<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hi Richard, thanks for your reply.<BR>
<BR>
personally, i don't have much mail traffic through my server, i just have my one email domain, and an average day i process about 150 on a heavy day, 120 or so of which will be spam. my server doesn't even hit a 1.0 load average.<BR>
<BR>
i did install fail2ban, and i built some pretty effective regex to keep the repeaters from continually sending more spam to my server, but it's these strange emails that try to kill the mailscanner process that i see every day all day. as i mentioned, they seem to be always high scoring spams anyway, i just wonder if there is malicious code in the emails that is doing this. since my last /var/log/messages turn over, it's happened 170 times.<BR>
<BR>
thanks,<BR>
Jonathan<BR> <BR>
<DIV>
<HR id=stopSpelling>
From: richard@fastnet.co.uk<BR>To: mailscanner@lists.mailscanner.info<BR>Subject: RE: emails that attempt to kill mailscanner {Scanned}<BR>Date: Wed, 14 Aug 2013 10:27:23 +0000<BR><BR>
<DIV class=ecxWordSection1>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">This issue only happens to me when my server is overloaded. Once I gave it more CPUs and RAM I’ve not had this problem again.</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">I find that running spamassassin as a daemon and restarting that sometimes helps. The -U switch didn’t do anything for me. I’m using FreeBSD.</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">You should look at installing fail2ban or RBLs on the MTA and check the server load / swap information.</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">I do have a lot of mail coming my way, so I might be way off the mark here..</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Rich<BR><BR></SPAN><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #a6a6a6; FONT-SIZE: 11pt"></SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></P>
<DIV>
<DIV style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0cm; PADDING-LEFT: 0cm; PADDING-RIGHT: 0cm; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<P class=ecxMsoNormal><B><SPAN style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt" lang=EN-US>From:</SPAN></B><SPAN style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt" lang=EN-US> mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] <B>On Behalf Of </B>Ritchie P. Fraser<BR><B>Sent:</B> 14 August 2013 09:17<BR><B>To:</B> MailScanner discussion<BR><B>Subject:</B> RE: emails that attempt to kill mailscanner {Scanned}</SPAN></P></DIV></DIV>
<P class=ecxMsoNormal> </P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">At the end of the first line in /usr/sbin/MailScanner… like so…</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">#!/usr/bin/perl -I/usr/lib/MailScanner -U</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Ritchie</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></P>
<P class=ecxMsoNormal><B><SPAN style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt" lang=EN-US>From:</SPAN></B><SPAN style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt" lang=EN-US> <A href="mailto:mailscanner-bounces@lists.mailscanner.info">mailscanner-bounces@lists.mailscanner.info</A> [<A href="mailto:mailscanner-bounces@lists.mailscanner.info">mailto:mailscanner-bounces@lists.mailscanner.info</A>] <B>On Behalf Of </B>Martin Hepworth<BR><B>Sent:</B> 13 August 2013 19:38<BR><B>To:</B> MailScanner discussion<BR><B>Subject:</B> Re: emails that attempt to kill mailscanner {Scanned}</SPAN></P>
<P class=ecxMsoNormal> </P>
<P class=ecxMsoNormal>You need to put the -U at the first line on the MailScanner perl script<BR><BR>On Tuesday, 13 August 2013, Jonathan Horne wrote:</P>
<DIV>
<DIV>
<P class=ecxMsoNormal>hmmm, it's only some emails, not all of them (and it's always emails that i would never accept anyway, high scoring spam). <BR> <BR>taking a look at the mailscanner.conf file, i don't see offhand where to add a -U. any tips?<BR> <BR>jonathan<BR> </P>
<DIV>
<DIV style="TEXT-ALIGN: center" class=ecxMsoNormal align=center>
<HR align=center SIZE=2 width="100%">
</DIV>
<P class=ecxMsoNormal>Date: Tue, 13 Aug 2013 17:06:50 +0100<BR>Subject: Re: emails that attempt to kill mailscanner<BR>From: <A target=_blank>maxsec@gmail.com</A><BR>To: <A target=_blank>mailscanner@lists.mailscanner.info</A></P>
<DIV>
<P class=ecxMsoNormal>this problem is normally caused by config issues, like not having the -U switch set in the main MailScanner executable.</P></DIV>
<DIV>
<P class=ecxMsoNormal><BR clear=all></P>
<DIV>
<P class=ecxMsoNormal>-- <BR>Martin Hepworth, CISSP<BR>Oxford, UK</P></DIV>
<P class=ecxMsoNormal> </P>
<DIV>
<P class=ecxMsoNormal>On 13 August 2013 16:28, Jonathan Horne &lt;<A target=_blank>jonathanmhorne@outlook.com</A>&gt; wrote:</P>
<DIV>
<DIV>
<P class=ecxMsoNormal>i didn't try it yet... but if i set the number of attempts to 0 what will happen? i would like to just delete these emails immediately, i don't see a need to retry it after 5 minutes.<BR> <BR>if 0 is not the right way to accomplish this, what is the correct way to dump emails that attempt to kill the process?<BR> <BR>thanks,<BR>jonathan</P></DIV></DIV>
<P class=ecxMsoNormal><BR>--<BR>MailScanner mailing list<BR><A target=_blank>mailscanner@lists.mailscanner.info</A><BR><A href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target=_blank>http://lists.mailscanner.info/mailman/listinfo/mailscanner</A><BR><BR>Before posting, read <A href="http://wiki.mailscanner.info/posting" target=_blank>http://wiki.mailscanner.info/posting</A><BR><BR>Support MailScanner development - buy the book off the website!</P></DIV>
<P class=ecxMsoNormal> </P></DIV>
</DIV></DIV></DIV>
<P class=ecxMsoNormal><BR><BR>-- <BR>-- <BR>Martin Hepworth, CISSP<BR>Oxford, UK<BR><BR>-- <BR>This message has been scanned for viruses and <BR>dangerous content by <A href="http://www.mailscanner.info/" target=_blank><B>MailScanner</B></A>, and is <BR>believed to be clean. </P></DIV></DIV></div></body>
</html>