From mark at msapiro.net Wed Jun 1 00:02:33 2016 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 31 May 2016 17:02:33 -0700 Subject: survey.medallia.com in phishing.bad.sites.conf? In-Reply-To: References: <20160531170817.GA7991@cisunix.unh.edu> <23FA53A4-F950-4F2A-B335-5CF05E782F25@mailborder.com> <20160531185817.GA11260@cisunix.unh.edu> <20160531194444.GA13052@cisunix.unh.edu> Message-ID: <27c1edd1-f6be-4dc5-d48a-cbd6eff077f8@msapiro.net> On 5/31/16 4:53 PM, saifur rahman wrote: > > how do i whitelist a domain in MailScanner? Add it to phishing.safe.sites.custom. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From saifurcse at gmail.com Wed Jun 1 00:19:47 2016 From: saifurcse at gmail.com (saifur rahman) Date: Wed, 1 Jun 2016 06:19:47 +0600 Subject: survey.medallia.com in phishing.bad.sites.conf? In-Reply-To: <27c1edd1-f6be-4dc5-d48a-cbd6eff077f8@msapiro.net> References: <20160531170817.GA7991@cisunix.unh.edu> <23FA53A4-F950-4F2A-B335-5CF05E782F25@mailborder.com> <20160531185817.GA11260@cisunix.unh.edu> <20160531194444.GA13052@cisunix.unh.edu> <27c1edd1-f6be-4dc5-d48a-cbd6eff077f8@msapiro.net> Message-ID: Dear Sir, How do i allow double extension for perticular domain in MailScanner? There are certain domains on my server that I do not want MailScanner to scan AT ALL, How do I set this up? Can I configure MailScanner to not check zip/archive files for only one domain? BR Saiful On Wed, Jun 1, 2016 at 6:02 AM, Mark Sapiro wrote: > On 5/31/16 4:53 PM, saifur rahman wrote: > > > > how do i whitelist a domain in MailScanner? > > > Add it to phishing.safe.sites.custom. > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > -- *With Regards**,* Md. Sayfur Rahman ( RHCE, MCSE, CCNA, HP-UX) System Administrator Spark Systems Limited -------------- next part -------------- An HTML attachment was scrubbed... URL: From saifurcse at gmail.com Wed Jun 1 00:23:33 2016 From: saifurcse at gmail.com (saifur rahman) Date: Wed, 1 Jun 2016 06:23:33 +0600 Subject: Outbound e-mail through MailScanner : JPG gets corrupted. In-Reply-To: References: <14e9175e994d433083b4f099d088c516@DC01.meelhuysen.com> <3afd735b72f0475887583e548686f679@DC01.meelhuysen.com> <28FB3B13-C0F2-4B4B-8A52-FD8A24B7066A@vidadigital.com.pa> <2b01f06950a94a0f8705b9916010593e@DC01.meelhuysen.com> <441D39B3-61DA-4BB9-963B-FAEA368F456C@vidadigital.com.pa> <62EEF173-CDE3-4807-8D71-D26A6B770C3E@mailborder.com> <372f4f3d46b14958af576d62afb2ab3a@DC01.meelhuysen.com> <76944434-7522-4232-9F57-9DB765EB21BE@mailborder.com> <7217aaf759534903a07316579c5f2696@DC01.meelhuysen.com> Message-ID: Dear Sir, How do i allow double extension for perticular domain in MailScanner? There are certain domains on my server that I do not want MailScanner to scan AT ALL, How do I set this up? Can I configure MailScanner to not check zip/archive files for only one domain? BR Saiful On Tue, May 31, 2016 at 7:18 PM, Rick Cooper wrote: > But what about the line Use TNEF Contents = replace ? > That was the question and most likely resolution to your issue > > ------------------------------ > *From:* MailScanner [mailto:mailscanner-bounces+rcooper= > dwford.com at lists.mailscanner.info] *On Behalf Of *Mark Meelhuysen > *Sent:* Monday, May 30, 2016 12:08 PM > *To:* MailScanner Discussion > *Subject:* RE: Outbound e-mail through MailScanner : JPG gets corrupted. > > Haha, the minute i pressed send i knew i could get that answer J > > I was rather hoping you could tell me what the best practise in this > situation is. Which option can I change best? > > Use TNEF Contents = no does not make a difference. > > Expand TNEF = no does not make a difference > > > > *Van:* MailScanner [mailto:mailscanner-bounces+mark= > meelhuysen.com at lists.mailscanner.info] *Namens *Jerry Benton > *Verzonden:* maandag 30 mei 2016 17:53 > *Aan:* MailScanner Discussion > *Onderwerp:* Re: Outbound e-mail through MailScanner : JPG gets corrupted. > > > > the answer is staring you in the face. > > - > > Jerry Benton > > www.mailborder.com > > Sent from my iPhone > > > On May 30, 2016, at 11:46, Mark Meelhuysen wrote: > > Ow oke, my mailscanner.conf : > > > > Expand TNEF = yes > > Use TNEF Contents = replace > > Deliver Unparsable TNEF = no > > TNEF Expander = /usr/bin/tnef --maxsize=100000000 > > TNEF Timeout = 120 > > > > I never changed these values, so i asume they are default. > > > > > > *Van:* MailScanner [ > mailto:mailscanner-bounces+mark=meelhuysen.com at lists.mailscanner.info > ] *Namens > *Jerry Benton > *Verzonden:* maandag 30 mei 2016 17:19 > *Aan:* MailScanner Discussion > *Onderwerp:* Re: Outbound e-mail through MailScanner : JPG gets corrupted. > > > > it is a mail scanner setting > > - > > Jerry Benton > > www.mailborder.com > > Sent from my iPhone > > > On May 30, 2016, at 11:15, Mark Meelhuysen wrote: > > I lookup it up what that does, but have not set that up manually, so > Exchange is acting standard. > > > > *Van:* MailScanner [ > mailto:mailscanner-bounces+mark=meelhuysen.com at lists.mailscanner.info > ] *Namens > *Jerry Benton > *Verzonden:* maandag 30 mei 2016 16:58 > *Aan:* MailScanner Discussion > *Onderwerp:* Re: Outbound e-mail through MailScanner : JPG gets corrupted. > > > > Are you converting TNEF? > > > - > > Jerry Benton > > www.mailborder.com > > > > > > > > On May 30, 2016, at 10:54 AM, Mark Meelhuysen wrote: > > > > Thats correct : > > > > ? Exchange sends the email directly to the recipient by DNS and > throught the local gateway (so not through MailScanner) : Everything is fine > > ? Exchange sends the email to MailScanner and MailScanner sends > the e-mail to the recipient : Not the message but the pictures get mangled. > > > > *Van:* MailScanner [ > mailto:mailscanner-bounces+mark=meelhuysen.com at lists.mailscanner.info > ] > *Namens *Alex Neuman van der Hans > *Verzonden:* maandag 30 mei 2016 16:50 > *Aan:* MailScanner discussion > *Onderwerp:* Re: Outbound e-mail through MailScanner : JPG gets corrupted. > > > > Should I understand from that that depending on how you configure Exchange > the message either gets mangled or not? > > > > On May 30, 2016, at 9:46 AM, Mark Meelhuysen wrote: > > > > When i create a new send connector that makes sure that for the particular > domain the mail is delivered to the ISP smarthost the images arrive fine. > > > > > > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke inhoud en lijkt > schoon te zijn. > Meelhuysen IT Solutions . > > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke inhoud en lijkt > schoon te zijn. > Meelhuysen IT Solutions . > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > > > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke inhoud en lijkt > schoon te zijn. > Meelhuysen IT Solutions . > > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke inhoud en lijkt > schoon te zijn. > Meelhuysen IT Solutions . > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke inhoud en lijkt > schoon te zijn. > Meelhuysen IT Solutions . > > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke inhoud en lijkt > schoon te zijn. > Meelhuysen IT Solutions . > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke inhoud en lijkt > schoon te zijn. > Meelhuysen IT Solutions . > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke inhoud en lijkt > schoon te zijn. > Meelhuysen IT Solutions . > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > -- *With Regards**,* Md. Sayfur Rahman ( RHCE, MCSE, CCNA, HP-UX) System Administrator Spark Systems Limited -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Wed Jun 1 02:12:14 2016 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 31 May 2016 19:12:14 -0700 Subject: Outbound e-mail through MailScanner : JPG gets corrupted. In-Reply-To: References: <14e9175e994d433083b4f099d088c516@DC01.meelhuysen.com> <3afd735b72f0475887583e548686f679@DC01.meelhuysen.com> <28FB3B13-C0F2-4B4B-8A52-FD8A24B7066A@vidadigital.com.pa> <2b01f06950a94a0f8705b9916010593e@DC01.meelhuysen.com> <441D39B3-61DA-4BB9-963B-FAEA368F456C@vidadigital.com.pa> <62EEF173-CDE3-4807-8D71-D26A6B770C3E@mailborder.com> <372f4f3d46b14958af576d62afb2ab3a@DC01.meelhuysen.com> <76944434-7522-4232-9F57-9DB765EB21BE@mailborder.com> <7217aaf759534903a07316579c5f2696@DC01.meelhuysen.com>

Message-ID: <674b2e36-a1c0-7d3a-b161-e2917ef1fec3@msapiro.net> On 5/31/16 5:23 PM, saifur rahman wrote: > Dear Sir, > How do i allow double extension for perticular domain in MailScanner? > There are certain domains on my server that I do not want MailScanner to > scan AT ALL, How do I set this up? > Can I configure MailScanner to not check zip/archive files for only one > domain? Please don't hijack existing threads for new topics and please don't post the same question more than once. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Wed Jun 1 02:13:22 2016 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 31 May 2016 19:13:22 -0700 Subject: survey.medallia.com in phishing.bad.sites.conf? In-Reply-To: References: <20160531170817.GA7991@cisunix.unh.edu> <23FA53A4-F950-4F2A-B335-5CF05E782F25@mailborder.com> <20160531185817.GA11260@cisunix.unh.edu> <20160531194444.GA13052@cisunix.unh.edu> <27c1edd1-f6be-4dc5-d48a-cbd6eff077f8@msapiro.net> Message-ID: On 5/31/16 5:19 PM, saifur rahman wrote: > > Dear Sir, > How do i allow double extension for perticular domain in MailScanner? > There are certain domains on my server that I do not want MailScanner to > scan AT ALL, How do I set this up? > Can I configure MailScanner to not check zip/archive files for only one > domain? You can do these things with rule sets. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From steve at mjnservices.com Wed Jun 1 17:50:01 2016 From: steve at mjnservices.com (Steven Jardine) Date: Wed, 1 Jun 2016 11:50:01 -0600 Subject: Denial Of Service Attack Messages In-Reply-To: <3B0448D0-B222-46F8-8BE0-9C28DC32FD78@mailborder.com> References:

Message-ID: <62145957765b4371949010c43e032d80@ex13mbx03.sti.usherbrooke.ca> Wow! Fast answer. A first look at it seems pretty much on the nail! Thanks Alex! Denis De?: MailScanner [mailto:mailscanner-bounces+denis.beauchemin=usherbrooke.ca at lists.mailscanner.info] De la part de Alex Neuman van der Hans Envoy??: 3 juin 2016 09:30 ??: MailScanner discussion Objet?: Re: Any ideas how to accomplish this? http://www.snertsoft.com/sendmail/roundhouse/ On Jun 3, 2016, at 8:28 AM, Denis Beauchemin wrote: Hello, I am trying to do the following and can't find a simple solution to it: I want to duplicate all incoming mail so that one copy goes to the intended destination and the other one goes to a set email address. The first copy should go through MailScanner before reaching its intended destination while the second copy should go directly to the set email address without any MailScanner intervention. Is this possible? I tried a milter-bcc and all it did was to add a bcc to all incoming emails so the set email address received the email after it was scanned by MailScanner. Not what I am trying to achieve. We are using sendmail with LDAP queries. Thanks. Denis PS: we want to test EOP (Exchange Online Protection from Office365) before moving all our students there. -- MailScanner mailing list mailto:mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner From alex at vidadigital.com.pa Fri Jun 3 13:45:14 2016 From: alex at vidadigital.com.pa (Alex Neuman van der Hans) Date: Fri, 3 Jun 2016 08:45:14 -0500 Subject: Any ideas how to accomplish this? In-Reply-To: <62145957765b4371949010c43e032d80@ex13mbx03.sti.usherbrooke.ca> References:

<62145957765b4371949010c43e032d80@ex13mbx03.sti.usherbrooke.ca> Message-ID: Glad to help. You *may* need to run an additional process to ?hand off? mail to the ?real? sendmail/MailScanner process; maybe on an additional VM. Also the ?original? process may have to do a ?smarthost" setup to hand off the email to the splitter. I know it?s been done before for compliance purposes, but I haven?t done it in a while. Let us know how it goes. > On Jun 3, 2016, at 8:43 AM, Denis Beauchemin wrote: > > Wow! Fast answer. A first look at it seems pretty much on the nail! > > Thanks Alex! > > Denis > > > De : MailScanner [mailto:mailscanner-bounces+denis.beauchemin=usherbrooke.ca at lists.mailscanner.info ] De la part de Alex Neuman van der Hans > Envoy? : 3 juin 2016 09:30 > ? : MailScanner discussion > > Objet : Re: Any ideas how to accomplish this? > > http://www.snertsoft.com/sendmail/roundhouse/ > > On Jun 3, 2016, at 8:28 AM, Denis Beauchemin > wrote: > > Hello, > > I am trying to do the following and can't find a simple solution to it: I want to duplicate all incoming mail so that one copy goes to the intended destination and the other one goes to a set email address. > > The first copy should go through MailScanner before reaching its intended destination while the second copy should go directly to the set email address without any MailScanner intervention. > > Is this possible? I tried a milter-bcc and all it did was to add a bcc to all incoming emails so the set email address received the email after it was scanned by MailScanner. Not what I am trying to achieve. > > We are using sendmail with LDAP queries. > > Thanks. > > Denis > > PS: we want to test EOP (Exchange Online Protection from Office365) before moving all our students there. > > > -- > MailScanner mailing list > mailto:mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Sat Jun 4 05:51:09 2016 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 3 Jun 2016 22:51:09 -0700 Subject: OpenDKIM and MailScanner In-Reply-To: <574DD9C1.9010104@pztop.com> References: <574DD466.1090305@pztop.com> <574DD9C1.9010104@pztop.com> Message-ID: <89b739a7-28ea-e398-d293-701de05675a1@msapiro.net> On 5/31/16 11:36 AM, Gao wrote: > Thank you Jerry for the quick reply. > > The issue happens for outgoing emails. > > Postfix has these lines: > smtpd_milters = inet:127.0.0.1:8891 > non_smtpd_milters = $smtpd_milters I am not a Postfix expert, but I think it might work to remove the smtpd_milters setting and set just non_smtpd_milters = inet:127.0.0.1:8891 Try that, and if it doesn't work, ask on a Postfix list. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From pascal.maes at uclouvain.be Sat Jun 4 10:21:01 2016 From: pascal.maes at uclouvain.be (Pascal Maes) Date: Sat, 4 Jun 2016 10:21:01 +0000 Subject: SpamAssasin not installed ! Message-ID: <2D4EBC0F-0923-4E65-BC67-B428FDCFD316@uclouvain.be> Hello, We have installed SpamAssasin : # apt-get install spamassassin Reading package lists... Done Building dependency tree Reading state information... Done spamassassin is already the newest version. 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. The following script is running well : #!/usr/bin/perl if (eval "require Mail::SpamAssassin") { print "SpamAssassin : OK\n"; } else { print "SpamAssassin : KO\n"; } # ./test-sa.pl SpamAssassin : OK but MailScanner complains about SpamAssassin not installed : # MailScanner --lint Trying to setlogsock(unix) Reading configuration file /etc/MailScanner/MailScanner.conf Reading configuration file /etc/MailScanner/conf.d/README Reading configuration file /etc/MailScanner/conf.d/UCL.conf Read 501 hostnames from the phishing whitelist Read 18378 hostnames from the phishing blacklists Config: calling custom init function CheckSMTPAuth Checking version numbers... Version number in MailScanner.conf (5.0.1) is correct. Your envelope_sender_header in spamassassin.conf is correct. MailScanner setting GID to (117) MailScanner setting UID to (111) Checking for SpamAssassin errors (if you use it)... You want to use SpamAssassin but have not installed it. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 169. I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 170. Do you have an idea about the problem ? Thanks -- Pascal From patrick at yoopermail.us Sat Jun 4 13:35:19 2016 From: patrick at yoopermail.us (Patrick Goupell) Date: Sat, 4 Jun 2016 09:35:19 -0400 Subject: MailScanner v5 directory structure Message-ID: <5752D917.6040608@yoopermail.us> Hello Jerry, I know you posted something about the new folder/file structure for mailscanner v5 but I cannot find it in the mailing list archive. Could you please post it again. Thank you -- Patrick Goupell Are you free? Find out at http://www.sedm.org/ Income taxes? Find out at http://www.whatistaxed.com From mark at msapiro.net Sat Jun 4 16:06:28 2016 From: mark at msapiro.net (Mark Sapiro) Date: Sat, 4 Jun 2016 09:06:28 -0700 Subject: SpamAssasin not installed ! In-Reply-To: <2D4EBC0F-0923-4E65-BC67-B428FDCFD316@uclouvain.be> References: <2D4EBC0F-0923-4E65-BC67-B428FDCFD316@uclouvain.be> Message-ID: <527dadbd-edf8-1861-0df4-d467c492496b@msapiro.net> On 6/4/16 3:21 AM, Pascal Maes wrote: > > The following script is running well : > > #!/usr/bin/perl > > if (eval "require Mail::SpamAssassin") > { > print "SpamAssassin : OK\n"; > } > else > { > print "SpamAssassin : KO\n"; > } > > > # ./test-sa.pl > SpamAssassin : OK What happens if you run sudo -u'#111' -g'#117' ./test-sa.pl > but MailScanner complains about SpamAssassin not installed : > > # MailScanner --lint ... > MailScanner setting GID to (117) > MailScanner setting UID to (111) > > Checking for SpamAssassin errors (if you use it)... > You want to use SpamAssassin but have not installed it. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 169. > I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 170. Somehow the directory containing perl's Mail/SpamAssassin.pm is not in the perl's include path, or the effective user/group can't read it. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From jerry.benton at mailborder.com Sat Jun 4 16:10:53 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Sat, 4 Jun 2016 12:10:53 -0400 Subject: MailScanner v5 directory structure In-Reply-To: <5752D917.6040608@yoopermail.us> References: <5752D917.6040608@yoopermail.us> Message-ID: <43B75838-87C7-4487-A6C8-2B3F20D07CC3@mailborder.com> /etc/MailScanner /usr/share/MailScanner /usr/lib/MailScanner /var/spool/MailScanner > On Jun 4, 2016, at 9:35 AM, Patrick Goupell wrote: > > Hello Jerry, > > I know you posted something about the new folder/file structure for mailscanner v5 but I cannot find it in the mailing list archive. > > Could you please post it again. > > Thank you > > -- > Patrick Goupell > > Are you free? Find out at http://www.sedm.org/ > Income taxes? Find out at http://www.whatistaxed.com > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From jerry.benton at mailborder.com Sat Jun 4 16:11:55 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Sat, 4 Jun 2016 12:11:55 -0400 Subject: SpamAssasin not installed ! In-Reply-To: <527dadbd-edf8-1861-0df4-d467c492496b@msapiro.net> References: <2D4EBC0F-0923-4E65-BC67-B428FDCFD316@uclouvain.be> <527dadbd-edf8-1861-0df4-d467c492496b@msapiro.net> Message-ID: <392E2000-992D-49D3-83D3-6321DD647D74@mailborder.com> Make sure you are not running MailScanner --lint from the /root directory as well. > On Jun 4, 2016, at 12:06 PM, Mark Sapiro wrote: > > On 6/4/16 3:21 AM, Pascal Maes wrote: >> >> The following script is running well : >> >> #!/usr/bin/perl >> >> if (eval "require Mail::SpamAssassin") >> { >> print "SpamAssassin : OK\n"; >> } >> else >> { >> print "SpamAssassin : KO\n"; >> } >> >> >> # ./test-sa.pl >> SpamAssassin : OK > > > What happens if you run > > sudo -u'#111' -g'#117' ./test-sa.pl > >> but MailScanner complains about SpamAssassin not installed : >> >> # MailScanner --lint > ... >> MailScanner setting GID to (117) >> MailScanner setting UID to (111) >> >> Checking for SpamAssassin errors (if you use it)... >> You want to use SpamAssassin but have not installed it. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 169. >> I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 170. > > > Somehow the directory containing perl's Mail/SpamAssassin.pm is not in > the perl's include path, or the effective user/group can't read it. > > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From pascal.maes at uclouvain.be Sat Jun 4 17:17:06 2016 From: pascal.maes at uclouvain.be (Pascal Maes) Date: Sat, 4 Jun 2016 17:17:06 +0000 Subject: SpamAssasin not installed ! In-Reply-To: <392E2000-992D-49D3-83D3-6321DD647D74@mailborder.com> References: <2D4EBC0F-0923-4E65-BC67-B428FDCFD316@uclouvain.be> <527dadbd-edf8-1861-0df4-d467c492496b@msapiro.net> <392E2000-992D-49D3-83D3-6321DD647D74@mailborder.com> Message-ID: <34A89AB6-1149-4D18-870F-C63C3EE3A729@uclouvain.be> That was probably the reason # sudo -u'#111' -g'#117' ./test-sa.pl SpamAssassin : OK but I have to move the script first because it was in ~root Thanks > Le 4 juin 2016 ? 18:11, Jerry Benton a ?crit : > > Make sure you are not running MailScanner --lint from the /root directory as well. > > > >> On Jun 4, 2016, at 12:06 PM, Mark Sapiro wrote: >> >> On 6/4/16 3:21 AM, Pascal Maes wrote: >>> >>> The following script is running well : >>> >>> #!/usr/bin/perl >>> >>> if (eval "require Mail::SpamAssassin") >>> { >>> print "SpamAssassin : OK\n"; >>> } >>> else >>> { >>> print "SpamAssassin : KO\n"; >>> } >>> >>> >>> # ./test-sa.pl >>> SpamAssassin : OK >> >> >> What happens if you run >> >> sudo -u'#111' -g'#117' ./test-sa.pl >> >>> but MailScanner complains about SpamAssassin not installed : >>> >>> # MailScanner --lint >> ... >>> MailScanner setting GID to (117) >>> MailScanner setting UID to (111) >>> >>> Checking for SpamAssassin errors (if you use it)... >>> You want to use SpamAssassin but have not installed it. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 169. >>> I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 170. >> >> >> Somehow the directory containing perl's Mail/SpamAssassin.pm is not in >> the perl's include path, or the effective user/group can't read it. >> >> -- >> Mark Sapiro The highway is for gamblers, >> San Francisco Bay Area, California better use your sense - B. Dylan >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > -- Pascal From gao at pztop.com Mon Jun 6 16:51:22 2016 From: gao at pztop.com (Gao) Date: Mon, 6 Jun 2016 09:51:22 -0700 Subject: OpenDKIM and MailScanner In-Reply-To: <89b739a7-28ea-e398-d293-701de05675a1@msapiro.net> References: <574DD466.1090305@pztop.com> <574DD9C1.9010104@pztop.com> <89b739a7-28ea-e398-d293-701de05675a1@msapiro.net> Message-ID: <5755AA0A.1060300@pztop.com> On 16-06-03 10:51 PM, Mark Sapiro wrote: > I am not a Postfix expert, but I think it might work to remove the > smtpd_milters setting and set just non_smtpd_milters = > inet:127.0.0.1:8891 Try that, and if it doesn't work, ask on a Postfix > list. Tested with your recommended configuration, OpenDKIM will not sign the message at all. Gao From steve at mjnservices.com Mon Jun 6 17:23:05 2016 From: steve at mjnservices.com (Steven Jardine) Date: Mon, 6 Jun 2016 11:23:05 -0600 Subject: Denial Of Service Attack Messages In-Reply-To: <574F2049.10306@mjnservices.com> References:

<023101d1ad42$4198ba30$c4ca2e90$@z00b.com> <493D6AA0-8AB3-43C2-9A11-AB2D4A639DDF@crossip.net> <573FAF9E.9070701@msapiro.net> <058e01d1b4c9$332bcdf0$998369d0$@com> <58AEE94E-2FB0-41CE-B054-4A665DA9EDE7@mailborder.com> <5744B410.2000509@mjnservices.com> <5744C0C4.4070204@msapiro.net> <5744C75E.5080900@mjnservices.com> <5749172F.8020501@msapiro.net> <3B0448D0-B222-46F8-8BE0-9C28DC32FD78@mailborder.com> <574F2049.10306@mjnservices.com> <5755B179.6040206@mjnservices.com> Message-ID: <575665F8.4030408@msapiro.net> On 06/06/2016 10:23 AM, Steven Jardine wrote: > I am not really trying to be a nuisance on this but this is still > happening way too often. Legitimate emails are getting completely wiped > out. Are there any ideas for how to best find out what is causing the > "status = 13" error? You could try the attached patch to /usr/share/MailScanner/perl/MailScanner/Message.pm. It just logs the paths of the files that it's working with. I don't actually see how this is happening with the regularity that you see it with that error. Unless: > On 06/01/2016 11:50 AM, Steven Jardine wrote: >> OK. So I upgraded to v5.0.2-1 and I created a group called mtagroup >> and added smmsp, smmta, www-data, clamav to the group. I changed the: >> >> Incoming Work User = clamav >> Incoming Work Group = mtagroup >> Incoming Work Permissions = 0660 What is MailScanner's Run As User and Run As Group? The Run As Group should be in the mtagroup. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.diff Type: text/x-diff Size: 631 bytes Desc: not available URL: From pparsons at techeez.com Tue Jun 7 23:54:02 2016 From: pparsons at techeez.com (Philip Parsons) Date: Tue, 7 Jun 2016 23:54:02 +0000 Subject: Mail watch issue Message-ID: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> I know this is the MailScanner list but I have posted to the mail watch list and there does not seem to be any takers so I am hopping a MailScanner user might have come across this issues as well. Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it, it looks like the path is incorrect but I cannot find where that path is set. Anyone got any ideas. Techeez on the go so please excuse the spelling. From gao at pztop.com Wed Jun 8 00:07:46 2016 From: gao at pztop.com (Gao) Date: Tue, 7 Jun 2016 17:07:46 -0700 Subject: Mail watch issue In-Reply-To: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> References: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> Message-ID: <575761D2.7010708@pztop.com> On 16-06-07 04:54 PM, Philip Parsons wrote: > I know this is the MailScanner list but I have posted to the mail watch list and there does not seem to be any takers so I am hopping a MailScanner user might have come across this issues as well. > > Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it, it looks like the path is incorrect but I cannot find where that path is set. Anyone got any ideas. > > Techeez on the go so please excuse the spelling. > > I just looked my MailWatch and I don't see the release section at all. (Spam mail have a release section on the bottom). Anyway, you should be able to release quarantined mail in command line, for example: sendmail -t -i < /var/spool/MailScanner/quarantine/20151217/65F7320B9A615.A8F61/message I did not test the above command on mail marked as Virus. Gao From alex at vidadigital.com.pa Wed Jun 8 02:30:15 2016 From: alex at vidadigital.com.pa (Alex Neuman van der Hans) Date: Tue, 7 Jun 2016 21:30:15 -0500 Subject: Mail watch issue In-Reply-To: <575761D2.7010708@pztop.com> References: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> <575761D2.7010708@pztop.com> Message-ID: Probably a permissions issue. Alex Neuman van der Hans Producer/Host, Vida Digital +1 (440) 253-9789 | +507 6781-9505 | Panama |alex at vidadigital.com.pa | http://vidadigital.com.pa/ |Skype: alexneuman > On Jun 7, 2016, at 7:07 PM, Gao wrote: > > > > On 16-06-07 04:54 PM, Philip Parsons wrote: >> I know this is the MailScanner list but I have posted to the mail watch list and there does not seem to be any takers so I am hopping a MailScanner user might have come across this issues as well. >> >> Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it, it looks like the path is incorrect but I cannot find where that path is set. Anyone got any ideas. >> >> Techeez on the go so please excuse the spelling. >> >> > I just looked my MailWatch and I don't see the release section at all. (Spam mail have a release section on the bottom). > > Anyway, you should be able to release quarantined mail in command line, for example: > > sendmail -t -i < /var/spool/MailScanner/quarantine/20151217/65F7320B9A615.A8F61/message > > I did not test the above command on mail marked as Virus. > > Gao > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gao at pztop.com Wed Jun 8 16:09:25 2016 From: gao at pztop.com (Gao) Date: Wed, 8 Jun 2016 09:09:25 -0700 Subject: Mail watch issue In-Reply-To: References: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> <575761D2.7010708@pztop.com> Message-ID: <57584335.4020700@pztop.com> On 16-06-07 07:30 PM, Alex Neuman van der Hans wrote: > Probably a permissions issue. > >> > > > I doubt it's a permission issue, because there is no error logging in the web server log. I looked the PHP code of the detail.php, line 422: foreach ($quarantined as $item) { echo " \n"; // Don't allow message to be released if it is marked as 'dangerous' // Currently this only applies to messages that contain viruses. if ($item['dangerous'] !== "Y" || $_SESSION['user_type'] == 'A') { ... So I think it is designed to not allow release a mail if it is marked as "dangerous" in MailWatch. I think ALL the virus and SOME of spam are labelled as "dangerous". Gao -------------- next part -------------- An HTML attachment was scrubbed... URL: From pparsons at techeez.com Thu Jun 9 00:54:16 2016 From: pparsons at techeez.com (Philip Parsons) Date: Thu, 9 Jun 2016 00:54:16 +0000 Subject: Mail watch issue In-Reply-To: References: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> <575761D2.7010708@pztop.com> Message-ID: <11D8E491D9562549A61FD3186F36342002800A0B11@exchange.techeez.com> I had high hopes for a permission issue but the permissions are set the same as the spam messages which allow me to release. From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans Sent: Tuesday, June 7, 2016 7:30 PM To: MailScanner discussion Subject: Re: Mail watch issue Probably a permissions issue. [logo] Alex Neuman van der Hans Producer/Host, Vida Digital +1 (440) 253-9789 | +507 6781-9505 | Panama |alex at vidadigital.com.pa | http://vidadigital.com.pa/ |Skype: alexneuman [https://s3.amazonaws.com/images.wisestamp.com/icons_32/facebook.png] [https://s3.amazonaws.com/images.wisestamp.com/icons_32/linkedin.png] [https://s3.amazonaws.com/images.wisestamp.com/icons_32/twitter.png] [https://s3.amazonaws.com/images.wisestamp.com/icons_32/pinterest.png] [https://s3.amazonaws.com/images.wisestamp.com/icons_32/youtube.png] [https://s3.amazonaws.com/images.wisestamp.com/icons_32/instagram.png] [https://s3.amazonaws.com/images.wisestamp.com/icons_32/wordpress.png] [https://s3.amazonaws.com/images.wisestamp.com/icons_32/amazon.png] [https://s3.amazonaws.com/webapp.wisestamp.com/XT9yavvmRJaZZvINZFTQ_skype.png] [https://s3.amazonaws.com/webapp.wisestamp.com/wEM3vsigQhq5yev6iwEV_whatsapp.png] On Jun 7, 2016, at 7:07 PM, Gao > wrote: On 16-06-07 04:54 PM, Philip Parsons wrote: I know this is the MailScanner list but I have posted to the mail watch list and there does not seem to be any takers so I am hopping a MailScanner user might have come across this issues as well. Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it, it looks like the path is incorrect but I cannot find where that path is set. Anyone got any ideas. Techeez on the go so please excuse the spelling. I just looked my MailWatch and I don't see the release section at all. (Spam mail have a release section on the bottom). Anyway, you should be able to release quarantined mail in command line, for example: sendmail -t -i < /var/spool/MailScanner/quarantine/20151217/65F7320B9A615.A8F61/message I did not test the above command on mail marked as Virus. Gao -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Thu Jun 9 02:27:44 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 8 Jun 2016 22:27:44 -0400 Subject: Mail watch issue In-Reply-To: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> References: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> Message-ID: "Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it? I am going to go out on a limb here with a really crazy notion ? does the file even exist on the hard drive? Was it actually quarantined? Did you review these settings? # There is no point quarantining most viruses these days as the infected # messages contain no useful content, so if you set this to "no" then no # infections listed in your "Silent Viruses" setting will be quarantined, # even if you have chosen to quarantine infections in general. This is # currently set to "yes" so the behaviour is the same as it was in # previous versions. # This can also be the filename of a ruleset. Quarantine Silent Viruses = no # Do you want to store copies of messages which have been disarmed by # having their HTML modified at all? # This can also be the filename of a ruleset. Quarantine Modified Body = no # Do you want to quarantine the original *entire* message as well as # just the infected attachments? # This can also be the filename of a ruleset. Quarantine Whole Message = no # When you quarantine an entire message, do you want to store it as # raw mail queue files (so you can easily send them onto users) or # as human-readable files (header then body in 1 file)? Quarantine Whole Messages As Queue Files = no - Jerry Benton www.mailborder.com +1 - 844-436-6245 > On Jun 7, 2016, at 7:54 PM, Philip Parsons wrote: > > I know this is the MailScanner list but I have posted to the mail watch list and there does not seem to be any takers so I am hopping a MailScanner user might have come across this issues as well. > > Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it, it looks like the path is incorrect but I cannot find where that path is set. Anyone got any ideas. > > Techeez on the go so please excuse the spelling. > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From mailscanner at replies.cyways.com Thu Jun 9 14:40:35 2016 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Thu, 9 Jun 2016 10:40:35 -0400 Subject: Sharp drop in JScript attacks Message-ID: <57597FE3.7020405@replies.cyways.com> This isn't directly pertinent to MailScanner, but since you all are pretty experienced in fighting malware, I thought I'd ask. I have a healthcare client who was being deluged with JScript attacks. On one day alone, the quarantine directory in MailScanner exceeded 7 GB in size. For weeks MS was blocking thousands of JS files. Now the attacks have abruptly stopped. Has anyone else seen this behavior, or have any ideas about what might have happened? Thanks! Peter From jorgeaaq at gmail.com Thu Jun 9 15:00:38 2016 From: jorgeaaq at gmail.com (Jorge A Arenas Quezada) Date: Thu, 09 Jun 2016 10:00:38 -0500 Subject: Sharp drop in JScript attacks In-Reply-To: <57597FE3.7020405@replies.cyways.com> References: <57597FE3.7020405@replies.cyways.com> Message-ID: <830C0EDB-A652-4C24-869A-8468C6BA6244@gmail.com> I have no answer of what happened but i have the same behavior with some clients Thousands of mails on one day and completely stop the next This has happened in the last two months Jorge Arenas On 6/9/16, 9:40 AM, "MailScanner on behalf of Peter Lemieux" wrote: >This isn't directly pertinent to MailScanner, but since you all are pretty >experienced in fighting malware, I thought I'd ask. > >I have a healthcare client who was being deluged with JScript attacks. On one >day alone, the quarantine directory in MailScanner exceeded 7 GB in size. For >weeks MS was blocking thousands of JS files. Now the attacks have abruptly >stopped. Has anyone else seen this behavior, or have any ideas about what >might have happened? > >Thanks! > >Peter > > >-- >MailScanner mailing list >mailscanner at lists.mailscanner.info >http://lists.mailscanner.info/listinfo/mailscanner > From pparsons at techeez.com Thu Jun 9 15:22:10 2016 From: pparsons at techeez.com (Philip Parsons) Date: Thu, 9 Jun 2016 15:22:10 +0000 Subject: Mail watch issue In-Reply-To: References: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> Message-ID: <11D8E491D9562549A61FD3186F36342002800A33EA@exchange.techeez.com> Thanks Jerry but I have just found the reason. if the virus scanner returns infected status then MailWatch will not let you release the message, this is a feature and not a bug. I'm probably not going to change how this works - even for admins (they should know how to do this from the command-line anyway) as it is too dangerous. -----Original Message----- From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: Wednesday, June 8, 2016 7:28 PM To: MailScanner Discussion Subject: Re: Mail watch issue "Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it? I am going to go out on a limb here with a really crazy notion ? does the file even exist on the hard drive? Was it actually quarantined? Did you review these settings? # There is no point quarantining most viruses these days as the infected # messages contain no useful content, so if you set this to "no" then no # infections listed in your "Silent Viruses" setting will be quarantined, # even if you have chosen to quarantine infections in general. This is # currently set to "yes" so the behaviour is the same as it was in # previous versions. # This can also be the filename of a ruleset. Quarantine Silent Viruses = no # Do you want to store copies of messages which have been disarmed by # having their HTML modified at all? # This can also be the filename of a ruleset. Quarantine Modified Body = no # Do you want to quarantine the original *entire* message as well as # just the infected attachments? # This can also be the filename of a ruleset. Quarantine Whole Message = no # When you quarantine an entire message, do you want to store it as # raw mail queue files (so you can easily send them onto users) or # as human-readable files (header then body in 1 file)? Quarantine Whole Messages As Queue Files = no - Jerry Benton www.mailborder.com +1 - 844-436-6245 > On Jun 7, 2016, at 7:54 PM, Philip Parsons wrote: > > I know this is the MailScanner list but I have posted to the mail watch list and there does not seem to be any takers so I am hopping a MailScanner user might have come across this issues as well. > > Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it, it looks like the path is incorrect but I cannot find where that path is set. Anyone got any ideas. > > Techeez on the go so please excuse the spelling. > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jerry.benton at mailborder.com Thu Jun 9 16:24:36 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 9 Jun 2016 12:24:36 -0400 Subject: Mail watch issue In-Reply-To: <11D8E491D9562549A61FD3186F36342002800A33EA@exchange.techeez.com> References: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> <11D8E491D9562549A61FD3186F36342002800A33EA@exchange.techeez.com> Message-ID: <4141A9F5-1726-4BDB-AC19-75802EBFDCCF@mailborder.com> His approach is flawed as sometimes ClamAV and Sophos identify files as viruses if they contain macros, even when they are not viruses. This is also true for Sane Security signatures. - Jerry Benton www.mailborder.com +1 - 844-436-6245 > On Jun 9, 2016, at 11:22 AM, Philip Parsons wrote: > > Thanks Jerry but I have just found the reason. > > > if the virus scanner returns infected status then > MailWatch will not let you release the message, this is a feature and > not a bug. I'm probably not going to change how this works - even for > admins (they should know how to do this from the command-line anyway) as > it is too dangerous. > > -----Original Message----- > From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Jerry Benton > Sent: Wednesday, June 8, 2016 7:28 PM > To: MailScanner Discussion > Subject: Re: Mail watch issue > > "Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it? > > I am going to go out on a limb here with a really crazy notion ? does the file even exist on the hard drive? Was it actually quarantined? Did you review these settings? > > > # There is no point quarantining most viruses these days as the infected > # messages contain no useful content, so if you set this to "no" then no > # infections listed in your "Silent Viruses" setting will be quarantined, > # even if you have chosen to quarantine infections in general. This is > # currently set to "yes" so the behaviour is the same as it was in > # previous versions. > # This can also be the filename of a ruleset. > Quarantine Silent Viruses = no > > # Do you want to store copies of messages which have been disarmed by > # having their HTML modified at all? > # This can also be the filename of a ruleset. > Quarantine Modified Body = no > > # Do you want to quarantine the original *entire* message as well as > # just the infected attachments? > # This can also be the filename of a ruleset. > Quarantine Whole Message = no > > # When you quarantine an entire message, do you want to store it as > # raw mail queue files (so you can easily send them onto users) or > # as human-readable files (header then body in 1 file)? > Quarantine Whole Messages As Queue Files = no > > > > > - > Jerry Benton > www.mailborder.com > +1 - 844-436-6245 > > > > > > >> On Jun 7, 2016, at 7:54 PM, Philip Parsons wrote: >> >> I know this is the MailScanner list but I have posted to the mail watch list and there does not seem to be any takers so I am hopping a MailScanner user might have come across this issues as well. >> >> Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it, it looks like the path is incorrect but I cannot find where that path is set. Anyone got any ideas. >> >> Techeez on the go so please excuse the spelling. >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From pparsons at techeez.com Thu Jun 9 16:57:14 2016 From: pparsons at techeez.com (Philip Parsons) Date: Thu, 9 Jun 2016 16:57:14 +0000 Subject: Whitelist issue Message-ID: <11D8E491D9562549A61FD3186F36342002800A39B7@exchange.techeez.com> MailScanner version 4.85.2 Using Mailwatch for the whitelisting For the exact same email. The issue I am having is for example whitelsted email comes in at 3:52 is whitelisted whitelsted email comes in at 3:54 does not get whitelisted.. Log entries for whitelisted mail un 2 15:51:54 mailscanner MailScanner[20125]: New Batch: Scanning 1 messages, 13707 bytes Jun 2 15:51:55 mailscanner MailScanner[20125]: Virus and Content Scanning: Starting Jun 2 15:52:29 mailscanner MailScanner[20125]: tag found in message u52Mpria030161 from sales at xxxxxxxx Jun 2 15:52:29 mailscanner MailScanner[20125]: HTML Img tag found in message u52Mpria030161 from sales at xxxxxxxx Jun 2 15:52:29 mailscanner MailScanner[20125]: MCP Checks: Starting Jun 2 15:52:29 mailscanner MailScanner[20125]: Spam Checks: Starting Jun 2 15:52:29 mailscanner MailScanner[20125]: Expired 2 records from the SpamAssassin cache Jun 2 15:52:29 mailscanner MailScanner[20125]: Whitelist refresh time reached Jun 2 15:52:29 mailscanner MailScanner[20125]: Starting up SQL Whitelist Jun 2 15:52:29 mailscanner MailScanner[20125]: Read 6587 whitelist entries Jun 2 15:52:30 mailscanner MailScanner[20125]: Message u52Mpria030161 from 192.168.2.10 (sales at xxxxxxxx) is whitelisted Jun 2 15:52:30 mailscanner MailScanner[20125]: SpamAssassin cache hit for message u52Mpria030161 Jun 2 15:52:30 mailscanner MailScanner[20125]: Message u52Mpria030161 from 192.168.2.10 (sales at xxxxxxxx) to xxxxxxxx is not spam (whitelisted), SpamAssassin (cached, score=5.205, required 5, BAYES_50 0.80, HTML_MESSAGE 1.00, KAM_EU 0.50, MIME_HTML_ONLY 0.72, TVD_RCVD_SINGLE 2.17, T_FILL_THIS_FORM_SHORT 0.01) Jun 2 15:52:30 mailscanner MailScanner[20125]: Delivery of nonspam: message u52Mpria030161 from sales at xxxxxxxx to rodd at xxxxxxxx with subject Connect with Collect! at the ACA International Convention & Expo in Denver Log for spam listed Jun 2 15:53:59 mailscanner MailScanner[16421]: tag found in message u52MrUIa032159 from sales at xxxxxxxx Jun 2 15:53:59 mailscanner MailScanner[16421]: HTML Img tag found in message u52MrUIa032159 from sales at xxxxxxxx Jun 2 15:53:59 mailscanner MailScanner[16421]: MCP Checks: Starting Jun 2 15:53:59 mailscanner MailScanner[16421]: Spam Checks: Starting Jun 2 15:54:07 mailscanner MailScanner[16421]: Message u52MrUIa032159 from 192.168.2.10 (sales at xxxxxxxx) to xxxxxxxx is spam, SpamAssassin (not cached, score=5.205, required 5, BAYES_50 0.80, HTML_MESSAGE 1.00, KAM_EU 0.50, MIME_HTML_ONLY 0.72, TVD_RCVD_SINGLE 2.17, T_FILL_THIS_FORM_SHORT 0.01) Jun 2 15:54:07 mailscanner MailScanner[16421]: Spam Checks: Found 1 spam messages Jun 2 15:54:07 mailscanner MailScanner[16421]: Non-delivery of spam: message u52MrUIa032159 from sales at xxxxxxxx to rodd at xxxxxxxx with subject Connect with Collect! at the ACA International Convention & Expo in Denver Jun 2 15:54:07 mailscanner MailScanner[16421]: Spam Actions: message u52MrUIa032159 actions are store,header Jun 2 15:54:07 mailscanner MailScanner[16421]: Deleted 1 messages from processing-database Jun 2 15:54:07 mailscanner MailScanner[16421]: Logging message u52MrUIa032159 to SQL Jun 2 15:54:07 mailscanner MailScanner[22363]: u52MrUIa032159: Logged to MailWatch SQL Thank you. Philip Parsons -------------- next part -------------- An HTML attachment was scrubbed... URL: From pparsons at techeez.com Thu Jun 9 17:41:31 2016 From: pparsons at techeez.com (Philip Parsons) Date: Thu, 9 Jun 2016 17:41:31 +0000 Subject: Mail watch issue In-Reply-To: <4141A9F5-1726-4BDB-AC19-75802EBFDCCF@mailborder.com> References: <22CA997B-ACE4-4B96-BE2D-C3C411838824@techeez.com> <11D8E491D9562549A61FD3186F36342002800A33EA@exchange.techeez.com> <4141A9F5-1726-4BDB-AC19-75802EBFDCCF@mailborder.com> Message-ID: <11D8E491D9562549A61FD3186F36342002800A3CA0@exchange.techeez.com> Yeah I agree but will have to wait until some coders want to have it changed. -----Original Message----- From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: Thursday, June 9, 2016 9:25 AM To: MailScanner Discussion Subject: Re: Mail watch issue His approach is flawed as sometimes ClamAV and Sophos identify files as viruses if they contain macros, even when they are not viruses. This is also true for Sane Security signatures. - Jerry Benton www.mailborder.com +1 - 844-436-6245 > On Jun 9, 2016, at 11:22 AM, Philip Parsons wrote: > > Thanks Jerry but I have just found the reason. > > > if the virus scanner returns infected status then > MailWatch will not let you release the message, this is a feature and > not a bug. I'm probably not going to change how this works - even for > admins (they should know how to do this from the command-line anyway) as > it is too dangerous. > > -----Original Message----- > From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Jerry Benton > Sent: Wednesday, June 8, 2016 7:28 PM > To: MailScanner Discussion > Subject: Re: Mail watch issue > > "Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it? > > I am going to go out on a limb here with a really crazy notion ? does the file even exist on the hard drive? Was it actually quarantined? Did you review these settings? > > > # There is no point quarantining most viruses these days as the infected > # messages contain no useful content, so if you set this to "no" then no > # infections listed in your "Silent Viruses" setting will be quarantined, > # even if you have chosen to quarantine infections in general. This is > # currently set to "yes" so the behaviour is the same as it was in > # previous versions. > # This can also be the filename of a ruleset. > Quarantine Silent Viruses = no > > # Do you want to store copies of messages which have been disarmed by > # having their HTML modified at all? > # This can also be the filename of a ruleset. > Quarantine Modified Body = no > > # Do you want to quarantine the original *entire* message as well as > # just the infected attachments? > # This can also be the filename of a ruleset. > Quarantine Whole Message = no > > # When you quarantine an entire message, do you want to store it as > # raw mail queue files (so you can easily send them onto users) or > # as human-readable files (header then body in 1 file)? > Quarantine Whole Messages As Queue Files = no > > > > > - > Jerry Benton > www.mailborder.com > +1 - 844-436-6245 > > > > > > >> On Jun 7, 2016, at 7:54 PM, Philip Parsons wrote: >> >> I know this is the MailScanner list but I have posted to the mail watch list and there does not seem to be any takers so I am hopping a MailScanner user might have come across this issues as well. >> >> Everything is working 100% except for when you look at the mail watch list page and an email has been marked as a virus you cannot release it, it looks like the path is incorrect but I cannot find where that path is set. Anyone got any ideas. >> >> Techeez on the go so please excuse the spelling. >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From kimmo at hedman.fi Mon Jun 13 09:34:21 2016 From: kimmo at hedman.fi (Kimmo (CollaMail)) Date: Mon, 13 Jun 2016 09:34:21 +0000 Subject: Custom spamassassin values per user , is it possible ? Message-ID: Hi planning to test mailscanner for first time, i try to dig info that is it possible that user (with MailWatch) could change spamassasin trigger values by themselves from webUI ? And whatabout teaching bayes if some spam gets thru ? Regards, Kimmo -------------- next part -------------- An HTML attachment was scrubbed... URL: From gao at pztop.com Mon Jun 13 16:08:11 2016 From: gao at pztop.com (Gao) Date: Mon, 13 Jun 2016 09:08:11 -0700 Subject: {Disarmed} How to deal with this carefully crafted HTML spam Message-ID: <575EDA6B.2000106@pztop.com> Hi all, There is a type of spam with use carefully crafted HTML to form the message body which always got low score. Is there a better way to filter this out? Here is the email looks like: Here is the email source looks like: Return-Path: X-Original-To: mike at mydomain.com Delivered-To: mike at mydomain.com Received: by zeta.mydomain.com (Postfix, from userid 5001) id 381A32003197E; Mon, 13 Jun 2016 02:41:57 -0700 (PDT) Received-SPF: none (g-narration.com: No applicable sender policy available) receiver=zeta.mydomain.com; identity=mailfrom; envelope-from="noreply at g-narration.com"; helo=g-narration.com; client-ip=210.178.72.8 Received: from g-narration.com (unknown [210.178.72.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by zeta.mydomain.com (Postfix) with ESMTPS id D23582003197B; Mon, 13 Jun 2016 02:41:48 -0700 (PDT) Date: Mon, 13 Jun 2016 11:26:54 +0100 From: Canadian-Meds X-Priority: 3 To: , , Content-Type: multipart/alternative; boundary="7Y696D91821252448Kr" Message-ID: <4C1E46F4.1033858 at g-narration.com> Subject: Throughout the long years of operation our company has become synonymous to quality! MIME-Version: 1.0 X-mydomain-MailScanner-Information: Please contact the IT Administrator for more information X-mydomain-MailScanner-ID: D23582003197B.A3D74 X-mydomain-MailScanner: Found to be clean X-mydomain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=1.969, required 3, BAYES_50 0.80, HTML_MESSAGE 0.00, RCVD_IN_XBL 0.38, RDNS_NONE 0.79) X-mydomain-MailScanner-SpamScore: 1 X-mydomain-MailScanner-From: noreply at g-narration.com X-Spam-Status: No --7Y696D91821252448Kr Content-Type: text/plain; charset="windows-1251"; format=flowed; delsp=yes Content-Transfer-Encoding: quoted-printable =0A=0A=09=09League came up into a-power transmission oil missed, and=0Ai= ncludingtheir views. Meats tableside in i-look sanjaya up that this=0Ajust = didnt. =0A=0A=09=09Me=0A=09=09ds=0A=09=099f=0A=09=09or=0A=09=098M=0A=09=09e= n=0A=0AVi=0ACi=0ACi=0ALe=0APr=0A ag=0Aal=0Aal=0Avi=0Aop=0A ra=0Ais=0Ais=0At= r=0Aec=0A=0A S=0Aa =0Aia=0A=0Aof=0A=0At =0A=0ATa=0A=0Abs=0A=0A $0=0A$1=0A$2= =0A$2=0A$0=0A .9=0A.6=0A.5=0A.5=0A.4=0A 9=0A5=0A0=0A0=0A5=0A=0A=09=09Me=0A= =09=09ds=0A=09=098f=0A=09=09or=0A=09=092W=0A=09=09om=0A=09=09en=0A=0AAc=0AC= l=0ADe=0AFe=0AFe=0A om=0Aom=0Afl=0Ama=0Ama=0A pl=0Aid=0Auc=0Ale=0Ale=0A ia= =0A=0Aan=0A C=0A V=0A=0Aia=0Aia=0A=0Ali=0Agr=0A=0As =0Aa =0A=0A $1=0A$0=0A$= 1=0A$1=0A$0=0A .7=0A.4=0A.2=0A.1=0A.7=0A 5=0A5=0A5=0A1=0A2=0A=0A 24=0ANo=0A= An=0ASp /7=0A p=0Aon=0Aec c=0Are=0Aym=0Aia us=0Asc=0Aou=0Al to=0Ari=0As = =0Ain me=0Apt=0Ade=0Ate r =0Aio=0Ali=0Arn su=0An =0Ave=0Aet pp=0Are=0Ary=0A= p or=0Aqu=0A=0Ari t =0Air=0A=0Ace =0Aed=0A=0As =0A=0A O=0A 1=0A V=0A = F nl=0A00=0Ais=0Aas y =0A% =0Aa,=0At re=0AAu=0AMa=0Awo li=0Ath=0Ast=0Arl a= b=0Aen=0Aer=0Adw le=0Ati=0Aca=0Aid s=0Ac =0Ard=0Ae up=0AMe=0A,E=0Ash pl= =0Ads=0Ach=0Aip ie=0A=0Aec=0Api rs=0A=0Ak =0Ang =0A=0A=09=09>> Enter Here= =20 --7Y696D91821252448Kr Content-Type: text/html; charset="windows-1251" Content-Transfer-Encoding: quoted-printable =0A=0A=0A=0A=0A

=0A=0A=0A=0A=0A

League came up into a-power transmission = oil missed, and includingtheir views. Meats tableside in i-look sanjaya up = that this just didnt.

=0A=0A=0A=0A=0A=0A=0A

=0A=0A=0A=0A

=0A=0A=0A

Vi
C= i
Ci
Le
Pr

ag
al
al
vi
op

ra
is
is
tr
ec

S
a
ia

of


<= /td>

t

  =

Ta


<= /td>