From lee.iitb at gmail.com Fri Nov 1 07:14:04 2019
From: lee.iitb at gmail.com (Thomas Stephen Lee)
Date: Fri, 1 Nov 2019 12:44:04 +0530
Subject: MailScanner and Zimbra

Hi,

We use MailScanner on our mail server.

MailScanner scans the incoming mails and relays it to a VM with Zimbra 8.8.15 installed.

However we notice that Zimbra's spam software captures many spam mails which are not captured by MailScanner.

Why is this so ?

thanks

---
Thomas Stephen Lee

From maxsec at gmail.com Fri Nov 1 07:19:30 2019
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 1 Nov 2019 07:19:30 +0000
Subject: MailScanner and Zimbra

What tuning to SpamAssassin have you done and are you on the latest version?

--
Martin Hepworth, CISSP
Oxford, UK

From thom at vdb.nl Fri Nov 1 09:29:31 2019
From: thom at vdb.nl (Thom van der Boon)
Date: Fri, 1 Nov 2019 10:29:31 +0100 (CET)
Subject: MailScanner and Zimbra
Message-ID: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>

I have the same setup.

check the age of the files in /var/spamassassin/version_number/

check whether there is a spamassassin update script in /etc/cron.daily (you will find nothing in your logs to check whether sa-update is working)

If old files quick fix run as root: sa-update --verbose ; service mailscanner restart
Script to auto-update: https://dsr.vanderboon.net/DSR/contrib/

In /etc/MailScanner/MailScanner.conf check and change the following parameters:

Log Spam = yes
Log SpamAssassin Rule Actions = yes
Max Spam Check Size = 20m

restart MailScanner after this and check your logs

Tip 1: Use KAM.cf
KAM.cf is a great collection of spamassassin rules
Rules are here: https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
Script to auto-update: https://dsr.vanderboon.net/DSR/contrib/

Tip 2: Use securiteinfo.com to improve ClamAV detection
It is a paid extension to ClamAV, but it costs less than € 30/USD 35 per year (You only need pro version to protect your mail server)
https://securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml

Thom

From lee.iitb at gmail.com Fri Nov 1 09:35:20 2019
From: lee.iitb at gmail.com (Thomas Stephen Lee)
Date: Fri, 1 Nov 2019 15:05:20 +0530
Subject: MailScanner and Zimbra

We are using MailScanner version 5.1.3-2.
We were using the default version of SpamAssassin that comes with CentOS 7.7.
We have done no tuning of SpamAssassin.
We just now installed the latest version of SpamAssassin that comes with Fedora 31 (3.4.2).

What else do you suggest we do?

thanks

---
Thomas Stephen Lee

From lee.iitb at gmail.com Fri Nov 1 09:55:18 2019
From: lee.iitb at gmail.com (Thomas Stephen Lee)
Date: Fri, 1 Nov 2019 15:25:18 +0530
Subject: MailScanner and Zimbra
In-Reply-To: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>

Thanks for the reply Thom.

We have updated SpamAssassin and added the cron.daily script.

For virus scanning we have installed the ClamAV unofficial sigs and Sophos AV for Linux.

thanks

---
Thomas Stephen Lee

From iversons at rushville.k12.in.us Fri Nov 1 11:04:26 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 1 Nov 2019 07:04:26 -0400
Subject: MailScanner and Zimbra
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>

I don't know what Zimbra is using, but another suggestion is augmenting MailScanner with RBLs (such as ahead of it with Postfix Postscreen, which is very fast) is quite effective. MailScanner and SpamAssassin are just two of many other tools in your spam fighting arsenal.

--
Shawn Iverson, CETL
Rush County Schools
iversons at rushville.k12.in.us

From djones at ena.com Fri Nov 1 12:55:07 2019
From: djones at ena.com (David Jones)
Date: Fri, 1 Nov 2019 12:55:07 +0000
Subject: MailScanner and Zimbra
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>

Great suggestions below. Here are some more:

1. Install greylisting (sqlgrey) and enable it slowly by doing selective greylisting
2. Enable Postfix postscreen with weighted method and add in dozens of RBLs (see spamassassin mailing list archives)
3. Setup postwhite (search github.com) to prevent blocking too much from #1 and #2 above.
4. Install/compile DCC (https://www.dcc-servers.net/dcc/). There are many howto's out there for this.
5. Tune out the MTA (Postfix) settings for rejecting based on DHS and hostname (see spamassassin mailing list archives)
6. Make sure the RelayCountry plugin is enabled and working so you can add rules to bump up scores for certain countries that aren't normal for your particular mail flow.
7. Advanced users can install postfwd and add headers in the MTA that spamassassin can use in local/custom rules.
8. Install opendmarc and policyd-spf into the MTA to add support for DMARC inside spamassassin with the addition of a few rules that use the headers added. (see spamassassin mailing list archives)

A well-tuned MTA (RBLs, greylisting, and DNS/HELO checks) should drop > 98% of the spam/junk before it has to reach spamassassin.

Dave

From iversons at rushville.k12.in.us Fri Nov 1 13:05:38 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 1 Nov 2019 09:05:38 -0400
Subject: MailScanner and Zimbra
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>

+1

We need to put this on the MailScanner website as "Things you can do to enhance your MailScanner" :)

--
Shawn Iverson, CETL
Rush County Schools
iversons at rushville.k12.in.us

From belle at bazuin.nl Fri Nov 1 13:21:33 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 1 Nov 2019 14:21:33 +0100
Subject: MailScanner and Zimbra

Beware of header rewriting/modifications if you are using DKIM/SPF/DMARC.
Then you need to install a Sender Framework Policy program.

If you are using spf/dkim/dmarc and you're forwarding mails, it will get rejected due to modified headers.

if you are using postfix, setup postsrsd - Sender Rewriting Scheme (SRS) lookup table for Postfix
Simple to integrate also.

My current mailscanner results, due to postfix settings.

Processed: 898 311.38MB
Clean: 896 99.8%
Spam: 2 0.2%
All other 0.

No greylisting used, no postwhite used.

Best used of my server postfix postscreen + fail2ban.

I use this setup for postscreen.
Black and white lists are used to for postscreen its counter

postscreen_dnsbl_threshold = 7
postscreen_dnsbl_sites =
        zen.spamhaus.org*4
        b.barracudacentral.org*4
        dnsbl.cobion.com*2
        bl.spameatingmonkey.net*2
        fresh.spameatingmonkey.net*2
        dnsbl.kempt.net*1
        dnsbl.inps.de*2
        bl.spamcop.net*2
        srn.surgate.net=127.0.0.2*1
        spam.dnsbl.sorbs.net*1
        psbl.surriel.com*2
        bl.mailspike.net*2
        rep.mailspike.net=127.0.0.[13;14]*1
        bl.suomispam.net*1
        bl.blocklist.de*2
        ix.dnsbl.manitu.net*2
        dnsbl-1.uceprotect.net*1
        dnsbl-2.uceprotect.net*1
        dnsbl.justspam.org=127.0.0.2*2
        blackholes.tepucom.nl=127.0.0.2*2
        dnsbl.beetjevreemd.nl=127.0.0.2*2
        multi.surbl.org*2
        all.s5h.net=127.0.0.2*1
        hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
        rbl.abuse.ro=127.0.0.[2;4]*2
        gl.suomispam.net=127.0.0.2*1
        truncate.gbudb.net=127.0.0.2*1
        dnsbl.zapbl.net=127.0.0.2*1
        netblockbl.spamgrouper.to=127.0.0.2*1
        dnsbl.spfbl.net=127.0.0.[2;4]*2
        dnsrbl.org*1
        # No RDNS
        dnsbl.spfbl.net=127.0.0.3*1
        hostkarma.junkemailfilter.com=127.0.0.3*1
        # whitelists
        swl.spamhaus.org*-6
        dnswl.spfbl.net=127.0.0.[2;3;4]*-3
        list.dnswl.org=127.0.[0..254].[0..3]*-4
        rep.mailspike.net=127.0.0.[17;18]*-1
        rep.mailspike.net=127.0.0.[19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-4
        nobl.junkemailfilter.com=127.0.0.5*-4

# and a pretty simple fail2ban setup.

# /etc/fail2ban/filter.d/postfix-postscreen.conf
#
# Fail2Ban filter for Postfix's Postscreen blocks.
#
# You need to adjust the Rank number to what you please.
# make sure you match the first number [7-9] so the 7 with postfix/postscreen_dnsbl_threshold value=
# For now we have set rank 7 and up are getting blocked and put in the firewall

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/postscreen

failregex = DNSBL rank ([7-9]|[1-9][0-9]) for \[<HOST>\]

ignoreregex =

# Author: Louis van Belle
#######################################################

in Jail.local

[postfix-postscreen]
port     = smtp
logpath  = /var/log/mail.log
maxretry = 1
bantime = 86400
findtime = 3600
banaction = ufw

Works great (for me) :-)

Greetz,

Louis
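
The weighted postscreen scoring and the fail2ban rank pattern from the message above, worked through in Python as an added example (not part of the original post, nor Postfix or fail2ban code): it parses a subset of the posted `postscreen_dnsbl_sites` entries, scores DNSBL replies against the threshold of 7, and checks which ranks the posted `([7-9]|[1-9][0-9])` alternation matches. The DNSBL replies, client address and log line are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Subset of the postscreen_dnsbl_sites entries from the message above.
DNSBL_SITES = """
zen.spamhaus.org*4
b.barracudacentral.org*4
bl.spamcop.net*2
hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
hostkarma.junkemailfilter.com=127.0.0.3*1
# whitelists
swl.spamhaus.org*-6
list.dnswl.org=127.0.[0..254].[0..3]*-4
hostkarma.junkemailfilter.com=127.0.0.1*-4
"""
THRESHOLD = 7  # postscreen_dnsbl_threshold from the same message

ENTRY_RE = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")
# Rank alternation copied from the fail2ban failregex in the same message.
RANK_RE = re.compile(r"DNSBL rank ([7-9]|[1-9][0-9]) for \[")


def parse_sites(text):
    """Parse 'domain[=filter][*weight]' lines into (domain, filter, weight)."""
    sites = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"bad entry: {line!r}")
        # No '=filter' accepts any reply; no '*weight' means weight 1.
        sites.append((m.group(1), m.group(2), int(m.group(3) or 1)))
    return sites


def octet_matches(pattern, value):
    """Match one reply octet against 'd' or a '[a;b;lo..hi]' pattern."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for alt in pattern[1:-1].split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False


def reply_matches(filter_, reply):
    """True when a DNSBL A-record reply satisfies the entry's filter."""
    if filter_ is None:
        return True
    patterns = re.findall(r"\[[^\]]+\]|\d+", filter_)
    octets = ipaddress.IPv4Address(reply).packed  # iterates as four ints
    return len(patterns) == 4 and all(
        octet_matches(p, o) for p, o in zip(patterns, octets))


def dnsbl_score(sites, replies):
    """Sum the weights of entries matched by replies ({domain: [reply, ...]})."""
    score = 0
    for domain, filter_, weight in sites:
        # An entry is applied at most once, however many replies match it.
        if any(reply_matches(filter_, r) for r in replies.get(domain, [])):
            score += weight
    return score


def verdict(score, threshold=THRESHOLD):
    return "block" if score >= threshold else "pass"  # inclusive lower bound


def fail2ban_rank_matches(score):
    """Check the filter's rank alternation against a constructed log line."""
    line = f"postfix/postscreen[1234]: DNSBL rank {score} for [192.0.2.10]:54321"
    return RANK_RE.search(line) is not None


# Constructed DNSBL answers for three hypothetical clients.
SAMPLES = {
    "listed on several lists": {
        "zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
        "bl.spamcop.net": ["127.0.0.2"],
        "hostkarma.junkemailfilter.com": ["127.0.0.2", "127.0.0.3"],
    },
    "one low-weight list": {"bl.spamcop.net": ["127.0.0.2"]},
    "listed, but on a whitelist too": {
        "zen.spamhaus.org": ["127.0.0.3"],
        "b.barracudacentral.org": ["127.0.0.2"],
        "list.dnswl.org": ["127.0.5.1"],
    },
}

if __name__ == "__main__":
    sites = parse_sites(DNSBL_SITES)
    for name, replies in SAMPLES.items():
        score = dnsbl_score(sites, replies)
        print(f"{name}: score {score} -> {verdict(score)}")
```

The two-digit alternation stops matching at rank 100, which matters only if the positive weights in a list can sum that high.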

From mark at msapiro.net Fri Nov 1 17:16:55 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 1 Nov 2019 10:16:55 -0700
Subject: MailScanner and Zimbra
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>

On 11/1/19 6:05 AM, Shawn Iverson via MailScanner wrote:
> +1
>
> We need to put this on the MailScanner website as "Things you can do to
> enhance your MailScanner" :)

+1

The old web site used to have some tips. See
<https://web.archive.org/web/20150315051129/http://mailscanner.info/gettingthebest.html>.
Some of this is out of date, but we should have similar info on the
current web site.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From lee.iitb at gmail.com Sat Nov 2 09:11:16 2019
From: lee.iitb at gmail.com (Thomas Stephen Lee)
Date: Sat, 2 Nov 2019 14:41:16 +0530
Subject: MailScanner and Zimbra
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>

Hi All,

Thank you very much for all the suggestions.
We will try out one by one.

Given below is a partial output of a message Zimbra caught as spam.

*----------------------------------------------------------------------------*
Content analysis details:   (16.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 1.0 HK_RANDOM_REPLYTO      Reply-To username looks random
 4.1 LOCAL_MAILSCANNER_SPAM MailScanner marked SPAM
 1.0 HK_RANDOM_FROM         From username looks random
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                            provider (hulsingcrm6[at]aliyun.com)
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
                            (hulsingcrm6[at]aliyun.com)
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 6.0 DMARC_FAIL_QUAR        DMARC validation failed and policy is quarantine
 0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom
                            freemail headers are different
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
*----------------------------------------------------------------------------*

thanks

---
Thomas Stephen Lee

On Fri, Nov 1, 2019 at 10:47 PM Mark Sapiro wrote:

> On 11/1/19 6:05 AM, Shawn Iverson via MailScanner wrote:
> > +1
> >
> > We need to put this on the MailScanner website as "Things you can do to
> > enhance your MailScanner" :)
>
> +1
>
> The old web site used to have some tips. See
> <https://web.archive.org/web/20150315051129/http://mailscanner.info/gettingthebest.html>.
> Some of this is out of date, but we should have similar info on the
> current web site.
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

From djones at ena.com Sat Nov 2 17:24:58 2019
From: djones at ena.com (David Jones)
Date: Sat, 2 Nov 2019 17:24:58 +0000
Subject: MailScanner and Zimbra
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
Message-ID: <86BD4723-11F1-4E5C-8965-E40798730766@ena.com>

DMARC and BAYES blocked that email.

It would be interesting to get/see the details of the "DMARC_" rules on the Zimbra server. Zimbra must have added DMARC support to Spamassassin. I wonder if they used opendmarc with custom SA rules to read the opendmarc headers.

Same for LOCAL_MAILSCANNER_SPAM. I would like to see that rule. In a Zimbra environment, you may want to use MailScanner to score only and not block to utilize the built-in Zimbra spam/ham handling.

From iversons at rushville.k12.in.us Sat Nov 2 17:30:48 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 2 Nov 2019 13:30:48 -0400
Subject: MailScanner and Zimbra
In-Reply-To: <86BD4723-11F1-4E5C-8965-E40798730766@ena.com>
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
 <86BD4723-11F1-4E5C-8965-E40798730766@ena.com>
Message-ID:

Following...

Would love to see those rules as well. I like that Zimbra has a
MailScanner rule!

--
Shawn Iverson, CETL
Rush County Schools
iversons at rushville.k12.in.us

From lee.iitb at gmail.com Sun Nov 3 15:09:14 2019
From: lee.iitb at gmail.com (Thomas Stephen Lee)
Date: Sun, 3 Nov 2019 20:39:14 +0530
Subject: MailScanner and Zimbra
In-Reply-To:
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
 <86BD4723-11F1-4E5C-8965-E40798730766@ena.com>
Message-ID:

Hi All,

The DMARC rules are in

https://github.com/Zimbra/zm-mta/blob/develop/salocal.cf.in

Sorry, Zimbra does not have a MailScanner rule.
We added it extra.

vim /opt/zimbra/data/spamassassin/localrules/sauser.cf

-----------------
header   LOCAL_MAILSCANNER_SPAM X-Organization-MailScanner-SpamScore =~ /sssss/
describe LOCAL_MAILSCANNER_SPAM MailScanner marked SPAM
score    LOCAL_MAILSCANNER_SPAM 4.123
-----------------

thanks

---
Thomas Stephen Lee

From iversons at rushville.k12.in.us Sun Nov 3 15:11:23 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 3 Nov 2019 10:11:23 -0500
Subject: MailScanner and Zimbra
In-Reply-To:
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
 <86BD4723-11F1-4E5C-8965-E40798730766@ena.com>
Message-ID:

Thomas,

Thank you for sharing!

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
iversons at rushville.k12.in.us

From djones at ena.com Mon Nov 4 01:30:40 2019
From: djones at ena.com (David Jones)
Date: Mon, 4 Nov 2019 01:30:40 +0000
Subject: MailScanner and Zimbra
In-Reply-To:
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
 <86BD4723-11F1-4E5C-8965-E40798730766@ena.com>
Message-ID:

Those Zimbra rules are better than nothing but they aren't correct on
lines 88, 93, and 98. The DMARC specification says that DKIM should pass
and align with the From: domain OR SPF should pass and align with the
envelope-from domain. Those rules at those lines say it's an AND but it
should be OR like

(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_*

It's not that critical since they are only subtracting a few points for
the DMARC_PASS_* rules. Then again, passing DMARC doesn't have a direct
relationship to spam and ham. It only asserts the email was authentic
(DKIM) or authorized (SPF). You can take any of those DKIM_VALID_AU and
SPF_PASS and create whitelist_auth entries which actually have value
towards allowing/blocking.

The best way to get DMARC support into SA is to install opendmarc and
integrate it into your MTA (plenty of HOWTOs out there) and then add
rules similar to these (adjust regex for your opendmarc.conf AuthservID
setting):

/etc/opendmarc.conf

AuthservID = smtp.example.com
RejectFailures true
Socket inet:8893@localhost
SoftwareHeader true
SPFIgnoreResults true
SPFSelfValidate true

/etc/mail/spamassassin/10_opendmarc.cf

header    DMARC_PASS  Authentication-Results =~ /smtp\.example\.com; dmarc=pass/
describe  DMARC_PASS  DMARC check passed
score     DMARC_PASS  -0.01

header    DMARC_FAIL  Authentication-Results =~ /smtp\.example\.com; dmarc=fail/
describe  DMARC_FAIL  DMARC check failed
score     DMARC_FAIL  0.01

header    DMARC_NONE  Authentication-Results =~ /smtp\.example\.com; dmarc=none/
describe  DMARC_NONE  DMARC check neutral
score     DMARC_NONE  0.01

header    __DMARC_FAIL_REJECT  Authentication-Results =~ /smtp\.example\.com; dmarc=fail \(p=reject/
meta      DMARC_FAIL_REJECT    __DMARC_FAIL_REJECT
describe  DMARC_FAIL_REJECT    DMARC check failed and the sending domains says to reject this message
score     DMARC_FAIL_REJECT    9.0

Then create meta rules based off of the rules above or use MailScanner's
"SpamAssassin Rule Actions" for more precision.

DMARC_PASS != ham and DMARC_FAIL != spam. These should be used to make
safe whitelist_auth entries.

From mark at msapiro.net Mon Nov 4 01:50:45 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 3 Nov 2019 17:50:45 -0800
Subject: MailScanner and Zimbra
In-Reply-To:
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
 <86BD4723-11F1-4E5C-8965-E40798730766@ena.com>
Message-ID: <254b61d6-8405-7794-e198-2153d9a8dd1b@msapiro.net>

On 11/3/19 5:30 PM, David Jones via MailScanner wrote:
> Those Zimbra rules are better than nothing but they aren't correct on
> lines 88, 93, and 98. The DMARC specification says that DKIM should
> pass and align with the From: domain OR SPF should pass and align with
> the envelope-from domain. Those rules at those lines say it's an AND
> but it should be OR like

You are correct that DMARC requires a valid DKIM signature aligned with
the From: domain OR a valid SPF ... SPF itself requires that the
envelope from domain's SPF record permit the sending server, but DMARC
places an additional requirement that the valid SPF domain, which by
definition of SPF is the envelope from domain, align with the domain of
the From: header.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From lee.iitb at gmail.com Mon Nov 4 06:54:24 2019
From: lee.iitb at gmail.com (Thomas Stephen Lee)
Date: Mon, 4 Nov 2019 12:24:24 +0530
Subject: MailScanner and Zimbra
In-Reply-To:
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
 <86BD4723-11F1-4E5C-8965-E40798730766@ena.com>
Message-ID:

Hi David,

You can download and install Zimbra opensource edition from.

https://www.zimbra.com/try/zimbra-collaboration-open-source/

for free

But we don't know how exactly to submit a bug report.

There are forums and bugzilla.

thanks

---
Thomas Stephen Lee
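
Added example (not part of the thread, and not Zimbra's or MailScanner's code): the DMARC pass condition discussed in David Jones's and Mark Sapiro's messages above, evaluated in Python next to an AND combination and an OR that skips SPF alignment. The message fields, the sample cases and the three-entry suffix set standing in for the Public Suffix List are constructed assumptions.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# constructed samples below. Production code needs the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "k12.in.us"}


def org_domain(domain):
    """Organizational domain: the registered name one label below the suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (3, 2):  # try the longest known suffix first
        if len(labels) > n and ".".join(labels[-n:]) in MULTI_LABEL_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_dom, strict=False):
    """Identifier alignment against the From: header domain.

    Relaxed mode compares organizational domains, strict mode exact names.
    """
    if not auth_domain or not from_dom:
        return False
    a, f = auth_domain.lower(), from_dom.lower()
    return a == f if strict else org_domain(a) == org_domain(f)


@dataclass
class Message:
    header_from: str        # value of the From: header
    spf_result: str         # SPF verdict for the envelope-from domain
    mail_from_domain: str   # envelope-from (MAIL FROM) domain
    dkim: list = field(default_factory=list)  # [(result, d= domain), ...]


def header_from_domain(msg):
    return parseaddr(msg.header_from)[1].rpartition("@")[2].lower()


def checks(msg, strict=False):
    """Return (spf_pass, spf_pass_and_aligned, dkim_pass_and_aligned)."""
    fd = header_from_domain(msg)
    spf_pass = msg.spf_result == "pass"
    spf_ok = spf_pass and aligned(msg.mail_from_domain, fd, strict)
    dkim_ok = any(res == "pass" and aligned(d, fd, strict)
                  for res, d in msg.dkim)
    return spf_pass, spf_ok, dkim_ok


def dmarc_pass(msg, strict=False):
    """DMARC passes when aligned SPF OR aligned DKIM passes."""
    _, spf_ok, dkim_ok = checks(msg, strict)
    return spf_ok or dkim_ok


def and_rule(msg):
    """Modelled assumption of the AND combination the thread criticises."""
    _, spf_ok, dkim_ok = checks(msg)
    return spf_ok and dkim_ok


def or_without_spf_alignment(msg):
    """Aligned DKIM OR any SPF pass, with no alignment check on SPF."""
    spf_pass, _, dkim_ok = checks(msg)
    return dkim_ok or spf_pass


# Constructed sample messages (not taken from the thread).
SAMPLES = {
    # Relayed by a list: SPF passes for the list's domain, DKIM survives.
    "list_forward": Message("Alice <alice@example.com>", "pass",
                            "lists.example.net", [("pass", "example.com")]),
    # SPF passes for an unrelated envelope domain, no DKIM signature.
    "unaligned_spf_only": Message("billing@example.com", "pass",
                                  "mailer.example.net"),
    # Bounce subdomain of the author domain, no DKIM signature.
    "subdomain_bounce": Message("news@example.com", "pass",
                                "bounce.example.com"),
    # Valid signature from a third party, SPF fails.
    "third_party_dkim": Message("news@example.com", "fail", "example.com",
                                [("pass", "esp.example.org")]),
}


def evaluate_samples():
    """Map sample name -> (dmarc_pass, and_rule, or_without_spf_alignment)."""
    return {name: (dmarc_pass(m), and_rule(m), or_without_spf_alignment(m))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, row in evaluate_samples().items():
        print(f"{name:20} dmarc={row[0]!s:5} and={row[1]!s:5} "
              f"or_no_spf_align={row[2]!s:5}")
```

The AND combination rejects the list-forwarded and subdomain-bounce messages that DMARC accepts, while the OR without SPF alignment accepts the message whose only passing check is SPF for an unrelated envelope domain.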

From iversons at rushville.k12.in.us Mon Nov 4 14:24:47 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 4 Nov 2019 09:24:47 -0500
Subject: MailScanner and Zimbra
In-Reply-To:
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
 <86BD4723-11F1-4E5C-8965-E40798730766@ena.com>
Message-ID:

I can give the Zimbra folks a hand. I will try to reach out to them.
They definitely need to be adhering to DMARC specs.
Those rules at those lines say it?s an AND but it >> should be OR like >> >> >> >> (DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_* >> >> >> >> It?s not that critical since they are only subtracting a few points for >> the DMARC_PASS_* rules. Then again, passing DMARC doesn?t have a direct >> relationship to spam and ham. It only asserts the email was authentic >> (DKIM) or authorized (SPF). You can take any of those DKIM_VALID_AU and >> SPF_PASS and create whitelist_auth entries which actually have value >> towards allowing/blocking. >> >> >> >> The best way to get DMARC support into SA is to install opendmarc and >> integrate it into your MTA (plenty of HOWTOs out there) and then add rules >> similar to these (adjust regex for your opendmarc.conf AuthservID setting): >> >> >> >> /etc/opendmarc.conf >> >> AuthservID = smtp.example.com >> >> RejectFailures true >> >> Socket inet:8893 at localhost >> >> SoftwareHeader true >> >> SPFIgnoreResults true >> >> SPFSelfValidate true >> >> >> >> >> >> /etc/mail/spamassassin/10_opendmarc.cf >> >> header DMARC_PASS Authentication-Results =~ >> /smtp\.example\.com; dmarc=pass/ >> >> describe DMARC_PASS DMARC check passed >> >> score DMARC_PASS -0.01 >> >> >> >> header DMARC_FAIL Authentication-Results =~ >> /smtp\.example\.com; dmarc=fail/ >> >> describe DMARC_FAIL DMARC check failed >> >> score DMARC_FAIL 0.01 >> >> >> >> header DMARC_NONE Authentication-Results =~ >> /smtp\.example\.com; dmarc=none/ >> >> describe DMARC_NONE DMARC check neutral >> >> score DMARC_NONE 0.01 >> >> >> >> header __DMARC_FAIL_REJECT Authentication-Results =~ >> /smtp\.example\.com; dmarc=fail \(p=reject/ >> >> meta DMARC_FAIL_REJECT __DMARC_FAIL_REJECT >> >> describe DMARC_FAIL_REJECT DMARC check failed and the >> sending domains says to reject this message >> >> score DMARC_FAIL_REJECT 9.0 >> >> >> >> Then create meta rules based off of the rules above or use MailScanner?s >> ?SpamAssassin Rule Actions? form more precision. 
>> >> >> >> DMARC_PASS != ham and DMARC_FAIL != spam. These should be used to make >> safe whitelist_auth entries. >> >> >> >> >> >> *From: *Thomas Stephen Lee >> *Date: *Sunday, November 3, 2019 at 9:10 AM >> *To: *MailScanner Discussion >> *Cc: *Shawn Iverson , David Jones < >> djones at ena.com> >> *Subject: *Re: MailScanner and Zimbra >> >> >> >> Hi All, >> >> The DMARC rules are in >> >> https://github.com/Zimbra/zm-mta/blob/develop/salocal.cf.in >> >> Sorry, Zimbra does not have a MailScanner rule. >> We added it extra. >> >> vim /opt/zimbra/data/spamassassin/localrules/sauser.cf >> >> ----------------- >> header LOCAL_MAILSCANNER_SPAM X-Organization-MailScanner-SpamScore >> =~ /sssss/ >> describe LOCAL_MAILSCANNER_SPAM MailScanner marked SPAM >> score LOCAL_MAILSCANNER_SPAM 4.123 >> ----------------- >> >> >> thanks >> >> --- >> >> Thomas Stephen Lee >> >> >> >> On Sat, Nov 2, 2019 at 11:01 PM Shawn Iverson via MailScanner < >> mailscanner at lists.mailscanner.info> wrote: >> >> Following... >> >> >> >> Would love to see those rules as well. I like that Zimbra has a >> MailScanner rule! >> >> >> >> On Sat, Nov 2, 2019 at 1:25 PM David Jones via MailScanner < >> mailscanner at lists.mailscanner.info> wrote: >> >> DMARC and BAYES blocked that email. >> >> >> >> It would be interesting to get/see the details of the ?DMARC_? rules on >> the Zimbra server. Zimbra must have added DMARC support to Spamassassin. >> I wonder if they used opendmarc with custom SA rules to read the opendmarc >> headers. >> >> >> >> Same for LOCAL_MAILSCANNER_SPAM. I would like to see that rule. In a >> Zimbra environment, you may want to use MailScanner to score only and not >> block to utilize the built-in Zimbra spam/ham handling. 
>> >> >> >> *From: *MailScanner > ena.com at lists.mailscanner.info> on behalf of Thomas Stephen Lee < >> lee.iitb at gmail.com> >> *Reply-To: *MailScanner Discussion >> *Date: *Saturday, November 2, 2019 at 4:12 AM >> *To: *MailScanner Discussion >> *Subject: *Re: MailScanner and Zimbra >> >> >> >> Hi All, >> >> Thank you very much for all the suggestions. >> We will try out one by one. >> >> Given below is a partial output of a message Zimbra caught as spam. >> >> >> >> *----------------------------------------------------------------------------* >> >> Content analysis details: (16.2 points, 5.0 required) >> >> pts rule name description >> ---- ---------------------- >> -------------------------------------------------- >> -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP >> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% >> [score: 1.0000] >> 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% >> [score: 1.0000] >> 1.0 HK_RANDOM_REPLYTO Reply-To username looks random >> 4.1 LOCAL_MAILSCANNER_SPAM MailScanner marked SPAM >> 1.0 HK_RANDOM_FROM From username looks random >> 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail >> provider >> (hulsingcrm6[at]aliyun.com) >> 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail >> domains are different >> 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record >> 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit >> (hulsingcrm6[at]aliyun.com) >> 0.0 HTML_MESSAGE BODY: HTML included in message >> 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts >> 6.0 DMARC_FAIL_QUAR DMARC validation failed and policy is >> quarantine >> 0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom >> freemail headers are different >> 0.8 RDNS_NONE Delivered to internal network by a host with >> no rDNS >> >> >> *----------------------------------------------------------------------------* >> >> >> thanks >> >> --- >> Thomas Stephen 
Lee >> >> >> >> On Fri, Nov 1, 2019 at 10:47 PM Mark Sapiro wrote: >> >> On 11/1/19 6:05 AM, Shawn Iverson via MailScanner wrote: >> > +1 >> > >> > We need to put this on the MailScanner website as "Things you can do to >> > enhance your MailScanner" :) >> >> +1 >> >> The old web site used to have some tips. See >> < >> https://web.archive.org/web/20150315051129/http://mailscanner.info/gettingthebest.html >> >> >. >> Some of this is out of date, but we should have similar info on the >> current web site. >> >> >> -- >> Mark Sapiro The highway is for gamblers, >> San Francisco Bay Area, California better use your sense - B. Dylan >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> >> >> -- >> >> Shawn Iverson, CETL >> >> Rush County Schools >> >> iversons at rushville.k12.in.us >> >> >> >> *Error! Filename not specified.**Error! Filename not specified.**Error! >> Filename not specified.* >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> -- Shawn Iverson, CETL Rush County Schools iversons at rushville.k12.in.us [image: Cybersecurity] -------------- next part -------------- An HTML attachment was scrubbed... URL: From mailscanner at replies.cyways.com Mon Nov 4 15:12:22 2019 From: mailscanner at replies.cyways.com (Peter H. Lemieux) Date: Mon, 4 Nov 2019 10:12:22 -0500 Subject: lots of hung cron jobs Message-ID: <3cc33c72-e73a-857e-fe30-6b955f6f415b@replies.cyways.com> CentOS 6.10 MailScanner 5.1.3-2 Running "ps ax" on this server this morning brought up over a dozen hung cron processes like this: awk -v progname=/etc/cron.hourly/mailscanner progname {????? 
print prognam
/bin/sh /usr/sbin/ms-cron HOURLY
/bin/sh /usr/sbin/ms-check

Any suggestions why this might be happening?

Peter

From lee.iitb at gmail.com Tue Nov 5 07:52:48 2019
From: lee.iitb at gmail.com (Thomas Stephen Lee)
Date: Tue, 5 Nov 2019 13:22:48 +0530
Subject: MailScanner and Zimbra
In-Reply-To:
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl> <86BD4723-11F1-4E5C-8965-E40798730766@ena.com>
Message-ID:

Thanks all.

---
Thomas Stephen Lee

On Mon, Nov 4, 2019 at 7:55 PM Shawn Iverson wrote:

> I can give the Zimbra folks a hand. I will try to reach out to them.
> They definitely need to be adhering to DMARC specs.

From iversons at rushville.k12.in.us Tue Nov 5 14:36:00 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 5 Nov 2019 09:36:00 -0500
Subject: MailScanner 5.2.1-1 Released
Message-ID:

Dear MailScanner List:

MailScanner 5.2.1-1 has been released.
Many thanks go to all contributors and the entire MailScanner team.

Please read the README below in its entirety before updating to
MailScanner 5.2.1-1. MailScanner has undergone refactoring to eliminate
the need for tarballs for major distributions. This is especially
important if you are using automated deployment tools to install
MailScanner, since retooling for the new packaging may be required.

https://github.com/MailScanner/v5/blob/master/README

https://github.com/MailScanner/v5/blob/master/changelog

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
iversons at rushville.k12.in.us

From kevin.miller at juneau.org Tue Nov 5 19:01:03 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Tue, 5 Nov 2019 19:01:03 +0000
Subject: MailScanner 5.2.1-1 Released
In-Reply-To:
References:
Message-ID: <621c2c3f05464b35bc59d7d33200132d@City-Exch-DB2.cbj.local>

Groovy.
One quick question: Will the insertion of an "External message warning" affect DKIM/DMARC?

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

From: MailScanner On Behalf Of Shawn Iverson via MailScanner
Sent: Tuesday, November 5, 2019 5:36 AM
To: mailscanner at lists.mailscanner.info
Cc: Shawn Iverson
Subject: MailScanner 5.2.1-1 Released

EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
________________________________________
Dear MailScanner List:

MailScanner 5.2.1-1 has been released. Many thanks go to all contributors and the entire MailScanner team.

Please read the README below in its entirety before updating to MailScanner 5.2.1-1. MailScanner has undergone refactoring to eliminate the need for tarballs for major distributions. This is especially important if you are using automated deployment tools to install MailScanner, since retooling for the new packaging may be required.

https://github.com/MailScanner/v5/blob/master/README

https://github.com/MailScanner/v5/blob/master/changelog

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
mailto:iversons at rushville.k12.in.us

From mark at msapiro.net Tue Nov 5 19:10:05 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 5 Nov 2019 11:10:05 -0800
Subject: MailScanner 5.2.1-1 Released
In-Reply-To: <621c2c3f05464b35bc59d7d33200132d@City-Exch-DB2.cbj.local>
References: <621c2c3f05464b35bc59d7d33200132d@City-Exch-DB2.cbj.local>
Message-ID: <8d28ae89-1287-299d-d2d3-3e72720b08d3@msapiro.net>

On 11/5/19 11:01 AM, Kevin Miller via MailScanner wrote:
> Groovy.
> One quick question: Will the insertion of an "External message warning" affect DKIM/DMARC?

It will modify the message body which will break any DKIM signature
which signs the body (hard to imagine one that doesn't) and thus will
cause any DMARC check that relies on DKIM (as opposed to SPF) to fail.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From kevin.miller at juneau.org Tue Nov 5 19:17:55 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Tue, 5 Nov 2019 19:17:55 +0000
Subject: MailScanner 5.2.1-1 Released
In-Reply-To: <8d28ae89-1287-299d-d2d3-3e72720b08d3@msapiro.net>
References: <621c2c3f05464b35bc59d7d33200132d@City-Exch-DB2.cbj.local> <8d28ae89-1287-299d-d2d3-3e72720b08d3@msapiro.net>
Message-ID: <6d6bec2142bb44abb6b39c07ef8f838d@City-Exch-DB2.cbj.local>

That's what I was concerned about. It may be moot, as I'm doing DKIM/DMARC checking in Postfix so hopefully messages will pass or fail DKIM (and hence, be accepted or rejected) prior to MailScanner touching them. Definitely something to watch closely and test before applying it to my production servers...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

-----Original Message-----
From: MailScanner On Behalf Of Mark Sapiro
Sent: Tuesday, November 5, 2019 10:10 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: MailScanner 5.2.1-1 Released

EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
________________________________

On 11/5/19 11:01 AM, Kevin Miller via MailScanner wrote:
> Groovy.
> One quick question: Will the insertion of an "External message warning" affect DKIM/DMARC?

It will modify the message body which will break any DKIM signature which signs the body (hard to imagine one that doesn't) and thus will cause any DMARC check that relies on DKIM (as opposed to SPF) to fail.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From iversons at rushville.k12.in.us Tue Nov 5 21:08:24 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 5 Nov 2019 16:08:24 -0500
Subject: MailScanner 5.2.1-1 Released
In-Reply-To: <6d6bec2142bb44abb6b39c07ef8f838d@City-Exch-DB2.cbj.local>
References: <621c2c3f05464b35bc59d7d33200132d@City-Exch-DB2.cbj.local> <8d28ae89-1287-299d-d2d3-3e72720b08d3@msapiro.net> <6d6bec2142bb44abb6b39c07ef8f838d@City-Exch-DB2.cbj.local>
Message-ID:

Kevin,

Correct, which is why it is off initially by default.

On Tue, Nov 5, 2019, 2:18 PM Kevin Miller via MailScanner
<mailscanner at lists.mailscanner.info> wrote:

> That's what I was concerned about. It may be moot, as I'm doing
> DKIM/DMARC checking in Postfix so hopefully messages will pass or fail
> DKIM (and hence, be accepted or rejected) prior to MailScanner touching
> them. Definitely something to watch closely and test before applying it to
> my production servers...
>
> ...Kevin

From danita at caledonia.net Tue Nov 5 21:53:00 2019
From: danita at caledonia.net (Danita Zanre)
Date: Tue, 5 Nov 2019 22:53:00 +0100
Subject: Comodo for Linux?
Message-ID:

Is it possible to use Comodo Anti-Virus for Linux with Mailscanner? I've
been googling, but haven't really found any info on it. If it's
possible, is there a quick tutorial anywhere on how to set it up?

Thanks.

--
*Danita Zanre*, /Move Out of the Office/
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

From iversons at rushville.k12.in.us Tue Nov 5 22:01:06 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 5 Nov 2019 17:01:06 -0500
Subject: Comodo for Linux?
In-Reply-To:
References:
Message-ID:

Anything is possible :D

We would need to build a wrapper for Comodo's scan engine. Does Comodo
provide a trial version I could use to research the scan engine?

On Tue, Nov 5, 2019, 4:53 PM Danita Zanre wrote:

> Is it possible to use Comodo Anti-Virus for Linux with Mailscanner? I've
> been googling, but haven't really found any info on it. If it's possible,
> is there a quick tutorial anywhere on how to set it up?
>
> Thanks.

From danita at caledonia.net Tue Nov 5 22:26:14 2019
From: danita at caledonia.net (Danita Zanre)
Date: Tue, 5 Nov 2019 23:26:14 +0100
Subject: Comodo for Linux?
In-Reply-To:
References:
Message-ID: <4348b50d-8a37-cc15-3826-d129d7d2129e@caledonia.net>

Here's their download site.
https://www.comodo.com/home/download/download.php?prod=antivirus-for-linux

Always up for a challenge, I know Shawn!!!!

Danita

Shawn Iverson via MailScanner wrote on 11/5/19 11:01 PM:
> Anything is possible :D
>
> We would need to build a wrapper for Comodo's scan engine. Does Comodo
> provide a trial version I could use to research the scan engine?

--
*Danita Zanre*, /Move Out of the Office/
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

From john at tradoc.fr Wed Nov 6 07:53:30 2019
From: john at tradoc.fr (John Wilcock)
Date: Wed, 6 Nov 2019 08:53:30 +0100
Subject: MailScanner 5.2.1-1 Released
In-Reply-To:
References:
Message-ID: <32dca262-a060-46bb-4b64-ae9886074368@tradoc.fr>

Thanks, Shawn.

Will you be continuing to distribute tarballs in the future? Do you have
a quick pointer to what's been changed by the "refactoring", so that I
can see how it would affect gentoo?

Thanks,
John

On 05/11/2019 at 15:36, Shawn Iverson via MailScanner wrote:
> Dear MailScanner List:
>
> MailScanner 5.2.1-1 has been released. Many thanks go to all
> contributors and the entire MailScanner team.
>
> Please read the README below in its entirety before updating to
> MailScanner 5.2.1-1. MailScanner has undergone refactoring to
> eliminate the need for tarballs for major distributions. This is
> especially important if you are using automated deployment tools to
> install MailScanner, since retooling for the new packaging may be
> required.
>
> https://github.com/MailScanner/v5/blob/master/README
>
> https://github.com/MailScanner/v5/blob/master/changelog
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Wed Nov 6 10:06:53 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 6 Nov 2019 05:06:53 -0500
Subject: MailScanner 5.2.1-1 Released
In-Reply-To: <32dca262-a060-46bb-4b64-ae9886074368@tradoc.fr>
References: <32dca262-a060-46bb-4b64-ae9886074368@tradoc.fr>
Message-ID:

John,

The only tarball will be for generic *nix systems going forward.

Since this was a code refactor, functionality remains the same aside from
items documented in the changelog, which are unrelated to the refactor
itself.

The difference is that for major distributions (RHEL-based, Debian-based,
SUSE-based), you install the package and then run /usr/sbin/ms-configure
(formerly install.sh, with or without --update, depending on whether you
are upgrading or installing)

On Wed, Nov 6, 2019 at 2:53 AM John Wilcock wrote:

> Thanks, Shawn.
>
> Will you be continuing to distribute tarballs in the future? Do you have a
> quick pointer to what's been changed by the "refactoring", so that I can
> see how it would affect gentoo?
>
> Thanks,
> John

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
iversons at rushville.k12.in.us

From danita at caledonia.net Wed Nov 6 12:07:51 2019
From: danita at caledonia.net (Danita Zanre)
Date: Wed, 6 Nov 2019 13:07:51 +0100
Subject: Comodo for Linux?
In-Reply-To: <4348b50d-8a37-cc15-3826-d129d7d2129e@caledonia.net>
References: <4348b50d-8a37-cc15-3826-d129d7d2129e@caledonia.net>
Message-ID: <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>

FYI - we're a small family site using ClamAV - and while it would not be
out of the question to "purchase" AV, free is nice! ClamAV has been
causing us all kinds of issues, and results in almost every message
being delayed at least 5 minutes. If there are other free or inexpensive
options we should look at that already work with Mailscanner, I'm all
ears!

Thanks

Danita

Danita Zanre wrote on 11/5/19 11:26 PM:
> Here's their download site.
> https://www.comodo.com/home/download/download.php?prod=antivirus-for-linux
>
> Always up for a challenge, I know Shawn!!!!
>
> Danita

--
*Danita Zanre*, /Move Out of the Office/
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

From Antony.Stone at mailscanner.open.source.it Wed Nov 6 12:13:16 2019
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Wed, 6 Nov 2019 13:13:16 +0100
Subject: Comodo for Linux?
In-Reply-To: <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>
References: <4348b50d-8a37-cc15-3826-d129d7d2129e@caledonia.net> <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>
Message-ID: <201911061313.16097.Antony.Stone@mailscanner.open.source.it>

On Wednesday 06 November 2019 at 13:07:51, Danita Zanre wrote:

> ClamAV has been causing us all kinds of issues

Care to give some details?

Are you using ClamAV directly from MailScanner, or is it plugged into your
mail flow in some other way?

> and results in almost every message being delayed at least 5 minutes.

Got any log file records to show what can be going on there?
What size machine are you doing the processing on?

Antony.

--
This sentence contains exacly three erors.

Please reply to the list; please *don't* CC me.

From andrew at andew.org.uk Wed Nov 6 12:17:07 2019
From: andrew at andew.org.uk (Andrew Pearce)
Date: Wed, 06 Nov 2019 12:17:07 +0000
Subject: Comodo for Linux?
In-Reply-To: <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>
References: <4348b50d-8a37-cc15-3826-d129d7d2129e@caledonia.net> <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>
Message-ID:

There is a free version of sophos that works with MailScanner. You can download it from https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx

Regards

Andrew

On 2019-11-06 12:07, Danita Zanre wrote:
> FYI - we're a small family site using ClamAV - and while it would not
> be out of the question to "purchase" AV, free is nice! ClamAV has
> been causing us all kinds of issues, and results in almost every
> message being delayed at least 5 minutes. If there are other free or
> inexpensive options we should look at that already work with
> Mailscanner, I'm all ears!
>
> Thanks
>
> Danita
>
> Danita Zanre wrote on 11/5/19 11:26 PM:
>
>> Here's their download site.
>> https://www.comodo.com/home/download/download.php?prod=antivirus-for-linux
>>
>> Always up for a challenge, I know Shawn!!!!
>>
>> Danita
>>
>> Shawn Iverson via MailScanner wrote on 11/5/19 11:01 PM:
>>
>> Anything is possible :D
>>
>> We would need to build a wrapper for Comodo's scan engine. Does
>> Comodo provide a trial version I could use to research the scan
>> engine?
>>
>> On Tue, Nov 5, 2019, 4:53 PM Danita Zanre
>> wrote:
>>
>> Is it possible to use Comodo Anti-Virus for Linux with Mailscanner?
>> I've been googling, but haven't really found any info on it. If
>> it's possible, is there a quick tutorial anywhere on how to set it
>> up?
>>
>> Thanks.
>>
>> --
>> DANITA ZANRÉ, _Move Out of the Office_
>> I love my job, and you can too!
>> Tel: (720) 319-7530 - Caledonia.Net [1] LLC
>> Tel: (720) 319-8240 - Move Out of the Office
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by IRIS MAILSCANNER [2], and is
>> believed to be clean.
>
> --
> DANITA ZANRÉ, _Move Out of the Office_
> I love my job, and you can too!
> Tel: (720) 319-7530 - Caledonia.Net [1] LLC
> Tel: (720) 319-8240 - Move Out of the Office
>
> --
> This message has been scanned for viruses and
> dangerous content by IRIS MAILSCANNER [2], and is
> believed to be clean.
>
> --
> DANITA ZANRÉ, _Move Out of the Office_
> I love my job, and you can too!
> Tel: (720) 319-7530 - Caledonia.Net [1] LLC
> Tel: (720) 319-8240 - Move Out of the Office
>
> --
> This message has been scanned for viruses and
> dangerous content by MAILSCANNER [3], and is
> believed to be clean.
>
> Links:
> ------
> [1] http://caledonia.net/
> [2] http://iris.caledonia.net/
> [3] http://www.mailscanner.info/

From mailinglists at feedmebits.nl Wed Nov 6 12:15:49 2019
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 6 Nov 2019 13:15:49 +0100
Subject: Comodo for Linux?
In-Reply-To: <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>
References: <4348b50d-8a37-cc15-3826-d129d7d2129e@caledonia.net> <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>
Message-ID:

I use sophos and clamav for my personal mailserver, also free:

https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx

On 11/6/19 1:07 PM, Danita Zanre wrote:
> FYI - we're a small family site using ClamAV - and while it would not
> be out of the question to "purchase" AV, free is nice! ClamAV has
> been causing us all kinds of issues, and results in almost every
> message being delayed at least 5 minutes. If there are other free or
> inexpensive options we should look at that already work with
> Mailscanner, I'm all ears!
>
> Thanks
>
> Danita
>
>
> Danita Zanre wrote on 11/5/19 11:26 PM:
>> Here's their download site.
>> https://www.comodo.com/home/download/download.php?prod=antivirus-for-linux
>>
>> Always up for a challenge, I know Shawn!!!!
>>
>> Danita
>>
>>
>> Shawn Iverson via MailScanner wrote on 11/5/19 11:01 PM:
>>> Anything is possible :D
>>>
>>> We would need to build a wrapper for Comodo's scan engine. Does
>>> Comodo provide a trial version I could use to research the scan engine?
>>>
>>> On Tue, Nov 5, 2019, 4:53 PM Danita Zanre wrote:
>>>
>>> Is it possible to use Comodo Anti-Virus for Linux with
>>> Mailscanner? I've been googling, but haven't really found any
>>> info on it. If it's possible, is there a quick tutorial
>>> anywhere on how to set it up?
>>>
>>> Thanks.
>>>
>>> --
>>> *Danita Zanré*, /Move Out of the Office/
>>> I love my job, and you can too!
>>> Tel: (720) 319-7530 - Caledonia.Net LLC
>>> Tel: (720) 319-8240 - Move Out of the Office
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by *Iris MailScanner*, and is
>>> believed to be clean.
>>
>> --
>> *Danita Zanré*, /Move Out of the Office/
>> I love my job, and you can too!
>> Tel: (720) 319-7530 - Caledonia.Net LLC
>> Tel: (720) 319-8240 - Move Out of the Office
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by *Iris MailScanner*, and is
>> believed to be clean.
>
> --
> *Danita Zanré*, /Move Out of the Office/
> I love my job, and you can too!
> Tel: (720) 319-7530 - Caledonia.Net LLC
> Tel: (720) 319-8240 - Move Out of the Office

From belle at bazuin.nl Wed Nov 6 12:49:15 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 6 Nov 2019 13:49:15 +0100
Subject: Comodo for Linux?
In-Reply-To:
References: <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>
Message-ID:

Hai,

That's a nice one to know.. time to test sophos also. Thanks for the info

@Danita. Quote: " ClamAV has been causing us all kinds of issues, and results in almost every message being delayed at least 5 minutes."

Then I suggest you investigate your setup.
I'm running mailscanner + mailwatch and clamav + postfix for about 5-6 years now, 0 problems and max 1 min delay.

Greetz,

Louis

________________________________
From: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On Behalf Of Maarten
Sent: Wednesday, 6 November 2019 13:16
To: MailScanner Discussion
Subject: Re: Comodo for Linux?

I use sophos and clamav for my personal mailserver, also free:

https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx

On 11/6/19 1:07 PM, Danita Zanre wrote:

FYI - we're a small family site using ClamAV - and while it would not be out of the question to "purchase" AV, free is nice! ClamAV has been causing us all kinds of issues, and results in almost every message being delayed at least 5 minutes. If there are other free or inexpensive options we should look at that already work with Mailscanner, I'm all ears!

Thanks

Danita

Danita Zanre wrote on 11/5/19 11:26 PM:

Here's their download site.
https://www.comodo.com/home/download/download.php?prod=antivirus-for-linux

Always up for a challenge, I know Shawn!!!!

Danita

Shawn Iverson via MailScanner wrote on 11/5/19 11:01 PM:

Anything is possible :D

We would need to build a wrapper for Comodo's scan engine. Does Comodo provide a trial version I could use to research the scan engine?

On Tue, Nov 5, 2019, 4:53 PM Danita Zanre wrote:

Is it possible to use Comodo Anti-Virus for Linux with Mailscanner?
I've been googling, but haven't really found any info on it. If it's possible, is there a quick tutorial anywhere on how to set it up?

Thanks.

--
Danita Zanré, Move Out of the Office
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

--
This message has been scanned for viruses and dangerous content by Iris MailScanner, and is believed to be clean.

--
Danita Zanré, Move Out of the Office
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

--
This message has been scanned for viruses and dangerous content by Iris MailScanner, and is believed to be clean.

--
Danita Zanré, Move Out of the Office
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

From mailscanner at replies.cyways.com Wed Nov 6 13:11:28 2019
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Wed, 6 Nov 2019 08:11:28 -0500
Subject: lots of hung cron jobs
Message-ID: <819cecc1-4280-11f6-2634-36dc0346440f@replies.cyways.com>

I had the same situation this morning. I've disabled the cron job for now.

Running "ms-cron HOURLY" from the command prompt hangs.

Peter

CentOS 6.10
MailScanner 5.1.3-2

Running "ps ax" on this server this morning brought up over a dozen hung cron processes like this:

awk -v progname=/etc/cron.hourly/mailscanner progname {     print prognam
/bin/sh /usr/sbin/ms-cron HOURLY
/bin/sh /usr/sbin/ms-check

Any suggestions why this might be happening?

Peter

From djones at ena.com Wed Nov 6 16:49:13 2019
From: djones at ena.com (David Jones)
Date: Wed, 6 Nov 2019 16:49:13 +0000
Subject: Comodo for Linux?
In-Reply-To:
References: <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>,
Message-ID:

Max 1 min delay? Using clamd, a batch should be a max of 3 to 4 seconds. I run a larger farm of 8 MailScanners processing about 600K emails a day and 1 min batch processing would be really bad.

I am running a number of the UNOFFICIAL sigs that dramatically enhance ClamAV's ability to block spam, not just viruses, and still very low delay in the few seconds range.

I also use Eset Nod32 which is very fast and cheap -- around $330 USD every 3 years for 8 licenses.

I will check out Sophos but my tuned out (UNOFFICIAL sigs) ClamAV is far better than a standard AV scanner.

________________________________
From: MailScanner on behalf of L.P.H. van Belle via MailScanner
Sent: Wednesday, November 6, 2019 6:49 AM
To: MailScanner Discussion
Cc: L.P.H. van Belle
Subject: RE: Comodo for Linux?

Hai,

That's a nice one to know.. time to test sophos also. Thanks for the info

@Danita. Quote: " ClamAV has been causing us all kinds of issues, and results in almost every message being delayed at least 5 minutes."

Then I suggest you investigate your setup.
I'm running mailscanner + mailwatch and clamav + postfix for about 5-6 years now, 0 problems and max 1 min delay.

Greetz,

Louis

________________________________
From: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On Behalf Of Maarten
Sent: Wednesday, 6 November 2019 13:16
To: MailScanner Discussion
Subject: Re: Comodo for Linux?

I use sophos and clamav for my personal mailserver, also free:

https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx

On 11/6/19 1:07 PM, Danita Zanre wrote:

FYI - we're a small family site using ClamAV - and while it would not be out of the question to "purchase" AV, free is nice! ClamAV has been causing us all kinds of issues, and results in almost every message being delayed at least 5 minutes.
If there are other free or inexpensive options we should look at that already work with Mailscanner, I'm all ears!

Thanks

Danita

Danita Zanre wrote on 11/5/19 11:26 PM:

Here's their download site.
https://www.comodo.com/home/download/download.php?prod=antivirus-for-linux

Always up for a challenge, I know Shawn!!!!

Danita

Shawn Iverson via MailScanner wrote on 11/5/19 11:01 PM:

Anything is possible :D

We would need to build a wrapper for Comodo's scan engine. Does Comodo provide a trial version I could use to research the scan engine?

On Tue, Nov 5, 2019, 4:53 PM Danita Zanre wrote:

Is it possible to use Comodo Anti-Virus for Linux with Mailscanner? I've been googling, but haven't really found any info on it. If it's possible, is there a quick tutorial anywhere on how to set it up?

Thanks.

--
Danita Zanré, Move Out of the Office
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

--
This message has been scanned for viruses and dangerous content by Iris MailScanner, and is believed to be clean.

--
Danita Zanré, Move Out of the Office
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

--
This message has been scanned for viruses and dangerous content by Iris MailScanner, and is believed to be clean.

--
Danita Zanré, Move Out of the Office
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

From mark at msapiro.net Wed Nov 6 17:44:50 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 6 Nov 2019 09:44:50 -0800
Subject: lots of hung cron jobs
In-Reply-To: <819cecc1-4280-11f6-2634-36dc0346440f@replies.cyways.com>
References: <819cecc1-4280-11f6-2634-36dc0346440f@replies.cyways.com>
Message-ID:

On 11/6/19 5:11 AM, Peter H. Lemieux wrote:
> I had the same situation this morning. I've disabled the cron job for now.
>
> Running "ms-cron HOURLY" from the command prompt hangs.
...
> Running "ps ax" on this server this morning brought up over a dozen hung
> cron processes like this:
>
> awk -v progname=/etc/cron.hourly/mailscanner progname {       print prognam
> /bin/sh /usr/sbin/ms-cron HOURLY
> /bin/sh /usr/sbin/ms-check

/usr/sbin/ms-cron HOURLY will at most run two jobs depending on whether or not they are enabled in /etc/MailScanner/defaults. The two jobs are ms-check which will run if ms_cron_check=1 in /etc/MailScanner/defaults and ms-msg-alert which will run if ms_cron_msg_alert=1 in /etc/MailScanner/defaults.

By default, only ms-check is enabled and that is apparently what is hanging.

What ms-check does is check to see if MailScanner is running[1] and if not and if it wasn't intentionally stopped[2], it attempts to kill any stray MailScanner processes and then start MailScanner. The place where it can hang is in this code:

> # kill any rogue processes
> kill -15 $(ps axww | grep '[M]ailScanner' | awk '{print $1}') > /dev/null 2>&1
> # wait until they're gone.
> while (ps axww | grep -q '[M]ailScanner'); do
>     sleep 1
> done

That code should be OK. It says find the pids of any processes which `ps axww` reports as having MailScanner in their names, send them a SIGTERM and then wait until there aren't any more. There could be an issue if they don't all die or if a new one starts while ms-check is waiting for them to die, but under normal circumstances, MailScanner will be running and ms-check will exit without doing any of this unless somehow the pid in MailScanner's configured PIDFile is not the pid of the running MailScanner.

In summary, I don't know why this is happening, but perhaps this info will help.

[1] determined by the pid in MailScanner's configured PIDFile existing and being a MailScanner process

[2] determined by the presence of /var/lock/subsys/MailScanner.off

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mailscanner at replies.cyways.com Wed Nov 6 18:57:13 2019
From: mailscanner at replies.cyways.com (Peter H. Lemieux)
Date: Wed, 6 Nov 2019 13:57:13 -0500
Subject: Comodo for Linux?
In-Reply-To: <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>
References: <4348b50d-8a37-cc15-3826-d129d7d2129e@caledonia.net> <37057138-8799-d826-1ee1-12cf6f08c8f3@caledonia.net>
Message-ID: <651f4ab2-09c6-83ba-41e2-1e2233ec25fe@replies.cyways.com>

Are you using clamd? On my server it takes less than a second for MailScanner to query clamd and determine if something is infected. In fact, it runs both clamd and SpamAssassin in at most a second.

clamd takes a while to start up since it needs to read all the signatures into memory. In operation, though, it's quite speedy.

Peter

On 11/6/19 7:07 AM, Danita Zanre wrote:
> FYI - we're a small family site using ClamAV - and while it would not be
> out of the question to "purchase" AV, free is nice! ClamAV has been
> causing us all kinds of issues, and results in almost every message
> being delayed at least 5 minutes. If there are other free or
> inexpensive options we should look at that already work with
> Mailscanner, I'm all ears!
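
Mark Sapiro's reply in the "lots of hung cron jobs" thread above names the `while (ps axww | grep -q '[M]ailScanner')` wait as the place where ms-check can block without limit. The following is an added example, not MailScanner's ms-check and not code from any poster: a Linux-only, bounded form of that terminate-and-wait step. The function names (matching_pids, pid_alive, survivors, term_and_wait), the return codes and the timeout are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): terminate a set of PIDs and wait
# for them with a deadline, instead of looping until ps shows none.

# PIDs whose ps line matches a pattern; same ps/grep/awk idiom as the quoted code.
matching_pids() {
    ps axww | grep "$1" | awk '{print $1}'
}

# Succeeds only if the PID exists and can still act on a signal.
# A zombie (state Z) stays in the process table until its parent reaps it,
# so counting it as "still running" would keep a wait loop going.
pid_alive() {
    if [ ! -d /proc/self ]; then
        # No /proc available: fall back to a plain existence check
        # (zombies then count as alive).
        kill -0 "$1" 2>/dev/null
        return $?
    fi
    if [ ! -r "/proc/$1/status" ]; then
        return 1
    fi
    pa_state=$(sed -n 's/^State:[[:space:]]*\([A-Za-z]\).*/\1/p' \
        "/proc/$1/status" 2>/dev/null) || pa_state=""
    case "$pa_state" in
        ""|Z|X) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the subset of the given PIDs that are still alive.
survivors() {
    for sv_pid in "$@"; do
        if pid_alive "$sv_pid"; then
            printf '%s ' "$sv_pid"
        fi
    done
}

# term_and_wait TIMEOUT PID...
#   0  every PID exited after SIGTERM within TIMEOUT seconds
#   1  some PIDs ignored SIGTERM and were removed with SIGKILL
#   2  some PIDs are still present; the caller should log and give up
term_and_wait() {
    tw_timeout=$1
    shift
    if [ "$#" -eq 0 ]; then
        return 0
    fi
    kill -15 "$@" 2>/dev/null || true
    tw_waited=0
    while :; do
        tw_left=$(survivors "$@")
        if [ -z "$tw_left" ]; then
            return 0
        fi
        if [ "$tw_waited" -ge "$tw_timeout" ]; then
            break
        fi
        sleep 1
        tw_waited=$((tw_waited + 1))
    done
    # Deadline passed: escalate once, then report instead of waiting forever.
    # Word splitting of the PID list is intended here.
    kill -9 $tw_left 2>/dev/null || true
    sleep 1
    tw_left=$(survivors $tw_left)
    if [ -z "$tw_left" ]; then
        return 1
    fi
    echo "term_and_wait: still present after SIGKILL: $tw_left" >&2
    return 2
}

# Usage in a check script (pattern taken from the quoted code, 30 s assumed):
#   term_and_wait 30 $(matching_pids '[M]ailScanner')
```

A return code of 2 leaves the decision to the caller, so an hourly cron job can log the surviving PIDs and exit rather than pile up behind an earlier run.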

From info at schroeffu.ch Thu Nov 7 15:04:08 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Thu, 07 Nov 2019 15:04:08 +0000
Subject: Quarantine password protected 7zip .7z archives too
Message-ID: <99e685030c5d7bc0c7960365faa65258@schroeffu.ch>

Hi MailScanner Community,

currently, detecting .zip or .rar with password is working as expected: They are going to quarantine + notified as non-forging virus.
But .7z files with passwords are not detected and are passing MailScanner to the recipient, instead of going to be quarantined.

Is this a bug or a missing feature?

Mailscanner 5.1.3-2
Ubuntu 18.04 Server
Allow Password-Protected Archives = no
Non-Forging Viruses = Joke/ OF97/ eicar Zip-Password

dpkg --get-selections | grep -i 7zip
p7zip install
p7zip-full install

Thanks for any help!
Schroeffu

From vitoarh at yahoo.com Fri Nov 8 10:08:41 2019
From: vitoarh at yahoo.com (Vito Arh)
Date: Fri, 8 Nov 2019 10:08:41 +0000 (UTC)
Subject: mailscanner does not start after installation
References: <249751658.877531.1573207721339.ref@mail.yahoo.com>
Message-ID: <249751658.877531.1573207721339@mail.yahoo.com>

Hi all,

I tried to install mailscanner to my LXC container. Installation completed successfully. After installation I wanted to start service with command:

# service mailscanner start
Job for mailscanner.service failed because of unavailable resources or another system error.
See "systemctl status mailscanner.service" and "journalctl -xe" for details.

I posted logs below. I think the problem is in "mailscanner.service: Failed to set invocation ID on control group /system.slice/mailscanner.service, ignoring: Operation not permitted"

How can I avoid that? I googled without success. Probably this is because LXC container?

Thank you for your help.

Some details and logs:

# uname -a
Linux boba 4.15.18-15-pve #1 SMP PVE 4.15.18-40 (Tue, 21 May 2019 17:43:20 +0200) x86_64 GNU/Linux

# systemctl status mailscanner.service
● mailscanner.service - LSB: MailScanner daemon
   Loaded: loaded (/usr/lib/MailScanner/init/ms-init; enabled; vendor preset: enabled)
   Active: failed (Result: resources) since Fri 2019-11-08 10:55:59 CET; 3min 9s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 17588 ExecStart=/usr/lib/MailScanner/init/ms-init start (code=exited, status=0/SUCCESS)

nov 08 10:55:59 boba systemd[1]: Starting LSB: MailScanner daemon...
nov 08 10:55:59 boba ms-init[17588]:     Edit the file /etc/MailScanner/MailScanner.conf according to
nov 08 10:55:59 boba ms-init[17588]:     your needs. When complete, edit /etc/MailScanner/defaults and set
nov 08 10:55:59 boba ms-init[17588]:     the variable to enable MailScanner to run:
nov 08 10:55:59 boba ms-init[17588]:     run_mailscanner=1
nov 08 10:55:59 boba systemd[1]: mailscanner.service: PID file /var/run/MailScanner.pid not readable (yet?) after start: No such file or directory
nov 08 10:55:59 boba systemd[1]: Failed to start LSB: MailScanner daemon.
nov 08 10:55:59 boba systemd[1]: mailscanner.service: Unit entered failed state.
nov 08 10:55:59 boba systemd[1]: mailscanner.service: Failed with result 'resources'.

# journalctl -xe
nov 08 11:02:45 boba systemd[1]: mailscanner.service: Failed to reset devices.list: Operation not permitted
nov 08 11:02:45 boba systemd[1]: mailscanner.service: Failed to set invocation ID on control group /system.slice/mailscanner.service, ignoring: Operation not permitted
nov 08 11:02:45 boba systemd[1]: Starting LSB: MailScanner daemon...
-- Subject: Unit mailscanner.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit mailscanner.service has begun starting up.
nov 08 11:02:45 boba ms-init[18374]:     Edit the file /etc/MailScanner/MailScanner.conf according to
nov 08 11:02:45 boba ms-init[18374]:     your needs. When complete, edit /etc/MailScanner/defaults and set
nov 08 11:02:45 boba ms-init[18374]:     the variable to enable MailScanner to run:
nov 08 11:02:45 boba ms-init[18374]:     run_mailscanner=1
nov 08 11:02:45 boba systemd[1]: mailscanner.service: PID file /var/run/MailScanner.pid not readable (yet?) after start: No such file or directory
nov 08 11:02:45 boba systemd[1]: Failed to start LSB: MailScanner daemon.
-- Subject: Unit mailscanner.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit mailscanner.service has failed.
--
-- The result is failed.
nov 08 11:02:45 boba systemd[1]: mailscanner.service: Unit entered failed state.
nov 08 11:02:45 boba systemd[1]: mailscanner.service: Failed with result 'resources'.

From mark at msapiro.net Fri Nov 8 17:50:58 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 8 Nov 2019 09:50:58 -0800
Subject: mailscanner does not start after installation
In-Reply-To: <249751658.877531.1573207721339@mail.yahoo.com>
References: <249751658.877531.1573207721339.ref@mail.yahoo.com> <249751658.877531.1573207721339@mail.yahoo.com>
Message-ID:

On 11/8/19 2:08 AM, Vito Arh via MailScanner wrote:
>
> I posted logs below. I think the problem is in "mailscanner.service:
> Failed to set invocation ID on control group

No.

...
> nov 08 10:55:59 boba systemd[1]: Starting LSB: MailScanner daemon...
> nov 08 10:55:59 boba ms-init[17588]:     Edit the file
> /etc/MailScanner/MailScanner.conf according to
> nov 08 10:55:59 boba ms-init[17588]:     your needs. When complete, edit
> /etc/MailScanner/defaults and set
> nov 08 10:55:59 boba ms-init[17588]:     the variable to enable
> MailScanner to run:
> nov 08 10:55:59 boba ms-init[17588]:     run_mailscanner=1

Have you configured MailScanner and set run_mailscanner=1 in /etc/MailScanner/defaults? Until you do that, MailScanner won't run.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From kevin.miller at juneau.org Sat Nov 9 01:52:45 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Sat, 9 Nov 2019 01:52:45 +0000
Subject: t4
Message-ID:

T4

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From kevin.miller at juneau.org Sat Nov 9 01:53:47 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Sat, 9 Nov 2019 01:53:47 +0000
Subject: t4
In-Reply-To:
References:
Message-ID: <1fed5d92605c462d8acf3e2e3b54e6d1@City-Exch-DB2.cbj.local>

Ignore this - wrong address...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

-----Original Message-----
From: MailScanner On Behalf Of Kevin Miller via MailScanner
Sent: Friday, November 8, 2019 4:53 PM
To: 'MailScanner Discussion'
Cc: Kevin Miller
Subject: t4

EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
________________________________

T4

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From iversons at rushville.k12.in.us Sat Nov 9 13:02:31 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 9 Nov 2019 08:02:31 -0500
Subject: Quarantine password protected 7zip .7z archives too
In-Reply-To: <99e685030c5d7bc0c7960365faa65258@schroeffu.ch>
References: <99e685030c5d7bc0c7960365faa65258@schroeffu.ch>
Message-ID:

It's a feature :D

Probably is a bug, but I will need to run one through some tests. I'm assuming you are running on debian?

On Thu, Nov 7, 2019 at 10:04 AM wrote:

>
> Hi MailScanner Community,
>
> currently, detecting .zip or .rar with password is working as expected:
> They are going to quarantine + notified as non-forging virus.
> But .7z files with passwords are not detected and are passing MailScanner
> to the recipient, instead of going to be quarantined.
>
> Is this a bug or a missing feature?
>
> Mailscanner 5.1.3-2
> Ubuntu 18.04 Server
> Allow Password-Protected Archives = no
> Non-Forging Viruses = Joke/ OF97/ eicar Zip-Password
>
> dpkg --get-selections | grep -i 7zip
> p7zip install
> p7zip-full install
>
> Thanks for any help!
> Schroeffu

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Sat Nov 9 19:58:32 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 9 Nov 2019 14:58:32 -0500
Subject: Quarantine password protected 7zip .7z archives too
In-Reply-To:
References: <99e685030c5d7bc0c7960365faa65258@schroeffu.ch>
Message-ID:

Disregard. Ubuntu 18.04, got it.

On Sat, Nov 9, 2019 at 8:02 AM Shawn Iverson wrote:

> It's a feature :D
>
> Probably is a bug, but I will need to run one through some tests. I'm
> assuming you are running on debian?
>
>
>
> On Thu, Nov 7, 2019 at 10:04 AM wrote:
>
>>
>> Hi MailScanner Community,
>>
>> currently, detecting .zip or .rar with password is working as expected:
>> They are going to quarantine + notified as non-forging virus.
>> But .7z files with passwords are not detected and are passing MailScanner
>> to the recipient, instead of going to be quarantined.
>>
>> Is this a bug or a missing feature?
>>
>> Mailscanner 5.1.3-2
>> Ubuntu 18.04 Server
>> Allow Password-Protected Archives = no
>> Non-Forging Viruses = Joke/ OF97/ eicar Zip-Password
>>
>> dpkg --get-selections | grep -i 7zip
>> p7zip install
>> p7zip-full install
>>
>> Thanks for any help!
>> Schroeffu
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> iversons at rushville.k12.in.us

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
iversons at rushville.k12.in.us

From info at schroeffu.ch Mon Nov 11 06:48:05 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Mon, 11 Nov 2019 06:48:05 +0000
Subject: Quarantine password protected 7zip .7z archives too
In-Reply-To:
References:
Message-ID: <084bfd5b9c9b381024c3a3b31771ed84@schroeffu.ch>

Hi Shawn,

no in my case it is Ubuntu 18.04, well it's very similar to Debian ;- ))

These packages are installed already:

p7zip install
p7zip-full install

I am looking forward for any help in advance

Date: Sat, 9 Nov 2019 08:02:31 -0500
From: Shawn Iverson
To: MailScanner Discussion
Subject: Re: Quarantine password protected 7zip .7z archives too
Message-ID:
Content-Type: text/plain; charset="utf-8"

It's a feature :D

Probably is a bug, but I will need to run one through some tests. I'm assuming you are running on debian?

On Thu, Nov 7, 2019 at 10:04 AM wrote:

> Hi MailScanner Community,
>
> currently, detecting .zip or .rar with password is working as expected:
> They are going to quarantine + notified as non-forging virus.
> But .7z files with passwords are not detected and are passing MailScanner
> to the recipient, instead of going to be quarantined.
>
> Is this a bug or a missing feature?
>
> Mailscanner 5.1.3-2
> Ubuntu 18.04 Server
> Allow Password-Protected Archives = no
> Non-Forging Viruses = Joke/ OF97/ eicar Zip-Password
>
> dpkg --get-selections | grep -i 7zip
> p7zip install
> p7zip-full install
>
> Thanks for any help!
> Schroeffu

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
iversons at rushville.k12.in.us

From kieron at thewestwing.co.nz Thu Nov 14 22:44:32 2019
From: kieron at thewestwing.co.nz (Kieron Gray)
Date: Fri, 15 Nov 2019 11:44:32 +1300
Subject: Mailscanner Configuration Issues
Message-ID:

Hi,

I recently upgraded to a new server and had Configserver install VSF / Mailscanner etc.
I used this setup on my previous servers too.

Any help would be appreciated.

Thanks

Kieron

.........

However, I'm having issues with local mail delivery both account to account delivery and indeed to intra account emails.

Delivered to internal network by host with dynamic-looking rDNS

This gives a score of 2.84

also ..
RCVD_IN_SORBS_DUL 4.00 SORBS: sent directly from dynamic IP address
and
SPF_SOFTFAIL 1.50 SPF: sender does not match SPF record (softfail)

some headers ...

Received: from 125-237-9-210-vdsl.sparkbb.co.nz ([125.237.9.210]:51043 helo=Steve)
 by lahost2.ashburtononline.com with esmtp (Exim 4.92)
 (envelope-from )
 id 1iVMqY-0006xV-2G
 for kieron at thewestwing.co.nz; Fri, 15 Nov 2019 10:40:10 +1300
Message-ID: <597C08CB586D482BB2FB7C058EA70A06 at Steve>
Reply-To: "Steve at PacificTrailways"
From: "Steve at PacificTrailways"
To: "Kieron Gray"
References: <0639AB52A9944E5DB70D1F6F563B423B at Steve>
In-Reply-To:
Subject: =?utf-8?Q?Re:_=5BNorton_AntiSpam=5DRe:_Pacific?=
 =?utf-8?Q?_Trailways_=5BNorton_AntiSpam=5DEmai?=
 =?utf-8?Q?l_Quarantine_Notification=E2=9C=89_You_h?=
 =?utf-8?Q?ave_8__new_emails_on_hold?=
Date: Fri, 15 Nov 2019 10:40:07 +1300
Organization: Pacific Trailways
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_001A_01D59BA1.0C608630"
X-Priority: 1
X-MSMail-Priority: High
Importance: High
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331

From iversons at rushville.k12.in.us Fri Nov 15 10:38:03 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 15 Nov 2019 05:38:03 -0500
Subject: Mailscanner Configuration Issues
In-Reply-To:
References:
Message-ID:

This is spamassassin, actually...
125-237-9-210-vdsl.sparkbb.co.nz looks like a dynamic rDNS, according to 20_dynrdns.cf

SORBS also believes it is a dynamic IP address

SPF failure is most likely because this is a dynamic address is probably not in the SPF record

On Thu, Nov 14, 2019 at 7:32 PM Kieron Gray via MailScanner <
mailscanner at lists.mailscanner.info> wrote:

> Hi,
>
> I recently upgraded to a new server and had Configserver install VSF /
> Mailscanner etc. I used this setup on my previous servers too.
>
> Any help would be appreciated.
>
> Thanks
>
> Kieron
>
> ????????.
>
> However, I'm having issues with local mail delivery both account to
> account delivery and indeed to intra account emails.
>
> Delivered to internal network by host with dynamic-looking rDNS
>
>
> This gives a score of 2.84
>
> also ..
> RCVD_IN_SORBS_DUL 4.00 SORBS: sent directly from dynamic IP address
> and
> SPF_SOFTFAIL 1.50 SPF: sender does not match SPF record (softfail)
> some headers ?.
>
>
> Received: from 125-237-9-210-vdsl.sparkbb.co.nz ([125.237.9.210]:51043 helo=Steve)
> by lahost2.ashburtononline.com with esmtp (Exim 4.92)
> (envelope-from )
> id 1iVMqY-0006xV-2G
> for kieron at thewestwing.co.nz; Fri, 15 Nov 2019 10:40:10 +1300
> Message-ID: <597C08CB586D482BB2FB7C058EA70A06 at Steve>
> Reply-To: "Steve at PacificTrailways"
> From: "Steve at PacificTrailways"
> To: "Kieron Gray"
> References: <0639AB52A9944E5DB70D1F6F563B423B at Steve>
> In-Reply-To:
> Subject: =?utf-8?Q?Re:_=5BNorton_AntiSpam=5DRe:_Pacific?=
> =?utf-8?Q?_Trailways_=5BNorton_AntiSpam=5DEmai?=
> =?utf-8?Q?l_Quarantine_Notification=E2=9C=89_You_h?=
> =?utf-8?Q?ave_8__new_emails_on_hold?=
> Date: Fri, 15 Nov 2019 10:40:07 +1300
> Organization: Pacific Trailways
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_001A_01D59BA1.0C608630"
> X-Priority: 1
> X-MSMail-Priority: High
> Importance: High
> X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
> X-MimeOLE: Produced By Microsoft MimeOLE
V16.4.3528.331
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
iversons at rushville.k12.in.us
[image: Cybersecurity]

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From lee.iitb at gmail.com Mon Nov 18 04:05:53 2019
From: lee.iitb at gmail.com (Thomas Stephen Lee)
Date: Mon, 18 Nov 2019 09:35:53 +0530
Subject: MailScanner and Zimbra
In-Reply-To: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
Message-ID:

Hi Thom,

We are using the

https://dsr.vanderboon.net/DSR/contrib/KAM.cf.sh

to update MailScanner.

but everyday Gmail tags the cron output as spam with a message.

I have attached a screenshot.

Why is this so ?

thanks

-
Thomas Stephen Lee

On Fri, Nov 1, 2019 at 2:59 PM Thom van der Boon wrote:

> I have the same setup.
>
> check the age of the files in /var/spamassassin/version_number/
>
> check whether there is a spamassassin update script in /etc/cron.daily (you
> will find nothing in your logs to check whether sa-update is working)
>
> If old files quick fix run as root: sa-update --verbose ; service
> mailscanner restart
> Script to auto-update: https://dsr.vanderboon.net/DSR/contrib/
>
> In /etc/MailScanner/MailScanner.conf check and change the following
> parameters:
>
> Log Spam = yes
> Log SpamAssassin Rule Actions = yes
> Max Spam Check Size = 20m
>
> restart MailScanner after this and check your logs
>
> Tip 1: Use KAM.cf
> KAM.cf is a great collection of spamassassin rules
> Rules are here: https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
> Script to auto-update: https://dsr.vanderboon.net/DSR/contrib/
>
>
> Tip 2: Use securiteinfo.com to improve ClamAV detection
> It is an paid extension to ClamAV, but it costs less than ?
30/USD 35 per
> year (You only need pro version to protect your mail server)
>
> https://securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
>
> Thom
>
> ------------------------------
> *From: *"Thomas Stephen Lee"
> *To: *"MailScanner Discussion"
> *Sent: *Friday 1 November 2019 08:14:04
> *Subject: *MailScanner and Zimbra
>
> Hi,
>
> We use MailScanner on our mail server.
>
> MailScanner scans the incoming mails and relays it to a VM with Zimbra
> 8.8.15 installed.
>
> However we notice that Zimbra's spam software captures many spam mails
> which are not captured by MailScanner.
>
> Why is this so ?
>
> thanks
>
> ---
> Thomas Stephen Lee
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kam.png
Type: image/png
Size: 74111 bytes
Desc: not available
URL:

From danita at caledonia.net Tue Nov 19 18:12:58 2019
From: danita at caledonia.net (Danita Zanre)
Date: Tue, 19 Nov 2019 19:12:58 +0100
Subject: Sophos and encrypted files
Message-ID:

Hi folks,

Mail has been flowing here fairly well, but I'm having a lot of trouble with encrypted files (password protected PDFs, xlsx files etc) being blocked. I can allow specific senders in the virus.scanning.rules. Is there a way for me to bypass specific types of encrypted files for specific recipients? I'm not finding that!

Thanks.

--
*Danita Zanre*, /Move Out of the Office/
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mark at msapiro.net Tue Nov 19 19:01:52 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 19 Nov 2019 11:01:52 -0800
Subject: Sophos and encrypted files
In-Reply-To:
References:
Message-ID:

On 11/19/19 10:12 AM, Danita Zanre wrote:
>
> Mail has been flowing here fairly well, but I'm having a lot of trouble
> with encrypted files (password protected PDFs, xlsx files etc) being
> blocked. I can allow specific senders in the virus.scanning.rules. Is
> there a way for me to bypass specific types of encrypted files for
> specific recipients? I'm not finding that!

You can create rule sets for "Allow Password-Protected Archives", "Allow Filenames" and/or "Allow Filetypes". Some combination of these may allow you to do what you want.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From danita at caledonia.net Tue Nov 19 19:28:47 2019
From: danita at caledonia.net (Danita Zanre)
Date: Tue, 19 Nov 2019 20:28:47 +0100
Subject: Sophos and encrypted files
In-Reply-To:
References:
Message-ID: <8a326235-0b8d-85c2-0c16-f1a34c43077c@caledonia.net>

Well, I'm not apparently not even getting it to work properly in the virus.scanning.rules file - I've put this:

From:        user at company.com    no
FromOrTo:    default               yes

And files from user at company.com are still scanned. Is this not the proper syntax for that file?

Thanks

Danita

Mark Sapiro wrote on 11/19/19 8:01 PM:
> On 11/19/19 10:12 AM, Danita Zanre wrote:
>> Mail has been flowing here fairly well, but I'm having a lot of trouble
>> with encrypted files (password protected PDFs, xlsx files etc) being
>> blocked. I can allow specific senders in the virus.scanning.rules. Is
>> there a way for me to bypass specific types of encrypted files for
>> specific recipients? I'm not finding that!
>
> You can create rule sets for "Allow Password-Protected Archives", "Allow
> Filenames" and/or "Allow Filetypes".
Some combination of these may allow
> you to do what you want.
>

--
*Danita Zanre*, /Move Out of the Office/
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mark at msapiro.net Tue Nov 19 19:52:33 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 19 Nov 2019 11:52:33 -0800
Subject: Sophos and encrypted files
In-Reply-To: <8a326235-0b8d-85c2-0c16-f1a34c43077c@caledonia.net>
References: <8a326235-0b8d-85c2-0c16-f1a34c43077c@caledonia.net>
Message-ID:

On 11/19/19 11:28 AM, Danita Zanre wrote:
> Well, I'm not apparently not even getting it to work properly in the
> virus.scanning.rules file - I've put this:
>
> From:        user at company.com    no
> FromOrTo:    default               yes
>
> And files from user at company.com are still scanned. Is this not the
> proper syntax for that file?

It is.

Do you have the appropriate

Virus Scanning = %rules-dir%/virus.scanning.rules

in your MailScanner.conf.

If that's the case, you should be aware that From and To addresses in rules are the envelope sender and recipient(s). The envelope sender may not be equal to the From: header address.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From danita at caledonia.net Tue Nov 19 20:19:32 2019
From: danita at caledonia.net (Danita Zanre)
Date: Tue, 19 Nov 2019 21:19:32 +0100
Subject: Sophos and encrypted files
In-Reply-To:
References: <8a326235-0b8d-85c2-0c16-f1a34c43077c@caledonia.net>
Message-ID:

I think I banged my head enough! It seems to be working now. restarting mailscanner a couple of times and staring at the file seems to have done the trick!

Thanks

Mark Sapiro wrote on 11/19/19 8:52 PM:
> On 11/19/19 11:28 AM, Danita Zanre wrote:
>> Well, I'm not apparently not even getting it to work properly in the
>> virus.scanning.rules file - I've put this:
>>
>> From:        user at company.com    no
>> FromOrTo:    default               yes
>>
>> And files from user at company.com are still scanned. Is this not the
>> proper syntax for that file?
>
> It is.
>
> Do you have the appropriate
>
> Virus Scanning = %rules-dir%/virus.scanning.rules
>
> in your MailScanner.conf.
>
> If that's the case, you should be aware that From and To addresses in
> rules are the envelope sender and recipient(s). The envelope sender may
> not be equal to the From: header address.
>

--
*Danita Zanre*, /Move Out of the Office/
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From info at schroeffu.ch Wed Nov 20 10:26:44 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Wed, 20 Nov 2019 10:26:44 +0000
Subject: Some issues with Sophos in Mailscanner
Message-ID: <84ce41f7b2f0947bd6d6ce2dc19a4558@schroeffu.ch>

Hi Mailscanner Community,

are some of you using the free sophos virus scanner in production? Maybe you can help me with some issues.

For years i am running ESETS and CLAMAV + SaneSecurity, but the detection is not as good as i wish. So i installed additionally sophos days ago to compare.

- Sophos is not detecting any real virus in the wild. ESETS+ClamAV does. Any Idea why?
- Sophos is not detecting EICAR with for example "savscan /tmp/eicar.txt.com". Any Idea why?
- But Sophos is detecting password protected 7zip and MS Office Password protected files.

Now, that's not optimal. VBA Virus can be found in MS Office Password Protected files, so block this files is overkill and not necessary.
How can I whitelist password protected Office files, but still detect pw protected 7zip?

Because my Mailscanner is not detecting password protected 7zip files (see http://lists.mailscanner.info/pipermail/mailscanner/2019-November/106065.html (http://lists.mailscanner.info/pipermail/mailscanner/2019-November/106065.html)) , it's good that sophos does. Therefore i didn't deinstall sophos sav scanner yet.

May some of you had the same issue?

thanks for any help
Schroeffu

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From info at schroeffu.ch Wed Nov 20 13:38:58 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Wed, 20 Nov 2019 13:38:58 +0000
Subject: Some issues with Sophos in Mailscanner
In-Reply-To: <84ce41f7b2f0947bd6d6ce2dc19a4558@schroeffu.ch>
References: <84ce41f7b2f0947bd6d6ce2dc19a4558@schroeffu.ch>
Message-ID: <53df6d3802894cd0e7b13236a06b2cd9@schroeffu.ch>

OK, today Sophos detected its first real virus, a compromised HTML ^_^

Sophos: >>> Virus 'Troj/HTMLDrop-T' found in file (...)DHL_Deklaration_734.html

So scan engine seems to work, but for me it seems the detection rate is very low in comparison to ClamAV (+SaneSecurity) + ESETS.

And the other issue "whitelist office pw protected files" is discussed here: http://lists.mailscanner.info/pipermail/mailscanner/2019-November/106076.html (http://lists.mailscanner.info/pipermail/mailscanner/2019-November/106076.html)

all the best
Schroeffu

20. November 2019 11:26, info at schroeffu.ch (mailto:info at schroeffu.ch) wrote:

Hi Mailscanner Community,

are some of you using the free sophos virus scanner in production? Maybe you can help me with some issues.

For years i am running ESETS and CLAMAV + SaneSecurity, but the detection is not as good as i wish. So i installed additionally sophos days ago to compare.

- Sophos is not detecting any real virus in the wild. ESETS+ClamAV does. Any Idea why?
- Sophos is not detecting EICAR with for example "savscan /tmp/eicar.txt.com".
Any Idea why?
- But Sophos is detecting password protected 7zip and MS Office Password protected files.

Now, that's not optimal. VBA Virus can be found in MS Office Password Protected files, so block this files is overkill and not necessary. How can I whitelist password protected Office files, but still detect pw protected 7zip?

Because my Mailscanner is not detecting password protected 7zip files (see http://lists.mailscanner.info/pipermail/mailscanner/2019-November/106065.html (http://lists.mailscanner.info/pipermail/mailscanner/2019-November/106065.html)) , it's good that sophos does. Therefore i didn't deinstall sophos sav scanner yet.

May some of you had the same issue?

thanks for any help
Schroeffu

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mark at msapiro.net Wed Nov 20 16:59:51 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 20 Nov 2019 08:59:51 -0800
Subject: Some issues with Sophos in Mailscanner
In-Reply-To: <53df6d3802894cd0e7b13236a06b2cd9@schroeffu.ch>
References: <84ce41f7b2f0947bd6d6ce2dc19a4558@schroeffu.ch> <53df6d3802894cd0e7b13236a06b2cd9@schroeffu.ch>
Message-ID:

On 11/20/19 5:38 AM, info at schroeffu.ch wrote:
> OK, today Sophos detected its first real virus, a compromised HTML ^_^
>
>
> Sophos: >>> Virus 'Troj/HTMLDrop-T' found in file
> (...)DHL_Deklaration_734.html
>
> So scan engine seems to work, but for me it seems the detection rate is
> very low in comparison to ClamAV (+SaneSecurity) + ESETS.
...
> 20. November 2019 11:26, info at schroeffu.ch
> wrote:
>
> For years i am running ESETS and CLAMAV + SaneSecurity, but the
> detection is not as good as i wish. So i installed additionally
> sophos days ago to compare.

Most of the SaneSecurity sigs are designed to detect spam and phishing rather than actual virus/malware.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From pramod at mindspring.co.za Thu Nov 21 08:28:29 2019
From: pramod at mindspring.co.za (Pramod Daya)
Date: Thu, 21 Nov 2019 08:28:29 +0000
Subject: Recommended Antivirus scanners
Message-ID:

Hi Folks,

I've been using clamd successfully for years, but finding that some macro viruses in Office docs are slipping through. I added the free version of Sophos to Mailscanner, and apart from causing my CPU usage to skyrocket, it doesn't seem to detect anything. Do you have any recommendations on what are the most effective antivirus scanners to run in conjunction with Clam ? Is anyone running several scanners simultaneously ?

Feedback much appreciated.
Thanks
___________________________________________________
Pramod Daya (CEO)
M.Sc. Computer Science (U. of Oregon)
Unit 5, Melomed Office Park
Punters Way, Kenilworth
Cape Town, South Africa 7708
www.mindspring.co.za
[cid:image001.png at 01D4A824.38D37C20]
Work: +27 21 657 1780
Fax: +27 21 671 7599
Cell: +27 83 675 0367
pramod at mindspring.co.za

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 5989 bytes
Desc: image001.png
URL:

From danita at caledonia.net Thu Nov 21 09:37:03 2019
From: danita at caledonia.net (Danita Zanre)
Date: Thu, 21 Nov 2019 10:37:03 +0100
Subject: Recommended Antivirus scanners
In-Reply-To:
References:
Message-ID:

I had the opposite experience lately. Clamd was causing excessive delays in email, so I switched to sophos. It's detecting viruses, and has been a bit of a pain because I've not found a reliable way to white list password protected files for some of my users and it blocks all of those requiring individual whitening for now while I learn what the heck it is I'm doing. I feel like we suddenly get more spam though, because I suspect that clamd was marking some phishing types of spam as viruses that sophos does not.

--
Danita Zanre, Move Out of the Office
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

On Nov 21, 2019, 9:29 AM +0100, Pramod Daya via MailScanner , wrote:
> Hi Folks,
>
> I've been using clamd successfully for years, but finding that some macro viruses in Office docs are slipping through. I added the free version of Sophos to Mailscanner, and apart from causing my CPU usage to skyrocket, it doesn't seem to detect anything. Do you have any recommendations on what are the most effective antivirus scanners to run in conjunction with Clam ? Is anyone running several scanners simultaneously ?
>
> Feedback much appreciated.
> Thanks
> ___________________________________________________
> Pramod Daya (CEO)
> M.Sc. Computer Science (U. of Oregon)
> Unit 5, Melomed Office Park
> Punters Way, Kenilworth
> Cape Town, South Africa 7708
> www.mindspring.co.za
>
> Work: +27 21 657 1780
> Fax: +27 21 671 7599
> Cell: +27 83 675 0367
> pramod at mindspring.co.za
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by Iris MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 5989 bytes
Desc: not available
URL:

From kevin.miller at juneau.org Thu Nov 21 19:50:15 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Thu, 21 Nov 2019 19:50:15 +0000
Subject: Eudora long-MIME boundary attack
Message-ID: <6c852bd9a3434f28b25e90968d32531e@City-Exch-DB2.cbj.local>

What is the mechanism for detecting the Eudora long-MIME boundary attack? I receive multiple instances of emails that trigger that warning daily but I can't discover where it's configured.
Every time it triggers, a message is sent to postmaster. I previously thought they were being blocked but today noticed that they were getting through. A warning message is sent to postmaster. I presumed that indicated that the message was blocked. Apparently not.

Apparently they're not flagged as either a virus or spam so this line applies:

Non Spam Actions = deliver header "X-CBJ-Spam-Status: No" store-nonspam

How can I set MailScanner to flag them as blocked content and not deliver them to my users? In the event of a false positive I can always release it from quarantine but first I have to quarantine them.

Thanks...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

From info at schroeffu.ch Fri Nov 22 13:11:47 2019
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Fri, 22 Nov 2019 13:11:47 +0000
Subject: Recommended Antivirus scanners
In-Reply-To:
References:
Message-ID: <203e5d2eb586f3f95603e573cd6762f0@schroeffu.ch>

First of all: the very best option against macro viruses as mail attachments is to use ClamAV with option "OLE2BlockMacros true" (/etc/clamav/clamd.conf). This option works like a charm, it is detecting any macro as a virus called "Heuristics.OLE2.ContainsMacros".

Second, don't forget to quarantine password protected archives, some weeks ago Emotet is using zip files with passwords more often too.

Sophos I added some days ago and have had the same problem: very bad detection rate, but cpu usage is exploding. I am going to deinstall sophos in some days again.

Some experience from our past with F-Secure, ESETS, ClamAV and daily 5000+ Mails incoming:

F-Secure is detecting new signatures often little bit later than ESETS, but ESETS is still far away from detecting new signatures fast enough, in comparison with Trend Micro.
ClamAV is detecting 40% viruses (macros excluded) which ESETS was not detecting, so, i was also confused that clamav is detecting such often a virus instead of ESETS. (Therefore i tried additionally sophos but sophos seems to be just unusable bullsh** for me,sry)

Moving away from F-Secure was more strategically, because ESETS Proxy Gateway Product was technically better, the F-Secure Proxy was just buggy and they didn't fixed the bugs reported with tickets. But you only need ESETS Linux File Server License when running ESETS in MailScanner (which is much cheaper than have a license for any protected user as a mail-server-product license.) because MailScanner only uses the standard command line scanner.

So my personal favorite in Business is Trend Micro but their installation is not compatible with MailScanner. I guess with rspamd + ICAP Protocol for Virus Scanning Plugin you can use much more virus scanners from other companies.

> Message: 3
> Date: Thu, 21 Nov 2019 08:28:29 +0000
> From: Pramod Daya
> To: "mailscanner at lists.mailscanner.info"
>
> Subject: Recommended Antivirus scanners
> Message-ID:
>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Folks,
>
> I've been using clamd successfully for years, but finding that some macro viruses in Office docs
> are slipping through. I added the free version of Sophos to Mailscanner, and apart from causing my
> CPU usage to skyrocket, it doesn't seem to detect anything. Do you have any recommendations on what
> are the most effective antivirus scanners to run in conjunction with Clam ? Is anyone running
> several scanners simultaneously ?
>
> Feedback much appreciated.
> Thanks
> ___________________________________________________
> Pramod Daya (CEO)
> M.Sc. Computer Science (U.
of Oregon)
> Unit 5, Melomed Office Park
> Punters Way, Kenilworth
> Cape Town, South Africa 7708
> www.mindspring.co.za
> [cid:image001.png at 01D4A824.38D37C20]
> Work: +27 21 657 1780
> Fax: +27 21 671 7599
> Cell: +27 83 675 0367
> pramod at mindspring.co.za
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: image001.png
> Type: image/png
> Size: 5989 bytes
> Desc: image001.png
> URL:

From lee.iitb at gmail.com Tue Nov 26 07:12:40 2019
From: lee.iitb at gmail.com (Thomas Stephen Lee)
Date: Tue, 26 Nov 2019 12:42:40 +0530
Subject: MailScanner and Zimbra
In-Reply-To:
References: <582040083.327578.1572600571852.JavaMail.zimbra@vdb.nl>
Message-ID:

Hi,

clicked on "Looks safe" for few days.

Now message is not going to spam folder and no red message.

thanks

-
Thomas Stephen Lee

On Mon, Nov 18, 2019 at 9:35 AM Thomas Stephen Lee wrote:

> Hi Thom,
>
> We are using the
>
> https://dsr.vanderboon.net/DSR/contrib/KAM.cf.sh
>
> to update MailScanner.
>
> but everyday Gmail tags the cron output as spam with a message.
>
> I have attached a screenshot.
>
> Why is this so ?
>
> thanks
>
> -
> Thomas Stephen Lee
>
>
>
> On Fri, Nov 1, 2019 at 2:59 PM Thom van der Boon wrote:
>
>> I have the same setup.
>>
>> check the age of the files in /var/spamassassin/version_number/
>>
>> check whether there is a spamassassin update script in /etc/cron.daily
>> (you will find nothing in your logs to check whether sa-update is working)
>>
>> If old files quick fix run as root: sa-update --verbose ; service
>> mailscanner restart
>> Script to auto-update: https://dsr.vanderboon.net/DSR/contrib/
>>
>> In /etc/MailScanner/MailScanner.conf check and change the following
>> parameters:
>>
>> Log Spam = yes
>> Log SpamAssassin Rule Actions = yes
>> Max Spam Check Size = 20m
>>
>> restart MailScanner after this and check your logs
>>
>> Tip 1: Use KAM.cf
>> KAM.cf is a great collection of spamassassin rules
>> Rules are here:
>> https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
>> Script to auto-update: https://dsr.vanderboon.net/DSR/contrib/
>>
>>
>> Tip 2: Use securiteinfo.com to improve ClamAV detection
>> It is an paid extension to ClamAV, but it costs less than ? 30/USD 35
>> per year (You only need pro version to protect your mail server)
>>
>> https://securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
>>
>> Thom
>>
>> ------------------------------
>> *From: *"Thomas Stephen Lee"
>> *To: *"MailScanner Discussion"
>> *Sent: *Friday 1 November 2019 08:14:04
>> *Subject: *MailScanner and Zimbra
>>
>> Hi,
>>
>> We use MailScanner on our mail server.
>>
>> MailScanner scans the incoming mails and relays it to a VM with Zimbra
>> 8.8.15 installed.
>>
>> However we notice that Zimbra's spam software captures many spam mails
>> which are not captured by MailScanner.
>>
>> Why is this so ?
>>
>> thanks
>>
>> ---
>> Thomas Stephen Lee
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From xavier at diogenius.net Tue Nov 26 20:44:42 2019
From: xavier at diogenius.net (Xavier COLIGNON [Diogenius])
Date: Tue, 26 Nov 2019 21:44:42 +0100
Subject: Problem mailscanner not loging in debug mode
Message-ID:

An HTML attachment was scrubbed...
URL:

From michael at weiser.dinsnail.net Sat Nov 30 18:59:42 2019
From: michael at weiser.dinsnail.net (Michael Weiser)
Date: Sat, 30 Nov 2019 19:59:42 +0100
Subject: MailScanner 5.2.1-1 Released
In-Reply-To:
References:
Message-ID: <20191130185942.GC16166@weiser.dinsnail.net>

Hi,

On Tue, Nov 05, 2019 at 09:36:00AM -0500, Shawn Iverson via MailScanner wrote:
> MailScanner 5.2.1-1 has been released. Many thanks goes to all contributors
> and the entire MailScanner team.

Thanks for all your work on this.

> Please read the README below in its entirety before updating to MailScanner
> 5.2.1-1. MailScanner has undergone refactoring to eliminate the need for
> tarballs for major distributions. This is especially important if you are
> using automated deployment tools to install MailScanner, since retooling
> for the new packaging may be required.

For the Gentoo ebuild[1] the current nix tarball was a drop-in replacement. I have yet to find any problems. :)

[1] https://bugs.gentoo.org/584524#c8
--
Thanks,
Michael
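
Added example (not part of any list message and not MailScanner's own code): Mark Sapiro's reply in the "Sophos and encrypted files" thread above notes that From/To addresses in a ruleset are the envelope sender and recipients, not the From: header. The Python sketch below is a simplified model of that matching, assuming first-match-wins evaluation, only `default` and `*` wildcard patterns, and that the Return-Path header of a delivered copy records the envelope sender; all addresses and the sample message are constructed.

```python
"""Simplified model of MailScanner-style ruleset matching (added example)."""
import fnmatch
from email import message_from_string
from email.utils import parseaddr

# Constructed ruleset in the layout quoted in the thread: direction, pattern, value.
RULESET = """\
# virus.scanning.rules (constructed sample)
From:       user@company.example    no
FromOrTo:   default                 yes
"""

# Constructed message as delivered: the Return-Path header records the SMTP
# envelope sender, which here differs from the address in the From: header.
SAMPLE_MESSAGE = """\
Return-Path: <bounce-4711@mailer.example>
From: "User" <user@company.example>
To: staff@recipient.example
Subject: encrypted report

(body omitted)
"""


def parse_ruleset(text):
    """Turn ruleset text into a list of (direction, pattern, value) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        direction = fields[0].rstrip(":").lower()
        rules.append((direction, fields[1].lower(), " ".join(fields[2:])))
    return rules


def _matches(pattern, address):
    # Assumption: only "default" and shell-style wildcards (*@domain) are modelled.
    return pattern == "default" or fnmatch.fnmatchcase(address.lower(), pattern)


def evaluate(rules, envelope_from, envelope_to):
    """Return the value of the first rule that matches, or None."""
    for direction, pattern, value in rules:
        hit_from = _matches(pattern, envelope_from)
        hit_to = any(_matches(pattern, rcpt) for rcpt in envelope_to)
        hit = {
            "from": hit_from,
            "to": hit_to,
            "fromorto": hit_from or hit_to,
            "fromandto": hit_from and hit_to,
        }.get(direction, False)
        if hit:
            return value
    return None


def explain(raw_message, ruleset_text, envelope_to):
    """Compare the decision on the envelope sender with the header-based guess."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg["From"])[1].lower()
    envelope_from = parseaddr(msg["Return-Path"])[1].lower()
    rules = parse_ruleset(ruleset_text)
    return {
        "envelope_from": envelope_from,
        "header_from": header_from,
        "decision": evaluate(rules, envelope_from, envelope_to),
        "expected_if_header_were_used": evaluate(rules, header_from, envelope_to),
    }


if __name__ == "__main__":
    report = explain(SAMPLE_MESSAGE, RULESET, ["staff@recipient.example"])
    for key, val in report.items():
        print(f"{key}: {val}")
```

A rule that exempts a whole bounce domain (for example `*@mailer.example`) turns scanning off for every sender using that mailer, so the narrowest pattern that matches the real envelope sender is the safer choice.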