From belle at bazuin.nl Wed Dec 4 13:26:16 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 4 Dec 2019 14:26:16 +0100
Subject: Email and attachments, some attachements disapear in mail client.
Message-ID:

Hai,

I have a problem with receiving email attachments.
The current system is running:

Operating System Version: Debian GNU/Linux 9 (stretch)
MailWatch Version: 1.2.12
Postfix Version: 3.1.12
MailScanner Version: 5.1.3
ClamAV Version:
SpamAssassin Version: 3.4.2
PHP Version: 7.0.33-0+deb9u6
MySQL Version: 10.1.41-MariaDB-0+deb9u1

After a customer upgraded its Exchange to 2019, I'm losing attachments.

I noticed if they send an email to userA and CC it to userB within the same network and email domain,
userA does NOT see the attachment (xls) and userB does have the xls files in the email.

What I also notice, in mailscanner/mailwatch, userA shows "winmail.dat" file, userB shows the xls file.
UserA never sees any attachments.

I'm suspecting it involves these settings; I already attempted to change:
Use TNEF Contents = replace to add.

Expand TNEF = yes
#Use TNEF Contents = replace
Use TNEF Contents = add
Deliver Unparsable TNEF = yes
TNEF Expander = /usr/bin/tnef --maxsize=350000000
TNEF Timeout = 120

Am I missing something here? I can figure out what is going on here.

Suggestions?

Greetz,

Louis

From belle at bazuin.nl Thu Dec 5 07:40:30 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 5 Dec 2019 08:40:30 +0100
Subject: Email and attachments, some attachements disapear in mail client.
In-Reply-To:
References:
Message-ID:

Hai Shawn,

With the raw message, you mean the content of the file in (non-spam) quarantine?

Greetz,

Louis

From: Shawn Iverson [mailto:shawniverson at gmail.com]
Sent: Wednesday, 4 December 2019 20:00
To: MailScanner Discussion
CC: L.P.H. van Belle
Subject: Re: Email and attachments, some attachements disapear in mail client.

Louis,

It would be interesting to see what a raw message looks like coming in from your mail server before it hits mailscanner and then after it is processed by mailscanner.

On Wed, Dec 4, 2019 at 8:27 AM L.P.H. van Belle via MailScanner wrote:

Hai,

I have a problem with receiving email attachments.
The current system is running:

Operating System Version: Debian GNU/Linux 9 (stretch)
MailWatch Version: 1.2.12
Postfix Version: 3.1.12
MailScanner Version: 5.1.3
ClamAV Version:
SpamAssassin Version: 3.4.2
PHP Version: 7.0.33-0+deb9u6
MySQL Version: 10.1.41-MariaDB-0+deb9u1

After a customer upgraded its Exchange to 2019, I'm losing attachments.

I noticed if they send an email to userA and CC it to userB within the same network and email domain,
userA does NOT see the attachment (xls) and userB does have the xls files in the email.

What I also notice, in mailscanner/mailwatch, userA shows "winmail.dat" file, userB shows the xls file.
UserA never sees any attachments.

I'm suspecting it involves these settings; I already attempted to change:
Use TNEF Contents = replace to add.

Expand TNEF = yes
#Use TNEF Contents = replace
Use TNEF Contents = add
Deliver Unparsable TNEF = yes
TNEF Expander = /usr/bin/tnef --maxsize=350000000
TNEF Timeout = 120

Am I missing something here? I can figure out what is going on here.

Suggestions?

Greetz,

Louis

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From mailinglists at feedmebits.nl Tue Dec 10 14:47:14 2019
From: mailinglists at feedmebits.nl (Maarten)
Date: Tue, 10 Dec 2019 15:47:14 +0100
Subject: MailScanner 5.2.1-1 Released
In-Reply-To:
References: <621c2c3f05464b35bc59d7d33200132d@City-Exch-DB2.cbj.local> <8d28ae89-1287-299d-d2d3-3e72720b08d3@msapiro.net> <6d6bec2142bb44abb6b39c07ef8f838d@City-Exch-DB2.cbj.local>
Message-ID:

Hello,

I am wanting to update my VPS mailserver with the latest mailscanner version.
Will this update break my DKIM signing for outgoing mails? If yes, what can I do about it? If not, awesome!

Maarten

On 2019-11-05 22:08, Shawn Iverson via MailScanner wrote:
> Kevin,
>
> Correct, which is why it is off initially by default.
>
> On Tue, Nov 5, 2019, 2:18 PM Kevin Miller via MailScanner
> wrote:
>
>> That's what I was concerned about. It may be moot, as I'm doing
>> DKIM/DMARC checking in Postfix so hopefully messages will pass
>> or fail DKIM (and hence, be accepted or rejected) prior to
>> MailScanner touching them. Definitely something to watch closely
>> and test before applying it to my production servers...
>>
>> ...Kevin
>> --
>> Kevin Miller
>> Network/email Administrator, CBJ MIS Dept.
>> 155 South Seward Street
>> Juneau, Alaska 99801
>> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No:
>> 307357
>>
>> -----Original Message-----
>> From: MailScanner
>>
>> On Behalf Of Mark Sapiro
>> Sent: Tuesday, November 5, 2019 10:10 AM
>> To: mailscanner at lists.mailscanner.info
>> Subject: Re: MailScanner 5.2.1-1 Released
>>
>> EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
>>
>> ________________________________
>>
>> On 11/5/19 11:01 AM, Kevin Miller via MailScanner wrote:
>>> Groovy.
>>> One quick question: Will the insertion of an "External message
>>> warning" affect DKIM/DMARC?
>>
>> It will modify the message body which will break any DKIM signature
>> which signs the body (hard to imagine one that doesn't) and thus
>> will cause any DMARC check that relies on DKIM (as opposed to SPF)
>> to fail.
>>
>> --
>> Mark Sapiro The highway is for gamblers,
>> San Francisco Bay Area, California better use your sense - B.
>> Dylan
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner

From mailinglists at feedmebits.nl Tue Dec 10 14:48:55 2019
From: mailinglists at feedmebits.nl (Maarten)
Date: Tue, 10 Dec 2019 15:48:55 +0100
Subject: MailScanner 5.2.1-1 Released
In-Reply-To:
References: <621c2c3f05464b35bc59d7d33200132d@City-Exch-DB2.cbj.local> <8d28ae89-1287-299d-d2d3-3e72720b08d3@msapiro.net> <6d6bec2142bb44abb6b39c07ef8f838d@City-Exch-DB2.cbj.local>
Message-ID: <80ac00154e3342c4af73f0209ce1af5e@feedmebits.nl>

And also DKIM verifying/checking for incoming mails?

On 2019-12-10 15:47, Maarten wrote:
> Hello,
>
> I am wanting to update my VPS mailserver with the latest mailscanner
> version.
> Will this update break my DKIM signing for outgoing mails? If yes, what
> can I do about it? If not, awesome!
>
> Maarten
>
> On 2019-11-05 22:08, Shawn Iverson via MailScanner wrote:
>> Kevin,
>>
>> Correct, which is why it is off initially by default.
>>
>> On Tue, Nov 5, 2019, 2:18 PM Kevin Miller via MailScanner
>> wrote:
>>
>>> That's what I was concerned about. It may be moot, as I'm doing
>>> DKIM/DMARC checking in Postfix so hopefully messages will pass
>>> or fail DKIM (and hence, be accepted or rejected) prior to
>>> MailScanner touching them. Definitely something to watch closely
>>> and test before applying it to my production servers...
>>>
>>> ...Kevin
>>> --
>>> Kevin Miller
>>> Network/email Administrator, CBJ MIS Dept.
>>> 155 South Seward Street
>>> Juneau, Alaska 99801
>>> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No:
>>> 307357
>>>
>>> -----Original Message-----
>>> From: MailScanner
>>>
>>> On Behalf Of Mark Sapiro
>>> Sent: Tuesday, November 5, 2019 10:10 AM
>>> To: mailscanner at lists.mailscanner.info
>>> Subject: Re: MailScanner 5.2.1-1 Released
>>>
>>> EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
>>>
>>> ________________________________
>>>
>>> On 11/5/19 11:01 AM, Kevin Miller via MailScanner wrote:
>>>> Groovy.
>>>> One quick question: Will the insertion of an "External message
>>>> warning" affect DKIM/DMARC?
>>>
>>> It will modify the message body which will break any DKIM signature
>>> which signs the body (hard to imagine one that doesn't) and thus
>>> will cause any DMARC check that relies on DKIM (as opposed to SPF)
>>> to fail.
>>>
>>> --
>>> Mark Sapiro The highway is for gamblers,
>>> San Francisco Bay Area, California better use your sense - B.
>>> Dylan
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner

From mark at msapiro.net Tue Dec 10 18:28:50 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 10 Dec 2019 10:28:50 -0800
Subject: MailScanner 5.2.1-1 Released
In-Reply-To: <80ac00154e3342c4af73f0209ce1af5e@feedmebits.nl>
References: <621c2c3f05464b35bc59d7d33200132d@City-Exch-DB2.cbj.local> <8d28ae89-1287-299d-d2d3-3e72720b08d3@msapiro.net> <6d6bec2142bb44abb6b39c07ef8f838d@City-Exch-DB2.cbj.local> <80ac00154e3342c4af73f0209ce1af5e@feedmebits.nl>
Message-ID: <9d46a387-b1c4-e5fc-ad72-baf0d2d8d184@msapiro.net>

On 12/10/19 6:48 AM, Maarten wrote:
> And also DKIM verifying/checking for incoming mails?
>
> On 2019-12-10 15:47, Maarten wrote:
>> Hello,
>>
>> I am wanting to update my VPS mailserver with the latest mailscanner
>> version.
>> Will this update break my DKIM signing for outgoing mails? If yes, what
>> can I do about it? If not, awesome!

I use opendkim for this, and the upgrade had no effect on DKIM
signing/verifying.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From mailinglists at feedmebits.nl Wed Dec 11 07:08:29 2019
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 11 Dec 2019 08:08:29 +0100
Subject: MailScanner 5.2.1-1 Released
In-Reply-To: <9d46a387-b1c4-e5fc-ad72-baf0d2d8d184@msapiro.net>
References: <621c2c3f05464b35bc59d7d33200132d@City-Exch-DB2.cbj.local> <8d28ae89-1287-299d-d2d3-3e72720b08d3@msapiro.net> <6d6bec2142bb44abb6b39c07ef8f838d@City-Exch-DB2.cbj.local> <80ac00154e3342c4af73f0209ce1af5e@feedmebits.nl> <9d46a387-b1c4-e5fc-ad72-baf0d2d8d184@msapiro.net>
Message-ID: <2c73c8d42ad7e63f76a4f8a545611a9c@feedmebits.nl>

Thanks! I thought to have read somewhere in a discussion that it broke DKIM for someone.
Going to upgrade then, thanks again for the new release! :)

On 2019-12-10 19:28, Mark Sapiro wrote:
> On 12/10/19 6:48 AM, Maarten wrote:
>> And also DKIM verifying/checking for incoming mails?
>>
>> On 2019-12-10 15:47, Maarten wrote:
>>> Hello,
>>>
>>> I am wanting to update my VPS mailserver with the latest mailscanner
>>> version.
>>> Will this update break my DKIM signing for outgoing mails? If yes,
>>> what
>>> can I do about it? If not, awesome!
>
>
> I use opendkim for this, and the upgrade had no effect on DKIM
> signing/verifying.
>
> --
> Mark Sapiro The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B.
Dylan

From kevin.miller at juneau.org Fri Dec 13 23:05:38 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 13 Dec 2019 23:05:38 +0000
Subject: ramdisk_store
Message-ID: <8c2402f755a14f4db0b40aff1e474b8e@City-Exch-DB2.cbj.local>

I noticed over 500 directories in /var/spool/MailScanner/incoming going back many months. I deleted them (they were all empty) and rebooted. They came right back. Doing a bit more sleuthing, I found the same bunch of ancient history in /var/spool/MailScanner/ramdisk_store. I deleted the directories (they were all empty) from both locations and they stayed gone.

Shouldn't ramdisk_store be cleaned up by the system? Since /var/spool/MailScanner/incoming is a tmpfs, it will clear out when the machine is rebooted, of course, but whatever is supposed to be cleaning ramdisk_store doesn't seem to be.

I'm running MailScanner Version: 5.1.3 on Debian Buster.

Thanks...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From gmarr at jen.bz Mon Dec 16 18:11:47 2019
From: gmarr at jen.bz (gmarr at jen.bz)
Date: Mon, 16 Dec 2019 13:11:47 -0500
Subject: clamd lstat error
Message-ID: <47f6484d8f8f0845af3e56c540e65418.squirrel@mail.jen.bz>

Ubuntu 16.04 with clamav-daemon 0.101.4. Lint test is giving the error below;

Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied.

In mailscanner.conf I have;

Run As User = postfix
Run As Group = postfix
Incoming Work User = clamav
Incoming Work Group = mtagroup

clamdscan will only work with the --fdpass option

# clamdscan --fdpass /home/george
/home/george: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.050 sec (0 m 0 s)

I've seen some threads saying that I need to change AllowSupplementaryGroups from false to true in the file /etc/clamav/clamd.conf. But that setting has been deprecated.

WARNING: Ignoring deprecated option AllowSupplementaryGroups

Anyone get this to work?

From mark at msapiro.net Tue Dec 17 04:40:10 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 16 Dec 2019 20:40:10 -0800
Subject: clamd lstat error
In-Reply-To: <47f6484d8f8f0845af3e56c540e65418.squirrel@mail.jen.bz>
References: <47f6484d8f8f0845af3e56c540e65418.squirrel@mail.jen.bz>
Message-ID: <20e5a9df-ab20-ca33-f139-898b35a08b1e@msapiro.net>

On 12/16/19 10:11 AM, gmarr at jen.bz wrote:
>
> Anyone get this to work?

I use

Incoming Work User = postfix
Incoming Work Group = clamav

chmod 2770 /var/spool/MailScanner/
chown postfix:clamav /var/spool/MailScanner/

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From wcolburn at nrao.edu Thu Dec 19 21:12:13 2019
From: wcolburn at nrao.edu (William D. Colburn)
Date: Thu, 19 Dec 2019 14:12:13 -0700
Subject: Mailscanner passing a virus
Message-ID: <20191219211213.GA70762@zia.aoc.nrao.edu>

One of our users got a virus today. A Mal/DocDl-K word document. I've resent it to myself multiple times, and MailScanner knows it is a virus in the maillog file:

Dec 19 13:10:01 revere MailScanner[25330]: >>> Virus 'Mal/DocDl-K' found in file /var/pool/MailScanner/incoming/25330/xBJK9VH2030335/nbonus 2019.doc

But no {VIRUS?} tag is added to the subject line and no headers are added to the email, so it gets delivered as normal, which is less than ideal.

But I'm kind of stumped as to what I need to look at or debug.

MailScanner version is 5.0.3 with sendmail running on RHEL6.10.

Any advice is appreciated.

--Schlake

From Antony.Stone at mailscanner.open.source.it Thu Dec 19 21:18:24 2019
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Thu, 19 Dec 2019 22:18:24 +0100
Subject: Mailscanner passing a virus
In-Reply-To: <20191219211213.GA70762@zia.aoc.nrao.edu>
References: <20191219211213.GA70762@zia.aoc.nrao.edu>
Message-ID: <201912192218.24606.Antony.Stone@mailscanner.open.source.it>

On Thursday 19 December 2019 at 22:12:13, William D. Colburn wrote:

> One of our users got a virus today. A Mal/DocDl-K word document. I've
> resent it to myself multiple times, and MailScanner knows it is a virus
> in the maillog file:
>
> Dec 19 13:10:01 revere MailScanner[25330]: >>> Virus 'Mal/DocDl-K' found in
> file /var/pool/MailScanner/incoming/25330/xBJK9VH2030335/nbonus 2019.doc

Did the same thing appear for the initial delivery to the "user"?

> But no {VIRUS?} tag is added to the subject line and no headers are
> added to the email, so it gets delivered as normal, which is less than
> ideal.

Presumably this *does* happen when you send something such as EICAR into the same address?

> But I'm kind of stumped as to what I need to look at or debug.

Show us your MailScanner config file, and tell us how MailScanner is connected in to your mail delivery system, as a start.

Antony.

--
The next sentence is true. The previous sentence is untrue.

Please reply to the list; please *don't* CC me.

From wcolburn at nrao.edu Thu Dec 19 21:35:00 2019
From: wcolburn at nrao.edu (William D. Colburn)
Date: Thu, 19 Dec 2019 14:35:00 -0700
Subject: Mailscanner passing a virus
In-Reply-To: <201912192218.24606.Antony.Stone@mailscanner.open.source.it>
References: <20191219211213.GA70762@zia.aoc.nrao.edu> <201912192218.24606.Antony.Stone@mailscanner.open.source.it>
Message-ID: <20191219213500.GA71633@zia.aoc.nrao.edu>

On Thu, Dec 19, 2019 at 10:18:24PM +0100, Antony Stone wrote:
>Did the same thing appear for the initial delivery to the "user"?

We have three border mailscanners, and only my mailscanner is detecting the virus. The original came through one of the others and passed into exchange. It looks like the virus definition came shortly after it arrived. So, the answer is no.

>Presumably this *does* happen when you send something such as EICAR into the
>same address?

I haven't tried an EICAR, but we get lots of viruses, and I see lots of {VIRUS?} tags in the procmail logs for the server, and I verified that a mail seen as a virus in the maillogs was tagged as a virus in the subject. So that is working in general.

>Show us your MailScanner config file, and tell us how MailScanner is connected
>in to your mail delivery system, as a start.

I'll attach the mailscanner.conf

--Schlake
-------------- next part --------------
%org-name% = NRAO-AOC
%org-long-name% = National Radio Astronomy Observatory: Socorro, New Mexico
%web-site% = https://info.nrao.edu/computing/guide/MAIL/spam
%etc-dir% = /etc/MailScanner
%report-dir% = /usr/share/MailScanner/reports/en
%rules-dir% = /etc/MailScanner/rules
%mcp-dir% = /etc/MailScanner/mcp
Max Children = 10
Run As User =
Run As Group =
Queue Scan Interval = 5
Incoming Queue Dir = /var/spool/mqueue.in
Outgoing Queue Dir = /var/spool/mqueue
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 7200
MTA = sendmail
Sendmail = /usr/lib/sendmail
Sendmail2 = /usr/lib/sendmail
Incoming Work User =
Incoming Work Group = mtagroup
Incoming Work Permissions = 0660
Quarantine User =
Quarantine Group =
Quarantine Permissions = 0660
Max Unscanned Bytes Per Scan = 130m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Scan Messages = yes
Reject Message = no
Maximum Processing Attempts = 6
Processing Attempts Database = /var/spool/MailScanner/incoming/Processing.db
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 30
File Command = /usr/bin/file
File Timeout = 20
Gunzip Command = /bin/gunzip
Gunzip Timeout = 50
Unrar Command = /usr/bin/unrar
Unrar Timeout = 50
Find UU-Encoded Files = no
Maximum Message Size = 104857600
Maximum Attachment Size = 104857600
Minimum Attachment Size = -1
Maximum Archive Depth = 4
Find Archives By Content = yes
Unpack Microsoft Documents = yes
Zip Attachments = no
Attachments Zip Filename = MessageAttachments.zip
Attachments Min Total Size To Zip = 100k
Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
Add Text Of Doc = no
Antiword = /usr/bin/antiword -f
Antiword Timeout = 50
Unzip Maximum Files Per Archive = 0
Unzip Maximum File Size = 50k
Unzip Filenames = *.txt *.ini *.log *.csv
Unzip MimeType = text/plain
Virus Scanning = yes
Virus Scanners = sophos
Virus Scanner Timeout = 300
Deliver Disinfected Files = yes
Silent Viruses = HTML-IFrame
Still Deliver Silent Viruses = yes
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
Block Encrypted Messages = no
Block Unencrypted Messages = no
Allow Password-Protected Archives = %rules-dir%/password-protected.rules
Check Filenames In Password-Protected Archives = yes
Allowed Sophos Error Messages = "Password protected file", "Message contained password-protected archive", "Attempt to hide real filename extension"
Sophos IDE Dir = /opt/services/sophos-av/lib/sav
Sophos Lib Dir = /opt/services/sophos-av/lib
Monitors For Sophos Updates = /opt/services/sophos-av/lib/sav/*.ide
Monitors for ClamAV Updates = /usr/local/share/clamav/*.cld /usr/local/share/clamav/*.cvd /var/lib/clamav/*.inc/* /var/lib/clamav/*.?db /var/lib/clamav/*.cvd
ClamAVmodule Maximum Recursion Level = 8
ClamAVmodule Maximum Files = 1000
ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
ClamAVmodule Maximum Compression Ratio = 250
Clamd Port = 3310
Clamd Socket = /var/run/clamav/clamd.sock
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = yes
ClamAV Full Message Scan = yes
Fpscand Port = 10200
Dangerous Content Scanning = %rules-dir%/disarmscripts.rules
Allow Partial Messages = no
Allow External Message Bodies = no
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf
Country Sub-Domains List = %etc-dir%/country.domains.conf
Allow IFrame Tags = yes
Allow Form Tags = yes
Allow Script Tags = disarm
Allow WebBugs = disarm
Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap shim
Known Web Bug Servers = msgtag.com
Web Bug Replacement = http://www.nrao.edu/1x1spacer.gif
Allow Object Codebase Tags = no
Convert Dangerous HTML To Text = no
Convert HTML To Text = no
Archives Are = zip rar ole
Allow Filenames =
Deny Filenames =
Filename Rules = %etc-dir%/filename.rules.conf
Allow Filetypes =
Allow File MIME Types =
Deny Filetypes =
Deny File MIME Types =
Filetype Rules = %etc-dir%/filetype.rules.conf
Archives: Allow Filenames =
Archives: Deny Filenames =
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
Archives: Allow Filetypes =
Archives: Allow File MIME Types =
Archives: Deny Filetypes =
Archives: Deny File MIME Types =
Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
Default Rename Pattern = __FILENAME__.disarmed
Quarantine Infections = yes
Quarantine Silent Viruses = yes
Quarantine Modified Body = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = yes
Keep Spam And MCP Archive Clean = no
Language Strings = %report-dir%/languages.conf
Rejection Report = %report-dir%/rejection.report.txt
Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
Deleted Size Message Report = %report-dir%/deleted.size.message.txt
Stored Bad Content Message Report = %report-dir%/stored.content.message.txt
Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
Stored Virus Message Report = %report-dir%/stored.virus.message.txt
Stored Size Message Report = %report-dir%/stored.size.message.txt
Disinfected Report = %report-dir%/disinfected.report.txt
Signature Image Filename = %report-dir%/sig.jpg
Signature Image Filename = signature.jpg
Inline HTML Warning = %report-dir%/inline.warning.html
Inline Text Warning = %report-dir%/inline.warning.txt
Sender Content Report = %report-dir%/sender.content.report.txt
Sender Error Report = %report-dir%/sender.error.report.txt
Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
Sender Virus Report = %report-dir%/sender.virus.report.txt
Sender Size Report = %report-dir%/sender.size.report.txt
Hide Incoming Work Dir = yes
Include Scanner Name In Reports = no
Mail Header = X-MailScanner:
Spam Header = X-%org-name%-MailScanner-SpamCheck:
Spam Score Header = X-MailScanner-SpamScore:
Information Header = X-MailScanner-Information:
Add Envelope From Header = yes
Add Envelope To Header = no
Envelope From Header = X-MailScanner-From:
Envelope To Header = X-MailScanner-To:
ID Header =
IP Protocol Version Header = # X-%org-name%-MailScanner-IP-Protocol:
Spam Score Character = s
SpamScore Number Instead Of Stars = no
Minimum Stars If On Spam List = 5
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
Information Header Value = Please contact the postmaster at aoc.nrao.edu for more information
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Multiple Headers = add
Place New Headers At Top Of Message = no
Hostname = The %org-name% MailScanner
Sign Messages Already Processed = no
Sign Clean Messages = no
Attach Image To Signature = no
Attach Image To HTML Message Only = yes
Allow Multiple HTML Signatures = no
Dont Sign HTML If Headers Exist = # In-Reply-To: References:
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = Not scanned: please contact postmaster at aoc.nrao.edu for details
Remove These Headers =
Deliver Cleaned Messages = yes
Notify Senders = yes
Notify Senders Of Viruses = no
Notify Senders Of Blocked Filenames Or Filetypes = no
Notify Senders Of Blocked Size Attachments = yes
Notify Senders Of Other Blocked Content = no
Never Notify Senders Of Precedence = list bulk
Scanned Modify Subject = no # end
Scanned Subject Text = {Scanned}
Virus Modify Subject = start
Virus Subject Text = {VIRUS?}
Filename Modify Subject = start
Filename Subject Text = {VIRUS?}
Content Modify Subject = start
Content Subject Text = {Dangerous Content?}
Size Modify Subject = start
Size Subject Text = {SIZE!}
Disarmed Modify Subject = start
Disarmed Subject Text = {Disarmed}
Phishing Modify Subject = no
Phishing Subject Text = {Fraud?}
Spam Modify Subject = start
Spam Subject Text = {SPAM?}
High Scoring Spam Modify Subject = start
High Scoring Spam Subject Text = {SPAM?}
Warning Is Attachment = yes
Attachment Warning Filename = %org-name%-Attachment-Warning.txt
Attachment Encoding Charset = ISO-8859-1
Archive Mail =
Missing Mail Archive Is = directory
Send Notices = no
Notices Include Full Headers = yes
Hide Incoming Work Dir in Notices = no
Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info
Notices From = MailScanner
Notices To = postmaster at aoc.nrao.edu
Local Postmaster = postmaster at aoc.nrao.edu
Spam List Definitions = %etc-dir%/spam.lists.conf
Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
Spam Checks = yes
Spam List = SPAMHAUS
Spam Domain List =
Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 5
Spam List Timeout = 10
Max Spam List Timeouts = 7
Spam List Timeouts History = 10
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
Is Definitely Spam = no
Definite Spam Is High Scoring = no
Ignore Spam Whitelist If Recipients Exceed = 20
Max Spam Check Size = 2048k
Use Watermarking = no
Add Watermark = yes
Check Watermarks With No Sender = yes
Treat Invalid Watermarks With No Sender as Spam = nothing
Check Watermarks To Skip Spam Checks = yes
Watermark Secret = %org-name%-Secret
Watermark Lifetime = 604800
Watermark Header = X-%org-name%-MailScanner-Watermark:
Use SpamAssassin = yes
Max SpamAssassin Size = 200k trackback
Required SpamAssassin Score = 5
High SpamAssassin Score = 10
SpamAssassin Auto Whitelist = no
SpamAssassin Timeout = 900
Max SpamAssassin Timeouts = 10
SpamAssassin Timeouts History = 30
Check SpamAssassin If On Spam List = no
Include Binary Attachments In SpamAssassin = no
Spam Score = yes
Cache SpamAssassin Results = yes
SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Rebuild Bayes Every = 0
Wait During Bayes Rebuild = no
Use Custom Spam Scanner = no
Max Custom Spam Scanner Size = 20k
Custom Spam Scanner Timeout = 20
Max Custom Spam Scanner Timeouts = 10
Custom Spam Scanner Timeout History = 20
Spam Actions = deliver header "X-Spam-Status: Yes"
High Scoring Spam Actions = deliver header "X-Spam-Status: Yes"
Non Spam Actions = deliver header "X-Spam-Status: No"
SpamAssassin Rule Actions =
Sender Spam Report = %report-dir%/sender.spam.report.txt
Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
Inline Spam Warning = %report-dir%/inline.spam.warning.txt
Recipient Spam Report = %report-dir%/recipient.spam.report.txt
Enable Spam Bounce = %rules-dir%/bounce.rules
Bounce Spam As Attachment = no
Syslog Facility = mail
Log Speed = no
Log Spam = yes
Log Non Spam = yes
Log Delivery And Non-Delivery = no
Log Permitted Filenames = no
Log Permitted Filetypes = no
Log Permitted File MIME Types = no
Log Silent Viruses = no
Log Dangerous HTML Tags = no
Log SpamAssassin Rule Actions = yes
SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin User State Dir =
SpamAssassin Install Prefix =
SpamAssassin Site Rules Dir = /etc/mail/spamassassin
SpamAssassin Local Rules Dir =
SpamAssassin Local State Dir = # /var/lib/spamassassin
SpamAssassin Default Rules Dir =
DB DSN =
DB Username =
DB Password =
SQL Serial Number =
SQL Quick Peek =
SQL Config =
SQL Ruleset =
SQL SpamAssassin Config =
SQL Debug = no
MCP Checks = no
First Check = spam
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1
MCP Header = X-%org-name%-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = deliver
Bounce MCP As Attachment = no
MCP Modify Subject = start
MCP Subject Text = {MCP?}
High Scoring MCP Modify Subject = start
High Scoring MCP Subject Text = {MCP?}
Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = no
Detailed MCP Report = yes
Include Scores In MCP Report = no
Log MCP = no
MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100k
MCP SpamAssassin Timeout = 10
MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spamassassin.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt
Use Default Rules With Multiple Recipients = no
Read IP Address From Received Header = no
Spam Score Number Format = %d
MailScanner Version Number = 5.0.3
SpamAssassin Cache Timings = 1800,300,10800,172800,600
Debug = no
Debug SpamAssassin = no
Run In Foreground = no
Always Looked Up Last = no
Always Looked Up Last After Batch = no
Deliver In Background = yes
Delivery Method = batch
Split Exim Spool = no
Lockfile Dir = /var/spool/MailScanner/incoming/Locks
Custom Functions Dir = /usr/share/MailScanner/perl/custom
Lock Type =
Syslog Socket Type =
Automatic Syntax Check = yes
Minimum Code Status = supported
include /etc/MailScanner/conf.d/*

From Antony.Stone at mailscanner.open.source.it Thu Dec 19 21:44:53 2019
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Thu, 19 Dec 2019 22:44:53 +0100
Subject: Mailscanner passing a virus
In-Reply-To: <20191219213500.GA71633@zia.aoc.nrao.edu>
References: <20191219211213.GA70762@zia.aoc.nrao.edu> <201912192218.24606.Antony.Stone@mailscanner.open.source.it> <20191219213500.GA71633@zia.aoc.nrao.edu>
Message-ID: <201912192244.54226.Antony.Stone@mailscanner.open.source.it>

On Thursday 19 December 2019 at 22:35:00, William D. Colburn wrote:

> On Thu, Dec 19, 2019 at 10:18:24PM +0100, Antony Stone wrote:
> >Did the same thing appear for the initial delivery to the "user"?
>
> We have three border mailscanners, and only my mailscanner is detecting
> the virus. The original came through one of the others and passed into
> exchange. It looks like the virus definition came shortly after it
> arrived. So, the answer is no.

So, that sounds like the virus arrived with your user before Sophos had updated their scanner detection library for it. By the time you tested, they *had* updated their library.

> >Presumably this *does* happen when you send something such as EICAR into
> >the same address?
>
> I haven't tried an EICAR, but we get lots of viruses, and I see lots of
> {VIRUS?} tags in the procmail logs for the server, and I verified that a
> mail seen as a virus in the maillogs was tagged as a virus in the
> subject. So that is working in general.

Okay, so, working in general, but not for this one...

> >Show us your MailScanner config file, and tell us how MailScanner is
> >connected in to your mail delivery system, as a start.
>
> I'll attach the mailscanner.conf

I assume it's the same on all three servers.

I also expect that if you send the same email (with the same viral attachment) to the same user who originally received it, it'll now get detected and blocked.

If not, please post the headers of the email they do receive so we can see how MS processed it.

Antony,

--
Schrödinger's rule of data integrity: the condition of any backup is unknown until a restore is attempted.

Please reply to the list; please *don't* CC me.

From wcolburn at nrao.edu Thu Dec 19 21:53:28 2019
From: wcolburn at nrao.edu (William D. Colburn)
Date: Thu, 19 Dec 2019 14:53:28 -0700
Subject: Mailscanner passing a virus
In-Reply-To: <201912192244.54226.Antony.Stone@mailscanner.open.source.it>
References: <20191219211213.GA70762@zia.aoc.nrao.edu>
 <201912192218.24606.Antony.Stone@mailscanner.open.source.it>
 <20191219213500.GA71633@zia.aoc.nrao.edu>
 <201912192244.54226.Antony.Stone@mailscanner.open.source.it>
Message-ID: <20191219215328.GA72825@zia.aoc.nrao.edu>

On Thu, Dec 19, 2019 at 10:44:53PM +0100, Antony Stone wrote:
>I also expect that if you send the same email (with the same viral attachment)
>to the same user who originally received it, it'll now get detected and
>blocked.

No, that's the problem, it's not getting detected and blocked. It is passing through mailscanner.

>If not, please post the headers of the email they do receive so we can see how
>MS processed it.

I'll attach.

--Schlake
-------------- next part --------------
A non-text attachment was scrubbed...
Name: maillog.1
Type: application/x-troff-man
Size: 1137 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: headers.1
Type: application/x-troff-man
Size: 1723 bytes
Desc: not available
URL:

From Antony.Stone at mailscanner.open.source.it Thu Dec 19 22:07:04 2019
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Thu, 19 Dec 2019 23:07:04 +0100
Subject: Mailscanner passing a virus
In-Reply-To: <20191219215328.GA72825@zia.aoc.nrao.edu>
References: <20191219211213.GA70762@zia.aoc.nrao.edu>
 <201912192244.54226.Antony.Stone@mailscanner.open.source.it>
 <20191219215328.GA72825@zia.aoc.nrao.edu>
Message-ID: <201912192307.05220.Antony.Stone@mailscanner.open.source.it>

On Thursday 19 December 2019 at 22:53:28, William D. Colburn wrote:

> On Thu, Dec 19, 2019 at 10:44:53PM +0100, Antony Stone wrote:
> >I also expect that if you send the same email (with the same viral
> >attachment) to the same user who originally received it, it'll now get
> >detected and blocked.
>
> No, that's the problem, it's not getting detected and blocked. It is
> passing through mailscanner.

Err..!?

> >If not, please post the headers of the email they do receive so we can see
> >how MS processed it.
>
> I'll attach.

Okay, that I find weird.

Sorry, but I'm going to defer to someone else with a better viewpoint than I have, because if you have 3 MS instances configured in the same way, and one is blocking due to a detected virus, and another is detecting but not blocking, I'm not sure what to say next.

Antony.

--
It is also possible that putting the birds in a laboratory setting inadvertently renders them relatively incompetent. - Daniel C Dennett

Please reply to the list; please *don't* CC me.

From johne14419 at gmail.com Fri Dec 20 00:41:11 2019
From: johne14419 at gmail.com (John E)
Date: Thu, 19 Dec 2019 19:41:11 -0500
Subject: Mailscanner passing a virus
Message-ID:

> One of our users got a virus today. A Mal/DocDl-K word document.
> I've resent it to myself multiple times, and MailScanner knows it is a virus
> in the maillog file:
>
> Dec 19 13:10:01 revere MailScanner[25330]: >>> Virus 'Mal/DocDl-K' found
> in file /var/pool/MailScanner/incoming/25330/xBJK9VH2030335/nbonus
> 2019.doc
>
> But no {VIRUS?} tag is added to the subject line and no headers are
> added to the email, so it gets delivered as normal, which is less than
> ideal.
>
> But I'm kind of stumped as what I need to look at or debug.
>
> MailScanner version is 5.0.3 with sendmail running on RHEL6.10. Any
> advice is appreciated.
>

Version 5.0.3 is quite old now (2016 vintage?). The "/var/pool" instead of "/var/spool" part of the path above is an indication of a sophos/AVG specific bug in Mailscanner that got fixed in version v5.1.3-2

01/27/2019 Changes in v5.1.3-2
==================================
...
- Fix AVG output parsing in SweepViruses.pm
- Fix absolute path in Sophos output parsing in SweepViruses.pm

I suggest upgrading to the latest version to get that bug fixed.

John
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gmarr at jen.bz Sun Dec 22 16:54:26 2019
From: gmarr at jen.bz (gmarr at jen.bz)
Date: Sun, 22 Dec 2019 11:54:26 -0500
Subject: missing avastBusy.lock file
Message-ID: <0ffd0a56ea7e6eda97a9af2e26d98e94.squirrel@mail.jen.bz>

Gave up on clamd and got Avast. lint did not like any of the options in SweepViruses.pm so I took them out. Also I set Prog=bin/avast in avast-wrapper. Now I am missing the avastBusy.lock file. Any way to get this? I looked back at some of my old distros and the file was not in them either.

MailScanner.conf says "Virus Scanners = avast"
Found these virus scanners installed: avast, clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Cannot lock /var/spool/MailScanner/incoming/Locks/avastBusy.lock, No such file or directory at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 789.

From mark at msapiro.net Sun Dec 22 19:23:47 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 22 Dec 2019 11:23:47 -0800
Subject: missing avastBusy.lock file
In-Reply-To: <0ffd0a56ea7e6eda97a9af2e26d98e94.squirrel@mail.jen.bz>
References: <0ffd0a56ea7e6eda97a9af2e26d98e94.squirrel@mail.jen.bz>
Message-ID:

On 12/22/19 8:54 AM, gmarr at jen.bz wrote:
> Gave up on clamd and got Avast. lint did not like any of the options in
> SweepViruses.pm so I took them out. Also I set Prog=bin/avast in
> avast-wrapper. Now I am missing the avastBusy.lock file. Any way to get
> this? I looked back at some of my old distros and the file was not in
> them either.

The command ms-create-locks normally creates these, but only those files for which there is a *-autoupdate file in /usr/lib/MailScanner/wrapper/. However, you can just `touch /var/spool/MailScanner/incoming/Locks/avastBusy.lock` to create the file and then set its owner, group and mode the same as the other files in the Locks directory.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B.
Dylan

From mailscanner-list at okla.com Mon Dec 23 13:23:18 2019
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Mon, 23 Dec 2019 07:23:18 -0600
Subject: Outlook .dat files detected as DOS executable by Linux file binary
Message-ID: <1dd401d5b994$25132e10$6f398a30$@okla.com>

Both Centos 7 and Ubuntu 18.04 LTS file commands return for example 240000.dat: DOS executable (block device driver) on all Outlook received emails with attachments. The .dat file names differ with each email, I never see winmail.dat but what I do see is that whatever the .dat file is normally contains the attachment and the message.

I hate to completely disable the feature:

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = /usr/bin/file

What is the current workaround for this issue, and what do you recommend for TNEF settings in MailScanner.conf?

Thanks and Happy Holidays everyone!

Tracy Greggs
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From it at festa.bg Mon Dec 23 13:57:59 2019
From: it at festa.bg (Valentin Laskov)
Date: Mon, 23 Dec 2019 15:57:59 +0200
Subject: Outlook .dat files detected as DOS executable by Linux file binary
In-Reply-To: <1dd401d5b994$25132e10$6f398a30$@okla.com>
References: <1dd401d5b994$25132e10$6f398a30$@okla.com>
Message-ID:

Try

/usr/bin/file --mime-type 240000.dat

If you like the result, you can make

File Command = /usr/local/bin/file-wrapper

#cat /usr/local/bin/file-wrapper
#!/bin/bash
#
#
/usr/bin/file --mime-type "$1"

Cheers! :)

On 23.12.2019 at 15:23, Tracy Greggs via MailScanner wrote:
>
> Both Centos 7 and Ubuntu 18.04 LTS file commands return for example
> 240000.dat: DOS executable (block device driver) on all Outlook
> received emails with attachments.
> The .dat file names differ with
> each email, I never see winmail.dat but what I do see is that whatever
> the .dat file is normally contains the attachment and the message.
>
> I hate to completely disable the feature:
>
> # Where the "file" command is installed.
>
> # This is used for checking the content type of files, regardless of their
>
> # filename.
>
> # To disable Filetype checking, set this value to blank.
>
> File Command = /usr/bin/file
>
> What is the current workaround for this issue, and what do you
> recommend for TNEF settings in MailScanner.conf?
>
> Thanks and Happy Holidays everyone!
>
> Tracy Greggs
>
>
>

--
????????!
???????? ??????
???????? ?????????????
"????? ???????" ??
???. "??. ?????????" 48
9000 ??. ?????
???.: +359 52 669137
GSM: +359 888 669137
Fax: +359 52 669110
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mailscanner-list at okla.com Mon Dec 23 18:15:39 2019
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Mon, 23 Dec 2019 12:15:39 -0600
Subject: Outlook .dat files detected as DOS executable by Linux file binary
In-Reply-To:
References: <1dd401d5b994$25132e10$6f398a30$@okla.com>
Message-ID: <1e4401d5b9bc$fc0b3200$f4219600$@okla.com>

Interestingly enough, with the mime-type directive it comes back as text/plain where without it comes back as an executable block device driver.

So the filesystems test must be where the issue resides?

Thanks,

Tracy

From: MailScanner [mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info] On Behalf Of Valentin Laskov
Sent: Monday, December 23, 2019 7:58 AM
To: mailscanner at lists.mailscanner.info >> MailScanner discussion
Subject: Re: Outlook .dat files detected as DOS executable by Linux file binary

Try

/usr/bin/file --mime-type 240000.dat

If you like the result, you can make

File Command = /usr/local/bin/file-wrapper

#cat /usr/local/bin/file-wrapper
#!/bin/bash
#
#
/usr/bin/file --mime-type "$1"

Cheers! :)

On 23.12.2019 at 15:23, Tracy Greggs via MailScanner wrote:

Both Centos 7 and Ubuntu 18.04 LTS file commands return for example 240000.dat: DOS executable (block device driver) on all Outlook received emails with attachments. The .dat file names differ with each email, I never see winmail.dat but what I do see is that whatever the .dat file is normally contains the attachment and the message.

I hate to completely disable the feature:

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = /usr/bin/file

What is the current workaround for this issue, and what do you recommend for TNEF settings in MailScanner.conf?

Thanks and Happy Holidays everyone!

Tracy Greggs

--
????????!
???????? ??????
???????? ?????????????
"????? ???????" ??
???. "??. ?????????" 48
9000 ??. ?????
???.: +359 52 669137
GSM: +359 888 669137
Fax: +359 52 669110
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From info at digitalessence.net Mon Dec 23 12:22:41 2019
From: info at digitalessence.net (Hedley Phillips)
Date: Mon, 23 Dec 2019 12:22:41 -0000
Subject: How do I block and not deliver Blacklisted emails?
Message-ID: <025101d5b98b$ac3fc230$04bf4690$@digitalessence.net>

Hi,

I'm blacklisting a few .tld's that are known sources of spam and currently blacklisted emails are being delivered as High Scoring spam as per these two settings:

Is Definitely Spam = %rules-dir%/spam.blacklist.rules

Spam Blacklist:
Make this point to a ruleset, and anything in that ruleset whose value is "yes" will *always* be marked as spam. This value can be over-ridden by the "Is Definitely Not Spam" setting. This can also be the filename of a ruleset.

Definite Spam Is High Scoring = yes
Setting this to yes means that spam found in the blacklist is treated as "High Scoring Spam" in the "Spam Actions" section below.
Setting it to no means that it will be treated as "normal" spam. This can also be the filename of a ruleset.

I have a customer who has set High Scoring Spam to be delivered to their spam account as they don't want High Scoring spam to be deleted but also doesn't want to receive any blacklisted tld's.

Is there a way to block blacklisted emails without marking them as High Scoring spam and delivering them?

Thanks

From kevin.miller at juneau.org Mon Dec 23 18:38:05 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Mon, 23 Dec 2019 18:38:05 +0000
Subject: How do I block and not deliver Blacklisted emails?
In-Reply-To: <025101d5b98b$ac3fc230$04bf4690$@digitalessence.net>
References: <025101d5b98b$ac3fc230$04bf4690$@digitalessence.net>
Message-ID: <39eb27a217ee47708ee731dbacca1f03@City-Exch-DB2.cbj.local>

Block that at the MTA level. I.e., reject them in postfix, sendmail, exim, or whatever you use. No point in accepting the mail and wasting CPU cycles passing it to MailScanner if it's in a blacklisted TLD.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

-----Original Message-----
From: MailScanner On Behalf Of Hedley Phillips
Sent: Monday, December 23, 2019 3:23 AM
To: mailscanner at lists.mailscanner.info
Subject: How do I block and not deliver Blacklisted emails?

EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
________________________________

Hi,

I'm blacklisting a few .tld's that are known sources of spam and currently blacklisted emails are being delivered as High Scoring spam as per these two settings:

Is Definitely Spam = %rules-dir%/spam.blacklist.rules

Spam Blacklist:
Make this point to a ruleset, and anything in that ruleset whose value is "yes" will *always* be marked as spam. This value can be over-ridden by the "Is Definitely Not Spam" setting. This can also be the filename of a ruleset.

Definite Spam Is High Scoring = yes
Setting this to yes means that spam found in the blacklist is treated as "High Scoring Spam" in the "Spam Actions" section below. Setting it to no means that it will be treated as "normal" spam. This can also be the filename of a ruleset.

I have a customer who has set High Scoring Spam to be delivered to their spam account as they don't want High Scoring spam to be deleted but also doesn't want to receive any blacklisted tld's.

Is there a way to block blacklisted emails without marking them as High Scoring spam and delivering them?

Thanks

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From maxsec at gmail.com Tue Dec 24 08:57:53 2019
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 24 Dec 2019 08:57:53 +0000
Subject: How do I block and not deliver Blacklisted emails?
In-Reply-To: <39eb27a217ee47708ee731dbacca1f03@City-Exch-DB2.cbj.local>
References: <025101d5b98b$ac3fc230$04bf4690$@digitalessence.net>
 <39eb27a217ee47708ee731dbacca1f03@City-Exch-DB2.cbj.local>
Message-ID:

look at the High Scoring Spam Actions settings

https://www.mailscanner.info/MailScanner.conf.index.html#High%20Scoring%20Spam%20Actions

--
Martin Hepworth, CISSP
Oxford, UK

On Mon, 23 Dec 2019 at 18:38, Kevin Miller via MailScanner <
mailscanner at lists.mailscanner.info> wrote:

> Block that at the MTA level. I.e., reject them in postfix, sendmail,
> exim, or whatever you use. No point in accepting the mail and wasting CPU
> cycles passing it to MailScanner if it's in a blacklisted TLD.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
>
> -----Original Message-----
> From: MailScanner juneau.org at lists.mailscanner.info> On Behalf Of Hedley Phillips
> Sent: Monday, December 23, 2019 3:23 AM
> To: mailscanner at lists.mailscanner.info
> Subject: How do I block and not deliver Blacklisted emails?
>
> EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
>
> ________________________________
>
> Hi,
>
> I'm blacklisting a few .tld's that are known sources of spam and currently
> blacklisted emails are being delivered as High Scoring spam as per these two
> settings:
>
> Is Definitely Spam = %rules-dir%/spam.blacklist.rules
>
> Spam Blacklist:
> Make this point to a ruleset, and anything in that ruleset whose value is
> "yes" will *always* be marked as spam. This value can be over-ridden by the
> "Is Definitely Not Spam" setting. This can also be the filename of a
> ruleset.
>
> Definite Spam Is High Scoring = yes
> Setting this to yes means that spam found in the blacklist is treated as
> "High Scoring Spam" in the "Spam Actions" section below. Setting it to no
> means that it will be treated as "normal" spam. This can also be the
> filename of a ruleset.
>
> I have a customer who has set High Scoring Spam to be delivered to their
> spam account as they don't want High Scoring spam to be deleted but also
> doesn't want to receive any blacklisted tld's.
>
> Is there a way to block blacklisted emails without marking them as High
> Scoring spam and delivering them?
>
> Thanks
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gmarr at jen.bz Tue Dec 24 18:42:51 2019
From: gmarr at jen.bz (gmarr at jen.bz)
Date: Tue, 24 Dec 2019 13:42:51 -0500
Subject: clamdscan
Message-ID: <663d6e095667e4607ab76d72913d95e0.squirrel@mail.jen.bz>

I'm still struggling with the clamd lstat error! When I use the --fdpass option with clamdscan I can scan any directories. So I renamed clamdscan to clamdscan-cmd and made the batch clamdscan below;

#!/bin/bash
/usr/bin/clamdscan-cmd --fdpass "$@"

Works great from the command line.

# clamdscan-cmd /var/spool/MailScanner/incoming/
/var/spool/MailScanner/incoming: lstat() failed: Permission denied. ERROR

# clamdscan /var/spool/MailScanner/incoming/
/var/spool/MailScanner/incoming/64550/1.message: Eicar-Test-Signature FOUND

But when I lint somehow MS does not use the batch file?!

MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd, avast
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/79165
Virus Scanning: Clamd found 1 infections
Virus Scanning: Found 1 viruses

Can I make a wrapper so that the clamdscan command always has the --fdpass option? I can not understand how MS calls clamdscan-cmd instead of the batch I made.

From mark at msapiro.net Tue Dec 24 20:41:48 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 24 Dec 2019 12:41:48 -0800
Subject: clamdscan
In-Reply-To: <663d6e095667e4607ab76d72913d95e0.squirrel@mail.jen.bz>
References: <663d6e095667e4607ab76d72913d95e0.squirrel@mail.jen.bz>
Message-ID: <34c1a407-c0ba-0c7d-f104-5ca128d8bdb4@msapiro.net>

On 12/24/19 10:42 AM, gmarr at jen.bz wrote:
>
> But when I lint somehow MS does not use the batch file?!

That's because it talks directly to clamd via the socket and doesn't use clamdscan at all.

You need to set everything up so it can work. In I said

> I use
>
> Incoming Work User = postfix
> Incoming Work Group = clamav
> chmod 2770 /var/spool/MailScanner/
> chown postfix:clamav /var/spool/MailScanner/

Actually that was a mistake. It should have said

chmod 2770 /var/spool/MailScanner/incoming
chown postfix:clamav /var/spool/MailScanner/incoming

if in fact you did the original chmod and chown above, you should reverse that with

chmod 755 /var/spool/MailScanner/
chown postfix:postfix /var/spool/MailScanner/

in addition, I also have the default

Incoming Work Permissions = 0660

and in /etc/clamav/clamd.conf I have

User clamav

which I think is default.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
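
The ownership and mode layout from the message above, turned into a check that explains a clamd "lstat() failed: Permission denied" result. This is an added example, not part of the original post and not MailScanner or ClamAV code; the function names and the numeric uids/gids in the sample layouts are assumptions made for illustration.

```python
"""Can the clamd account reach MailScanner's incoming work directory?"""
import grp
import os
import pwd
import stat
import sys


def class_bits(mode, owner, group, uid, gids):
    """rwx bits (r=4, w=2, x=1) the kernel applies to uid/gids for one inode."""
    if uid == 0:
        return 7  # root is not subject to these checks
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def audit(chain, uid, gids, work_gid):
    """chain: [(path, mode, owner_uid, group_gid), ...], root first, work dir last."""
    findings = []
    for path, mode, owner, group in chain[:-1]:
        if not (class_bits(mode, owner, group, uid, gids) & 1):
            findings.append(f"{path}: scanner cannot traverse (mode {mode:04o})")
    path, mode, owner, group = chain[-1]
    if (class_bits(mode, owner, group, uid, gids) & 5) != 5:
        findings.append(f"{path}: scanner lacks r-x (mode {mode:04o})")
    if group != work_gid:
        findings.append(f"{path}: group is not the Incoming Work Group")
    if not (mode & stat.S_ISGID):
        findings.append(f"{path}: setgid bit missing (expected mode 2770)")
    return findings


def collect(path):
    """Stat path and every ancestor; returns the chain audit() expects."""
    path = os.path.abspath(path)
    chain = []
    while True:
        st = os.stat(path)
        chain.append((path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        parent = os.path.dirname(path)
        if parent == path:
            return chain[::-1]
        path = parent


def ids_for(user):
    """uid and every gid (primary and supplementary) of a local account."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


# Constructed sample layouts; the ids are made up (postfix=105, clamav=110).
POSTFIX, CLAMAV = 105, 110
BASE = [("/", 0o755, 0, 0), ("/var", 0o755, 0, 0), ("/var/spool", 0o755, 0, 0),
        ("/var/spool/MailScanner", 0o755, POSTFIX, POSTFIX)]
AS_IN_THREAD = BASE + [("/var/spool/MailScanner/incoming", 0o2770, POSTFIX, CLAMAV)]
BROKEN = BASE + [("/var/spool/MailScanner/incoming", 0o750, POSTFIX, POSTFIX)]

if __name__ == "__main__":
    work_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/MailScanner/incoming"
    scan_uid, scan_gids = ids_for("clamav")         # clamd.conf: User clamav
    work_group = grp.getgrnam("clamav").gr_gid      # Incoming Work Group = clamav
    for line in audit(collect(work_dir), scan_uid, scan_gids, work_group) or ["ok"]:
        print(line)
```

Run as root on the MailScanner host, it walks the real directory chain; the two constructed layouts show what a clean and a failing result look like without touching the filesystem.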