From Nicola.Piazzi at gruppocomet.it Wed Jan 2 09:29:43 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Wed, 2 Jan 2019 09:29:43 +0000
Subject: R: Doesnt more detect sophos
In-Reply-To: <65692dc7-3d9e-cfc8-d0d1-e59852666f44@msapiro.net>
References: <65692dc7-3d9e-cfc8-d0d1-e59852666f44@msapiro.net>
Message-ID:

Doing a MailScanner --lint you can see that it tells that Sophos found the virus as Clam does, but in "Virus Scanner test reports" it reports Clam only.
Note that Clam reports a relative and correct path and Sophos reports an incorrect one (pool instead of spool, and neicar.com instead of eicar.com).

MailScanner.conf says "Virus Scanners = clamd sophos"

Found these virus scanners installed: clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
>>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/7314/1/neicar.com
Virus Scanning: Sophos found 1 infections
Infected message 1 came from 10.1.1.1
Infected message var came from
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.comet.it

-----Original message-----
From: MailScanner On behalf of Mark Sapiro
Sent: Monday 31 December 2018 20:50
To: mailscanner at lists.mailscanner.info
Subject: Re: Doesnt more detect sophos
Priority: Low

On 12/31/18 8:15 AM, Nicola Piazzi wrote:
>
> Here maillog of a non working message :
>
> 2018-12-17T16:21:48.334526+01:00 EFA42 MailScanner[2649]: >>> Virus 'Mal/DrodAce-A' found in file /var/pool/MailScanner/incoming/2649/DB73A106051.A5516/nPO-18191111060.ace
> 2018-12-17T16:21:48.334859+01:00 EFA42 MailScanner[2649]: Virus Scanning: Sophos found 1 infections
> 2018-12-17T16:21:48.335071+01:00 EFA42 MailScanner[2649]: Infected message var came from
> 2018-12-17T16:21:48.335207+01:00 EFA42 MailScanner[2649]: Virus Scanning: Found 1 viruses
>
> NOTE Infected message 'var' instead of the real file name !!!

Is there some issue besides this particular message? It appears that MailScanner is detecting the virus. Perhaps the Sophos report has changed in some way in the latest version.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From iversons at rushville.k12.in.us Wed Jan 2 23:23:26 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 2 Jan 2019 18:23:26 -0500
Subject: Doesnt more detect sophos
In-Reply-To:
References:
Message-ID:

Nicola,

Can you run savscan on an EICAR test file and capture the entire output?
On Mon, Dec 31, 2018 at 11:15 AM Nicola Piazzi wrote:

> Hi,
> I found that MailScanner does not catch Sophos viruses any more, both in an
> existing installation and in a fresh install
>
> Here maillog of a working message :
> 2018-12-03T01:13:17.634913+01:00 EFA42 MailScanner[4191]: >>> Virus 'Mal/DrodAce-A' found in file ./27176108233.AC1B9/201283765ref20181203_xls.ace
> 2018-12-03T01:13:17.635238+01:00 EFA42 MailScanner[4191]: Virus Scanning: Sophos found 1 infections
> 2018-12-03T01:13:17.635417+01:00 EFA42 MailScanner[4191]: Infected message 27176108233.AC1B9 came from 82.193.37.22
> 2018-12-03T01:13:17.635543+01:00 EFA42 MailScanner[4191]: Virus Scanning: Found 1 viruses
>
> Here maillog of a non working message :
> 2018-12-17T16:21:48.334526+01:00 EFA42 MailScanner[2649]: >>> Virus 'Mal/DrodAce-A' found in file /var/pool/MailScanner/incoming/2649/DB73A106051.A5516/nPO-18191111060.ace
> 2018-12-17T16:21:48.334859+01:00 EFA42 MailScanner[2649]: Virus Scanning: Sophos found 1 infections
> 2018-12-17T16:21:48.335071+01:00 EFA42 MailScanner[2649]: Infected message var came from
> 2018-12-17T16:21:48.335207+01:00 EFA42 MailScanner[2649]: Virus Scanning: Found 1 viruses
>
> NOTE Infected message 'var' instead of the real file name !!!
>
> This is the newest installed version
> [root at EFA41 sbin]# sweep --version
>
> SAVScan virus detection utility
> Copyright (c) 1989-2018 Sophos Limited. All rights reserved.
> System time 05:01:58 PM, System date 31 December 2018
> Product version : 5.53.0
> Engine version : 3.74.2
> Virus data version : 5.58
> User interface version : 2.03.074
> Platform : Linux/AMD64
> Released : 11 December 2018
> Total viruses (with IDEs) : 28304428

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From Nicola.Piazzi at gruppocomet.it Thu Jan 3 07:28:22 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Thu, 3 Jan 2019 07:28:22 +0000
Subject: R: Doesnt more detect sophos
In-Reply-To:
References:
Message-ID: <2f84b454667f4bb8aa1e89829eb1b644@gruppocomet.it>

Here is the output, it seems correct:

[root at EFA42 ~]# savscan /eictestfile
SAVScan virus detection utility
Version 5.53.0 [Linux/AMD64]
Virus data version 5.58, December 2018
Includes detection for 28304520 viruses, Trojans and worms
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.
System time 08:27:29 AM, System date 03 January 2019 IDE directory is: /opt/sophos-av/lib/sav Using IDE file emot-ajp.ide Using IDE file inje-dqo.ide Using IDE file rtfdl-dt.ide Using IDE file steal-et.ide Using IDE file trikb-bq.ide Using IDE file pdfdw-jm.ide Using IDE file encdo-et.ide Using IDE file docd-qmw.ide Using IDE file inje-dqx.ide Using IDE file emot-ake.ide Using IDE file emot-akh.ide Using IDE file fare-gds.ide Using IDE file trick-kr.ide Using IDE file zbot-msx.ide Using IDE file bank-gxl.ide Using IDE file bckdo-ak.ide Using IDE file phis-edi.ide Using IDE file xtbl-bb.ide Using IDE file pdfu-gnt.ide Using IDE file rans-fcq.ide Using IDE file drop-ahu.ide Using IDE file age-baef.ide Using IDE file blada-lb.ide Using IDE file betab-bs.ide Using IDE file fare-gea.ide Using IDE file phis-edn.ide Using IDE file nanoc-bi.ide Using IDE file zbot-mte.ide Using IDE file emot-ako.ide Using IDE file trick-kv.ide Using IDE file emot-akt.ide Using IDE file emot-aku.ide Using IDE file vools-e.ide Using IDE file miner-qa.ide Using IDE file pdfu-gol.ide Using IDE file fare-gem.ide Using IDE file fare-geq.ide Using IDE file pdfu-goq.ide Using IDE file fare-ges.ide Using IDE file fare-gex.ide Using IDE file zbot-mtw.ide Using IDE file gootki-n.ide Using IDE file emot-alq.ide Using IDE file zbot-mub.ide Using IDE file gootki-o.ide Using IDE file drid-aak.ide Using IDE file encdo-fz.ide Using IDE file formb-gj.ide Using IDE file age-bafb.ide Using IDE file zbot-muc.ide Using IDE file emot-alr.ide Using IDE file age-bafd.ide Using IDE file htmld-kj.ide Using IDE file nanocr-f.ide Using IDE file xtbl-bf.ide Using IDE file emot-amc.ide Using IDE file fare-gfo.ide Using IDE file docd-qsr.ide Using IDE file fare-geg.ide Using IDE file zbot-muv.ide Using IDE file rans-fcy.ide Using IDE file fare-gei.ide Using IDE file bdoo-bhh.ide Using IDE file emot-ams.ide Using IDE file nymai-iq.ide Using IDE file batdl-af.ide Using IDE file emot-amy.ide Using IDE file keylo-vo.ide 
Using IDE file loit-w.ide Using IDE file emot-alh.ide Using IDE file emot-anj.ide Using IDE file emot-anm.ide Using IDE file gootki-y.ide Using IDE file emot-anr.ide Using IDE file docd-qve.ide Using IDE file phis-efr.ide Using IDE file msil-lyd.ide Using IDE file msil-lye.ide Using IDE file msil-lyf.ide Using IDE file emot-ans.ide Using IDE file steal-ff.ide Using IDE file lnkrun-x.ide Using IDE file retefe-n.ide Using IDE file age-bagh.ide Using IDE file steal-fi.ide Using IDE file rtfdl-fh.ide Using IDE file fare-ggz.ide Using IDE file msil-lyi.ide Using IDE file emot-aop.ide Using IDE file lnk-bc.ide Using IDE file emot-aox.ide Using IDE file remco-fd.ide Using IDE file emot-apc.ide Using IDE file remco-fe.ide Using IDE file pubdl-o.ide Using IDE file delf-had.ide Using IDE file trick-lo.ide Using IDE file fare-ghu.ide Using IDE file recam-cz.ide Using IDE file inje-dsf.ide Using IDE file zbot-mvp.ide Using IDE file rans-fdh.ide Using IDE file emot-ann.ide Using IDE file emot-anq.ide Using IDE file trick-ls.ide Using IDE file formb-go.ide Using IDE file phis-egq.ide Using IDE file cryakl-q.ide Using IDE file docd-qzt.ide Using IDE file hawke-ss.ide Using IDE file rtfdl-gb.ide Using IDE file bokbot-b.ide Using IDE file fare-gip.ide Using IDE file lokib-bn.ide Using IDE file stolpe-c.ide Using IDE file zbot-mwb.ide Using IDE file inje-dsj.ide Using IDE file age-baig.ide Using IDE file encdo-hc.ide Using IDE file age-baij.ide Using IDE file fare-gjf.ide Using IDE file emot-ara.ide Using IDE file zbot-mwj.ide Using IDE file fare-gji.ide Using IDE file pdfu-grf.ide Using IDE file emot-ari.ide Using IDE file dwnl-wzk.ide Using IDE file docd-rdi.ide Using IDE file emot-arn.ide Using IDE file fare-gjm.ide Using IDE file htmld-kt.ide Using IDE file inje-dsp.ide Using IDE file emot-aro.ide Using IDE file msil-lyt.ide Using IDE file zbot-mwk.ide Using IDE file fuerbo-w.ide Using IDE file msil-lyu.ide Using IDE file inje-dsr.ide Using IDE file trick-lv.ide Using IDE file 
delf-gzt.ide Using IDE file zbot-mwn.ide Using IDE file inje-dsv.ide Using IDE file nanoc-bs.ide Using IDE file fare-gjx.ide Using IDE file zbot-mwx.ide Using IDE file fare-gkc.ide Using IDE file emot-aqj.ide Using IDE file phis-ehp.ide Using IDE file msil-lzb.ide Using IDE file rans-fdq.ide Using IDE file cryakl-u.ide Using IDE file steal-fy.ide Using IDE file phis-eia.ide Using IDE file pdfu-gsb.ide Using IDE file emot-asr.ide Using IDE file spy-auk.ide Using IDE file steal-fv.ide Using IDE file fare-gkk.ide Using IDE file age-bair.ide Using IDE file phis-eid.ide Using IDE file pdfu-gsf.ide Using IDE file cryakl-w.ide Using IDE file zbot-mxb.ide Using IDE file inje-dsu.ide Using IDE file phis-eig.ide Using IDE file zegos-kn.ide Using IDE file phis-eih.ide Using IDE file fare-gjn.ide Using IDE file rans-fds.ide Using IDE file icedid-c.ide Using IDE file zbot-mxg.ide Using IDE file age-bake.ide Using IDE file spy-aul.ide Using IDE file dharma-c.ide Using IDE file trick-md.ide Using IDE file encdo-hn.ide Using IDE file fare-gkp.ide Using IDE file fare-gkq.ide Using IDE file msil-lzh.ide Using IDE file trick-mj.ide Using IDE file docd-rgz.ide Using IDE file rans-fdx.ide Using IDE file drid-aap.ide Using IDE file rans-fdy.ide Using IDE file blada-lx.ide Using IDE file rans-fdz.ide Using IDE file steal-ga.ide Using IDE file nukesp-a.ide Using IDE file xtbl-bo.ide Using IDE file docph-cj.ide Using IDE file darkc-ib.ide Using IDE file fare-gkj.ide Using IDE file auto-chk.ide Using IDE file fare-gkt.ide Using IDE file trick-ml.ide Using IDE file pdfu-gsh.ide Using IDE file miner-qo.ide Using IDE file docd-rhg.ide Using IDE file trick-mm.ide Using IDE file emot-asw.ide Using IDE file trick-mo.ide Using IDE file phis-eir.ide Using IDE file trick-mp.ide Using IDE file rans-feb.ide Using IDE file trikb-cc.ide

Quick Scanning

>>> Virus 'EICAR-AV-Test' found in file /eictestfile

1 file scanned in 7 seconds.
1 virus was discovered.
1 file out of 1 was infected.
If you need further advice regarding any detections please visit our Threat Center at:
http://www.sophos.com/en-us/threat-center.aspx

End of Scan.

Nicola Piazzi
CED - Sistemi
COMET s.p.a.

From: MailScanner On behalf of Shawn Iverson via MailScanner
Sent: Thursday 3 January 2019 00:23
To: MailScanner Discussion
Cc: Shawn Iverson
Subject: Re: Doesnt more detect sophos
Priority: Low

Nicola,

Can you run savscan on an EICAR test file and capture the entire output?

-- 
Shawn Iverson, CETL
From Nicola.Piazzi at gruppocomet.it Thu Jan 3 08:32:44 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Thu, 3 Jan 2019 08:32:44 +0000
Subject: Also avg doesnt detect virus
Message-ID: <1d31fd04604e406fbb2a7b692ec54187@gruppocomet.it>

Also AVG doesn't detect the virus, and in both cases (AVG and Sophos) we have "n"eicar.com in the --lint output.

MailScanner.conf says "Virus Scanners = avg sophos"

Found these virus scanners installed: avg, clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Avg: Virus identified EICAR_Test in neicar.com
Virus Scanning: Avg found 1 infections
>>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/7723/1/neicar.com
Virus Scanning: Sophos found 1 infections
Infected message var came from
Virus Scanning: Found 2 viruses
===========================================================================

From Nicola.Piazzi at gruppocomet.it Thu Jan 3 16:52:49 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Thu, 3 Jan 2019 16:52:49 +0000
Subject: V5 have less AV wrapper than v4
Message-ID:

I noticed that v5 has fewer antivirus wrappers than v4.
Is there a reason for this?

Thx, happy 2019

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
From iversons at rushville.k12.in.us Thu Jan 3 17:36:15 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Thu, 3 Jan 2019 12:36:15 -0500
Subject: V5 have less AV wrapper than v4
In-Reply-To:
References:
Message-ID:

Nicola,

Yes, many of the wrappers, just as you have found out with Sophos, have stopped working and were removed. I am slowly adding them back as folks help me with gathering outputs from current versions of scanners.

On Thu, Jan 3, 2019 at 11:53 AM Nicola Piazzi wrote:

> I noticed that v5 has fewer antivirus wrappers than v4.
> Is there a reason for this?
>
> Thx, happy 2019
>
> Nicola Piazzi
> CED - Sistemi
> COMET s.p.a.

-- 
Shawn Iverson, CETL

From iversons at rushville.k12.in.us Thu Jan 3 17:40:37 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Thu, 3 Jan 2019 12:40:37 -0500
Subject: Also avg doesnt detect virus
In-Reply-To: <1d31fd04604e406fbb2a7b692ec54187@gruppocomet.it>
References: <1d31fd04604e406fbb2a7b692ec54187@gruppocomet.it>
Message-ID:

The n is normal and is part of the parsing operation.

On Thu, Jan 3, 2019 at 3:32 AM Nicola Piazzi wrote:

> Also AVG doesn't detect the virus, and in both cases (AVG and Sophos) we have "n"eicar.com in the --lint output.
>
> MailScanner.conf says "Virus Scanners = avg sophos"
>
> Found these virus scanners installed: avg, clamavmodule, sophos, clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Avg: Virus identified EICAR_Test in neicar.com
> Virus Scanning: Avg found 1 infections
> >>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/7723/1/neicar.com
> Virus Scanning: Sophos found 1 infections
> Infected message var came from
> Virus Scanning: Found 2 viruses
> ===========================================================================

-- 
Shawn Iverson, CETL
From Nicola.Piazzi at gruppocomet.it Fri Jan 4 15:15:48 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Fri, 4 Jan 2019 15:15:48 +0000
Subject: About ESETS antivirus
Message-ID: <51506eff482f4bbe998eb702284ac788@gruppocomet.it>

I had a look at all the antiviruses in the current wrapper list and found that we have only these 3 working well:

CLAMD
It is free, integrated, and has no resource consumption because it uses preloaded libraries from the daemon.

SOPHOS
It is also free, but now has a problem in detecting with MailScanner as described in a previous post.
It also has another problem that we need to accept: it has no daemon, so each scan costs 7 secs of CPU.

ESETS
It is a commercial product but is very cheap and works well; each scan costs 4 secs of CPU with esets_scan.
There is also esets_cli, which uses the daemon and is as fast as clamd, but the wrapper is written to use esets_scan and the output is different, so MailScanner needs to support it.

If we want a very fast system that can handle tons of emails we can use clamd and esets, removing Sophos, but we need to have esets_cli support in MailScanner.

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
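The following Python is an added example for this thread, not MailScanner's own wrapper code and not something posted here. It parses the two report formats under discussion: the Sophos savscan line ">>> Virus 'NAME' found in file PATH", which the logs earlier in the thread show either with a path relative to the batch directory ("./MSGID/file") or with an absolute path under the incoming work directory, and the esets_cli line 'PATH: virus="NAME"' shown in the next message. The incoming-directory constant, the helper names and the sample report are assumptions constructed for the example; the absolute paths in the sample are written with the correct /var/spool form. A deliberately naive split is included to show how an absolute path yields "var" as the message id, which matches the log symptom but is only a hypothesis about what the real wrapper does.

```python
"""Parse Sophos savscan and ESET esets_cli report lines (added example, not MailScanner code)."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Assumed for the example; MailScanner's real value comes from "Incoming Work Dir" in MailScanner.conf.
INCOMING = "/var/spool/MailScanner/incoming"

# Sophos:    >>> Virus 'Mal/DrodAce-A' found in file ./27176108233.AC1B9/file.ace
SOPHOS_RE = re.compile(r"^>>> Virus '(?P<name>[^']+)' found in file (?P<path>.+)$")
# esets_cli: /path/to/file: virus="Eicar test file"   (the action="..." line is ignored)
ESETS_RE = re.compile(r'^(?P<path>.+?): virus="(?P<name>[^"]*)"$')


def naive_message_id(path: str) -> str:
    """Hypothetical naive extraction: the path component after the first '/'.

    Works for './MSGID/file' but returns 'var' for '/var/spool/...', which is the
    symptom in the thread's logs.  Whether the real wrapper does exactly this is
    not established here; it only illustrates the failure mode.
    """
    return path.split("/")[1]


def split_report_path(path: str, incoming: str = INCOMING) -> Tuple[str, str]:
    """Return (message_id, file) for a scanner-reported path, relative or absolute.

    Absolute paths are made relative to the incoming directory and the
    per-process directory (<pid>/) is dropped, so the message id is the
    first remaining component.
    """
    if os.path.isabs(path):
        rel = os.path.relpath(path, incoming)
        if rel.startswith(".."):
            raise ValueError(f"reported path is outside {incoming}: {path}")
        parts = rel.split("/")
        if len(parts) < 3:                          # need <pid>/<msgid>/<file>
            raise ValueError(f"unexpected absolute report path: {path}")
        parts = parts[1:]
    else:
        parts = os.path.normpath(path).split("/")   # './MSGID/file' -> ['MSGID', 'file']
        if len(parts) < 2:
            raise ValueError(f"unexpected relative report path: {path}")
    return parts[0], "/".join(parts[1:])


def parse_report_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (message_id, file, threat_name) for an infection line, else None."""
    line = line.rstrip("\r\n")
    m = SOPHOS_RE.match(line) or ESETS_RE.match(line)
    if m is None:
        return None   # banners, 'Using IDE file ...', summaries, action="..." lines
    msgid, filename = split_report_path(m.group("path"))
    return msgid, filename, m.group("name")


def infections_by_message(report: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group every parsed infection as message_id -> [(file, threat), ...]."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    for line in report.splitlines():
        parsed = parse_report_line(line)
        if parsed is not None:
            msgid, filename, threat = parsed
            found.setdefault(msgid, []).append((filename, threat))
    return found


# Constructed sample report: the Sophos lines follow the thread's logs (absolute
# path written with the correct /var/spool); the esets_cli lines are made up so
# that the file sits under the incoming directory.
SAMPLE_REPORT = """\
SAVScan virus detection utility
Using IDE file emot-ajp.ide
>>> Virus 'Mal/DrodAce-A' found in file ./27176108233.AC1B9/201283765ref20181203_xls.ace
>>> Virus 'Mal/DrodAce-A' found in file /var/spool/MailScanner/incoming/2649/DB73A106051.A5516/nPO-18191111060.ace
/var/spool/MailScanner/incoming/7723/1/eicar.com: action="rejected"
/var/spool/MailScanner/incoming/7723/1/eicar.com: virus="Eicar test file"
1 virus was discovered.
"""

if __name__ == "__main__":
    for msgid, hits in infections_by_message(SAMPLE_REPORT).items():
        for filename, threat in hits:
            print(f"message {msgid}: {threat} in {filename}")
```

Rejecting any absolute path that does not sit under the incoming directory is the check worth keeping in a real wrapper: a scanner report line is attacker-influenced text (the file name comes from the message), so the parser should never accept a path that walks outside the work area as a message id.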
From Nicola.Piazzi at gruppocomet.it Tue Jan 8 07:46:28 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 8 Jan 2019 07:46:28 +0000
Subject: actual Esets wrapper use expensive routine
Message-ID: <055e370480c24426b2f61c3161fb6623@gruppocomet.it>

Hi
The Esets wrapper uses the esets_scan program, which loads its libraries each time; this software is included in the ESET File Security for Linux package. This is the output that it is able to parse:

[root at EFA42 /]# time /opt/eset/esets/sbin/esets_scan /eicar.txt
ESET Command-line scanner, version 4.5.13, (C) 1992-2018 ESET, spol. s r.o.
Using license: COMET - lfs (/etc/opt/eset/esets/license/esets_26911c.lic)
Module loader, version 1072 (20180813), build 1118
Module perseus, version 1546 (20181127), build 1996
Module scanner, version 18652 (20190104), build 39938
Module archiver, version 1281 (20181213), build 1365
Module advheur, version 1191 (20181106), build 1171
Module cleaner, version 1172 (20181113), build 1247
Command line: /eicar.txt
Scan started at: Tue 08 Jan 2019 08:40:25 AM CET
name="/eicar.txt", threat="Eicar test file", action="cleaned by deleting", info=""
Scan completed at: Tue 08 Jan 2019 08:40:25 AM CET
Scan time: 0 sec (0:00:00)
Total: files - 1, objects 1
Infected: files - 0, objects 0
Cleaned: files - 1, objects 1

real 0m4.184s
user 0m4.040s
sys 0m0.132s

As you can see it uses more than 4 seconds of CPU for each scan.
Esets has the same package licensed as Mail Security (about the same price), and it uses esets_cli, which calls the preloaded daemon and takes very few resources:

[root at EFA42 /]# time /opt/eset/esets/bin/esets_cli /eicar.txt
/eicar.txt: action="rejected"
/eicar.txt: virus="Eicar test file"

real 0m0.011s
user 0m0.000s
sys 0m0.001s

Is it possible to write a wrapper and all the interface for this?
Using esets_cli in conjunction with clamd we can have a powerful double-scan feature with very low CPU consumption.

Nicola Piazzi
CED - Sistemi
COMET s.p.a.

From moriskod at yahoo.com Tue Jan 8 16:17:05 2019
From: moriskod at yahoo.com (Moris Kod)
Date: Tue, 8 Jan 2019 16:17:05 +0000 (UTC)
Subject: Quarantine file release
In-Reply-To:
References: <1d31fd04604e406fbb2a7b692ec54187@gruppocomet.it>
Message-ID: <2090046031.8087186.1546964225162@mail.yahoo.com>

Apologies if this is covered in the current manual.. is there a web based quarantine release system out there somewhere that anyone is using with MailScanner? I use Clam and SaneSecurity 3rd party defs, but .doc files come in every day that are fresh off the malware coders' machines.. so I quarantine all .doc, .docx etc..

From iversons at rushville.k12.in.us Tue Jan 8 17:05:32 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 8 Jan 2019 12:05:32 -0500
Subject: Quarantine file release
In-Reply-To: <2090046031.8087186.1546964225162@mail.yahoo.com>
References: <1d31fd04604e406fbb2a7b692ec54187@gruppocomet.it> <2090046031.8087186.1546964225162@mail.yahoo.com>
Message-ID:

Take a look at MailWatch :)

On Tue, Jan 8, 2019, 11:17 AM Moris Kod via MailScanner <mailscanner at lists.mailscanner.info> wrote:

> Apologies if this is covered in the current manual.. is there a web based
> quarantine release system out there somewhere that
> anyone is using with MailScanner?
> I use Clam and SaneSecurity 3rd party
> defs but .doc files come in every day that are fresh off the malware coders'
> machines.. so I quarantine all .doc .docx etc..

From bryan at shout.net Wed Jan 9 00:35:48 2019
From: bryan at shout.net (Bryan Holloway)
Date: Tue, 8 Jan 2019 18:35:48 -0600
Subject: MailScanner DNS broken?
Message-ID: <2116c94c-bd68-0153-e7df-6f009b7c40d9@shout.net>

This may be a little off-topic, but it appears that the authoritatives for mailscanner.info aren't resolving "www." correctly.

"mailscanner.info" works just fine, but it redirects to www, which breaks the web-page.

--

% dig @ns1.digitalocean.com www.mailscanner.info A +short
cax.mailborder.com.
%

% dig @ns1.digitalocean.com cax.mailscanner.info A +short
%

Google has a cached entry, which is sort of handy ...

% dig @8.8.8.8 www.mailscanner.info A +short
cax.mailborder.com.
52.1.4.70

This is true of ns1, ns2, and ns3.

- bryan

From mark at msapiro.net Wed Jan 9 00:51:57 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 8 Jan 2019 16:51:57 -0800
Subject: MailScanner DNS broken?
In-Reply-To: <2116c94c-bd68-0153-e7df-6f009b7c40d9@shout.net>
References: <2116c94c-bd68-0153-e7df-6f009b7c40d9@shout.net>
Message-ID: <49a48eea-d597-b763-1616-aca4bff82250@msapiro.net>

On 1/8/19 4:35 PM, Bryan Holloway wrote:
> This may be a little off-topic, but it appears that the authoritatives
> for mailscanner.info aren't resolving "www." correctly.
>
> "mailscanner.info" works just fine, but it redirects to www, which
> breaks the web-page.
>
> --
>
> % dig @ns1.digitalocean.com www.mailscanner.info A +short
> cax.mailborder.com.
> %
>
> % dig @ns1.digitalocean.com cax.mailscanner.info A +short
> %

But, the CNAME is cax.mailborder.com, not cax.mailscanner.info and the authoritative DNS for mailborder.com are

Name Server: NS-1069.AWSDNS-05.ORG
Name Server: NS-1714.AWSDNS-22.CO.UK
Name Server: NS-355.AWSDNS-44.COM
Name Server: NS-996.AWSDNS-60.NET

So everything should be OK.

-- 
Mark Sapiro

From bryan at shout.net Wed Jan 9 00:55:05 2019
From: bryan at shout.net (Bryan Holloway)
Date: Tue, 8 Jan 2019 18:55:05 -0600
Subject: MailScanner DNS broken?
In-Reply-To: <49a48eea-d597-b763-1616-aca4bff82250@msapiro.net>
References: <2116c94c-bd68-0153-e7df-6f009b7c40d9@shout.net> <49a48eea-d597-b763-1616-aca4bff82250@msapiro.net>
Message-ID: <13d5742d-2c47-ff89-e22f-fffc6fff49a8@shout.net>

On 1/8/19 6:51 PM, Mark Sapiro wrote:
> But, the CNAME is cax.mailborder.com, not cax.mailscanner.info and the
> authoritative DNS for mailborder.com are
>
> Name Server: NS-1069.AWSDNS-05.ORG
> Name Server: NS-1714.AWSDNS-22.CO.UK
> Name Server: NS-355.AWSDNS-44.COM
> Name Server: NS-996.AWSDNS-60.NET
>
> So everything should be OK.

You're absolutely right -- my bad.

But I will say that the web-page stopped working for about an hour which led me down this (poorly executed) rabbit-hole. And now it's working again. Weird.

Sorry for the noise ...
From moriskod at yahoo.com Thu Jan 10 15:19:52 2019
From: moriskod at yahoo.com (Moris Kod)
Date: Thu, 10 Jan 2019 15:19:52 +0000 (UTC)
Subject: Quarantine file release
In-Reply-To:
References: <1d31fd04604e406fbb2a7b692ec54187@gruppocomet.it> <2090046031.8087186.1546964225162@mail.yahoo.com>
Message-ID: <930401597.9413608.1547133592808@mail.yahoo.com>

OH yeah, MailWatch. :) Thanks, I'll get right on that, it probably won't take too long to set up on my box. I'll do a full backup first though. :)

On Tuesday, January 8, 2019, 11:05:47 AM CST, Shawn Iverson wrote:

> Take a look at MailWatch :)

From datasoftindia at gmail.com Sat Jan 12 14:41:45 2019
From: datasoftindia at gmail.com (Datasoft-India)
Date: Sat, 12 Jan 2019 20:11:45 +0530
Subject: Warning message in mail
Message-ID:

Hello all,
I want to add a line at the top of each incoming mail from external domains as follows:
"This email originated outside the organization. Do not click any links or attachments unless you know the sender"
How is that possible?

-- 
Regards
DP
From mark at msapiro.net Sat Jan 12 19:22:41 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 12 Jan 2019 11:22:41 -0800
Subject: Warning message in mail
In-Reply-To:
References:
Message-ID:

On 1/12/19 6:41 AM, Datasoft-India wrote:
> Hello all,
> I want to add a line at the top of each incoming mail from external
> domains as follows
> "This email originated outside the organization. Do not click any links
> or attachments unless you know the sender"
> How is that possible.

Assuming you mean you want to add the line in the body of the email, MailScanner doesn't do that and it is very difficult to do.

Consider that an email message body can be simple text/plain, simple text/html, or various kinds of multipart including multipart/alternative with both text/plain and text/html and possibly other alternative parts. In these latter cases, it is impossible to know which text/* part is going to be displayed to the user because it depends on the user's MUA and preferences. Thus you have to add the warning to every text/* part in the message.

Adding the warning to a text/plain part is straightforward and in the simple text/plain email case would work, but in the multipart/alternative case, that's insufficient because it is more often the text/html part the user sees.

Adding text to text/html parts is not at all straightforward. In order to know what to add and where, you have to know how the particular user's MUA will render the HTML which will vary depending on the MUA.

The best you can do I think is to add your warning text to the Subject: You might be able to do that with MailScanner using something like Scanned Modify Subject and Scanned Subject Text in conjunction with a ruleset to only apply the modification to external mail.

-- 
Mark Sapiro
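The following Python is an added illustration of the multipart problem described in the reply above; it is not MailScanner code and was not posted by anyone in this thread. Using only the standard library's email package, it walks a message and prepends the banner to every inline text/plain and text/html part, which is the per-part treatment the reply says is required. The HTML insertion is a plain string insert right after the opening <body> tag (or at the very top when there is none); how a given mail client renders that is the open question the reply raises, and this example does not resolve it. The banner wording is the one from the question; the sample message, the attachment bytes and all function names are constructed for the example.

```python
"""Add an external-sender banner to every text part of a message (added example, not MailScanner code)."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Banner wording taken from the question in this thread.
BANNER_TEXT = ("This email originated outside the organization. "
               "Do not click any links or attachments unless you know the sender")
BANNER_HTML = ('<div style="border:1px solid #c00;padding:4px;margin-bottom:8px">'
               + BANNER_TEXT + "</div>")
BODY_TAG_RE = re.compile(r"<body\b[^>]*>", re.IGNORECASE)


def add_banner(msg: EmailMessage) -> int:
    """Prepend the banner to each inline text/plain and text/html part, in place.

    Returns the number of parts changed.  A simple text/plain or text/html
    message is its own single part; a multipart/alternative tree gets the
    banner in every alternative, because the client decides which is shown.
    """
    changed = 0
    for part in msg.walk():
        if part.is_multipart():
            continue                                  # containers have no body of their own
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue                                  # attachments, images, signatures, ...
        if part.get_content_disposition() == "attachment":
            continue                                  # an attached .txt/.html file is not the body
        body = part.get_content()
        if ctype == "text/plain":
            new_body = BANNER_TEXT + "\n\n" + body
        else:
            m = BODY_TAG_RE.search(body)
            cut = m.end() if m else 0                 # after <body ...>, or at the very top
            new_body = body[:cut] + BANNER_HTML + body[cut:]
        part.set_content(new_body, subtype=ctype.split("/")[1], charset="utf-8")
        changed += 1
    return changed


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern (EmailMessage) policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def add_banner_to_raw(raw: bytes) -> bytes:
    """Parse, add the banner to every text part, and serialise again."""
    msg = parse_message(raw)
    add_banner(msg)
    return msg.as_bytes()


def build_sample() -> EmailMessage:
    """Constructed sample (not from the thread): multipart/mixed holding a
    multipart/alternative (text/plain + text/html) and one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.\n")
    msg.add_alternative(
        "<html><body><p>Please see the attached invoice.</p></body></html>",
        subtype="html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg


if __name__ == "__main__":
    out = parse_message(add_banner_to_raw(build_sample().as_bytes()))
    print(out.get_body(preferencelist=("plain",)).get_content())
    print(out.get_body(preferencelist=("html",)).get_content())
```

Note that set_content re-encodes each changed part, so a filter doing this in front of a DKIM-signing hop would break body signatures made upstream; that is one more reason the Subject-based approach in the reply is the lighter-weight option.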
Dylan From Nicola.Piazzi at gruppocomet.it Wed Jan 16 11:15:11 2019 From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi) Date: Wed, 16 Jan 2019 11:15:11 +0000 Subject: Scan only if have attachmnent ? Message-ID: Hi Someone can tell me if virus scanning occurs only if email have attachment ? And if there is a directive to do this -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Wed Jan 16 19:39:06 2019 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 16 Jan 2019 11:39:06 -0800 Subject: Scan only if have attachmnent ? In-Reply-To: References: Message-ID: <8fed053e-7691-0beb-416c-17139a1aa41e@msapiro.net> On 1/16/19 3:15 AM, Nicola Piazzi wrote: > Hi > Someone can tell me if virus scanning occurs only if email have attachment ? Virus scanning includes the entire message in all cases, not just attachments. > And if there is a directive to do this The only control is whether to scan for viruses or not. See -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From pndiku at gmail.com Mon Jan 21 08:29:58 2019 From: pndiku at gmail.com (Peter C. Ndikuwera) Date: Mon, 21 Jan 2019 11:29:58 +0300 Subject: Webmin Module Message-ID: Hi, Is the maintainer of the MailScanner webmin Module on this forum? Wondering if it works with v5. Peter. -------------- next part -------------- An HTML attachment was scrubbed... URL: From nwilson123 at gmail.com Mon Jan 21 09:08:08 2019 From: nwilson123 at gmail.com (Neil) Date: Mon, 21 Jan 2019 11:08:08 +0200 Subject: How MS treats spam-virus with Sanesecurity Message-ID: Hi guys, Apologies in advance, I'm not sure if this is a question for MS, MW or Sansecurity but I've just discovered that despite my Sansecurity sigs picking up that this email was a spam email, it hasn't blocked it or added points to the spam score as per the logs below... 
Jan 18 09:56:35 MailScanner[3219]: Clamd::INFECTED::Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL :: ./CAC9885AC.A3148/ Jan 18 09:56:35 MailScanner[3219]: Found spam-virus Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148 Jan 18 09:56:35 MailScanner[3219]: Clamd::INFECTED:: Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL :: ./CAC9885AC.A3148/msg-3219-52.txt Jan 18 09:56:35 MailScanner[3219]: Found spam-virus Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148 Jan 18 09:57:02 MailScanner[3219]: Requeue: CAC9885AC.A3148 to 700638613 Jan 18 09:57:02 MailScanner[3219]: Logging message CAC9885AC.A3148 to SQL Jan 18 09:57:02 MailScanner[8432]: CAC9885AC.A3148: Logged to MailWatch SQL Looking in Mailwatch I only see the following points 0.15 BITCOIN_DEADLINE 2.00 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net) I've looked through my MS config and can't seem to find any actions for spam-virus, or how to tell either Clamd, or Sane security to add points for this. Should I have a custom spam assassin rule perhaps that adds points for emails marked with my "Spam-Virus Header" perhaps? How do others treat this type of infection please? Any assistance or guidance is appreciated! Thank you. Regards. Neil Wilson. -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter.farrow at togethia.net Mon Jan 21 11:40:31 2019 From: peter.farrow at togethia.net (Peter Farrow) Date: Mon, 21 Jan 2019 11:40:31 +0000 Subject: HTML disarming died, status = 13 Message-ID: <8806a8d8-3c80-fb09-f56e-4220754ea774@togethia.net> Dear All, Having upgraded my ancient MailScanner installation on Centos 5, to running on Ubuntu 18.04 with Sendmail, I have encountered this problem. It seems the HTML Parser times out, which leads MailScanner to strip the HTML part of emails out and send a message saying "MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message." 
Typically this was caused by Winmail.dat files and TNEF attachedments, but I don't scan those to get round that issue. In this case a simple HTML message caused it, and looking through the logs this happens a lot, but only sometimes does Mailscanner "bin the html part" and send the warning. Having done some googling and testing it seems the HTML Parser timesout waiting for Spamassassin or something like that. So I increased the timeout for Spamassin from 75 seconds to 300 seconds just to see if this has an effect, in ConfigDefs.pl under /usr/share/MailScanner... Has anyone else seen this? Pete -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.JPG Type: image/jpeg Size: 25851 bytes Desc: not available URL: From admin at tsys3.com Mon Jan 21 13:08:41 2019 From: admin at tsys3.com (admin) Date: Mon, 21 Jan 2019 08:08:41 -0500 Subject: HTML disarming died, status = 13 In-Reply-To: <8806a8d8-3c80-fb09-f56e-4220754ea774@togethia.net> References: <8806a8d8-3c80-fb09-f56e-4220754ea774@togethia.net> Message-ID: Good Morning, Yes, I have had this issue for some time now.? I could not figure out what was the cause.? I am trying your suggested fix for the problem, as I have been stumped. On 01/21/19 6:40 AM, Peter Farrow wrote: > > Dear All, > > Having upgraded my ancient MailScanner installation on Centos 5, to > running on Ubuntu 18.04 with Sendmail, I have encountered this problem. > > It seems the HTML Parser times out, which leads MailScanner to strip > the HTML part of emails out and send a message saying > > "MailScanner was attacked by a Denial Of Service attack, and has > therefore deleted this part of the message." > > Typically this was caused by Winmail.dat files and TNEF attachedments, > but I don't scan those to get round that issue. 
> > In this case a simple HTML message caused it, and looking through the > logs this happens a lot, but only sometimes does Mailscanner "bin the > html part" and send the warning. > > > Having done some googling and testing it seems the HTML Parser > timesout waiting for Spamassassin or something like that. > > So I increased the timeout for Spamassin from 75 seconds to 300 > seconds just to see if this has an effect, in ConfigDefs.pl under > /usr/share/MailScanner... > > Has anyone else seen this? > > Pete > > > > > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. > > Thanks, Admin T System 3, Inc -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.JPG Type: image/jpeg Size: 25851 bytes Desc: not available URL: From mark at msapiro.net Mon Jan 21 17:17:12 2019 From: mark at msapiro.net (Mark Sapiro) Date: Mon, 21 Jan 2019 09:17:12 -0800 Subject: How MS treats spam-virus with Sanesecurity In-Reply-To: References: Message-ID: <1d6625b8-bfb7-48ce-c460-719685e87bc9@msapiro.net> On 1/21/19 1:08 AM, Neil wrote: > Hi guys, > > Apologies in advance, I'm not sure if this is a question for MS, MW or > Sansecurity but I've just discovered that despite my Sansecurity sigs > picking up that this email was a spam email, it hasn't blocked it or > added points to the spam score as per the logs below... > > Jan 18 09:56:35 MailScanner[3219]:? > Clamd::INFECTED::Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL :: > ./CAC9885AC.A3148/ > Jan 18 09:56:35? 
MailScanner[3219]: Found spam-virus > Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148 > Jan 18 09:56:35 MailScanner[3219]: Clamd::INFECTED:: > Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL :: > ./CAC9885AC.A3148/msg-3219-52.txt > Jan 18 09:56:35 MailScanner[3219]: Found spam-virus > Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148 Clamd has found Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL and MailScanner has identified it as a spam-virus because the name matched one of the configured "Virus Names Which Are Spam" pattern. See . The next step is MailScanner adds the header defined by "Spam-Virus Header" to the message. The default for this is X-%org-name%-MailScanner-SpamVirus-Report: I.e. if org-name is "Example" the header added is X-Example-MailScanner-SpamVirus-Report: See The part you are missing is in SpamAssassin, you need something like header MS_FOUND_SPAMVIRUS exists:X-Example-MailScanner-SpamVirus-Report score MS_FOUND_SPAMVIRUS 3.0 Of course the actual name of the rule and the score are up to you. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From peter.farrow at togethia.net Mon Jan 21 18:11:58 2019 From: peter.farrow at togethia.net (Peter Farrow) Date: Mon, 21 Jan 2019 18:11:58 +0000 Subject: Custom rulesets Message-ID: Dear All, Following the "HTML parser Died" I previously reported, resulting in a "denial of service attack" message replacing the email html content, I have one domain that this is a repeated persistent problem with this error, so much so I don't filter her emails at all. It says in the MailScanner.conf file for the "tags" disarm settings that this can be the name of a ruleset. 
I would like the following settings set to "yes" for a particular recipient domain: Allow IFrame Tags = disarm Allow Script Tags = disarm Allow WebBugs = disarm Allow Object Codebase Tags = disarm Convert Dangerous HTML To Text = yes I would like these settings to be all set to set to yes for a particular recipient domain (eg.example.com) I do apologise if there is somewhere? this is documented that I should have read but I cannot find any detail on how to name and construct such a rule... If someone can be of assistance this would be greatly appreciated. Pete -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.JPG Type: image/jpeg Size: 25851 bytes Desc: not available URL: From mark at msapiro.net Mon Jan 21 18:13:53 2019 From: mark at msapiro.net (Mark Sapiro) Date: Mon, 21 Jan 2019 10:13:53 -0800 Subject: HTML disarming died, status = 13 In-Reply-To: <8806a8d8-3c80-fb09-f56e-4220754ea774@togethia.net> References: <8806a8d8-3c80-fb09-f56e-4220754ea774@togethia.net> Message-ID: <76e8d60a-8e67-803a-f5af-897c364bb987@msapiro.net> On 1/21/19 3:40 AM, Peter Farrow wrote: > > Having done some googling and testing it seems the HTML Parser timesout > waiting for Spamassassin or something like that. I don't think it's a timeout. The code in the DisarmHTMLEntity subroutine in MailScanner/Message.pm, and it is complex, but it forks a child process with a pipe for the child to do the disarming and pipe the result back to the parent. In this case, the parent is trying to read the result from the pipe and gets an exit status = 13 which is a "permission error" We've seen this before. See the threads starting at , , and I'm not sure that we've ever found a definitive cause/solution. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From mark at msapiro.net Mon Jan 21 18:33:17 2019 From: mark at msapiro.net (Mark Sapiro) Date: Mon, 21 Jan 2019 10:33:17 -0800 Subject: Custom rulesets In-Reply-To: References: Message-ID: <8733320c-cab7-b87a-4859-a96633d6ddbd@msapiro.net> On 1/21/19 10:11 AM, Peter Farrow wrote: > > It says in the MailScanner.conf file for the "tags" disarm settings that > this can be the name of a ruleset. > > I would like the following settings set to "yes" for a particular > recipient domain: > > Allow IFrame Tags = disarm > Allow Script Tags = disarm > > Allow WebBugs = disarm > Allow Object Codebase Tags = disarm > > Convert Dangerous HTML To Text = yes > > I would like these settings to be all set to set to yes for a particular > recipient domain (eg.example.com) > > I do apologise if there is somewhere? this is documented that I should > have read but I cannot find any detail on how to name and construct such > a rule... Have you read /etc/MailScanner/rules/README and /etc/MailScanner/rules/EXAMPLES? Maybe your issue is because you need a ruleset for each setting. You probably inly need two actual rulesets, one for the settings for which you want 'disarm' settings and one for the setting you want 'yes'. E.g., /etc/MailScanner/rules/disarm.rules with content To: *@example.com disarm FromOrTo: default no Or if you really meant you want the 'disarm' settings to be 'yes' for the particular domain and 'disarm' for others To: *@example.com yes FromOrTo: default disarm and /etc/MailScanner/rules/yes.rules with content To: *@example.com yes FromOrTo: default no Then in your MailScanner.conf or conf.d/... or wherever you put it Allow IFrame Tags = %rules-dir%/disarm.rules Allow Script Tags = %rules-dir%/disarm.rules Allow WebBugs = %rules-dir%/disarm.rules Allow Object Codebase Tags = %rules-dir%/disarm.rules Convert Dangerous HTML To Text = %rules-dir%/yes.rules -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
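To make the rule lookup in Mark's reply concrete, here is an added example (not MailScanner's own code) that parses rule files in the shape above and resolves one setting for a message. It assumes a simplified subset of the ruleset syntax: From:, To: and FromOrTo: directions, '*' wildcards, 'default' as the catch-all and first match wins; how MailScanner itself reconciles recipients that resolve to different values is not modelled, so the conflict handling is an assumption.

```python
"""Resolve a MailScanner-style ruleset for one message.

Added example, not MailScanner's own code. It models the rule files from
the reply above (disarm.rules / yes.rules). Assumed, simplified semantics:
From:, To: and FromOrTo: directions only, '*' wildcards, addresses compared
case-insensitively, first matching rule wins, 'default' matches everything.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed rule files, in the shape suggested in the reply above.
DISARM_RULES = """\
# disarm dangerous tags for mail to example.com, allow them for everyone else
To:        *@example.com   disarm
FromOrTo:  default         no
"""

YES_RULES = """\
To:        *@example.com   yes
FromOrTo:  default         no
"""


@dataclass
class Rule:
    direction: str   # 'from', 'to' or 'fromorto'
    pattern: str     # e.g. '*@example.com', 'example.com' or 'default'
    value: str       # the setting value this rule yields


def parse_rules(text: str) -> List[Rule]:
    """Parse 'Direction: pattern value' lines; '#' starts a comment."""
    rules: List[Rule] = []
    seen_default = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or not parts[0].endswith(":"):
            raise ValueError(f"line {lineno}: expected 'Direction: pattern value'")
        direction = parts[0][:-1].lower()
        if direction not in ("from", "to", "fromorto"):
            raise ValueError(f"line {lineno}: unsupported direction {parts[0]}")
        if seen_default:
            # first match wins, so anything after the default line can never fire
            raise ValueError(f"line {lineno}: rule after the default line is unreachable")
        pattern = parts[1].lower()
        seen_default = pattern == "default"
        rules.append(Rule(direction, pattern, parts[2]))
    return rules


def matches(pattern: str, address: str) -> bool:
    """Glob-match one address; a bare domain means every user at that domain."""
    if pattern == "default":
        return True
    if "@" not in pattern:
        pattern = "*@" + pattern
    return fnmatchcase(address.lower(), pattern)


def lookup(rules: List[Rule], sender: str, recipient: str) -> Optional[str]:
    """Value of the first rule matching this sender/recipient pair, else None."""
    for r in rules:
        hit_from = r.direction in ("from", "fromorto") and matches(r.pattern, sender)
        hit_to = r.direction in ("to", "fromorto") and matches(r.pattern, recipient)
        if hit_from or hit_to:
            return r.value
    return None


def resolve(rules: List[Rule], sender: str, recipients: List[str]) -> str:
    """Resolve the setting for a whole message.

    A message carries one value for a setting such as 'Allow Script Tags',
    so this returns the value when every recipient agrees and raises when
    they do not (what MailScanner does in that case is not modelled here).
    """
    values = {lookup(rules, sender, rcpt) for rcpt in recipients}
    if None in values:
        raise ValueError("no rule matched and no default line present")
    if len(values) != 1:
        raise ValueError(f"recipients resolve to different values: {sorted(values)}")
    return values.pop()


if __name__ == "__main__":
    disarm = parse_rules(DISARM_RULES)
    print(resolve(disarm, "news@outside.example", ["bob@example.com"]))  # disarm
    print(resolve(disarm, "news@outside.example", ["carol@other.example"]))  # no
```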
Dylan

From mark at msapiro.net Mon Jan 21 21:27:55 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 21 Jan 2019 13:27:55 -0800
Subject: Webmin Module
Message-ID: <32fb6878-49e5-f38d-6e73-848f9fb68a8b@msapiro.net>

On 1/21/19 12:29 AM, Peter C. Ndikuwera wrote:
> Hi,
>
> Is the maintainer of the MailScanner webmin Module on this forum?
>
> Wondering if it works with v5.

The project is old.  hasn't been updated in almost 14 years. The servers for  and  can't be found.

There are reports that it doesn't work properly with MailScanner v4. For example, the thread at .

That said, if you are using it with MailScanner v4 and are happy with it, you might try it with v5 in a test environment.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From nerijus at users.sourceforge.net Mon Jan 21 22:23:12 2019
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Tue, 22 Jan 2019 00:23:12 +0200
Subject: MailScanner has detected definite fraud in the website at "youtu.be"

Hello,

A simple youtube link attached makes MailScanner think it is a fraud. The message body is this:

  --Apple-Mail-36C6D2AC-1C12-470D-B5C9-20A6FE5B0882
  Content-Type: text/plain; charset=us-ascii
  Content-Transfer-Encoding: 7bit

  https://youtu.be/LmlBbbcWElA

  --Apple-Mail-36C6D2AC-1C12-470D-B5C9-20A6FE5B0882
  Content-Type: text/html; charset=utf-8
  Content-Transfer-Encoding: 7bit

  MailScanner has detected definite fraud in the website at "youtu.be". Do not trust this website: https://youtu.be/LmlBbbcWElA
  --Apple-Mail-36C6D2AC-1C12-470D-B5C9-20A6FE5B0882--

From peter.farrow at togethia.net Mon Jan 21 22:24:19 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Mon, 21 Jan 2019 22:24:19 +0000
Subject: Webmin Module
In-Reply-To: <32fb6878-49e5-f38d-6e73-848f9fb68a8b@msapiro.net>
Message-ID: <6c33a20d-cef5-9eb2-e113-4f24e7016229@togethia.net>

It doesn't work with V5, tried it last week...

Pete

On 21/01/2019 21:27, Mark Sapiro wrote:
> That said, if you are using it with MailScanner v4 and are happy with
> it, you might try it with v5 in a test environment.

From nerijus at users.sourceforge.net Mon Jan 21 22:36:24 2019
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Tue, 22 Jan 2019 00:36:24 +0200
Subject: MailScanner has detected definite fraud in the website at "youtu.be"

I have 2 messages where From: addresses are detected as a possible fraud attempt. But they are sensitive, I do not want to send them to the list.

On Tue, 22 Jan 2019 00:23:12 +0200 Nerijus Baliunas wrote:
> A simple youtube link attached makes MailScanner think it is a fraud.

From peter.farrow at togethia.net Mon Jan 21 22:39:34 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Mon, 21 Jan 2019 22:39:34 +0000
Subject: MailScanner has detected definite fraud in the website at "youtu.be"
Message-ID: <4455ef17-a267-ab1e-981c-b35e6189a787@togethia.net>

Use the non-shortened version of the URL such as https://www.youtube.com/watch?v=LmlBbbcWElA

Then it works fine,

P

On 21/01/2019 22:36, Nerijus Baliunas wrote:
> I have 2 messages where From: addresses are detected as a possible fraud attempt.
> But they are sensitive, I do not want to send them to the list.

From jerry.benton at mailborder.com Mon Jan 21 22:41:42 2019
From: jerry.benton at mailborder.com (jerry.benton at mailborder.com)
Date: Mon, 21 Jan 2019 17:41:42 -0500
Subject: MailScanner has detected definite fraud in the website at "youtu.be"
Message-ID: <010c01d4b1da$7b290620$717b1260$@mailborder.com>

Do you understand how that mechanism works and why it would fail that check?

Find Phishing Fraud - "... These can be spotted because the real address of the link in the message is not the same as the text that appears to be the link."

-- 
Jerry Benton
www.mailborder.com
+1 (843) 800-8605
+44 (020) 3883-8605

-----Original Message-----
From: MailScanner On Behalf Of Nerijus Baliunas
Sent: Monday, January 21, 2019 17:36
To: MailScanner Discussion
Subject: Re: MailScanner has detected definite fraud in the website at "youtu.be"

> I have 2 messages where From: addresses are detected as a possible fraud
> attempt. But they are sensitive, I do not want to send them to the list.

From nerijus at users.sourceforge.net Mon Jan 21 22:53:26 2019
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Tue, 22 Jan 2019 00:53:26 +0200
Subject: MailScanner has detected definite fraud in the website at "youtu.be"
In-Reply-To: <4455ef17-a267-ab1e-981c-b35e6189a787@togethia.net>

It's not my messages marked such, I cannot ask other people to always send the non-shortened version of the URL. Is it possible to whitelist a domain (youtu.be for example)?

On Mon, 21 Jan 2019 22:39:34 +0000 Peter Farrow wrote:
> Use the non-shortened version of the URL
> such as https://www.youtube.com/watch?v=LmlBbbcWElA
> Then it works fine,

Regards,
Nerijus

From nerijus at users.sourceforge.net Mon Jan 21 22:55:16 2019
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Tue, 22 Jan 2019 00:55:16 +0200
Subject: MailScanner has detected definite fraud in the website at "youtu.be"
In-Reply-To: <010c01d4b1da$7b290620$717b1260$@mailborder.com>

Is it possible to disable Fraud checks for mailto: links?

On Mon, 21 Jan 2019 17:41:42 -0500 jerry.benton at mailborder.com wrote:
> Do you understand how that mechanism works and why it would fail that check?
>
> Find Phishing Fraud - "... These can be spotted because the real address of
> the link in the message is not the same as the text that appears to be the
> link."

From iversons at rushville.k12.in.us Mon Jan 21 23:00:19 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 21 Jan 2019 18:00:19 -0500
Subject: MailScanner has detected definite fraud in the website at "youtu.be"
References: <4455ef17-a267-ab1e-981c-b35e6189a787@togethia.net>

"youtu.be" is in the phishing.bad.sites.conf, which is what is firing off that alert.

You can add "youtu.be" to phishing.safe.sites.custom to whitelist it and then execute ms-update-phishing to pull it in to the new config.

On Mon, Jan 21, 2019 at 5:54 PM Nerijus Baliunas wrote:
> It's not my messages marked such, I cannot ask other people to always
> send the non-shortened version of the URL. Is it possible to whitelist a domain
> (youtu.be for example)?

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
URL: From peter.farrow at togethia.net Mon Jan 21 23:03:18 2019 From: peter.farrow at togethia.net (Peter Farrow) Date: Mon, 21 Jan 2019 23:03:18 +0000 Subject: MailScanner has detected definite fraud in the website at "youtu.be" In-Reply-To: <010c01d4b1da$7b290620$717b1260$@mailborder.com> References: <010c01d4b1da$7b290620$717b1260$@mailborder.com> Message-ID: <3bb1f8d7-e4e4-adc5-5973-70c361c6ef50@togethia.net> Sending a fresh email with the? the youtu.be link always gives this message, even with no text alternative, when the the youtube.com link constructed in the same basic email it does not give the warning message, just a plain link, no text alternative, so not sure quite why that is the case unless I am being dumb (entirely possible!) On 21/01/2019 22:41, jerry.benton at mailborder.com wrote: > Do you understand how that mechanism works and why it would fail that check? > > > Find Phishing Fraud - "... These can be spotted because the real address of > the link in the message is not the same as the text that appears to be the > link. " > > > -- > Jerry Benton > www.mailborder.com > +1 (843) 800-8605 > +44 (020) 3883-8605 > > > -----Original Message----- > From: MailScanner > On > Behalf Of Nerijus Baliunas > Sent: Monday, January 21, 2019 17:36 > To: MailScanner Discussion > Subject: Re: MailScanner has detected definite fraud in the website at > "youtu.be" > > I have 2 messages where From: addresses are detected as possibe fraud > attempt. > But they are sensitive, I do not want to send them to the list. > > On Tue, 22 Jan 2019 00:23:12 +0200 Nerijus Baliunas > wrote: > >> Hello, >> >> A simple youtube link attached makes MailScanner think it is a fraud. The > message body is this: > > > > > -- -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: sig.PNG Type: image/png Size: 90838 bytes Desc: not available URL: From iversons at rushville.k12.in.us Mon Jan 21 23:05:22 2019 From: iversons at rushville.k12.in.us (Shawn Iverson) Date: Mon, 21 Jan 2019 18:05:22 -0500 Subject: MailScanner has detected definite fraud in the website at "youtu.be" In-Reply-To: References: <010c01d4b1da$7b290620$717b1260$@mailborder.com> Message-ID: I'll add an option to do that. https://github.com/MailScanner/v5/issues/357 On Mon, Jan 21, 2019 at 5:56 PM Nerijus Baliunas < nerijus at users.sourceforge.net> wrote: > Is it possible to disable Fraud checks for mailto: links? > > On Mon, 21 Jan 2019 17:41:42 -0500 jerry.benton at mailborder.com wrote: > > > Do you understand how that mechanism works and why it would fail that > check? > > > > > > Find Phishing Fraud - "... These can be spotted because the real address > of > > the link in the message is not the same as the text that appears to be > the > > link. " > > > > > > -- > > Jerry Benton > > www.mailborder.com > > +1 (843) 800-8605 > > +44 (020) 3883-8605 > > > > > > -----Original Message----- > > From: MailScanner > > > On > > Behalf Of Nerijus Baliunas > > Sent: Monday, January 21, 2019 17:36 > > To: MailScanner Discussion > > Subject: Re: MailScanner has detected definite fraud in the website at > > "youtu.be" > > > > I have 2 messages where From: addresses are detected as possibe fraud > > attempt. > > But they are sensitive, I do not want to send them to the list. > > > > On Tue, 22 Jan 2019 00:23:12 +0200 Nerijus Baliunas > > wrote: > > > > > Hello, > > > > > > A simple youtube link attached makes MailScanner think it is a fraud. 
> The > > message body is this: > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > -- Shawn Iverson, CETL Director of Technology Rush County Schools 765-932-3901 option 7 iversons at rushville.k12.in.us -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter.farrow at togethia.net Mon Jan 21 23:12:21 2019 From: peter.farrow at togethia.net (Peter Farrow) Date: Mon, 21 Jan 2019 23:12:21 +0000 Subject: MailScanner has detected definite fraud in the website at "youtu.be" In-Reply-To: References: <4455ef17-a267-ab1e-981c-b35e6189a787@togethia.net> Message-ID: Just as an aside... Is there any reason why youtu.be is listed in the phishing sites... does it have history..? On 21/01/2019 23:00, Shawn Iverson via MailScanner wrote: > "youtu.be " is in the phishing.bad.sites.conf, which > is what is firing off that alert. > > You can add "youtu.be " to phishing.safe.sites.custom > to whitelist it and then execute ms-update-phishing to pull it in to > the new config. > > On Mon, Jan 21, 2019 at 5:54 PM Nerijus Baliunas > > > wrote: > > It's not my messages marked such, I cannot ask other people to always > send non-shortened version of the URL. Is it possible to whitelist > a domain > (youtu.be for example)? > > On Mon, 21 Jan 2019 22:39:34 +0000 Peter Farrow > > wrote: > > > Use the non-shortened version of the URL > > such as https://www.youtube.com/watch?v=LmlBbbcWElA > > Then it works fine, > > P > > On 21/01/2019 22:36, Nerijus Baliunas wrote: > > > > I have 2 messages where From: addresses are detected as possibe > fraud attempt. > > But they are sensitive, I do not want to send them to the list. > > On Tue, 22 Jan 2019 00:23:12 +0200 Nerijus Baliunas > > wrote: > > > > > > Hello, > > A simple youtube link attached makes MailScanner think it is a > fraud. 
The message body is this: > > > > > > > > -- > > > > > > > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Regards, > Nerijus > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > -- > Shawn Iverson, CETL > Director of Technology > Rush County Schools > 765-932-3901 option 7 > iversons at rushville.k12.in.us > > > > -- > This message has been scanned for viruses and > dangerous content by the *Togethia MailScanner* > , > and is believed to be clean. > Togethia logo > > -- -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: sig.PNG Type: image/png Size: 90838 bytes Desc: not available URL: From jerry.benton at mailborder.com Mon Jan 21 23:14:04 2019 From: jerry.benton at mailborder.com (jerry.benton at mailborder.com) Date: Mon, 21 Jan 2019 18:14:04 -0500 Subject: MailScanner has detected definite fraud in the website at "youtu.be" In-Reply-To: References: <4455ef17-a267-ab1e-981c-b35e6189a787@togethia.net> Message-ID: <016c01d4b1df$00bebab0$023c3010$@mailborder.com> It is listed because it shows up in the Phishtank list. The phishing sites list in MailScanner is derived from the Phishtank list every few hours. -- Jerry Benton www.mailborder.com +1 (843) 800-8605 +44 (020) 3883-8605 From: MailScanner On Behalf Of Peter Farrow Sent: Monday, January 21, 2019 18:12 To: mailscanner at lists.mailscanner.info Subject: Re: MailScanner has detected definite fraud in the website at "youtu.be" Just as an aside... Is there any reason why youtu.be is listed in the phishing sites... does it have history..? On 21/01/2019 23:00, Shawn Iverson via MailScanner wrote: "youtu.be " is in the phishing.bad.sites.conf, which is what is firing off that alert. 
You can add "youtu.be " to phishing.safe.sites.custom to whitelist it and then execute ms-update-phishing to pull it in to the new config. On Mon, Jan 21, 2019 at 5:54 PM Nerijus Baliunas > wrote: It's not my messages marked such, I cannot ask other people to always send non-shortened version of the URL. Is it possible to whitelist a domain (youtu.be for example)? On Mon, 21 Jan 2019 22:39:34 +0000 Peter Farrow > wrote: > Use the non-shortened version of the URL > such as https://www.youtube.com/watch?v=LmlBbbcWElA > Then it works fine, > P > On 21/01/2019 22:36, Nerijus Baliunas wrote: > > I have 2 messages where From: addresses are detected as possibe fraud > attempt. > But they are sensitive, I do not want to send them to the list. > On Tue, 22 Jan 2019 00:23:12 +0200 Nerijus Baliunas > > > wrote: > > > Hello, > A simple youtube link attached makes MailScanner think it is a fraud. The > message body is this: > > > > -- > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner Regards, Nerijus -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- Shawn Iverson, CETL Director of Technology Rush County Schools 765-932-3901 option 7 iversons at rushville.k12.in.us -- This message has been scanned for viruses and dangerous content by the Togethia MailScanner, and is believed to be clean. -- -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ~WRD281.jpg Type: image/jpeg Size: 823 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 561 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
From nerijus at users.sourceforge.net Mon Jan 21 23:15:04 2019
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Tue, 22 Jan 2019 01:15:04 +0200
Subject: MailScanner has detected definite fraud in the website at "youtu.be"
In-Reply-To:
References: <4455ef17-a267-ab1e-981c-b35e6189a787@togethia.net>
Message-ID:

Why is it in phishing.bad.sites.conf? It's a legitimate youtube domain.

On Mon, 21 Jan 2019 18:00:19 -0500 Shawn Iverson via MailScanner wrote:
> "youtu.be" is in the phishing.bad.sites.conf, which is what is firing off that alert.
>
> You can add "youtu.be" to phishing.safe.sites.custom to whitelist it and then execute ms-update-phishing to pull it in to the new config.
From jerry.benton at mailborder.com Mon Jan 21 23:20:44 2019
From: jerry.benton at mailborder.com (jerry.benton at mailborder.com)
Date: Mon, 21 Jan 2019 18:20:44 -0500
Subject: MailScanner has detected definite fraud in the website at "youtu.be"
In-Reply-To:
References: <4455ef17-a267-ab1e-981c-b35e6189a787@togethia.net>
Message-ID: <018001d4b1df$ef7ff1f0$ce7fd5d0$@mailborder.com>

I just answered that. Every domain in the list is a legitimate domain, and a lot of them are used for abuse. That is why they show up on the list. The list is automated. I wrote a script that updates it every 4 hours. If you know someone that is willing to put a sanity check on the list every 4 hours by reviewing all ~16,000 entries, I am game to give them the access.

--
Jerry Benton
www.mailborder.com
+1 (843) 800-8605
+44 (020) 3883-8605

-----Original Message-----
From: MailScanner On Behalf Of Nerijus Baliunas
Sent: Monday, January 21, 2019 18:15
To: MailScanner Discussion
Subject: Re: MailScanner has detected definite fraud in the website at "youtu.be"

Why is it in phishing.bad.sites.conf? It's a legitimate youtube domain.
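The two checks this thread keeps coming back to, the bad-sites list with a local safe-list override and the comparison of the href domain with the domain named in the link text, as a small Python model. This is example code added here, not MailScanner's own phishing code; the list file format, the parent-domain matching, and the sample lists and message body are assumptions constructed for the example, and the verdict strings follow the thread's own "definite fraud" and "possible fraud attempt" labels:

```python
"""Simplified model of the two MailScanner phishing checks discussed in this
thread. This is example code added here, not MailScanner's own phishing
code. Assumptions not taken from the thread: list files hold one hostname
per line with '#' comments, and a listed parent domain also covers its
subdomains (so "example.net" covers "login.example.net").
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-ins for phishing.bad.sites.conf and phishing.safe.sites.custom
# (the real bad list has ~16,000 entries derived from PhishTank).
BAD_SITES_CONF = """
# derived from PhishTank
youtu.be
docs.google.com
evil-login.example
"""
SAFE_SITES_CUSTOM = """
youtu.be
"""

# Link text that itself names a site: optional scheme, dotted host, then / : ? # or end.
SITE_TEXT = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/:?#]|$)")


def load_sites(text):
    """Parse a one-host-per-line list file into a set of lowercase hostnames."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            hosts.add(line)
    return hosts


def hostname(value):
    """Hostname of a URL, or of bare link text such as 'www.example.com/path'."""
    value = value.strip().lower()
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").strip(".")


def bare(host):
    """Drop a leading 'www.' so www.youtube.com and youtube.com compare equal."""
    return host[4:] if host.startswith("www.") else host


def domain_listed(host, sites):
    """True if the host, or any parent domain of it, appears in the list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in sites for i in range(len(labels) - 1))


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body, bad_sites, safe_sites):
    """Return (verdict, href) for each anchor that trips a check, in document order."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = hostname(href)
        if not href_host:
            continue
        # Check 1: the href host is on the bad list and the local safe list does not override it.
        if domain_listed(href_host, bad_sites) and not domain_listed(href_host, safe_sites):
            findings.append(("definite fraud", href))
            continue
        # Check 2: the visible text names a site, and it is not the site the href goes to.
        if SITE_TEXT.match(text.lower()) and bare(hostname(text)) != bare(href_host):
            findings.append(("possible fraud attempt", href))
    return findings


# Constructed sample body: the youtu.be case from the thread, a plain bad-list
# hit, and a Google Docs link of the kind Mark mentions.
SAMPLE_BODY = """
<p>Watch <a href="https://youtu.be/LmlBbbcWElA">https://youtu.be/LmlBbbcWElA</a></p>
<p>Sign in at <a href="http://evil-login.example/x">https://www.youtube.com/</a></p>
<p><a href="https://www.youtube.com/watch?v=LmlBbbcWElA">Click here</a></p>
<p><a href="https://docs.google.com/document/1">docs.google.com</a></p>
"""

if __name__ == "__main__":
    bad, safe = load_sites(BAD_SITES_CONF), load_sites(SAFE_SITES_CUSTOM)
    for verdict, href in check_links(SAMPLE_BODY, bad, safe):
        print(f"{verdict}: {href}")
```

Run as is, the youtu.be link passes (bad-list hit overridden by the safe list) while the evil-login.example and docs.google.com anchors still come back as "definite fraud"; take youtu.be out of the safe list and the first link is reported too, which is the effect of adding a domain to phishing.safe.sites.custom and running ms-update-phishing as Shawn describes. An anchor whose text names one site while the href goes to another is the separate "possible fraud attempt" case.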
From mark at msapiro.net Mon Jan 21 23:35:14 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 21 Jan 2019 15:35:14 -0800
Subject: MailScanner has detected definite fraud in the website at "youtu.be"
In-Reply-To: <3bb1f8d7-e4e4-adc5-5973-70c361c6ef50@togethia.net>
References: <010c01d4b1da$7b290620$717b1260$@mailborder.com> <3bb1f8d7-e4e4-adc5-5973-70c361c6ef50@togethia.net>
Message-ID: <05d23c37-624e-4f9c-7393-50630a47c25d@msapiro.net>

On 1/21/19 3:03 PM, Peter Farrow wrote:
>
> Sending a fresh email with the youtu.be link always gives this message, even with no text alternative, while the youtube.com link constructed in the same basic email does not give the warning message, just a plain link, no text alternative, so not sure quite why that is the case unless I am being dumb (entirely possible!)

youtu.be is in phishing.bad.sites.conf. Jerry has answered why. Shawn has answered how to override it by putting youtu.be in phishing.safe.sites.custom.

It's phishing.bad.sites.conf that produces the "definite fraud" warning. The warning for an href domain unequal to the text domain is different and produces the "possible fraud attempt" warning.

This is not the only example of these things appearing in such contexts. MalwarePatrol continually lists 'https://docs.google.com' and 'https://drive.google.com', and these get listed in PhishTank too.

--
Mark Sapiro         The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From pndiku at gmail.com Tue Jan 22 07:08:50 2019
From: pndiku at gmail.com (Peter C.
Ndikuwera)
Date: Tue, 22 Jan 2019 10:08:50 +0300
Subject: Webmin Module
In-Reply-To: <6c33a20d-cef5-9eb2-e113-4f24e7016229@togethia.net>
References: <32fb6878-49e5-f38d-6e73-848f9fb68a8b@msapiro.net> <6c33a20d-cef5-9eb2-e113-4f24e7016229@togethia.net>
Message-ID:

Thanks, I've cloned the repo and if I find the time I'll take a stab at updating it.

P

--
At that time people began...

On Tue, 22 Jan 2019 at 01:24, Peter Farrow wrote:
> It doesn't work with V5, tried it last week...
>
> Pete
>
> On 21/01/2019 21:27, Mark Sapiro wrote:
>
> On 1/21/19 12:29 AM, Peter C. Ndikuwera wrote:
> > Hi,
> > Is the maintainer of the MailScanner webmin Module on this forum?
> > Wondering if it works with v5.
>
> The project is old. hasn't been updated in almost 14 years. The servers for and can't be found.
>
> There are reports that it doesn't work properly with MailScanner v4. For example, the thread at .
>
> That said, if you are using it with MailScanner v4 and are happy with it, you might try it with v5 in a test environment.

From nwilson123 at gmail.com Tue Jan 22 07:49:09 2019
From: nwilson123 at gmail.com (Neil)
Date: Tue, 22 Jan 2019 09:49:09 +0200
Subject: How MS treats spam-virus with Sanesecurity
In-Reply-To: <1d6625b8-bfb7-48ce-c460-719685e87bc9@msapiro.net>
References: <1d6625b8-bfb7-48ce-c460-719685e87bc9@msapiro.net>
Message-ID:

Hi Mark,

Thanks for your assistance!
I found two problems: one was that my "Virus Names Which Are Spam" wasn't matching the correct virus reports, and then my "header MS_FOUND_SPAMVIRUS exists" didn't include my org-name, so even if it had been matching the correct virus report, the header being added wouldn't have matched my spamassassin rule.

Thanks again!

Regards.
Neil Wilson.

On Mon, Jan 21, 2019 at 7:17 PM Mark Sapiro wrote:
> On 1/21/19 1:08 AM, Neil wrote:
> > Hi guys,
> >
> > Apologies in advance, I'm not sure if this is a question for MS, MW or Sanesecurity, but I've just discovered that despite my Sanesecurity sigs picking up that this email was a spam email, it hasn't blocked it or added points to the spam score, as per the logs below...
> >
> > Jan 18 09:56:35 MailScanner[3219]: Clamd::INFECTED::Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL :: ./CAC9885AC.A3148/
> > Jan 18 09:56:35 MailScanner[3219]: Found spam-virus Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148
> > Jan 18 09:56:35 MailScanner[3219]: Clamd::INFECTED:: Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL :: ./CAC9885AC.A3148/msg-3219-52.txt
> > Jan 18 09:56:35 MailScanner[3219]: Found spam-virus Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL in CAC9885AC.A3148
>
> Clamd has found Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL and MailScanner has identified it as a spam-virus because the name matched one of the configured "Virus Names Which Are Spam" patterns. See
> <https://www.mailscanner.info/MailScanner.conf.index.html#Virus%20Names%20Which%20Are%20Spam>.
>
> The next step is MailScanner adds the header defined by "Spam-Virus Header" to the message. The default for this is
>
> X-%org-name%-MailScanner-SpamVirus-Report:
>
> I.e.
> if org-name is "Example" the header added is
>
> X-Example-MailScanner-SpamVirus-Report:
>
> See
> <https://www.mailscanner.info/MailScanner.conf.index.html#Spam-Virus%20Header>
>
> The part you are missing is in SpamAssassin, you need something like
>
> header MS_FOUND_SPAMVIRUS exists:X-Example-MailScanner-SpamVirus-Report
> score MS_FOUND_SPAMVIRUS 3.0
>
> Of course the actual name of the rule and the score are up to you.
>
> --
> Mark Sapiro         The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

From Nicola.Piazzi at gruppocomet.it Tue Jan 22 07:52:43 2019
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 22 Jan 2019 07:52:43 +0000
Subject: About sophossavi
Message-ID: <0584654c7bf241dd85396233c850cdb3@gruppocomet.it>

Hi everyone

As anyone knows, doing a virus scan takes CPU time to invoke a command that loads libraries, and this is done for each message we receive. So, for example, clamscan takes 15 secs and sophos takes 7 secs. This causes intensive CPU work on our machine to scan each message.

Clamd remedies this because it scans messages using a daemon that has loaded the libraries one time only and is only invoked for each scan, resulting in a CPU time near 0.

Not so for savscan (or sweep) for sophos, which takes 7 secs of CPU.

I found that there is also sophossavi, but I was not able to use it (64 bit system).

Can someone tell me if sophossavi acts as clamd does, saving CPU? And if there is a way to use it on 64bit systems?

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.comet.it
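What a daemon-based scanner buys, as Nicola describes for clamd, shown as the wire exchange for clamd's INSTREAM command in Python. This is example code added here, not MailScanner's clamd support and not a Sophos SAVDI client, but a SAVDI wrapper for MailScanner would occupy the same position: one persistent daemon with signatures loaded, one socket round trip per file, no per-message process start-up. The socket path and the canned replies fed through FakeClamd are assumptions constructed for the example:

```python
"""The scan-daemon exchange that makes clamd cheap per message, on clamd's
INSTREAM protocol. Example code added here; it is not MailScanner's clamd
support and not a Sophos SAVDI client. Assumption not taken from the thread:
the socket path below (Debian/Ubuntu packaging default). The wire format is
clamd's documented one: "zINSTREAM" terminated by NUL, then chunks of a 4-byte
big-endian length plus data, ended by a zero-length chunk; clamd answers with
one NUL-terminated line such as "stream: Eicar-Test-Signature FOUND".
"""
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # assumption: Debian/Ubuntu default
CHUNK_SIZE = 8192


def instream_request(data, chunk_size=CHUNK_SIZE):
    """Serialise data as one complete zINSTREAM request: command, chunks, terminator."""
    out = bytearray(b"zINSTREAM\0")
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)          # zero-length chunk ends the stream
    return bytes(out)


def parse_reply(reply):
    """Map a clamd reply line to (status, detail) with status OK, FOUND or ERROR."""
    line = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, result = line.partition(": ")           # drop the "stream: " (or "<path>: ") prefix
    if result == "OK":
        return "OK", ""
    detail, _, status = result.rpartition(" ")   # e.g. "Eicar-Test-Signature FOUND"
    if status not in ("FOUND", "ERROR"):
        return "ERROR", line                      # unexpected shape: surface the whole line
    return status, detail


def scan_stream(conn, data):
    """Send data over an open clamd connection and return parse_reply's result."""
    conn.sendall(instream_request(data))
    reply = bytearray()
    while not reply.endswith(b"\0"):             # z-commands get NUL-terminated replies
        part = conn.recv(4096)
        if not part:
            break
        reply += part
    return parse_reply(bytes(reply))


def scan_file(path, socket_path=CLAMD_SOCKET, timeout=60):
    """Scan one file through the daemon; a wrapper would call this per extracted message part."""
    with open(path, "rb") as fh:
        data = fh.read()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
        conn.settimeout(timeout)
        conn.connect(socket_path)
        return scan_stream(conn, data)


class FakeClamd:
    """Constructed stand-in for the clamd socket: records what it receives, returns a can
ned reply."""

    def __init__(self, reply):
        self.sent, self._reply = bytearray(), reply

    def sendall(self, data):
        self.sent += data

    def recv(self, size):
        part, self._reply = self._reply[:size], self._reply[size:]
        return part


if __name__ == "__main__":
    fake = FakeClamd(b"stream: Eicar-Test-Signature FOUND\0")
    print(scan_stream(fake, b"constructed message part"))
    print(len(fake.sent), "bytes sent to the daemon")
```

scan_file() is the call a wrapper would make once per extracted part, reusing the daemon rather than starting a scanner process each time; FakeClamd exists only so the framing and reply parsing can be exercised without a running clamd. The "INSTREAM size limit exceeded. ERROR" reply is the one to handle deliberately, since a daemon that refuses oversize streams is still a scan that did not happen.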
From mark at msapiro.net Tue Jan 22 17:41:47 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 22 Jan 2019 09:41:47 -0800
Subject: About sophossavi
In-Reply-To: <0584654c7bf241dd85396233c850cdb3@gruppocomet.it>
References: <0584654c7bf241dd85396233c850cdb3@gruppocomet.it>
Message-ID: <642af0ac-2169-1a94-cd98-2055a5c00edf@msapiro.net>

On 1/21/19 11:52 PM, Nicola Piazzi wrote:
>
> Can someone tell me if sophossavi acts as clamd does, saving CPU? And if there is a way to use it on 64bit systems?

It appears that the Sophos product that acts more like clamd is Sophos sav-di. Using this with MailScanner would require implementation of an appropriate wrapper.

--
Mark Sapiro         The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailscanner-list at okla.com Tue Jan 22 17:51:19 2019
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Tue, 22 Jan 2019 11:51:19 -0600
Subject: About sophossavi
In-Reply-To: <642af0ac-2169-1a94-cd98-2055a5c00edf@msapiro.net>
References: <0584654c7bf241dd85396233c850cdb3@gruppocomet.it> <642af0ac-2169-1a94-cd98-2055a5c00edf@msapiro.net>
Message-ID: <07d501d4b27b$1656dd20$43049760$@okla.com>

It would be less resource intensive; sounds like a good thing to me. Most of the wrappers have needed to be worked on for a bit anyway. Every time the AV changes paths, output etc. it will require a rewrite, it appears. Clearly, having more wrappers working properly, and the reporting working properly with Mailwatch, just makes these open source projects much more useful. Other than MailBorder, there really aren't any other solutions that I know of to get the job done. Tried Baruwa a few years back and preferred MailScanner/Mailwatch. Thanks to all those doing volunteer coding on these projects.
Tracy

From andrew at topdog.za.net Wed Jan 23 06:41:51 2019
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Wed, 23 Jan 2019 08:41:51 +0200
Subject: About sophossavi
In-Reply-To: <642af0ac-2169-1a94-cd98-2055a5c00edf@msapiro.net>
References: <0584654c7bf241dd85396233c850cdb3@gruppocomet.it> <642af0ac-2169-1a94-cd98-2055a5c00edf@msapiro.net>
Message-ID: <89E9B97E-5DD7-49F0-B1AB-BF693AC2DC1C@topdog.za.net>

> On 22 Jan 2019, at 19:41, Mark Sapiro wrote:
>
> It appears that the Sophos product that acts more like clamd is Sophos sav-di.
>
> Using this with MailScanner would require implementation of an appropriate wrapper.

We have in-house code to connect to Sophos via SAVDI and Avast via the daemon interface. These are both more efficient than invoking the command line programs for these engines. The code is on the v4 code base; I can provide our SweepViruses.pm from which you can extract the code. However, SweepViruses.pm may be dated as well going forward.
Maybe the wheel should not be reinvented here, as there is robust Perl AV code[1] that could be used as the building blocks for a new SweepViruses.pm

[1] https://metacpan.org/pod/File::VirusScan

- Andrew

From peter.farrow at togethia.net Wed Jan 23 19:08:26 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Wed, 23 Jan 2019 19:08:26 +0000
Subject: MailScanner[ ]: HTML disarming died, status = 13
Message-ID: <451882a4-12da-7024-8e3c-e7b3c0c7ff74@togethia.net>

Dear All,

I thought I had fixed this error by massaging the permissions.

But it still persists.... and won't go away... even with "777" on all directories...

Messages arrive with "Mailscanner suffered a Denial of service attack...." and the html contents removed.

Any input appreciated!

Pete

From iversons at rushville.k12.in.us Wed Jan 23 19:12:01 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 23 Jan 2019 14:12:01 -0500
Subject: MailScanner[ ]: HTML disarming died, status = 13
In-Reply-To: <451882a4-12da-7024-8e3c-e7b3c0c7ff74@togethia.net>
References: <451882a4-12da-7024-8e3c-e7b3c0c7ff74@togethia.net>
Message-ID:

Ubuntu 18.04?

Apparmor enabled/enforcing?

On Wed, Jan 23, 2019 at 2:08 PM Peter Farrow wrote:
> Dear All,
>
> I thought I had fixed this error by massaging the permissions.
>
> But it still persists.... and won't go away... even with "777" on all directories...
>
> Messages arrive with "Mailscanner suffered a Denial of service attack...." and the html contents removed.
>
> Any input appreciated!
>
> Pete

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From peter.farrow at togethia.net Wed Jan 23 19:29:01 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Wed, 23 Jan 2019 19:29:01 +0000
Subject: MailScanner[ ]: HTML disarming died, status = 13
In-Reply-To:
References: <451882a4-12da-7024-8e3c-e7b3c0c7ff74@togethia.net>
Message-ID:

Thank you Shawn, I'll take a look.... yes, Ubuntu 18.04 LTS

Pete

On 23/01/2019 19:12, Shawn Iverson via MailScanner wrote:
> Ubuntu 18.04?
>
> Apparmor enabled/enforcing?
From peter.farrow at togethia.net Wed Jan 23 19:35:28 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Wed, 23 Jan 2019 19:35:28 +0000
Subject: MailScanner[ ]: HTML disarming died, status = 13
In-Reply-To:
References: <451882a4-12da-7024-8e3c-e7b3c0c7ff74@togethia.net>
Message-ID: <2860d5b0-557d-1c4a-56be-286bc3a4fa54@togethia.net>

Well, Apparmor is running.

So I disabled it for now to see what effect this has.

To be honest it's pretty tricky to track this down as it occurs so infrequently.

I enabled some rules as per Mark Sapiro's suggestion to disable "disarming" for the domain in question, but this still crops up.

Pete

On 23/01/2019 19:12, Shawn Iverson via MailScanner wrote:
> Ubuntu 18.04?
>
> Apparmor enabled/enforcing?
From peter.farrow at togethia.net Thu Jan 24 09:05:07 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Thu, 24 Jan 2019 09:05:07 +0000
Subject: MailScanner[ ]: HTML disarming died, status = 13
In-Reply-To: <2860d5b0-557d-1c4a-56be-286bc3a4fa54@togethia.net>
References: <451882a4-12da-7024-8e3c-e7b3c0c7ff74@togethia.net> <2860d5b0-557d-1c4a-56be-286bc3a4fa54@togethia.net>
Message-ID:

Hi There

Disabled apparmor,

Had another 10 of these overnight,

Is it worth dumping Ubuntu and going back to CentOS?

My old CentOS 5 scanners never had this issue...

Pete

On 23/01/2019 19:35, Peter Farrow wrote:
>
> Well, Apparmor is running.
>
> So I disabled it for now to see what effect this has.
From mark at msapiro.net Thu Jan 24 16:34:29 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 24 Jan 2019 08:34:29 -0800
Subject: MailScanner[ ]: HTML disarming died, status = 13
In-Reply-To:
References: <451882a4-12da-7024-8e3c-e7b3c0c7ff74@togethia.net> <2860d5b0-557d-1c4a-56be-286bc3a4fa54@togethia.net>
Message-ID: <8424974f-7991-fdca-7efb-b118a28f44ec@msapiro.net>

On 1/24/19 1:05 AM, Peter Farrow wrote:
> Hi There
>
> Disabled apparmor,
>
> Had another 10 of these overnight,
>
> Is it worth dumping Ubuntu and going back to CentOS?
>
> My old CentOS 5 scanners never had this issue...

FWIW, I've been running MailScanner in production on Ubuntu 14.04 and 16.04 for years, and I've never seen this issue on this server.

--
Mark Sapiro         The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From kevin.miller at juneau.org Thu Jan 24 23:19:59 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Thu, 24 Jan 2019 23:19:59 +0000
Subject: SpamAssassin Rule Actions
Message-ID:

I have the following setting in my conf file, and it's working well (forwards mail that hits my sextortion rule to postmaster).

SpamAssassin Rule Actions = CBJ_Ransom=>forward postmaster at juneau.org

I've been using the sanesecurity UNOFFICIAL clamav signatures, and have gotten mixed results from the malwarepatrol signatures. It's hard to tell if the messages flagged as viruses are false positives or not, so I quit using their clamav signatures in favor of the spamassassin ruleset, which gives me more flexibility in what I do w/the hits.
There are over 1500 rules however, having the format below:

...
body MBL_22060342 /kerte\.ml\/lazada\//i
describe MBL_22060342 MBL: 22060342
score MBL_22060342 5.0

body MBL_22060468 /lanhodiepuytin\.com\/spFOu-lMI_NJ-VGE\/InvoiceCodeChanges\/US_us\//i
describe MBL_22060468 MBL: 22060468
score MBL_22060468 5.0

body MBL_22061432 /horizonth\.com\/dwl\//i
describe MBL_22061432 MBL: 22061432
score MBL_22061432 5.0

I'd like to add them to the SpamAssassin Rule Actions but obviously don't want to hand enter all those rule names. Will the SpamAssassin Rule Actions accept a partial string or wildcard, a la:

SpamAssassin Rule Actions = CBJ_Ransom=>forward postmaster at juneau.org MBL_=>forward postmaster at juneau.org

Or

SpamAssassin Rule Actions = CBJ_Ransom=>forward postmaster at juneau.org MBL_*=>forward postmaster at juneau.org

Thanks...

...Kevin

--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

From kevin at g1bwt.me.uk Fri Jan 25 12:44:59 2019
From: kevin at g1bwt.me.uk (Kevin Frost)
Date: Fri, 25 Jan 2019 12:44:59 +0000
Subject: Raspberry Pi install
Message-ID: <1626CEAC-3D56-4B09-A484-0665671F2F1D@g1bwt.me.uk>

Hi

Considering installing Mailscanner on a Ubuntu 16.04 image on a Raspberry Pi 3. Does anyone have any thoughts on whether it would succeed? Any gotchas? I'm not worried about speed etc., merely a small project.

Thanks.
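Two of the threads above end at SpamAssassin configuration: Mark's header-exists rule for MailScanner's Spam-Virus header in Neil's Sanesecurity thread, and Kevin Miller's wish to act on some 1,500 MBL_ rules without listing every name. The script below generates both as a local.cf fragment. It is example code added here, not MailScanner's, Sanesecurity's or MalwarePatrol's own. Rather than relying on wildcard support in "SpamAssassin Rule Actions", which the thread does not settle, it collapses the MBL rules into one scored meta rule and references only that name. Assumptions not taken from the threads: the Spam-Virus Header default and %org-name% expansion as Mark quotes them, a 0.001 score to keep the meta rule active, a comma separator in the Rule Actions value (check the comment block for that setting in your MailScanner.conf), and the constructed rules excerpt:

```python
"""SpamAssassin glue for two questions above, as example code added here (not
MailScanner's, Sanesecurity's or MalwarePatrol's own): the header-exists rule
for MailScanner's Spam-Virus header, and one meta rule that fires when any
MBL_* rule hits, so "SpamAssassin Rule Actions" needs a single entry rather
than ~1,500 names or a wildcard. Assumptions not taken from the threads: the
default Spam-Virus Header template and %org-name% expansion are as Mark
quotes them; a meta rule scored 0.001 stays active (SpamAssassin disables
rules scored 0) without moving the total; the Rule Actions value is
comma-separated; rule names are taken from body/rawbody/uri/header/full/meta
lines only.
"""
import re

RULE_LINE = re.compile(r"^\s*(?:body|rawbody|uri|header|full|meta)\s+(\w+)\s", re.M)

# Constructed excerpt in the format Kevin posted (the real file has over 1500 rules).
MBL_RULES_CF = r"""
body MBL_22060342 /kerte\.ml\/lazada\//i
describe MBL_22060342 MBL: 22060342
score MBL_22060342 5.0

body MBL_22060468 /lanhodiepuytin\.com\/spFOu-lMI_NJ-VGE\/InvoiceCodeChanges\/US_us\//i
describe MBL_22060468 MBL: 22060468
score MBL_22060468 5.0
"""


def rule_names(cf_text, prefix=""):
    """Unique rule names defined in a .cf file, in first-seen order, filtered by prefix."""
    seen, names = set(), []
    for name in RULE_LINE.findall(cf_text):
        if name.startswith(prefix) and name not in seen:
            seen.add(name)
            names.append(name)
    return names


def spamvirus_header(org_name, template="X-%org-name%-MailScanner-SpamVirus-Report:"):
    """Expand MailScanner's 'Spam-Virus Header' template for the configured %org-name%."""
    return template.replace("%org-name%", org_name)


def spamvirus_rule(org_name, rule="MS_FOUND_SPAMVIRUS", score=3.0):
    """Rule that fires when MailScanner has tagged the message as a spam-virus."""
    header = spamvirus_header(org_name).rstrip(":")   # 'exists:' takes the name without the colon
    return "\n".join([
        f"header {rule} exists:{header}",
        f"describe {rule} MailScanner found a spam-virus (e.g. a Sanesecurity signature)",
        f"score {rule} {score}",
    ])


def any_of_meta_rule(names, meta_name, score=0.001):
    """One meta rule that is true when any of the named rules hit."""
    if not names:
        raise ValueError("no rules to combine")
    return "\n".join([
        f"meta {meta_name} ({' || '.join(names)})",
        f"describe {meta_name} any of {len(names)} MalwarePatrol MBL rules hit",
        f"score {meta_name} {score}",
    ])


def rule_actions_line(actions):
    """MailScanner.conf 'SpamAssassin Rule Actions' value from (rule, action) pairs.

    Assumption: entries are separated by commas.
    """
    return "SpamAssassin Rule Actions = " + ",".join(f"{rule}=>{action}" for rule, action in actions)


def build_local_cf(org_name, mbl_cf_text, meta_name="CBJ_MBL_ANY"):
    """Fragment for local.cf: the spam-virus header rule plus the MBL umbrella rule."""
    names = rule_names(mbl_cf_text, prefix="MBL_")
    return spamvirus_rule(org_name) + "\n\n" + any_of_meta_rule(names, meta_name) + "\n"


if __name__ == "__main__":
    print(build_local_cf("Example", MBL_RULES_CF))
    print(rule_actions_line([
        ("CBJ_Ransom", "forward postmaster@example.org"),
        ("CBJ_MBL_ANY", "forward postmaster@example.org"),
    ]))
```

Regenerate the fragment whenever the MBL ruleset is refreshed and run spamassassin --lint afterwards. Because the meta rule carries a score, it shows up among the rules hit just as CBJ_Ransom does, so a single CBJ_MBL_ANY=>forward entry covers every MBL rule. The header rule is the part Neil had wrong: the header name in exists: has to carry the same %org-name% that MailScanner puts in the header it adds.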
From toby at rosecott.net Fri Jan 25 12:48:08 2019
From: toby at rosecott.net (Toby Home)
Date: Fri, 25 Jan 2019 12:48:08 +0000 (UTC)
Subject: Raspberry Pi install
In-Reply-To: <1626CEAC-3D56-4B09-A484-0665671F2F1D@g1bwt.me.uk>
References: <1626CEAC-3D56-4B09-A484-0665671F2F1D@g1bwt.me.uk>
Message-ID: <77D992F1C0846DE7.F5FC06C6-E67A-4315-95F6-FCC597BA969C@mail.outlook.com>

Have run it on a Pi 3 under Raspbian; seemed ok on my home mail.

Regards

Toby Widdows

On Fri, Jan 25, 2019 at 12:45 PM +0000, "Kevin Frost" wrote:
> Considering installing Mailscanner on a Ubuntu 16.04 image on a Raspberry Pi 3. Does anyone have any thoughts on whether it would succeed? Any gotchas?

From iversons at rushville.k12.in.us Sun Jan 27 21:13:08 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 27 Jan 2019 16:13:08 -0500
Subject: 5.1.3-2 builds are available
Message-ID:

https://www.mailscanner.info

https://github.com/MailScanner/v5/tree/master/builds

Packages are now signed as well as hashed, for the security conscious (security paranoid). Visit github.com for the signatures, hashes, and pubkey for further verification.

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From belle at bazuin.nl Mon Jan 28 07:59:18 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Mon, 28 Jan 2019 08:59:18 +0100
Subject: 5.1.3-2 builds are available
In-Reply-To:
References:
Message-ID:

Hi Shawn,

It looks like
https://github.com/MailScanner/v5/blob/master/builds/MailScanner-5.1.3-2.deb.tar.gz
isn't a tar.gz file?
but this one is:
https://s3.amazonaws.com/msv5/release/MailScanner-5.1.3-2.deb.tar.gz
445Kb.

Can you verify the file in git?

Best regards,

Louis

From belle at bazuin.nl Mon Jan 28 08:00:15 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Mon, 28 Jan 2019 09:00:15 +0100
Subject: 5.1.3-2 builds are available
In-Reply-To:
References:
Message-ID:

Forgot to mention.

-rw-r--r--  1 root root 455797 Jan 27 21:44 MailScanner-5.1.3-2.deb.tar.gz    < amazon
-rw-r--r--  1 root root  53251 Jan 28 08:58 MailScanner-5.1.3-2.deb.tar.gz    < github

both just a wget ...

Greetz,

Louis
From iversons at rushville.k12.in.us Mon Jan 28 09:33:36 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 28 Jan 2019 04:33:36 -0500
Subject: 5.1.3-2 builds are available
In-Reply-To:
References:
Message-ID:

Louis,

That's because you are fetching a webpage instead of the actual file. You need to fetch from github using raw format when downloading using wget...

wget -O MailScanner-5.1.3-2.deb.tar.gz https://github.com/MailScanner/v5/blob/master/builds/MailScanner-5.1.3-2.deb.tar.gz?raw=true

On Mon, Jan 28, 2019 at 3:00 AM L.P.H. van Belle via MailScanner wrote:
> Forgot to mention.
>
> -rw-r--r--  1 root root 455797 Jan 27 21:44 MailScanner-5.1.3-2.deb.tar.gz    < amazon
> -rw-r--r--  1 root root  53251 Jan 28 08:58 MailScanner-5.1.3-2.deb.tar.gz    < github
>
> both just a wget ...
van Belle > *Onderwerp:* RE: 5.1.3-2 builds are available > > Hai Shawn, > > it looks like : > https://github.com/MailScanner/v5/blob/master/builds/MailScanner-5.1.3-2.deb.tar.gz > isnt a tar.gz file? > but this one is : > https://s3.amazonaws.com/msv5/release/MailScanner-5.1.3-2.deb.tar.gz > 445Kb. > > Can you verify the file in git? > > > > Best regards, > > Louis > > > > ------------------------------ > *Van:* MailScanner [mailto:mailscanner-bounces+belle= > bazuin.nl at lists.mailscanner.info] *Namens *Shawn Iverson via MailScanner > *Verzonden:* zondag 27 januari 2019 22:13 > *Aan:* mailscanner at lists.mailscanner.info > *CC:* Shawn Iverson > *Onderwerp:* 5.1.3-2 builds are available > > https://www.mailscanner.info > > https://github.com/MailScanner/v5/tree/master/builds > > Packages are now signed as well as hashed, for the security conscious > (security paranoid). Visit github.com for the signatures, hashes, and > pubkey for further verification. > > -- > Shawn Iverson, CETL > Director of Technology > Rush County Schools > 765-932-3901 option 7 > iversons at rushville.k12.in.us > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > -- Shawn Iverson, CETL Director of Technology Rush County Schools 765-932-3901 option 7 iversons at rushville.k12.in.us -------------- next part -------------- An HTML attachment was scrubbed... URL: From belle at bazuin.nl Mon Jan 28 09:51:12 2019 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Mon, 28 Jan 2019 10:51:12 +0100 Subject: 5.1.3-2 builds are available In-Reply-To: References: Message-ID: Hai Shawn, ? Ah, yes.., thats stupid of me, totaly forgot about the "raw" on github. Sorry about that. I'll get some more coffee ...? ? And Thank you for the update :-) ? ? Greetz, ? Lousi ? ? 
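The mix-up in this thread (a 53251-byte GitHub HTML page saved under a .tar.gz name beside the 455797-byte real package) is easy to catch before anything is unpacked, and Shawn's note that the builds are now signed and hashed supplies a second check. The script below is an added example, not code from the thread or from the MailScanner project: it rejects a download that is not gzip data and compares its SHA-256 with a published digest. The file names and the digest in the demo are constructed; in real use the digest comes from the hashes file published with the release, never from the download itself.

```shell
#!/bin/sh
# Added example, not MailScanner project code. Sanity-check a downloaded
# release tarball before unpacking it:
#   1. it must really be gzip data (magic bytes 1f 8b); a GitHub "blob"
#      page fetched without ?raw=true is HTML saved under a .tar.gz name;
#   2. its SHA-256 must equal the digest published with the package.
# Needs od, tr, sha256sum and cut (coreutils or busybox).

# Succeeds when the file starts with the gzip magic bytes 1f 8b.
is_gzip() {
    [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# Succeeds when the file's SHA-256 equals the expected lowercase hex digest.
sha256_matches() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Combined check: returns 0 only when both tests pass, and says on stderr
# which one failed so the operator knows whether to re-fetch (wrong URL)
# or to distrust the file (wrong digest).
verify_release() {
    file=$1
    expected=$2
    if ! is_gzip "$file"; then
        echo "REJECT: $file is not gzip data (fetched the GitHub HTML page instead of ?raw=true?)" >&2
        return 1
    fi
    if ! sha256_matches "$file" "$expected"; then
        echo "REJECT: $file SHA-256 does not match the published digest" >&2
        return 1
    fi
    echo "OK: $file is a gzip archive with the expected SHA-256"
}

# Demonstration on constructed data (not the real package): one file with a
# gzip header and one holding an HTML page, both named like a release.
demo() {
    d=$(mktemp -d)
    printf '\037\213\010\010constructed-demo' > "$d/MailScanner-5.1.3-2.deb.tar.gz"
    printf '<!DOCTYPE html><html>GitHub blob page</html>\n' > "$d/blob-page.tar.gz"
    # Computed here only to keep the demo self-contained; see the lead-in.
    digest=$(sha256sum "$d/MailScanner-5.1.3-2.deb.tar.gz" | cut -d' ' -f1)
    verify_release "$d/MailScanner-5.1.3-2.deb.tar.gz" "$digest"
    verify_release "$d/blob-page.tar.gz" "$digest" || echo "(rejected, as expected)"
    rm -rf "$d"
}

# Run the demo only when asked, so the functions can also be sourced.
if [ "${DEMO:-0}" = 1 ]; then demo; fi
```

Run `verify_release MailScanner-5.1.3-2.deb.tar.gz <digest>` right after the wget line Shawn gives. A matching hash only proves you received the file the publisher hashed; checking the detached signature with `gpg --verify` against the project pubkey mentioned in the announcement is the stronger check, because it ties the file to the signing key rather than to a digest that travelled over the same channel.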
From info at schroeffu.ch Mon Jan 28 15:37:50 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Mon, 28 Jan 2019 15:37:50 +0000
Subject: Virus Scanner Rules to disable a specific virus scanner per ip/domain
Message-ID: <19da4a5018c782ab15952fc15626b445@schroeffu.ch>

Hello to all,

I am running ClamdScan + F-Secure for VirusScanning. Can I disable clamdscan for specific domains/ips?

Unfortunately, in MailScanner.conf it is written that it is not possible:

# This *cannot* be the filename of a ruleset.
Virus Scanners = clamdscan f-secure

We are using clamdscan with enabled macro heuristics; it is successfully blocking hundreds of macros per month which are viruses (macro loader in .doc for example). F-Secure is only detecting macros which they know in their signature database, which isn't much, or they are too slow to add new macro-loader viruses.

It would be perfect to disable clamdscan only for specific ips/domains, but still keep f-secure enabled for them. Any possibility :-)?

Thanks in advance!

From info at schroeffu.ch Tue Jan 29 16:08:09 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Tue, 29 Jan 2019 16:08:09 +0000
Subject: Virus Scanner Rules to disable a specific virus scanner per ip/domain
In-Reply-To:
References: <19da4a5018c782ab15952fc15626b445@schroeffu.ch>
Message-ID: <0c830c7d5e5d5164697abba850fddf08@schroeffu.ch>

Hey, thanks for your answer.
But turning this key "Virus Scanning = FILESET-RULE" would turn off both, clamdscan + f-secure, right? Is there only the possibility virusscan yes/no? I would like to disable only clamdscan for specific domains, but keep f-secure enabled for them.

Is that possible?

Lot regards
David

> Hi,
>
> this is the key (in MailScanner.conf):
>
> # If you want to be able to switch scanning on/off for different users or
> # different domains, set this to the filename of a ruleset.
> # This can also be the filename of a ruleset.
> Virus Scanning = yes
>
> Regards
> Valentin Laskov

From mark at msapiro.net Tue Jan 29 18:31:28 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 29 Jan 2019 10:31:28 -0800
Subject: Virus Scanner Rules to disable a specific virus scanner per ip/domain
In-Reply-To: <0c830c7d5e5d5164697abba850fddf08@schroeffu.ch>
References: <19da4a5018c782ab15952fc15626b445@schroeffu.ch> <0c830c7d5e5d5164697abba850fddf08@schroeffu.ch>
Message-ID: <1acee247-bd0a-4bee-28d7-c5229f41204c@msapiro.net>

On 1/29/19 8:08 AM, info at schroeffu.ch wrote:
> Hey, thanks for your answer.
>
> But turning this key "Virus Scanning = FILESET-RULE" would turn off both,
> clamdscan + f-secure, right? Is there only the possibility virusscan yes/no?
> I would like to disable only clamdscan for specific domains, but keep
> f-secure enabled for them.
>
> Is that possible?

Not with current configuration options. MailScanner does not currently support a rule set for the 'Virus Scanners' setting. I don't know how difficult it would be to implement that.

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan

From iversons at rushville.k12.in.us Tue Jan 29 18:34:31 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 29 Jan 2019 13:34:31 -0500
Subject: Virus Scanner Rules to disable a specific virus scanner per ip/domain
In-Reply-To: <1acee247-bd0a-4bee-28d7-c5229f41204c@msapiro.net>
References: <19da4a5018c782ab15952fc15626b445@schroeffu.ch> <0c830c7d5e5d5164697abba850fddf08@schroeffu.ch> <1acee247-bd0a-4bee-28d7-c5229f41204c@msapiro.net>
Message-ID:

Opened an enhancement request, I'll take a look in my spare time...

https://github.com/MailScanner/v5/issues/363

On Tue, Jan 29, 2019 at 1:31 PM Mark Sapiro wrote:
> Not with current configuration options. MailScanner does not currently
> support a rule set for the 'Virus Scanners' setting. I don't know how
> difficult it would be to implement that.

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From it at festa.bg Wed Jan 30 07:14:59 2019
From: it at festa.bg (Valentin Laskov)
Date: Wed, 30 Jan 2019 09:14:59 +0200
Subject: Virus Scanner Rules to disable a specific virus scanner per ip/domain
In-Reply-To: <1acee247-bd0a-4bee-28d7-c5229f41204c@msapiro.net>
References: <19da4a5018c782ab15952fc15626b445@schroeffu.ch> <0c830c7d5e5d5164697abba850fddf08@schroeffu.ch> <1acee247-bd0a-4bee-28d7-c5229f41204c@msapiro.net>
Message-ID:

Maybe, if you managed to run a second, specially configured instance of MailScanner. The first with f-secure and the second with clamd. I don't know how :)

On 29.01.2019 at 20:31, Mark Sapiro wrote:
> On 1/29/19 8:08 AM, info at schroeffu.ch wrote:
>> I would like to disable only clamdscan for specific domains, but keep
>> f-secure enabled for them.
>>
>> Is that possible?
>
> Not with current configuration options. MailScanner does not currently
> support a rule set for the 'Virus Scanners' setting. I don't know how
> difficult it would be to implement that.

From mailscanner-list at okla.com Wed Jan 30 23:20:17 2019
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Wed, 30 Jan 2019 17:20:17 -0600
Subject: Release dangerous content?
Message-ID: <000201d4b8f2$627f3fd0$277dbf70$@okla.com>

I have these options set to below yet can't release dangerous content like a .bat file without it getting re-quarantined. 127.0.0.1 is whitelisted.

define('DOMAINADMIN_CAN_RELEASE_DANGEROUS_CONTENTS', true);
define('DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS', true);
define('QUARANTINE_USE_SENDMAIL', true);

These are my current software versions.
MailWatch Version: 1.2.12
Operating System Version: CentOS Linux 7 (Core)
Postfix Version: 3.2.4
MailScanner Version: 5.1.3
ClamAV Version: 0.101.1
SpamAssassin Version: 3.4.2
PHP Version: 7.2.8
MySQL Version: 10.1.35-MariaDB
GeoIP Database Version: GeoLite2 Country database 2019-01-22 17:43:27

Any ideas?

Thanks,
Tracy

From jerry.benton at mailborder.com Wed Jan 30 23:22:57 2019
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 30 Jan 2019 18:22:57 -0500
Subject: Release dangerous content?
In-Reply-To: <000201d4b8f2$627f3fd0$277dbf70$@okla.com>
References: <000201d4b8f2$627f3fd0$277dbf70$@okla.com>
Message-ID: <04a101d4b8f2$bc5c29a0$35147ce0$@mailborder.com>

That is a MailWatch thing I believe.

--
Jerry Benton
www.mailborder.com
+1 (843) 800-8605
+44 (020) 3883-8605

From: MailScanner On Behalf Of Tracy Greggs via MailScanner
Sent: Wednesday, January 30, 2019 18:20
To: 'MailScanner Discussion'
Cc: Tracy Greggs
Subject: Release dangerous content?

> I have these options set to below yet can't release dangerous content like a .bat file without it getting re-quarantined. 127.0.0.1 is whitelisted.

From peter.farrow at togethia.net Wed Jan 30 23:27:33 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Wed, 30 Jan 2019 23:27:33 +0000
Subject: Release dangerous content?
In-Reply-To: <000201d4b8f2$627f3fd0$277dbf70$@okla.com>
References: <000201d4b8f2$627f3fd0$277dbf70$@okla.com>
Message-ID:

Take a look here:

https://docs.mailwatch.org/using/faq.html

You need to add 127.0.0.1 rules to prevent this

Pete

On 30/01/2019 23:20, Tracy Greggs via MailScanner wrote:
> I have these options set to below yet can't release dangerous content
> like a .bat file without it getting re-quarantined. 127.0.0.1 is
> whitelisted.

From mailscanner-list at okla.com Thu Jan 31 01:09:40 2019
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Wed, 30 Jan 2019 19:09:40 -0600
Subject: Release dangerous content?
In-Reply-To:
References: <000201d4b8f2$627f3fd0$277dbf70$@okla.com>
Message-ID: <001e01d4b901$a6a93580$f3fba080$@okla.com>

Meant to send it to the mailwatch list. Time for some new glasses perhaps :)

From: MailScanner [mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info] On Behalf Of Peter Farrow
Sent: Wednesday, January 30, 2019 5:28 PM
To: Tracy Greggs via MailScanner
Subject: Re: Release dangerous content?

> Take a look here:
>
> https://docs.mailwatch.org/using/faq.html
>
> You need to add 127.0.0.1 rules to prevent this
>
> Pete

From danita at caledonia.net Thu Jan 31 13:44:00 2019
From: danita at caledonia.net (Danita Zanre)
Date: Thu, 31 Jan 2019 14:44:00 +0100
Subject: Oddly missing emails
Message-ID: <42b0e1f3-7975-14c0-c3b6-a1d6969b2b6b@caledonia.net>

Hi folks!

I usually receive multiple email messages from a vendor each day.
About 3 days ago, they seem, with a couple of tiny exceptions, to have stopped. I thought perhaps they were having a problem with their order system. It's pretty difficult to get together with their IT staff though, so I've been trying to figure it out from here. This is the only "error" I see in the mail log, but these messages are delivered. I've searched for the IP address, the sender, etc. in the mail log, and only the messages that get through even seem to appear in the mail log.

The kicker is though that if I change my address on their site to my gmail account, all mail gets through. I expect an email almost immediately when I place orders - 30 orders were placed yesterday with NOT ONE email acknowledgement, and today I have alternated orders by changing my address from my address that goes through mailscanner and my gmail account. The gmail messages always make it and my own account on my corporate mail server do not. Here is the only thing I can see at all - by the way, long ago I used Xeams, and my server name is actually xeams ;-) - so do not be confused by seeing xeams all over the log!
Jan 31 03:49:27 xeams postfix/postscreen[29388]: CONNECT from [174.129.9.32]:48046 to [192.223.10.63]:25
Jan 31 03:49:27 xeams postfix/postscreen[29388]: PASS OLD [174.129.9.32]:48046
Jan 31 03:49:27 xeams postfix/smtpd[7760]: warning: hostname www.aerogarden.com does not resolve to address 174.129.9.32
Jan 31 03:49:27 xeams postfix/smtpd[7760]: connect from unknown[174.129.9.32]
Jan 31 03:49:27 xeams postfix/smtpd[7760]: B3AE220C074: client=unknown[174.129.9.32]
Jan 31 03:49:27 xeams postfix/cleanup[8028]: B3AE220C074: hold: header Received: from ip-172-30-4-103.ec2.internal (unknown [174.129.9.32])  by iris.caledonia.net (Postfix) with ESMTPS id B3AE220C074  for ; Thu, 31 Jan 2019 03:49:27 -0700 (MST) from unknown[174.129.9.32]; from= to= proto=ESMTP helo=
Jan 31 03:49:27 xeams postfix/cleanup[8028]: B3AE220C074: message-id=<201901311046.x0VAkEvc003578 at ip-172-30-4-103>
Jan 31 03:49:27 xeams postfix/smtpd[7760]: disconnect from unknown[174.129.9.32]

I have searched the log for the IP address, the host name, there are simply NO other errors. I will note that the error about the hostname starts about January 25, but I received all mail as usual until about the 27.

Where can I look to find out why these messages don't even seem to make it to the mail log?

Thanks!

--
Danita Zanré, Move Out of the Office
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

From alex at vidadigital.com.pa Thu Jan 31 13:47:40 2019
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Thu, 31 Jan 2019 08:47:40 -0500
Subject: Oddly missing emails
In-Reply-To: <42b0e1f3-7975-14c0-c3b6-a1d6969b2b6b@caledonia.net>
References: <42b0e1f3-7975-14c0-c3b6-a1d6969b2b6b@caledonia.net>
Message-ID:

Search upstream from MailScanner.
Could be something like a firewall/iptables rule, fail2ban, or their server being on a blacklist and blacklisted by postfix.

Alex Neuman van der Hans
Producer/Host, Vida Digital
+1 (440) 253-9789 | +507 6781-9505 | Panama | alex at vidadigital.com.pa | vidadigital.com.pa/
Skype: alexneuman | wiseintro.co/alexneuman

On Thu, Jan 31, 2019 at 8:44 AM Danita Zanre wrote:
> I have searched the log for the IP address, the host name, there are
> simply NO other errors. I will note that the error about the hostname
> starts about January 25, but I received all mail as usual until about the
> 27.
>
> Where can I look to find out why these messages don't even seem to make it
> to the mail log?
From iversons at rushville.k12.in.us Thu Jan 31 13:48:45 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Thu, 31 Jan 2019 08:48:45 -0500
Subject: Oddly missing emails
In-Reply-To: <42b0e1f3-7975-14c0-c3b6-a1d6969b2b6b@caledonia.net>
References: <42b0e1f3-7975-14c0-c3b6-a1d6969b2b6b@caledonia.net>
Message-ID:

That log says that the message was written to HOLD queue. Have anything in there, by chance?

On Thu, Jan 31, 2019 at 8:44 AM Danita Zanre wrote:
> Jan 31 03:49:27 xeams postfix/cleanup[8028]: B3AE220C074: hold: header
> Received: from ip-172-30-4-103.ec2.internal (unknown [174.129.9.32]) by
> iris.caledonia.net (Postfix) with ESMTPS id B3AE220C074 for
> ; Thu, 31 Jan 2019 03:49:27 -0700
> (MST) from unknown[174.129.9.32]; from=
> to= proto=ESMTP helo=

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
From danita at caledonia.net Thu Jan 31 13:54:53 2019
From: danita at caledonia.net (Danita Zanre)
Date: Thu, 31 Jan 2019 14:54:53 +0100
Subject: Oddly missing emails
In-Reply-To:
References: <42b0e1f3-7975-14c0-c3b6-a1d6969b2b6b@caledonia.net>
Message-ID: <78a83a19-4b46-b57b-04b8-69d1515fba09@caledonia.net>

Nope - and this particular message actually was received. Today I've received about 3 messages and they and only they even appear in the log.

Shawn Iverson via MailScanner wrote on 1/31/19 2:48 PM:
> That log says that the message was written to HOLD queue. Have
> anything in there, by chance?
--
Danita Zanré, Move Out of the Office
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

From mark at msapiro.net Thu Jan 31 18:08:37 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 31 Jan 2019 10:08:37 -0800
Subject: Oddly missing emails
In-Reply-To: <78a83a19-4b46-b57b-04b8-69d1515fba09@caledonia.net>
References: <42b0e1f3-7975-14c0-c3b6-a1d6969b2b6b@caledonia.net> <78a83a19-4b46-b57b-04b8-69d1515fba09@caledonia.net>
Message-ID:

On 1/31/19 5:54 AM, Danita Zanre wrote:
> Nope - and this particular message actually was received. Today I've
> received about 3 messages and they and only they even appear in the log.
>
> Shawn Iverson via MailScanner wrote on 1/31/19 2:48 PM:
>> That log says that the message was written to HOLD queue. Have
>> anything in there, by chance?

Writing to the HOLD queue is the normal way messages are queued from Postfix to MailScanner if not using the milter method.

If there is nothing in the mail_log at all for the missing messages, they are not getting to Postfix in the first place.

As Alex suggests in another reply, they are probably sending from multiple servers and this one gets through, but others are blocked by some firewall rule.

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan

From danita at caledonia.net Thu Jan 31 18:26:56 2019
From: danita at caledonia.net (Danita Zanre)
Date: Thu, 31 Jan 2019 19:26:56 +0100
Subject: Oddly missing emails
In-Reply-To:
References: <42b0e1f3-7975-14c0-c3b6-a1d6969b2b6b@caledonia.net> <78a83a19-4b46-b57b-04b8-69d1515fba09@caledonia.net>
Message-ID:

Possible. I'll scout the firewall rule for port 25 blocks. I have so few rules.

--
Danita Zanré, Move Out of the Office
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

On 31 Jan 2019, 19:15 +0100, Mark Sapiro wrote:
> Writing to the HOLD queue is the normal way messages are queued from
> Postfix to MailScanner if not using the milter method.
>
> If there is nothing in the mail_log at all for the missing messages,
> they are not getting to Postfix in the first place.
>
> As Alex suggests in another reply, they are probably sending from
> multiple servers and this one gets through, but others are blocked by
> some firewall rule.
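Mark's diagnosis above rests on reading the Postfix log in the right order: a "hold:" line is the normal handoff to MailScanner, a sender that never appears in the log never reached smtpd, and a sender that appears only in postscreen lines got no further than postscreen. The script below is an added example, not code from the thread or from the MailScanner project, that applies that reasoning to a maillog for one client IP. The lines for 174.129.9.32 are the ones Danita quoted (the hold line lightly trimmed); the lines for 192.0.2.10 and the absent 203.0.113.7 are constructed (documentation addresses) to show the other two outcomes.

```shell
#!/bin/sh
# Added example, not from the thread or the MailScanner project. Classify
# what a Postfix maillog says about one client IP, following the reasoning
# in Mark Sapiro's reply: held = accepted and handed to MailScanner (normal),
# postscreen-only = never reached smtpd, absent = never reached Postfix.
# Needs only grep and sed.

# Queue ids that smtpd assigned to messages from the given client IP.
queue_ids_from() {   # $1 = logfile, $2 = ip
    grep -F 'client=' "$1" | grep -F "[$2]" \
        | sed -n 's|.*postfix/smtpd\[[0-9]*\]: \([0-9A-F]*\): client=.*|\1|p'
}

# Succeeds when the queue id was placed on the hold queue, which is how
# Postfix hands messages to MailScanner when the milter method is not used.
was_held() {   # $1 = logfile, $2 = queue id
    grep -q "$2: hold:" "$1"
}

# Print one verdict word for the IP and return 0.
triage_ip() {   # $1 = logfile, $2 = ip
    log=$1
    ip=$2
    if ! grep -qF "[$ip]" "$log"; then
        # No trace at all: look upstream (firewall, routing, the sender's other hosts).
        echo "absent"
        return 0
    fi
    if ! grep -F 'postfix/smtpd' "$log" | grep -qF "[$ip]"; then
        # postscreen logged the connection but smtpd never saw it: check postscreen's verdict lines.
        echo "postscreen-only"
        return 0
    fi
    ids=$(queue_ids_from "$log" "$ip")
    if [ -z "$ids" ]; then
        # smtpd connection without a queue id: rejected before DATA, or a HELO/TLS failure.
        echo "connected-no-message"
        return 0
    fi
    for id in $ids; do
        if ! was_held "$log" "$id"; then
            # Queued but not held: in a hold-queue setup MailScanner never saw this message.
            echo "accepted-not-held:$id"
            return 0
        fi
    done
    echo "held"
}

# Sample log. The 174.129.9.32 lines are the ones quoted in the thread
# (hold line trimmed); the 192.0.2.10 lines are constructed for the
# postscreen-only case.
write_sample_log() {   # $1 = path
    cat > "$1" <<'EOF'
Jan 31 03:49:27 xeams postfix/postscreen[29388]: CONNECT from [174.129.9.32]:48046 to [192.223.10.63]:25
Jan 31 03:49:27 xeams postfix/postscreen[29388]: PASS OLD [174.129.9.32]:48046
Jan 31 03:49:27 xeams postfix/smtpd[7760]: warning: hostname www.aerogarden.com does not resolve to address 174.129.9.32
Jan 31 03:49:27 xeams postfix/smtpd[7760]: connect from unknown[174.129.9.32]
Jan 31 03:49:27 xeams postfix/smtpd[7760]: B3AE220C074: client=unknown[174.129.9.32]
Jan 31 03:49:27 xeams postfix/cleanup[8028]: B3AE220C074: hold: header Received: from ip-172-30-4-103.ec2.internal (unknown [174.129.9.32]) by iris.caledonia.net (Postfix) with ESMTPS id B3AE220C074; Thu, 31 Jan 2019 03:49:27 -0700 (MST) from unknown[174.129.9.32]; proto=ESMTP
Jan 31 03:49:27 xeams postfix/smtpd[7760]: disconnect from unknown[174.129.9.32]
Jan 31 03:52:10 xeams postfix/postscreen[29388]: CONNECT from [192.0.2.10]:51234 to [192.223.10.63]:25
Jan 31 03:52:16 xeams postfix/postscreen[29388]: DISCONNECT [192.0.2.10]:51234
EOF
}

# Demo: one verdict per IP of interest.
demo() {
    log=$(mktemp)
    write_sample_log "$log"
    for ip in 174.129.9.32 192.0.2.10 203.0.113.7; do
        echo "$ip: $(triage_ip "$log" "$ip")"
    done
    rm -f "$log"
}

if [ "${DEMO:-0}" = 1 ]; then demo; fi
```

Point `triage_ip` at the real maillog and at each IP the vendor sends from; an "absent" verdict for some of their hosts while one is "held" is exactly the multiple-servers-behind-a-firewall picture Mark and Alex describe, and it tells you to look at the firewall or at postscreen rather than at MailScanner.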