From jerry.benton at mailborder.com Mon Feb 1 02:29:24 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Sun, 31 Jan 2016 21:29:24 -0500
Subject: Permissions
Message-ID:

If someone could help me figure this out please …

Ok, the MailScanner package works fine, but it bitches when running “MailScanner --lint”

Sometimes it works, and sometimes it doesn’t. Specifically, the error below. Note that everything is installed correctly and the files exist with the right permissions. This is with a Postfix install. I have not seen the error on a sendmail install.

You want to use SpamAssassin but have not installed it. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 177.
I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 178.
WARNING: You are trying to use the Processing Attempts Database but your DBI and/or DBD::SQLite Perl modules are not properly installed! at /usr/sbin/MailScanner line 1753.
ERROR: Could not connect to SQLite database /var/spool/MailScanner/incoming/Processing.db, either I cannot write to that location or your SQLite installation is screwed. at /usr/sbin/MailScanner line 1764.

https://s3.amazonaws.com/msv4/deb/MailScanner-4.86.1-3.deb.tar.gz

-
Jerry Benton
www.mailborder.com

From jeremy at fluxlabs.net Mon Feb 1 05:00:22 2016
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Mon, 1 Feb 2016 05:00:22 +0000
Subject: Permissions
In-Reply-To:
References:
Message-ID:

I tested on a clean ubuntu 14 install. Couldn’t reproduce this. What distro are you testing on ?

I had errors on mqueue.

===
Could not read directory /var/spool/mqueue at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2874.
Error in configuration file line 181, directory /var/spool/mqueue for outqueuedir does not exist (or is not readable) at /usr/share/MailScanner/perl/MailScanner/Config.pm line 3238.
File containing list of incoming queue dirs (/var/spool/mqueue) does not exist at /usr/share/MailScanner/perl/MailScanner/Config.pm line 1819.

Can't use string ("/var/spool/mqueue.in") as an ARRAY ref while "strict refs" in use at /usr/sbin/MailScanner line 537.
===

Make sure you install SA.
Change your MailScanner.conf :

MTA = postfix
Incoming Work Dir = /var/spool/MailScanner/incoming
Outgoing Queue Dir = /var/spool/MailScanner/hold

--
Jeremy McSpadden
Flux Labs, Inc | http://www.fluxlabs.net | Endless Solutions

On Jan 31, 2016, at 8:29 PM, Jerry Benton wrote:

If someone could help me figure this out please …

Ok, the MailScanner package works fine, but it bitches when running “MailScanner --lint”

Sometimes it works, and sometimes it doesn’t. Specifically, the error below. Note that everything is installed correctly and the files exist with the right permissions. This is with a Postfix install. I have not seen the error on a sendmail install.

You want to use SpamAssassin but have not installed it. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 177.
I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 178.
WARNING: You are trying to use the Processing Attempts Database but your DBI and/or DBD::SQLite Perl modules are not properly installed! at /usr/sbin/MailScanner line 1753.
ERROR: Could not connect to SQLite database /var/spool/MailScanner/incoming/Processing.db, either I cannot write to that location or your SQLite installation is screwed. at /usr/sbin/MailScanner line 1764.

https://s3.amazonaws.com/msv4/deb/MailScanner-4.86.1-3.deb.tar.gz

-
Jerry Benton
www.mailborder.com

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jerry.benton at mailborder.com Mon Feb 1 05:03:13 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 1 Feb 2016 00:03:13 -0500
Subject: Permissions
In-Reply-To:
References:
Message-ID: <78364DB6-626A-4ADD-8AB8-A902AEA0E296@mailborder.com>

Ubuntu 14. It may be the box I am on. You changed your config to make those errors go away, right?

-
Jerry Benton
www.mailborder.com

> On Feb 1, 2016, at 12:00 AM, Jeremy McSpadden wrote:
>
> I tested on a clean ubuntu 14 install. Couldn’t reproduce this. What distro are you testing on ?
>
> I had errors on mqueue.
>
> ===
> Could not read directory /var/spool/mqueue at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2874.
> Error in configuration file line 181, directory /var/spool/mqueue for outqueuedir does not exist (or is not readable) at /usr/share/MailScanner/perl/MailScanner/Config.pm line 3238.
> File containing list of incoming queue dirs (/var/spool/mqueue) does not exist at /usr/share/MailScanner/perl/MailScanner/Config.pm line 1819.
>
> Can't use string ("/var/spool/mqueue.in") as an ARRAY ref while "strict refs" in use at /usr/sbin/MailScanner line 537.
> ===
>
> Make sure you install SA.
> Change your MailScanner.conf :
>
> MTA = postfix
> Incoming Work Dir = /var/spool/MailScanner/incoming
> Outgoing Queue Dir = /var/spool/MailScanner/hold
>
> --
> Jeremy McSpadden
> Flux Labs, Inc | http://www.fluxlabs.net | Endless Solutions
>
>> On Jan 31, 2016, at 8:29 PM, Jerry Benton wrote:
>>
>> If someone could help me figure this out please …
>>
>> Ok, the MailScanner package works fine, but it bitches when running “MailScanner --lint”
>>
>> Sometimes it works, and sometimes it doesn’t. Specifically, the error below. Note that everything is installed correctly and the files exist with the right permissions. This is with a Postfix install. I have not seen the error on a sendmail install.
>>
>> You want to use SpamAssassin but have not installed it.
at /usr/share/MailScanner/perl/MailScanner/SA.pm line 177.
>> I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 178.
>> WARNING: You are trying to use the Processing Attempts Database but your DBI and/or DBD::SQLite Perl modules are not properly installed! at /usr/sbin/MailScanner line 1753.
>> ERROR: Could not connect to SQLite database /var/spool/MailScanner/incoming/Processing.db, either I cannot write to that location or your SQLite installation is screwed. at /usr/sbin/MailScanner line 1764.
>>
>> https://s3.amazonaws.com/msv4/deb/MailScanner-4.86.1-3.deb.tar.gz
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jeremy at fluxlabs.net Mon Feb 1 05:08:54 2016
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Mon, 1 Feb 2016 05:08:54 +0000
Subject: Permissions
In-Reply-To: <78364DB6-626A-4ADD-8AB8-A902AEA0E296@mailborder.com>
References: <78364DB6-626A-4ADD-8AB8-A902AEA0E296@mailborder.com>
Message-ID: <42CE3501-54FC-43B3-89B5-C7DA3B108072@fluxlabs.net>

Yes. Clean install. Installed SA, clam, rar/unrar. Ran freshclam .. edited config and no errors.

--
Jeremy McSpadden
Flux Labs, Inc | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590 x 501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jan 31, 2016, at 11:03 PM, Jerry Benton wrote:

Ubuntu 14. It may be the box I am on. You changed your config to make those errors go away, right?
-
Jerry Benton
www.mailborder.com

On Feb 1, 2016, at 12:00 AM, Jeremy McSpadden wrote:

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mark at msapiro.net Mon Feb 1 05:10:43 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 31 Jan 2016 21:10:43 -0800
Subject: Permissions
In-Reply-To:
References:
Message-ID: <56AEE8D3.4040904@msapiro.net>

On 01/31/2016 09:00 PM, Jeremy McSpadden wrote:
>
> I had errors on mqueue.
...
> ===
>
> Make sure you install SA.
> Change your MailScanner.conf :
>
> MTA = postfix
> Incoming Work Dir = /var/spool/MailScanner/incoming
> Outgoing Queue Dir = /var/spool/MailScanner/hold

If you are using Postfix, you need

Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming

in either /etc/MailScanner/MailScanner.conf or a file in /etc/MailScanner/conf.d

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From jeremy at fluxlabs.net Mon Feb 1 05:15:45 2016
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Mon, 1 Feb 2016 05:15:45 +0000
Subject: Permissions
In-Reply-To: <56AEE8D3.4040904@msapiro.net>
References: , <56AEE8D3.4040904@msapiro.net>
Message-ID: <750F1775-4844-4BA1-87AB-B97DF372A957@fluxlabs.net>

Yeah. Sorry was typing it quick.

--
Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On Jan 31, 2016, at 11:10 PM, Mark Sapiro wrote:

On 01/31/2016 09:00 PM, Jeremy McSpadden wrote:

I had errors on mqueue.
...
===

Make sure you install SA.
Change your MailScanner.conf :

MTA = postfix
Incoming Work Dir = /var/spool/MailScanner/incoming
Outgoing Queue Dir = /var/spool/MailScanner/hold

If you are using Postfix, you need

Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming

in either /etc/MailScanner/MailScanner.conf or a file in /etc/MailScanner/conf.d

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From wcolburn at nrao.edu Mon Feb 1 15:08:52 2016
From: wcolburn at nrao.edu (William D. Colburn)
Date: Mon, 1 Feb 2016 08:08:52 -0700
Subject: Virus Scanners
In-Reply-To:
References:
Message-ID: <20160201150852.GA26633@anotheruvula.aoc.nrao.edu>

On Sat, Jan 30, 2016 at 01:07:56AM -0500, Jerry Benton wrote:
>Honestly, how many AV’s on that list are actually still in use? Maybe 6 or 8? Well, there are about 40 in the config when you include the daemonized versions as well. We could cut down SweepVirus.pm to about half the size with about a third of the checks. Which = faster scanning, less overhead, less dated code to maintain.

SCEP is free (at least for us) and I'd love to see SCEP in the list.
I've got a generic wrapper working, but the code appears to ignore the
generic wrapper, so all I get are syslog messages about viruses that are
then let through.

--Schlake

From jerry.benton at mailborder.com Mon Feb 1 16:42:24 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 1 Feb 2016 11:42:24 -0500
Subject: Virus Scanners
In-Reply-To: <20160201150852.GA26633@anotheruvula.aoc.nrao.edu>
References: <20160201150852.GA26633@anotheruvula.aoc.nrao.edu>
Message-ID: <64427F40-CD59-4AB2-82B6-FA60CF35509C@mailborder.com>

Send me what you have.
-
Jerry Benton
www.mailborder.com

> On Feb 1, 2016, at 10:08 AM, William D. Colburn wrote:
>
> On Sat, Jan 30, 2016 at 01:07:56AM -0500, Jerry Benton wrote:
>> Honestly, how many AV’s on that list are actually still in use? Maybe 6 or 8? Well, there are about 40 in the config when you include the daemonized versions as well. We could cut down SweepVirus.pm to about half the size with about a third of the checks. Which = faster scanning, less overhead, less dated code to maintain.
>
> SCEP is free (at least for us) and I'd love to see SCEP in the list.
> I've got a generic wrapper working, but the code appears to ignore the
> generic wrapper, so all I get are syslog messages about viruses that are
> then let through.
>
> --Schlake
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From kevin.miller at juneau.org Mon Feb 1 19:08:22 2016
From: kevin.miller at juneau.org (Kevin Miller)
Date: Mon, 1 Feb 2016 19:08:22 +0000
Subject: Virus Scanners
In-Reply-To: <279EF311-4C86-4159-97FC-68B409D31065@mailborder.com>
References: <279EF311-4C86-4159-97FC-68B409D31065@mailborder.com>
Message-ID: <5e190f96d43c484c8dc53bafc8098dbd@City-Exch-DB1.cbj.local>

It may be nice to have the old wrappers available for download so they can be applied in the event someone is still using them, or for educational purposes. Save reinventing the wheel.

If the scanner checks are the result of "Virus Scanners = auto", then maybe the thing to do is to deprecate that. It's a nice little feature, but really, if one doesn't know what antivirus they have installed, maybe they shouldn't be running a mail server. Easy enough to just specify "Virus Scanners = clamd" or some such.

I agree though that any scanners that are definitely past their "sell by date" should be pruned from the running code.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357

From gao at pztop.com Mon Feb 1 23:57:02 2016
From: gao at pztop.com (Gao)
Date: Mon, 1 Feb 2016 15:57:02 -0800
Subject: maillog stops logging?
In-Reply-To: <56AA7650.9010608@pztop.com>
References: <56A9B2BF.4050309@msapiro.net> <56AA03D7.9040809@dld2000.com> <9EB16D8A-40A1-440A-A98B-C294DE0834FE@mailborder.com> <56AA04A0.8020004@dld2000.com> <37A25B26-D7CC-446E-8217-05DA80E1C4CA@mailborder.com> <56AA06A4.3080102@dld2000.com> <9D59755B-D3E2-4B70-863F-CBCF2F8D6A91@mailborder.com> <56AA4868.5010407@pztop.com> <3033FCA1-FB66-4E37-B295-E38CDCEB3568@mailborder.com> <56AA7650.9010608@pztop.com>
Message-ID: <56AFF0CE.6030306@pztop.com>

My log is still going well. I just read this:
https://www.centos.org/forums/viewtopic.php?f=47&t=55922#p237310

"You can try adding Compress=no to /etc/systemd/journald.conf but it won't help with existing files - those will need to be purged and deleted."

You may try it as a workaround before the fix comes out.

Gao

On 16-01-28 12:13 PM, Gao wrote:
> No problem. I'll report back if it happens again.
>
> Also I just took a look on the yum.log and here is the update I did:
> Jan 15 11:53:19 Updated: 1:openssl-libs-1.0.1e-51.el7_2.2.x86_64
> Jan 15 11:53:20 Updated: openssh-6.6.1p1-23.el7_2.x86_64
> Jan 15 11:53:20 Updated: nss-3.19.1-19.el7_2.x86_64
> Jan 15 11:53:20 Updated: nss-sysinit-3.19.1-19.el7_2.x86_64
> Jan 15 11:53:21 Updated: 1:grub2-tools-2.02-0.34.el7.centos.x86_64
> Jan 15 11:53:22 Updated: kernel-tools-libs-3.10.0-327.4.4.el7.x86_64
> Jan 15 11:53:22 Updated: kernel-tools-3.10.0-327.4.4.el7.x86_64
> Jan 15 11:53:23 Updated: 1:grub2-2.02-0.34.el7.centos.x86_64
> Jan 15 11:53:24 Updated: nss-tools-3.19.1-19.el7_2.x86_64
> Jan 15 11:53:24 Updated: openssh-clients-6.6.1p1-23.el7_2.x86_64
> Jan 15 11:53:24 Updated: openssh-server-6.6.1p1-23.el7_2.x86_64
> Jan 15 11:53:25 Updated: pure-ftpd-1.0.42-3.el7.x86_64
> Jan 15 11:53:26 Updated: 1:openssl-devel-1.0.1e-51.el7_2.2.x86_64
> Jan 15 11:53:27 Updated: 1:openssl-1.0.1e-51.el7_2.2.x86_64
> Jan 15 11:53:27 Updated: jwhois-4.0-44.el7.x86_64
> Jan 15 11:53:37 Installed: kernel-3.10.0-327.4.4.el7.x86_64
> Jan 15 11:53:38 Updated: gnutls-3.3.8-14.el7_2.x86_64
> Jan 15 11:53:48 Installed: kernel-devel-3.10.0-327.4.4.el7.x86_64
> Jan 15 11:53:49 Updated: kernel-headers-3.10.0-327.4.4.el7.x86_64
> Jan 15 11:53:50 Updated: python-perf-3.10.0-327.4.4.el7.x86_64
>
> Could it be the kernel update fixed the issue?
>
> Gao
>
>
> On 16-01-28 11:35 AM, Jerry Benton wrote:
>> Gao,
>>
>> If you see this issue again, please tell me. I am really hoping that update you did contained the correction to the problem and it is not a problem with how Perl logs.
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>>
>>
>>
>>> On Jan 28, 2016, at 11:57 AM, Gao wrote:
>>>
>>> I had this issue as well.
>>>
>>> I am using CentOS 7.2 64bit and during the last month maillog stopped twice without any reason. When the maillog stops, message log also stopped. But other log (secure, fail2ban.,etc) keep working.
I also have MailWatch on the same box and MailScanner still send records to MailWatch.
>>>
>>> I tried to restart rsyslogd and MailScanner and that didn't bring the logging back. I have to reboot the server then everything back to normal.
>>>
>>> Last time the maillog stopped is a week ago. I did a full "yum update" and reboot. So far the maillog is working well. Not sure what happened. I still have my finger crossed...
>>>
>>> Gao
>>>
>>>
>>>
>>> On 16-01-28 04:17 AM, Jerry Benton wrote:
>>>> What OS are you using?
>>>>
>>>> -
>>>> Jerry Benton
>>>> www.mailborder.com
>>>>
>>>>
>>>>
>>>>> On Jan 28, 2016, at 7:16 AM, Walt Thiessen wrote:
>>>>>
>>>>> My server at /etc/init.d/ doesn't have a file named rsyslog.
>>>>>
>>>>> Here's an ls -l for /etc/init.d/
>>>>>
>>>>>
>>>>> drwxr-xr-x. 2 root root 4096 Jan 27 21:11 ./
>>>>> drwxr-xr-x. 10 root root 4096 Jan 27 21:11 ../
>>>>> -rwxr--r--. 1 root wheel 1151 Feb 25 2015 bandmin*
>>>>> -rw-r--r--. 1 root root 12972 Oct 10 00:07 cpfunctions
>>>>> -rwxr-xr-x 1 root root 2502 Dec 16 11:06 dovecot*
>>>>> -rwxr-xr-x 1 root root 1067 Jan 27 21:11 filelimits*
>>>>> -rw-r--r-- 1 root root 13948 Sep 16 07:51 functions
>>>>> -rwxr-xr-x 1 root root 2989 Sep 16 07:51 netconsole*
>>>>> -rwxr-xr-x 1 root root 6630 Sep 16 07:51 network*
>>>>> -rw-r--r-- 1 root root 1160 Nov 19 23:49 README
>>>>>
>>>>>
>>>>> On 1/28/2016 7:09 AM, Jerry Benton wrote:
>>>>>> /etc/init.d/rsyslog restart
>>>>>>
>>>>>> maybe?
>>>>>>
>>>>>> -
>>>>>> Jerry Benton
>>>>>> www.mailborder.com
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On Jan 28, 2016, at 7:08 AM, Walt Thiessen wrote:
>>>>>>>
>>>>>>> Correct
>>>>>>>
>>>>>>> On 1/28/2016 7:05 AM, Jerry Benton wrote:
>>>>>>>> Both the MTA and MailScanner are not logging to it?
>>>>>>>>
>>>>>>>> -
>>>>>>>> Jerry Benton
>>>>>>>> www.mailborder.com
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Jan 28, 2016, at 7:04 AM, Walt Thiessen wrote:
>>>>>>>>>
>>>>>>>>> For some unknown reason, my /var/log/maillog stopped recording entries
>>>>>>>>> two days ago. There's plenty of available storage on the server ... only
>>>>>>>>> about 9% has been used.
>>>>>>>>>
>>>>>>>>> Exim_mainlog continues to record entries, but not maillog.
>>>>>>>>>
>>>>>>>>> MailScanner continues to scan emails. I can see the results of it in
>>>>>>>>> delivered emails' message source. X-org-name-MailScanner-Information
>>>>>>>>> shows up in the message source.
>>>>>>>>>
>>>>>>>>> Is there some way to turn maillog off and on that I should check?
>>>>>>>>>
>>>>>>>>> Walt Thiessen
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> MailScanner mailing list
>>>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>>>> http://lists.mailscanner.info/listinfo/mailscanner
>>>>>>>>>
>>>>>>> --
>>>>>>> MailScanner mailing list
>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>> http://lists.mailscanner.info/listinfo/mailscanner
>>>>>>>
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner at lists.mailscanner.info
>>>>> http://lists.mailscanner.info/listinfo/mailscanner
>>>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/listinfo/mailscanner
>>>
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jerry.benton at mailborder.com Tue Feb 2 00:09:21 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 1 Feb 2016 19:09:21 -0500
Subject: Virus Scanners
In-Reply-To: <5e190f96d43c484c8dc53bafc8098dbd@City-Exch-DB1.cbj.local>
References: <279EF311-4C86-4159-97FC-68B409D31065@mailborder.com> <5e190f96d43c484c8dc53bafc8098dbd@City-Exch-DB1.cbj.local>
Message-ID: <7611DA86-8227-4DEF-AE82-B8B60007048E@mailborder.com>

I am leaving the wrappers on Github.
-
Jerry Benton
www.mailborder.com

> On Feb 1, 2016, at 2:08 PM, Kevin Miller wrote:
>
> It may be nice to have the old wrappers available for download so they can be applied in the event someone is still using them, or for educational purposes. Save reinventing the wheel.
>
> If the scanner checks are the result of "Virus Scanners = auto", then maybe the thing to do is to deprecate that. It's a nice little feature, but really, if one doesn't know what antivirus they have installed, maybe they shouldn't be running a mail server. Easy enough to just specify "Virus Scanners = clamd" or some such.
>
> I agree though that any scanners that are definitely past their "sell by date" should be pruned from the running code.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From Pieter.Goris at cisanet.be Thu Feb 4 09:02:20 2016
From: Pieter.Goris at cisanet.be (Pieter Goris)
Date: Thu, 4 Feb 2016 09:02:20 +0000
Subject: Blocking custom file extension is not working
Message-ID:

Hi,

So I want to block .dll and .()bat but mailscanner is not doing it.
I added this to the filename.rules at the bottom:

deny \.dll$ dll-files are not allowed dll-files are not allowed
deny \.()bat$ Possible malicious batch file script Batch files are often malicious

Regards,
Pieter Goris

------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by Cisa Antispam Service, and is believed to be clean.
------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Denis.Beauchemin at usherbrooke.ca Thu Feb 4 13:40:09 2016
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Thu, 4 Feb 2016 13:40:09 +0000
Subject: Blocking custom file extension is not working
In-Reply-To:
References:
Message-ID:

Peter,

The first one should work as long as you separated each field with TABs (not spaces). You also have to reload/restart MailScanner.

The second one looks strange with its “()”. What are you trying to block exactly with that?

Denis

From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Pieter Goris
Sent: 4 February 2016 04:02
To: mailscanner at lists.mailscanner.info
Subject: Blocking custom file extension is not working

Hi,

So I want to block .dll and .()bat but mailscanner is not doing it.
I added this to the filename.rules at the bottom:

deny \.dll$ dll-files are not allowed dll-files are not allowed
deny \.()bat$ Possible malicious batch file script Batch files are often malicious

Regards,
Pieter Goris

--
This message has been scanned for viruses and dangerous content by Cisa Antispam Service, and is believed to be clean.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Pieter.Goris at cisanet.be Thu Feb 4 14:02:06 2016
From: Pieter.Goris at cisanet.be (Pieter Goris)
Date: Thu, 4 Feb 2016 14:02:06 +0000
Subject: Blocking custom file extension is not working
Message-ID:

Denis,

I'm trying to block .()bat files.

Regards,
Pieter Goris

------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by Cisa Antispam Service, and is believed to be clean.
------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From iversons at rushville.k12.in.us Thu Feb 4 14:04:58 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Thu, 4 Feb 2016 09:04:58 -0500
Subject: Blocking custom file extension is not working
In-Reply-To:
References:
Message-ID:

What is a .()bat file?

On Thu, Feb 4, 2016 at 9:02 AM, Pieter Goris wrote:

> Denis,
>
> I’m trying to block *.()bat* files.
>
> Regards,
>
> Pieter Goris
>
> --
> This message has been scanned for viruses and dangerous content by
> *Cisa Antispam Service*, and is believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From richard at fastnet.co.uk Thu Feb 4 15:09:50 2016
From: richard at fastnet.co.uk (Richard Mealing)
Date: Thu, 4 Feb 2016 15:09:50 +0000
Subject: Blocking custom file extension is not working
In-Reply-To:
References:
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795F3357BC@BTN-EXCHANGE-V1.fastnet.local>

I would think you need to escape the special characters -

deny \.\(\)bat$ Possible malicious batch file script Batch files are often malicious

From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Pieter Goris
Sent: 04 February 2016 09:02
To: mailscanner at lists.mailscanner.info
Subject: Blocking custom file extension is not working

Hi,

So I want to block .dll and .()bat but mailscanner is not doing it.
I added this to the filename.rules at the bottom:

deny \.dll$ dll-files are not allowed dll-files are not allowed
deny \.()bat$ Possible malicious batch file script Batch files are often malicious

Regards,
Pieter Goris

--
This message has been scanned for viruses and dangerous content by Cisa Antispam Service, and is believed to be clean.
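
Added example, not part of any list message and not MailScanner code: a small lint for filename.rules lines that checks the two points raised in the replies above (fields separated by TABs, and `()` being an empty regex group rather than literal parentheses). It assumes the four-field layout seen in the quoted rules, first-match-wins evaluation, and Python's `re` as a stand-in for Perl's regex engine; `find_empty_group`, `parse_rules` and `decide` are hypothetical names.

```python
import re

ACTIONS = {"allow", "deny"}  # assumed action keywords; extend for your version

# Constructed sample. Lines 1 and 3 are the thread's two rules with TABs
# between the four fields, line 2 is the second rule typed with spaces, and
# line 4 is the escaped variant suggested in the reply.
SAMPLE_RULES = (
    "deny\t\\.dll$\tdll-files are not allowed\tdll-files are not allowed\n"
    "deny \\.()bat$ Possible malicious batch file script Batch files are often malicious\n"
    "deny\t\\.()bat$\tPossible malicious batch file script\tBatch files are often malicious\n"
    "deny\t\\.\\(\\)bat$\tPossible malicious batch file script\tBatch files are often malicious\n"
)


def find_empty_group(pattern):
    """Return the index of an unescaped '()' outside a character class, or -1."""
    i, in_class = 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":            # skip the escaped character entirely
            i += 2
            continue
        if in_class:
            if ch == "]":
                in_class = False
        elif ch == "[":
            in_class = True
        elif ch == "(" and pattern[i + 1:i + 2] == ")":
            return i
        i += 1
    return -1


def parse_rules(text):
    """Return (rules, findings).

    rules    -- list of (lineno, action, compiled_regex) for usable lines
    findings -- list of (lineno, level, message); level is 'error' or 'warning'
    """
    rules, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            hint = " (fields look space-separated)" if len(fields) == 1 and " " in line else ""
            findings.append((lineno, "error",
                             f"expected 4 TAB-separated fields, found {len(fields)}{hint}"))
            continue  # this example skips the line; MailScanner's own handling is not shown on the page
        action, pattern = fields[0].lower(), fields[1]
        if action not in ACTIONS:
            findings.append((lineno, "error", f"unknown action {fields[0]!r}"))
            continue
        try:
            compiled = re.compile(pattern)
        except re.error as exc:
            findings.append((lineno, "error", f"pattern does not compile: {exc}"))
            continue
        if find_empty_group(pattern) >= 0:
            findings.append((lineno, "warning",
                             "empty group '()' matches the empty string; "
                             "write \\(\\) to match literal parentheses"))
        rules.append((lineno, action, compiled))
    return rules, findings


def decide(rules, filename):
    """Return (lineno, action) of the first rule matching filename, else None."""
    for lineno, action, compiled in rules:
        if compiled.search(filename):
            return lineno, action
    return None


if __name__ == "__main__":
    rules, findings = parse_rules(SAMPLE_RULES)
    for lineno, level, message in findings:
        print(f"line {lineno}: {level}: {message}")
    for name in ("library.dll", "run.bat", "run.()bat", "notes.txt"):
        print(name, "->", decide(rules, name))
```

On the sample, the unescaped rule matches `run.bat` but not `run.()bat`, and only the escaped rule matches `run.()bat`.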
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jerry.benton at mailborder.com Thu Feb 4 16:51:06 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 4 Feb 2016 11:51:06 -0500
Subject: Bug
Message-ID: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com>

MailScanner has had a bug for the longest time. I am currently working on packaging for the new version, so if someone could investigate this I would appreciate it.

In scan.message.rules you have three options: yes,no,virus

Yes and No work correctly. However, Virus does not. The intent for that setting is to only scan for viruses. However, MailScanner seems to perform all of the normal checks as if the setting were Yes.

Can someone take a look and do some testing please?

-
Jerry Benton
www.mailborder.com

From gao at pztop.com Thu Feb 4 19:40:22 2016
From: gao at pztop.com (Gao)
Date: Thu, 4 Feb 2016 11:40:22 -0800
Subject: Bug
In-Reply-To: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com>
References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com>
Message-ID: <56B3A926.1080708@pztop.com>

I am using MailScanner 4.85 and I can confirm "From: domain.tld virus" setting is not working. Spamassassin scans and scores anyway.

Gao

On 16-02-04 08:51 AM, Jerry Benton wrote:
> MailScanner has had a bug for the longest time. I am currently working on packaging for the new version, so if someone could investigate this I would appreciate it.
>
> In scan.message.rules you have three options: yes,no,virus
>
> Yes and No work correctly. However, Virus does not. The intent for that setting is to only scan for viruses. However, MailScanner seems to perform all of the normal checks as if the setting were Yes.
>
>
> Can someone take a look and do some testing please?
>
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>
>

From wt at dld2000.com Thu Feb 4 19:52:36 2016
From: wt at dld2000.com (Walt Thiessen)
Date: Thu, 4 Feb 2016 14:52:36 -0500
Subject: Bug
In-Reply-To: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com>
References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com>
Message-ID: <56B3AC04.3050001@dld2000.com>

I'm glad to hear it. I thought it must just be me! So often, when something doesn't work in MailScanner, it tends to be something I did wrong! :)

Yes, I verify the bug.

On 2/4/2016 11:51 AM, Jerry Benton wrote:
> MailScanner has had a bug for the longest time. I am currently working on packaging for the new version, so if someone could investigate this I would appreciate it.
>
> In scan.message.rules you have three options: yes,no,virus
>
> Yes and No work correctly. However, Virus does not. The intent for that setting is to only scan for viruses. However, MailScanner seems to perform all of the normal checks as if the setting were Yes.
>
>
> Can someone take a look and do some testing please?
>
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>
>

From Antony.Stone at mailscanner.open.source.it Thu Feb 4 20:15:17 2016
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Thu, 4 Feb 2016 21:15:17 +0100
Subject: Bug
In-Reply-To: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com>
References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com>
Message-ID: <201602042115.17845.Antony.Stone@mailscanner.open.source.it>

On Thursday 04 February 2016 at 17:51:06, Jerry Benton wrote:

> MailScanner has had a bug for the longest time. I am currently working on
> packaging for the new version, so if someone could investigate this I
> would appreciate it.
>
> In scan.message.rules you have three options: yes,no,virus
>
> Yes and No work correctly. However, Virus does not. The intent for that
> setting is to only scan for viruses.
However, MailScanner seems to perform
> all of the normal checks as if the setting were Yes.
>
>
> Can someone take a look and do some testing please?

Is it perhaps the case discrepancy between:

scanmail = scanmessages
and
ScanMail 1 no 0 yes 1 virus 2

in mailscanner/bin/MailScanner/ConfigDefs.pl

?


Antony.

--
"A person lives in the UK, but commutes to France daily for work.
He belongs in the UK."

- From UK Revenue & Customs notice 741, page 13, paragraph 3.5.1
- http://tinyurl.com/o7gnm4

Please reply to the list;
please *don't* CC me.

From jerry.benton at mailborder.com Thu Feb 4 22:59:46 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 4 Feb 2016 17:59:46 -0500
Subject: Bug
In-Reply-To: <201602042115.17845.Antony.Stone@mailscanner.open.source.it>
References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it>
Message-ID:

This is why.

  # Decide if we want to scan this message at all
  $this->{scanmail} = MailScanner::Config::Value('scanmail', $this);
  if ($this->{scanmail} =~ /[12]/) {
    $this->{scanmail} = 1;
  } else {
    # Make sure it is set to something, and not left as undef.
    $this->{scanmail} = 0;
  }
  if ($this->{scanmail} !~ /1/) {
    $this->{scanvirusonly} = 1;
  } else {
    $this->{scanvirusonly} = 0;
  }

-
Jerry Benton
www.mailborder.com

> On Feb 4, 2016, at 3:15 PM, Antony Stone wrote:
>
> On Thursday 04 February 2016 at 17:51:06, Jerry Benton wrote:
>
>> MailScanner has had a bug for the longest time. I am currently working on
>> packaging for the new version, so if someone could investigate this I
>> would appreciate it.
>>
>> In scan.message.rules you have three options: yes,no,virus
>>
>> Yes and No work correctly. However, Virus does not. The intent for that
>> setting is to only scan for viruses. However, MailScanner seems to perform
>> all of the normal checks as if the setting were Yes.
>>
>>
>> Can someone take a look and do some testing please?
>
> Is it perhaps the case discrepancy between:
>
> scanmail = scanmessages
> and
> ScanMail 1 no 0 yes 1 virus 2
>
> in mailscanner/bin/MailScanner/ConfigDefs.pl
>
> ?
>
>
> Antony.
>
> --
> "A person lives in the UK, but commutes to France daily for work.
> He belongs in the UK."
>
> - From UK Revenue & Customs notice 741, page 13, paragraph 3.5.1
> - http://tinyurl.com/o7gnm4
>
> Please reply to the list;
> please *don't* CC me.
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From jerry.benton at mailborder.com Thu Feb 4 23:09:24 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 4 Feb 2016 18:09:24 -0500
Subject: Bug
In-Reply-To:
References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it>
Message-ID: <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com>

Can someone test this please?

-
Jerry Benton
www.mailborder.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Message.pm.zip
Type: application/zip
Size: 76254 bytes
Desc: not available
URL:
-------------- next part --------------

> On Feb 4, 2016, at 5:59 PM, Jerry Benton wrote:
>
> This is why.
>
>
> # Decide if we want to scan this message at all
> $this->{scanmail} = MailScanner::Config::Value('scanmail', $this);
> if ($this->{scanmail} =~ /[12]/) {
>   $this->{scanmail} = 1;
> } else {
>   # Make sure it is set to something, and not left as undef.
>   $this->{scanmail} = 0;
> }
> if ($this->{scanmail} !~ /1/) {
>   $this->{scanvirusonly} = 1;
> } else {
>   $this->{scanvirusonly} = 0;
> }
>
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On Feb 4, 2016, at 3:15 PM, Antony Stone wrote:
>>
>> On Thursday 04 February 2016 at 17:51:06, Jerry Benton wrote:
>>
>>> MailScanner has had a bug for the longest time.
I am currently working on >>> packaging for the new version, so if someone could investigate this I >>> would appreciate it. >>> >>> In scan.message.rules you have three options: yes,no,virus >>> >>> Yes and No work correctly. However, Virus does not. The intent for that >>> setting is to only scan for viruses. However, MailScanner seems to perform >>> all of the normal checks as if the setting were Yes. >>> >>> >>> Can someone take a look and do some testing please? >> >> Is it perhaps the case discrepancy between: >> >> scanmail = scanmessages >> and >> ScanMail 1 no 0 yes 1 virus 2 >> >> in mailscanner/bin/MailScanner/ConfigDefs.pl >> >> ? >> >> >> Antony. >> >> -- >> "A person lives in the UK, but commutes to France daily for work. >> He belongs in the UK." >> >> - From UK Revenue & Customs notice 741, page 13, paragraph 3.5.1 >> - http://tinyurl.com/o7gnm4 >> >> Please reply to the list; >> please *don't* CC me. >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> > From jerry.benton at mailborder.com Thu Feb 4 23:18:16 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 4 Feb 2016 18:18:16 -0500 Subject: Bug In-Reply-To: References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it> Message-ID: Sending again without double extension. Can someone test this please? - Jerry Benton www.mailborder.com -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.zip Type: application/zip Size: 76254 bytes Desc: not available URL: -------------- next part -------------- > On Feb 4, 2016, at 5:59 PM, Jerry Benton wrote: > > This is why. 
> > > # Decide if we want to scan this message at all > $this->{scanmail} = MailScanner::Config::Value('scanmail', $this); > if ($this->{scanmail} =~ /[12]/) { > $this->{scanmail} = 1; > } else { > # Make sure it is set to something, and not left as undef. > $this->{scanmail} = 0; > } > if ($this->{scanmail} !~ /1/) { > $this->{scanvirusonly} = 1; > } else { > $this->{scanvirusonly} = 0; > } > > > - > Jerry Benton > www.mailborder.com > > > >> On Feb 4, 2016, at 3:15 PM, Antony Stone wrote: >> >> On Thursday 04 February 2016 at 17:51:06, Jerry Benton wrote: >> >>> MailScanner has had a bug for the longest time. I am currently working on >>> packaging for the new version, so if someone could investigate this I >>> would appreciate it. >>> >>> In scan.message.rules you have three options: yes,no,virus >>> >>> Yes and No work correctly. However, Virus does not. The intent for that >>> setting is to only scan for viruses. However, MailScanner seems to perform >>> all of the normal checks as if the setting were Yes. >>> >>> >>> Can someone take a look and do some testing please? >> >> Is it perhaps the case discrepancy between: >> >> scanmail = scanmessages >> and >> ScanMail 1 no 0 yes 1 virus 2 >> >> in mailscanner/bin/MailScanner/ConfigDefs.pl >> >> ? >> >> >> Antony. >> >> -- >> "A person lives in the UK, but commutes to France daily for work. >> He belongs in the UK." >> >> - From UK Revenue & Customs notice 741, page 13, paragraph 3.5.1 >> - http://tinyurl.com/o7gnm4 >> >> Please reply to the list; >> please *don't* CC me. 
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>

From mark at msapiro.net Fri Feb 5 00:29:17 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 4 Feb 2016 16:29:17 -0800
Subject: Bug
In-Reply-To: <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com>
References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com>
 <201602042115.17845.Antony.Stone@mailscanner.open.source.it>
 <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com>
Message-ID: <56B3ECDD.90808@msapiro.net>

On 02/04/2016 03:09 PM, Jerry Benton wrote:
> Can someone test this please?


I tested and it seems OK. With Scan Messages = yes and a message
containing a virus, I get

X-GPC-MailScanner-ID: A083311E1A7E.AA8CD
X-GPC-MailScanner: Found to be infected
X-GPC-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
        score=-0.85,
        required 5, autolearn=not spam, BAYES_00 -0.75, DKIM_SIGNED 0.10,
        DKIM_VALID -0.10, DKIM_VALID_AU -0.10,
        HEADER_FROM_DIFFERENT_DOMAINS 0.00, NO_RELAYS -0.00)
X-GPC-MailScanner-From: mark at sbh16.songbird.com
X-Spam-Status: No

and with Scan Messages = virus I get

X-GPC-MailScanner-ID: 8C0CA11E1A7E.AAD33
X-GPC-MailScanner: Found to be infected
X-GPC-MailScanner-SpamCheck:
X-GPC-MailScanner-From: mark at sbh16.songbird.com
X-Spam-Status: No


so it appears in this case while it still adds the

X-GPC-MailScanner-SpamCheck:

and

X-Spam-Status: No

headers that it is not doing the Spam scan. I also tested with an
attached junk.txt.exe file and with Scan Messages = yes it detects the
bad file name and with Scan Messages = virus, it doesn't.

I'd say the fix is good.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B.
Dylan From jerry.benton at mailborder.com Fri Feb 5 00:32:08 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 4 Feb 2016 19:32:08 -0500 Subject: Bug In-Reply-To: <56B3ECDD.90808@msapiro.net> References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it> <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com> <56B3ECDD.90808@msapiro.net> Message-ID: I’ll review the code and see where i can plug in “not checked” for the spam header when it is not scanned. Thanks for testing. - Jerry Benton www.mailborder.com > On Feb 4, 2016, at 7:29 PM, Mark Sapiro wrote: > > On 02/04/2016 03:09 PM, Jerry Benton wrote: >> Can someone test this please? > > > I tested and it seems OK. With Scan Messages = yes and a message > containing a virus, I get > > X-GPC-MailScanner-ID: A083311E1A7E.AA8CD > X-GPC-MailScanner: Found to be infected > X-GPC-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, > score=-0.85, > required 5, autolearn=not spam, BAYES_00 -0.75, DKIM_SIGNED 0.10, > DKIM_VALID -0.10, DKIM_VALID_AU -0.10, > HEADER_FROM_DIFFERENT_DOMAINS 0.00, NO_RELAYS -0.00) > X-GPC-MailScanner-From: mark at sbh16.songbird.com > X-Spam-Status: No > > and with Scan Messages = virus I get > > X-GPC-MailScanner-ID: 8C0CA11E1A7E.AAD33 > X-GPC-MailScanner: Found to be infected > X-GPC-MailScanner-SpamCheck: > X-GPC-MailScanner-From: mark at sbh16.songbird.com > X-Spam-Status: No > > > so it appears in this case while it still adds the > > X-GPC-MailScanner-SpamCheck: > > and > > X-Spam-Status: No > > headers that it is not doing the Spam scan. I also tested with an > attached junk.txt.exe file and with Scan Messages = yes it detects the > bad file name and with Scan Messages = virus, it doesn't. > > I'd say the fix is good. > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. 
Dylan > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From jerry.benton at mailborder.com Fri Feb 5 08:47:57 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 5 Feb 2016 03:47:57 -0500 Subject: Bug In-Reply-To: References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it> <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com> <56B3ECDD.90808@msapiro.net> Message-ID: <3CE8AA45-6865-46EF-822E-1B70557DC456@mailborder.com> Mark, Can you give this a whirl? Or anyone. -------------- next part -------------- A non-text attachment was scrubbed... Name: Archive.zip Type: application/zip Size: 84243 bytes Desc: not available URL: -------------- next part -------------- - Jerry Benton www.mailborder.com > On Feb 4, 2016, at 7:32 PM, Jerry Benton wrote: > > I’ll review the code and see where i can plug in “not checked” for the spam header when it is not scanned. Thanks for testing. > > - > Jerry Benton > www.mailborder.com > > > >> On Feb 4, 2016, at 7:29 PM, Mark Sapiro wrote: >> >> On 02/04/2016 03:09 PM, Jerry Benton wrote: >>> Can someone test this please? >> >> >> I tested and it seems OK. 
With Scan Messages = yes and a message >> containing a virus, I get >> >> X-GPC-MailScanner-ID: A083311E1A7E.AA8CD >> X-GPC-MailScanner: Found to be infected >> X-GPC-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, >> score=-0.85, >> required 5, autolearn=not spam, BAYES_00 -0.75, DKIM_SIGNED 0.10, >> DKIM_VALID -0.10, DKIM_VALID_AU -0.10, >> HEADER_FROM_DIFFERENT_DOMAINS 0.00, NO_RELAYS -0.00) >> X-GPC-MailScanner-From: mark at sbh16.songbird.com >> X-Spam-Status: No >> >> and with Scan Messages = virus I get >> >> X-GPC-MailScanner-ID: 8C0CA11E1A7E.AAD33 >> X-GPC-MailScanner: Found to be infected >> X-GPC-MailScanner-SpamCheck: >> X-GPC-MailScanner-From: mark at sbh16.songbird.com >> X-Spam-Status: No >> >> >> so it appears in this case while it still adds the >> >> X-GPC-MailScanner-SpamCheck: >> >> and >> >> X-Spam-Status: No >> >> headers that it is not doing the Spam scan. I also tested with an >> attached junk.txt.exe file and with Scan Messages = yes it detects the >> bad file name and with Scan Messages = virus, it doesn't. >> >> I'd say the fix is good. >> >> -- >> Mark Sapiro The highway is for gamblers, >> San Francisco Bay Area, California better use your sense - B. Dylan >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> > From richard at fastnet.co.uk Fri Feb 5 09:28:29 2016 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri, 5 Feb 2016 09:28:29 +0000 Subject: Bug In-Reply-To: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> Message-ID: <6EE47AF64C339A4F8F7F50507241B3795F3364DC@BTN-EXCHANGE-V1.fastnet.local> Hi Jerry, Why is there also an option for "Virus Scanning" then? # Do you want to scan email for viruses? # A few people don't have a virus scanner licence and so want to disable # all the virus scanning. 
# If you use a ruleset for this setting, then the mail will be scanned if # *any* of the rules match (except the default). That way unscanned mail # never reaches a user who is having their mail virus-scanned. # # If you want to be able to switch scanning on/off for different users or # different domains, set this to the filename of a ruleset. # This can also be the filename of a ruleset. Virus Scanning = %rules-dir%/virus.scanning.rules What would happen if you set this for a domain to no, but then set the other option to yes? Thanks, Rich -----Original Message----- From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: 04 February 2016 16:51 To: MailScanner Discussion Subject: Bug MailScanner has had a bug for the longest time. I am currently working on packaging for the new version, so if someone could investigate this I would appreciate it. In scan.message.rules you have three options: yes,no,virus Yes and No work correctly. However, Virus does not. The intent for that setting is to only scan for viruses. However, MailScanner seems to perform all of the normal checks as if the setting were Yes. Can someone take a look and do some testing please? - Jerry Benton www.mailborder.com -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner From jerry.benton at mailborder.com Fri Feb 5 09:29:28 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 5 Feb 2016 04:29:28 -0500 Subject: Bug In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795F3364DC@BTN-EXCHANGE-V1.fastnet.local> References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <6EE47AF64C339A4F8F7F50507241B3795F3364DC@BTN-EXCHANGE-V1.fastnet.local> Message-ID: <407B715C-5628-4EBC-9D21-A8F7DC73266A@mailborder.com> This bug is related to the “Scan Messages” setting. 
- Jerry Benton www.mailborder.com > On Feb 5, 2016, at 4:28 AM, Richard Mealing wrote: > > Hi Jerry, > > Why is there also an option for "Virus Scanning" then? > > # Do you want to scan email for viruses? > # A few people don't have a virus scanner licence and so want to disable > # all the virus scanning. > # If you use a ruleset for this setting, then the mail will be scanned if > # *any* of the rules match (except the default). That way unscanned mail > # never reaches a user who is having their mail virus-scanned. > # > # If you want to be able to switch scanning on/off for different users or > # different domains, set this to the filename of a ruleset. > # This can also be the filename of a ruleset. > Virus Scanning = %rules-dir%/virus.scanning.rules > > What would happen if you set this for a domain to no, but then set the other option to yes? > > Thanks, > Rich > > > -----Original Message----- > From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton > Sent: 04 February 2016 16:51 > To: MailScanner Discussion > Subject: Bug > > MailScanner has had a bug for the longest time. I am currently working on packaging for the new version, so if someone could investigate this I would appreciate it. > > In scan.message.rules you have three options: yes,no,virus > > Yes and No work correctly. However, Virus does not. The intent for that setting is to only scan for viruses. However, MailScanner seems to perform all of the normal checks as if the setting were Yes. > > > Can someone take a look and do some testing please? 
> > > - > Jerry Benton > www.mailborder.com > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From richard at fastnet.co.uk Fri Feb 5 09:40:39 2016 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri, 5 Feb 2016 09:40:39 +0000 Subject: Bug In-Reply-To: <407B715C-5628-4EBC-9D21-A8F7DC73266A@mailborder.com> References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <6EE47AF64C339A4F8F7F50507241B3795F3364DC@BTN-EXCHANGE-V1.fastnet.local> <407B715C-5628-4EBC-9D21-A8F7DC73266A@mailborder.com> Message-ID: <6EE47AF64C339A4F8F7F50507241B3795F33652F@BTN-EXCHANGE-V1.fastnet.local> Yes, understood. I'm just wondering why you would have 2 options to toggle virus scanning. -----Original Message----- From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: 05 February 2016 09:29 To: MailScanner Discussion Subject: Re: Bug This bug is related to the “Scan Messages” setting. - Jerry Benton www.mailborder.com > On Feb 5, 2016, at 4:28 AM, Richard Mealing wrote: > > Hi Jerry, > > Why is there also an option for "Virus Scanning" then? > > # Do you want to scan email for viruses? > # A few people don't have a virus scanner licence and so want to > disable # all the virus scanning. > # If you use a ruleset for this setting, then the mail will be scanned > if # *any* of the rules match (except the default). That way unscanned > mail # never reaches a user who is having their mail virus-scanned. > # > # If you want to be able to switch scanning on/off for different users > or # different domains, set this to the filename of a ruleset. > # This can also be the filename of a ruleset. 
> Virus Scanning = %rules-dir%/virus.scanning.rules > > What would happen if you set this for a domain to no, but then set the other option to yes? > > Thanks, > Rich > > > -----Original Message----- > From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] > On Behalf Of Jerry Benton > Sent: 04 February 2016 16:51 > To: MailScanner Discussion > Subject: Bug > > MailScanner has had a bug for the longest time. I am currently working on packaging for the new version, so if someone could investigate this I would appreciate it. > > In scan.message.rules you have three options: yes,no,virus > > Yes and No work correctly. However, Virus does not. The intent for that setting is to only scan for viruses. However, MailScanner seems to perform all of the normal checks as if the setting were Yes. > > > Can someone take a look and do some testing please? > > > - > Jerry Benton > www.mailborder.com > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner From Pieter.Goris at cisanet.be Fri Feb 5 09:56:23 2016 From: Pieter.Goris at cisanet.be (Pieter Goris) Date: Fri, 5 Feb 2016 09:56:23 +0000 Subject: Blocking custom file extension is not working Message-ID: .()bat are just bat files that you have to rename so I want them blocked. How long can the extension be, can I use a wildcard after the ()? .dll are being blocked from any source but 1, http://www.emailsecuritycheck.net/index.html Regards, Pieter Goris ------------------------------------------------------------------ This message has been scanned for viruses and dangerous content by Cisa Antispam Service, and is believed to be clean. 
------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Pieter.Goris at cisanet.be Fri Feb 5 13:41:50 2016
From: Pieter.Goris at cisanet.be (Pieter Goris)
Date: Fri, 5 Feb 2016 13:41:50 +0000
Subject: Blocking custom file extension is not working
Message-ID:

So I managed to block the .()bat with this rule:

deny    \.[(][)][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9]    Possible malicious file    Files hiding behind () are often malicious

Now the question is why dll are blocked but not the ones sent by the test system?

Regards,
Pieter Goris

------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by
Cisa Antispam Service, and is believed to be clean.
------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From andrew at topdog.za.net Fri Feb 5 13:53:20 2016
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Fri, 5 Feb 2016 15:53:20 +0200
Subject: Blocking custom file extension is not working
In-Reply-To:
References:
Message-ID: <5325E519-E996-40B2-B05A-455AA347906D@topdog.za.net>

On 05 Feb 2016, at 3:41 PM, Pieter Goris wrote:

> Now the question is why dll are blocked but not the ones sent by the test system?

That is because, the test system is just a bogus grand standing system trying to get
you to buy their "anti spam" solution instead.

They are sending a text file as the supposed .dll file, if they sent an actual .dll file
your system would block it because of the mime check.

So all in all their supposed attack would never work.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jerry.benton at mailborder.com Fri Feb 5 14:10:19 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 5 Feb 2016 09:10:19 -0500 Subject: Blocking custom file extension is not working In-Reply-To: <5325E519-E996-40B2-B05A-455AA347906D@topdog.za.net> References: <5325E519-E996-40B2-B05A-455AA347906D@topdog.za.net> Message-ID: <8612DB91-48E4-42F4-A430-46DFE5FC33BC@mailborder.com> I get the same from customers all of the time. “How come your product does not stop … bah blah blah” And they are always using that same dumb website. Andrew is right. It is a bullshit file they are sending with a .dll extension. I could call myself a porn star, but it would not make it true. - Jerry Benton www.mailborder.com > On Feb 5, 2016, at 8:53 AM, Andrew Colin Kissa wrote: > > > On 05 Feb 2016, at 3:41 PM, Pieter Goris wrote: > >> Now the question is why dll are blocked but not the ones sent by the test system? > > That is because, the test system is just a bogus grand standing system trying to get > you to buy their "anti spam" solution instead. > > They are sending a text file as the supposed .dll file, if they sent an actual .dll file > your system would block it because of the mime check. > > So all in all their supposed attack would never work. > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From Pieter.Goris at cisanet.be Fri Feb 5 14:12:54 2016 From: Pieter.Goris at cisanet.be (Pieter Goris) Date: Fri, 5 Feb 2016 14:12:54 +0000 Subject: Blocking custom file extension is not working Message-ID: Andrew, But the file is shown in outlook as a .dll So is there a way to block this? 
Regards, Pieter Goris ------------------------------------------------------------------ This message has been scanned for viruses and dangerous content by Cisa Antispam Service, and is believed to be clean. ------------------------------------------------------------------ -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Fri Feb 5 14:17:22 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 5 Feb 2016 09:17:22 -0500 Subject: Blocking custom file extension is not working In-Reply-To: References: Message-ID: <8363ACCE-D1E8-4A48-B886-EB44B0E54083@mailborder.com> Open the file and you will see it contains something like echo “I am a bad file!” Ok, Yoda speak … make it a program the word echo not - Jerry Benton www.mailborder.com > On Feb 5, 2016, at 9:12 AM, Pieter Goris wrote: > > Andrew, > > But the file is shown in outlook as a .dll > So is there a way to block this? > > Regards, > Pieter Goris > > -- > This message has been scanned for viruses and dangerous content by > Cisa Antispam Service, and is believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrew at topdog.za.net Fri Feb 5 14:19:39 2016 From: andrew at topdog.za.net (Andrew Colin Kissa) Date: Fri, 5 Feb 2016 16:19:39 +0200 Subject: Blocking custom file extension is not working In-Reply-To: References: Message-ID: <1D2D6571-00BE-41F3-9E05-7F1F7149B331@topdog.za.net> On 05 Feb 2016, at 4:12 PM, Pieter Goris wrote: > But the file is shown in outlook as a .dll > So is there a way to block this? Not with the way mailscanner currently checks the filenames, but i do not see the point in reimplementing the mailscanner functionality to be able to catch that as the mime checks would catch the real potentially dangerous attachments anyway. 
Like Jerry said, saying you are a pornstar does not make you one, file extensions do not
always indicate what a file is, the mime check is more accurate.

I would only worry if they were able to send through a real actual .dll file.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From kevin.miller at juneau.org Fri Feb 5 17:30:50 2016
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 5 Feb 2016 17:30:50 +0000
Subject: Blocking custom file extension is not working
In-Reply-To:
References:
Message-ID: <1f6ad4d32fd84078bcda3ceaeea88310@City-Exch-DB1.cbj.local>

That's because Windows determines file types based on the extension. Outlook sees .dll so figures "hmm, must be true". Linux uses the file command to determine what type of file it is, so recognizes that it isn't really a .dll.

MailScanner blocks on both filetype and filename - just add a new line in filename.rules.conf and you're set. I'd copy an existing line and edit to suit.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Pieter Goris
Sent: Friday, February 05, 2016 5:13 AM
To: mailscanner at lists.mailscanner.info
Subject: RE: Blocking custom file extension is not working

Andrew,

But the file is shown in outlook as a .dll
So is there a way to block this?

Regards,
Pieter Goris

--
This message has been scanned for viruses and dangerous content by
Cisa Antispam Service, and is believed to be clean.
-------------- next part --------------
An HTML attachment was scrubbed...
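The distinction drawn in the messages above (a filename rule looks only at the name, a file-type check looks only at the bytes) as an added example. This is not MailScanner code and not from any poster: the first regex is the rule posted in the thread, while the .dll rule, the signature table, the helper names and the sample attachments are assumptions constructed for illustration.

```python
import re

# Filename rules as (action, regex, log text). The first regex is the rule
# posted in this thread; the .dll rule is an assumed stand-in for an existing
# extension rule. Case-insensitive matching is a choice made for this sketch.
FILENAME_RULES = [
    ("deny", re.compile(r"\.[(][)][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9]", re.I),
     "Possible malicious file"),
    ("deny", re.compile(r"\.dll$", re.I), "Windows library"),
]

# Well-known leading-byte signatures, checked in order.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (b"%PDF-", "pdf"),
]
DENIED_TYPES = {"pe-executable", "elf-executable"}

# Content each extension claims to hold (assumed mapping for the sketch).
CLAIMED_TYPE = {"dll": "pe-executable", "exe": "pe-executable",
                "zip": "zip-archive", "pdf": "pdf",
                "txt": "text", "bat": "text"}


def check_filename(name):
    """Return (action, log text) of the first matching rule, else allow."""
    for action, pattern, reason in FILENAME_RULES:
        if pattern.search(name):
            return action, reason
    return "allow", ""


def sniff_type(data):
    """Classify content from its bytes alone, ignoring the filename."""
    if not data:
        return "empty"
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    printable = all(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return "text" if printable else "binary"


def evaluate(name, data):
    """Run both layers and report which one, if any, blocks the attachment."""
    action, reason = check_filename(name)
    ctype = sniff_type(data)
    blocked_by = []
    if action == "deny":
        blocked_by.append("filename")
    if ctype in DENIED_TYPES:
        blocked_by.append("filetype")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = CLAIMED_TYPE.get(ext)
    return {
        "name": name,
        "filename_rule": reason if action == "deny" else None,
        "content_type": ctype,
        "blocked_by": blocked_by,
        # The name promises one thing and the bytes are another.
        "mismatch": claimed is not None and claimed != ctype,
    }


# Constructed sample attachments (not captured mail).
PE_STUB = b"MZ\x90\x00" + bytes(60)
SAMPLES = [
    ("test.dll", b'echo "I am a bad file!"\n'),   # text wearing a .dll name
    ("real.dll", PE_STUB),                        # genuine PE header
    ("report.txt", PE_STUB),                      # PE wearing a .txt name
    ("setup.()bat", b"@echo off\r\n"),            # the .()bat naming trick
    ("notes.txt", b"meeting at 10\n"),            # benign control
]


def report():
    return [evaluate(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for row in report():
        print("{name:12} type={content_type:14} blocked_by={blocked_by} "
              "mismatch={mismatch}".format(**row))
```

A name/content mismatch is worth logging even when neither layer blocks, since it marks an attachment whose extension does not describe its bytes.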
URL: From mark at msapiro.net Fri Feb 5 17:44:09 2016 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 5 Feb 2016 09:44:09 -0800 Subject: Blocking custom file extension is not working In-Reply-To: <1f6ad4d32fd84078bcda3ceaeea88310@City-Exch-DB1.cbj.local> References: <1f6ad4d32fd84078bcda3ceaeea88310@City-Exch-DB1.cbj.local> Message-ID: <56B4DF69.4040106@msapiro.net> On 02/05/2016 09:30 AM, Kevin Miller wrote: > > MailScanner blocks on both filetype and filename – just add a new line > in filename.rules.conf and you’re set. I’d copy an existing line and > edit to suit. I think the OP's point is he already has a filename rule to block file names ending in .dll and this is generally effective, but not effective for mail from one sender. Quoting from > .dll are being blocked from any source but 1, http://www.emailsecuritycheck.net/index.html So, do you possibly have Scan Messages rules that exempt this sender? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Fri Feb 5 18:11:13 2016 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 5 Feb 2016 10:11:13 -0800 Subject: Bug In-Reply-To: <3CE8AA45-6865-46EF-822E-1B70557DC456@mailborder.com> References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it> <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com> <56B3ECDD.90808@msapiro.net> <3CE8AA45-6865-46EF-822E-1B70557DC456@mailborder.com> Message-ID: <56B4E5C1.2060901@msapiro.net> On 02/05/2016 12:47 AM, Jerry Benton wrote: > Mark, > > Can you give this a whirl? Or anyone. I found problems. With Scan Messages = yes, a message with a virus got the entire message body instead of just the infected part replaced by the Attachment-Warning.txt. And more seriously, with Scan Messages = virus, all messages, even clean ones disappeared. 
Logs show

Feb 5 09:54:08 sbh16 postfix/cleanup[26404]: 98C4D11E1A7E: hold: header Received: by sbh16.songbird.com (Postfix, from userid 1000)??id 98C4D11E1A7E; Fri, 5 Feb 2016 09:54:08 -0800 (PST) from local; from= to=

Feb 5 09:54:08 sbh16 postfix/cleanup[26404]: 98C4D11E1A7E: message-id=<20160205175408.GE25840 at sbh16.songbird.com>

Feb 5 09:54:08 sbh16 opendkim[3264]: 98C4D11E1A7E: DKIM-Signature field added (s=default, d=msapiro.net)

Feb 5 09:54:14 sbh16 MailScanner[26139]: New Batch: Scanning 1 messages, 1321 bytes

Feb 5 09:54:14 sbh16 MailScanner[26139]: Virus and Content Scanning: Starting

Feb 5 09:54:14 sbh16 MailScanner[26139]: Deleted 1 messages from processing-database

and nothing further for that message and it isn't in quarantine.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From jerry.benton at mailborder.com Fri Feb 5 19:56:32 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 5 Feb 2016 14:56:32 -0500
Subject: Bug
In-Reply-To: <56B4E5C1.2060901@msapiro.net>
References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com>
 <201602042115.17845.Antony.Stone@mailscanner.open.source.it>
 <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com>
 <56B3ECDD.90808@msapiro.net>
 <3CE8AA45-6865-46EF-822E-1B70557DC456@mailborder.com>
 <56B4E5C1.2060901@msapiro.net>
Message-ID: <5A3E79F6-8ED8-4ACC-8EA7-2B496F63545F@mailborder.com>

Mark,

Are you saying it is eating email with the new deb package I created? -4 ?

-
Jerry Benton
www.mailborder.com



> On Feb 5, 2016, at 1:11 PM, Mark Sapiro wrote:
>
> On 02/05/2016 12:47 AM, Jerry Benton wrote:
>> Mark,
>>
>> Can you give this a whirl? Or anyone.
>
>
> I found problems.
>
> With Scan Messages = yes, a message with a virus got the entire message
> body instead of just the infected part replaced by the
> Attachment-Warning.txt.
>
> And more seriously, with Scan Messages = virus, all messages, even clean
> ones disappeared.
Logs show > > Feb 5 09:54:08 sbh16 postfix/cleanup[26404]: 98C4D11E1A7E: hold: header > Received: by sbh16.songbird.com (Postfix, from userid 1000)??id > 98C4D11E1A7E; Fri, 5 Feb 2016 09:54:08 -0800 (PST) from local; > from= to= > > Feb 5 09:54:08 sbh16 postfix/cleanup[26404]: 98C4D11E1A7E: > message-id=<20160205175408.GE25840 at sbh16.songbird.com> > > Feb 5 09:54:08 sbh16 opendkim[3264]: 98C4D11E1A7E: DKIM-Signature field > added (s=default, d=msapiro.net) > > Feb 5 09:54:14 sbh16 MailScanner[26139]: New Batch: Scanning 1 > messages, 1321 bytes > > Feb 5 09:54:14 sbh16 MailScanner[26139]: Virus and Content Scanning: > Starting > > Feb 5 09:54:14 sbh16 MailScanner[26139]: Deleted 1 messages from > processing-database > > and nothing further for that message and it isn't in quarantine. > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From mark at msapiro.net Fri Feb 5 20:15:09 2016 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 5 Feb 2016 12:15:09 -0800 Subject: Bug In-Reply-To: <5A3E79F6-8ED8-4ACC-8EA7-2B496F63545F@mailborder.com> References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it> <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com> <56B3ECDD.90808@msapiro.net> <3CE8AA45-6865-46EF-822E-1B70557DC456@mailborder.com> <56B4E5C1.2060901@msapiro.net> <5A3E79F6-8ED8-4ACC-8EA7-2B496F63545F@mailborder.com> Message-ID: <56B502CD.6060509@msapiro.net> On 02/05/2016 11:56 AM, Jerry Benton wrote: > Mark, > > Are you saying it is eating email with the new deb package I created? -4 ? I didn't say that. I didn't look at the deb -4 package (I didn't realize there was one). I just tested replacing Message.pm and ConfigDefs.pl in the -3 package with the ones contained in the zip attached to . 
That one appears to eat any messages to which ScanMessages = virus applies (I use a rule set for this). It also appears that if ScanMessages = yes and the message contains a virus the entire message rather that just the infected attachment is replaced with Attachment-Warning.txt, but this is not new with this change. I only just noticed it, but it could have been that way for some time. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From jerry.benton at mailborder.com Fri Feb 5 21:00:16 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 5 Feb 2016 16:00:16 -0500 Subject: Bug In-Reply-To: <56B502CD.6060509@msapiro.net> References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it> <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com> <56B3ECDD.90808@msapiro.net> <3CE8AA45-6865-46EF-822E-1B70557DC456@mailborder.com> <56B4E5C1.2060901@msapiro.net> <5A3E79F6-8ED8-4ACC-8EA7-2B496F63545F@mailborder.com> <56B502CD.6060509@msapiro.net> Message-ID: Mark, Ok, I rolled back a mod I put in. Here is the -4 (corrected) https://s3.amazonaws.com/msv4/deb/MailScanner-4.86.1-4.deb.tar.gz - Jerry Benton www.mailborder.com > On Feb 5, 2016, at 3:15 PM, Mark Sapiro wrote: > > On 02/05/2016 11:56 AM, Jerry Benton wrote: >> Mark, >> >> Are you saying it is eating email with the new deb package I created? -4 ? > > > I didn't say that. I didn't look at the deb -4 package (I didn't realize > there was one). I just tested replacing Message.pm and ConfigDefs.pl in > the -3 package with the ones contained in the zip attached to > . > > That one appears to eat any messages to which ScanMessages = virus > applies (I use a rule set for this). 
It also appears that if > ScanMessages = yes and the message contains a virus the entire message > rather that just the infected attachment is replaced with > Attachment-Warning.txt, but this is not new with this change. I only > just noticed it, but it could have been that way for some time. > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From mark at msapiro.net Fri Feb 5 23:16:10 2016 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 5 Feb 2016 15:16:10 -0800 Subject: Bug In-Reply-To: References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it> <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com> <56B3ECDD.90808@msapiro.net> <3CE8AA45-6865-46EF-822E-1B70557DC456@mailborder.com> <56B4E5C1.2060901@msapiro.net> <5A3E79F6-8ED8-4ACC-8EA7-2B496F63545F@mailborder.com> <56B502CD.6060509@msapiro.net> Message-ID: <56B52D3A.2000705@msapiro.net> On 02/05/2016 01:00 PM, Jerry Benton wrote: > Mark, > > Ok, I rolled back a mod I put in. Here is the -4 (corrected) > > > https://s3.amazonaws.com/msv4/deb/MailScanner-4.86.1-4.deb.tar.gz OK. This one works in general and more or less as expected with Scan Messages = virus The two things I notice are as before, with Scan Messages = virus, only virus scanning is done, but the added MailScanner headers include X-GPC-MailScanner-SpamCheck: This is what you tried unsuccessfully to fix. I don't think it's a big deal. More importantly, with this version and going back I don't know how far, regardless of whether Scan Messages is yes or virus, if a message contains a part in which a virus is detected, the entire message body of the delivered message, not just the infected part, is replaced with the AttachmentWarning.txt file. 
And I verified, this behavior predates the change to fix Scan Messages = virus, so that fix is not the cause.

--
Mark Sapiro  The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan

From mark at msapiro.net Fri Feb 5 23:43:05 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 5 Feb 2016 15:43:05 -0800
Subject: Issue with cron.hourly/MailScanner
In-Reply-To: <56B52D3A.2000705@msapiro.net>
References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it> <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com> <56B3ECDD.90808@msapiro.net> <3CE8AA45-6865-46EF-822E-1B70557DC456@mailborder.com> <56B4E5C1.2060901@msapiro.net> <5A3E79F6-8ED8-4ACC-8EA7-2B496F63545F@mailborder.com> <56B502CD.6060509@msapiro.net> <56B52D3A.2000705@msapiro.net>
Message-ID: <56B53389.3010804@msapiro.net>

On 02/05/2016 03:16 PM, Mark Sapiro wrote:

The new cron.hourly/MailScanner does

PIDFILE=`${QUICKPEEK} PIDfile ${ms_conf}`

but ms_conf is not given a default value and in /etc/defaults/MailScanner, it's commented

# ms_conf=/etc/MailScanner/MailScanner.conf

--
Mark Sapiro  The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan

From mark at msapiro.net Sat Feb 6 04:39:49 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 5 Feb 2016 20:39:49 -0800
Subject: Blocking custom file extension is not working
In-Reply-To:
References:
Message-ID: <56B57915.8050908@msapiro.net>

On 02/05/2016 01:56 AM, Pieter Goris wrote:
>
> .dll are being blocked from any source but 1,
> http://www.emailsecuritycheck.net/index.html

Just for curiosity, I ran the http://www.emailsecuritycheck.net/index.html tests to see what the mail looks like. Several of the messages disguise the filename in various ways.
I found things such as

name*0*="''attached%2E"; name*1*="%62"; name*2=at

This is an RFC2231 encoded parameter and decodes to

name=attached.bat

The fact that MailScanner doesn't recognize this encoded name as *.bat can be considered a MailScanner bug.

"name"=attached.bat

This is not compliant with RFC 2047. Parameter names are not allowed to have quotes. Thus this should not be recognized as a name parameter.

name=attached\
.bat

This was part of a Content-Type: header (and Content-Disposition: had a similar filename= parameter). The fact that the .bat part does not begin with white space means that it is not a 'continuation' but is the start of a new header. The '\' is meaningless in this context and the name is simply 'attached\'.

Based on these results, it is my opinion that this site is sending bogus, non-compliant messages and telling you that if your scanner doesn't stop them, you should buy theirs.

This does point out one issue in that MailScanner should recognize the RFC 2231 encoded name and apparently doesn't, but the rest of it is non-compliant ways of making things that look like bad names but in fact are not valid names at all.

--
Mark Sapiro  The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B.
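The RFC 2231 point in the message above, as an added example that is not part of the original post and not MailScanner's code: a filename deny rule only fires if the name*0*/name*1*/name*2 segments are reassembled and percent-decoded before matching. The sample message, the deny patterns and the function names are constructed for illustration; the parsing uses Python's standard email package.

```python
import email
import fnmatch
import re

# Deny patterns in the spirit of a filename rule set. These two are
# illustrative assumptions, not MailScanner's shipped rules.
DENY_PATTERNS = ["*.bat", "*.dll"]

# Constructed sample message. The first attachment carries the RFC 2231
# parameter quoted in the post; the second has an ordinary name parameter.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: application/octet-stream;
 name*0*="''attached%2E"; name*1*="%62"; name*2=at
Content-Transfer-Encoding: base64

AAAA
--BOUND
Content-Type: text/plain; name="notes.txt"

hello
--BOUND--
"""

# A scanner that only looks for a literal name= or filename= token in the
# raw headers never sees the segmented form at all.
NAIVE_NAME = re.compile(r'\b(?:file)?name\s*=\s*"?([^";\r\n]+)', re.IGNORECASE)


def naive_names(raw):
    """Names found by pattern-matching raw headers, with no RFC 2231 handling."""
    return NAIVE_NAME.findall(raw)


def decoded_names(raw):
    """Names per MIME part after RFC 2231 continuation and %-decoding."""
    msg = email.message_from_string(raw)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition filename= first, then
        # Content-Type name=, and collapses RFC 2231 segments into one string.
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def blocked(names, patterns=DENY_PATTERNS):
    """Return the names that match any deny pattern, case-insensitively."""
    return [
        n for n in names
        if any(fnmatch.fnmatchcase(n.lower(), p) for p in patterns)
    ]


if __name__ == "__main__":
    print("raw-header scan sees:", naive_names(SAMPLE))
    print("decoded parts carry: ", decoded_names(SAMPLE))
    print("blocked (raw scan):  ", blocked(naive_names(SAMPLE)))
    print("blocked (decoded):   ", blocked(decoded_names(SAMPLE)))
```
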
Dylan

From mark at msapiro.net Sat Feb 6 05:20:43 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 5 Feb 2016 21:20:43 -0800
Subject: Bug
In-Reply-To: <56B52D3A.2000705@msapiro.net>
References: <277ADA21-263E-4EBD-A3BA-8A74E95C4E35@mailborder.com> <201602042115.17845.Antony.Stone@mailscanner.open.source.it> <525488D0-57D1-4A1D-AFF0-23CE4D449A09@mailborder.com> <56B3ECDD.90808@msapiro.net> <3CE8AA45-6865-46EF-822E-1B70557DC456@mailborder.com> <56B4E5C1.2060901@msapiro.net> <5A3E79F6-8ED8-4ACC-8EA7-2B496F63545F@mailborder.com> <56B502CD.6060509@msapiro.net> <56B52D3A.2000705@msapiro.net>
Message-ID: <56B582AB.5010909@msapiro.net>

On 02/05/2016 03:16 PM, Mark Sapiro wrote:
>
> More importantly, with this version and going back I don't know how far,
> regardless of whether Scan Messages is yes or virus, if a message
> contains a part in which a virus is detected, the entire message body of
> the delivered message, not just the infected part, is replaced with the
> AttachmentWarning.txt file. And I verified, this behavior predates the
> change to fix Scan Messages = virus, so that fix is not the cause.

The above is correct, but it is actually intended behavior and not a problem. If I were actually paying attention to what I was doing I would have seen in the delivered message:

> Warning: This message has had one or more attachments removed
> Warning: (eicar, the entire message).
> Warning: Please read the "GPC-Attachment-Warning.txt" attachment(s) for more information.
>
> This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail attachment "the entire message"
> was believed to be infected by a virus and has been replaced by this warning
> message.

In other words it is telling me plainly if I only look that it has replaced the entire message with the warning.

Sorry for the noise.
-- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From jerry.benton at mailborder.com Sat Feb 6 09:57:59 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Sat, 6 Feb 2016 04:57:59 -0500 Subject: Trimming the fat from MailScanner Message-ID: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> Here I sit creating the RPM build and I am thinking that there are some items that just are not needed anymore. For example, we don’t update_virus_scanners nor do we need update_spamassassin. I don’t know of any virus scanner package that does not have its own update platform. The same is true Spamassassin. sa-compile will automatically do what is needed as long as you have re2c installed and the Rule2XSBody module installed and loaded. So in addition to standardizing the directory structure across all platforms, I am also removing these scripts. They are far beyond their expiration date. I am also removing processing_messages_alert from being in any cron by default. - Jerry Benton www.mailborder.com From moriskod at yahoo.com Mon Feb 8 00:17:06 2016 From: moriskod at yahoo.com (Moris Kod) Date: Mon, 8 Feb 2016 00:17:06 +0000 (UTC) Subject: Virus Parser References: <2144907174.690828.1454890626517.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <2144907174.690828.1454890626517.JavaMail.yahoo@mail.yahoo.com> Where would one tweak the virus scanner parser for f-prot?   I'm trying to get MailScanner to strip macros off of word and excel documents.   -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mailscanner at barendse.to Mon Feb 8 10:29:06 2016 From: mailscanner at barendse.to (Remco Barendse) Date: Mon, 8 Feb 2016 11:29:06 +0100 (CET) Subject: Trimming the fat from MailScanner In-Reply-To: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> References: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> Message-ID: On Sat, 6 Feb 2016, Jerry Benton wrote: > Here I sit creating the RPM build and I am thinking that there are some items that just are not needed anymore. For example, we don’t update_virus_scanners nor do we need update_spamassassin. I don’t know of any virus scanner package that does not have its own update platform. The same is true Spamassassin. sa-compile will automatically do what is needed as long as you have re2c installed and the Rule2XSBody module installed and loaded. > Sounds reasonable, will re2c and Rule2XSBody be included for installation by the installer ? ;) From wbaudler at gb.nrao.edu Mon Feb 8 14:51:53 2016 From: wbaudler at gb.nrao.edu (Wolfgang Baudler) Date: Mon, 8 Feb 2016 09:51:53 -0500 Subject: Trimming the fat from MailScanner In-Reply-To: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> References: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> Message-ID: > Here I sit creating the RPM build and I am thinking that there are some > items that just are not needed anymore. For example, we don?t > update_virus_scanners nor do we need update_spamassassin. I don?t know of > any virus scanner package that does not have its own update platform. The > same is true Spamassassin. sa-compile will automatically do what is needed > as long as you have re2c installed and the Rule2XSBody module installed > and loaded. > update_spamassassin and update_virus_scanners are still used at our installations. This is with Sophos version 5.19.0 and it works fine. 
Wolfgang From kevin.miller at juneau.org Mon Feb 8 17:48:27 2016 From: kevin.miller at juneau.org (Kevin Miller) Date: Mon, 8 Feb 2016 17:48:27 +0000 Subject: Trimming the fat from MailScanner In-Reply-To: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> References: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> Message-ID: <4eedb1408abd4056b9ddcae40a9b7d24@City-Exch-DB1.cbj.local> What is the expected behavior for an upgrade? As the new version won't have the update programs any more will it remove the older copies and revert the update process back to "factory specs" for the respective packages, i.e. antivirus and spamassassin? I think that would be fine, but if not it may be helpful to include some verbiage in the script describing what should be done to manually roll back the update processes. Thanks Jerry... ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 -----Original Message----- From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: Saturday, February 06, 2016 12:58 AM To: MailScanner Discussion Subject: Trimming the fat from MailScanner Here I sit creating the RPM build and I am thinking that there are some items that just are not needed anymore. For example, we don’t update_virus_scanners nor do we need update_spamassassin. I don’t know of any virus scanner package that does not have its own update platform. The same is true Spamassassin. sa-compile will automatically do what is needed as long as you have re2c installed and the Rule2XSBody module installed and loaded. So in addition to standardizing the directory structure across all platforms, I am also removing these scripts. They are far beyond their expiration date. I am also removing processing_messages_alert from being in any cron by default. 
- Jerry Benton www.mailborder.com -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner From maillists at conactive.com Mon Feb 8 18:31:06 2016 From: maillists at conactive.com (Kai Schaetzl) Date: Mon, 08 Feb 2016 19:31:06 +0100 Subject: Perl Code In-Reply-To: References: <233D2B71-637F-4509-BC1C-369D632B57A1@mailborder.com> <56AA8A3A.6030809@tweegy.nl> Message-ID: Jerry Benton wrote on Thu, 28 Jan 2016 16:40:21 -0500: > Yeah, that is what I figured. I moved the package away from compiling > and installing custom Perl modules last year in favor of distro provided > modules. I have been testing without that block and it seems ok. Seems I've been using standard RH/CentOS perl modules all the years without any problem. I actually installed them with yum first and then installed the core MailScanner rpm only. Has been working just fine. Go ahead with using the system provided stuff! Much better to update. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Mon Feb 8 18:31:06 2016 From: maillists at conactive.com (Kai Schaetzl) Date: Mon, 08 Feb 2016 19:31:06 +0100 Subject: Trimming the fat from MailScanner In-Reply-To: References: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> Message-ID: Using them as well. The point back then was to not have to delete them after installation of MS, at least for spamassassin. So, they got reused. As for update_virus_scanners, I see I have it in cron.hourly, while the clamd updates insist on placing freshclam in cron.daily. May be keep them around, in a tools directory or so, but not move them to cron.* Just in case someone needs a working script. They really do not need many bytes ... 
Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Mon Feb 8 18:31:06 2016 From: maillists at conactive.com (Kai Schaetzl) Date: Mon, 08 Feb 2016 19:31:06 +0100 Subject: RHEL 7 In-Reply-To: <3FC05D5F-0006-4256-B6A4-241E1F2A5B32@mailborder.com> References: <3FC05D5F-0006-4256-B6A4-241E1F2A5B32@mailborder.com> Message-ID: You won't be doing rpm for RH/Centos *5* then? Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From jerry.benton at mailborder.com Mon Feb 8 18:42:56 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 8 Feb 2016 13:42:56 -0500 Subject: RHEL 7 In-Reply-To: References: <3FC05D5F-0006-4256-B6A4-241E1F2A5B32@mailborder.com> Message-ID: <5625423C-B042-4200-A939-15CDBC9462D7@mailborder.com> Yes, I will. 4.86.1 is not final yet. Mark and I were using the Debian package to iron out the bugs. - Jerry Benton www.mailborder.com Sent from my iPhone > On Feb 8, 2016, at 13:31, Kai Schaetzl wrote: > > You won't be doing rpm for RH/Centos *5* then? > > Kai > > -- > Get your web at Conactive Internet Services: http://www.conactive.com > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From jerry.benton at mailborder.com Mon Feb 8 18:44:53 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 8 Feb 2016 13:44:53 -0500 Subject: Trimming the fat from MailScanner In-Reply-To: References: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> Message-ID: I will leave the scripts in place. - Jerry Benton www.mailborder.com Sent from my iPhone > On Feb 8, 2016, at 13:31, Kai Schaetzl wrote: > > Using them as well. The point back then was to not have to delete them > after installation of MS, at least for spamassassin. So, they got reused. > > As for update_virus_scanners, I see I have it in cron.hourly, while the > clamd updates insist on placing freshclam in cron.daily. 
>
> May be keep them around, in a tools directory or so, but not move them to
> cron.* Just in case someone needs a working script. They really do not
> need many bytes ...
>
> Kai
>
> --
> Get your web at Conactive Internet Services: http://www.conactive.com
>

From mailscanner at replies.cyways.com Mon Feb 8 19:32:32 2016
From: mailscanner at replies.cyways.com (Peter Lemieux)
Date: Mon, 8 Feb 2016 14:32:32 -0500
Subject: Virus Parser
In-Reply-To: <2144907174.690828.1454890626517.JavaMail.yahoo@mail.yahoo.com>
References: <2144907174.690828.1454890626517.JavaMail.yahoo.ref@mail.yahoo.com> <2144907174.690828.1454890626517.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <56B8ED50.9030606@replies.cyways.com>

We use ClamAV to handle those files with macros. If you install a version of ClamAV alongside f-prot that provides the clamd server and configure MailScanner accordingly, you can change the directive in /etc/clamd.conf to read

ScanOLE2 yes
OLE2BlockMacros yes

then files with macros will be treated as malware. The macros will not be stripped though. The message will be quarantined by MailScanner like any other piece of malware. In the organization I consult to, ordinary users have no need of files with macros, so blocking them all is the easiest solution. The recipient will get a notice that the message was quarantined, so you can pull the occasional legitimate file from there.

Peter

On 02/07/2016 07:17 PM, Moris Kod wrote:
> Where would one tweak the virus scanner parser for f-prot? I'm trying to get
> MailScanner to strip macros off of word and excel documents.

From sbanderson at impromed.com Mon Feb 8 19:39:24 2016
From: sbanderson at impromed.com (Scott B.
Anderson) Date: Mon, 8 Feb 2016 19:39:24 +0000 Subject: Virus Parser In-Reply-To: <56B8ED50.9030606@replies.cyways.com> References: <2144907174.690828.1454890626517.JavaMail.yahoo.ref@mail.yahoo.com> <2144907174.690828.1454890626517.JavaMail.yahoo@mail.yahoo.com> <56B8ED50.9030606@replies.cyways.com> Message-ID: <86e299bce0ec433d8324083fd211d8a0@ES5.impromed.com> How do you handle the new Office 97-05 trojan documents without macros that still contain Trojans that abuse the rtf 'engine' in office 2010/13/16 to root workstations without the .doc or .xls actually containing a macro? I had to outright block all of them both within Outlook using group policies and MailScanner using filename rules. (while still allowing docx and xlsx without macros) Scott -----Original Message----- From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Lemieux Sent: Monday, February 8, 2016 1:33 PM To: MailScanner Discussion Subject: Re: Virus Parser We use ClamAV to handle those files with macros. If you install a version of ClamAV alongside f-prot that provides the clamd server and configure MailScanner accordingly, you can change the directive in /etc/clamd.conf to read ScanOLE2 yes OLE2BlockMacros yes then files with macros will be treated as malware. The macros will not be stripped though. The message will be quarantined by MailScanner like any other piece of malware. In the organization I consult to, ordinary users have no need of files with macros, so blocking them all is the easiest solution. The recipient will get a notice that the message was quarantined, so you can pull the occasional legitimate file from there. Peter On 02/07/2016 07:17 PM, Moris Kod wrote: > Where would one tweak the virus scanner parser for f-prot? I'm trying to get > MailScanner to strip macros off of word and excel documents. -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -- Rely On Us. 
ImproMed LLC Henry Schein Animal Health -- From mark at msapiro.net Mon Feb 8 20:31:54 2016 From: mark at msapiro.net (Mark Sapiro) Date: Mon, 8 Feb 2016 12:31:54 -0800 Subject: Trimming the fat from MailScanner In-Reply-To: References: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> Message-ID: <56B8FB3A.7090304@msapiro.net> On 02/08/2016 10:31 AM, Kai Schaetzl wrote: > > As for update_virus_scanners, I see I have it in cron.hourly, while the > clamd updates insist on placing freshclam in cron.daily. True, but if you run freshclam as a daemon instead, it defaults to 12 daily checks. The Debian/Ubuntu clamav-freshclam package runs freshclam as a daemon with 24 daily checks, so for Debian/Ubuntu at least, update_virus_scanners is redundant. I have Disabled=yes in /etc/cron.hourly/update_virus_scanners. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From steveb_clamav at sanesecurity.com Mon Feb 8 20:44:37 2016 From: steveb_clamav at sanesecurity.com (Steve Basford) Date: Mon, 8 Feb 2016 20:44:37 -0000 Subject: Virus Parser In-Reply-To: <86e299bce0ec433d8324083fd211d8a0@ES5.impromed.com> References: <2144907174.690828.1454890626517.JavaMail.yahoo.ref@mail.yahoo.com> <2144907174.690828.1454890626517.JavaMail.yahoo@mail.yahoo.com> <56B8ED50.9030606@replies.cyways.com> <86e299bce0ec433d8324083fd211d8a0@ES5.impromed.com> Message-ID: <719be673fcf14769bb92692bb8501de1.squirrel@sanesecurity.com> On Mon, February 8, 2016 7:39 pm, Scott B. Anderson wrote: > How do you handle the new Office 97-05 trojan documents without macros > that still contain Trojans that abuse the rtf 'engine' in office > 2010/13/16 to root workstations without the .doc or .xls actually > containing a macro? > If you are using ClamAV you can block these easily with badmacro.ndb. In addition phish.ndb will block xml types with rogue.hdb to fill in the rest of the crappy stuff. 
http://sanesecurity.com/usage/linux-scripts/ Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com Twitter: @sanesecurity From steveb_clamav at sanesecurity.com Mon Feb 8 20:49:17 2016 From: steveb_clamav at sanesecurity.com (Steve Basford) Date: Mon, 8 Feb 2016 20:49:17 -0000 Subject: Virus Parser In-Reply-To: <56B8ED50.9030606@replies.cyways.com> References: <2144907174.690828.1454890626517.JavaMail.yahoo.ref@mail.yahoo.com> <2144907174.690828.1454890626517.JavaMail.yahoo@mail.yahoo.com> <56B8ED50.9030606@replies.cyways.com> Message-ID: On Mon, February 8, 2016 7:32 pm, Peter Lemieux wrote: > > ScanOLE2 yes > OLE2BlockMacros yes > > > then files with macros will be treated as malware. The macros will not > be stripped though. The message will be quarantined by MailScanner like > any other piece of malware. In the organization I consult to, ordinary > users have no need of files with macros, so blocking them all is the > easiest solution. Agreed the above option changes do work... but a lot of my users at work , do have a lot of macros embedded in various price lists etc, which got blocked by these options... hence badmacro.ndb was born :) Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com Twitter: @sanesecurity From moriskod at yahoo.com Tue Feb 9 03:46:01 2016 From: moriskod at yahoo.com (Moris Kod) Date: Tue, 9 Feb 2016 03:46:01 +0000 (UTC) Subject: Virus Parser In-Reply-To: References: Message-ID: <1026581334.1305929.1454989561822.JavaMail.yahoo@mail.yahoo.com> So I'll need to run CLAMD to access this feature?   I'm compiling clamav .99 on the system now. Also I'm looking at those .ndb files! From: Steve Basford To: MailScanner Discussion Sent: Monday, February 8, 2016 2:49 PM Subject: Re: Virus Parser   On Mon, February 8, 2016 7:32 pm, Peter Lemieux wrote: > > ScanOLE2 yes > OLE2BlockMacros yes > > > then files with macros will be treated as malware.  The macros will not > be stripped though.  
The message will be quarantined by MailScanner like
> any other piece of malware. In the organization I consult to, ordinary
> users have no need of files with macros, so blocking them all is the
> easiest solution.

Agreed the above option changes do work... but a lot of my users at work , do have a lot of macros embedded in various price lists etc, which got blocked by these options... hence badmacro.ndb was born :)

Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity

From gao at pztop.com Tue Feb 9 17:23:44 2016
From: gao at pztop.com (Gao)
Date: Tue, 9 Feb 2016 09:23:44 -0800
Subject: maillog stops logging?
In-Reply-To: <3033FCA1-FB66-4E37-B295-E38CDCEB3568@mailborder.com>
References: <56A9B2BF.4050309@msapiro.net> <56AA03D7.9040809@dld2000.com> <9EB16D8A-40A1-440A-A98B-C294DE0834FE@mailborder.com> <56AA04A0.8020004@dld2000.com> <37A25B26-D7CC-446E-8217-05DA80E1C4CA@mailborder.com> <56AA06A4.3080102@dld2000.com> <9D59755B-D3E2-4B70-863F-CBCF2F8D6A91@mailborder.com> <56AA4868.5010407@pztop.com> <3033FCA1-FB66-4E37-B295-E38CDCEB3568@mailborder.com>
Message-ID: <56BA20A0.8040608@pztop.com>

maillog stopped again!

3 log files stopped at the same time on Feb 7 13:45. They are maillog, messages and cron. Some log files still logging, such as httpd/*.log, sa-update.log, clamd.scan.,etc.

Check journald found file corruption:

# journalctl --verify
1f46d38: unused data (entry_offset==0)
1f46d88: invalid object
File corruption detected at /run/log/journal/822abf3b38544afcb5346a734f08a553/system.journal:1f46d88 (of 33554432 bytes, 97%).
FAIL: /run/log/journal/822abf3b38544afcb5346a734f08a553/system.journal (Cannot assign requested address)
PASS: /run/log/journal/822abf3b38544afcb5346a734f08a553/system@42c98256198545c485bbd99e9e589bf5-0000000000049c09-00052afaace2a075.journal
PASS: /run/log/journal/822abf3b38544afcb5346a734f08a553/system@42c98256198545c485bbd99e9e589bf5-00000000000409e2-00052ae4cec55f11.journal
PASS: /run/log/journal/822abf3b38544afcb5346a734f08a553/system@42c98256198545c485bbd99e9e589bf5-000000000003771a-00052acccca1c11e.journal
PASS: /run/log/journal/822abf3b38544afcb5346a734f08a553/system@42c98256198545c485bbd99e9e589bf5-000000000002e697-00052ab68d5d1e25.journal
PASS: /run/log/journal/822abf3b38544afcb5346a734f08a553/system@42c98256198545c485bbd99e9e589bf5-000000000002516e-00052a911a3bf907.journal
PASS: /run/log/journal/822abf3b38544afcb5346a734f08a553/system@42c98256198545c485bbd99e9e589bf5-000000000001be5a-00052a72742a9b9c.journal
PASS: /run/log/journal/822abf3b38544afcb5346a734f08a553/system@42c98256198545c485bbd99e9e589bf5-00000000000129c9-00052a5ac245cb21.journal
PASS: /run/log/journal/822abf3b38544afcb5346a734f08a553/system@42c98256198545c485bbd99e9e589bf5-000000000000959b-00052a426579c337.journal
PASS: /run/log/journal/822abf3b38544afcb5346a734f08a553/system@42c98256198545c485bbd99e9e589bf5-0000000000000001-00052a2b501c1ac9.journal

This time I fix the issue without restart my server. I just remove the corrupted file and restart the journald then the maillog back to work:

cd /run/log/journal/822abf3b38544afcb5346a734f08a553/
mv system.journal system.journal.bak
systemctl restart systemd-journald

Now it created a new system.journal file automatically. Run "journalctl --verify" shows all PASS. Check maillog it works fine now.

Gao

On 16-01-28 11:35 AM, Jerry Benton wrote:
> Gao,
>
> If you see this issue again, please tell me. I am really hoping that update you did contained the correction to the problem and it is not a problem with how Perl logs.
> > - > Jerry Benton > www.mailborder.com > > > >> On Jan 28, 2016, at 11:57 AM, Gao wrote: >> >> I had this issue as well. >> >> I am using CentOS 7.2 64bit and during the last month maillog stopped twice without any reason. When the maillog stops, message log also stopped. But other log (secure, fail2ban.,etc) keep working. I also have MailWatch on the same box and MailScanner still send records to MailWatch. >> >> I tried to restart rsyslogd and MailScanner and that didn't bring the logging back. I have to reboot the server then everything back to normal. >> >> Last time the maillog stopped is a week ago. I did a full "yum update" and reboot. So far the maillog is working well. Not sure what happened. I still have my finger crossed... >> >> Gao >> >> >> >> On 16-01-28 04:17 AM, Jerry Benton wrote: >>> What OS are you using? >>> >>> - >>> Jerry Benton >>> www.mailborder.com >>> >>> >>> >>>> On Jan 28, 2016, at 7:16 AM, Walt Thiessen wrote: >>>> >>>> My server at /etc/init.d/ doesn't have a file named rsyslog. >>>> >>>> Here's an ls -l for /etc/init.d/ >>>> >>>> >>>> drwxr-xr-x. 2 root root 4096 Jan 27 21:11 ./ >>>> drwxr-xr-x. 10 root root 4096 Jan 27 21:11 ../ >>>> -rwxr--r--. 1 root wheel 1151 Feb 25 2015 bandmin* >>>> -rw-r--r--. 1 root root 12972 Oct 10 00:07 cpfunctions >>>> -rwxr-xr-x 1 root root 2502 Dec 16 11:06 dovecot* >>>> -rwxr-xr-x 1 root root 1067 Jan 27 21:11 filelimits* >>>> -rw-r--r-- 1 root root 13948 Sep 16 07:51 functions >>>> -rwxr-xr-x 1 root root 2989 Sep 16 07:51 netconsole* >>>> -rwxr-xr-x 1 root root 6630 Sep 16 07:51 network* >>>> -rw-r--r-- 1 root root 1160 Nov 19 23:49 README >>>> >>>> >>>> On 1/28/2016 7:09 AM, Jerry Benton wrote: >>>>> /etc/init.d/rsyslog restart >>>>> >>>>> maybe? 
>>>>> >>>>> - >>>>> Jerry Benton >>>>> www.mailborder.com >>>>> >>>>> >>>>> >>>>>> On Jan 28, 2016, at 7:08 AM, Walt Thiessen wrote: >>>>>> >>>>>> Correct >>>>>> >>>>>> On 1/28/2016 7:05 AM, Jerry Benton wrote: >>>>>>> Both the MTA and MailScanner are not logging to it? >>>>>>> >>>>>>> - >>>>>>> Jerry Benton >>>>>>> www.mailborder.com >>>>>>> >>>>>>> >>>>>>> >>>>>>>> On Jan 28, 2016, at 7:04 AM, Walt Thiessen wrote: >>>>>>>> >>>>>>>> For some unknown reason, my /var/log/maillog stopped recording entries >>>>>>>> two days ago. There's plenty of available storage on the server ... only >>>>>>>> about 9% has been used. >>>>>>>> >>>>>>>> Exim_mainlog continues to record entries, but not maillog. >>>>>>>> >>>>>>>> MailScanner continues to scan emails. I can see the results of it in >>>>>>>> delivered emails' message source. X-org-name-MailScanner-Information >>>>>>>> shows up in the message source. >>>>>>>> >>>>>>>> Is there some way to turn maillog off and on that I should check? >>>>>>>> >>>>>>>> Walt Thiessen >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> MailScanner mailing list >>>>>>>> mailscanner at lists.mailscanner.info >>>>>>>> http://lists.mailscanner.info/listinfo/mailscanner >>>>>>>> >>>>>>> >>>>>> -- >>>>>> MailScanner mailing list >>>>>> mailscanner at lists.mailscanner.info >>>>>> http://lists.mailscanner.info/listinfo/mailscanner >>>>>> >>>>> >>>> -- >>>> MailScanner mailing list >>>> mailscanner at lists.mailscanner.info >>>> http://lists.mailscanner.info/listinfo/mailscanner >>>> >>> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> > > From moriskod at yahoo.com Wed Feb 10 07:53:43 2016 From: moriskod at yahoo.com (Moris Kod) Date: Wed, 10 Feb 2016 07:53:43 +0000 (UTC) Subject: Virus Parser In-Reply-To: References: Message-ID: <610391030.1939867.1455090823590.JavaMail.yahoo@mail.yahoo.com> I got this working today!   
I compiled the latest clam and got the clamdrunning on my box.  I had to tweak some mailscanner stuff and got the sanesecurity dbs downloading.    So far I have not found a bad macro doc or xls that the badmacro.ndb doesn't pickup on.  From: Steve Basford To: MailScanner Discussion Sent: Monday, February 8, 2016 2:49 PM Subject: Re: Virus Parser On Mon, February 8, 2016 7:32 pm, Peter Lemieux wrote: > > ScanOLE2 yes > OLE2BlockMacros yes > > > then files with macros will be treated as malware.  The macros will not > be stripped though.  The message will be quarantined by MailScanner like > any other piece of malware.  In the organization I consult to, ordinary > users have no need of files with macros, so blocking them all is the > easiest solution. Agreed the above option changes do work... but a lot of my users at work , do have a lot of macros embedded in various price lists etc, which got blocked by these options... hence badmacro.ndb was born :) Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com Twitter: @sanesecurity -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From jp_mailscanner at gcfl.net Thu Feb 11 04:31:32 2016 From: jp_mailscanner at gcfl.net (John Price) Date: Wed, 10 Feb 2016 22:31:32 -0600 Subject: Disable scanning outgoing mailing list mail Message-ID: <20160211043132.GA28900@gcfl.net> I've installed MailScanner on a Ubuntu machine with postfix. Seems to be working well, except all outgoing email is scanned. I run a mailing list (mailman) with some lists having thousands of subscribers, and I don't want to scan all those outgoing emails. How should I disable scanning those? Thanks, John -- All my life I said I wanted to be someone...I can see now that I should have been more specific. Have a great day and don't forget to laugh! 
http://www.gcfl.net (The Good, Clean Funnies List): Good, clean daily funnies you can safely tell your Mom! From mailscanner at replies.cyways.com Thu Feb 11 05:09:13 2016 From: mailscanner at replies.cyways.com (Peter H. Lemieux) Date: Thu, 11 Feb 2016 00:09:13 -0500 Subject: Disable scanning outgoing mailing list mail In-Reply-To: <20160211043132.GA28900@gcfl.net> References: <20160211043132.GA28900@gcfl.net> Message-ID: <56BC1779.9000904@replies.cyways.com> It depends on how the list messages are addressed. If there's a common address in the To field, like list at example.com, you can add whitelist entries for mail To: that address. E.g, in MailScanner.conf, use this directive: Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules and create the spam.whitelist.rules file to include the line: To: list at example.com yes FromOrTo: default no Now all mail to list at example.com will be sent unscanned, but all other messages will still be scanned. If you want to exempt list traffic from virus scanning as well, create a parallel virus.whitelist.rules file in that same directory, and use the directive Virus Scanning = %rules-dir%/virus.whitelist.rules in MailScanner.conf. One quirk of MailScanner is that you need to use "no" to exempt from virus scanning, so the rules file would read: To: list at example.com no FromOrTo: default yes My %rules-dir% is /etc/MailScanner/rules/. You could also key on things like "From: owner-listname" or some similar characteristic depending on how the list is configured. You do, I presume, scan inbound messages from the list subscribers, yes? I only screen them for malware and exempt list traffic from spam scanning. Since the lists I manage are all closed, I rely on the listserver software (majordomo2 in my case) to reject spams sent to the list. Of course, I can't do anything about bogus messages sent from hijacked accounts belonging to legitimate subscribers. 
Peter On 2/10/2016 11:31 PM, John Price wrote: > I run a mailing list (mailman) with some lists having thousands of > subscribers, and I don't want to scan all those outgoing emails. How > should I disable scanning those? From mark at msapiro.net Thu Feb 11 05:09:19 2016 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 10 Feb 2016 21:09:19 -0800 Subject: Disable scanning outgoing mailing list mail In-Reply-To: <20160211043132.GA28900@gcfl.net> References: <20160211043132.GA28900@gcfl.net> Message-ID: <56BC177F.3000405@msapiro.net> On 02/10/2016 08:31 PM, John Price wrote: > > I run a mailing list (mailman) with some lists having thousands of > subscribers, and I don't want to scan all those outgoing emails. How > should I disable scanning those? Set Scan Messages to be a rule set and in that rule set you can put things like From: 127.0.0.1 no or whatever you need to not scan the mail you want to exempt. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From maxsec at gmail.com Thu Feb 11 09:11:34 2016 From: maxsec at gmail.com (Martin Hepworth) Date: Thu, 11 Feb 2016 09:11:34 +0000 Subject: Disable scanning outgoing mailing list mail In-Reply-To: <56BC177F.3000405@msapiro.net> References: <20160211043132.GA28900@gcfl.net> <56BC177F.3000405@msapiro.net> Message-ID: Yeah Id use the ip-address of the mailman server as the whitelist entry to avoid the scanning On Thu, 11 Feb 2016 at 05:09, Mark Sapiro wrote: > On 02/10/2016 08:31 PM, John Price wrote: > > > > I run a mailing list (mailman) with some lists having thousands of > > subscribers, and I don't want to scan all those outgoing emails. How > > should I disable scanning those? > > > Set Scan Messages to be a rule set and in that rule set you can put > things like > > From: 127.0.0.1 no > > or whatever you need to not scan the mail you want to exempt. 
> > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Thu Feb 11 13:29:17 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 11 Feb 2016 08:29:17 -0500 Subject: Testing Server Status Message-ID: <281639AD-44F0-47BE-AC41-326DADBD7B55@mailborder.com> Server was down. (Thanks, Rackspace.) Testing functionality. - Jerry Benton www.mailborder.com From Pieter.Goris at cisanet.be Thu Feb 11 16:28:26 2016 From: Pieter.Goris at cisanet.be (Pieter Goris) Date: Thu, 11 Feb 2016 16:28:26 +0000 Subject: drobox Message-ID: Hi, Why is www.dropbox.com in phishing.bad.sites.conf? I tried to add it to phishing.safe.sites.conf to override this listing but the safe sites don't supersede the bad sites. Regards, Pieter Goris ------------------------------------------------------------------ This message has been scanned for viruses and dangerous content by Cisa Antispam Service, and is believed to be clean. ------------------------------------------------------------------ -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Thu Feb 11 16:30:03 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 11 Feb 2016 11:30:03 -0500 Subject: drobox In-Reply-To: References: Message-ID: <96013737-5996-43EC-8C70-12221FB0FF15@mailborder.com> Add it to phishing.safe.sites.custom Drop box is there because asshat malware hackers use it to deliver payloads. - Jerry Benton www.mailborder.com > On Feb 11, 2016, at 11:28 AM, Pieter Goris wrote: > > Hi, > > Why is www.dropbox.com in phishing.bad.sites.conf? 
I tried to add it to phishing.safe.sites.conf to override this listing but the safe sites don't supersede the bad sites. > > Regards, > Pieter Goris > > -- > This message has been scanned for viruses and dangerous content by > Cisa Antispam Service, and is believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From pparsons at techeez.com Fri Feb 12 00:42:53 2016 From: pparsons at techeez.com (Philip Parsons) Date: Fri, 12 Feb 2016 00:42:53 +0000 Subject: Has anyone else seen clamscan takeup 99% cpu Message-ID: <11D8E491D9562549A61FD3186F363420027CFBB04C@exchange.techeez.com> I have update mailscanner to the latest and clamav .99 and now when there is 30 messages clamscan take all the cpu ? any idea's Thank you. Philip Parsons -------------- next part -------------- An HTML attachment was scrubbed... URL: From moriskod at yahoo.com Fri Feb 12 18:12:05 2016 From: moriskod at yahoo.com (Moris Kod) Date: Fri, 12 Feb 2016 18:12:05 +0000 (UTC) Subject: Has anyone else seen clamscan takeup 99% cpu In-Reply-To: <11D8E491D9562549A61FD3186F363420027CFBB04C@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F363420027CFBB04C@exchange.techeez.com> Message-ID: <1911800359.3430827.1455300725104.JavaMail.yahoo@mail.yahoo.com> I would recommend setting up clamd.   I'm running this with 3rd party definitions and have minimal impact on server performance and cpu.  From: Philip Parsons To: MailScanner Discussion Sent: Thursday, February 11, 2016 6:42 PM Subject: Has anyone else seen clamscan takeup 99% cpu I have update mailscanner to the latest and clamav .99 and now when there is 30 messages clamscan take all the cpu ? any idea’s     Thank you. 
Philip Parsons   -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From mailscanner at replies.cyways.com Fri Feb 12 18:26:25 2016 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Fri, 12 Feb 2016 13:26:25 -0500 Subject: Has anyone else seen clamscan takeup 99% cpu In-Reply-To: <1911800359.3430827.1455300725104.JavaMail.yahoo@mail.yahoo.com> References: <11D8E491D9562549A61FD3186F363420027CFBB04C@exchange.techeez.com> <1911800359.3430827.1455300725104.JavaMail.yahoo@mail.yahoo.com> Message-ID: <56BE23D1.6040204@replies.cyways.com> We also use clamd, and it is definitely much faster than running clamscan on each message. In our implementation, clamd is also supporting SquidClamAV which scans every object downloaded via the "transparent" Squid proxy running on the same machine. Even with both MailScanner and SquidClamAV+c-icap making calls to clamd, it usually stays below 20% CPU usage. (This is a dual-Xeon machine which I'm sure helps a lot! It shows a long-term load average of just 0.5.) Peter On 02/12/2016 01:12 PM, Moris Kod wrote: > I would recommend setting up clamd. I'm running this with 3rd party > definitions and > have minimal impact on server performance and cpu. > > > ---------------------------------------------------------------------------- > *From:* Philip Parsons > *To:* MailScanner Discussion > *Sent:* Thursday, February 11, 2016 6:42 PM > *Subject:* Has anyone else seen clamscan takeup 99% cpu > > I have update mailscanner to the latest and clamav .99 and now when there is > 30 messages clamscan take all the cpu ? any idea’s > Thank you. 
> Philip Parsons From ci at holmco.de Tue Feb 16 10:47:55 2016 From: ci at holmco.de (Ralf Cirksena) Date: Tue, 16 Feb 2016 11:47:55 +0100 Subject: filetype permisson on per user base Message-ID: <20160216104755.GB10898@edv20.holmco.de> Hello, I need to build filetype and filename restrictions based on email addresses or domains (envelope from / to). I know for sure that is possible but I don't get it working. Where can I get some help? Thank you and greetings -- R. Cirksena From Antony.Stone at mailscanner.open.source.it Tue Feb 16 11:11:57 2016 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Tue, 16 Feb 2016 12:11:57 +0100 Subject: filetype permisson on per user base In-Reply-To: <20160216104755.GB10898@edv20.holmco.de> References: <20160216104755.GB10898@edv20.holmco.de> Message-ID: <201602161211.57416.Antony.Stone@mailscanner.open.source.it> On Tuesday 16 February 2016 at 11:47:55, Ralf Cirksena wrote: > Hello, > > I need to build filetype and filename restrictions based on email > addresses or domains (envelope from / to). MailScanner doesn't know about envelope addresses. You can only process header addresses. > I know for sure that is possible but I don't get it working. > Where can I get some help? See http://www.configserver.com/techfaq/faqlist.php?catid=5&faqid=21&page=2 for some examples. You can change the "FromOrTo" at the start of the lines to just "From" or just "To" depending on what you want to filter. For more details, look up "MailScanner Rulesets" - for example https://www.mailscanner.info/ - Docs - Manual - Chapter 5 (page 67). Antony. -- "Once you have a panic, things tend to become rather undefined." - murble Please reply to the list; please *don't* CC me. 

From ci at holmco.de Tue Feb 16 15:07:37 2016
From: ci at holmco.de (Ralf Cirksena)
Date: Tue, 16 Feb 2016 16:07:37 +0100
Subject: [mailscanner] Re: filetype permisson on per user base
In-Reply-To: <201602161211.57416.Antony.Stone@mailscanner.open.source.it>
References: <20160216104755.GB10898@edv20.holmco.de> <201602161211.57416.Antony.Stone@mailscanner.open.source.it>
Message-ID: <20160216150737.GD10898@edv20.holmco.de>

On Tue, Feb 16, 2016 at 12:11:57PM +0100 you wrote:

> MailScanner doesn't know about envelope addresses. You can only process
> header addresses.

O.k., I should have known that. ;-)

> See http://www.configserver.com/techfaq/faqlist.php?catid=5&faqid=21&page=2 for
> some examples.

Thank you. What I have now is:

/etc/Mailscanner/Mailscanner.conf:
    Filetype Rules = %etc-dir%/filetype.rules

/etc/Mailscanner/filetype.rules:
    From: *@domain1.tld %rules-dir%/filetype.rules.domain1.conf
    FromOrTo: *@domain2.tld %rules-dir%/filetype.rules.domain2.conf
    FromOrTo: default %rules-dir%/filetype.rules.conf

/etc/Mailscanner/rules/filetype.rules.conf
/etc/Mailscanner/rules/filetype.rules.domain1.conf
/etc/Mailscanner/rules/filetype.rules.domain2,conf

These 3 files are complete filetype rule files like:

    allow  text          -                            -
    allow  \bscript      -                            -
    allow  archive       -                            -
    allow  postscript    -                            -
    deny   self-extract  No self-extracting archives  No self-extracting archives allowed
    deny   Registry      No Windows Registry entries  No Windows Registry files allowed
    deny   executable    No executables               No programs allowed
    deny   ELF           No executables               No programs allowed

The only differences are the last 2 lines.

%rules-dir%/filetype.rules.domain1.conf:
    allow  executable    No executables               No programs allowed
    deny   ELF           No executables               No programs allowed

%rules-dir%/filetype.rules.domain1.conf:
    deny   executable    No executables               No programs allowed
    allow  ELF           No executables               No programs allowed

Is that the right way to assume that for every To: / From: / FromOrTo: line in /etc/Mailscanner/filetype.conf will be checked only the file in *that* line?

> For more details, look up "MailScanner Rulesets" - for example
> https://www.mailscanner.info/ - Docs - Manual - Chapter 5 (page 67).

I will read that. Thanks, that seems to be as detailed as I need it.

Greetings,
--
R. Cirksena

From Antony.Stone at mailscanner.open.source.it Tue Feb 16 15:40:58 2016
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Tue, 16 Feb 2016 16:40:58 +0100
Subject: [mailscanner] Re: filetype permisson on per user base
In-Reply-To: <20160216150737.GD10898@edv20.holmco.de>
References: <20160216104755.GB10898@edv20.holmco.de> <201602161211.57416.Antony.Stone@mailscanner.open.source.it> <20160216150737.GD10898@edv20.holmco.de>
Message-ID: <201602161640.58320.Antony.Stone@mailscanner.open.source.it>

On Tuesday 16 February 2016 at 16:07:37, Ralf Cirksena wrote:

> /etc/Mailscanner/filetype.rules:
> From: *@domain1.tld %rules-dir%/filetype.rules.domain1.conf
> FromOrTo: *@domain2.tld %rules-dir%/filetype.rules.domain2.conf

Remove the * so that you just have "@domain1.tld"

Antony.

--
Programming is a Dark Art, and it will always be. The programmer is fighting against the two most destructive forces in the universe: entropy and human stupidity. They're not things you can always overcome with a "methodology" or on a schedule.
 - Damian Conway, Perl God

Please reply to the list; please *don't* CC me.
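
[Added example, not part of any list message and not MailScanner's own code: a small offline checker for the top-level ruleset posted above. It shows which per-domain file a given header From/To pair selects and which referenced files are absent from the listing as typed. Assumptions: rules are tried top to bottom and the first match wins, `*` is the any-length wildcard mentioned in this thread, `default` matches everything, and all function names are hypothetical.]

```python
import re
from dataclasses import dataclass

# Constructed input: the ruleset and the file listing as typed in the post above.
RULESET = """\
From:     *@domain1.tld %rules-dir%/filetype.rules.domain1.conf
FromOrTo: *@domain2.tld %rules-dir%/filetype.rules.domain2.conf
FromOrTo: default       %rules-dir%/filetype.rules.conf
"""
VARIABLES = {"rules-dir": "/etc/Mailscanner/rules"}
FILES_PRESENT = {
    "/etc/Mailscanner/rules/filetype.rules.conf",
    "/etc/Mailscanner/rules/filetype.rules.domain1.conf",
    "/etc/Mailscanner/rules/filetype.rules.domain2,conf",  # comma, as typed
}
DIRECTIONS = {"from", "to", "fromorto"}  # only the directions used in the thread


@dataclass
class Rule:
    lineno: int
    direction: str
    pattern: str
    value: str


def parse_ruleset(text, variables):
    """Parse 'Direction: pattern value' lines and expand %name% variables."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'Direction: pattern value'")
        direction = parts[0].rstrip(":").lower()
        if direction not in DIRECTIONS:
            raise ValueError(f"line {lineno}: unknown direction {parts[0]!r}")
        value = parts[2].strip()
        for name, replacement in variables.items():
            value = value.replace(f"%{name}%", replacement)
        rules.append(Rule(lineno, direction, parts[1], value))
    return rules


def address_matches(pattern, address):
    """'default' matches anything; '*' matches any run of characters."""
    if pattern.lower() == "default":
        return True
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, address, re.IGNORECASE) is not None


def select_rule(rules, sender, recipients):
    """Return the first rule that matches the header addresses (assumed order)."""
    for rule in rules:
        from_hit = address_matches(rule.pattern, sender)
        to_hit = any(address_matches(rule.pattern, r) for r in recipients)
        if ((rule.direction == "from" and from_hit)
                or (rule.direction == "to" and to_hit)
                or (rule.direction == "fromorto" and (from_hit or to_hit))):
            return rule
    return None


def missing_files(rules, files_present):
    """Rule values that look like paths but are not in the given listing."""
    return [r.value for r in rules
            if r.value.startswith("/") and r.value not in files_present]


if __name__ == "__main__":
    rules = parse_ruleset(RULESET, VARIABLES)
    cases = [
        ("a@domain1.tld", ["b@domain2.tld"]),  # both domains involved
        ("x@other.tld", ["c@domain1.tld"]),    # mail *to* domain1
        ("x@other.tld", ["b@domain2.tld"]),
    ]
    for sender, rcpts in cases:
        rule = select_rule(rules, sender, rcpts)
        print(f"{sender} -> {rcpts}: line {rule.lineno} {rule.value}")
    for path in missing_files(rules, FILES_PRESENT):
        print("referenced but not in listing:", path)
```

Under these assumptions, mail addressed to domain1 from elsewhere falls through to the default file because the first rule is From: only, and the domain2 rule points at a file name that differs from the one in the listing.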

From Antony.Stone at mailscanner.open.source.it Tue Feb 16 15:57:03 2016
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Tue, 16 Feb 2016 16:57:03 +0100
Subject: [mailscanner] Re: filetype permisson on per user base
In-Reply-To: <201602161640.58320.Antony.Stone@mailscanner.open.source.it>
References: <20160216104755.GB10898@edv20.holmco.de> <20160216150737.GD10898@edv20.holmco.de> <201602161640.58320.Antony.Stone@mailscanner.open.source.it>
Message-ID: <201602161657.04302.Antony.Stone@mailscanner.open.source.it>

On Tuesday 16 February 2016 at 16:40:58, Antony Stone wrote:

> On Tuesday 16 February 2016 at 16:07:37, Ralf Cirksena wrote:
> > /etc/Mailscanner/filetype.rules:
> > From: *@domain1.tld %rules-dir%/filetype.rules.domain1.conf
> > FromOrTo: *@domain2.tld %rules-dir%/filetype.rules.domain2.conf
>
> Remove the * so that you just have "@domain1.tld"

Actually, no, that may not make a difference - I was thinking that this regexp parser interpreted * as being "zero or more of the previous symbol", but according to the manual it's just the "anything of any length" wildcard.

So, I hope someone else can provide an idea, because I don't see anything wrong with your ruleset (except for the comments, where you have both:

    deny ELF No executables No programs allowed
    allow ELF No executables No programs allowed

which, although MailScanner itself won't care, looks a bit odd and may be puzzling for future maintenance...)

Antony.

--
Ramdisk is not an installation procedure.

Please reply to the list; please *don't* CC me.

From moriskod at yahoo.com Tue Feb 16 17:48:41 2016
From: moriskod at yahoo.com (Moris Kod)
Date: Tue, 16 Feb 2016 17:48:41 +0000 (UTC)
Subject: Maximum line length in spam.blacklist.rules
In-Reply-To: <20160216150737.GD10898@edv20.holmco.de>
References: <20160216150737.GD10898@edv20.holmco.de>
Message-ID: <1924932712.5078617.1455644921979.JavaMail.yahoo@mail.yahoo.com>

What's the maximum line length in a config file?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jerry.benton at mailborder.com Tue Feb 16 17:52:49 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 16 Feb 2016 12:52:49 -0500
Subject: Maximum line length in spam.blacklist.rules
In-Reply-To: <1924932712.5078617.1455644921979.JavaMail.yahoo@mail.yahoo.com>
References: <20160216150737.GD10898@edv20.holmco.de> <1924932712.5078617.1455644921979.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <631BC523-58B0-40E4-AD76-6BA5F56492F3@mailborder.com>

depends on how much RAM and how many child processes you are running.

-
Jerry Benton
www.mailborder.com
Sent from my iPhone

> On Feb 16, 2016, at 12:48, Moris Kod wrote:
>
> What's the maximum line length in a config file?
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Denis.Beauchemin at usherbrooke.ca Tue Feb 16 18:01:43 2016
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Tue, 16 Feb 2016 18:01:43 +0000
Subject: [mailscanner] Re: filetype permisson on per user base
In-Reply-To: <20160216150737.GD10898@edv20.holmco.de>
References: <20160216104755.GB10898@edv20.holmco.de> <201602161211.57416.Antony.Stone@mailscanner.open.source.it> <20160216150737.GD10898@edv20.holmco.de>
Message-ID:

Maybe your problem lies with emails with multiple recipients where multiple rules could hit and the results would be unpredictable? Or the from hits one rule and the recipient another one?

Denis

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ralf Cirksena
Sent: 16 February 2016 10:08
To: MailScanner Discussion
Subject: Re: [mailscanner] Re: filetype permisson on per user base

On Tue, Feb 16, 2016 at 12:11:57PM +0100 you wrote:

> MailScanner doesn't know about envelope addresses. You can only
> process header addresses.

O.k., I should have known that. ;-)

> See
> http://www.configserver.com/techfaq/faqlist.php?catid=5&faqid=21&page=2 for some examples.

Thank you. What I have now is:

/etc/Mailscanner/Mailscanner.conf:
    Filetype Rules = %etc-dir%/filetype.rules

/etc/Mailscanner/filetype.rules:
    From: *@domain1.tld %rules-dir%/filetype.rules.domain1.conf
    FromOrTo: *@domain2.tld %rules-dir%/filetype.rules.domain2.conf
    FromOrTo: default %rules-dir%/filetype.rules.conf

/etc/Mailscanner/rules/filetype.rules.conf
/etc/Mailscanner/rules/filetype.rules.domain1.conf
/etc/Mailscanner/rules/filetype.rules.domain2,conf

These 3 files are complete filetype rule files like:

    allow  text          -                            -
    allow  \bscript      -                            -
    allow  archive       -                            -
    allow  postscript    -                            -
    deny   self-extract  No self-extracting archives  No self-extracting archives allowed
    deny   Registry      No Windows Registry entries  No Windows Registry files allowed
    deny   executable    No executables               No programs allowed
    deny   ELF           No executables               No programs allowed

The only differences are the last 2 lines.

%rules-dir%/filetype.rules.domain1.conf:
    allow  executable    No executables               No programs allowed
    deny   ELF           No executables               No programs allowed

%rules-dir%/filetype.rules.domain1.conf:
    deny   executable    No executables               No programs allowed
    allow  ELF           No executables               No programs allowed

Is that the right way to assume that for every To: / From: / FromOrTo: line in /etc/Mailscanner/filetype.conf will be checked only the file in *that* line?

> For more details, look up "MailScanner Rulesets" - for example
> https://www.mailscanner.info/ - Docs - Manual - Chapter 5 (page 67).

I will read that. Thanks, that seems to be as detailed as I need it.

Greetings,
--
R. Cirksena

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner

From ci at holmco.de Wed Feb 17 07:04:27 2016
From: ci at holmco.de (Ralf Cirksena)
Date: Wed, 17 Feb 2016 08:04:27 +0100
Subject: [mailscanner] Re: filetype permisson on per user base
In-Reply-To: <201602161657.04302.Antony.Stone@mailscanner.open.source.it>
References: <20160216104755.GB10898@edv20.holmco.de> <20160216150737.GD10898@edv20.holmco.de> <201602161640.58320.Antony.Stone@mailscanner.open.source.it> <201602161657.04302.Antony.Stone@mailscanner.open.source.it>
Message-ID: <20160217070427.GC22759@edv20.holmco.de>

On Tue, Feb 16, 2016 at 04:57:03PM +0100 you wrote:

> So, I hope someone else can provide an idea, because I don't see anything
> wrong with your ruleset (except for the comments, where you have both:
>
> deny ELF No executables No programs allowed
> allow ELF No executables No programs allowed

These are in different rule files. One for domain1 (deny), one for domain2 (allow). That is what I am trying to get working. Domain1 should not be able to get mails with ELF files attached, domain2 should be able to receive such files. For "everyone" (default) ELF attachments should be blocked.

> which, although MailScanner itself won't care, looks a bit odd and may be
> puzzling for future maintenance...)

It's only an example. In real life there are quite different file types between different groups of From: and To:.

Thank you for your help.

Greetings
--
R.
Cirksena

From ci at holmco.de Wed Feb 17 07:05:28 2016
From: ci at holmco.de (Ralf Cirksena)
Date: Wed, 17 Feb 2016 08:05:28 +0100
Subject: [mailscanner] Re: filetype permisson on per user base
In-Reply-To: <631BC523-58B0-40E4-AD76-6BA5F56492F3@mailborder.com>
References: <20160216150737.GD10898@edv20.holmco.de> <1924932712.5078617.1455644921979.JavaMail.yahoo@mail.yahoo.com> <631BC523-58B0-40E4-AD76-6BA5F56492F3@mailborder.com>
Message-ID: <20160217070528.GD22759@edv20.holmco.de>

On Tue, Feb 16, 2016 at 12:52:49PM -0500 you wrote:

> depends on how much RAM and how many child processes you are running.

So I assume that everything below 200 characters is o.k.?

Greetings
--
R. Cirksena

From jerry.benton at mailborder.com Wed Feb 17 12:21:22 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 17 Feb 2016 07:21:22 -0500
Subject: [mailscanner] Re: filetype permisson on per user base
In-Reply-To: <20160217070528.GD22759@edv20.holmco.de>
References: <20160216150737.GD10898@edv20.holmco.de> <1924932712.5078617.1455644921979.JavaMail.yahoo@mail.yahoo.com> <631BC523-58B0-40E4-AD76-6BA5F56492F3@mailborder.com> <20160217070528.GD22759@edv20.holmco.de>
Message-ID: <736BAF3B-4827-435A-B884-43655CD5C478@mailborder.com>

Yes. Should be no problem at all.

-
Jerry Benton
www.mailborder.com

> On Feb 17, 2016, at 2:05 AM, Ralf Cirksena wrote:
>
> On Tue, Feb 16, 2016 at 12:52:49PM -0500 you wrote:
>
>> depends on how much RAM and how many child processes you are running.
>
> So I assume that everything below 200 characters is o.k.?
>
>
> Greetings
> --
> R. Cirksena
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From egobrc at gmail.com Wed Feb 17 22:59:53 2016
From: egobrc at gmail.com (egobrc at gmail.com)
Date: Wed, 17 Feb 2016 23:59:53 +0100
Subject: Which distro?
Message-ID:

Hi everybody,
I am about to configure a new mail filter server based on MailScanner + MailWatch. Since I do not have any distro preferences or requirements, do you suggest a specific one? In the install guide Debian 8 is not mentioned (is it too recent?), so I think I will choose between CentOS 7 and Ubuntu LTS 14: is there a best distro for MailScanner?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From joh.hendriks at gmail.com Wed Feb 17 23:16:32 2016
From: joh.hendriks at gmail.com (Johan Hendriks)
Date: Thu, 18 Feb 2016 00:16:32 +0100
Subject: Which distro?
In-Reply-To:
References:
Message-ID:

The best distro is the distro you feel most comfortable with. If you feel like you own the OS, then that distro is the best choice. If you feel lost in the OS then that OS is not the OS you want to use. For me FreeBSD is the OS of choice. Ubuntu in my case is the OS where I feel lost.

On 18 Feb 2016 00:00, "egobrc at gmail.com" wrote:

> Hi everybody,
> I am about to configure a new mail filter server based on MailScanner +
> MailWatch. Since I do not have any distro preferences or requirements, do
> you suggest a specific one? In the install guide Debian 8 is not mentioned
> (is it too recent?), so I think I will choose between CentOS 7 and Ubuntu
> LTS 14: is there a best distro for MailScanner?
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From kevin.miller at juneau.org Wed Feb 17 23:17:35 2016
From: kevin.miller at juneau.org (Kevin Miller)
Date: Wed, 17 Feb 2016 23:17:35 +0000
Subject: Which distro?
In-Reply-To:
References:
Message-ID: <99b1d000207348f89d50eeb07477cc3b@City-Exch-DB1.cbj.local>

I’m running several MailScanner/MailWatch boxes on Debian Jessie. Works just fine. I did change the email server to Postfix from Exim but other than that it was pretty seamless.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of egobrc at gmail.com Sent: Wednesday, February 17, 2016 2:00 PM To: mailscanner at lists.mailscanner.info Subject: Which distro? Hi everybody, I am about to configure a new mail filter server based on MailScanner + MailWatch. Since I do not have any distro preferences or requirements, do you suggest a specific one? In the install guide Debian 8 is not mentioned (is it too recent?), so I think I will choose between CentOS 7 and Ubuntu LTS 14: is there a best distro for MailScanner? -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Wed Feb 17 23:50:48 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 17 Feb 2016 18:50:48 -0500 Subject: Which distro? In-Reply-To: <99b1d000207348f89d50eeb07477cc3b@City-Exch-DB1.cbj.local> References: <99b1d000207348f89d50eeb07477cc3b@City-Exch-DB1.cbj.local> Message-ID: <75240F2C-B777-471D-BBF1-DA4112D27C5B@mailborder.com> Kevin, I was actually thinking of switching from Postfix to Exim. What made you do the opposite? - Jerry Benton www.mailborder.com > On Feb 17, 2016, at 6:17 PM, Kevin Miller wrote: > > I’m running several MailScanner/MailWatch boxes on Debian Jessie. Works just fine. I did change the email server to Postfix from Exim but other than that it was pretty seamless. > > ...Kevin > -- > Kevin Miller > Network/email Administrator, CBJ MIS Dept. > 155 South Seward Street > Juneau, Alaska 99801 > Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 > > From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of egobrc at gmail.com > Sent: Wednesday, February 17, 2016 2:00 PM > To: mailscanner at lists.mailscanner.info > Subject: Which distro? 
> > Hi everybody, > I am about to configure a new mail filter server based on MailScanner + MailWatch. Since I do not have any distro preferences or requirements, do you suggest a specific one? In the install guide Debian 8 is not mentioned (is it too recent?), so I think I will choose between CentOS 7 and Ubuntu LTS 14: is there a best distro for MailScanner? > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Thu Feb 18 00:22:58 2016 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 17 Feb 2016 16:22:58 -0800 Subject: Test Message-ID: <56C50EE2.4010001@msapiro.net> -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From jerry.benton at mailborder.com Thu Feb 18 00:25:26 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 17 Feb 2016 19:25:26 -0500 Subject: List Server Change Notice Message-ID: We moved the list server to a new host. It may take a day for global DNS records to update. It will work now if you use mailscanner at ms1.mailscanner.info instead of mailscanner at lists.mailscanner.info. - Jerry Benton www.mailborder.com From arung at cdac.in Thu Feb 18 09:18:26 2016 From: arung at cdac.in (Arun Gupta) Date: Thu, 18 Feb 2016 14:48:26 +0530 (IST) Subject: ransomware malware Message-ID: Dear Sir/Madam, Is there any free opensource antivirus which MailScanner can use to catch ransomware malware. -- Thanks & Regards, Arun ------------------------------------------------------------------------------------------------------------------------------- [ C-DAC is on Social-Media too. Kindly follow us at: Facebook: https://www.facebook.com/CDACINDIA & Twitter: @cdacindia ] This e-mail is for the sole use of the intended recipient(s) and may contain confidential and privileged information. 
If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies and the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email is strictly prohibited and appropriate legal action will be taken.
-------------------------------------------------------------------------------

From jerry.benton at mailborder.com Thu Feb 18 12:18:48 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 18 Feb 2016 07:18:48 -0500
Subject: ransomware malware
In-Reply-To:
References:
Message-ID:

The ransomware that comes through email is typically not the ransomware itself. Usually it is a zipped HTML file labeled "resume.html" or something similar. The target user typically unzips the file, opens the HTML attachment, which then downloads a file via an iframe. The user then typically opens the downloaded file, which is a trojan.

So, if you look at that process the obvious weak point is the user. The first thing you need to do is train your users not to open attachments from people they do not know.

The next step is you must run a respectable antivirus package on your workstations. Preferably one that is centrally managed so that you can see if a workstation is falling out of date.

Use incremental cloud backups for critical data. Note that if you have a backup solution on site that is accessible from the user's workstation, it is not much good.

Do not attach network shares to a user's workstation unless they absolutely need it.

Set the correct permissions on network shares. If everyone can write to everything, you are just asking for disaster.

Note that some of this ransomware also comes through flash advertisements on valid websites. Disable and uninstall flash on everything. You do not need flash anymore.

You can block HTML attachments in MailScanner if you like, even if they are in zip files.

The biggest exploit for ransomware is uneducated users and lax architecture. If you do things the way they are supposed to be done, you greatly reduce your risk to ransomware and a whole host of other problems.

-
Jerry Benton
www.mailborder.com

> On Feb 18, 2016, at 4:18 AM, Arun Gupta wrote:
>
> Dear Sir/Madam,
>
> Is there any free opensource antivirus which MailScanner can use to catch ransomware malware.
>
>
> --
>
> Thanks & Regards,
>
> Arun
>
> -------------------------------------------------------------------------------
> [ C-DAC is on Social-Media too. Kindly follow us at:
> Facebook: https://www.facebook.com/CDACINDIA & Twitter: @cdacindia ]
>
> This e-mail is for the sole use of the intended recipient(s) and may
> contain confidential and privileged information. If you are not the
> intended recipient, please contact the sender by reply e-mail and destroy
> all copies and the original message. Any unauthorized review, use,
> disclosure, dissemination, forwarding, printing or copying of this email
> is strictly prohibited and appropriate legal action will be taken.
> -------------------------------------------------------------------------------
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From jerry.benton at mailborder.com Thu Feb 18 12:58:09 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 18 Feb 2016 07:58:09 -0500
Subject: Spam on List
Message-ID:

I see the spam coming through the list server. We will work on it today.

-
Jerry Benton
www.mailborder.com

From endelwar at aregar.it Thu Feb 18 07:26:31 2016
From: endelwar at aregar.it (Manuel Dalla Lana)
Date: Thu, 18 Feb 2016 08:26:31 +0100
Subject: Which distro?
In-Reply-To: References: Message-ID: <56C57227.90907@aregar.it> Il 17/02/16 23:59, egobrc at gmail.com ha scritto: > Since I do not have any distro preferences or requirements, do you > suggest a specific one? Beware of systemd centric distros like RHEL 7 and its clones. Personally I'm on Debian 7 for all my MailScanner/MailWatch servers (running with postfix) until devuan (https://devuan.org/) is marked stable; also development of MailWatch and MailWatch2 is done on Debian 7 Manuel From heino.backhaus at fink-computer.de Thu Feb 18 14:18:31 2016 From: heino.backhaus at fink-computer.de (Heino Backhaus) Date: Thu, 18 Feb 2016 15:18:31 +0100 Subject: Virus detected by Clamd is not blocked by Mailscanner Message-ID: <56C5D2B7.8080909@fink-computer.de> Hello List, Today I recognized a quarantined mail, detected as spam, with a word document attached. So i downloaded this word document and scanned it with clamdscan on my mailscanner machine and clamd found a virus: root at mailscanner2014:~# clamdscan VIRUS-invoice_27638121.doc VIRUS-invoice_27638121.doc: Sanesecurity.Malware.25947.XmlHeurGen.UNOFFICIAL FOUND ----------- SCAN SUMMARY ----------- Infected files: 1 Time: 0.129 sec (0 m 0 s) I was wondering why it was detected as spam and not as a virus... I attached this word document to a mail and sent it to through my mailscanner machine...and it whent through. Does anybody's got an Idea where i could look for a configuration error? Other viruses like clamav-testfile attached to mails are being detected correctly. It's MailScanner-4.84.6-1 and ClamAV devel-clamav-0.99-beta1-363-g0ea036a/21384/Wed Feb 17 21:12:50 2016 MailScanner.conf: ... # This *cannot* be the filename of a ruleset. Virus Scanners = clamd ... clamd.conf: ... OLE2BlockMacros yes ... -- Mit freundlichen Gruessen H. Backhaus Fink-Computer Systeme Heggrabenstr. 
9, 35435 Wettenberg Email: heino.backhaus at fink-computer.de Web: www.fink-computer.de Fax: +49-641-98444638 Fon: +49-641-98444640 UST-ID: DE151040770 HRB: 2143 Gie?en GF: Fredi Fink "In retrospect it becomes clear that hindsight is definitely overrated!" -Alfred E. Neumann From iversons at rushville.k12.in.us Thu Feb 18 16:39:57 2016 From: iversons at rushville.k12.in.us (Shawn Iverson) Date: Thu, 18 Feb 2016 11:39:57 -0500 Subject: Virus detected by Clamd is not blocked by Mailscanner In-Reply-To: <56C5D2B7.8080909@fink-computer.de> References: <56C5D2B7.8080909@fink-computer.de> Message-ID: That's an "UNOFFICIAL" rule, I believe there some "viruses" are treated as spam in the MailScanner.conf file. There's an exceptions list... On Thu, Feb 18, 2016 at 9:18 AM, Heino Backhaus < heino.backhaus at fink-computer.de> wrote: > Hello List, > > Today I recognized a quarantined mail, detected as spam, with a word > document attached. So i downloaded > this word document and scanned it with clamdscan on my mailscanner machine > and clamd found a virus: > > root at mailscanner2014:~# clamdscan VIRUS-invoice_27638121.doc > VIRUS-invoice_27638121.doc: > Sanesecurity.Malware.25947.XmlHeurGen.UNOFFICIAL FOUND > > ----------- SCAN SUMMARY ----------- > Infected files: 1 > Time: 0.129 sec (0 m 0 s) > > I was wondering why it was detected as spam and not as a virus... I > attached this word document > to a mail and sent it to through my mailscanner machine...and it whent > through. > > Does anybody's got an Idea where i could look for a configuration error? > Other viruses like clamav-testfile attached to mails are being detected > correctly. > > It's MailScanner-4.84.6-1 and ClamAV > devel-clamav-0.99-beta1-363-g0ea036a/21384/Wed Feb 17 21:12:50 2016 > > MailScanner.conf: > ... > # This *cannot* be the filename of a ruleset. > Virus Scanners = clamd > ... > > clamd.conf: > ... > OLE2BlockMacros yes > ... > > -- > Mit freundlichen Gruessen > > H. 
Backhaus > > Fink-Computer Systeme > Heggrabenstr. 9, 35435 Wettenberg > Email: heino.backhaus at fink-computer.de > Web: www.fink-computer.de > Fax: +49-641-98444638 > Fon: +49-641-98444640 > UST-ID: DE151040770 > HRB: 2143 Gie?en > GF: Fredi Fink > > "In retrospect it becomes clear that hindsight is definitely overrated!" > -Alfred E. Neumann > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > -- Shawn Iverson Director of Technology Rush County Schools 765-932-3901 x271 iversons at rushville.k12.in.us -------------- next part -------------- An HTML attachment was scrubbed... URL: From iversons at rushville.k12.in.us Thu Feb 18 16:59:28 2016 From: iversons at rushville.k12.in.us (Shawn Iverson) Date: Thu, 18 Feb 2016 11:59:28 -0500 Subject: Virus detected by Clamd is not blocked by Mailscanner In-Reply-To: References: <56C5D2B7.8080909@fink-computer.de> Message-ID: Here it is... Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish* On Thu, Feb 18, 2016 at 11:39 AM, Shawn Iverson < iversons at rushville.k12.in.us> wrote: > That's an "UNOFFICIAL" rule, I believe there some "viruses" are treated as > spam in the MailScanner.conf file. There's an exceptions list... > > On Thu, Feb 18, 2016 at 9:18 AM, Heino Backhaus < > heino.backhaus at fink-computer.de> wrote: > >> Hello List, >> >> Today I recognized a quarantined mail, detected as spam, with a word >> document attached. So i downloaded >> this word document and scanned it with clamdscan on my mailscanner >> machine and clamd found a virus: >> >> root at mailscanner2014:~# clamdscan VIRUS-invoice_27638121.doc >> VIRUS-invoice_27638121.doc: >> Sanesecurity.Malware.25947.XmlHeurGen.UNOFFICIAL FOUND >> >> ----------- SCAN SUMMARY ----------- >> Infected files: 1 >> Time: 0.129 sec (0 m 0 s) >> >> I was wondering why it was detected as spam and not as a virus... 
I >> attached this word document >> to a mail and sent it to through my mailscanner machine...and it whent >> through. >> >> Does anybody's got an Idea where i could look for a configuration error? >> Other viruses like clamav-testfile attached to mails are being detected >> correctly. >> >> It's MailScanner-4.84.6-1 and ClamAV >> devel-clamav-0.99-beta1-363-g0ea036a/21384/Wed Feb 17 21:12:50 2016 >> >> MailScanner.conf: >> ... >> # This *cannot* be the filename of a ruleset. >> Virus Scanners = clamd >> ... >> >> clamd.conf: >> ... >> OLE2BlockMacros yes >> ... >> >> -- >> Mit freundlichen Gruessen >> >> H. Backhaus >> >> Fink-Computer Systeme >> Heggrabenstr. 9, 35435 Wettenberg >> Email: heino.backhaus at fink-computer.de >> Web: www.fink-computer.de >> Fax: +49-641-98444638 >> Fon: +49-641-98444640 >> UST-ID: DE151040770 >> HRB: 2143 Gie?en >> GF: Fredi Fink >> >> "In retrospect it becomes clear that hindsight is definitely overrated!" >> -Alfred E. Neumann >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> >> > > > -- > Shawn Iverson > Director of Technology > Rush County Schools > 765-932-3901 x271 > iversons at rushville.k12.in.us > > > -- Shawn Iverson Director of Technology Rush County Schools 765-932-3901 x271 iversons at rushville.k12.in.us -------------- next part -------------- An HTML attachment was scrubbed... URL: From steveb_clamav at sanesecurity.com Thu Feb 18 17:07:58 2016 From: steveb_clamav at sanesecurity.com (Steve basford) Date: Thu, 18 Feb 2016 17:07:58 +0000 Subject: Virus detected by Clamd is not blocked by Mailscanner In-Reply-To: References: <56C5D2B7.8080909@fink-computer.de> Message-ID: <152f55a3db0.27d8.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com> On 18 February 2016 17:00:36 Shawn Iverson wrote: > Here it is... 
> > Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish* > > > There some map names here that could be adjusted to mailscanner format.. http://sanesecurity.com/support/problems/ Cheers, Steve Web: sanesecurity.com Blog: sanesecurity.blogspot.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From kevin.miller at juneau.org Thu Feb 18 00:19:36 2016 From: kevin.miller at juneau.org (Kevin Miller) Date: Thu, 18 Feb 2016 00:19:36 +0000 Subject: Which distro? In-Reply-To: <75240F2C-B777-471D-BBF1-DA4112D27C5B@mailborder.com> References: <99b1d000207348f89d50eeb07477cc3b@City-Exch-DB1.cbj.local> <75240F2C-B777-471D-BBF1-DA4112D27C5B@mailborder.com> Message-ID: <02e8974b5ec543abaa76655f7dbaedd2@City-Exch-DB1.cbj.local> Postfix seemed to be a bit more intuitive I guess. Of course, anything new is going to look daunting at first. I started out with sendmail years ago. Never delved to deeply into it but was able to manage the macro files OK and get basic things like greet-pause working. Never tried to edit a .cf file by hand. Extending Postfix looked to be easier than sendmail so when I was building the new servers I figured it was time to learn it. That and having followed the MailScanner discussion list for somewhere around 13 years now it seems that most folks were using sendmail or postfix with a handful using Exim. I figure I had a better chance of getting help and finding wiki pages about setting up Postfix. Whether true or not I don?t know but that was my gut feeling. I thought you were already a Exim fan. I tried to get mailborder up a couple years ago, but all the additional python stuff threw me for a loop. I stumbled through it but then it was giving me some other errors finally cut my losses. It was configured for Exim IIRC? ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 
155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: Wednesday, February 17, 2016 2:51 PM To: MailScanner Discussion Subject: Re: Which distro? Kevin, I was actually thinking of switching from Postfix to Exim. What made you do the opposite? - Jerry Benton www.mailborder.com On Feb 17, 2016, at 6:17 PM, Kevin Miller > wrote: I?m running several MailScanner/MailWatch boxes on Debian Jessie. Works just fine. I did change the email server to Postfix from Exim but other than that it was pretty seamless. ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of egobrc at gmail.com Sent: Wednesday, February 17, 2016 2:00 PM To: mailscanner at lists.mailscanner.info Subject: Which distro? Hi everybody, I am about to configure a new mail filter server based on MailScanner + MailWatch. Since I do not have any distro preferences or requirements, do you suggest a specific one? In the install guide Debian 8 is not mentioned (is it too recent?), so I think I will choose between CentOS 7 and Ubuntu LTS 14: is there a best distro for MailScanner? -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... 
URL:

From ci at holmco.de Fri Feb 19 07:54:35 2016
From: ci at holmco.de (Ralf Cirksena)
Date: Fri, 19 Feb 2016 08:54:35 +0100
Subject: [mailscanner] Re: [mailscanner] Re: filetype permisson on per user base
In-Reply-To: <20160216150737.GD10898@edv20.holmco.de>
References: <20160216104755.GB10898@edv20.holmco.de> <201602161211.57416.Antony.Stone@mailscanner.open.source.it> <20160216150737.GD10898@edv20.holmco.de>
Message-ID: <20160219075435.GB31269@edv20.holmco.de>

On Tue, Feb 16, 2016 at 04:07:37PM +0100 I wrote:
> On Tue, Feb 16, 2016 at 12:11:57PM +0100 you wrote:
> /etc/Mailscanner/Mailscanner.conf:
> Filetype Rules = %etc-dir%/filetype.rules
>
> /etc/Mailscanner/filetype.rules:
> From: *@domain1.tld %rules-dir%/filetype.rules.domain1.conf
> FromOrTo: *@domain2.tld %rules-dir%/filetype.rules.domain2.conf
> FromOrTo: default %rules-dir%/filetype.rules.conf
>
> /etc/Mailscanner/rules/filetype.rules.conf
> /etc/Mailscanner/rules/filetype.rules.domain1.conf
> /etc/Mailscanner/rules/filetype.rules.domain2,conf
> ....

meanwhile I wrote the filename rules fresh from scratch. That finally worked.
Thanks for all helpful hints.

Greetings
--
R. Cirksena

From heino.backhaus at fink-computer.de Fri Feb 19 08:24:03 2016
From: heino.backhaus at fink-computer.de (Heino Backhaus)
Date: Fri, 19 Feb 2016 09:24:03 +0100
Subject: Virus detected by Clamd is not blocked by Mailscanner
In-Reply-To:
References: <56C5D2B7.8080909@fink-computer.de>
Message-ID: <56C6D123.3090101@fink-computer.de>

Thanks for the Answer.

Good shot - but why did a new mail with the virus/Word-Document attached go through.
Clamd still detects the word document as Virus on manual command line scan.
If you're right it should be detected as spam as soon as the Document is attached, right?
Kind of strange to me this is.

On 18.02.2016 at 17:59, Shawn Iverson wrote:
> Here it is...
>
> Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
>
>
> On Thu, Feb 18, 2016 at 11:39 AM, Shawn Iverson
>
>
> wrote:
>
> That's an "UNOFFICIAL" rule, I believe there some "viruses" are
> treated as spam in the MailScanner.conf file. There's an
> exceptions list...
>
> On Thu, Feb 18, 2016 at 9:18 AM, Heino Backhaus
>
> wrote:
>
> Hello List,
>
> Today I recognized a quarantined mail, detected as spam, with
> a word document attached. So I downloaded
> this word document and scanned it with clamdscan on my
> mailscanner machine and clamd found a virus:
>
> root at mailscanner2014:~# clamdscan VIRUS-invoice_27638121.doc
> VIRUS-invoice_27638121.doc:
> Sanesecurity.Malware.25947.XmlHeurGen.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.129 sec (0 m 0 s)
>
> I was wondering why it was detected as spam and not as a
> virus... I attached this word document
> to a mail and sent it through my mailscanner machine...and
> it went through.
>
> Does anybody's got an Idea where I could look for a
> configuration error?
> Other viruses like clamav-testfile attached to mails are being
> detected correctly.
>
> It's MailScanner-4.84.6-1 and ClamAV
> devel-clamav-0.99-beta1-363-g0ea036a/21384/Wed Feb 17 21:12:50
> 2016
>
> MailScanner.conf:
> ...
> # This *cannot* be the filename of a ruleset.
> Virus Scanners = clamd
> ...
>
> clamd.conf:
> ...
> OLE2BlockMacros yes
> ...
>
> --
> Kind regards
>
> H. Backhaus
>
> Fink-Computer Systeme
> Heggrabenstr. 9, 35435 Wettenberg
> Email: heino.backhaus at fink-computer.de
>
> Web: www.fink-computer.de
> Fax: +49-641-98444638
> Fon: +49-641-98444640
> UST-ID: DE151040770
> HRB: 2143 Gießen
> GF: Fredi Fink
>
> "In retrospect it becomes clear that hindsight is definitely
> overrated!"
> -Alfred E. Neumann
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
>
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
>
>
> --
> Shawn Iverson
> Director of Technology
> Rush County Schools
> 765-932-3901 x271
> iversons at rushville.k12.in.us
>
>
>
>
>
> --
> Shawn Iverson
> Director of Technology
> Rush County Schools
> 765-932-3901 x271
> iversons at rushville.k12.in.us
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From email at ace.net.au Fri Feb 19 08:36:05 2016
From: email at ace.net.au (Peter Nitschke)
Date: Fri, 19 Feb 2016 19:06:05 +1030
Subject: Which distro?
In-Reply-To: <56C57227.90907@aregar.it>
References: <56C57227.90907@aregar.it>
Message-ID: <201602191906050197.0F507BEB@web.ace.net.au>

I am curious, why does systemd bother you?

I freaked at first, but after taking a deep breath I find it very good.

Peter

*********** REPLY SEPARATOR ***********

On 18/02/2016 at 8:26 AM Manuel Dalla Lana wrote:

>On 17/02/16 23:59, egobrc at gmail.com wrote:
>> Since I do not have any distro preferences or requirements, do you
>> suggest a specific one?
>Beware of systemd centric distros like RHEL 7 and its clones.
>Personally I'm on Debian 7 for all my MailScanner/MailWatch servers
>(running with postfix) until devuan (https://devuan.org/) is marked
>stable; also development of MailWatch and MailWatch2 is done on Debian 7
>
>Manuel
>
>
>--
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/listinfo/mailscanner

From mark at msapiro.net Fri Feb 19 17:42:12 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 19 Feb 2016 09:42:12 -0800
Subject: Virus detected by Clamd is not blocked by Mailscanner
In-Reply-To: <56C6D123.3090101@fink-computer.de>
References: <56C5D2B7.8080909@fink-computer.de> <56C6D123.3090101@fink-computer.de>
Message-ID: <56C753F4.3000301@msapiro.net>

On 02/19/2016 12:24 AM, Heino Backhaus wrote:
> Thanks for the Answer.
>
> Good shot - but why did a new mail with the virus/Word-Document attached
> go through.
> Clamd still detects the word document as Virus on manual command line scan.
> If you're right it should be detected as spam as soon as the Document is
> attached, right?

It is detected by clamd as Sanesecurity.Malware.25947.XmlHeurGen.UNOFFICIAL

This matches something in your MailScanner configuration setting "Virus Names Which Are Spam" so Mailscanner does not treat this detection as a virus but rather as spam.

What it then does is add a header as defined by "Spam-Virus Header" in your MailScanner config together with the name of the detection. The default setting is

    Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:

So for example in my case this detection would be

    X-GPC-MailScanner-SpamVirus-Report: Sanesecurity.Malware.25947.XmlHeurGen.UNOFFICIAL

Then the next step is in /etc/MailScanner/spam.assassin.prefs.conf as distributed, you'll see

    #
    # The header name in the next line must have your %org-name% added into it,
    # so that it matches what is set in "Spam-Virus Header" in your
    # MailScanner.conf file.
    #
    header MS_FOUND_SPAMVIRUS exists:X-MailScanner-SpamVirus-Report
    score MS_FOUND_SPAMVIRUS 3.0

You need to edit that as it says. Again in my case I change the header line to

    header MS_FOUND_SPAMVIRUS exists:X-GPC-MailScanner-SpamVirus-Report

and you can also adjust the score as you wish. Then this clamd detection will score that many points in spamassassin.

--
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan

From patrick at yoopermail.us Sat Feb 20 23:47:18 2016
From: patrick at yoopermail.us (Patrick Goupell)
Date: Sat, 20 Feb 2016 18:47:18 -0500
Subject: MailScanner-4.85.2-3.deb package install
Message-ID: <56C8FB06.60202@yoopermail.us>

During install of this package on debian jessie I got the following error:

Can't open /etc/freshclam.conf: No such file or directory.

The freshclam.conf file resides in /etc/clamav.

I set a symbolic link

    ln -s /etc/clamav/freshclam.conf /etc/freshclam.conf

and it appears to work.

Just wanted to let you know.

--
Patrick Goupell

Are you free? Find out at http://www.sedm.org/
Income taxes? Find out at http://www.whatistaxed.com

From mark at msapiro.net Sun Feb 21 01:21:16 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 20 Feb 2016 17:21:16 -0800
Subject: MailScanner-4.85.2-3.deb package install
In-Reply-To: <56C8FB06.60202@yoopermail.us>
References: <56C8FB06.60202@yoopermail.us>
Message-ID: <56C9110C.50105@msapiro.net>

On 02/20/2016 03:47 PM, Patrick Goupell wrote:
> During install of this package on debian jessie I got the following error:
>
> Can't open /etc/freshclam.conf: No such file or directory.

Strange...

The only reference to /etc/freshclam.conf I can find is in the install.sh script which does

    # fix the stupid line in /etc/freshclam.conf that disables freshclam
    if [ $CAV == 1 ]; then
        clear
        echo;
        echo "Installing Clam AV via apt ... "; echo;
        timewait 3
        $APTGET -y install $CAVOPTION
        COUT='#Example';
        if [ -f "/etc/freshclam.conf" ]; then
            perl -pi -e 's/Example/'$COUT'/;' /etc/freshclam.conf
        fi
    fi

which, if you're installing clamav, calls apt-get to install clamav and then attempts to comment out an 'Example' line in /etc/freshclam.conf, but only if /etc/freshclam.conf is a file.

This should not be complaining if /etc/freshclam.conf doesn't exist.

Can you be more specific about the context in which you saw this?

--
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan

From patrick at yoopermail.us Sun Feb 21 13:33:17 2016
From: patrick at yoopermail.us (Patrick Goupell)
Date: Sun, 21 Feb 2016 08:33:17 -0500
Subject: MailScanner-4.85.2-3.deb package install
In-Reply-To: <56C9110C.50105@msapiro.net>
References: <56C8FB06.60202@yoopermail.us> <56C9110C.50105@msapiro.net>
Message-ID: <56C9BC9D.7070904@yoopermail.us>

From a terminal shell (/bin/bash) as root I run

    wget https://s3.amazonaws.com/mailscanner/release/v4/deb/MailScanner-4.85.2-3.deb.tar.gz
    tar -xvf MailScanner*.tar.gz
    cd MailScanner*
    ./install.sh

I select postfix for the mta, take the defaults for all other questions.

Attached is the mailscanner-install.log. At line 453 the error message appears.

On 02/20/2016 08:21 PM, Mark Sapiro wrote:
> On 02/20/2016 03:47 PM, Patrick Goupell wrote:
>> During install of this package on debian jessie I got the following error:
>>
>> Can't open /etc/freshclam.conf: No such file or directory.
>
> Strange...
>
> The only reference to /etc/freshclam.conf I can find is in the
> install.sh script which does
>
>
> # fix the stupid line in /etc/freshclam.conf that disables freshclam
> if [ $CAV == 1 ]; then
>     clear
>     echo;
>     echo "Installing Clam AV via apt ... "; echo;
>     timewait 3
>     $APTGET -y install $CAVOPTION
>     COUT='#Example';
>     if [ -f "/etc/freshclam.conf" ]; then
>         perl -pi -e 's/Example/'$COUT'/;' /etc/freshclam.conf
>     fi
> fi
>
> which, if you're installing clamav, calls apt-get to install clamav and
> then attempts to comment out an 'Example' line in /etc/freshclam.conf,
> but only if /etc/freshclam.conf is a file.
>
> This should not be complaining if /etc/freshclam.conf doesn't exist.
>
> Can you be more specific about the context in which you saw this?
>

--
Patrick Goupell

Are you free? Find out at http://www.sedm.org/
Income taxes? Find out at http://www.whatistaxed.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner-install.log.tar.gz
Type: application/gzip
Size: 16816 bytes
Desc: not available
URL:

From patrick at yoopermail.us Sun Feb 21 13:47:37 2016
From: patrick at yoopermail.us (Patrick Goupell)
Date: Sun, 21 Feb 2016 08:47:37 -0500
Subject: MailScanner-4.85.2-3.deb package install
In-Reply-To: <56C9BC9D.7070904@yoopermail.us>
References: <56C8FB06.60202@yoopermail.us> <56C9110C.50105@msapiro.net> <56C9BC9D.7070904@yoopermail.us>
Message-ID: <56C9BFF9.7020507@yoopermail.us>

I may have found the problem.

I think I did the ln -s symbolic link before I ran the install.sh.

I will restore the vm images and rerun.

On 02/21/2016 08:33 AM, Patrick Goupell wrote:
> From a terminal shell (/bin/bash) as root I run
>
> wget
> https://s3.amazonaws.com/mailscanner/release/v4/deb/MailScanner-4.85.2-3.deb.tar.gz
>
> tar -xvf MailScanner*.tar.gz
> cd MailScanner*
> ./install.sh
>
> I select postfix for the mta, take the defaults for all other questions.
>
> Attached is the mailscanner-install.log. At line 453 the error
> message appears.
>
>
>
> On 02/20/2016 08:21 PM, Mark Sapiro wrote:
>> On 02/20/2016 03:47 PM, Patrick Goupell wrote:
>>> During install of this package on debian jessie I got the following
>>> error:
>>>
>>> Can't open /etc/freshclam.conf: No such file or directory.
>>
>> Strange...
>>
>> The only reference to /etc/freshclam.conf I can find is in the
>> install.sh script which does
>>
>>
>> # fix the stupid line in /etc/freshclam.conf that disables freshclam
>> if [ $CAV == 1 ]; then
>>     clear
>>     echo;
>>     echo "Installing Clam AV via apt ... "; echo;
>>     timewait 3
>>     $APTGET -y install $CAVOPTION
>>     COUT='#Example';
>>     if [ -f "/etc/freshclam.conf" ]; then
>>         perl -pi -e 's/Example/'$COUT'/;' /etc/freshclam.conf
>>     fi
>> fi
>>
>> which, if you're installing clamav, calls apt-get to install clamav and
>> then attempts to comment out an 'Example' line in /etc/freshclam.conf,
>> but only if /etc/freshclam.conf is a file.
>>
>> This should not be complaining if /etc/freshclam.conf doesn't exist.
>>
>> Can you be more specific about the context in which you saw this?
>>
>
>
>
>

--
Patrick Goupell

Are you free? Find out at http://www.sedm.org/
Income taxes? Find out at http://www.whatistaxed.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From patrick at yoopermail.us Sun Feb 21 14:10:21 2016
From: patrick at yoopermail.us (Patrick Goupell)
Date: Sun, 21 Feb 2016 09:10:21 -0500
Subject: MailScanner-4.85.2-3.deb package install
In-Reply-To: <56C9BFF9.7020507@yoopermail.us>
References: <56C8FB06.60202@yoopermail.us> <56C9110C.50105@msapiro.net> <56C9BC9D.7070904@yoopermail.us> <56C9BFF9.7020507@yoopermail.us>
Message-ID: <56C9C54D.7090408@yoopermail.us>

My mistake.

Ignore the reported problem.

On 02/21/2016 08:47 AM, Patrick Goupell wrote:
> I may have found the problem.
>
> I think I did the ln -s symbolic link before I ran the install.sh.
>
> I will restore the vm images and rerun.
>
>
>
> On 02/21/2016 08:33 AM, Patrick Goupell wrote:
>> From a terminal shell (/bin/bash) as root I run
>>
>> wget
>> https://s3.amazonaws.com/mailscanner/release/v4/deb/MailScanner-4.85.2-3.deb.tar.gz
>>
>> tar -xvf MailScanner*.tar.gz
>> cd MailScanner*
>> ./install.sh
>>
>> I select postfix for the mta, take the defaults for all other questions.
>>
>> Attached is the mailscanner-install.log. At line 453 the error
>> message appears.
>>
>>
>>
>> On 02/20/2016 08:21 PM, Mark Sapiro wrote:
>>> On 02/20/2016 03:47 PM, Patrick Goupell wrote:
>>>> During install of this package on debian jessie I got the following
>>>> error:
>>>>
>>>> Can't open /etc/freshclam.conf: No such file or directory.
>>>
>>> Strange...
>>>
>>> The only reference to /etc/freshclam.conf I can find is in the
>>> install.sh script which does
>>>
>>>
>>> # fix the stupid line in /etc/freshclam.conf that disables freshclam
>>> if [ $CAV == 1 ]; then
>>>     clear
>>>     echo;
>>>     echo "Installing Clam AV via apt ... "; echo;
>>>     timewait 3
>>>     $APTGET -y install $CAVOPTION
>>>     COUT='#Example';
>>>     if [ -f "/etc/freshclam.conf" ]; then
>>>         perl -pi -e 's/Example/'$COUT'/;' /etc/freshclam.conf
>>>     fi
>>> fi
>>>
>>> which, if you're installing clamav, calls apt-get to install clamav and
>>> then attempts to comment out an 'Example' line in /etc/freshclam.conf,
>>> but only if /etc/freshclam.conf is a file.
>>>
>>> This should not be complaining if /etc/freshclam.conf doesn't exist.
>>>
>>> Can you be more specific about the context in which you saw this?
>>>
>>
>>
>>
>
> --
> Patrick Goupell
>
> Are you free? Find out at http://www.sedm.org/
> Income taxes? Find out at http://www.whatistaxed.com
>
>
>

--
Patrick Goupell

Are you free? Find out at http://www.sedm.org/
Income taxes? Find out at http://www.whatistaxed.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From endelwar at aregar.it Mon Feb 22 15:57:21 2016
From: endelwar at aregar.it (Manuel Dalla Lana)
Date: Mon, 22 Feb 2016 16:57:21 +0100
Subject: Which distro?
In-Reply-To: <201602191906050197.0F507BEB@web.ace.net.au>
References: <56C57227.90907@aregar.it> <201602191906050197.0F507BEB@web.ace.net.au>
Message-ID: <56CB2FE1.6020003@aregar.it>

On 19/02/16 09:36, Peter Nitschke wrote:
> I am curious, why does systemd bother you?
>
> I freaked at first, but after taking a deep breath I find it very good.
>

It's not a "new" command line syntax for system administration that hurts me (jumping from linux to bsd to osx to windows to android it's not a problem), but the overwhelming sensation that the installed server doesn't do what I want it to do and doesn't do it in a predictable way: it has been observed by many (including me) that Linux stability has been reduced a lot by introducing systemd, making things work is harder now, also add binary logs and a lead developer that doesn't understand the difference from a pc and a banana to the mix and you get frustrated by only turning on a systemd box.

Linux (and all unixes in general) was built on one good principle: one software shall do one thing and make it good, systemd wants to do everything (from sys init to logging, to ip management, dns, web server...) and it does them bad.

Manuel

From jerry.benton at mailborder.com Mon Feb 22 16:22:09 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 22 Feb 2016 11:22:09 -0500
Subject: Which distro?
In-Reply-To: <56CB2FE1.6020003@aregar.it>
References: <56C57227.90907@aregar.it> <201602191906050197.0F507BEB@web.ace.net.au> <56CB2FE1.6020003@aregar.it>
Message-ID: <33015A23-7191-47BA-8D7F-B28476A21DC0@mailborder.com>

a PC and a banana... hah. awesome

-
Jerry Benton
www.mailborder.com

Sent from my iPhone

> On Feb 22, 2016, at 10:57, Manuel Dalla Lana wrote:
>
> On 19/02/16 09:36, Peter Nitschke wrote:
>> I am curious, why does systemd bother you?
>>
>> I freaked at first, but after taking a deep breath I find it very good.
> It's not a "new" command line syntax for system administration that hurts me (jumping from linux to bsd to osx to windows to android it's not a problem), but the overwhelming sensation that the installed server doesn't do what I want it to do and doesn't do it in a predictable way: it has been observed by many (including me) that Linux stability has been reduced a lot by introducing systemd, making things work is harder now, also add binary logs and a lead developer that doesn't understand the difference from a pc and a banana to the mix and you get frustrated by only turning on a systemd box.
>
> Linux (and all unixes in general) was built on one good principle: one software shall do one thing and make it good, systemd wants to do everything (from sys init to logging, to ip management, dns, web server...) and it does them bad.
>
> Manuel
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>

From aetienne at ilw.com Mon Feb 22 22:21:35 2016
From: aetienne at ilw.com (Alix Etienne)
Date: Mon, 22 Feb 2016 17:21:35 -0500
Subject: My companies website is flagged by your service if casing is incorrect.
Message-ID:

My email signature has a link to our webpage http://ilw.com/. Some people in my company's office use the capital ILW.com in their signature instead of the lowercase ilw.com. Because both versions point to http://ilw.com/ , mailscanner gives a phishing warning to colleagues with the uppercase version who happen to send an email to any server which uses mailscanner. I just wanted to know if this case-sensitive treatment of urls is intended behavior of your mailscanner service or if it was a bug.

--
Regards,
Alix S. Etienne

ilw.com
aetienne at ilw.com | *Office*: 212-545-0818 | *fax*: 212-545-0869
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mark at msapiro.net Mon Feb 22 23:37:30 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 22 Feb 2016 15:37:30 -0800
Subject: My companies website is flagged by your service if casing is incorrect.
In-Reply-To:
References:
Message-ID: <56CB9BBA.3000009@msapiro.net>

On 02/22/2016 02:21 PM, Alix Etienne wrote:
> My email signature has a link to our webpage http://ilw.com/. Some
> people in my company's office use the capital ILW.com in their signature
> instead of the lowercase ilw.com . Because both versions
> point to http://ilw.com/ , mailscanner gives a phishing warning to
> colleagues with the uppercase version who happen to send an email to any
> server which uses mailscanner. I just wanted to know if this
> case-sensitive treatment of urls is intended behavior of your
> mailscanner service or if it was a bug.

It would be a bug, but I am unable to duplicate it in current MailScanner.

I have tried

ilw.com
ILW.com
ILW.com
ilw.com

And none of these is disarmed by MailScanner.

What exactly are the domains in the "MailScanner has detected a possible fraud attempt from "example.net" claiming to be http://example.com/" message from MailScanner

>
> ilw.com
> aetienne at ilw.com
...

--
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan

From alex at vidadigital.com.pa Mon Feb 22 23:39:48 2016
From: alex at vidadigital.com.pa (Alex Neuman van der Hans)
Date: Mon, 22 Feb 2016 18:39:48 -0500
Subject: My companies website is flagged by your service if casing is incorrect.
In-Reply-To: <56CB9BBA.3000009@msapiro.net>
References: <56CB9BBA.3000009@msapiro.net>
Message-ID:

Sounds like a "with www in the a href" and "without www in the sig" problem.

Example,

ILW.com

Still, using caps for domain names isn't kosher.

> On Feb 22, 2016, at 6:37 PM, Mark Sapiro wrote:
>
> On 02/22/2016 02:21 PM, Alix Etienne wrote:
>> My email signature has a link to our webpage http://ilw.com/. Some
>> people in my company's office use the capital ILW.com in their signature
>> instead of the lowercase ilw.com . Because both versions
>> point to http://ilw.com/ , mailscanner gives a phishing warning to
>> colleagues with the uppercase version who happen to send an email to any
>> server which uses mailscanner. I just wanted to know if this
>> case-sensitive treatment of urls is intended behavior of your
>> mailscanner service or if it was a bug.
>
>
> It would be a bug, but I am unable to duplicate it in current MailScanner.
>
>
> I have tried
>
> ilw.com
> ILW.com
> ILW.com
> ilw.com
>
> And none of these is disarmed by MailScanner.
>
> What exactly are the domains in the "MailScanner has detected a possible
> fraud attempt from "example.net" claiming to be http://example.com/"
> message from MailScanner
>
>>
>> ilw.com
>> aetienne at ilw.com
> ...
>
>
> --
> Mark Sapiro The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Antony.Stone at mailscanner.open.source.it Mon Feb 22 23:47:01 2016
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Tue, 23 Feb 2016 00:47:01 +0100
Subject: My companies website is flagged by your service if casing is incorrect.
In-Reply-To:
References: <56CB9BBA.3000009@msapiro.net>
Message-ID: <201602230047.01369.Antony.Stone@mailscanner.open.source.it>

On Tuesday 23 February 2016 at 00:39:48, Alex Neuman van der Hans wrote:

> Sounds like a "with www in the a href" and "without www in the sig"
> problem.
>
> ILW.com
>
>
> Still, using caps for domain names isn't kosher.

"According to the original DNS design decision, comparisons on name lookup for DNS queries should be case insensitive."

https://tools.ietf.org/html/rfc4343

Antony.

--
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn! I forgot to feed the dog!"

Please reply to the list;
please *don't* CC me.

From mark at msapiro.net Mon Feb 22 23:52:12 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 22 Feb 2016 15:52:12 -0800
Subject: My companies website is flagged by your service if casing is incorrect.
In-Reply-To: <201602230047.01369.Antony.Stone@mailscanner.open.source.it>
References: <56CB9BBA.3000009@msapiro.net> <201602230047.01369.Antony.Stone@mailscanner.open.source.it>
Message-ID: <56CB9F2C.2090401@msapiro.net>

On 02/22/2016 03:47 PM, Antony Stone wrote:
> On Tuesday 23 February 2016 at 00:39:48, Alex Neuman van der Hans wrote:
>
>> Sounds like a "with www in the a href" and "without www in the sig"
>> problem.
>>
>> ILW.com
>>
>>
>> Still, using caps for domain names isn't kosher.
>
> "According to the original DNS design decision, comparisons on name lookup for
> DNS queries should be case insensitive."

And the code (the "} elsif ($tagname eq 'a' && $DisarmPhishing) {" block in "sub DisarmEndtagCallback {" in MailScanner/Message.pm) is hard to follow, but I believe 'www.' is removed from both sides of the comparison and the comparison is done case insensitively.

--
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan

From alex at vidadigital.com.pa Tue Feb 23 13:45:00 2016
From: alex at vidadigital.com.pa (Alex Neuman van der Hans)
Date: Tue, 23 Feb 2016 08:45:00 -0500
Subject: My companies website is flagged by your service if casing is incorrect.
In-Reply-To: <201602230047.01369.Antony.Stone@mailscanner.open.source.it> References: <56CB9BBA.3000009@msapiro.net> <201602230047.01369.Antony.Stone@mailscanner.open.source.it> Message-ID: <962BCB2F-42BB-4C39-87AF-7932B80D853E@vidadigital.com.pa> Sure, but it looks ugly ;-) > On Feb 22, 2016, at 6:47 PM, Antony Stone wrote: > > "According to the original DNS design decision, comparisons on name lookup for > DNS queries should be case insensitive." > > https://tools.ietf.org/html/rfc4343 > -------------- next part -------------- An HTML attachment was scrubbed... URL: From moriskod at yahoo.com Wed Feb 24 03:10:37 2016 From: moriskod at yahoo.com (Moris Kod) Date: Wed, 24 Feb 2016 03:10:37 +0000 (UTC) Subject: Virus Parser In-Reply-To: <719be673fcf14769bb92692bb8501de1.squirrel@sanesecurity.com> References: <719be673fcf14769bb92692bb8501de1.squirrel@sanesecurity.com> Message-ID: <651284014.9210410.1456283437066.JavaMail.yahoo@mail.yahoo.com> Do you have an email to submit infected ole files to be added to the badmacro.ndb? I have one now that is several days old that is not flagged by clamd with badmacro.ndb. It is up to 26 of 55 on virustotal now. From: Steve Basford To: MailScanner Discussion Sent: Monday, February 8, 2016 2:44 PM Subject: RE: Virus Parser On Mon, February 8, 2016 7:39 pm, Scott B. Anderson wrote: > How do you handle the new Office 97-05 trojan documents without macros > that still contain Trojans that abuse the rtf 'engine' in office > 2010/13/16 to root workstations without the .doc or .xls actually > containing a macro? > If you are using ClamAV you can block these easily with badmacro.ndb. In addition phish.ndb will block xml types with rogue.hdb to fill in the rest of the crappy stuff. 
http://sanesecurity.com/usage/linux-scripts/ Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com Twitter: @sanesecurity -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Wed Feb 24 04:20:49 2016 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 23 Feb 2016 20:20:49 -0800 Subject: Virus Parser In-Reply-To: <651284014.9210410.1456283437066.JavaMail.yahoo@mail.yahoo.com> References: <719be673fcf14769bb92692bb8501de1.squirrel@sanesecurity.com> <651284014.9210410.1456283437066.JavaMail.yahoo@mail.yahoo.com> Message-ID: <56CD2FA1.8090408@msapiro.net> On 02/23/2016 07:10 PM, Moris Kod via MailScanner wrote: > Do you have an email to submit infected ole files to be added to the > badmacro.ndb? I have one now that is several days old that is not > flagged by clamd with badmacro.ndb. It is up to 26 of 55 on > virustotal now. See for information on reporting samples relative to badmacro.ndb or any of the SaneSecurity signature files. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From ci at holmco.de Thu Feb 25 13:46:01 2016 From: ci at holmco.de (Ralf Cirksena) Date: Thu, 25 Feb 2016 14:46:01 +0100 Subject: [mailscanner] Re: filetype permisson on per user base In-Reply-To: <201602161211.57416.Antony.Stone@mailscanner.open.source.it> References: <20160216104755.GB10898@edv20.holmco.de> <201602161211.57416.Antony.Stone@mailscanner.open.source.it> Message-ID: <20160225134601.GA30656@edv20.holmco.de> Hello, On Tue, Feb 16, 2016 at 12:11:57PM +0100 you wrote: > On Tuesday 16 February 2016 at 11:47:55, Ralf Cirksena wrote: > > > Hello, > > > > I need to build filetype and filename restrictions based on email > > addresses or domains (envelope from / to). > > MailScanner doesn't know about envelope addresses. 
You can only process > header addresses. there is a configuration setting Add Envelope From Header = yes and Envelope From Header = X-%org-name%-MailScanner-From: How can that be used to deny filenames/filetypes? I want to catch mail from "outside" which has a forged From: Greetings -- R. Cirksena From Antony.Stone at mailscanner.open.source.it Thu Feb 25 14:01:18 2016 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Thu, 25 Feb 2016 15:01:18 +0100 Subject: [mailscanner] Re: filetype permisson on per user base In-Reply-To: <20160225134601.GA30656@edv20.holmco.de> References: <20160216104755.GB10898@edv20.holmco.de> <201602161211.57416.Antony.Stone@mailscanner.open.source.it> <20160225134601.GA30656@edv20.holmco.de> Message-ID: <201602251501.19151.Antony.Stone@mailscanner.open.source.it> On Thursday 25 February 2016 at 14:46:01, Ralf Cirksena wrote: > Hello, > > On Tue, Feb 16, 2016 at 12:11:57PM +0100 you wrote: > > On Tuesday 16 February 2016 at 11:47:55, Ralf Cirksena wrote: > > > Hello, > > > > > > I need to build filetype and filename restrictions based on email > > > addresses or domains (envelope from / to). > > > > MailScanner doesn't know about envelope addresses. You can only process > > header addresses. > > there is a configuration setting > > Add Envelope From Header = yes > and > Envelope From Header = X-%org-name%-MailScanner-From: As far as I know that simply adds a header (containing the envelope address), but cannot be used in any filtering rules to identify the email as unwanted. > How can that be used to deny filenames/filetypes? It has nothing to do with attachments. > I want to catch mail from "outside" which has a forged From: Configure SPF / DKIM for your domain's authorised mail servers, and reject anything pretending to be "internal" which comes from elsewhere. Antony. -- I love deadlines. I love the whooshing noise they make as they go by. - Douglas Noel Adams Please reply to the list; please *don't* CC me. 
From maillists at conactive.com Thu Feb 25 14:31:04 2016 From: maillists at conactive.com (Kai Schaetzl) Date: Thu, 25 Feb 2016 15:31:04 +0100 Subject: Trimming the fat from MailScanner In-Reply-To: <56B8FB3A.7090304@msapiro.net> References: <8D37D601-3DA4-475E-AAAD-73B7652C3E17@mailborder.com> <56B8FB3A.7090304@msapiro.net> Message-ID: Mark Sapiro wrote on Mon, 8 Feb 2016 12:31:54 -0800: > The Debian/Ubuntu clamav-freshclam package runs freshclam as a daemon > with 24 daily checks, so for Debian/Ubuntu at least, I see. No such daemon on the CentOS we use. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Thu Feb 25 14:31:05 2016 From: maillists at conactive.com (Kai Schaetzl) Date: Thu, 25 Feb 2016 15:31:05 +0100 Subject: RHEL 7 In-Reply-To: <5625423C-B042-4200-A939-15CDBC9462D7@mailborder.com> References: <3FC05D5F-0006-4256-B6A4-241E1F2A5B32@mailborder.com> <5625423C-B042-4200-A939-15CDBC9462D7@mailborder.com> Message-ID: Jerry Benton wrote on Mon, 8 Feb 2016 13:42:56 -0500: > Yes, I will. Ah, thanks, very nice! Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Thu Feb 25 14:31:05 2016 From: maillists at conactive.com (Kai Schaetzl) Date: Thu, 25 Feb 2016 15:31:05 +0100 Subject: Spam on List In-Reply-To: References: Message-ID: which spam? Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From jeremy at fluxlabs.net Thu Feb 25 14:47:03 2016 From: jeremy at fluxlabs.net (Jeremy McSpadden) Date: Thu, 25 Feb 2016 14:47:03 +0000 Subject: Spam on List In-Reply-To: References: Message-ID: <24EB6D0B-C42E-44B9-8BDC-5B65967C5C99@fluxlabs.net> Bad marketing .. Spam on mailscanners ml. 
Haha -- Jeremy McSpadden | Flux Labs Local - 850-250-5590x501 | Mobile - 850-890-2543 Fax - 850-254-2955 | Toll Free - 877-699-FLUX Web - http://www.fluxlabs.net On Feb 18, 2016, at 6:58 AM, Jerry Benton > wrote: I see the spam coming through the list server. We will work on it today. - Jerry Benton www.mailborder.com -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From ci at holmco.de Thu Feb 25 15:23:24 2016 From: ci at holmco.de (Ralf Cirksena) Date: Thu, 25 Feb 2016 16:23:24 +0100 Subject: filetype permisson on per user base In-Reply-To: <201602251501.19151.Antony.Stone@mailscanner.open.source.it> References: <20160216104755.GB10898@edv20.holmco.de> <201602161211.57416.Antony.Stone@mailscanner.open.source.it> <20160225134601.GA30656@edv20.holmco.de> <201602251501.19151.Antony.Stone@mailscanner.open.source.it> Message-ID: <20160225152324.GC30656@edv20.holmco.de> On Thu, Feb 25, 2016 at 03:01:18PM +0100 Antony wrote: > As far as I know that simply adds a header (containing the envelope address), > but cannot be used in any filtering rules to identify the email as unwanted. yes, that's right, > > I want to catch mail from "outside" which has a forged From: > > Configure SPF / DKIM for your domain's authorised mail servers, and reject > anything pretending to be "internal" which comes from elsewhere. I will try it with SPF. But it's a pity that Mailscanner does not have support for that. Greetings -- R. 
Cirksena From Antony.Stone at mailscanner.open.source.it Thu Feb 25 15:56:02 2016 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Thu, 25 Feb 2016 16:56:02 +0100 Subject: filetype permisson on per user base In-Reply-To: <20160225152324.GC30656@edv20.holmco.de> References: <20160216104755.GB10898@edv20.holmco.de> <201602251501.19151.Antony.Stone@mailscanner.open.source.it> <20160225152324.GC30656@edv20.holmco.de> Message-ID: <201602251656.02890.Antony.Stone@mailscanner.open.source.it> On Thursday 25 February 2016 at 16:23:24, Ralf Cirksena wrote: > On Thu, Feb 25, 2016 at 03:01:18PM +0100 Antony wrote: > > As far as I know that simply adds a header (containing the envelope > > address), but cannot be used in any filtering rules to identify the > > email as unwanted. > > yes, that's right, > > > > I want to catch mail from "outside" which has a forged From: > > > > Configure SPF / DKIM for your domain's authorised mail servers, and > > reject anything pretending to be "internal" which comes from elsewhere. > > I will try it with SPF. > But it's a pity that Mailscanner does not have support for that. No. This sort of thing is much better done by the MTA, before MailScanner can even get to see it. Until we get the facility of "MailScanner as a milter", this functionality doesn't belong in MailScanner. Far better to reject the mail ASAP without accepting it at all. Antony. -- This sentence contains exacly three erors. Please reply to the list; please *don't* CC me. From iversons at rushville.k12.in.us Thu Feb 25 16:12:13 2016 From: iversons at rushville.k12.in.us (Shawn Iverson) Date: Thu, 25 Feb 2016 11:12:13 -0500 Subject: Spam on List In-Reply-To: References: Message-ID: Guess the list should use mailscanner, haha On Thu, Feb 25, 2016 at 9:31 AM, Kai Schaetzl wrote: > which spam? 
> > Kai > > -- > Get your web at Conactive Internet Services: http://www.conactive.com > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > -- Shawn Iverson Director of Technology Rush County Schools 765-932-3901 x271 iversons at rushville.k12.in.us -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Fri Feb 26 19:35:59 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 26 Feb 2016 14:35:59 -0500 Subject: 4.86.1-4 Deb Message-ID: <2B08D998-3F30-4930-B6F6-5AD75B0E5444@mailborder.com> Mark, While doing some testing I noticed that the “service MailScanner status” does not work correctly. Can you confirm the same? I have tested this on two different systems with the Debian package. 
- Jerry Benton www.mailborder.com From mark at msapiro.net Fri Feb 26 21:27:21 2016 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 26 Feb 2016 13:27:21 -0800 Subject: 4.86.1-4 Deb In-Reply-To: <2B08D998-3F30-4930-B6F6-5AD75B0E5444@mailborder.com> References: <2B08D998-3F30-4930-B6F6-5AD75B0E5444@mailborder.com> Message-ID: <56D0C339.7070700@msapiro.net> On 02/26/2016 11:35 AM, Jerry Benton wrote: > Mark, > > While doing some testing I noticed that the “service MailScanner status” does not work correctly. Can you confirm the same? I have tested this on two different systems with the Debian package. It seems to work for me: root at sbh16:~# service MailScanner status * MailScanner is running root at sbh16:~# service MailScanner stop * Stopping email processor - MailScanner [ OK ] root at sbh16:~# service MailScanner status * MailScanner is not running root at sbh16:~# service MailScanner start * Starting email processor - MailScanner [ OK ] root at sbh16:~# -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
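
Added example, not part of any message in this archive and not MailScanner's own Perl code: a Python illustration of the link check discussed in the "My companies website is flagged by your service if casing is incorrect" thread, comparing the host in an a href with the host shown in the link text after lower-casing both (RFC 4343) and dropping a leading "www.", as Mark Sapiro believes Message.pm does. The function names, the host-matching regex and the sample HTML are assumptions constructed for illustration.

```python
# Added illustration; hypothetical names, not taken from MailScanner/Message.pm.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text counts as "claiming to be a host" only if it looks like a
# bare host name or a URL; ordinary words such as "Click here" do not match.
HOSTLIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?"        # optional scheme
    r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)"     # dotted host name
    r"\.?(?::\d+)?(?:[/?#].*)?$",        # root dot, port, path
    re.I | re.S)

def normalize_host(host):
    """Lower-case (DNS names compare case-insensitively, RFC 4343),
    drop a trailing root dot and one leading 'www.'."""
    host = host.strip().rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host

def host_from_text(text):
    """Host the visible link text claims to be, or None if not URL-like."""
    m = HOSTLIKE.match(text.strip())
    return normalize_host(m.group(1)) if m else None

class LinkAudit(HTMLParser):
    """Collects (real_host, claimed_host) pairs that disagree."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        try:
            real = normalize_host(urlsplit(self.href).hostname or "")
        except ValueError:               # malformed href, nothing to compare
            real = ""
        claimed = host_from_text("".join(self.text))
        if real and claimed and real != claimed:
            self.findings.append((real, claimed))
        self.href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the signature variants from the thread plus the
# example.net / example.com mismatch quoted from MailScanner's warning text.
SAMPLE = ('<p><a href="http://www.ilw.com/">ILW.com</a> '
          '<a href="http://ilw.com/">ilw.com</a> '
          '<a href="http://example.net/login">http://example.com/</a> '
          '<a href="http://example.net/">Click here</a></p>')

if __name__ == "__main__":
    for real, claimed in audit(SAMPLE):
        print(f'possible fraud attempt from "{real}" claiming to be {claimed}')
```

Only the example.net link is reported; the upper-case and "www." variants of ilw.com normalize to the same host and pass.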