lists.mailscanner.infolists.mailscanner.info/pipermail/mailscanner/2008-June.txtThe only thing I did...

Glenn Steen wrote:> I suppose you're asking what> syntax you need use for a ruleset "blacklisting" everything, and then> whitelisting some mails passing through MailScanner... In which case> you can do this with a normal ruleset ... The syntax is described in> numerous places (the EXAMPLES file in the rules subdirectory, the> wiki, the book...) ... So all you really need do is decide on what> setting (in MailScanner.conf) you should apply the ruleset, since this> will> a) decide what the rightmost value should be (it need make sense to> the setting applied to), and> b) affect what will actually happen.>> I'd think the "Is Definitely Spam"/"Is Definitely Not Spam" and> perhaps "Definite Spam Is Highscoring" settings could be used for> this, along with a "store" only "High Scoring Spam Actions" setting,> or similar ... (or perhaps use a SA "rule" to tag the messages and> selectively act on them with the new SA-rules actions... Seems a bit> backward, but might be more manageable for you).>> Note that for this to really work on a "per intern basis", you need> split your incoming mails into one/recipient, else MailScanner will> just use the rules applicable for the first recipient.>> Links that apply to all this:> http://www.mailscanner.info/MailScanner.conf.index.html#Is%20Definitely%20Spam> http://www.mailscanner.info/MailScanner.conf.index.html#Is%20Definitely%20Not%20Spam> http://www.mailscanner.info/MailScanner.conf.index.html#Definite%20Spam%20Is%20High%20Scoring> http://www.mailscanner.info/MailScanner.conf.index.html#High%20Scoring%20Spam%20Actions> http://wiki.mailscanner.info/doku.php?id=&idx=documentation:configuration:rulesets> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:exim:how_to:split_mails_per_recipient> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient> (watch out for line wrapping in the above:-)>> HtH> Cheers>

Ahh.. thanks. For what it is worth, I did check out a few of those (some within the wiki lead to blank pages, and others are examples that didn't really cover what I was looking for). I really thought that there might have been some special syntax I was missing for the per-user blacklist rule where you'd have one master blacklist rule for that user which says "block everything" and the whitelist rules allowing email from certain individuals (whitelists win).

Thankfully, I already split the emails to one per recipient.

Perhaps you are right.. an "Is Definitely Spam" ruleset might do the trick. With entries like "To: [email protected] yes"...Hrmm.. I will have to test that.

Of course, after the first request at work to block inbound to a single user, I now have a list of 22 interns I need to block.. Ugh.

-Rich

Rich West wrote:>> Glenn Steen wrote:>> I suppose you're asking what>> syntax you need use for a ruleset "blacklisting" everything, and then>> whitelisting some mails passing through MailScanner... In which case>> you can do this with a normal ruleset ... The syntax is described in>> numerous places (the EXAMPLES file in the rules subdirectory, the>> wiki, the book...) ... So all you really need do is decide on what>> setting (in MailScanner.conf) you should apply the ruleset, since this>> will>> a) decide what the rightmost value should be (it need make sense to>> the setting applied to), and>> b) affect what will actually happen.>>>> I'd think the "Is Definitely Spam"/"Is Definitely Not Spam" and>> perhaps "Definite Spam Is Highscoring" settings could be used for>> this, along with a "store" only "High Scoring Spam Actions" setting,>> or similar ... (or perhaps use a SA "rule" to tag the messages and>> selectively act on them with the new SA-rules actions... Seems a bit>> backward, but might be more manageable for you).>>>> Note that for this to really work on a "per intern basis", you need>> split your incoming mails into one/recipient, else MailScanner will>> just use the rules applicable for the first recipient.>>>> Links that apply to all this:>> http://www.mailscanner.info/MailScanner.conf.index.html#Is%20Definitely%20Spam >>>> http://www.mailscanner.info/MailScanner.conf.index.html#Is%20Definitely%20Not%20Spam >>>> http://www.mailscanner.info/MailScanner.conf.index.html#Definite%20Spam%20Is%20High%20Scoring >>>> http://www.mailscanner.info/MailScanner.conf.index.html#High%20Scoring%20Spam%20Actions >>>> http://wiki.mailscanner.info/doku.php?id=&idx=documentation:configuration:rulesets >>>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient >>>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:exim:how_to:split_mails_per_recipient >>>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient >>>> (watch out for line wrapping in the above:-)>>>> HtH>> Cheers>> >> Ahh.. thanks. For what it is worth, I did check out a few of those > (some within the wiki lead to blank pages, and others are examples > that didn't really cover what I was looking for). I really thought > that there might have been some special syntax I was missing for the > per-user blacklist rule where you'd have one master blacklist rule for > that user which says "block everything" and the whitelist rules > allowing email from certain individuals (whitelists win).>> Thankfully, I already split the emails to one per recipient.>> Perhaps you are right.. an "Is Definitely Spam" ruleset might do the > trick. With entries like "To: [email protected] yes"...> Hrmm.. I will have to test that.>> Of course, after the first request at work to block inbound to a > single user, I now have a list of 22 interns I need to block.. Ugh.If you don't want to mix this in with your anti-spam settings, you could use "Reject Messsage" setting, which has its own report file attached to it, which would make the rejection message easier for the senders to understand, than getting complete silence from your anti-spam settings.

Here's the docs on it from MailScanner.conf:

# You may not want to receive mail from certain addresses and/or to certain# addresses. If so, you can do this with your email transport (sendmail,# Postfix, etc) but that will just send a one-line message which is not# helpful to the user sending the message.# If this is set to yes, then the message set by the "Rejection Report"# will be sent instead, and the incoming message will be deleted.# If you want to store a copy of the original incoming message then use the# "Archive Mail" setting to archive a copy of it.# The purpose of this option is to set it to be a ruleset, so that you# can reject messages from a few offending addresses where you need to send# a polite reply instead of just a brief 1-line rejection message.Reject Message = no

Jules

-- Julian Field MEng CITP CEngwww.MailScanner.infoBuy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?Contact me at [email protected]

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654PGP public key: http://www.jules.fm/julesfm.asc

-- This message has been scanned for viruses anddangerous content by MailScanner, and isbelieved to be clean.

Hi,

I'm basically a newbe with just a few small domains. I set upMailscanner with sendmail/ spamassassin/ clamAV and it seems greatexcept tons of spam are getting through. They are mostly all marked as{Spam?} and are all delivered.

Here is in my MailScanner.conf file

Spam List = SORBS-DNSBL SORBS-HTTP SORBS-SOCKS SORBS-MISC SORBS-SMTPSORBS-WEB SORBS-SPAM SORBS-BLOCK SORBS-ZOMBIE SORBS-DUL SORBS-RHSBL CBLDSBL spamhaus.org spamhaus-XBL spamhaus-PBL NJABL

Spam Domain List = SORBS-BADCONF SORBS-NOMAIL

Do these look OK? How can I test these out? Any advice to a newbe as towhat I should do?

ThanksRick

-- This message has been scanned for viruses anddangerous content by Green Mountain Network, and isbelieved to be clean.

I am running MS 4.69.8 on Centos 5x. I seem to be having trouble with my whitelists? I seem to recall trying to address this some months back and I beleive someone mentioned that my whitelists added in the mailwatch interface (Lists), should not have the "@" symbol so I went through and removed them all one at a time and so now they look like the examples below. Is this correct? Is there something else I might be doing wrong?

ifossf.org defaultsrs.perfora.net defaultsungardhe.com default

Sample header

This one just came through as spam in spite of the from addreses (ifossf.org and srs.perfora.net) being in the whitelist?

Received: from serendipity.mountainhosting.ca (serendipity.mountainhosting.ca [66.249.13.171]) by gateway.johnnystork.ca (8.13.8/8.13.8) with ESMTP id m4VBvrCP003047 for ; Sat, 31 May 2008 04:57:53 -0700Received: from [127.0.0.1] (helo=mout.perfora.net) by serendipity.mountainhosting.ca with esmtp (Exim 4.68) (envelope-from ) id 1K2Pia-0001vb-45 for [email protected]; Sat, 31 May 2008 04:57:53 -0700Received: from mout.perfora.net ([74.208.4.194] helo=mout.perfora.net) by ASSP.nospam; 31 May 2008 04:57:51 -0700Received: from [192.168.1.2] (ool-44c09678.dyn.optonline.net [68.192.150.120]) by mrelay.perfora.net (node=mrus1) with ESMTP (Nemesis) id 0MKpCa-1K2PiM2XbS-0004bz; Sat, 31 May 2008 07:57:46 -0400Message-ID: Date: Sat, 31 May 2008 07:57:37 -0400From: Jenny Huang User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)MIME-Version: 1.0To: [email protected]: Tom Nolle Private , Yvette Dubel ,Johnny Stork Subject: Re: iFOSSF opportunities and strategyReferences:

In-Reply-To:

Content-Type: multipart/mixed;boundary="------------080200010605030109040204"X-Provags-ID: V01U2FsdGVkX18Wr3qsaKkWNC1/FXTVy0jtDrZT689qr0cSOzGYnEPsQerAdaVUm2vRNqf6eB7p5J2TEDtsux/SsOzFgaVwyjFYeWTyy6HFyrS23o1fjfOmdoxjuA2GYnVfX/hOYHM6n74=X-Assp-Delay: not delayed (noprocessing); 31 May 2008 04:57:51 -0700X-AntiAbuse: This header was added to track abuse, please include it with any abuse reportX-AntiAbuse: Primary Hostname - serendipity.mountainhosting.caX-AntiAbuse: Original Domain - openenterprise.caX-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]X-AntiAbuse: Sender Address Domain - srs.perfora.netX-Source:X-Source-Args:X-Source-Dir:

cached not

score=17.007 7 required

autolearn=spam -7.29 AWL From: address is in the auto white-list15.00 BAYES_99 Bayesian spam probability is 99 to 100%7.16 CRM114_CHECK 0.00 HTML_MESSAGE HTML included in message1.46 MIME_HTML_ONLY Message only has text/html MIME parts0.69 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)0.00 WHOIS_NETSOLPR URL registered as a NetSol Private Registration

Rick Bragg wrote:> Hi,>> I'm basically a newbe with just a few small domains. I set up> Mailscanner with sendmail/ spamassassin/ clamAV and it seems great> except tons of spam are getting through. They are mostly all marked as> {Spam?} and are all delivered. >> Here is in my MailScanner.conf file>> Spam List = SORBS-DNSBL SORBS-HTTP SORBS-SOCKS SORBS-MISC SORBS-SMTP> SORBS-WEB SORBS-SPAM SORBS-BLOCK SORBS-ZOMBIE SORBS-DUL SORBS-RHSBL CBL> DSBL spamhaus.org spamhaus-XBL spamhaus-PBL NJABL>> Spam Domain List = SORBS-BADCONF SORBS-NOMAIL>>> Do these look OK? How can I test these out? Any advice to a newbe as to> what I should do?>> Thanks> Rick>>> Rick, I do not have the parameter name off the top of my head but look for Spam delivery. It is in the same general area as your AV. You can set it to delete, deliver, quarantine.

Guy

-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1

Johnny Stork wrote:| I am running MS 4.69.8 on Centos 5x. I seem to be having trouble with| my whitelists? I seem to recall trying to address this some months back| and I beleive someone mentioned that my whitelists added in the| mailwatch interface (Lists), should not have the "@" symbol so I went| through and removed them all one at a time and so now they look like the| examples below. Is this correct? Is there something else I might be| doing wrong?|| ifossf.org default| srs.perfora.net default| sungardhe.com default

This does not look like the samples I have seen untill now. Where is thefirst column in your rules file?

Most rules look like:

# This next line gives an example of how you might enable this option for# a frequent customer of yours.#From: yourcustomer.com yes

# Under no circumstances should this be changed to "yes".FromOrTo: default no

Hugo.

- [email protected] http://hugo.vanderkooij.org/PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.>Q: Are you sure?>>A: Because it reverses the logical flow of conversation.>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIQuQmBvzDRVjxmYERAioIAJ4/cjYms+67c14F7SWq9NzXBAjqDQCfZKD8TBBZ6f/N4eH9yHcfjZ7dbEs==+6iz-----END PGP SIGNATURE-----


Rick Bragg wrote:| Hi,|| I'm basically a newbe with just a few small domains. I set up| Mailscanner with sendmail/ spamassassin/ clamAV and it seems great| except tons of spam are getting through. They are mostly all marked as| {Spam?} and are all delivered.|| Here is in my MailScanner.conf file|| Spam List = SORBS-DNSBL SORBS-HTTP SORBS-SOCKS SORBS-MISC SORBS-SMTP| SORBS-WEB SORBS-SPAM SORBS-BLOCK SORBS-ZOMBIE SORBS-DUL SORBS-RHSBL CBL| DSBL spamhaus.org spamhaus-XBL spamhaus-PBL NJABL|| Spam Domain List = SORBS-BADCONF SORBS-NOMAIL||| Do these look OK? How can I test these out? Any advice to a newbe as to| what I should do?

Read the book.

First off I think you are using way too many lists here. It will costyou performance and speed of processing.

How are your messages classified? What scores do they get in generalfrom SpamAssassin? Did you tune your bayesian database?

Hugo.





iD8DBQFIQuWHBvzDRVjxmYERAnP4AJ9FxOjUA8/0BzWdz9VfpN2D2+2LowCfRR2tsyowFDMgXIu4Lf2/dBYcaGs==HoOL-----END PGP SIGNATURE-----

On Sun, 2008-06-01 at 20:08 +0200, Hugo van der Kooij wrote:> -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1> > Rick Bragg wrote:> | Hi,> |> | I'm basically a newbe with just a few small domains. I set up> | Mailscanner with sendmail/ spamassassin/ clamAV and it seems great> | except tons of spam are getting through. They are mostly all marked as> | {Spam?} and are all delivered.> |> | Here is in my MailScanner.conf file> |> | Spam List = SORBS-DNSBL SORBS-HTTP SORBS-SOCKS SORBS-MISC SORBS-SMTP> | SORBS-WEB SORBS-SPAM SORBS-BLOCK SORBS-ZOMBIE SORBS-DUL SORBS-RHSBL CBL> | DSBL spamhaus.org spamhaus-XBL spamhaus-PBL NJABL> |> | Spam Domain List = SORBS-BADCONF SORBS-NOMAIL> |> |> | Do these look OK? How can I test these out? Any advice to a newbe as to> | what I should do?> > Read the book.> > First off I think you are using way too many lists here. It will cost> you performance and speed of processing.> > How are your messages classified? What scores do they get in general> from SpamAssassin? Did you tune your bayesian database?> > Hugo.>

Thanks Hugo,I am new to this and would like to get a grasp on managing all thesecomponents. How should I go about choosing which "Spam List" and "SpamDomain List" services to use? Also, I'm not familiar with how to tunebayesian.

ThanksRick

-- This message has been scanned for viruses anddangerous content by Green Mountain Network, and isbelieved to be clean.

On Sun, 01 Jun 2008 20:08:08 +0200Hugo van der Kooij wrote:

> Rick Bragg wrote:> | Hi,> |> | I'm basically a newbe with just a few small domains. I set up> | Mailscanner with sendmail/ spamassassin/ clamAV and it seems great> | except tons of spam are getting through. They are mostly all> marked as | {Spam?} and are all delivered.> |> | Here is in my MailScanner.conf file> |> | Spam List = SORBS-DNSBL SORBS-HTTP SORBS-SOCKS SORBS-MISC SORBS-SMTP> | SORBS-WEB SORBS-SPAM SORBS-BLOCK SORBS-ZOMBIE SORBS-DUL SORBS-RHSBL> CBL | DSBL spamhaus.org spamhaus-XBL spamhaus-PBL NJABL> |> | Spam Domain List = SORBS-BADCONF SORBS-NOMAIL> |> |> | Do these look OK? How can I test these out? Any advice to a newbe> as to | what I should do?

[snip]

"dnsbl.sorbs.net" contains all of the SORBS lists with the exception of:"spam.dnsbl.sorbs.net"

You might want to check: http://www.au.sorbs.net/using.shtml forfurther information.

Personally, I prefer "zen.spamhaus.org". It contains all of theusual spamhaus lists. Further info available at:http://www.spamhaus.org/zen/index.lasso

I might add that I am employing 'spamhaus' with Postfix. Once youaccept the mail, you can no longer legitimately reject it. Of course youcan delete it; however, I have never seen the logic in accepting todelete.

Then again, that is just my 2?.

-- [email protected]

During the voyage of life, remember to keep an eye out for afair wind; batten down during a storm; hail all passing ships;and fly your colors proudly.-------------- next part --------------A non-text attachment was scrubbed...Name: signature.ascType: application/pgp-signatureSize: 195 bytesDesc: not availableUrl : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080601/4426aed5/signature.bin

This is how they are listed in the Mailwatch interface? Are the whitlelist entries in a file? I assumed they were in the db somewhere since I add/manage them from mailwatch?

Hugo van der Kooij wrote:> -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1>> Johnny Stork wrote:> | I am running MS 4.69.8 on Centos 5x. I seem to be having trouble with> | my whitelists? I seem to recall trying to address this some months back> | and I beleive someone mentioned that my whitelists added in the> | mailwatch interface (Lists), should not have the "@" symbol so I went> | through and removed them all one at a time and so now they look like > the> | examples below. Is this correct? Is there something else I might be> | doing wrong?> |> | ifossf.org default> | srs.perfora.net default> | sungardhe.com default>> This does not look like the samples I have seen untill now. Where is the> first column in your rules file?>> Most rules look like:>> # This next line gives an example of how you might enable this option for> # a frequent customer of yours.> #From: yourcustomer.com yes>> # Under no circumstances should this be changed to "yes".> FromOrTo: default no>>> Hugo.>> - --> [email protected] http://hugo.vanderkooij.org/> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc>> A: Yes.> >Q: Are you sure?> >>A: Because it reverses the logical flow of conversation.> >>>Q: Why is top posting frowned upon?>> Bored? Click on http://spamornot.org/ and rate those images.>> -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.7 (GNU/Linux)>> iD8DBQFIQuQmBvzDRVjxmYERAioIAJ4/cjYms+67c14F7SWq9NzXBAjqDQCfZKD8> TBBZ6f/N4eH9yHcfjZ7dbEs=> =+6iz> -----END PGP SIGNATURE-----

Also my "Is Definitely Not Spam" does not point to a file, but the db

Is Definitely Not Spam = &SQLWhitelist

Hugo van der Kooij wrote:> -----BEGIN PGP SIGNED MESSAGE-----> Hash: SHA1>> Johnny Stork wrote:> | I am running MS 4.69.8 on Centos 5x. I seem to be having trouble with> | my whitelists? I seem to recall trying to address this some months back> | and I beleive someone mentioned that my whitelists added in the> | mailwatch interface (Lists), should not have the "@" symbol so I went> | through and removed them all one at a time and so now they look like > the> | examples below. Is this correct? Is there something else I might be> | doing wrong?> |> | ifossf.org default> | srs.perfora.net default> | sungardhe.com default>> This does not look like the samples I have seen untill now. Where is the> first column in your rules file?>> Most rules look like:>> # This next line gives an example of how you might enable this option for> # a frequent customer of yours.> #From: yourcustomer.com yes>> # Under no circumstances should this be changed to "yes".> FromOrTo: default no>>> Hugo.>> - --> [email protected] http://hugo.vanderkooij.org/> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc>> A: Yes.> >Q: Are you sure?> >>A: Because it reverses the logical flow of conversation.> >>>Q: Why is top posting frowned upon?>> Bored? Click on http://spamornot.org/ and rate those images.>> -----BEGIN PGP SIGNATURE-----> Version: GnuPG v1.4.7 (GNU/Linux)>> iD8DBQFIQuQmBvzDRVjxmYERAioIAJ4/cjYms+67c14F7SWq9NzXBAjqDQCfZKD8> TBBZ6f/N4eH9yHcfjZ7dbEs=> =+6iz> -----END PGP SIGNATURE-----

I have inherited a mail scanner server running on BSD. I am not to familiarwith this application and its inner workings. We recently received amessage (first week of May), and it had a MS Word attachment that wasstripped, and quarantined. I was asked today to locate the file, and copyout of the quarantine folder and deliver it to the intended recipient.

I did a "find" for the file and a "grep" neither returned any results.

I would like to read the log files associated with this application in hopesto determine what happened to the attachment.

Could you please guide me in the location of either where the log files forthe application would be (not in /var/log), or a configuration file that mayindicate where the logs directory/files are kept.

I am guessing there aren't any logs being generated for this application.

thanks in advance.-------------- next part --------------An HTML attachment was scrubbed...URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080602/b05d1530/attachment.html

> ------------------------------> > Message: 20> Date: Mon, 19 May 2008 21:24:53 -0400> From: "Alan Charlton" > Subject: Variables that can be used in inline.warning.txt and .html> reports> To: > Message-ID:>

> Content-Type: text/plain;charset="us-ascii"> > We've been trying to use some variables in the inline.warning.txt/html> files that don't seem to work. Specifically $datenumber and $to.> > We'd like to be able to provide our users with a link to release 'bad> content' or even 'virus' messages that they know are legitimate,similar> to what's in the recipient.spam.report.txt:> >http://$hostname/cgi-bin/release-msg.cgi?datenumber=$datenumber&id=$id&t> o=$to> > I know it's a little risky, but we're a software development companyand> we often get attachments that get caught, and our users tend to be> reasonably intelligent and cautious... and too impatient to submit a> ticket to IT every time a file is caught.> > Also for proper backup and archiving we'd like all legitimate emailsto> reach the end users' mailboxes...> > For more details on what we're trying to do check out:> http://www.global-domination.org/forum/viewtopic.php?t=968> > My searches for a solution turned up the following thread:>http://lists.mailscanner.info/pipermail/mailscanner/2007-September/07803> 0.html> > ...Which seems to imply that these variables need to be specifically> added to work in a given report.> > Is there any way we can add the variables ourselves? Or do we need to> request that they be added in a new release?> > Thanks,> Alan> > > ------------------------------

Bumping this up for another try... Does anyone know how to get$datenumber and $to to work in the inline.warning.txt and .html reports?

Any help would be appreciated.

Thanks,Alan

Since last Friday I've started getting this notification with every connection:

Jun 2 16:57:47 mail5 MailScanner[7787]: Cannot match against destination IP address when resolving configuration option "saactions"

MS appears to be working. The only thing I did was upgrade my kernel to:

2.6.9-67.0.15.ELsmp #1 SMP Tue Apr 22 13:50:33 EDT 2008 i686 i686 i386 GNU/Linux

This is on a Redhat ES 4 server.

Any ideas would be appreciated.

later,Ed

I have been using Linux Sendmail as me email MTA forever, but now have aneed to use Windows Exchange server and am wondering what people are usingas their Spam and virus protection (hopefully an inexpensive solution). Iwas hoping I could use MailScanner but don't see a Windows version. Anyideas?

Vernon Webb

(201) 703-1232

web designs & web hosting by comp-wiz.com, inc.

Information in this transmission is privileged & confidential. It isintended for the use of the individual or entity named above. Any review,dissemination, disclosure, alteration, printing, circulation or transmissionof this email or it's attachments is prohibited and unlawful.

-- This message has been scanned for viruses anddangerous content at comp-wiz.com, and isbelieved to be clean.

-------------- next part --------------An HTML attachment was scrubbed...URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080602/da90fcc8/attachment.html

Rd03 wrote:> I have inherited a mail scanner server running on BSD. I am not to > familiar with this application and its inner workings. We recently > received a message (first week of May), and it had a MS Word > attachment that was stripped, and quarantined. I was asked today to > locate the file, and copy out of the quarantine folder and deliver it > to the intended recipient.>> I did a "find" for the file and a "grep" neither returned any results.>> I would like to read the log files associated with this application in > hopes to determine what happened to the attachment.Logging is done via the standard syslog mechanism. Consult your /etc/syslog.conf to see where mail logs are going, they should be in there. If there are any entries for the local* categories in syslog.conf, it's possible they are being logged to there.

The main directory to find on your BSD box will be called "MailScanner" and it contains, among other things, the master config file "MailScanner.conf". That's the chief file you are looking for. That's where you will find everything defined such as the location of the Quarantine and so on. Once you have found MailScanner.conf, things should become a lot clearer.>> Could you please guide me in the location of either where the log > files for the application would be (not in /var/log), or a > configuration file that may indicate where the logs directory/files > are kept.>> I am guessing there aren't any logs being generated for this application.There are logs, they are usually sent to the same location as the mail logs.

I hope that's enough to get you started.

Jules





Alan Charlton wrote:>> ------------------------------>>>> Message: 20>> Date: Mon, 19 May 2008 21:24:53 -0400>> From: "Alan Charlton" >> Subject: Variables that can be used in inline.warning.txt and .html>> reports>> To: >> Message-ID:>>>> > > >> Content-Type: text/plain;charset="us-ascii">>>> We've been trying to use some variables in the inline.warning.txt/html>> files that don't seem to work. Specifically $datenumber and $to.>>>> We'd like to be able to provide our users with a link to release 'bad>> content' or even 'virus' messages that they know are legitimate,>> > similar> >> to what's in the recipient.spam.report.txt:>>>>>> > http://$hostname/cgi-bin/release-msg.cgi?datenumber=$datenumber&id=$id&t> >> o=$to>>>> I know it's a little risky, but we're a software development company>> > and> >> we often get attachments that get caught, and our users tend to be>> reasonably intelligent and cautious... and too impatient to submit a>> ticket to IT every time a file is caught.>>>> Also for proper backup and archiving we'd like all legitimate emails>> > to> >> reach the end users' mailboxes...>>>> For more details on what we're trying to do check out:>> http://www.global-domination.org/forum/viewtopic.php?t=968>>>> My searches for a solution turned up the following thread:>>>> > http://lists.mailscanner.info/pipermail/mailscanner/2007-September/07803> >> 0.html>>>> ...Which seems to imply that these variables need to be specifically>> added to work in a given report.>>>> Is there any way we can add the variables ourselves? Or do we need to>> request that they be added in a new release?>>>> Thanks,>> Alan>>>>>> ------------------------------>> >> Bumping this up for another try... Does anyone know how to get> $datenumber and $to to work in the inline.warning.txt and .html reports?>> Any help would be appreciated.>> Thanks,> Alan> At the moment, the only variables it appears you can use are these: $filename = join(', ', keys %infected); $id = $this->{id}; $from = $this->{from}; $subject = $this->{subject};

I can add more if several people need them. If your Perl is up to it, you want to add code to sub ReadVirusWarning in Message.pm. Otherwise you'll have to bribe me to add them for you :-)

Jules





You must have set something to do with "SpamAssassin Rule Actions".I strongly suspect you have a ruleset attached to that setting, with a "To:" line that refers to an IP address, or possible a domain name involving only the characters 0-9 and a-f.

Please show us the ruleset you have attached to "SpamAssassin Rule Actions".

Ed wrote:> Since last Friday I've started getting this notification with every > connection:>> Jun 2 16:57:47 mail5 MailScanner[7787]: Cannot match against > destination IP address when resolving configuration option "saactions">>> MS appears to be working. The only thing I did was upgrade my kernel to:>> 2.6.9-67.0.15.ELsmp #1 SMP Tue Apr 22 13:50:33 EDT 2008 i686 i686 i386 > GNU/Linux>> This is on a Redhat ES 4 server.>> Any ideas would be appreciated.>> later,> Ed

Jules





We use MailSCanner infront of all our exchange servers, it's the cheapestand best antispam protection for exchange, it does require a linux serverthough.

Best regards

Jonas A. Larsen

From: [email protected][mailto:[email protected]] On Behalf Of Vernon WebbSent: 2. juni 2008 23:05To: [email protected]: Windows Exchange Server

I have been using Linux Sendmail as me email MTA forever, but now have aneed to use Windows Exchange server and am wondering what people are usingas their Spam and virus protection (hopefully an inexpensive solution). Iwas hoping I could use MailScanner but don't see a Windows version. Anyideas?

Vernon Webb

(201) 703-1232

web designs & web hosting by comp-wiz.com, inc.

Information in this transmission is privileged & confidential. It isintended for the use of the individual or entity named above. Any review,dissemination, disclosure, alteration, printing, circulation or transmissionof this email or it's attachments is prohibited and unlawful.

-- This message has been scanned for viruses and dangerous content at www.comp-wiz.com, and is believed to be clean.

-------------- next part --------------An HTML attachment was scrubbed...URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080602/71104a79/attachment.html

Vernon Webb wrote:> I have been using Linux Sendmail as me email MTA forever, but now> have a need to use Windows Exchange server and am wondering what> people are using as their Spam and virus protection (hopefully an> inexpensive solution). I was hoping I could use MailScanner but don't> see a Windows version. Any ideas? > > Vernon Webb> (201) 703-1232> web designs & web hosting by comp-wiz.com, inc.> Information in this transmission is privileged & confidential. It is> intended for the use of the individual or entity named above. Any> review, dissemination, disclosure, alteration, printing, circulation> or transmission of this email or it's attachments is prohibited and> unlawful.

Put a MailScanner box in front of your Exchange server and pass everythingthrough. Been running like that for 3 years and haven't looked back. Youwon't be sorry. Many people here run that way so you'll get plenty offriendly help.

HTHKind regards,Ken

Ken GoodsNetwork AdministratorCropUSA Insurance, Inc.

What about inter-Exchange traffic? Exchange delivers locally whenboth sender and recipient are on the same server.

On 6/2/08, Ken Goods wrote:> Vernon Webb wrote:>> I have been using Linux Sendmail as me email MTA forever, but now>> have a need to use Windows Exchange server and am wondering what>> people are using as their Spam and virus protection (hopefully an>> inexpensive solution). I was hoping I could use MailScanner but don't>> see a Windows version. Any ideas?>>>> Vernon Webb>> (201) 703-1232>> web designs & web hosting by comp-wiz.com, inc.>> Information in this transmission is privileged & confidential. It is>> intended for the use of the individual or entity named above. Any>> review, dissemination, disclosure, alteration, printing, circulation>> or transmission of this email or it's attachments is prohibited and>> unlawful.>> Put a MailScanner box in front of your Exchange server and pass everything> through. Been running like that for 3 years and haven't looked back. You> won't be sorry. Many people here run that way so you'll get plenty of> friendly help.>> HTH> Kind regards,> Ken>>> Ken Goods> Network Administrator> CropUSA Insurance, Inc.> --> MailScanner mailing list> [email protected]> http://lists.mailscanner.info/mailman/listinfo/mailscanner>> Before posting, read http://wiki.mailscanner.info/posting>> Support MailScanner development - buy the book off the website!>

-- Sent from Gmail for mobile | mobile.google.com

My PGP key: http://www.douglasward.net/pubkey.asc

So you relay all the email through the Linux server to the Exchange server?How do you get around having people send email directly to the Exchangeserver box? Just block all email to port 25 except from the Linux server?

Vernon Webb201.703.1232

-----Original Message-----From: [email protected][mailto:[email protected]] On Behalf Of Ken GoodsSent: Monday, June 02, 2008 5:26 PMTo: 'MailScanner discussion'Subject: RE: Windows Exchange Server

Vernon Webb wrote:> I have been using Linux Sendmail as me email MTA forever, but now> have a need to use Windows Exchange server and am wondering what> people are using as their Spam and virus protection (hopefully an> inexpensive solution). I was hoping I could use MailScanner but don't> see a Windows version. Any ideas? > > Vernon Webb> (201) 703-1232> web designs & web hosting by comp-wiz.com, inc.> Information in this transmission is privileged & confidential. It is> intended for the use of the individual or entity named above. Any> review, dissemination, disclosure, alteration, printing, circulation> or transmission of this email or it's attachments is prohibited and> unlawful.

Put a MailScanner box in front of your Exchange server and pass everythingthrough. Been running like that for 3 years and haven't looked back. Youwon't be sorry. Many people here run that way so you'll get plenty offriendly help.

HTHKind regards,Ken

Ken GoodsNetwork AdministratorCropUSA Insurance, Inc.-- MailScanner mailing [email protected]://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!



Douglas Ward wrote:> What about inter-Exchange traffic? Exchange delivers locally when> both sender and recipient are on the same server.> > >

You're exactly correct.

I guess it depends on your network. We don't have anyone spamminginternally, we burned them all at the stake a while back. ;)

Email anti-virus is handled internally with workstation AV products.

Security in depth and all that rot... :)


Vernon Webb wrote:> So you relay all the email through the Linux server to the Exchange> server? How do you get around having people send email directly to> the Exchange server box? Just block all email to port 25 except from> the Linux server? > > Vernon Webb> 201.703.1232>

There are several ways, I use sendmail's relay-table, virtusertable, andmailertable.

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:setup_a_gateway

And you're spot-on with blocking direct contact to the exchange server.Although it really isn't as much of a problem as you may think. Just removethe DNS entry for it and you can still let users POP off and SMTP (withauthentication) outgoing. I do get maybe 10-20 direct hits a day because itwas public at one time. Of course this does leave you with one point offailure, but that's all we had prior to installing the MailScanner box so itwas a wash. The MailScanner box is rock solid so it isn't an issue for us.YMMV

I used a guide on the MailScanner site for the initial setup. Take a lookaround there and see what you come up with. If you need more help or haveother questions don't hesitate to ask.


Thanks for the info. Works great.

Vernon Webb201.703.1232

-----Original Message-----From: [email protected][mailto:[email protected]] On Behalf Of Ken GoodsSent: Monday, June 02, 2008 7:01 PMTo: 'MailScanner discussion'Subject: RE: Windows Exchange Server

Vernon Webb wrote:> So you relay all the email through the Linux server to the Exchange> server? How do you get around having people send email directly to> the Exchange server box? Just block all email to port 25 except from> the Linux server? > > Vernon Webb> 201.703.1232>

There are several ways, I use sendmail's relay-table, virtusertable, andmailertable.

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:setup_a_gateway

And you're spot-on with blocking direct contact to the exchange server.Although it really isn't as much of a problem as you may think. Just removethe DNS entry for it and you can still let users POP off and SMTP (withauthentication) outgoing. I do get maybe 10-20 direct hits a day because itwas public at one time. Of course this does leave you with one point offailure, but that's all we had prior to installing the MailScanner box so itwas a wash. The MailScanner box is rock solid so it isn't an issue for us.YMMV

I used a guide on the MailScanner site for the initial setup. Take a lookaround there and see what you come up with. If you need more help or haveother questions don't hesitate to ask.


-- MailScanner mailing [email protected]://lists.mailscanner.info/mailman/listinfo/mailscanner





For inter-exchange traffic, use Exchange IMF (intelligne Message Filter)It's a plugin that is very easy to use and setup. This should get youstarted:http://www.msexchange.org/tutorials/microsoft-exchange-intelligent-message-filter.html

http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html

Otherwise - do as everyone else has suggested. Put MailScanner on a boxbefore exchange and let it (and the MTA) do all the work.

-----Original Message-----From: [email protected][mailto:[email protected]] On Behalf Of DouglasWardSent: Monday, June 02, 2008 3:43 PMTo: MailScanner discussionSubject: Re: Windows Exchange Server

What about inter-Exchange traffic? Exchange delivers locally whenboth sender and recipient are on the same server.

On 6/2/08, Ken Goods wrote:> Vernon Webb wrote:>> I have been using Linux Sendmail as me email MTA forever, but now>> have a need to use Windows Exchange server and am wondering what>> people are using as their Spam and virus protection (hopefully an>> inexpensive solution). I was hoping I could use MailScanner but don't>> see a Windows version. Any ideas?>>>> Vernon Webb>> (201) 703-1232>> web designs & web hosting by comp-wiz.com, inc.>> Information in this transmission is privileged & confidential. It is>> intended for the use of the individual or entity named above. Any>> review, dissemination, disclosure, alteration, printing, circulation>> or transmission of this email or it's attachments is prohibited and>> unlawful.>> Put a MailScanner box in front of your Exchange server and pass everything> through. Been running like that for 3 years and haven't looked back. You> won't be sorry. Many people here run that way so you'll get plenty of> friendly help.>> HTH> Kind regards,> Ken>>> Ken Goods> Network Administrator> CropUSA Insurance, Inc.> --> MailScanner mailing list> [email protected]> http://lists.mailscanner.info/mailman/listinfo/mailscanner>> Before posting, read http://wiki.mailscanner.info/posting>> Support MailScanner development - buy the book off the website!>

-- Sent from Gmail for mobile | mobile.google.com

My PGP key: http://www.douglasward.net/pubkey.asc-- MailScanner mailing [email protected]://lists.mailscanner.info/mailman/listinfo/mailscanner



########################################################This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

[email protected] at Bandwidthco Computer Security is for your absoluteprotection.########################################################

########################################################This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

[email protected] at Bandwidthco Computer Security is for your absolute protection.########################################################

markee wrote:> For inter-exchange traffic, use Exchange IMF (intelligne Message Filter)> It's a plugin that is very easy to use and setup. This should get you> started:> http://www.msexchange.org/tutorials/microsoft-exchange-intelligent-message-f> ilter.html>> http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF> -v2.html>> Otherwise - do as everyone else has suggested. Put MailScanner on a box> before exchange and let it (and the MTA) do all the work.>>> -----Original Message-----> From: [email protected]> [mailto:[email protected]] On Behalf Of Douglas> Ward> Sent: Monday, June 02, 2008 3:43 PM> To: MailScanner discussion> Subject: Re: Windows Exchange Server>> What about inter-Exchange traffic? Exchange delivers locally when> both sender and recipient are on the same server.>>>> On 6/2/08, Ken Goods wrote:> >> Vernon Webb wrote:>> >>> I have been using Linux Sendmail as me email MTA forever, but now>>> have a need to use Windows Exchange server and am wondering what>>> people are using as their Spam and virus protection (hopefully an>>> inexpensive solution). I was hoping I could use MailScanner but don't>>> see a Windows version. Any ideas?>>>>>> Vernon Webb>>> (201) 703-1232>>> web designs & web hosting by comp-wiz.com, inc.>>> Information in this transmission is privileged & confidential. It is>>> intended for the use of the individual or entity named above. Any>>> review, dissemination, disclosure, alteration, printing, circulation>>> or transmission of this email or it's attachments is prohibited and>>> unlawful.>>> >> Put a MailScanner box in front of your Exchange server and pass everything>> through. Been running like that for 3 years and haven't looked back. You>> won't be sorry. Many people here run that way so you'll get plenty of>> friendly help.>>>> HTH>> Kind regards,>> Ken>>>>>> Ken Goods>> Network Administrator>> CropUSA Insurance, Inc.>> -->> MailScanner mailing list>> [email protected]>> http://lists.mailscanner.info/mailman/listinfo/mailscanner>>>> Before posting, read http://wiki.mailscanner.info/posting>>>> Support MailScanner development - buy the book off the website!>>>> >> I think that by far the best option is to use your mailscanner machine as a filter prior to going to exchange, you can you is then as a smarthost on the way out as well. This will avoid the very perilous method of having your Windows SMTP MTA facing the internet and is the most robust and effective solution all round.

I have numerous clients doing it this way and it just works. If you are using sendmail as your MailScanner MTA I can provide complete help on how to make this work with MailScanner and exchange (all versions).

All the Exchange options and Microsoft based solutions tend to be the "inflatable dinghy" approach to filtering whereas MailScanner is the battleship solution, and it costs less.

P.

-- This message has been scanned for viruses anddangerous content by the Inexcom system Scanner,and is believed to be clean.Advanced heuristic mail scanning server [-].http://www.inexcom.co.uk

-------------- next part --------------An HTML attachment was scrubbed...URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080603/3a3e0607/attachment.html

> I have numerous clients doing it this way and it just works. If you are > using sendmail as your MailScanner MTA I can provide complete help on > how to make this work with MailScanner and exchange (all versions).

And I can help with postfix (+ Active Directory / LDAP)!

As for the inter-Exchange traffic: this really should be "trusted" internal traffic, between internal servers, on an strictly internal network.If it is NOT then it should not be allowed to flow freely between servers directly.

In any case you should run a mail scanning virus scanner on your Exchange servers so internal viruses can not propagate.

Cheers,Ronny

I've been doing this for years, it's slightly off topic and there is stuff about this in the MailScanner wiki but as people tend to forget about that:-)

I have attached some old perl, based on something I found on the net years ago. It dumps list of Exchange recipients from an AD, use as basis for sendmail virtusers map or valid users map, run every 10 mins or so. Obviously change the passwords, domain controller names and baseDN.

Simplest in sendmail is to configure is to define a virtual domain, default recipient is "user does not exist type error", every other recipient becomes [email protected]... Then chuck in a mailertable entry or an MX for exchange.domain pointing at a hub transport (2007) or a front-end (2003) and use a script based on the attached perl to make the virtusers map.

Alternatively, if you know you will only ever need to send to Exchange and nowhere else you could use something like the M4 fragment attached. This is old so will probably need some tweaking for your site but it will give you an idea.

I'll leave it to Ronny here to help with postfix if you choose that route.

Hope that helps,

Gary

[email protected] wrote:>> I have numerous clients doing it this way and it just works. If you>> are using sendmail as your MailScanner MTA I can provide complete>> help on how to make this work with MailScanner and exchange (all>> versions).>> And I can help with postfix (+ Active Directory / LDAP)!>>> As for the inter-Exchange traffic: this really should be "trusted"> internal traffic, between internal servers, on an strictly internal> network. If it is NOT then it should not be allowed to flow freely> between servers directly.>> In any case you should run a mail scanning virus scanner on> your Exchange servers so internal viruses can not propagate.>>> Cheers,> Ronny

-------------- next part --------------A non-text attachment was scrubbed...Name: ldap_get_recips.plType: application/octet-streamSize: 3127 bytesDesc: ldap_get_recips.plUrl : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080603/4a6eabce/ldap_get_recips-0001.obj-------------- next part --------------A non-text attachment was scrubbed...Name: sendmail example.m4Type: application/octet-streamSize: 1085 bytesDesc: sendmail example.m4Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080603/4a6eabce/sendmailexample-0001.obj

Of course, I forgot to mention, there is an even easier way...

Just configure Exchange to block/reject invalid recipients (it doesn't in most default setups) set a mailertable entry for it and run milter-ahead.

That works as well, use whichever you are most comfortable with.

Gary

[email protected] wrote:> I've been doing this for years, it's slightly off topic and> there is stuff about this in the MailScanner wiki but as> people tend to forget about that:-)>> I have attached some old perl, based on something I found on> the net years ago. It dumps list of Exchange recipients from> an AD, use as basis for sendmail virtusers map or valid users> map, run every 10 mins or so. Obviously change the> passwords, domain controller names and baseDN.>> Simplest in sendmail is to configure is to define a virtual> domain, default recipient is "user does not exist type> error", every other recipient becomes [email protected]...> Then chuck in a mailertable entry or an MX for> exchange.domain pointing at a hub transport (2007) or a> front-end (2003) and use a script based on the attached perl to make> the virtusers map.>> Alternatively, if you know you will only ever need to send to> Exchange and nowhere else you could use something like the M4> fragment attached. This is old so will probably need some> tweaking for your site but it will give you an idea.>> I'll leave it to Ronny here to help with postfix if you choose that> route.>> Hope that helps,>> Gary>> [email protected] wrote:>>> I have numerous clients doing it this way and it just works. If you>>> are using sendmail as your MailScanner MTA I can provide complete>>> help on how to make this work with MailScanner and exchange (all>>> versions).>>>> And I can help with postfix (+ Active Directory / LDAP)!>>>>>> As for the inter-Exchange traffic: this really should be "trusted">> internal traffic, between internal servers, on an strictly internal>> network. If it is NOT then it should not be allowed to flow freely>> between servers directly.>>>> In any case you should run a mail scanning virus scanner on your>> Exchange servers so internal viruses can not propagate.>>>>>> Cheers,>> Ronny

Julian,

One buglet...

I'd edited MailScanner.conf to read:

Monitors for ClamAV Updates = /usr/local/share/clamav/*.cld /usr/local/share/clamav/*.cvd

And upgrade_MailScanner_conf complained

Your setting for 'Monitors for ClamAV Updates' is broken.It should look like this (unless your ClamAV is installedsomewhere else)Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd

As 0.93 no longer uses the .inc subdirectories this is broken.

Cheers,

Phil

--Phil RandalNetworks EngineerHerefordshire CouncilHereford, UK

-----Original Message-----From: [email protected] [mailto:[email protected]] On Behalf Of Julian FieldSent: 24 May 2008 23:34To: MailScanner discussionSubject: Re: ClamAV 0.93 released

I have just published a new beta of MailScanner including support for Mail::ClamAV 0.22, which is now provided in my ClamAV+SpamAssassin package. These two should work successfully as a pair, and I would appreciate testers.

Thanks!Jules.

P.S. It's nice to be out in the big wide world again, I didn't go outside the building for a week, now I just need to get my sleep cycle back to normal. I am too used to sleeping in a hospital bed, and to being awake at 6am (I normally was in the shower by 6:30am in hospital).

The latest news seems to be that they may pass my case back to the liver transplant team, and not do a small bowel transplant after all. But possibilities currently include everything up to, and including, replacing my stomach, duodenum, jejunum, ilium (small intestines, all 26 feet of it), liver, pancreas and all the blood vessels that join them all together. So just about anything is possible right now. Within the next month or two, I should hear what (if any) other tests they want to do, but my case will be discussed at a national level and they all have to agree what is best for me to have done. That could possibly take a few months, so I don't expect any quick news. I managed a very nice chat with a guy from their chronic pain team, and he had several new ideas for painkillers that the people in Southampton had never considered, which was very useful. Southampton's attitude seems to be that if a couple of Paracetomol (Tylenol) don't handle it, then they don't really know much about what to do :-) It's not quite as bad as that, but you get my drift :-) The Cambridge team at Addenbrookes actually appreciate the problem of your body becoming used to opiates and that you build up a tolerance to them, and had some ideas for new drugs which I have only rarely been exposed to before, such as Oramorph and Fentanyl.

That's about the latest news, I'll keep you posted.

Cheers,Jules.

P.S. It's my list, and I'll top-post if I want to ;-)

Alex Broens wrote:> On 5/23/2008 1:21 PM, David Lee wrote:>> On Mon, 28 Apr 2008, Denis Beauchemin wrote:>>>>> Leonardo Helman a ?crit :>>>> Hi I'm using clamavmodule>>>>>>>>>>>> I've made a patch for the Mail::ClamAV to compile (later I'll send >>>> it to the Mail::ClamAV mantainer)>>>>>>> Hello,>>>>>> Anything new on the official Mail::ClamAV module? I just looked and >>> version 0.21 still supports maxratio which have been removed from >>> Clam 0.93...>>>>>> Since there are known exploits for 0.92 I am beginning to feel the >>> urge to upgrade to 0.93...>>>> Scott Beck has released version 0.22 of Mail::ClamAV in the last few >> days.>>>> Could I suggest that some of us with test facilities and with a >> little technical experience try the various combinations of the older >> and newer versions of ClamAV and Mail::ClamAV and verify which >> combinations work and fail?>>>> 1. Old+old: We know that the combined earlier versions work.>>>> 2. New ClamAV + old Mail::ClamAV: It has been reported that the new>> ClamAV (0.93) breaks with older Mail::ClamAV (0.20/0.21). Could>> someone provide details of what this breakage is? Is there a quick>> recipe to reproduce the problem that ClamAV 0.93 had introduced?>>>> 3. New + new: Julian's Clam+SA package would ultimately be new+new. >> Can>> we verify that this fixes any previously verified breakage? Also >> that>> it does not seem to introduce any new problems.>>>> 4. Old ClamAV + new Mail::ClamAV: There are inevitably sites which use>> other sources (not Julian's package). Can we check what happens >> with>> if someone were to upgrade their Mail::ClamAV module but leave the>> main ClamAV software back on 0.92? (Probably not too important, but>> it would be a nice data point to complete the set...)>>>> Given Julian's sadly enforced absence from work, I'm sure he would >> appreciate it if we can do this tabulation for him.>> Will try to test new Mail::ClamAV with ClamAV 0.93 and on several old > versions of MS>>>

Jules

--Julian Field MEng CITP CEngwww.MailScanner.infoBuy the MailScanner book at www.MailScanner.info/store


PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc

--This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--MailScanner mailing [email protected]://lists.mailscanner.info/mailman/listinfo/mailscanner



That stimulated what few synapses I have left to fire. I forgot I had made a change to the "SpamAssassin Rule Actions". I couldn't get it to work so I searched the mail list and found out what I was doing wrong by copying someone else's solution which had this line in the rule file:

FromOrTo: 127.0.0.1

I've removed that line and I'm no longer seeing that message in the log.

later,

Julian Field wrote:> You must have set something to do with "SpamAssassin Rule Actions".> I strongly suspect you have a ruleset attached to that setting, with a > "To:" line that refers to an IP address, or possible a domain name > involving only the characters 0-9 and a-f.>> Please show us the ruleset you have attached to "SpamAssassin Rule > Actions".>

Aye, for postfix we use recipient_address_verification so our MailScanner server never accepts emails that we cannot deliver onto the exchange servers and requires no extra tweaking on our part... It has massively cut the load on our MailScanner servers.

Jason________________________________________From: [email protected] [[email protected]] On Behalf Of Ronny T. Lampert [[email protected]]Sent: 03 June 2008 10:17To: MailScanner discussionSubject: Re: Windows Exchange Server

> I have numerous clients doing it this way and it just works. If you are> using sendmail as your MailScanner MTA I can provide complete help on> how to make this work with MailScanner and exchange (all versions).


As for the inter-Exchange traffic: this really should be "trusted"internal traffic, between internal servers, on an strictly internal network.If it is NOT then it should not be allowed to flow freely betweenservers directly.

In any case you should run a mail scanning virus scanner on yourExchange servers so internal viruses can not propagate.

Cheers,Ronny--MailScanner mailing [email protected]://lists.mailscanner.info/mailman/listinfo/mailscanner



Jason - Is there such a setting or configuration for Sendmail ? "recipient_address_verification"

I relay mail for several domains, some of which are Exchange Servers. Itwould be good to drop mail at MTA if Exchange Recips not VALID

RegardsKevin-----Original Message-----From: [email protected][mailto:[email protected]] On Behalf Of Jason EdeSent: 03 June 2008 14:00To: MailScanner discussionSubject: RE: Windows Exchange Server

Aye, for postfix we use recipient_address_verification so our MailScannerserver never accepts emails that we cannot deliver onto the exchange serversand requires no extra tweaking on our part... It has massively cut the loadon our MailScanner servers.

Jason________________________________________From: [email protected][[email protected]] On Behalf Of Ronny T. Lampert[[email protected]]Sent: 03 June 2008 10:17To: MailScanner discussionSubject: Re: Windows Exchange Server







Support MailScanner development - buy the book off the website!--MailScanner mailing [email protected]://lists.mailscanner.info/mailman/listinfo/mailscanner




This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

2008/6/3 Mail Admin :> Jason - Is there such a setting or configuration for Sendmail ?> "recipient_address_verification">> I relay mail for several domains, some of which are Exchange Servers. It> would be good to drop mail at MTA if Exchange Recips not VALID>> Regards> KevinOne need use a milter for Sendmail. smf-sav can be used (although youshouldn't do the _sender_ part, only recipient)... or milter-ahead(which will cost a bit, I think... I'm strictly PF myself:-).

Cheers-- Glenn

> -----Original Message-----> From: [email protected]> [mailto:[email protected]] On Behalf Of Jason Ede> Sent: 03 June 2008 14:00> To: MailScanner discussion> Subject: RE: Windows Exchange Server>> Aye, for postfix we use recipient_address_verification so our MailScanner> server never accepts emails that we cannot deliver onto the exchange servers> and requires no extra tweaking on our part... It has massively cut the load> on our MailScanner servers.>> Jason> ________________________________________> From: [email protected]> [[email protected]] On Behalf Of Ronny T. Lampert> [[email protected]]> Sent: 03 June 2008 10:17> To: MailScanner discussion> Subject: Re: Windows Exchange Server>>> I have numerous clients doing it this way and it just works. If you are>> using sendmail as your MailScanner MTA I can provide complete help on>> how to make this work with MailScanner and exchange (all versions).>> And I can help with postfix (+ Active Directory / LDAP)!>>> As for the inter-Exchange traffic: this really should be "trusted"> internal traffic, between internal servers, on an strictly internal network.> If it is NOT then it should not be allowed to flow freely between> servers directly.>> In any case you should run a mail scanning virus scanner on your> Exchange servers so internal viruses can not propagate.>>> Cheers,> Ronny> --> MailScanner mailing list> [email protected]> http://lists.mailscanner.info/mailman/listinfo/mailscanner>> Before posting, read http://wiki.mailscanner.info/posting>> Support MailScanner development - buy the book off the website!> --> MailScanner mailing list> [email protected]> http://lists.mailscanner.info/mailman/listinfo/mailscanner>> Before posting, read http://wiki.mailscanner.info/posting>> Support MailScanner development - buy the book off the website!>> --> This message has been scanned for viruses and> dangerous content by MailScanner, and is> believed to be clean.>>> This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.>> --> MailScanner mailing list> [email protected]> http://lists.mailscanner.info/mailman/listinfo/mailscanner>> Before posting, read http://wiki.mailscanner.info/posting>> Support MailScanner development - buy the book off the website!>

-- -- Glennemail: glenn < dot > steen < at > gmail < dot > comwork: glenn < dot > steen < at > ap1 < dot > se

Hi,

I don't know about sendmail I'm afraid. The actual postfix param is reject_unverified_recipient (http://www.postfix.org/ADDRESS_VERIFICATION_README.html) although need to be careful only run that on incoming email.

Jason

________________________________________From: [email protected] [[email protected]] On Behalf Of Mail Admin [[email protected]]Sent: 03 June 2008 15:19To: 'MailScanner discussion'Subject: RE: Windows Exchange Server

Jason - Is there such a setting or configuration for Sendmail ?"recipient_address_verification"

I relay mail for several domains, some of which are Exchange Servers. Itwould be good to drop mail at MTA if Exchange Recips not VALID

RegardsKevin-----Original Message-----From: [email protected][mailto:[email protected]] On Behalf Of Jason EdeSent: 03 June 2008 14:00To: MailScanner discussionSubject: RE: Windows Exchange Server

Aye, for postfix we use recipient_address_verification so our MailScannerserver never accepts emails that we cannot deliver onto the exchange serversand requires no extra tweaking on our part... It has massively cut the loadon our MailScanner servers.

Jason________________________________________From: [email protected][[email protected]] On Behalf Of Ronny T. Lampert[[email protected]]Sent: 03 June 2008 10:17To: MailScanner discussionSubject: Re: Windows Exchange Server







Support MailScanner development - buy the book off the website!--MailScanner mailing [email protected]://lists.mailscanner.info/mailman/listinfo/mailscanner



--This message has been scanned for viruses anddangerous content by MailScanner, and isbelieved to be clean.

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

--MailScanner mailing [email protected]://lists.mailscanner.info/mailman/listinfo/mailscanner



On 6/3/2008 4:31 PM, Glenn Steen wrote:> One need use a milter for Sendmail. smf-sav can be used (although you> shouldn't do the _sender_ part, only recipient)... or milter-ahead > (which will cost a bit, I think... I'm strictly PF myself:-).

as to milter-aheadthe latest version uses the Pfix transport file for its DB - it ROCKS!(as well as the sendmail mailertable)

Using it on a few high traffic Pfix boxes and its holding up superbly.Worth every buck and more.

Alex

Hi,

I'd like to update the wiki about the postfix quarantine release script.For recent postfixes (2.3, 2.4) the script not really is working and also has a subtle bug (chmod +x the queue file BEFORE the copying is bad).

How'd I do that?

Cheers,Ronny

Fixed for the next release.Thanks for reporting this.

Randal, Phil wrote:> Julian,>> One buglet...>> I'd edited MailScanner.conf to read:>> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cld /usr/local/share/clamav/*.cvd>> And upgrade_MailScanner_conf complained>> Your setting for 'Monitors for ClamAV Updates' is broken.> It should look like this (unless your ClamAV is installed> somewhere else)> Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd >>> As 0.93 no longer uses the .inc subdirectories this is broken.>> Cheers,>> Phil>> --> Phil Randal> Networks Engineer> Herefordshire Council> Hereford, UK>> -----Original Message-----> From: [email protected] [mailto:[email protected]] On Behalf Of Julian Field> Sent: 24 May 2008 23:34> To: MailScanner discussion> Subject: Re: ClamAV 0.93 released>> I have just published a new beta of MailScanner including support for Mail::ClamAV 0.22, which is now provided in my ClamAV+SpamAssassin package. These two should work successfully as a pair, and I would appreciate testers.>> Thanks!> Jules.>> P.S. It's nice to be out in the big wide world again, I didn't go outside the building for a week, now I just need to get my sleep cycle back to normal. I am too used to sleeping in a hospital bed, and to being awake at 6am (I normally was in the shower by 6:30am in hospital).>> The latest news seems to be that they may pass my case back to the liver transplant team, and not do a small bowel transplant after all. But possibilities currently include everything up to, and including, replacing my stomach, duodenum, jejunum, ilium (small intestines, all 26 feet of it), liver, pancreas and all the blood vessels that join them all together. So just about anything is possible right now. Within the next month or two, I should hear what (if any) other tests they want to do, but my case will be discussed at a national level and they all have to agree what is best for me to have done. That could possibly take a few months, so I don't expect any quick news. I managed a very nice chat with a guy from their chronic pain team, and he had several new ideas for painkillers that the people in Southampton had never considered, which was very useful. Southampton's attitude seems to be that if a couple of Paracetomol (Tylenol) don't handle it, then they don't really know much about what to do :-) It's not quite as bad as that, but you get my drift :-) The Cambridge team at Addenbrookes actually appreciate the problem of your body becoming used to opiates and that you build up a tolerance to them, and had some ideas for new drugs which I have only rarely been exposed to before, such as Oramorph and Fentanyl.>> That's about the latest news, I'll keep you posted.>> Cheers,> Jules.>> P.S. It's my list, and I'll top-post if I want to ;-)>>> Alex Broens wrote:> >> On 5/23/2008 1:21 PM, David Lee wrote:>> >>> On Mon, 28 Apr 2008, Denis Beauchemin wrote:>>>>>> >>>> Leonardo Helman a ?crit :>>>> >>>>> Hi I'm using clamavmodule>>>>>>>>>>>>>>> I've made a patch for the Mail::ClamAV to compile (later I'll send >>>>> it to the Mail::ClamAV mantainer)>>>>>>>>>> >>>> Hello,>>>>>>>> Anything new on the official Mail::ClamAV module? I just looked and >>>> version 0.21 still supports maxratio which have been removed from >>>> Clam 0.93...>>>>>>>> Since there are known exploits for 0.92 I am beginning to feel the >>>> urge to upgrade to 0.93...>>>> >>> Scott Beck has released version 0.22 of Mail::ClamAV in the last few >>> days.>>>>>> Could I suggest that some of us with test facilities and with a >>> little technical experience try the various combinations of the older >>> and newer versions of ClamAV and Mail::ClamAV and verify which >>> combinations work and fail?>>>>>> 1. Old+old: We know that the combined earlier versions work.>>>>>> 2. New ClamAV + old Mail::ClamAV: It has been reported that the new>>> ClamAV (0.93) breaks with older Mail::ClamAV (0.20/0.21). Could>>> someone provide details of what this breakage is? Is there a quick>>> recipe to reproduce the problem that ClamAV 0.93 had introduced?>>>>>> 3. New + new: Julian's Clam+SA package would ultimately be new+new. >>> Can>>> we verify that this fixes any previously verified breakage? Also >>> that>>> it does not seem to introduce any new problems.>>>>>> 4. Old ClamAV + new Mail::ClamAV: There are inevitably sites which use>>> other sources (not Julian's package). Can we check what happens >>> with>>> if someone were to upgrade their Mail::ClamAV module but leave the>>> main ClamAV software back on 0.92? (Probably not too important, but>>> it would be a nice data point to complete the set...)>>>>>> Given Julian's sadly enforced absence from work, I'm sure he would >>> appreciate it if we can do this tabulation for him.>>> >> Will try to test new Mail::ClamAV with ClamAV 0.93 and on several old >> versions of MS>>>>>>>> >> Jules>> --> Julian Field MEng CITP CEng> www.MailScanner.info> Buy the MailScanner book at www.MailScanner.info/store>> MailScanner customisation, or any advanced system administration help?> Contact me at [email protected]>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc>>> --> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.>> --> MailScanner mailing list> [email protected]> http://lists.mailscanner.info/mailman/listinfo/mailscanner>> Before posting, read http://wiki.mailscanner.info/posting>> Support MailScanner development - buy the book off the website! >

Jules






Ronny T. Lampert wrote:|> I have numerous clients doing it this way and it just works. If you|> are using sendmail as your MailScanner MTA I can provide complete help|> on how to make this work with MailScanner and exchange (all versions).|| And I can help with postfix (+ Active Directory / LDAP)!||| As for the inter-Exchange traffic: this really should be "trusted"| internal traffic, between internal servers, on an strictly internal| network.| If it is NOT then it should not be allowed to flow freely between| servers directly.|| In any case you should run a mail scanning virus scanner on your| Exchange servers so internal viruses can not propagate.

Not to mention that your scanner may not detect the specific sample atthe time it will pass the perimeter scanner.

Last year I spend a day in a AV lab and quite a bit of time with 4months worth of raw samples. The average figures we came up with was 110new samples per day of which about 40 were seen almost immediatly. Sothe majority of samples are analyzed only hours, days or even weeksafter they may hit you.

At the moment webbased ones seem the ones to change the fastest. But youmay still pass malware because your scanner(s) did not detect it.

Hugo.





iD8DBQFIRYlhBvzDRVjxmYERAi4DAKC4FBj/YBHF1uoBX0gLJeJstIi+ZQCbBLH6rY4pvDdGR0sberEk+N5vFk8==1ysb-----END PGP SIGNATURE-----

Hi,

I had this configuration which reduced alot of bounces going into user's mailbox.I was quite happy with this but today some users noticed that gmail's vacation messageswere beiing blocked.

Use Watermarking = yesAdd Watermark = yesCheck Watermarks With No Sender = yesTreat Invalid Watermarks With No Sender as Spam = spamCheck Watermarks To Skip Spam Checks = yesWatermark Secret = %org-name%-SECRET!Watermark Lifetime = 604800Watermark Header = X-%org-name%-MailScanner-Watermark:

I tried a few changes, like setting it toTreat Invalid Watermarks With No Sender as Spam = 5orCheck Watermarks To Skip Spam Checks = no

but the vacation messages were still beiing blocked.the only way i got the vacations to come in was with the following configuration:

Use Watermarking = yesAdd Watermark = yesCheck Watermarks With No Sender = noTreat Invalid Watermarks With No Sender as Spam = spamCheck Watermarks To Skip Spam Checks = yesWatermark Secret = %org-name%-SECRET!Watermark Lifetime = 604800Watermark Header = X-%org-name%-MailScanner-Watermark:

I find this scary to set it to 'no' as from what i understand, it will just disable the watermarks checks

# Do you want to check watermarks?# This can also be the filename of a ruleset.Check Watermarks With No Sender = no

can anyone help me on this, just to make sure i'm not doing something crazy :)

thanks,Charles

Charles Lacroix wrote:> Hi,>> I had this configuration which reduced alot of bounces going into > user's mailbox.> I was quite happy with this but today some users noticed that gmail's > vacation messages> were beiing blocked.>

The watermark feature examines all messages that have a null sender. In sendmail logs these are the ones with:

"from="

If gmail uses that approach to send vacation messages, and does not include the original message in the reply, then it will trigger the bad watermark action. So if you want to be able to receive these and still use the watermark feature, maybe you could just add 2 or 3 points for a bad watermark.

Mark

If I run it by hand, update_bad_phishing_sites works fine, but thescript in /etc/cron.hourly seems to be somewhat confused. The followingis sent to root:=========running hourly cronjob scripts

SCRIPT: check_MailScanner, OK.SCRIPT: update_bad_phishing_sites exited with RETURNCODE = 255.SCRIPT: update_virus_scanners, OK.=========

Any clues?

...Kevin-- Kevin Miller Registered Linux User No: 307357CBJ MIS Dept. Network Systems Admin., Mail Admin.155 South Seward Street ph: (907) 586-0242Juneau, Alaska 99801 fax: (907 586-4500

Hi,

I'm trying to set a SPF record for our new MainScanner/Exchange setup and wasn'tsure what data to include. Currently, the only approved IP is the MainScannerbox IP. Of course, since the Exchange box has a local non-routable IP(192.168.1.x), the MainScanner box always returns a SPF FAIL on all emailscoming from the Exchange box.

So am I suppose to include the non-routable IP in my SPF record? Or what is thenormal way to fix this issue?

Thanks.

I would set up exchange to email out using a smarthost which is the mailscanner box.

-----Original Message-----From: Henry Kwan

Date: Tue, 3 Jun 2008 23:00:23 To:[email protected]: SPF setting for MailScanner setup.

Hi,

I'm trying to set a SPF record for our new MainScanner/Exchange setup and wasn'tsure what data to include. Currently, the only approved IP is the MainScannerbox IP. Of course, since the Exchange box has a local non-routable IP(192.168.1.x), the MainScanner box always returns a SPF FAIL on all emailscoming from the Exchange box.

So am I suppose to include the non-routable IP in my SPF record? Or what is thenormal way to fix this issue?

Thanks.

-- MailScanner mailing [email protected]://lists.mailscanner.info/mailman/listinfo/mailscanner



Philip Zeigler writes:

> > I would set up exchange to email out using a smarthost which is the> mailscanner box. >

Hi,

The Exchange box is already configured to smarthost-relay all outbound messagesthrough the Mailscanner box. The issue is that Mailscanner doesn't recognizethe Exchange box as a valid SPF sender.

Should I include the Exchange box's non-routable IP in my SPF record or is thereanother way to resolve this issue?

Or does it not even matter since I've whitelisted my Exchange box (via/etc/MailScanner/spam.whitelist.rules)?

Thanks.

On 6/4/2008 2:50 AM, Henry Kwan w

lists.mailscanner.infolists.mailscanner.info/pipermail/mailscanner/2008-June.txtThe only thing I did...

Documents

Transcript of lists.mailscanner.infolists.mailscanner.info/pipermail/mailscanner/2008-June.txtThe only thing I did...