
URL:

From iversons at rushville.k12.in.us Sat Nov 21 13:19:19 2015
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 21 Nov 2015 08:19:19 -0500
Subject: duplicate subject lines causing yahoo mail rejection
In-Reply-To:
References:
Message-ID:

Paul,

Would you do me a favor and test the code in this Pull Request?

https://github.com/MailScanner/v4/pull/42/files

On Sat, Nov 7, 2015 at 2:45 AM, Paul D. Walker wrote:

> Hmm..
>
> My version of mailscanner on efa 3.0.0.8 is 4.84.6
>
> My MailScanner settings are:
> Multiple Headers = add
> Place New Headers At Top Of Message = yes
>
> I vaguely remember changing the Multiple Headers setting from append to
> add because of dkim. Unfortunately, I might be misremembering. I cannot
> remember and I didn't keep notes. All I am sure of is that it solved
> another problem for me.
>
> - Paul
>
> ---------- Forwarded message ----------
>> From: Kevin Miller
>> To: "'MailScanner Discussion'"
>> Cc:
>> Date: Wed, 4 Nov 2015 18:09:47 +0000
>> Subject: RE: duplicate subject lines causing yahoo mail rejection
>>
>> What’s an “efa”?
>>
>>
>>
>> I was having the same issue earlier this year. I don’t know if it was
>> due to spaces in the subject, but we were getting rejects from yahoo due to
>> multiple subjects injected by MailScanner.
>>
>>
>>
>> The workaround (I hesitate to call it a solution) was posted by Scott
>> Anderson on 2/23, subject “RE: DKIM and MailScanner Watermarking”:
>>
>> Multiple Headers = append
>>
>> Place New Headers At Top Of Message = yes
>>
>>
>>
>> ...Kevin
>>
>>
>>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
>

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From iversons at rushville.k12.in.us Sat Nov 21 13:19:58 2015
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 21 Nov 2015 08:19:58 -0500
Subject: duplicate subject lines causing yahoo mail rejection
In-Reply-To:
References:
Message-ID:

Whoops wrong thread...

On Sat, Nov 21, 2015 at 8:19 AM, Shawn Iverson wrote:

> Paul,
>
> Would you do me a favor and test the code in this Pull Request?
>
> https://github.com/MailScanner/v4/pull/42/files
>
> On Sat, Nov 7, 2015 at 2:45 AM, Paul D. Walker
> wrote:
>
>> Hmm..
>>
>> My version of mailscanner on efa 3.0.0.8 is 4.84.6
>>
>> My MailScanner settings are:
>> Multiple Headers = add
>> Place New Headers At Top Of Message = yes
>>
>> I vaguely remember changing the Multiple Headers setting from append to
>> add because of dkim. Unfortunately, I might be misremembering. I cannot
>> remember and I didn't keep notes. All I am sure of is that it solved
>> another problem for me.
>>
>> - Paul
>>
>> ---------- Forwarded message ----------
>>> From: Kevin Miller
>>> To: "'MailScanner Discussion'"
>>> Cc:
>>> Date: Wed, 4 Nov 2015 18:09:47 +0000
>>> Subject: RE: duplicate subject lines causing yahoo mail rejection
>>>
>>> What’s an “efa”?
>>>
>>>
>>>
>>> I was having the same issue earlier this year.
>>> I don’t know if it was
>>> due to spaces in the subject, but we were getting rejects from yahoo due to
>>> multiple subjects injected by MailScanner.
>>>
>>>
>>>
>>> The workaround (I hesitate to call it a solution) was posted by Scott
>>> Anderson on 2/23, subject “RE: DKIM and MailScanner Watermarking”:
>>>
>>> Multiple Headers = append
>>>
>>> Place New Headers At Top Of Message = yes
>>>
>>>
>>>
>>> ...Kevin
>>>
>>>
>>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>>
>>
>
>
> --
> Shawn Iverson
> Director of Technology
> Rush County Schools
> 765-932-3901 x271
> iversons at rushville.k12.in.us
>
>
>

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From iversons at rushville.k12.in.us Sat Nov 21 13:20:47 2015
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 21 Nov 2015 08:20:47 -0500
Subject: MailScanner causes SpamAssassin rules to firing inconsistently
In-Reply-To:
References: <337823d02b9775137cb2fbc2e143707b.squirrel@webmail.gb.nrao.edu> <563B8AEA.10804@msapiro.net> <4efed985650ec6619cdabfa03c1ca30c.squirrel@webmail.gb.nrao.edu> <563B91EA.90106@msapiro.net> <563BA37E.5010508@msapiro.net> <563BC305.4020807@msapiro.net>
Message-ID:

Wolfgang,

Would you do me a favor and test this PR in your setup?

https://github.com/MailScanner/v4/pull/42/files

On Mon, Nov 16, 2015 at 3:53 PM, Wolfgang Baudler wrote:

> > On 11/05/2015 11:05 AM, Wolfgang Baudler wrote:
> >>
> >> no difference in log messages, except the sender's domain and address of
> >> course.
> >>
> >> internal log example:
> >> Nov 5 13:50:58 io MailScanner[24033]: Message tA5IopES005503 from
> >> 192.33.116.115 (wbaudler at gb.nrao.edu) to gb.nrao.edu is not spam,
> >> SpamAssassin (score=-199.008, required 5, autolearn=disabled,
> >> TEST_RULE_AA
> >> 1.00, NRAO_HEADER_PRESENT -100.00, TVD_SPACE_RATIO 0.00,
> >> T_RP_MATCHES_RCVD
> >> -0.01, USER_IN_WHITELIST -100.00)
> >>
> >> external log example:
> >> Nov 5 13:55:47 io MailScanner[24004]: Message tA5ItQmr006622 from
> >> 98.138.229.70 (wbaudler at yahoo.com) to gb.nrao.edu is not spam,
> >> SpamAssassin (score=0.902, required 5, autolearn=disabled,
> >> DKIM_ADSP_CUSTOM_MED 0.00, DKIM_SIGNED 0.10, FREEMAIL_FROM 0.00,
> >> LOCAL_ID_JAVAMAIL 1.00, NML_ADSP_CUSTOM_MED 1.20, RCVD_IN_DNSWL_LOW
> >> -0.70, RCVD_IN_MSPIKE_H3 -0.70, SPF_PASS -0.00, T_DKIM_INVALID 0.01,
> >> T_RP_MATCHES_RCVD -0.01)
> >>
> >> The TEST_RULE_AA test result is missing in the external example. The
> >> message sent was completely identical.
> >
> >
> > At this point I am at a loss unless your "Max SpamAssassin Size" setting
> > and your test message size are such that the extra headers from the
> > remote source push the test string out of range. This seems highly
> > unlikely.
> >
> > It seems this might be a spamassassin bug triggered by something in the
> > message headers from the remote servers, but this seems unlikely too.
> >
> > --
> > Mark Sapiro        The highway is for gamblers,
> > San Francisco Bay Area, California    better use your sense - B. Dylan
> >
> >
>
> After doing some extended chasing I have an update on this issue.
>
> It seems that the firing or non-firing of body rules depends on the MUA
> used to send the message. In particular on the fact that some MUAs add an
> empty line (0x0a newline) at the end of the body when
> sending and some do not.
>
> Those that add the extra line with a newline will fire body rules
> correctly if processed through MailScanner, those that do not have the
> extra line will not fire.
>
> Some particular real spam messages seem to consistently lack this empty
> line and thus do not get tagged correctly.
>
> I have not figured out exactly where this missing newline throws
> MailScanner off, but I was able to implement a crude fix by modifying the
> loop of the ReadBody function in SMDiskStore.pm like this (we are using
> sendmail with MailScanner):
>
> while(defined($line = <$dh>) && $size<$max) {
>   push @{$body}, $line;
>   $size += length($line);
>   #print STDERR "Line read2 is ****" . $line . "****\n";
> }
> $lastlineread = $line;
> push @{$body}, "\n";
>
> Only the last line was added, which pushes an unconditional newline at the
> end of the body just read. After that modification all body rules fire
> correctly as expected.
>
> Hopefully someone more familiar with the MailScanner code can come up with
> a proper patch to fix this issue?
>
> Wolfgang
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dave at jonesol.com Sun Nov 22 15:51:19 2015
From: dave at jonesol.com (Dave Jones)
Date: Sun, 22 Nov 2015 09:51:19 -0600
Subject: F-Prot Version
In-Reply-To: <5650607E.9090403@mksoft.co.il>
References: <5650607E.9090403@mksoft.co.il>
Message-ID:

Most of the time it should be the file scanner. I use Eset Nod32 on a
large mail filtering platform for about 92K mailboxes and it's very fast.
I used McAfee before and it had a 4 or 5 second startup time for each
batch which made my overall batch processing time much longer.

On Sat, Nov 21, 2015 at 6:15 AM, Koby Peleg Hen wrote:
> Hello All,
> I would like to add one more AV to my MailScanner.
> I would like to try F-Prot AV which has 2 versions:
>
> 1. F-Prot for Linux 64 bit mail server
> 2. F-Prot for Linux 64 bit file server
>
> Which one is the right one?
>
> Thank you all for your cooperation
>
> Koby Peleg Hen
>
>
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>

From wcolburn at nrao.edu Wed Nov 25 18:10:09 2015
From: wcolburn at nrao.edu (William D. Colburn)
Date: Wed, 25 Nov 2015 11:10:09 -0700
Subject: Trouble making my own virus scanner
Message-ID: <20151125181009.GA15002@anotheruvula.aoc.nrao.edu>

I'm trying to use MailScanner to scan mail for viruses with Microsoft's
SCEP.

I updated /etc/MailScanner/virus.scanners.conf to use my own scep wrapper.
#generic /usr/share/MailScanner/generic-wrapper /
generic /opt/services/bin/scep-wrapper /opt/microsoft/scep

I updated /etc/MailScanner/MailScanner.conf to use both sophos and scep
Virus Scanners = sophos generic

My wrapper does (mostly) what the documentation in
/usr/share/MailScanner/generic-wrapper says it should do. It parses
-IsItInstalled and returns 0 or 1 depending. It assumes the last
argument is the directory to scan (ignoring the possibility of an option
-disinfect). It writes to stdout lines that look like
"INFECTED::virusname::path\n". It doesn't return the error code from
the virus scanner, but does return false (!0) if a virus is found, and
true (0) if no virus is found.

I can see that MailScanner is calling my scanner. I even get log
messages about viruses found, including lines such as "Generic found 3
infections".

Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner:: scep INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/r20150934875878888224005.PDF.exe
Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner:: scep INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/n201593844371388752253040.rar
Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner:: scep INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/n201593844371388752253040.rar >> RAR >> 20150934875878888224005.PDF'.exe
Nov 25 10:21:23 revere MailScanner[12670]: Virus Scanning: Generic found 3 infections

The actual messages passed on, however, only mention Sophos. If I take
sophos out of MailScanner.conf the messages are not flagged as viruses.

I didn't change anything in SweepViruses.pm, and I don't see anything from
reading that file that I'm doing wrong.

Why isn't generic catching my viruses?

--Schlake
-------------- next part --------------
#!/usr/bin/env python

import os
import sys
import time

now = time.time()

debug = False
if debug:
    log = open( "/tmp/scep-wrapper.log", "a+" )
    log.write( str( now ) + ' started ' + str( sys.argv ) + '\n' )
    log.close()

scep = "/opt/microsoft/scep/sbin/scep_scan"

found = []

if sys.argv[1] == "-IsItInstalled":
    if os.path.exists( scep ):
        sys.exit( 0 )
    else:
        sys.exit( 1 )

target = sys.argv[-1]

ret = 0
def parse( line ):
    global ret
    path = line.split( 'name="' )[1].split( '", threat="' )[0]
    virus = line.split( ', threat="' )[1].split( '", action="' )[0]
    ##
    ## the virus could still be wrong if it sticks random text in there
    ## that isn't the one case I know about and check for
    ##
    ## Archives will have >> and more data than just a path, but I don't
    ## think I care?
    ##
    ret = ret + 1
    found.append( virus )
    return 'INFECTED::%s::%s' % (virus,path)

##
## LANG=C because I don't want weird things to happen
##
cmd = "LANG=C %s --clean-mode=none %s 2>&1" % (scep,target)
fp = os.popen( cmd, "r" )
for line in fp:
    if (', threat="' in line) and (', threat="", ' not in line) and ('", threat="is OK", ' not in line):
        print( parse( line ) )
fp.close()

if found:
    log = open( "/tmp/scep-wrapper.log", "a+" )
    log.write( str( now ) + ' found ' + str( found ) + '\n' )
    log.close()

#sys.exit( ret )
sys.exit( 0 )

From iversons at rushville.k12.in.us Thu Nov 26 11:38:33 2015
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Thu, 26 Nov 2015 06:38:33 -0500
Subject: Trouble making my own virus scanner
In-Reply-To: <20151125181009.GA15002@anotheruvula.aoc.nrao.edu>
References: <20151125181009.GA15002@anotheruvula.aoc.nrao.edu>
Message-ID:

I use SCEP here. I'll set it up and give it a go with your wrapper.

I know that each scanner has its own code in SweepViruses.pm. I'm not
sure if the generic scanner is actually doing much. The
"ProcessGenericOutput" subroutine appears pretty barebones at first
glance.

On Wed, Nov 25, 2015 at 1:10 PM, William D. Colburn wrote:

> I'm trying to use MailScanner to scan mail for viruses with Microsoft's
> SCEP.
>
> I updated /etc/MailScanner/virus.scanners.conf to use my own scep wrapper.
> #generic /usr/share/MailScanner/generic-wrapper /
> generic /opt/services/bin/scep-wrapper
> /opt/microsoft/scep
>
> I updated /etc/MailScanner/MailScanner.conf to use both sophos and scep
> Virus Scanners = sophos generic
>
> My wrapper does (mostly) what the documentation in
> /usr/share/MailScanner/generic-wrapper says it should do. It parses
> -IsItInstalled and returns 0 or 1 depending. It assumes the last
> argument is the directory to scan (ignoring the possibility of an option
> -disinfect). It writes to stdout lines that look like
> "INFECTED::virusname::path\n".
> It doesn't return the error code from
> the virus scanner, but does return false (!0) if a virus is found, and
> true (0) if no virus is found.
>
> I can see that MailScanner is calling my scanner. I even get log
> messages about viruses found, including lines such as "Generic found 3
> infections".
>
> Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner::
> scep INFECTED::Win32/PSW.Papras.EH
> trojan::./APHKXb9028650/r20150934875878888224005.PDF.exe
> Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner::
> scep INFECTED::Win32/PSW.Papras.EH
> trojan::./APHKXb9028650/n201593844371388752253040.rar
> Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner::
> scep INFECTED::Win32/PSW.Papras.EH
> trojan::./APHKXb9028650/n201593844371388752253040.rar >> RAR >>
> 20150934875878888224005.PDF'.exe
> Nov 25 10:21:23 revere MailScanner[12670]: Virus Scanning: Generic found 3
> infections
>
> The actual messages passed on, however, only mention Sophos. If I take
> sophos out of MailScanner.conf the messages are not flagged as viruses.
>
> I didn't change anything in SweepViruses.pm, and I don't see anything from
> reading that file that I'm doing wrong.
>
> Why isn't generic catching my viruses?
>
> --Schlake
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
>

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From maillists at conactive.com Fri Nov 27 14:29:29 2015
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri, 27 Nov 2015 15:29:29 +0100
Subject: No specific action for bad content?
Message-ID:

Hello everyone,

my MailScanners are running untouched for months and years and so on ...
and seldom there is a problem. But now ... am I missing something?
Lately, I'm getting phishing spam from a faked interfax.net address and
was just about to use postfix header checks to stop them. Looked up the
messages in Mailwatch and found they were detected as "bad content" (by
filename rules for .js). A "detected" message was sent to postmaster, but
the message was delivered normally. I would rather have it stored and not
delivered and thought this was the case in the past.

As it is not detected as spam, spam actions do not apply, but I cannot
find another actions config setting which could apply here. Obviously, I
do not want to block other "non spam" messages. Are we missing such a
setting or do I have to apply a delivery rule to filename.rules.conf or
create a new file for that?

Thanks,

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From mikael at syska.dk Sat Nov 28 23:29:18 2015
From: mikael at syska.dk (Mikael Syska)
Date: Sun, 29 Nov 2015 00:29:18 +0100
Subject: DLT Files ... matched as executable by filetype.rules.conf - is whitelist possible
Message-ID:

Hi,

DLT files are plugins for 3dmax ... so I want to allow them.

Problem is they are being tagged as "executable" which is probably right.

Is there any way to let "filename.rules.conf" whitelist this type of
files without removing the "executable" rule which denies these kind of
files?

Or is there any other way around this ... I know it's logical that they
are banned because the rule in "filetype" fires ...

What do other people do? Personally I don't mind them being blocked but
that's speaking as the maintainer of the system ... but users do see it
in another way ... :-(

// Mikael Syska
-------------- next part --------------
An HTML attachment was scrubbed...
URL: