From blickarocks at yahoo.com.au Mon Aug 2 14:55:38 2021
From: blickarocks at yahoo.com.au (Blicka)
Date: Tue, 3 Aug 2021 00:55:38 +1000
Subject: View Difference Between Original Email & Disarmed Version
Message-ID: <0e058830-7a0e-7db8-36d0-7b40138a9cdd@yahoo.com.au>

Hello,

Does anyone know how to view the difference between the raw content of an incoming email and the resultant copy which is disarmed?

My customers say "So what got removed?"

Thanks

From mark at msapiro.net Tue Aug 3 00:45:34 2021
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 2 Aug 2021 17:45:34 -0700
Subject: View Difference Between Original Email & Disarmed Version
In-Reply-To: <0e058830-7a0e-7db8-36d0-7b40138a9cdd@yahoo.com.au>
References: <0e058830-7a0e-7db8-36d0-7b40138a9cdd@yahoo.com.au>
Message-ID:

On 8/2/21 7:55 AM, Blicka via MailScanner wrote:
> Hello,
>
> Does anyone know how to view the difference between the raw content of
> an incoming email and the resultant copy which is disarmed?
>
> My customers say "So what got removed?"

The answer is "nothing"

Things did get added though. MailScanner does two kinds of disarming. It disarms links whose display text looks like a host name and whose target is a different host. It does this by transforming a link like

MailScanner has detected a possible fraud attempt from "lnks.gd" claiming to be

so the link becomes

MailScanner has detected a possible fraud attempt from "lnks.gd" claiming to be planbayarea.org.

This transformation is obvious in the resultant email because of the red "MailScanner has detected a possible fraud attempt from "lnks.gd" claiming to be".

The other disarming consists of pointing Web Bug 1x1 pixel image tags to point to a non-tracking site. E.g.,

gets something like

https://s3.amazonaws.com/msv5/images/spacer.gif" width="1" height="1" alt="Web Bug from

added so it becomes

Web Bug from
https://links.govdelivery.com/track?enid=3DZWFzPTEmYnVsbG...

The https://s3.amazonaws.com/msv5/images/spacer.gif location is whatever is configured as 'Web Bug Replacement' in your MailScanner configuration.

This transformation is not visible in the rendered HTML, but neither was the original. If you want to see it, you can look for 'Web Bug' in the HTML source.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From rodney at rcrcomputing.com Tue Aug 3 19:36:32 2021
From: rodney at rcrcomputing.com (Rodney Richison)
Date: Tue, 3 Aug 2021 14:36:32 -0500
Subject: Upgrade question
Message-ID:

Have a quick question on the upgrade path for ubuntu.

I see now there are .deb files to install, however, that is not the method we used to install mailscanner many moons ago.

Have upgraded before using the install.sh
Was wondering, from here. Should I still use the .deb file for the upgrade?
|/usr/sbin/ms-configure --update|

From shawniverson at summitgrid.com Tue Aug 3 19:44:12 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Tue, 3 Aug 2021 15:44:12 -0400
Subject: Upgrade question
In-Reply-To:
References:
Message-ID:

Yes, use the deb before executing the ms-configure command.

On 8/3/21 3:36 PM, Rodney Richison wrote:
> Have a quick question on the upgrade path for ubuntu.
>
> I see now there are .deb files to install, however, that is not the
> method we used to install mailscanner many moons ago.
>
> Have upgraded before using the install.sh
> Was wondering, from here. Should I still use the .deb file for the
> upgrade?
> |/usr/sbin/ms-configure --update|

From mailscanner-list at okla.com Wed Aug 4 08:35:21 2021
From: mailscanner-list at okla.com (OKLA Mailscanner)
Date: Wed, 4 Aug 2021 03:35:21 -0500
Subject: ESETS endpoint antivirus for linux?
Message-ID: <275f01d7890b$aa16b760$fe442620$@okla.com>

Is ESETS endpoint antivirus for linux supported with the latest stable release?

Thanks,

Tracy Greggs

From shawniverson at summitgrid.com Wed Aug 4 10:26:57 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Wed, 4 Aug 2021 06:26:57 -0400
Subject: ESETS endpoint antivirus for linux?
In-Reply-To: <275f01d7890b$aa16b760$fe442620$@okla.com>
References: <275f01d7890b$aa16b760$fe442620$@okla.com>
Message-ID: <153d7dd7-0074-2c0a-f28b-16836997ada4@summitgrid.com>

It should work with some effort. ESETS does require some permission work to run properly with MailScanner. I don't have the details, though.

On 8/4/21 4:35 AM, OKLA Mailscanner via MailScanner wrote:
>
> Is ESETS endpoint antivirus for linux supported with the latest stable
> release?
>
> Thanks,
>
> Tracy Greggs

From mailscanner at barendse.to Wed Aug 11 07:31:14 2021
From: mailscanner at barendse.to (mailscanner at barendse.to)
Date: Wed, 11 Aug 2021 09:31:14 +0200 (CEST)
Subject: MailScanner has detected a possible fraud attempt from "eur03.safelinks.protection.outlook.com" claiming to be [whatever]
Message-ID:

Is there any way to 'exempt' links that have been neutralized by outlook from getting the "detected a possible fraud attempt" ? More and more emails contain this and one warning is added on every link every time the mail is replied to so they just stack up in the email.

Thanks!

From alex at vidadigital.com.pa Wed Aug 11 11:56:34 2021
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Wed, 11 Aug 2021 06:56:34 -0500
Subject: MailScanner has detected a possible fraud attempt from "eur03.safelinks.protection.outlook.com" claiming to be [whatever]
In-Reply-To:
References:
Message-ID:

I think you mean "neutralized by O365" - Outlook is just the client and doesn't neutralize links by itself. Some antivirus programs also do this by redirecting through their individual checkers.

You could use the following setting:

Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf

And use a list of sites to be exempted from this, such as "*.safelinks.protection.outlook.com". I've never tested this though.

Alex Neuman van der Hans
Producer/Host, Vida Digital
+1 (440) 253-9789 | +507 6781-9505 | Panama
alex at vidadigital.com.pa | vidadigital.com.pa/
Skype:alexneuman | wiseintro.co/alexneuman

On Wed, Aug 11, 2021 at 2:31 AM wrote:

> Is there any way to 'exempt' links that have been neutralized by outlook
> from getting the "detected a possible fraud attempt" ? More and more
> emails contain this and one warning is added on every link every time the
> mail is replied to so they just stack up in the email.
>
> Thanks!
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner

From mhdhazwan at sains.com.my Wed Aug 11 08:49:43 2021
From: mhdhazwan at sains.com.my (Muhammad Hazwan Bin Abdul Rahman)
Date: Wed, 11 Aug 2021 16:49:43 +0800
Subject: MailScanner to detect same sender with multiple incoming email
Message-ID: <2fbcc09c-c401-0887-c9f5-1cd18594f3ac@sains.com.my>

I have a mail server that is configured with mailscanner and spamassassin. Lately, I have received a kind of bot attack of email in which the sender sends an email to multiple recipients (>100) in a short time.

One of my rules in spamassassin is to detect any sender which is sending to more than 20 persons as high scoring spam value. However, since the attack is a private 1 to 1 mail but many recipients (I'm assuming the attacker is using some kind of script), my rule can't hit that behavior.

I'm asking is there any other way of trying to catch this style of attack using mailscanner and spamassassin?

Using Centos 7 as my OS.

Thanks

--
Regards,
Hazwan

From alex at vidadigital.com.pa Wed Aug 11 18:31:14 2021
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Wed, 11 Aug 2021 13:31:14 -0500
Subject: MailScanner to detect same sender with multiple incoming email
In-Reply-To: <2fbcc09c-c401-0887-c9f5-1cd18594f3ac@sains.com.my>
References: <2fbcc09c-c401-0887-c9f5-1cd18594f3ac@sains.com.my>
Message-ID:

Probably not. You may have to implement a rule using milter-sender or similar tools.

Alex Neuman van der Hans
Producer/Host, Vida Digital
+1 (440) 253-9789 | +507 6781-9505 | Panama
alex at vidadigital.com.pa | vidadigital.com.pa/
Skype:alexneuman | wiseintro.co/alexneuman

On Wed, Aug 11, 2021 at 12:29 PM Muhammad Hazwan Bin Abdul Rahman <mhdhazwan at sains.com.my> wrote:

> I have a mail server that is configured with mailscanner and spamassassin.
> Lately, I have received a kind of bot attack of email in which the sender
> sends an email to multiple recipients (>100) in a short time.
>
> One of my rules in spamassassin is to detect any sender which is
> sending to more than 20 persons as high scoring spam value.
> However, since the attack is a private 1 to 1 mail but many recipients
> (I'm assuming the attacker is using some kind of script), my rule can't hit
> that behavior.
>
> I'm asking is there any other way of trying to catch this style of attack
> using mailscanner and spamassassin?
>
> Using Centos 7 as my OS.
>
> Thanks
>
> --
> Regards,
> Hazwan

From rforeman at lsfiore.com Wed Aug 11 18:49:07 2021
From: rforeman at lsfiore.com (Robert Foreman)
Date: Wed, 11 Aug 2021 18:49:07 +0000
Subject: MailScanner to detect same sender with multiple incoming email
In-Reply-To:
References: <2fbcc09c-c401-0887-c9f5-1cd18594f3ac@sains.com.my>
Message-ID: <2D88DF5005F21148A721DDC080F7C4E87BDCCCAF@FIORE-EXCH.lsfiore.com>

I have a script in crontab to check smtp log information from zeek every so often. You'll need to make the script executable with

chmod a+rx /nsm/zeek/smtp-toomany.sh

Crontab entry:
*/10 * * * * /nsm/zeek/smtp-toomany.sh

Script: /nsm/zeek/spool/zeek/smtp-toomany.sh

#!/bin/bash
# Alert for more than 9 of anything of the same type
# Alert for more than 750 messages in the past hour

# Count repeated from/subject/received/reply_to values and keep those seen more than 9 times
touch /nsm/zeek/spool/zeek/smtp-toomany-mailfrom.txt
cat /nsm/zeek/spool/zeek/smtp.log | jq . | grep -E "from|subject|received|reply_to" | sort | uniq -c | sort -nr | awk ' $1 > 9' > /nsm/zeek/spool/zeek/smtp-toomany-mailfrom.txt
if (($(/usr/bin/wc -l < /nsm/zeek/spool/zeek/smtp-toomany-mailfrom.txt) > 0))
then
    mail -s "ALERT: [SMTP] More than 9 messages from the same from|subject|received|reply_to in the last hour" your@email.com < /nsm/zeek/spool/zeek/smtp-toomany-mailfrom.txt
fi

# Total volume check on the smtp.log line count, with a per-mailfrom breakdown
if (( $(/usr/bin/wc -l < /nsm/zeek/spool/zeek/smtp.log) > 750))
then
    echo "ALERT: More than 750 messages in the last hour (check made every 17min)" >/nsm/zeek/spool/zeek/smtp-toomany.txt
    cat /nsm/zeek/spool/zeek/smtp.log | jq .mailfrom | grep -v -E 'null' | sort | uniq -c | sort -nr >>/nsm/zeek/spool/zeek/smtp-toomany.txt
    echo `/usr/bin/wc -l < /nsm/zeek/spool/zeek/smtp.log` "total messages" >>/nsm/zeek/spool/zeek/smtp-toomany.txt
    echo "Source: mymachine@/nsm/zeek/spool/zeek/smtp.log" >>/nsm/zeek/spool/zeek/smtp-toomany.txt
    mail -s "ALERT: [SMTP] More than 750 messages in the last hour (check made every 17min)" your@email.com < /nsm/zeek/spool/zeek/smtp-toomany.txt
else
    echo "Less than 750 messages in the last hour (check made every 17min)" >/nsm/zeek/spool/zeek/smtp-toomany.txt
    cat /nsm/zeek/spool/zeek/smtp.log | jq .mailfrom | grep -v -E 'null' | sort | uniq -c | sort -nr >>/nsm/zeek/spool/zeek/smtp-toomany.txt
    echo `/usr/bin/wc -l < /nsm/zeek/spool/zeek/smtp.log` "total messages" >>/nsm/zeek/spool/zeek/smtp-toomany.txt
    echo "Source: mymachine@/nsm/zeek/spool/zeek/smtp.log" >>/nsm/zeek/spool/zeek/smtp-toomany.txt
fi

From: MailScanner [mailto:mailscanner-bounces+rforeman=lsfiore.com at lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Wednesday, August 11, 2021 2:31 PM
To: MailScanner Discussion
Subject: Re: MailScanner to detect same sender with multiple incoming email

Probably not. You may have to implement a rule using milter-sender or similar tools.

Alex Neuman van der Hans
Producer/Host, Vida Digital
+1 (440) 253-9789 | +507 6781-9505 | Panama
alex at vidadigital.com.pa | vidadigital.com.pa/
Skype:alexneuman | wiseintro.co/alexneuman

On Wed, Aug 11, 2021 at 12:29 PM Muhammad Hazwan Bin Abdul Rahman wrote:

I have a mail server that is configured with mailscanner and spamassassin. Lately, I have received a kind of bot attack of email in which the sender sends an email to multiple recipients (>100) in a short time.

One of my rules in spamassassin is to detect any sender which is sending to more than 20 persons as high scoring spam value. However, since the attack is a private 1 to 1 mail but many recipients (I'm assuming the attacker is using some kind of script), my rule can't hit that behavior.

I'm asking is there any other way of trying to catch this style of attack using mailscanner and spamassassin?

Using Centos 7 as my OS.

Thanks

--
Regards,
Hazwan

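Added example (not part of Robert Foreman's post and not MailScanner code): the pattern described in this thread, one envelope sender mailing many recipients one message at a time, can be counted across messages from the same Zeek smtp.log. It assumes Zeek's JSON log format with an epoch `ts` plus the `mailfrom` and `rcptto` fields; the 600-second window, the threshold of 20 and the sample records are constructed for illustration.

```python
import json
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed look-back window
MAX_RECIPIENTS = 20    # assumed threshold (the per-message rule in the thread uses 20)


def parse_events(lines):
    """Yield (ts, sender, recipient) for every envelope recipient in a Zeek JSON smtp.log."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rec = json.loads(line)
            ts = float(rec["ts"])
        except (ValueError, KeyError, TypeError):
            continue                      # truncated line or non-epoch timestamp
        sender = (rec.get("mailfrom") or "").strip("<> ").lower()
        if not sender:
            continue                      # empty MAIL FROM (bounces) is not attributed
        for rcpt in rec.get("rcptto") or []:
            yield ts, sender, rcpt.strip("<> ").lower()


def burst_senders(lines, window=WINDOW_SECONDS, limit=MAX_RECIPIENTS):
    """Return {sender: peak distinct recipients inside any `window` seconds} where peak > limit."""
    recent = defaultdict(deque)   # sender -> (ts, recipient) pairs still inside the window
    live = defaultdict(dict)      # sender -> {recipient: occurrences inside the window}
    peaks = {}
    for ts, sender, rcpt in sorted(parse_events(lines)):
        queue, seen = recent[sender], live[sender]
        queue.append((ts, rcpt))
        seen[rcpt] = seen.get(rcpt, 0) + 1
        # Expire deliveries that fell out of the sliding window.
        while queue[0][0] < ts - window:
            _, old = queue.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) > limit:
            peaks[sender] = max(peaks.get(sender, 0), len(seen))
    return peaks


def constructed_log():
    """Constructed sample: a scripted sender, a slow sender and one ordinary multi-recipient mail."""
    base = 1628670000.0
    rows = []
    for i in range(25):   # 25 single-recipient messages, 10 seconds apart
        rows.append({"ts": base + 10 * i, "mailfrom": "bot@example.net",
                     "rcptto": [f"user{i}@example.com"]})
    for i in range(25):   # same volume, one message per hour
        rows.append({"ts": base + 3600 * i, "mailfrom": "<slow@example.org>",
                     "rcptto": [f"user{i}@example.com"]})
    rows.append({"ts": base + 5, "mailfrom": "news@example.org",
                 "rcptto": ["a@example.com", "b@example.com", "c@example.com"]})
    return [json.dumps(row) for row in rows]


if __name__ == "__main__":
    for sender, peak in burst_senders(constructed_log()).items():
        print(f"{sender}: {peak} distinct recipients within {WINDOW_SECONDS}s")
```
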

From it at festa.bg Fri Aug 13 06:36:32 2021
From: it at festa.bg (Valentin Laskov)
Date: Fri, 13 Aug 2021 09:36:32 +0300
Subject: ms-update-sa.xxxxxxxxx files in /tmp
Message-ID: <0dd29733-bdf0-9043-877f-369ff1cb12ce@festa.bg>

Hello,

I have many empty files as ms-update-sa.1208053701 in /tmp directory

Regards!
Valentin

From mhdhazwan at sains.com.my Fri Aug 13 11:17:09 2021
From: mhdhazwan at sains.com.my (Muhammad Hazwan Bin Abdul Rahman)
Date: Fri, 13 Aug 2021 19:17:09 +0800
Subject: HTML disarm method
Message-ID:

Hi All,

I'm trying to disarm HTML a-tag using regex search and replace utilizing MailScanner CustomAction.pm.

However, I'm currently blocked by the use of the custom parameter itself.

1. How do I pass custom(parameter)? Any example? Reason is I want this custom to run only during message score is spam.

2. How do I know my custom logic is running? via Maillog too general to tell.
Log example:

MailScanner[XXXX]: Spam Actions: message XXXXXX.XXXX actions are custom,deliver,header

3. How do I access the content of the email itself, many of the .pm file are focus more to header part , was this correct "$message"? or I need to point to something? Any place where I can refer for all this information?

Thanks

--
Regards,
Hazwan

From mark at msapiro.net Fri Aug 13 15:42:57 2021
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 13 Aug 2021 08:42:57 -0700
Subject: ms-update-sa.xxxxxxxxx files in /tmp
In-Reply-To: <0dd29733-bdf0-9043-877f-369ff1cb12ce@festa.bg>
References: <0dd29733-bdf0-9043-877f-369ff1cb12ce@festa.bg>
Message-ID: <75432bac-0865-e4f1-b4b9-55b1215a1ad0@msapiro.net>

On 8/12/21 11:36 PM, Valentin Laskov wrote:
> Hello,
>
> I have many empty files as ms-update-sa.1208053701 in /tmp directory

These are log files written by the /usr/sbin/ms-update-sa job. The digits are a time stamp. E.g. 12/8 05:37:01 for the above. See /etc/MailScanner/defaults for what jobs are run and how often.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From shawniverson at summitgrid.com Sat Aug 14 10:17:38 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Sat, 14 Aug 2021 06:17:38 -0400
Subject: HTML disarm method
In-Reply-To:
References:
Message-ID: <44e4e69a-0956-c55f-4297-d2143eb70174@summitgrid.com>

On 8/13/21 7:17 AM, Muhammad Hazwan Bin Abdul Rahman wrote:
> Hi All,
>
> I'm trying to disarm HTML a-tag using regex search and replace
> utilizing MailScanner CustomAction.pm.
>
> However, I'm currently blocked by the use of the custom parameter
> itself.
>
> 1. How do I pass custom(parameter)? Any example? Reason is I want this
> custom to run only during message score is spam.

Here's an example of passing "spam" or "notspam" as a parameter.

https://github.com/E-F-A/v4/blob/master/rpmbuild/SOURCES/eFa-4.0.4/eFa/CustomAction.pm

>
> 2. How do I know my custom logic is running? via Maillog too general
> to tell.
> Log example:
>
> MailScanner[XXXX]: Spam Actions: message XXXXXX.XXXX actions are
> custom,deliver,header

You will want to add logging logic to your CustomAction.pm yourself.

>
> 3. How do I access the content of the email itself, many of the .pm
> file are focus more to header part , was this correct "$message"? or I
> need to point to something? Any place where I can refer for all this
> information?
>
> Thanks
>

Again, take a look at the sample CustomAction.pm above, specifically the CustomAction sub.

From shawniverson at summitgrid.com Sat Aug 14 10:54:19 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Sat, 14 Aug 2021 06:54:19 -0400
Subject: HTML disarm method
In-Reply-To: <44e4e69a-0956-c55f-4297-d2143eb70174@summitgrid.com>
References: <44e4e69a-0956-c55f-4297-d2143eb70174@summitgrid.com>
Message-ID: <800897e2-68e3-7938-f275-bea74052402b@summitgrid.com>

>>
>> 3. How do I access the content of the email itself, many of the .pm
>> file are focus more to header part , was this correct "$message"? or
>> I need to point to something? Any place where I can refer for all
>> this information?
>>
>> Thanks
>>
> Again, take a look at the sample CustomAction.pm above, specifically the
> CustomAction sub.
>
>

Also take a look at Message.pm for subroutines that access and modify the message itself. The message content is typically not stored in memory but rather on disk and will need parsed and written back.

From mailscanner at barendse.to Mon Aug 16 15:16:04 2021
From: mailscanner at barendse.to (mailscanner at barendse.to)
Date: Mon, 16 Aug 2021 17:16:04 +0200 (CEST)
Subject: Viewing archived email - is there a way or a script to search and view the archive?
Message-ID:

Hi list!

Google didn't help me much but as the archive option has been in MailScanner for quite a while, I guess other people must have looked at this.

I am running Ubuntu 20.04 + postfix + MailScanner and using the archive option to retain all in+outbound email. The email gets stored in the form of a file, i.e. :
/var/spool/MailScanner/archive/20210812/1912312116B.ABDE5

Is there any way to make the archive searchable either by text or email addresses mail was sent/to from? Doing grep and then postcat on each file works but becomes cumbersome if search criterion is wide and there are a lot of hits.

Google brought me a lot of hits on finding stuff in the postfix queue and then doing something with that but very little on an archive.

Thanks!
Remco

From shawniverson at summitgrid.com Mon Aug 16 16:14:35 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 16 Aug 2021 12:14:35 -0400
Subject: Viewing archived email - is there a way or a script to search and view the archive?
In-Reply-To:
References:
Message-ID: <4fd75e38-fc0b-6e4a-4197-aed0f34a4aa5@summitgrid.com>

Tried MailWatch?

https://mailwatch.org/

I'm not sure it will look in the archive, though, but if not, it could be a feature request.

On 8/16/21 11:16 AM, mailscanner at barendse.to wrote:
> Hi list!
>
> Google didn't help me much but as the archive option has been in
> MailScanner for quite a while, I guess other people must have looked
> at this.
>
> I am running Ubuntu 20.04 + postfix + MailScanner and using the archive
> option to retain all in+outbound email. The email gets stored in
> the form of a file, i.e. :
> /var/spool/MailScanner/archive/20210812/1912312116B.ABDE5
>
> Is there any way to make the archive searchable either by text or
> email addresses mail was sent/to from? Doing grep and then postcat on
> each file works but becomes cumbersome if search criterion is wide and
> there are a lot of hits.
>
> Google brought me a lot of hits on finding stuff in the postfix queue
> and then doing something with that but very little on an archive.
>
> Thanks!
> Remco

From mailscanner at barendse.to Thu Aug 19 09:16:58 2021
From: mailscanner at barendse.to (mailscanner at barendse.to)
Date: Thu, 19 Aug 2021 11:16:58 +0200 (CEST)
Subject: NOQUEUE: reject: RCPT from unknown
Message-ID:

I'm trying to figure out why some cannot send email.

In my postfix main.cf I have :

smtpd_relay_restrictions = permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unknown_sender_domain
    reject_unknown_client_hostname
    reject_unknown_reverse_client_hostname

Some mail gets rejected with :

Aug 18 14:01:26 gw1 postfix/smtpd[171903]: NOQUEUE: reject: RCPT from unknown[95.97.58.162]: 450 4.7.25 Client host rejected: cannot find your hostname, [95.97.58.162]; from= to= proto=ESMTP helo=

But then when I do :
host 95.97.58.162
162.58.97.95.in-addr.arpa domain name pointer smtp.mijnders-transport.nl.

I already added the domain to helo_access, where am I going wrong?

From belle at bazuin.nl Thu Aug 19 11:21:41 2021
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 19 Aug 2021 13:21:41 +0200
Subject: NOQUEUE: reject: RCPT from unknown
In-Reply-To:
References:
Message-ID:

dig mx mijnders-transport.nl
;mijnders-transport.nl. IN MX

;; ANSWER SECTION:
mijnders-transport.nl. 3600 IN MX 10 mail.mijnders-transport.nl.
mijnders-transport.nl. 3600 IN MX 20 mailcluster01.ic-cloud.nl.
mijnders-transport.nl. 3600 IN MX 15 smtp.mijnders-transport.nl.

dig a mail.mijnders-transport.nl
;; ANSWER SECTION:
mail.mijnders-transport.nl. 3600 IN A 95.97.58.162

dig a mailcluster01.ic-cloud.nl.
;; ANSWER SECTION:
mailcluster01.ic-cloud.nl. 3600 IN A 5.200.9.229
mailcluster01.ic-cloud.nl. 3600 IN A 80.113.12.211

dig a smtp.mijnders-transport.nl
;; ANSWER SECTION:
smtp.mijnders-transport.nl. 3600 IN A 80.101.110.162

dig -x 95.97.58.162
;; ANSWER SECTION:
162.58.97.95.in-addr.arpa. 86400 IN PTR smtp.mijnders-transport.nl.

dig -x 80.101.110.162
;; ANSWER SECTION:
162.110.101.80.in-addr.arpa. 86400 IN PTR a80-101-110-162.adsl.xs4all.nl.

dig -x 5.200.9.229
;; ANSWER SECTION:
229.9.200.5.in-addr.arpa. 3600 IN PTR smtp2.ic-cloud.nl.

dig -x 80.113.12.211
;; ANSWER SECTION:
211.12.113.80.in-addr.arpa. 14400 IN PTR smtp1.ic-cloud.nl.

So far, this looks good but now this..
helo=

dig a mijnders-transport.nl
;; ANSWER SECTION:
mijnders-transport.nl. 3600 IN A 157.97.171.171

Do you see what you did wrong?

The hint is :
mail.mijnders-transport.nl. 3600 IN A 95.97.58.162
162.58.97.95.in-addr.arpa. 86400 IN PTR smtp.mijnders-transport.nl.

Remove the A DNS record for mail.mijnders-transport.nl and add CNAME to smtp.mijnders-transport.nl
That should fix part 1.

Also, change the helo name to : mail.mijnders-transport.nl
Don't use "DOMAINNAMES" anywhere, use FQDN's..
mijnders-transport.nl != FQDN

Repeat my steps as shown above, if your output is different, then maybe you "just" adjusted the dns and it's not fully ready?

I hope this helps you a bit. If not, start reading here.
https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.4

Greetz,

Louis

> -----Original message-----
> From: MailScanner
> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On behalf of mailscanner at barendse.to
> Sent: Thursday 19 August 2021 11:17
> To: MailScanner mailing list
> Subject: NOQUEUE: reject: RCPT from unknown
>
> I'm trying to figure out why some cannot send email.
>
> In my postfix main.cf I have :
>
> smtpd_relay_restrictions = permit_mynetworks
>     permit_sasl_authenticated
>     defer_unauth_destination
>
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_helo_access hash:/etc/postfix/helo_access
>     reject_invalid_helo_hostname
>     reject_non_fqdn_helo_hostname
>     reject_unknown_helo_hostname
>
> smtpd_sender_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unknown_sender_domain
>     reject_unknown_client_hostname
>     reject_unknown_reverse_client_hostname
>
> Some mail gets rejected with :
>
> Aug 18 14:01:26 gw1 postfix/smtpd[171903]: NOQUEUE: reject: RCPT from
> unknown[95.97.58.162]: 450 4.7.25 Client host rejected:
> cannot find your
> hostname, [95.97.58.162]; from=
> to= proto=ESMTP helo=
>
> But then when I do :
> host 95.97.58.162
> 162.58.97.95.in-addr.arpa domain name pointer
> smtp.mijnders-transport.nl.
>
> I already added the domain to helo_access, where am I going wrong?

From pramod at mindspring.co.za Mon Aug 23 10:49:45 2021
From: pramod at mindspring.co.za (Pramod Daya)
Date: Mon, 23 Aug 2021 10:49:45 +0000
Subject: Embedded Hostile links
Message-ID:

Hi,

I'm seeing embedded hostile links in HTML formatted emails - which are not getting picked up by spearphishing detection. When I look at the email as plain text, they don't show up.. I tried creating a rule to identify the suspicious sites (usually bit.ly) and I can't seem to detect it with a spamassassin rule that searches the body of the email. Is spamassassin not able to view HTML formatted emails ?

Any advice would be welcome.

Thank you,

Pramod

From shawniverson at summitgrid.com Mon Aug 23 13:20:34 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 23 Aug 2021 09:20:34 -0400
Subject: Embedded Hostile links
In-Reply-To:
References:
Message-ID: <8c2234a2-4676-da98-d69d-a451da227d94@summitgrid.com>

This may be more of a spamassassin-related issue. Spamassassin should be able to read the HTML as well as text body.

On 8/23/21 6:49 AM, Pramod Daya via MailScanner wrote:
>
> Hi,
>
> I'm seeing embedded hostile links in HTML formatted emails - which are
> not getting picked up by spearphishing detection. When I look at the
> email as plain text, they don't show up.. I tried creating a rule to
> identify the suspicious sites (usually bit.ly) and I can't seem to
> detect it with a spamassassin rule that searches the body of the
> email. Is spamassassin not able to view HTML formatted emails ?
>
> Any advice would be welcome.
>
> Thank you,
>
> Pramod

From it at festa.bg Thu Aug 26 07:01:35 2021
From: it at festa.bg (Valentin Laskov)
Date: Thu, 26 Aug 2021 10:01:35 +0300
Subject: Viewing archived email - is there a way or a script to search and view the archive?
In-Reply-To:
References:
Message-ID:

Hello,

You can consider using forward instead of archive messages. For example, MailScanner in my config forwards all messages containing rar file attachments to a special mailbox.

Regards!
Valentin

On 16.08.2021 at 18:16, mailscanner at barendse.to wrote:
> Hi list!
>
> Google didn't help me much but as the archive option has been in
> MailScanner for quite a while, I guess other people must have looked
> at this.
>
> I am running Ubuntu 20.04 + postfix + MailScanner and using the archive
> option to retain all in+outbound email. The email gets stored in
> the form of a file, i.e. :
> /var/spool/MailScanner/archive/20210812/1912312116B.ABDE5
>
> Is there any way to make the archive searchable either by text or
> email addresses mail was sent/to from? Doing grep and then postcat on
> each file works but becomes cumbersome if search criterion is wide and
> there are a lot of hits.
>
> Google brought me a lot of hits on finding stuff in the postfix queue
> and then doing something with that but very little on an archive.
>
> Thanks!
> Remco

--
Tel.: +359 52 669137
GSM: +359 888 669137
Fax: +359 52 669110

From jeffreymen6 at gmail.com Thu Aug 26 07:52:51 2021
From: jeffreymen6 at gmail.com (Jeffrey Mendoza)
Date: Thu, 26 Aug 2021 01:52:51 -0600
Subject: Viewing archived email - is there a way or a script to search and view the archive?
In-Reply-To:
References:
Message-ID:

Why are you sending this to me.

On Thu, Aug 26, 2021, 1:01 AM Valentin Laskov wrote:

> Hello,
>
> You can consider using forward instead of archive messages. For example,
> MailScanner in my config forwards all messages containing rar file
> attachments to a special mailbox.
>
> Regards!
> Valentin
>
>
> On 16.08.2021 at 18:16, mailscanner at barendse.to wrote:
> > Hi list!
> >
> > Google didn't help me much but as the archive option has been in
> > MailScanner for quite a while, I guess other people must have looked
> > at this.
> >
> > I am running Ubuntu 20.04 + postfix + MailScanner and using the archive
> > option to retain all in+outbound email. The email gets stored in
> > the form of a file, i.e. :
> > /var/spool/MailScanner/archive/20210812/1912312116B.ABDE5
> >
> > Is there any way to make the archive searchable either by text or
> > email addresses mail was sent/to from? Doing grep and then postcat on
> > each file works but becomes cumbersome if search criterion is wide and
> > there are a lot of hits.
> >
> > Google brought me a lot of hits on finding stuff in the postfix queue
> > and then doing something with that but very little on an archive.
> >
> > Thanks!
> > Remco
>
> --
> Tel.: +359 52 669137
> GSM: +359 888 669137
> Fax: +359 52 669110

From pramod at mindspring.co.za Mon Aug 30 14:02:11 2021
From: pramod at mindspring.co.za (Pramod Daya)
Date: Mon, 30 Aug 2021 14:02:11 +0000
Subject: MailScanner 5.3.4 clamd does not appear to be participating.
In-Reply-To: <28624052-0755-4034-8BD7-42DFD2E26A2E@noc.ac.uk>
References: <28624052-0755-4034-8BD7-42DFD2E26A2E@noc.ac.uk>
Message-ID:

I'm having a similar issue which I can't resolve. What user do you run clamd as ?

Pramod Daya (CEO)
M.Sc. Computer Science (U. of Oregon)
Unit 5, Melomed Office Park
Punters Way, Kenilworth
Cape Town, South Africa 7708
www.mindspring.co.za (http://goo.gl/maps/My5KC)
Work: +27 21 657 1780
Cell: +27 83 6750367
pramod at mindspring.co.za

-----Original Message-----
From: MailScanner On Behalf Of Andrews, Vincent
Sent: Thursday, 01 April 2021 16:20
To: MailScanner Discussion
Subject: Re: MailScanner 5.3.4 clamd does not appear to be participating.

Hello,

Thanks for those pointers, it was an ownership issue to do with /var/run/clamd.mailscanner/clamd.sock. It was owned by the wrong account. It seems to be up and running now.

Vince.

On 31/03/2021, 15:17, "MailScanner on behalf of Christophe GRENIER" wrote:

On Wed, 31 Mar 2021, Andrews, Vincent wrote:

> Hello,
>
> We have a new MailScanner V5.3.4 on a CentOS 7 system. Running the --lint command proves that it can use both Sophos and clamd, however it is only Sophos that appears to be catching viruses.
>
> Clamd is installed via the OS route - version is 0.103.0-3.
>
> MailScanner.conf is "Virus Scanners = auto" was "Virus Scanners = clamd, sophos".
>
> Virus.scanners.conf entry for clamd is /bin/false, but as I cannot see a specific wrapper I assume that is Ok.
>
> I am loath to cut out Sophos from the list and see what happens.
>
> Do I need to do anything else?

Hello

A good start is to check your clamd configuration. On my CentOS servers, I am using /etc/clamd.d/mailscanner.conf

MaxThreads 50
FixStaleSocket true
LocalSocket /var/run/clamd.mailscanner/clamd.sock
User postfix
LogFile /var/log/clamd.mailscanner
LogFileMaxSize 0
LogVerbose yes
LogClean no
Debug no
LogTime yes
TemporaryDirectory /var/tmp

Check the daemon with

systemctl status clamd@mailscanner.service

If it's OK, use clamdscan (not clamscan) to check a file that can be read by everyone (ie. /etc/hosts):

clamdscan -c /etc/clamd.d/mailscanner.conf /etc/hosts
/etc/hosts: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.002 sec (0 m 0 s)
Start Date: 2021:03:31 16:13:29
End Date: 2021:03:31 16:13:29

Regards,
Christophe

--
Christophe GRENIER
grenier at cgsecurity.org
TestDisk & PhotoRec Data Recovery
https://www.cgsecurity.org
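
Added example (not from the thread and not MailScanner or ClamAV code): a check for the failure reported above, a clamd socket owned by the wrong account. It reads the LocalSocket and User directives in the format of the configuration quoted above; treating the socket owner as needing to equal User, and the mode-bit write test for the scanning account, are assumptions of this sketch, and the paths and account in the demo are constructed.

```python
import os
import pwd
import stat


def parse_clamd_conf(text):
    """Parse clamd.conf-style 'Directive value' lines into a dict (last value wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def owner_name(uid):
    """Account name for a uid, or the number itself when no passwd entry exists."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def can_write(st, uid, gids):
    """Mode-bit check: connecting to a Unix socket needs write permission on it."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def socket_findings(conf, scanner_uid, scanner_gids):
    """Return a list of problems with the LocalSocket named in a parsed clamd config."""
    path = conf.get("LocalSocket")
    if not path:
        return ["no LocalSocket directive: clamd is not listening on a Unix socket"]
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path} exists but is not a socket")
    wanted, actual = conf.get("User"), owner_name(st.st_uid)
    if wanted and actual != wanted:
        findings.append(f"{path} is owned by {actual}, but the config says User {wanted}")
    if not can_write(st, scanner_uid, scanner_gids):
        findings.append(f"uid {scanner_uid} has no write permission on {path}")
    return findings


if __name__ == "__main__":
    import socket
    import tempfile

    # Constructed demo: a throwaway socket owned by the current user, checked
    # against a config that expects a different (hypothetical) account.
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "clamd.sock")
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(sock_path)
        conf = parse_clamd_conf(f"LocalSocket {sock_path}\nUser constructed-clamd-user\n")
        for finding in socket_findings(conf, os.getuid(), os.getgroups()):
            print(finding)
        server.close()
```
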