From adrian at pa0rda.nl  Tue Oct 21 10:34:25 2025
From: adrian at pa0rda.nl (Adrian P. van Bloois)
Date: Tue, 21 Oct 2025 12:34:25 +0200
Subject: MailScanner Digest, Vol 228, Issue 3
In-Reply-To:
References:
Message-ID: <20251021103425.GA48495@pa0rda.nl>

I'm not sure if MailScanner is still developed.
If you take the sources from github you can choose which packaging you
want, rpm or deb or whatever.

On Sun, Sep 21, 2025 at 12:00:01PM +0000, mailscanner-request at lists.mailscanner.info wrote:
> Send MailScanner mailing list submissions to
>     mailscanner at lists.mailscanner.info
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
> or, via email, send a message with subject or body 'help' to
>     mailscanner-request at lists.mailscanner.info
>
> You can reach the person managing the list at
>     mailscanner-owner at lists.mailscanner.info
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of MailScanner digest..."
>
>
> Today's Topics:
>
>    1. Question about mailscanner package updates (Maarten)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 20 Sep 2025 14:37:47 +0200
> From: Maarten
> To: mailscanner at lists.mailscanner.info
> Subject: Question about mailscanner package updates
> Message-ID:
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> Hello,
>
> I'm redoing my personal mailserver setup and going from CentOS to
> Debian. Now I'm using Ansible to set up everything. I have just
> finished my entire setup and I just discovered that
> /etc/MailScanner/conf.d is included for custom settings. I don't
> really want to redo my MailScanner configuration right now. So my
> question is: if mailscanner is updated with an rpm or deb package and
> you then have to run ms-configure --update, at what point are updated
> changes made to MailScanner.conf, so that I can figure out at what
> point in my Ansible code to make a backup of my current configuration
> so that I can compare the old config to the new config to check if I
> need to make any changes to my Ansible template of MailScanner.conf?
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
> ------------------------------
>
> End of MailScanner Digest, Vol 228, Issue 3
> *******************************************

--
Adri P. van Bloois
It's never too late for early music!!!

From mailscanner at feedmebits.nl  Tue Oct 21 12:43:38 2025
From: mailscanner at feedmebits.nl (Maarten)
Date: Tue, 21 Oct 2025 14:43:38 +0200
Subject: MailScanner Digest, Vol 228, Issue 3
In-Reply-To: <20251021103425.GA48495@pa0rda.nl>
References: <20251021103425.GA48495@pa0rda.nl>
Message-ID:

Thanks for your reply! I did that.

Is there anyone in this mailing list that knows if that's the case or
not? If it's not being developed anymore then it might be better for me
to switch to something else.
Not sure what a better alternative would be if MailScanner is not being
actively developed anymore?

On 2025-10-21 12:34, Adrian P. van Bloois wrote:
> I'm not sure if MailScanner is still developed.
> If you take the sources from github you can choose which packaging you
> want, rpm or deb or whatever.

From jerry.benton at mailborder.com  Tue Oct 21 12:55:31 2025
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 21 Oct 2025 12:55:31 +0000
Subject: MailScanner Digest, Vol 228, Issue 3
In-Reply-To:
References: <20251021103425.GA48495@pa0rda.nl>
Message-ID:

From ChatGPT:

* If you want maximum control and are willing to build your filtering
  gateway logic (routing, policy, custom filters) from the ground up:
  go with MailScanner. It gives you the tools, you fill in the logic.
* If you want a robust, production-ready gateway that still allows
  customization but less build-from-scratch: go with Proxmox Mail
  Gateway.
* If you prefer something simpler because you don't want to spend a
  lot of time building and you're more concerned with "it works out of
  the box": consider MailCleaner - but check viability/updates for
  your scale, because of the development status.

My suggestion: MailScanner or Proxmox.

If you want to use MailScanner but want a GUI and are ok with CentOS,
try https://efa-project.org

--
Jerry Benton
www.mailborder.com
+1 843-800-8605

From: MailScanner on behalf of Maarten via MailScanner
Date: Tuesday, October 21, 2025 at 08:44
To: MailScanner Discussion
Cc: Maarten, Adrian P. van Bloois
Subject: Re: MailScanner Digest, Vol 228, Issue 3

Thanks for your reply! I did that.

Is there anyone in this mailing list that knows if that's the case or
not? If it's not being developed anymore then it might be better for me
to switch to something else.
Not sure what a better alternative would be if MailScanner is not being
actively developed anymore?

From mailscanner at feedmebits.nl  Tue Oct 21 13:00:47 2025
From: mailscanner at feedmebits.nl (Maarten)
Date: Tue, 21 Oct 2025 15:00:47 +0200
Subject: MailScanner Digest, Vol 228, Issue 3
In-Reply-To:
References: <20251021103425.GA48495@pa0rda.nl>
Message-ID: <0374e504bfdc0303f7b5a08618cdb498@feedmebits.nl>

Hello Jerry,

I'm happy with MailScanner. My only worry was that someone here
mentioned that MailScanner isn't actively developed anymore; that's why
I was asking if anyone knew any alternatives. Another option could also
be to try it without MailScanner since I'm only using it for my
personal mail setup.

Kind Regards,

Maarten

On 2025-10-21 14:55, Jerry Benton wrote:
> From ChatGPT:
>
> * If you want maximum control and are willing to build your
> filtering gateway logic (routing, policy, custom filters) from the
> ground up: go with MailScanner. It gives you the tools, you fill in
> the logic.
> * If you want a robust, production-ready gateway that still allows
> customization but less build-from-scratch: go with Proxmox Mail
> Gateway.
> * If you prefer something simpler because you don't want to spend a
> lot of time building and you're more concerned with "it works out
> of the box": consider MailCleaner - but check viability/updates
> for your scale, because of the development status.
>
> My suggestion: MailScanner or Proxmox.
>
> If you want to use MailScanner but want a GUI and are ok with CentOS,
> try https://efa-project.org
>
> --
> Jerry Benton
> www.mailborder.com [1]
> +1 843-800-8605
>
> Links:
> ------
> [1] http://www.mailborder.com

From jerry.benton at mailborder.com  Tue Oct 21 13:27:45 2025
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 21 Oct 2025 13:27:45 +0000
Subject: MailScanner Development
Message-ID:

Maarten,

I started a new thread. Don't reply to the old one. It keeps triggering
admin approval because the subject matches a thread.

So, here is the history:

* Julian Field created the original MailScanner
* He walked away and I took over the project.
* I dragged MailScanner into the current era by rewriting it and
  releasing v5. I did this because my product used MailScanner.
* I rewrote Mailborder (my commercial product) dropping MailScanner in
  favor of a more modern C and PHP based product.
* Since I have to focus on Mailborder, I stopped actively developing
  MailScanner. (no time)
* Shawn Iverson took over the primary development of MailScanner, but I
  still own the project. Since Shawn created the eFA Project, he has a
  vested interest in MailScanner development.
* Shawn has moved along in his career and does not have the time he had
  before. (I am assuming.)
* Mark Sapiro is involved, but he mostly focuses on Mailman. He helps
  provide answers to questions, but rarely develops MailScanner.

So, this is where we are. No one else has stepped up to help further
develop MailScanner.
At some point in the future I may release an open source version of
Mailborder that would be a stripped down version of the commercial
product. I want to give the community something, but I also have to
feed my family. So ...

--
Jerry Benton
www.mailborder.com
+1 843-800-8605

From mailscanner at feedmebits.nl  Tue Oct 21 13:35:21 2025
From: mailscanner at feedmebits.nl (Maarten)
Date: Tue, 21 Oct 2025 15:35:21 +0200
Subject: MailScanner Development
In-Reply-To:
References:
Message-ID:

Hello Jerry,

Thanks for the information and the history. I will just take
MailScanner out of my postfix config and work without it since it's
just on my personal mailserver. I will see if I can find an anti-spam
measure which I can use, but I have found since I have set up enforcing
of spf, dkim and dmarc that I haven't really received much spam
anymore.

Thanks for your time and for the work you and others have done on
MailScanner.

Kind Regards,

Maarten

On 2025-10-21 15:27, Jerry Benton wrote:
> Maarten,
>
> I started a new thread. Don't reply to the old one. It keeps
> triggering admin approval because the subject matches a thread.
>
> So, here is the history:
>
> * Julian Field created the original MailScanner
> * He walked away and I took over the project.
> * I dragged MailScanner into the current era by rewriting it and
> releasing v5. I did this because my product used MailScanner.
> * I rewrote Mailborder (my commercial product) dropping MailScanner
> in favor of a more modern C and PHP based product.
> * Since I have to focus on Mailborder, I stopped actively developing
> MailScanner. (no time)
> * Shawn Iverson took over the primary development of MailScanner, but
> I still own the project. Since Shawn created the eFA Project, he has a
> vested interest in MailScanner development.
> * Shawn has moved along in his career and does not have the time he
> had before. (I am assuming.)
> * Mark Sapiro is involved, but he mostly focuses on Mailman. He helps
> provide answers to questions, but rarely develops MailScanner.
>
> So, this is where we are. No one else has stepped up to help further
> develop MailScanner. At some point in the future I may release an open
> source version of Mailborder that would be a stripped down version of
> the commercial product. I want to give the community something, but I
> also have to feed my family. So ...
>
> --
> Jerry Benton
> www.mailborder.com [1]
> +1 843-800-8605
>
> Links:
> ------
> [1] http://www.mailborder.com

From jerry.benton at mailborder.com  Tue Oct 21 13:40:33 2025
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Tue, 21 Oct 2025 13:40:33 +0000
Subject: MailScanner Development
In-Reply-To:
References:
Message-ID:

Shawn Iverson asked me to post this to the thread. He is unable to post
to the thread with a Gmail account.

-----------

Hello Jerry,

I guess because I'm using a gmail account, I cannot post directly to
the list. Feel free to share with the list.

To All,

I have recently stepped away from development altogether and have
purged my Github account. This includes MailScanner, MailWatch, eFa,
and other projects in which I was involved. It originally started out
as a hobby, but over time it became a burden for me. It did help me out
in my career and allowed me to expand my skill set, at one point even
leading me to land a high paying role due to my expertise in mail
filtering. However, my priorities in life have changed, and the
thankless work of countless hours of development without compensation
no longer appeals to me.

That doesn't mean that someone else cannot step in and continue
development. It is open source, after all. I think someone else has
already taken the helm of eFa and created a fork.

Sincerely,
Shawn

-----------

--
Jerry Benton
www.mailborder.com
+1 843-800-8605

From: MailScanner on behalf of Maarten via MailScanner
Date: Tuesday, October 21, 2025 at 09:35
To: MailScanner Discussion
Cc: Maarten
Subject: Re: MailScanner Development

Hello Jerry,

Thanks for the information and the history. I will just take
MailScanner out of my postfix config and work without it since it's
just on my personal mailserver. I will see if I can find an anti-spam
measure which I can use, but I have found since I have set up enforcing
of spf, dkim and dmarc that I haven't really received much spam
anymore.

Thanks for your time and for the work you and others have done on
MailScanner.

Kind Regards,

Maarten

From xserverlinux at gmail.com  Thu Oct 23 22:51:47 2025
From: xserverlinux at gmail.com (Rick Gutierrez)
Date: Thu, 23 Oct 2025 16:51:47 -0600
Subject: MailScanner Development
In-Reply-To:
References:
Message-ID:

It's sad to hear that development on MailScanner will no longer
continue. In fact, the last update to MailScanner was around this time
last year. I hope this project doesn't die out like other great
open-source projects. As for me, whenever I can, I make a financial
donation to projects because I know developers have to make a living.

my best regards!

--
rickygm

http://gnuforever.homelinux.com

From jerry.benton at mailborder.com  Fri Oct 24 14:11:40 2025
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Fri, 24 Oct 2025 14:11:40 +0000
Subject: MailScanner Development
In-Reply-To:
References:
Message-ID:

Rick,

As I mentioned before, I am kicking the idea around of releasing an
open source version of Mailborder. I don't have the cycles to maintain
both Mailborder and MailScanner, but I could do something with
Mailborder. Maybe sometime next year.

--
Jerry Benton
www.mailborder.com
+1 843-800-8605

From: MailScanner on behalf of Rick Gutierrez
Date: Thursday, October 23, 2025 at 18:52
To: MailScanner Discussion
Subject: Re: MailScanner Development

It's sad to hear that development on MailScanner will no longer
continue.
In fact, the last update to MailScanner was around this time last year.
I hope this project doesn't die out like other great open-source
projects. As for me, whenever I can, I make a financial donation to
projects because I know developers have to make a living.

my best regards!

--
rickygm

http://gnuforever.homelinux.com

From betsys at well.com  Fri Oct 24 21:27:16 2025
From: betsys at well.com (betsys at well.com)
Date: Fri, 24 Oct 2025 17:27:16 -0400
Subject: Whitelisted emails still get defanged (how to whitelist these?)
Message-ID: <03cd01dc452c$f8fc63c0$eaf52b40$@well.com>

I am in beta with latest Mailscanner and Mailwatch with postfix and
Spamassassin. Is there a way to keep whitelisted messages from being
defanged?

2025-10-24T13:44:25.148402-07:00 sentry MailScanner[55478]: Message 8594084A4F.A876D from x.x.x.x (0100019a17f71a52-7031ce0b-b836-4d6f-89f8-c143d40cf11d-000000 at spf.ses.auth.aws.example.com) is whitelisted

2025-10-24T13:44:25.428061-07:00 sentry MailScanner[55478]: Content Checks: Detected and have disarmed hidden tags in HTML message in 8594084A4F.A876D from 0100019a17f71a52-7031ce0b-b836-4d6f-89f8-c143d40cf11d-000000 at spf.ses.auth.aws.example.com

(That's the envelope-from, the From: is helpdesk at mycompany.com)

Or is there another way to do this?

Big picture:

We use a third-party helpdesk provider. They send email from
helpdesk at mycompany.com, via Amazon SES (with proper SPF and DKIM
set up by us)

I have spf.ses.auth.aws.example.com in spam.whitelist.rules.

They add some custom URL's, like:

X-Example-Account: mycompany

I also know which URL's I'd want to exclude, if excluding specific
URL's was possible

For obvious reasons, I wouldn't want to whitelist
From:helpdesk at mycompany.com or all of Amazon SES

Any thoughts?

Thanks very much
Betsy

--
MailWatch Version: 1.2.23
Operating System Version: Ubuntu 24.04.3 LTS (Noble Numbat)
Postfix Version: 3.8.6
MailScanner Version: 5.5.3
ClamAV Version: 1.4.3
SpamAssassin Version: 4.0.0
PHP Version: 8.3.6
MySQL Version: 10.11.13-MariaDB-0ubuntu0.24.04.1

--
# grep Allow /etc/MailScanner/MailScanner.conf |grep -v ^#
Allow Password-Protected Archives = no
Allowed Sophos Error Messages =
Allow Partial Messages = no
Allow External Message Bodies = no
Allow IFrame Tags = disarm
Allow Form Tags = disarm
Allow Script Tags = disarm
Allow WebBugs = yes
Allow Object Codebase Tags = disarm
Allow Filenames =
Allow Filetypes =
Allow File MIME Types =
Archives: Allow Filenames =
Archives: Allow Filetypes =
Archives: Allow File MIME Types =
Allow Multiple HTML Signatures = no

--
# cat /etc/MailScanner/rules/spam.whitelist.rules |grep -v ^#
From: /[\@\.]example-outgoing\.mycompany\.com$/ yes
From: /[\@\.]spf\.ses\.auth\.aws\.example\.com$/ yes
FromOrTo: default no

From mark at msapiro.net  Sat Oct 25 03:49:45 2025
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 24 Oct 2025 20:49:45 -0700
Subject: Whitelisted emails still get defanged (how to whitelist these?)
In-Reply-To: <03cd01dc452c$f8fc63c0$eaf52b40$@well.com>
References: <03cd01dc452c$f8fc63c0$eaf52b40$@well.com>
Message-ID: <85096e8e-61d4-46e8-b6df-42fddb0a4801@msapiro.net>

On 10/24/25 14:27, betsys at well.com wrote:
> I am in beta with latest Mailscanner and Mailwatch with postfix and
> Spamassassin. Is there a way to keep whitelisted messages from being
> defanged?
>
> 2025-10-24T13:44:25.148402-07:00 sentry MailScanner[55478]: Message
> 8594084A4F.A876D from x.x.x.x
> (0100019a17f71a52-7031ce0b-b836-4d6f-89f8-c143d40cf11d-000000 at spf.ses.auth.aws.example.com) is whitelisted
>
> 2025-10-24T13:44:25.428061-07:00 sentry MailScanner[55478]: Content
> Checks: Detected and have disarmed hidden tags in HTML message in
> 8594084A4F.A876D from
> 0100019a17f71a52-7031ce0b-b836-4d6f-89f8-c143d40cf11d-000000 at spf.ses.auth.aws.example.com
>
> (That's the envelope-from, the From: is helpdesk at mycompany.com)
>
> Or is there another way to do this? Big picture:

Have you set

Find Phishing Fraud = No

This could be in a rule set

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From betsys at well.com  Tue Oct 28 22:18:50 2025
From: betsys at well.com (betsys at well.com)
Date: Tue, 28 Oct 2025 18:18:50 -0400
Subject: Another noob question - Dangerous Content and Virus subject meaning and scope
Message-ID: <002901dc4858$d6d92830$848b7890$@well.com>

Setting "Dangerous Content Scanning = yes" disables all the
content-based checks except Virus scanning, Allow Partial Messages and
Allow External Message Bodies.

But which are all the content-based checks? Does this apply to
attachments? To iFrame/Form Tags/Script Tags/webbug etc? Dangerous
HTML? Does it affect/override MCP?

I'm being asked what we should tell the users about a message which
arrives with the Content Subject Text in the header, and I'm realizing
I'm not sure of the scope.

Similarly, if I have clamav enabled and

Deliver Disinfected Files = no

Will we ever see an occurrence of the {Virus?} subject?

(I realize we'll learn some of this during the beta, but the helpdesk
team wants to get docs written ahead of the beta)

URL: From betsys at well.com Wed Oct 29 03:50:48 2025 From: betsys at well.com (betsys at well.com) Date: Tue, 28 Oct 2025 23:50:48 -0400 Subject: Why no subject changes or higher score for this phishing email? Message-ID: <338c01dc4887$368f2d50$a3ad87f0$@well.com> Got a piece of mail identified as ham, with no header changes. The Hidden URL?s were correctly highlighted. I would have expected this to put up some sort of phishing alert. Do I need to enable Disarmed Modify Subject for this? I disabled the Disarmed Modify Subject because it was getting added to every single message with a hidden link, seemed like, many innocent messages. (I have since fixed my RBL checks, and I?ve set up another email address to bypass MailScanner so?s I can get my hands on the unaltered originals) 2025-10-28T18:45:02.175284-07:00 sentry MailScanner[183011]: Found phishing fraud from https://www.prayers1.com/US/Kosciusko/863615230361694/WeeKids-Children%%27s-Ministry?e=1602972382 claiming to be www.facebook.com in BC4DE84A9A.A1DD7 2025-10-28T18:45:02.243128-07:00 sentry MailScanner[182315]: Content Checks: Detected and have disarmed hidden, phishing tags in HTML message in BC4DE84A9A.A1DD7 from support at prayers1.com X-MyOrg-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=2.706, required 4, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DMARC_NONE 0.90, HTML_MESSAGE 0.00, HTTPS_HTTP_MISMATCH 0.10, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.00, RCVD_IN_VALIDITY_RPBL_BLOCKED 0.00, RCVD_IN_VALIDITY_SAFE_BLOCKED 0.00, RCVD_IN_ZEN_BLOCKED_OPENDNS 0.00, SPF_HELO_NONE 0.00, URIBL_BLACK 1.70, URIBL_BLOCKED 0.00, URIBL_DBL_BLOCKED_OPENDNS 0.00) X-MyOrg-MailScanner-SpamScore: 2 Thanks, Betsy Excerpts from MailScanner.conf: (I haven?t touched the phishing*sites* files, beyond the automatic updates) Allow Form Tags = disarm Allow IFrame Tags = disarm Allow Object Codebase Tags = disarm Allow Script Tags = disarm Allow WebBugs = yes Also Find Numeric Phishing = yes Content Modify Subject = start 
Content Subject Text = {Dangerous Content?} Convert Dangerous HTML To Text = no Convert HTML To Text = no Dangerous Content Scanning = yes Disarmed Modify Subject = no Disarmed Subject Text = {Disarmed} Find Phishing Fraud = yes Highlight Mailto Phishing = yes Highlight Phishing Fraud = yes Inline HTML External Warning = %report-dir%/inline.external.warning.html Inline HTML Signature = %report-dir%/inline.sig.html Inline HTML Warning = %report-dir%/inline.warning.html Log Dangerous HTML Tags = no <-- changing this to yes Log Silent Viruses = yes Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf Phishing Modify Subject = yes Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf Phishing Subject Text = {Possible Phishing} Quarantine Silent Viruses = no Silent Viruses = HTML-IFrame All-Viruses Still Deliver Silent Viruses = no Still Deliver Silent Viruses Unmodified = no Still Scan Silent Viruses = no Use Stricter Phishing Net = yes Virus Modify Subject = start Virus Subject Text = {Virus?} MailWatch Version: 1.2.23 Operating System Version: Ubuntu 24.04.3 LTS (Noble Numbat) Postfix Version: 3.8.6 MailScanner Version: 5.5.3 ClamAV Version: 1.4.3 SpamAssassin Version: 4.0.0 PHP Version: 8.3.6 MySQL Version: 10.11.13-MariaDB-0ubuntu0.24.04.1 GeoIP Database Version: No database downloaded -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Wed Oct 29 16:39:14 2025 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 29 Oct 2025 09:39:14 -0700 Subject: Why no subject changes or higher score for this phishing email? In-Reply-To: <338c01dc4887$368f2d50$a3ad87f0$@well.com> References: <338c01dc4887$368f2d50$a3ad87f0$@well.com> Message-ID: <8389d6b6-30de-4aea-99a4-ed4e98ac025f@msapiro.net> On 10/28/25 20:50, betsys at well.com wrote: > Got a piece of mail identified as ham, with no header changes. The > Hidden URL?s were correctly highlighted. 
>
> I would have expected this to put up some sort of phishing alert. Do I
> need to enable *Disarmed Modify Subject* for this?

Yes, if you want it flagged in the Subject:. It is flagged in the message body in any case.

> I disabled the Disarmed Modify Subject because it was getting added to
> every single message with a hidden link, seemed like, many innocent
> messages.

The disarming applies to any `a` tag with display text that looks like a url or web address that doesn't match the host in the target. Yes, this can happen to `innocent` mail that uses things like tracking links that ultimately redirect to the display text address after collecting tracking information. Granted, these aren't true phishing attacks, but my personal view is they are just as bad.

Whether or not you want the disarming to be flagged in the Subject: header is up to you, and you can use a ruleset to do it selectively based on the sender and/or recipient, but not on the actual content of the tag.

You can also exempt certain senders using the phishing.safe.sites.custom file.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Wed Oct 29 19:34:19 2025
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 29 Oct 2025 12:34:19 -0700
Subject: Another noob question - Dangerous Content and Virus subject meaning and scope
In-Reply-To: <002901dc4858$d6d92830$848b7890$@well.com>
References: <002901dc4858$d6d92830$848b7890$@well.com>
Message-ID: <3f5eb19f-e902-4ba8-8f02-981b19d2d4ac@msapiro.net>

On 10/28/25 15:18, betsys at well.com wrote:
> Setting "Dangerous Content Scanning = yes" disables all the
> content-based checks except Virus scanning, Allow Partial Messages and
> Allow External Message Bodies.

Actually, "Dangerous Content Scanning = no"

> But which are all the content-based checks? Does this apply to
> attachments? To iFrame/Form Tags/Script Tags/webbug etc? Dangerous HTML?

I think so.

> Does it affect/override MCP?

I'm not sure about this, but MCP is probably obsolete. Back in 2009 MailScanner 4.78.3 reversed the order of spam and virus checks, doing Virus first[1]. This allows various clamav rule hits to be treated as spam hits which can obviate the need for MCP. I think there was a subsequent post from Jules about this, but I can't find it.

Also, SpamAssassin Rule Actions can be used to accomplish similar results to MCP without the additional overhead[2].

> I'm being asked what we should tell the users about a message which
> arrives with the Content Subject Text in the header, and I'm realizing
> I'm not sure of the scope.
>
> Similarly, if I have clamav enabled and
>
> Deliver Disinfected Files = no
>
> Will we ever see an occurrence of the {Virus?} subject?

For this you probably also want

Deliver Cleaned Messages = no

> (I realize we'll learn some of this during the beta, but the helpdesk
> team wants to get docs written ahead of the beta)

[1] http://lists.mailscanner.info/pipermail/mailscanner/2009-July/092711.html
[2] http://lists.mailscanner.info/pipermail/mailscanner/2010-February/094867.html

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
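
The link check described in the reply on hidden links above (an `a` tag whose display text looks like a web address but names a different host than the target), as an added Python sketch that is not MailScanner's own code. The names `audit` and `safe_hosts`, the rule that the display text must start with the address, and the `.example` hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Display text that "looks like a url or web address": optional scheme, dotted host.
LOOKS_LIKE_HOST = re.compile(
    r'^(?:[a-z][a-z0-9+.-]*://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:?#]|$)', re.I)

class LinkAuditor(HTMLParser):
    def __init__(self, safe_hosts=()):
        super().__init__(convert_charrefs=True)
        self.safe_hosts = {h.lower() for h in safe_hosts}  # hypothetical allow-list
        self.findings = []   # (real target host, host shown to the reader)
        self._href = None    # None means "not inside an <a> element"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href') or '', []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != 'a' or self._href is None:
            return
        href, shown = self._href, ''.join(self._text).strip()
        self._href = None
        try:
            target = (urlsplit(href).hostname or '').lower()
        except ValueError:   # malformed href, e.g. unbalanced IPv6 brackets
            target = ''
        claimed = LOOKS_LIKE_HOST.match(shown)
        if not target or not claimed:
            return           # no host in the target, or ordinary link text
        if claimed.group(1).lower() != target and target not in self.safe_hosts:
            self.findings.append((target, claimed.group(1).lower()))

def audit(html, safe_hosts=()):
    parser = LinkAuditor(safe_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: tracking redirect, honest link, plain text, look-alike host.
SAMPLE = '''<a href="https://click.tracker.example/r?id=42">www.shop.example</a>
<a href="https://www.shop.example/sale">www.shop.example/sale</a>
<a href="https://news.example/a">Read more</a>
<a href="https://mail.partner.example/x">https://www.partner.example</a>'''
```

Calling `audit(SAMPLE)` reports the tracking redirect and the look-alike host, which is why ordinary bulk mail with click tracking gets disarmed alongside real phishing; passing a destination in `safe_hosts` suppresses that one finding only.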