From pparsons at techeez.com Thu Sep 1 15:44:37 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Thu, 1 Sep 2016 15:44:37 +0000
Subject: Is it possible to
In-Reply-To: <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com>

The logging has done nothing it is not creating any logs..

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Philip Parsons
Sent: August 31, 2016 4:18 PM
To: MailScanner Discussion
Subject: RE: Is it possible to

This box has been up and working for a year and just 3 days ago it is being hammered with these .zip files which is taking Mailscanner down.

I assume the permissions are correct as it has been working but at this point I will check anything you would like me to. Which permissions should I look for. And I am going to enable the logging now.

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: August 31, 2016 3:54 PM
To: MailScanner Discussion
Subject: RE: Is it possible to

Enable logging in clamd.conf so you can see what is going on.
Permissions are correct, right?

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245

-----Original Message-----
From: Philip Parsons
Reply: MailScanner Discussion
Date: August 31, 2016 at 6:52:29 PM
To: MailScanner Discussion
Subject: RE: Is it possible to

> Well that did not work.. soon after I made the switch the mail stopped
> being processed again..any other suggestions
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Jerry Benton
> Sent: August 31, 2016 2:45 PM
> To: MailScanner Discussion
> Subject: RE: Is it possible to
>
> The Sane Security sigs in Clam AV pretty much do the same thing as the DCS in MailScanner.
>
> -
> Jerry Benton
> www.mailborder.com
> +1 - 844-436-6245
>
> -----Original Message-----
> From: Philip Parsons
> Reply: MailScanner Discussion
> Date: August 31, 2016 at 5:43:05 PM
> To: MailScanner Discussion
> Subject: RE: Is it possible to
>
> > I have just done that and will see what happens.. The content
> > scanning is pretty important nowadays with all the zepto stuff going around...
> >
> > -----Original Message-----
> > From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Jerry Benton
> > Sent: August 31, 2016 2:30 PM
> > To: MailScanner Discussion
> > Subject: RE: Is it possible to
> >
> > Try disabling Dangerous Content Scanning instead. Turn the AV back on.
> >
> > -
> > Jerry Benton
> > www.mailborder.com
> > +1 - 844-436-6245
> >
> > -----Original Message-----
> > From: Philip Parsons
> > Reply: MailScanner Discussion
> > Date: August 31, 2016 at 5:16:00 PM
> > To: MailScanner Discussion
> > Subject: RE: Is it possible to
> >
> > > Anyone else seeing zip files that are taking down Mailscanner and
> > > clamAV I have had to disable Virus scanning..
> > >
> > > From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Philip Parsons
> > > Sent: August 31, 2016 12:17 PM
> > > To: MailScanner Discussion
> > > Subject: Is it possible to
> > >
> > > Do the filetype check first and if it is bad to just store the message and continue on.
> > > if so what settings in the config file need to be changed. Trying
> > > to deal with an attack that is killing mailscanner and it is all bad file types.
> > >
> > > Thank you.
> > > Philip Parsons
> > >
> > > --
> > > This message has been scanned for viruses and dangerous content by
> > > MailScanner, and is believed to be clean.
> > >
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/listinfo/mailscanner

From jerry.benton at mailborder.com Thu Sep 1 16:03:17 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 1 Sep 2016 12:03:17 -0400
Subject: Is it possible to
In-Reply-To: <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com>
Message-ID:

Install Sophos and see if you see the same behavior.

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245

-----Original Message-----
From: Philip Parsons
Reply: MailScanner Discussion
Date: September 1, 2016 at 11:44:48 AM
To: MailScanner Discussion
Subject: RE: Is it possible to

> The logging has done nothing it is not creating any logs..

From steveb_clamav at sanesecurity.com Thu Sep 1 18:03:07 2016
From: steveb_clamav at sanesecurity.com (Steve basford)
Date: Thu, 01 Sep 2016 19:03:07 +0100
Subject: Is it possible to
In-Reply-To: <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com>
Message-ID: <156e6eb2b78.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>

what 3rd party databases are you using with ClamAV... just Sanesecurity or Securiteinfo etc?

Could you list dbs in database folder.

On 1 September 2016 16:45:31 Philip Parsons wrote:

> The logging has done nothing it is not creating any logs..

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity

From qtapioca at gmail.com Thu Sep 1 22:09:46 2016
From: qtapioca at gmail.com (Q tapioca)
Date: Thu, 1 Sep 2016 18:09:46 -0400
Subject: Plesk compatibility
Message-ID:

Does the MailScanner program have any compatibility issue with Plesk 12.0 running Centos 5/6?
I am considering using it for lots emails with virus attachment into the domain.

Thanks for any help.

From pparsons at techeez.com Fri Sep 2 01:06:11 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Fri, 2 Sep 2016 01:06:11 +0000
Subject: Is it possible to
In-Reply-To: <156e6eb2b78.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com>
 <156e6eb2b78.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>
Message-ID: <11D8E491D9562549A61FD3186F3634200284FE793D@exchange.techeez.com>

I believe I am using all of them. I have removed some and tried that but I think it is a good idea to remove them all I will try it with nothing just clamav databases. The funny thing is I now have a second system different customer that is also having the same issue. This is all related to these .zip files

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Steve basford
Sent: Thursday, September 1, 2016 11:03 AM
To: MailScanner Discussion
Subject: RE: Is it possible to

what 3rd party databases are you using with ClamAV... just Sanesecurity or Securiteinfo etc?

Could you list dbs in database folder.

From steveb_clamav at sanesecurity.com Fri Sep 2 07:27:10 2016
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Fri, 2 Sep 2016 08:27:10 +0100
Subject: Is it possible to
In-Reply-To: <11D8E491D9562549A61FD3186F3634200284FE793D@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com>
 <156e6eb2b78.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>
 <11D8E491D9562549A61FD3186F3634200284FE793D@exchange.techeez.com>
Message-ID:

On Fri, September 2, 2016 2:06 am, Philip Parsons wrote:
> I believe I am using all of them. I have removed some and tried that but
> I think it is a good idea to remove them all I will try it with nothing
> just clamav databases. The funny thing is I now have a second system
> different customer that is also having the same issue.
> This is all related to these .zip files

Note: might be an idea to move this off-list or to clamav-users or to sanesecurity list but for now....

This is a slightly unfair test but I scanned a small file with each database and all returned an OK but here are the timings for each database...

If you are using any of the ones marked [Possible Performance Issue] then remove them first and see what happens.

Securiteinfo:

spam_marketing.ndb                 230250 ms [Possible Performance Issue]
javascript.ndb                      23109 ms [Possible Performance Issue]
securiteinfo.hdb                    11781 ms [Possible Performance Issue]
securiteinfoascii.hdb                1532 ms
securiteinfohtml.hdb                 1469 ms

Sanesecurity mirrored:

scamnailer.ndb                       8547 ms
phish.ndb                            4750 ms
junk.ndb                             2391 ms
spear.ndb                            1985 ms
phishtank.ndb                        1844 ms
scam.ndb                             1641 ms
badmacro.ndb                         1500 ms
winnow_phish_complete.ndb            1484 ms
winnow_phish_complete_url.ndb        1484 ms
jurlbl.ndb                           1391 ms
winnow_malware_links.ndb             1344 ms
jurlbla.ndb                          1313 ms
blurl.ndb                            1313 ms
porcupine.ndb                        1296 ms
foxhole_filename.cdb                 1282 ms
bofhland_malware_attach.hdb          1266 ms
foxhole_all.cdb                      1266 ms
foxhole_generic.cdb                  1266 ms
lott.ndb                             1266 ms
winnow_extended_malware.hdb          1266 ms
winnow_malware.hdb                   1266 ms
winnow_spam_complete.ndb             1266 ms
bofhland_phishing_URL.ndb            1265 ms
bofhland_cracked_URL.ndb             1250 ms
bofhland_malware_URL.ndb             1250 ms
crdfam.clamav.hdb                    1250 ms
doppelstern.ndb                      1250 ms
doppelstern-phishtank.ndb            1250 ms
rogue.hdb                            1250 ms
spam.ldb                             1250 ms
spamattach.hdb                       1250 ms
spamimg.hdb                          1250 ms
spearl.ndb                           1250 ms
winnow.attachments.hdb               1250 ms
winnow_bad_cw.hdb                    1250 ms
winnow.complex.patterns.ldb          1235 ms
doppelstern.hdb                      1234 ms
foxhole_js.cdb                       1234 ms
winnow_extended_malware_links.ndb    1234 ms

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity

From alvaro at hostalia.com Fri Sep 2 12:52:28 2016
From: alvaro at hostalia.com (Alvaro Marín)
Date: Fri, 2 Sep 2016 14:52:28 +0200
Subject: Long queue IDs in Postfix
In-Reply-To:
References: <0de4adbe-c191-84fc-8f2e-50a81855cff2@hostalia.com>
Message-ID: <4ed94c1d-060d-85bc-347a-e5cfafb6545b@hostalia.com>

Hi again,

since the day we talked, I've a server that scans ~90k mails/day, that has been running with this patch applied and it works fine.

I've been working in another patch that provides support for long queue IDs and hash queue depth > 0 in the Postfix's incoming directory. Postfix's defaults are:

    hash_queue_depth = 1
    hash_queue_names = deferred, defer

but if the incoming queue is hashed too, for example, if we have:

    hash_queue_names = incoming, active, deferred, bounce, defer, flush, hold, trace

only short queue IDs can be used, as we discussed 2 years ago:

http://lists.mailscanner.info/pipermail/mailscanner/2014-May/101348.html

the problem is when the outgoing file is created:

    if ($MailScanner::SMDiskStore::HashDirDepth == 2) {
        $this->{hdname} =~ /^(.)(.)(.*)$/;
        $this->{hdpath} = "$dir/$1/$2/" . $this->{hdname};
    } elsif ($MailScanner::SMDiskStore::HashDirDepth == 1) {
        $this->{hdname} =~ /^(.)(.*)$/;
        $this->{hdpath} = "$dir/$1/" . $this->{hdname};
    } elsif ($MailScanner::SMDiskStore::HashDirDepth == 0) {
        $this->{hdname} =~ /^(.*)$/;
        $this->{hdpath} = "$dir/" . $this->{hdname};
    }

this code is valid for short queue IDs but not for long ones (the hierarchy is not generated using the first characters of the ID, as that code does).

I'll test it and the next week I'll create an issue in github.

Regards,

On 29/08/16 at 16:00, Jerry Benton wrote:
> Alvaro,
>
> Thank you. If you get a chance to test it on 5.0.3, which is the
> latest stable version, let me know. I will try to take a look at it.
> Mark may as well as he also uses Postfix.
>
> -
> Jerry Benton
> www.mailborder.com
> +1 - 844-436-6245
>
> -----Original Message-----
> From: Alvaro Marín
> Reply: MailScanner Discussion
> Date: August 29, 2016 at 9:57:44 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Long queue IDs in Postfix
>
>> Hi,
>>
>> I've this issue opened in github:
>>
>> https://github.com/MailScanner/v5/issues/15
>>
>> I've enabled long_queue_ids in Postfix (with hash_queue_depth disabled)
>> and MailScanner works fine, but when it requeues the message, it creates
>> one message with a short queue ID format:
>>
>> MailScanner[14209]: Requeue: 3sK7N64rr3zJX5T.A6FFB to D74D7218040
>>
>> The HDOutFileName function generates it in Postfix.pm:
>>
>> $file = sprintf("%05X%lX", int(rand 1000000)+1, (stat($file))[1]);
>>
>> that should be in a long format.
>> Reading Postfix's code, I see:
>>
>> /*
>>
>> The long non-repeating queue ID is encoded in an alphabet of 10 digits,
>> 21 upper-case characters, and 21 or fewer lower-case characters. The
>> alphabet is made "safe" by removing all the vowels (AEIOUaeiou). The ID
>> is the concatenation of:
>> - the time in seconds (base 52 encoded, six or more chars),
>> - the time in microseconds (base 52 encoded, exactly four chars),
>> - the 'z' character to separate the time and inode information,
>> - the inode number (base 51 encoded so that it contains no 'z'). */
>>
>> So I've created a patch that implements this functionality (if long
>> queue ids format is enabled, if not, it will be generated as usual).
>>
>> I'm running MailScanner-4.84.5-3 (with the patch to manage long queue
>> IDs from 4.85.1-1 version) and it runs fine (the patch attached is done
>> against last stable release code of MailScanner); I'll be watching it
>> for some days.
>>
>> Regards,
>> --
>> Alvaro Marín Illera
>> Hostalia Internet
>> www.hostalia.com

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From pparsons at techeez.com Fri Sep 2 14:14:59 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Fri, 2 Sep 2016 14:14:59 +0000
Subject: Is it possible to
In-Reply-To:
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com>
 <156e6eb2b78.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>
 <11D8E491D9562549A61FD3186F3634200284FE793D@exchange.techeez.com>,
Message-ID:

Thanks for this. The question has been asked on the other lists multiple times they point out that the log entries states "MailScanner has detected a possible denial of service attack." So they say it is a MailScanner problem. I now have 3 customers with the same problem. Have not removed all the extra databases yet getting to that today.

Techeez on the go so please excuse the spelling.

> On Sep 2, 2016, at 12:28 AM, Steve Basford wrote:
>
>> On Fri, September 2, 2016 2:06 am, Philip Parsons wrote:
>> I believe I am using all of them. I have removed some and tried that but
>> I think it is a good idea to remove them all I will try it with nothing
>> just clamav databases. The funny thing is I now have a second system
>> different customer that is also having the same issue. This is all
>> related to these .zip files
>
> Note: might be an idea to move this off-list or to clamav-users or to
> sanesecurity list but for now....
>
> This is a slightly unfair test but I scanned a small file with each
> database and all returned an OK but here are the timings for each database...
>
> If you are using any of the ones marked [Possible Performance Issue]
> then remove them first and see what happens.
>
> Securiteinfo:
>
> spam_marketing.ndb                 230250 ms [Possible Performance Issue]
> javascript.ndb                      23109 ms [Possible Performance Issue]
> securiteinfo.hdb                    11781 ms [Possible Performance Issue]
> securiteinfoascii.hdb                1532 ms
> securiteinfohtml.hdb                 1469 ms
>
> Sanesecurity mirrored:
>
> scamnailer.ndb                       8547 ms
> phish.ndb                            4750 ms
> junk.ndb                             2391 ms
> spear.ndb                            1985 ms
> phishtank.ndb                        1844 ms
> scam.ndb                             1641 ms
> badmacro.ndb                         1500 ms
> winnow_phish_complete.ndb            1484 ms
> winnow_phish_complete_url.ndb        1484 ms
> jurlbl.ndb                           1391 ms
> winnow_malware_links.ndb             1344 ms
> jurlbla.ndb                          1313 ms
> blurl.ndb                            1313 ms
> porcupine.ndb                        1296 ms
> foxhole_filename.cdb                 1282 ms
> bofhland_malware_attach.hdb          1266 ms
> foxhole_all.cdb                      1266 ms
> foxhole_generic.cdb                  1266 ms
> lott.ndb                             1266 ms
> winnow_extended_malware.hdb          1266 ms
> winnow_malware.hdb                   1266 ms
> winnow_spam_complete.ndb             1266 ms
> bofhland_phishing_URL.ndb            1265 ms
> bofhland_cracked_URL.ndb             1250 ms
> bofhland_malware_URL.ndb             1250 ms
> crdfam.clamav.hdb                    1250 ms
> doppelstern.ndb                      1250 ms
> doppelstern-phishtank.ndb            1250 ms
> rogue.hdb                            1250 ms
> spam.ldb                             1250 ms
> spamattach.hdb                       1250 ms
> spamimg.hdb                          1250 ms
> spearl.ndb                           1250 ms
> winnow.attachments.hdb               1250 ms
> winnow_bad_cw.hdb                    1250 ms
> winnow.complex.patterns.ldb          1235 ms
> doppelstern.hdb                      1234 ms
> foxhole_js.cdb                       1234 ms
> winnow_extended_malware_links.ndb    1234 ms
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
> Twitter: @sanesecurity

From pparsons at techeez.com Fri Sep 2 16:14:18 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Fri, 2 Sep 2016 16:14:18 +0000
Subject: Is it possible to
In-Reply-To:
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com>
 <156e6eb2b78.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>
 <11D8E491D9562549A61FD3186F3634200284FE793D@exchange.techeez.com>,
Message-ID: <11D8E491D9562549A61FD3186F3634200284FEABB4@exchange.techeez.com>

Update:
The removal of all of the Securiteinfo and the Sanesecurity seems for now to have fixed it up. Now I have to figure out which one is causing the issues.

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Philip Parsons
Sent: September 2, 2016 7:15 AM
To: MailScanner Discussion
Subject: Re: Is it possible to

Thanks for this. The question has been asked on the other lists multiple times they point out that the log entries states "MailScanner has detected a possible denial of service attack." So they say it is a MailScanner problem. I now have 3 customers with the same problem. Have not removed all the extra databases yet getting to that today.

Techeez on the go so please excuse the spelling.

From steveb_clamav at sanesecurity.com Fri Sep 2 16:18:25 2016
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Fri, 2 Sep 2016 17:18:25 +0100
Subject: Is it possible to
In-Reply-To: <11D8E491D9562549A61FD3186F3634200284FEABB4@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com>
 <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com>
 <156e6eb2b78.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>
 <11D8E491D9562549A61FD3186F3634200284FE793D@exchange.techeez.com>,
 <11D8E491D9562549A61FD3186F3634200284FEABB4@exchange.techeez.com>
Message-ID: <24d28cc9b3b0df8f9e71fc85287ed154.squirrel@sanesecurity.com>

On Fri, September 2, 2016 5:14 pm, Philip Parsons wrote:
> Update:
> The removal of all of the Securiteinfo and the Sanesecurity seems for now
> to have fixed it up. Now I have to figure out which one is causing the
> issues.

Step one... remove Securiteinfo ones first...there's less databases.

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity

From pparsons at techeez.com Fri Sep 2 21:55:12 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Fri, 2 Sep 2016 21:55:12 +0000
Subject: Is it possible to
In-Reply-To: <11D8E491D9562549A61FD3186F3634200284FEABB4@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com> <156e6eb2b78.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com> <11D8E491D9562549A61FD3186F3634200284FE793D@exchange.techeez.com>, <11D8E491D9562549A61FD3186F3634200284FEABB4@exchange.techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F3634200284FEB55D@exchange.techeez.com>

Well it seemed promising with the removal of just the Securiteinfo rules everything was flowing well on all 3 customers and then one started having the same issue. So I had to remove all the extra rules again.

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Philip Parsons
Sent: September 2, 2016 9:14 AM
To: MailScanner Discussion
Subject: RE: Is it possible to

Update:
The removal of all of the Securiteinfo and the Sanesecurity seems for now to have fixed it up. Now I have to figure out which one is causing the issues.

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Philip Parsons
Sent: September 2, 2016 7:15 AM
To: MailScanner Discussion
Subject: Re: Is it possible to

Thanks for this.
The question has been asked on the other lists multiple times they point out that the log entries state "MailScanner has detected a possible denial of service attack." So they say it is a MailScanner problem. I now have 3 customers with the same problem. Have not removed all the extra databases yet getting to that today.

Techeez on the go so please excuse the spelling.

> On Sep 2, 2016, at 12:28 AM, Steve Basford wrote:
>
>> On Fri, September 2, 2016 2:06 am, Philip Parsons wrote:
>> I believe I am using all of them. I have removed some and tried that
>> but I think it is a good idea to remove them all I will try it with
>> nothing just clamav databases. The funny thing is I now have a
>> second system different customer that is also having the same issue.
>> This is all related to these .zip files
>
> Note: might be an idea to move this off-list or to clamav-users or to
> sanesecurity list but for now....
>
> This is a slightly unfair test but I scanned a small file with each
> database and all returned an OK but here are the timings for each database...
>
> If you are using any of the ones marked [Possible Performance Issue]
> then remove them first and see what happens.

From iversons at rushville.k12.in.us Sat Sep 3 21:11:35 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 3 Sep 2016 17:11:35 -0400
Subject: CentOS 6.x RPMs Available
Message-ID:

In case anyone is interested...mailscanner community is welcome to utilize rpms from this repo for CentOS 6.x. Want to contribute back to mailscanner :)

yum config: https://dl.efa-project.org/rpm/EFA.repo
GPG key: https://dl.efa-project.org/rpm/RPM-GPG-KEY-E.F.A.Project

Packages included in repo (sorry repo isn't allowing indexes and webmaster is out of office...but will work on that when he returns)

unrar-5.2.7
spamassassin-3.4.1-2
postfix-3.0.4-1
perl-Text-Balanced-2.0.3-1
perl-Test-Pod-1.51-1
perl-Socket-2.0.21-1
perl-Net-Ident-1.23-1
perl-Net-DNS-Resolver-Programmable-0.003-6
perl-NetAddr-IP-4.078
perl-Mail-SPF-Query-1.999.1-2
perl-Mail-SPF-2.9.0.-1
perl-Mail-ClamAV-0.29-2
perl-libnet-3.08-1
perl-IP-Country2.28-1
perl-IO-Socket-IP-0.37-1
perl-IO-Socket-INET6-2.72-1
perl-Geo-IP-1.45-1
perl-File-ShareDir-Install
perl-ExtUtils-MakeMaker-7.10-3
perl-ExtUtils-Install-2.0.4-1
perl-ExtUtils-Constant-0.23-1
perl-Digest-SHA-5.95-1
perl-Digest-MD5-2.54-1
perl-Digest-HMAC-1.03-1
perl-Digest-1.17-1
perl-DB_File-1.835-1
perl-Cypt-OpenSSL-RSA-0.28-1
clamav-unofficial-sigs-5.4.1-1

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From jvoorhees1 at gmail.com Wed Sep 7 16:25:37 2016
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Wed, 7 Sep 2016 11:25:37 -0500
Subject: Archiving questions
Message-ID:

Hello guys:

I'm using the archiving feature of MailScanner which is currently working pretty fine.
This is my current setup:

Archive Mail = %rules-dir%/archive.mail.rules
Missing Mail Archive Is = file

# %rules-dir%/archive.mail.rules file
To: *@mydomain.com /var/spool/MailScanner/archive/_TODOMAIN_/_DATE_/received/_TOUSER_/from-_FROMUSER_ at _FROMDOMAIN_.mbox
From: *@mydomain.com /var/spool/MailScanner/archive/_FROMDOMAIN_/_DATE_/sent/_FROMUSER_/to-_TOUSER_ at _TODOMAIN_.mbox

However I'm facing a couple of minor issues I'd like you to give me some ideas to solve it:

1. I want to release (resend) some archived mail by running "sendmail -t < /path/archived/message.mbox" as root. But this causes the released message (sent by root at mydomain.com) to be archived again twice: 1st. as a message sent by root, 2nd. as a message sent to the original recipient. How can I avoid to archive messages from root at mydomain.com? I tried to put the following lines at the 1st and last line of my rules file without luck:

   i. From: root at mydomain.com No
   ii. FromOrTo: root at mydomain.com No
   iii. From: root at mydomain.com ""
   iv. From: root at mydomain.com

2. I've noticed that archiving process occurs before virus and spam checking. Is there a way to change this? So maybe archiving could occur just after virus+spam checks. Currently, I can't see any MailScanner header regarding spam checks in archived messages.

Thanks in advance for your time and help.

From pparsons at techeez.com Thu Sep 8 17:21:48 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Thu, 8 Sep 2016 17:21:48 +0000
Subject: Is it possible to
In-Reply-To:
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com> <156e6eb2b78.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com> <11D8E491D9562549A61FD3186F3634200284FE793D@exchange.techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F36342002850296B0@exchange.techeez.com>

If anyone is interested the issue seems to have been the extra rule sets added to the scanning of clamav. After removal of all of the extra databases the system was able to handle the loads 100%. Couple of items I had to change. I had to drop the Max Children = setting in Mailscanner.conf to 3 as these systems only have 3 gigs ram and then I was able to add the Sanesecurity extra rule sets back with no issues.. As soon as I added the Securiteinfo: rules back into the mix the system started to have problems.

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Steve Basford
Sent: September 2, 2016 12:27 AM
To: MailScanner Discussion
Subject: RE: Is it possible to

On Fri, September 2, 2016 2:06 am, Philip Parsons wrote:
> I believe I am using all of them. I have removed some and tried that
> but I think it is a good idea to remove them all I will try it with
> nothing just clamav databases. The funny thing is I now have a second
> system different customer that is also having the same issue. This is
> all related to these .zip files

Note: might be an idea to move this off-list or to clamav-users or to sanesecurity list but for now....

This is a slightly unfair test but I scanned a small file with each database and all returned an OK but here are the timings for each database...

If you are using any of the ones marked [Possible Performance Issue] then remove them first and see what happens.

Securiteinfo:

spam_marketing.ndb                  230250 ms [Possible Performance Issue]
javascript.ndb                      23109 ms [Possible Performance Issue]
securiteinfo.hdb                    11781 ms [Possible Performance Issue]
securiteinfoascii.hdb               1532 ms
securiteinfohtml.hdb                1469 ms

Sanesecurity mirrored:

scamnailer.ndb                      8547 ms
phish.ndb                           4750 ms
junk.ndb                            2391 ms
spear.ndb                           1985 ms
phishtank.ndb                       1844 ms
scam.ndb                            1641 ms
badmacro.ndb                        1500 ms
winnow_phish_complete.ndb           1484 ms
winnow_phish_complete_url.ndb       1484 ms
jurlbl.ndb                          1391 ms
winnow_malware_links.ndb            1344 ms
jurlbla.ndb                         1313 ms
blurl.ndb                           1313 ms
porcupine.ndb                       1296 ms
foxhole_filename.cdb                1282 ms
bofhland_malware_attach.hdb         1266 ms
foxhole_all.cdb                     1266 ms
foxhole_generic.cdb                 1266 ms
lott.ndb                            1266 ms
winnow_extended_malware.hdb         1266 ms
winnow_malware.hdb                  1266 ms
winnow_spam_complete.ndb            1266 ms
bofhland_phishing_URL.ndb           1265 ms
bofhland_cracked_URL.ndb            1250 ms
bofhland_malware_URL.ndb            1250 ms
crdfam.clamav.hdb                   1250 ms
doppelstern.ndb                     1250 ms
doppelstern-phishtank.ndb           1250 ms
rogue.hdb                           1250 ms
spam.ldb                            1250 ms
spamattach.hdb                      1250 ms
spamimg.hdb                         1250 ms
spearl.ndb                          1250 ms
winnow.attachments.hdb              1250 ms
winnow_bad_cw.hdb                   1250 ms
winnow.complex.patterns.ldb         1235 ms
doppelstern.hdb                     1234 ms
foxhole_js.cdb                      1234 ms
winnow_extended_malware_links.ndb   1234 ms

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity

From steveb_clamav at sanesecurity.com Thu Sep 8 18:28:07 2016
From: steveb_clamav at sanesecurity.com (Steve basford)
Date: Thu, 08 Sep 2016 19:28:07 +0100
Subject: Is it possible to
In-Reply-To: <11D8E491D9562549A61FD3186F36342002850296B0@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F3634200284FE2E5F@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE3007@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE3191@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE3330@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE33E4@exchange.techeez.com> <11D8E491D9562549A61FD3186F3634200284FE4D7A@exchange.techeez.com> <156e6eb2b78.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com> <11D8E491D9562549A61FD3186F3634200284FE793D@exchange.techeez.com> <11D8E491D9562549A61FD3186F36342002850296B0@exchange.techeez.com>
Message-ID: <1570b0e92d8.27d5.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>

On 8 September 2016 18:22:37 Philip Parsons wrote:

> As soon as I added the Securiteinfo: rules back into the mix the system
> started to have problems.
>

Thanks for the feedback, this matches the simple tests below..

> Securiteinfo:
>
> spam_marketing.ndb 230250 ms [Possible Performance Issue]
> javascript.ndb 23109 ms [Possible Performance Issue]
> securiteinfo.hdb 11781 ms [Possible Performance Issue]

Cheers,

Steve
Twitter: @sanesecurity

From markussen at media24.no Fri Sep 9 12:15:09 2016
From: markussen at media24.no (Trond M. Markussen)
Date: Fri, 9 Sep 2016 14:15:09 +0200
Subject: Spoofing and SPF
Message-ID: <06e401d20a93$d3853b40$7a8fb1c0$@media24.no>

Hi,

We have set up rules where the combination of FROM_CUSTOMERDOMAIN (customerdomain.no) and SPF_FAIL (or softfail) gives a high score to filter out spoofed spam emails.

However, some of these pass the SPF test for some reason. Any suggestions as to why and how to avoid these would be greatly appreciated..!

Regards,

Trond M. Markussen

Return-Path:
Received: from stt-cha-ms1.vipowernet.net (mail.vipowernet.net [65.112.145.72])
 by filtermx.media24.no (8.13.8/8.13.8) with ESMTP id u749VHwZ031985
 for ; Thu, 4 Aug 2016 11:31:18 +0200
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=185.27.134.51;
Date: Thu, 4 Aug 2016 05:31:39 -0400
Return-Path: bob at customerdomain.no
To: bill@ customerdomain.no
From: "Bob Client,"
Reply-To: Bob Client
Subject: =?iso-8859-1?Q?bankoverf=F8ring?=
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"
X-Authenticated-User: abbuncome at vipowernet.net

From: srs0+950v+7+customerdomain.no=bob at vipowernet.net [Add to Whitelist | Add to Blacklist]
To: bill at customerdomain.no
Subject: bankoverføring
Size: 1.2Kb

Score    Matching Rule          Description
         cached not
         score=1.754
         6 required
0.50     BOTNET_SERVERWORDS     Hostname contains server-like substrings
-0.01    BOTNET_SOHO            Relay might be a SOHO mail server
0.01     FROM_CUSTOMERDOMAIN
1.50     LOTS_OF_MONEY
-1.25    RP_MATCHES_RCVD
-0.00    SPF_PASS               SPF: sender matches SPF record
1.00     XM_PHPMAILER_FORGED

From robert at dellschau.de Fri Sep 9 12:32:38 2016
From: robert at dellschau.de (Fa. Dellschau Robert Dellschau)
Date: Fri, 9 Sep 2016 14:32:38 +0200
Subject: Get rid of stalkers
Message-ID: <81bc6abc-ad2b-58ec-ddc2-7812695f7852@dellschau.de>

Hello @ list !
I'm using mailscanner since .... 2003? 2005?

But now there is a new "obstacle" I try to understand:
I want to keep out emails from my stalking / hoovering ex-girlfriend.
I tried to set her address to the blacklist .... and yes, they are marked as highscored spam and delivered to quarantine
but .. I want them to be deleted at first sight, so that I'm not in the risk of reading them the first moment.
otherwise ....
if I would like to announce her misbehavior to court, I should have copies of all the rubbish she sent.

My idea is to set in the "scan.mail.rules" file a line with
from: her at badlullaby.com archive delete --> would that archive & delete all emails from her?

any ideas ?

Kind regards
robert
nearby cologne / germany.

--
RICHEL-Folienhallen - MULTIBLOC-BetonBlocksteine - Folienhallen-fuer-die-Industrie - Used equipment
DELLSCHAU Bauhandel & Recyclingbedarf GmbH
Crushing - Screening - Sorting - Construction machinery sales.
Professional equipment for recycling - Processing technology - Consulting
50129 Bergheim Glessen - Im Brauweiler Feld 6
Tel : 02238 / 942074 Fax : 02238 / 942075
www.dellschau.de info at dellschau.de -- legal notice
Registered office: 50126 Bergheim, commercial register Köln HRB 40328
Management: Dipl. Ing. R.Dellschau, J.M. Dellschau

From jvoorhees1 at gmail.com Fri Sep 9 16:19:22 2016
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Fri, 9 Sep 2016 11:19:22 -0500
Subject: Get rid of stalkers
In-Reply-To: <81bc6abc-ad2b-58ec-ddc2-7812695f7852@dellschau.de>
References: <81bc6abc-ad2b-58ec-ddc2-7812695f7852@dellschau.de>
Message-ID:

You can do it at MTA level. If you're using postfix you could just do something like this:

smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/blacklist

The contents of the /etc/postfix/blacklist file:

her at badlullaby.com DISCARD

You will only see a postfix log like this:

Sep 9 11:10:49 mailserver postfix/smtpd[11981]: NOQUEUE: discard: RCPT from mail.badlullabies.com[69.69.69.69]: : Client host triggers DISCARD action; from= to=< someone at yourdomain.com> proto=ESMTP helo=

Does that make sense for you?

From mark at msapiro.net Fri Sep 9 16:37:07 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 9 Sep 2016 09:37:07 -0700
Subject: Get rid of stalkers
In-Reply-To:
References: <81bc6abc-ad2b-58ec-ddc2-7812695f7852@dellschau.de>
Message-ID:

On 09/09/2016 09:19 AM, Jason Voorhees wrote:
> You can do it at MTA level. If you're using postfix you could just do
> something like this:
>
> smtpd_recipient_restrictions =
>     check_sender_access hash:/etc/postfix/blacklist
>
> The contents of the /etc/postfix/blacklist file:
>
> her at badlullaby.com DISCARD

But he doesn't want to discard the mail. He wants to archive but not deliver it.

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From mark at msapiro.net Fri Sep 9 17:11:18 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 9 Sep 2016 10:11:18 -0700
Subject: Get rid of stalkers
In-Reply-To: <81bc6abc-ad2b-58ec-ddc2-7812695f7852@dellschau.de>
References: <81bc6abc-ad2b-58ec-ddc2-7812695f7852@dellschau.de>
Message-ID: <8251c2da-2681-3b56-0d1d-9e9680893f05@msapiro.net>

On 09/09/2016 05:32 AM, Fa. Dellschau Robert Dellschau wrote:
>
> My Idea is to set in the "scan.mail.rules" file a line with
> from: her at badlullaby.com archive delete --> would that archive &
> delete all emails from her?

That won't work. Scan Messages doesn't accept 'actions'.
There are multiple ways to do this, but I suggest making a SpamAssassin rule such as header X_FROM_HER From =~/her at badlullaby.com/i describe X_FROM_HER Mail from her score X_FROM_HER 1.0 And then make a rule set for SpamAssassin Rule Actions containing X_FROM_HER=>store-/path/to/directory/,delete where /path/to/directory/ is an existing directory writable by MailScanner. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Fri Sep 9 19:35:04 2016 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 9 Sep 2016 12:35:04 -0700 Subject: Spoofing and SPF In-Reply-To: <06e401d20a93$d3853b40$7a8fb1c0$@media24.no> References: <06e401d20a93$d3853b40$7a8fb1c0$@media24.no> Message-ID: <902117ab-d0b3-de2d-b7d8-ae7d320dae23@msapiro.net> On 09/09/2016 05:15 AM, Trond M. Markussen wrote: > > > We have set up rules where the combination of FROM_CUSTOMERDOMAIN > (customerdomain.no) and SPF_FAIL (or softfail) gives a hich score to > filter out spoofed spam emails. How are you defining FROM_CUSTOMERDOMAIN? if you are basing it on the From: header, you won't necessarily detect an SPF failure on spoofed From: domains. SPF is based in the sending server (envelope from), not the From: domain. If you control outgoing mail from the domain, you could DKIM sign it and then base your test on a valid DKIM signature from the domain, but this depends on no mail passing through an email list or other process that will make a transformation that breaks the signature on its way from the originating server to you. In other words, you can do things such as are done in DMARC without necessarily publishing a DMARC policy, but see for some of the negatives of DMARC. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From robert at dellschau.de Sat Sep 10 12:10:39 2016 From: robert at dellschau.de (Robert Dellschau) Date: Sat, 10 Sep 2016 14:10:39 +0200 Subject: MailScanner Digest, Vol 129, Issue 7 In-Reply-To: References: Message-ID: <9558C701-57F5-40F1-B541-58758298CCBB@dellschau.de> Yes, this is a good idea - i ll give it a try ... I didnt thought of postfix at All. Kind regards, Robert >From my Mobile.. Am 10. September 2016 14:00:01 MESZ, schrieb mailscanner-request at lists.mailscanner.info: >Send MailScanner mailing list submissions to > mailscanner at lists.mailscanner.info > >To subscribe or unsubscribe via the World Wide Web, visit > http://lists.mailscanner.info/mailman/listinfo/mailscanner >or, via email, send a message with subject or body 'help' to > mailscanner-request at lists.mailscanner.info > >You can reach the person managing the list at > mailscanner-owner at lists.mailscanner.info > >When replying, please edit your Subject line so it is more specific >than "Re: Contents of MailScanner digest..." > > >Today's Topics: > > 1. Spoofing and SPF (Trond M. Markussen) > 2. Get rid of stalkers (Fa. Dellschau Robert Dellschau) > 3. Re: Get rid of stalkers (Jason Voorhees) > 4. Re: Get rid of stalkers (Mark Sapiro) > 5. Re: Get rid of stalkers (Mark Sapiro) > 6. Re: Spoofing and SPF (Mark Sapiro) > > >---------------------------------------------------------------------- > >Message: 1 >Date: Fri, 9 Sep 2016 14:15:09 +0200 >From: "Trond M. Markussen" >To: >Subject: Spoofing and SPF >Message-ID: <06e401d20a93$d3853b40$7a8fb1c0$@media24.no> >Content-Type: text/plain; charset="iso-8859-1" > >Hi, > > > >We have set up rules where the combination of FROM_CUSTOMERDOMAIN >(customerdomain.no) and SPF_FAIL (or softfail) gives a hich score to >filter >out spoofed spam emails. > > > >However, some of these pass the SPF test for some reason. Any >suggestions as >to why and how to avoid these would be greatly appreciated..! > > > >Regards, > > > >Trond M. 
Markussen > > > > > > > >Return-Path: > >Received: from stt-cha-ms1.vipowernet.net (mail.vipowernet.net >[65.112.145.72]) > > by filtermx.media24.no (8.13.8/8.13.8) with ESMTP id u749VHwZ031985 > > for ; Thu, 4 Aug 2016 11:31:18 +0200 > >X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) >x-ip-name=185.27.134.51; > >Date: Thu, 4 Aug 2016 05:31:39 -0400 > >Return-Path: bob at customerdomain.no > >To: bill@ customerdomain.no > >From: "Bob Client," > >Reply-To: Bob Client > >Subject: =?iso-8859-1?Q?bankoverf=F8ring?= > >Message-ID: > > >X-Priority: 3 > >X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ] > >MIME-Version: 1.0 > >Content-Transfer-Encoding: 8bit > >Content-Type: text/plain; charset="iso-8859-1" > >X-Authenticated-User: abbuncome at vipowernet.net > >From: srs0+950v+7+customerdomain.no=bob at vipowernet.net [Add to >Whitelist | >Add to Blacklist] > > > >To: bill at customerdomain.no > >Subject: bankoverf?ring > >Size: 1.2Kb > > > > > >Score Matching Rule Description > >cached not > > score=1.754 > >6 required > >0.50 BOTNET_SERVERWORDS Hostname contains server-like substrings > >-0.01 BOTNET_SOHO Relay might be a SOHO mail server > >0.01 FROM_CUSTOMERDOMAIN > >1.50 LOTS_OF_MONEY > >-1.25 RP_MATCHES_RCVD > >-0.00 SPF_PASS SPF: sender matches SPF record > >1.00 XM_PHPMAILER_FORGED > > > > > > > > > >-------------- next part -------------- >An HTML attachment was scrubbed... >URL: > > >------------------------------ > >Message: 2 >Date: Fri, 9 Sep 2016 14:32:38 +0200 >From: "Fa. Dellschau Robert Dellschau" >To: mailscanner at lists.mailscanner.info >Subject: Get rid of stalkers >Message-ID: <81bc6abc-ad2b-58ec-ddc2-7812695f7852 at dellschau.de> >Content-Type: text/plain; charset="utf-8"; Format="flowed" > >Hello @ list ! >I'm using mailscanner since .... 2003? 2005? > >But now there is a new "obstacle" I try to understand: >I want to keep out emails from my stalking / hoovering ex-girlfriend. >I tried to set her adress to the blacklist .... 
and yes, the are marked > >as highscored spam and delivered to quarantine >but .. I want them to be deleted at first sight, so that I'm not in the > >risk of reading them the first moment. >otherwise .... if I would like to announce her misbehavior to court, >I'd >should have copies of all the rubbish, she sendt. > >My Idea is to set in the "scan.mail.rules" file a line with >from: her at badlullaby.com archive delete --> would that archive & >delete all emails from her? > >any ideas ? > >Kind regards >robert >nearby cologne / germany. > > >-- >Signatur >------------------------------------------------------------------------ >RICHEL-Folienhallen >-MULTIBLOC-BetonBlocksteine > >-Folienhallen-fuer-die-Industrie > >-Gebrauchte Technik > > >_*/DELLSCHAU Bauhandel & Recyclingbedarf GmbH/*_* >Brechen - Sieben- Sortieren - Baumaschinenhandel. >*Professionelles f?r's Recycling - Aufbereitungstechnik - Consulting >50129 Bergheim Glessen - Im Brauweiler Feld 6 >Tel : 02238 / 942074 Fax : 02238 / 942075 >www.dellschau.de info at dellschau.de >-- impressum > >Sitz der Gesellschaft: 50126 Bergheim, Handelsregister K?ln HRB 40328 >Gesch?ftsf?hrung : Dipl. Ing. R.Dellschau, J.M. Dellschau > . >------------------------------------------------------------------------ > > > > > > >--- >Diese E-Mail wurde von Avast Antivirus-Software auf Viren gepr?ft. >https://www.avast.com/antivirus >-------------- next part -------------- >An HTML attachment was scrubbed... >URL: > >-------------- next part -------------- >A non-text attachment was scrubbed... >Name: DSLOGO.JPG >Type: image/jpeg >Size: 17070 bytes >Desc: not available >URL: > > >------------------------------ > >Message: 3 >Date: Fri, 9 Sep 2016 11:19:22 -0500 >From: Jason Voorhees >To: MailScanner Discussion >Subject: Re: Get rid of stalkers >Message-ID: > >Content-Type: text/plain; charset="utf-8" > >You can do it at MTA level. 
If you're using postfix you could just do >something like this: > >smtpd_recipient_restrictions = > check_sender_access hash:/etc/postfix/blacklist > >The contents of the /etc/postfix/blacklist file: > >her at badlullaby.com DISCARD > >You will only see a postfix log like this: > >Sep 9 11:10:49 mailserver postfix/smtpd[11981]: NOQUEUE: discard: RCPT >from mail.badlullabies.com[69.69.69.69]: >: >Client host triggers DISCARD action; from= to=< >someone at yourdomain.com> proto=ESMTP helo= > >Does that make sense for you? > > >On Fri, Sep 9, 2016 at 7:32 AM, Fa. Dellschau Robert Dellschau < >robert at dellschau.de> wrote: > >> Hello @ list ! >> I'm using mailscanner since .... 2003? 2005? >> >> But now there is a new "obstacle" I try to understand: >> I want to keep out emails from my stalking / hoovering ex-girlfriend. >> I tried to set her adress to the blacklist .... and yes, the are >marked as >> highscored spam and delivered to quarantine >> but .. I want them to be deleted at first sight, so that I'm not in >the >> risk of reading them the first moment. >> otherwise .... if I would like to announce her misbehavior to court, >I'd >> should have copies of all the rubbish, she sendt. >> >> My Idea is to set in the "scan.mail.rules" file a line with >> from: her at badlullaby.com archive delete --> would that archive & >> delete all emails from her? >> >> any ideas ? >> >> Kind regards >> robert >> nearby cologne / germany. >> >> -- >> >> ------------------------------ >> RICHEL-Folienhallen >> > >> -MULTIBLOC-BetonBlocksteine >> >-Folienhallen- >> fuer-die-Industrie >-Gebrauchte >> Technik >> *DELLSCHAU Bauhandel & Recyclingbedarf GmbH* >> >> * Brechen - Sieben- Sortieren - Baumaschinenhandel. 
*Professionelles >> f?r's Recycling - Aufbereitungstechnik - Consulting >> 50129 Bergheim Glessen - Im Brauweiler Feld 6 >> Tel : 02238 / 942074 Fax : 02238 / 942075 >> www.dellschau.de info at dellschau.de -- impressum >> >> Sitz der Gesellschaft: 50126 Bergheim, Handelsregister K?ln HRB 40328 >> Gesch?ftsf?hrung : Dipl. Ing. R.Dellschau, J.M. Dellschau >> [image: .] >> ------------------------------ >> >> >> >> >> >> > >Virenfrei. >> www.avast.com >> > >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> >> >-------------- next part -------------- >An HTML attachment was scrubbed... >URL: > >-------------- next part -------------- >A non-text attachment was scrubbed... >Name: DSLOGO.JPG >Type: image/jpeg >Size: 17070 bytes >Desc: not available >URL: > > >------------------------------ > >Message: 4 >Date: Fri, 9 Sep 2016 09:37:07 -0700 >From: Mark Sapiro >To: mailscanner at lists.mailscanner.info >Subject: Re: Get rid of stalkers >Message-ID: >Content-Type: text/plain; charset=windows-1252 > >On 09/09/2016 09:19 AM, Jason Voorhees wrote: >> You can do it at MTA level. If you're using postfix you could just do >> something like this: >> >> smtpd_recipient_restrictions = >> check_sender_access hash:/etc/postfix/blacklist >> >> The contents of the /etc/postfix/blacklist file: >> >> her at badlullaby.com DISCARD > > >But he doesn't want to discard the mail. He wants to archive but not >deliver it. > >-- >Mark Sapiro The highway is for gamblers, >San Francisco Bay Area, California better use your sense - B. Dylan > > >------------------------------ > >Message: 5 >Date: Fri, 9 Sep 2016 10:11:18 -0700 >From: Mark Sapiro >To: mailscanner at lists.mailscanner.info >Subject: Re: Get rid of stalkers >Message-ID: <8251c2da-2681-3b56-0d1d-9e9680893f05 at msapiro.net> >Content-Type: text/plain; charset=windows-1252 > >On 09/09/2016 05:32 AM, Fa. 
Dellschau Robert Dellschau wrote:
>>
>> My Idea is to set in the "scan.mail.rules" file a line with
>> from: her at badlullaby.com archive delete --> would that archive &
>> delete all emails from her?
>
>That won't work. Scan Messages doesn't accept 'actions'.
>
>There are multiple ways to do this, but I suggest making a SpamAssassin
>rule such as
>
>header X_FROM_HER From =~/her at badlullaby.com/i
>describe X_FROM_HER Mail from her
>score X_FROM_HER 1.0
>
>And then make a rule set for SpamAssassin Rule Actions containing
>
>X_FROM_HER=>store-/path/to/directory/,delete
>
>where /path/to/directory/ is an existing directory writable by
>MailScanner.
>
>--
>Mark Sapiro The highway is for gamblers,
>San Francisco Bay Area, California better use your sense - B. Dylan
>
>------------------------------
>
>Message: 6
>Date: Fri, 9 Sep 2016 12:35:04 -0700
>From: Mark Sapiro
>To: mailscanner at lists.mailscanner.info
>Subject: Re: Spoofing and SPF
>Message-ID: <902117ab-d0b3-de2d-b7d8-ae7d320dae23 at msapiro.net>
>Content-Type: text/plain; charset=windows-1252
>
>On 09/09/2016 05:15 AM, Trond M. Markussen wrote:
>>
>> We have set up rules where the combination of FROM_CUSTOMERDOMAIN
>> (customerdomain.no) and SPF_FAIL (or softfail) gives a high score to
>> filter out spoofed spam emails.
>
>How are you defining FROM_CUSTOMERDOMAIN? If you are basing it on the
>From: header, you won't necessarily detect an SPF failure on spoofed
>From: domains. SPF is based in the sending server (envelope from), not
>the From: domain.
>
>If you control outgoing mail from the domain, you could DKIM sign it and
>then base your test on a valid DKIM signature from the domain, but this
>depends on no mail passing through an email list or other process that
>will make a transformation that breaks the signature on its way from the
>originating server to you.
>
>In other words, you can do things such as are done in DMARC
> without necessarily publishing a DMARC policy,
>but see for some of the negatives of
>DMARC.
>
>--
>Mark Sapiro The highway is for gamblers,
>San Francisco Bay Area, California better use your sense - B. Dylan
>
>------------------------------
>
>Subject: Digest Footer
>
>--
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>------------------------------
>
>End of MailScanner Digest, Vol 129, Issue 7
>*******************************************

--
This message was sent from my Android mobile phone with K-9 Mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From thom at vdb.nl Sat Sep 10 14:29:18 2016
From: thom at vdb.nl (Thom van der Boon)
Date: Sat, 10 Sep 2016 16:29:18 +0200 (CEST)
Subject: MailScanner 5.0.3 does not start MTA
Message-ID: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl>

Hi,

I have been using the previous versions of mailscanner for many years.

I upgraded my system (CentOS 6.x) to MailScanner 5.0.3.

After upgrading when you start MailScanner the postfix MTA (both incoming and outgoing) is not started by MailScanner. Tested it with the sendmail and sendmail does not start as well.

mailscanner --lint gives no errors

What am I missing here? Where can I start to debug this?

Kind regards,
Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl
=====
Thom.H. van der Boon b.v.
Transito 4
6909 DA Babberich
Tel.: +31 (0)88 4272727
Fax: +31 (0)88 4272789
Home Page: http://www.vdb.nl/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: From mark at msapiro.net Sat Sep 10 16:16:08 2016 From: mark at msapiro.net (Mark Sapiro) Date: Sat, 10 Sep 2016 09:16:08 -0700 Subject: MailScanner 5.0.3 does not start MTA In-Reply-To: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> References: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> Message-ID: <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> On 09/10/2016 07:29 AM, Thom van der Boon wrote: > > After upgrading when you start MailScanner the postfix MTA (both > incoming and outgoing) is not started by MailScanner. Tested it with the > sendmail and sendmail does not start as well. This is intentional. With MailScanner v5 it is expected that the MTA (MTAs in the sendmail case) will be started and stopped independently of MailScanner. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mailscanner-list at okla.com Sat Sep 10 16:30:49 2016 From: mailscanner-list at okla.com (Tracy Greggs) Date: Sat, 10 Sep 2016 11:30:49 -0500 Subject: MailScanner 5.0.3 does not start MTA In-Reply-To: <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> References: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> Message-ID: <030001d20b80$b3c690e0$1b53b2a0$@okla.com> I'm sure there is some logical reason for this change, but I preferred the previous behavior as well. In the end, not a big deal either way. Tracy -----Original Message----- From: MailScanner [mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info ] On Behalf Of Mark Sapiro Sent: Saturday, September 10, 2016 11:16 AM To: mailscanner at lists.mailscanner.info Subject: Re: MailScanner 5.0.3 does not start MTA On 09/10/2016 07:29 AM, Thom van der Boon wrote: > > After upgrading when you start MailScanner the postfix MTA (both > incoming and outgoing) is not started by MailScanner. Tested it with > the sendmail and sendmail does not start as well. 
This is intentional. With MailScanner v5 it is expected that the MTA (MTAs in the sendmail case) will be started and stopped independently of MailScanner. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From thom at vdb.nl Sat Sep 10 19:04:53 2016 From: thom at vdb.nl (Thom van der Boon) Date: Sat, 10 Sep 2016 21:04:53 +0200 (CEST) Subject: MailScanner 5.0.3 does not start MTA In-Reply-To: <030001d20b80$b3c690e0$1b53b2a0$@okla.com> References: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> <030001d20b80$b3c690e0$1b53b2a0$@okla.com> Message-ID: <213267814.108722.1473534293865.JavaMail.zimbra@vdb.nl> OK, I would expect that if you would run a update from 4.8x to 5.0.x the installer would give an warning about this changed behavior. Anyway: After starting postfix manually MailScanner runs beautifully :)) Met vriendelijke groet, Best regards, Thom van der Boon E-Mail: thom at vdb.nl ===== Thom.H. van der Boon b.v. Transito 4 6909 DA Babberich Tel.: +31 (0)88 4272727 Fax: +31 (0)88 4272789 Home Page: http://www.vdb.nl/ Van: "Tracy Greggs" Aan: "MailScanner Discussion" Verzonden: Zaterdag 10 september 2016 18:30:49 Onderwerp: RE: MailScanner 5.0.3 does not start MTA I'm sure there is some logical reason for this change, but I preferred the previous behavior as well. In the end, not a big deal either way. 
Tracy -----Original Message----- From: MailScanner [mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info ] On Behalf Of Mark Sapiro Sent: Saturday, September 10, 2016 11:16 AM To: mailscanner at lists.mailscanner.info Subject: Re: MailScanner 5.0.3 does not start MTA On 09/10/2016 07:29 AM, Thom van der Boon wrote: > > After upgrading when you start MailScanner the postfix MTA (both > incoming and outgoing) is not started by MailScanner. Tested it with > the sendmail and sendmail does not start as well. This is intentional. With MailScanner v5 it is expected that the MTA (MTAs in the sendmail case) will be started and stopped independently of MailScanner. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From wbaudler at gb.nrao.edu Sat Sep 10 20:46:46 2016 From: wbaudler at gb.nrao.edu (Wolfgang Baudler) Date: Sat, 10 Sep 2016 16:46:46 -0400 Subject: MailScanner 5.0.3 does not start MTA In-Reply-To: <213267814.108722.1473534293865.JavaMail.zimbra@vdb.nl> References: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> <030001d20b80$b3c690e0$1b53b2a0$@okla.com> <213267814.108722.1473534293865.JavaMail.zimbra@vdb.nl> Message-ID: <4abacea8dd1e6132ba1cff433bf3b1ef.squirrel@webmail.gb.nrao.edu> > OK, > > I would expect that if you would run a update from 4.8x to 5.0.x the > installer would give an warning about this changed behavior. > Yes, that would be nice. And ideally it would provide a modified sendmail startup-script needed for sendmail in a contrib directory or similar (I have sent one for RHEL6 to this list in an earlier post). > Anyway: After starting postfix manually MailScanner runs beautifully :)) For sendmail it is not that easy unfortunately, since you need two instances running that need to be started up in a certain way, which distro sendmail scripts can't handle. The pre-5.0.x mailscanner scripts took care of it, but they are missing in 5.0.x. Wolfgang From markussen at media24.no Mon Sep 12 08:50:29 2016 From: markussen at media24.no (Trond M. Markussen) Date: Mon, 12 Sep 2016 10:50:29 +0200 Subject: SV: Spoofing and SPF In-Reply-To: <902117ab-d0b3-de2d-b7d8-ae7d320dae23@msapiro.net> References: <06e401d20a93$d3853b40$7a8fb1c0$@media24.no> <902117ab-d0b3-de2d-b7d8-ae7d320dae23@msapiro.net> Message-ID: <082e01d20cd2$b7aefe10$270cfa30$@media24.no> Yes, FROM_CUSTOMERDOMAIN is based on from: but in these cases that rule was triggered. However, the emails seem to have passed the SPF check even though the senders were not listed in the SPF record for that domain. Not sure about how, but this part could be a clue perhaps? 
"(skip=loggedin (res=PASS)) " X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=185.27.134.51; Regards, Trond M. -----Opprinnelig melding----- Fra: MailScanner [mailto:mailscanner-bounces+markussen=media24.no at lists.mailscanner.info] P? vegne av Mark Sapiro Sendt: 9. september 2016 21:35 Til: mailscanner at lists.mailscanner.info Emne: Re: Spoofing and SPF On 09/09/2016 05:15 AM, Trond M. Markussen wrote: > > > We have set up rules where the combination of FROM_CUSTOMERDOMAIN > (customerdomain.no) and SPF_FAIL (or softfail) gives a hich score to > filter out spoofed spam emails. How are you defining FROM_CUSTOMERDOMAIN? if you are basing it on the From: header, you won't necessarily detect an SPF failure on spoofed From: domains. SPF is based in the sending server (envelope from), not the From: domain. If you control outgoing mail from the domain, you could DKIM sign it and then base your test on a valid DKIM signature from the domain, but this depends on no mail passing through an email list or other process that will make a transformation that breaks the signature on its way from the originating server to you. In other words, you can do things such as are done in DMARC without necessarily publishing a DMARC policy, but see for some of the negatives of DMARC. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner From mark at msapiro.net Mon Sep 12 12:52:51 2016 From: mark at msapiro.net (Mark Sapiro) Date: Mon, 12 Sep 2016 05:52:51 -0700 Subject: SV: Spoofing and SPF In-Reply-To: <082e01d20cd2$b7aefe10$270cfa30$@media24.no> References: <06e401d20a93$d3853b40$7a8fb1c0$@media24.no> <902117ab-d0b3-de2d-b7d8-ae7d320dae23@msapiro.net> <082e01d20cd2$b7aefe10$270cfa30$@media24.no> Message-ID: <9251AC9A-D6C8-463B-BDC8-ED8048EBA325@msapiro.net> On September 12, 2016 1:50:29 AM PDT, "Trond M. Markussen" wrote: >Yes, FROM_CUSTOMERDOMAIN is based on from: but in these cases that rule >was >triggered. However, the emails seem to have passed the SPF check even >though the senders were not listed in the SPF record for that domain. That's because SPF is not based on the domain of From:. It is based on the domain of the envelope sender which is not necessarily the From: domain. -- Mark Sapiro Sent from my Not_an_iThing with standards compliant, open source software. From markussen at media24.no Mon Sep 12 13:59:02 2016 From: markussen at media24.no (Trond M. Markussen) Date: Mon, 12 Sep 2016 15:59:02 +0200 Subject: SV: SV: Spoofing and SPF In-Reply-To: <9251AC9A-D6C8-463B-BDC8-ED8048EBA325@msapiro.net> References: <06e401d20a93$d3853b40$7a8fb1c0$@media24.no> <902117ab-d0b3-de2d-b7d8-ae7d320dae23@msapiro.net> <082e01d20cd2$b7aefe10$270cfa30$@media24.no> <9251AC9A-D6C8-463B-BDC8-ED8048EBA325@msapiro.net> Message-ID: <086e01d20cfd$d2b82b70$78288250$@media24.no> Hi, So in other words the SPF check is based on the envelope sender as seen here Return-Path: SRS0+950V+7+pbl.no=arild at vipowernet.net and not the from: From: "Bob Client," ? In other words, SPF does not prevent spoofing in these cases? I should probably explain our setup better though; we have a meta rule in effect that will give a score of 10 if triggered. 
This meta rule is applied if the following two rules are triggered:

FROM_CUSTOMERDOMAIN and SPF_FAIL (or SPF_SOFTFAIL)

CUSTOMERDOMAIN is the client that only wants to allow e-mails from their own domain if the sender is listed in their SPF record.

This seems to filter out 99% of spoofed emails from their domain, but some keep getting through - and in these cases the FROM_CUSTOMERDOMAIN rule is triggered, but not SPF_FAIL/SPF_SOFTFAIL.

 0.01 FROM_CUSTOMERDOMAIN
 0.00 FSL_BULK_SIG
 1.50 HELO_MISC_IP
 0.00 HTML_MESSAGE HTML included in message
10.00 LOCAL_SPF_SOFTFAIL_FROM_CUSTOMERDOMAIN
 0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
 1.89 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
 0.92 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 1.05 RDNS_NONE Delivered to trusted network by a host with no rDNS
 1.50 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

Regards,
Trond M.

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+markussen=media24.no at lists.mailscanner.info] On behalf of Mark Sapiro
Sent: 12 September 2016 14:53
To: MailScanner Discussion
Subject: Re: SV: Spoofing and SPF

On September 12, 2016 1:50:29 AM PDT, "Trond M. Markussen" wrote:
>Yes, FROM_CUSTOMERDOMAIN is based on from: but in these cases that rule
>was triggered. However, the emails seem to have passed the SPF check
>even though the senders were not listed in the SPF record for that
>domain.

That's because SPF is not based on the domain of From:. It is based on the domain of the envelope sender which is not necessarily the From: domain.

--
Mark Sapiro
Sent from my Not_an_iThing with standards compliant, open source software.
-- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner From walt at onlinemarketingguild.com Mon Sep 12 19:38:45 2016 From: walt at onlinemarketingguild.com (Walt Thiessen) Date: Mon, 12 Sep 2016 15:38:45 -0400 Subject: change %org-name% in multiple values? In-Reply-To: <030001d20b80$b3c690e0$1b53b2a0$@okla.com> References: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> <030001d20b80$b3c690e0$1b53b2a0$@okla.com> Message-ID: I'm just now updating to version 5.0.3-7, and I noticed in your Read Me file in /usr/mailscanner/etc/conf.d that, "If you change the value of a %variable% then you must redefine all the settings that use that %variable% here, as the %variable% substitutions are done when the files are initially read, not later when settings are looked up when MailScanner is processing messages." I count 16 instances where %org-name% is used in MailScanner.conf. Does this mean that I have to substitute the value for %org-name% for all 16 entries in order to change the %org-name%? Walt Thiessen Online Marketing Guild LLC 34 Alan Drive Weatogue, CT 06089 phone: 860-264-5432 cell: 860-712-8168 email: walt at onlinemarketingguild.com On 9/10/2016 12:30 PM, Tracy Greggs wrote: > I'm sure there is some logical reason for this change, but I preferred the > previous behavior as well. > > In the end, not a big deal either way. > > Tracy > > > -----Original Message----- > From: MailScanner > [mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info > ] On Behalf Of Mark Sapiro > Sent: Saturday, September 10, 2016 11:16 AM > To: mailscanner at lists.mailscanner.info > Subject: Re: MailScanner 5.0.3 does not start MTA > > On 09/10/2016 07:29 AM, Thom van der Boon wrote: >> After upgrading when you start MailScanner the postfix MTA (both >> incoming and outgoing) is not started by MailScanner. 
Tested it with
>> the sendmail and sendmail does not start as well.
>
> This is intentional. With MailScanner v5 it is expected that the MTA (MTAs
> in the sendmail case) will be started and stopped independently of
> MailScanner.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jerry.benton at mailborder.com Mon Sep 12 19:46:59 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 12 Sep 2016 12:46:59 -0700
Subject: change %org-name% in multiple values?
In-Reply-To:
References: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> <030001d20b80$b3c690e0$1b53b2a0$@okla.com>
Message-ID:

That is correct because of the order the files are read. MailScanner.conf is read first. If you change %org-name% (a variable) in your conf.d/ then that setting will be read, but you will need to redefine other values that use it because they will already be defined using the original value.

In the case of %variables% it is easier to change them in MailScanner.conf.

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245

-----Original Message-----
From: Walt Thiessen via MailScanner
Reply: MailScanner Discussion
Date: September 12, 2016 at 3:39:07 PM
To: MailScanner Discussion
Cc: Walt Thiessen
Subject: change %org-name% in multiple values?

> I'm just now updating to version 5.0.3-7, and I noticed in your Read Me
> file in /usr/mailscanner/etc/conf.d that, "If you change the value of a
> %variable% then you must redefine all the settings that use that
> %variable% here, as the %variable% substitutions are done when the files
> are initially read, not later when settings are looked up when
> MailScanner is processing messages."
>
> I count 16 instances where %org-name% is used in MailScanner.conf. Does
> this mean that I have to substitute the value for %org-name% for all 16
> entries in order to change the %org-name%?
> > > Walt Thiessen > Online Marketing Guild LLC > 34 Alan Drive > Weatogue, CT 06089 > phone: 860-264-5432 > cell: 860-712-8168 > email: walt at onlinemarketingguild.com > > > On 9/10/2016 12:30 PM, Tracy Greggs wrote: > > I'm sure there is some logical reason for this change, but I preferred the > > previous behavior as well. > > > > In the end, not a big deal either way. > > > > Tracy > > > > > > -----Original Message----- > > From: MailScanner > > [mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info > > ] On Behalf Of Mark Sapiro > > Sent: Saturday, September 10, 2016 11:16 AM > > To: mailscanner at lists.mailscanner.info > > Subject: Re: MailScanner 5.0.3 does not start MTA > > > > On 09/10/2016 07:29 AM, Thom van der Boon wrote: > >> After upgrading when you start MailScanner the postfix MTA (both > >> incoming and outgoing) is not started by MailScanner. Tested it with > >> the sendmail and sendmail does not start as well. > > > > This is intentional. With MailScanner v5 it is expected that the MTA (MTAs > > in the sendmail case) will be started and stopped independently of > > MailScanner. > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > From walt at onlinemarketingguild.com Mon Sep 12 19:50:31 2016 From: walt at onlinemarketingguild.com (Walt Thiessen) Date: Mon, 12 Sep 2016 15:50:31 -0400 Subject: change %org-name% in multiple values? In-Reply-To: References: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> <030001d20b80$b3c690e0$1b53b2a0$@okla.com> Message-ID: <39b2e2a8-f320-a8c3-bccb-db10a79bca3b@onlinemarketingguild.com> Okay, but if so, now I'm confused about the note that says, "Instead of making changes directly to this file, you should put your configuration options in your own file in /usr/mailscanner/etc/conf.d/. 
Example file: /usr/mailscanner/etc/conf.d/my_settings.conf." So if I'm changing variables directly in MailScanner.conf, what should I be putting in /usr/mailscanner/etc/conf.d/my_settings.conf? Walt Thiessen Online Marketing Guild LLC 34 Alan Drive Weatogue, CT 06089 phone: 860-264-5432 cell: 860-712-8168 email: walt at onlinemarketingguild.com On 9/12/2016 3:46 PM, Jerry Benton wrote: > That is correct because of the order the files are read. > MailScanner.conf is read first. If you change %org-name% (a variable) > in your conf.d/ then that setting will be read, but you will need to > redefine other values that use it because they will already be defined > using the orignal value. > > > In the case of %variables% it is easier to change them in MailScanner.conf. > > > - > Jerry Benton > www.mailborder.com > +1 - 844-436-6245 > > > -----Original Message----- > From: Walt Thiessen via MailScanner > Reply: MailScanner Discussion > Date: September 12, 2016 at 3:39:07 PM > To: MailScanner Discussion > Cc: Walt Thiessen > Subject: change %org-name% in multiple values? > >> I'm just now updating to version 5.0.3-7, and I noticed in your Read Me >> file in /usr/mailscanner/etc/conf.d that, "If you change the value of a >> %variable% then you must redefine all the settings that use that >> %variable% here, as the %variable% substitutions are done when the files >> are initially read, not later when settings are looked up when >> MailScanner is processing messages." >> >> I count 16 instances where %org-name% is used in MailScanner.conf. Does >> this mean that I have to substitute the value for %org-name% for all 16 >> entries in order to change the %org-name%? 
>> >> >> Walt Thiessen >> Online Marketing Guild LLC >> 34 Alan Drive >> Weatogue, CT 06089 >> phone: 860-264-5432 >> cell: 860-712-8168 >> email: walt at onlinemarketingguild.com >> >> >> On 9/10/2016 12:30 PM, Tracy Greggs wrote: >>> I'm sure there is some logical reason for this change, but I preferred the >>> previous behavior as well. >>> >>> In the end, not a big deal either way. >>> >>> Tracy >>> >>> >>> -----Original Message----- >>> From: MailScanner >>> [mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info >>> ] On Behalf Of Mark Sapiro >>> Sent: Saturday, September 10, 2016 11:16 AM >>> To: mailscanner at lists.mailscanner.info >>> Subject: Re: MailScanner 5.0.3 does not start MTA >>> >>> On 09/10/2016 07:29 AM, Thom van der Boon wrote: >>>> After upgrading when you start MailScanner the postfix MTA (both >>>> incoming and outgoing) is not started by MailScanner. Tested it with >>>> the sendmail and sendmail does not start as well. >>> This is intentional. With MailScanner v5 it is expected that the MTA (MTAs >>> in the sendmail case) will be started and stopped independently of >>> MailScanner. >>> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Mon Sep 12 19:57:50 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 12 Sep 2016 12:57:50 -0700 Subject: change %org-name% in multiple values? In-Reply-To: <39b2e2a8-f320-a8c3-bccb-db10a79bca3b@onlinemarketingguild.com> References: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> <030001d20b80$b3c690e0$1b53b2a0$@okla.com> <39b2e2a8-f320-a8c3-bccb-db10a79bca3b@onlinemarketingguild.com> Message-ID: That is correct if you want is to survive upgrades, but it does not work for %variables%. 
Example:

MailScanner.conf

%org-name% = Foo
Watermark Secret = %org-name%-Secret

now read conf.d/

%org-name% = Bar

The %org-name% is now Bar, but Watermark Secret is still Foo-Secret.

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245

-----Original Message-----
From: Walt Thiessen via MailScanner
Reply: MailScanner Discussion
Date: September 12, 2016 at 3:50:48 PM
To: MailScanner Discussion
Cc: Walt Thiessen
Subject: Re: change %org-name% in multiple values?

> Okay, but if so, now I'm confused about the note that says, "Instead of
> making changes directly to this file, you should put your configuration
> options in your own file in /usr/mailscanner/etc/conf.d/. Example file:
> /usr/mailscanner/etc/conf.d/my_settings.conf."
>
> So if I'm changing variables directly in MailScanner.conf, what should I
> be putting in /usr/mailscanner/etc/conf.d/my_settings.conf?
>
>
> Walt Thiessen
> Online Marketing Guild LLC
> 34 Alan Drive
> Weatogue, CT 06089
> phone: 860-264-5432
> cell: 860-712-8168
> email: walt at onlinemarketingguild.com
>
>
> On 9/12/2016 3:46 PM, Jerry Benton wrote:
> > That is correct because of the order the files are read.
> > MailScanner.conf is read first. If you change %org-name% (a variable)
> > in your conf.d/ then that setting will be read, but you will need to
> > redefine other values that use it because they will already be defined
> > using the original value.
> >
> >
> > In the case of %variables% it is easier to change them in MailScanner.conf.
> >
> >
> > -
> > Jerry Benton
> > www.mailborder.com
> > +1 - 844-436-6245
> >
> >
> > -----Original Message-----
> > From: Walt Thiessen via MailScanner
> > Reply: MailScanner Discussion
> > Date: September 12, 2016 at 3:39:07 PM
> > To: MailScanner Discussion
> > Cc: Walt Thiessen
> > Subject: change %org-name% in multiple values?
> > > >> I'm just now updating to version 5.0.3-7, and I noticed in your Read Me > >> file in /usr/mailscanner/etc/conf.d that, "If you change the value of a > >> %variable% then you must redefine all the settings that use that > >> %variable% here, as the %variable% substitutions are done when the files > >> are initially read, not later when settings are looked up when > >> MailScanner is processing messages." > >> > >> I count 16 instances where %org-name% is used in MailScanner.conf. Does > >> this mean that I have to substitute the value for %org-name% for all 16 > >> entries in order to change the %org-name%? > >> > >> > >> Walt Thiessen > >> Online Marketing Guild LLC > >> 34 Alan Drive > >> Weatogue, CT 06089 > >> phone: 860-264-5432 > >> cell: 860-712-8168 > >> email: walt at onlinemarketingguild.com > >> > >> > >> On 9/10/2016 12:30 PM, Tracy Greggs wrote: > >>> I'm sure there is some logical reason for this change, but I preferred the > >>> previous behavior as well. > >>> > >>> In the end, not a big deal either way. > >>> > >>> Tracy > >>> > >>> > >>> -----Original Message----- > >>> From: MailScanner > >>> [mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info > >>> ] On Behalf Of Mark Sapiro > >>> Sent: Saturday, September 10, 2016 11:16 AM > >>> To: mailscanner at lists.mailscanner.info > >>> Subject: Re: MailScanner 5.0.3 does not start MTA > >>> > >>> On 09/10/2016 07:29 AM, Thom van der Boon wrote: > >>>> After upgrading when you start MailScanner the postfix MTA (both > >>>> incoming and outgoing) is not started by MailScanner. Tested it with > >>>> the sendmail and sendmail does not start as well. > >>> This is intentional. With MailScanner v5 it is expected that the MTA (MTAs > >>> in the sendmail case) will be started and stopped independently of > >>> MailScanner. 
From walt at onlinemarketingguild.com Mon Sep 12 20:16:59 2016
From: walt at onlinemarketingguild.com (Walt Thiessen)
Date: Mon, 12 Sep 2016 16:16:59 -0400
Subject: change %org-name% in multiple values?
In-Reply-To:
References: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> <030001d20b80$b3c690e0$1b53b2a0$@okla.com> <39b2e2a8-f320-a8c3-bccb-db10a79bca3b@onlinemarketingguild.com>
Message-ID: <143458ed-ea60-5be7-ec70-328b92407a65@onlinemarketingguild.com>

You might want to consider removing or modifying Line 10 from the default MailScanner.conf file, because it lists a variable as something to set in a mysettings.conf file.

Walt Thiessen
Online Marketing Guild LLC
34 Alan Drive
Weatogue, CT 06089
phone: 860-264-5432
cell: 860-712-8168

On 9/12/2016 3:57 PM, Jerry Benton wrote:
> That is correct if you want it to survive upgrades, but it does not
> work for %variables%. Example:
>
> MailScanner.conf
>
> %org-name% = Foo
> Watermark Secret = %org-name%-Secret
>
> now read conf.d/
>
> %org-name% = Bar
>
> The %org-name% is now Bar, but Watermark Secret is still Foo-Secret.
>
> -
> Jerry Benton
> www.mailborder.com
> +1 - 844-436-6245
>
> -----Original Message-----
> From: Walt Thiessen via MailScanner
> Reply: MailScanner Discussion
> Date: September 12, 2016 at 3:50:48 PM
> To: MailScanner Discussion
> Cc: Walt Thiessen
> Subject: Re: change %org-name% in multiple values?
>
>> Okay, but if so, now I'm confused about the note that says, "Instead of
>> making changes directly to this file, you should put your configuration
>> options in your own file in /usr/mailscanner/etc/conf.d/. Example file:
>> /usr/mailscanner/etc/conf.d/my_settings.conf."
>>
>> So if I'm changing variables directly in MailScanner.conf, what should I
>> be putting in /usr/mailscanner/etc/conf.d/my_settings.conf?
>>
>> Walt Thiessen
>> Online Marketing Guild LLC
>> 34 Alan Drive
>> Weatogue, CT 06089
>> phone: 860-264-5432
>> cell: 860-712-8168
>> email: walt at onlinemarketingguild.com
>>
>> On 9/12/2016 3:46 PM, Jerry Benton wrote:
>>> That is correct because of the order the files are read.
>>> MailScanner.conf is read first. If you change %org-name% (a variable)
>>> in your conf.d/ then that setting will be read, but you will need to
>>> redefine other values that use it because they will already be defined
>>> using the original value.
>>>
>>> In the case of %variables% it is easier to change them in MailScanner.conf.
>>>
>>> -
>>> Jerry Benton
>>> www.mailborder.com
>>> +1 - 844-436-6245
>>>
>>> -----Original Message-----
>>> From: Walt Thiessen via MailScanner
>>> Reply: MailScanner Discussion
>>> Date: September 12, 2016 at 3:39:07 PM
>>> To: MailScanner Discussion
>>> Cc: Walt Thiessen
>>> Subject: change %org-name% in multiple values?
>>>
>>>> I'm just now updating to version 5.0.3-7, and I noticed in your Read Me
>>>> file in /usr/mailscanner/etc/conf.d that, "If you change the value of a
>>>> %variable% then you must redefine all the settings that use that
>>>> %variable% here, as the %variable% substitutions are done when the files
>>>> are initially read, not later when settings are looked up when
>>>> MailScanner is processing messages."
>>>>
>>>> I count 16 instances where %org-name% is used in MailScanner.conf. Does
>>>> this mean that I have to substitute the value for %org-name% for all 16
>>>> entries in order to change the %org-name%?
>>>>
>>>> Walt Thiessen
>>>> Online Marketing Guild LLC
>>>> 34 Alan Drive
>>>> Weatogue, CT 06089
>>>> phone: 860-264-5432
>>>> cell: 860-712-8168
>>>> email: walt at onlinemarketingguild.com
>>>>
>>>> On 9/10/2016 12:30 PM, Tracy Greggs wrote:
>>>>> I'm sure there is some logical reason for this change, but I preferred the
>>>>> previous behavior as well.
>>>>>
>>>>> In the end, not a big deal either way.
>>>>>
>>>>> Tracy
>>>>>
>>>>> -----Original Message-----
>>>>> From: MailScanner
>>>>> [mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info]
>>>>> On Behalf Of Mark Sapiro
>>>>> Sent: Saturday, September 10, 2016 11:16 AM
>>>>> To: mailscanner at lists.mailscanner.info
>>>>> Subject: Re: MailScanner 5.0.3 does not start MTA
>>>>>
>>>>> On 09/10/2016 07:29 AM, Thom van der Boon wrote:
>>>>>> After upgrading when you start MailScanner the postfix MTA (both
>>>>>> incoming and outgoing) is not started by MailScanner. Tested it with
>>>>>> the sendmail and sendmail does not start as well.
>>>>> This is intentional. With MailScanner v5 it is expected that the MTA (MTAs
>>>>> in the sendmail case) will be started and stopped independently of
>>>>> MailScanner.

From mark at msapiro.net Tue Sep 13 00:51:51 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 12 Sep 2016 17:51:51 -0700
Subject: change %org-name% in multiple values?
In-Reply-To: <143458ed-ea60-5be7-ec70-328b92407a65@onlinemarketingguild.com>
References: <776658934.108284.1473517758083.JavaMail.zimbra@vdb.nl> <0745230f-f24c-7714-950c-e61140132fe0@msapiro.net> <030001d20b80$b3c690e0$1b53b2a0$@okla.com> <39b2e2a8-f320-a8c3-bccb-db10a79bca3b@onlinemarketingguild.com> <143458ed-ea60-5be7-ec70-328b92407a65@onlinemarketingguild.com>
Message-ID: <72e4e0df-8c01-d5ea-367f-9adfdb7b8d67@msapiro.net>

On 09/12/2016 01:16 PM, Walt Thiessen via MailScanner wrote:
> You might want to consider removing or modifying Line 10 from the
> default MailScanner.conf file, because it lists a variable as something
> to set in a mysettings.conf file.

I have submitted (diff at )

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Tue Sep 13 01:26:30 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 12 Sep 2016 18:26:30 -0700
Subject: SV: SV: Spoofing and SPF
In-Reply-To: <086e01d20cfd$d2b82b70$78288250$@media24.no>
References: <06e401d20a93$d3853b40$7a8fb1c0$@media24.no> <902117ab-d0b3-de2d-b7d8-ae7d320dae23@msapiro.net> <082e01d20cd2$b7aefe10$270cfa30$@media24.no> <9251AC9A-D6C8-463B-BDC8-ED8048EBA325@msapiro.net> <086e01d20cfd$d2b82b70$78288250$@media24.no>
Message-ID: <43dc8c18-dcb1-8422-3736-1bd557743eb2@msapiro.net>

On 09/12/2016 06:59 AM, Trond M. Markussen wrote:
>
> So in other words the SPF check is based on the envelope sender as seen here
> Return-Path: SRS0+950V+7+pbl.no=arild at vipowernet.net and not the from: From:
> "Bob Client," ?
>
> In other words, SPF does not prevent spoofing in these cases?

That's correct. SPF was never intended to prevent spoofing of From:. It is designed to detect whether the owner of a domain says the server that's attempting to send the mail with envelope from that domain is allowed to do so. It works strictly on the SMTP MAIL FROM (envelope from), not anything in the headers or body of the message.

> I should probably explain our setup better though; we have a meta rule in
> effect that will give a score of 10 if triggered. This meta rule is applied
> if the following two rules are triggered: FROM_CUSTOMERDOMAIN and SPF_FAIL
> (or SPF_SOFTFAIL)
>
> CUSTOMERDOMAIN is the client that only wants to allow e-mails from their own
> domain if the sender is listed in their SPF record.
>
> This seems to filter out 99% of spoofed emails from their domain, but some
> keep getting through - and in these cases the FROM_CUSTOMERDOMAIN rule is
> triggered, but not SPF_FAIL/SPF_SOFTFAIL.

Because simple spoofed From: mails often also spoof the envelope sender to match or maybe the envelope sender just doesn't publish SPF, but they don't always as in your example.

You need to also check that the From: domain is aligned (a DMARC[1] term) with the envelope sender domain.

Your customer may wish to publish a DMARC p=reject policy for its domain, however I hesitate to recommend DMARC because of the havoc that has been created by its misuse[2].

In your case you could just create another rule ENVFROM__CUSTOMERDOMAIN that would test the Return-Path header and then your failure meta-rule could be something logically equivalent to

FROM_CUSTOMERDOMAIN and (not ENVFROM__CUSTOMERDOMAIN or SPF_FAIL or SPF_SOFTFAIL).

[1]
[2]

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From tom at izb.net Tue Sep 13 08:53:51 2016
From: tom at izb.net (Tom)
Date: Tue, 13 Sep 2016 10:53:51 +0200
Subject: How to add recipient in stored.virus.message.txt (and related) report?
Message-ID: <20160913085351.GA53750@f-i-ts.net>

Hello,

I need to include the recipient email address in stored.*.message.txt reports, but Mailscanner removes the line if I try. So, if I have this template:

[..]
Bitte halten Sie diese Meldung bereit:

Kunde: blah
Timestamp: $datenumber
QueueID: $id
Email: $to

Information Helpdesk: eroeffnen Sie ein Ticket und leiten Sie dieses
[..]

Then the user receives something like this:

[..]
Bitte halten Sie diese Meldung bereit:

Kunde: blah
Timestamp: 20160913
QueueID: ABABABABAB

Information Helpdesk: eroeffnen Sie ein Ticket und leiten Sie dieses
[..]

The line containing "Email: $to" has been removed.

Is this possible?

And - if it is currently not possible, could someone please point me to the correct place in the code so that I can patch it myself?

Thanks in advance,
Tom

From pparsons at techeez.com Thu Sep 15 16:50:23 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Thu, 15 Sep 2016 16:50:23 +0000
Subject: Attachment removal notifications
Message-ID: <11D8E491D9562549A61FD3186F363420028503E35F@exchange.techeez.com>

Is there a way to only notify someone of the attachment being blocked if it is not a .exe or .js or .wsf etc etc

Thank you.
Philip Parsons

From jerry.benton at mailborder.com Thu Sep 15 20:42:49 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Thu, 15 Sep 2016 16:42:49 -0400
Subject: Attachment removal notifications
In-Reply-To: <11D8E491D9562549A61FD3186F363420028503E35F@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420028503E35F@exchange.techeez.com>
Message-ID:

You should be able to create a ruleset.

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245

From mark at msapiro.net Thu Sep 15 22:32:58 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 15 Sep 2016 15:32:58 -0700
Subject: Attachment removal notifications
In-Reply-To: <11D8E491D9562549A61FD3186F363420028503E35F@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420028503E35F@exchange.techeez.com>
Message-ID: <6af88673-cea6-cd45-89bf-0d09cb567465@msapiro.net>

On 09/15/2016 09:50 AM, Philip Parsons wrote:
> Is there a way to only notify someone of the attachment being blocked if
> it is not a .exe or .js or .wsf etc etc

I don't know if I understand or not. It seems you want to block files with extensions like .exe, .js, etc. and also other extensions, but you want notification only for the 'other' extensions and not for the .exe, .js, etc. ones. If this is the case, the answer is No.

Also, if you are talking about the 'report' in the message delivered to the recipient, again the answer is No.

OTOH, if what you want is no sender notification for attachments blocked because of file name or file type, but you do want notification for blocking on Size or other reasons, then the answer is Yes. See the 'Notify Senders *' settings at

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Thu Sep 15 22:44:40 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 15 Sep 2016 15:44:40 -0700
Subject: How to add recipient in stored.virus.message.txt (and related) report?
In-Reply-To: <20160913085351.GA53750@f-i-ts.net>
References: <20160913085351.GA53750@f-i-ts.net>
Message-ID:

On 09/13/2016 01:53 AM, Tom wrote:
> Hello,
>
> I need to include the recipient email address in stored.*.message.txt reports,
> but Mailscanner removes the line if I try. So, if I have this template:
>
> [..]
> Bitte halten Sie diese Meldung bereit:
>
> Kunde: blah
> Timestamp: $datenumber
> QueueID: $id
> Email: $to
>
> Information Helpdesk: eroeffnen Sie ein Ticket und leiten Sie dieses
> [..]
>
> Then the user receives something like this:
>
> [..]
> Bitte halten Sie diese Meldung bereit:
>
> Kunde: blah
> Timestamp: 20160913
> QueueID: ABABABABAB
>
> Information Helpdesk: eroeffnen Sie ein Ticket und leiten Sie dieses
> [..]
>
> The line containing "Email: $to" has been removed.

But these reports are in the message delivered to the recipient. Presumably the recipient already knows who she is, so why do you want to put a To: line in the report?

> Is this possible?
>
> And - if it is currently not possible, could someone please point me to
> the correct place in the code so that I can patch it myself?

There are a couple of things going on here. Apparently if a line in the report template contains an unknown $string replacement, the entire line is removed. I think this is a bug. I think the correct behavior is to leave the line unchanged.

The other thing is apparently $to is 'unknown' for the stored.*.message.txt templates even though it is clearly known for at least some other reports.

I haven't specifically looked for the code, but it would be in MailScanner's Message.pm module. If you want to work on this, it would be helpful if you filed an issue at and an eventual PR if you develop a fix.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From jerry.benton at mailborder.com Mon Sep 19 18:51:45 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 19 Sep 2016 14:51:45 -0400
Subject: MCP checks
Message-ID:

Anyone using MCP? I can't seem to get it to fire on any rules, but the same rules will fire in regular spamassassin checks.

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245

From mailscanner at replies.cyways.com Mon Sep 19 19:18:11 2016
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Mon, 19 Sep 2016 15:18:11 -0400
Subject: MCP checks
In-Reply-To:
References:
Message-ID:

I do, but I'm using 4.85,2. We use MCP at a health center to intercept outbound messages that may contain "patient health information" as defined by the US HIPAA laws. Works as advertised.

I haven't tried version 5 yet so I can't help with that.

Peter

From jerry.benton at mailborder.com Mon Sep 19 19:21:24 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 19 Sep 2016 15:21:24 -0400
Subject: MCP checks
In-Reply-To:
References:
Message-ID:

What do your settings look like?

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245

From mailscanner at replies.cyways.com Mon Sep 19 20:37:51 2016
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Mon, 19 Sep 2016 16:37:51 -0400
Subject: MCP checks
In-Reply-To:
References:
Message-ID:

# this contains the usual list of addresses to check or not to check
MCP Checks = /etc/MailScanner/rules/mcp_checks.rules

First Check = MCP

MCP Required SpamAssassin Score = 5
MCP High SpamAssassin Score = 9
MCP Error Score = 1

# we use "PHI" for "patient health information"
MCP Header = X-XXCHC-PHI-Monitor:
Non MCP Actions = deliver

MCP Actions = store-nonmcp
High Scoring MCP Actions = store-mcp
Bounce MCP As Attachment = no

MCP Modify Subject = no
MCP Subject Text =
High Scoring MCP Modify Subject = no
High Scoring MCP Subject Text = {PHI}

Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = yes
Detailed MCP Report = yes
Include Scores In MCP Report = yes

In /etc/MailScanner/mcp I have rulesets like this one:

File: /etc/MailScanner/mcp/20_Numbers_and_Codes.cf

### Patient Identification Codes

header SUBJ_XXID1 Subject =~ /\b005[4-8]\d{4}\b/
describe SUBJ_XXID1 XXCHC Patient ID with 0054-8 in Subject Header
score SUBJ_XXID1 10

header SUBJ_XXID2 Subject =~ /\b1005[89]\d+\b/
describe SUBJ_XXID2 XXCHC Patient ID with 10058-9 in Subject Header
score SUBJ_XXID2 10

header SUBJ_XXID3 Subject =~ /\b1006[0123]\d+\b/
describe SUBJ_XXID3 XXCHC Patient ID with 10060-63 in Subject Header
score SUBJ_XXID3 10

header SUBJ_XXID4 Subject =~ /\b00000\d{3}\b/
describe SUBJ_XXID4 Possible XXCHC Patient ID in Subject Header
score SUBJ_XXID4 5

# They use some pretty generic patient IDs like 00001234.
header SUBJ_XXID5 Subject =~ /\b0000\d{4}\b/
describe SUBJ_XXID5 Possible XXCHC Patient ID in Subject Header
score SUBJ_XXID5 5

header SUBJ_SSN1 Subject =~ /\b\d{3}-\d{2}-\d{4}\b/
describe SUBJ_SSN1 Likely Social Security Number in Subject Header
score SUBJ_SSN1 10

[etc.]

A score of ten results in the message being quarantined and a notice sent to the administrator and the message sender.
A score of five sends notices but permits the message to be sent to its recipient. Hope this helps, Jerry! Peter On 09/19/2016 03:21 PM, Jerry Benton wrote: > What do your settings look like? > > > - > Jerry Benton > www.mailborder.com > +1 - 844-436-6245 > > > -----Original Message----- > From: Peter H. Lemieux > Reply: MailScanner Discussion > Date: September 19, 2016 at 3:18:27 PM > To: MailScanner Discussion > Subject: Re: MCP checks > >> I do, but I'm using 4.85,2. We use MCP at a health center to intercept >> outbound messages that may contain "patient health information" as >> defined by the US HIPAA laws. Works as advertised. >> >> I haven't tried version 5 yet so I can't help with that. >> >> Peter >> >> >> On 09/19/2016 02:51 PM, Jerry Benton wrote: >>> Anyone using MCP? I can?t seem to get it to fire on any rules, but the >>> same rules will fire in regular spamassassin checks. >>> >>> >>> - >>> Jerry Benton >>> www.mailborder.com >>> +1 - 844-436-6245 >>> >>> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> > > From jerry.benton at mailborder.com Mon Sep 19 20:47:34 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 19 Sep 2016 16:47:34 -0400 Subject: MCP checks In-Reply-To: References: Message-ID: Similar settings on my lab server. Not working =/ This sucks. - Jerry Benton www.mailborder.com +1 - 844-436-6245 -----Original Message----- From:?Peter H. Lemieux Reply:?MailScanner Discussion Date:?September 19, 2016 at 4:38:16 PM To:?MailScanner Discussion Subject:? 
Re: MCP checks > # this contains the usual list of addresses to check or not to check > MCP Checks = /etc/MailScanner/rules/mcp_checks.rules > > First Check = MCP > > MCP Required SpamAssassin Score = 5 > MCP High SpamAssassin Score = 9 > MCP Error Score = 1 > > # we use "PHI" for "patient health information" > MCP Header = X-XXCHC-PHI-Monitor: > Non MCP Actions = deliver > > MCP Actions = store-nonmcp > High Scoring MCP Actions = store-mcp > Bounce MCP As Attachment = no > > MCP Modify Subject = no > MCP Subject Text = > High Scoring MCP Modify Subject = no > High Scoring MCP Subject Text = {PHI} > > Is Definitely MCP = no > Is Definitely Not MCP = no > Definite MCP Is High Scoring = no > Always Include MCP Report = yes > Detailed MCP Report = yes > Include Scores In MCP Report = yes > > In /etc/MailScanner/mcp I have rulesets like this one: > > File: /etc/MailScanner/mcp/20_Numbers_and_Codes.cf > > ### Patient Identification Codes > > header SUBJ_XXID1 Subject =~ /\b005[4-8]\d{4}\b/ > describe SUBJ_XXID1 XXCHC Patient ID with 0054-8 in Subject Header > score SUBJ_XXID1 10 > > header SUBJ_XXID2 Subject =~ /\b1005[89]\d+\b/ > describe SUBJ_XXID2 XXCHC Patient ID with 10058-9 in Subject Header > score SUBJ_XXID2 10 > > header SUBJ_XXID3 Subject =~ /\b1006[0123]\d+\b/ > describe SUBJ_XXID3 XXCHC Patient ID with 10060-63 in Subject Header > score SUBJ_XXID3 10 > > header SUBJ_XXID4 Subject =~ /\b00000\d{3}\b/ > describe SUBJ_XXID4 Possible XXCHC Patient ID in Subject Header > score SUBJ_XXID4 5 > > # They use some pretty generic patient IDs like 00001234. > header SUBJ_XXID5 Subject =~ /\b0000\d{4}\b/ > describe SUBJ_XXID5 Possible XXCHC Patient ID in Subject Header > score SUBJ_XXID5 5 > > header SUBJ_SSN1 Subject =~ /\b\d{3}-\d{2}-\d{4}\b/ > describe SUBJ_SSN1 Likely Social Security Number in Subject Header > score SUBJ_SSN1 10 > > [etc.] > > A score of ten results in the message being quarantined and a notice > sent to the administrator and the message sender. 
A score of five sends > notices but permits the message to be sent to its recipient. > > Hope this helps, Jerry! > > Peter > > > > On 09/19/2016 03:21 PM, Jerry Benton wrote: > > What do your settings look like? > > > > > > - > > Jerry Benton > > www.mailborder.com > > +1 - 844-436-6245 > > > > > > -----Original Message----- > > From: Peter H. Lemieux > > Reply: MailScanner Discussion > > Date: September 19, 2016 at 3:18:27 PM > > To: MailScanner Discussion > > Subject: Re: MCP checks > > > >> I do, but I'm using 4.85,2. We use MCP at a health center to intercept > >> outbound messages that may contain "patient health information" as > >> defined by the US HIPAA laws. Works as advertised. > >> > >> I haven't tried version 5 yet so I can't help with that. > >> > >> Peter > >> > >> > >> On 09/19/2016 02:51 PM, Jerry Benton wrote: > >>> Anyone using MCP? I can?t seem to get it to fire on any rules, but the > >>> same rules will fire in regular spamassassin checks. > >>> > >>> > >>> - > >>> Jerry Benton > >>> www.mailborder.com > >>> +1 - 844-436-6245 > >>> > >>> > >> > >> > >> -- > >> MailScanner mailing list > >> mailscanner at lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> > > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > From iversons at rushville.k12.in.us Mon Sep 19 20:55:54 2016 From: iversons at rushville.k12.in.us (Shawn Iverson) Date: Mon, 19 Sep 2016 16:55:54 -0400 Subject: MCP checks In-Reply-To: References: Message-ID: I'll runs some tests. 5.0.3-7, right? On Mon, Sep 19, 2016 at 4:47 PM, Jerry Benton wrote: > Similar settings on my lab server. Not working =/ > > This sucks. > > > - > Jerry Benton > www.mailborder.com > +1 - 844-436-6245 > > > -----Original Message----- > From: Peter H. 
Lemieux > Reply: MailScanner Discussion > Date: September 19, 2016 at 4:38:16 PM > To: MailScanner Discussion > Subject: Re: MCP checks > > > # this contains the usual list of addresses to check or not to check > > MCP Checks = /etc/MailScanner/rules/mcp_checks.rules > > > > First Check = MCP > > > > MCP Required SpamAssassin Score = 5 > > MCP High SpamAssassin Score = 9 > > MCP Error Score = 1 > > > > # we use "PHI" for "patient health information" > > MCP Header = X-XXCHC-PHI-Monitor: > > Non MCP Actions = deliver > > > > MCP Actions = store-nonmcp > > High Scoring MCP Actions = store-mcp > > Bounce MCP As Attachment = no > > > > MCP Modify Subject = no > > MCP Subject Text = > > High Scoring MCP Modify Subject = no > > High Scoring MCP Subject Text = {PHI} > > > > Is Definitely MCP = no > > Is Definitely Not MCP = no > > Definite MCP Is High Scoring = no > > Always Include MCP Report = yes > > Detailed MCP Report = yes > > Include Scores In MCP Report = yes > > > > In /etc/MailScanner/mcp I have rulesets like this one: > > > > File: /etc/MailScanner/mcp/20_Numbers_and_Codes.cf > > > > ### Patient Identification Codes > > > > header SUBJ_XXID1 Subject =~ /\b005[4-8]\d{4}\b/ > > describe SUBJ_XXID1 XXCHC Patient ID with 0054-8 in Subject Header > > score SUBJ_XXID1 10 > > > > header SUBJ_XXID2 Subject =~ /\b1005[89]\d+\b/ > > describe SUBJ_XXID2 XXCHC Patient ID with 10058-9 in Subject Header > > score SUBJ_XXID2 10 > > > > header SUBJ_XXID3 Subject =~ /\b1006[0123]\d+\b/ > > describe SUBJ_XXID3 XXCHC Patient ID with 10060-63 in Subject Header > > score SUBJ_XXID3 10 > > > > header SUBJ_XXID4 Subject =~ /\b00000\d{3}\b/ > > describe SUBJ_XXID4 Possible XXCHC Patient ID in Subject Header > > score SUBJ_XXID4 5 > > > > # They use some pretty generic patient IDs like 00001234. 
> > header SUBJ_XXID5 Subject =~ /\b0000\d{4}\b/ > > describe SUBJ_XXID5 Possible XXCHC Patient ID in Subject Header > > score SUBJ_XXID5 5 > > > > header SUBJ_SSN1 Subject =~ /\b\d{3}-\d{2}-\d{4}\b/ > > describe SUBJ_SSN1 Likely Social Security Number in Subject Header > > score SUBJ_SSN1 10 > > > > [etc.] > > > > A score of ten results in the message being quarantined and a notice > > sent to the administrator and the message sender. A score of five sends > > notices but permits the message to be sent to its recipient. > > > > Hope this helps, Jerry! > > > > Peter > > > > > > > > On 09/19/2016 03:21 PM, Jerry Benton wrote: > > > What do your settings look like? > > > > > > > > > - > > > Jerry Benton > > > www.mailborder.com > > > +1 - 844-436-6245 > > > > > > > > > -----Original Message----- > > > From: Peter H. Lemieux > > > Reply: MailScanner Discussion > > > Date: September 19, 2016 at 3:18:27 PM > > > To: MailScanner Discussion > > > Subject: Re: MCP checks > > > > > >> I do, but I'm using 4.85,2. We use MCP at a health center to intercept > > >> outbound messages that may contain "patient health information" as > > >> defined by the US HIPAA laws. Works as advertised. > > >> > > >> I haven't tried version 5 yet so I can't help with that. > > >> > > >> Peter > > >> > > >> > > >> On 09/19/2016 02:51 PM, Jerry Benton wrote: > > >>> Anyone using MCP? I can?t seem to get it to fire on any rules, but > the > > >>> same rules will fire in regular spamassassin checks. 
> > >>> > > >>> > > >>> - > > >>> Jerry Benton > > >>> www.mailborder.com > > >>> +1 - 844-436-6245 > > >>> > > >>> > > >> > > >> > > >> -- > > >> MailScanner mailing list > > >> mailscanner at lists.mailscanner.info > > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > > >> > > >> > > > > > > > > > > > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > -- Shawn Iverson Director of Technology Rush County Schools 765-932-3901 x271 iversons at rushville.k12.in.us -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry.benton at mailborder.com Mon Sep 19 20:56:54 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 19 Sep 2016 16:56:54 -0400 Subject: MCP checks In-Reply-To: References: Message-ID: Yes. The latest. - Jerry Benton www.mailborder.com +1 - 844-436-6245 -----Original Message----- From:?Shawn Iverson Reply:?MailScanner Discussion Date:?September 19, 2016 at 4:56:27 PM To:?MailScanner Discussion Subject:? Re: MCP checks > I'll runs some tests. 5.0.3-7, right? > > On Mon, Sep 19, 2016 at 4:47 PM, Jerry Benton > wrote: > > > Similar settings on my lab server. Not working =/ > > > > This sucks. > > > > > > - > > Jerry Benton > > www.mailborder.com > > +1 - 844-436-6245 > > > > > > -----Original Message----- > > From: Peter H. 
Lemieux > > Reply: MailScanner Discussion > > Date: September 19, 2016 at 4:38:16 PM > > To: MailScanner Discussion > > Subject: Re: MCP checks > > > > > # this contains the usual list of addresses to check or not to check > > > MCP Checks = /etc/MailScanner/rules/mcp_checks.rules > > > > > > First Check = MCP > > > > > > MCP Required SpamAssassin Score = 5 > > > MCP High SpamAssassin Score = 9 > > > MCP Error Score = 1 > > > > > > # we use "PHI" for "patient health information" > > > MCP Header = X-XXCHC-PHI-Monitor: > > > Non MCP Actions = deliver > > > > > > MCP Actions = store-nonmcp > > > High Scoring MCP Actions = store-mcp > > > Bounce MCP As Attachment = no > > > > > > MCP Modify Subject = no > > > MCP Subject Text = > > > High Scoring MCP Modify Subject = no > > > High Scoring MCP Subject Text = {PHI} > > > > > > Is Definitely MCP = no > > > Is Definitely Not MCP = no > > > Definite MCP Is High Scoring = no > > > Always Include MCP Report = yes > > > Detailed MCP Report = yes > > > Include Scores In MCP Report = yes > > > > > > In /etc/MailScanner/mcp I have rulesets like this one: > > > > > > File: /etc/MailScanner/mcp/20_Numbers_and_Codes.cf > > > > > > ### Patient Identification Codes > > > > > > header SUBJ_XXID1 Subject =~ /\b005[4-8]\d{4}\b/ > > > describe SUBJ_XXID1 XXCHC Patient ID with 0054-8 in Subject Header > > > score SUBJ_XXID1 10 > > > > > > header SUBJ_XXID2 Subject =~ /\b1005[89]\d+\b/ > > > describe SUBJ_XXID2 XXCHC Patient ID with 10058-9 in Subject Header > > > score SUBJ_XXID2 10 > > > > > > header SUBJ_XXID3 Subject =~ /\b1006[0123]\d+\b/ > > > describe SUBJ_XXID3 XXCHC Patient ID with 10060-63 in Subject Header > > > score SUBJ_XXID3 10 > > > > > > header SUBJ_XXID4 Subject =~ /\b00000\d{3}\b/ > > > describe SUBJ_XXID4 Possible XXCHC Patient ID in Subject Header > > > score SUBJ_XXID4 5 > > > > > > # They use some pretty generic patient IDs like 00001234. 
> > > header SUBJ_XXID5 Subject =~ /\b0000\d{4}\b/ > > > describe SUBJ_XXID5 Possible XXCHC Patient ID in Subject Header > > > score SUBJ_XXID5 5 > > > > > > header SUBJ_SSN1 Subject =~ /\b\d{3}-\d{2}-\d{4}\b/ > > > describe SUBJ_SSN1 Likely Social Security Number in Subject Header > > > score SUBJ_SSN1 10 > > > > > > [etc.] > > > > > > A score of ten results in the message being quarantined and a notice > > > sent to the administrator and the message sender. A score of five sends > > > notices but permits the message to be sent to its recipient. > > > > > > Hope this helps, Jerry! > > > > > > Peter > > > > > > > > > > > > On 09/19/2016 03:21 PM, Jerry Benton wrote: > > > > What do your settings look like? > > > > > > > > > > > > - > > > > Jerry Benton > > > > www.mailborder.com > > > > +1 - 844-436-6245 > > > > > > > > > > > > -----Original Message----- > > > > From: Peter H. Lemieux > > > > Reply: MailScanner Discussion > > > > Date: September 19, 2016 at 3:18:27 PM > > > > To: MailScanner Discussion > > > > Subject: Re: MCP checks > > > > > > > >> I do, but I'm using 4.85,2. We use MCP at a health center to intercept > > > >> outbound messages that may contain "patient health information" as > > > >> defined by the US HIPAA laws. Works as advertised. > > > >> > > > >> I haven't tried version 5 yet so I can't help with that. > > > >> > > > >> Peter > > > >> > > > >> > > > >> On 09/19/2016 02:51 PM, Jerry Benton wrote: > > > >>> Anyone using MCP? I can?t seem to get it to fire on any rules, but > > the > > > >>> same rules will fire in regular spamassassin checks. 
> > > >>> > > > >>> > > > >>> - > > > >>> Jerry Benton > > > >>> www.mailborder.com > > > >>> +1 - 844-436-6245 > > > >>> > > > >>> > > > >> > > > >> > > > >> -- > > > >> MailScanner mailing list > > > >> mailscanner at lists.mailscanner.info > > > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > >> > > > >> > > > > > > > > > > > > > > > > > -- > > > MailScanner mailing list > > > mailscanner at lists.mailscanner.info > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > > > > > > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > > -- > Shawn Iverson > Director of Technology > Rush County Schools > 765-932-3901 x271 > iversons at rushville.k12.in.us > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > From pparsons at techeez.com Mon Sep 19 21:21:49 2016 From: pparsons at techeez.com (Philip Parsons) Date: Mon, 19 Sep 2016 21:21:49 +0000 Subject: MailScanner.conf rule set Message-ID: <11D8E491D9562549A61FD3186F36342002850475B6@exchange.techeez.com> If I change Notify Senders Of Blocked Filenames Or Filetypes to point to a rule set as per below Notify Senders Of Blocked Filenames Or Filetypes = %rules-dir%/notify_senders.rules It is possible to send all noifications to a single email address ? and if so what would the rule look like.. Thank you. Philip Parsons -------------- next part -------------- An HTML attachment was scrubbed... URL: From iversons at rushville.k12.in.us Mon Sep 19 21:53:14 2016 From: iversons at rushville.k12.in.us (Shawn Iverson) Date: Mon, 19 Sep 2016 17:53:14 -0400 Subject: MCP checks In-Reply-To: References: Message-ID: Confirmed issue with MCP. I cannot get MCP to fire either. On Mon, Sep 19, 2016 at 4:56 PM, Jerry Benton wrote: > Yes. The latest. 
>
>
> -
> Jerry Benton
> www.mailborder.com
> +1 - 844-436-6245
>
>
> -----Original Message-----
> From: Shawn Iverson
> Reply: MailScanner Discussion
> Date: September 19, 2016 at 4:56:27 PM
> To: MailScanner Discussion
> Subject: Re: MCP checks
>
> > I'll run some tests. 5.0.3-7, right?
> >
> > On Mon, Sep 19, 2016 at 4:47 PM, Jerry Benton wrote:
> >
> > > Similar settings on my lab server. Not working =/
> > >
> > > This sucks.
> > >
> > >
> > > -
> > > Jerry Benton
> > > www.mailborder.com
> > > +1 - 844-436-6245
> > >
> > >
> > > -----Original Message-----
> > > From: Peter H. Lemieux
> > > Reply: MailScanner Discussion
> > > Date: September 19, 2016 at 4:38:16 PM
> > > To: MailScanner Discussion
> > > Subject: Re: MCP checks
> > >
> > > > # this contains the usual list of addresses to check or not to check
> > > > MCP Checks = /etc/MailScanner/rules/mcp_checks.rules
> > > >
> > > > First Check = MCP
> > > >
> > > > MCP Required SpamAssassin Score = 5
> > > > MCP High SpamAssassin Score = 9
> > > > MCP Error Score = 1
> > > >
> > > > # we use "PHI" for "patient health information"
> > > > MCP Header = X-XXCHC-PHI-Monitor:
> > > > Non MCP Actions = deliver
> > > >
> > > > MCP Actions = store-nonmcp
> > > > High Scoring MCP Actions = store-mcp
> > > > Bounce MCP As Attachment = no
> > > >
> > > > MCP Modify Subject = no
> > > > MCP Subject Text =
> > > > High Scoring MCP Modify Subject = no
> > > > High Scoring MCP Subject Text = {PHI}
> > > >
> > > > Is Definitely MCP = no
> > > > Is Definitely Not MCP = no
> > > > Definite MCP Is High Scoring = no
> > > > Always Include MCP Report = yes
> > > > Detailed MCP Report = yes
> > > > Include Scores In MCP Report = yes
> > > >
> > > > In /etc/MailScanner/mcp I have rulesets like this one:
> > > >
> > > > File: /etc/MailScanner/mcp/20_Numbers_and_Codes.cf
> > > >
> > > > ### Patient Identification Codes
> > > >
> > > > header SUBJ_XXID1 Subject =~ /\b005[4-8]\d{4}\b/
> > > > describe SUBJ_XXID1 XXCHC Patient ID with 0054-8 in Subject Header
> > > > score SUBJ_XXID1 10
> > > >
> > > > header SUBJ_XXID2 Subject =~ /\b1005[89]\d+\b/
> > > > describe SUBJ_XXID2 XXCHC Patient ID with 10058-9 in Subject Header
> > > > score SUBJ_XXID2 10
> > > >
> > > > header SUBJ_XXID3 Subject =~ /\b1006[0123]\d+\b/
> > > > describe SUBJ_XXID3 XXCHC Patient ID with 10060-63 in Subject Header
> > > > score SUBJ_XXID3 10
> > > >
> > > > header SUBJ_XXID4 Subject =~ /\b00000\d{3}\b/
> > > > describe SUBJ_XXID4 Possible XXCHC Patient ID in Subject Header
> > > > score SUBJ_XXID4 5
> > > >
> > > > # They use some pretty generic patient IDs like 00001234.
> > > > header SUBJ_XXID5 Subject =~ /\b0000\d{4}\b/
> > > > describe SUBJ_XXID5 Possible XXCHC Patient ID in Subject Header
> > > > score SUBJ_XXID5 5
> > > >
> > > > header SUBJ_SSN1 Subject =~ /\b\d{3}-\d{2}-\d{4}\b/
> > > > describe SUBJ_SSN1 Likely Social Security Number in Subject Header
> > > > score SUBJ_SSN1 10
> > > >
> > > > [etc.]
> > > >
> > > > A score of ten results in the message being quarantined and a notice
> > > > sent to the administrator and the message sender. A score of five sends
> > > > notices but permits the message to be sent to its recipient.
> > > >
> > > > Hope this helps, Jerry!
> > > >
> > > > Peter
> > > >
> > > >
> > > >
> > > > On 09/19/2016 03:21 PM, Jerry Benton wrote:
> > > > > What do your settings look like?
> > > > >
> > > > >
> > > > > -
> > > > > Jerry Benton
> > > > > www.mailborder.com
> > > > > +1 - 844-436-6245
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Peter H. Lemieux
> > > > > Reply: MailScanner Discussion
> > > > > Date: September 19, 2016 at 3:18:27 PM
> > > > > To: MailScanner Discussion
> > > > > Subject: Re: MCP checks
> > > > >
> > > > >> I do, but I'm using 4.85,2. We use MCP at a health center to intercept
> > > > >> outbound messages that may contain "patient health information" as
> > > > >> defined by the US HIPAA laws. Works as advertised.
> > > > >>
> > > > >> I haven't tried version 5 yet so I can't help with that.
> > > > >>
> > > > >> Peter
> > > > >>
> > > > >>
> > > > >> On 09/19/2016 02:51 PM, Jerry Benton wrote:
> > > > >>> Anyone using MCP? I can't seem to get it to fire on any rules, but the
> > > > >>> same rules will fire in regular spamassassin checks.
> > > > >>>
> > > > >>>
> > > > >>> -
> > > > >>> Jerry Benton
> > > > >>> www.mailborder.com
> > > > >>> +1 - 844-436-6245
> > > > >>>
> >
> > --
> > Shawn Iverson
> > Director of Technology
> > Rush County Schools
> > 765-932-3901 x271
> > iversons at rushville.k12.in.us
>

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
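The rule excerpt and thresholds quoted in the message above can be exercised offline before blaming the MCP pipeline itself. This is an added example, not part of any list message and not MailScanner or SpamAssassin code: it parses the quoted `header`/`score` lines, sums the scores of every rule that hits, and maps the total to the configured action. The sample subjects are constructed, and the `>=` threshold comparison is an assumption of this sketch.

```python
import re

# Rule lines copied from the 20_Numbers_and_Codes.cf excerpt quoted in the thread.
RULES_CF = r"""
header SUBJ_XXID1 Subject =~ /\b005[4-8]\d{4}\b/
score SUBJ_XXID1 10
header SUBJ_XXID2 Subject =~ /\b1005[89]\d+\b/
score SUBJ_XXID2 10
header SUBJ_XXID3 Subject =~ /\b1006[0123]\d+\b/
score SUBJ_XXID3 10
header SUBJ_XXID4 Subject =~ /\b00000\d{3}\b/
score SUBJ_XXID4 5
# They use some pretty generic patient IDs like 00001234.
header SUBJ_XXID5 Subject =~ /\b0000\d{4}\b/
score SUBJ_XXID5 5
header SUBJ_SSN1 Subject =~ /\b\d{3}-\d{2}-\d{4}\b/
score SUBJ_SSN1 10
"""

# Thresholds and actions from the MailScanner.conf excerpt in the same message.
MCP_REQUIRED_SCORE = 5         # MCP Required SpamAssassin Score
MCP_HIGH_SCORE = 9             # MCP High SpamAssassin Score
NON_MCP_ACTION = "deliver"     # Non MCP Actions
MCP_ACTION = "store-nonmcp"    # MCP Actions
HIGH_MCP_ACTION = "store-mcp"  # High Scoring MCP Actions

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.+)/([a-z]*)\s*$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")


def parse_rules(text):
    """Return {rule_name: {"header", "regex", "score"}} for header rules."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            name, header, pattern, flags = m.groups()
            entry = rules.setdefault(name, {"score": 1.0})  # 1.0 if no score line
            entry["header"] = header
            entry["regex"] = re.compile(pattern, re.I if "i" in flags else 0)
            continue
        m = SCORE_RE.match(line)
        if m:
            rules.setdefault(m.group(1), {})["score"] = float(m.group(2))
    # Keep only rules that actually have a pattern to test.
    return {n: r for n, r in rules.items() if "regex" in r}


def evaluate(headers, rules):
    """Sum the scores of all matching rules and pick the configured action."""
    hits = sorted(
        name for name, rule in rules.items()
        if rule["regex"].search(headers.get(rule["header"], ""))
    )
    total = sum(rules[name]["score"] for name in hits)
    if total >= MCP_HIGH_SCORE:        # assumption: thresholds are inclusive
        action = HIGH_MCP_ACTION
    elif total >= MCP_REQUIRED_SCORE:
        action = MCP_ACTION
    else:
        action = NON_MCP_ACTION
    return total, hits, action


# Constructed subjects, including boundary cases for the \b anchors.
SAMPLES = [
    "Lab results for 00541234",
    "Chart 00001234 follow-up",
    "Chart 00000123 follow-up",
    "Re: claim 123-45-6789",
    "ref A00001234",
    "Lunch on Friday",
]


def run_samples():
    rules = parse_rules(RULES_CF)
    return {s: evaluate({"Subject": s}, rules) for s in SAMPLES}


if __name__ == "__main__":
    for subject, (total, hits, action) in run_samples().items():
        print(f"{total:5.1f}  {action:12}  {','.join(hits) or '-':24}  {subject}")
```

A subject containing `00000123` hits both five-point rules, so the summed score of 10 lands in the high-scoring bucket, while `A00001234` matches nothing because `\b` needs a non-word character before the first digit.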
From pparsons at techeez.com Mon Sep 19 21:56:57 2016
From: pparsons at techeez.com (Philip Parsons)
Date: Mon, 19 Sep 2016 21:56:57 +0000
Subject: MailScanner.conf rule set
In-Reply-To: <11D8E491D9562549A61FD3186F36342002850475B6@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342002850475B6@exchange.techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F36342002850476EB@exchange.techeez.com>

Badly formatted question.

What I want to be able to do is to send all of the Blocked file name reports to a specific email address not to the recipient.

From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Philip Parsons
Sent: September 19, 2016 2:22 PM
To: MailScanner Discussion
Subject: MailScanner.conf rule set

If I change Notify Senders Of Blocked Filenames Or Filetypes to point to a rule set as per below

Notify Senders Of Blocked Filenames Or Filetypes = %rules-dir%/notify_senders.rules

Is it possible to send all notifications to a single email address? And if so, what would the rule look like?

Thank you.

Philip Parsons

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From iversons at rushville.k12.in.us Mon Sep 19 22:06:25 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 19 Sep 2016 18:06:25 -0400
Subject: MCP checks
In-Reply-To:
References:
Message-ID:

I do not see MCP being called. I should at least see the following in the maillog:

MCP Checks: Starting

On Mon, Sep 19, 2016 at 5:53 PM, Shawn Iverson wrote:

> Confirmed issue with MCP.
>
> I cannot get MCP to fire either.
>
> On Mon, Sep 19, 2016 at 4:56 PM, Jerry Benton wrote:
>
>> Yes. The latest.

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From jerry.benton at mailborder.com Mon Sep 19 22:10:43 2016
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 19 Sep 2016 18:10:43 -0400
Subject: MCP checks
In-Reply-To:
References:
Message-ID:

I see it being called and run, it just is not triggering.

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245

-----Original Message-----
From: Shawn Iverson
Reply: MailScanner Discussion
Date: September 19, 2016 at 6:07:00 PM
To: MailScanner Discussion
Subject: Re: MCP checks

> I do not see MCP being called. I should at least see the following in the
> maillog:
>
> MCP Checks: Starting

From iversons at rushville.k12.in.us Mon Sep 19 22:18:05 2016
From: iversons at
rushville.k12.in.us (Shawn Iverson)
Date: Mon, 19 Sep 2016 18:18:05 -0400
Subject: MCP checks
In-Reply-To:
References:
Message-ID:

Doh! I have my logging off...digging some more...

On Mon, Sep 19, 2016 at 6:10 PM, Jerry Benton wrote:

> I see it being called and run, it just is not triggering.

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Mon Sep 19 22:26:37 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 19 Sep 2016 18:26:37 -0400
Subject: MCP checks
In-Reply-To:
References:
Message-ID:

Same here. Starting but not triggering...doing some debugging now...

On Mon, Sep 19, 2016 at 6:18 PM, Shawn Iverson wrote:

> Doh! I have my logging off...digging some more...
>
> On Mon, Sep 19, 2016 at 6:10 PM, Jerry Benton wrote:
>
>> I see it being called and run, it just is not triggering.
>>
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>> +1 - 844-436-6245
>>
>>
>> -----Original Message-----
>> From: Shawn Iverson
>> Reply: MailScanner Discussion
>> Date: September 19, 2016 at 6:07:00 PM
>> To: MailScanner Discussion
>> Subject: Re: MCP checks
>>
>> > I do not see MCP being called. I should at least see the following in the
>> > maillog:
>> >
>> > MCP Checks: Starting
>> >
>> > On Mon, Sep 19, 2016 at 5:53 PM, Shawn Iverson wrote:
>> >
>> > > Confirmed issue with MCP.
>> > >
>> > > I cannot get MCP to fire either.
>> > >
>> > > On Mon, Sep 19, 2016 at 4:56 PM, Jerry Benton wrote:
>> > >
>> > >> Yes. The latest.
>> >
>> > --
>> > MailScanner mailing list
>> > mailscanner at lists.mailscanner.info
>> >
http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Tue Sep 20 01:29:01 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 19 Sep 2016 21:29:01 -0400
Subject: MCP checks

Found the problem...

Sep 19 21:23:15.618 [21238] dbg: config: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/share/perl5/vendor_perl/Mail/SpamAssassin.pm line 1902

I created the /var/spool/postfix/.spamassassin directory and MCP started working.

On Mon, Sep 19, 2016 at 6:26 PM, Shawn Iverson wrote:

> Same here. Starting but not triggering...doing some debugging now...
>
> On Mon, Sep 19, 2016 at 6:18 PM, Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>
>> Doh! I have my logging off...digging some more...
>>
>> On Mon, Sep 19, 2016 at 6:10 PM, Jerry Benton <jerry.benton at mailborder.com> wrote:
>>
>>> I see it being called and run, it just is not triggering.
>>>
>>> -
>>> Jerry Benton
>>> www.mailborder.com
>>> +1 - 844-436-6245
>>>
>>> -----Original Message-----
>>> From: Shawn Iverson
>>> Reply: MailScanner Discussion
>>> Date: September 19, 2016 at 6:07:00 PM
>>> To: MailScanner Discussion
>>> Subject: Re: MCP checks
>>>
>>> > I do not see MCP being called. I should at least see the following in the
>>> > maillog:
>>> >
>>> > MCP Checks: Starting
>>> >
>>> > On Mon, Sep 19, 2016 at 5:53 PM, Shawn Iverson wrote:
>>> >
>>> > > Confirmed issue with MCP.
>>> > >
>>> > > I cannot get MCP to fire either.
>>> > >
>>> > > On Mon, Sep 19, 2016 at 4:56 PM, Jerry Benton wrote:
>>> > >
>>> > >> Yes. The latest.

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Tue Sep 20 01:34:36 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 19 Sep 2016 21:34:36 -0400
Subject: MCP checks

Wait spoke too soon....still debugging....that was a problem, must be something else...

On Mon, Sep 19, 2016 at 9:29 PM, Shawn Iverson wrote:

> Found the problem...
>
> Sep 19 21:23:15.618 [21238] dbg: config: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/share/perl5/vendor_perl/Mail/SpamAssassin.pm line 1902
>
> I created the /var/spool/postfix/.spamassassin directory and MCP started working.

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Tue Sep 20 01:40:37 2016
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 19 Sep 2016 21:40:37 -0400
Subject: MCP checks

A few other issues...look related to missing plugins...looks like SA is not reading anything from /etc/mail/spamassassin...

21:38:18 Sep 19 21:38:18.141 [26246] info: config: failed to parse line, skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_dcc 0
21:38:18 Sep 19 21:38:18.141 [26246] info: config: failed to parse line, skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_pyzor 0
21:38:18 Sep 19 21:38:18.141 [26246] info: config: failed to parse line, skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_razor1 0
21:38:18 Sep 19 21:38:18.142 [26246] info: config: failed to parse line, skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_razor2 0
21:38:18 Sep 19 21:38:18.142 [26246] info: config: failed to parse line, skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": decode_attachments 1
21:38:18 Timeout::_run: check: no loaded plugin implements 'check_main': cannot scan!
21:38:18 Check that the necessary '.pre' files are in the config directory.
21:38:18 At a minimum, v320.pre loads the Check plugin which is required.

On Mon, Sep 19, 2016 at 9:34 PM, Shawn Iverson wrote:

> Wait spoke too soon....still debugging....that was a problem, must be
> something else...

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From th3penguinwhisperer at gmail.com Mon Sep 19 15:44:17 2016
From: th3penguinwhisperer at gmail.com (PenguinWhispererThe .)
Date: Mon, 19 Sep 2016 17:44:17 +0200
Subject: genericstable doesn't work (has to do with MailScanner?)

I want to forward all mail for root (so basically the output of all cron jobs but other mails for root as well) to an external email address (hotmail).

I also have a Mailscanner setup on this FreeBSD mail server. I have incoming/outgoing and submit profiles. However I don't know exactly how MailScanner sends the mails once they have been checked.

My sendmail configuration looks right. However it's not working (I see root at mail.domain.com as from address in the logs when trying with sendmail -froot myhotmail at hotmail.com).

Easiest method would be to use the aliases file. I updated the root alias:

root: mymail at hotmail.com

And ran newaliases. When an email is sent I see that the hotmail MX server "accepts" my mail. Standard MS Security through obscurity makes me think it's silently discarding my email (not in junk mail, ...).

This server is used to send/receive mail for a domain (and more domains in the future). I've checked the logs and it seems the mail is sent with from field of: root at mail.domain.com

I'm pretty sure this is at the root of my mail never received in my hotmail. The existing email addresses are using user at domain.com as from.

Now I would like to rewrite this (mail) from address/ctladdr. I thought this would be an easy fix with genericstable.

Genericstable (had multiple tries):

root info at domain.com
root at localhost info at domain.com
root@mail.domain.com info at domain.com

Regenerated the db with makemap. I tried with different settings.
I also removed the EXPOSED_USER root (from the generic m4 file). I can see it's not in the generated cf file. I also added root to the trusted users. In my m4 file: FEATURE(genericstable)dnl GENERICS_DOMAIN(domain.com)dnl dnl GENERICS_DOMAIN(mail.domain.com)dnl dnl GENERICS_DOMAIN_FILE(`/etc/mail/generics-domains')dnl FEATURE(masquerade_envelope)dnl dnl define(`LOCAL_RELAY', `localhost')dnl I have a submit mc file as well. Not sure if this matters but I don't think so. (I don't have sendmail in MSP mode running as far as I know). I've tried with GENERICS_DOMAIN as the domain that I want it to be or the domain that I want to be rewritten. make all install and restarted sendmail. Still it just seems to go out as root at mail.domain.com I tried with sendmail in address test mode (bt; tryflags hs and try esmtp root). This correctly modifies to the wanted source address: info at domain.com . Anyone has some other ideas why this is not working? Or more debugging ways? Do I need local_relay to make this work? What's expected to be in the hosts file? Fqdn(mail.domain.com) and hostname(so mail) for 127.0.0.1 ? Thanks a lot in advance! -------------- next part -------------- An HTML attachment was scrubbed... URL: From iversons at rushville.k12.in.us Tue Sep 20 02:53:55 2016 From: iversons at rushville.k12.in.us (Shawn Iverson) Date: Mon, 19 Sep 2016 22:53:55 -0400 Subject: MCP checks In-Reply-To: References: Message-ID: Ok, I got it working, and I may have an explanation. In SA 3.4.1, it appears that the .pre files are expected to be in the same location as the prefs file. Symlinking the .pre files into /etc/MailScanner/mcp, and fixing my permissions on /var/spool/postfix/.spamassassin seems to have resolved the issue for me. MCP is now working. On Mon, Sep 19, 2016 at 9:40 PM, Shawn Iverson wrote: > A few other issues...look related to missing plugins...looks like SA is > not reading anything from /etc/mail/spamassassin... 
>
> 21:38:18 Sep 19 21:38:18.141 [26246] info: config: failed to parse line,
> skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_dcc 0
> 21:38:18 Sep 19 21:38:18.141 [26246] info: config: failed to parse line,
> skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_pyzor 0
> 21:38:18 Sep 19 21:38:18.141 [26246] info: config: failed to parse line,
> skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_razor1 0
> 21:38:18 Sep 19 21:38:18.142 [26246] info: config: failed to parse line,
> skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_razor2 0
> 21:38:18 Sep 19 21:38:18.142 [26246] info: config: failed to parse line,
> skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf":
> decode_attachments 1
>
> 21:38:18 Timeout::_run: check: no loaded plugin implements 'check_main':
> cannot scan!
> 21:38:18 Check that the necessary '.pre' files are in the config directory.
> 21:38:18 At a minimum, v320.pre loads the Check plugin which is required.
>
>
> On Mon, Sep 19, 2016 at 9:34 PM, Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Wait spoke too soon....still debugging....that was a problem, must be
>> something else...
>>
>> On Mon, Sep 19, 2016 at 9:29 PM, Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> Found the problem...
>>>
>>> Sep 19 21:23:15.618 [21238] dbg: config: mkdir
>>> /var/spool/postfix/.spamassassin failed: mkdir
>>> /var/spool/postfix/.spamassassin: Permission denied at
>>> /usr/share/perl5/vendor_perl/Mail/SpamAssassin.pm line 1902
>>>
>>> I created the /var/spool/postfix/.spamassassin directory and MCP
>>> started working.
>>>
>>>
>>> On Mon, Sep 19, 2016 at 6:26 PM, Shawn Iverson <
>>> iversons at rushville.k12.in.us> wrote:
>>>
>>>> Same here. Starting but not triggering...doing some debugging now...
>>>>
>>>> On Mon, Sep 19, 2016 at 6:18 PM, Shawn Iverson <
>>>> iversons at rushville.k12.in.us> wrote:
>>>>
>>>>> Doh! I have my logging off...digging some more...
>>>>>
>>>>> On Mon, Sep 19, 2016 at 6:10 PM, Jerry Benton <
>>>>> jerry.benton at mailborder.com> wrote:
>>>>>
>>>>>> I see it being called and run, it just is not triggering.
>>>>>>
>>>>>> -
>>>>>> Jerry Benton
>>>>>> www.mailborder.com
>>>>>> +1 - 844-436-6245
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Shawn Iverson
>>>>>> Reply: MailScanner Discussion
>>>>>> Date: September 19, 2016 at 6:07:00 PM
>>>>>> To: MailScanner Discussion
>>>>>> Subject: Re: MCP checks
>>>>>>
>>>>>> > I do not see MCP being called. I should at least see the following in the
>>>>>> > maillog:
>>>>>> >
>>>>>> > MCP Checks: Starting
>>>>>> >
>>>>>> > On Mon, Sep 19, 2016 at 5:53 PM, Shawn Iverson wrote:
>>>>>> >
>>>>>> > > Confirmed issue with MCP.
>>>>>> > >
>>>>>> > > I cannot get MCP to fire either.
>>>>>> > >
>>>>>> > > On Mon, Sep 19, 2016 at 4:56 PM, Jerry Benton wrote:
>>>>>> > >
>>>>>> > >> Yes. The latest.
>>>>>> > >>
>>>>>> > >> -
>>>>>> > >> Jerry Benton
>>>>>> > >> www.mailborder.com
>>>>>> > >> +1 - 844-436-6245
>>>>>> > >>
>>>>>> > >> -----Original Message-----
>>>>>> > >> From: Shawn Iverson
>>>>>> > >> Reply: MailScanner Discussion
>>>>>> > >> Date: September 19, 2016 at 4:56:27 PM
>>>>>> > >> To: MailScanner Discussion
>>>>>> > >> Subject: Re: MCP checks
>>>>>> > >>
>>>>>> > >> > I'll run some tests. 5.0.3-7, right?
>>>>>> > >> >
>>>>>> > >> > On Mon, Sep 19, 2016 at 4:47 PM, Jerry Benton
>>>>>> > >> > wrote:
>>>>>> > >> >
>>>>>> > >> > > Similar settings on my lab server. Not working =/
>>>>>> > >> > >
>>>>>> > >> > > This sucks.
>>>>>> > >> > >
>>>>>> > >> > > -
>>>>>> > >> > > Jerry Benton
>>>>>> > >> > > www.mailborder.com
>>>>>> > >> > > +1 - 844-436-6245
>>>>>> > >> > >
>>>>>> > >> > > -----Original Message-----
>>>>>> > >> > > From: Peter H. Lemieux
>>>>>> > >> > > Reply: MailScanner Discussion
>>>>>> > >> > > Date: September 19, 2016 at 4:38:16 PM
>>>>>> > >> > > To: MailScanner Discussion
>>>>>> > >> > > Subject: Re: MCP checks
>>>>>> > >> > >
>>>>>> > >> > > > # this contains the usual list of addresses to check or not to check
>>>>>> > >> > > > MCP Checks = /etc/MailScanner/rules/mcp_checks.rules
>>>>>> > >> > > >
>>>>>> > >> > > > First Check = MCP
>>>>>> > >> > > >
>>>>>> > >> > > > MCP Required SpamAssassin Score = 5
>>>>>> > >> > > > MCP High SpamAssassin Score = 9
>>>>>> > >> > > > MCP Error Score = 1
>>>>>> > >> > > >
>>>>>> > >> > > > # we use "PHI" for "patient health information"
>>>>>> > >> > > > MCP Header = X-XXCHC-PHI-Monitor:
>>>>>> > >> > > > Non MCP Actions = deliver
>>>>>> > >> > > >
>>>>>> > >> > > > MCP Actions = store-nonmcp
>>>>>> > >> > > > High Scoring MCP Actions = store-mcp
>>>>>> > >> > > > Bounce MCP As Attachment = no
>>>>>> > >> > > >
>>>>>> > >> > > > MCP Modify Subject = no
>>>>>> > >> > > > MCP Subject Text =
>>>>>> > >> > > > High Scoring MCP Modify Subject = no
>>>>>> > >> > > > High Scoring MCP Subject Text = {PHI}
>>>>>> > >> > > >
>>>>>> > >> > > > Is Definitely MCP = no
>>>>>> > >> > > > Is Definitely Not MCP = no
>>>>>> > >> > > > Definite MCP Is High Scoring = no
>>>>>> > >> > > > Always Include MCP Report = yes
>>>>>> > >> > > > Detailed MCP Report = yes
>>>>>> > >> > > > Include Scores In MCP Report = yes
>>>>>> > >> > > >
>>>>>> > >> > > > In /etc/MailScanner/mcp I have rulesets like this one:
>>>>>> > >> > > >
>>>>>> > >> > > > File: /etc/MailScanner/mcp/20_Numbers_and_Codes.cf
>>>>>> > >> > > >
>>>>>> > >> > > > ### Patient Identification Codes
>>>>>> > >> > > >
>>>>>> > >> > > > header SUBJ_XXID1 Subject =~ /\b005[4-8]\d{4}\b/
>>>>>> > >> > > > describe SUBJ_XXID1 XXCHC Patient ID with 0054-8 in Subject Header
>>>>>> > >> > > > score SUBJ_XXID1 10
>>>>>> > >> > > >
>>>>>> > >> > > > header SUBJ_XXID2 Subject =~ /\b1005[89]\d+\b/
>>>>>> > >> > > > describe SUBJ_XXID2 XXCHC Patient ID with 10058-9 in Subject Header
>>>>>> > >> > > > score SUBJ_XXID2 10
>>>>>> > >> > > >
>>>>>> > >> > > > header SUBJ_XXID3 Subject =~ /\b1006[0123]\d+\b/
>>>>>> > >> > > > describe SUBJ_XXID3 XXCHC Patient ID with 10060-63 in Subject Header
>>>>>> > >> > > > score SUBJ_XXID3 10
>>>>>> > >> > > >
>>>>>> > >> > > > header SUBJ_XXID4 Subject =~ /\b00000\d{3}\b/
>>>>>> > >> > > > describe SUBJ_XXID4 Possible XXCHC Patient ID in Subject Header
>>>>>> > >> > > > score SUBJ_XXID4 5
>>>>>> > >> > > >
>>>>>> > >> > > > # They use some pretty generic patient IDs like 00001234.
>>>>>> > >> > > > header SUBJ_XXID5 Subject =~ /\b0000\d{4}\b/
>>>>>> > >> > > > describe SUBJ_XXID5 Possible XXCHC Patient ID in Subject Header
>>>>>> > >> > > > score SUBJ_XXID5 5
>>>>>> > >> > > >
>>>>>> > >> > > > header SUBJ_SSN1 Subject =~ /\b\d{3}-\d{2}-\d{4}\b/
>>>>>> > >> > > > describe SUBJ_SSN1 Likely Social Security Number in Subject Header
>>>>>> > >> > > > score SUBJ_SSN1 10
>>>>>> > >> > > >
>>>>>> > >> > > > [etc.]
>>>>>> > >> > > >
>>>>>> > >> > > > A score of ten results in the message being quarantined and a notice
>>>>>> > >> > > > sent to the administrator and the message sender. A score of five sends
>>>>>> > >> > > > notices but permits the message to be sent to its recipient.
>>>>>> > >> > > >
>>>>>> > >> > > > Hope this helps, Jerry!
>>>>>> > >> > > >
>>>>>> > >> > > > Peter
>>>>>> > >> > > >
>>>>>> > >> > > > On 09/19/2016 03:21 PM, Jerry Benton wrote:
>>>>>> > >> > > > > What do your settings look like?
>>>>>> > >> > > > >
>>>>>> > >> > > > > -
>>>>>> > >> > > > > Jerry Benton
>>>>>> > >> > > > > www.mailborder.com
>>>>>> > >> > > > > +1 - 844-436-6245
>>>>>> > >> > > > >
>>>>>> > >> > > > > -----Original Message-----
>>>>>> > >> > > > > From: Peter H. Lemieux
>>>>>> > >> > > > > Reply: MailScanner Discussion
>>>>>> > >> > > > > Date: September 19, 2016 at 3:18:27 PM
>>>>>> > >> > > > > To: MailScanner Discussion
>>>>>> > >> > > > > Subject: Re: MCP checks
>>>>>> > >> > > > >
>>>>>> > >> > > > >> I do, but I'm using 4.85,2. We use MCP at a health center to intercept
>>>>>> > >> > > > >> outbound messages that may contain "patient health information" as
>>>>>> > >> > > > >> defined by the US HIPAA laws. Works as advertised.
>>>>>> > >> > > > >>
>>>>>> > >> > > > >> I haven't tried version 5 yet so I can't help with that.
>>>>>> > >> > > > >>
>>>>>> > >> > > > >> Peter
>>>>>> > >> > > > >>
>>>>>> > >> > > > >> On 09/19/2016 02:51 PM, Jerry Benton wrote:
>>>>>> > >> > > > >>> Anyone using MCP? I can't seem to get it to fire on any rules, but the
>>>>>> > >> > > > >>> same rules will fire in regular spamassassin checks.
>>>>>> > >> > > > >>>
>>>>>> > >> > > > >>> -
>>>>>> > >> > > > >>> Jerry Benton
>>>>>> > >> > > > >>> www.mailborder.com
>>>>>> > >> > > > >>> +1 - 844-436-6245

--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us

From mark at msapiro.net Tue Sep 20 04:42:24 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 19 Sep 2016 21:42:24 -0700
Subject: MailScanner.conf rule set
In-Reply-To: <11D8E491D9562549A61FD3186F36342002850476EB@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F36342002850475B6@exchange.techeez.com> <11D8E491D9562549A61FD3186F36342002850476EB@exchange.techeez.com>
Message-ID: <512f1705-b109-9a17-57e6-bec04c651f15@msapiro.net>

On 09/19/2016 02:56 PM, Philip Parsons wrote:
>
> What I want to be able to do is to send all of the Blocked file name
> reports to a specific email address not to the recipient.

I'm still confused. There are three notifications.

1) The sender of the mail (From: address) is notified that some of their
message was blocked. This is controlled by the Notify Senders * settings.
See

2) An admin or ?? is notified of the action. This is controlled by the
Notice* settings.

3) When an attachment is blocked a notice is placed in the message to the
recipient about the blocked attachment and the attachment itself is
replaced by a more detailed warning message. This is controlled by the
Deleted * Report settings. These point to a file containing a template,
but it could be /dev/null.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan From jerry.benton at mailborder.com Tue Sep 20 07:22:45 2016 From: jerry.benton at mailborder.com (Jerry Benton) Date: Tue, 20 Sep 2016 03:22:45 -0400 Subject: MCP checks In-Reply-To: References: Message-ID: Shawn, Thanks, I will test it out. - Jerry Benton www.mailborder.com +1 - 844-436-6245 -----Original Message----- From:?Shawn Iverson Reply:?MailScanner Discussion Date:?September 19, 2016 at 10:54:29 PM To:?MailScanner Discussion Subject:? Re: MCP checks > Ok, I got it working, and I may have an explanation. > > In SA 3.4.1, it appears that the .pre files are expected to be in the same > location as the prefs file. > > Symlinking the .pre files into /etc/MailScanner/mcp, and fixing my > permissions on /var/spool/postfix/.spamassassin seems to have resolved the > issue for me. > > MCP is now working. > > > On Mon, Sep 19, 2016 at 9:40 PM, Shawn Iverson > > wrote: > > > A few other issues...look related to missing plugins...looks like SA is > > not reading anything from /etc/mail/spamassassin... > > > > 21:38:18 Sep 19 21:38:18.141 [26246] info: config: failed to parse line, > > skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_dcc 0 > > 21:38:18 Sep 19 21:38:18.141 [26246] info: config: failed to parse line, > > skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_pyzor 0 > > 21:38:18 Sep 19 21:38:18.141 [26246] info: config: failed to parse line, > > skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_razor1 0 > > 21:38:18 Sep 19 21:38:18.142 [26246] info: config: failed to parse line, > > skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": use_razor2 0 > > 21:38:18 Sep 19 21:38:18.142 [26246] info: config: failed to parse line, > > skipping, in "/etc/MailScanner/mcp/mcp.spamassassin.conf": > > decode_attachments 1 > > > > 21:38:18 Timeout::_run: check: no loaded plugin implements 'check_main': > > cannot scan! > > 21:38:18 Check that the necessary '.pre' files are in the config directory. 
> > 21:38:18 At a minimum, v320.pre loads the Check plugin which is required. > > > > > > On Mon, Sep 19, 2016 at 9:34 PM, Shawn Iverson < > > iversons at rushville.k12.in.us> wrote: > > > >> Wait spoke too soon....still debugging....that was a problem, must be > >> something else... > >> > >> On Mon, Sep 19, 2016 at 9:29 PM, Shawn Iverson < > >> iversons at rushville.k12.in.us> wrote: > >> > >>> Found the problem... > >>> > >>> Sep 19 21:23:15.618 [21238] dbg: config: mkdir > >>> /var/spool/postfix/.spamassassin failed: mkdir > >>> /var/spool/postfix/.spamassassin: Permission denied at > >>> /usr/share/perl5/vendor_perl/Mail/SpamAssassin.pm line 1902 > >>> > >>> I created the /var/spool/postfix/.spamassassin directory and MCP > >>> started working. > >>> > >>> > >>> On Mon, Sep 19, 2016 at 6:26 PM, Shawn Iverson < > >>> iversons at rushville.k12.in.us> wrote: > >>> > >>>> Same here. Starting but not triggering...doing some debugging now... > >>>> > >>>> On Mon, Sep 19, 2016 at 6:18 PM, Shawn Iverson < > >>>> iversons at rushville.k12.in.us> wrote: > >>>> > >>>>> Doh! I have my logging off...digging some more... > >>>>> > >>>>> On Mon, Sep 19, 2016 at 6:10 PM, Jerry Benton < > >>>>> jerry.benton at mailborder.com> wrote: > >>>>> > >>>>>> I see it being called and run, it just is not triggering. > >>>>>> > >>>>>> > >>>>>> - > >>>>>> Jerry Benton > >>>>>> www.mailborder.com > >>>>>> +1 - 844-436-6245 > >>>>>> > >>>>>> > >>>>>> -----Original Message----- > >>>>>> From: Shawn Iverson > >>>>>> Reply: MailScanner Discussion > >>>>>> Date: September 19, 2016 at 6:07:00 PM > >>>>>> To: MailScanner Discussion > >>>>>> Subject: Re: MCP checks > >>>>>> > >>>>>> > I do not see MCP being called. I should at least see the following > >>>>>> in the > >>>>>> > maillog: > >>>>>> > > >>>>>> > MCP Checks: Starting > >>>>>> > > >>>>>> > On Mon, Sep 19, 2016 at 5:53 PM, Shawn Iverson > > wrote: > >>>>>> > > >>>>>> > > Confirmed issue with MCP. 
> >>>>>> > > > >>>>>> > > I cannot get MCP to fire either. > >>>>>> > > > >>>>>> > > On Mon, Sep 19, 2016 at 4:56 PM, Jerry Benton > > > wrote: > >>>>>> > > > >>>>>> > >> Yes. The latest. > >>>>>> > >> > >>>>>> > >> > >>>>>> > >> - > >>>>>> > >> Jerry Benton > >>>>>> > >> www.mailborder.com > >>>>>> > >> +1 - 844-436-6245 > >>>>>> > >> > >>>>>> > >> > >>>>>> > >> -----Original Message----- > >>>>>> > >> From: Shawn Iverson > >>>>>> > >> Reply: MailScanner Discussion > >>>>>> > >> Date: September 19, 2016 at 4:56:27 PM > >>>>>> > >> To: MailScanner Discussion > >>>>>> > >> Subject: Re: MCP checks > >>>>>> > >> > >>>>>> > >> > I'll runs some tests. 5.0.3-7, right? > >>>>>> > >> > > >>>>>> > >> > On Mon, Sep 19, 2016 at 4:47 PM, Jerry Benton > >>>>>> > >> > wrote: > >>>>>> > >> > > >>>>>> > >> > > Similar settings on my lab server. Not working =/ > >>>>>> > >> > > > >>>>>> > >> > > This sucks. > >>>>>> > >> > > > >>>>>> > >> > > > >>>>>> > >> > > - > >>>>>> > >> > > Jerry Benton > >>>>>> > >> > > www.mailborder.com > >>>>>> > >> > > +1 - 844-436-6245 > >>>>>> > >> > > > >>>>>> > >> > > > >>>>>> > >> > > -----Original Message----- > >>>>>> > >> > > From: Peter H. 
Lemieux > >>>>>> > >> > > Reply: MailScanner Discussion > >>>>>> > >> > > Date: September 19, 2016 at 4:38:16 PM > >>>>>> > >> > > To: MailScanner Discussion > >>>>>> > >> > > Subject: Re: MCP checks > >>>>>> > >> > > > >>>>>> > >> > > > # this contains the usual list of addresses to check or > >>>>>> not to check > >>>>>> > >> > > > MCP Checks = /etc/MailScanner/rules/mcp_checks.rules > >>>>>> > >> > > > > >>>>>> > >> > > > First Check = MCP > >>>>>> > >> > > > > >>>>>> > >> > > > MCP Required SpamAssassin Score = 5 > >>>>>> > >> > > > MCP High SpamAssassin Score = 9 > >>>>>> > >> > > > MCP Error Score = 1 > >>>>>> > >> > > > > >>>>>> > >> > > > # we use "PHI" for "patient health information" > >>>>>> > >> > > > MCP Header = X-XXCHC-PHI-Monitor: > >>>>>> > >> > > > Non MCP Actions = deliver > >>>>>> > >> > > > > >>>>>> > >> > > > MCP Actions = store-nonmcp > >>>>>> > >> > > > High Scoring MCP Actions = store-mcp > >>>>>> > >> > > > Bounce MCP As Attachment = no > >>>>>> > >> > > > > >>>>>> > >> > > > MCP Modify Subject = no > >>>>>> > >> > > > MCP Subject Text = > >>>>>> > >> > > > High Scoring MCP Modify Subject = no > >>>>>> > >> > > > High Scoring MCP Subject Text = {PHI} > >>>>>> > >> > > > > >>>>>> > >> > > > Is Definitely MCP = no > >>>>>> > >> > > > Is Definitely Not MCP = no > >>>>>> > >> > > > Definite MCP Is High Scoring = no > >>>>>> > >> > > > Always Include MCP Report = yes > >>>>>> > >> > > > Detailed MCP Report = yes > >>>>>> > >> > > > Include Scores In MCP Report = yes > >>>>>> > >> > > > > >>>>>> > >> > > > In /etc/MailScanner/mcp I have rulesets like this one: > >>>>>> > >> > > > > >>>>>> > >> > > > File: /etc/MailScanner/mcp/20_Numbers_and_Codes.cf > >>>>>> > >> > > > > >>>>>> > >> > > > ### Patient Identification Codes > >>>>>> > >> > > > > >>>>>> > >> > > > header SUBJ_XXID1 Subject =~ /\b005[4-8]\d{4}\b/ > >>>>>> > >> > > > describe SUBJ_XXID1 XXCHC Patient ID with 0054-8 in > >>>>>> Subject Header > >>>>>> > >> > > > score SUBJ_XXID1 10 > 
>>>>>> > >> > > > > >>>>>> > >> > > > header SUBJ_XXID2 Subject =~ /\b1005[89]\d+\b/ > >>>>>> > >> > > > describe SUBJ_XXID2 XXCHC Patient ID with 10058-9 in > >>>>>> Subject Header > >>>>>> > >> > > > score SUBJ_XXID2 10 > >>>>>> > >> > > > > >>>>>> > >> > > > header SUBJ_XXID3 Subject =~ /\b1006[0123]\d+\b/ > >>>>>> > >> > > > describe SUBJ_XXID3 XXCHC Patient ID with 10060-63 in > >>>>>> Subject Header > >>>>>> > >> > > > score SUBJ_XXID3 10 > >>>>>> > >> > > > > >>>>>> > >> > > > header SUBJ_XXID4 Subject =~ /\b00000\d{3}\b/ > >>>>>> > >> > > > describe SUBJ_XXID4 Possible XXCHC Patient ID in Subject > >>>>>> Header > >>>>>> > >> > > > score SUBJ_XXID4 5 > >>>>>> > >> > > > > >>>>>> > >> > > > # They use some pretty generic patient IDs like 00001234. > >>>>>> > >> > > > header SUBJ_XXID5 Subject =~ /\b0000\d{4}\b/ > >>>>>> > >> > > > describe SUBJ_XXID5 Possible XXCHC Patient ID in Subject > >>>>>> Header > >>>>>> > >> > > > score SUBJ_XXID5 5 > >>>>>> > >> > > > > >>>>>> > >> > > > header SUBJ_SSN1 Subject =~ /\b\d{3}-\d{2}-\d{4}\b/ > >>>>>> > >> > > > describe SUBJ_SSN1 Likely Social Security Number in > >>>>>> Subject Header > >>>>>> > >> > > > score SUBJ_SSN1 10 > >>>>>> > >> > > > > >>>>>> > >> > > > [etc.] > >>>>>> > >> > > > > >>>>>> > >> > > > A score of ten results in the message being quarantined > >>>>>> and a notice > >>>>>> > >> > > > sent to the administrator and the message sender. A score > >>>>>> of five > >>>>>> > >> sends > >>>>>> > >> > > > notices but permits the message to be sent to its > >>>>>> recipient. > >>>>>> > >> > > > > >>>>>> > >> > > > Hope this helps, Jerry! > >>>>>> > >> > > > > >>>>>> > >> > > > Peter > >>>>>> > >> > > > > >>>>>> > >> > > > > >>>>>> > >> > > > > >>>>>> > >> > > > On 09/19/2016 03:21 PM, Jerry Benton wrote: > >>>>>> > >> > > > > What do your settings look like? 
> >>>>>> > >> > > > > > >>>>>> > >> > > > > > >>>>>> > >> > > > > - > >>>>>> > >> > > > > Jerry Benton > >>>>>> > >> > > > > www.mailborder.com > >>>>>> > >> > > > > +1 - 844-436-6245 > >>>>>> > >> > > > > > >>>>>> > >> > > > > > >>>>>> > >> > > > > -----Original Message----- > >>>>>> > >> > > > > From: Peter H. Lemieux > >>>>>> > >> > > > > Reply: MailScanner Discussion > >>>>>> > >> > > > > Date: September 19, 2016 at 3:18:27 PM > >>>>>> > >> > > > > To: MailScanner Discussion > >>>>>> > >> > > > > Subject: Re: MCP checks > >>>>>> > >> > > > > > >>>>>> > >> > > > >> I do, but I'm using 4.85,2. We use MCP at a health > >>>>>> center to > >>>>>> > >> intercept > >>>>>> > >> > > > >> outbound messages that may contain "patient health > >>>>>> information" > >>>>>> > >> as > >>>>>> > >> > > > >> defined by the US HIPAA laws. Works as advertised. > >>>>>> > >> > > > >> > >>>>>> > >> > > > >> I haven't tried version 5 yet so I can't help with that. > >>>>>> > >> > > > >> > >>>>>> > >> > > > >> Peter > >>>>>> > >> > > > >> > >>>>>> > >> > > > >> > >>>>>> > >> > > > >> On 09/19/2016 02:51 PM, Jerry Benton wrote: > >>>>>> > >> > > > >>> Anyone using MCP? I can?t seem to get it to fire on > >>>>>> any rules, > >>>>>> > >> but > >>>>>> > >> > > the > >>>>>> > >> > > > >>> same rules will fire in regular spamassassin checks. 
> >>>>>> > >> > > > >>> > >>>>>> > >> > > > >>> > >>>>>> > >> > > > >>> - > >>>>>> > >> > > > >>> Jerry Benton > >>>>>> > >> > > > >>> www.mailborder.com > >>>>>> > >> > > > >>> +1 - 844-436-6245 > >>>>>> > >> > > > >>> > >>>>>> > >> > > > >>> > >>>>>> > >> > > > >> > >>>>>> > >> > > > >> > >>>>>> > >> > > > >> -- > >>>>>> > >> > > > >> MailScanner mailing list > >>>>>> > >> > > > >> mailscanner at lists.mailscanner.info > >>>>>> > >> > > > >> http://lists.mailscanner.info/ > >>>>>> mailman/listinfo/mailscanner > >>>>>> > >> > > > >> > >>>>>> > >> > > > >> > >>>>>> > >> > > > > > >>>>>> > >> > > > > > >>>>>> > >> > > > > >>>>>> > >> > > > > >>>>>> > >> > > > -- > >>>>>> > >> > > > MailScanner mailing list > >>>>>> > >> > > > mailscanner at lists.mailscanner.info > >>>>>> > >> > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > >>>>>> > >> > > > > >>>>>> > >> > > > > >>>>>> > >> > > > >>>>>> > >> > > > >>>>>> > >> > > -- > >>>>>> > >> > > MailScanner mailing list > >>>>>> > >> > > mailscanner at lists.mailscanner.info > >>>>>> > >> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > >>>>>> > >> > > > >>>>>> > >> > > > >>>>>> > >> > > >>>>>> > >> > > >>>>>> > >> > -- > >>>>>> > >> > Shawn Iverson > >>>>>> > >> > Director of Technology > >>>>>> > >> > Rush County Schools > >>>>>> > >> > 765-932-3901 x271 > >>>>>> > >> > iversons at rushville.k12.in.us > >>>>>> > >> > > >>>>>> > >> > > >>>>>> > >> > -- > >>>>>> > >> > MailScanner mailing list > >>>>>> > >> > mailscanner at lists.mailscanner.info > >>>>>> > >> > http://lists.mailscanner.info/mailman/listinfo/mailscanner > >>>>>> > >> > > >>>>>> > >> > > >>>>>> > >> > >>>>>> > >> > >>>>>> > >> -- > >>>>>> > >> MailScanner mailing list > >>>>>> > >> mailscanner at lists.mailscanner.info > >>>>>> > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >>>>>> > >> > >>>>>> > >> > >>>>>> > > > >>>>>> > > > >>>>>> > > -- > >>>>>> > > Shawn Iverson > >>>>>> > > Director of Technology > 
>>>>>> > > Rush County Schools > >>>>>> > > 765-932-3901 x271 > >>>>>> > > iversons at rushville.k12.in.us > >>>>>> > > > >>>>>> > > > >>>>>> > > > >>>>>> > > >>>>>> > > >>>>>> > -- > >>>>>> > Shawn Iverson > >>>>>> > Director of Technology > >>>>>> > Rush County Schools > >>>>>> > 765-932-3901 x271 > >>>>>> > iversons at rushville.k12.in.us > >>>>>> > > >>>>>> > > >>>>>> > -- > >>>>>> > MailScanner mailing list > >>>>>> > mailscanner at lists.mailscanner.info > >>>>>> > http://lists.mailscanner.info/mailman/listinfo/mailscanner > >>>>>> > > >>>>>> > > >>>>>> > >>>>>> > >>>>>> -- > >>>>>> MailScanner mailing list > >>>>>> mailscanner at lists.mailscanner.info > >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >>>>>> > >>>>>> > >>>>> > >>>>> > >>>>> -- > >>>>> Shawn Iverson > >>>>> Director of Technology > >>>>> Rush County Schools > >>>>> 765-932-3901 x271 > >>>>> iversons at rushville.k12.in.us > >>>>> > >>>>> > >>>>> > >>>> > >>>> > >>>> -- > >>>> Shawn Iverson > >>>> Director of Technology > >>>> Rush County Schools > >>>> 765-932-3901 x271 > >>>> iversons at rushville.k12.in.us > >>>> > >>>> > >>>> > >>> > >>> > >>> -- > >>> Shawn Iverson > >>> Director of Technology > >>> Rush County Schools > >>> 765-932-3901 x271 > >>> iversons at rushville.k12.in.us > >>> > >>> > >>> > >> > >> > >> -- > >> Shawn Iverson > >> Director of Technology > >> Rush County Schools > >> 765-932-3901 x271 > >> iversons at rushville.k12.in.us > >> > >> > >> > > > > > > -- > > Shawn Iverson > > Director of Technology > > Rush County Schools > > 765-932-3901 x271 > > iversons at rushville.k12.in.us > > > > > > > > > -- > Shawn Iverson > Director of Technology > Rush County Schools > 765-932-3901 x271 > iversons at rushville.k12.in.us > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > From pparsons at techeez.com Tue Sep 20 15:41:15 2016 From: pparsons at techeez.com (Philip 
Parsons)
Date: Tue, 20 Sep 2016 15:41:15 +0000
Subject: MailScanner.conf rule set
In-Reply-To: <512f1705-b109-9a17-57e6-bec04c651f15@msapiro.net>
References: <11D8E491D9562549A61FD3186F36342002850475B6@exchange.techeez.com> <11D8E491D9562549A61FD3186F36342002850476EB@exchange.techeez.com> <512f1705-b109-9a17-57e6-bec04c651f15@msapiro.net>
Message-ID: <11D8E491D9562549A61FD3186F3634200285048D39@exchange.techeez.com>

Mark you are correct, I am out to lunch not thinking about it right..

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+pparsons=techeez.com at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: September 19, 2016 9:42 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: MailScanner.conf rule set

On 09/19/2016 02:56 PM, Philip Parsons wrote:
>
> What I want to be able to do is to send all of the Blocked file name
> reports to a specific email address not to the recipient.

I'm still confused. There are three notifications.

1) The sender of the mail (From: address) is notified that some of their message was blocked. This is controlled by the Notify Senders * settings. See

2) An admin or ?? is notified of the action. This is controlled by the Notice* settings.

3) When an attachment is blocked a notice is placed in the message to the recipient about the blocked attachment and the attachment itself is replaced by a more detailed warning message. This is controlled by the Deleted * Report settings. These point to a file containing a template, but it could be /dev/null.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From tom at izb.net Tue Sep 20 16:21:25 2016
From: tom at izb.net (Tom)
Date: Tue, 20 Sep 2016 18:21:25 +0200
Subject: How to add recipient in stored.virus.message.txt (and related) report?
In-Reply-To:
References: <20160913085351.GA53750@f-i-ts.net>
Message-ID: <20160920162125.GA74346@f-i-ts.net>

On Thu, Sep 15, 2016 at 03:44:40PM -0700, Mark Sapiro wrote:
> But these reports are in the message delivered to the recipient.
> Presumably the recipient already knows who she is, so why do you want to
> put a To: line in the report?

It's needed for a robot: the user receives the mail with the message about some blocked content and forwards this to a ticket system. A robot then takes such a ticket and scans the blocked attachments against some different virus scanners and - if clean - delivers the attachment. We need the recipient[s] for this robot.

> I haven't specifically looked for the code, but it would be in
> MailScanner's Message.pm module. If you want to work on this, it would
> be helpful if you filed an issue at
> and an eventual PR if you
> develop a fix.

I filed a report: https://github.com/MailScanner/v5/issues/18
and I included a small patch to demonstrate the requirement.

Thanks,
Tom

From ewr at erols.com Wed Sep 21 20:12:10 2016
From: ewr at erols.com (Eric Wirt)
Date: Wed, 21 Sep 2016 16:12:10 -0400
Subject: HTML Conditionals inside tag mangled by phishing filter
Message-ID: <72BF714A-AB1C-4121-8F96-A467FEAF4514@erols.com>

I have some MS Outlook users who have been complaining to me about emails arriving mangled, and I finally took the time to dive into what was going on. I am using MailScanner version 5.0.3.

What I found is that if an email contains HTML conditionals inside an <a> tag, and any part of the email ends up triggering the phishing filters, those conditionals can get mangled. The problem was mostly only visible to Outlook users, since that is the Mail client that is typically targeted with conditionals.

I came up with a little stripped down HTML that demonstrates the problem. Unfortunately my Perl skills are severely lacking, so while I did peek around Message.pm, and see that it is using HTML::Parser to evaluate each tag, then make changes (if necessary) and write the tags back out, I didn't dig in enough to be able to determine if this is an issue with HTML::Parser itself, or the way Mailscanner rebuilds the email, or something else. I did check the HTML::Parser version on the server and upgrade it from 3.7.1 to 3.7.2, but that didn't make a difference.

Here is the "original" HTML email body on an email. I stripped it down to be easily readable, but in real-life the point is to provide different styling in order to deal with Outlook's eccentricities than the styling for other email clients.

ORIGINAL HTML:

abc.com

----------

If you send the above as an email through MailScanner (and leave the 2nd href that triggers the phishing filters), the resulting output of the first A tag is below. As you can see, the second conditional inside the tag is being moved up above the tag, when it should still be below.

----------

In practice, it doesn't matter where (or how many) of these structures are in the HTML, they all end up mangled, even though they are not the actual part of the email that is triggering the phishing filter.

If I remove the bottom abc.com so that the phishing filters don't trigger on the email, the email comes through correctly. Also, if I remove the tag from around the set of two conditionals, it makes it through with the correct order intact (still triggering the phishing filters), so it only seems to happen when embedded in an <a> tag. However, it wouldn't surprise me if there are other enclosing tags that could trigger the same situation, but I haven't done any testing on that yet.

Any suggestions on how to resolve this would be greatly appreciated.

Thanks!

Eric
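
The reordering described in the message above can be checked mechanically by recording, for each HTML comment, whether it sits inside an open `<a>` element before and after filtering. This is an added example, not part of the original post and not MailScanner code; the class and function names and both sample bodies are constructed for illustration.

```python
from html.parser import HTMLParser

class CommentContext(HTMLParser):
    """Record, for every comment, whether it occurs inside an open <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchor_depth = 0
        self.comments = []  # (comment_text, inside_anchor) in document order

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchor_depth += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.anchor_depth:
            self.anchor_depth -= 1

    def handle_comment(self, data):
        self.comments.append((data.strip(), self.anchor_depth > 0))

def comment_contexts(html):
    parser = CommentContext()
    parser.feed(html)
    parser.close()
    return parser.comments

def moved_comments(original, filtered):
    """Return comments that crossed an <a> boundary or vanished after filtering."""
    after = comment_contexts(filtered)
    moved = []
    for text, inside in comment_contexts(original):
        match = next((c for c in after if c[0] == text), None)
        if match is None:
            moved.append((text, "missing"))
        else:
            after.remove(match)  # consume it so duplicate comments pair up 1:1
            if match[1] != inside:
                moved.append((text, "left <a>" if inside else "entered <a>"))
    return moved

# Constructed sample bodies (not the HTML from the post): two conditional
# comments inside one anchor, then the same body with the second one moved out.
ORIGINAL = ('<a href="http://example.test/"><!--[if mso]><i>A</i><![endif]-->'
            'Link<!--[if !mso]><b>B</b><![endif]--></a>')
MANGLED = ('<!--[if !mso]><b>B</b><![endif]--><a href="http://example.test/">'
           '<!--[if mso]><i>A</i><![endif]-->Link</a>')
```

Running `moved_comments` over the message body as submitted and as delivered gives a regression check that does not depend on which component causes the reordering.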