From egobrc at gmail.com Tue Mar 1 23:45:18 2016
From: egobrc at gmail.com (egobrc at gmail.com)
Date: Wed, 2 Mar 2016 00:45:18 +0100
Subject: Which distro?
In-Reply-To: <33015A23-7191-47BA-8D7F-B28476A21DC0@mailborder.com>
References: <56C57227.90907@aregar.it> <201602191906050197.0F507BEB@web.ace.net.au> <56CB2FE1.6020003@aregar.it> <33015A23-7191-47BA-8D7F-B28476A21DC0@mailborder.com>
Message-ID:

For your information, everything went well with CentOS 7. Thank you all for your advice and opinions!

2016-02-22 17:22 GMT+01:00 Jerry Benton :
> a PC and a banana... hah. awesome
>
> -
> Jerry Benton
> www.mailborder.com
> Sent from my iPhone
>
> > On Feb 22, 2016, at 10:57, Manuel Dalla Lana wrote:
> >
> > On 19/02/16 09:36, Peter Nitschke wrote:
> >> I am curious, why does systemd bother you?
> >>
> >> I freaked at first, but after taking a deep breath I find it very good.
> > It's not a "new" command line syntax for system administration that hurts me (jumping from Linux to BSD to OS X to Windows to Android is not a problem), but the overwhelming sensation that the installed server doesn't do what I want it to do and doesn't do it in a predictable way: it has been observed by many (including me) that Linux stability has been reduced a lot by introducing systemd, and making things work is harder now; also add binary logs and a lead developer that doesn't understand the difference between a PC and a banana to the mix, and you get frustrated by only turning on a systemd box.
> >
> > Linux (and all Unixes in general) was built on one good principle: one piece of software shall do one thing and do it well; systemd wants to do everything (from sys init to logging, to IP management, DNS, web server...) and it does them badly.
> >
> > Manuel
> >
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/listinfo/mailscanner
>
>

From tmeireles at electroind.com Thu Mar 3 23:54:50 2016
From: tmeireles at electroind.com (Tiago Meireles)
Date: Thu, 3 Mar 2016 18:54:50 -0500
Subject: Icon files
Message-ID: <021201d175a8$12eea400$38cbec00$@electroind.com>

Hello,

I received a complaint from a software engineer regarding our email server blocking .ico files. I.e., the report:

MailScanner: Possible buffer overflow in Windows (filename.ico)

The only thing I can find regarding this is https://technet.microsoft.com/library/security/ms05-002

Is there anything else that I should be aware of before potentially allowing .ico files?

Thanks,
Tiago

From daniel at kolefors.se Fri Mar 4 14:36:45 2016
From: daniel at kolefors.se (Daniel Malmgren)
Date: Fri, 4 Mar 2016 15:36:45 +0100
Subject: MailScanner scanning everything twice
Message-ID: <56D99D7D.4080000@kolefors.se>

Hi.

I'm completely new to MailScanner (installed it today), so please don't shoot me if this is dead simple. I got everything working, but it seems for some reason all mails are being scanned twice. I suspect this isn't MailScanner's fault, but rather me having set up my postfix in a stupid manner. There are different message IDs for the two mails being scanned. Any hints about what could be wrong? Please tell me what further information could be useful. This is on a Debian 8.3 server, running postfix and dovecot.

This is what I get in my mail.log (domains replaced):
(note that daniel is an alias for malmgren, so all mail to daniel ends up in malmgren's mailbox.
I get the exact same problem when sending directly to malmgren though.)

Mar 4 14:14:16 cube postfix/smtpd[29904]: connect from webadmin.myworkdomain.se[193.42.159.5]
Mar 4 14:14:17 cube postfix/cleanup[29908]: 1B4BD4004F: hold: header Received: from smtp.myworkdomain.se (webadmin.myworkdomain.se [193.42.159.5]) by cube (Postfix) with ESMTPS id 1B4BD4004F for <daniel at myhomedomain.se>; Fri, 4 Mar 2016 14:14:16 +0100 (CET) from webadmin.myworkdomain.se[193.42.159.5]; from=<Daniel.Malmgren at myworkdomain.se> to= proto=ESMTP helo=
Mar 4 14:14:17 cube postfix/cleanup[29908]: 1B4BD4004F: message-id=<1193eba94cd847849abfc1e6e595511a at ucs-ex-02.myworkdomain.se>
Mar 4 14:14:17 cube postfix/smtpd[29904]: disconnect from webadmin.myworkdomain.se[193.42.159.5]
Mar 4 14:14:22 cube MailScanner[29485]: New Batch: Scanning 1 messages, 14054 bytes
Mar 4 14:14:22 cube MailScanner[29485]: Virus and Content Scanning: Starting
Mar 4 14:15:04 cube postfix/smtpd[29904]: connect from localhost[127.0.0.1]
Mar 4 14:15:04 cube postfix/smtpd[29904]: disconnect from localhost[127.0.0.1]
Mar 4 14:15:27 cube MailScanner[29485]: Requeue: 1B4BD4004F.AB70C to EC1A64028E
Mar 4 14:15:27 cube postfix/qmgr[15119]: EC1A64028E: from=, size=13369, nrcpt=1 (queue active)
Mar 4 14:15:27 cube MailScanner[29485]: Uninfected: Delivered 1 messages
Mar 4 14:15:27 cube spamd[9821]: spamd: connection from localhost [127.0.0.1]:47051 to port 783, fd 5
Mar 4 14:15:27 cube spamd[9821]: spamd: setuid to debian-spamd succeeded
Mar 4 14:15:27 cube spamd[9821]: spamd: processing message <1193eba94cd847849abfc1e6e595511a at ucs-ex-02.myworkdomain.se> for debian-spamd:116
Mar 4 14:15:27 cube MailScanner[29485]: Deleted 1 messages from processing-database
Mar 4 14:15:27 cube MailScanner[29485]: Logging message 1B4BD4004F.AB70C to SQL
Mar 4 14:15:35 cube spamd[9821]: spamd: clean message (0.0/5.0) for debian-spamd:116 in 7.9 seconds, 13418 bytes.
Mar 4 14:15:35 cube spamd[9821]: spamd: result: . 0 - HTML_IMAGE_ONLY_32,HTML_MESSAGE,RCVD_IN_DNSWL_NONE scantime=7.9,size=13418,user=debian-spamd,uid=116,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47051,mid=<1193eba94cd847849abfc1e6e595511a at ucs-ex-02.myworkdomain.se>,autolearn=ham autolearn_force=no
Mar 4 14:15:36 cube spamd[4003]: prefork: child states: I
Mar 4 14:15:36 cube postfix/pickup[23000]: 289EE4004F: uid=116 from=
Mar 4 14:15:36 cube postfix/pipe[29946]: EC1A64028E: to=<malmgren at myhomedomain.se>, orig_to=, relay=spamfilter, delay=79, delays=71/0.02/0/8.2, dsn=2.0.0, status=sent (delivered via spamfilter service)
Mar 4 14:15:36 cube postfix/qmgr[15119]: EC1A64028E: removed
Mar 4 14:15:36 cube postfix/cleanup[29908]: 289EE4004F: hold: header Received: by cube (Postfix, from userid 116) id 289EE4004F; Fri, 4 Mar 2016 14:15:35 +0100 (CET) from local; from=<daniel.malmgren at myworkdomain.se> to=
Mar 4 14:15:36 cube postfix/cleanup[29908]: 289EE4004F: message-id=<1193eba94cd847849abfc1e6e595511a at ucs-ex-02.myworkdomain.se>
Mar 4 14:15:43 cube MailScanner[29485]: New Batch: Scanning 1 messages, 14059 bytes
Mar 4 14:15:43 cube MailScanner[29485]: Virus and Content Scanning: Starting
Mar 4 14:16:44 cube MailScanner[29485]: SpamAssassin cache hit for message 289EE4004F.A3592
Mar 4 14:16:44 cube MailScanner[29485]: Requeue: 289EE4004F.A3592 to 7F6B1402AB
Mar 4 14:16:44 cube postfix/qmgr[15119]: 7F6B1402AB: from=, size=13818, nrcpt=1 (queue active)
Mar 4 14:16:44 cube MailScanner[29485]: Uninfected: Delivered 1 messages
Mar 4 14:16:44 cube MailScanner[29485]: Deleted 1 messages from processing-database
Mar 4 14:16:44 cube MailScanner[29485]: Logging message 289EE4004F.A3592 to SQL
Mar 4 14:16:44 cube dovecot: lmtp(30007): Connect from local
Mar 4 14:16:45 cube dovecot: lmtp(30007, malmgren): XKKvNbyK2VY3dQAAs8rsrw: sieve: msgid=<1193eba94cd847849abfc1e6e595511a at ucs-ex-02.myworkdomain.se>: stored mail into mailbox 'Daniel'
Mar 4 14:16:45 cube postfix/lmtp[30006]: 7F6B1402AB: to=<malmgren at myhomedomain.se>, relay=cube[private/dovecot-lmtp], delay=78, delays=77/0.02/0.05/0.91, dsn=2.0.0, status=sent (250 2.0.0 <malmgren at myhomedomain.se> XKKvNbyK2VY3dQAAs8rsrw Saved)
Mar 4 14:16:45 cube dovecot: lmtp(30007): Disconnect from local: Successful quit
Mar 4 14:16:45 cube postfix/qmgr[15119]: 7F6B1402AB: removed

Regards
Daniel Malmgren

From maxsec at gmail.com Fri Mar 4 16:14:36 2016
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 4 Mar 2016 16:14:36 +0000
Subject: MailScanner scanning everything twice
In-Reply-To: <56D99D7D.4080000@kolefors.se>
References: <56D99D7D.4080000@kolefors.se>
Message-ID:

Yeah, I'd take a good look at the setup, as you're also running spamd explicitly as well, rather than the internal calls to SpamAssassin from MailScanner.

What instructions did you use to install MailScanner?

--
Martin Hepworth, CISSP
Oxford, UK

On 4 March 2016 at 14:36, Daniel Malmgren wrote:
> Hi.
> I'm completely new to MailScanner (installed it today), so please don't shoot me if this is dead simple. I got everything working, but it seems for some reason all mails are being scanned twice. I suspect this isn't MailScanner's fault, but rather me having set up my postfix in a stupid manner. There are different message IDs for the two mails being scanned. Any hints about what could be wrong? Please tell me what further information could be useful. This is on a Debian 8.3 server, running postfix and dovecot.
>
> This is what I get in my mail.log (domains replaced):
> (note that daniel is an alias for malmgren, so all mail to daniel ends up in malmgren's mailbox. I get the exact same problem when sending directly to malmgren though.)
>
> [...]
>
> Regards
> Daniel Malmgren

From daniel at kolefors.se Fri Mar 4 16:21:01 2016
From: daniel at kolefors.se (Daniel Malmgren)
Date: Fri, 4 Mar 2016 17:21:01 +0100
Subject: MailScanner scanning everything twice
In-Reply-To:
References: <56D99D7D.4080000@kolefors.se>
Message-ID: <56D9B5ED.7000609@kolefors.se>

I actually think I solved this myself. You're quite correct. I've been running spamd explicitly; I set it up years ago and had completely forgotten. In my master.cf, at the end of the smtp line I had "-o content_filter=spamfilter", and a declaration of spamfilter at the end of the file, calling a shell script, which in turn was calling spamd. Cleaned this up and now it seems things are only filtered once :-)

/Daniel

On 2016-03-04 at 17:14, Martin Hepworth wrote:
> Yeah, I'd take a good look at the setup, as you're also running spamd explicitly as well, rather than the internal calls to SpamAssassin from MailScanner.
>
> What instructions did you use to install MailScanner?
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
> On 4 March 2016 at 14:36, Daniel Malmgren wrote:
> > Hi.
> > I'm completely new to MailScanner (installed it today), so please don't shoot me if this is dead simple. I got everything working, but it seems for some reason all mails are being scanned twice. I suspect this isn't MailScanner's fault, but rather me having set up my postfix in a stupid manner. There are different message IDs for the two mails being scanned. Any hints about what could be wrong? Please tell me what further information could be useful. This is on a Debian 8.3 server, running postfix and dovecot.
> >
> > This is what I get in my mail.log (domains replaced):
> > (note that daniel is an alias for malmgren, so all mail to daniel ends up in malmgren's mailbox. I get the exact same problem when sending directly to malmgren though.)
> >
> > [...]
> >
> > Regards
> > Daniel Malmgren

From steve at mjnservices.com Mon Mar 7 16:25:16 2016
From: steve at mjnservices.com (Steven Jardine)
Date: Mon, 7 Mar 2016 09:25:16 -0700
Subject: Denial Of Service Attack Messages
Message-ID: <56DDAB6C.9010109@mjnservices.com>

I upgraded MailScanner several months ago to v4.85.2-3 and now v4.86.1-1. Often I am getting the error message:

MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/20499/u27Em5eK000564/nmsg-20499-47.html

The file reported in the attack is not there, so I am unable to do any troubleshooting.

I am using an OpenVZ container with Ubuntu 14.04 - 6 CPUs and 12GB RAM. The messages are causing problems with valid mail messages both incoming and outgoing.
Is there a way to disable this feature? Any ideas on how to suppress these messages?

Thanks!
Steve

IMPORTANT: This email does not constitute a contract or an offer or acceptance of an offer to enter into a contract. Further, this email may not be used to modify, supplement, novate, or waive any rights with respect to an existing contract or other binding commercial terms.

From jerry.benton at mailborder.com Mon Mar 7 17:19:41 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 7 Mar 2016 12:19:41 -0500
Subject: Denial Of Service Attack Messages
In-Reply-To: <56DDAB6C.9010109@mjnservices.com>
References: <56DDAB6C.9010109@mjnservices.com>
Message-ID:

Is the HTML parser installed?

-
Jerry Benton
www.mailborder.com
Sent from my iPhone

> On Mar 7, 2016, at 11:25, Steven Jardine wrote:
>
> I upgraded MailScanner several months ago to v4.85.2-3 and now v4.86.1-1. Often I am getting the error message:
>
> MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/20499/u27Em5eK000564/nmsg-20499-47.html
> The file reported in the attack is not there, so I am unable to do any troubleshooting.
>
> I am using an OpenVZ container with Ubuntu 14.04 - 6 CPUs and 12GB RAM. The messages are causing problems with valid mail messages both incoming and outgoing.
>
> Is there a way to disable this feature? Any ideas on how to suppress these messages?
>
> Thanks!
> Steve
From steve at mjnservices.com Mon Mar 7 17:21:54 2016
From: steve at mjnservices.com (Steven Jardine)
Date: Mon, 7 Mar 2016 10:21:54 -0700
Subject: Denial Of Service Attack Messages
In-Reply-To:
References: <56DDAB6C.9010109@mjnservices.com>
Message-ID: <56DDB8B2.50201@mjnservices.com>

Yes. I recently upgraded to 4.86.1-1 and the install log shows:

HTML::Parser => OK

On 03/07/2016 10:19 AM, Jerry Benton wrote:
> Is the HTML parser installed?
>
> -
> Jerry Benton
> www.mailborder.com
> Sent from my iPhone
>
> On Mar 7, 2016, at 11:25, Steven Jardine wrote:
>
>> I upgraded MailScanner several months ago to v4.85.2-3 and now v4.86.1-1. Often I am getting the error message:
>>
>> MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/20499/u27Em5eK000564/nmsg-20499-47.html
>>
>> The file reported in the attack is not there, so I am unable to do any troubleshooting.
>>
>> I am using an OpenVZ container with Ubuntu 14.04 - 6 CPUs and 12GB RAM. The messages are causing problems with valid mail messages both incoming and outgoing.
>>
>> Is there a way to disable this feature? Any ideas on how to suppress these messages?
>>
>> Thanks!
>> Steve
From jerry.benton at mailborder.com Mon Mar 7 17:57:15 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 7 Mar 2016 12:57:15 -0500
Subject: Denial Of Service Attack Messages
In-Reply-To: <56DDB8B2.50201@mjnservices.com>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com>
Message-ID: <0F4B3145-6C42-4CF3-B46E-031024EDB7BB@mailborder.com>

This happens when the scanner times out. You can disable Dangerous Content scanning to eliminate the error.

-
Jerry Benton
www.mailborder.com
Sent from my iPhone

> On Mar 7, 2016, at 12:21, Steven Jardine wrote:
>
> Yes. I recently upgraded to 4.86.1-1 and the install log shows:
>
> HTML::Parser => OK
>
>> On 03/07/2016 10:19 AM, Jerry Benton wrote:
>> Is the HTML parser installed?
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>> Sent from my iPhone
>>
>> On Mar 7, 2016, at 11:25, Steven Jardine wrote:
>>
>>> I upgraded MailScanner several months ago to v4.85.2-3 and now v4.86.1-1. Often I am getting the error message:
>>>
>>> MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/20499/u27Em5eK000564/nmsg-20499-47.html
>>> The file reported in the attack is not there, so I am unable to do any troubleshooting.
>>>
>>> I am using an OpenVZ container with Ubuntu 14.04 - 6 CPUs and 12GB RAM.
>>> The messages are causing problems with valid mail messages both incoming and outgoing.
>>>
>>> Is there a way to disable this feature? Any ideas on how to suppress these messages?
>>>
>>> Thanks!
>>> Steve

From steve at mjnservices.com Mon Mar 7 18:01:41 2016
From: steve at mjnservices.com (Steven Jardine)
Date: Mon, 7 Mar 2016 11:01:41 -0700
Subject: Denial Of Service Attack Messages
In-Reply-To: <0F4B3145-6C42-4CF3-B46E-031024EDB7BB@mailborder.com>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <0F4B3145-6C42-4CF3-B46E-031024EDB7BB@mailborder.com>
Message-ID: <56DDC205.60903@mjnservices.com>

What would cause a timeout? My system is fairly new. I would like to determine the reason for the problem rather than just disable the scan. Any ideas?

On 03/07/2016 10:57 AM, Jerry Benton wrote:
> This happens when the scanner times out. You can disable Dangerous Content scanning to eliminate the error.
>
> -
> Jerry Benton
> www.mailborder.com
> Sent from my iPhone
>
> On Mar 7, 2016, at 12:21, Steven Jardine wrote:
>
>> Yes.
>> I recently upgraded to 4.86.1-1 and the install log shows:
>>
>> HTML::Parser => OK
>>
>> On 03/07/2016 10:19 AM, Jerry Benton wrote:
>>> Is the HTML parser installed?
>>>
>>> -
>>> Jerry Benton
>>> www.mailborder.com
>>> Sent from my iPhone
>>>
>>> On Mar 7, 2016, at 11:25, Steven Jardine wrote:
>>>
>>>> I upgraded MailScanner several months ago to v4.85.2-3 and now v4.86.1-1. Often I am getting the error message:
>>>>
>>>> MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/20499/u27Em5eK000564/nmsg-20499-47.html
>>>>
>>>> The file reported in the attack is not there, so I am unable to do any troubleshooting.
>>>>
>>>> I am using an OpenVZ container with Ubuntu 14.04 - 6 CPUs and 12GB RAM. The messages are causing problems with valid mail messages both incoming and outgoing.
>>>>
>>>> Is there a way to disable this feature? Any ideas on how to suppress these messages?
>>>>
>>>> Thanks!
>>>> Steve
From pparsons at techeez.com Tue Mar 8 00:22:26 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Tue, 8 Mar 2016 00:22:26 +0000
Subject: Question about the Deny Filenames section
Message-ID: <11D8E491D9562549A61FD3186F363420027CFE5CB7@exchange.techeez.com>

Right now I have it set as

Deny Filenames = \.doc$ \.zip$ \.docx$

I want to make it a ruleset, as it states I can, so I can accept those docs from a specific person but deny everyone else. Would it look like this?

From: test at test.com
FromOrTo: default \.doc$ \.zip$ \.docx$

Thank you.
Philip Parsons

From greminn at gmail.com Tue Mar 8 01:41:53 2016
From: greminn at gmail.com (Simon Buchanan)
Date: Tue, 8 Mar 2016 14:41:53 +1300
Subject: Mail server migration and HOLDing mail at Mailscanner
Message-ID:

Hi There,

We have a Mailscanner/postfix setup on CentOS and working well. It delivers mail to two separate mail servers (dovecot and dbmail) depending on the domain (most clients are on our new dovecot platform, a few are on our old dbmail platform).

dovecot is delivered via smtp:xxx.xxx.xxx.xxx
dbmail is delivered via a dbmail-lmtp service: dbmail-lmtp:xxx.xxx.xxx.xxx:24

We are about to perform a lengthy migration of the dbmail server, and need to simply stop Mailscanner processing mail for dbmail until we are back up and running again. Is there any way to do this, or is this a postfix question?

Thanks!
Simon

From mailscanner at replies.cyways.com Tue Mar 8 04:19:31 2016
From: mailscanner at replies.cyways.com (Peter Lemieux)
Date: Mon, 7 Mar 2016 23:19:31 -0500
Subject: Mail server migration and HOLDing mail at Mailscanner
Message-ID: <56DE52D3.5090800@replies.cyways.com>

If the recipient server used SMTP, then Postfix would handle everything itself. It would queue up the mail until the dbmail server came back online and deliver it soon thereafter. All SMTP servers know how to handle outages on the receiving end and queue up mail for later delivery.

Reading a bit of the wiki page for LMTP, it looks pretty similar to ESMTP. I'd bet you'd be fine just bringing the dbmail server down gracefully, but maybe you should run a test. How about bringing down the server late some night when it has low volumes then sending a test message to an account on it from outside? The Postfix logs will tell you what it did with the message both when it arrives and later after the dbmail server is brought back up.

Good luck, Simon!

Peter

On 03/07/2016 08:41 PM, Simon Buchanan wrote:
> [...]
From jerry.benton at mailborder.com Tue Mar 8 04:38:37 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 7 Mar 2016 23:38:37 -0500
Subject: Mail server migration and HOLDing mail at Mailscanner
Message-ID: <32FF6998-A3B8-48B5-B178-D48ECF087F8B@mailborder.com>

If you shut down MailScanner and Postfix, obviously no email will be processed. You can also shut down MailScanner and make sure Postfix is started and it will accept the email and hold it in /var/spool/postfix/hold until you start MailScanner again.

-
Jerry Benton
www.mailborder.com

> On Mar 7, 2016, at 8:41 PM, Simon Buchanan wrote:
> [...]
From jerry.benton at mailborder.com Tue Mar 8 04:53:59 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 7 Mar 2016 23:53:59 -0500
Subject: Question about the Deny Filenames section
In-Reply-To: <11D8E491D9562549A61FD3186F363420027CFE5CB7@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420027CFE5CB7@exchange.techeez.com>
Message-ID: <8C10A8CF-F3F0-4FCD-8DDB-CF0D275811F3@mailborder.com>

This is an example of how Mailborder builds rules:

MailScanner.conf:

    Filename Rules = /etc/MailScanner/frules/filename.rules

filename.rules:

    FromOrTo: linuxref.com /etc/MailScanner/frules/linuxref.com.fn.conf
    FromOrTo: default /etc/MailScanner/frules/default.fn.rules.conf

linuxref.com.fn.conf:

    deny    \.bak$                  -   -
    allow   \.bz2$                  -   -
    deny    \{[a-hA-H0-9-]{25,}\}   -   -
    allow   \.Z$                    -   -
    deny    \s{10,}                 -   -
    deny    \.fdf$                  -   -
    (more rules here)

default.fn.rules.conf:

    (rules listed here)

-
Jerry Benton
www.mailborder.com

> On Mar 7, 2016, at 7:22 PM, Philip Parsons wrote:
> [...]
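The two-level layout Jerry describes (a ruleset that picks a per-sender or per-domain rule file, then allow/deny regexes tried in order until one matches), applied to Philip's question, as an added example that is neither MailScanner's code nor Jerry's: the file contents, the addresses and the trusted.fn.conf name are constructed, and case-insensitive regex matching plus "a bare domain matches every address in it" are assumptions about MailScanner's behaviour.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the files the thread describes (contents assumed, not real config).
# MailScanner.conf points "Filename Rules" at a ruleset; each ruleset line reads
# "<direction>: <address|domain|default> <rule file>" and the first matching line wins.
FILENAME_RULES = """\
From: test@test.com /etc/MailScanner/frules/trusted.fn.conf
FromOrTo: default /etc/MailScanner/frules/default.fn.rules.conf
"""

# Rule files are tab-separated "action<TAB>regex<TAB>log text<TAB>user report text"; "-" = empty.
# Order matters: the first regex that matches decides, so the CLSID deny sits above the allows.
RULE_FILES = {
    "/etc/MailScanner/frules/trusted.fn.conf": (
        "deny\t\\{[a-hA-H0-9-]{25,}\\}\tCLSID in filename\t-\n"
        "allow\t\\.docx?$\t-\t-\n"
        "allow\t\\.zip$\t-\t-\n"
        "allow\t.*\t-\t-\n"
    ),
    "/etc/MailScanner/frules/default.fn.rules.conf": (
        "deny\t\\{[a-hA-H0-9-]{25,}\\}\tCLSID in filename\tAttachment name hides its real type\n"
        "deny\t\\.docx?$\tWord document\tWord documents are not accepted here\n"
        "deny\t\\.zip$\tZip archive\tZip archives are not accepted here\n"
        "allow\t.*\t-\t-\n"
    ),
}


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled filename regex
    log_text: str        # text logged for a match ("" when the file says "-")
    user_text: str       # text for the user report ("" when the file says "-")


def parse_rule_file(text):
    """Parse allow/deny lines in file order; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 3)
        if len(parts) < 2:
            continue  # malformed line: no regex to match on
        log_text = parts[2] if len(parts) > 2 and parts[2] != "-" else ""
        user_text = parts[3] if len(parts) > 3 and parts[3] != "-" else ""
        # Assumption: MailScanner applies filename regexes case-insensitively.
        rules.append(Rule(parts[0].lower(), re.compile(parts[1], re.IGNORECASE),
                          log_text, user_text))
    return rules


def parse_ruleset(text):
    """Return (direction, target, value) triples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        direction, rest = line.split(":", 1)
        target, value = rest.split(None, 1)
        entries.append((direction.strip().lower(), target.lower(), value.strip()))
    return entries


def address_matches(target, address):
    """'default' matches everyone; a full address matches itself; a bare domain or
    '*@domain' matches every address in that domain (assumed ruleset semantics)."""
    if target == "default":
        return True
    address = address.lower()
    domain = address.rsplit("@", 1)[-1]
    return target in (address, domain, "*@" + domain)


def select_rule_file(entries, sender, recipients):
    """First ruleset line whose direction and target match picks the rule file."""
    for direction, target, value in entries:
        candidates = []
        if direction in ("from", "fromorto"):
            candidates.append(sender)
        if direction in ("to", "fromorto"):
            candidates.extend(recipients)
        if any(address_matches(target, a) for a in candidates):
            return value
    return None


def check_attachment(sender, recipients, filename):
    """Return (action, log_text) for one attachment name; the first matching regex wins."""
    path = select_rule_file(parse_ruleset(FILENAME_RULES), sender, recipients)
    if path is None:
        return ("allow", "")  # no ruleset line applied, so nothing to enforce
    for rule in parse_rule_file(RULE_FILES[path]):
        if rule.pattern.search(filename):
            return (rule.action, rule.log_text)
    return ("allow", "")  # rule files conventionally end with a catch-all "allow .*"


if __name__ == "__main__":  # Philip's case: trusted sender allowed, everyone else denied
    print(check_attachment("test@test.com", ["bob@example.org"], "Quote.DOCX"))
    print(check_attachment("eve@example.net", ["bob@example.org"], "invoice.docx"))
```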
From greminn at gmail.com Tue Mar 8 07:09:23 2016
From: greminn at gmail.com (Simon)
Date: Tue, 8 Mar 2016 20:09:23 +1300
Subject: Mail server migration and HOLDing mail at Mailscanner
In-Reply-To: <32FF6998-A3B8-48B5-B178-D48ECF087F8B@mailborder.com>
References: <32FF6998-A3B8-48B5-B178-D48ECF087F8B@mailborder.com>

Thanks for the replies. The problem with shutting down all mail is that it will also stop mail to our dovecot Mail platform, which is not going to be offline for any migration... So 90% of clients will not receive mail so that I can clean up the dbmail server (that has 10% of clients on it).

A fun tip: the dbmail server uses innodb... I have one table which is 650GB.

It's going to take about 2 hours to migrate the DB over to the new MySQL server, after which the table is 70GB. I was just concerned about mail bouncing during that time because it could not deliver to the dbmail server. I might check out postfix retry time..

On Tuesday, 8 March 2016, Jerry Benton wrote:
> [...]
From greminn at gmail.com Tue Mar 8 07:36:16 2016
From: greminn at gmail.com (Simon)
Date: Tue, 8 Mar 2016 20:36:16 +1300
Subject: Mail server migration and HOLDing mail at Mailscanner
References: <32FF6998-A3B8-48B5-B178-D48ECF087F8B@mailborder.com>

As a follow up to this one.. my dbmail transport is called dbmail-lmtp, so adding this to postfix's main.cf:

    defer_transports = dbmail-lmtp

simply set all inbound mail to that transport to the defer queue. Once our dbmail server comes back online and is available for delivery, I can uncomment, reload postfix and flush the queue.

Simon

On Tue, Mar 8, 2016 at 8:09 PM, Simon wrote:
> [...]
From andy at z00b.com Tue Mar 8 10:14:18 2016
From: andy at z00b.com (Andrew Southgate)
Date: Tue, 8 Mar 2016 10:14:18 -0000
Subject: Denial Of Service Attack Messages
In-Reply-To: <56DDC205.60903@mjnservices.com>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <0F4B3145-6C42-4CF3-B46E-031024EDB7BB@mailborder.com> <56DDC205.60903@mjnservices.com>
Message-ID: <06fc01d17923$4d5b2450$e8116cf0$@com>

I get the exact same thing, also running under a VM after I upgraded a few months ago. You can find the emails in question; the path is wrong but they are under /var/spool/MailScanner/quarantine/

I've not yet hunted down where the timeout is to try raising it, although by forwarding one of the deleted emails I had it get deleted once and get through once, so it doesn't seem reliable.

My server is fairly low power (3x atom cores for this VM), but low usage (a handful of domains for friends and family), so I'd thought it may be something to do with that.
From: MailScanner [mailto:mailscanner-bounces+mailscanner=z00b.com at lists.mailscanner.info] On Behalf Of Steven Jardine
Sent: 07 March 2016 18:02
To: MailScanner Discussion
Subject: Re: Denial Of Service Attack Messages

What would cause a timeout? My system is fairly new. I would like to determine the reason for the problem rather than just disable the scan. Any ideas?

On 03/07/2016 10:57 AM, Jerry Benton wrote:

This happens when the scanner times out. You can disable Dangerous Content scanning to eliminate the error.

-
Jerry Benton
www.mailborder.com
Sent from my iPhone

On Mar 7, 2016, at 12:21, Steven Jardine wrote:

[...]
From mvdworp at utelisys.com Tue Mar 8 11:19:45 2016
From: mvdworp at utelisys.com (Mikey van der Worp)
Date: Tue, 8 Mar 2016 12:19:45 +0100
Subject: Fwd: Problem detecting viruses

All,

I have a serious matter where ClamAV detects the virus using Sanesecurity, but MailScanner does not do anything with it. Could somebody please help me?

MailScanner --lint does work with the generated test file..

Logs:

    Tue Mar 8 12:15:09 2016 -> /var/spool/MailScanner/incoming/29595/EFF2815FC7B.A700B.message: Sanesecurity.Jurlbl.688475.UNOFFICIAL(366fc310e59c31692c8ce0c6633894f5:20379) FOUND

But MailScanner does not do anything with it.

Best regards,
Mikey

--
Mikey van der Worp
System Engineer
Utelisys Communications B.V.
Trinity Buildings Tower A, 7th floor
Pietersbergweg 15
1105 BM Amsterdam
M +31 (0) 62 942 2052
T +31 (0) 20 561 8010
F +31 (0) 20 561 8021
https://www.utelisys.com/
From steveb_clamav at sanesecurity.com Tue Mar 8 11:24:18 2016
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Tue, 8 Mar 2016 11:24:18 -0000
Subject: Fwd: Problem detecting viruses
Message-ID: <1ecbfca9818d73be3529f2d61d74515a.squirrel@sirius.servers.eqx.misp.co.uk>

On Tue, March 8, 2016 11:19 am, Mikey van der Worp wrote:
> All,
>
> I have a serious matter where ClamAV detects the virus using Sanesecurity, but MailScanner does not do anything with it. Could somebody please help me?
>

You need spam score mapping, for example:

http://tech-jot.blogspot.co.uk/2015/11/tagging-sanesecurity-matches-as-spam-in.html
http://sanesecurity.com/support/problems/

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity

From mvdworp at utelisys.com Tue Mar 8 11:33:00 2016
From: mvdworp at utelisys.com (Mikey van der Worp)
Date: Tue, 8 Mar 2016 12:33:00 +0100
Subject: Fwd: Problem detecting viruses
References: <1ecbfca9818d73be3529f2d61d74515a.squirrel@sirius.servers.eqx.misp.co.uk>

You're a hero =)!

    Clamd: message was infected: Sanesecurity.Rogue.0hr.20160307-1350.UNOFFICIAL
    Clamd: INVOICE_395041.zip was infected: Sanesecurity.Rogue.0hr.20160307-1350.UNOFFICIAL
    Sophos: >>> Virus 'JS/DwnLdr-NGQ' found in file ./598E93C37D8.A4D94/INVOICE_395041.zip/accent.163016749.js
    Sophos: >>> Virus 'Mal/DrodZp-A' found in file ./598E93C37D8.A4D94/INVOICE_395041.zip

Thank you very much! +1

Mikey van der Worp
System Engineer
Utelisys Communications B.V.

On 03/08/2016 12:24 PM, Steve Basford wrote:
[...]
From jerry.benton at mailborder.com Tue Mar 8 11:49:31 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 8 Mar 2016 06:49:31 -0500
Subject: Denial Of Service Attack Messages
In-Reply-To: <56DDB8B2.50201@mjnservices.com>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com>
Message-ID: <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com>

Just so everyone knows, 4.86.1 is not released. It is beta. It looks like I need to go back through the changes made between the two versions unless someone is seeing this in 4.85.2-3.

-
Jerry Benton
www.mailborder.com

> On Mar 7, 2016, at 12:21 PM, Steven Jardine wrote:
> [...]
From andy at z00b.com Tue Mar 8 11:54:43 2016
From: andy at z00b.com (Andrew Southgate)
Date: Tue, 8 Mar 2016 11:54:43 -0000
Subject: Denial Of Service Attack Messages
In-Reply-To: <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com>
Message-ID: <074b01d17931$55a65ea0$00f31be0$@com>

I'm getting it on 4.85.2-3

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 08 March 2016 11:50
To: MailScanner Discussion
Subject: Re: Denial Of Service Attack Messages

[...]
From jerry.benton at mailborder.com Tue Mar 8 12:18:57 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 8 Mar 2016 07:18:57 -0500
Subject: Denial Of Service Attack Messages
In-Reply-To: <074b01d17931$55a65ea0$00f31be0$@com>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com>

Thanks Andrew.

Could those people seeing this error please check your Perl modules using this script:

https://github.com/MailScanner/v4/blob/master/check_modules.sh

Also make sure your timeout settings in MailScanner.conf are not too short. I cannot remember if I reduced the defaults in MailScanner.conf. I will have to review the changes.

Also please check your logs for as much information as possible and send it to the list. Please try to filter out the important parts and send only that information.

-
Jerry Benton
www.mailborder.com

> On Mar 8, 2016, at 6:54 AM, Andrew Southgate wrote:
>
> I'm getting it on 4.85.2-3
>
> [...]
From andy at z00b.com Tue Mar 8 12:53:50 2016
From: andy at z00b.com (Andrew Southgate)
Date: Tue, 8 Mar 2016 12:53:50 -0000
Subject: Denial Of Service Attack Messages
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com>
Message-ID: <07aa01d17939$977c5660$c6750320$@com>

It's random and sporadic for me, but I haven't had it occur in the last week so I don't have logs for it.

That script gave everything an OK for me, and which timeout is it in MailScanner.conf, the SpamAssassin one?

    SpamAssassin Timeout = 75

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 08 March 2016 12:19
To: MailScanner Discussion
Subject: Re: Denial Of Service Attack Messages

[...]
From it at festa.bg Tue Mar 8 13:08:17 2016
From: it at festa.bg (Valentin Laskov)
Date: Tue, 8 Mar 2016 15:08:17 +0200
Subject: Denial Of Service Attack Messages
In-Reply-To: <07aa01d17939$977c5660$c6750320$@com>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com> <07aa01d17939$977c5660$c6750320$@com>
Message-ID: <56DECEC1.9070600@festa.bg>

Sometimes this occurs just after updating clamav signatures while clamd reloads new signatures.

On 08.03.2016 at 14:53, Andrew Southgate wrote:
> [...]
> > > - > > Jerry Benton > > www.mailborder.com > > On Mar 8, 2016, at 6:54 AM, Andrew Southgate > wrote: > > I'm getting it on 4.85.2-3 > > *From:*MailScanner > [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info]*On > Behalf Of*Jerry Benton > *Sent:*08 March 2016 11:50 > *To:*MailScanner Discussion > *Subject:*Re: Denial Of Service Attack Messages > > Just so everyone knows, 4.86.1 is not released. It is beta. It > looks like I need to go back through the changes made between the > two versions unless someone is seeing this in 4.85.2-3. > > > - > > Jerry Benton > > www.mailborder.com > > On Mar 7, 2016, at 12:21 PM, Steven Jardine > > wrote: > > Yes. I recently upgraded to 4.86.1-1 and the install log shows: > > HTML::Parser => OK > > > On 03/07/2016 10:19 AM, Jerry Benton wrote: > > is the HTML parser installed? > > - > > Jerry Benton > > www.mailborder.com > > Sent from my iPhone > > > On Mar 7, 2016, at 11:25, Steven Jardine > > wrote: > > I upgraded MailScanner several months ago to v4.85.2-3 > and now v4.86.1-1. Often I am getting the error message: > > MailScanner was attacked by a Denial Of Service > attack, and has therefore deleted this part of the > message. Please contact your e-mail providers for > more information if you need it, giving them the > whole of this report. Attack in: > /var/spool/MailScanner/incoming/20499/u27Em5eK000564/nmsg-20499-47.html > > The file reported in the attack is not there so I am > unable to to any troubleshooting. > > I am using a OpenVZ container with Ubuntu 14.04 - 6 > CPUs and 12GB RAM. The messages are causing problems > with valid mail messages both incoming and outgoing. > > Is there a way to disable this feature? Any ideas on > how to suppress these messages? > > > Thanks! > Steve > > *IMPORTANT:*This email does not constitute a contract > or an offer or acceptance of an offer to enter into a > contract. 
> Further, this email may not be used to modify, supplement, novate, or waive any rights with respect to an existing contract or other binding commercial terms.
>
> -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner

-- Tel.: +359 52 669137 GSM: +359 888 669137 Fax: +359 52 669110

From richard at fastnet.co.uk Tue Mar 8 13:25:15 2016
From: richard at fastnet.co.uk (Richard Mealing)
Date: Tue, 8 Mar 2016 13:25:15 +0000
Subject: Denial Of Service Attack Messages
In-Reply-To: <56DECEC1.9070600@festa.bg>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com> <07aa01d17939$977c5660$c6750320$@com> <56DECEC1.9070600@festa.bg>
Message-ID: <6EE47AF64C339A4F8F7F50507241B3795F41CB7C@BTN-EXCHANGE-V1.fastnet.local>

Have you tried

Maximum Processing Attempts = 0 # to disable the rule.

I did this a few years ago as I got these problems. I've never looked back. I used to have to cd /var/db/clamav && rm * && freshclam (then download any extra sigs). It was such an annoyance and I never found the problem. Obviously clamd wasn't liking something, but I used so many extra sigs I couldn't narrow it down.

From: MailScanner [mailto:mailscanner-bounces+richard=fastnet.co.uk at lists.mailscanner.info] On Behalf Of Valentin Laskov
Sent: 08 March 2016 13:08
To: MailScanner Discussion
Subject: Re: Denial Of Service Attack Messages

Sometimes this occurs just after updating clamav signatures while clamd reloads new signatures.

From ricky at teknikservice.nu Tue Mar 8 15:27:18 2016
From: ricky at teknikservice.nu (Ricky Schneberger)
Date: Tue, 8 Mar 2016 16:27:18 +0100
Subject: How to avoid multiple MailScanner signatures
Message-ID: <56DEEF56.4060405@teknikservice.nu>

Hi,

Is it possible to avoid multiple MailScanner signatures in a mail reply chain? I am thinking of having some kind of keyword that will trigger a "non signature" behavior.

Regards
Ricky Schneberger

-- IMPORTANT! This message has been scanned for viruses and phishing links. However, it is your responsibility to evaluate the links and attachments you choose to click. If you are uncertain, we always try to help. Greetings helpdesk at actnet.se

From consult.dmoorthy at apa.org Tue Mar 8 15:45:32 2016
From: consult.dmoorthy at apa.org (Moorthy, Devakumar)
Date: Tue, 8 Mar 2016 15:45:32 +0000
Subject: Trouble configuring MailScanner with exim4
Message-ID:

Hi All,

I'm trying to configure an e-mail server with Ubuntu 14.04.2 LTS as the OS and Exim version 4.82. We wanted to strip attached signature images (*.png or *.jpeg) while sending emails. I went through the procedure as in https://www.mailscanner.info/exim/. After customizing exim4 to run as two separate daemons, I was unable to start the exim4 services. The error I found in the exim4 logs is as follows.

"exim user lost privilege for using -C option"

Please assist me in troubleshooting the error and running exim4 successfully.
Herewith attached exim

Devakumar Moorthy, RHCE | Network System Engineer
Information Technology Services
American Psychological Association

Please consider the environment before printing this email.

From steve at mjnservices.com Tue Mar 8 15:44:56 2016
From: steve at mjnservices.com (Steven Jardine)
Date: Tue, 8 Mar 2016 08:44:56 -0700
Subject: Denial Of Service Attack Messages
In-Reply-To:
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com>
Message-ID: <56DEF378.7080807@mjnservices.com>

I have been getting these errors since my upgrade to 4.85.2-3. I hadn't upgraded for several years prior so I am not sure in which version it started showing up. Check modules shows all OK. I cannot find the messages either in the quarantine or incoming directories. Logs are clean for specific senders I checked. No indication of timeout or errors.

Steve

On 03/08/2016 05:18 AM, Jerry Benton wrote:
> Thanks Andrew.
>
> Could those people seeing this error please check your Perl modules using this script:
>
> https://github.com/MailScanner/v4/blob/master/check_modules.sh
>
> Also make sure your timeout settings in MailScanner.conf are not too short. I cannot remember if I reduced the defaults in MailScanner.conf. I will have to review the changes.
>
> Also please check your logs for as much information as possible and send it to the list. Please try to filter out the important parts and send only that information.
>
> - Jerry Benton www.mailborder.com

IMPORTANT: This email does not constitute a contract or an offer or acceptance of an offer to enter into a contract. Further, this email may not be used to modify, supplement, novate, or waive any rights with respect to an existing contract or other binding commercial terms.

From pparsons at techeez.com Tue Mar 8 17:07:23 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Tue, 8 Mar 2016 17:07:23 +0000
Subject: Question about the Deny Filenames section
Message-ID: <11D8E491D9562549A61FD3186F363420027CFE6A5C@exchange.techeez.com>

Right now I have it set as

Deny Filenames = \.doc$ \.zip$ \.docx$

I want to make it a rule set, as it states I can, so I can accept those docs from a specific person but deny everyone else. Would it look like this?
From: test at test.com
FromOrTo: default \.doc$ \.zip$ \.docx$

Thank you.
Philip Parsons

From kevin.miller at juneau.org Tue Mar 8 18:05:52 2016
From: kevin.miller at juneau.org (Kevin Miller)
Date: Tue, 8 Mar 2016 18:05:52 +0000
Subject: Mail server migration and HOLDing mail at Mailscanner
In-Reply-To:
References: <32FF6998-A3B8-48B5-B178-D48ECF087F8B@mailborder.com>
Message-ID:

I think I'd probably just change the IP address of the server you're upgrading. Your MailScanner box will hold the mail until it can connect again or send an NDR after four days of trying (IIRC). When you're upgraded, just switch the IP address back and run mailq on the MailScanner box.

...Kevin

-- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Simon
Sent: Monday, March 07, 2016 10:09 PM
To: MailScanner Discussion
Subject: Re: Mail server migration and HOLDing mail at Mailscanner

Thanks for the replies. The problem with shutting down all mail is that it will also stop mail to our dovecot mail platform, which is not going to be offline for any migration... So 90% of clients will not receive mail so that I can clean up the dbmail server (that has 10% of clients on it).

A fun tip: the dbmail server uses innodb... I have one table which is 650GB. It's going to take about 2 hours to migrate the DB over to the new MySQL server, after which the table is 70GB. I was just concerned about mail bouncing during that time because it could not deliver to the dbmail server. I might check out the postfix retry time..

On Tuesday, 8 March 2016, Jerry Benton wrote:
> If you shut down MailScanner and Postfix, obviously no email will be processed. You can also shut down MailScanner and make sure Postfix is started and it will accept the email and hold it in /var/spool/postfix/hold until you start MailScanner again.
>
> - Jerry Benton www.mailborder.com
>
> On Mar 7, 2016, at 8:41 PM, Simon Buchanan wrote:
>> Hi There,
>>
>> We have Mailscanner/postfix set up on centos and working well. It delivers mail to two separate mail servers (dovecot and dbmail) depending on the domain (most clients are on our new dovecot platform, a few are on our old dbmail platform).
>>
>> dovecot is delivered via smtp:xxx.xxx.xxx.xxx
>> dbmail is delivered via a dbmail-lmtp service: dbmail-lmtp:xxx.xxx.xxx.xxx:24
>>
>> We are about to perform a lengthy migration of the dbmail server, and need to simply stop Mailscanner processing mail for dbmail until we are back up and running again. Is there any way to do this, or is this a postfix question?
>>
>> Thanks!
>> Simon
>>
>> -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner

From jerry.benton at mailborder.com Tue Mar 8 19:21:47 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 8 Mar 2016 14:21:47 -0500
Subject: Question about the Deny Filenames section
In-Reply-To: <11D8E491D9562549A61FD3186F363420027CFE6A5C@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420027CFE6A5C@exchange.techeez.com>
Message-ID:

I answered this.

- Jerry Benton www.mailborder.com

> On Mar 8, 2016, at 12:07 PM, Philip Parsons wrote:
>
> Right now I have it set as Deny Filenames = \.doc$ \.zip$ \.docx$
>
> I want to make it a rule set as it states I can so I can accept those docs from a specific person but deny everyone else..
>
> Would it look like this?
>
> From: test at test.com
> FromOrTo: default \.doc$ \.zip$ \.docx$
>
> Thank you.
> Philip Parsons
>
> -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner

From mark at msapiro.net Tue Mar 8 19:25:55 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 8 Mar 2016 11:25:55 -0800
Subject: Question about the Deny Filenames section
In-Reply-To: <11D8E491D9562549A61FD3186F363420027CFE6A5C@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420027CFE6A5C@exchange.techeez.com>
Message-ID: <56DF2743.2070202@msapiro.net>

On 03/08/2016 09:07 AM, Philip Parsons wrote:
> Right now I have it set as Deny Filenames = \.doc$ \.zip$ \.docx$
>
> I want to make it a rule set as it states I can so I can accept those docs from a specific person but deny everyone else..
>
> Would it look like this?
>
> From: xxx
> FromOrTo: default \.doc$ \.zip$ \.docx$

Yes.

(Note: I sent this answer yesterday, but it never got out of my server because MailScanner thinks the address that I replaced with 'xxx' above is a phishing address.)

-- Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

From pparsons at techeez.com Tue Mar 8 20:39:33 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Tue, 8 Mar 2016 20:39:33 +0000
Subject: Question about the Deny Filenames section
In-Reply-To: <56DF2743.2070202@msapiro.net>
References: <11D8E491D9562549A61FD3186F363420027CFE6A5C@exchange.techeez.com> <56DF2743.2070202@msapiro.net>
Message-ID: <11D8E491D9562549A61FD3186F363420027CFE6E7D@exchange.techeez.com>

Thanks, I have tried this rule set but it just blocks it all.

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From mark at msapiro.net Tue Mar 8 21:23:23 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 8 Mar 2016 13:23:23 -0800
Subject: Question about the Deny Filenames section
In-Reply-To: <11D8E491D9562549A61FD3186F363420027CFE6E7D@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420027CFE6A5C@exchange.techeez.com> <56DF2743.2070202@msapiro.net> <11D8E491D9562549A61FD3186F363420027CFE6E7D@exchange.techeez.com>
Message-ID: <56DF42CB.1010704@msapiro.net>

On 03/08/2016 12:39 PM, Philip Parsons wrote:
> Thanks I have tried this rule set but it just blocks it all
...
>> From: xxx
>> FromOrTo: default \.doc$ \.zip$ \.docx$

You mean those two lines are in a file something like /etc/MailScanner/rules/deny.filename.rules pointed to by Deny Filenames in your config, and files with those extensions are blocked even if the message is from the xxx address?

If so, I looked at the code, and a rule like

From: user at example.com

should work to provide a null value for the rule when the message is from user at example.com, but what if you try something like

From: user at example.com \.bogus_ext$

Or what about putting

From: user at example.com ^.*$

in a ruleset for Allow Filenames. Or do you already have something in Allow Filenames that might override the Deny Filenames setting (I'm not sure about the interaction between these).

-- Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

From mvdworp at utelisys.com Wed Mar 9 14:29:35 2016
From: mvdworp at utelisys.com (Mikey van der Worp)
Date: Wed, 9 Mar 2016 15:29:35 +0100
Subject: Solutions for huge amount of virusses/spam
Message-ID:

Gentlemen,

One of our customers opened a virus and now 2000+ emails are targeting us, most of them are either spam messages or viruses. Does anybody have a solution for this? Some of the viruses are coming through and some of them don't.
Our current setup is:
* clamav -> with unofficial rules (does not consume any cpu actually)
* spamassassin (with spamhaus etc)
* savscan (consuming a lot of our cpu and does not even detect 30%)
* mailscanner (high scoring spam = 4.0+, low scoring = 3.0)

I am willing to pay for a virus scanner, but if somebody can help me make the better choice of what to use with this: the viruses are the very annoying "invoice" emails. Does anybody suggest McAfee or Norton? Or another one?

Most viruses are actionscripts, doc and executables. We wish not to block the extension as this will block a lot of e-mails outgoing from our customers.

Best regards,
Mikey van der Worp

-- Mikey van der Worp, System Engineer, Utelisys Communications B.V., Trinity Buildings, Tower A, 7th floor, Pietersbergweg 15, 1105 BM Amsterdam. M +31 (0) 62 942 2052 T +31 (0) 20 561 8010 F +31 (0) 20 561 8021 LinkedIn - Facebook www.utelisys.com - https://www.utelisys.com/

From jerry.benton at mailborder.com Wed Mar 9 14:32:36 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 9 Mar 2016 09:32:36 -0500
Subject: Solutions for huge amount of virusses/spam
In-Reply-To:
References:
Message-ID:

Define "virus", as the most popular complaint of viruses making it through are HTML attachments that download ransomware via an iframe, which technically are not viruses (the HTML attachments).

- Jerry Benton www.mailborder.com

> On Mar 9, 2016, at 9:29 AM, Mikey van der Worp wrote:
>
> Gentlemen,
>
> One of our customers opened a virus and now 2000+ emails are targeting us, most of them are either spam messages or viruses. Does anybody have a solution for this? Some of the viruses are coming through and some of them don't.
>
> Our current setup is:
> * clamav -> with unofficial rules (does not consume any cpu actually)
> * spamassassin (with spamhaus etc)
> * savscan (consuming a lot of our cpu and does not even detect 30%)
> * mailscanner (high scoring spam = 4.0+, low scoring = 3.0)

From steveb_clamav at sanesecurity.com Wed Mar 9 14:36:53 2016
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Wed, 9 Mar 2016 14:36:53 -0000
Subject: Solutions for huge amount of virusses/spam
In-Reply-To:
References:
Message-ID:

On Wed, March 9, 2016 2:29 pm, Mikey van der Worp wrote:
> Our current setup is:
> * clamav -> with unofficial rules (does not consume any cpu actually)

Probably best drop me an email off-list, but make sure you are using at the very least...
badmacro.ndb
foxhole_filename.cdb
phish.ndb
rogue.hdb

Cheers,
Steve

Email: steveb_clamav {-a-t-} sanesecurity.com Web : sanesecurity.com Blog: sanesecurity.blogspot.com Twitter: @sanesecurity

From mvdworp at utelisys.com Wed Mar 9 14:36:54 2016
From: mvdworp at utelisys.com (Mikey van der Worp)
Date: Wed, 9 Mar 2016 15:36:54 +0100
Subject: Solutions for huge amount of virusses/spam
References:
Message-ID:

The viruses are attached in a .zip file, and they contain an ActionScript file.

Some logs:

Wed Mar 9 15:24:39 2016 -> /var/spool/MailScanner/incoming/7002/A91471D202E.A81BC/nPayment_2016_March_451756.zip: OK
Wed Mar 9 15:29:28 2016 -> /var/spool/MailScanner/incoming/6913/E59FE1D17EB.AD539/nPayment_2016_March_767582.zip: Sanesecurity.Rogue.0hr.20160309-1152.UNOFFICIAL(749d3ff3f7daba2815c1d185a0e6f045:4463) FOUND
Wed Mar 9 15:29:52 2016 -> /var/spool/MailScanner/incoming/7002/0BFF01D17F6.AC86D/nPayment_2016_March_484985.zip: Sanesecurity.Rogue.0hr.20160309-1353.UNOFFICIAL(93469d8f6d8603b0fd26db4810dc7571:4283) FOUND
Wed Mar 9 15:31:12 2016 -> /var/spool/MailScanner/incoming/7097/9CE631D17CC.AC518/nPayment_2016_March_728879.zip: OK
Wed Mar 9 15:31:25 2016 -> /var/spool/MailScanner/incoming/6551/D8E3A1D17CC.A866B/nPayment_2016_March_733140.zip: OK
Wed Mar 9 15:31:46 2016 -> /var/spool/MailScanner/incoming/7097/337C91D17EB.A306C/nPayment_2016_March_129853.zip: OK
Wed Mar 9 15:32:44 2016 -> /var/spool/MailScanner/incoming/7002/335213C37D3.A8279/nPayment_2016_March_360255.zip: OK

As you can see some of them do get detected and the others do not.

Mikey van der Worp, System Engineer, Utelisys Communications B.V., Trinity Buildings, Tower A, 7th floor, Pietersbergweg 15, 1105 BM Amsterdam. M +31 (0) 62 942 2052 T +31 (0) 20 561 8010 F +31 (0) 20 561 8021 LinkedIn - Facebook www.utelisys.com - https://www.utelisys.com/

On 03/09/2016 03:33 PM, Jerry Benton wrote:
> Define "virus", as the most popular complaint of viruses making it through are HTML attachments that download ransomware via an iframe, which technically are not viruses (the HTML attachments).
>
> - Jerry Benton www.mailborder.com
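Worked example, added here and not part of the thread, of MailScanner or of ClamAV: a small Python script that parses clamd result lines like the ones posted above and reports, per lure-name pattern, how many samples of a campaign the current signature set caught, which is the number an operator wants while deciding whether to add signature databases such as the Sanesecurity ones named in the thread. The sample lines are constructed for the example (seven copied from the post above, plus one clamd ERROR line that is not from the thread, to show that non-verdict lines are skipped rather than counted as clean); the digit-collapsing campaign key is an assumption of this example, not anything clamd or MailScanner does.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of a clamd / clamdscan result line as it appears in clamd's log:
#   Wed Mar  9 15:29:28 2016 -> /path/file.zip: Some.Signature.Name FOUND
#   Wed Mar  9 15:24:39 2016 -> /path/file.zip: OK
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> "
    r"(?P<path>.+?): (?P<result>.+)$"
)
FOUND_RE = re.compile(r"^(?P<sig>\S+) FOUND$")


@dataclass
class ScanResult:
    timestamp: str
    path: str
    filename: str
    signature: Optional[str]  # None when clamd reported OK

    @property
    def detected(self) -> bool:
        return self.signature is not None


def parse_line(line: str) -> Optional[ScanResult]:
    """Parse one clamd result line.

    Returns None for lines that are not a verdict (other log formats, or
    clamd ERROR lines such as a file it could not open), so callers never
    count those as "clean".
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    result = m.group("result")
    signature = None
    if result != "OK":
        f = FOUND_RE.match(result)
        if not f:
            return None
        signature = f.group("sig")
    path = m.group("path")
    return ScanResult(m.group("ts"), path, path.rsplit("/", 1)[-1], signature)


def campaign_key(filename: str) -> str:
    """Collapse digit runs so lure names that differ only by a counter group together (assumed heuristic)."""
    return re.sub(r"\d+", "#", filename)


def coverage_report(lines: List[str]) -> Dict[str, dict]:
    """Per-campaign totals: samples seen, samples caught, and which signatures caught them."""
    report: Dict[str, dict] = {}
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        entry = report.setdefault(
            campaign_key(r.filename),
            {"total": 0, "detected": 0, "signatures": Counter()},
        )
        entry["total"] += 1
        if r.detected:
            entry["detected"] += 1
            entry["signatures"][r.signature] += 1
    return report


def detection_rate(report: Dict[str, dict]) -> float:
    """Fraction of verdict lines that were FOUND, across all campaigns."""
    total = sum(e["total"] for e in report.values())
    found = sum(e["detected"] for e in report.values())
    return found / total if total else 0.0


# Constructed sample: the seven lines quoted in the thread, plus one clamd
# ERROR line (not from the thread) to show that non-verdicts are skipped.
SAMPLE_LOG = [
    "Wed Mar  9 15:24:39 2016 -> /var/spool/MailScanner/incoming/7002/A91471D202E.A81BC/nPayment_2016_March_451756.zip: OK",
    "Wed Mar  9 15:29:28 2016 -> /var/spool/MailScanner/incoming/6913/E59FE1D17EB.AD539/nPayment_2016_March_767582.zip: Sanesecurity.Rogue.0hr.20160309-1152.UNOFFICIAL(749d3ff3f7daba2815c1d185a0e6f045:4463) FOUND",
    "Wed Mar  9 15:29:52 2016 -> /var/spool/MailScanner/incoming/7002/0BFF01D17F6.AC86D/nPayment_2016_March_484985.zip: Sanesecurity.Rogue.0hr.20160309-1353.UNOFFICIAL(93469d8f6d8603b0fd26db4810dc7571:4283) FOUND",
    "Wed Mar  9 15:31:12 2016 -> /var/spool/MailScanner/incoming/7097/9CE631D17CC.AC518/nPayment_2016_March_728879.zip: OK",
    "Wed Mar  9 15:31:25 2016 -> /var/spool/MailScanner/incoming/6551/D8E3A1D17CC.A866B/nPayment_2016_March_733140.zip: OK",
    "Wed Mar  9 15:31:46 2016 -> /var/spool/MailScanner/incoming/7097/337C91D17EB.A306C/nPayment_2016_March_129853.zip: OK",
    "Wed Mar  9 15:32:44 2016 -> /var/spool/MailScanner/incoming/7002/335213C37D3.A8279/nPayment_2016_March_360255.zip: OK",
    "Wed Mar  9 15:33:10 2016 -> /var/spool/MailScanner/incoming/7002/EXAMPLE.00000/nPayment_2016_March_000000.zip: Can't open file or directory ERROR",
]

if __name__ == "__main__":
    rep = coverage_report(SAMPLE_LOG)
    for key, e in rep.items():
        print(f"{key}: {e['detected']}/{e['total']} caught")
        for sig, n in e["signatures"].most_common():
            print(f"    {n}x {sig}")
    print(f"overall detection rate: {detection_rate(rep):.0%}")
```

On the seven real lines this reports 2 of 7 caught, by two different Sanesecurity.Rogue signatures; rerunning it after adding a database lets you measure the change instead of eyeballing the log. Feed it the actual log with something like `coverage_report(open("/var/log/clamav/clamd.log").read().splitlines())`.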
From Antony.Stone at mailscanner.open.source.it Wed Mar 9 14:37:12 2016
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Wed, 9 Mar 2016 15:37:12 +0100
Subject: Solutions for huge amount of virusses/spam
In-Reply-To:
References:
Message-ID: <201603091537.12946.Antony.Stone@mailscanner.open.source.it>

On Wednesday 09 March 2016 at 15:29:35, Mikey van der Worp wrote:
> We wish not to block the extension as this will block a lot of e-mails outgoing from our customers.

1. You can easily set up different blocking rules for inbound and outbound email, to allow your customers to send dubious filenames, but not to receive them.

2. Have you considered that allowing your customers to send attachments with filenames which may be blocked by other people's MailScanners (or similar) might not be a good way of getting the emails through?

Antony.

-- I conclude that there are two ways of constructing a software design: One way is to make it so simple that there are _obviously_ no deficiencies, and the other way is to make it so complicated that there are no _obvious_ deficiencies. - C A R Hoare

Please reply to the list; please *don't* CC me.

From steveb_clamav at sanesecurity.com Wed Mar 9 14:41:10 2016
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Wed, 9 Mar 2016 14:41:10 -0000
Subject: Solutions for huge amount of virusses/spam
In-Reply-To:
References:
Message-ID:

On Wed, March 9, 2016 2:36 pm, Mikey van der Worp wrote:
> The viruses are attached in a .zip file, and they contain an ActionScript file.
>
> Some logs:
>
> Wed Mar 9 15:24:39 2016 -> /var/spool/MailScanner/incoming/7002/A91471D202E.A81BC/nPayment_2016_March_451756.zip: OK

Use: foxhole_filename.cdb:

VPayment_2016_March_463076.zip: Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL FOUND

Cheers,
Steve

Web : sanesecurity.com Blog: sanesecurity.blogspot.com Twitter: @sanesecurity

From mvdworp at utelisys.com Fri Mar 11 10:32:43 2016
From: mvdworp at utelisys.com (Mikey van der Worp)
Date: Fri, 11 Mar 2016 11:32:43 +0100
Subject: Problem with Quarantine
Message-ID:

All,

Today we struggled with the issue "-U" having in /usr/sbin/MailScanner. Unfortunately almost 1000 e-mails were marked as "attempting to kill the mailscanner". Is there a possibility to put them back in the queue and make the server re-scan all these messages whether it's spam or not?

kanchenjunga ~ # ls -l /var/spool/MailScanner/quarantine/20160308/spam/ | wc -l
1102

Best regards,
Mikey

-- Mikey van der Worp, System Engineer, Utelisys Communications B.V., Trinity Buildings, Tower A, 7th floor, Pietersbergweg 15, 1105 BM Amsterdam. M +31 (0) 62 942 2052 T +31 (0) 20 561 8010 F +31 (0) 20 561 8021 LinkedIn - Facebook www.utelisys.com - https://www.utelisys.com/

From heino.backhaus at fink-computer.de Fri Mar 11 11:26:09 2016
From: heino.backhaus at fink-computer.de (Heino Backhaus)
Date: Fri, 11 Mar 2016 12:26:09 +0100
Subject: Problem with Quarantine
In-Reply-To:
References:
Message-ID: <56E2AB51.4000600@fink-computer.de>

Hi Mikey,

please check this in Mailscanner.conf:

# When you quarantine an entire message, do you want to store it as
# raw mail queue files (so you can easily send them onto users) or
# as human-readable files (header then body in 1 file)?
Quarantine Whole Messages As Queue Files = no

Best Regards
Heino

On 11.03.2016 at 11:32, Mikey van der Worp wrote:
> All,
>
> Today we struggled with the issue "-U" having in /usr/sbin/MailScanner.
> Unfortunately almost 1000 e-mails were marked as "attempting to kill the
> mailscanner". Is there a possibility to put them back in the queue and
> make the server re-scan all these messages, whether it's spam or not?
>
> kanchenjunga ~ # ls -l /var/spool/MailScanner/quarantine/20160308/spam/ | wc -l
> 1102
>
> Best regards,
> Mikey

-- 
Kind regards

H. Backhaus

Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backhaus at fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Fon: +49-641-98444640
UST-ID: DE151040770
HRB: 2143 Gießen
GF: Fredi Fink

"In retrospect it becomes clear that hindsight is definitely overrated!"
-Alfred E. Neumann

From mvdworp at utelisys.com Fri Mar 11 11:30:19 2016
From: mvdworp at utelisys.com (Mikey van der Worp)
Date: Fri, 11 Mar 2016 12:30:19 +0100
Subject: Problem with Quarantine
References: <56E2AB51.4000600@fink-computer.de>
Message-ID: 

What is the point of making this change? I am asking if it is possible to do it now with my whole spam folder.

Mikey van der Worp
System Engineer
Utelisys Communications B.V.
On 03/11/2016 12:26 PM, Heino Backhaus wrote:

> Hi Mikey,
>
> please check this in Mailscanner.conf:
>
> # When you quarantine an entire message, do you want to store it as
> # raw mail queue files (so you can easily send them onto users) or
> # as human-readable files (header then body in 1 file)?
> Quarantine Whole Messages As Queue Files = no
>
> Best Regards
> Heino

From heino.backhaus at fink-computer.de Fri Mar 11 11:49:32 2016
From: heino.backhaus at fink-computer.de (Heino Backhaus)
Date: Fri, 11 Mar 2016 12:49:32 +0100
Subject: Problem with Quarantine
In-Reply-To: 
References: <56E2AB51.4000600@fink-computer.de>
Message-ID: <56E2B0CC.9030107@fink-computer.de>

no, you get me wrong...
Just check if it's set to yes or no. If it's set to yes, check if "Quarantine Whole Message = " is set to yes too.
If so, it should be a case of copying the files into the postfix hold directory, which is /var/spool/postfix/hold/ on my system. Assuming that you're using postfix. Try this with one message first :)

Best Regards
Heino

On 11.03.2016 at 12:30, Mikey van der Worp wrote:

> What is the point of making this change? I am asking if it is possible
> to do it now with my whole spam folder.
From mvdworp at utelisys.com Fri Mar 11 12:30:42 2016
From: mvdworp at utelisys.com (Mikey van der Worp)
Date: Fri, 11 Mar 2016 13:30:42 +0100
Subject: Problem with Quarantine
References: <56E2AB51.4000600@fink-computer.de> <56E2B0CC.9030107@fink-computer.de>
Message-ID: 

Unfortunately this was disabled. Is there still a way to release them?

Mikey van der Worp
System Engineer
Utelisys Communications B.V.

On 03/11/2016 12:50 PM, Heino Backhaus wrote:

> no, you get me wrong...
> Just check if it's set to yes or no. If it's set to yes, check if
> "Quarantine Whole Message = " is set to yes too. If so, it should be a
> case of copying the files into the postfix hold directory, which is
> /var/spool/postfix/hold/ on my system. Assuming that you're using
> postfix. Try this with one message first :)
>
> Best Regards
> Heino
From heino.backhaus at fink-computer.de Fri Mar 11 13:30:30 2016
From: heino.backhaus at fink-computer.de (Heino Backhaus)
Date: Fri, 11 Mar 2016 14:30:30 +0100
Subject: Problem with Quarantine
In-Reply-To: 
References: <56E2AB51.4000600@fink-computer.de> <56E2B0CC.9030107@fink-computer.de>
Message-ID: <56E2C876.5050304@fink-computer.de>

try:

sendmail -t < /var/spool/MailScanner/quarantine/20160311/spam/850CD189AEE.A6C01

for example...

On 11.03.2016 at 13:30, Mikey van der Worp wrote:

> Unfortunately this was disabled. Is there still a way to release them?

From mark at msapiro.net Fri Mar 11 17:12:54 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 11 Mar 2016 09:12:54 -0800
Subject: Problem with Quarantine
In-Reply-To: <56E2C876.5050304@fink-computer.de>
References: <56E2AB51.4000600@fink-computer.de> <56E2B0CC.9030107@fink-computer.de> <56E2C876.5050304@fink-computer.de>
Message-ID: <56E2FC96.6000705@msapiro.net>

On 03/11/2016 05:30 AM, Heino Backhaus wrote:
> try:
> sendmail -t <
> /var/spool/MailScanner/quarantine/20160311/spam/850CD189AEE.A6C01
> for example...

This is probably a bad idea. '-t' will resend the message to all the To: and Cc: addresses in the message.
Some of these will already have been delivered, perhaps to other domains, and the address this one was for may not even be in To: or Cc:

Using as an example a message on my system that's at /var/spool/MailScanner/quarantine/20160310/spam/3B32011E135F.AF313, and assuming Postfix, if you grep your mail log for 3B32011E135F (without the .AF313 part) you will see several hits including the one from the message being put in the hold queue. This will look something like

Mar 10 04:43:02 sbh16 postfix/cleanup[4776]: 3B32011E135F: hold: header Received: from allworld.modwest.com (allworld.modwest.com [204.11.244.235])??(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))??(No client certificate requested)??by sbh16.songbird.com (Postfix) from allworld.modwest.com[204.11.244.235]; from= to= proto=ESMTP helo=

Something like

grep '3B32011E135F.*to=<' /var/log/mail.log

will return that and

grep '3B32011E135F.*to=<' /var/log/mail.log | sed -e 's/.*to=<\([^>]*\)>.*/\1/'

will return just the recipient address.

Using this, you should be able to put together some scripts that will list the file names in the relevant quarantine folder, find the recipients of the messages and put that together to do a "sendmail recipient_address < file_name" command.

-- 
Mark Sapiro                                The highway is for gamblers,
San Francisco Bay Area, California         better use your sense - B. Dylan

From kevin.miller at juneau.org Fri Mar 11 20:26:52 2016
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 11 Mar 2016 20:26:52 +0000
Subject: cron.daily files
Message-ID: <1d1474b27bcc4f6a982a915a9d0276ed@City-Exch-DB1.cbj.local>

In the MailWatch list I recently posted that some scripts in cron.daily weren't running by the scheduler, but ran just fine from the CLI. It turns out that Debian does not allow '.' in the filename of a cron job stored in /etc/cron.(d|daily|weekly|monthly). It's actually a run-parts issue.
From the run-parts man page:

    If neither the --lsbsysinit option nor the --regex option is given then
    the names must consist entirely of ASCII upper- and lower-case letters,
    ASCII digits, ASCII underscores, and ASCII minus-hyphens.

I don't think the MailScanner install script puts anything in the cron.X directories with "." in it, but in the ChangeLog file is the following entry:

    Another good ruleset to add to your setup is
    http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
    To download this automatically every night, fetch
    http://www.mailscanner.info/files/4/KAM.cf.sh and put it in /etc/cron.daily
    and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").

If anyone is using Debian (or other distros that behave similarly) and the KAM ruleset you may want to rename KAM.cf.sh, taking out the "." characters. A new note in the Changelog might be in order as well.

...Kevin
-- 
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

From iversons at rushville.k12.in.us Fri Mar 11 20:30:32 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 11 Mar 2016 15:30:32 -0500
Subject: cron.daily files
In-Reply-To: <1d1474b27bcc4f6a982a915a9d0276ed@City-Exch-DB1.cbj.local>
References: <1d1474b27bcc4f6a982a915a9d0276ed@City-Exch-DB1.cbj.local>
Message-ID: 

That explains a lot. Thanks!

On Fri, Mar 11, 2016 at 3:26 PM, Kevin Miller wrote:

> In the MailWatch list I recently posted that some scripts in cron.daily
> weren't running by the scheduler, but ran just fine from the CLI. It turns
> out that Debian does not allow '.' in the filename of a cron job stored in
> /etc/cron.(d|daily|weekly|monthly). It's actually a run-parts issue.
-- 
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner

From mark at msapiro.net Fri Mar 11 21:43:20 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 11 Mar 2016 13:43:20 -0800
Subject: cron.daily files
In-Reply-To: <1d1474b27bcc4f6a982a915a9d0276ed@City-Exch-DB1.cbj.local>
References: <1d1474b27bcc4f6a982a915a9d0276ed@City-Exch-DB1.cbj.local>
Message-ID: <56E33BF8.6090500@msapiro.net>

On 03/11/2016 12:26 PM, Kevin Miller wrote:
> In the MailWatch list I recently posted that some scripts in cron.daily
> weren't running by the scheduler, but ran just fine from the CLI.
> It turns out that Debian does not allow '.' in the filename of a cron
> job stored in /etc/cron.(d|daily|weekly|monthly). It's actually a
> run-parts issue.
> From the run-parts man page:
> If neither the --lsbsysinit option nor the --regex option is given then
> the names must consist entirely of ASCII upper- and lower-case letters,
> ASCII digits, ASCII underscores, and ASCII minus-hyphens.

Thanks for the heads-up. I actually run (my own slightly modified version of) KAM.cf.sh daily, but I run it and several other crons from root's own crontab because I want more control over the timing. I don't want KAM.cf.sh and other spamassassin updates which can run sa-compile running at the same time.

-- 
Mark Sapiro                                The highway is for gamblers,
San Francisco Bay Area, California         better use your sense - B. Dylan

From iversons at rushville.k12.in.us Sun Mar 13 20:28:24 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 13 Mar 2016 16:28:24 -0400
Subject: Net-DNS perf issues
Message-ID: 

Just a heads up...

I tried Net::DNS v1.04 and v1.05 today with latest MS. Performance was downright awful and MailScanner --lint was taking about 8x longer than normal. Took me a while to isolate this...

I reverted back to Net::DNS 0.65 that comes with CentOS 6.7

Not sure if it affects other distros, but thought I would give a heads up.

-- 
Shawn Iverson
Director of Technology
Rush County Schools
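A way to script what Mark Sapiro describes in the quarantine thread above, as an added example that is not a script from the list: look up each quarantine file's Postfix queue ID in the mail log, pull the to=<...> recipients, and print one sendmail command per recipient for review instead of resending with -t. The quarantine directory, log lines and addresses are constructed sample data; the log format is the Postfix "hold: header" line he quotes, and -i is assumed to be wanted so sendmail does not stop at a line holding a lone dot.

```shell
#!/bin/sh
# Added example (not the list's own script): rebuild "sendmail <rcpt> < <file>"
# commands for MailScanner quarantine files from the Postfix mail log.
# Nothing is sent; the commands are printed so they can be checked first.

# Recipients Postfix logged for one queue ID, one per line, deduplicated.
# Usage: recipients_for_qid QUEUE_ID MAIL_LOG
recipients_for_qid() {
    local qid="$1" log="$2"
    # keep only this queue ID's lines that carry a to=<...> field,
    # then keep just the address between the angle brackets
    grep "${qid}: .*to=<" "$log" \
        | sed -e 's/.*to=<\([^>]*\)>.*/\1/' \
        | sort -u
}

# Postfix queue ID from a quarantine file name:
# 3B32011E135F.AF313 -> 3B32011E135F (the .AF313 part is MailScanner's).
qid_from_filename() {
    basename "$1" | sed -e 's/\..*$//'
}

# For every file in a quarantine directory print one line per recipient:
#   sendmail -i <recipient> < <file>
# Files with no matching log entry get a commented-out marker line instead,
# so nothing is silently skipped. -i stops sendmail from ending the message
# at a line containing a single dot (assumed to be wanted here).
# Usage: build_release_commands QUARANTINE_DIR MAIL_LOG
build_release_commands() {
    local qdir="$1" log="$2" f qid rcpts rcpt
    for f in "$qdir"/*; do
        [ -f "$f" ] || continue
        qid=$(qid_from_filename "$f")
        rcpts=$(recipients_for_qid "$qid" "$log")
        if [ -z "$rcpts" ]; then
            printf '# no recipient found in %s for %s (queue id %s)\n' "$log" "$f" "$qid"
            continue
        fi
        printf '%s\n' "$rcpts" | while IFS= read -r rcpt; do
            printf 'sendmail -i %s < %s\n' "$rcpt" "$f"
        done
    done
}

# Constructed sample data so the example runs stand-alone: two quarantine
# files and a log in the shape Postfix writes when cleanup holds a message.
make_sample() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/spam"
    : > "$d/spam/3B32011E135F.AF313"
    : > "$d/spam/7A1B2C3D4E5F.B1234"   # constructed; no log line for it
    cat > "$d/mail.log" <<'EOF'
Mar 10 04:43:02 sbh16 postfix/cleanup[4776]: 3B32011E135F: hold: header Received: from mx.example.net (mx.example.net [192.0.2.10]) by sbh16.example.com (Postfix) from mx.example.net[192.0.2.10]; from=<sender@example.net> to=<user@example.com> proto=ESMTP helo=<mx.example.net>
Mar 10 04:43:02 sbh16 postfix/cleanup[4776]: 3B32011E135F: message-id=<20160310044300.abc@example.net>
Mar 10 04:43:03 sbh16 postfix/qmgr[1234]: 3B32011E135F: from=<sender@example.net>, size=1234, nrcpt=1 (queue active)
EOF
    printf '%s\n' "$d"
}

# Demo: print the release commands for the constructed sample.
sample=$(make_sample)
build_release_commands "$sample/spam" "$sample/mail.log"
```

Run it against a real quarantine day with the real mail log only after reading the printed commands; piping them into sh is the step that actually resends.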
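A check for the run-parts naming rule Kevin quotes above, as an added example rather than anything from the thread: list the files in a cron.* directory that run-parts would silently skip, and show the rename that drops the offending characters. The sample directory and file names are constructed; the accepted character set is the one from the man page text above.

```shell
#!/bin/sh
# Added example (not from the thread): find files in a cron.* directory that
# run-parts will skip because their names contain characters outside
# [A-Za-z0-9_-], which is what happened with KAM.cf.sh above.

# 0 if NAME satisfies run-parts' default name rule, 1 otherwise.
run_parts_accepts() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Names in DIR that run-parts would skip, one per line.
# Usage: cron_skipped_names /etc/cron.daily
cron_skipped_names() {
    local dir="$1" f name
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        run_parts_accepts "$name" || printf '%s\n' "$name"
    done
}

# A rename candidate: the same name with every rejected character dropped
# (KAM.cf.sh -> KAMcfsh).
run_parts_safe_name() {
    printf '%s\n' "$1" | sed -e 's/[^A-Za-z0-9_-]//g'
}

# Constructed sample directory so the example runs without touching /etc.
make_sample_cron_dir() {
    local d
    d=$(mktemp -d)
    : > "$d/KAM.cf.sh"            # would be skipped
    : > "$d/mailscanner_update"   # fine
    : > "$d/0anacron"             # fine
    printf '%s\n' "$d"
}

# Demo: report what run-parts would skip in the constructed directory.
d=$(make_sample_cron_dir)
cron_skipped_names "$d"
```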
From andy at z00b.com Mon Mar 14 10:48:34 2016
From: andy at z00b.com (Andrew Southgate)
Date: Mon, 14 Mar 2016 10:48:34 -0000
Subject: Denial Of Service Attack Messages
In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795F41CB7C@BTN-EXCHANGE-V1.fastnet.local>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com> <07aa01d17939$977c5660$c6750320$@com> <56DECEC1.9070600@festa.bg> <6EE47AF64C339A4F8F7F50507241B3795F41CB7C@BTN-EXCHANGE-V1.fastnet.local>
Message-ID: <008e01d17ddf$15aa8210$40ff8630$@com>

Maximum Processing Attempts = 0

I set that, restarted MailScanner and have just had another DoS message

Mar 14 10:19:31 hermes MailScanner[17065]: Blacklist refresh time reached
Mar 14 10:19:31 hermes MailScanner[17065]: Starting up SQL Blacklist
Mar 14 10:19:31 hermes MailScanner[17065]: Read 12 blacklist entries
Mar 14 10:19:35 hermes MailScanner[17065]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 73AC282B1055.AFD69 from
Mar 14 10:19:35 hermes MailScanner[17065]: Requeue: 73AC282B1055.AFD69 to 1C3D582B105F
Mar 14 10:19:35 hermes MailScanner[17065]: Uninfected: Delivered 1 messages
Mar 14 10:19:35 hermes postfix/qmgr[40123]: 1C3D582B105F: fromsize=40013, nrcpt=1 (queue active)
Mar 14 10:19:37 hermes postfix/smtp[18564]: 1C3D582B105F: to, relay=:25, delay=38, delays=35/0.03/0.61/1.8, dsn=2.6.0, status=sent (250 2.6.0 <006501d17dda$ed219a80$c764cf80$@com> [InternalId=74135430497647, Hostname=] 27900 bytes in 0.276, 98.491 KB/sec Queued mail for delivery)
Mar 14 10:19:37 hermes postfix/qmgr[40123]: 1C3D582B105F: removed

For anyone who wanted a maillog of it happening.

the message contents became:

MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report.
Attack in: /var/spool/MailScanner/incoming/17065/73AC282B1055.AFD69/nmsg-17065-2.html

I don't want to include the source email but it was just a random conversation with my other half and nothing particularly special

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Richard Mealing
Sent: 08 March 2016 13:25
To: MailScanner Discussion
Subject: RE: Denial Of Service Attack Messages

Have you tried -

Maximum Processing Attempts = 0 # to disable the rule.

I did this a few years ago as I got these problems. I've never looked back.

I used to have to cd /var/db/clamav && rm * && freshclam (then download any extra sigs).

It was such an annoyance and I never found the problem. Obviously clamd wasn't liking something, but I used so many extra sigs I couldn't narrow it down.

From: MailScanner [mailto:mailscanner-bounces+richard=fastnet.co.uk at lists.mailscanner.info] On Behalf Of Valentin Laskov
Sent: 08 March 2016 13:08
To: MailScanner Discussion
Subject: Re: Denial Of Service Attack Messages

Sometimes this occurs just after updating clamav signatures while clamd reloads new signatures.

On 08.03.2016 at 14:53, Andrew Southgate wrote:

It's random and sporadic for me, but I haven't had it occur in the last week so I don't have logs for it.

That script gave everything an OK for me, and which timeout is it in MailScanner.conf, the SpamAssassin one?

SpamAssassin Timeout = 75

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 08 March 2016 12:19
To: MailScanner Discussion
Subject: Re: Denial Of Service Attack Messages

Thanks Andrew.

Could those people seeing this error please check your Perl modules using this script:

https://github.com/MailScanner/v4/blob/master/check_modules.sh

Also make sure your timeout settings in MailScanner.conf are not too short. I cannot remember if I reduced the defaults in MailScanner.conf. I will have to review the changes.
Also please check your logs for as much information as possible and send it to the list. Please try to filter out the important parts and send only that information.

-
Jerry Benton
www.mailborder.com

On Mar 8, 2016, at 6:54 AM, Andrew Southgate wrote:

I'm getting it on 4.85.2-3

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 08 March 2016 11:50
To: MailScanner Discussion
Subject: Re: Denial Of Service Attack Messages

Just so everyone knows, 4.86.1 is not released. It is beta. It looks like I need to go back through the changes made between the two versions unless someone is seeing this in 4.85.2-3.

-
Jerry Benton
www.mailborder.com

On Mar 7, 2016, at 12:21 PM, Steven Jardine wrote:

Yes. I recently upgraded to 4.86.1-1 and the install log shows:

HTML::Parser => OK

On 03/07/2016 10:19 AM, Jerry Benton wrote:

is the HTML parser installed?

-
Jerry Benton
www.mailborder.com
Sent from my iPhone

On Mar 7, 2016, at 11:25, Steven Jardine <steve at mjnservices.com> wrote:

I upgraded MailScanner several months ago to v4.85.2-3 and now v4.86.1-1. Often I am getting the error message:

MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report.

Attack in: /var/spool/MailScanner/incoming/20499/u27Em5eK000564/nmsg-20499-47.html

The file reported in the attack is not there so I am unable to do any troubleshooting.

I am using an OpenVZ container with Ubuntu 14.04 - 6 CPUs and 12GB RAM. The messages are causing problems with valid mail messages both incoming and outgoing.

Is there a way to disable this feature? Any ideas on how to suppress these messages?

Thanks!
Steve

IMPORTANT: This email does not constitute a contract or an offer or acceptance of an offer to enter into a contract.
Further, this email may not be used to modify, supplement, novate, or waive any rights with respect to an existing contract or other binding commercial terms.

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner

From iversons at rushville.k12.in.us Mon Mar 14 11:42:49 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 14 Mar 2016 07:42:49 -0400
Subject: Denial Of Service Attack Messages
In-Reply-To: <008e01d17ddf$15aa8210$40ff8630$@com>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com> <07aa01d17939$977c5660$c6750320$@com> <56DECEC1.9070600@festa.bg> <6EE47AF64C339A4F8F7F50507241B3795F41CB7C@BTN-EXCHANGE-V1.fastnet.local> <008e01d17ddf$15aa8210$40ff8630$@com>
Message-ID: 

That doesn't look like a DoS message to me. It looks like an HTML tag disarm message.
On Mon, Mar 14, 2016 at 6:48 AM, Andrew Southgate wrote:

> Maximum Processing Attempts = 0
>
> I set that, restarted MailScanner and have just had another DoS message
>
> Mar 14 10:19:31 hermes MailScanner[17065]: Blacklist refresh time reached
> Mar 14 10:19:31 hermes MailScanner[17065]: Starting up SQL Blacklist
> Mar 14 10:19:31 hermes MailScanner[17065]: Read 12 blacklist entries
> Mar 14 10:19:35 hermes MailScanner[17065]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in 73AC282B1055.AFD69 from
> Mar 14 10:19:35 hermes MailScanner[17065]: Requeue: 73AC282B1055.AFD69 to
> 1C3D582B105F
> Mar 14 10:19:35 hermes MailScanner[17065]: Uninfected: Delivered 1 messages
> Mar 14 10:19:35 hermes postfix/qmgr[40123]: 1C3D582B105F:
> fromsize=40013, nrcpt=1 (queue active)
> Mar 14 10:19:37 hermes postfix/smtp[18564]: 1C3D582B105F: to,
> relay=:25, delay=38, delays=35/0.03/0.61/1.8, dsn=2.6.0,
> status=sent (250 2.6.0 <006501d17dda$ed219a80$c764cf80$@com>
> [InternalId=74135430497647, Hostname=] 27900 bytes in 0.276,
> 98.491 KB/sec Queued mail for delivery)
> Mar 14 10:19:37 hermes postfix/qmgr[40123]: 1C3D582B105F: removed
>
> For anyone who wanted a maillog of it happening.
>
> the message contents became:
>
> MailScanner was attacked by a Denial Of Service attack, and has therefore
> deleted this part of the message. Please contact your e-mail providers for
> more information if you need it, giving them the whole of this report.
> Attack in:
> /var/spool/MailScanner/incoming/17065/73AC282B1055.AFD69/nmsg-17065-2.html
>
> I don't want to include the source email but it was just a random
> conversation with my other half and nothing particularly special
> > ???.: +359 52 669137 > > GSM: +359 888 669137 > > Fax: +359 52 669110 > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > -- Shawn Iverson Director of Technology Rush County Schools 765-932-3901 x271 iversons at rushville.k12.in.us -------------- next part -------------- An HTML attachment was scrubbed... URL: From andy at z00b.com Mon Mar 14 12:07:26 2016 From: andy at z00b.com (Andrew Southgate) Date: Mon, 14 Mar 2016 12:07:26 -0000 Subject: Denial Of Service Attack Messages In-Reply-To: References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com> <07aa01d17939$977c5660$c6750320$@com> <56DECEC1.9070600@festa.bg> <6EE47AF64C339A4F8F7F50507241B3795F41CB7C@BTN-EXCHANGE-V1.fastnet.local> <008e01d17ddf$15aa8210$40ff8630$@com> Message-ID: <00d601d17dea$1ad60d30$50822790$@com> but an HTML tag disarm shouldnt replace the contents of the email with "MailScanner was attacked by a Denial Of Service attack..." should it ? From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Shawn Iverson Sent: 14 March 2016 11:43 To: MailScanner Discussion Subject: Re: Denial Of Service Attack Messages That doesn't look like a DoS message to me. It looks like an HTML tag disarm message. 
On Mon, Mar 14, 2016 at 6:48 AM, Andrew Southgate wrote:
> *Maximum Processing Attempts = 0*
> ...

From andy at z00b.com Mon Mar 14 12:10:45 2016
From: andy at z00b.com (Andrew Southgate)
Date: Mon, 14 Mar 2016 12:10:45 -0000
Subject: Denial Of Service Attack Messages
In-Reply-To: <00d601d17dea$1ad60d30$50822790$@com>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com> <07aa01d17939$977c5660$c6750320$@com> <56DECEC1.9070600@festa.bg> <6EE47AF64C339A4F8F7F50507241B3795F41CB7C@BTN-EXCHANGE-V1.fastnet.local> <008e01d17ddf$15aa8210$40ff8630$@com> <00d601d17dea$1ad60d30$50822790$@com>
Message-ID: <00fa01d17dea$90ac1130$b2043390$@com>

Well.. that's somewhat fitting... A second attempt at what I was trying to say:

But an HTML tag disarm shouldn't replace the contents of the email with "MailScanner was attacked by a Denial Of Service attack..." should it?

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Andrew Southgate
Sent: 14 March 2016 12:07
To: 'MailScanner Discussion'
Subject: RE: Denial Of Service Attack Messages

MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report.
Attack in: /var/spool/MailScanner/incoming/17065/176F782B1073.AABFC/nmsg-17065-12.html

From paul at trusted-management.com Mon Mar 14 15:17:39 2016
From: paul at trusted-management.com (Paul Overton)
Date: Mon, 14 Mar 2016 15:17:39 +0000
Subject: IPv6 and spam.whitelist.rules
Message-ID: <7D67B4FC52BF7A4B8FD454F8ECA9134A3A0C2F@TM-DC.tm.local>

Dear All,

I have recently updated our network to be fully IPv6/IPv4 dual stack operation. Whilst doing this I have updated our MailScanners (x5). Two of them had no issues; the other three failed as below.

For some time I have occasionally used a whitelist for a whole network, where (for example) I have used a netmask xxx.xxx.xxx.xxx/27, which appeared to work. However, when I updated our systems to use IPv6, MailScanner (Spam Detection) stopped working if email was received using IPv6. After some debugging it appeared that the reading of the whitelist, which is being passed by Mail::CIDR, was erroring with "Invalid Netblock:".

I have re-configured the spam.whitelist.rules file to remove all / notations and all is now working again.

My systems are based on Slackware Linux, Sendmail (8.15.1) and MailScanner 4.85.2-3. Perl modules up to date.

Is this expected behaviour, or is this unexpected behaviour, or have I interpreted the whitelist format incorrectly?

Regards

--
Paul

--
This message has been scanned for viruses and dangerous content by Trusted Management Limited, and is believed to be clean.
From jerry.benton at mailborder.com Mon Mar 14 15:44:28 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 14 Mar 2016 11:44:28 -0400
Subject: IPv6 and spam.whitelist.rules
In-Reply-To: <7D67B4FC52BF7A4B8FD454F8ECA9134A3A0C2F@TM-DC.tm.local>
References: <7D67B4FC52BF7A4B8FD454F8ECA9134A3A0C2F@TM-DC.tm.local>
Message-ID:

As far as I know MailScanner does not support CIDR blocks. You would have to use something like this:

192.168.1 to represent 192.168.1.0/24

-
Jerry Benton
www.mailborder.com

> On Mar 14, 2016, at 11:17 AM, Paul Overton wrote:
>
> Dear All,
> ...
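Added example, not MailScanner's own code: a small Python matcher for spam.whitelist.rules-style IP patterns that accepts the dotted-prefix form Jerry describes (192.168.1 standing for 192.168.1.0/24) as well as CIDR notation for both IPv4 and IPv6, and treats the address-family mismatch Paul reported on his dual-stack hosts (an IPv4 netblock checked against an IPv6 client) as a non-match rather than an error. The rule lines are constructed sample data, and the "From:" / "FromOrTo:" keys are only assumed to follow the layout of a MailScanner ruleset file.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the shape of a spam.whitelist.rules file (assumed
# layout: <direction> <pattern> <yes|no>). Patterns mix the dotted-prefix
# form (192.168.1 == 192.168.1.0/24), plain CIDR, a single host and an
# IPv6 prefix.
SAMPLE_RULES = """\
# comment lines and blank lines are ignored
From:     192.168.1        yes
From:     10.0.0.0/27      yes
From:     203.0.113.7      yes
From:     2001:db8:1::/48  yes
FromOrTo: default          no
"""


def parse_pattern(pattern: str) -> Optional[Network]:
    """Turn one rule pattern into a network, or None if it is not an IP pattern.

    Dotted prefixes: "192.168.1" (or "192.168.1.") -> 192.168.1.0/24,
    "10" -> 10.0.0.0/8. CIDR (v4 or v6) and single addresses are handed to
    ipaddress directly.
    """
    pattern = pattern.rstrip(".")
    if "/" in pattern or ":" in pattern:
        try:
            return ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return None
    octets = pattern.split(".")
    if not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    if len(octets) == 4:
        return ipaddress.ip_network(pattern)  # single host, /32
    if 1 <= len(octets) <= 3:
        prefix_len = 8 * len(octets)
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{prefix_len}")
    return None


def load_rules(text: str) -> List[Tuple[Network, bool]]:
    """Parse rule lines into (network, allowed) pairs, in file order."""
    rules: List[Tuple[Network, bool]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        _direction, pattern, value = parts
        net = parse_pattern(pattern)
        if net is None:  # "default" and non-IP patterns are out of scope here
            continue
        rules.append((net, value.lower() == "yes"))
    return rules


def is_whitelisted(client_ip: str, rules: List[Tuple[Network, bool]]) -> bool:
    """First matching rule wins. A v4 rule never matches a v6 client (and
    vice versa): the family mismatch is skipped, not raised as an error."""
    addr = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        if net.version != addr.version:
            continue
        if addr in net:
            return allowed
    return False
```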
From paul at trusted-management.com Mon Mar 14 16:56:11 2016
From: paul at trusted-management.com (Paul Overton)
Date: Mon, 14 Mar 2016 16:56:11 +0000
Subject: IPv6 and spam.whitelist.rules
In-Reply-To:
References: <7D67B4FC52BF7A4B8FD454F8ECA9134A3A0C2F@TM-DC.tm.local>
Message-ID: <7D67B4FC52BF7A4B8FD454F8ECA9134A3A0E6E@TM-DC.tm.local>

Just gone back over a few months of operation: the CIDR blocks in spam.whitelist.rules did work fine until I added IPv6 into the equation. The error I was getting appeared to be the attempt to compare the addresses in the whitelist with the server's own address (line 533 of Config.pm), where Net::CIDR ended up comparing an IPv4 block with a single IPv6 address. Naturally it did not work.

I have changed the format of my whitelist file to use the format you indicated below and all is well. However, the format is very limiting in terms of managing whitelists.

Thanks anyway.

Paul

From: MailScanner [mailto:mailscanner-bounces+paul=trusted-management.com at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 14 March 2016 15:44
To: MailScanner Discussion
Subject: Re: IPv6 and spam.whitelist.rules

> As far as I know MailScanner does not support CIDR blocks. You would have to use something like this:
>
> 192.168.1 to represent 192.168.1.0/24
> ...

From pparsons at techeez.com Wed Mar 16 19:57:09 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 16 Mar 2016 19:57:09 +0000
Subject: Errors filling up /var/log/messages
Message-ID: <11D8E491D9562549A61FD3186F363420027CFF5B26@exchange.techeez.com>

I have the following errors filling up my messages log file:

[LibClamAV] mpool_malloc(): Attempt to allocate 8388608 bytes

I am pretty certain it is related to freshclam processes but cannot find a reason why?

I know it is not the clamav list, which I have just joined, but hoping someone might have a fix..

Thank you.
Philip Parsons
IT Specialist
Techeez IT Consulting
250-818-2879
Skype ID: techeez
www.techeez.com "Making IT easy"

IMPORTANT NOTICE
This e-mail is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying and distribution or reliance on any of it by anyone else is prohibited and may be a criminal offence.
Please delete if obtained in error and e-mail confirmation to the sender.

From jerry.benton at mailborder.com Wed Mar 16 20:00:56 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 16 Mar 2016 16:00:56 -0400
Subject: Errors filling up /var/log/messages
In-Reply-To: <11D8E491D9562549A61FD3186F363420027CFF5B26@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420027CFF5B26@exchange.techeez.com>
Message-ID: <99E1393A-7EAE-4181-861A-777C2BFBA69A@mailborder.com>

Check your settings to make sure MailScanner is writing your PID to a directory that exists. (/var/run/MailScanner.pid is best to use.) If the PID cannot be created because you are using something like /var/run/MailScanner/MailScanner.pid, then the cron that checks MailScanner will start a new instance every hour. Pretty soon you are running a ton of MailScanner processes and run out of memory, and then ClamAV cannot start or have memory to operate if it is started.

-
Jerry Benton
www.mailborder.com

> On Mar 16, 2016, at 3:57 PM, Philip Parsons wrote:
>
> I have the following errors filling up my messages log file
> ...

From pparsons at techeez.com Wed Mar 16 20:08:47 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 16 Mar 2016 20:08:47 +0000
Subject: Errors filling up /var/log/messages
In-Reply-To: <99E1393A-7EAE-4181-861A-777C2BFBA69A@mailborder.com>
References: <11D8E491D9562549A61FD3186F363420027CFF5B26@exchange.techeez.com> <99E1393A-7EAE-4181-861A-777C2BFBA69A@mailborder.com>
Message-ID: <11D8E491D9562549A61FD3186F363420027CFF5C3F@exchange.techeez.com>

I have never changed that location and I have confirmed it is showing at that location as well:

[root at mailscanner log]# ls -la /var/run/MailScanner.pid
-rw------- 1 root root 6 Mar 15 09:29 /var/run/MailScanner.pid

From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: Wednesday, March 16, 2016 1:01 PM
To: MailScanner Discussion
Subject: Re: Errors filling up /var/log/messages

> Check your settings to make sure MailScanner is writing your PID to a directory that exists.
> ...

From iversons at rushville.k12.in.us Wed Mar 16 21:36:18 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 16 Mar 2016 17:36:18 -0400
Subject: Errors filling up /var/log/messages
In-Reply-To: <11D8E491D9562549A61FD3186F363420027CFF5B26@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420027CFF5B26@exchange.techeez.com>
Message-ID:

How much memory do you have left?

On Wed, Mar 16, 2016 at 3:57 PM, Philip Parsons wrote:
> I have the following errors filling up my messages log file
> ...

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From pparsons at techeez.com Wed Mar 16 23:20:43 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Wed, 16 Mar 2016 23:20:43 +0000
Subject: Errors filling up /var/log/messages
In-Reply-To:
References: <11D8E491D9562549A61FD3186F363420027CFF5B26@exchange.techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F363420027CFF6888@exchange.techeez.com>

512 megs plus swap

From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: Wednesday, March 16, 2016 2:36 PM
To: MailScanner Discussion
Subject: Re: Errors filling up /var/log/messages

> How much memory do you have left?
> ...

From it at festa.bg Thu Mar 17 08:41:17 2016
From: it at festa.bg (Valentin Laskov)
Date: Thu, 17 Mar 2016 10:41:17 +0200
Subject: Errors filling up /var/log/messages
In-Reply-To: <11D8E491D9562549A61FD3186F363420027CFF6888@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420027CFF5B26@exchange.techeez.com> <11D8E491D9562549A61FD3186F363420027CFF6888@exchange.techeez.com>
Message-ID: <56EA6DAD.5040606@festa.bg>

I had such a machine one year before. I had to change it because of a lack of memory, especially while clamd reloads its signatures.

On 17.03.2016 at 01:20, Philip Parsons wrote:
>
> 512 megs plus swap
> ...

From mailscanner at replies.cyways.com Thu Mar 17 13:47:23 2016
From: mailscanner at replies.cyways.com (Peter Lemieux)
Date: Thu, 17 Mar 2016 09:47:23 -0400
Subject: Maximum Processing Attempts
In-Reply-To: <008e01d17ddf$15aa8210$40ff8630$@com>
References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com> <07aa01d17939$977c5660$c6750320$@com> <56DECEC1.9070600@festa.bg> <6EE47AF64C339A4F8F7F50507241B3795F41CB7C@BTN-EXCHANGE-V1.fastnet.local> <008e01d17ddf$15aa8210$40ff8630$@com>
Message-ID: <56EAB56B.4050306@replies.cyways.com>

Can someone elaborate on the implications of changing this setting? We've gotten a couple of complex malware messages that apparently crash the scanner.
We had this set to 6 (I don't know what the default is), so the message would be rescanned and crash the scanner again. Meanwhile throughput came to a halt. If I set this to zero, what happens to the malformed message? Does it get delivered to the recipient (bad idea in this case)? Thrown away? Quarantined? The MailScanner.conf file doesn't address these questions. Peter On 03/14/2016 06:48 AM, Andrew Southgate wrote: > *Maximum Processing Attempts = 0* From jerry.benton at mailborder.com Thu Mar 17 19:24:03 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Thu, 17 Mar 2016 15:24:03 -0400 Subject: Maximum Processing Attempts In-Reply-To: <56EAB56B.4050306@replies.cyways.com> References: <56DDAB6C.9010109@mjnservices.com> <56DDB8B2.50201@mjnservices.com> <9FBF78DB-5A2D-4C0B-9D66-3964C2923C1E@mailborder.com> <074b01d17931$55a65ea0$00f31be0$@com> <07aa01d17939$977c5660$c6750320$@com> <56DECEC1.9070600@festa.bg> <6EE47AF64C339A4F8F7F50507241B3795F41CB7C@BTN-EXCHANGE-V1.fastnet.local> <008e01d17ddf$15aa8210$40ff8630$@com> <56EAB56B.4050306@replies.cyways.com> Message-ID: <481C1E2B-759E-44E2-9F67-A70EA95CE301@mailborder.com> It gets quarantined. - Jerry Benton www.mailborder.com > On Mar 17, 2016, at 9:47 AM, Peter Lemieux wrote: > > Can someone elaborate on the implications of changing this setting? We've gotten a couple of complex malware messages that apparently crash the scanner. We had this set to 6 (I don't know what the default is), so the message would be rescanned and crash the scanner again. Meanwhile throughput came to a halt. > > If I set this to zero, what happens to the malformed message? Does it get delivered to the recipient (bad idea in this case)? Thrown away? Quarantined? The MailScanner.conf file doesn't address these questions. 
> > Peter > > > On 03/14/2016 06:48 AM, Andrew Southgate wrote: >> *Maximum Processing Attempts = 0* > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From it at festa.bg Wed Mar 23 13:30:16 2016 From: it at festa.bg (Valentin Laskov) Date: Wed, 23 Mar 2016 15:30:16 +0200 Subject: SpamAssassin classifies MailScanner reports like SPAM Message-ID: <56F29A68.6090800@festa.bg> Hi, This is a bug report (likely). SpamAssassin classifies MailScanner report messages like SPAM: 0.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII but isn't 1.1 SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal characters 2.0 DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header 0.1 SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify the encoding Subject and body are UTF-8. Regards! Valentin Laskov From alex at vidadigital.com.pa Wed Mar 23 14:04:48 2016 From: alex at vidadigital.com.pa (Alex Neuman) Date: Wed, 23 Mar 2016 09:04:48 -0500 Subject: SpamAssassin classifies MailScanner reports like SPAM In-Reply-To: <56F29A68.6090800@festa.bg> References: <56F29A68.6090800@festa.bg> Message-ID: No. It's a feature. Turn off scanning from the host itself or the report address + localhost if you want to be thorough. On Mar 23, 2016 8:30 AM, "Valentin Laskov" wrote: > Hi, > > This is a bug report (likely). > > SpamAssassin classifies MailScanner report messages like SPAM: > > > 0.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII but > isn't > 1.1 SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal characters > 2.0 DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header > 0.1 SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify the > encoding > > > Subject and body are UTF-8. > > > Regards! 
> Valentin Laskov > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From john at tradoc.fr Wed Mar 23 14:40:50 2016 From: john at tradoc.fr (John Wilcock) Date: Wed, 23 Mar 2016 15:40:50 +0100 Subject: SpamAssassin classifies MailScanner reports like SPAM In-Reply-To: References: <56F29A68.6090800@festa.bg> Message-ID: I beg to differ. If MailScanner reports are not RFC-compliant with regard to non-ASCII characters (which is what these SpamAssassin rules are effectively testing), then that's a bug in MailScanner. That said, I agree entirely with your recommendation to turn off scanning for MailScanner-generated messages. -- John On 23/03/2016 at 15:04, Alex Neuman wrote: > > No. It's a feature. Turn off scanning from the host itself or the > report address + localhost if you want to be thorough. > > On Mar 23, 2016 8:30 AM, "Valentin Laskov" > wrote: > > Hi, > > This is a bug report (likely). > > SpamAssassin classifies MailScanner report messages like SPAM: > > > 0.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be > ASCII but > isn't > 1.1 SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal > characters > 2.0 DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header > 0.1 SUBJECT_NEEDS_ENCODING Subject is encoded but does not > specify the > encoding > > > Subject and body are UTF-8. > > > Regards! > Valentin Laskov > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/listinfo/mailscanner > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From alex at vidadigital.com.pa Wed Mar 23 15:10:18 2016 From: alex at vidadigital.com.pa (Alex Neuman van der Hans) Date: Wed, 23 Mar 2016 10:10:18 -0500 Subject: SpamAssassin classifies MailScanner reports like SPAM In-Reply-To: References: <56F29A68.6090800@festa.bg> Message-ID: <25373F83-3E47-4D7A-9063-731BC442B71E@vidadigital.com.pa> I beg to rediffer. There's a limit to what MailScanner should "sanitize". The less it touches the original message, and the more of it gets delivered, "warts and all", the better - some might think. > On Mar 23, 2016, at 9:40 AM, John Wilcock wrote: > > I beg to differ. -------------- next part -------------- An HTML attachment was scrubbed... URL: From it at festa.bg Wed Mar 23 15:18:48 2016 From: it at festa.bg (Valentin Laskov) Date: Wed, 23 Mar 2016 17:18:48 +0200 Subject: SpamAssassin classifies MailScanner reports like SPAM In-Reply-To: References: <56F29A68.6090800@festa.bg> Message-ID: <56F2B3D8.2020401@festa.bg> Well, then we must forget about this feature: (MailScanner.conf) # What character set do you want to use for the attachment that # replaces viruses (VirusWarning.txt)? # The default is ISO-8859-1 as even Americans have to talk to the # rest of the world occasionally :-) # This can also be the filename of a ruleset. Attachment Encoding Charset = UTF-8 On 23.03.2016 at 16:04, Alex Neuman wrote: > > No. It's a feature. Turn off scanning from the host itself or the > report address + localhost if you want to be thorough. > > On Mar 23, 2016 8:30 AM, "Valentin Laskov" > wrote: > > Hi, > > This is a bug report (likely). 
> > SpamAssassin classifies MailScanner reports like SPAM: > > > 0.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be > ASCII but > isn't > 1.1 SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal > characters > 2.0 DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header > 0.1 SUBJECT_NEEDS_ENCODING Subject is encoded but does not > specify the > encoding > > > Subject and body are UTF-8. > > > Regards! > Valentin Laskov > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/listinfo/mailscanner > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From john at tradoc.fr Wed Mar 23 15:32:17 2016 From: john at tradoc.fr (John Wilcock) Date: Wed, 23 Mar 2016 16:32:17 +0100 Subject: SpamAssassin classifies MailScanner reports like SPAM In-Reply-To: <25373F83-3E47-4D7A-9063-731BC442B71E@vidadigital.com.pa> References: <56F29A68.6090800@festa.bg> <25373F83-3E47-4D7A-9063-731BC442B71E@vidadigital.com.pa> Message-ID: <7600ed53-15d1-2cfa-8e5d-3f876ae03a9a@tradoc.fr> I get the impression we're talking at cross purposes here. I entirely agree that MailScanner should make minimal changes to *original messages*. But the OP was talking about MailScanner *reports*, which should definitely, IMHO, be properly formed (i.e. RFC-compliant) even if the original message wasn't. -- John On 23/03/2016 at 16:10, Alex Neuman van der Hans wrote: > I beg to rediffer. There's a limit to what MailScanner should > "sanitize". The less it touches the original message, and the more of > it gets delivered, "warts and all", the better - some might think. > >> On Mar 23, 2016, at 9:40 AM, John Wilcock wrote: >> >> I beg to differ. > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
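An added example, not code from MailScanner, SpamAssassin or anyone in this thread: a small checker for the header and MIME defects that the SpamAssassin rules quoted at the top of the thread react to (raw 8-bit bytes in Subject, Return-Path <> with no MIME-Version, a text/plain part with no charset but an 8-bit body). The rule names are reused only as labels; the checks are approximations of what those rules test, not SpamAssassin's code. The defective sample report and the addresses are constructed, and the compliant version shows what Python's email library emits when the same Bulgarian UTF-8 content is built properly: an RFC 2047 encoded-word Subject, a MIME-Version header and a charset on Content-Type.

```python
# Added example (not MailScanner or SpamAssassin code): flag the RFC 5322/2045/2047
# defects in a generated report that the rules quoted in this thread react to.
import re
from email.message import EmailMessage
from email.policy import SMTP

EIGHT_BIT = re.compile(rb"[\x80-\xff]")


def _split(raw: bytes):
    """Return (header block, body) of a raw message, accepting CRLF or LF."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    return head, body


def _headers(head: bytes) -> dict:
    """Unfold continuation lines and map lower-cased header name to raw value.
    Only the first occurrence of each header is kept, which is enough here."""
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", head)
    out = {}
    for line in unfolded.splitlines():
        name, colon, value = line.partition(b":")
        if colon:
            out.setdefault(name.strip().lower(), value.strip())
    return out


def report_defects(raw: bytes) -> list:
    """Names (borrowed from the SpamAssassin rules in the thread) of the defects
    found in a raw message; an empty list means it looks well-formed."""
    head, body = _split(raw)
    h = _headers(head)
    found = []
    if EIGHT_BIT.search(h.get(b"subject", b"")):
        # Header fields are 7-bit; non-ASCII text belongs in RFC 2047 encoded-words
        found += ["SUBJ_ILLEGAL_CHARS", "SUBJECT_NEEDS_ENCODING"]
    if h.get(b"return-path") == b"<>" and b"mime-version" not in h:
        found.append("DSN_NO_MIMEVERSION")
    ctype = h.get(b"content-type", b"text/plain").lower()  # RFC 2045 default
    if ctype.startswith(b"text/plain"):
        m = re.search(rb'charset="?([\w-]+)"?', ctype)
        charset = m.group(1) if m else b"us-ascii"           # RFC 2046 default
        if charset == b"us-ascii" and EIGHT_BIT.search(body):
            found.append("PP_MIME_FAKE_ASCII_TEXT")
    return found


# Constructed stand-in for the defective report: raw UTF-8 in Subject and body,
# no MIME-Version, no Content-Type, and the null sender as Return-Path.
BAD_REPORT = (
    "Return-Path: <>\n"
    "From: postmaster@example.org\n"
    "To: user@example.org\n"
    "Subject: Внимание: опасен прикачен файл\n"
    "\n"
    "Прикаченият файл беше премахнат.\n"
).encode("utf-8")


def build_compliant_report(subject: str, text: str, sender: str, rcpt: str) -> bytes:
    """The same report built the RFC-compliant way: EmailMessage adds MIME-Version,
    puts a charset on Content-Type and RFC 2047-encodes the non-ASCII Subject."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = subject
    msg.set_content(text, charset="utf-8")
    return msg.as_bytes(policy=SMTP)


if __name__ == "__main__":
    print("defective report:", report_defects(BAD_REPORT))
    good = build_compliant_report("Внимание: опасен прикачен файл",
                                  "Прикаченият файл беше премахнат.",
                                  "postmaster@example.org", "user@example.org")
    print(good.decode("utf-8", "replace"))
    print("compliant report:", report_defects(good))
```

Run it against a report pulled from the quarantine or from a test mailbox (`report_defects(open(path, "rb").read())`) to see which of the four conditions the report actually trips; the compliant builder is the shape a generated report needs to have regardless of how malformed the original message was.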
URL: From alex at vidadigital.com.pa Wed Mar 23 15:35:44 2016 From: alex at vidadigital.com.pa (Alex Neuman van der Hans) Date: Wed, 23 Mar 2016 10:35:44 -0500 Subject: SpamAssassin classifies MailScanner reports like SPAM In-Reply-To: <7600ed53-15d1-2cfa-8e5d-3f876ae03a9a@tradoc.fr> References: <56F29A68.6090800@festa.bg> <25373F83-3E47-4D7A-9063-731BC442B71E@vidadigital.com.pa> <7600ed53-15d1-2cfa-8e5d-3f876ae03a9a@tradoc.fr> Message-ID: <832FF075-B1A3-48E0-A784-5DAB56F23620@vidadigital.com.pa> Good point. > On Mar 23, 2016, at 10:32 AM, John Wilcock wrote: > > But the OP was talking about MailScanner *reports*, which should definitely, IMHO, be properly formed (i.e. RFC-compliant) even if the original message wasn't. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Thu Mar 24 00:24:00 2016 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 23 Mar 2016 17:24:00 -0700 Subject: SpamAssassin classifies MailScanner reports like SPAM In-Reply-To: <56F2B3D8.2020401@festa.bg> References: <56F29A68.6090800@festa.bg> <56F2B3D8.2020401@festa.bg> Message-ID: <56F333A0.3050605@msapiro.net> On 03/23/2016 08:18 AM, Valentin Laskov wrote: > Well, then we must forget about this feature: > > (MailScanner.conf) > # What character set do you want to use for the attachment that > # replaces viruses (VirusWarning.txt)? > # The default is ISO-8859-1 as even Americans have to talk to the > # rest of the world occasionally :-) > # This can also be the filename of a ruleset. > Attachment Encoding Charset = UTF-8 I don't think so. I would need to see the original warning from MailScanner to say much definitively, but I'm guessing that what causes the complaint in this case is some piece of the original message which is included in the MailScanner report. The setting you refer to is only for the character set of the specific VirusWarning.txt part. What language is this in? 
What is your setting for %report-dir% in your MailScanner.conf, and if it doesn't point to reports/en, in what character set are the files in that directory encoded? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From it at festa.bg Thu Mar 24 07:56:47 2016 From: it at festa.bg (Valentin Laskov) Date: Thu, 24 Mar 2016 09:56:47 +0200 Subject: SpamAssassin classifies MailScanner reports like SPAM In-Reply-To: <56F333A0.3050605@msapiro.net> References: <56F29A68.6090800@festa.bg> <56F2B3D8.2020401@festa.bg> <56F333A0.3050605@msapiro.net> Message-ID: <56F39DBF.4050004@festa.bg> Thank you Mark! %report-dir% = /opt/MailScanner/etc/reports/bg+en These are Bulgarian reports in UTF-8 You can see them here: https://sites.google.com/site/ne6tata8na8laskov/home/mailscanner-bg-en-reports On 24.03.2016 at 02:24, Mark Sapiro wrote: > On 03/23/2016 08:18 AM, Valentin Laskov wrote: >> Well, then we must forget about this feature: >> >> (MailScanner.conf) >> # What character set do you want to use for the attachment that >> # replaces viruses (VirusWarning.txt)? >> # The default is ISO-8859-1 as even Americans have to talk to the >> # rest of the world occasionally :-) >> # This can also be the filename of a ruleset. >> Attachment Encoding Charset = UTF-8 > > I don't think so. I would need to see the original warning from > MailScanner to say much definitively, but I'm guessing that what causes > the complaint in this case is some piece of the original message which > is included in the MailScanner report. > > The setting you refer to is only for the character set of the specific > VirusWarning.txt part. What language is this in? What is your setting > for %report-dir% in your MailScanner.conf, and if it doesn't point to > reports/en, in what character set are the files in that directory encoded? > Regards! 
Valentin Laskov From mark at msapiro.net Thu Mar 24 20:18:23 2016 From: mark at msapiro.net (Mark Sapiro) Date: Thu, 24 Mar 2016 13:18:23 -0700 Subject: SpamAssassin classifies MailScanner reports like SPAM In-Reply-To: <56F39DBF.4050004@festa.bg> References: <56F29A68.6090800@festa.bg> <56F2B3D8.2020401@festa.bg> <56F333A0.3050605@msapiro.net> <56F39DBF.4050004@festa.bg> Message-ID: <56F44B8F.5030305@msapiro.net> On 03/24/2016 12:56 AM, Valentin Laskov wrote: > Thank you Mark! > > %report-dir% = /opt/MailScanner/etc/reports/bg+en > > These are Bulgarian reports in UTF-8 To say anything more about this issue, I'd need to see one of the report emails from MailScanner that hits those spamassassin rules. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Fri Mar 25 22:06:34 2016 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 25 Mar 2016 15:06:34 -0700 Subject: SpamAssassin classifies MailScanner reports like SPAM In-Reply-To: <56F4EF0D.7030908@festa.bg> References: <56F29A68.6090800@festa.bg> <56F2B3D8.2020401@festa.bg> <56F333A0.3050605@msapiro.net> <56F39DBF.4050004@festa.bg> <56F44B8F.5030305@msapiro.net> <56F4EF0D.7030908@festa.bg> Message-ID: <56F5B66A.1050302@msapiro.net> On 03/25/2016 12:55 AM, Valentin Laskov wrote: > Hi Mark, > > This email is sent out off the list. Report is attached. Copying my reply back to the list. I am hampered by my inability to read Bulgarian, but here's what I see. The entire message is a spam report about a message. The spam report has two parts. The first is the added spam report which is properly declared as charset="UTF-8" The second part is the message which is the subject of the spam report. That message in turn appears to be another MailScanner report about an attached JScript Script and I agree that it has multiple defects such as an unencoded Subject: header and no MIME-Version: or Content-Type: headers. 
I think this is the case because the original message probably had these same defects and MailScanner just replaced the payload of the original message with its report. This does seem to be a MailScanner bug. I'll try to investigate further. Thanks for the report. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From it at festa.bg Mon Mar 28 12:28:52 2016 From: it at festa.bg (Valentin Laskov) Date: Mon, 28 Mar 2016 15:28:52 +0300 Subject: Filename and filetype rules Message-ID: <56F92384.4000202@festa.bg> Hi all, Please tell me how to configure MailScanner to not send reports and notifications for some denied type files ( .js for example). In my configuration these files (.js) are denied and quarantined (by default in MailScanner). The recipient receives the initial message with file removed and postmaster receives notification about Bad filename detected. In default MailScanner config the sender receives notification too. 1. Can I configure MailScanner to not send notifications for some file types ? 2. Can I configure MailScanner to delete the entire letter if it contains .js file attached? Regards! Valentin Laskov From jerry.benton at mailborder.com Mon Mar 28 12:31:42 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 28 Mar 2016 08:31:42 -0400 Subject: Filename and filetype rules In-Reply-To: <56F92384.4000202@festa.bg> References: <56F92384.4000202@festa.bg> Message-ID: <9A2E17BA-0EFE-4D9F-B3BE-05E0476D824B@mailborder.com> https://www.mailscanner.info/MailScanner.conf.index.html#Notify Senders - Jerry Benton www.mailborder.com > On Mar 28, 2016, at 8:28 AM, Valentin Laskov wrote: > > Hi all, > > Please tell me how to configure MailScanner to not send reports and notifications for some denied type files ( .js for example). > > In my configuration these files (.js) are denied and quarantined (by default in MailScanner). 
The recipient receives the initial message with file removed and postmaster receives notification about Bad filename detected. In default MailScanner config the sender receives notification too. > > 1. Can I configure MailScanner to not send notifications for some file types ? > 2. Can I configure MailScanner to delete the entire letter if it contains .js file attached? > > Regards! > Valentin Laskov > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From jerry.benton at mailborder.com Mon Mar 28 12:32:17 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 28 Mar 2016 08:32:17 -0400 Subject: Filename and filetype rules In-Reply-To: <9A2E17BA-0EFE-4D9F-B3BE-05E0476D824B@mailborder.com> References: <56F92384.4000202@festa.bg> <9A2E17BA-0EFE-4D9F-B3BE-05E0476D824B@mailborder.com> Message-ID: First time link was broken. - Jerry Benton www.mailborder.com > On Mar 28, 2016, at 8:31 AM, Jerry Benton wrote: > > https://www.mailscanner.info/MailScanner.conf.index.html#Notify Senders > > > > - > Jerry Benton > www.mailborder.com > > > >> On Mar 28, 2016, at 8:28 AM, Valentin Laskov wrote: >> >> Hi all, >> >> Please tell me how to configure MailScanner to not send reports and notifications for some denied type files ( .js for example). >> >> In my configuration these files (.js) are denied and quarantined (by default in MailScanner). The recipient receives the initial message with file removed and postmaster receives notification about Bad filename detected. In default MailScanner config the sender receives notification too. >> >> 1. Can I configure MailScanner to not send notifications for some file types ? >> 2. Can I configure MailScanner to delete the entire letter if it contains .js file attached? >> >> Regards! 
>> Valentin Laskov >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> >
From it at festa.bg Mon Mar 28 13:07:35 2016 From: it at festa.bg (Valentin Laskov) Date: Mon, 28 Mar 2016 16:07:35 +0300 Subject: Filename and filetype rules In-Reply-To: References: <56F92384.4000202@festa.bg> <9A2E17BA-0EFE-4D9F-B3BE-05E0476D824B@mailborder.com> Message-ID: <56F92C97.5050106@festa.bg> OK, but this is policy for all denied filetypes/filenames. Can I change rule for .js (JavaScript) files only? On 28.03.2016 at 15:32, Jerry Benton wrote: > > > First time link was broken. > > - > Jerry Benton > www.mailborder.com > > > >> On Mar 28, 2016, at 8:31 AM, Jerry Benton wrote: >> >> https://www.mailscanner.info/MailScanner.conf.index.html#Notify Senders >> >> >> >> - >> Jerry Benton >> www.mailborder.com >> >> >> >>> On Mar 28, 2016, at 8:28 AM, Valentin Laskov wrote: >>> >>> Hi all, >>> >>> Please tell me how to configure MailScanner to not send reports and notifications for some denied type files ( .js for example). >>> >>> In my configuration these files (.js) are denied and quarantined (by default in MailScanner). The recipient receives the initial message with file removed and postmaster receives notification about Bad filename detected. In default MailScanner config the sender receives notification too. >>> >>> 1. Can I configure MailScanner to not send notifications for some file types ? >>> 2. Can I configure MailScanner to delete the entire letter if it contains .js file attached? >>> >>> Regards! >>> Valentin Laskov >>> >>> >>> >>> -- >>> MailScanner mailing list >>> mailscanner at lists.mailscanner.info >>> http://lists.mailscanner.info/listinfo/mailscanner >>> > >
From jerry.benton at mailborder.com Mon Mar 28 13:09:10 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 28 Mar 2016 09:09:10 -0400 Subject: Filename and filetype rules In-Reply-To: <56F92C97.5050106@festa.bg> References: <56F92384.4000202@festa.bg> <9A2E17BA-0EFE-4D9F-B3BE-05E0476D824B@mailborder.com> <56F92C97.5050106@festa.bg> Message-ID: Edit the file. - Jerry Benton www.mailborder.com > On Mar 28, 2016, at 9:07 AM, Valentin Laskov wrote: > > OK, but this is policy for all denied filetypes/filenames. Can I change rule for .js (JavaScript) files only? > > > On 28.03.2016 at 15:32, Jerry Benton wrote: >> >> >> First time link was broken. >> >> - >> Jerry Benton >> www.mailborder.com >> >> >> >>> On Mar 28, 2016, at 8:31 AM, Jerry Benton wrote: >>> >>> https://www.mailscanner.info/MailScanner.conf.index.html#Notify Senders >>> >>> >>> >>> - >>> Jerry Benton >>> www.mailborder.com >>> >>> >>> >>>> On Mar 28, 2016, at 8:28 AM, Valentin Laskov wrote: >>>> >>>> Hi all, >>>> >>>> Please tell me how to configure MailScanner to not send reports and notifications for some denied type files ( .js for example). >>>> >>>> In my configuration these files (.js) are denied and quarantined (by default in MailScanner). The recipient receives the initial message with file removed and postmaster receives notification about Bad filename detected. In default MailScanner config the sender receives notification too. >>>> >>>> 1. Can I configure MailScanner to not send notifications for some file types ? >>>> 2. Can I configure MailScanner to delete the entire letter if it contains .js file attached? >>>> >>>> Regards! >>>> Valentin Laskov >>>> >>>> >>>> >>>> -- >>>> MailScanner mailing list >>>> mailscanner at lists.mailscanner.info >>>> http://lists.mailscanner.info/listinfo/mailscanner >>>> >> >> > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner >
From it at festa.bg Tue Mar 29 13:25:45 2016 From: it at festa.bg (Valentin Laskov) Date: Tue, 29 Mar 2016 16:25:45 +0300 Subject: Filename and filetype rules In-Reply-To: References: <56F92384.4000202@festa.bg> <9A2E17BA-0EFE-4D9F-B3BE-05E0476D824B@mailborder.com> <56F92C97.5050106@festa.bg> Message-ID: <56FA8259.4080303@festa.bg> Hi Jerry, in filename.rules.conf (not filetype you mentioned) I changed deny to deny+delete in deny+delete \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email but there is no result: .js files still get quarantined, reports and notifications are still sent. I think there is no choice for me among allow/deny/deny+delete/rename/rename to replacement-text/email-addresses. I need deny+delete_entire_message+without_notifications :) Regards! Valentin Laskov On 28.03.2016 at 16:09, Jerry Benton wrote: > Edit the file. > > > > > - > Jerry Benton > www.mailborder.com > > > >> On Mar 28, 2016, at 9:07 AM, Valentin Laskov wrote: >> >> OK, but this is policy for all denied filetypes/filenames. Can I change rule for .js (JavaScript) files only? >> >> >> On 28.03.2016 at 15:32, Jerry Benton wrote: >>> >>> >>> First time link was broken. >>> >>> - >>> Jerry Benton >>> www.mailborder.com >>> >>> >>> >>>> >>>>> On Mar 28, 2016, at 8:28 AM, Valentin Laskov wrote: >>>>> >>>>> Hi all, >>>>> >>>>> Please tell me how to configure MailScanner to not send reports and notifications for some denied type files ( .js for example). >>>>> >>>>> In my configuration these files (.js) are denied and quarantined (by default in MailScanner). The recipient receives the initial message with file removed and postmaster receives notification about Bad filename detected. In default MailScanner config the sender receives notification too. >>>>> >>>>> 1. Can I configure MailScanner to not send notifications for some file types ? >>>>> 2. Can I configure MailScanner to delete the entire letter if it contains .js file attached? >>>>> >>>>> Regards! >>>>> Valentin Laskov >>>>> >>>>> >>>>> >>>>> -- >>>>> MailScanner mailing list >>>>> mailscanner at lists.mailscanner.info >>>>> http://lists.mailscanner.info/listinfo/mailscanner >>>>> >>> >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> > >
From ci at holmco.de Tue Mar 29 13:31:04 2016 From: ci at holmco.de (Ralf Cirksena) Date: Tue, 29 Mar 2016 15:31:04 +0200 Subject: [mailscanner] Re: Filename and filetype rules In-Reply-To: <56FA8259.4080303@festa.bg> References: <56F92384.4000202@festa.bg> <9A2E17BA-0EFE-4D9F-B3BE-05E0476D824B@mailborder.com> <56F92C97.5050106@festa.bg> <56FA8259.4080303@festa.bg> Message-ID: <20160329133104.GB27982@edv20.holmco.de> Hello Valentin, On Tue, Mar 29, 2016 at 04:25:45PM +0300 you wrote: > in filename.rules.conf (not filetype you mentioned) I changed deny > to deny+delete in > > deny+delete \.jse?$ Possible Microsoft JScript attack > JScript Scripts are dangerous in email > > but there is no result: .js files still get quarantined, reports > and notifications are still sent. I think there is no choice for me > among > allow/deny/deny+delete/rename/rename to replacement-text/email-addresses. > > I need deny+delete_entire_message+without_notifications :) Did you restart MailScanner? Greetings -- R. Cirksena
From markussen at media24.no Tue Mar 29 13:57:01 2016 From: markussen at media24.no (Trond M. Markussen) Date: Tue, 29 Mar 2016 15:57:01 +0200 Subject: Verify virus scanning Message-ID: <0a6001d189c2$df8d1180$9ea73480$@media24.no> Hi, How can we verify that virus scanning is working? According to MailWatch, there are only very few viruses found (looking at Today's Totals) and "Top virus" states "none". This seems strange given the high number of spam with various attachments, at least some of which have viruses and not just HTML attachments. Regards, Trond M. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Tue Mar 29 13:57:57 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Tue, 29 Mar 2016 09:57:57 -0400 Subject: Verify virus scanning In-Reply-To: <0a6001d189c2$df8d1180$9ea73480$@media24.no> References: <0a6001d189c2$df8d1180$9ea73480$@media24.no> Message-ID: <64445371-A857-4BD8-8A20-DB7E6B787218@mailborder.com> Yes, it works. - Jerry Benton www.mailborder.com > On Mar 29, 2016, at 9:57 AM, Trond M. Markussen wrote: > > Hi, > > How can we verify that virus scanning is working? > > According to MailWatch, there are only very few viruses found (looking at Today's Totals) and "Top virus" states "none". > > This seems strange given the high number of spam with various attachments, at least some of which have viruses and not just HTML attachments. > > Regards, > > Trond M. > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... 
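Picking up the filename.rules.conf question in the thread above, an added example that is not MailScanner's code: a small evaluator for rules in that file's layout (one rule per line, four tab-separated columns: action, regex, log text, report text), so a rule can be tried against attachment names offline before the live file is edited and MailScanner restarted. The quoted .js rule is the one from the thread; the other sample rules are constructed, and case-insensitive matching is an assumption flagged in the code. What MailScanner then does with the message for each action, and whether sender or postmaster notifications go out, is governed by MailScanner.conf settings such as the Notify Senders option Jerry linked, which this evaluator does not model.

```python
# Added example (not MailScanner code): evaluate filename.rules.conf-style rules
# against attachment names offline, to see which rule a given name would hit.
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str           # allow, deny, deny+delete, rename (as listed in the thread)
    pattern: re.Pattern   # matched against the attachment's filename
    log_text: str         # text for the log; "-" means none
    user_text: str        # text for the report; "-" means none


def parse_rules(text: str) -> list:
    """Parse rules laid out like filename.rules.conf: one rule per line, four
    tab-separated columns (action, regex, log text, report text), '#' comments.
    Assumption (not checked against MailScanner's source): the regex is matched
    case-insensitively, so 'INVOICE.JS' hits a rule written for '.js'."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"\t+", line.strip())]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated columns, got {len(fields)}")
        action, regex, log_text, user_text = fields
        rules.append(Rule(action.lower(), re.compile(regex, re.IGNORECASE), log_text, user_text))
    return rules


def classify(filename: str, rules: list) -> Optional[Rule]:
    """First matching rule wins, so order in the file is the policy: a rule that
    denies .js must come before any 'allow .*' catch-all to have any effect."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule
    return None


def evaluate(filenames: list, rules: list) -> dict:
    """Map each attachment name to the action of its first matching rule;
    names no rule matches are reported as 'no-rule'."""
    result = {}
    for name in filenames:
        rule = classify(name, rules)
        result[name] = rule.action if rule else "no-rule"
    return result


# Constructed sample in the same layout. The .js line is the one quoted in the
# thread; the executable, .vbs and catch-all lines are illustrative.
SAMPLE_RULES = "\n".join([
    "# action<TAB>regex<TAB>log text<TAB>user report text",
    "\t".join(["deny+delete", r"\.jse?$", "Possible Microsoft JScript attack",
               "JScript Scripts are dangerous in email"]),
    "\t".join(["deny", r"\.(exe|com|scr|pif)$", "Executable attachment",
               "Executable attachments are not allowed"]),
    "\t".join(["rename", r"\.vbs$", "Visual Basic script",
               "Visual Basic scripts are not allowed"]),
    "\t".join(["allow", r".*", "-", "-"]),
])


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name in ["invoice.js", "INVOICE.JSE", "notes.js.txt", "setup.exe", "macro.vbs", "a.pdf"]:
        rule = classify(name, rules)
        print(f"{name:14} -> {rule.action:12} {rule.log_text}")
```

Two things the run shows that are easy to get wrong in the real file: `notes.js.txt` is not caught by `\.jse?$` because the regex is anchored to the end of the name, and nothing after a matching line is consulted, so the catch-all `allow` at the bottom never overrides an earlier deny.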
URL: From it at festa.bg Tue Mar 29 14:00:08 2016 From: it at festa.bg (Valentin Laskov) Date: Tue, 29 Mar 2016 17:00:08 +0300 Subject: [mailscanner] Re: Filename and filetype rules In-Reply-To: <20160329133104.GB27982@edv20.holmco.de> References: <56F92384.4000202@festa.bg> <9A2E17BA-0EFE-4D9F-B3BE-05E0476D824B@mailborder.com> <56F92C97.5050106@festa.bg> <56FA8259.4080303@festa.bg> <20160329133104.GB27982@edv20.holmco.de> Message-ID: <56FA8A68.7090007@festa.bg> On 29.03.2016 at 16:31, Ralf Cirksena wrote: > Did you restart MailScanner? Yes. From mailscanner at replies.cyways.com Tue Mar 29 14:02:42 2016 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Tue, 29 Mar 2016 10:02:42 -0400 Subject: Verify virus scanning In-Reply-To: <0a6001d189c2$df8d1180$9ea73480$@media24.no> References: <0a6001d189c2$df8d1180$9ea73480$@media24.no> Message-ID: <56FA8B02.2020402@replies.cyways.com> Download a copy of the EICAR test file from here: http://www.eicar.org/86-0-Intended-use.html. Attach it to a message and send it to yourself. If scanning is working, the attachment will be identified as a virus, and notices will be sent depending on how you have configured MailScanner. Peter On 03/29/2016 09:57 AM, Trond M. Markussen wrote: > How can we verify that virus scanning is working? From jerry.benton at mailborder.com Tue Mar 29 14:05:37 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Tue, 29 Mar 2016 10:05:37 -0400 Subject: Verify virus scanning In-Reply-To: <56FA8B02.2020402@replies.cyways.com> References: <0a6001d189c2$df8d1180$9ea73480$@media24.no> <56FA8B02.2020402@replies.cyways.com> Message-ID: MailScanner --lint Also puts a copy of the eicar in a test message. - Jerry Benton www.mailborder.com > On Mar 29, 2016, at 10:02 AM, Peter Lemieux wrote: > > Download a copy of the EICAR test file from here: http://www.eicar.org/86-0-Intended-use.html. Attach it to a message and send it to yourself. 
If scanning is working, the attachment will be identified as a virus, and notices will be sent depending on how you have configured MailScanner. > > Peter > > > On 03/29/2016 09:57 AM, Trond M. Markussen wrote: >> How can we verify that virus scanning is working? > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From markussen at media24.no Tue Mar 29 14:28:43 2016 From: markussen at media24.no (Trond M. Markussen) Date: Tue, 29 Mar 2016 16:28:43 +0200 Subject: SV: Verify virus scanning In-Reply-To: References: <0a6001d189c2$df8d1180$9ea73480$@media24.no> <56FA8B02.2020402@replies.cyways.com> Message-ID: <0ab701d189c7$4cf49690$e6ddc3b0$@media24.no> Thanks, the EICAR file was indeed stopped. But it seems strange that so few viruses are detected.. how does one check which virus definition file/date is in use? Regards, Trond M. -----Original message----- From: MailScanner [mailto:mailscanner-bounces+markussen=media24.no at lists.mailscanner.info] On behalf of Jerry Benton Sent: 29 March 2016 16:06 To: MailScanner Discussion Subject: Re: Verify virus scanning MailScanner --lint Also puts a copy of the eicar in a test message. - Jerry Benton www.mailborder.com > On Mar 29, 2016, at 10:02 AM, Peter Lemieux wrote: > > Download a copy of the EICAR test file from here: http://www.eicar.org/86-0-Intended-use.html. Attach it to a message and send it to yourself. If scanning is working, the attachment will be identified as a virus, and notices will be sent depending on how you have configured MailScanner. > > Peter > > > On 03/29/2016 09:57 AM, Trond M. Markussen wrote: >> How can we verify that virus scanning is working? 
> > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner From jerry.benton at mailborder.com Tue Mar 29 14:30:54 2016 From: jerry.benton at mailborder.com (Jer Benton) Date: Tue, 29 Mar 2016 10:30:54 -0400 Subject: Verify virus scanning In-Reply-To: <0ab701d189c7$4cf49690$e6ddc3b0$@media24.no> References: <0a6001d189c2$df8d1180$9ea73480$@media24.no> <56FA8B02.2020402@replies.cyways.com> <0ab701d189c7$4cf49690$e6ddc3b0$@media24.no> Message-ID: Are you saying viruses are getting through? Or are you just concerned because you are not seeing any viruses? I mean, we can send you some viruses if you are longing for them. - Jerry Benton www.mailborder.com > On Mar 29, 2016, at 10:28 AM, Trond M. Markussen wrote: > > Thanks, the EICAR file was indeed stopped. But it seems strange that so few viruses are detected.. how does one check which virus definition file/date is in use? > > Regards, > > Trond M. > > -----Original message----- > From: MailScanner [mailto:mailscanner-bounces+markussen=media24.no at lists.mailscanner.info] On behalf of Jerry Benton > Sent: 29 March 2016 16:06 > To: MailScanner Discussion > Subject: Re: Verify virus scanning > > MailScanner --lint > > Also puts a copy of the eicar in a test message. > > - > Jerry Benton > www.mailborder.com > > > >> On Mar 29, 2016, at 10:02 AM, Peter Lemieux wrote: >> >> Download a copy of the EICAR test file from here: http://www.eicar.org/86-0-Intended-use.html. Attach it to a message and send it to yourself. If scanning is working, the attachment will be identified as a virus, and notices will be sent depending on how you have configured MailScanner. >> >> Peter >> >> >> On 03/29/2016 09:57 AM, Trond M. Markussen wrote: >>> How can we verify that virus scanning is working? 
>> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > From markussen at media24.no Tue Mar 29 14:34:25 2016 From: markussen at media24.no (Trond M. Markussen) Date: Tue, 29 Mar 2016 16:34:25 +0200 Subject: SV: Verify virus scanning In-Reply-To: References: <0a6001d189c2$df8d1180$9ea73480$@media24.no> <56FA8B02.2020402@replies.cyways.com> <0ab701d189c7$4cf49690$e6ddc3b0$@media24.no> Message-ID: <0abe01d189c8$188f6410$49ae2c30$@media24.no> Appreciate the offer, but no need to send any :) I am just concerned because the *very* low number of detected viruses seems unrealistic in comparison to the overall amount of mail, including high scoring spam with various suspicious attachments. But I understand these attachments most often don't technically contain viruses, but rather download malware via iframes etc.. Regards, Trond M. -----Opprinnelig melding----- Fra: MailScanner [mailto:mailscanner-bounces+markussen=media24.no at lists.mailscanner.info] P? vegne av Jerry Benton Sendt: 29. mars 2016 16:31 Til: MailScanner Discussion Emne: Re: Verify virus scanning Are you saying viruses are getting through? Or are you just concerned because you are not seeing any viruses? I mean, we can send you some viruses if you are longing for them. - Jerry Benton www.mailborder.com > On Mar 29, 2016, at 10:28 AM, Trond M. Markussen wrote: > > Thanks, the EICAR file was indeed stopped. But it seems strange that so few viruses are detected.. how does one check which virus definition file/date is in use? > > Regards, > > Trond M. 
> > -----Opprinnelig melding----- > Fra: MailScanner [mailto:mailscanner-bounces+markussen=media24.no at lists.mailscanner.info] P? vegne av Jerry Benton > Sendt: 29. mars 2016 16:06 > Til: MailScanner Discussion > Emne: Re: Verify virus scanning > > MailScanner ?lint > > Also puts a copy of the eicar in a test message. > > - > Jerry Benton > www.mailborder.com > > > >> On Mar 29, 2016, at 10:02 AM, Peter Lemieux wrote: >> >> Download a copy of the EICAR test file from here: http://www.eicar.org/86-0-Intended-use.html. Attach it to a message and send it to yourself. If scanning is working, the attachment will be identified as a virus, and notices will be sent depending on how you have configured MailScanner. >> >> Peter >> >> >> On 03/29/2016 09:57 AM, Trond M. Markussen wrote: >>> How can we verify that virus scanning is working? >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/listinfo/mailscanner >> > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/listinfo/mailscanner > -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/listinfo/mailscanner From steveb_clamav at sanesecurity.com Tue Mar 29 14:40:27 2016 From: steveb_clamav at sanesecurity.com (Steve Basford) Date: Tue, 29 Mar 2016 15:40:27 +0100 Subject: Verify virus scanning In-Reply-To: References: <0a6001d189c2$df8d1180$9ea73480$@media24.no> <56FA8B02.2020402@replies.cyways.com> <0ab701d189c7$4cf49690$e6ddc3b0$@media24.no> Message-ID: <212e6d2ec304b6509c91574862f1d1f3.squirrel@sirius.servers.eqx.misp.co.uk> On Tue, March 29, 2016 3:30 pm, Jerry Benton wrote: > I mean, we can send you some > viruses if you are longing for them. Yes please... sob... I've *only* seen 725 unique hashes / 1644 of .js in zips.... 
so far today... ;) ----------- SCAN SUMMARY ----------- Engine version: 0.99.1 Scanned directories: 0 Scanned files: 1644 Infected files: 1644 Cheers, Steve Web : sanesecurity.com Twitter: @sanesecurity From kevin.miller at juneau.org Tue Mar 29 17:04:25 2016 From: kevin.miller at juneau.org (Kevin Miller) Date: Tue, 29 Mar 2016 17:04:25 +0000 Subject: Verify virus scanning In-Reply-To: <0ab701d189c7$4cf49690$e6ddc3b0$@media24.no> References: <0a6001d189c2$df8d1180$9ea73480$@media24.no> <56FA8B02.2020402@replies.cyways.com> <0ab701d189c7$4cf49690$e6ddc3b0$@media24.no> Message-ID: The virus scanning is independent of MailScanner. You can check the virus definition version by using the normal tools provided by your anti-virus vendor. For instance, if you're using clamAV: root at mxt:/var/log# clamscan -V ClamAV 0.99/21477/Mon Mar 28 11:45:21 2016 You can also check your logs. To wit: #grep freshclam /var/log/syslog Mar 29 08:25:59 mxt freshclam[461]: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer) Mar 29 08:25:59 mxt freshclam[461]: daily.cld is up to date (version: 21477, sigs: 83904, f-level: 63, builder: jesler) Mar 29 08:25:59 mxt freshclam[461]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer) ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357 -----Original Message----- From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Trond M. Markussen Sent: Tuesday, March 29, 2016 6:29 AM To: 'MailScanner Discussion' Subject: SV: Verify virus scanning Thanks, the EICAR file was indeed stopped. But it seems strange that so few viruses are detected.. how does one check which virus definition file/date is in use? Regards, Trond M. 
From kevin.miller at juneau.org Tue Mar 29 23:36:33 2016
From: kevin.miller at juneau.org (Kevin Miller)
Date: Tue, 29 Mar 2016 23:36:33 +0000
Subject: RBLs
Message-ID: <4ebc689f5b4241b9801fafcc7b3abe9c@City-Exch-DB2.cbj.local>

Spamassassin now includes a number of RBLs by default. It seems they get queried regardless of whether I specify them in the "Spam Lists" configuration option. Does it matter whether or not they are included in "Spam Lists" to trigger the "Spam Lists To Be Spam" threshold? I.e., if they're in two spam lists, but the RBL lists aren't explicitly listed in MailScanner.conf, will the counter still increment and tag the email as definite spam even if it doesn't quite reach the normal spam score (5.0 in my case)?

Thanks...

...Kevin

--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

From mailscanner at replies.cyways.com Tue Mar 29 18:26:14 2016
From: mailscanner at replies.cyways.com (Peter Lemieux)
Date: Tue, 29 Mar 2016 14:26:14 -0400
Subject: SV: Verify virus scanning
In-Reply-To: <0abe01d189c8$188f6410$49ae2c30$@media24.no>
References: <0a6001d189c2$df8d1180$9ea73480$@media24.no> <56FA8B02.2020402@replies.cyways.com> <0ab701d189c7$4cf49690$e6ddc3b0$@media24.no> <0abe01d189c8$188f6410$49ae2c30$@media24.no>
Message-ID: <56FAC8C6.9050405@replies.cyways.com>

Traditional viruses don't show up very often on the systems I manage either.

Most of the messages we reject these days look like this:

Sender: wadas1960 at example.com
IP Address: 94.204.56.50
Recipient: wadas1960 at example.com
Subject: CCE29032016_00035.jpg
MessageID: u2TFJNRF025532
Quarantine: /var/spool/MailScanner/quarantine/20160329/u2TFJNRF025532
Report: MailScanner: JScript Scripts are dangerous in email (CYL9565832701.js)
Report: MailScanner: JScript Scripts are dangerous in email (CYL9565832701.js)

We block messages with embedded scripts via the filename/filetype rules. We also have clamd configured to quarantine messages containing Microsoft Office documents with embedded macros.

Peter

On 03/29/2016 10:34 AM, Trond M. Markussen wrote:
> I am just concerned because the *very* low number of detected viruses
> seems unrealistic in comparison to the overall amount of mail, including
> high scoring spam with various suspicious attachments. But I understand
> these attachments most often don't technically contain viruses, but
> rather download malware via iframes etc..

From info at ezwww.ch Wed Mar 30 09:27:05 2016
From: info at ezwww.ch (ezwww)
Date: Wed, 30 Mar 2016 11:27:05 +0200
Subject: new malware bypass MailScanner filename rules !
Message-ID: <56FB9BE9.6010105@ezwww.ch>

hi,

For two months I have been successfully blocking .js content in .zip attachments (with a filename rule).

Since last night, new JS malware (subject "Bill N-xxxx" or "recent bill") bypasses this rule!

Is it a problem with a malformed MIME header or body that allows it to pass MailScanner?

Two examples:

---------------------------------------------------------------------
Received: from 85.105.40.171.static.ttnet.com.tr (85.105.40.171.static.ttnet.com.tr [85.105.40.171] (may be forged))
....
From: Rueben Fletcher
Content-Type: multipart/mixed; boundary="Apple-Mail=_31ABD19B-909E-3C06-CDC8-B14649A4772C"
X-Smtp-Server: 076E5E4B-6F12-237D-20F1-7849FBD4C6C5
Subject: recent bill
Message-Id: <6DDE5CD3-4656-843B-EAFC-9C302B4F5339....>
X-Universally-Unique-Identifier: 072FB36F-AF92-218E-6949-5E387A758EF4
Date: Wed, 30 Mar 2016 12:12:08 +0300
To: xxxxx
Mime-Version: 1.0 (Mac OS X Mail 9.3 (3124))

--Apple-Mail=_31ABD19B-909E-3C06-CDC8-B14649A4772C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8

Dear xxxx,

Please see attached file regarding clients recent bill. Should you need =
further assistances lease feel free to email me.

Best regards
Rueben Fletcher
Head of Maintenance

--Apple-Mail=_31ABD19B-909E-3C06-CDC8-B14649A4772C
Content-Disposition: inline; filename="xxxxx_document_003F11.zip"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;
	name="xxxxx_document_003F11.zip"
Content-Transfer-Encoding: base64

.....
--Apple-Mail=_31ABD19B-909E-3C06-CDC8-B14649A4772C--
---------------------------------------------------------------------
Received: from dsl-189-244-210-183-dyn.prod-infinitum.com.mx (dsl-187-156-82-128-dyn.prod-infinitum.com.mx [187.156.82.128] (may be forged))
...
From: Frances Camacho
Content-Type: multipart/mixed; boundary="Apple-Mail=_4E9A492D-B205-2586-D525-1CB0B2AC2799"
X-Smtp-Server: 616C7611-9CEC-92CA-D751-C8A44FF50C5F
Subject: Bill N-2EC51C
Message-Id: <59C028F2-B1C8-60FE-D87A-DEAF3ECAA103....>
X-Universally-Unique-Identifier: 13825021-3DDE-FCF8-6985-BF5841859B69
Date: Tue, 29 Mar 2016 19:11:48 -0500
To: xxxx
Mime-Version: 1.0 (Mac OS X Mail 9.3 (3124))

--Apple-Mail=_4E9A492D-B205-2586-D525-1CB0B2AC2799
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8

Dear xxxx,

Please check the bill in attachment. In order to avoid fine you have to pay in 48 hours.

Best regards
Frances Camacho
Sales Director

--Apple-Mail=_4E9A492D-B205-2586-D525-1CB0B2AC2799
Content-Disposition: inline; filename="28F59_xxxxx_2EC51C.zip"
Content-Type: application/zip; x-unix-mode=0600;
	name="28F59_xxxx_2EC51C.zip"
Content-Transfer-Encoding: base64

....
--Apple-Mail=_4E9A492D-B205-2586-D525-1CB0B2AC2799--
---------------------------------------------------------------------

The antivirus detects the javascript file in the attachment. Sophos:

>>> Virus 'Mal/JSDldr-B' found in file ./28F59_xxxx_2EC51C.zip/scan/f385230/e5ab2a96.js

Thanks for your help.

ezwww

From andrew at topdog.za.net Wed Mar 30 12:42:20 2016
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Wed, 30 Mar 2016 14:42:20 +0200
Subject: new malware bypass MailScanner filename rules !
In-Reply-To: <56FB9BE9.6010105@ezwww.ch>
References: <56FB9BE9.6010105@ezwww.ch>
Message-ID:

On 30 Mar 2016, at 11:27 AM, ezwww wrote:
> Is it a problem with a malformed MIME header or body that allows it to pass MailScanner?

Would you be able to pastebin the full message with the necessary redactions done?

From steveb_clamav at sanesecurity.com Wed Mar 30 12:57:20 2016
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Wed, 30 Mar 2016 13:57:20 +0100
Subject: new malware bypass MailScanner filename rules !
In-Reply-To: <56FB9BE9.6010105@ezwww.ch>
References: <56FB9BE9.6010105@ezwww.ch>
Message-ID: <42d63206b82c056244d1743f937e841c.squirrel@sirius.servers.eqx.misp.co.uk>

On Wed, March 30, 2016 10:27 am, ezwww wrote:
> hi,
>
> For two months I have been successfully blocking .js content in .zip
> attachments (with a filename rule).
>
> Since last night, new JS malware (subject "Bill N-xxxx" or "recent bill")
> bypasses this rule!

Hi,

This isn't a zip file at all... it's actually a RAR file...
Content-Disposition: inline; filename="gaoj_pdf_8C607B.zip"
Content-Type: application/x-rar-compressed; x-unix-mode=0600;

I.e., note the x-rar-compressed bit and the .zip name

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity

From mark at msapiro.net Wed Mar 30 14:24:59 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 30 Mar 2016 07:24:59 -0700
Subject: new malware bypass MailScanner filename rules !
In-Reply-To: <56FB9BE9.6010105@ezwww.ch>
References: <56FB9BE9.6010105@ezwww.ch>
Message-ID: <56FBE1BB.2090307@msapiro.net>

On 3/30/16 2:27 AM, ezwww wrote:
>
> Is it a problem with a malformed MIME header or body that allows it to pass
> MailScanner?
>
>
> --Apple-Mail=_31ABD19B-909E-3C06-CDC8-B14649A4772C
> Content-Disposition: inline; filename="xxxxx_document_003F11.zip"
> Content-Type: application/x-rar-compressed; x-unix-mode=0600;
> 	name="xxxxx_document_003F11.zip"
> Content-Transfer-Encoding: base64

As mentioned in another reply, this is a RAR compressed file, not a true ZIP. Do you have unrar installed and, e.g.

Unrar Command = /usr/bin/unrar

pointing to it in your MailScanner config?

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan

From info at ezwww.ch Wed Mar 30 15:02:08 2016
From: info at ezwww.ch (ezwww)
Date: Wed, 30 Mar 2016 17:02:08 +0200
Subject: new malware bypass MailScanner filename rules !
In-Reply-To: <56FBE1BB.2090307@msapiro.net>
References: <56FB9BE9.6010105@ezwww.ch> <56FBE1BB.2090307@msapiro.net>
Message-ID: <56FBEA70.8050604@ezwww.ch>

> As mentioned in another reply, this is a RAR compressed file, not a true
> ZIP. Do you have unrar installed and, e.g.
>
> Unrar Command = /usr/bin/unrar
>
> pointing to it in your MailScanner config?

yes unrar 4.2 installed

> rpm -ql unrar
/usr/bin/unrar
/usr/share/doc/unrar-4.2.3
/usr/share/doc/unrar-4.2.3/acknow.txt
/usr/share/doc/unrar-4.2.3/license.txt
/usr/share/doc/unrar-4.2.3/readme.txt
/usr/share/man/man1/unrar.1.gz

and MailScanner config

Unrar Command = /usr/bin/unrar

full message

http://pastebin.com/etnfF34t

ezwww

From info at ezwww.ch Wed Mar 30 15:12:25 2016
From: info at ezwww.ch (ezwww)
Date: Wed, 30 Mar 2016 17:12:25 +0200
Subject: new malware bypass MailScanner filename rules !
In-Reply-To: <56FBE1BB.2090307@msapiro.net>
References: <56FB9BE9.6010105@ezwww.ch> <56FBE1BB.2090307@msapiro.net>
Message-ID: <56FBECD9.8080009@ezwww.ch>

> As mentioned in another reply, this is a RAR compressed file, not a true
> ZIP. Do you have unrar installed and, e.g.
>
> Unrar Command = /usr/bin/unrar
>
> pointing to it in your MailScanner config?

Result of the unrar extraction from the Linux command line:

> /usr/bin/unrar x 04EBD_xxxx.xxxx_A546BB.zip

Extracting from 04EBD_xxxx.xxxx_A546BB.zip

Extracting  a0f10f.js    OK
Extracting  K            OK
All OK

From mark at msapiro.net Wed Mar 30 15:23:59 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 30 Mar 2016 08:23:59 -0700
Subject: new malware bypass MailScanner filename rules !
In-Reply-To: <56FBEA70.8050604@ezwww.ch>
References: <56FB9BE9.6010105@ezwww.ch> <56FBE1BB.2090307@msapiro.net> <56FBEA70.8050604@ezwww.ch>
Message-ID: <56FBEF8F.5000609@msapiro.net>

On 3/30/16 8:02 AM, ezwww wrote:
>
> yes unrar 4.2 installed
...
> full message
>
> http://pastebin.com/etnfF34t

I sent the message to me and I got

Mar 30 08:07:10 sbh16 MailScanner[6415]: Clamd::INFECTED::Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL :: ./03D4F11E19C1.ACBD3/
Mar 30 08:07:10 sbh16 MailScanner[6415]: Found spam based virus Sanesecurity.Malware.26057.JsHeur.UNOFFICIAL in 03D4F11E19C1.ACBD3

but MailScanner didn't detect the .js, so I suspect it's because of the spoofed .zip extension. I.e., what I'm guessing is MailScanner tries to unzip the file because of the .zip extension rather than unrar based on the Content-Type:

You can report this issue at .

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan

From mailbag at partnersolutions.ca Thu Mar 31 11:22:38 2016
From: mailbag at partnersolutions.ca (PSI Mailbag)
Date: Thu, 31 Mar 2016 11:22:38 +0000
Subject: new malware bypass MailScanner filename rules !
In-Reply-To: <56FBEF8F.5000609@msapiro.net>
References: <56FB9BE9.6010105@ezwww.ch> <56FBE1BB.2090307@msapiro.net> <56FBEA70.8050604@ezwww.ch> <56FBEF8F.5000609@msapiro.net>
Message-ID:

The problem is due to the Content-Type header being on two lines. This chokes mailscanner and it skips the attachment detection. I wrote about this last year in September, but no one really noticed..
(http://lists.mailscanner.info/pipermail/mailscanner/2015-September/102575.html).

If you copy/paste the message you sent as-is, mailscanner skips the attachment detection. If you fix the Content-Type line to the following (no CR before name=), then mailscanner properly detects it and rejects the .JS:

Content-Type: application/x-rar-compressed; x-unix-mode=0600; name="04EBD_xxxx.xxxx_A546BB.zip"

Versus:

Content-Type: application/x-rar-compressed; x-unix-mode=0600;
	name="04EBD_xxxx.xxxx_A546BB.zip"

-Joshua

From info at ezwww.ch Thu Mar 31 11:32:39 2016
From: info at ezwww.ch (ezwww)
Date: Thu, 31 Mar 2016 13:32:39 +0200
Subject: new malware bypass MailScanner filename rules !
In-Reply-To:
References: <56FB9BE9.6010105@ezwww.ch> <56FBE1BB.2090307@msapiro.net> <56FBEA70.8050604@ezwww.ch> <56FBEF8F.5000609@msapiro.net>
Message-ID: <56FD0AD7.9080401@ezwww.ch>

Thanks for this information, you are exactly right, it's a problem with MailScanner and a malformed Content-Type header. I opened a new issue at https://github.com/MailScanner/v4/issues/58

ezwww

> The problem is due to the Content-Type header being on two lines. This chokes mailscanner and it skips the attachment detection. I wrote about this last year in September, but no one really noticed.. (http://lists.mailscanner.info/pipermail/mailscanner/2015-September/102575.html).
>
> If you copy/paste the message you sent as-is, mailscanner skips the attachment detection. If you fix the Content-Type line to the following (no CR before name=), then mailscanner properly detects it and rejects the .JS:
>
> Content-Type: application/x-rar-compressed; x-unix-mode=0600; name="04EBD_xxxx.xxxx_A546BB.zip"
>
> Versus:
>
> Content-Type: application/x-rar-compressed; x-unix-mode=0600;
> 	name="04EBD_xxxx.xxxx_A546BB.zip"
>
> -Joshua
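The two-line Content-Type that Joshua identifies is ordinary RFC 5322 header folding, so a conforming MIME parser sees a single header with its name= parameter, and the real tell in these samples is that the declared type, the filename extension and the archive's own magic bytes disagree. The following Python script is an added example, not MailScanner's code and not from anyone in this thread: it parses a constructed lookalike of the "recent bill" message (folded Content-Type, RAR declared, .zip filename; the sender, boundary, payload and the extension blocklist are all assumed here, only the filenames echo the thread), unfolds the header with the standard library, and applies the checks a gateway would want: declared type versus extension, magic bytes versus extension, and blocked extensions among ZIP members.

```python
import base64
import io
import zipfile
from email import message_from_bytes, policy

# Archive signatures (magic bytes) for the two formats seen in the thread.
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07\x00": "rar", b"Rar!\x1a\x07\x01\x00": "rar"}
# Declared MIME type -> extension it implies; member extensions refused in
# archives (an assumed blocklist, standing in for a filename rule).
DECLARED = {"application/zip": "zip", "application/x-rar-compressed": "rar"}
DANGEROUS = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr"}


def sniff(data: bytes) -> str:
    """Identify an archive by its leading bytes, not by its name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def inspect_attachments(raw: bytes) -> list:
    """Return (attachment name, reason) findings for every named part."""
    # The stdlib parser unfolds the two-line Content-Type into one header.
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ctype = part.get_content_type()
        if DECLARED.get(ctype, ext) != ext:
            findings.append((name, f"declared {ctype} but named .{ext}"))
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        if kind != "unknown" and kind != ext:
            findings.append((name, f"magic bytes say {kind}, extension says .{ext}"))
        if kind == "zip":  # look inside, as a filetype rule on members would
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if "." + member.rsplit(".", 1)[-1].lower() in DANGEROUS:
                        findings.append((name, f"archive member {member} is blocked"))
    return findings


def build_sample(rar_magic: bool = False) -> bytes:
    """Constructed lookalike of the 'recent bill' message (folded Content-Type,
    RAR declared, .zip name); payload is a real ZIP with a placeholder .js,
    or, with rar_magic=True, bare RAR 4.x magic bytes (not a real archive)."""
    if rar_magic:
        payload = b"Rar!\x1a\x07\x00" + b"\x00" * 16
    else:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("a0f10f.js", "// placeholder, not the real dropper\n")
        payload = buf.getvalue()
    body = base64.encodebytes(payload).decode()
    return (
        "From: sender@example.invalid\nTo: rcpt@example.invalid\n"
        "Subject: recent bill\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain; charset=utf-8\n\n"
        "Please see attached file regarding clients recent bill.\n"
        '--b1\nContent-Disposition: inline; filename="28F59_xxxx_2EC51C.zip"\n'
        "Content-Type: application/x-rar-compressed; x-unix-mode=0600;\n"
        '\tname="28F59_xxxx_2EC51C.zip"\n'  # folded continuation line
        "Content-Transfer-Encoding: base64\n\n" + body + "--b1--\n"
    ).encode()
```

Run `inspect_attachments(build_sample())` and `inspect_attachments(build_sample(rar_magic=True))` to see the declared-type mismatch, the blocked .js member, and the RAR-magic-behind-a-.zip-name case respectively.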