From lorenzo.tombini at gmail.com Thu Dec 1 08:37:44 2016
From: lorenzo.tombini at gmail.com (lorenzo tombini)
Date: Thu, 1 Dec 2016 09:37:44 +0100
Subject: download version archive
Message-ID:

Hi there,
could someone let me know where to find the latest version of the source of mailscanner 4.X (maybe 4.86)?

thanks a lot in advance

kind regards

--
Lorenzo Tombini

From jerry.benton at mailborder.com Thu Dec 1 10:46:32 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 1 Dec 2016 05:46:32 -0500
Subject: download version archive
In-Reply-To:
References:
Message-ID:

Debian: https://s3.amazonaws.com/mailscanner/release/v4/deb/MailScanner-4.85.2-3.deb.tar.gz
RHEL: https://s3.amazonaws.com/mailscanner/release/v4/rpm/MailScanner-4.85.2-3.rpm.tar.gz
SUSE: https://s3.amazonaws.com/mailscanner/release/v4/suse/MailScanner-4.85.2-3.suse-rpm.tar.gz
NIX: https://s3.amazonaws.com/mailscanner/release/v4/tar/MailScanner-4.85.2-3.tar.gz

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245

> On Dec 1, 2016, at 3:37 AM, lorenzo tombini wrote:
>
> Hi there,
> could someone let me know where to find the latest version of the source of mailscanner 4.X (maybe 4.86)?
>
> thanks a lot in advance
>
> kind regards
>
> --
> Lorenzo Tombini
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>

From lorenzo.tombini at gmail.com Thu Dec 1 11:06:17 2016
From: lorenzo.tombini at gmail.com (lorenzo tombini)
Date: Thu, 1 Dec 2016 12:06:17 +0100
Subject: download version archive
In-Reply-To:
References:
Message-ID:

thanks a lot Jerry
have a nice day.

2016-12-01 11:46 GMT+01:00 Jerry Benton :

> Debian: https://s3.amazonaws.com/mailscanner/release/v4/deb/MailScanner-4.85.2-3.deb.tar.gz
> RHEL: https://s3.amazonaws.com/mailscanner/release/v4/rpm/MailScanner-4.85.2-3.rpm.tar.gz
> SUSE: https://s3.amazonaws.com/mailscanner/release/v4/suse/MailScanner-4.85.2-3.suse-rpm.tar.gz
> NIX: https://s3.amazonaws.com/mailscanner/release/v4/tar/MailScanner-4.85.2-3.tar.gz
>
>
> -
> Jerry Benton
> www.mailborder.com
> +1 - 844-436-6245
>
>
>
> On Dec 1, 2016, at 3:37 AM, lorenzo tombini wrote:
>
> Hi there,
> could someone let me know where to find the latest version of the source of
> mailscanner 4.X (maybe 4.86)?
>
> thanks a lot in advance
>
> kind regards
>
> --
> Lorenzo Tombini
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

--
Lorenzo Tombini

From sean.m.schipper at lawrence.edu Thu Dec 1 17:33:15 2016
From: sean.m.schipper at lawrence.edu (Sean M. Schipper)
Date: Thu, 1 Dec 2016 17:33:15 +0000
Subject: MailScanner startup script
Message-ID: <59111d2b14a940d3832a211a16fae6aa@mail.lawrence.edu>

I am upgrading my mailscanner install on a new RHEL 6 server and using postfix as my MTA.

My current box (4.84.3) has a MailScanner startup script that incorporates the restart of postfix along with MailScanner. I notice that on my new setup, v5.0.3, postfix is not restarted along with mailscanner.

Is this expected behavior or is this indicative of an issue somewhere during my installation? I noticed that the mailscanner init script does not mention postfix in it at all. Perhaps I can just copy the older init script? Thanks for any advice on this.

From jim at shout.net Thu Dec 1 18:13:44 2016
From: jim at shout.net (Jim Creason)
Date: Thu, 01 Dec 2016 12:13:44 -0600
Subject: MailScanner startup script
In-Reply-To: <59111d2b14a940d3832a211a16fae6aa@mail.lawrence.edu>
References: <59111d2b14a940d3832a211a16fae6aa@mail.lawrence.edu>
Message-ID:

This has already been covered in depth on this list, it is by design. Check the list archives.

On 2016-12-01 11:33, Sean M. Schipper wrote:
> I am upgrading my mailscanner install on a new RHEL 6 server and using
> postfix as my MTA.
>
> My current box (4.84.3) has a MailScanner startup script that
> incorporates the restart of postfix along with MailScanner. I notice
> that on my new setup, v5.0.3, postfix is not restarted along with
> mailscanner.
>
> Is this expected behavior or is this indicative of an issue somewhere
> during my installation? I noticed that the mailscanner init script
> does not mention postfix in it at all. Perhaps I can just copy the
> older init script? Thanks for any advice on this.

From gsjarvis at pt.lu Fri Dec 2 14:12:20 2016
From: gsjarvis at pt.lu (Graham S. Jarvis)
Date: Fri, 2 Dec 2016 15:12:20 +0100
Subject: Moving from sendmail to postfix
Message-ID: <5a86ce1c-1087-f1ee-aeb2-5c25c9a30b5d@pt.lu>

Hello,

I'm sure this is a really common question but google wasn't very helpful finding me the "one true answer" ;)

I run a MailScanner "hub" which processes mail for various domains.

Mail arrives at this hub because the MX10 record for those domains points to this host. Some addresses are local some have to be sent on to the final destination after having been scanned.

I had this set-up and working on a sendmail system using virtualusertable, aliases, access and mailertable and this works well.

I've now moved to Postfix and I need to know how to replicate the access/mailertable configuration so that I can list the domains where mail has to be forwarded and the IP_Addr of those hosts.

At the moment everything works fine for the local domains/addresses via
virtual_alias_domains = /etc/mail/local-host-names
virtual_alias_maps = hash:/etc/mail/virtusertable, hash:/etc/mail/aliases
in main.cf

BUT,
when a mail arrives for one of the domains that is not on this host I get a "(mail for domain.tld loops back to myself)" message and the mail is bounced.

I can understand that this is because the domain.tld has an MX10 that points back to me.

SO,
how to make sure that Postfix forwards directly to the IP_Addr like Sendmail used to..... ?

All help and pointers gratefully received!

Thanks in advance,

-Graham-

From thom at vdb.nl Fri Dec 2 15:54:56 2016
From: thom at vdb.nl (Thom van der Boon)
Date: Fri, 2 Dec 2016 16:54:56 +0100 (CET)
Subject: Moving from sendmail to postfix
In-Reply-To: <5a86ce1c-1087-f1ee-aeb2-5c25c9a30b5d@pt.lu>
References: <5a86ce1c-1087-f1ee-aeb2-5c25c9a30b5d@pt.lu>
Message-ID: <1475743214.174290.1480694096580.JavaMail.zimbra@vdb.nl>

This has nothing to do with MailScanner

You have to fill the following two settings:

relay_domains =

transport_maps =

Kind regards, Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl

=====

Thom.H. van der Boon b.v.
Transito 4
6909 DA Babberich
Tel.: +31 (0)88 4272727
Fax: +31 (0)88 4272789
Home Page: http://www.vdb.nl/

From: "Graham S. Jarvis"
To: "MailScanner discussion"
Sent: Friday 2 December 2016 15:12:20
Subject: Moving from sendmail to postfix

Hello,

I'm sure this is a really common question but google wasn't very helpful finding me the "one true answer" ;)

I run a MailScanner "hub" which processes mail for various domains.

Mail arrives at this hub because the MX10 record for those domains points to this host.
Some addresses are local some have to be sent on to the final destination after having been scanned.

I had this set-up and working on a sendmail system using virtualusertable, aliases, access and mailertable and this works well.

I've now moved to Postfix and I need to know how to replicate the access/mailertable configuration so that I can list the domains where mail has to be forwarded and the IP_Addr of those hosts.

At the moment everything works fine for the local domains/addresses via
virtual_alias_domains = /etc/mail/local-host-names
virtual_alias_maps = hash:/etc/mail/virtusertable, hash:/etc/mail/aliases
in main.cf

BUT,
when a mail arrives for one of the domains that is not on this host I get a "(mail for domain.tld loops back to myself)" message and the mail is bounced.

I can understand that this is because the domain.tld has an MX10 that points back to me.

SO,
how to make sure that Postfix forwards directly to the IP_Addr like Sendmail used to..... ?

All help and pointers gratefully received!

Thanks in advance,

-Graham-

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From thom at vdb.nl Fri Dec 2 16:01:30 2016
From: thom at vdb.nl (Thom van der Boon)
Date: Fri, 2 Dec 2016 17:01:30 +0100 (CET)
Subject: Feature request: Block Microsoft Office files containing Macros by default
Message-ID: <1101162633.174362.1480694490160.JavaMail.zimbra@vdb.nl>

Hi All,

I get lots of virus mails with .docm files in them.

I am a strong supporter of by default blocking the Microsoft Office filetypes containing Macros (.DOCM, .DOTM, .XLSM, .XLTM, .XLAM, .PPTM, .POTM, .PPAM, .PPSM, .SLDM).

I added these types to my filename.rules.conf, but I think it is better to block them by MailScanner by default

deny	\.docm$	Possible dangerous Microsoft Word with Macros	Possible dangerous attachment
deny	\.dotm$	Possible dangerous Microsoft Word Template with Macros	Possible dangerous attachment
deny	\.xlsm$	Possible dangerous Microsoft Excel with Macros	Possible dangerous attachment
deny	\.xltm$	Possible dangerous Microsoft Excel Template with Macros	Possible dangerous attachment
deny	\.xlam$	Possible dangerous Microsoft Excel with Macros	Possible dangerous attachment
deny	\.pptm$	Possible dangerous Microsoft PowerPoint Template with Macros	Possible dangerous attachment
deny	\.potm$	Possible dangerous Microsoft Office Open XML Format Presentation Template with Macros Enabled	Possible dangerous attachment
deny	\.ppam$	Possible dangerous Microsoft Office Open XML Format Add-in With Macros	Possible dangerous attachment
deny	\.ppsm$	Possible dangerous PowerPoint Open XML Macro-Enabled Slide Show With Macros	Possible dangerous attachment
deny	\.sldm$	Possible dangerous Microsoft PowerPoint 2007/2010 macro-enabled Open XML slide file	Possible dangerous attachment

Anybody agrees/disagrees?

Kind regards, Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl

=====

Thom.H. van der Boon b.v.
Transito 4
6909 DA Babberich
Tel.: +31 (0)88 4272727
Fax: +31 (0)88 4272789
Home Page: http://www.vdb.nl/

From kevin.miller at juneau.org Fri Dec 2 17:44:50 2016
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 2 Dec 2016 17:44:50 +0000
Subject: Moving from sendmail to postfix
In-Reply-To: <5a86ce1c-1087-f1ee-aeb2-5c25c9a30b5d@pt.lu>
References: <5a86ce1c-1087-f1ee-aeb2-5c25c9a30b5d@pt.lu>
Message-ID:

Copy the content of sendmail's mailertable to the postfix transport file. In /etc/postfix/transport I changed esmtp to just smtp. I.e.
juneau.org esmtp:[199.58.55.96]
became
juneau.org smtp:[191.168.55.96]

That took care of the forwarding part. I'm not using the virtualusertable at all.

To replace access I created two files: client_access and sender_access. They're in .db format.

In main.cf put
check_sender_access hash:/etc/postfix/sender_access
check_client_access hash:/etc/postfix/client_access
under the smtpd_recipient_restrictions = ...

check_client_access blocks or whitelists by client IP, Client IP Range or Hostname
check_sender_access blocks or whitelists by sender e-mail address (In the envelope FROM field)

Hope I have all that right. At any rate, it's working for me.

HTH...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Graham S. Jarvis
Sent: Friday, December 02, 2016 5:12 AM
To: MailScanner discussion
Subject: Moving from sendmail to postfix

Hello,

I'm sure this is a really common question but google wasn't very helpful finding me the "one true answer" ;)

I run a MailScanner "hub" which processes mail for various domains.

Mail arrives at this hub because the MX10 record for those domains points to this host. Some addresses are local some have to be sent on to the final destination after having been scanned.

I had this set-up and working on a sendmail system using virtualusertable, aliases, access and mailertable and this works well.

I've now moved to Postfix and I need to know how to replicate the access/mailertable configuration so that I can list the domains where mail has to be forwarded and the IP_Addr of those hosts.

At the moment everything works fine for the local domains/addresses via
virtual_alias_domains = /etc/mail/local-host-names
virtual_alias_maps = hash:/etc/mail/virtusertable, hash:/etc/mail/aliases
in main.cf

BUT,
when a mail arrives for one of the domains that is not on this host I get a "(mail for domain.tld loops back to myself)" message and the mail is bounced.

I can understand that this is because the domain.tld has an MX10 that points back to me.

SO,
how to make sure that Postfix forwards directly to the IP_Addr like Sendmail used to..... ?

All help and pointers gratefully received!

Thanks in advance,

-Graham-

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From gsjarvis at pt.lu Mon Dec 5 08:17:01 2016
From: gsjarvis at pt.lu (Graham S. Jarvis)
Date: Mon, 5 Dec 2016 09:17:01 +0100
Subject: Moving from sendmail to postfix
In-Reply-To: <1475743214.174290.1480694096580.JavaMail.zimbra@vdb.nl>
References: <5a86ce1c-1087-f1ee-aeb2-5c25c9a30b5d@pt.lu> <1475743214.174290.1480694096580.JavaMail.zimbra@vdb.nl>
Message-ID:

Hello Thom,

That was it ! - I postmap'd the transport file but I thought transport_maps= was a default.

Many thanks - I know my question wasn't really for the mailscanner list, but I thought this was the best place to ask given what I'm trying to do. I knew there'd be someone here who also likes to run the mail server on a physically different host than the web server.....

Thanks again!

-Graham-

Thom van der Boon wrote on 02/12/16 16:54:
> This has nothing to do with MailScanner
>
> You have to fill the following two settings:
>
> relay_domains =
>
> transport_maps =
>
> Kind regards, Best regards,
>
>
> Thom van der Boon
> E-Mail: thom at vdb.nl
>
>
>
> =====
>
>
>
> Thom.H. van der Boon b.v.
> Transito 4
> 6909 DA Babberich
> Tel.: +31 (0)88 4272727
> Fax: +31 (0)88 4272789
> Home Page: http://www.vdb.nl/
>
> --------------------------------------------------------------------------------
> *From: *"Graham S. Jarvis"
> *To: *"MailScanner discussion"
> *Sent: *Friday 2 December 2016 15:12:20
> *Subject: *Moving from sendmail to postfix
>
> Hello,
>
> I'm sure this is a really common question but google wasn't very helpful finding
> me the "one true answer" ;)
>
> I run a MailScanner "hub" which processes mail for various domains.
>
> Mail arrives at this hub because the MX10 record for those domains points to
> this host. Some addresses are local some have to be sent on to the final
> destination after having been scanned.
>
> I had this set-up and working on a sendmail system using virtualusertable,
> aliases, access and mailertable and this works well.
>
> I've now moved to Postfix and I need to know how to replicate the
> access/mailertable configuration so that I can list the domains where mail has
> to be forwarded and the IP_Addr of those hosts.
>
> At the moment everything works fine for the local domains/addresses via
> virtual_alias_domains = /etc/mail/local-host-names
> virtual_alias_maps = hash:/etc/mail/virtusertable, hash:/etc/mail/aliases
> in main.cf
>
> BUT,
> when a mail arrives for one of the domains that is not on this host I get a
> "(mail for domain.tld loops back to myself)" message and the mail is bounced.
>
> I can understand that this is because the domain.tld has an MX10 that points
> back to me.
>
> SO,
> how to make sure that Postfix forwards directly to the IP_Addr like Sendmail
> used to..... ?
>
> All help and pointers gratefully received!
>
> Thanks in advance,
>
> -Graham-
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

From richard at fastnet.co.uk Tue Dec 6 23:49:46 2016
From: richard at fastnet.co.uk (Richard Mealing)
Date: Tue, 6 Dec 2016 23:49:46 +0000
Subject: MailScanner / Sendmail / FreeBSD - writing to /var/spool/MailScanner/quarantine/20161123/uANNOfAO00xxx/message: No such file or directory
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795F7A8BCC@BTN-EXCHANGE-V1.fastnet.local>
References: <6EE47AF64C339A4F8F7F50507241B3795F7A893E@BTN-EXCHANGE-V1.fastnet.local> <77621C6A-4C4C-4B93-B324-A43C9968C4F1@mailborder.com> <6EE47AF64C339A4F8F7F50507241B3795F7A8981@BTN-EXCHANGE-V1.fastnet.local> <20161128132841.GE4314@weiser.dinsnail.net> <6EE47AF64C339A4F8F7F50507241B3795F7A8BCC@BTN-EXCHANGE-V1.fastnet.local>
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795F7B64FA@BTN-EXCHANGE-V1.fastnet.local>

Massive hit again - 8 servers and over 800M in today's quarantine folder. Another 100k hosts blocked on my rbl. There is a vulnerability here. I'm going to dig through the code tomorrow. I wish Jules was about to let me know what the problem might be!

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+richard=fastnet.co.uk at lists.mailscanner.info] On Behalf Of Richard Mealing
Sent: Monday, November 28, 2016 14:33
To: MailScanner Discussion
Subject: RE: MailScanner / Sendmail / FreeBSD - writing to /var/spool/MailScanner/quarantine/20161123/uANNOfAO00xxx/message: No such file or directory

Hi Michael,

It doesn't appear so. I did check that since I thought at first it was a permissions issue or a disk / inodes issue.
I do have a mixture of servers but one of them had 200G space free using entire disk. I had this issue on a few servers all with different disks. Some virtual and some physical.

Here's one of them that had the problem -

# df -i /var
Filesystem   1K-blocks     Used   Avail Capacity  iused   ifree %iused  Mounted on
/dev/da0s1e   20308398 11043200 7640528    59%   586627 2051195   22%   /var

# df -h
Filesystem                Size    Used   Avail Capacity  Mounted on
/dev/da0s1a               4.8G    1.1G    3.3G    25%    /
devfs                     1.0K    1.0K      0B   100%    /dev
/dev/da0s1f               6.8G    128M    6.1G     2%    /rich
/dev/da0s1d                19G     12G    5.6G    69%    /usr
/dev/da0s1e                19G     11G    7.3G    59%    /var
tmpfs                      17G    4.0K     17G     0%    /tmp
tmpfs                      17G    7.0M     17G     0%    /tmpfs
fdescfs                   1.0K    1.0K      0B   100%    /dev/fd
devfs                     1.0K    1.0K      0B   100%    /var/named/dev
/usr/local/lib/engines     19G     12G    5.6G    69%    /var/named/usr/local/lib/engines

Here's another -

df -i /var
Filesystem    1K-blocks     Used     Avail Capacity   iused    ifree %iused  Mounted on
/dev/mfid0p2  467188404 47435968 382377364    11%   1019908 59412858    2%   /

df -h
Filesystem                Size    Used   Avail Capacity  Mounted on
/dev/mfid0p2              446G     45G    365G    11%    /
devfs                     1.0K    1.0K      0B   100%    /dev
tmpfs                     4.2G    5.5M    4.2G     0%    /tmpfs
tmpfs                     4.2G    476K    4.2G     0%    /tmp
devfs                     1.0K    1.0K      0B   100%    /var/named/dev
/usr/local/lib/engines    446G     45G    365G    11%    /var/named/usr/local/lib/engines

Both had the same problem, nearly at the same time. I'm wondering if mailscanner has an open handle to that directory or if it just knows where to write to that directory, or if it somehow needs to read that directory? I'm sure I could try and reproduce the error.

I'll see what I can do from here and report back.

Thanks,
Rich

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+richard=fastnet.co.uk at lists.mailscanner.info] On Behalf Of Michael Weiser
Sent: Monday, November 28, 2016 13:29
To: MailScanner Discussion
Subject: Re: MailScanner / Sendmail / FreeBSD - writing to /var/spool/MailScanner/quarantine/20161123/uANNOfAO00xxx/message: No such file or directory

Hi Richard,

On Mon, Nov 28, 2016 at 11:34:18AM +0000, Richard Mealing wrote:

> That was my initial thought and all have adequate space. Some of them
> have 100+G for /var.

Could /var have run out of inodes instead (df -i /var)?
--
Regards,
Michael

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From jason at geeknocity.com Wed Dec 7 13:46:25 2016
From: jason at geeknocity.com (Jason Waters)
Date: Wed, 7 Dec 2016 08:46:25 -0500
Subject: Releasing Messages
Message-ID:

I'm using mailscanner with MailWatch. When I release a mail it comes gets sent to the end user, but it says Message was released from quarantine. I would prefer that they just got the original email instead of knowing that it was caught by the mail gateway. Is there anyway to do this? Thanks.

Jason

From mark at msapiro.net Wed Dec 7 14:25:58 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 7 Dec 2016 06:25:58 -0800
Subject: Releasing Messages
In-Reply-To:
References:
Message-ID: <5cc00856-a268-49bf-f280-962a5092ad7c@msapiro.net>

On 12/07/2016 05:46 AM, Jason Waters wrote:
> I'm using mailscanner with MailWatch. When I release a mail it comes
> gets sent to the end user, but it says Message was released from
> quarantine. I would prefer that they just got the original email
> instead of knowing that it was caught by the mail gateway.
> Is there anyway to do this? Thanks.

This is a question for MailWatch, not MailScanner.

--
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan

From jason at geeknocity.com Wed Dec 7 14:31:08 2016
From: jason at geeknocity.com (Jason Waters)
Date: Wed, 7 Dec 2016 09:31:08 -0500
Subject: Releasing Messages
In-Reply-To: <5cc00856-a268-49bf-f280-962a5092ad7c@msapiro.net>
References: <5cc00856-a268-49bf-f280-962a5092ad7c@msapiro.net>
Message-ID:

I wasn't sure, since it uses Mailscanner. But thanks, I will ask my question there.

On Wed, Dec 7, 2016 at 9:25 AM, Mark Sapiro wrote:

> On 12/07/2016 05:46 AM, Jason Waters wrote:
> > I'm using mailscanner with MailWatch. When I release a mail it comes
> > gets sent to the end user, but it says Message was released from
> > quarantine. I would prefer that they just got the original email
> > instead of knowing that it was caught by the mail gateway. Is there
> > anyway to do this? Thanks.
>
>
> This is a question for MailWatch, not MailScanner.
>
> --
> Mark Sapiro The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

From jason at geeknocity.com Wed Dec 7 21:55:11 2016
From: jason at geeknocity.com (Jason Waters)
Date: Wed, 7 Dec 2016 16:55:11 -0500
Subject: Messages being disarmed
Message-ID:

I thought that I had disabled everything that would mark the subject as disarmed but I keep getting emails like this and can not see what is in them. Also the file that it says is on the server is not there.

Subject: {Disarmed} RE: Service

MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message.
Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/6797/25ACEE03FD.AE977/nmsg-6797-37.html

Here is the log file(cat /var/log/mail.log|grep "25ACEE03FD.AE977" -B5 -A5)

Dec 7 12:59:47 mailscanner MailScanner[6797]: tag found in message 25ACEE03FD.AE977 from user at remoteemail.com
Dec 7 12:59:47 mailscanner MailScanner[6797]: HTML Img tag found in message 25ACEE03FD.AE977 from user at remoteemail.com
Dec 7 12:59:47 mailscanner MailScanner[6797]: Whitelist refresh time reached
Dec 7 12:59:47 mailscanner MailScanner[6797]: Starting up SQL Whitelist
Dec 7 12:59:47 mailscanner MailScanner[6797]: Read 66 whitelist entries
Dec 7 12:59:56 mailscanner MailScanner[6797]: HTML disarming died, status = 13
Dec 7 12:59:56 mailscanner MailScanner[6797]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 25ACEE03FD.AE977 from user at remoteemail.com
Dec 7 12:59:56 mailscanner MailScanner[6797]: Requeue: 25ACEE03FD.AE977 to B27BCE0403
Dec 7 12:59:56 mailscanner postfix/qmgr[1738]: B27BCE0403: from=< user at remoteemail.com>, size=17598, nrcpt=2 (queue active)
Dec 7 12:59:56 mailscanner MailScanner[6797]: Uninfected: Delivered 1 messages

Thanks
Jason

From mark at msapiro.net Thu Dec 8 06:49:20 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 7 Dec 2016 22:49:20 -0800
Subject: Messages being disarmed
In-Reply-To:
References:
Message-ID:

On 12/07/2016 01:55 PM, Jason Waters wrote:
>
> MailScanner was attacked by a Denial Of Service attack, and has
> therefore deleted this part of the message. Please contact your e-mail
> providers for more information if you need it, giving them the whole of
> this report. Attack in:
> /var/spool/MailScanner/incoming/6797/25ACEE03FD.AE977/nmsg-6797-37.html

This file only exists during processing. It's gone by the time you see this message.

You may find the message in /var/spool/MailScanner/quarantine/20161207/25ACEE03FD.AE977/message, but probably not. In any case, I think the error is permission related and doesn't depend on the message content.

> Here is the log file(cat /var/log/mail.log|grep "25ACEE03FD.AE977" -B5 -A5)
>
>
>
> Dec 7 12:59:47 mailscanner MailScanner[6797]: '
> 25ACEE03FD.AE977 from user at remoteemail.com
>
> Dec 7 12:59:47 mailscanner MailScanner[6797]: HTML Img tag found in
> message 25ACEE03FD.AE977 from user at remoteemail.com
>
>
> Dec 7 12:59:47 mailscanner MailScanner[6797]: Whitelist refresh time
> reached
>
> Dec 7 12:59:47 mailscanner MailScanner[6797]: Starting up SQL Whitelist
>
> Dec 7 12:59:47 mailscanner MailScanner[6797]: Read 66 whitelist entries
>
> Dec 7 12:59:56 mailscanner MailScanner[6797]: HTML disarming died,
> status = 13

MailScanner forks a child to do the actual HTML parse and disarm. The child died with error 13 which is a permissions issue. What is ownership and permissions on /var/spool/MailScanner/ and its various subdirectories?

> Dec 7 12:59:56 mailscanner MailScanner[6797]: Content Checks: Detected
> and have disarmed KILLED tags in HTML message in 25ACEE03FD.AE977
> from user at remoteemail.com

This is a direct result of the above. It just says the disarming died.

--
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan

From jason at geeknocity.com Thu Dec 8 13:02:52 2016
From: jason at geeknocity.com (Jason Waters)
Date: Thu, 8 Dec 2016 08:02:52 -0500
Subject: Messages being disarmed
In-Reply-To:
References:
Message-ID:

drwxrwxr-x  6 postfix www-data 4096 Nov 15 13:17 MailScanner

drwxrwxr-x  2 postfix www-data 4096 Nov  9 14:12 archive
drwxrwx--- 10 root    mtagroup 4096 Dec  8 08:01 incoming
drwxrwxr-x 32 root    www-data 4096 Dec  8 00:02 quarantine
-rw-------  1 postfix postfix    23 Nov 15 13:14 servers
drwxrwxr-x  2 postfix www-data 4096 Nov  9 14:23 spamassassin

some of my settings in MailScanner.conf
Incoming Work Group = mtagroup
Incoming Work Permissions = 0660
Quarantine User = root
Quarantine Group = www-data

Thank you for your help!

On Thu, Dec 8, 2016 at 1:49 AM, Mark Sapiro wrote:

> On 12/07/2016 01:55 PM, Jason Waters wrote:
> >
> > MailScanner was attacked by a Denial Of Service attack, and has
> > therefore deleted this part of the message. Please contact your e-mail
> > providers for more information if you need it, giving them the whole of
> > this report. Attack in:
> > /var/spool/MailScanner/incoming/6797/25ACEE03FD.AE977/nmsg-6797-37.html
>
>
> This file only exists during processing. It's gone by the time you see
> this message.
>
> You may find the message in
> /var/spool/MailScanner/quarantine/20161207/25ACEE03FD.AE977/message, but
> probably not. In any case, I think the error is permission related and
> doesn't depend on the message content.
>
> >
> > Here is the log file(cat /var/log/mail.log|grep "25ACEE03FD.AE977" -B5 -A5)
> >
> >
> >
> > Dec 7 12:59:47 mailscanner MailScanner[6797]: '
> > 25ACEE03FD.AE977 from user at remoteemail.com
> >
> > Dec 7 12:59:47 mailscanner MailScanner[6797]: HTML Img tag found in
> > message 25ACEE03FD.AE977 from user at remoteemail.com
> >
> >
> > Dec 7 12:59:47 mailscanner MailScanner[6797]: Whitelist refresh time
> > reached
> >
> > Dec 7 12:59:47 mailscanner MailScanner[6797]: Starting up SQL Whitelist
> >
> > Dec 7 12:59:47 mailscanner MailScanner[6797]: Read 66 whitelist entries
> >
> > Dec 7 12:59:56 mailscanner MailScanner[6797]: HTML disarming died,
> > status = 13
>
>
> MailScanner forks a child to do the actual HTML parse and disarm. The
> child died with error 13 which is a permissions issue. What is
> ownership and permissions on /var/spool/MailScanner/ and its various
> subdirectories?
>
>
> > Dec 7 12:59:56 mailscanner MailScanner[6797]: Content Checks: Detected
> > and have disarmed KILLED tags in HTML message in 25ACEE03FD.AE977
> > from user at remoteemail.com
>
>
> This is a direct result of the above. It just says the disarming died.
>
>
> --
> Mark Sapiro The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

From mkaelin at hosttech.ch Thu Dec 8 10:59:55 2016
From: mkaelin at hosttech.ch (Manuel Kälin)
Date: Thu, 08 Dec 2016 11:59:55 +0100
Subject: Mailscanner initial Setup help
Message-ID: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email>

Hi everyone!

We are evaluating Mailscanner software for central Mail-checks.
Is there any person who has already setup a central solution?

Example:
Server A and B get mails, they forward it directly to Mailscanner server, this checks the mail and give it back to Server A or B
We can forward and get mails by file to the Mailscanner server. But at the moment they are not being processed.

Does anyone has experience with this kind of problem/solution?

Kind Regards

Manuel Kälin
-------------------
hosttech GmbH

From heino.backhaus at fink-computer.de Thu Dec 8 13:42:22 2016
From: heino.backhaus at fink-computer.de (Heino Backhaus)
Date: Thu, 8 Dec 2016 14:42:22 +0100
Subject: Mailscanner initial Setup help
In-Reply-To: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email>
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email>
Message-ID: <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de>

Hi Manuel,

it's a bit complicated to guess your environment, but if you use Postfix together with MailScanner the mails should be queue-files and placed in the in MailScanner.conf defined hold-queue-directory. MailScanner will watch that directory and start processing.

I think I would prefer to receive the mails with Mailscanner, check them and forward them to Server A or B.

Kind regards

H. Backhaus

Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backhaus at fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Phone: +49-641-98444640
UST-ID: DE151040770
HRB: 2143 Gießen
Managing Director: Fredi Fink

"In retrospect it becomes clear that hindsight is definitely overrated!" -Alfred E. Neumann

On 08.12.2016 at 11:59, Manuel Kälin wrote:
> Hi everyone!
>
> We are evaluating Mailscanner software for central Mail-checks.
> Is there any person who has already setup a central solution?
>
> Example:
> Server A and B get mails, they forward it directly to Mailscanner
> server, this checks the mail and give it back to Server A or B
> We can forward and get mails by file to the Mailscanner server.
> But at the moment they are not being processed.
>
> Does anyone have experience with this kind of problem/solution?
>
> Kind Regards
>
> Manuel Kälin
> -------------------
> hosttech GmbH

From mailscanner at replies.cyways.com Thu Dec 8 15:03:38 2016
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Thu, 8 Dec 2016 10:03:38 -0500
Subject: Mailscanner initial Setup help
In-Reply-To: <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de>
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de>
Message-ID: <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com>

That's my solution as well. All the mail comes in to the central scanning server and is then forwarded on to the final destinations. The model where the final delivery servers receive the mail, forward it to a central scanner, and then receive the results, is much harder to set up. In the first stage you don't want the server to be the final delivery host, while in the second you do.

Peter

On 12/08/2016 08:42 AM, Heino Backhaus wrote:
> I think I would prefer to receive the mails with Mailscanner, check them
> and forward them to Server A or B.

From jason at geeknocity.com Thu Dec 8 15:04:05 2016
From: jason at geeknocity.com (Jason Waters)
Date: Thu, 8 Dec 2016 10:04:05 -0500
Subject: Messages being disarmed
In-Reply-To:
References:
Message-ID:

Is there a way that I can test it on my own? So if I email a message that has certain HTML tags, will that do it? Seems odd because I'm not getting a ton that do it. Thanks again.
Jason

On Thu, Dec 8, 2016 at 8:02 AM, Jason Waters wrote:

> drwxrwxr-x 6 postfix www-data 4096 Nov 15 13:17 MailScanner
>
> drwxrwxr-x 2 postfix www-data 4096 Nov 9 14:12 archive
> drwxrwx--- 10 root mtagroup 4096 Dec 8 08:01 incoming
> drwxrwxr-x 32 root www-data 4096 Dec 8 00:02 quarantine
> -rw------- 1 postfix postfix 23 Nov 15 13:14 servers
> drwxrwxr-x 2 postfix www-data 4096 Nov 9 14:23 spamassassin
>
> some of my settings in MailScanner.conf
> Incoming Work Group = mtagroup
> Incoming Work Permissions = 0660
> Quarantine User = root
> Quarantine Group = www-data
>
> Thank you for your help!
>
> On Thu, Dec 8, 2016 at 1:49 AM, Mark Sapiro wrote:
>
>> On 12/07/2016 01:55 PM, Jason Waters wrote:
>> >
>> > MailScanner was attacked by a Denial Of Service attack, and has
>> > therefore deleted this part of the message. Please contact your e-mail
>> > providers for more information if you need it, giving them the whole of
>> > this report. Attack in:
>> > /var/spool/MailScanner/incoming/6797/25ACEE03FD.AE977/nmsg-6797-37.html
>>
>> This file only exists during processing. It's gone by the time you see
>> this message.
>>
>> You may find the message in
>> /var/spool/MailScanner/quarantine/20161207/25ACEE03FD.AE977/message, but
>> probably not. In any case, I think the error is permission related and
>> doesn't depend on the message content.
>> > Here is the log file(cat /var/log/mail.log|grep "25ACEE03FD.AE977" -B5 -A5)
>> >
>> > Dec 7 12:59:47 mailscanner MailScanner[6797]: ' 25ACEE03FD.AE977 from user at remoteemail.com
>> > Dec 7 12:59:47 mailscanner MailScanner[6797]: HTML Img tag found in message 25ACEE03FD.AE977 from user at remoteemail.com
>> > Dec 7 12:59:47 mailscanner MailScanner[6797]: Whitelist refresh time reached
>> > Dec 7 12:59:47 mailscanner MailScanner[6797]: Starting up SQL Whitelist
>> > Dec 7 12:59:47 mailscanner MailScanner[6797]: Read 66 whitelist entries
>> > Dec 7 12:59:56 mailscanner MailScanner[6797]: HTML disarming died, status = 13
>>
>> MailScanner forks a child to do the actual HTML parse and disarm. The
>> child died with error 13 which is a permissions issue. What is
>> ownership and permissions on /var/spool/MailScanner/ and its various
>> subdirectories?
>>
>> > Dec 7 12:59:56 mailscanner MailScanner[6797]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 25ACEE03FD.AE977 from user at remoteemail.com
>>
>> This is a direct result of the above. It just says the disarming died.
>>
>> --
>> Mark Sapiro        The highway is for gamblers,
>> San Francisco Bay Area, California    better use your sense - B. Dylan

From mkaelin at hosttech.ch Thu Dec 8 15:13:26 2016
From: mkaelin at hosttech.ch (=?UTF-8?B?TWFudWVsIEvDpGxpbg==?=)
Date: Thu, 08 Dec 2016 16:13:26 +0100
Subject: Mailscanner initial Setup help
In-Reply-To: <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com>
Message-ID:

Hi

Yes, we need this second solution with incoming and outgoing direct from the final hosts.
Have you set this up with postfix and how did you forward the mails? As files or something like smarthost?

Manuel

----- Original Message -----
From: "MailScanner Discussion"
To: "MailScanner Discussion"
Cc:
Sent: Thu, 8 Dec 2016 10:03:38 -0500
Subject: Re: Mailscanner initial Setup help

That's my solution as well. All the mail comes in to the central scanning server and is then forwarded on to the final destinations. The model where the final delivery servers receive the mail, forward it to a central scanner, and then receive the results, is much harder to set up. In the first stage you don't want the server to be the final delivery host, while in the second you do.

Peter

On 12/08/2016 08:42 AM, Heino Backhaus wrote:
> I think I would prefer to receive the mails with Mailscanner, check them
> and forward them to Server A or B.

From mailscanner at replies.cyways.com Thu Dec 8 16:00:32 2016
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Thu, 8 Dec 2016 11:00:32 -0500
Subject: Mailscanner initial Setup help
In-Reply-To:
References:
Message-ID:

Unless you're supporting a lot of hosts, I'd just install MailScanner on each of them rather than trying some complicated routing scheme. Using a single scanning host is pretty easy to set up; just point the MX records for all the domains you support to the scanner.

I use sendmail so I can't help with Postfix configuration.

Peter

On 12/08/2016 10:13 AM, Manuel Kälin wrote:
> Hi
>
> Yes, we need this second solution with incoming and outgoing direct from
> the final hosts.
> Have you set this up with postfix and how did you forward the mails? As
> files or something like smarthost?
>
> Manuel
>
> ----- Original Message -----
> From: "MailScanner Discussion"
> To: "MailScanner Discussion"
> Cc:
> Sent: Thu, 8 Dec 2016 10:03:38 -0500
> Subject: Re: Mailscanner initial Setup help
>
> That's my solution as well. All the mail comes in to the central
> scanning server and is then forwarded on to the final destinations. The
> model where the final delivery servers receive the mail, forward it to a
> central scanner, and then receive the results, is much harder to set up.
> In the first stage you don't want the server to be the final delivery
> host, while in the second you do.
>
> Peter
>
> On 12/08/2016 08:42 AM, Heino Backhaus wrote:
> > I think I would prefer to receive the mails with Mailscanner, check them
> > and forward them to Server A or B.

From mark at msapiro.net Thu Dec 8 16:04:41 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 8 Dec 2016 08:04:41 -0800
Subject: Messages being disarmed
In-Reply-To:
References:
Message-ID:

On 12/08/2016 05:02 AM, Jason Waters wrote:
> drwxrwxr-x 6 postfix www-data 4096 Nov 15 13:17 MailScanner
>
> drwxrwxr-x 2 postfix www-data 4096 Nov 9 14:12 archive
> drwxrwx--- 10 root mtagroup 4096 Dec 8 08:01 incoming
> drwxrwxr-x 32 root www-data 4096 Dec 8 00:02 quarantine
> -rw------- 1 postfix postfix 23 Nov 15 13:14 servers
> drwxrwxr-x 2 postfix www-data 4096 Nov 9 14:23 spamassassin

Do this

cd /var/spool/MailScanner
sudo chown -R postfix incoming quarantine

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From jason at geeknocity.com Thu Dec 8 16:14:38 2016
From: jason at geeknocity.com (Jason Waters)
Date: Thu, 8 Dec 2016 11:14:38 -0500
Subject: Messages being disarmed
In-Reply-To:
References:
Message-ID:

Ok I did that. Any way to officially test it?
I sent a test email in from the outside and got that so I know it is still working. But would love to trigger the content check and make sure it doesn't do that. Could it be that it only does it on some emails and not all?

On Thu, Dec 8, 2016 at 11:04 AM, Mark Sapiro wrote:

> On 12/08/2016 05:02 AM, Jason Waters wrote:
> > drwxrwxr-x 6 postfix www-data 4096 Nov 15 13:17 MailScanner
> >
> > drwxrwxr-x 2 postfix www-data 4096 Nov 9 14:12 archive
> > drwxrwx--- 10 root mtagroup 4096 Dec 8 08:01 incoming
> > drwxrwxr-x 32 root www-data 4096 Dec 8 00:02 quarantine
> > -rw------- 1 postfix postfix 23 Nov 15 13:14 servers
> > drwxrwxr-x 2 postfix www-data 4096 Nov 9 14:23 spamassassin
>
> Do this
>
> cd /var/spool/MailScanner
> sudo chown -R postfix incoming quarantine
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Thu Dec 8 16:35:39 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 8 Dec 2016 08:35:39 -0800
Subject: Messages being disarmed
In-Reply-To:
References:
Message-ID: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>

On 12/08/2016 08:14 AM, Jason Waters wrote:
> Ok I did that. Any way to officially test it? I sent a test email in
> from the outside and got that so I know it is still working. But would
> love to trigger the content check and make sure it doesn't do that.
> Could it be that it only does it on some emails and not all?

Your initial log excerpt showed the message had an A tag and an IMG tag.

You might try this message:

To: user at example.com
From: user at example.com
Subject: test it
MIME-Version: 1.0
Content-Type: Text/html
Content-Transfer-Encoding: quoted-printable

Here's a test
http://www.goodsite.com/good
see about that.
--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From gsjarvis at pt.lu Thu Dec 8 16:38:02 2016
From: gsjarvis at pt.lu (Graham S. Jarvis)
Date: Thu, 8 Dec 2016 17:38:02 +0100
Subject: Mailscanner initial Setup help
In-Reply-To:
References:
Message-ID: <8372b11d-5fc0-0376-ebce-f147a6abf248@pt.lu>

Hello everybody,

this is exactly how we have our set-up - should we write some documentation and try to get it added to the MailScanner docs on the web site?

- It's actually more DNS and PostFix/Sendmail set-up issue than MailScanner but I always thought that the MailScanner site would be a good place to centralise this information because it's going to be a "standard" requirement.

Here's the concept:

The domain is "mydomain.tld" and this IP_Addr is running a web and e-mail server (etc.,etc., etc.)

We want to set up a separate host to act as a mail "hub" with MailScanner (spam and virus) which scans the mail before passing it onto "mydomain.tld".

For the purposes of this exercise let's call this "mailscanner hub" host : "mailscanner.anotherdomain.tld"

So,
In order that mail for mydomain.tld is first sent to "mailscanner.anotherdomain.tld" we have to have access to the DNS - MX records for "mydomain.tld"
We set-up two MX records:
mydomain.tld MX10 mailscanner.anotherdomain.tld.
mydomain.tld MX20 mydomain.tld.

This makes sure that if there's a problem with our "mailscanner hub" mail still gets through....

Don't forget that anotherdomain.tld is also going to accept e-mail via its own MX records AND that mailscanner.anotherdomain.tld should be pointed to by an A-record and should NOT be a CNAME.
Now, on mailscanner.anotherdomain.tld
- we set up the mail server (my experience is with Sendmail and Postfix)
- we set up Mailscanner
and we test that it all works for mail going to anotherdomain.tld

Then we set up Sendmail or Postfix to forward non-local mail to "mydomain.tld"

From experience, the problem with this concept is the spammers who ignore the dns and send directly to the smtp server at "domain.tld".
And, this is where someone else could help out with a good solution that doesn't mean installing another mailscanner on "domain.tld"

Does this sound about right?

-Graham-

PS: there are a couple of other tools needed of course - maildrop and MailWatch

Manuel Kälin wrote on 2016-12-08 16:13:
> Hi
>
> Yes, we need this second solution with incoming and outgoing direct from the
> final hosts.
> Have you set this up with postfix and how did you forward the mails? As files or
> something like smarthost?
>
> Manuel
>
> ----- Original Message -----
> From: "MailScanner Discussion"
> To: "MailScanner Discussion"
> Cc:
> Sent: Thu, 8 Dec 2016 10:03:38 -0500
> Subject: Re: Mailscanner initial Setup help
>
> That's my solution as well. All the mail comes in to the central
> scanning server and is then forwarded on to the final destinations. The
> model where the final delivery servers receive the mail, forward it to a
> central scanner, and then receive the results, is much harder to set up.
> In the first stage you don't want the server to be the final delivery
> host, while in the second you do.
>
> Peter
>
> On 12/08/2016 08:42 AM, Heino Backhaus wrote:
> > I think I would prefer to receive the mails with Mailscanner, check them
> > and forward them to Server A or B.

From jason at geeknocity.com Thu Dec 8 16:41:07 2016
From: jason at geeknocity.com (Jason Waters)
Date: Thu, 8 Dec 2016 11:41:07 -0500
Subject: Messages being disarmed
In-Reply-To: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>
References: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>
Message-ID:

Great that seemed to fix it. So does that mean any email that had those tags failed? Because it didn't seem to be the case. I would think the majority of the emails have html in them. Thanks for your help!

Jason

On Thu, Dec 8, 2016 at 11:35 AM, Mark Sapiro wrote:

> On 12/08/2016 08:14 AM, Jason Waters wrote:
> > Ok I did that. Any way to officially test it? I sent a test email in
> > from the outside and got that so I know it is still working. But would
> > love to trigger the content check and make sure it doesn't do that.
> > Could it be that it only does it on some emails and not all?
>
> Your initial log excerpt showed the message had an A tag and an IMG tag.
>
> You might try this message:
>
> To: user at example.com
> From: user at example.com
> Subject: test it
> MIME-Version: 1.0
> Content-Type: Text/html
> Content-Transfer-Encoding: quoted-printable
>
> Here's a test
> > http://www.goodsite.com/good
> see about that. >
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

From mkaelin at hosttech.ch Thu Dec 8 17:02:00 2016
From: mkaelin at hosttech.ch (=?UTF-8?B?TWFudWVsIEvDpGxpbg==?=)
Date: Thu, 08 Dec 2016 18:02:00 +0100
Subject: Mailscanner initial Setup help
In-Reply-To: <8372b11d-5fc0-0376-ebce-f147a6abf248@pt.lu>
Message-ID: <1e498f7f440e55ee98cea31b35ab5b61043175a7@mylogin.email>

Hi

This could be solved with a 2nd mailscanner as 2nd mx and change mydomain.tld Server that it accepts just from the mailscanner server.
Or am I missing something?

Manuel

----- Original Message -----
From: "MailScanner Discussion"
To: "MailScanner Discussion"
Cc:
Sent: Thu, 8 Dec 2016 17:38:02 +0100
Subject: Re: Mailscanner initial Setup help

Hello everybody,

this is exactly how we have our set-up - should we write some documentation and try to get it added to the MailScanner docs on the web site?

- It's actually more DNS and PostFix/Sendmail set-up issue than MailScanner but I always thought that the MailScanner site would be a good place to centralise this information because it's going to be a "standard" requirement.

Here's the concept:

The domain is "mydomain.tld" and this IP_Addr is running a web and e-mail server (etc.,etc., etc.)

We want to set up a separate host to act as a mail "hub" with MailScanner (spam and virus) which scans the mail before passing it onto "mydomain.tld".
For the purposes of this exercise let's call this "mailscanner hub" host : "mailscanner.anotherdomain.tld"

So,
In order that mail for mydomain.tld is first sent to "mailscanner.anotherdomain.tld" we have to have access to the DNS - MX records for "mydomain.tld"
We set-up two MX records:
mydomain.tld MX10 mailscanner.anotherdomain.tld.
mydomain.tld MX20 mydomain.tld.

This makes sure that if there's a problem with our "mailscanner hub" mail still gets through....

Don't forget that anotherdomain.tld is also going to accept e-mail via its own MX records AND that mailscanner.anotherdomain.tld should be pointed to by an A-record and should NOT be a CNAME.

Now, on mailscanner.anotherdomain.tld
- we set up the mail server (my experience is with Sendmail and Postfix)
- we set up Mailscanner
and we test that it all works for mail going to anotherdomain.tld

Then we set up Sendmail or Postfix to forward non-local mail to "mydomain.tld"

From experience, the problem with this concept is the spammers who ignore the dns and send directly to the smtp server at "domain.tld".
And, this is where someone else could help out with a good solution that doesn't mean installing another mailscanner on "domain.tld"

Does this sound about right?

-Graham-

PS: there are a couple of other tools needed of course - maildrop and MailWatch

Manuel Kälin wrote on 2016-12-08 16:13:
> Hi
>
> Yes, we need this second solution with incoming and outgoing direct from the
> final hosts.
> Have you set this up with postfix and how did you forward the mails? As files or
> something like smarthost?
>
> Manuel
>
> ----- Original Message -----
> From: "MailScanner Discussion"
> To: "MailScanner Discussion"
> Cc:
> Sent: Thu, 8 Dec 2016 10:03:38 -0500
> Subject: Re: Mailscanner initial Setup help
>
> That's my solution as well. All the mail comes in to the central
> scanning server and is then forwarded on to the final destinations.
> The model where the final delivery servers receive the mail, forward it to a
> central scanner, and then receive the results, is much harder to set up.
> In the first stage you don't want the server to be the final delivery
> host, while in the second you do.
>
> Peter
>
> On 12/08/2016 08:42 AM, Heino Backhaus wrote:
> > I think I would prefer to receive the mails with Mailscanner, check them
> > and forward them to Server A or B.

From mark at msapiro.net Thu Dec 8 17:08:56 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 8 Dec 2016 09:08:56 -0800
Subject: Messages being disarmed
In-Reply-To:
References: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>
Message-ID:

On 12/08/2016 08:41 AM, Jason Waters wrote:
> Great that seemed to fix it. So does that mean any email that had those
> tags failed? Because it didn't seem to be the case. I would think the
> majority of the emails have html in them. Thanks for your help!

I'm not sure what it was that triggered the issue. I think you'll just have to wait and see if it recurs or not. If the test message was flagged as {disarmed} by MailScanner or you see "Content Checks: Detected and have disarmed xxx tags in HTML message" where xxx isn't KILLED, you're probably OK.

One thing you can check is if all such log messages said KILLED prior to your changing the ownership and now they say other things and not KILLED, I'm sure it's fixed.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From jason at geeknocity.com Thu Dec 8 17:52:26 2016
From: jason at geeknocity.com (Jason Waters)
Date: Thu, 8 Dec 2016 12:52:26 -0500
Subject: Messages being disarmed
In-Reply-To:
References: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>
Message-ID:

Thanks for the help! I'll grep the log file and see what I see!

On Thu, Dec 8, 2016 at 12:08 PM, Mark Sapiro wrote:

> On 12/08/2016 08:41 AM, Jason Waters wrote:
> > Great that seemed to fix it. So does that mean any email that had those
> > tags failed? Because it didn't seem to be the case. I would think the
> > majority of the emails have html in them. Thanks for your help!
>
> I'm not sure what it was that triggered the issue. I think you'll just
> have to wait and see if it recurs or not. If the test message was
> flagged as {disarmed} by MailScanner or you see "Content Checks:
> Detected and have disarmed xxx tags in HTML message" where xxx isn't
> KILLED, you're probably OK.
>
> One thing you can check is if all such log messages said KILLED prior to
> your changing the ownership and now they say other things and not
> KILLED, I'm sure it's fixed.
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

From gsjarvis at pt.lu Thu Dec 8 19:09:26 2016
From: gsjarvis at pt.lu (Graham S. Jarvis)
Date: Thu, 8 Dec 2016 20:09:26 +0100
Subject: Mailscanner initial Setup help
In-Reply-To: <1e498f7f440e55ee98cea31b35ab5b61043175a7@mylogin.email>
References: <1e498f7f440e55ee98cea31b35ab5b61043175a7@mylogin.email>
Message-ID: <22f24387-e2ac-000d-118d-fb16aeeabece@pt.lu>

I've "been there" and just running a MailScanner (our spamassassin and clamav) on mydomain.tld would be enough - but this rather negates the idea of using a central hub......

Setting up mydomain.tld to only accept mail from mailscanner.anotherdomain.tld would mean that you have a problem if mailscanner.anotherdomain.tld goes down. Some senders don't keep trying for 5 days and you'd lose mail if you didn't notice and get a (already configured) solution on-line very quickly. (I've been there too....) :(

For me, one of the advantages of running via MX records is the failover. Running a separate mail host means that you can plan things so that the end-user doesn't notice or lose mail if you move from one host (or ISP) to another. DNS propagation times can be a real headache for multinational mail sources......

If you don't have to move hosts around that often it's not a problem - make sure that your ISP keeps giving you DNS access though.

Whatever you do, you still need a good backup as a way of getting a machine (the hub) up and running quickly in case of hardware failure though.

I still have a load of questions about this whole idea because there's the issue of the Sender Policy Framework (SPF) records - which is important if you are using the MailScanner "hub" to scan outgoing mail as well......

For me this is still "work in progress" ;)

-Graham-

Manuel Kälin wrote on 2016-12-08 18:02:
> Hi
>
> This could be solved with a 2nd mailscanner as 2nd mx and change mydomain.tld
> Server that it accepts just from the mailscanner server.
> Or am I missing something?
>
> Manuel
>
> ----- Original Message -----
> From: "MailScanner Discussion"
> To: "MailScanner Discussion"
> Cc:
> Sent: Thu, 8 Dec 2016 17:38:02 +0100
> Subject: Re: Mailscanner initial Setup help
>
> Hello everybody,
>
> this is exactly how we have our set-up - should we write some documentation and
> try to get it added to the MailScanner docs on the web site?
>
> - It's actually more DNS and PostFix/Sendmail set-up issue than MailScanner but
> I always thought that the MailScanner site would be a good place to centralise
> this information because it's going to be a "standard" requirement.
>
> Here's the concept:
>
> The domain is "mydomain.tld" and this IP_Addr is running a web and e-mail server
> (etc.,etc., etc.)
>
> We want to set up a separate host to act as a mail "hub" with MailScanner (spam
> and virus) which scans the mail before passing it onto "mydomain.tld".
>
> For the purposes of this exercise let's call this "mailscanner hub" host :
> "mailscanner.anotherdomain.tld"
>
> So,
> In order that mail for mydomain.tld is first sent to
> "mailscanner.anotherdomain.tld" we have to have access to the DNS - MX records
> for "mydomain.tld"
> We set-up two MX records:
> mydomain.tld MX10 mailscanner.anotherdomain.tld.
> mydomain.tld MX20 mydomain.tld.
>
> This makes sure that if there's a problem with our "mailscanner hub" mail still
> gets through....
>
> Don't forget that anotherdomain.tld is also going to accept e-mail via its own
> MX records AND that mailscanner.anotherdomain.tld should be pointed to by an
> A-record and should NOT be a CNAME.
>
> Now, on mailscanner.anotherdomain.tld
> - we set up the mail server (my experience is with Sendmail and Postfix)
> - we set up Mailscanner
> and we test that it all works for mail going to anotherdomain.tld
>
> Then we set up Sendmail or Postfix to forward non-local mail to "mydomain.tld"
>
> From experience, the problem with this concept is the spammers who ignore the
> dns and send directly to the smtp server at "domain.tld".
> And, this is where someone else could help out with a good solution that doesn't
> mean installing another mailscanner on "domain.tld"
>
> Does this sound about right?
>
> -Graham-
>
> PS: there are a couple of other tools needed of course - maildrop and MailWatch
>
> Manuel Kälin wrote on 2016-12-08 16:13:
> > Hi
> >
> > Yes, we need this second solution with incoming and outgoing direct from the
> > final hosts.
> > Have you set this up with postfix and how did you forward the mails? As files or
> > something like smarthost?
> >
> > Manuel
> >
> > ----- Original Message -----
> > From: "MailScanner Discussion"
> > To: "MailScanner Discussion"
> > Cc:
> > Sent: Thu, 8 Dec 2016 10:03:38 -0500
> > Subject: Re: Mailscanner initial Setup help
> >
> > That's my solution as well. All the mail comes in to the central
> > scanning server and is then forwarded on to the final destinations. The
> > model where the final delivery servers receive the mail, forward it to a
> > central scanner, and then receive the results, is much harder to set up.
> > In the first stage you don't want the server to be the final delivery
> > host, while in the second you do.
> >
> > Peter
> >
> > On 12/08/2016 08:42 AM, Heino Backhaus wrote:
> > > I think I would prefer to receive the mails with Mailscanner, check them
> > > and forward them to Server A or B.

From heino.backhaus at fink-computer.de Fri Dec 9 09:09:30 2016
From: heino.backhaus at fink-computer.de (Heino Backhaus)
Date: Fri, 9 Dec 2016 10:09:30 +0100
Subject: Mailscanner initial Setup help
In-Reply-To:
References:
Message-ID: <89fcae12-3467-4a45-42cf-ee84021e0206@fink-computer.de>

Hi,

maybe this could be your solution: Postfix supports instances. So if you configure one instance on server A and B to receive the mails and forward them to the Mailscanner and another instance on server A and B to receive the mails from Mailscanner and store them in the users mailboxes?

http://www.postfix.org/MULTI_INSTANCE_README.html
https://www.mailscanner.info/postfix/

------------------------------snip------------------------
Why multiple Postfix instances

Postfix is a general-purpose mail system that can be configured to serve a variety of needs. Examples of Postfix applications are:

* Local mail submission for shell users and system processes.
* Incoming (MX host) email from the Internet.
* Outbound mail relay for a corporate network.
* Authenticated submission for roaming users.
* *Before/after content-filter mail.*
--------------------------------snap----------------------------

Kind regards
H. Backhaus

Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backhaus at fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Fon: +49-641-98444640
UST-ID: DE151040770
HRB: 2143 Gießen
GF: Fredi Fink

"In retrospect it becomes clear that hindsight is definitely overrated!" -Alfred E. Neumann

On 08.12.2016 at 16:13, Manuel Kälin wrote:
> Hi
>
> Yes, we need this second solution with incoming and outgoing direct
> from the final hosts.
> Have you set this up with postfix and how did you forward the mails?
> As files or something like smarthost?
>
> Manuel
>
> ----- Original Message -----
> From: "MailScanner Discussion"
> To: "MailScanner Discussion"
> Cc:
> Sent: Thu, 8 Dec 2016 10:03:38 -0500
> Subject: Re: Mailscanner initial Setup help
>
> That's my solution as well. All the mail comes in to the central
> scanning server and is then forwarded on to the final destinations. The
> model where the final delivery servers receive the mail, forward it to a
> central scanner, and then receive the results, is much harder to set up.
> In the first stage you don't want the server to be the final delivery
> host, while in the second you do.
>
> Peter
>
> On 12/08/2016 08:42 AM, Heino Backhaus wrote:
> > I think I would prefer to receive the mails with Mailscanner, check them
> > and forward them to Server A or B.

From wt at dld2000.com Tue Dec 13 23:18:49 2016
From: wt at dld2000.com (Walt Thiessen)
Date: Tue, 13 Dec 2016 18:18:49 -0500
Subject: maillog vs Mailwatch log
In-Reply-To: <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com>
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com>
Message-ID:

With v4, I remember that MailScanner logged to /var/log/maillog.

However, after my server admins moved me to a different server this past September and upgraded to v5, it seems that /var/log/maillog isn't where MailScanner logs anymore ... at least on our server.
My server admins claim that this is because MailScanner now logs to MailWatch instead.

I always remembered MailWatch as an application that maintained its own database, separate from MailScanner. Maybe I'm wrong.

Is this truly the new configuration, or is this a reflection of something wrong my server admins did?

Walt

From jerry.benton at mailborder.com Wed Dec 14 00:55:31 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 13 Dec 2016 19:55:31 -0500
Subject: maillog vs Mailwatch log
In-Reply-To:
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com>
Message-ID:

MailScanner does log to /var/log/maillog

MailWatch is an additional .pm file that logs to mysql.

Your server admins are wrong.

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245

> On Dec 13, 2016, at 6:18 PM, Walt Thiessen wrote:
>
> With v4, I remember that MailScanner logged to /var/log/maillog.
>
> However, after my server admins moved me to a different server this past September and upgraded to v5, it seems that /var/log/maillog isn't where MailScanner logs anymore ... at least on our server.
>
> My server admins claim that this is because MailScanner now logs to MailWatch instead.
>
> I always remembered MailWatch as an application that maintained its own database, separate from MailScanner. Maybe I'm wrong.
>
> Is this truly the new configuration, or is this a reflection of something wrong my server admins did?
>
> Walt

From mark at msapiro.net Wed Dec 14 01:18:01 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 13 Dec 2016 17:18:01 -0800
Subject: maillog vs Mailwatch log
In-Reply-To:
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com>
Message-ID:

On 12/13/2016 03:18 PM, Walt Thiessen wrote:
> With v4, I remember that MailScanner logged to /var/log/maillog.
>
> However, after my server admins moved me to a different server this past
> September and upgraded to v5, it seems that /var/log/maillog isn't where
> MailScanner logs anymore ... at least on our server.

On my Ubuntu 16.04 server MailScanner's log messages are written to both /var/log/mail.log and /var/log/syslog.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From gao at pztop.com Wed Dec 14 17:42:10 2016
From: gao at pztop.com (Gao)
Date: Wed, 14 Dec 2016 09:42:10 -0800
Subject: Releasing Messages
In-Reply-To:
References: <5cc00856-a268-49bf-f280-962a5092ad7c@msapiro.net>
Message-ID:

Sometimes I manually release quarantined email. ?? MailWatch you can see MailScanner put the quarantined mail ID. For example: 65F7320B9A615.A8F61

Then I can release it:

sendmail -t -i < /var/spool/MailScanner/quarantine/20151217/65F7320B9A615.A8F61

Gao

On 2016-12-07 06:31 AM, Jason Waters wrote:
> I wasn't sure, since it uses Mailscanner. But thanks, I will ask my
> question there.
>
> On Wed, Dec 7, 2016 at 9:25 AM, Mark Sapiro wrote:
>
> > On 12/07/2016 05:46 AM, Jason Waters wrote:
> > I'm using mailscanner with MailWatch. When I release a mail it comes
> > gets sent to the end user, but it says Message was released from
> > quarantine. I would prefer that they just got the original email
> > instead of knowing that it was caught by the mail gateway. Is there
> > anyway to do this? Thanks.
> > > This is a question for MailWatch, not MailScanner. > > -- > Mark Sapiro > The > highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mace68 at chavis.us Wed Dec 14 19:03:13 2016 From: mace68 at chavis.us (Sterling Chavis) Date: Wed, 14 Dec 2016 12:03:13 -0700 Subject: Obvious spam getting through Message-ID: The other day I started to get slammed with spam. SpamAssassin was doing a very good job before that, and is still catching many. Could they be spoofing the X-Mailscanner headers to bypass my mailscan rules? Here is an example of the ones that are getting through: Return-Path: X-Original-To: -redacted- Delivered-To: -redacted- Received: from pessimist.rightcontipationscare.top (unknown [87.117.234.136]) by -redacted- (Postfix) with ESMTP id B988F18A32D7 for <-redacted->; Wed, 14 Dec 2016 11:53:34 -0700 (MST) Date: Wed, 14 Dec 2016 11:57:10 -0700 To: <-redacted-> Content-Type: text/plain Content-Transfer-Encoding: 8bit Message-ID: <235388608021263-7887ef6af8a0077590fc3928816e23e0-redacted-> Mime-Version: 1.0 From: Chronic Constipation Remedy X-MailScanner-ID: B988F18A32D7.A0500 X-MailScanner: Found to be clean X-MailScanner-SpamScore: s X-MailScanner-From: chronic.constipation.remedy at pessimist.rightcontipationscare.top Subject: Constipation is Not Due to "Bad Diet". New Treatment Available X-Spam-Status: No The ONLY Digestive Problem Cure That Actually Works. Newsletter No. 23538860 Date: 14Dec16 ================================================== Critical Digestive Information for -redacted-, A new essential breakthrough has been developed that relieves bowel and digestive issues in less than 3 weeks. 
72,485 people have already used this incredible method and have completely eliminated constipation and stomach pains. Every person who has tried this scientifically proven remedy has confirmed that their bowel problem improved as soon as they started using it. The remecy is highly effective and simple to use. It only takes a couple of minutes. Symptom disappear in a matter of days. Watch the Video to See How to Eliminate Painful Bowel Problems Quickly, Easily and For Good: http://endingsoon.rightcontipationscare.top/n/23538860 Live Well, Ali Kantu 8021263 Views To reject future ads, head this way--> http://endingsoon.rightcontipationscare.top/q/8021263 Ap #284-9699 Penatibus Street|||Aylesbury|||G0O 1MQ|||United Kingdom Every time I visit the tri-cities, this is my favorite spot ever. Hands down my favorite Mexican place ever. Their Fiji mango chicken is to die for. Tacos.... A group of sixteen of us stopped on our way out of Walla Walla and back to Seattle on Halloween. The town was busy with trick or treaters along town, but... Best place for a date, family dinner, or just a night out. Call early for a reservation. ..Try the bread pudding, or tiramisu. Italian cream sodas served in... Crab fried rice. Possibly one of the single most delicious things I've ever had.....Crab...Fried...Rice.....Doo Itt!! Wow! So, so, so delicious. I had the thali style lamb curry and I am totally pleased with my decision. I'm so stuffed with amazingly delicious food.......My... Spectacular explosion of flavors and generous portions! I especially liked the accompanying sides to my Bool-Go-Kee. My daughter had the Shrimp Chowmein and... After a morning of chai latte and cookies it was time for something more substantial for lunch. ..Got this place from Yelp as we were passing through... Great food, cool atmosphere and I discovered D's Wicked Cider, also from Kennewick. My favorite was the deep fried dill pickles! How is it I've lived this... Read this and here again on 12-1-16. 
Still feel the same. ....Here again. My go to Mexican place. I make this a regular stop while in Kennewick. I get to... Well here playing tennis at Palmetto and needed some healthy food. Hard to find here in Sumter among all the fried food. This was a delightful surprise!... On our way through town we stopped at Mariachis for lunch and enjoyed it. We received chips and salsa immediately and our server was right over. Lucy was... My husband and I spent the night in Sumter, SC and were trying to find a good place to eat. We came across this place, and was so amazed. The food we... Incredible Southern BBQ....This small shack off 95 packs a serious punch while maintaining a casual and friendly atmosphere. The restaurant is extremely clean... Their version of shepherds pie is fabulous. The place is very clean. Every employee was nice and clean also. Try the fried macaroni and cheese. Authentic, affordable, great atmosphere and good service... I've tried plenty of options here, from the Tres Amigos combo (make sure you are hungry),... I've been here a couple of times, it's one of the better places to eat in Sumter. ..A lot of guys have them prepare food for their retirements. I live in... Pizza like no other... Finally found pizza that taste like what I grew up with. Real ingredients and made to order... I'm addicted. Easily the best mexi joint in Sumter. I HIGHLY recommend you give the SWEET FRIED BURRITOS a try! They are epic and a unique dish you won't find any other...7887ef6af8a0077590fc3928816e23e0 From mailscanner at replies.cyways.com Wed Dec 14 19:10:52 2016 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Wed, 14 Dec 2016 14:10:52 -0500 Subject: Obvious spam getting through In-Reply-To: References: Message-ID: <64b1c40b-fee0-0cbf-f780-16bba3379fc6@replies.cyways.com> I deal with these by refusing mail for most of the new top-level domains like .top. 
I've never seen any legitimate mail from any of those, nor have I received any complaints about missing messages. My current blacklist includes: click date faith party link xyz download top space win stream gdn website bid loan review science I handle this screening via the access database in sendmail, not through MailScanner. Peter On 12/14/2016 02:03 PM, Sterling Chavis wrote: > The other day I started to get slammed with spam. SpamAssassin was doing a > very good job before that, and is still catching many. Couldthey be spoofing > the X-Mailscanner headers to bypass my mailscan rules? Here is an example of > the ones that are getting through: > > Return-Path: From mark at msapiro.net Wed Dec 14 19:44:38 2016 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 14 Dec 2016 11:44:38 -0800 Subject: {Spam?} Obvious spam getting through In-Reply-To: References: Message-ID: <4664ad83-86ef-56e6-641d-2caae8055554@msapiro.net> On 12/14/2016 11:03 AM, Sterling Chavis wrote: > The other day I started to get slammed with spam. SpamAssassin was doing > a very good job before that, and is still catching many. Couldthey be > spoofing the X-Mailscanner headers to bypass my mailscan rules? Here is > an example of the ones that are getting through: Interesting. Your message to the list got blocked as spam by my MailScanner. X-GPC-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=7.311, required 5, BAYES_00 -0.75, DKIM_SIGNED 0.10, HEADER_FROM_DIFFERENT_DOMAINS 0.00, KAM_INFOUSMEBIZ 0.75, KAM_MX4 1.00, KAM_VERY_BLACK_DBL 5.00, RCVD_IN_DNSWL_NONE -0.00, RP_MATCHES_RCVD -3.10, SPF_PASS -0.00, T_DKIM_INVALID 0.01, URIBL_BLACK 1.70, URIBL_DBL_SPAM 2.50, URIBL_SBL_A 0.10) X-GPC-MailScanner-SpamScore: sssssss Mostly due to the KAM rules. See . -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From mark at msapiro.net Wed Dec 14 19:49:10 2016 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 14 Dec 2016 11:49:10 -0800 Subject: {Spam?} Re: Obvious spam getting through In-Reply-To: <64b1c40b-fee0-0cbf-f780-16bba3379fc6@replies.cyways.com> References: <64b1c40b-fee0-0cbf-f780-16bba3379fc6@replies.cyways.com> Message-ID: On 12/14/2016 11:10 AM, Peter Lemieux wrote: > I deal with these by refusing mail for most of the new top-level domains > like .top. I've never seen any legitimate mail from any of those, nor > have I received any complaints about missing messages. My current > blacklist includes: > > click > ... Based on recent experience, I'd add 'mom', 'work', 'audio' and 'rocks' to that list. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mace68 at chavis.us Wed Dec 14 20:55:19 2016 From: mace68 at chavis.us (Sterling Chavis) Date: Wed, 14 Dec 2016 13:55:19 -0700 Subject: {Spam?} Obvious spam getting through In-Reply-To: <4664ad83-86ef-56e6-641d-2caae8055554@msapiro.net> References: <4664ad83-86ef-56e6-641d-2caae8055554@msapiro.net> Message-ID: Does Mailscanner have the option to allow the message without checking it if it already has X-Mailscanner headers indicating that it's not spam? If so what config option is responsible for it? On 12/14/2016 12:44 PM, Mark Sapiro wrote: > On 12/14/2016 11:03 AM, Sterling Chavis wrote: >> The other day I started to get slammed with spam. SpamAssassin was doing >> a very good job before that, and is still catching many. Couldthey be >> spoofing the X-Mailscanner headers to bypass my mailscan rules? Here is >> an example of the ones that are getting through: > > Interesting. Your message to the list got blocked as spam by my MailScanner. 
> > X-GPC-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=7.311, > required 5, BAYES_00 -0.75, DKIM_SIGNED 0.10, > HEADER_FROM_DIFFERENT_DOMAINS 0.00, KAM_INFOUSMEBIZ 0.75, > KAM_MX4 1.00, KAM_VERY_BLACK_DBL 5.00, RCVD_IN_DNSWL_NONE -0.00, > RP_MATCHES_RCVD -3.10, SPF_PASS -0.00, T_DKIM_INVALID 0.01, > URIBL_BLACK 1.70, URIBL_DBL_SPAM 2.50, URIBL_SBL_A 0.10) > X-GPC-MailScanner-SpamScore: sssssss > > Mostly due to the KAM rules. See > . > From wt at dld2000.com Wed Dec 14 21:21:30 2016 From: wt at dld2000.com (Walt Thiessen) Date: Wed, 14 Dec 2016 16:21:30 -0500 Subject: maillog vs Mailwatch log In-Reply-To: References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> Message-ID: Thanks for that, Jerry. I confronted them with what you said. However, while they have ceased to claim that MailScanner doesn't log to /var/log/maillog, they insist that they have checked and there's nothing wrong with the logging function on the system. Can you think of anything that might block MailScanner from logging successfully to /var/log/maillog? On 12/13/2016 7:55 PM, Jerry Benton wrote: > MailScanner does log to /var/log/maillog > > MailWatch is an additional .pm file that logs to mysql. > > Your server admins are wrong. > > - > Jerry Benton > www.mailborder.com > +1 - 844-436-6245 > > > >> On Dec 13, 2016, at 6:18 PM, Walt Thiessen > > wrote: >> >> With v4, I remember that MailScanner logged to /var/log/maillog. >> >> However, after my server admins moved me to a different server this >> past September and upgraded to v5, it seems that /var/log/maillog >> isn't where MailScanner logs anymore ... at least on our server. >> >> My server admins claim that this is because MailScanner now logs to >> MailWatch instead. >> >> I always remembered MailWatch as an application that maintained its >> own database, separate from MailScanner. Maybe I'm wrong. 
>> >> Is this truly the new configuration, or is this a reflection of >> something wrong my server admins did? >> >> Walt >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Wed Dec 14 21:24:02 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 14 Dec 2016 16:24:02 -0500 Subject: maillog vs Mailwatch log In-Reply-To: References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> Message-ID: <881DBB89-8BA5-4CEA-B67A-5FC2225DFC89@mailborder.com> Walt, Checking the logging section of MailScanner.conf. The most obvious candidate would be: # This is the syslog "facility" name that MailScanner uses. If you don't # know what a syslog facility name is, then either don't change this value # or else go and read "man syslog.conf". The default value of "mail" will # cause the MailScanner logs to go into the same place as all your other # mail logs. Syslog Facility = mail - Jerry Benton www.mailborder.com +1 - 844-436-6245 > On Dec 14, 2016, at 4:21 PM, Walt Thiessen wrote: > > Thanks for that, Jerry. > > I confronted them with what you said. However, while they hava ceased to claim that MailScanner doesn't log to /var/log/maillog, they insist that they have checked and there's nothing wrong with the logging function on the system. > > Can you think of anything that might block MailScanner from logging successfully to /var/log/maillog? > > On 12/13/2016 7:55 PM, Jerry Benton wrote: >> MailScanner does log to /var/log/maillog >> >> MailWatch is an additional .pm file that logs to mysql. >> >> You server admins are wrong. 
>> >> - >> Jerry Benton >> www.mailborder.com >> +1 - 844-436-6245 >> >> >> >>> On Dec 13, 2016, at 6:18 PM, Walt Thiessen > wrote: >>> >>> With v4, I remember that MailScanner logged to /var/log/maillog. >>> >>> However, after my server admins moved me to a different server this past September and upgraded to v5, it seems that /var/log/maillog isn't where MailScanner logs anymore ... at least on our server. >>> >>> My server admins claim that this is because MailScanner now logs to MailWatch instead. >>> >>> I always remembered MailWatch as an application that maintained its own database, separate from MailScanner. Maybe I'm wrong. >>> >>> Is this truly the new configuration, or is this a reflection of something wrong my server admins did? >>> >>> Walt >>> >>> >>> -- >>> MailScanner mailing list >>> mailscanner at lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >> >> >> >> > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wt at dld2000.com Wed Dec 14 21:34:25 2016 From: wt at dld2000.com (Walt Thiessen) Date: Wed, 14 Dec 2016 16:34:25 -0500 Subject: maillog vs Mailwatch log In-Reply-To: <881DBB89-8BA5-4CEA-B67A-5FC2225DFC89@mailborder.com> References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> <881DBB89-8BA5-4CEA-B67A-5FC2225DFC89@mailborder.com> Message-ID: <1272e830-5aba-94d9-6de0-b542a3c1b026@dld2000.com> Thanks Jerry. I checked, and it's already set to Syslog Facility = mail. Any other ideas? On 12/14/2016 4:24 PM, Jerry Benton wrote: > Walt, > > Checking the logging section of MailScanner.conf. The most obvious > candidate would be: > > # This is the syslog "facility" name that MailScanner uses. 
If you don't > # know what a syslog facility name is, then either don't change this value > # or else go and read "man syslog.conf". The default value of "mail" will > # cause the MailScanner logs to go into the same place as all your other > # mail logs. > Syslog Facility = mail > > - > Jerry Benton > www.mailborder.com > +1 - 844-436-6245 > > > >> On Dec 14, 2016, at 4:21 PM, Walt Thiessen > > wrote: >> >> Thanks for that, Jerry. >> >> I confronted them with what you said. However, while they hava ceased >> to claim that MailScanner doesn't log to /var/log/maillog, they >> insist that they have checked and there's nothing wrong with the >> logging function on the system. >> >> Can you think of anything that might block MailScanner from logging >> successfully to /var/log/maillog? >> >> >> On 12/13/2016 7:55 PM, Jerry Benton wrote: >>> MailScanner does log to /var/log/maillog >>> >>> MailWatch is an additional .pm file that logs to mysql. >>> >>> You server admins are wrong. >>> >>> - >>> Jerry Benton >>> www.mailborder.com >>> +1 - 844-436-6245 >>> >>> >>> >>>> On Dec 13, 2016, at 6:18 PM, Walt Thiessen >>> > wrote: >>>> >>>> With v4, I remember that MailScanner logged to /var/log/maillog. >>>> >>>> However, after my server admins moved me to a different server this >>>> past September and upgraded to v5, it seems that /var/log/maillog >>>> isn't where MailScanner logs anymore ... at least on our server. >>>> >>>> My server admins claim that this is because MailScanner now logs to >>>> MailWatch instead. >>>> >>>> I always remembered MailWatch as an application that maintained its >>>> own database, separate from MailScanner. Maybe I'm wrong. >>>> >>>> Is this truly the new configuration, or is this a reflection of >>>> something wrong my server admins did? 
>>>> >>>> Walt >>>> >>>> >>>> -- >>>> MailScanner mailing list >>>> mailscanner at lists.mailscanner.info >>>> >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>> >>> >>> >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Wed Dec 14 21:37:08 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 14 Dec 2016 16:37:08 -0500 Subject: maillog vs Mailwatch log In-Reply-To: <1272e830-5aba-94d9-6de0-b542a3c1b026@dld2000.com> References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> <881DBB89-8BA5-4CEA-B67A-5FC2225DFC89@mailborder.com> <1272e830-5aba-94d9-6de0-b542a3c1b026@dld2000.com> Message-ID: <9445C301-8DA4-4D81-A64A-47F1166B635E@mailborder.com> It is running, right? MailScanner was decoupled from the MTA in v5. What does MailScanner --lint produce? What OS is this on? Is the OS preventing it from logging? Does your MTA log to /var/log/maillog? - Jerry Benton www.mailborder.com +1 - 844-436-6245 > On Dec 14, 2016, at 4:34 PM, Walt Thiessen wrote: > > Thanks Jerry. I checked, and it's already set to Syslog Facility = mail. > > Any other ideas? > > On 12/14/2016 4:24 PM, Jerry Benton wrote: >> Walt, >> >> Checking the logging section of MailScanner.conf. The most obvious candidate would be: >> >> # This is the syslog "facility" name that MailScanner uses. If you don't >> # know what a syslog facility name is, then either don't change this value >> # or else go and read "man syslog.conf". The default value of "mail" will >> # cause the MailScanner logs to go into the same place as all your other >> # mail logs. 
>> Syslog Facility = mail >> >> - >> Jerry Benton >> www.mailborder.com >> +1 - 844-436-6245 >> >> >> >>> On Dec 14, 2016, at 4:21 PM, Walt Thiessen > wrote: >>> >>> Thanks for that, Jerry. >>> >>> I confronted them with what you said. However, while they hava ceased to claim that MailScanner doesn't log to /var/log/maillog, they insist that they have checked and there's nothing wrong with the logging function on the system. >>> >>> Can you think of anything that might block MailScanner from logging successfully to /var/log/maillog? >>> >>> On 12/13/2016 7:55 PM, Jerry Benton wrote: >>>> MailScanner does log to /var/log/maillog >>>> >>>> MailWatch is an additional .pm file that logs to mysql. >>>> >>>> You server admins are wrong. >>>> >>>> - >>>> Jerry Benton >>>> www.mailborder.com >>>> +1 - 844-436-6245 >>>> >>>> >>>> >>>>> On Dec 13, 2016, at 6:18 PM, Walt Thiessen > wrote: >>>>> >>>>> With v4, I remember that MailScanner logged to /var/log/maillog. >>>>> >>>>> However, after my server admins moved me to a different server this past September and upgraded to v5, it seems that /var/log/maillog isn't where MailScanner logs anymore ... at least on our server. >>>>> >>>>> My server admins claim that this is because MailScanner now logs to MailWatch instead. >>>>> >>>>> I always remembered MailWatch as an application that maintained its own database, separate from MailScanner. Maybe I'm wrong. >>>>> >>>>> Is this truly the new configuration, or is this a reflection of something wrong my server admins did? 
>>>>> >>>>> Walt >>>>> >>>>> >>>>> -- >>>>> MailScanner mailing list >>>>> mailscanner at lists.mailscanner.info >>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>> >>>> >>>> >>>> >>> >>> >>> >>> -- >>> MailScanner mailing list >>> mailscanner at lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >> >> >> >> > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > -------------- next part -------------- An HTML attachment was scrubbed... URL: From alex at vidadigital.com.pa Wed Dec 14 21:41:29 2016 From: alex at vidadigital.com.pa (Alex Neuman) Date: Wed, 14 Dec 2016 16:41:29 -0500 Subject: maillog vs Mailwatch log In-Reply-To: References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> Message-ID: Selinux? Permissions? On Dec 14, 2016 4:21 PM, "Walt Thiessen" wrote: > Thanks for that, Jerry. > > I confronted them with what you said. However, while they hava ceased to > claim that MailScanner doesn't log to /var/log/maillog, they insist that > they have checked and there's nothing wrong with the logging function on > the system. > > Can you think of anything that might block MailScanner from logging > successfully to /var/log/maillog? > > On 12/13/2016 7:55 PM, Jerry Benton wrote: > > MailScanner does log to /var/log/maillog > > MailWatch is an additional .pm file that logs to mysql. > > You server admins are wrong. > > - > Jerry Benton > www.mailborder.com > +1 - 844-436-6245 <(844)%20436-6245> > > > > On Dec 13, 2016, at 6:18 PM, Walt Thiessen wrote: > > With v4, I remember that MailScanner logged to /var/log/maillog. > > However, after my server admins moved me to a different server this past > September and upgraded to v5, it seems that /var/log/maillog isn't where > MailScanner logs anymore ... 
at least on our server. > > My server admins claim that this is because MailScanner now logs to > MailWatch instead. > > I always remembered MailWatch as an application that maintained its own > database, separate from MailScanner. Maybe I'm wrong. > > Is this truly the new configuration, or is this a reflection of something > wrong my server admins did? > > Walt > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Wed Dec 14 21:42:20 2016 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 14 Dec 2016 13:42:20 -0800 Subject: {Spam?} Obvious spam getting through In-Reply-To: References: <4664ad83-86ef-56e6-641d-2caae8055554@msapiro.net> Message-ID: On 12/14/2016 12:55 PM, Sterling Chavis wrote: > Does Mailscanner have the option to allow the message without checking > it if it already has X-Mailscanner headers indicating that it's not > spam? If so what config option is responsible for it? Only if you have a rule set for Scan Messages, but even with a rule set, you couldn't bypass scanning based on X-*-Mailscanner headers, only on from or to. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From wt at dld2000.com Wed Dec 14 21:59:52 2016 From: wt at dld2000.com (Walt Thiessen) Date: Wed, 14 Dec 2016 16:59:52 -0500 Subject: maillog vs Mailwatch log In-Reply-To: <9445C301-8DA4-4D81-A64A-47F1166B635E@mailborder.com> References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> <881DBB89-8BA5-4CEA-B67A-5FC2225DFC89@mailborder.com> <1272e830-5aba-94d9-6de0-b542a3c1b026@dld2000.com> <9445C301-8DA4-4D81-A64A-47F1166B635E@mailborder.com> Message-ID: In WHM: ConfigServer MailScanner FE shows: MailScanner Status: Running MailScanner --lint produces -bash: MailScanner: command not found OS is CentOS7 with WHM/Cpanel Is the OS preventing it from logging? My admins say no. I'm not so sure. Nothing is logging to /var/log/maillog right now, so the answer to your last question is No. The MTA is Exim, which is logging to /var/log/exim_mainlog On 12/14/2016 4:37 PM, Jerry Benton wrote: > It is running, right? MailScanner was decoupled from the MTA in v5. > > What does MailScanner --lint produce? > > What OS is this on? > > Is the OS preventing it from logging? > > Does your MTA log to /var/log/maillog? > > - > Jerry Benton > www.mailborder.com > +1 - 844-436-6245 > > > >> On Dec 14, 2016, at 4:34 PM, Walt Thiessen > > wrote: >> >> Thanks Jerry. I checked, and it's already set to Syslog Facility = mail. >> >> Any other ideas? >> >> >> On 12/14/2016 4:24 PM, Jerry Benton wrote: >>> Walt, >>> >>> Checking the logging section of MailScanner.conf. The most obvious >>> candidate would be: >>> >>> # This is the syslog "facility" name that MailScanner uses. If you don't >>> # know what a syslog facility name is, then either don't change this >>> value >>> # or else go and read "man syslog.conf". The default value of "mail" >>> will >>> # cause the MailScanner logs to go into the same place as all your other >>> # mail logs. 
>>> Syslog Facility = mail >>> >>> - >>> Jerry Benton >>> www.mailborder.com >>> +1 - 844-436-6245 >>> >>> >>> >>>> On Dec 14, 2016, at 4:21 PM, Walt Thiessen >>> > wrote: >>>> >>>> Thanks for that, Jerry. >>>> >>>> I confronted them with what you said. However, while they hava >>>> ceased to claim that MailScanner doesn't log to /var/log/maillog, >>>> they insist that they have checked and there's nothing wrong with >>>> the logging function on the system. >>>> >>>> Can you think of anything that might block MailScanner from logging >>>> successfully to /var/log/maillog? >>>> >>>> >>>> On 12/13/2016 7:55 PM, Jerry Benton wrote: >>>>> MailScanner does log to /var/log/maillog >>>>> >>>>> MailWatch is an additional .pm file that logs to mysql. >>>>> >>>>> You server admins are wrong. >>>>> >>>>> - >>>>> Jerry Benton >>>>> www.mailborder.com >>>>> +1 - 844-436-6245 >>>>> >>>>> >>>>> >>>>>> On Dec 13, 2016, at 6:18 PM, Walt Thiessen >>>>> > wrote: >>>>>> >>>>>> With v4, I remember that MailScanner logged to /var/log/maillog. >>>>>> >>>>>> However, after my server admins moved me to a different server >>>>>> this past September and upgraded to v5, it seems that >>>>>> /var/log/maillog isn't where MailScanner logs anymore ... at >>>>>> least on our server. >>>>>> >>>>>> My server admins claim that this is because MailScanner now logs >>>>>> to MailWatch instead. >>>>>> >>>>>> I always remembered MailWatch as an application that maintained >>>>>> its own database, separate from MailScanner. Maybe I'm wrong. >>>>>> >>>>>> Is this truly the new configuration, or is this a reflection of >>>>>> something wrong my server admins did? 
>>>>>> >>>>>> Walt >>>>>> >>>>>> >>>>>> -- >>>>>> MailScanner mailing list >>>>>> mailscanner at lists.mailscanner.info >>>>>> >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>>> -- >>>> MailScanner mailing list >>>> mailscanner at lists.mailscanner.info >>>> >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>> >>> >>> >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mace68 at chavis.us Wed Dec 14 22:26:15 2016 From: mace68 at chavis.us (Sterling Chavis) Date: Wed, 14 Dec 2016 15:26:15 -0700 Subject: Obvious spam getting through In-Reply-To: <64b1c40b-fee0-0cbf-f780-16bba3379fc6@replies.cyways.com> References: <64b1c40b-fee0-0cbf-f780-16bba3379fc6@replies.cyways.com> Message-ID: <9d0c76ff-ce0e-a54c-638c-2b4dc602532d@chavis.us> Thank you. The ones that are getting through are all .top domains as far as I can see. I'll use this method and see how it goes. On 12/14/2016 12:10 PM, Peter Lemieux wrote: > I deal with these by refusing mail for most of the new top-level > domains like .top. I've never seen any legitimate mail from any of > those, nor have I received any complaints about missing messages. My > current blacklist includes: > > click > date > faith > party > link > xyz > download > top > space > win > stream > gdn > website > bid > loan > review > science > > I handle this screening via the access database in sendmail, not > through MailScanner. > > Peter > > > On 12/14/2016 02:03 PM, Sterling Chavis wrote: >> The other day I started to get slammed with spam. SpamAssassin was >> doing a >> very good job before that, and is still catching many. Couldthey be >> spoofing >> the X-Mailscanner headers to bypass my mailscan rules? 
Here is an >> example of >> the ones that are getting through: >> >> Return-Path: >> > > From wt at dld2000.com Wed Dec 14 22:35:29 2016 From: wt at dld2000.com (Walt Thiessen) Date: Wed, 14 Dec 2016 17:35:29 -0500 Subject: maillog vs Mailwatch log In-Reply-To: References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> Message-ID: By the way, when I run: service MailScanner status -l I get the following result: Redirecting to /bin/systemctl status -l MailScanner.service * MailScanner.service - MailScanner AntiSpam and AntiVirus Loaded: loaded (/usr/lib/systemd/system/MailScanner.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2016-12-14 17:30:34 EST; 2min 5s ago Process: 19635 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS) Process: 11200 ExecStart=/usr/mailscanner/usr/sbin/MailScanner (code=exited, status=0/SUCCESS) Main PID: 11210 (MailScanner: ma) CGroup: /system.slice/MailScanner.service |-11210 MailScanner: master process sleepin |-11211 MailScanner: waiting for message |-11223 MailScanner: waiting for message |-11244 MailScanner: waiting for message |-11259 MailScanner: waiting for message `-11269 MailScanner: waiting for message Dec 14 17:32:09 [hostname] MailScanner[11259]: New Batch: Scanning 1 messages, 1126 bytes Dec 14 17:32:09 [hostname] MailScanner[11259]: Filename Checks: Allowing 1cHI5o-0003rC-5v msg-11259-2.txt Dec 14 17:32:09 [hostname] MailScanner[11259]: Filetype Checks: Allowing 1cHI5o-0003rC-5v msg-11259-2.txt Dec 14 17:32:09 [hostname] MailScanner[11259]: Virus and Content Scanning: Starting Dec 14 17:32:09 [hostname] MailScanner[11259]: Spam Checks: Starting Dec 14 17:32:10 [hostname] MailScanner[11259]: Message 1cHI5o-0003rC-5v from 127.0.0.1 (root@[hostname]) to [hostname] is not spam, SpamAssassin (not cached, score=-0.801, required 5, BAYES_00 -1.90, DCC_CHECK 1.10, 
NO_RELAYS -0.00)
Dec 14 17:32:10 [hostname] MailScanner[11259]: Delivery of nonspam: message 1cHI5o-0003rC-5v from root@[hostname] to root@[hostname] with subject lfd on [hostname]: Excessive resource usage: nolan (14823 (Parent PID:5792))
Dec 14 17:32:10 [hostname] MailScanner[11259]: Uninfected: Delivered 1 messages
Dec 14 17:32:10 [hostname] MailScanner[11259]: Connected to MailControl MySQL database

However, again, none of that is logging to /var/log/maillog

From mailscanner at replies.cyways.com Wed Dec 14 22:42:09 2016
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Wed, 14 Dec 2016 17:42:09 -0500
Subject: Obvious spam getting through
In-Reply-To: <9d0c76ff-ce0e-a54c-638c-2b4dc602532d@chavis.us>
References: <64b1c40b-fee0-0cbf-f780-16bba3379fc6@replies.cyways.com> <9d0c76ff-ce0e-a54c-638c-2b4dc602532d@chavis.us>
Message-ID: <5892512e-116a-aeb8-f968-06f59432481d@replies.cyways.com>

If you don't want to reject them outright, bump up their scores in
SpamAssassin with a rule like

header TOP_DOMAIN Return-Path =~ /\.top/
score TOP_DOMAIN 3

Peter

From mark at msapiro.net Wed Dec 14 23:00:54 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 14 Dec 2016 15:00:54 -0800
Subject: maillog vs Mailwatch log
In-Reply-To:
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com>
Message-ID: <62606c77-dee9-ede8-087b-c361623a1b7e@msapiro.net>

The system logging configuration is generally in /etc/rsyslog.conf and
/etc/rsyslog.d/*

Look there for where 'mail' entries are written. For example, my
/etc/rsyslog.d/50-default.conf has entries like

*.*;auth,authpriv.none -/var/log/syslog
mail.* -/var/log/mail.log
mail.err /var/log/mail.err

which essentially says everything except auth and authpriv gets logged
to /var/log/syslog, all 'mail' log messages of any severity are logged
to /var/log/mail.log and 'mail' messages of severity 'err' or greater
are logged to /var/log/mail.err. With this config, all 'mail' syslog
entries of any severity will be written to both /var/log/syslog and
/var/log/mail.log.

What does yours say?

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From wt at dld2000.com Wed Dec 14 23:49:09 2016
From: wt at dld2000.com (Walt Thiessen)
Date: Wed, 14 Dec 2016 18:49:09 -0500
Subject: maillog vs Mailwatch log
In-Reply-To: <62606c77-dee9-ede8-087b-c361623a1b7e@msapiro.net>
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> <62606c77-dee9-ede8-087b-c361623a1b7e@msapiro.net>
Message-ID:

Thanks Mark.

My server is apparently missing some key directories.

In /etc/rsyslog.d/ there is only one file: listen.conf

That's it!

Walt

From mark at msapiro.net Wed Dec 14 23:54:19 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 14 Dec 2016 15:54:19 -0800
Subject: maillog vs Mailwatch log
In-Reply-To:
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> <62606c77-dee9-ede8-087b-c361623a1b7e@msapiro.net>
Message-ID:

On 12/14/2016 03:49 PM, Walt Thiessen wrote:
> Thanks Mark.
>
> My server is apparently missing some key directories.
>
> In /etc/rsyslog.d/ there is only one file: listen.conf
>
> That's it!

Did you look at the contents of /etc/rsyslog.conf and
/etc/rsyslog.d/listen.conf and any other files that might be included
from either of those?

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From jlovejoy at lovejoytech.com Thu Dec 15 00:04:49 2016
From: jlovejoy at lovejoytech.com (James Lovejoy)
Date: Wed, 14 Dec 2016 19:04:49 -0500
Subject: maillog vs Mailwatch log
In-Reply-To:
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> <62606c77-dee9-ede8-087b-c361623a1b7e@msapiro.net>
Message-ID:

For CentOS 7 the config file for rsyslog is in /etc/rsyslog.conf.
Mine is configured as this for mail. Default settings for a CentOS 7
server:

# Log all the mail messages in one place.
mail.* -/var/log/maillog

On 12/14/2016 6:49 PM, Walt Thiessen wrote:
> Thanks Mark.
>
> My server is apparently missing some key directories.
>
> In /etc/rsyslog.d/ there is only one file: listen.conf
>
> That's it!
>
> Walt

From wt at dld2000.com Thu Dec 15 00:23:33 2016
From: wt at dld2000.com (Walt Thiessen)
Date: Wed, 14 Dec 2016 19:23:33 -0500
Subject: maillog vs Mailwatch log
In-Reply-To:
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> <62606c77-dee9-ede8-087b-c361623a1b7e@msapiro.net>
Message-ID: <8a4f213c-6abf-9b04-754f-b1356885604f@dld2000.com>

/etc/rsyslog.conf has many settings including the following:

mail.* /var/log/maillog

It also has this:

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

/etc/rsyslog.d/listen.conf contains only one line:

SystemLogSocketName /run/systemd/journal/syslog

On 12/14/2016 6:54 PM, Mark Sapiro wrote:
> Did you look at the contents of /etc/rsyslog.conf and
> /etc/rsyslog.d/listen.conf and any other files that might be included
> from either of those?

From mark at msapiro.net Thu Dec 15 00:30:50 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 14 Dec 2016 16:30:50 -0800
Subject: maillog vs Mailwatch log
In-Reply-To: <8a4f213c-6abf-9b04-754f-b1356885604f@dld2000.com>
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> <62606c77-dee9-ede8-087b-c361623a1b7e@msapiro.net> <8a4f213c-6abf-9b04-754f-b1356885604f@dld2000.com>
Message-ID:

On 12/14/2016 04:23 PM, Walt Thiessen wrote:
> /etc/rsyslog.conf has many settings including the following:
>
> mail.* /var/log/maillog

Unless there are other 'mail*none' like entries that trump that one,
MailScanner with its

Syslog Facility = mail

directive should be logging to /var/log/maillog.

If not, perhaps as was suggested earlier in this thread there is a
permissions or SELinux issue preventing MailScanner's
Run As User:Run As Group from writing this file.

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From sriccio at openbusiness.com Thu Dec 15 16:52:43 2016
From: sriccio at openbusiness.com (Sébastien Riccio)
Date: Thu, 15 Dec 2016 16:52:43 +0000
Subject: Adding Spamassassin's TextCat X-Language header to scanned messages.
Message-ID: <565278c8dfda4f60870b140c4f870aa6@ex1.obs.local>

Hi list,

I'm not sure if this has been already asked but I can't find any clues
for it.

We are actually trying mailscanner and I would like to know if it's
possible to add TextCat's X-Language header to the mails that are
scanned by MailScanner.

I activated the TextCat plugin but I can't see the X-Language header
added in the message forwarded to our MTA.

We don't want to use ok_languages to restrict any language, but only
have a hint about the language in the headers so we can create rules
based on it.

Thanks for your help !

Kind regards,
Sébastien

From wt at dld2000.com Thu Dec 15 19:21:35 2016
From: wt at dld2000.com (Walt Thiessen)
Date: Thu, 15 Dec 2016 14:21:35 -0500
Subject: maillog vs Mailwatch log
In-Reply-To:
References: <3a4c3b15a9e409b13afe7adda6d9cd104b0ba025@mylogin.email> <06d0ff12-b7c0-51b0-a5a9-fd9568942784@fink-computer.de> <0abaa6f4-7dd9-d5cb-9d91-6d6ade9d113a@replies.cyways.com> <62606c77-dee9-ede8-087b-c361623a1b7e@msapiro.net> <8a4f213c-6abf-9b04-754f-b1356885604f@dld2000.com>
Message-ID:

We resolved the issue. In case someone finds this thread sometime and
needs to know what we did, here's what happened.

We contacted cPanel support, and they logged in and looked things over.

cPanel support suggested changing option RESTRICT_SYSLOG_GROUP to 0 or
2, and changing permissions on /dev/log socket afterwards since when
option is set to 3 it changes permissions on /dev/log to 660 instead of
666 which may prevent non-root users from writing to file. After
rsyslog service was restarted, service started logging into
/var/log/maillog again.

Walt

From mailscanner-list at okla.com Fri Dec 16 14:37:30 2016
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Fri, 16 Dec 2016 08:37:30 -0600
Subject: Obvious spam getting through
In-Reply-To: <5892512e-116a-aeb8-f968-06f59432481d@replies.cyways.com>
References: <64b1c40b-fee0-0cbf-f780-16bba3379fc6@replies.cyways.com> <9d0c76ff-ce0e-a54c-638c-2b4dc602532d@chavis.us> <5892512e-116a-aeb8-f968-06f59432481d@replies.cyways.com>
Message-ID: <007701d257a9$f1cb7ca0$d56275e0$@okla.com>

I create a file called x-blacklisted-tlds.cf and put it in the same
folder as your local.cf, on Centos in /etc/mail/spamassassin/. When
spamassassin fires it looks at all cf files there in alphabetical
order, so in my case the x-blacklisted-tlds.cf is read last on purpose.

The contents look like this:

blacklist_from *@*.top
blacklist_from *@*.xzy

etc.etc.etc.

Since I use the latest version of MailWatch also, this allows me to
whitelist any that are legit although like Peter says, I haven't had a
single complaint either. In MW, these will be color coded black just
like they would if you had them in the MW SQL blacklist unless you
whitelist the sender with MW which overrides the SA blacklist_from in
your cf file.

Regards,
Tracy Greggs
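
Added example (not part of any poster's message, and not SpamAssassin's own code): a Python model of the two approaches discussed above, the unanchored \.top header test and blacklist_from globs built from the TLD list, run over constructed Return-Path values to show where the loose pattern over- and under-matches. The sample headers, the ANCHORED variant and all function names are assumptions of this example; the glob handling follows SpamAssassin's documented behaviour (* and ? only, case-insensitive, whole address).

```python
"""Compare TLD-matching strategies from this thread on constructed input."""
import re
from email.utils import parseaddr

# TLD list as posted by Peter Lemieux earlier in this thread.
BLOCKED_TLDS = [
    "click", "date", "faith", "party", "link", "xyz", "download", "top",
    "space", "win", "stream", "gdn", "website", "bid", "loan", "review",
    "science",
]

# Constructed sample headers (not taken from real mail).
SAMPLE_HEADERS = [
    "Return-Path: <promo@deals.example.top>",          # sender really in .top
    "Return-Path: <info@EXAMPLE.TOP>",                 # same TLD, upper case
    "Return-Path: <bounce@mail.topical.example.com>",  # ".top" inside a host label
    "Return-Path: <jane.topper@example.org>",          # ".top" inside the local part
    "Return-Path: <>",                                 # null sender (bounces)
]

# Unanchored, case-sensitive test equivalent to the scoring rule in the thread.
LOOSE = re.compile(r"\.top")
# Tightened variant (assumption of this example): ".top" must end the address.
ANCHORED = re.compile(r"\.top>?\s*$", re.IGNORECASE)


def glob_to_regex(glob):
    """Model a blacklist_from glob: '*' = any run, '?' = one character."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def render_cf(tlds):
    """Render the lines for a file such as x-blacklisted-tlds.cf."""
    return "".join(f"blacklist_from *@*.{t}\n" for t in sorted(set(tlds)))


def sender_of(header_line):
    """Return (raw header value, bare address) for one header line."""
    _, _, value = header_line.partition(":")
    return value, parseaddr(value)[1]


def compare(header_lines, tlds=BLOCKED_TLDS):
    """Evaluate each strategy against every header line."""
    globs = [glob_to_regex(f"*@*.{t}") for t in tlds]
    rows = []
    for line in header_lines:
        value, addr = sender_of(line)
        rows.append({
            "address": addr,
            "loose": LOOSE.search(value) is not None,
            "anchored": ANCHORED.search(value) is not None,
            # fullmatch: the glob has to cover the whole address
            "glob": any(g.fullmatch(addr) for g in globs),
        })
    return rows


if __name__ == "__main__":
    print(render_cf(BLOCKED_TLDS), end="")
    for row in compare(SAMPLE_HEADERS):
        print(row)
```

The loose pattern scores the two non-.top senders and misses the upper-case one; the anchored regex and the glob agree on all five samples.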

From mailscanner at replies.cyways.com Fri Dec 16 15:08:38 2016
From: mailscanner at replies.cyways.com (Peter Lemieux)
Date: Fri, 16 Dec 2016 10:08:38 -0500
Subject: Obvious spam getting through
In-Reply-To: <007701d257a9$f1cb7ca0$d56275e0$@okla.com>
References: <64b1c40b-fee0-0cbf-f780-16bba3379fc6@replies.cyways.com> <9d0c76ff-ce0e-a54c-638c-2b4dc602532d@chavis.us> <5892512e-116a-aeb8-f968-06f59432481d@replies.cyways.com> <007701d257a9$f1cb7ca0$d56275e0$@okla.com>
Message-ID: <068ee34c-faae-9c67-d374-c85a802aaf0a@replies.cyways.com>

I didn't even know there was a "blacklist_from" directive in
SpamAssassin. In fact, there are quite a variety of such controls. I
noticed that while there is a whitelist_from_rcvd which looks at
Received headers, there is no corresponding blacklist_from_rcvd. I
wonder if that means blacklist_from includes both Received and From
headers? Details here:

https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options

I generally use the whitelisting and blacklisting rulesets in
MailScanner itself for these tasks. Maybe someone here can remind us
whether a blacklisted From in those rulesets applies to the Received
headers, or to the Return-Path, as well as the From address itself. See
the "Is Definitely Spam" directive in MailScanner.conf.

Peter

From sriccio at openbusiness.com Sat Dec 17 06:00:28 2016
From: sriccio at openbusiness.com (Sébastien Riccio)
Date: Sat, 17 Dec 2016 06:00:28 +0000
Subject: MailScanner/Postfix Per recipient mail splitting
Message-ID:

Hi,

In an attempt to have per user spam rules I was googling about it and
found that first thing is to have Postfix to split mail on a per
recipient basis (understandable).

I found this post:
http://mailscanner.mailscanner.narkive.com/m0Cnyoy3/how-to-split-messages-per-recipient-with-postfix

Okay it's 11 years old, and the link to the wiki is not working anymore.

My question is, is it now in 2016 possible to do it, with MailScanner ?

Any hints would be appreciated.

Thanks a lot!

Sébastien

From jonas at jkvinge.net Mon Dec 19 17:11:51 2016
From: jonas at jkvinge.net (Jonas Kvinge)
Date: Mon, 19 Dec 2016 18:11:51 +0100
Subject: MailScanner has detected a possible fraud attempt
Message-ID: <9a2e1a9c-66e2-eb70-904d-035f2610c594@jkvinge.net>

How can I remove MailScanner editing e-mails like this:

MailScanner has detected a possible fraud attempt from "r20.rs6.net"
claiming to be www.mcintoshgroup.com

Didn't find it in the configuration.

Jonas

From iversons at rushville.k12.in.us Mon Dec 19 17:41:23 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 19 Dec 2016 12:41:23 -0500
Subject: MailScanner has detected a possible fraud attempt
In-Reply-To: <9a2e1a9c-66e2-eb70-904d-035f2610c594@jkvinge.net>
References: <9a2e1a9c-66e2-eb70-904d-035f2610c594@jkvinge.net>
Message-ID:

In MailScanner.conf:

Highlight Phishing Fraud = no

On Mon, Dec 19, 2016 at 12:11 PM, Jonas Kvinge wrote:
> How can I remove MailScanner editing e-mails like this:
>
> MailScanner has detected a possible fraud attempt from "r20.rs6.net"
> claiming to be www.mcintoshgroup.com
>
> Didn't find it in the configuration.
>
> Jonas

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From mailscanner-list at okla.com Mon Dec 19 22:45:38 2016
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Mon, 19 Dec 2016 16:45:38 -0600
Subject: Obvious spam getting through
In-Reply-To: <068ee34c-faae-9c67-d374-c85a802aaf0a@replies.cyways.com>
References: <64b1c40b-fee0-0cbf-f780-16bba3379fc6@replies.cyways.com> <9d0c76ff-ce0e-a54c-638c-2b4dc602532d@chavis.us> <5892512e-116a-aeb8-f968-06f59432481d@replies.cyways.com> <007701d257a9$f1cb7ca0$d56275e0$@okla.com> <068ee34c-faae-9c67-d374-c85a802aaf0a@replies.cyways.com>
Message-ID: <01bc01d25a49$a18731b0$e4959510$@okla.com>

While there is usually more than one way to accomplish the same thing,
I use xtables-addons to block everything where the last external relay
is not in the US or Canada for most of my clients' servers that do not
have any legit email from outside the US or CA.

The SA rules I described are to catch those TLDs that are 100% spam
generally speaking and that are being relayed from the US or CA.

I have quite a lengthy list of them in my x-blacklisted-tlds.cf, and
along with RBLDNSD it solves 99% of the spam issues.

Tracy

From jason at geeknocity.com Tue Dec 20 13:10:04 2016
From: jason at geeknocity.com (Jason Waters)
Date: Tue, 20 Dec 2016 08:10:04 -0500
Subject: Messages being disarmed
In-Reply-To:
References: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>
Message-ID:

Well I thought it was fixed because I didn't get any for awhile but
they seem to be back. That is what I don't get. Why it works and then
just stops! I also have some issues where it stops logging to SQL.
Still does all the checks and it says it logs to SQL, but it doesn't.
I reboot and then it starts again.

So here is some more information:

cat /var/log/mail.log |grep "died, status = 13" -B5 -A5
Dec 20 07:03:22 mailscanner MailScanner[12173]: Virus and Content Scanning: Starting
Dec 20 07:03:25 mailscanner postfix/smtpd[14291]: disconnect from ccm183.constantcontact.com[208.75.123.183] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec 20 07:03:28 mailscanner MailScanner[12173]: tag found in message D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@ in.constantcontact.com
Dec 20 07:03:28 mailscanner MailScanner[12173]: HTML Img tag found in message D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@ in.constantcontact.com
Dec 20 07:03:44 mailscanner postfix/smtpd[14291]: connect from unknown[78.142.18.89]
Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:03:52 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@ in.constantcontact.com
Dec 20 07:03:53 mailscanner MailScanner[12173]: Requeue: D45B4E0B1B.A2260 to 14619E0B20
Dec 20 07:03:53 mailscanner postfix/qmgr[1736]: 14619E0B20: from=, size=19291, nrcpt=1 (queue active)
Dec 20 07:03:53 mailscanner MailScanner[12173]: Uninfected: Delivered 1 messages
Dec 20 07:03:53 mailscanner MailScanner[12173]: Deleted 1 messages from processing-database
--
Dec 20 07:16:22 mailscanner MailScanner[13973]: Deleted 1 messages from processing-database
Dec 20 07:16:22 mailscanner MailScanner[13973]: Logging message 2EDE1E0B20.ACEF5 to SQL
Dec 20 07:16:22 mailscanner MailScanner[13973]: New Batch: Found 2 messages waiting
Dec 20 07:16:22 mailscanner MailScanner[13973]: New Batch: Scanning 1 messages, 707697 bytes
Dec 20 07:16:23 mailscanner MailScanner[13973]: Virus and Content Scanning: Starting
Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:16:26 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D0DA1E0B21.A9AD3 from bo-b3aygrcbg7011zaut10bdcrjmm73vh at b.e.delta.com
Dec 20 07:16:27 mailscanner MailScanner[12173]: Requeue: D0DA1E0B21.A9AD3 to B6E49E0B20
Dec 20 07:16:27 mailscanner postfix/qmgr[1736]: B6E49E0B20: from=< bo-b3aygrcbg7011zaut10bdcrjmm73vh at b.e.delta.com>, size=52671, nrcpt=1 (queue active)
Dec 20 07:16:27 mailscanner MailScanner[12173]: Uninfected: Delivered 1 messages
Dec 20 07:16:27 mailscanner MailScanner[12173]: Deleted 1 messages from processing-database

I thought I had everything setup to run as postfix..

root at mailscanner:/etc/MailScanner# grep "= postfix" MailScanner.conf
#Run As User = postfix
Run As User = postfix
#Run As Group = postfix
Run As Group = postfix
MTA = postfix
Incoming Work User = postfix
Incoming Work Group = postfix
Quarantine User = postfix
Quarantine Group = postfix

Here is the entry for postfix in /etc/group

postfix:x:117:clamav,www-data,mail

Spool Permissions

root at mailscanner:/var/spool/MailScanner# ls -l *
-rw------- 1 postfix postfix 23 Nov 15 13:14 servers

archive:
total 0

incoming:
total 576
drwxrwx--- 2 postfix postfix 4096 Dec 13 14:49 11490
drwxrwx--- 2 postfix postfix 4096 Dec 20 07:43 12173
drwxrwx--- 2 postfix postfix 4096 Dec 18 01:10 15039
drwxrwx--- 2 postfix postfix 4096 Dec 20 08:08 1934
drwxrwx--- 2 postfix postfix 4096 Dec 20 08:08 1972
drwxrwx--- 2 postfix postfix 4096 Dec 20 08:05 2006
drwxrwx--- 2 postfix postfix 4096 Dec 20 08:02 2042
drwxrwx--- 2 postfix postfix 4096 Dec 20 08:03 2096
drwxrwx--- 2 postfix postfix 4096 Dec 14 11:24 21119
drwxrwx--- 2 postfix postfix 4096 Dec 9 07:18 25816
drwxrwx--- 2 postfix postfix 4096 Dec 12 01:31 26221
drwxrwx--- 2 postfix postfix 4096 Dec 19 11:03 2718
drwxrwx--- 3 postfix postfix 4096 Dec 8 11:14 27928
drwxrwx--- 2 postfix postfix 4096 Dec 19 16:01 5050
drwxrwx--- 2 postfix postfix 4096 Dec 7 09:08 5209
drwxr-xr-x 2 postfix postfix 4096 Dec 20 07:45 Locks
-rw-rw---- 1 postfix postfix 11264 Dec 20 08:08 Processing.db
-rw-rw---- 1 postfix postfix 502784 Dec 20 08:08 SpamAssassin.cache.db
drwxr-xr-x 2 postfix postfix 4096 Dec 20 08:08 SpamAssassin-Temp

quarantine:
total 128
drwxrwx--- 4 postfix postfix 4096 Nov 19 00:05 20161119
drwxrwx--- 4 postfix postfix 4096 Nov 20 00:35 20161120
drwxrwx--- 6 postfix postfix 4096 Nov 21 17:20 20161121
drwxrwx--- 9 postfix postfix 4096 Nov 22 17:48 20161122
drwxrwx--- 5 postfix postfix 4096 Nov 23 08:21 20161123
drwxrwx--- 5 postfix postfix 4096 Nov 24 08:12 20161124
drwxrwx--- 6 postfix postfix 4096 Nov 25 00:55 20161125
drwxrwx--- 4 postfix postfix 4096 Nov 26 01:00 20161126
drwxrwx--- 4 postfix postfix 4096 Nov 27 01:38 20161127
drwxrwx--- 4 postfix postfix 4096 Nov 28 00:01 20161128
drwxrwx--- 7 postfix postfix 4096 Nov 29 09:41 20161129
drwxrwx--- 7 postfix postfix 4096 Nov 30 22:28 20161130
drwxrwx--- 6 postfix postfix 4096 Dec 1 20:15 20161201
drwxrwx--- 9 postfix postfix 4096 Dec 2 10:15 20161202
drwxrwx--- 4 postfix postfix 4096 Dec 3 01:33 20161203
drwxrwx--- 4 postfix postfix 4096 Dec 4 01:05 20161204
drwxrwx--- 6 postfix postfix 4096 Dec 5 21:56 20161205
drwxrwx--- 8 postfix postfix 4096 Dec 6 22:40 20161206
drwxrwx--- 5 postfix postfix 4096 Dec 7 19:16 20161207
drwxrwx--- 59 postfix postfix 4096 Dec 8 13:51 20161208
drwxrwx--- 14 postfix postfix 4096 Dec 9 19:05 20161209
drwxrwx--- 5 postfix postfix 4096 Dec 10 07:18 20161210
drwxrwx--- 6 postfix postfix 4096 Dec 11 13:35 20161211
drwxrwx--- 9 postfix postfix 4096 Dec 12 20:51 20161212
drwxrwx--- 7 postfix postfix 4096 Dec 13 15:11 20161213
drwxrwx--- 11 postfix postfix 4096 Dec 14 22:08 20161214
drwxrwx--- 7 postfix postfix 4096 Dec 15 15:40 20161215
drwxrwx--- 10 postfix postfix 4096 Dec 16 16:11 20161216
drwxrwx--- 6 postfix postfix 4096 Dec 17 15:11 20161217
drwxrwx--- 7 postfix postfix 4096 Dec 18 15:10 20161218
drwxrwx--- 12 postfix postfix 4096 Dec 19 20:10 20161219
drwxrwx--- 6 postfix postfix 4096 Dec 20 07:18 20161220

spamassassin:
total 28
-rwxrwx--- 1 postfix postfix 6 Nov 9 14:48 bayes.mutex
-rwxrwx--- 1 postfix postfix 12288 Nov 9 14:48 bayes_seen
-rwxrwx--- 1 postfix postfix 12288 Nov 9 14:48 bayes_toks

Any other thoughts or places to check? Can I get more detail on the
status 13?

On Thu, Dec 8, 2016 at 12:52 PM, Jason Waters wrote:
> Thanks for the help! I'll grep the log file and see what I see!
>
> On Thu, Dec 8, 2016 at 12:08 PM, Mark Sapiro wrote:
>
>> On 12/08/2016 08:41 AM, Jason Waters wrote:
>> > Great that seemed to fix it. So does that mean any email that had those
>> > tags failed? Because it didn't seem to be the case. I would think the
>> > majority of the emails have html in them. Thanks for your help!
>>
>> I'm not sure what it was that triggered the issue. I think you'll just
>> have to wait and see if it recurs or not. If the test message was
>> flagged as {disarmed} by MailScanner or you see "Content Checks:
>> Detected and have disarmed xxx tags in HTML message" where xxx isn't
>> KILLED, you're probably OK.
>>
>> One thing you can check is if all such log messages said KILLED prior to
>> your changing the ownership and now they say other things and not
>> KILLED, I'm sure it's fixed.
>>
>> --
>> Mark Sapiro                             The highway is for gamblers,
>> San Francisco Bay Area, California      better use your sense - B. Dylan

From jason at geeknocity.com Wed Dec 21 12:21:55 2016
From: jason at geeknocity.com (Jason Waters)
Date: Wed, 21 Dec 2016 07:21:55 -0500
Subject: Messages being disarmed
In-Reply-To:
References: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>
Message-ID:

Any ideas? I seem to be getting this a lot. I wouldn't care if I could
still see the email, but the email is just gone!

root at mailscanner:/var/log# cat /var/log/mail.log |grep "died, status = 13"
Dec 19 10:31:05 mailscanner MailScanner[2718]: HTML disarming died, status = 13
Dec 19 11:02:59 mailscanner MailScanner[2718]: HTML disarming died, status = 13
Dec 19 14:33:51 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 14:40:52 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 14:54:22 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 15:13:40 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 15:32:42 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 15:46:28 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 16:01:04 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 20:24:19 mailscanner MailScanner[6774]: HTML disarming died, status = 13
Dec 20 06:27:09 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:02:15 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 18:47:15 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 20 19:48:13 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 20 20:01:14 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 20 20:01:14 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 20 20:02:16 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 20 21:32:22 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 21 06:28:23 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 06:31:59 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 06:35:14 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 06:54:42 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 07:01:20 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 07:02:34 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 07:07:01 mailscanner MailScanner[416]: HTML disarming died, status = 13

From iversons at rushville.k12.in.us Wed Dec 21 12:29:24 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 21 Dec 2016 07:29:24 -0500
Subject: Messages being disarmed
In-Reply-To:
References: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>
Message-ID:

Permissions and/or MAC (selinux, etc.) related.

On Wed, Dec 21, 2016 at 7:21 AM, Jason Waters wrote:

> Any ideas? I seem to be getting this a lot. I wouldn't care if I could
> still see the email, but the email is just gone!

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From jason at geeknocity.com Wed Dec 21 12:37:02 2016
From: jason at geeknocity.com (Jason Waters)
Date: Wed, 21 Dec 2016 07:37:02 -0500
Subject: Messages being disarmed
In-Reply-To:
References: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>
Message-ID:

I would tend to agree...I just can't find where! I have everything set as postfix. All the permissions seem to still be postfix. Do I need to run clamd or spamassassin as postfix? Can I turn the logging up so I can see what is actually happening?

Thanks for the reply!

Jason

On Wed, Dec 21, 2016 at 7:29 AM, Shawn Iverson wrote:

> Permissions and/or MAC (selinux, etc.) related.
>>>>>
>>>>> --
>>>>> Mark Sapiro        The highway is for gamblers,
>>>>> San Francisco Bay Area, California    better use your sense - B. Dylan
>
> --
> Shawn Iverson
> Director of Technology
> Rush County Schools
> 765-932-3901 x271
> iversons at rushville.k12.in.us

From mark at msapiro.net Wed Dec 21 16:21:29 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 21 Dec 2016 08:21:29 -0800
Subject: Messages being disarmed
In-Reply-To:
References: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>
Message-ID:

On 12/21/2016 04:37 AM, Jason Waters wrote:
> I would tend to agree...I just can't find where! I have everything set
> as postfix. All the permissions seem to still be postfix. Do I need to
> run clamd or spamassassin as postfix?

You said you have in /etc/group

postfix:x:117:clamav,www-data,mail

I.e. clamav is in the postfix group. If you have

User clamav

in /etc/clamav/clamd.conf and

Incoming Work Permissions = 0660

in MailScanner.conf, that "should" be OK. As Shawn suggests, are you
running any security manager like SELinux or apparmor?

> Can I turn the logging up so I can
> see what is actually happening?

Unfortunately no. You have to go through the code in
/usr/share/MailScanner/perl/MailScanner/Message.pm and manually add
logging statements.

There might possibly be something in some other system log.
Given something like

Dec 19 10:31:05 mailscanner MailScanner[2718]: HTML disarming died,
status = 13

you could

sudo zgrep -r 'Dec 19 10:31:0' /var/log

(I intentionally dropped the 5 from 05) to see if anything interesting
is logged in that time frame.

Note that the PID that died is not 2718 in this case. The process forks
and 2718 is the parent while the process that died is the child.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From jason at geeknocity.com Wed Dec 21 18:02:47 2016
From: jason at geeknocity.com (Jason Waters)
Date: Wed, 21 Dec 2016 13:02:47 -0500
Subject: Messages being disarmed
In-Reply-To:
References: <284ca73d-484c-4363-5016-1baa023037a8@msapiro.net>
Message-ID:

I didn't think I was running apparmor, but I thought I should double
check. Normally I delete this after install.

root@mailscanner:~# dpkg -l |grep apparm
ii  apparmor            2.10.95-0ubuntu2.5  amd64  user-space parser utility for AppArmor
ii  libapparmor-perl    2.10.95-0ubuntu2.5  amd64  AppArmor library Perl bindings
ii  libapparmor1:amd64  2.10.95-0ubuntu2.5  amd64  changehat AppArmor library

but now if I go to remove it it wants to uninstall mysql as well! I'll
disable it and see if that keeps things running! Thanks!

On Wed, Dec 21, 2016 at 11:21 AM, Mark Sapiro wrote:

> On 12/21/2016 04:37 AM, Jason Waters wrote:
> > I would tend to agree...I just can't find where! I have everything set
> > as postfix. All the permissions seem to still be postfix. Do I need to
> > run clamd or spamassassin as postfix?
>
>
> You said you have in /etc/group
> postfix:x:117:clamav,www-data,mail
>
> I.e. clamav is in the postfix group. If you have
>
> User clamav
>
> in /etc/clamav/clamd.conf and
>
> Incoming Work Permissions = 0660
>
> in MailScanner.conf, that "should" be OK. As Shawn suggests, are you
> running any security manager like SELinux or apparmor?
>
>
> > Can I turn the logging up so I can
> > see what is actually happening?
>
>
> Unfortunately no. You have to go through the code in
> /usr/share/MailScanner/perl/MailScanner/Message.pm and manually add
> logging statements.
>
> There might possibly be something in some other system log. Given
> something like
>
> Dec 19 10:31:05 mailscanner MailScanner[2718]: HTML disarming died,
> status = 13
>
> you could
>
> sudo zgrep -r 'Dec 19 10:31:0' /var/log
>
> (I intentionally dropped the 5 from 05) to see if anything interesting
> is logged in that time frame.
>
> Note that the PID that died is not 2718 in this case. The process forks
> and 2718 is the parent while the process that died is the child.
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

From michaswr at gmail.com Thu Dec 22 11:01:58 2016
From: michaswr at gmail.com (michaswr)
Date: Thu, 22 Dec 2016 12:01:58 +0100
Subject: Essets and Mailscanner initialization filied
Message-ID:

Hello,

I have problem Mailscanner + esets

1. Wrapper /usr/lib/MailScanner/wrapper/esets-wrapper

PackageDir=$1
shift
Prog=esets_scan

if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x ${PackageDir}/$Prog ] && exit 0
  exit 1
fi

echo "exec ${PackageDir}/$Prog --log-all --log-file /var/log/essets.log "$@" " >> /var/log/essets.log
exec ${PackageDir}/$Prog --log-all --log-file /var/log/essets.log "$@"

2. Mailscanner run wrapper but esets error :

exec /opt/eset/esets/sbin/esets_scan --log-all --log-file /var/log/essets.log .

ESET Command-line scanner, version 4.5.6, (C) 1992-2016 ESET, spol. s r.o.
Using license: XXXXX (/etc/opt/eset/esets/license/esets_927d86.lic)
Scanner initialization failed.

I have Mailscanner 5.0.3.

Please Help.

Regards,
michaswr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: From jerry.benton at mailborder.com Thu Dec 22 15:07:52 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 22 Dec 2016 10:07:52 -0500 Subject: Essets and Mailscanner initialization filied In-Reply-To: References: Message-ID: The error message is pretty clear. It is having an issue with you ESETS license. This is not an error from MailScanner. - Jerry Benton www.mailborder.com +1 - 844-436-6245 > On Dec 22, 2016, at 6:01 AM, michaswr wrote: > > Hello, > > I have problem Mailscanner + esets > > 1. Wraper /usr/lib/MailScanner/wrapper/esets-wrapper > > PackageDir=$1 > shift > Prog=esets_scan > > if [ "x$1" = "x-IsItInstalled" ]; then > [ -x ${PackageDir}/$Prog ] && exit 0 > exit 1 > fi > > echo "exec ${PackageDir}/$Prog --log-all --log-file /var/log/essets.log "$@" " >> /var/log/essets.log > exec ${PackageDir}/$Prog --log-all --log-file /var/log/essets.log "$@? > > > 2. Mailscanner run wrapper but esets error : > > exec /opt/eset/esets/sbin/esets_scan --log-all --log-file /var/log/essets.log . > > ESET Command-line scanner, version 4.5.6, (C) 1992-2016 ESET, spol. s r.o. > Using license: XXXXX (/etc/opt/eset/esets/license/esets_927d86.lic) > Scanner initialization failed. > > > > I have Mailscanner 5.0.3. > > Please Help. > > Regards, > michaswr > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbanderson at impromed.com Thu Dec 22 15:46:01 2016 From: sbanderson at impromed.com (Scott B. Anderson) Date: Thu, 22 Dec 2016 15:46:01 +0000 Subject: Essets and Mailscanner initialization filied In-Reply-To: References: Message-ID: <96b53ae42c824b97aa3eef38939e6b32@ES5.impromed.com> Not sure about the linux version, but the windows version decided that the last minor rev of the client was 'too told' and needs to be updated before it will be happy. 
Scott -----Original Message----- From: MailScanner [mailto:mailscanner-bounces+sbanderson=impromed.com at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: Thursday, December 22, 2016 9:08 AM To: MailScanner Discussion Subject: Re: Essets and Mailscanner initialization filied The error message is pretty clear. It is having an issue with you ESETS license. This is not an error from MailScanner. - Jerry Benton www.mailborder.com +1 - 844-436-6245 > On Dec 22, 2016, at 6:01 AM, michaswr wrote: > > Hello, > > I have problem Mailscanner + esets > > 1. Wraper /usr/lib/MailScanner/wrapper/esets-wrapper > > PackageDir=$1 > shift > Prog=esets_scan > > if [ "x$1" = "x-IsItInstalled" ]; then > [ -x ${PackageDir}/$Prog ] && exit 0 > exit 1 > fi > > echo "exec ${PackageDir}/$Prog --log-all --log-file > /var/log/essets.log "$@" " >> /var/log/essets.log exec > ${PackageDir}/$Prog --log-all --log-file /var/log/essets.log "$@? > > > 2. Mailscanner run wrapper but esets error : > > exec /opt/eset/esets/sbin/esets_scan --log-all --log-file /var/log/essets.log . > > ESET Command-line scanner, version 4.5.6, (C) 1992-2016 ESET, spol. s r.o. > Using license: XXXXX (/etc/opt/eset/esets/license/esets_927d86.lic) > Scanner initialization failed. > > > > I have Mailscanner 5.0.3. > > Please Help. > > Regards, > michaswr > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > -- Rely On Us. ImproMed LLC Henry Schein Animal Health -- From michaswr at gmail.com Thu Dec 22 20:03:00 2016 From: michaswr at gmail.com (Michal Janik) Date: Thu, 22 Dec 2016 21:03:00 +0100 Subject: Essets and Mailscanner initialization filied In-Reply-To: References: Message-ID: <3D6D0A62-53C5-4309-8BE0-903F9E7B13A0@gmail.com> Hello, No. I have ok license but i run manual esets_scan and this work ok. Pozdr. Michal Dnia 22.12.2016 o godz. 16:07 Jerry Benton napisa?(a): > The error message is pretty clear. 
It is having an issue with you ESETS license. This is not an error from MailScanner. > > - > Jerry Benton > www.mailborder.com > +1 - 844-436-6245 > > > >> On Dec 22, 2016, at 6:01 AM, michaswr wrote: >> >> Hello, >> >> I have problem Mailscanner + esets >> >> 1. Wraper /usr/lib/MailScanner/wrapper/esets-wrapper >> >> PackageDir=$1 >> shift >> Prog=esets_scan >> >> if [ "x$1" = "x-IsItInstalled" ]; then >> [ -x ${PackageDir}/$Prog ] && exit 0 >> exit 1 >> fi >> >> echo "exec ${PackageDir}/$Prog --log-all --log-file /var/log/essets.log "$@" " >> /var/log/essets.log >> exec ${PackageDir}/$Prog --log-all --log-file /var/log/essets.log "$@? >> >> >> 2. Mailscanner run wrapper but esets error : >> >> exec /opt/eset/esets/sbin/esets_scan --log-all --log-file /var/log/essets.log . >> >> ESET Command-line scanner, version 4.5.6, (C) 1992-2016 ESET, spol. s r.o. >> Using license: XXXXX (/etc/opt/eset/esets/license/esets_927d86.lic) >> Scanner initialization failed. >> >> >> >> I have Mailscanner 5.0.3. >> >> Please Help. >> >> Regards, >> michaswr >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > -------------- next part -------------- An HTML attachment was scrubbed... URL: From michaswr at gmail.com Fri Dec 23 07:36:16 2016 From: michaswr at gmail.com (=?utf-8?Q?Micha=C5=82_Janik?=) Date: Fri, 23 Dec 2016 08:36:16 +0100 Subject: Essets and Mailscanner initialization filied In-Reply-To: <3D6D0A62-53C5-4309-8BE0-903F9E7B13A0@gmail.com> References: <3D6D0A62-53C5-4309-8BE0-903F9E7B13A0@gmail.com> Message-ID: Hello, I run manual and this is ok /usr/lib/MailScanner/wrapper/esets-wrapper /opt/eset/esets/sbin/ ESET Command-line scanner, version 4.5.6, (C) 1992-2016 ESET, spol. s r.o. 
Using license:XXX (/etc/opt/eset/esets/license/esets_927d86.lic) Module loader, version 1069 (20161122), build 1112 Module perseus, version 1507 (20161209), build 1810 Module scanner, version 14641 (20161221), build 31807 Module archiver, version 1258 (20161117), build 1293 Module advheur, version 1175 (20161110), build 1141 Module cleaner, version 1128 (20161025), build 1159 Command line: --log-all --log-file /var/log/essets.log Scan started at: pi?, 23 gru 2016, 08:29:01 name="./filepos", threat="is OK", action="", info="" name="./Tree", threat="is OK", action="", info="" name="./ini", threat="is OK", action="", info="" name="./panels.ini", threat="is OK", action="", info="" name="./history", threat="is OK", action="", info="" Scan completed at: pi?, 23 gru 2016, 08:29:01 Scan time: 0 sec (0:00:00) Total: files - 5, objects 5 Infected: files - 0, objects 0 Cleaned: files - 0, objects 0 but if Mailscaner run ESET Command-line scanner, version 4.5.6, (C) 1992-2016 ESET, spol. s r.o. Using license: XXXX. (/etc/opt/eset/esets/license/esets_927d86.lic) Scanner initialization failed. Mascanner running this command: exec /opt/eset/esets/sbin//esets_scan --log-all --log-file /var/log/essets.log Why? Regards, Michal > Wiadomo?? napisana przez Michal Janik w dniu 22.12.2016, o godz. 21:03: > > Hello, > > No. I have ok license but i run manual esets_scan and this work ok. > > Pozdr. > Michal > > Dnia 22.12.2016 o godz. 16:07 Jerry Benton > napisa?(a): > >> The error message is pretty clear. It is having an issue with you ESETS license. This is not an error from MailScanner. >> >> - >> Jerry Benton >> www.mailborder.com >> +1 - 844-436-6245 >> >> >> >>> On Dec 22, 2016, at 6:01 AM, michaswr > wrote: >>> >>> Hello, >>> >>> I have problem Mailscanner + esets >>> >>> 1. 
Wraper /usr/lib/MailScanner/wrapper/esets-wrapper >>> >>> PackageDir=$1 >>> shift >>> Prog=esets_scan >>> >>> if [ "x$1" = "x-IsItInstalled" ]; then >>> [ -x ${PackageDir}/$Prog ] && exit 0 >>> exit 1 >>> fi >>> >>> echo "exec ${PackageDir}/$Prog --log-all --log-file /var/log/essets.log "$@" " >> /var/log/essets.log >>> exec ${PackageDir}/$Prog --log-all --log-file /var/log/essets.log "$@? >>> >>> >>> 2. Mailscanner run wrapper but esets error : >>> >>> exec /opt/eset/esets/sbin/esets_scan --log-all --log-file /var/log/essets.log . >>> >>> ESET Command-line scanner, version 4.5.6, (C) 1992-2016 ESET, spol. s r.o. >>> Using license: XXXXX (/etc/opt/eset/esets/license/esets_927d86.lic) >>> Scanner initialization failed. >>> >>> >>> >>> I have Mailscanner 5.0.3. >>> >>> Please Help. >>> >>> Regards, >>> michaswr >>> >>> >>> -- >>> MailScanner mailing list >>> mailscanner at lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Fri Dec 23 16:55:35 2016 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 23 Dec 2016 08:55:35 -0800 Subject: Essets and Mailscanner initialization filied In-Reply-To: References: <3D6D0A62-53C5-4309-8BE0-903F9E7B13A0@gmail.com> Message-ID: On 12/22/2016 11:36 PM, Micha? Janik wrote: > > I run manual and this is ok > > /usr/lib/MailScanner/wrapper/esets-wrapper /opt/eset/esets/sbin/ ... > but if Mailscaner run > > ESET Command-line scanner, version 4.5.6, (C) 1992-2016 ESET, spol. s r.o. > Using license: XXXX. (/etc/opt/eset/esets/license/esets_927d86.lic) > Scanner initialization failed. > > Mascanner running this command: > > exec /opt/eset/esets/sbin//esets_scan --log-all --log-file > /var/log/essets.log > > Why? 
This is almost certainly a permissions issue. You are running the
command as some user (root ?) that is different from MailScanner's Run
As User. What happens if you manually run

sudo -u xxx /usr/lib/MailScanner/wrapper/esets-wrapper /opt/eset/esets/sbin/

where xxx is MailScanner's Run As User? I expect that this will fail as
it does when MailScanner runs it.

In particular, ensure that MailScanner's Run As User can write to
/var/log/essets.log.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From pparsons at techeez.com Fri Dec 23 20:00:10 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Fri, 23 Dec 2016 20:00:10 +0000
Subject: How to reject/detect emails claiming to be from my own domain?
Message-ID: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com>

I use Mailscanner and Send mail. We have a few instances that we are
receiving spam from jack at example.com to jack at example.com and it is
getting through. I have not seemed to find any answers as to how to stop
this? Anyone got an Idea. We already have SPF setup which helps but is
not fully for this situation.

Thank you.
Philip Parsons

From jason at geeknocity.com Fri Dec 23 21:06:56 2016
From: jason at geeknocity.com (Jason Waters)
Date: Fri, 23 Dec 2016 16:06:56 -0500
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com>
Message-ID:

What do you use for an MTA? I know with postfix you can use some smtp
restrictions to solve this problem.

On Fri, Dec 23, 2016 at 3:00 PM, Philip Parsons wrote:

> I use Mailscanner and Send mail. We have a few instances that we are
> receiving spam from jack at example.com to jack at example.com and it is
> getting through.
> I have not seemed to find any answers as to how to stop
> this? Anyone got an Idea. We already have SPF setup which helps but is not
> fully for this situation.
>
> Thank you.
> Philip Parsons

From dave at jonesol.com Sat Dec 24 01:10:56 2016
From: dave at jonesol.com (Dave Jones)
Date: Fri, 23 Dec 2016 19:10:56 -0600
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com>
Message-ID:

This one is going to be tough. It would be best to do this at the MTA
and not in SA since SA only works with the visible From: (header) address
and not the envelope-from that the MTA has access to. The envelope-from
is what SPF checks and DMARC checks the visible From: header.

Assuming that all legit mail from your own domain comes from
trusted/internal networks by your MTA, you could put a block on the
envelope-from address having your own domain. In Postfix this is fairly
easy since you can order the checks the way you need them. Standard
practice is to allow your networks first then do sender checks later
which would handle this scenario.

I switched from sendmail to Postfix about 5 years ago and haven't looked
back. So many things that required milters in sendmail were built-in to
Postfix. I never liked dealing with the sendmail config file either.

Switching from sendmail to Postfix is not that hard to do basic mail flow
but it takes some time to wrap your head around the advanced Postfix
settings since it's so flexible. If you want to look at an example
config, take a look at the EFA project which is a prebuilt VM image with
MailScanner, Mailwatch, and pretty good default Postfix settings to get
started with.
https://efa-project.org/ Dave On Fri, Dec 23, 2016 at 3:06 PM, Jason Waters wrote: > What do you use for an MTA? I know with postfix you can use some smtp > restrictions to solve this problem. > > On Fri, Dec 23, 2016 at 3:00 PM, Philip Parsons > wrote: > >> I use Mailscanner and Send mail. We have a few instances that we are >> receiving spam from jack at example.com to jack at example.com and it is >> getting through. I have not seemed to find and answers as to how to stop >> this? Anyone got an Idea. We already have SPF setup which helps but is not >> fully for this situation. >> >> >> >> >> >> Thank you. >> Philip Parsons >> >> >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> >> > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From it at festa.bg Sat Dec 24 07:29:08 2016 From: it at festa.bg (Valentin Laskov) Date: Sat, 24 Dec 2016 09:29:08 +0200 Subject: How to reject/detect emails claiming to be from my own domain? In-Reply-To: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> Message-ID: <1482564548.2024.1.camel@festa.bg> ? 20:00 +0000 ?? 23.12.2016 (??), Philip Parsons ??????: > I use Mailscanner and Send mail. Hi all, I would suggest?one of (or both) 1. setting and relay only after authentication in sendmail 2. these letters usually contain files that MailScanner denies. MailScanner then sends reports to sender/recipient/postmaster about quarantined attachment file. I changed in filename.rules.conf and in archive.filename.rules.conf not to deny these files but to forward to other email address like me at example.com . 
You must clean this box regularly :)

Regards and Happy Holidays

Valentin

From thom at vdb.nl Sat Dec 24 08:19:55 2016
From: thom at vdb.nl (Thom van der Boon)
Date: Sat, 24 Dec 2016 09:19:55 +0100 (CET)
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com>
Message-ID: <1048846259.410460.1482567595173.JavaMail.zimbra@vdb.nl>

I have more or less the same problem.

I have a Mailscanner server which handles all mails from external
sources, any internal mail is handled on another server (which can not
be reached from the Internet). This means that I can be pretty rude to
any mail claiming to be from a local domain received from an external
server on the MailScanner server.

I am currently testing the following setup:

I added the file domaincom.cf to /etc/mail/spamassassin with the
following lines

header __DSR_DOMAINCOM_VALID000 From =~ /\@domain.com/i
header __DSR_DOMAINCOM_VALID001 To =~ /\@domain.com/i

ifplugin Mail::SpamAssassin::Plugin::DKIM
meta DSR_DOMAINCOM_VALID __DSR_DOMAINCOM_VALID000 && __DSR_DOMAINCOM_VALID001 && !DKIM_VALID
else
meta DSR_DOMAINCOM_VALID __DSR_DOMAINCOM_VALID000 && __DSR_DOMAINCOM_VALID001
endif

describe DSR_DOMAINCOM_VALID No valid domain.com mail
score DSR_DOMAINCOM_VALID 20.0

Start testing with a lower score..... :)

Kind regards, Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl
=====
Thom.H. van der Boon b.v.
Transito 4
6909 DA Babberich
Tel.: +31 (0)88 4272727
Fax: +31 (0)88 4272789
Home Page: http://www.vdb.nl/

From: "Philip Parsons"
To: "MailScanner Discussion"
Sent: Friday 23 December 2016 21:00:10
Subject: How to reject/detect emails claiming to be from my own domain?

I use Mailscanner and Send mail. We have a few instances that we are
receiving spam from jack at example.com to jack at example.com and it is
getting through.
I have not seemed to find and answers as to how to stop this? Anyone got an Idea. We already have SPF setup which helps but is not fully for this situation. Thank you. Philip Parsons -- This message has been scanned for viruses and dangerous content by MailScanner , and is believed to be clean. -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From faisal.telecomm at gmail.com Sun Dec 25 19:50:56 2016 From: faisal.telecomm at gmail.com (Faisal Naeem) Date: Mon, 26 Dec 2016 00:50:56 +0500 Subject: Need Support on MailScanner+Exim+CentOS7 Message-ID: Dear All, Can anyone please help me to setup MailScanner+Exim+CentOS7 Server ........ I need some guidelines or help regarding setup with CentOS 7. Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Sun Dec 25 22:02:24 2016 From: mark at msapiro.net (Mark Sapiro) Date: Sun, 25 Dec 2016 14:02:24 -0800 Subject: Need Support on MailScanner+Exim+CentOS7 In-Reply-To: References: Message-ID: <4d54b2fc-fa19-d702-04ba-f337326fb918@msapiro.net> On 12/25/2016 11:50 AM, Faisal Naeem wrote: > > Can anyone please help me to setup MailScanner+Exim+CentOS7 Server > ........ I need some guidelines or help regarding setup with CentOS 7. Download the package from , unpack it and run the install.sh script to install Mailscanner. See the Exim guide at . If you still have difficulty, tell us more specifically what the issues are. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From pparsons at techeez.com Tue Dec 27 15:04:06 2016 From: pparsons at techeez.com (Philip Parsons) Date: Tue, 27 Dec 2016 15:04:06 +0000 Subject: How to reject/detect emails claiming to be from my own domain? 
In-Reply-To: References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> Message-ID: <1482851046.2279.0.camel@techeez.com> I use sendmail On Fri, 2016-12-23 at 16:06 -0500, Jason Waters wrote: What do you use for an MTA? I know with postfix you can use some smtp restrictions to solve this problem. On Fri, Dec 23, 2016 at 3:00 PM, Philip Parsons > wrote: I use Mailscanner and Send mail. We have a few instances that we are receiving spam from jack at example.com to jack at example.com and it is getting through. I have not seemed to find and answers as to how to stop this? Anyone got an Idea. We already have SPF setup which helps but is not fully for this situation. Thank you. Philip Parsons -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- Thank You Philip Parsons Techeez on the go please excuse the spelling. -------------- next part -------------- An HTML attachment was scrubbed... URL: From pparsons at techeez.com Tue Dec 27 15:16:16 2016 From: pparsons at techeez.com (Philip Parsons) Date: Tue, 27 Dec 2016 15:16:16 +0000 Subject: How to reject/detect emails claiming to be from my own domain? In-Reply-To: <1048846259.410460.1482567595173.JavaMail.zimbra@vdb.nl> References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1048846259.410460.1482567595173.JavaMail.zimbra@vdb.nl> Message-ID: <1482851775.2279.4.camel@techeez.com> So what I get from this rule is that it is checking DKIM and is fails it scores it 20 this I think will work.. Will try thanks. anyone else doing it a different way ? On Sat, 2016-12-24 at 09:19 +0100, Thom van der Boon wrote: I have more or less the same problem. I have a Mailscanner server which handles all mails from external sources, any internal mail is handled on a other server (which can not be reached from the Internet). 
This means that I can be pretty rude to any mail claiming to be from a local domain received from an external server on the MailScanner server I am currently testing the following setup: I added the file domaincom.cf to /etc/mail/spamassassin with the following lines header __DSR_DOMAINCOM_VALID000 From =~ /\@domain.com/i header __DSR_DOMAINCOM_VALID001 To =~ /\@domain.com/i ifplugin Mail::SpamAssassin::Plugin::DKIM meta DSR_DOMAINCOM_VALID __DSR_DOMAINCOM_VALID000 && __DSR_DOMAINCOM_VALID001 && !DKIM_VALID else meta DSR_DOMAINCOM_VALID __DSR_DOMAINCOM_VALID000 && __DSR_DOMAINCOM_VALID001 endif describe DSR_DOMAINCOM_VALID No valid domain.com mail score DSR_DOMAINCOM_VALID 20.0 Start testing with a lower score..... :) Met vriendelijke groet, Best regards, Thom van der Boon E-Mail: thom at vdb.nl ===== Thom.H. van der Boon b.v. Transito 4 6909 DA Babberich Tel.: +31 (0)88 4272727 Fax: +31 (0)88 4272789 Home Page: http://www.vdb.nl/ ________________________________ Van: "Philip Parsons" Aan: "MailScanner Discussion" Verzonden: Vrijdag 23 december 2016 21:00:10 Onderwerp: How to reject/detect emails claiming to be from my own domain? I use Mailscanner and Send mail. We have a few instances that we are receiving spam from jack at example.com to jack at example.com and it is getting through. I have not seemed to find and answers as to how to stop this? Anyone got an Idea. We already have SPF setup which helps but is not fully for this situation. Thank you. Philip Parsons -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- Thank You Philip Parsons Techeez on the go please excuse the spelling. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From pparsons at techeez.com Tue Dec 27 15:17:57 2016 From: pparsons at techeez.com (Philip Parsons) Date: Tue, 27 Dec 2016 15:17:57 +0000 Subject: How to reject/detect emails claiming to be from my own domain? In-Reply-To: <1482564548.2024.1.camel@festa.bg> References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> Message-ID: <1482851877.2279.6.camel@techeez.com> Can you explain number 1 more ?? On Sat, 2016-12-24 at 09:29 +0200, Valentin Laskov wrote: > ? 20:00 +0000 ?? 23.12.2016 (??), Philip Parsons ??????: > > > > I use Mailscanner and Send mail. > Hi all, > > I would suggest?one of (or both) > 1. setting and relay only after authentication in sendmail > 2. these letters usually contain files that MailScanner denies. > MailScanner then sends reports to sender/recipient/postmaster about > quarantined attachment file. I changed in filename.rules.conf and in > archive.filename.rules.conf not to deny these files but to forward to > other email address like me at example.com . You must clean this box > regularly :) > > Regards and Happy Holidays > > Valentin > > > --? > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > -- Thank You Philip Parsons Techeez on the go please excuse the spelling. From dave at jonesol.com Tue Dec 27 22:21:02 2016 From: dave at jonesol.com (Dave Jones) Date: Tue, 27 Dec 2016 16:21:02 -0600 Subject: How to reject/detect emails claiming to be from my own domain? In-Reply-To: <1482851877.2279.6.camel@techeez.com> References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com> Message-ID: Which From address are you trying to protect from spoofing? Emails have an envelope-from and a From: header. The From: header is what is visible in most mail clients. 
From my experience (someone please correct me if I am wrong), the
"header From" rule does not examine the envelope-from. This needs to be
done at the MTA level before SA.

There was a recent thread on the SA mailing list about how tough it is
to protect the visible From: header from spoofing. Spammers are getting
very sophisticated with their spear phishing by using a visible display
name of the CEO with an incorrect email address. People still fall for
it without looking closely at the From email address.

More importantly is to setup proper RBLs at the MTA level that block
these low reputation sending IPs that tend to be the source of these
spoofs. I use Postfix postscreen with about two dozen RBLs and DBLs
weighted based on their reliability which works very well. It takes some
time to setup and adjust but it has been worth it. I used to have to
spend hours each day on tweaking SA rules always behind the latest spam
campaigns from botnets all over the world.

I did have to setup whitelisting with postwhite to whitelist the major
mail providers based on their SPF record since some of them allow their
outbound mail server IPs to become listed on RBLs.

Now my MailScanner blocks more than 90% of the junk at the MTA level
including spoofed email of all kinds. Now I only have to deal with the
occasional sender that gets listed on RBLs from its own compromised
accounts. At least the Postfix bounce message is very clear as to why it
was rejected and usually the sending mail admins can figure out what the
problem is before contacting our support.

I still have to tweak SA rules and scores based on new spam campaigns
but it's only a few hours a week now instead of a few hours a day. We
filter for about 30,000 mailboxes and do outbound relaying for millions
of emails each week.
MTA level checks:
- RBLs
- DBLs
- DNS PTR exists (not if it is correct/matches which is done in SA)
- SPF (header added for SA)
- number of recipients (header added since BCC can't be seen in SA)
- rate limiting
- greylisting

Dave

From mark at msapiro.net Tue Dec 27 22:38:21 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 27 Dec 2016 14:38:21 -0800
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com>
Message-ID: <06c2466f-ebd0-7711-7c6f-1a780b5d711d@msapiro.net>

On 12/27/2016 02:21 PM, Dave Jones wrote:
> Which From address are you trying to protect from spoofing? Emails have
> an envelope-from and a From: header. The From: header is what is
> visible in most mail clients. From my experience (someone please
> correct me if I am wrong), the "header From" rule does not examine the
> envelope-from. This needs to be done at the MTA level before SA.

You are correct that SA doesn't see the envelope sender directly, but RFCs say that upon final delivery the MTA/MDA MUST put the envelope sender in a Return-Path: header. Quoting from RFC 5321

   When the delivery SMTP server makes the "final delivery" of a
   message, it inserts a return-path line at the beginning of the mail
   data. This use of return-path is required; mail systems MUST support
   it. The return-path line preserves the information in the
   <reverse-path> from the MAIL command.

Of course, not all MTAs are compliant, but the major ones including Courier, Exchange, Exim, Postfix, Qmail and Sendmail are. See (several years old at this point).

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From pparsons at techeez.com Thu Dec 29 17:50:03 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Thu, 29 Dec 2016 17:50:03 +0000
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F36342002852030A7@exchange.techeez.com>

I am trying to get one that does the envelope-from header so at the MTA side of things.
I am hoping someone has done this with sendmail as changing the MTA is not possible at the moment. The rule set from Thom van der Boon works great on the From header.
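
The envelope-sender versus From: header distinction discussed in this thread, as an added example that is not code from any poster: a Python check that reports which sender identity of a delivered message claims a protected domain, reading the envelope sender from the Return-Path: header that RFC 5321 requires at final delivery. The domain example.com, the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

PROTECTED = "example.com"  # assumption: the domain you want to protect
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(addr):
    """Lower-cased domain part of an addr-spec, '' when there is none."""
    return addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else ""


def is_ours(domain, protected=PROTECTED):
    """Exact domain or a real subdomain; substring look-alikes do not match."""
    return domain == protected or domain.endswith("." + protected)


def sender_claims(raw, protected=PROTECTED):
    """Report which sender identities in a delivered message claim the domain."""
    msg = message_from_string(raw)
    # The top-most Return-Path: is the one written at final delivery.
    return_paths = msg.get_all("Return-Path", [])
    envelope = parseaddr(return_paths[0])[1] if return_paths else ""
    pairs = [(n, a) for n, a in getaddresses(msg.get_all("From", [])) if a]
    header_addrs = [a for _, a in pairs]
    # A display name that shows one of our addresses in front of a foreign one.
    name_claims = any(
        is_ours(found.lower(), protected)
        for name, addr in pairs
        if not is_ours(domain_of(addr), protected)
        for found in ADDR_IN_TEXT.findall(name)
    )
    return {
        "envelope_sender": envelope,  # '' for a null sender (bounce)
        "header_from": header_addrs,
        "envelope_claims_domain": is_ours(domain_of(envelope), protected),
        "header_claims_domain": any(
            is_ours(domain_of(a), protected) for a in header_addrs
        ),
        "display_name_claims_domain": name_claims,
    }


# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "legit_external": "Return-Path: <alice@partner.test>\n"
                      "From: Alice <alice@partner.test>\n"
                      "To: bob@example.com\n\nhello\n",
    "header_only": "Return-Path: <bounce@mailer.test>\n"
                   'From: "Big Boss" <ceo@example.com>\n'
                   "To: bob@example.com\n\nwire the money\n",
    "envelope_and_header": "Return-Path: <ceo@example.com>\n"
                           "From: ceo@example.com\n"
                           "To: bob@example.com\n\nwire the money\n",
    "lookalikes": "Return-Path: <ceo@notexample.com>\n"
                  'From: "ceo@example.com" <ceo@example.com.mailer.test>\n'
                  "To: bob@example.com\n\nwire the money\n",
    "bounce": "Return-Path: <>\n"
              "From: MAILER-DAEMON@partner.test\n"
              "To: bob@example.com\n\nundeliverable\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = sender_claims(raw)
        print(label, {k: v for k, v in result.items() if k.endswith("_domain")})
```

A message that only sets the visible From: to the protected domain passes an envelope-sender check untouched, which is why the two identities are reported separately.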
From mark at msapiro.net Thu Dec 29 18:10:25 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 29 Dec 2016 10:10:25 -0800
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To: <11D8E491D9562549A61FD3186F36342002852030A7@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com> <11D8E491D9562549A61FD3186F36342002852030A7@exchange.techeez.com>
Message-ID: <26e42768-bfd4-c584-f517-036558924efb@msapiro.net>

On 12/29/2016 09:50 AM, Philip Parsons wrote:
> I am trying to get one that does the envelope-from header so at the MTA
> side of things. I am hoping someone has done this with sendmail as
> changing the MTA is not possible at the moment. The rule set from Thom
> van der Boon works great on the From header.

But, with sendmail and other compliant MTAs, the envelope sender will be put in a Return-Path: header, so if you alter the From: rules that work to look at Return-Path: instead, that should deal with envelope senders.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From pparsons at techeez.com Thu Dec 29 18:12:33 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Thu, 29 Dec 2016 18:12:33 +0000
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To: <26e42768-bfd4-c584-f517-036558924efb@msapiro.net>
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com> <11D8E491D9562549A61FD3186F36342002852030A7@exchange.techeez.com> <26e42768-bfd4-c584-f517-036558924efb@msapiro.net>
Message-ID: <11D8E491D9562549A61FD3186F36342002852041D7@exchange.techeez.com>

Any chance you have an example ?
From mark at msapiro.net Thu Dec 29 19:28:14 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 29 Dec 2016 11:28:14 -0800
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To: <11D8E491D9562549A61FD3186F36342002852041D7@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com> <11D8E491D9562549A61FD3186F36342002852030A7@exchange.techeez.com> <26e42768-bfd4-c584-f517-036558924efb@msapiro.net> <11D8E491D9562549A61FD3186F36342002852041D7@exchange.techeez.com>
Message-ID: <5c4f612d-6215-0980-be3d-26e8c6ffa96b@msapiro.net>

On 12/29/2016 10:12 AM, Philip Parsons wrote:
> Any chance you have an example ?
You said:

>> The rule set from
>> Thom van der Boon works great on the From header.

By that I assume you meant (from )

> header __DSR_DOMAINCOM_VALID000 From =~ /\@domain.com/i
> header __DSR_DOMAINCOM_VALID001 To =~ /\@domain.com/i
> ifplugin Mail::SpamAssassin::Plugin::DKIM
> meta DSR_DOMAINCOM_VALID __DSR_DOMAINCOM_VALID000 && __DSR_DOMAINCOM_VALID001 && !DKIM_VALID
> else
> meta DSR_DOMAINCOM_VALID __DSR_DOMAINCOM_VALID000 && __DSR_DOMAINCOM_VALID001
> endif
> describe DSR_DOMAINCOM_VALID No valid domain.com mail
> score DSR_DOMAINCOM_VALID 20.0

All you need to do to make that work with the envelope sender instead of From: is change the first line to

header __DSR_DOMAINCOM_VALID000 Return-Path =~ /\@domain.com/i

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailscanner at replies.cyways.com Thu Dec 29 20:00:50 2016
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Thu, 29 Dec 2016 15:00:50 -0500
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To: <11D8E491D9562549A61FD3186F36342002852030A7@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com> <11D8E491D9562549A61FD3186F36342002852030A7@exchange.techeez.com>
Message-ID:

The access database in sendmail uses the envelope sender. On my systems no legitimate inbound mail comes to my SMTP listener from someone at mydomain.com so I can block mydomain.com in /etc/mail/access with

mydomain.com REJECT

However that may not be possible for you if you must support inbound mail from senders on the Internet. Depending on who they are and where they are located, you can add them to /etc/mail/access with

From:goodguy@mydomain.com RELAY

then block the residual as in the first example. You can also permit certain IP addresses or subnets with

Connect:10.10.10. RELAY

That matches the 10.10.10.0/24 subnet. For more details, read

http://www.sendmail.com/sm/open_source/docs/m4/anti_spam.html#access_db

Sendmail is not as flexible as Postfix in this regard. The latter can use regular expressions, but sendmail's access database only matches text strings.

Peter

On 12/29/2016 12:50 PM, Philip Parsons wrote:
> I am trying to get one that does the envelope-from header so at the MTA side of things. I am hoping someone has done this with sendmail as changing the MTA is not possible at the moment.

From pparsons at techeez.com Thu Dec 29 20:32:40 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Thu, 29 Dec 2016 20:32:40 +0000
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To:
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com> <11D8E491D9562549A61FD3186F36342002852030A7@exchange.techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F36342002852043EF@exchange.techeez.com>

I thought about the access file but did not know it looked at envelope sender. This might work for me, like you no inbound SMTP should be from someone at mydomain.com. I will run some tests.

From pparsons at techeez.com Thu Dec 29 21:28:27 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Thu, 29 Dec 2016 21:28:27 +0000
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To: <11D8E491D9562549A61FD3186F36342002852043EF@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com> <11D8E491D9562549A61FD3186F36342002852030A7@exchange.techeez.com> <11D8E491D9562549A61FD3186F36342002852043EF@exchange.techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F363420028520466B@exchange.techeez.com>

Kind of weird issue: if I add the mydomain.com REJECT rule to access and reload, it does reject it but all good mail throws this error: Mailbox disabled for this recipient? It seems to try and deliver direct to the server instead of using the generated mailhost file that normally works.
From it at festa.bg Fri Dec 30 08:50:14 2016
From: it at festa.bg (Valentin Laskov)
Date: Fri, 30 Dec 2016 10:50:14 +0200
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To: <1482851877.2279.6.camel@techeez.com>
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com>
Message-ID: <006d87d8-5cd5-e059-a8eb-ab5f95c20f66@festa.bg>

On 27.12.2016 at 17:17, Philip Parsons wrote:
> Can you explain number 1 more ?

Imagine that everyone @example.com uses mail.example.com as SMTP server. Everyone @example.com *must* authenticate before sending mail. All letters from user at example.com to someone @example.com without authentication are rejected.

I'm sorry, I can't provide an example config.

From it at festa.bg Fri Dec 30 10:22:47 2016
From: it at festa.bg (Valentin Laskov)
Date: Fri, 30 Dec 2016 12:22:47 +0200
Subject: How to reject/detect emails claiming to be from my own domain?
In-Reply-To: <11D8E491D9562549A61FD3186F363420028520466B@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342002851D701C@exchange.techeez.com> <1482564548.2024.1.camel@festa.bg> <1482851877.2279.6.camel@techeez.com> <11D8E491D9562549A61FD3186F36342002852030A7@exchange.techeez.com> <11D8E491D9562549A61FD3186F36342002852043EF@exchange.techeez.com> <11D8E491D9562549A61FD3186F363420028520466B@exchange.techeez.com>
Message-ID: <5295d96b-d7cd-0703-5d5d-f90acb5d9103@festa.bg>

In this case access.db must be e.g.

mailbox1@example.com OK
mailbox2@example.com OK
mailbox3@example.com OK
.. #all your possible senders ..
from:example.com REJECT 550 Invalid sender

On 29.12.2016 at 23:28, Philip Parsons wrote:
> Kind of weird issue