From salighie at gmail.com Fri Apr 5 23:03:43 2019
From: salighie at gmail.com (Sebastiano Dante Alighieri)
Date: Fri, 5 Apr 2019 19:03:43 -0400
Subject: All Emails tagged as {VIRUS}
Message-ID:

Hi,

In the past couple of days my email is all coming in with the subject line tagged as {VIRUS}. This is true for all mail, but of course there's no virus involved.

Mailscanner v5.0.7
ClamAV v0.100.0

ClamAV update process started at Fri Apr 5 18:41:07 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.0 Recommended version: 0.101.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63, builder: raynman)
bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)

A review of /var/log/maillog suggests that there's a problem with ClamAV

Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
Apr 5 18:34:23 myhost MailScanner[7448]: *AV engine clamav timed out*
Apr 5 18:34:23 myhost MailScanner[7448]: *clamav: Failed to complete, timed out*
Apr 5 18:34:23 myhost MailScanner[7448]: *Virus Scanning: Denial Of Service attack detected!*

I've tried to observe what is happening on the system, while mail is being scanned and what i can surmise is that clamscan is timing-out (uses 100% CPU)

[image: image.png]

any pointers would be greatly appreciated. I have not been able to find anything online.

I'll try upgrading to the latest and greatest MailScanner in the mean time.

thanks
Salighie

From warren at scifioz.com Fri Apr 5 23:21:53 2019
From: warren at scifioz.com (Warren Hillsdon)
Date: Sat, 6 Apr 2019 10:21:53 +1100
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References:
Message-ID: <002701d4ec06$5b815af0$128410d0$@scifioz.com>

All,

I had the same issue start last night as well. However it completely stopped any mail - legit or not being delivered. I had to stop the clamav process in order to get mail to flow again.

Apr 6 00:20:56 myhost MailScanner[21622]: AV engine clamav timed out
Apr 6 00:20:56 myhost MailScanner[21622]: clamav: Failed to complete, timed out
Apr 6 00:20:56 myhost MailScanner[21622]: Virus Scanning: Denial Of Service attack detected!
Apr 6 00:20:56 myhost sendmail[22790]: x35DKq9R022790: from=, size=57707, class=0, nrcpts=1, msgid=<58b9337c-50d9-4551-8d40-c967539868fa at ind1s01mta587.xt.local>, bodytype=8BITMIME, proto=ESMTPS, daemon=MTA, relay=mta44.emailinfo2.bestbuy.com [136.147.140.129]
Apr 6 00:20:58 myhost MailScanner[22684]: New Batch: Found 6 messages waiting
Apr 6 00:20:58 myhost MailScanner[22684]: New Batch: Scanning 1 messages, 58359 bytes
Apr 6 00:20:59 myhost MailScanner[22684]: Virus and Content Scanning: Starting
Apr 6 00:21:04 myhost MailScanner[21444]: AV engine clamav timed out
Apr 6 00:21:04 myhost MailScanner[21444]: clamav: Failed to complete, timed out
Apr 6 00:21:04 myhost MailScanner[21444]: Virus Scanning: Denial Of Service attack detected!

Running ClamAV 0.101.1-1
Mailscanner v5.0.7

Warren

From: MailScanner On Behalf Of Sebastiano Dante Alighieri
Sent: Saturday, 6 April 2019 10:04 AM
To: mailscanner at lists.mailscanner.info
Subject: All Emails tagged as {VIRUS}

Hi,

In the past couple of days my email is all coming in with the subject line tagged as {VIRUS}. This is true for all mail, but of course there's no virus involved.

Mailscanner v5.0.7
ClamAV v0.100.0

ClamAV update process started at Fri Apr 5 18:41:07 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.0 Recommended version: 0.101.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63, builder: raynman)
bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)

A review of /var/log/maillog suggests that there's a problem with ClamAV

Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
Apr 5 18:34:23 myhost MailScanner[7448]: AV engine clamav timed out
Apr 5 18:34:23 myhost MailScanner[7448]: clamav: Failed to complete, timed out
Apr 5 18:34:23 myhost MailScanner[7448]: Virus Scanning: Denial Of Service attack detected!

I've tried to observe what is happening on the system, while mail is being scanned and what i can surmise is that clamscan is timing-out (uses 100% CPU)

any pointers would be greatly appreciated. I have not been able to find anything online.

I'll try upgrading to the latest and greatest MailScanner in the mean time.

thanks
Salighie

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

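The maillog pattern in the two messages above, as an added example that is not part of the original thread or of MailScanner: it pairs each "AV engine ... timed out" line with the "Virus and Content Scanning: Starting" line logged by the same MailScanner PID and reports how long the scan ran. The sample lines are constructed from the excerpts above; the function names and the `year` argument (syslog timestamps carry no year) are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the maillog excerpts quoted in this thread.
SAMPLE_LOG = """\
Apr  5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
Apr  5 18:34:23 myhost MailScanner[7448]: AV engine clamav timed out
Apr  5 18:34:23 myhost MailScanner[7448]: clamav: Failed to complete, timed out
Apr  5 18:34:23 myhost MailScanner[7448]: Virus Scanning: Denial Of Service attack detected!
Apr  6 00:20:56 myhost MailScanner[21622]: AV engine clamav timed out
Apr  6 00:20:58 myhost MailScanner[22684]: New Batch: Scanning 1 messages, 58359 bytes
Apr  6 00:20:59 myhost MailScanner[22684]: Virus and Content Scanning: Starting
Apr  6 00:21:04 myhost MailScanner[21444]: AV engine clamav timed out
"""

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
START_RE = re.compile(r"Virus and Content Scanning: Starting")
TIMEOUT_RE = re.compile(r"AV engine (?P<engine>\S+) timed out")


def parse_line(line, year):
    """Return (timestamp, pid, message) for a MailScanner syslog line, else None."""
    # Tolerate mail-quote markers and the '*' emphasis seen in pasted excerpts.
    m = LINE_RE.match(line.strip().lstrip(">* "))
    if not m or m["mon"] not in MONTHS:
        return None
    hour, minute, second = map(int, m["time"].split(":"))
    try:
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hour, minute, second)
    except ValueError:          # impossible date or time, e.g. "Feb 31"
        return None
    return ts, int(m["pid"]), m["msg"].rstrip("* ")


def find_scanner_timeouts(lines, year):
    """Pair each 'timed out' event with the scan start logged by the same PID."""
    started = {}                # pid -> time its current scan began
    events = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, pid, msg = parsed
        if START_RE.search(msg):
            started[pid] = ts
            continue
        hit = TIMEOUT_RE.search(msg)
        if hit:
            begun = started.pop(pid, None)   # None: start lies outside the excerpt
            elapsed = None if begun is None else int((ts - begun).total_seconds())
            events.append({"pid": pid, "engine": hit["engine"],
                           "timed_out_at": ts, "elapsed_s": elapsed})
    return events


def summarize(events):
    """Timeout count per engine plus the longest measured scan, for triage."""
    per_engine = {}
    for ev in events:
        per_engine[ev["engine"]] = per_engine.get(ev["engine"], 0) + 1
    measured = [ev["elapsed_s"] for ev in events if ev["elapsed_s"] is not None]
    return {"timeouts": per_engine, "longest_scan_s": max(measured, default=None)}


if __name__ == "__main__":
    found = find_scanner_timeouts(SAMPLE_LOG.splitlines(), year=2019)
    for ev in found:
        ran = "unknown" if ev["elapsed_s"] is None else f"{ev['elapsed_s']}s"
        print(f"{ev['timed_out_at']} pid={ev['pid']} engine={ev['engine']} ran={ran}")
    print(summarize(found))
```
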
From mark at msapiro.net Sat Apr 6 00:41:56 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 5 Apr 2019 17:41:56 -0700
Subject: All Emails tagged as {VIRUS}
In-Reply-To: <002701d4ec06$5b815af0$128410d0$@scifioz.com>
References: <002701d4ec06$5b815af0$128410d0$@scifioz.com>
Message-ID: <089eb170-8376-cae4-6d2b-4b14656bbd33@msapiro.net>

On 4/5/19 4:21 PM, Warren Hillsdon wrote:
> All,
>
> I had the same issue start last night as well. However it completely
> stopped any mail - legit or not being delivered. I had to stop the
> clamav process in order to get mail to flow again.
>
> Apr 6 00:20:56 myhost MailScanner[21622]: AV engine clamav timed out
>
> Apr 6 00:20:56 myhost MailScanner[21622]: clamav: Failed to complete,
> timed out
>
> Apr 6 00:20:56 myhost MailScanner[21622]: Virus Scanning: Denial Of
> Service attack detected!

I'm not sure what the issue is with clamav, but it is much preferred to use clamd. In your MailScanner configuration set

Virus Scanners = clamd
Clamd Socket = /var/run/clamav/clamd.ctl

or whatever the path is and of course ensure that the clamd service, which may be called clamd or clamav-daemon or ?? depending on your distro, is running.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From yuwang at cs.fsu.edu Sat Apr 6 00:31:33 2019
From: yuwang at cs.fsu.edu (yuwang)
Date: Fri, 05 Apr 2019 20:31:33 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References:
Message-ID: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu>

My guess is clamav update issue. What happens when you 'Mailscanner Lint'? use strace to attach to clam process, use lsof to see open files, and turn on debug mode on clam might help too.

James

On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
> Hi,
>
> In the past couple of days my email is all coming in with the subject
> line tagged as {VIRUS}.
> This is true for all mail, but of course
> there's no virus involved.
>
> Mailscanner v5.0.7
> ClamAV v0.100.0
>
>> ClamAV update process started at Fri Apr 5 18:41:07 2019
>>
>> WARNING: Your ClamAV installation is OUTDATED!
>>
>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
>>
>> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
>>
>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60,
>> builder: sigmgr)
>>
>> daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63,
>> builder: raynman)
>>
>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63,
>> builder: neo)
>
> A review of /var/log/maillog suggests that there's a problem with
> ClamAV
>
>> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content
>> Scanning: Starting
>>
>> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
>>
>> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO
>> COMPLETE, TIMED OUT
>>
>> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL OF
>> SERVICE ATTACK DETECTED!
>
> I've tried to observe what is happening on the system, while mail is
> being scanned and what i can surmise is that clamscan is timing-out
> (uses 100% CPU)
>
> any pointers would be greatly appreciated. I have not been able to
> find anything online.
>
> I'll try upgrading to the latest and greatest MailScanner in the mean
> time.
>
> thanks
> Salighie

From salighie at gmail.com Sat Apr 6 08:19:15 2019
From: salighie at gmail.com (Sebastiano Dante Alighieri)
Date: Sat, 6 Apr 2019 04:19:15 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu>
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu>
Message-ID:

After I upgraded to the latest version, i get no mail; MailScanner Crashes continuously

*Apr 6 04:12:23 MyHost MailScanner[10890]: MailScanner Email Processor version 5.1.3 starting...*
Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration file /etc/MailScanner/MailScanner.conf
Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration file /etc/MailScanner/conf.d/README
*Apr 6 04:12:23 MyHost MailScanner[10890]: Could not read file them.*
*Apr 6 04:12:23 MyHost MailScanner[10890]: Error in line 1422, file "/usr/share/MailScanner/reports/en/stored.fi them." for storedfilenamemessage does not exist (or can not be read)*
Apr 6 04:12:24 MyHost MailScanner[10890]: Read 1500 hostnames from the phishing whitelist
Apr 6 04:12:24 MyHost MailScanner[10890]: Read 16624 hostnames from the phishing blacklists
Apr 6 04:12:24 MyHost MailScanner[10890]: Using SpamAssassin results cache
Apr 6 04:12:24 MyHost MailScanner[10890]: Connected to SpamAssassin cache database
Apr 6 04:12:25 MyHost MailScanner[10890]: Enabling SpamAssassin auto-whitelist functionality...
Apr 6 04:12:27 MyHost MailScanner[10885]: Auto: Found virus scanners: clamav
Apr 6 04:12:27 MyHost MailScanner[10885]: Connected to Processing Attempts Database
Apr 6 04:12:27 MyHost MailScanner[10885]: Found 1 messages in the Processing Attempts Database
Apr 6 04:12:27 MyHost MailScanner[10885]: Using locktype = flock
*Apr 6 04:12:28 MyHost MailScanner[10920]: MailScanner Email Processor version 5.1.3 starting...*
Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration file /etc/MailScanner/MailScanner.conf
Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration file /etc/MailScanner/conf.d/README
Apr 6 04:12:28 MyHost MailScanner[10920]: Could not read file them.
*Apr 6 04:12:28 MyHost MailScanner[10920]: Error in line 1422, file "/usr/share/MailScanner/reports/en/stored.fi them." for storedfilenamemessage does not exist (or can not be read)*

This goes on while there's a message to be processed in the db, until it detects too many crashes and quarantines the message.

when a new message comes in, it starts all over again.

*MailScanner Lint output*

Could not read file /usr/share/MailScanner/reports/en/stored.fi at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
Error in line 1422, file "/usr/share/MailScanner/reports/en/stored.fi them." for storedfilenamemessage does not exist (or can not be read) at /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.

On Fri, Apr 5, 2019 at 8:31 PM yuwang wrote:

> My guess is clamav update issue. What happens when you 'Mailscanner
> Lint'? use strace to attach to clam process, use lsof to see open files,
> and turn on debug mode on clam might help too.
>
> James
>
>
> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
> > Hi,
> >
> > In the past couple of days my email is all coming in with the subject
> > line tagged as {VIRUS}. This is true for all mail, but of course
> > there's no virus involved.
> >
> > Mailscanner v5.0.7
> > ClamAV v0.100.0
> >
> >> ClamAV update process started at Fri Apr 5 18:41:07 2019
> >>
> >> WARNING: Your ClamAV installation is OUTDATED!
> >>
> >> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
> >>
> >> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
> >>
> >> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60,
> >> builder: sigmgr)
> >>
> >> daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63,
> >> builder: raynman)
> >>
> >> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63,
> >> builder: neo)
> >
> > A review of /var/log/maillog suggests that there's a problem with
> > ClamAV
> >
> >> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content
> >> Scanning: Starting
> >>
> >> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
> >>
> >> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO
> >> COMPLETE, TIMED OUT
> >>
> >> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL OF
> >> SERVICE ATTACK DETECTED!
> >
> > I've tried to observe what is happening on the system, while mail is
> > being scanned and what i can surmise is that clamscan is timing-out
> > (uses 100% CPU)
> >
> > any pointers would be greatly appreciated. I have not been able to
> > find anything online.
> >
> > I'll try upgrading to the latest and greatest MailScanner in the mean
> > time.
> >
> > thanks
> > Salighie
>

From ervandepol at gmail.com Sat Apr 6 09:15:23 2019
From: ervandepol at gmail.com (Polleke)
Date: Sat, 06 Apr 2019 11:15:23 +0200
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References:
Message-ID: <20190406111523.780E.3FC183F3@gmail.com>

Ola,

I just raised the timeout in MailScanner.conf:

#Virus Scanner Timeout = 300
Virus Scanner Timeout = 600

And it works again...

ps. You can ignore the Clamav outdated message...

--
Polleke

Original Message
From: Sebastiano Dante Alighieri
To: mailscanner at lists.mailscanner.info
Subject: All Emails tagged as {VIRUS}
Date: 6-4-2019 01:03:43

Hi,

In the past couple of days my email is all coming in with the subject line tagged as {VIRUS}. This is true for all mail, but of course there's no virus involved.

Mailscanner v5.0.7
ClamAV v0.100.0

ClamAV update process started at Fri Apr 5 18:41:07 2019
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63, builder: raynman)
> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)

A review of /var/log/maillog suggests that there's a problem with ClamAV

Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
> Apr 5 18:34:23 myhost MailScanner[7448]: AV engine clamav timed out
> Apr 5 18:34:23 myhost MailScanner[7448]: clamav: Failed to complete, timed out
> Apr 5 18:34:23 myhost MailScanner[7448]: Virus Scanning: Denial Of Service attack detected!

I've tried to observe what is happening on the system, while mail is being scanned and what i can surmise is that clamscan is timing-out (uses 100% CPU)

any pointers would be greatly appreciated. I have not been able to find anything online.

I'll try upgrading to the latest and greatest MailScanner in the mean time.

thanks
Salighie

From yuwang at cs.fsu.edu Sat Apr 6 13:49:43 2019
From: yuwang at cs.fsu.edu (yuwang)
Date: Sat, 06 Apr 2019 09:49:43 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu>
Message-ID: <2219111b9e062292f73798ef8558ff33@cs.fsu.edu>

"Could not read file /usr/share/MailScanner/reports/en/stored.fi [2]
>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
>>
>> Error in line 1422, file
>> "/usr/share/MailScanner/reports/en/stored.fi [2] them." for
>> storedfilenamemessage does not exist (or can not be read) at
>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058."

The file should be "/usr/share/MailScanner/reports/en/stored.filename.message.txt"

Your error message says /usr/share/MailScanner/reports/en/stored.fi

What is the output of command:

grep 'stored.fi' /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
and
ls -l /usr/share/MailScanner/reports/en/stored.filename.message.txt

James

On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote:
> After I upgraded to the latest version, i get no mail; MailScanner
> Crashes continuously
>
>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: MAILSCANNER EMAIL
>> PROCESSOR VERSION 5.1.3 STARTING...
>>
>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration
>> file /etc/MailScanner/MailScanner.conf
>>
>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration
>> file /etc/MailScanner/conf.d/README
>>
>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: COULD NOT READ FILE
>> THEM.
>>
>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: ERROR IN LINE 1422,
>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [1] THEM."
>> FOR STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
>>
>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 1500 hostnames
>> from the phishing whitelist
>>
>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 16624 hostnames
>> from the phishing blacklists
>>
>> Apr 6 04:12:24 MyHost MailScanner[10890]: Using SpamAssassin
>> results cache
>>
>> Apr 6 04:12:24 MyHost MailScanner[10890]: Connected to
>> SpamAssassin cache database
>>
>> Apr 6 04:12:25 MyHost MailScanner[10890]: Enabling SpamAssassin
>> auto-whitelist functionality...
>>
>> Apr 6 04:12:27 MyHost MailScanner[10885]: Auto: Found virus
>> scanners: clamav
>>
>> Apr 6 04:12:27 MyHost MailScanner[10885]: Connected to Processing
>> Attempts Database
>>
>> Apr 6 04:12:27 MyHost MailScanner[10885]: Found 1 messages in the
>> Processing Attempts Database
>>
>> Apr 6 04:12:27 MyHost MailScanner[10885]: Using locktype = flock
>>
>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: MAILSCANNER EMAIL
>> PROCESSOR VERSION 5.1.3 STARTING...
>>
>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration
>> file /etc/MailScanner/MailScanner.conf
>>
>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration
>> file /etc/MailScanner/conf.d/README
>>
>> Apr 6 04:12:28 MyHost MailScanner[10920]: Could not read file
>> them.
>>
>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: ERROR IN LINE 1422,
>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [1] THEM." FOR
>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
>
> This goes on while there's a message to be processed in the db, until
> it detects too many crashes and quarantines the message.
>
> when a new message comes in, it starts all over again.
>
> MAILSCANNER LINT OUTPUT
>
>> Could not read file /usr/share/MailScanner/reports/en/stored.fi [2]
>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
>>
>> Error in line 1422, file
>> "/usr/share/MailScanner/reports/en/stored.fi [2] them."
>> for storedfilenamemessage does not exist (or can not be read) at
>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.
>
> On Fri, Apr 5, 2019 at 8:31 PM yuwang wrote:
>
>> My guess is clamav update issue. What happens when you 'Mailscanner
>> Lint'? use strace to attach to clam process, use lsof to see open files,
>> and turn on debug mode on clam might help too.
>>
>> James
>>
>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
>>> Hi,
>>>
>>> In the past couple of days my email is all coming in with the subject
>>> line tagged as {VIRUS}. This is true for all mail, but of course
>>> there's no virus involved.
>>>
>>> Mailscanner v5.0.7
>>> ClamAV v0.100.0
>>>
>>>> ClamAV update process started at Fri Apr 5 18:41:07 2019
>>>>
>>>> WARNING: Your ClamAV installation is OUTDATED!
>>>>
>>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
>>>>
>>>> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
>>>>
>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60,
>>>> builder: sigmgr)
>>>>
>>>> daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63,
>>>> builder: raynman)
>>>>
>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63,
>>>> builder: neo)
>>>
>>> A review of /var/log/maillog suggests that there's a problem with
>>> ClamAV
>>>
>>>> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content
>>>> Scanning: Starting
>>>>
>>>> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
>>>>
>>>> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO
>>>> COMPLETE, TIMED OUT
>>>>
>>>> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL OF
>>>> SERVICE ATTACK DETECTED!
>>>
>>> I've tried to observe what is happening on the system, while mail is
>>> being scanned and what i can surmise is that clamscan is timing-out
>>> (uses 100% CPU)
>>>
>>> any pointers would be greatly appreciated.
>>> I have not been able to
>>> find anything online.
>>>
>>> I'll try upgrading to the latest and greatest MailScanner in the mean
>>> time.
>>>
>>> thanks
>>> Salighie
>
>
> Links:
> ------
> [1] http://stored.fi
> [2] http://stored.fi/

From iversons at rushville.k12.in.us Sat Apr 6 13:52:17 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 6 Apr 2019 09:52:17 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu>
Message-ID:

You have garbage/typos in your MailScanner.conf at line 1422.

On Sat, Apr 6, 2019 at 4:20 AM Sebastiano Dante Alighieri <salighie at gmail.com> wrote:

> After I upgraded to the latest version, i get no mail; MailScanner Crashes
> continuously
>
> *Apr 6 04:12:23 MyHost MailScanner[10890]: MailScanner Email Processor
> version 5.1.3 starting...*
> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration file
> /etc/MailScanner/MailScanner.conf
> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration file
> /etc/MailScanner/conf.d/README
> *Apr 6 04:12:23 MyHost MailScanner[10890]: Could not read file them.*
> *Apr 6 04:12:23 MyHost MailScanner[10890]: Error in line 1422, file
> "/usr/share/MailScanner/reports/en/stored.fi them." for
> storedfilenamemessage does not exist (or can not be read)*
> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 1500 hostnames from the
> phishing whitelist
> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 16624 hostnames from the
> phishing blacklists
> Apr 6 04:12:24 MyHost MailScanner[10890]: Using SpamAssassin results
> cache
> Apr 6 04:12:24 MyHost MailScanner[10890]: Connected to SpamAssassin
> cache database
> Apr 6 04:12:25 MyHost MailScanner[10890]: Enabling SpamAssassin
> auto-whitelist functionality...
> Apr 6 04:12:27 MyHost MailScanner[10885]: Auto: Found virus scanners:
> clamav
> Apr 6 04:12:27 MyHost MailScanner[10885]: Connected to Processing
> Attempts Database
> Apr 6 04:12:27 MyHost MailScanner[10885]: Found 1 messages in the
> Processing Attempts Database
> Apr 6 04:12:27 MyHost MailScanner[10885]: Using locktype = flock
> *Apr 6 04:12:28 MyHost MailScanner[10920]: MailScanner Email Processor
> version 5.1.3 starting...*
> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration file
> /etc/MailScanner/MailScanner.conf
> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration file
> /etc/MailScanner/conf.d/README
> Apr 6 04:12:28 MyHost MailScanner[10920]: Could not read file them.
> *Apr 6 04:12:28 MyHost MailScanner[10920]: Error in line 1422, file
> "/usr/share/MailScanner/reports/en/stored.fi them." for
> storedfilenamemessage does not exist (or can not be read)*
>
> This goes on while there's a message to be processed in the db, until it
> detects too many crashes and quarantines the message.
>
> when a new message comes in, it starts all over again.
>
> *MailScanner Lint output*
>
> Could not read file /usr/share/MailScanner/reports/en/stored.fi at
> /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> Error in line 1422, file "/usr/share/MailScanner/reports/en/stored.fi them."
> for storedfilenamemessage does not exist (or can not be read) at
> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.
>
>
> On Fri, Apr 5, 2019 at 8:31 PM yuwang wrote:
>
>> My guess is clamav update issue. What happens when you 'Mailscanner
>> Lint'? use strace to attach to clam process, use lsof to see open files,
>> and turn on debug mode on clam might help too.
>>
>> James
>>
>>
>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
>> > Hi,
>> >
>> > In the past couple of days my email is all coming in with the subject
>> > line tagged as {VIRUS}. This is true for all mail, but of course
>> > there's no virus involved.
>> >
>> > Mailscanner v5.0.7
>> > ClamAV v0.100.0
>> >
>> >> ClamAV update process started at Fri Apr 5 18:41:07 2019
>> >>
>> >> WARNING: Your ClamAV installation is OUTDATED!
>> >>
>> >> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
>> >>
>> >> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
>> >>
>> >> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60,
>> >> builder: sigmgr)
>> >>
>> >> daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63,
>> >> builder: raynman)
>> >>
>> >> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63,
>> >> builder: neo)
>> >
>> > A review of /var/log/maillog suggests that there's a problem with
>> > ClamAV
>> >
>> >> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content
>> >> Scanning: Starting
>> >>
>> >> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
>> >>
>> >> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO
>> >> COMPLETE, TIMED OUT
>> >>
>> >> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL OF
>> >> SERVICE ATTACK DETECTED!
>> >
>> > I've tried to observe what is happening on the system, while mail is
>> > being scanned and what i can surmise is that clamscan is timing-out
>> > (uses 100% CPU)
>> >
>> > any pointers would be greatly appreciated. I have not been able to
>> > find anything online.
>> >
>> > I'll try upgrading to the latest and greatest MailScanner in the mean
>> > time.
>> >
>> > thanks
>> > Salighie
>> >
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From mark at msapiro.net Sat Apr 6 15:37:49 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 6 Apr 2019 08:37:49 -0700
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu>
Message-ID: <1a598aea-c524-fbe3-ff65-6d5039c75744@msapiro.net>

On 4/6/19 6:52 AM, Shawn Iverson via MailScanner wrote:
> You have garbage/typos in your MailScanner.conf at line 1422.
>
> On Sat, Apr 6, 2019 at 4:20 AM Sebastiano Dante Alighieri
> wrote:
>
> After I upgraded to the latest version, i get no mail; MailScanner
> Crashes continuously
> ...
> *Apr 6 04:12:23 MyHost MailScanner[10890]: Error in line
> 1422, file "/usr/share/MailScanner/reports/en/stored.fi
> them." for storedfilenamemessage does not
> exist (or can not be read)*

To be more specific, line 1422 of MailScanner.conf should be

> Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt

Yours is apparently truncated/wrapped at "%report-dir%/stored.fi"

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Sat Apr 6 15:41:22 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 6 Apr 2019 08:41:22 -0700
Subject: All Emails tagged as {VIRUS}
In-Reply-To: <20190406111523.780E.3FC183F3@gmail.com>
References: <20190406111523.780E.3FC183F3@gmail.com>
Message-ID: <4f2f39b8-3ac1-97b8-e09e-8ef88952cbc6@msapiro.net>

On 4/6/19 2:15 AM, Polleke wrote:
> Ola,
>
> I just raised the timeout in MailScanner.conf:
>
> #Virus Scanner Timeout = 300
> Virus Scanner Timeout = 600
>
> And it works again...

And you can avoid the need to do that and all the processing involved in loading clamav on each message by using clamd instead. See .

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From salighie at gmail.com Sun Apr 7 00:02:39 2019
From: salighie at gmail.com (Sebastiano Dante Alighieri)
Date: Sat, 6 Apr 2019 20:02:39 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To: <2219111b9e062292f73798ef8558ff33@cs.fsu.edu>
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu> <2219111b9e062292f73798ef8558ff33@cs.fsu.edu>
Message-ID:

i think I've figured out where that error was coming from - MailScanner.conf:1422

[image: image.png]

fixed that and now MailScanner Lint returns nothing / two blank lines.

still no mail, however multiple failed attempts to process the message - now all messages get quarantined.

Apr 6 19:35:31 vemlsncr1 MailScanner[76527]: Warning: skipping message 73E501815AFE.A834F as it has been attempted too many times
Apr 6 19:35:31 vemlsncr1 MailScanner[76527]: Quarantined message 73E501815AFE.A834F as it caused MailScanner to crash several times
Apr 6 19:35:31 vemlsncr1 MailScanner[76527]: Saved entire message to /var/spool/MailScanner/quarantine/20190406/73E501815AFE.A834F

thanks
Sebastiano

On Sat, Apr 6, 2019 at 9:49 AM yuwang wrote:

> "Could not read file /usr/share/MailScanner/reports/en/stored.fi [2]
> >> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> >>
> >> Error in line 1422, file
> >> "/usr/share/MailScanner/reports/en/stored.fi [2] them." for
> >> storedfilenamemessage does not exist (or can not be read) at
> >> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058."
>
> The file should be
> "/usr/share/MailScanner/reports/en/stored.filename.message.txt"
>
> Your error message says /usr/share/MailScanner/reports/en/stored.fi
>
> What is the output of command:
>
> grep 'stored.fi' /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
> and
> ls -l /usr/share/MailScanner/reports/en/stored.filename.message.txt
>
> James
>
>
> On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote:
> > After I upgraded to the latest version, i get no mail; MailScanner
> > Crashes continuously
> >
> >> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: MAILSCANNER EMAIL
> >> PROCESSOR VERSION 5.1.3 STARTING...
> >>
> >> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration
> >> file /etc/MailScanner/MailScanner.conf
> >>
> >> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration
> >> file /etc/MailScanner/conf.d/README
> >>
> >> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: COULD NOT READ FILE
> >> THEM.
> >>
> >> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: ERROR IN LINE 1422,
> >> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [1] THEM." FOR
> >> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
> >>
> >> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 1500 hostnames
> >> from the phishing whitelist
> >>
> >> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 16624 hostnames
> >> from the phishing blacklists
> >>
> >> Apr 6 04:12:24 MyHost MailScanner[10890]: Using SpamAssassin
> >> results cache
> >>
> >> Apr 6 04:12:24 MyHost MailScanner[10890]: Connected to
> >> SpamAssassin cache database
> >>
> >> Apr 6 04:12:25 MyHost MailScanner[10890]: Enabling SpamAssassin
> >> auto-whitelist functionality...
> >>
> >> Apr 6 04:12:27 MyHost MailScanner[10885]: Auto: Found virus
> >> scanners: clamav
> >>
> >> Apr 6 04:12:27 MyHost MailScanner[10885]: Connected to Processing
> >> Attempts Database
> >>
> >> Apr 6 04:12:27 MyHost MailScanner[10885]: Found 1 messages in the
> >> Processing Attempts Database
> >>
> >> Apr 6 04:12:27 MyHost MailScanner[10885]: Using locktype = flock
> >>
> >> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: MAILSCANNER EMAIL
> >> PROCESSOR VERSION 5.1.3 STARTING...
> >>
> >> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration
> >> file /etc/MailScanner/MailScanner.conf
> >>
> >> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration
> >> file /etc/MailScanner/conf.d/README
> >>
> >> Apr 6 04:12:28 MyHost MailScanner[10920]: Could not read file
> >> them.
> >>
> >> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: ERROR IN LINE 1422,
> >> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [1] THEM." FOR
> >> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
> >
> > This goes on while there's a message to be processed in the db, until
> > it detects too many crashes and quarantines the message.
> >
> > when a new message comes in, it starts all over again.
> >
> > MAILSCANNER LINT OUTPUT
> >
> >> Could not read file /usr/share/MailScanner/reports/en/stored.fi [2]
> >> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> >>
> >> Error in line 1422, file
> >> "/usr/share/MailScanner/reports/en/stored.fi [2] them." for
> >> storedfilenamemessage does not exist (or can not be read) at
> >> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.
> >
> > On Fri, Apr 5, 2019 at 8:31 PM yuwang wrote:
> >
> >> My guess is clamav update issue. What happens when you 'Mailscanner
> >> Lint'? use strace to attach to clam process, use lsof to see open
> >> files,
> >> and turn on debug mode on clam might help too.
> >>
> >> James
> >>
> >> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
> >>> Hi,
> >>>
> >>> In the past couple of days my email is all coming in with the subject
> >>> line tagged as {VIRUS}. This is true for all mail, but of course
> >>> there's no virus involved.
> >>>
> >>> Mailscanner v5.0.7
> >>> ClamAV v0.100.0
> >>>
> >>>> ClamAV update process started at Fri Apr 5 18:41:07 2019
> >>>>
> >>>> WARNING: Your ClamAV installation is OUTDATED!
> >>>>
> >>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
> >>>>
> >>>> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
> >>>>
> >>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60,
> >>>> builder: sigmgr)
> >>>>
> >>>> daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63,
> >>>> builder: raynman)
> >>>>
> >>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63,
> >>>> builder: neo)
> >>>
> >>> A review of /var/log/maillog suggests that there's a problem with
> >>> ClamAV
> >>>
> >>>> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content
> >>>> Scanning: Starting
> >>>>
> >>>> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
> >>>>
> >>>> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO
> >>>> COMPLETE, TIMED OUT
> >>>>
> >>>> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL OF
> >>>> SERVICE ATTACK DETECTED!
> >>>
> >>> I've tried to observe what is happening on the system, while mail is
> >>> being scanned and what i can surmise is that clamscan is timing-out
> >>> (uses 100% CPU)
> >>>
> >>> any pointers would be greatly appreciated. I have not been able to
> >>> find anything online.
> >>>
> >>> I'll try upgrading to the latest and greatest MailScanner in the mean
> >>> time.
> >>>
> >>> thanks
> >>> Salighie
> >
> >
> > Links:
> > ------
> > [1] http://stored.fi
> > [2] http://stored.fi/
>

From mark at msapiro.net Sun Apr 7 00:21:59 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 6 Apr 2019 17:21:59 -0700
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu> <2219111b9e062292f73798ef8558ff33@cs.fsu.edu>
Message-ID: <936962d0-f171-07e4-d201-af4ebe81573e@msapiro.net>

On 4/6/19 5:02 PM, Sebastiano Dante Alighieri wrote:
>
> i think I've figured out where that error was coming from -
> MailScanner.conf:1422
>
> image.png
>
> fixed that and now MailScanner Lint returns nothing / two blank lines.

What did you fix? In your graphic you highlighted line 1423

# These can also be the filenames of rulesets.

That line and the following two are actually lines 1450-1452 in the
distributed MailScanner.conf. Lines 1422 through 1450 should be

> Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
> Stored Virus Message Report = %report-dir%/stored.virus.message.txt
> Stored Size Message Report = %report-dir%/stored.size.message.txt
>
> # Set where to find the message text sent to users explaining about the
> # attached disinfected documents.
> # This can also be the filename of a ruleset.
> Disinfected Report = %report-dir%/disinfected.report.txt
>
> # Set where to find the HTML and text versions that will be added to the
> # end of all clean messages, if "Sign Clean Messages" is set.
> # These can also be the filenames of rulesets.
> Inline HTML Signature = %report-dir%/inline.sig.html
> Inline Text Signature = %report-dir%/inline.sig.txt
>
> # When using an image in the signature, there are 2 filenames which need
> # to be set. The first is the location in this server's filesystem of the
> # image file itself. The second is the name of the image as it is stored in
> # the attachment. The HTML version of the signature will refer to this
> # second name in the HTML tag.
> # Note: the filename extension will be used as the MIME subtype, so a GIF
> # Note: the filename extension will be used as the MIME subtype, so a GIF
> # image must end in ".gif" for example. (.jpg ==> "jpeg" as a special case)
> # See "Attach Image To Signature" for notes on how to use this.
> Signature Image Filename = %report-dir%/sig.jpg
> Signature Image Filename = signature.jpg
>
> # Set where to find the HTML and text versions that will be inserted at
> # the top of messages that have had viruses removed from them.
> # These can also be the filenames of rulesets.

Everything after

Stored Bad Filename Message Report = %report-dir%/stored.fi

up to

# the top of messages that have had viruses removed from

is missing. You need to get from GitHub and either use it as is or
compare it to yours to see what you need to fix.

sudo MailScanner --lint

should return a report of 30 lines or so.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From salighie at gmail.com Mon Apr 8 20:11:52 2019
From: salighie at gmail.com (Sebastiano Dante Alighieri)
Date: Mon, 8 Apr 2019 16:11:52 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To: <2219111b9e062292f73798ef8558ff33@cs.fsu.edu>
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu> <2219111b9e062292f73798ef8558ff33@cs.fsu.edu>
Message-ID:

it would appear that increasing

*Virus Scanner Timeout = 600* (up from 300)

in MailScanner.conf, fixed it for me... at least for now.

Now, mail is being virus-scanned and delivered successfully without
any misleading subject tags; Albeit at a seemingly slow rate (here's
an excerpt from the maillog showing the processing times of two email
messages)

Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed at 299259 bytes per second

Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed at 131233 bytes per second

process [185871] took a little over 6 minutes to complete at a rate of 299259 bytes/sec
process [182275] took a little over 3 minutes to complete at a rate of 131233 bytes/sec

If we take process 185871 scanning at 299kbytes/sec taking a little
over 6 minutes to complete - one might think at that rate, that a
message of 100MB+ was scanned - but it's nowhere near that.

maybe it's I/O related... but i'm using a 256MB RAMDISK as the
v-scanner's temp directory, here is the line from my fstab

*tmpfs /var/spool/MailScanner/incoming tmpfs rw,size=256M 0 0*

other thoughts

I don't get why the timeout has to be so high, is clamav wrapper
method really that slow - is it a startup problem that would go away
if i install and integrate with the clamd.socket (I know members have
said this is preferable, just want to understand all aspects and why)
or is there something else going awry?

Or

Why is a virus scan timeout automatically treated as a virus / denial
of service attack - it seems to me that it should be configurable with
something like this

Virus Scanner Timeout Action = [detect|deliver|drop|etc]

thanks all for the support.

Best regards
Sebastiano

From yuwang at cs.fsu.edu Mon Apr 8 20:32:43 2019
From: yuwang at cs.fsu.edu (yuwang)
Date: Mon, 08 Apr 2019 16:32:43 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu> <2219111b9e062292f73798ef8558ff33@cs.fsu.edu>
Message-ID:

What's the runtime for 'time Mailscanner --lint'?

If you can, try Mark's suggestion and use clamd. I first used clamav and
had performance issues, changed to clamd and everything has been fast
since.

James

From salighie at gmail.com Mon Apr 8 20:40:36 2019
From: salighie at gmail.com (Sebastiano Dante Alighieri)
Date: Mon, 8 Apr 2019 16:40:36 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu> <2219111b9e062292f73798ef8558ff33@cs.fsu.edu>
Message-ID:

[root at MyHost ~]# time MailScanner --lint
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 868 hostnames from the phishing whitelist
Read 5807 hostnames from the phishing blacklists
Checking version numbers...
Version number in MailScanner.conf (5.1.3) is correct.
Your setting "Mail Header" contains illegal characters.
This is most likely caused by your "%org-name%" setting which must not contain any spaces, "." or "_" characters as these are known to cause problems with many mail systems.
MailScanner setting GID to (1002)
MailScanner setting UID to (89)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 0.9
config: Strange rule token: 0.6
config: Strange rule token: 1.2
config: Strange rule token: -1.0
config: Strange rule token: 0.6
config: Strange rule token: 0.5
config: Strange rule token: 1.5
config: Strange rule token: 0.6
config: Strange rule token: 1.2
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.2
config: Strange rule token: 0.6
config: Strange rule token: 0.5
config: Strange rule token: 0.6
config: Strange rule token: 0.8
config: Strange rule token: 1.3
config: Strange rule token: 0.9
config: Strange rule token: 0.5
config: Strange rule token: 0.6
config: Strange rule token: 2.9
config: Strange rule token: 2.9
config: Strange rule token: 0.9
config: Strange rule token: 0.6
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.5
config: Strange rule token: 1.5
config: Strange rule token: 1.5
config: Strange rule token: 0.3
config: Strange rule token: 0.3
config: Strange rule token: 0.3
SpamAssassin reported an error.
Auto: Found virus scanners: clamav
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Filetype Checks: Allowing 1 eicar.com
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
LibClamAV Warning: Detected duplicate databases /var/lib/clamav/bytecode.cvd and /var/lib/clamav/bytecode.cld, please manually remove one of them
1.message: Eicar-Test-Signature FOUND
./1/eicar.com: Eicar-Test-Signature FOUND
Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.

real 2m41.113s
user 2m36.969s
sys 0m3.452s
Read > >>>> https://www.clamav.net/documents/upgrading-clamav > >>>>>> > >>>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: > >> 60, > >>>>>> builder: sigmgr) > >>>>>> > >>>>>> daily.cld is up to date (version: 25410, sigs: 1552552, > >> f-level: > >>>> 63, > >>>>>> builder: raynman) > >>>>>> > >>>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: > >> 63, > >>>>>> builder: neo) > >>>>> > >>>>> A review of /var/log/maillog suggests that there's a problem > >> with > >>>>> ClamAV > >>>>> > >>>>>> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content > >>>>>> Scanning: Starting > >>>>>> > >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV > >> TIMED > >>>> OUT > >>>>>> > >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO > >>>>>> COMPLETE, TIMED OUT > >>>>>> > >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: > >> DENIAL > >>>> OF > >>>>>> SERVICE ATTACK DETECTED! > >>>>> > >>>>> I've tried to observe what is happening on the system, while > >> mail > >>>> is > >>>>> being scanned and what i can surmise is that clamscan is > >>>> timing-out > >>>>> (uses 100% CPU) > >>>>> > >>>>> any pointers would be greatly appreciated. I have not been able > >> to > >>>>> find anything online. > >>>>> > >>>>> I'll try upgrading to the latest and greatest MailScanner in the > >>>> mean > >>>>> time. > >>>>> > >>>>> thanks > >>>>> Salighie > >>> > >>> > >>> Links: > >>> ------ > >>> [1] http://stored.fi > >>> [2] http://stored.fi/ > > > > > > Links: > > ------ > > [1] http://stored.fi > > [2] http://STORED.FI > -------------- next part -------------- An HTML attachment was scrubbed... 
From salighie at gmail.com Mon Apr 8 21:03:19 2019
From: salighie at gmail.com (Sebastiano Dante Alighieri)
Date: Mon, 8 Apr 2019 17:03:19 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu> <2219111b9e062292f73798ef8558ff33@cs.fsu.edu>
Message-ID:

BTW: Thanks Mark for the suggestion (increasing the timeout to 600 - that was a quick win!) - but long-term, I will try to get clamd working - I'm having some issues getting Clamd to start as a service - it hangs on the way up, crashes, tries to restart... but that's another thread. I'll post that to the ClamAV mailing list.

Thanks again all for the support, much appreciated.

#LoveMailScanner

On Mon, Apr 8, 2019 at 4:32 PM yuwang wrote:

> What's the runtime for 'time Mailscanner --lint'?
>
> If you can, try Mark's suggestion and use clamd. I first used clamav and
> had performance issues, changed to clamd and everything has been fast
> since.
>
> James
>
> On 2019-04-08 16:11, Sebastiano Dante Alighieri wrote:
> > it would appear that increasing
> >
> > VIRUS SCANNER TIMEOUT = 600 (up from 300)
> >
> > in MailScanner.conf, fixed it for me... at least for now.
From Nicola.Piazzi at gruppocomet.it Tue Apr 9 10:12:44 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 9 Apr 2019 10:12:44 +0000
Subject: Sophos SAVI (SOLVED)
Message-ID:

Hi,
I wrote documentation on how to use Sophos SAVI in MailScanner on CentOS 64-bit.

SAVI uses a daemon like clamd, so it is inexpensive on CPU when scanning files.

If anyone is interested, write to me directly and I'll send the doc.

From iversons at rushville.k12.in.us Tue Apr 9 10:23:54 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 9 Apr 2019 06:23:54 -0400
Subject: Sophos SAVI (SOLVED)
In-Reply-To:
References:
Message-ID:

Nicola,

I'm interested and would like to give it a try.

On Tue, Apr 9, 2019 at 6:12 AM Nicola Piazzi wrote:

> Hi,
> I wrote documentation on how to use Sophos SAVI in MailScanner on CentOS
> 64-bit.
>
> SAVI uses a daemon like clamd, so it is inexpensive on CPU when scanning files.
>
> If anyone is interested, write to me directly and I'll send the doc.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From yuwang at cs.fsu.edu Tue Apr 9 15:51:10 2019
From: yuwang at cs.fsu.edu (Yu Wang)
Date: Tue, 9 Apr 2019 15:51:10 +0000
Subject: All Emails tagged as {VIRUS}
In-Reply-To:
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu> <2219111b9e062292f73798ef8558ff33@cs.fsu.edu>
Message-ID: <69fcafbf822e495c85086472965092d1@EXCH1.cs.fsu.edu>

Your spamassassin reported one error. You may want to check and fix it. My MailScanner --lint runs in 2.3 seconds, yours ran 160 seconds.
How long does it take to run this one:

time spamassassin -D --lint

You also have duplicated clamav databases. See below in red font color.

James

From: Sebastiano Dante Alighieri
Sent: Monday, April 8, 2019 4:41 PM
To: Yu Wang
Cc: MailScanner Discussion
Subject: Re: All Emails tagged as {VIRUS}

[root at MyHost ~]# time MailScanner --lint
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 868 hostnames from the phishing whitelist
Read 5807 hostnames from the phishing blacklists
Checking version numbers...
Version number in MailScanner.conf (5.1.3) is correct.
Your setting "Mail Header" contains illegal characters.
This is most likely caused by your "%org-name%" setting
which must not contain any spaces, "." or "_" characters
as these are known to cause problems with many mail systems.
MailScanner setting GID to (1002)
MailScanner setting UID to (89)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 0.9
config: Strange rule token: 0.6
config: Strange rule token: 1.2
config: Strange rule token: -1.0
config: Strange rule token: 0.6
config: Strange rule token: 0.5
config: Strange rule token: 1.5
config: Strange rule token: 0.6
config: Strange rule token: 1.2
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.2
config: Strange rule token: 0.6
config: Strange rule token: 0.5
config: Strange rule token: 0.6
config: Strange rule token: 0.8
config: Strange rule token: 1.3
config: Strange rule token: 0.9
config: Strange rule token: 0.5
config: Strange rule token: 0.6
config: Strange rule token: 2.9
config: Strange rule token: 2.9
config: Strange rule token: 0.9
config: Strange rule token: 0.6
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.5
config: Strange rule token: 1.5
config: Strange rule token: 1.5
config: Strange rule token: 0.3
config: Strange rule token: 0.3
config: Strange rule token: 0.3
SpamAssassin reported an error.
Auto: Found virus scanners: clamav
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Filetype Checks: Allowing 1 eicar.com
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
LibClamAV Warning: Detected duplicate databases /var/lib/clamav/bytecode.cvd and /var/lib/clamav/bytecode.cld, please manually remove one of them
1.message: Eicar-Test-Signature FOUND
./1/eicar.com: Eicar-Test-Signature FOUND
Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.

real 2m41.113s
user 2m36.969s
sys 0m3.452s

On Mon, Apr 8, 2019 at 4:32 PM yuwang wrote:

What's the runtime for 'time Mailscanner --lint'?

If you can, try Mark's suggestion and use clamd. I first used clamav and had performance issues, changed to clamd and everything has been fast since.

James

On 2019-04-08 16:11, Sebastiano Dante Alighieri wrote:
> it would appear that increasing
>
> VIRUS SCANNER TIMEOUT = 600 (up from 300)
>
> in MailScanner.conf, fixed it for me... at least for now.

From yuwang at cs.fsu.edu Tue Apr 9 16:25:23 2019
From: yuwang at cs.fsu.edu (Yu Wang)
Date: Tue, 9 Apr 2019 16:25:23 +0000
Subject: MailScanner was attacked by DOS and deletes message body
Message-ID: <5b6a32cbc2d944fdbf6f0c1a1cdfded2@EXCH1.cs.fsu.edu>

Hello,

In the past month, I have a few users asked me to retrieve email messages deleted by Mailscanner.
When I went to the directory listed by Mailscanner, I cannot find the directory and thus cannot retrieve messages for my users. Here is an example:

From: zzzzz
Date: 4/8/19 4:55 AM (GMT-05:00)
To: zzzzzz at cs.fsu.edu
Subject: Re: Internship Application

MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report.

Attack in: /var/spool/MailScanner/incoming/141905/1841B12012B.A4390/nmsg-141905-20.html

There was no directory /var/spool/MailScanner/incoming/141905/ on the server (about 5 hours later). I searched '1841B12012B.A4390' under /var/spool/MailScanner and /var/spool/postfix/ and found nothing.

[root at smtpin2 log]# ls -l /var/spool/MailScanner/incoming/141905/1841B12012B.A4390/nmsg-141905-20.html
ls: cannot access /var/spool/MailScanner/incoming/141905/1841B12012B.A4390/nmsg-141905-20.html: No such file or directory

Maillog entries:

Apr 8 04:55:08 smtpin2 postfix/smtpd[106496]: 1841B12012B: client=zzzzzzz.go.jp[zzzzzzzz]
Apr 8 04:55:08 smtpin2 postfix/cleanup[143771]: 1841B12012B: hold: header Received: from zzzzzzz.jp (zzzzzzzz.go.jp [zzzzzzzzzzzz])??by smtp.cs.fsu.edu (Postfix) with ESMTP id 1841B12012B??for ; Mon, 8 Apr 2019 04:55:07 -0400 (EDT) from zzzz.go.jp[]; from= to= proto=ESMTP helo=
Apr 8 04:55:08 smtpin2 postfix/cleanup[143771]: 1841B12012B: message-id=<7A29AFFE-45F6-472F-AE30-A181EB69CBB6 at riken.jp>
Apr 8 04:55:08 smtpin2 opendkim[79156]: 1841B12012B: zzzzzzzz.go.jp [zzzzzzz] not internal
Apr 8 04:55:08 smtpin2 opendkim[79156]: 1841B12012B: not authenticated
Apr 8 04:55:08 smtpin2 opendkim[79156]: 1841B12012B: no signature data
Apr 8 04:55:08 smtpin2 opendmarc[64392]: 1841B12012B: SPF(mailfrom): zzzzz.jp pass
Apr 8 04:55:08 smtpin2 opendmarc[64392]: 1841B12012B: riken.jp none
Apr 8 04:55:08 smtpin2 postfix/smtpd[106496]: disconnect from zzzzzzz.go.jp[zzzzzzzz] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 8 04:55:09 smtpin2 MailScanner[141905]: New Batch: Scanning 1 messages, 21869 bytes
Apr 8 04:55:09 smtpin2 MailScanner[141905]: Virus and Content Scanning: Starting
Apr 8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Whitelist refresh time reached
Apr 8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Starting up MailWatch SQL Whitelist
Apr 8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Read 309 whitelist entries
Apr 8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Blacklist refresh time reached
Apr 8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Starting up MailWatch SQL Blacklist
Apr 8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Read 291 blacklist entries
Apr 8 04:55:14 smtpin2 MailScanner[141905]: HTML disarming died, status = 13
Apr 8 04:55:14 smtpin2 MailScanner[141905]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 1841B12012B.A4390 from zzzzzz at riken.jp
Apr 8 04:55:14 smtpin2 MailScanner[141905]: Requeue: 1841B12012B.A4390 to B30B212012C
Apr 8 04:55:14 smtpin2 MailScanner[141905]: Uninfected: Delivered 1 messages
Apr 8 04:55:14 smtpin2 postfix/qmgr[33312]: B30B212012C: from=, size=20446, nrcpt=1 (queue active)
Apr 8 04:55:14 smtpin2 MailScanner[141905]: Deleted 1 messages from processing-database
Apr 8 04:55:14 smtpin2 postfix/smtp[146430]: Host offered STARTTLS: [zzzzzz.cs.fsu.edu]
Apr 8 04:55:14 smtpin2 postfix/smtp[146430]: B30B212012C: to=, relay=zzzzzz.cs.fsu.edu[]:25, delay=6.8, delays=6.7/0/0/0.01, dsn=2.0.0, status=sent (250 Ok: queued as 3746AF39B1)
Apr 8 04:55:14 smtpin2 postfix/qmgr[33312]: B30B212012C: removed

Also there was no entry for this message under MailWatch's "Message Listing".

I would like to either configure MailScanner to not delete the message body or have the ability to locate the email message and manually send it to my users.

Any help would be greatly appreciated.

Thank you.

James Wang
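The two log-reading exercises in this thread (working out how long each MailScanner child spent on a batch, and tracing a message whose HTML part was replaced after "HTML disarming died") can be scripted. This is an added example, not part of any poster's message and not MailScanner code; the sample lines are constructed from the excerpts quoted in the thread, sender@example.org is a placeholder, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the maillog excerpts quoted in this thread.
# sender@example.org is a placeholder address.
SAMPLE_LOG = """\
Apr  5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
Apr  5 18:34:23 myhost MailScanner[7448]: AV engine clamav timed out
Apr  5 18:34:23 myhost MailScanner[7448]: clamav: Failed to complete, timed out
Apr  5 18:34:23 myhost MailScanner[7448]: Virus Scanning: Denial Of Service attack detected!
Apr  8 04:55:09 smtpin2 MailScanner[141905]: Virus and Content Scanning: Starting
Apr  8 04:55:14 smtpin2 MailScanner[141905]: HTML disarming died, status = 13
Apr  8 04:55:14 smtpin2 MailScanner[141905]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 1841B12012B.A4390 from sender@example.org
Apr  8 04:55:14 smtpin2 MailScanner[141905]: Requeue: 1841B12012B.A4390 to B30B212012C
Apr  8 04:55:14 smtpin2 postfix/qmgr[33312]: B30B212012C: removed
Apr  8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
Apr  8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
Apr  8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
Apr  8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
Apr  8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed at 131233 bytes per second
Apr  8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed at 299259 bytes per second
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
DISARM_RE = re.compile(r"^HTML disarming died, status = (\d+)$")
CONTENT_RE = re.compile(r"tags in HTML message in (\S+) from (\S+)$")
REQUEUE_RE = re.compile(r"^Requeue: (\S+) to (\S+)$")


def parse(lines, year=2019):
    """Yield (timestamp, pid, message) for MailScanner lines; skip all others."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse syslog's day padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, int(m["pid"]), m["msg"]


def batch_timings(lines, year=2019):
    """Seconds each child PID spent in the scan phase and on the whole batch."""
    open_batches, batches = {}, []
    for ts, pid, msg in parse(lines, year):
        if msg == "Virus and Content Scanning: Starting":
            open_batches[pid] = {"pid": pid, "start": ts, "scan_s": None,
                                 "total_s": None, "timed_out": False}
            batches.append(open_batches[pid])
        elif pid in open_batches:
            batch = open_batches[pid]
            elapsed = int((ts - batch["start"]).total_seconds())
            if msg.startswith("Virus Scanning completed"):
                batch["scan_s"] = elapsed
            elif msg.startswith("Virus Processing completed"):
                batch["total_s"] = elapsed
                del open_batches[pid]
            elif msg.endswith("timed out") and not batch["timed_out"]:
                # The first "timed out" line marks when the scanner was given up on.
                batch["timed_out"], batch["total_s"] = True, elapsed
    return batches


def disarm_failures(lines, year=2019):
    """Messages altered after an HTML disarm failure, with their new queue id."""
    pending, found = {}, {}  # pid -> exit status; MailScanner id -> record
    for ts, pid, msg in parse(lines, year):
        if (m := DISARM_RE.match(msg)):
            pending[pid] = int(m[1])
        elif pid in pending and (m := CONTENT_RE.search(msg)):
            found[m[1]] = {"time": ts, "status": pending.pop(pid),
                           "msg_id": m[1], "sender": m[2], "requeued_as": None}
        elif (m := REQUEUE_RE.match(msg)) and m[1] in found:
            found[m[1]]["requeued_as"] = m[2]
    return list(found.values())


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for b in batch_timings(sample):
        print(b["pid"], "scan:", b["scan_s"], "total:", b["total_s"],
              "TIMED OUT" if b["timed_out"] else "")
    for d in disarm_failures(sample):
        print(d["msg_id"], "from", d["sender"], "status", d["status"],
              "requeued as", d["requeued_as"])
```

On the sample, both completed batches spend about 150 seconds in the virus-scanning phase, and the disarm failure maps MailScanner id 1841B12012B.A4390 to queue id B30B212012C, the id under which the modified message went on to delivery.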
From yuwang at cs.fsu.edu Tue Apr 9 16:31:02 2019
From: yuwang at cs.fsu.edu (Yu Wang)
Date: Tue, 9 Apr 2019 16:31:02 +0000
Subject: MailScanner was attacked by DOS and deletes message body
In-Reply-To: <5b6a32cbc2d944fdbf6f0c1a1cdfded2@EXCH1.cs.fsu.edu>
References: <5b6a32cbc2d944fdbf6f0c1a1cdfded2@EXCH1.cs.fsu.edu>
Message-ID: <51855b54332840f68b183ca06cadf776@EXCH1.cs.fsu.edu>

I should have searched the list before posting this. I found old posts on this subject right after I sent this email. I will update my Mailscanner to the latest stable to have "Ignore Denial of Service option".

Thanks.

James

From mark at msapiro.net Tue Apr 9 17:01:00 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 9 Apr 2019 10:01:00 -0700
Subject: MailScanner was attacked by DOS and deletes message body
In-Reply-To: <5b6a32cbc2d944fdbf6f0c1a1cdfded2@EXCH1.cs.fsu.edu>
References: <5b6a32cbc2d944fdbf6f0c1a1cdfded2@EXCH1.cs.fsu.edu>
Message-ID:

On 4/9/19 9:25 AM, Yu Wang wrote:
>
> MailScanner was attacked by a Denial Of Service attack, and has
> therefore deleted this part of the message. Please contact your e-mail
> providers for more information if you need it, giving them the whole of
> this report.
> Attack in: /var/spool/MailScanner/incoming/141905/1841B12012B.A4390/nmsg-141905-20.html
>
> There was no directory /var/spool/MailScanner/incoming/141905/ on the
> server (about 5 hours later). I searched '1841B12012B.A4390' under
> /var/spool/MailScanner and /var/spool/postfix/ and found nothing.

If MailScanner saved the message, it would be in
/var/spool/MailScanner/quarantine/20190408/1841B12012B.A4390/message or
possibly
/var/spool/MailScanner/quarantine/20190408/spam/1841B12012B.A4390.
'20190408' is the date.

--
Mark Sapiro                               The highway is for gamblers,
San Francisco Bay Area, California        better use your sense - B. Dylan

From salighie at gmail.com Tue Apr 9 17:40:33 2019
From: salighie at gmail.com (Sebastiano Dante Alighieri)
Date: Tue, 9 Apr 2019 13:40:33 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To: <69fcafbf822e495c85086472965092d1@EXCH1.cs.fsu.edu>
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu> <2219111b9e062292f73798ef8558ff33@cs.fsu.edu> <69fcafbf822e495c85086472965092d1@EXCH1.cs.fsu.edu>
Message-ID:

spamassassin processing time:

real 0m7.930s
user 0m7.607s
sys 0m0.309s

delete the duplicate db

looking into spamassassin error: seems Geo::IP and Net::Patricia are not installed
i'll try to install them now

On Tue, Apr 9, 2019 at 11:51 AM Yu Wang wrote:

> Your spamassassin reported one error. You may want to check and fix it.
>
> My MailScanner --lint runs in 2.3 seconds, yours ran 160 seconds.
>
> How long does it take to run this one:
>
> time spamassassin -D --lint
>
> You also have duplicated clamav databases. See below in red font color.
>
> James
>
> *From:* Sebastiano Dante Alighieri
> *Sent:* Monday, April 8, 2019 4:41 PM
> *To:* Yu Wang
> *Cc:* MailScanner Discussion
> *Subject:* Re: All Emails tagged as {VIRUS}
>
> [root at MyHost ~]# time MailScanner --lint
> Trying to setlogsock(unix)
>
> Reading configuration file /etc/MailScanner/MailScanner.conf
> Reading configuration file /etc/MailScanner/conf.d/README
> Read 868 hostnames from the phishing whitelist
> Read 5807 hostnames from the phishing blacklists
>
> Checking version numbers...
> Version number in MailScanner.conf (5.1.3) is correct.
>
> Your setting "Mail Header" contains illegal characters.
> This is most likely caused by your "%org-name%" setting
> which must not contain any spaces, "." or "_" characters
> as these are known to cause problems with many mail systems.
>
> MailScanner setting GID to (1002)
> MailScanner setting UID to (89)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 0.9
> config: Strange rule token: 0.6
> config: Strange rule token: 1.2
> config: Strange rule token: -1.0
> config: Strange rule token: 0.6
> config: Strange rule token: 0.5
> config: Strange rule token: 1.5
> config: Strange rule token: 0.6
> config: Strange rule token: 1.2
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.2
> config: Strange rule token: 0.6
> config: Strange rule token: 0.5
> config: Strange rule token: 0.6
> config: Strange rule token: 0.8
> config: Strange rule token: 1.3
> config: Strange rule token: 0.9
> config: Strange rule token: 0.5
> config: Strange rule token: 0.6
> config: Strange rule token: 2.9
> config: Strange rule token: 2.9
> config: Strange rule token: 0.9
> config: Strange rule token: 0.6
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.9
> config: Strange rule token: 1.5
> config: Strange rule token: 1.5
> config: Strange rule token: 1.5
> config: Strange rule token: 0.3
> config: Strange rule token: 0.3
> config: Strange rule token: 0.3
> SpamAssassin reported an error.
> Auto: Found virus scanners: clamav
> Connected to Processing Attempts Database
> Created Processing Attempts Database successfully
> There are 0 messages in the Processing Attempts Database
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamav
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Filetype Checks: Allowing 1 eicar.com
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> LibClamAV Warning: Detected duplicate databases
> /var/lib/clamav/bytecode.cvd and /var/lib/clamav/bytecode.cld, please
> manually remove one of them
> 1.message: Eicar-Test-Signature FOUND
>
> ./1/eicar.com: Eicar-Test-Signature FOUND
>
> Virus Scanning: ClamAV found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> ===========================================================================
> Virus Scanner test reports:
> ClamAV said "eicar.com contains Eicar-Test-Signature"
>
> If any of your virus scanners (clamav)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its virus.scanners.conf.
>
> real 2m41.113s
> user 2m36.969s
> sys 0m3.452s
>
> On Mon, Apr 8, 2019 at 4:32 PM yuwang wrote:
>
> What's the runtime for 'time Mailscanner --lint'?
>
> If you can, try Mark's suggestion and use clamd. I first used clamav and
> had performance issues, changed to clamd and everything has been fast
> since.
>
> James
>
> On 2019-04-08 16:11, Sebastiano Dante Alighieri wrote:
> > it would appear that increasing
> >
> > VIRUS SCANNER TIMEOUT = 600 (up from 300)
> >
> > in MailScanner.conf, fixed it for me... at least for now.
> >
> > Now, mail is being virus-scanned and delivered successfully without
> > any misleading subject tags; Albeit at a seemingly slow rate (here's
> > an excerpt from the maillog showing the processing times of two email
> > messages)
> >
> > Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
> >
> > Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
> > Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed at 299259 bytes per second
> >
> > Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
> > Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
> >
> > Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed at 131233 bytes per second
> >
> > process [185871] took a little over 6 minutes to complete at a rate of
> > 299259 bytes/sec
> > process [182275] took a little over 3 minutes to complete at a rate of
> > 131233 bytes/sec
> >
> > If we take process 185871 scanning at 299kbytes/sec taking a little
> > over 6 minutes to complete - one might think at that rate, that a
> > message of 100MB+ was scanned - but it's nowhere near that.
> >
> > maybe it's I/O related... but i'm using a 256MB RAMDISK as the
> > v-scanner's temp directory, here is the line from my fstab
> > TMPFS /VAR/SPOOL/MAILSCANNER/INCOMING TMPFS RW,SIZE=256M 0 0
> >
> > other thoughts
> >
> > I don't get why the timeout has to be so high, is clamav wrapper
> > method really that slow - is it a startup problem that would go away
> > if i install and integrate with the clamd.socket (I know members have
> > said this is preferable, just want to understand all aspects and why)
> > or is there something else going awry?
> >
> > Or
> >
> > Why is a virus scan timeout automatically treated as a virus / denial
> > of service attack - it seems to me that it should be configurable with
> > something like this
> > Virus Scanner Timeout Action = [detect|deliver|drop|etc]
> >
> > thanks all for the support.
> >
> > Best regards
> > Sebastiano
> >
> > On Sat, Apr 6, 2019 at 9:49 AM yuwang wrote:
> >
> >> "Could not read file /usr/share/MailScanner/reports/en/stored.fi [1] [2]
> >>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> >>>>
> >>>> Error in line 1422, file
> >>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for
> >>>> storedfilenamemessage does not exist (or can not be read) at
> >>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058."
> >>
> >> The file should be
> >> "/usr/share/MailScanner/reports/en/stored.filename.message.txt"
> >>
> >> Your error message says /usr/share/MailScanner/reports/en/stored.fi [1]
> >>
> >> What is the output of command:
> >>
> >> grep 'stored.fi [1]' /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
> >> and
> >> ls -l /usr/share/MailScanner/reports/en/stored.filename.message.txt
> >>
> >> James
> >>
> >> On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote:
> >>> After I upgraded to the latest version, i get no mail; MailScanner
> >>> Crashes continuously
> >>>
> >>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: MAILSCANNER EMAIL PROCESSOR VERSION 5.1.3 STARTING...
> >>>>
> >>>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration file /etc/MailScanner/MailScanner.conf
> >>>>
> >>>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration file /etc/MailScanner/conf.d/README
> >>>>
> >>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: COULD NOT READ FILE THEM.
> >>>>
> >>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: ERROR IN LINE 1422, FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM." FOR STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
> >>>>
> >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 1500 hostnames from the phishing whitelist
> >>>>
> >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 16624 hostnames from the phishing blacklists
> >>>>
> >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Using SpamAssassin results cache
> >>>>
> >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Connected to SpamAssassin cache database
> >>>>
> >>>> Apr 6 04:12:25 MyHost MailScanner[10890]: Enabling SpamAssassin auto-whitelist functionality...
> >>>>
> >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Auto: Found virus scanners: clamav
> >>>>
> >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Connected to Processing Attempts Database
> >>>>
> >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Found 1 messages in the Processing Attempts Database
> >>>>
> >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Using locktype = flock
> >>>>
> >>>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: MAILSCANNER EMAIL PROCESSOR VERSION 5.1.3 STARTING...
> >>>>
> >>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration file /etc/MailScanner/MailScanner.conf
> >>>>
> >>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration file /etc/MailScanner/conf.d/README
> >>>>
> >>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Could not read file them.
> >>>>
> >>>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: ERROR IN LINE 1422, FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM." FOR STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
> >>>
> >>> This goes on while there's a message to be processed in the db, until
> >>> it detects too many crashes and quarantines the message.
> >>>
> >>> when a new message comes in, it starts all over again.
> >>>
> >>> MAILSCANNER LINT OUTPUT
> >>>
> >>>> Could not read file /usr/share/MailScanner/reports/en/stored.fi [1] [2]
> >>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> >>>>
> >>>> Error in line 1422, file
> >>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for
> >>>> storedfilenamemessage does not exist (or can not be read) at
> >>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.
> >>>
> >>> On Fri, Apr 5, 2019 at 8:31 PM yuwang wrote:
> >>>
> >>>> My guess is clamav update issue. What happens when you 'Mailscanner
> >>>> Lint'? use strace to attach to clam process, use lsof to see open
> >>>> files, and turn on debug mode on clam might help too.
> >>>>
> >>>> James
> >>>>
> >>>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
> >>>>> Hi,
> >>>>>
> >>>>> In the past couple of days my email is all coming in with the subject
> >>>>> line tagged as {VIRUS}. This is true for all mail, but of course
> >>>>> there's no virus involved.
> >>>>>
> >>>>> Mailscanner v5.0.7
> >>>>> ClamAV v0.100.0
> >>>>>
> >>>>>> ClamAV update process started at Fri Apr 5 18:41:07 2019
> >>>>>>
> >>>>>> WARNING: Your ClamAV installation is OUTDATED!
> >>>>>>
> >>>>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
> >>>>>>
> >>>>>> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
> >>>>>>
> >>>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> >>>>>>
> >>>>>> daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63, builder: raynman)
> >>>>>>
> >>>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
> >>>>>
> >>>>> A review of /var/log/maillog suggests that there's a problem with
> >>>>> ClamAV
> >>>>>
> >>>>>> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
> >>>>>>
> >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
> >>>>>>
> >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO COMPLETE, TIMED OUT
> >>>>>>
> >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL OF SERVICE ATTACK DETECTED!
> >>>>>
> >>>>> I've tried to observe what is happening on the system, while mail is
> >>>>> being scanned and what i can surmise is that clamscan is timing-out
> >>>>> (uses 100% CPU)
> >>>>>
> >>>>> any pointers would be greatly appreciated.
I have not been able > >> to > >>>>> find anything online. > >>>>> > >>>>> I'll try upgrading to the latest and greatest MailScanner in the > >>>> mean > >>>>> time. > >>>>> > >>>>> thanks > >>>>> Salighie > >>> > >>> > >>> Links: > >>> ------ > >>> [1] http://stored.fi > >>> [2] http://stored.fi/ > > > > > > Links: > > ------ > > [1] http://stored.fi > > [2] http://STORED.FI > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From yuwang at cs.fsu.edu Wed Apr 10 13:47:14 2019 From: yuwang at cs.fsu.edu (Yu Wang) Date: Wed, 10 Apr 2019 09:47:14 -0400 Subject: All Emails tagged as {VIRUS} In-Reply-To: References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu> <2219111b9e062292f73798ef8558ff33@cs.fsu.edu> <69fcafbf822e495c85086472965092d1@EXCH1.cs.fsu.edu> Message-ID: <000201d4efa3$e7f9ea10$b7edbe30$@cs.fsu.edu> Mine runs less than 2 seconds but 8 seconds is not too bad. It could be that you have a slower machine. Clamav seems to be the pita. What MTA do you run, Postfix? From: Sebastiano Dante Alighieri Sent: Tuesday, April 9, 2019 1:41 PM To: Yu Wang Cc: MailScanner Discussion Subject: Re: All Emails tagged as {VIRUS} spamassassin processing time: real 0m7.930s user 0m7.607s sys 0m0.309s delete the duplicate db looking into spamassassin error: seems Geo::IP and Net::Patricia are not installed i'll try to install them now On Tue, Apr 9, 2019 at 11:51 AM Yu Wang > wrote: Your spamassassin reported one error. You may want to check and fix it. My MailScanner ?lint runs in 2.3 seconds, yours ran 160 seconds. How long does it take to run this one: time spamassassin -D --lint You also have duplicated clamav databases. See below in red font color. 
James From: Sebastiano Dante Alighieri > Sent: Monday, April 8, 2019 4:41 PM To: Yu Wang > Cc: MailScanner Discussion > Subject: Re: All Emails tagged as {VIRUS} [root at MyHost ~]# time MailScanner --lint Trying to setlogsock(unix) Reading configuration file /etc/MailScanner/MailScanner.conf Reading configuration file /etc/MailScanner/conf.d/README Read 868 hostnames from the phishing whitelist Read 5807 hostnames from the phishing blacklists Checking version numbers... Version number in MailScanner.conf (5.1.3) is correct. Your setting "Mail Header" contains illegal characters. This is most likely caused by your "%org-name%" setting which must not contain any spaces, "." or "_" characters as these are known to cause problems with many mail systems. MailScanner setting GID to (1002) MailScanner setting UID to (89) Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 0.9 config: Strange rule token: 0.6 config: Strange rule token: 1.2 config: Strange rule token: -1.0 config: Strange rule token: 0.6 config: Strange rule token: 0.5 config: Strange rule token: 1.5 config: Strange rule token: 0.6 config: Strange rule token: 1.2 config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.2 config: Strange rule token: 0.6 config: Strange rule token: 0.5 config: Strange rule token: 0.6 config: Strange rule token: 0.8 config: Strange rule token: 1.3 config: Strange rule token: 0.9 config: Strange rule token: 0.5 config: Strange rule token: 0.6 config: Strange rule token: 2.9 config: Strange rule token: 2.9 config: Strange rule token: 0.9 config: Strange rule token: 0.6 config: Strange rule 
token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.9 config: Strange rule token: 1.5 config: Strange rule token: 1.5 config: Strange rule token: 1.5 config: Strange rule token: 0.3 config: Strange rule token: 0.3 config: Strange rule token: 0.3 SpamAssassin reported an error. Auto: Found virus scanners: clamav Connected to Processing Attempts Database Created Processing Attempts Database successfully There are 0 messages in the Processing Attempts Database Using locktype = posix MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: clamav =========================================================================== Filename Checks: Windows/DOS Executable (1 eicar.com ) Filetype Checks: Allowing 1 eicar.com Other Checks: Found 1 problems Virus and Content Scanning: Starting LibClamAV Warning: Detected duplicate databases /var/lib/clamav/bytecode.cvd and /var/lib/clamav/bytecode.cld, please manually remove one of them 1.message: Eicar-Test-Signature FOUND ./1/eicar.com : Eicar-Test-Signature FOUND Virus Scanning: ClamAV found 2 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 2 viruses =========================================================================== Virus Scanner test reports: ClamAV said "eicar.com contains Eicar-Test-Signature" If any of your virus scanners (clamav) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. real 2m41.113s user 2m36.969s sys 0m3.452s On Mon, Apr 8, 2019 at 4:32 PM yuwang > wrote: What's the runtime for 'time Mailscanner --lint'? If you can, try Mark's suggestion and use clamd. I first used clamav and had performance issues, changed to clamd and everything has been fast since. 
James On 2019-04-08 16:11, Sebastiano Dante Alighieri wrote: > it would appear that increasing > > VIRUS SCANNER TIMEOUT = 600 (up from 300) > > in MailScanner.conf, fixed it for me... at least for now. > > Now, mail is being virus-scanned and delivered successfully without > any misleading subject tags; Albeit at a seemingly slow rate (here's > an excerpt from the maillog showing the processing times of two email > messages) > > Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: > Starting > > Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at > 911 bytes per second > Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed > at 299259 bytes per second > > Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: > Starting > Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at > 322 bytes per second > > Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed > at 131233 bytes per second > > process [185871] took a little over 6 minutes to complete at a rate of > 299259 bytes/sec > process [182275] took a little over 3 minutes to complete at a rate of > 131233 bytes/sec > > If we take process 185871 scanning at 299kbtes/sec taking a little > over 6 minutes to complete - one might think at that rate, that a > message of 100MB+ was scanned - but it's no where near that. > > maybe it's I/O related... but i'm using a 256MB RAMDISK as the > v-scanner's temp directory, here is the line from my fstab > TMPFS /VAR/SPOOL/MAILSCANNER/INCOMING TMPFS RW,SIZE=256M 0 0 > > other thoughts > > I don't get why the timeout has to be so high, is clamav wrapper > method really that slow - is it a startup problem that would go away > if i install and integrate with the clamd.socket (I know members have > said this is preferable, just want to understand all aspects and why) > or is there something else going awry? 
> > Or > > Why is a virus scan timeout automatically treated as a virus / denial > of service attack - it seems to me that it should be configurable with > something like this > Virus Scanner Timeout Action = [detect|deliver|drop|etc] > > thanks all for the support. > > Best regards > Sebastiano > > On Sat, Apr 6, 2019 at 9:49 AM yuwang > wrote: > >> "Could not read file /usr/share/MailScanner/reports/en/stored.fi [1] >> [2] >>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856. >>>> >>>> Error in line 1422, file >>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for >>>> storedfilenamemessage does not exist (or can not be read) at >>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058." >> >> The file should be >> "/usr/share/MailScanner/reports/en/stored.filename.message.txt" >> >> Your error message says /usr/share/MailScanner/reports/en/stored.fi >> [1] >> >> What is the output of command: >> >> grep 'stored.fi [1]' >> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl >> and >> ls -l >> /usr/share/MailScanner/reports/en/stored.filename.message.txt >> >> James >> >> On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote: >>> After I upgraded to the latest version, i get no mail; MailScanner >>> Crashes continuously >>> >>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: MAILSCANNER EMAIL >>>> PROCESSOR VERSION 5.1.3 STARTING... >>>> >>>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading >> configuration >>>> file /etc/MailScanner/MailScanner.conf >>>> >>>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading >> configuration >>>> file /etc/MailScanner/conf.d/README >>>> >>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: COULD NOT READ FILE >>>> THEM. >>>> >>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: ERROR IN LINE 1422, >>>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM." 
>> FOR >>>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ) >>>> >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 1500 hostnames >>>> from the phishing whitelist >>>> >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 16624 hostnames >>>> from the phishing blacklists >>>> >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Using SpamAssassin >>>> results cache >>>> >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Connected to >>>> SpamAssassin cache database >>>> >>>> Apr 6 04:12:25 MyHost MailScanner[10890]: Enabling >> SpamAssassin >>>> auto-whitelist functionality... >>>> >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Auto: Found virus >>>> scanners: clamav >>>> >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Connected to >> Processing >>>> Attempts Database >>>> >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Found 1 messages in >> the >>>> Processing Attempts Database >>>> >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Using locktype = >> flock >>>> >>>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: MAILSCANNER EMAIL >>>> PROCESSOR VERSION 5.1.3 STARTING... >>>> >>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading >> configuration >>>> file /etc/MailScanner/MailScanner.conf >>>> >>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading >> configuration >>>> file /etc/MailScanner/conf.d/README >>>> >>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Could not read file >>>> them. >>>> >>>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: ERROR IN LINE 1422, >>>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM." >> FOR >>>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ) >>> >>> This goes on while there's a message to be processed in the db, >> until >>> it detects too many crashes and quarantines the message. >>> >>> when a new message comes in, it starts all over again. 
>>> >>> MAILSCANNER LINT OUTPUT >>> >>>> Could not read file /usr/share/MailScanner/reports/en/stored.fi >> [1] [2] >>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856. >>>> >>>> Error in line 1422, file >>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for >>>> storedfilenamemessage does not exist (or can not be read) at >>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058. >>> >>> On Fri, Apr 5, 2019 at 8:31 PM yuwang > wrote: >>> >>>> My guess is clamav update issue. What happens when you >> 'Mailscanner >>>> Lint'? use strace to attach to clam process, use lsof to see open >>>> files, >>>> and turn on debug mode on clam might help too. >>>> >>>> James >>>> >>>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote: >>>>> Hi, >>>>> >>>>> In the past couple of days my email is all coming in with the >>>> subject >>>>> line tagged as {VIRUS}. This is true for all mail, but of course >>>>> there's no virus involved. >>>>> >>>>> Mailscanner v5.0.7 >>>>> ClamAV v0.100.0 >>>>> >>>>>> ClamAV update process started at Fri Apr 5 18:41:07 2019 >>>>>> >>>>>> WARNING: Your ClamAV installation is OUTDATED! >>>>>> >>>>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2 >>>>>> >>>>>> DON'T PANIC! 
Read >>>> https://www.clamav.net/documents/upgrading-clamav >>>>>> >>>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: >> 60, >>>>>> builder: sigmgr) >>>>>> >>>>>> daily.cld is up to date (version: 25410, sigs: 1552552, >> f-level: >>>> 63, >>>>>> builder: raynman) >>>>>> >>>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: >> 63, >>>>>> builder: neo) >>>>> >>>>> A review of /var/log/maillog suggests that there's a problem >> with >>>>> ClamAV >>>>> >>>>>> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content >>>>>> Scanning: Starting >>>>>> >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV >> TIMED >>>> OUT >>>>>> >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO >>>>>> COMPLETE, TIMED OUT >>>>>> >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: >> DENIAL >>>> OF >>>>>> SERVICE ATTACK DETECTED! >>>>> >>>>> I've tried to observe what is happening on the system, while >> mail >>>> is >>>>> being scanned and what i can surmise is that clamscan is >>>> timing-out >>>>> (uses 100% CPU) >>>>> >>>>> any pointers would be greatly appreciated. I have not been able >> to >>>>> find anything online. >>>>> >>>>> I'll try upgrading to the latest and greatest MailScanner in the >>>> mean >>>>> time. >>>>> >>>>> thanks >>>>> Salighie >>> >>> >>> Links: >>> ------ >>> [1] http://stored.fi >>> [2] http://stored.fi/ > > > Links: > ------ > [1] http://stored.fi > [2] http://STORED.FI -------------- next part -------------- An HTML attachment was scrubbed... URL: From yuwang at cs.fsu.edu Wed Apr 10 13:50:51 2019 From: yuwang at cs.fsu.edu (Yu Wang) Date: Wed, 10 Apr 2019 09:50:51 -0400 Subject: MailScanner was attacked by DOS and deletes message body In-Reply-To: References: <5b6a32cbc2d944fdbf6f0c1a1cdfded2@EXCH1.cs.fsu.edu> Message-ID: <000f01d4efa4$693e90d0$3bbbb270$@cs.fsu.edu> Mark, It appears MailScanner either didn't save it or something caused the message to be removed. 
I cannot find it anywhere under /var/spool/MailScanner/.

I updated MailScanner last night to 5.1.3-2 and patched perl scripts for the ignore denial of service workaround. Hopefully it will fix the message body deletion issue.

Thanks.

James

-----Original Message-----
From: MailScanner On Behalf Of Mark Sapiro
Sent: Tuesday, April 9, 2019 1:01 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: MailScanner was attacked by DOS and deletes message body

On 4/9/19 9:25 AM, Yu Wang wrote:
>
> MailScanner was attacked by a Denial Of Service attack, and has
> therefore deleted this part of the message. Please contact your e-mail
> providers for more information if you need it, giving them the whole
> of this report. Attack in:
> /var/spool/MailScanner/incoming/141905/1841B12012B.A4390/nmsg-141905-2
> 0.html
>
> There was no directory /var/spool/MailScanner/incoming/141905/ on the
> server (about 5 hours later). I searched "1841B12012B.A4390" under
> /var/spool/MailScanner and /var/spool/postfix/ and found nothing.

If MailScanner saved the message, it would be in
/var/spool/MailScanner/quarantine/20190408/1841B12012B.A4390/message or
possibly /var/spool/MailScanner/quarantine/20190408/spam/1841B12012B.A4390.
'20190408' is the date.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From salighie at gmail.com Wed Apr 10 13:58:17 2019
From: salighie at gmail.com (Sebastiano Dante Alighieri)
Date: Wed, 10 Apr 2019 09:58:17 -0400
Subject: All Emails tagged as {VIRUS}
In-Reply-To: <000201d4efa3$e7f9ea10$b7edbe30$@cs.fsu.edu>
References: <333a7124c6e02d72b05bbb1eed0a5757@cs.fsu.edu> <2219111b9e062292f73798ef8558ff33@cs.fsu.edu> <69fcafbf822e495c85086472965092d1@EXCH1.cs.fsu.edu> <000201d4efa3$e7f9ea10$b7edbe30$@cs.fsu.edu>
Message-ID:

yes, postfix.
On Wed, Apr 10, 2019 at 9:47 AM Yu Wang wrote: > Mine runs less than 2 seconds but 8 seconds is not too bad. It could be > that you have a slower machine. Clamav seems to be the pita. What MTA do > you run, Postfix? > > > > > > *From:* Sebastiano Dante Alighieri > *Sent:* Tuesday, April 9, 2019 1:41 PM > *To:* Yu Wang > *Cc:* MailScanner Discussion > *Subject:* Re: All Emails tagged as {VIRUS} > > > > spamassassin processing time: > > > > real 0m7.930s > > user 0m7.607s > > sys 0m0.309s > > > > delete the duplicate db > > > > looking into spamassassin error: seems Geo::IP and Net::Patricia are not > installed > > i'll try to install them now > > > > On Tue, Apr 9, 2019 at 11:51 AM Yu Wang wrote: > > Your spamassassin reported one error. You may want to check and fix it. > > > > My MailScanner ?lint runs in 2.3 seconds, yours ran 160 seconds. > > > > How long does it take to run this one: > > > > time spamassassin -D --lint > > > > You also have duplicated clamav databases. See below in red font color. > > > > James > > > > *From:* Sebastiano Dante Alighieri > *Sent:* Monday, April 8, 2019 4:41 PM > *To:* Yu Wang > *Cc:* MailScanner Discussion > *Subject:* Re: All Emails tagged as {VIRUS} > > > > [root at MyHost ~]# time MailScanner --lint > > Trying to setlogsock(unix) > > > > Reading configuration file /etc/MailScanner/MailScanner.conf > > Reading configuration file /etc/MailScanner/conf.d/README > > Read 868 hostnames from the phishing whitelist > > Read 5807 hostnames from the phishing blacklists > > > > Checking version numbers... > > Version number in MailScanner.conf (5.1.3) is correct. > > > > Your setting "Mail Header" contains illegal characters. > > This is most likely caused by your "%org-name%" setting > > which must not contain any spaces, "." or "_" characters > > as these are known to cause problems with many mail systems. 
> > > > MailScanner setting GID to (1002) > > MailScanner setting UID to (89) > > > > Checking for SpamAssassin errors (if you use it)... > > Using SpamAssassin results cache > > Connected to SpamAssassin cache database > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 0.9 > > config: Strange rule token: 0.6 > > config: Strange rule token: 1.2 > > config: Strange rule token: -1.0 > > config: Strange rule token: 0.6 > > config: Strange rule token: 0.5 > > config: Strange rule token: 1.5 > > config: Strange rule token: 0.6 > > config: Strange rule token: 1.2 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.2 > > config: Strange rule token: 0.6 > > config: Strange rule token: 0.5 > > config: Strange rule token: 0.6 > > config: Strange rule token: 0.8 > > config: Strange rule token: 1.3 > > config: Strange rule token: 0.9 > > config: Strange rule token: 0.5 > > config: Strange rule token: 0.6 > > config: Strange rule token: 2.9 > > config: Strange rule token: 2.9 > > config: Strange rule token: 0.9 > > config: Strange rule token: 0.6 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.9 > > config: Strange rule token: 1.5 > > config: Strange rule token: 1.5 > > config: Strange rule token: 1.5 > > config: Strange rule token: 0.3 > > config: Strange rule token: 0.3 > > config: Strange rule token: 0.3 > > SpamAssassin reported an error. 
> > Auto: Found virus scanners: clamav > > Connected to Processing Attempts Database > > Created Processing Attempts Database successfully > > There are 0 messages in the Processing Attempts Database > > Using locktype = posix > > MailScanner.conf says "Virus Scanners = auto" > > Found these virus scanners installed: clamav > > =========================================================================== > > Filename Checks: Windows/DOS Executable (1 eicar.com) > > Filetype Checks: Allowing 1 eicar.com > > Other Checks: Found 1 problems > > Virus and Content Scanning: Starting > > LibClamAV Warning: Detected duplicate databases > /var/lib/clamav/bytecode.cvd and /var/lib/clamav/bytecode.cld, please > manually remove one of them > > 1.message: Eicar-Test-Signature FOUND > > > > ./1/eicar.com: Eicar-Test-Signature FOUND > > > > Virus Scanning: ClamAV found 2 infections > > Infected message 1 came from 10.1.1.1 > > Virus Scanning: Found 2 viruses > > =========================================================================== > > Virus Scanner test reports: > > ClamAV said "eicar.com contains Eicar-Test-Signature" > > > > If any of your virus scanners (clamav) > > are not listed there, you should check that they are installed correctly > > and that MailScanner is finding them correctly via its virus.scanners.conf. > > > > real 2m41.113s > > user 2m36.969s > > sys 0m3.452s > > > > > > On Mon, Apr 8, 2019 at 4:32 PM yuwang wrote: > > What's the runtime for 'time Mailscanner --lint'? > > If you can, try Mark's suggestion and use clamd. I first used clamav and > had performance issues, changed to clamd and everything has been fast > since. > > James > > On 2019-04-08 16:11, Sebastiano Dante Alighieri wrote: > > it would appear that increasing > > > > VIRUS SCANNER TIMEOUT = 600 (up from 300) > > > > in MailScanner.conf, fixed it for me... at least for now. 
> > > > Now, mail is being virus-scanned and delivered successfully without > > any misleading subject tags; Albeit at a seemingly slow rate (here's > > an excerpt from the maillog showing the processing times of two email > > messages) > > > > Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: > > Starting > > > > Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at > > 911 bytes per second > > Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed > > at 299259 bytes per second > > > > Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: > > Starting > > Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at > > 322 bytes per second > > > > Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed > > at 131233 bytes per second > > > > process [185871] took a little over 6 minutes to complete at a rate of > > 299259 bytes/sec > > process [182275] took a little over 3 minutes to complete at a rate of > > 131233 bytes/sec > > > > If we take process 185871 scanning at 299kbtes/sec taking a little > > over 6 minutes to complete - one might think at that rate, that a > > message of 100MB+ was scanned - but it's no where near that. > > > > maybe it's I/O related... but i'm using a 256MB RAMDISK as the > > v-scanner's temp directory, here is the line from my fstab > > TMPFS /VAR/SPOOL/MAILSCANNER/INCOMING TMPFS RW,SIZE=256M 0 0 > > > > other thoughts > > > > I don't get why the timeout has to be so high, is clamav wrapper > > method really that slow - is it a startup problem that would go away > > if i install and integrate with the clamd.socket (I know members have > > said this is preferable, just want to understand all aspects and why) > > or is there something else going awry? 
> > > > Or > > > > Why is a virus scan timeout automatically treated as a virus / denial > > of service attack - it seems to me that it should be configurable with > > something like this > > Virus Scanner Timeout Action = [detect|deliver|drop|etc] > > > > thanks all for the support. > > > > Best regards > > Sebastiano > > > > On Sat, Apr 6, 2019 at 9:49 AM yuwang wrote: > > > >> "Could not read file /usr/share/MailScanner/reports/en/stored.fi [1] > >> [2] > >>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856. > >>>> > >>>> Error in line 1422, file > >>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for > >>>> storedfilenamemessage does not exist (or can not be read) at > >>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058." > >> > >> The file should be > >> "/usr/share/MailScanner/reports/en/stored.filename.message.txt" > >> > >> Your error message says /usr/share/MailScanner/reports/en/stored.fi > >> [1] > >> > >> What is the output of command: > >> > >> grep 'stored.fi [1]' > >> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl > >> and > >> ls -l > >> /usr/share/MailScanner/reports/en/stored.filename.message.txt > >> > >> James > >> > >> On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote: > >>> After I upgraded to the latest version, i get no mail; MailScanner > >>> Crashes continuously > >>> > >>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: MAILSCANNER EMAIL > >>>> PROCESSOR VERSION 5.1.3 STARTING... > >>>> > >>>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading > >> configuration > >>>> file /etc/MailScanner/MailScanner.conf > >>>> > >>>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading > >> configuration > >>>> file /etc/MailScanner/conf.d/README > >>>> > >>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: COULD NOT READ FILE > >>>> THEM. > >>>> > >>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: ERROR IN LINE 1422, > >>>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM." 
> >> FOR > >>>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ) > >>>> > >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 1500 hostnames > >>>> from the phishing whitelist > >>>> > >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 16624 hostnames > >>>> from the phishing blacklists > >>>> > >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Using SpamAssassin > >>>> results cache > >>>> > >>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Connected to > >>>> SpamAssassin cache database > >>>> > >>>> Apr 6 04:12:25 MyHost MailScanner[10890]: Enabling > >> SpamAssassin > >>>> auto-whitelist functionality... > >>>> > >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Auto: Found virus > >>>> scanners: clamav > >>>> > >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Connected to > >> Processing > >>>> Attempts Database > >>>> > >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Found 1 messages in > >> the > >>>> Processing Attempts Database > >>>> > >>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Using locktype = > >> flock > >>>> > >>>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: MAILSCANNER EMAIL > >>>> PROCESSOR VERSION 5.1.3 STARTING... > >>>> > >>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading > >> configuration > >>>> file /etc/MailScanner/MailScanner.conf > >>>> > >>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading > >> configuration > >>>> file /etc/MailScanner/conf.d/README > >>>> > >>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Could not read file > >>>> them. > >>>> > >>>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: ERROR IN LINE 1422, > >>>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM." > >> FOR > >>>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ) > >>> > >>> This goes on while there's a message to be processed in the db, > >> until > >>> it detects too many crashes and quarantines the message. > >>> > >>> when a new message comes in, it starts all over again. 
> >>> > >>> MAILSCANNER LINT OUTPUT > >>> > >>>> Could not read file /usr/share/MailScanner/reports/en/stored.fi > >> [1] [2] > >>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856. > >>>> > >>>> Error in line 1422, file > >>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for > >>>> storedfilenamemessage does not exist (or can not be read) at > >>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058. > >>> > >>> On Fri, Apr 5, 2019 at 8:31 PM yuwang wrote: > >>> > >>>> My guess is clamav update issue. What happens when you > >> 'Mailscanner > >>>> Lint'? use strace to attach to clam process, use lsof to see open > >>>> files, > >>>> and turn on debug mode on clam might help too. > >>>> > >>>> James > >>>> > >>>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote: > >>>>> Hi, > >>>>> > >>>>> In the past couple of days my email is all coming in with the > >>>> subject > >>>>> line tagged as {VIRUS}. This is true for all mail, but of course > >>>>> there's no virus involved. > >>>>> > >>>>> Mailscanner v5.0.7 > >>>>> ClamAV v0.100.0 > >>>>> > >>>>>> ClamAV update process started at Fri Apr 5 18:41:07 2019 > >>>>>> > >>>>>> WARNING: Your ClamAV installation is OUTDATED! > >>>>>> > >>>>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2 > >>>>>> > >>>>>> DON'T PANIC! 
Read > >>>> https://www.clamav.net/documents/upgrading-clamav > >>>>>> > >>>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: > >> 60, > >>>>>> builder: sigmgr) > >>>>>> > >>>>>> daily.cld is up to date (version: 25410, sigs: 1552552, > >> f-level: > >>>> 63, > >>>>>> builder: raynman) > >>>>>> > >>>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: > >> 63, > >>>>>> builder: neo) > >>>>> > >>>>> A review of /var/log/maillog suggests that there's a problem > >> with > >>>>> ClamAV > >>>>> > >>>>>> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content > >>>>>> Scanning: Starting > >>>>>> > >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV > >> TIMED > >>>> OUT > >>>>>> > >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO > >>>>>> COMPLETE, TIMED OUT > >>>>>> > >>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: > >> DENIAL > >>>> OF > >>>>>> SERVICE ATTACK DETECTED! > >>>>> > >>>>> I've tried to observe what is happening on the system, while > >> mail > >>>> is > >>>>> being scanned and what i can surmise is that clamscan is > >>>> timing-out > >>>>> (uses 100% CPU) > >>>>> > >>>>> any pointers would be greatly appreciated. I have not been able > >> to > >>>>> find anything online. > >>>>> > >>>>> I'll try upgrading to the latest and greatest MailScanner in the > >>>> mean > >>>>> time. > >>>>> > >>>>> thanks > >>>>> Salighie > >>> > >>> > >>> Links: > >>> ------ > >>> [1] http://stored.fi > >>> [2] http://stored.fi/ > > > > > > Links: > > ------ > > [1] http://stored.fi > > [2] http://STORED.FI > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From daniel at crothers.me Wed Apr 10 16:54:52 2019 From: daniel at crothers.me (Daniel Crothers) Date: Wed, 10 Apr 2019 12:54:52 -0400 Subject: Definite Fraud Message-ID: Sorry if this has been answered before. "MailScanner has detected definite fraud in the website at "mandrillapp.com". 
Do not trust this website: https://1tac.com/tracking

It's referencing Mandrill which is a product in MailChimp, an extremely popular "marketing automation platform and an email marketing service." It's used by businesses small, medium and large.

I am guessing this is the correct place to bring this up, as I cannot seem to find any information on where to submit false positives. Just like the tinyurl post I read, it's a centralized service "mandrillapp.com", used by a large amount of people and I feel that should be removed/white-listed as the real website in reference 1tac.com most definitely is not fraud.

Also I apologize if I'm breaking any rules of the mailing-list, this is literally the first time I've interacted one like this. I thank you all for your consideration.

Daniel

From yuwang at cs.fsu.edu Wed Apr 10 17:06:09 2019
From: yuwang at cs.fsu.edu (yuwang)
Date: Wed, 10 Apr 2019 13:06:09 -0400
Subject: Definite Fraud
In-Reply-To:
References:
Message-ID: <99ed6d97cbebaa581aea507f3383014c@cs.fsu.edu>

You can put it in /etc/MailScanner/phishing.safe.sites.custom

James

On 2019-04-10 12:54, Daniel Crothers wrote:
> Sorry if this has been answered before.
>
> "MailScanner has detected definite fraud in the website at
> "mandrillapp.com". Do not trust this website:
> https://1tac.com/tracking
>
> It's referencing Mandrill which is a product in MailChimp, an
> extremely popular "marketing automation platform and an email
> marketing service." It's used by businesses small, medium and large.
>
> I am guessing this is the correct place to bring this up, as I cannot
> seem to find any information on where to submit false positives. Just
> like the tinyurl post I read, it's a centralized service
> "mandrillapp.com", used by a large amount of people and I feel that
> should be removed/white-listed as the real website in reference
> 1tac.com most definitely is not fraud.
>
> Also I apologize if I'm breaking any rules of the mailing-list, this
> is literally the first time I've interacted one like this. I thank you
> all for your consideration.
>
> Daniel

From mark at msapiro.net Wed Apr 10 17:14:33 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 10 Apr 2019 10:14:33 -0700
Subject: Definite Fraud
In-Reply-To:
References:
Message-ID:

On 4/10/19 9:54 AM, Daniel Crothers wrote:
>
> "MailScanner has detected definite fraud in the website at
> "mandrillapp.com". Do not trust this website:
> https://1tac.com/tracking

These 'definite fraud' sites are listed in /etc/MailScanner/phishing.bad.sites.conf.master. The data in that file come from .

You can whitelist mandrillapp.com for your installation by adding it to /etc/MailScanner/phishing.safe.sites.custom.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mmgomess at gmail.com Wed Apr 10 18:36:28 2019
From: mmgomess at gmail.com (Marcelo Machado)
Date: Wed, 10 Apr 2019 15:36:28 -0300
Subject: MailScanner was attacked by DOS and deletes message body
In-Reply-To: <000f01d4efa4$693e90d0$3bbbb270$@cs.fsu.edu>
References: <5b6a32cbc2d944fdbf6f0c1a1cdfded2@EXCH1.cs.fsu.edu> <000f01d4efa4$693e90d0$3bbbb270$@cs.fsu.edu>
Message-ID:

Hello everyone. Look at this.

https://github.com/MailScanner/v5/pull/367

Marcelo

On Wed, 10 Apr 2019 at 10:50, Yu Wang wrote:

> Mark,
>
> It appears MailScanner either didn't save it or something caused the
> message to be removed. I cannot find it anywhere under
> /var/spool/MailScanner/.
>
> I updated MailScanner last night to 5.1.3-2 and patched perl scripts for
> the ignore denial of service workaround. Hopefully it will fix the message
> body deletion issue.
>
> Thanks.
>
> James
>
> -----Original Message-----
> From: MailScanner On Behalf Of Mark Sapiro
> Sent: Tuesday, April 9, 2019 1:01 PM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: MailScanner was attacked by DOS and deletes message body
>
> On 4/9/19 9:25 AM, Yu Wang wrote:
> >
> > MailScanner was attacked by a Denial Of Service attack, and has
> > therefore deleted this part of the message. Please contact your e-mail
> > providers for more information if you need it, giving them the whole
> > of this report. Attack in:
> > /var/spool/MailScanner/incoming/141905/1841B12012B.A4390/nmsg-141905-2
> > 0.html
> >
> > There was no directory /var/spool/MailScanner/incoming/141905/ on the
> > server (about 5 hours later). I searched "1841B12012B.A4390" under
> > /var/spool/MailScanner and /var/spool/postfix/ and found nothing.
>
> If MailScanner saved the message, it would be in
> /var/spool/MailScanner/quarantine/20190408/1841B12012B.A4390/message or
> possibly /var/spool/MailScanner/quarantine/20190408/spam/1841B12012B.A4390.
> '20190408' is the date.
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
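The log pattern behind the "Denial Of Service attack detected" reports in this thread (an AV engine timeout, then the DoS report from the same MailScanner child) can be pulled out of /var/log/maillog with a short script. This is an added example, not part of any message here and not MailScanner code; the sample lines are the ones posters quoted, while the function names, the year 2019 and the slowness threshold are assumptions.

```python
import re
from datetime import datetime

# Lines quoted by posters in this thread, ordered by time. Syslog omits the
# year, so 2019 (the year of the messages) is passed in as an assumption.
SAMPLE_MAILLOG = """\
Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
Apr 5 18:34:23 myhost MailScanner[7448]: AV engine clamav timed out
Apr 5 18:34:23 myhost MailScanner[7448]: clamav: Failed to complete, timed out
Apr 5 18:34:23 myhost MailScanner[7448]: Virus Scanning: Denial Of Service attack detected!
Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
"""

LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"MailScanner\[(\d+)\]:\s+(.*)$",
    re.IGNORECASE,
)
TIMEOUT_RE = re.compile(r"^av engine \S+ timed out")


def parse_line(line, year):
    """Return (timestamp, pid, lower-cased message), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    mon, day, clock, pid, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, int(pid), msg.strip().lower()


def scan_report(lines, year=2019):
    """Pair each scan start with its outcome, per MailScanner child PID."""
    started = {}   # pid -> time the scan of the current batch began
    last = {}      # pid -> record of the scan that just finished for that child
    records = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, pid, msg = parsed
        if msg.startswith("virus and content scanning: starting"):
            started[pid] = ts
            last.pop(pid, None)  # a new batch: forget the previous outcome
        elif msg.startswith("virus scanning completed") or TIMEOUT_RE.match(msg):
            begin = started.pop(pid, None)
            if begin is None:
                continue  # the start line is outside the excerpt
            rec = {
                "pid": pid,
                "start": begin,
                "seconds": int((ts - begin).total_seconds()),
                "outcome": "timed_out" if TIMEOUT_RE.match(msg) else "completed",
                "dos_reported": False,
            }
            records.append(rec)
            last[pid] = rec
        elif "denial of service attack detected" in msg:
            rec = last.get(pid)
            if rec is not None and rec["outcome"] == "timed_out":
                rec["dos_reported"] = True  # DoS report follows a scanner timeout
            else:
                records.append({"pid": pid, "start": ts, "seconds": None,
                                "outcome": "dos_without_timeout",
                                "dos_reported": True})
    return records


def timeout_driven_dos(records):
    """PIDs whose DoS report directly followed an AV engine timeout."""
    return [r["pid"] for r in records
            if r["outcome"] == "timed_out" and r["dos_reported"]]


def slow_scans(records, threshold_seconds):
    """Completed scans that took at least threshold_seconds (caller's choice)."""
    return [(r["pid"], r["seconds"]) for r in records
            if r["outcome"] == "completed" and r["seconds"] >= threshold_seconds]


if __name__ == "__main__":
    for rec in scan_report(SAMPLE_MAILLOG.splitlines()):
        print(rec["pid"], rec["outcome"], rec["seconds"], rec["dos_reported"])
```

A record with outcome `dos_without_timeout` is a DoS report that did not follow a scanner timeout in the same child, which is the case worth a closer look at the message itself.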

From yuwang at cs.fsu.edu Wed Apr 10 18:42:01 2019
From: yuwang at cs.fsu.edu (yuwang)
Date: Wed, 10 Apr 2019 14:42:01 -0400
Subject: MailScanner was attacked by DOS and deletes message body
In-Reply-To:
References: <5b6a32cbc2d944fdbf6f0c1a1cdfded2@EXCH1.cs.fsu.edu> <000f01d4efa4$693e90d0$3bbbb270$@cs.fsu.edu>
Message-ID: <64244a59eb0fdba4a31d24f161a418ea@cs.fsu.edu>

Yes, that's the one I used to patch MailScanner.conf and perl script and module. Thanks for providing the workaround.

James

On 2019-04-10 14:36, Marcelo Machado wrote:
> Hello everyone. Look at this.
>
> https://github.com/MailScanner/v5/pull/367
>
> Marcelo
>
> On Wed, 10 Apr 2019 at 10:50, Yu Wang wrote:
>
>> Mark,
>>
>> It appears MailScanner either didn't save it or something caused the
>> message to be removed. I cannot find it anywhere under
>> /var/spool/MailScanner/.
>>
>> I updated MailScanner last night to 5.1.3-2 and patched perl scripts
>> for the ignore denial of service workaround. Hopefully it will fix
>> the message body deletion issue.
>>
>> Thanks.
>>
>> James
>>
>> -----Original Message-----
>> From: MailScanner On Behalf Of Mark Sapiro
>> Sent: Tuesday, April 9, 2019 1:01 PM
>> To: mailscanner at lists.mailscanner.info
>> Subject: Re: MailScanner was attacked by DOS and deletes message body
>>
>> On 4/9/19 9:25 AM, Yu Wang wrote:
>>>
>>> MailScanner was attacked by a Denial Of Service attack, and has
>>> therefore deleted this part of the message. Please contact your e-mail
>>> providers for more information if you need it, giving them the whole
>>> of this report. Attack in:
>>> /var/spool/MailScanner/incoming/141905/1841B12012B.A4390/nmsg-141905-2
>>> 0.html
>>>
>>> There was no directory /var/spool/MailScanner/incoming/141905/ on the
>>> server (about 5 hours later). I searched "1841B12012B.A4390" under
>>> /var/spool/MailScanner and /var/spool/postfix/ and found nothing.
>>
>> If MailScanner saved the message, it would be in
>> /var/spool/MailScanner/quarantine/20190408/1841B12012B.A4390/message
>> or possibly
>> /var/spool/MailScanner/quarantine/20190408/spam/1841B12012B.A4390.
>> '20190408' is the date.
>>
>> --
>> Mark Sapiro        The highway is for gamblers,
>> San Francisco Bay Area, California    better use your sense - B. Dylan
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner

From gpapamichelakis at gmail.com Fri Apr 12 08:33:29 2019
From: gpapamichelakis at gmail.com (George Papamichelakis)
Date: Fri, 12 Apr 2019 11:33:29 +0300
Subject: How do you people handle spam from Google lists etc?
Message-ID:

Hi all ,

I'm sure I'm not the only one here that gets spammed from google servers , I receive

messages that in from line appears something like this :

azovwave+bncbd3orshfrylbb36yx3sqkgqegq7g4ga at googlegroups.com
azovwave+bncbd3orshfrylbbiwjqxsakgqev4lqfzy at googlegroups.com
azovwave2+bncbd3orshfrylbbno2x3sqkgqei4erkja at googlegroups.com
azovwave12+bncbd3orshfrylbbuwzx3sqkgqeecgxwwi at googlegroups.com

the address of course is different or changes every now and then, as you can see in the first pair

and the only common clue I can find, is in the headers which is the only reference to the real spammer :

X-Original-Sender: arwad at azovwave.com

A rule from inside mailscanner seems impossible to catch such spammers , so how do you

people get by from these without blocking google email servers ? you work your way in local spamassassin rules ?

is there something in the setup of mailscanner that I have overlooked ?

Thanks in advance

From yuwang at cs.fsu.edu Fri Apr 12 12:59:12 2019
From: yuwang at cs.fsu.edu (yuwang)
Date: Fri, 12 Apr 2019 08:59:12 -0400
Subject: How do you people handle spam from Google lists etc?
In-Reply-To:
References:
Message-ID: <9231641e9b1239362d609e2104adb007@cs.fsu.edu>

Have you looked up owners/locations of the IP addresses that sent those spams? Did they really come from google's servers? Google's SPF is soft-fail (why they didn't go with hard-fail is puzzling) so non-google servers can send emails out as @googlegroups.com. If the real spammer is from azovwave.com, you can block/blacklist sender's IP(s).

> googlegroups.com

Non-authoritative answer:
googlegroups.com        text = "v=spf1 redirect=_spf.google.com"

> _dmarc.googlegroups.com

Non-authoritative answer:
_dmarc.googlegroups.com text = "v=DMARC1\; p=none\; rua=mailto:mailauth-reports at google.com"

> _spf.google.com

Non-authoritative answer:
_spf.google.com text = "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

James

On 2019-04-12 04:33, George Papamichelakis wrote:
> Hi all ,
>
>
> I'm sure I'm not the only one here that gets spammed from google
> servers , I receive
>
> messages that in from line appears something like this :
>
> azovwave+bncbd3orshfrylbb36yx3sqkgqegq7g4ga at googlegroups.com
> azovwave+bncbd3orshfrylbbiwjqxsakgqev4lqfzy at googlegroups.com
> azovwave2+bncbd3orshfrylbbno2x3sqkgqei4erkja at googlegroups.com
> azovwave12+bncbd3orshfrylbbuwzx3sqkgqeecgxwwi at googlegroups.com
>
>
> the address of course is different or changes every now and then, as
> you can see in the first pair
>
> and the only common clue I can find, is in the headers which is the
> only reference to the real spammer :
>
> X-Original-Sender: arwad at azovwave.com
>
>
> A rule from inside mailscanner seems impossible to catch such spammers
> , so how do you
>
> people get by from these without blocking google email servers ?
> you work your way in local spamassassin rules ?
>
> is there something in the setup of mailscanner that I have overlooked
> ?
>
>
> Thanks in advance

From andrew at topdog.za.net Fri Apr 12 13:12:51 2019
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Fri, 12 Apr 2019 15:12:51 +0200
Subject: How do you people handle spam from Google lists etc?
In-Reply-To:
References:
Message-ID:

> On 12 Apr 2019, at 10:33, George Papamichelakis wrote:
>
> I'm sure I'm not the only one here that gets spammed from google servers , I receive

The EBL DNSBL[1] may be helpful for this use case.

[1] https://msbl.org/ebl.html

- A

From peter.farrow at togethia.net Fri Apr 12 13:15:53 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Fri, 12 Apr 2019 14:15:53 +0100
Subject: How do you people handle spam from Google lists etc?
In-Reply-To:
References:
Message-ID: <16a11b0af28.27f8.f10e8866d2808a6c747790ff92dee4b4@togethia.net>

Bin those emails

On 12 April 2019 14:13:31 Andrew Colin Kissa via MailScanner wrote:

>> On 12 Apr 2019, at 10:33, George Papamichelakis wrote:
>>
>> I'm sure I'm not the only one here that gets spammed from google servers ,
>> I receive
>
> The EBL DNSBL[1] may be helpful for this use case.
>
> [1] https://msbl.org/ebl.html
>
> - A
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> --
> This message has been scanned for viruses and
> dangerous content by the Togethia MailScanner,
> and is believed to be clean.

From gpapamichelakis at gmail.com Fri Apr 12 13:16:10 2019
From: gpapamichelakis at gmail.com (George Papamichelakis)
Date: Fri, 12 Apr 2019 16:16:10 +0300
Subject: How do you people handle spam from Google lists etc?
In-Reply-To: <9231641e9b1239362d609e2104adb007@cs.fsu.edu>
References: <9231641e9b1239362d609e2104adb007@cs.fsu.edu>
Message-ID:

yes they come from google, the original sender is from turkey though:

209.85.208.62    mail-ed1-f62.google.com    United States    [ ]    [ ]    [ ]    [ ]
92.42.39.50    mail.kordonweb.net    Turkey    [ ]    [ ]    [ ]    [ ]
192.168.1.114    (Private Network)    (Private Network)

They also have an unsubscribe link in the header :

List-Unsubscribe: ,

but as you can see the link is for subscribing , to unsubscribe (even though you never subscribed...) you have to send a message to this address by hand, seems a bit risky and if they manage to harvest a lot of your addresses it's hell. They have several accounts in google to do so also, as you saw in my first message.

George

On 4/12/19 3:59 PM, yuwang wrote:
>
> Have you looked up owners/locations of the IP addresses that sent
> those spams? Did they really come from google's servers? Google's SPF
> is soft-fail (why they didn't go with hard-fail is puzzling) so
> non-google servers can send emails out as @googlegroups.com. If the real
> spammer is from azovwave.com, you can block/blacklist sender's IP(s).
>
>
>> googlegroups.com
>
> Non-authoritative answer:
> googlegroups.com        text = "v=spf1 redirect=_spf.google.com"
>
>
>> _dmarc.googlegroups.com
>
> Non-authoritative answer:
> _dmarc.googlegroups.com text = "v=DMARC1\; p=none\;
> rua=mailto:mailauth-reports at google.com"
>
>
>> _spf.google.com
>
> Non-authoritative answer:
> _spf.google.com text = "v=spf1 include:_netblocks.google.com
> include:_netblocks2.google.com include:_netblocks3.google.com ~all"
>
>
> James
>
>
> On 2019-04-12 04:33, George Papamichelakis wrote:
>> Hi all ,
>>
>>
>> I'm sure I'm not the only one
here that gets spammed from google
>> servers , I receive
>>
>> messages that in from line appears something like this :
>>
>> azovwave+bncbd3orshfrylbb36yx3sqkgqegq7g4ga at googlegroups.com
>> azovwave+bncbd3orshfrylbbiwjqxsakgqev4lqfzy at googlegroups.com
>> azovwave2+bncbd3orshfrylbbno2x3sqkgqei4erkja at googlegroups.com
>> azovwave12+bncbd3orshfrylbbuwzx3sqkgqeecgxwwi at googlegroups.com
>>
>>
>> the address of course is different or changes every now and then, as
>> you can see in the first pair
>>
>> and the only common clue I can find, is in the headers which is the
>> only reference to the real spammer :
>>
>> X-Original-Sender: arwad at azovwave.com
>>
>>
>> A rule from inside mailscanner seems impossible to catch such spammers
>> , so how do you
>>
>> people get by from these without blocking google email servers ? you
>> work your way in local spamassassin rules ?
>>
>> is there some thing in the setup of mailscanner that I have
>> overlooked ?
>>
>>
>> Thanks in advance

From mark at msapiro.net Fri Apr 12 14:55:58 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 12 Apr 2019 07:55:58 -0700
Subject: How do you people handle spam from Google lists etc?
In-Reply-To:
References:
Message-ID:

On 4/12/19 1:33 AM, George Papamichelakis wrote:
> Hi all ,
>
>
> I'm sure I'm not the only one here that gets spammed from google
> servers , I receive
>
> messages that in from line appears something like this :
>
> azovwave+bncbd3orshfrylbb36yx3sqkgqegq7g4ga at googlegroups.com
> azovwave+bncbd3orshfrylbbiwjqxsakgqev4lqfzy at googlegroups.com
> azovwave2+bncbd3orshfrylbbno2x3sqkgqei4erkja at googlegroups.com
> azovwave12+bncbd3orshfrylbbuwzx3sqkgqeecgxwwi at googlegroups.com

These appear to be actual Google groups. If the mail is really coming
from googlegroups, report it to Google.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From gpapamichelakis at gmail.com Fri Apr 12 14:57:18 2019
From: gpapamichelakis at gmail.com (George Papamichelakis)
Date: Fri, 12 Apr 2019 17:57:18 +0300
Subject: How do you people handle spam from Google lists etc?
In-Reply-To:
References:
Message-ID: <8cd5c50d-d434-f15e-35ec-840b6ff71106@gmail.com>

it's google groups sure but the users never subscribed to them ...

On 4/12/19 5:55 PM, Mark Sapiro wrote:
> On 4/12/19 1:33 AM, George Papamichelakis wrote:
>> Hi all ,
>>
>>
>> I'm sure I'm not the only one here that gets spammed from google
>> servers , I receive
>>
>> messages that in from line appears something like this :
>>
>> azovwave+bncbd3orshfrylbb36yx3sqkgqegq7g4ga at googlegroups.com
>> azovwave+bncbd3orshfrylbbiwjqxsakgqev4lqfzy at googlegroups.com
>> azovwave2+bncbd3orshfrylbbno2x3sqkgqei4erkja at googlegroups.com
>> azovwave12+bncbd3orshfrylbbuwzx3sqkgqeecgxwwi at googlegroups.com
>
> These appear to be actual Google groups. If the mail is really coming
> from googlegroups, report it to Google.
>
>

From mark at msapiro.net Fri Apr 12 15:14:19 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 12 Apr 2019 08:14:19 -0700
Subject: How do you people handle spam from Google lists etc?
In-Reply-To: <8cd5c50d-d434-f15e-35ec-840b6ff71106@gmail.com>
References: <8cd5c50d-d434-f15e-35ec-840b6ff71106@gmail.com>
Message-ID: <260bc914-29c7-4628-84fc-65e946e84dcd@msapiro.net>

On 4/12/19 7:57 AM, George Papamichelakis wrote:
> it's google groups sure but the users never subscribed to them ...

If the spam is actually being sent from the Google group, Google should
deal with it.

On the other hand, if it's just mail that cleverly spoofs the google
group as the sender, the originator's IP address should be somewhere in
the Received: headers, and it should be possible to detect the
difference between these and real Google groups email in a SpamAssassin
rule.

Or, if as you say elsewhere they all have a header like

> List-Unsubscribe: ,
>

You should be able to get that with a spamassassin rule like

header RULE_NAME List-Unsubscribe =~ /subscribe>$/

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From gpapamichelakis at gmail.com Fri Apr 12 15:38:55 2019
From: gpapamichelakis at gmail.com (George Papamichelakis)
Date: Fri, 12 Apr 2019 18:38:55 +0300
Subject: How do you people handle spam from Google lists etc?
In-Reply-To: <260bc914-29c7-4628-84fc-65e946e84dcd@msapiro.net>
References: <8cd5c50d-d434-f15e-35ec-840b6ff71106@gmail.com> <260bc914-29c7-4628-84fc-65e946e84dcd@msapiro.net>
Message-ID: <45236678-7356-885d-ef65-710c2ac48923@gmail.com>

On 4/12/19 6:14 PM, Mark Sapiro wrote:
> On 4/12/19 7:57 AM, George Papamichelakis wrote:
>> it's google groups sure but the users never subscribed to them ...
>
> If the spam is actually being sent from the Google group, Google should
> deal with it.

it's spam definitely , they use google and it's not spoofing.

funny thing is when you search for googlegroups abuse :

Friendly reminder that if you encounter emails on this list that you
believe are spam or abuse of the list, please report the abuse using the
google groups Report Abuse feature in the drop-down in the top right of
the message in the web interface. All emails should have a "To view this
discussion on the web visit" link in their footer that will direct you to
the web interface. This is for if you are subscribed through the google
group.

Seems you can only report google groups abuse from your google account ,
that leaves out a lot of people if they don't have a google account .

Also what happens when you're spammed on your business email but you
have to report the abuse from your personal gmail account ?

This is very grey and vague I think .

> On the other hand, if it's just mail that cleverly spoofs the google
> group as the sender, the originator's IP address should be somewhere in
> the Received: headers, and it should be possible to detect the
> difference between these and real Google groups email in a SpamAssassin
> rule.
>
> Or, if as you say elsewhere they all have a header like
>
>> List-Unsubscribe: ,
>>
> You should be able to get that with a spamassassin rule like
>
> header RULE_NAME List-Unsubscribe =~ /subscribe>$/

This is more likely to work probably , I will create a rule with low
score at first to check

thanks for suggesting

George
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From belle at bazuin.nl Mon Apr 15 07:03:48 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Mon, 15 Apr 2019 09:03:48 +0200
Subject: How do you people handle spam from Google lists etc?
In-Reply-To:
References: <9231641e9b1239362d609e2104adb007@cs.fsu.edu>
Message-ID:

I found an interesting development here: http://unsubscriberobot.com/

It's built up from a former Google Engineer and independent software contractor.
This gives us the advantage to send our as for us seen spam newsletter mails
to unsubscribe.robot at gmail.com and the software follows the link in a
simulated browser, fills out the form, and clicks the unsubscribe button.

Greetz,

Louis

> -----Original message-----
> From: MailScanner
> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On behalf of George Papamichelakis
> Sent: Friday 12 April 2019 15:16
> To: yuwang; MailScanner Discussion
> Subject: Re: How do you people handle spam from Google lists etc?
>
> yes they come from google, the original sender is from turkey though:
>
> 209.85.208.62    mail-ed1-f62.google.com    United States    [ ]    [  ]    [  ]    [  ]
> 92.42.39.50    mail.kordonweb.net    Turkey    [  ]    [  ]    [ ]    [  ]
> 192.168.1.114    (Private Network)
(Private Network)
>
> They also have an unsubscribe link in the header :
>
> List-Unsubscribe:
> ,
>
>
> but as you can see the link is for subscribing , to unsubscribe (even
> though you never subscribed...) you have to
> send a message to this address by hand, seems a bit risky and if they
> manage to harvest a lot of your addresses
> it's hell.
>
> They have several accounts in google to do so also, as you saw in my
> first message.
>
>
> George
>
>
>
> On 4/12/19 3:59 PM, yuwang wrote:
> >
> > Have you looked up owners/locations of the IP addresses that sent
> > those spams? Did they really come from google's servers? Google's SPF
> > is soft-fail (why they didn't go with hard-fail is puzzling) so
> > non-google servers can send emails out as @googlegroups.com. If the real
> > spammer is from azovwave.com, you can block/blacklist sender's IP(s).
> >
> >
> >> googlegroups.com
> >
> > Non-authoritative answer:
> > googlegroups.com        text = "v=spf1 redirect=_spf.google.com"
> >
> >
> >> _dmarc.googlegroups.com
> >
> > Non-authoritative answer:
> > _dmarc.googlegroups.com text = "v=DMARC1\; p=none\;
> > rua=mailto:mailauth-reports at google.com"
> >
> >
> >> _spf.google.com
> >
> > Non-authoritative answer:
> > _spf.google.com text = "v=spf1 include:_netblocks.google.com
> > include:_netblocks2.google.com include:_netblocks3.google.com ~all"
> >
> >
> > James
> >
> >
> >
> >
> > On 2019-04-12 04:33, George Papamichelakis wrote:
> >> Hi all ,
> >>
> >>
> >> I'm sure I'm not the only one
here that gets spammed from google
> >> servers , I receive
> >>
> >> messages that in from line appears something like this :
> >>
> >> azovwave+bncbd3orshfrylbb36yx3sqkgqegq7g4ga at googlegroups.com
> >> azovwave+bncbd3orshfrylbbiwjqxsakgqev4lqfzy at googlegroups.com
> >> azovwave2+bncbd3orshfrylbbno2x3sqkgqei4erkja at googlegroups.com
> >> azovwave12+bncbd3orshfrylbbuwzx3sqkgqeecgxwwi at googlegroups.com
> >>
> >>
> >> the address of course is different or changes every now and then, as
> >> you can see in the first pair
> >>
> >> and the only common clue I can find, is in the headers which is the
> >> only reference to the real spammer :
> >>
> >> X-Original-Sender: arwad at azovwave.com
> >>
> >>
> >> A rule from inside mailscanner seems impossible to catch such spammers
> >> , so how do you
> >>
> >> people get by from these without blocking google email servers ? you
> >> work your way in local spamassassin rules ?
> >>
> >> is there some thing in the setup of mailscanner that I have
> >> overlooked ?
> >>
> >>
> >> Thanks in advance
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

From mailinglists at feedmebits.nl Wed Apr 24 09:00:07 2019
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 24 Apr 2019 11:00:07 +0200
Subject: MailScanner and spamassasin
Message-ID: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl>

Hello,

I setup a custom spamassassin rule in /etc/MailScanner/spamassassin.conf.

header   FAKE_PAYMENT_REQUEST   Subject =~ /mailinglists/i
describe FAKE_PAYMENT_REQUEST   fake payment requests with subject mailinglists
score    FAKE_PAYMENT_REQUEST   7.0

However the email with the subject keeps arriving in my inbox.
I also don't see a spamassassin header added by mailscanner to the headers:

Return-Path:
X-Original-To: mailinglists at feedmebits.nl
Delivered-To: mailinglists at feedmebits.nl
X-Spam-Status: No
X-FMB-MailScanner-From: oferty at lenovopolska.pl
X-FMB-MailScanner: Found to be clean
X-FMB-MailScanner-ID: 2A6D620EF9.A15EA
X-FMB-MailScanner-Information: Please contact hostmaster at feedmebits.nl for more information
X-Greylist: delayed 400 seconds by postgrey-1.34 at supernova; Tue, 23 Apr 2019 21:22:14 CEST
DKIM-Filter: OpenDKIM Filter v2.11.0 a.mx.feedmebits.nl 2A6D620EF9
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=94.152.129.80; helo=5e988150.static.tld.pl; envelope-from=oferty at lenovopolska.pl; receiver=mailinglists at feedmebits.nl
Received: from 5E988150.static.tld.pl (5E988150.static.tld.pl [94.152.129.80])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (Client did not present a certificate)
    by a.mx.feedmebits.nl (Postfix) with ESMTPS id 2A6D620EF9
    for ; Tue, 23 Apr 2019 21:22:13 +0200 (CEST)
Received: (qmail 16670 invoked by uid 384007); 23 Apr 2019 19:15:33 -0000
X-clamdmail: clamdmail 0.18a
Received: from 51b6877d.dsl.pool.telekom.hu (HELO ?51B6877D.dsl.pool.telekom.hu?) (oferty at lenovopolska.pl@81.182.135.125)
    by 5e988150.static.tld.pl with ESMTPA; 23 Apr 2019 19:15:20 -0000
Content-Type: multipart/related; boundary="6530185204826224966-24833983516226"
MIME-Version: 1.0
Subject: mailinglists
List-Help:
X-Abuse-Reports-To:
Date: Tue, 23 Apr 2019 21:15:18 +0200
X-Sender-Info: oferty at lenovopolska.pl
Message-ID:
Abuse-Reports-To:
To: mailinglists at feedmebits.nl
From:
X-Sender:
X-CSA-Complaints: whitelistcomplaints at lenovopolska.pl

It's an email sent each time from a different from address so I thought
I'd filter with a spamassassin rule on the subject.
Why is MailScanner not picking up the spamassassin rule I configured, did I
miss something?
Or should I use this file to configure spamassassin rules?
/etc/MailScanner/mcp/mcp.spamassassin.conf

Maarten
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mark at msapiro.net Wed Apr 24 15:31:42 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 24 Apr 2019 08:31:42 -0700
Subject: MailScanner and spamassasin
In-Reply-To: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl>
References: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl>
Message-ID: <55a171d5-9b96-1b08-4a31-fd38ac36329c@msapiro.net>

On 4/24/19 2:00 AM, Maarten wrote:
> Hello,
>
> I setup a custom spamassassin rule in /etc/MailScanner/spamassassin.conf.
>
> header   FAKE_PAYMENT_REQUEST   Subject =~ /mailinglists/i
> describe FAKE_PAYMENT_REQUEST   fake payment requests with subject
> mailinglists
> score    FAKE_PAYMENT_REQUEST   7.0
>
> However the email with the subject keeps arriving in my inbox. I also
> don't see a spamassassin header
> added by mailscanner to the headers:

Have you restarted mailscanner and spamd if you use it?

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailinglists at feedmebits.nl Wed Apr 24 16:03:34 2019
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 24 Apr 2019 18:03:34 +0200
Subject: MailScanner and spamassasin
In-Reply-To: <55a171d5-9b96-1b08-4a31-fd38ac36329c@msapiro.net>
References: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl> <55a171d5-9b96-1b08-4a31-fd38ac36329c@msapiro.net>
Message-ID:

Hey Mark,

I have restarted mailscanner, I don't have spamd running,
I thought the spamassassin perl module is used by mailscanner
to do the spamassassin rule checking? I see output when I run
spamassassin -D --lint. Is it better to have spamassassin running as a daemon
and then having it configured via postfix?

On 4/24/19 5:31 PM, Mark Sapiro wrote:
> On 4/24/19 2:00 AM, Maarten wrote:
>> Hello,
>>
>> I setup a custom spamassassin rule in /etc/MailScanner/spamassassin.conf.
>>
>> header   FAKE_PAYMENT_REQUEST
Subject =~ /mailinglists/i
>> describe FAKE_PAYMENT_REQUEST   fake payment requests with subject
>> mailinglists
>> score    FAKE_PAYMENT_REQUEST   7.0
>>
>> However the email with the subject keeps arriving in my inbox. I also
>> don't see a spamassassin header
>> added by mailscanner to the headers:
>
> Have you restarted mailscanner and spamd if you use it?
>

From mark at msapiro.net Wed Apr 24 18:24:22 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 24 Apr 2019 11:24:22 -0700
Subject: MailScanner and spamassasin
In-Reply-To:
References: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl> <55a171d5-9b96-1b08-4a31-fd38ac36329c@msapiro.net>
Message-ID: <3094649c-a43b-85f1-8180-55ace9d4a341@msapiro.net>

On 4/24/19 9:03 AM, Maarten wrote:
>
> I have restarted mailscanner, I don't have spamd running,
> I thought the spamassassin perl module is used by mailscanner
> to do the spamassassin rule checking? I see output when I run
> spamassassin -D --lint.

Yes, MailScanner does use the Perl module, but it has never been clear
to me whether this in turn will use spamd if available.

For your original question, do you have a symlink
/etc/spamassassin/MailScanner.cf -> /etc/MailScanner/spamassassin.conf?

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailinglists at feedmebits.nl Wed Apr 24 18:57:03 2019
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 24 Apr 2019 20:57:03 +0200
Subject: MailScanner and spamassasin
In-Reply-To: <3094649c-a43b-85f1-8180-55ace9d4a341@msapiro.net>
References: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl> <55a171d5-9b96-1b08-4a31-fd38ac36329c@msapiro.net> <3094649c-a43b-85f1-8180-55ace9d4a341@msapiro.net>
Message-ID:

lrwxrwxrwx.
1 root root 34 Jan 29 19:43 /etc/mail/spamassassin/MailScanner.cf -> /etc/MailScanner/spamassassin.conf

On 4/24/19 8:24 PM, Mark Sapiro wrote:
> On 4/24/19 9:03 AM, Maarten wrote:
>> I have restarted mailscanner, I don't have spamd running,
>> I thought the spamassassin perl module is used by mailscanner
>> to do the spamassassin rule checking? I see output when I run
>> spamassassin -D --lint.
>
> Yes, MailScanner does use the Perl module, but it has never been clear
> to me whether this in turn will use spamd if available.
>
> For your original question, do you have a symlink
> /etc/spamassassin/MailScanner.cf -> /etc/MailScanner/spamassassin.conf?
>

From mark at msapiro.net Wed Apr 24 20:30:38 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 24 Apr 2019 13:30:38 -0700
Subject: MailScanner and spamassasin
In-Reply-To:
References: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl> <55a171d5-9b96-1b08-4a31-fd38ac36329c@msapiro.net> <3094649c-a43b-85f1-8180-55ace9d4a341@msapiro.net>
Message-ID: <02a2498c-43cb-b1ab-b38a-a35aa74fa0d5@msapiro.net>

On 4/24/19 11:57 AM, Maarten wrote:
> lrwxrwxrwx. 1 root root 34 Jan 29 19:43
> /etc/mail/spamassassin/MailScanner.cf -> /etc/MailScanner/spamassassin.conf

I think the issue is a spamassassin quirk. You have

header FAKE_PAYMENT_REQUEST Subject =~ /mailinglists/i

The 'i' flag toggles ignore_case which starts out true so your match is
case sensitive.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From mark at msapiro.net Wed Apr 24 20:42:07 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 24 Apr 2019 13:42:07 -0700
Subject: MailScanner and spamassasin
In-Reply-To: <02a2498c-43cb-b1ab-b38a-a35aa74fa0d5@msapiro.net>
References: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl> <55a171d5-9b96-1b08-4a31-fd38ac36329c@msapiro.net> <3094649c-a43b-85f1-8180-55ace9d4a341@msapiro.net> <02a2498c-43cb-b1ab-b38a-a35aa74fa0d5@msapiro.net>
Message-ID: <77c40832-f948-b517-e4f7-5325b4de8036@msapiro.net>

On 4/24/19 1:30 PM, Mark Sapiro wrote:
>
> I think the issue is a spamassassin quirk. You have
>
> header FAKE_PAYMENT_REQUEST Subject =~ /mailinglists/i
>
> The 'i' flag toggles ignore_case which starts out true so your match is
> case sensitive.

I think the above is incorrect. I just looked for this in the docs and
it doesn't seem to work that way. I'm probably conflating this with
Postfix regex tables which do work this way.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailinglists at feedmebits.nl Wed Apr 24 21:17:29 2019
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 24 Apr 2019 23:17:29 +0200
Subject: MailScanner and spamassasin
In-Reply-To: <77c40832-f948-b517-e4f7-5325b4de8036@msapiro.net>
References: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl> <55a171d5-9b96-1b08-4a31-fd38ac36329c@msapiro.net> <3094649c-a43b-85f1-8180-55ace9d4a341@msapiro.net> <02a2498c-43cb-b1ab-b38a-a35aa74fa0d5@msapiro.net> <77c40832-f948-b517-e4f7-5325b4de8036@msapiro.net>
Message-ID:

When I look it up in the docs it seems it should be this?

header FAKE_PAYMENT_REQUEST Subject =~ /\bmailinglists\b/i

On 4/24/19 10:42 PM, Mark Sapiro wrote:
> On 4/24/19 1:30 PM, Mark Sapiro wrote:
>> I think the issue is a spamassassin quirk. You have
>>
>> header FAKE_PAYMENT_REQUEST Subject =~ /mailinglists/i
>>
>> The 'i' flag toggles ignore_case which starts out true so your match is
>> case sensitive.
>
> I think the above is incorrect. I just looked for this in the docs and
> it doesn't seem to work that way. I'm probably conflating this with
> Postfix regex tables which do work this way.
>

From mark at msapiro.net Wed Apr 24 21:28:42 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 24 Apr 2019 14:28:42 -0700
Subject: MailScanner and spamassasin
In-Reply-To:
References: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl> <55a171d5-9b96-1b08-4a31-fd38ac36329c@msapiro.net> <3094649c-a43b-85f1-8180-55ace9d4a341@msapiro.net> <02a2498c-43cb-b1ab-b38a-a35aa74fa0d5@msapiro.net> <77c40832-f948-b517-e4f7-5325b4de8036@msapiro.net>
Message-ID:

On 4/24/19 2:17 PM, Maarten wrote:
> When I look it up in the docs it seems it should be this?
>
> header   FAKE_PAYMENT_REQUEST   Subject =~ /\bmailinglists\b/i

That only means it should be surrounded by whitespace to preclude a
match on something like

Subject: mymailinglists.com

Subject =~ /mailinglists/i

will match the string 'mailinglists' anywhere in the subject. If you
want to match only

Subject: mailinglists

you want something like

Subject =~ /^mailinglists$/i

But none of this explains why your test fails.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From thom at vdb.nl Thu Apr 25 04:59:33 2019
From: thom at vdb.nl (Thom van der Boon)
Date: Thu, 25 Apr 2019 06:59:33 +0200 (CEST)
Subject: MailScanner and spamassasin
In-Reply-To:
References: <540667de-2c57-5f78-064a-fa744da40f2d@feedmebits.nl> <55a171d5-9b96-1b08-4a31-fd38ac36329c@msapiro.net> <3094649c-a43b-85f1-8180-55ace9d4a341@msapiro.net> <02a2498c-43cb-b1ab-b38a-a35aa74fa0d5@msapiro.net> <77c40832-f948-b517-e4f7-5325b4de8036@msapiro.net>
Message-ID: <81329250.477421.1556168373270.JavaMail.zimbra@vdb.nl>

Maarten,

It is very unwise to have a "single" trigger to mark something as spam.
If somebody accidentally mails you with this subject it will be marked as spam.
If you send me your e-mail address, I'll send you some examples I use to catch spam

Kind regards,
Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl
=====
Thom.H. van der Boon b.v.
Transito 4
6909 DA Babberich
Tel.: +31 (0)88 4272727
Fax: +31 (0)88 4272789
Home Page: http://www.vdb.nl/

From: "Maarten"
To: "MailScanner Discussion"
Sent: Wednesday 24 April 2019 23:17:29
Subject: Re: MailScanner and spamassasin

When I look it up in the docs it seems it should be this?

header FAKE_PAYMENT_REQUEST Subject =~ /\bmailinglists\b/i

On 4/24/19 10:42 PM, Mark Sapiro wrote:
> On 4/24/19 1:30 PM, Mark Sapiro wrote:
>> I think the issue is a spamassassin quirk. You have
>>
>> header FAKE_PAYMENT_REQUEST Subject =~ /mailinglists/i
>>
>> The 'i' flag toggles ignore_case which starts out true so your match is
>> case sensitive.
>
> I think the above is incorrect. I just looked for this in the docs and
> it doesn't seem to work that way. I'm probably conflating this with
> Postfix regex tables which do work this way.
>

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From it at festa.bg Thu Apr 25 08:07:59 2019
From: it at festa.bg (Valentin Laskov)
Date: Thu, 25 Apr 2019 11:07:59 +0300
Subject: Possible bug in Spam Actions = deliver attachment
Message-ID: <05634bab-8fb9-82f7-4324-8e7e47f7c823@festa.bg>

Hello,

Yesterday I updated MailScanner from 5.0.7 to 5.1.3

I noticed messages like this

Subject: Other Bad Content Detected

Report: MailScanner: Message attempted to kill MailScanner

All of letters causing this are Spam. In MailScanner.conf I have

Spam Actions = deliver attachment header "X-Spam-Status: Yes"

Letters are not delivered but quarantined.

Regards!

Valentin Laskov


--
????????!

???????? ??????
???????? ?????????????
"????? ???????" ??
???. "??. ?????????" 48
9000 ??. ?????
???.: +359 52 669137
GSM: +359 888 669137
Fax: +359 52 669110

From iversons at rushville.k12.in.us Fri Apr 26 14:13:23 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 26 Apr 2019 10:13:23 -0400
Subject: Possible bug in Spam Actions = deliver attachment
In-Reply-To: <05634bab-8fb9-82f7-4324-8e7e47f7c823@festa.bg>
References: <05634bab-8fb9-82f7-4324-8e7e47f7c823@festa.bg>
Message-ID:

Valentin,

Is there any additional information in the mail log to help explain the
"Message attempted to kill MailScanner" message?

On Thu, Apr 25, 2019 at 12:09 PM Valentin Laskov wrote:

> Hello,
>
> Yesterday I updated MailScanner from 5.0.7 to 5.1.3
>
> I noticed messages like this
>
> Subject: Other Bad Content Detected
>
> Report: MailScanner: Message attempted to kill MailScanner
>
> All of letters causing this are Spam. In MailScanner.conf I have
>
> Spam Actions = deliver attachment header "X-Spam-Status: Yes"
>
> Letters are not delivered but quarantined.
>
> Regards!
>
> Valentin Laskov
>
>
> --
> ????????!
>
> ???????? ??????
> ???????? ?????????????
> "????? ???????" ??
> ???. "??. ?????????" 48
> 9000 ??. ?????
> ???.: +359 52 669137
> GSM: +359 888 669137
> Fax: +359 52 669110
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

[image: Cybersecurity]
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From it at festa.bg Fri Apr 26 22:26:06 2019
From: it at festa.bg (Valentin Laskov)
Date: Sat, 27 Apr 2019 01:26:06 +0300
Subject: Possible bug in Spam Actions = deliver attachment
In-Reply-To:
References: <05634bab-8fb9-82f7-4324-8e7e47f7c823@festa.bg>
Message-ID: <6b426c7e-fbd3-e455-383d-72cde7d6de33@festa.bg>

Hi Shawn,

this is in maillog:

Apr 26 19:39:48 ns MailScanner[14367]: Spam Actions: message x3QGKubV014105 actions are deliver,header,attachment
Apr 26 19:44:31 ns MailScanner[14480]: Making attempt 6 at processing message x3QGKubV014105
Apr 26 19:44:36 ns MailScanner[14480]: Message x3QGKubV014105 from 91.196.126.199 (info at somedomain.bg) to festa.bg is spam, SpamAssassin (not cached, score=4.956, required 3, BAYES_05 -0.50, FUZZY_XPILL 2.80, HTML_IMAGE_ONLY_20 1.55, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.38, MIME_HTML_ONLY 0.72, T_REMOTE_IMAGE 0.01)
Apr 26 19:44:36 ns MailScanner[14480]: Spam Actions: message x3QGKubV014105 actions are deliver,header,attachment
Apr 26 19:44:37 ns MailScanner[12651]: Warning: skipping message x3QGKubV014105 as it has been attempted too many times
Apr 26 19:44:37 ns MailScanner[12651]: Quarantined message x3QGKubV014105 as it caused MailScanner to crash several times
Apr 26 19:44:37 ns MailScanner[12651]: Saved entire message to /var/spool/MailScanner/quarantine/20190426/x3QGKubV014105

Yesterday I removed "attachment" but forgot to delete custom.conf~ made
by joe text editor and this overrode my changes in custom.conf
Will see and write tomorrow.

Now I saw this ERROR: The "envelope_ ...
in

root at ns:/home/laskov# MailScanner --lint
Trying to setlogsock(unix)
Skipping Custom Function file CustomAction.pm.orig as its name does not end in .pm or .pl
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Reading configuration file /etc/MailScanner/conf.d/custom.laskov.conf
Read 1501 hostnames from the phishing whitelist
Read 16624 hostnames from the phishing blacklists

Checking version numbers...
Version number in MailScanner.conf (5.1.3) is correct.

ERROR: The "envelope_sender_header" in your spamassassin.conf
ERROR: is not correct, it should match X-FestaHolding-MailScanner-From

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
mktemp: invalid option -- '-'
Usage: mktemp [-V] | [-dqtu] [-p prefix] [template]
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
root at ns:/home/laskov#

...
and now it says

Your envelope_sender_header in spamassassin.conf is correct.

"...
mktemp: invalid option -- '-'
Usage: mktemp [-V] | [-dqtu] [-p prefix] [template]
..."
persists from many MailScanner versions in the past.
My OS is Slackware 14-2

Regards
Valentin


On 26.04.19 at 17:13, Shawn Iverson via MailScanner wrote:
> Valentin,
>
> Is there any additional information in the mail log to help explain
> the "Message attempted to kill MailScanner" message?
>
> On Thu, Apr 25, 2019 at 12:09 PM Valentin Laskov
> wrote:
>
> Hello,
>
> Yesterday I updated MailScanner from 5.0.7 to 5.1.3
>
> I noticed messages like this
>
> Subject: Other Bad Content Detected
>
> Report: MailScanner: Message attempted to kill MailScanner
>
> All of letters causing this are Spam. In MailScanner.conf I have
>
> Spam Actions = deliver attachment header "X-Spam-Status: Yes"
>
> Letters are not delivered but quarantined.
>
> Regards!
>
> Valentin Laskov
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Nicola.Piazzi at gruppocomet.it Mon Apr 29 14:05:30 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Mon, 29 Apr 2019 14:05:30 +0000
Subject: someone use this ?
Message-ID: <7a77c131bfab4a498cb6ac2c38ee04e4@gruppocomet.it>

http://dkimwl.org

I am unable to find how to register so I don't know how they can maintain its data
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jim at shout.net Mon Apr 29 14:13:23 2019
From: jim at shout.net (Jim Creason)
Date: Mon, 29 Apr 2019 09:13:23 -0500
Subject: someone use this ?
In-Reply-To: <7a77c131bfab4a498cb6ac2c38ee04e4@gruppocomet.it>
References: <7a77c131bfab4a498cb6ac2c38ee04e4@gruppocomet.it>
Message-ID:

Interesting, never heard of it.

It does say this on the Terms page, though:

5.1 To apply for an account use the Contact form situated on our website.

On 4/29/2019 9:05 AM, Nicola Piazzi wrote:
> http://dkimwl.org
>
> I am unable to find how to register so I don't know how they can maintain
> its data
>
>
>
>

From Nicola.Piazzi at gruppocomet.it Tue Apr 30 10:27:00 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 30 Apr 2019 10:27:00 +0000
Subject: envelope-from
Message-ID: <06fd3fd310be43048157500225b3306b@gruppocomet.it>

Someone have a way to test in spamassassin envelope-from instead of from contained in headers ?

Mailscanner add envelope-from in header only when spamassassin already scanned it
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mark at msapiro.net Tue Apr 30 16:02:03 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 30 Apr 2019 09:02:03 -0700
Subject: envelope-from
In-Reply-To: <06fd3fd310be43048157500225b3306b@gruppocomet.it>
References: <06fd3fd310be43048157500225b3306b@gruppocomet.it>
Message-ID: <5ece2db5-5a53-a1bb-ad1f-5dfa282a35f3@msapiro.net>

On 4/30/19 3:27 AM, Nicola Piazzi wrote:
> Someone have a way to test in spamassassin envelope-from instead of from
> contained in headers ?
>
> Mailscanner add envelope-from in header only when spamassassin already
> scanned it

MTAs on final delivery are supposed to add a Return-Path: header with
the envelope sender address. Postfix does.

See RFC 5321, sec 4.4 and predecessors which says in part:

> When the delivery SMTP server makes the "final delivery" of a
> message, it inserts a return-path line at the beginning of the mail
> data. This use of return-path is required; mail systems MUST support
> it. The return-path line preserves the information in the
> <reverse-path> from the MAIL command. Here, final delivery means the message
> has left the SMTP environment. Normally, this would mean it had been
> delivered to the destination user or an associated mail drop, but in
> some cases it may be further processed and transmitted by another
> mail system.
--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From djones at ena.com Tue Apr 30 16:15:09 2019
From: djones at ena.com (David Jones)
Date: Tue, 30 Apr 2019 16:15:09 +0000
Subject: envelope-from
In-Reply-To: <5ece2db5-5a53-a1bb-ad1f-5dfa282a35f3@msapiro.net>
References: <06fd3fd310be43048157500225b3306b@gruppocomet.it> <5ece2db5-5a53-a1bb-ad1f-5dfa282a35f3@msapiro.net>
Message-ID: <56e44677-4a43-15a2-5e84-9a3a97247b22@ena.com>

> On 4/30/19 3:27 AM, Nicola Piazzi wrote:
>> Does someone have a way to test in spamassassin envelope-from instead of from
>> contained in headers?
>>
>> Mailscanner adds envelope-from in header only when spamassassin already
>> scanned it
>

Are you referring to this in SA rules?

header __ENV_FROM_DOCUSIGN_NET EnvelopeFrom =~ /\@docusign\.net/

--
David Jones

From mailscanner at replies.cyways.com Tue Apr 30 16:16:00 2019
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Tue, 30 Apr 2019 12:16:00 -0400
Subject: envelope-from
In-Reply-To: <06fd3fd310be43048157500225b3306b@gruppocomet.it>
References: <06fd3fd310be43048157500225b3306b@gruppocomet.it>
Message-ID: <518926d8-7833-da91-3e6a-5bc2a8a78b4f@replies.cyways.com>

The envelope-from appears in the Return-Path header, the header at the top of every message. I write SA rules that test on that.

On 4/30/19 6:27 AM, Nicola Piazzi wrote:
> Does someone have a way to test in spamassassin envelope-from instead of from
> contained in headers?
>
> Mailscanner adds envelope-from in header only when spamassassin already
> scanned it

From eschaeffer at cantella.com Tue Apr 30 15:13:29 2019
From: eschaeffer at cantella.com (Eric)
Date: Tue, 30 Apr 2019 11:13:29 -0400
Subject: Add External Email Warning in message body
Message-ID: <3c79f9e6-3208-1f58-2c2e-f63e930d9753@cantella.com>

Hi All,

I'm trying to add something along the lines of "Warning: This email is from an external source.
Please proceed with caution" etc etc, to the top of the body of any message from an external source. I've looked into doing this with the MTA (Exim in my case), and it doesn't seem possible. Is there a way to do this in MailScanner?

Thanks for your help!

--
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you receive this in error, please contact the sender and delete this material from any computer. Cantella does not permit execution of trades requested by email. Please call to ensure prompt execution of orders, as we are not responsible for orders transmitted through email. Investing involves risk and you may incur a profit or a loss. Please carefully consider investment objectives, risks, charges, and expenses before investing. Cantella & Co., Inc. does not provide legal or tax advice. For legal or tax advice, please seek the services of a qualified professional. The performance data featured represents past performance, which is no guarantee of future results. Mutual funds and UITs are sold by prospectus only. Please carefully consider the fund's investment objective, risks, charges and expenses applicable to a continued investment in the fund before investing. For this and other information, call or write for a free prospectus, or view one online. Read it carefully before you invest or send money. Fixed income is subject to availability and change in price. Bonds are subject to market and interest rate risk if sold prior to maturity. Interest rates increases can cause the price of a debt security to decrease. Interest income may be subject to federal, state, local, and/or alternative minimum tax. Cantella is not registered as a Municipal Advisor and is not acting in this capacity.
In accordance with industry regulations, all messages are retained and are subject to monitoring. This message has been scanned for viruses and dangerous content and is believed to be clean. Securities offered through Cantella & Co., Inc., Member FINRA/SIPC. Home Office: 350 Main Street 3rd Floor Malden, MA 02148 Telephone: (800)652-8358
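
The Return-Path approach from the envelope-from thread above (Mark Sapiro's and Peter Lemieux's replies), as an added Python example that is not part of any list post: it reads the envelope sender the way a post-delivery filter would, and covers the case raised in the original question, where the header is not present yet. The sample messages, their domains and the `classify` labels are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message after final delivery, Return-Path on top.
DELIVERED = (
    "Return-Path: <bounce-1234@mailer.example.net>\n"
    "Received: from mta.example.net by mx.example.org; Tue, 30 Apr 2019 09:00:00 -0700\n"
    'From: "DocuSign" <dse@docusign.net>\n'
    "Subject: Please sign\n"
    "\n"
    "body\n"
)
# Constructed sample: the same message before final delivery (no Return-Path yet).
IN_TRANSIT = DELIVERED.split("\n", 1)[1]
# Constructed sample: a bounce, whose envelope sender is the null path "<>".
BOUNCE = "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.org\n\nbody\n"

# Same pattern as the EnvelopeFrom rule quoted in the thread.
DOCUSIGN_NET = re.compile(r"@docusign\.net")


def envelope_from(raw):
    """Envelope sender from the topmost Return-Path header.

    Returns None when the header is absent (no final delivery yet) and
    "" for the null sender "<>" used by bounces.
    """
    values = message_from_string(raw).get_all("Return-Path")
    if not values:
        return None
    return parseaddr(values[0])[1].lower()


def classify(raw):
    """Compare the envelope sender's domain with the From: header's domain."""
    env = envelope_from(raw)
    if env is None:
        return "no-return-path"
    if env == "":
        return "null-sender"
    hdr = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
    same = env.rpartition("@")[2] == hdr.rpartition("@")[2]
    return "aligned" if same else "mismatch"


def rule_hits(raw):
    """Where the docusign.net pattern matches: (envelope sender, From: header)."""
    hdr = message_from_string(raw).get("From", "")
    return (bool(DOCUSIGN_NET.search(envelope_from(raw) or "")),
            bool(DOCUSIGN_NET.search(hdr)))
```

On the constructed delivered message the pattern matches the From: header but not the envelope sender, which is the difference a rule written against the envelope is meant to catch.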