From kevin.miller at juneau.org Wed Oct 2 18:43:27 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Wed, 2 Oct 2019 18:43:27 +0000
Subject: Debian Buster
In-Reply-To: <28a66ad780544186b29205782e43a802@City-Exch-DB2.cbj.local>
References: <28a66ad780544186b29205782e43a802@City-Exch-DB2.cbj.local>
Message-ID: <90861ca5e5d0440a90a7ea477bd2f3eb@City-Exch-DB2.cbj.local>

A quick follow-up for those who have upgraded to Buster or will soon;

If you're using postgrey, I noticed that reloading it failed. The fix was found here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934068
The same issue also plagues other applications such as exim.

I also noticed that when logwatch is updated, the /usr/share/logwatch/default.conf/ignore.conf file is overwritten w/o warning, so a lot of log entries I usually ignore were suddenly again present in the daily log summary. An easy fix.

sa-compile also would ab-end. The solution is to remove it with apt, do a purge, then reinstall.
apt-get remove sa-compile
apt-get purge sa-compile
apt-get install sa-compile

And if you're using MailWatch in conjunction with MailScanner, I had to re-install some modules from cpan:
cpan -i DBD::mysql
cpan -i Encoding::FixLatin
cpan -i Digest::SHA1

After fixing the php7.0 issue mentioned in the previous post, run
a2enmod php7.3

I think that's the crux of the issue I encountered. Hope this helps others. If you're not using Debian, I apologize for the OT noise...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

-----Original Message-----
From: MailScanner On Behalf Of Kevin Miller
Sent: Friday, August 02, 2019 8:54 AM
To: 'MailScanner Discussion'
Subject: RE: Debian Buster

I upgraded my test box to Buster from Stretch. It does work but there were a few things that went bump in the process.
For instance, php is upgraded so the links in /etc/apache2/mods-enabled broke (only an issue if you're running MailWatch on top of MailScanner).
Stretch:
lrwxrwxrwx 1 root root 29 Apr 11 2018 php7.0.conf -> ../mods-available/php7.0.conf
lrwxrwxrwx 1 root root 29 Apr 11 2018 php7.0.load -> ../mods-available/php7.0.load
Buster:
lrwxrwxrwx 1 root root 29 Jul 11 08:54 php7.3.conf -> ../mods-available/php7.3.conf
lrwxrwxrwx 1 root root 29 Jul 11 08:54 php7.3.load -> ../mods-available/php7.3.load

An easy fix but it took me a while to figure out what the trouble was. Had a couple of other issues that were puzzlers too, but again easy fixes after I tracked them down. Can't recall what all the problems were now or if they were MailScanner issues or more MailWatch issues.

Looking back at the history file on my test box, I see I had to fiddle with opendmarc after upgrading. Debian seems to screw up the opendmarc start script:
Edit /etc/systemd/system/multi-user.target.wants/opendmarc.service
Change the line below:
ExecStart=/usr/sbin/opendmarc
To:
ExecStart=/usr/sbin/opendmarc -p $SOCKET -c /etc/opendmarc.conf -u opendmarc -P /var/run/opendmarc/opendmarc.pid

Also had to fiddle with sa-compile to get it working again. Not a show stopper but better performance if it's enabled.

Not sure what other issues I had. As Shawn says, give it a go on a test box first if you have one unless you can live w/o email for a few hours.

Best of luck...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

-----Original Message-----
From: MailScanner On Behalf Of L.P.H. van Belle via MailScanner
Sent: Thursday, August 01, 2019 11:00 PM
To: MailScanner Discussion
Cc: L.P.H. van Belle
Subject: Debian Buster

EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
________________________________

Hai,

Just to verify, is mailscanner with mailwatch Debian Buster compliant?
Before I upgrade my server.. :-)

Greetz,

Louis

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From mailscanner at abetts.com Thu Oct 3 15:05:11 2019
From: mailscanner at abetts.com (Andy Betts)
Date: Thu, 03 Oct 2019 16:05:11 +0100
Subject: Quarantine path issue
Message-ID: <35f3ecc34e2a4bf9268057e6abdf9010@abetts.com>

Hi

I'm not sure if this is a configuration issue with MailScanner or a Mailwatch issue.

Something has recently changed with my install and I'm not sure where I should be looking. Until a couple of days ago, MailScanner was storing spam messages in /var/spool/MailScanner/quarantine//. Mailwatch could see this directory and was working as expected. I have the usual spam action and high spam action set to store, but after a restart of the service I can now see that Mailscanner is now storing spam in a sub directory called spam, this is causing issues with MailWatch not seeing this directory and I'm now unable to release those emails.

Has the default location for the store action changed, or is this a Mailwatch configuration issue?

Thanks in advance

Andy

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mark at msapiro.net Thu Oct 3 16:27:47 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 3 Oct 2019 09:27:47 -0700
Subject: Quarantine path issue
In-Reply-To: <35f3ecc34e2a4bf9268057e6abdf9010@abetts.com>
References: <35f3ecc34e2a4bf9268057e6abdf9010@abetts.com>
Message-ID: <58112e98-05a0-ff2b-44d3-82bb0be3346d@msapiro.net>

On 10/3/19 8:05 AM, Andy Betts wrote:
>
> Something has recently changed with my install and I'm not sure where I
> should be looking. Until a couple of days ago, MailScanner was storing
> spam messages in /var/spool/MailScanner/quarantine//. Mailwatch
> could see this directory and was working as expected. I have the usual
> spam action and high spam action set to store, but after a restart of
> the service I can now see that Mailscanner is now storing spam in a sub
> directory called spam, this is causing issues with MailWatch not seeing
> this directory and I'm now unable to release those emails.
>
> Has the default location for the store action changed, or is this a
> Mailwatch configuration issue?

In my experience going back many years, MailScanner's quarantine directory is set in MailScanner's config via the Quarantine Dir setting and defaults to /var/spool/MailScanner/quarantine. This directory contains sub directories by date.
The typical structure of one of these date directories is

> /var/spool/MailScanner/quarantine/20190904:
> total 16
> drwxr-x--- 4 postfix ms_access 4096 Sep 4 17:01 ./
> drwxrwxr-x 34 postfix ms_access 4096 Oct 3 06:28 ../
> drwxr-x--- 2 postfix ms_access 4096 Sep 4 17:01 976E86113D.AB735/
> drwxr-x--- 2 postfix ms_access 4096 Sep 4 16:52 spam/
>
> /var/spool/MailScanner/quarantine/20190904/976E86113D.AB735:
> total 2984
> drwxr-x--- 2 postfix ms_access 4096 Sep 4 17:01 ./
> drwxr-x--- 4 postfix ms_access 4096 Sep 4 17:01 ../
> -rw-r----- 1 postfix ms_access 94208 Sep 4 17:01 Dhlprotected.exe
> -rw-r----- 1 postfix ms_access 1245184 Sep 4 17:01 Dhl protected.iso
> -rw-r----- 1 postfix ms_access 1707518 Sep 4 17:01 message
>
> /var/spool/MailScanner/quarantine/20190904/spam:
> total 228
> drwxr-x--- 2 postfix ms_access 4096 Sep 4 16:52 ./
> drwxr-x--- 4 postfix ms_access 4096 Sep 4 17:01 ../
> -rw-r----- 1 postfix ms_access 9595 Sep 4 03:04 11F831F8E3.A2E91
> -rw-r----- 1 postfix ms_access 5741 Sep 4 03:53 134C849691.A4D68
> -rw-r----- 1 postfix ms_access 2575 Sep 4 09:18 25D672EBFC.AF3C1
> -rw-r----- 1 postfix ms_access 31351 Sep 4 11:08 2F09A84C47.A5E83
> -rw-r----- 1 postfix ms_access 2527 Sep 4 08:14 33AC414A36.A1A2B
> -rw-r----- 1 postfix ms_access 1768 Sep 4 15:37 3DD9197D0B.AB02F
> -rw-r----- 1 postfix ms_access 2672 Sep 4 07:53 47E8CDD574.AD39A
> -rw-r----- 1 postfix ms_access 28567 Sep 4 16:52 48180274E1.AE412
> -rw-r----- 1 postfix ms_access 18302 Sep 4 15:08 557C65DA41.A45AA
> -rw-r----- 1 postfix ms_access 13810 Sep 4 01:44 8D6CFDB7A7.A2A5C
> -rw-r----- 1 postfix ms_access 2496 Sep 4 12:43 9E8C2CFD5E.A0C88
> -rw-r----- 1 postfix ms_access 18356 Sep 4 16:50 ACFD9CC632.A29FB
> -rw-r----- 1 postfix ms_access 24282 Sep 4 06:04 AEA41F756.ACD58
> -rw-r----- 1 postfix ms_access 2525 Sep 4 14:03 B17EFA5DE3.AB1DA
> -rw-r----- 1 postfix ms_access 6610 Sep 4 07:18 C6673503DB.A87D2
> -rw-r----- 1 postfix ms_access 2609 Sep 4 12:11 D32A2503A9.A6113
> -rw-r----- 1 postfix ms_access 9779 Sep 4 13:03 E6B6B54A01.A8F5A
> -rw-r----- 1 postfix ms_access 9083 Sep 4 07:16 E9500B982E.AB339

I.e. it contains a 'spam' sub-directory and zero or more 'queue-id' directories. The 'spam' sub-directory contains spam messages by queue-id. The 'queue-id' directories, 976E86113D.AB735 in this example, contain messages with viruses. The 'message' file is the complete message and the other files are the infected attachments.

Again, in my experience the quarantined spam has always been in a 'spam' sub-directory. However, this can be affected by the Spam Actions and High Scoring Spam Actions settings.

I'm not familiar with MailWatch and I don't know what settings are available there.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From th3penguinwhisperer at gmail.com Sun Oct 6 19:19:11 2019
From: th3penguinwhisperer at gmail.com (PenguinWhispererThe .)
Date: Sun, 6 Oct 2019 21:19:11 +0200
Subject: Found x messages in the Processing Attempts Database
In-Reply-To: <4813a613-ab9b-488a-237e-09b5f7c256da@msapiro.net>
References: <0b9ab8da-b3e2-c2e6-0806-a068ad6a9044@msapiro.net> <4813a613-ab9b-488a-237e-09b5f7c256da@msapiro.net>
Message-ID:

Thanks for the advice. I removed the database, those old directories and restarted mailscanner.

On Thu, 26 Sep 2019 at 23:12, Mark Sapiro wrote:

> On 9/26/19 12:45 PM, PenguinWhispererThe . wrote:
> > What's odd, although you mention this table is dynamic, I see the same
> > entries being in the processing table for days now (even after
> > restarting mailscanner again).
> >
> > sqlite> select * from processing;
> > sAG1Zwmx014496|1|1416101917
> > sAI21lCL048525|1|1416276373
> > sAKESsEI061854|1|1416493861
> > sAL8iGJv065844|1|1416559666
> > sAP200rp009088|1|1416881004
> > sAP3FvgT009543|1|1416885645
> > sB57KW1j077564|1|1417764217
> > sB8BHQpJ098939|1|1418037788
> > sBC23AJO030564|1|1418350119
> > sBH23A1i063616|1|1418781917
> > sBI200Sg068899|1|1418868275
> > t2J22LZI009097|1|1426730686
> > t2S331Uu068277|1|1427512130
> > t3H12Hb5011899|1|1429232748
> > t3M128WX002854|2|1429664969
> > t3R126rV097720|1|1430096883
> > t4Q4qEWM099846|1|1432616194
> > t4S16p8x092225|1|1432775494
> > t5319C2P088537|1|1433293928
> > t5619Hcj004247|1|1433553112
> > t5717xY9040021|2|1433639777
> > t5B4hNKH095310|1|1433997939
> > t5I6eSQR022704|1|1434609981
> > t5M1HEZL012536|1|1434936137
> > t6J1P7LT079641|1|1437269327
> > t6K1Hep2095660|1|1437355245
> > t6R14i8f014786|2|1437959694
> > t843arsW033210|1|1441338030
> > t8614UXF088483|1|1441501659
> >
> > Since I first mailed to this mailing list there's still 29 messages in
> > the processing database.
>
> Those are all ancient. The three columns are respectively the MTA queue
> ID, the number of tries and a timestamp. The timestamp is seconds since
> the epoch and is the time that MailScanner will next retry the message.
> As I said, they are ancient - the most recent one is Sat Sep 5 18:07:39
> 2015.
>
> When messages are retried, the number of tries is incremented, but
> when it reaches the configured Maximum Processing Attempts (default 6)
> the message won't be further retried.
>
>
> > When I try to find files that correspond with the first column I find
> > none (perhaps I'm searching for them in the wrong way). Not sure what
> > the difference is between the ones starting with s and t. Is it possible
> > some of these messages are still in the database but no longer exist and
> > so never get removed from it?
>
>
> As I said, the first column is an MTA queue id with the addition of the
> s or t prefix (I don't know what that means), but these entries are all
> so old, that the messages are probably no longer queued.
>
> I suggest you just remove the Processing Attempts Database. As it says
> in MailScanner.conf
>
> > # This is the location of the database file used to track the number of
> > # times any message has been attempted.
> > # To clear out the database, just delete the file, MailScanner will re-
> > # create it automatically when it starts.
> > Processing Attempts Database = /var/spool/MailScanner/incoming/Processing.db
>
> This will clear these old entries and then you can focus on any new ones.
>
> --
> Mark Sapiro                           The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>

From kevin.miller at juneau.org Tue Oct 8 20:14:59 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Tue, 8 Oct 2019 20:14:59 +0000
Subject: Filename.rules.conf
Message-ID: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local>

I've recently set up dmarc and have been getting reports that often have multiple extensions. I've tried messing with the filename.rules.conf entries to allow some of them through but so far I haven't found the magic combination to do so.

MailScanner sends this:
Report: MailScanner: Attempt to hide real filename extension (1emailsrvr.com.xml)
although the real filename is found in this mail.log entry:
Oct 8 11:47:05 mxt MailScanner[43737]: Filename Checks: Found possible filename hiding (E0CFA1001B6.AE939 emailsrvr.com!juneau.org!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.xml)

This file is actually contained in
emailsrvr.com!juneau.org!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.zip
for whatever that's worth.

Entries I've tried in filename.rules.conf are:
allow \.xml$ - -
allow \*\.com*\.xml$ - -
allow \*\.com*\.zip$ - -
as well as entries without the "*"

So how does one allow these through?

Thanks...

...Kevin
--
Kevin Miller 907 586-0242
City & Borough of Juneau

From mark at msapiro.net Wed Oct 9 00:50:39 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 8 Oct 2019 17:50:39 -0700
Subject: Filename.rules.conf
In-Reply-To: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local>
References: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local>
Message-ID:

On 10/8/19 1:14 PM, Kevin Miller wrote:
> I've recently set up dmarc and have been getting reports that often have multiple extensions. I've tried messing with the filename.rules.conf entries to allow some of them through but so far I haven't found the magic combination to do so.
>
> MailScanner sends this:
> Report: MailScanner: Attempt to hide real filename extension (1emailsrvr.com.xml)
> although the real filename is found in this mail.log entry:
> Oct 8 11:47:05 mxt MailScanner[43737]: Filename Checks: Found possible filename hiding (E0CFA1001B6.AE939 emailsrvr.com!juneau.org!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.xml)
>
> This file is actually contained in
> emailsrvr.com!juneau.org!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.zip
> for whatever that's worth.

If it's in a .zip or other archive, you need to put the rules in archives.filename.rules.conf

> Entries I've tried in filename.rules.conf are:
> allow \.xml$ - -
> allow \*\.com*\.xml$ - -
> allow \*\.com*\.zip$ - -
> as well as entries without the "*"
>
> So how does one allow these through?

you want

allow .*\.com\.xml$ - -

and you want it before

deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

I'm not sure if the '.*' is required, but it definitely should not be '\*'.

Or you can use the MailScanner configuration settings

Allow Filenames = \.com\.xml$

which I think works for archives. See .

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From kevin.miller at juneau.org Wed Oct 9 17:28:20 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Wed, 9 Oct 2019 17:28:20 +0000
Subject: Filename.rules.conf
In-Reply-To:
References: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local>
Message-ID: <246d12a8b3344ecfb358208cffe1f960@City-Exch-DB2.cbj.local>

Thanks Mark.
Total spaced the archives.filename.rules.conf - that was the ticket. I had to expand the regex a bit as follows:
allow *\.com*\.xml$ - -
to allow for the series of characters before and after .com but before .xml but that was easy enough once I took the quarter you sent and bought a clue! :-)

Appreciate the help. Now to figure out how to parse/manage the flood of dmarc reports coming in...

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Tuesday, October 8, 2019 4:51 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Filename.rules.conf

EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
________________________________

On 10/8/19 1:14 PM, Kevin Miller wrote:
> I've recently set up dmarc and have been getting reports that often have multiple extensions. I've tried messing with the filename.rules.conf entries to allow some of them through but so far I haven't found the magic combination to do so.
>
> MailScanner sends this:
> Report: MailScanner: Attempt to hide real filename extension (1emailsrvr.com.xml)
> although the real filename is found in this mail.log entry:
> Oct 8 11:47:05 mxt MailScanner[43737]: Filename Checks: Found possible filename hiding (E0CFA1001B6.AE939 emailsrvr.com!juneau.org!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.xml)
>
> This file is actually contained in
> emailsrvr.com!juneau.org!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.zip
> for whatever that's worth.

If it's in a .zip or other archive, you need to put the rules in archives.filename.rules.conf

> Entries I've tried in filename.rules.conf are:
> allow \.xml$ - -
> allow \*\.com*\.xml$ - -
> allow \*\.com*\.zip$ - -
> as well as entries without the "*"
>
> So how does one allow these through?

you want

allow .*\.com\.xml$ - -

and you want it before

deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

I'm not sure if the '.*' is required, but it definitely should not be '\*'.

Or you can use the MailScanner configuration settings

Allow Filenames = \.com\.xml$

which I think works for archives. See .

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From mark at msapiro.net Wed Oct 9 18:02:18 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 9 Oct 2019 11:02:18 -0700
Subject: Filename.rules.conf
In-Reply-To: <246d12a8b3344ecfb358208cffe1f960@City-Exch-DB2.cbj.local>
References: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local> <246d12a8b3344ecfb358208cffe1f960@City-Exch-DB2.cbj.local>
Message-ID: <18565eda-3013-7fba-f987-060b4cf2aa97@msapiro.net>

On 10/9/19 10:28 AM, Kevin Miller wrote:
> Thanks Mark.
> Total spaced the archives.filename.rules.conf - that was the ticket. I had to expand the regex a bit as follows:
> allow *\.com*\.xml$ - -
> to allow for the series of characters before and after .com but before .xml but that was easy enough once I took the quarter you sent and bought a clue! :-)

These are regexps, not globs. Mailscanner recognizes this common error and converts a leading * to .*, but not others, so *\.com*\.xml$ will match names ending with '.com.xml', '.comm.xml', '.commm.xml', etc, but not, e.g. '.comic.xml'.

you want '.*\.com[^.]*\.xml' to match names ending with .com followed by zero or more non-dots followed by .xml.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From kevin.miller at juneau.org Wed Oct 9 18:20:49 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Wed, 9 Oct 2019 18:20:49 +0000
Subject: Filename.rules.conf
In-Reply-To: <18565eda-3013-7fba-f987-060b4cf2aa97@msapiro.net>
References: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local> <246d12a8b3344ecfb358208cffe1f960@City-Exch-DB2.cbj.local> <18565eda-3013-7fba-f987-060b4cf2aa97@msapiro.net>
Message-ID: <5a8e1792f13c4031bcadc3fbc20ce13c@City-Exch-DB2.cbj.local>

Gotcha. Although it's working as is, I'll change it to make sure there aren't any oddities that arise long after I remember that I added it.
Pays in the long run to do it right, rather than just "good enough for now".

Thanks again...

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Wednesday, October 9, 2019 10:02 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: Filename.rules.conf

EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
________________________________

On 10/9/19 10:28 AM, Kevin Miller wrote:
> Thanks Mark.
> Total spaced the archives.filename.rules.conf - that was the ticket. I had to expand the regex a bit as follows:
> allow *\.com*\.xml$ - -
> to allow for the series of characters before and after .com but before
> .xml but that was easy enough once I took the quarter you sent and
> bought a clue! :-)

These are regexps, not globs. Mailscanner recognizes this common error and converts a leading * to .*, but not others, so *\.com*\.xml$ will match names ending with '.com.xml', '.comm.xml', '.commm.xml', etc, but not, e.g. '.comic.xml'.

you want '.*\.com[^.]*\.xml' to match names ending with .com followed by zero or more non-dots followed by .xml.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From bilal.ahmed at kfueit.edu.pk Sun Oct 13 18:03:12 2019
From: bilal.ahmed at kfueit.edu.pk (Bilal Ahmad)
Date: Sun, 13 Oct 2019 23:03:12 +0500
Subject: block all emails having same address in To and From
Message-ID:

Dear All,
I want to block all emails having same address in To and From header.
Any solution plz

Sent from my Samsung Galaxy smartphone.
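
The regex-versus-glob point from the Filename.rules.conf thread above, as an added example that is not part of any poster's message and is not MailScanner's code: a small Python model of an ordered allow/deny ruleset. First-match-wins evaluation, unanchored case-insensitive matching, the default of allow, and the sample filenames are assumptions made for the illustration.

```python
import re

# Model assumptions (this is not MailScanner's code): rules are tried top to
# bottom and the first matching pattern decides; patterns are unanchored,
# case-insensitive regex searches; only a leading "*" is rewritten to ".*",
# as described in the thread.

ESCAPED_STAR = r"\*\.com*\.xml$"   # first attempt: \* is a literal asterisk
GLOB_STYLE = r"*\.com*\.xml$"      # entry that worked after the leading-* rewrite
SUGGESTED = r".*\.com[^.]*\.xml"   # pattern from the reply, exactly as written
ANCHORED = r".*\.com[^.]*\.xml$"   # same pattern with an end-of-name anchor
DENY_HIDING = ("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$")

# Constructed sample names built from the suffixes discussed in the thread.
SAMPLES = [
    "emailsrvr.com.xml",
    "example.comm.xml",
    "example.comic.xml",
    "example.com.xml.exe",
]


def normalise(pattern):
    """Rewrite a glob-style leading '*' to '.*'; nothing else is converted."""
    return ".*" + pattern[1:] if pattern.startswith("*") else pattern


def pattern_matches(pattern, filename):
    """True if the normalised pattern matches anywhere in the filename."""
    return re.search(normalise(pattern), filename, re.IGNORECASE) is not None


def decide(rules, filename, default="allow"):
    """Return the action of the first rule whose pattern matches."""
    for action, pattern in rules:
        if pattern_matches(pattern, filename):
            return action
    return default


def report():
    """Rows of (pattern, filename, matched) for each allow pattern and sample."""
    patterns = [ESCAPED_STAR, GLOB_STYLE, SUGGESTED, ANCHORED]
    return [(p, n, pattern_matches(p, n)) for p in patterns for n in SAMPLES]


if __name__ == "__main__":
    for pattern, name, hit in report():
        print(f"{pattern:22} {name:22} {'match' if hit else '-'}")
    print()
    # Rule order: the allow entry only helps when it precedes the deny rule.
    name = "emailsrvr.com.xml"
    print("allow before deny:", decide([("allow", ANCHORED), DENY_HIDING], name))
    print("deny before allow:", decide([DENY_HIDING, ("allow", ANCHORED)], name))
    # Anchoring: without '$' the allow entry also covers a longer name.
    name = "example.com.xml.exe"
    print("unanchored allow :", decide([("allow", SUGGESTED), DENY_HIDING], name))
    print("anchored allow   :", decide([("allow", ANCHORED), DENY_HIDING], name))
```

Under these assumptions, an allow entry placed ahead of the filename-hiding deny rule should keep its `$` anchor so that it covers only names that really end in `.xml`.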

From djones at ena.com Sun Oct 13 22:15:07 2019
From: djones at ena.com (David Jones)
Date: Sun, 13 Oct 2019 22:15:07 +0000
Subject: block all emails having same address in To and From
In-Reply-To:
References:
Message-ID: <72E8AF14-057D-4871-A8E6-4C05C7BA6115@ena.com>

I wouldn't recommend that. There are legitimate emails that are sent using Bcc with the same from/to address. Also, the visible From/To address could be different from the envelope-from/envelope-to addresses which may be a better indicator of spam.

I solve this problem using postfwd and adding headers for the envelope recipient count at the Postfix MTA level so I can detect abuse of the Bcc with the envelope-to. The problem with this is inbound email will be split up by the sending MTA so you will only see recipients in the envelope-to that are destined for your mail server based on the MX lookup.

More than likely, there is a better way to detect and block the email you are seeing with the same From and To address. If you post a lightly redacted version in pastebin.com and reply back with the link, then we may be able to help with some ideas.

Dave

From: MailScanner on behalf of Bilal Ahmad via MailScanner
Reply-To: MailScanner Discussion
Date: Sunday, October 13, 2019 at 1:12 PM
To: "mailscanner at lists.mailscanner.info"
Cc: Bilal Ahmad
Subject: block all emails having same address in To and From

Dear All,
I want to block all emails having same address in To and From header.
Any solution plz

Sent from my Samsung Galaxy smartphone.

From mmgomess at gmail.com Wed Oct 23 09:53:15 2019
From: mmgomess at gmail.com (Marcelo Machado)
Date: Wed, 23 Oct 2019 06:53:15 -0300
Subject: Sign Clean Messages not work
Message-ID:

I'm trying to use Sign Clean but not working. Any tip?

MailScanner 5.1.3
%report-dir% = /etc/MailScanner/reports/pt_br

Sign Clean Messages = yes
Inline Text Signature = %report-dir%/inline.sig.txt
Inline HTML Signature = %report-dir%/inline.sig.html

Marcelo Gomes

From iversons at rushville.k12.in.us Wed Oct 23 10:07:13 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 23 Oct 2019 06:07:13 -0400
Subject: Sign Clean Messages not work
In-Reply-To:
References:
Message-ID:

Marcelo,

Did you remember to set up your rulesets for the signing?

Inline HTML Signature = %rules-dir%/sig.html.rules
Inline Text Signature = %rules-dir%/sig.text.rules

On Wed, Oct 23, 2019 at 5:53 AM Marcelo Machado wrote:

>
> I'm trying to use Sign Clean but not working. Any tip?
>
> MailScanner 5.1.3
> %report-dir% = /etc/MailScanner/reports/pt_br
>
> Sign Clean Messages = yes
> Inline Text Signature = %report-dir%/inline.sig.txt
> Inline HTML Signature = %report-dir%/inline.sig.html
>
> Marcelo Gomes
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Wed Oct 23 10:08:52 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 23 Oct 2019 06:08:52 -0400
Subject: Sign Clean Messages not work
In-Reply-To:
References:
Message-ID:

Whoops my bad, haven't had my coffee yet.

That should work as you show without a ruleset, but you may try using a ruleset instead.

On Wed, Oct 23, 2019 at 6:07 AM Shawn Iverson wrote:

> Marcelo,
>
> Did you remember to set up your rulesets for the signing?
>
> Inline HTML Signature = %rules-dir%/sig.html.rules
> Inline Text Signature = %rules-dir%/sig.text.rules
>
>
> On Wed, Oct 23, 2019 at 5:53 AM Marcelo Machado
> wrote:
>
>>
>> I'm trying to use Sign Clean but not working. Any tip?
>>
>> MailScanner 5.1.3
>> %report-dir% = /etc/MailScanner/reports/pt_br
>>
>> Sign Clean Messages = yes
>> Inline Text Signature = %report-dir%/inline.sig.txt
>> Inline HTML Signature = %report-dir%/inline.sig.html
>>
>> Marcelo Gomes
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 option 7
> iversons at rushville.k12.in.us
>

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From mmgomess at gmail.com Wed Oct 23 10:30:17 2019
From: mmgomess at gmail.com (Marcelo Machado)
Date: Wed, 23 Oct 2019 07:30:17 -0300
Subject: Sign Clean Messages not work
In-Reply-To:
References:
Message-ID:

Yes, but as I showed is not working

On Wed, Oct 23, 2019 at 07:09, Shawn Iverson via MailScanner <mailscanner at lists.mailscanner.info> wrote:

> Whoops my bad, haven't had my coffee yet.
>
> That should work as you show without a ruleset, but you may try using a
> ruleset instead.
>
> On Wed, Oct 23, 2019 at 6:07 AM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Marcelo,
>>
>> Did you remember to set up your rulesets for the signing?
>>
>> Inline HTML Signature = %rules-dir%/sig.html.rules
>> Inline Text Signature = %rules-dir%/sig.text.rules
>>
>>
>> On Wed, Oct 23, 2019 at 5:53 AM Marcelo Machado
>> wrote:
>>
>>>
>>> I'm trying to use Sign Clean but not working. Any tip?
>>>
>>> MailScanner 5.1.3
>>> %report-dir% = /etc/MailScanner/reports/pt_br
>>>
>>> Sign Clean Messages = yes
>>> Inline Text Signature = %report-dir%/inline.sig.txt
>>> Inline HTML Signature = %report-dir%/inline.sig.html
>>>
>>> Marcelo Gomes
>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 option 7
>> iversons at rushville.k12.in.us
>>
>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 option 7
> iversons at rushville.k12.in.us
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>

From mmgomess at gmail.com Wed Oct 23 10:54:59 2019
From: mmgomess at gmail.com (Marcelo Machado)
Date: Wed, 23 Oct 2019 07:54:59 -0300
Subject: Sign Clean Messages not work
In-Reply-To:
References:
Message-ID:

My MailScanner --lint

Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1500 hostnames from the phishing whitelist
Read 5899 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
MailWatch: Starting up MailWatch SQL Blacklist
MailWatch: Read 268 blacklist entries
Config: calling custom init function MailWatchLogging
MailWatch: Started MailWatch SQL Logging child
Config: calling custom init function SQLWhitelist
MailWatch: Starting up MailWatch SQL Whitelist
MailWatch: Read 253 whitelist entries

Checking version numbers...
Version number in MailScanner.conf (5.1.3) is correct.

Your envelope_sender_header in spamassassin.conf is correct.
MailScanner setting GID to (998)
MailScanner setting UID to (998)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
netset: cannot include 127.0.0.0/8 as it has already been included
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 3 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Blocked Filename Detected (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Virus Scanning: Clamd found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
If any of your virus scanners (clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
MailWatch: Closing down MailWatch SQL Blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
MailWatch: Closing down MailWatch SQL Whitelist

On Wed, Oct 23, 2019 at 07:30, Marcelo Machado wrote:

> Yes, but as I showed is not working
>
> On Wed, Oct 23, 2019 at 07:09, Shawn Iverson via MailScanner <
> mailscanner at lists.mailscanner.info> wrote:
>
>> Whoops my bad, haven't had my coffee yet.
>>
>> That should work as you show without a ruleset, but you may try using a
>> ruleset instead.
>>
>> On Wed, Oct 23, 2019 at 6:07 AM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> Marcelo,
>>>
>>> Did you remember to set up your rulesets for the signing?
>>> >>> Inline HTML Signature = %rules-dir%/sig.html.rules >>> Inline Text Signature = %rules-dir%/sig.text.rules >>> >>> >>> On Wed, Oct 23, 2019 at 5:53 AM Marcelo Machado >>> wrote: >>> >>>> >>>> I?m trying to use Sign Clean but not working. Any tip? >>>> >>>> MailScanner 5.1.3 >>>> %report-dir% = /etc/MailScanner/reports/pt_br >>>> >>>> Sign Clean Messages = yes >>>> Inline Text Signature = %report-dir%/inline.sig.txt >>>> Inline HTML Signature = %report-dir%/inline.sig.html >>>> >>>> Marcelo Gomes >>>> >>>> >>>> -- >>>> MailScanner mailing list >>>> mailscanner at lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> >>> >>> -- >>> Shawn Iverson, CETL >>> Director of Technology >>> Rush County Schools >>> 765-932-3901 option 7 >>> iversons at rushville.k12.in.us >>> >>> [image: Cybersecurity] >>> >> >> >> -- >> Shawn Iverson, CETL >> Director of Technology >> Rush County Schools >> 765-932-3901 option 7 >> iversons at rushville.k12.in.us >> >> [image: Cybersecurity] >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From mmgomess at gmail.com Thu Oct 24 11:50:17 2019 From: mmgomess at gmail.com (Marcelo Machado) Date: Thu, 24 Oct 2019 08:50:17 -0300 Subject: Sign Clean Messages not work In-Reply-To: References: Message-ID: Anyone can help me? 

From iversons at rushville.k12.in.us Thu Oct 24 14:40:20 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Thu, 24 Oct 2019 10:40:20 -0400
Subject: Sign Clean Messages not work
In-Reply-To:
References:
Message-ID:

Marcelo,

Do you have anything unusual showing up in your mail log that might give us
more clues?

On Thu, Oct 24, 2019 at 7:50 AM Marcelo Machado wrote:

> Anyone can help me?

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From mmgomess at gmail.com Fri Oct 25 16:32:01 2019
From: mmgomess at gmail.com (Marcelo Machado)
Date: Fri, 25 Oct 2019 13:32:01 -0300
Subject: Sign Clean Messages not work
In-Reply-To:
References:
Message-ID:

Shawn,

I found two lines with the same parameter in MailScanner.conf and after I
deleted one of them it worked. Thank you.
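
A check for the cause Marcelo reports, a setting present on two lines of MailScanner.conf; the --lint output posted in the thread contains no message about it. This is an added example, not code from the thread or from MailScanner: the sample file is constructed, and folding names by case and spacing is an assumption about how settings are compared.

```python
import re
import sys
from collections import defaultdict

# Constructed sample built from the settings quoted in the thread. The last
# line is a made-up stray duplicate of the kind the poster says he found.
SAMPLE_CONF = """\
# constructed sample, not the poster's real file
%report-dir% = /etc/MailScanner/reports/pt_br

Sign Clean Messages = yes
Inline Text Signature = %report-dir%/inline.sig.txt
Inline HTML Signature = %report-dir%/inline.sig.html

# ... hundreds of lines later ...
sign clean messages = no
"""


def normalise(name):
    """Fold a setting name so spelling variants compare equal.

    Assumption: names differing only in case or spacing are the same setting.
    """
    return re.sub(r"[^a-z0-9%]", "", name.lower())


def find_duplicates(text):
    """Return {folded name: [(line number, value), ...]} for names set twice or more."""
    seen = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        seen[normalise(name)].append((lineno, value.strip()))
    return {name: hits for name, hits in seen.items() if len(hits) > 1}


def conflicting(duplicates):
    """Keep only duplicates whose occurrences disagree on the value."""
    return {
        name: hits
        for name, hits in duplicates.items()
        if len({value for _, value in hits}) > 1
    }


def report(text, label="<sample>"):
    """Format one line per duplicated setting, flagging conflicting values."""
    dups = find_duplicates(text)
    bad = conflicting(dups)
    lines = []
    for name, hits in sorted(dups.items()):
        where = ", ".join(f"line {n} = {v!r}" for n, v in hits)
        tag = "CONFLICT" if name in bad else "repeat"
        lines.append(f"{label}: {tag}: {name}: {where}")
    return lines


if __name__ == "__main__":
    # With no arguments, check the embedded sample; otherwise check each file.
    if len(sys.argv) == 1:
        print("\n".join(report(SAMPLE_CONF)))
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            print("\n".join(report(handle.read(), path)))
```

Run it against MailScanner.conf and any files under conf.d after an upgrade or a hand edit; a CONFLICT line means two occurrences of one setting carry different values.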

From kevin.miller at juneau.org Sat Oct 26 00:11:44 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Sat, 26 Oct 2019 00:11:44 +0000
Subject: Filename.rules.conf
In-Reply-To: <18565eda-3013-7fba-f987-060b4cf2aa97@msapiro.net>
References: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local> <246d12a8b3344ecfb358208cffe1f960@City-Exch-DB2.cbj.local> <18565eda-3013-7fba-f987-060b4cf2aa97@msapiro.net>
Message-ID: <3bcce1c09d7746d081e3034fee6e5385@City-Exch-DB2.cbj.local>

> These are regexps, not globs. Mailscanner recognizes this common error and converts a leading * to .*,
> but not others, so *\.com*\.xml$ will match names ending with '.com.xml', '.comm.xml', '.commm.xml',
> etc, but not, e.g. '.comic.xml'.
> you want '.*\.com[^.]*\.xml' to match names ending with .com followed by zero or more non-dots followed by .xml.

The regex is working fine for the most part, but I had to add this one with \.gz$ on the end to catch additional entries:
.*\.com[^.]*\.xml\.gz$

For some reason it stumbles on this filename:
rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz

I wanted to try to debug why, so I went to https://regex101.com/ and for the regex entered:
.*\.com[^.]*\.xml\.gz$
And the filename for the test string
It reports a "Full match"

But MailScanner still stumbles on it and replaces the attachment with the text warning:
"This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "rocketmail.com.gz"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

At Fri Oct 25 12:05:03 2019 the virus scanner said:
MailScanner: Executable DOS/Windows programs are dangerous in email (nrocketmail.com)"

The allow line is well above these lines:
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
and I do have tabs, not spaces in the all rules.

File doesn't recognize it as an executable; it's definitely the name that's tripping it up.
mkm at mis-mkm-lnx:~/Downloads$ file rocketmail.com\!jnuairport.com\!1571875200\!1571961599.xml.gz
rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz: gzip compressed data, last modified: Fri Oct 25 04:30:42 2019, from Unix, original size 1078

Similar files are making it through, such as:
yahoo.com!ci.juneau.ak.us!1571097600!1571183999.xml.gz

I thought it might be having .com in the name twice, so added this rule:
allow .*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$
to no avail (it also passes on regex101.com).

Any help appreciated!

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

From mark at msapiro.net Sat Oct 26 00:59:04 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 25 Oct 2019 17:59:04 -0700
Subject: Filename.rules.conf
In-Reply-To: <3bcce1c09d7746d081e3034fee6e5385@City-Exch-DB2.cbj.local>
References: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local> <246d12a8b3344ecfb358208cffe1f960@City-Exch-DB2.cbj.local> <18565eda-3013-7fba-f987-060b4cf2aa97@msapiro.net> <3bcce1c09d7746d081e3034fee6e5385@City-Exch-DB2.cbj.local>
Message-ID: <81b88a7a-1f73-b459-50e2-5033ef092864@msapiro.net>

On 10/25/19 5:11 PM, Kevin Miller wrote:
>
> The regex is working fine for the most part, but I had to add this one with \.gz$ on the end to catch additional entries:
> .*\.com[^.]*\.xml\.gz$

Or you could just use the single regexp

.*\.com[^.]*\.xml(\.gz)?$

which will match anything followed by '.com' followed by 0 or more non
dots followed by '.xml' and either ending there or followed by '.gz'.

> For some reason it stumbles on this filename:
> rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz
>
> I wanted to try to debug why, so I went to https://regex101.com/ and for the regex entered:
> .*\.com[^.]*\.xml\.gz$
> And the filename for the test string
> It reports a "Full match"

As you see, your regexp matches that name, but

> But MailScanner still stumbles on it and replaces the attachment with the text warning:
> "This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail attachment "rocketmail.com.gz"
> is on the list of unacceptable attachments for this site and has been
> replaced by this warning message.

Mailscanner says the name it's looking at is "rocketmail.com.gz" without
the .xml. What are the headers of all the sub-parts of the message?
You should be able to find the message in MailScanner's quarantine.

> At Fri Oct 25 12:05:03 2019 the virus scanner said:
> MailScanner: Executable DOS/Windows programs are dangerous in email (nrocketmail.com)"
>
> The allow line is well above these lines:
> deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
> deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
> and I do have tabs, not spaces in the all rules.

but the allow line doesn't match "rocketmail.com.gz" which seems to be
the name MailScanner is looking at.

> File doesn't recognize it as an executable; it's definitely the name that's tripping it up.
> mkm at mis-mkm-lnx:~/Downloads$ file rocketmail.com\!jnuairport.com\!1571875200\!1571961599.xml.gz
> rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz: gzip compressed data, last modified: Fri Oct 25 04:30:42 2019, from Unix, original size 1078

The results from `file` are only relevant for file type rules, not file
name rules.

> Similar files are making it through, such as:
> yahoo.com!ci.juneau.ak.us!1571097600!1571183999.xml.gz
>
> I thought it might be having .com in the name twice, so added this rule:
> allow .*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$
> to no avail (it also passes on regex101.com).

Again, the name MailScanner is rejecting is "rocketmail.com.gz". To
understand why, we need to see all the MIME part headers from the message.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From kevin.miller at juneau.org Mon Oct 28 22:13:18 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Mon, 28 Oct 2019 22:13:18 +0000
Subject: Filename.rules.conf
In-Reply-To: <81b88a7a-1f73-b459-50e2-5033ef092864@msapiro.net>
References: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local> <246d12a8b3344ecfb358208cffe1f960@City-Exch-DB2.cbj.local> <18565eda-3013-7fba-f987-060b4cf2aa97@msapiro.net> <3bcce1c09d7746d081e3034fee6e5385@City-Exch-DB2.cbj.local> <81b88a7a-1f73-b459-50e2-5033ef092864@msapiro.net>
Message-ID:

> Or you could just use the single regexp
> .*\.com[^.]*\.xml(\.gz)?$
> which will match anything followed by '.com' followed by 0 or more non dots followed by '.xml' and either ending there or followed by '.gz'.

Nice. I did just, thanks.

>> For some reason it stumbles on this filename:
>> rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz
>>
>> I wanted to try to debug why, so I went to https://regex101.com/ and for the regex entered:
>> .*\.com[^.]*\.xml\.gz$
>> And the filename for the test string
>> It reports a "Full match"

> As you see, your regexp matches that name, but

>> But MailScanner still stumbles on it and replaces the attachment with the text warning:
>> "This is a message from the MailScanner E-Mail Virus Protection Service
>> ----------------------------------------------------------------------
>> The original e-mail attachment "rocketmail.com.gz"
>> is on the list of unacceptable attachments for this site and has been
>> replaced by this warning message.

> Mailscanner says the name it's looking at is "rocketmail.com.gz" without the .xml.

> What are the headers of all the sub-parts of the message? You should be able to find the message in MailScanner's quarantine.

Normally when (my) MailScanner stores spam/nonspam, it puts a single file in /var/spool/MailSanner/quarantine//nonspam (or spam).
When the message is blocked for a bad filename it lands in /var/spool/MailSanner/quarantine//QUEUE.ID which contains the message, and any attachments separated out.

Here's an example of one such message:
https://pastebin.com/9kRE9fXE

"rocketmail.com.gz" isn't present in the original message. I presumed that MailScanner was just repacking the filename similarly to what it does in the report when encountering an overly long filename.

> The results from `file` are only relevant for file type rules, not file name rules.

I know - I just added that to cover my bases.

> Again, the name MailScanner is rejecting is "rocketmail.com.gz". To understand why, we need to see all the MIME part headers from the message.

It's in the pastebin post.

Thanks much...

...Kevin

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From mark at msapiro.net Wed Oct 30 18:38:32 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 30 Oct 2019 11:38:32 -0700
Subject: Filename.rules.conf
In-Reply-To:
References: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local> <246d12a8b3344ecfb358208cffe1f960@City-Exch-DB2.cbj.local> <18565eda-3013-7fba-f987-060b4cf2aa97@msapiro.net> <3bcce1c09d7746d081e3034fee6e5385@City-Exch-DB2.cbj.local> <81b88a7a-1f73-b459-50e2-5033ef092864@msapiro.net>
Message-ID:

On 10/28/19 3:13 PM, Kevin Miller wrote:
>
>> Again, the name MailScanner is rejecting is "rocketmail.com.gz". To understand why, we need to see all the MIME part headers from the message.
>
> It's in the pastebin post.

The pastebin post is clear that the only name is
"rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz" and any of
the regexps '.*\.com[^.]*\.xml\.gz$', '.*\.com[^.]*\.xml(\.gz)?$' or
'.*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$' will match that.

I've looked at the code and it appears that MailScanner is actually
looking at what it calls safename which may or may not be the
"rocketmail.com.gz" name in the report.
I'm not particularly fluent in perl and I haven't found exactly how safename is made from the original name. I'm not sure, but I'm guessing that that will also be the name of the attachment stored in the /var/spool/MailSanner/quarantine//QUEUE.ID/ directory. But if that's the case and it's looking at a name like "rocketmail.com.gz" which it made from "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz", it's hard to understand why other similar names are accepted. I do note that your earlier posts referred to the file being contained in a zip archive and you needed to put your allow rules in archives.filename.rules.conf. However, the file in the pastbin is not in a zip archive so it needs a rule in filename.rules.conf. Do you have your rules in both places? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From kevin.miller at juneau.org Wed Oct 30 22:32:46 2019 From: kevin.miller at juneau.org (Kevin Miller) Date: Wed, 30 Oct 2019 22:32:46 +0000 Subject: Filename.rules.conf In-Reply-To: References: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local> <246d12a8b3344ecfb358208cffe1f960@City-Exch-DB2.cbj.local> <18565eda-3013-7fba-f987-060b4cf2aa97@msapiro.net> <3bcce1c09d7746d081e3034fee6e5385@City-Exch-DB2.cbj.local> <81b88a7a-1f73-b459-50e2-5033ef092864@msapiro.net> Message-ID: <1e2662cf73444bff94632d878b60f233@City-Exch-DB2.cbj.local> Thanks again for looking Mark. I have entries in both filename.rules.conf and archive.filename.rules.conf. I think the path of least resistance at this point is just to enter "rocketmail.com.gz" in them as well. If that's what it's seeing, then I'll just live with it and give it a pass. Funny thing is, I haven't received any more reports from rocketmail since last week. Sooner or later one should turn up I expect. Best... ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 
155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357 -----Original Message----- From: MailScanner On Behalf Of Mark Sapiro Sent: Wednesday, October 30, 2019 10:39 AM To: mailscanner at lists.mailscanner.info Subject: Re: Filename.rules.conf EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS ________________________________ On 10/28/19 3:13 PM, Kevin Miller wrote: > >> Again, the name MailScanner is rejecting is "rocketmail.com.gz". To understand why, we need to see all the MIME part headers from the message. > > It's in the pastebin post. The pastebin post is clear that the only name is "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz" and any of the regexps '.*\.com[^.]*\.xml\.gz$', '.*\.com[^.]*\.xml(\.gz)?$' or '.*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$' will match that. I've looked at the code and it appears that MailScanner is actually looking at what it calls safename which may or may not be the "rocketmail.com.gz" name in the report. I'm not particularly fluent in perl and I haven't found exactly how safename is made from the original name. I'm not sure, but I'm guessing that that will also be the name of the attachment stored in the /var/spool/MailSanner/quarantine//QUEUE.ID/ directory. But if that's the case and it's looking at a name like "rocketmail.com.gz" which it made from "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz", it's hard to understand why other similar names are accepted. I do note that your earlier posts referred to the file being contained in a zip archive and you needed to put your allow rules in archives.filename.rules.conf. However, the file in the pastbin is not in a zip archive so it needs a rule in filename.rules.conf. Do you have your rules in both places? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner From lee.iitb at gmail.com Thu Oct 31 04:02:19 2019 From: lee.iitb at gmail.com (Thomas Stephen Lee) Date: Thu, 31 Oct 2019 09:32:19 +0530 Subject: Filename.rules.conf In-Reply-To: <1e2662cf73444bff94632d878b60f233@City-Exch-DB2.cbj.local> References: <829bbca593b840dc89101a831675d397@City-Exch-DB2.cbj.local> <246d12a8b3344ecfb358208cffe1f960@City-Exch-DB2.cbj.local> <18565eda-3013-7fba-f987-060b4cf2aa97@msapiro.net> <3bcce1c09d7746d081e3034fee6e5385@City-Exch-DB2.cbj.local> <81b88a7a-1f73-b459-50e2-5033ef092864@msapiro.net> <1e2662cf73444bff94632d878b60f233@City-Exch-DB2.cbj.local> Message-ID: Hi, We too had same issue. put the rules in both filename.rules.conf and archive.filename.rules.conf and ran the following command with our email ids replaced. $ echo "Testing MailScanner new config for whitelisting rocketmail dmarc on $(date +"%d/%m/%Y") at $(date +"%T")" | mailx -a rocketmail.com.gz -r "User " -S from="From: User " -s "Testing MailScanner new config on $(date +"%d/%m/%Y") at $(date +"%T")" user at example.com and the mail came through without issues. Also, you can send one or two mails to some contact with rocketmail id from your server and wait for the dmarc report. thanks --- Thomas Stephen Lee On Thu, Oct 31, 2019 at 4:03 AM Kevin Miller wrote: > Thanks again for looking Mark. I have entries in both filename.rules.conf > and archive.filename.rules.conf. I think the path of least resistance at > this point is just to enter "rocketmail.com.gz" in them as well. If that's > what it's seeing, then I'll just live with it and give it a pass. > > Funny thing is, I haven't received any more reports from rocketmail since > last week. Sooner or later one should turn up I expect. > > Best... > > ...Kevin > -- > Kevin Miller > Network/email Administrator, CBJ MIS Dept. 
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
> -----Original Message-----
> From: MailScanner juneau.org at lists.mailscanner.info> On Behalf Of Mark Sapiro
> Sent: Wednesday, October 30, 2019 10:39 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Filename.rules.conf
>
> EXTERNAL E-MAIL: BE CAUTIOUS WHEN OPENING FILES OR FOLLOWING LINKS
>
> ________________________________
>
> On 10/28/19 3:13 PM, Kevin Miller wrote:
> >
> >> Again, the name MailScanner is rejecting is "rocketmail.com.gz". To
> >> understand why, we need to see all the MIME part headers from the message.
> >
> > It's in the pastebin post.
>
> The pastebin post is clear that the only name is
> "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz" and any of the
> regexps '.*\.com[^.]*\.xml\.gz$', '.*\.com[^.]*\.xml(\.gz)?$' or
> '.*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$' will match that.
>
> I've looked at the code and it appears that MailScanner is actually
> looking at what it calls safename which may or may not be the
> "rocketmail.com.gz" name in the report. I'm not particularly fluent in perl
> and I haven't found exactly how safename is made from the original name.
> I'm not sure, but I'm guessing that that will also be the name of the
> attachment stored in the /var/spool/MailSanner/quarantine//QUEUE.ID/
> directory.
>
> But if that's the case and it's looking at a name like "rocketmail.com.gz"
> which it made from "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz",
> it's hard to understand why other similar names are accepted.
>
> I do note that your earlier posts referred to the file being contained in
> a zip archive and you needed to put your allow rules in
> archives.filename.rules.conf. However, the file in the pastebin is not in a
> zip archive so it needs a rule in filename.rules.conf. Do you have your
> rules in both places?
>
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
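
Added example, not part of any message in the thread: a Python check of the three regexps quoted above against both the original attachment name and the shortened name that was reported as rejected. It assumes Perl's unanchored match behaves like re.search and that rules are tried in order with the first match deciding; the LOOSE and ANCHORED patterns and the probe names are constructed for illustration.

```python
import re

# Names quoted in the thread: the attachment's original name and the
# shortened name MailScanner reported as rejected.
ORIGINAL = "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz"
REPORTED = "rocketmail.com.gz"

# The three allow regexps quoted in Mark Sapiro's message.
THREAD_PATTERNS = [
    r".*\.com[^.]*\.xml\.gz$",
    r".*\.com[^.]*\.xml(\.gz)?$",
    r".*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$",
]

# Constructed for this example (not from the thread): two spellings of the
# 'just enter "rocketmail.com.gz"' workaround as a regexp.
LOOSE = r"rocketmail.com.gz"
ANCHORED = r"^rocketmail\.com\.gz$"


def matching(name, patterns):
    """Return the patterns that match name (unanchored search, as in Perl)."""
    return [p for p in patterns if re.search(p, name)]


def first_match(name, rules):
    """Action of the first (action, regexp) rule that matches, else None.

    Assumption: rules are tried top to bottom and the first hit decides.
    """
    for action, pattern in rules:
        if re.search(pattern, name):
            return action
    return None


if __name__ == "__main__":
    for name in (ORIGINAL, REPORTED):
        hits = matching(name, THREAD_PATTERNS)
        print(f"{name!r}: {len(hits)} of {len(THREAD_PATTERNS)} thread regexps match")
    thread_rules = [("allow", p) for p in THREAD_PATTERNS]
    print("reported name, thread rules only:", first_match(REPORTED, thread_rules))
    # Constructed look-alike names that an allow rule should not cover.
    for probe in (REPORTED, "rocketmail.com.gz.exe", "rocketmailXcomYgz"):
        print(probe, "loose:", first_match(probe, [("allow", LOOSE)]),
              "anchored:", first_match(probe, [("allow", ANCHORED)]))
```

None of the quoted regexps can match the shortened name, so an allow rule written for the full name has no effect if the shortened name is the one being tested. Writing the workaround as an anchored, escaped literal keeps it from also covering look-alike names.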