lists.mailscanner.info/pipermail/mailscanner/2006-April.txt


ERROR IN /var/log/maillog :

Mailserver MailScanner-MRTG[3544]: Unable to find a mountpoint for /var/www/html/mailscanner-mrtg/incoming/. Please set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint. You can see a list of mointpoints on your system by using the df command

I'm using

a.. mailscanner-mrtg-0.10.00-1.src.rpm
b.. mrtg-2.13.2.tar.gz
c.. gd-2.0.11.tar.gz
d.. zlib-1.2.3.tar.gz
e.. libpng-1.2.5.tar.gz
f.. And SENDMAIL 8.13.5 and MailScanner

I'm using MRTG for the base and the Mailscanner-mrtg tool to maintain my graphs for my mail server.

I only have these mount points:

[root@Jadoo]# df -h
Filesystem   Mounted on
/dev/sda3    /
/dev/sda1    /boot
none         /dev/shm
/dev/sdb1    /var

Is there any way I can make the above graph visible?

Thanks and regards,
M.Nauman Habib
Network Engineer
ICT Department
WorldCALL Multimedia Pvt Ltd
16-S Gulberg II Lahore, Pakistan
Off: 92 (42) 5877051-55
Cell : 0321-4311830

--
This message has been scanned for viruses and
dangerous content by WorldCall Scanner, and is
believed to be clean.

Any ideas what could be causing the following problem when starting MailScanner version 4.50.15, Sendmail 8.13.6, Spamassassin 3.1.0 and Perl 5.8.1 - I've been fighting this problems for months now when starting MailScanner though it does not happen every time I manually start MailScanner.

Starting MailScanner daemons:

incoming sendmail: /etc/init.d/MailScanner: line 390: 11791 Segmentation fault $SENDMAIL -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=$INQDIR -OPidFile=$INPID

When the problem occurs, MailScanner does not start.

I can make the problem happen by starting and stopping MailScanner about four times in a row.

Thanks,

Damian


I've updated MailScanner as suggested & supplied the "broken" message directly to Julian. Hopefully this will help with this issue. Thanks for the responses.

Regards
KArl

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Steve Freegard
Sent: 31 March 2006 09:32
To: MailScanner discussion
Subject: Re: Not often I post

Hi Karl,

On Thu, 2006-03-30 at 23:02 +0100, Karl Bailey wrote:
> Only when I have a problem, which I seem to at the moment. Two day in
> a row now I have had a problem with MailScanner 4.51.5-1 running in
> RedHat FC1. It employs spam assassin, kaspersky, f-prot & mcafee virus
> scanning. CPU usage etc hovers around 25% & all in all it works very
> well processing around 20000 messages (6GBytes) a day.
>
> I have received a single message that brings mailscanner to it's
> knees .. the message enters the inbound mail queue, the MailScanner
> processes defunct one by one till MailScanner is effectively not
> processing mail any more, mail builds up in the inbound mail queue.
> This is exasperated by the fact that although MailScanner reports as
> defunct in the process list it is actually still identifying spam, &
> generating spam warning messages, which in turn end up in the inbound
> queue... this seems to lead to a "DOS" effect.
>
> I have isolated the single message in it's raw queue qf & df files.
> Every time I place it into the inbound queue the processes defunct, &
> yes I am ensuring there is no file permissions problems... If anyone
> wants a copy of the message I can send them the queue files.... I'm
> suspicious though that the Virus Scanning is where the problem lies,
> hence without the combination of VC's listed above it may run through
> the queue ... Any ideas? The one thing I've noticed about the header(qf
> file) is that there seems to be some very long boundary strings
> employed.

We had a number of customers with exactly the same problem on 4.51.5 - an upgrade to 4.51.6 solved the problem for them.

Kind regards,
Steve.

--
Steve Freegard
Development Director
Fort Systems Ltd.
Tel: +44 (0)1243 200 001
Mobile: +44 (0)7740 364 348
Skype: smfreegard

--
MailScanner mailing list
[email protected]
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!


On 01/04/06, Damian Mendoza wrote:
> Any ideas what could be causing the following problem when starting
> MailScanner version 4.50.15, Sendmail 8.13.6, Spamassassin 3.1.0 and Perl
> 5.8.1 ? I've been fighting this problems for months now when starting
> MailScanner though it does not happen every time I manually start
> MailScanner.
>
> Starting MailScanner daemons:
>
> incoming sendmail: /etc/init.d/MailScanner: line 390: 11791
> Segmentation fault $SENDMAIL -bd -OPrivacyOptions=noetrn
> -ODeliveryMode=queueonly -OQueueDirectory=$INQDIR -OPidFile=$INPID
>
> When the problem occurs, MailScanner does not start.
>
> I can make the problem happen by starting and stopping MailScanner about
> four times in a row.
>
> Thanks,
>
> Damian

This is very likely a HW problem. Start troubleshooting by running a memory tester worth its salt on the system (http://www.memtest86.com/ ... Assuming you are running on an x86 architecture... It is included on many Live-CD distros, Ubuntu etc etc).

Also run fsck on every filesystem on the box (means you need boot to something else .... Knoppix, SystemResqueCD, R.I.P. or your OS' normal "non-disk" boot method). It's fairly unlikely, but a bum filesystem *could* trip you up.

If those are "green", then something else is tipping you up (bum NIC, bad drivers, botched libs .... the list is "endless":-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

I have just released the stable release for April, version 4.52.

It's been a quiet month, just one major new feature which I hope the ISP's among you, in particular, will find useful.

There is now an option in the Phishing Net settings that will make it slightly less strict. If you have a web server email.domain.com pretending to be www.domain.com it will not complain as the "domain.com" strings match.

It also knows a pretty complete list of all the second level domains used by many countries. So email.domain.org.uk and www.domain.org.uk will match. But www.domain1.org.uk and www.domain2.org.uk will _not_ match. This is because it knows that ".org.uk" is a generic domain name used by the UK to cover a whole group of different websites (UK non-profits).

This also adds a new configuration file, %etc-dir%/country.domains.conf.

Download it as usual from www.mailscanner.info.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
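The relaxed comparison described in the announcement above can be sketched as follows. This is an added example, not MailScanner's code: the function names are hypothetical and `COUNTRY_SECOND_LEVEL` is a small constructed stand-in for the contents of `%etc-dir%/country.domains.conf`. It also shows what goes wrong when the country list is missing.

```python
import ipaddress

# Constructed sample of country second-level domains. MailScanner keeps its
# own list in %etc-dir%/country.domains.conf; these entries are assumptions.
COUNTRY_SECOND_LEVEL = frozenset({"org.uk", "co.uk", "ac.uk", "com.au", "co.nz"})


def _normalise(host):
    """Lower-case a host name and drop surrounding space and a trailing dot."""
    return host.strip().lower().rstrip(".")


def site_domain(host, second_level=COUNTRY_SECOND_LEVEL):
    """Return the part of `host` that identifies the site owner, or None."""
    host = _normalise(host)
    try:
        ipaddress.ip_address(host)
        return host  # numeric hosts have no parent domain: compare as-is
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or "" in labels:
        return None  # bare names and malformed hosts never match anything
    tail = ".".join(labels[-2:])
    if tail in second_level:
        # "org.uk" on its own is a shared suffix, not a site: one more
        # label is needed to name the owner.
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return tail


def same_site(host_a, host_b, strict=False, second_level=COUNTRY_SECOND_LEVEL):
    """True when the two host names should be treated as the same site.

    strict=True models the original behaviour (hosts must be identical);
    strict=False models the less strict option from the announcement.
    """
    if strict:
        return _normalise(host_a) == _normalise(host_b)
    a = site_domain(host_a, second_level)
    b = site_domain(host_b, second_level)
    return a is not None and a == b


if __name__ == "__main__":
    pairs = [
        ("www.domain.com", "email.domain.com"),
        ("www.domain.org.uk", "email.domain.org.uk"),
        ("www.domain1.org.uk", "www.domain2.org.uk"),
    ]
    for shown, real in pairs:
        print(shown, real,
              "relaxed:", same_site(shown, real),
              "no country list:", same_site(shown, real, second_level=frozenset()))
```

Run without the country list, the third pair collapses to `org.uk` on both sides and is wrongly treated as one site, which is the case the new configuration file exists to prevent.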

I think this was fixed in 4.51.6, it certainly doesn't appear to cause any problems now.

Karl Bailey wrote:
> I've updated MailScanner as suggested & supplied the "broken" message
> directly to Julian. Hopefully this will help with this issue. Thanks for
> the responses.
>
> Regards
> KArl
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Steve
> Freegard
> Sent: 31 March 2006 09:32
> To: MailScanner discussion
> Subject: Re: Not often I post
>
> Hi Karl,
>
> On Thu, 2006-03-30 at 23:02 +0100, Karl Bailey wrote:
>> Only when I have a problem, which I seem to at the moment. Two day in
>> a row now I have had a problem with MailScanner 4.51.5-1 running in
>> RedHat FC1. It employs spam assassin, kaspersky, f-prot & mcafee virus
>> scanning. CPU usage etc hovers around 25% & all in all it works very
>> well processing around 20000 messages (6GBytes) a day.
>>
>> I have received a single message that brings mailscanner to it's
>> knees .. the message enters the inbound mail queue, the MailScanner
>> processes defunct one by one till MailScanner is effectively not
>> processing mail any more, mail builds up in the inbound mail queue.
>> This is exasperated by the fact that although MailScanner reports as
>> defunct in the process list it is actually still identifying spam, &
>> generating spam warning messages, which in turn end up in the inbound
>> queue... this seems to lead to a "DOS" effect.
>>
>> I have isolated the single message in it's raw queue qf & df files.
>> Every time I place it into the inbound queue the processes defunct, &
>> yes I am ensuring there is no file permissions problems... If anyone
>> wants a copy of the message I can send them the queue files.... I'm
>> suspicious though that the Virus Scanning is where the problem lies,
>> hence without the combination of VC's listed above it may run through
>> the queue ... Any ideas? The one thing I've noticed about the header
>> (qf file) is that there seems to be some very long boundary strings
>> employed.
>
> We had a number of customers with exactly the same problem on 4.51.5 -
> an upgrade to 4.51.6 solved the problem for them.
>
> Kind regards,
> Steve.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


On 3/31/06, Julian Field wrote:
> Switch off the incoming sendmail (kill the one that listening for
> messages).

Is that the one that says 'sendmail: accepting connections' when I do a 'ps ax', or is the one that says '/usr/sbin/sendmail -q15m -OPidFile/var/run/sendmail.out.pid'

> Wait for MailScanner to stop delivering any new messages.
> Delete everything left in mqueue.in.
> Stop MailScanner completely and restart it.

Wouldn't this work fine too?
===================================
cd /var/spool/mqueue.in
find . -mtime +5 -print | xargs rm
===================================

--
TAC Support Team

On 3/31/06, Jeff A. Earickson wrote:
> First, figure out the maximum time that you hold email before returning
> it as undeliverable. Mine is three days, eg "Timeout.queuereturn=3d"
> in my sendmail settings. Then cd to the queue directory in question,
> and do:
>
> find . -mtime +3 -print | xargs rm
>
> Voila, old files are gone. No need to stop sendmail or MailScanner.

Hi Jeff

This is great. Worked wonders... thanks a bunch for this...

The default was 5d for my server.

On a separate note, would you care to share why you configured it for 3 days instead of the default 5 days that was configured on my sendmail configuration?

Regards
--
TAC Support Team

On 4/1/06, Mark McCoy wrote:
> Do a 'man find' first. On some Unices, "-mtime +3" means "older than
> 3 minutes", not "older than 3 days".

Ah! thanks for pointing this out. I checked the man page. Apparently this version of Linux means days, so we're okay on that.

Thanks for the warning.

Regards
--
TAC Support Team

As others pointed out, RTFM before using a new UNIX command. I didn't know that +3 could mean minutes on some Linux systems. I would expect the syntax to be something like "+3m" for that, so as not to break for older UNIX systems (Solaris in my case).

I use 3 days because if a message won't go in 3 days, it almost certainly won't go in 5. DNS/dead server issues are usually noticed and fixed in three days. The rest is typos, replies to spam and bogus addresses. Get it outta my mail queue! I also use Timeout.queuewarn=4h instead of the one day default, to give users a quicker clue that their message isn't moving (so they can fix their typos).

Jeff Earickson
Colby College

On Sat, 1 Apr 2006, TAC Forums wrote:

> Date: Sat, 1 Apr 2006 18:16:01 +0530
> From: TAC Forums
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: mqueue and mqueue.in have more files than necessary ... should I
> worry?
>
> On 3/31/06, Jeff A. Earickson wrote:
>> First, figure out the maximum time that you hold email before returning
>> it as undeliverable. Mine is three days, eg "Timeout.queuereturn=3d"
>> in my sendmail settings. Then cd to the queue directory in question,
>> and do:
>>
>> find . -mtime +3 -print | xargs rm
>>
>> Voila, old files are gone. No need to stop sendmail or MailScanner.
>
> Hi Jeff
>
> This is great. Worked wonders... thanks a bunch for this...
>
> The default was 5d for my server.
>
> On a separate note, would you care to share why you configured it for
> 3 days instead of the default 5 days that was configured on my
> sendmail configuration?
>
> Regards
> --
> TAC Support Team
> --
> MailScanner mailing list
> [email protected]
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

Yesterday I put a small test file in CustomFunctions for debugging a problem with module SQLSpamSettings.pm and left it there after I finished. Later I found in the logs that MailScanner had tried (and failed, of course) to include it. Wouldn't it be better to just include files with the standard perl module suffix of .pm?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Just updated my spamassassin rule sets and got this message:

EvilNumber has changed on host.domain.net.
Version line: # Version: 02.00.01 # The evilnumber set has been renamed to match SARE's updated standards, the new name is 70_sare_evilnum0.cf. Please remove evilnumber local language files

Where do I find the evilnumber local language files?

dave

I'm pretty sure I've already done that.

Kai Schaetzl wrote:
> Yesterday I put a small test file in CustomFunctions for debugging a
> problem with module SQLSpamSettings.pm and left it there after I finished.
> Later I found in the logs that MailScanner had tried (and failed, of
> course) to include it. Wouldn't it be better to just include files with
> the standard perl module suffix of .pm?
>
> Kai

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


Julian Field wrote on Sat, 01 Apr 2006 23:44:04 +0100:

> I'm pretty sure I've already done that.

I'm running 4.51.6

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Hi all,

I was scanning my syslog and found the following:

mailscanner[1794]: called with 2 bind variables when 0 are needed

and this repeats. All seems to be working properly but I am wondering what this message really means and how to correct it.

Any ideas ??

Phil

It looks like a DBI (database abstraction layer) error.

Nate

Nathan Olson wrote on Sat, 1 Apr 2006 20:02:06 -0600:

> It looks like a DBI (database abstraction layer) error.

Yes. Do you use any CustomFunctions, f.i. for/from Mailwatch?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Dave Filchak wrote on Sat, 01 Apr 2006 16:23:36 -0500:

> Where do I find the evilnumber local language files?

/etc/mail/spamassassin

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

On Sat, 2006-04-01 at 23:44 +0100, Julian Field wrote:
> I'm pretty sure I've already done that.

You did as it was one of my feature requests -- as of 4.50, only files of extensions .pl or .pm are included.

Cheers,
Steve.

No - not using custom functions...

Phil

On Apr 2, 2006, at 6:02 AM, Kai Schaetzl wrote:

> Nathan Olson wrote on Sat, 1 Apr 2006 20:02:06 -0600:
>
>> It looks like a DBI (database abstraction layer) error.
>
> Yes. Do you use any CustomFunctions, f.i. for/from Mailwatch?
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>
> --
> MailScanner mailing list
> [email protected]
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

On Sat, 2006-04-01 at 09:43 +0500, Muhammad Nauman wrote:
> ERROR IN /var/log/maillog :
>
> Mailserver MailScanner-MRTG[3544]: Unable to find a mountpoint for
> /var/www/html/mailscanner-mrtg/incoming/. Please set MailScanner Work
> Directory in mailscanner-mrtg.conf to a valid mountpoint. You can see a
> list of mointpoints on your system by using the df command

This has been discussed many times on the MSMRTG forums on the sourceforge site. Given your partitioning you should set 'MailScanner Work Directory' in mailscanner-mrtg.conf to /var (and certainly not what you appear to have set it to which doesn't look like anything that would normally be used for MailScanner's work directory).

If this is a production machine you might want to reconsider your partitioning scheme, having logs, spool and work directory on the same partition will not give you the best performance (not to mention the risk to your mail flow if your logs fill up the disk).

Kevin


Steve Freegard wrote on Sun, 02 Apr 2006 13:05:58 +0100:

> You did as it was one of my feature requests -- as of 4.50, only files > of extensions .pl or .pm are included.

That's what I mean! Why .pl? Official Perl module extension is .pm. Why include .pl? If I want to troubleshoot a module the first thing is put a pl file in there and include the .pm ...

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

So, as the topic says, why does MS rename postfix queue IDs? What is the reason for this?

--
Apr 2 15:34:01 fbsd postfix/smtpd[18878]: 1EE3E2B2036: client=localhost[127.0.0.1]
Apr 2 15:34:01 fbsd postfix/cleanup[18879]: 1EE3E2B2036: hold: header Received:
...
Apr 2 15:34:04 fbsd MailScanner[17694]: Requeue: 1EE3E2B2036.F1395 to F39462B2043
--

Why add the .##### to the ID? Also, is it really necessary to change the ID when re queuing the message?

I do not see anything in /etc/mail/spamassassin that resembles a local language file??

Dave

Dave Filchak wrote on Sat, 01 Apr 2006 16:23:36 -0500:

> > Where do I find the evilnumber local language files?
>

/etc/mail/spamassassin

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

On 02/04/06, Mike Jakubik wrote:
> So, as the topic says, why does MS rename postfix queue IDs? What is
> the reason for this?
>
> --
> Apr 2 15:34:01 fbsd postfix/smtpd[18878]: 1EE3E2B2036:
> client=localhost[127.0.0.1]
> Apr 2 15:34:01 fbsd postfix/cleanup[18879]: 1EE3E2B2036: hold: header
> Received:
> ...
> Apr 2 15:34:04 fbsd MailScanner[17694]: Requeue: 1EE3E2B2036.F1395 to
> F39462B2043
> --
>
> Why add the .##### to the ID? Also, is it really necessary to change the
> ID when re queuing the message?

This is a bit of a FAQ it seems, for the postfix implementation... I noticed that with MW and PF, since PF _will reuse queue IDs_, that I got a rather disturbing amount of duplicates in my database.... (Could've been any database logging too, or even a script calculating things based on the queue ID. Any such system was bound to have a fair amount of errors, particularly if you employ a "less than simplistic partitioning scheme", since the amount of continuous i-node consumption will play a role too. I had var on its own partition, so got hit pretty bad) ... I badgered first Steve for a fix, then Jules... Who was gracious enough to oblige.

As mentioned, the whole problem is that the queue ID will be reused, since it is calculated from the i-node and the present microsecond... Sounds rather random, but simply isn't "random enough" (as Jules comment in the code goes:).... Even in some rather common "standard setups" you _will_ be bit by this.

Jules solution (to manage some extra randomness, tagged on behind a very "scriptable"/"ignorable" is purely brilliant. And no, it should stay, no matter what;-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

On 02/04/06, Glenn Steen wrote:
> On 02/04/06, Mike Jakubik wrote:
> > So, as the topic says, why does MS rename postfix queue IDs? What is
> > the reason for this?
> >
> > --
> > Apr 2 15:34:01 fbsd postfix/smtpd[18878]: 1EE3E2B2036:
> > client=localhost[127.0.0.1]
> > Apr 2 15:34:01 fbsd postfix/cleanup[18879]: 1EE3E2B2036: hold: header
> > Received:
> > ...
> > Apr 2 15:34:04 fbsd MailScanner[17694]: Requeue: 1EE3E2B2036.F1395 to
> > F39462B2043
> > --
> >
> > Why add the .##### to the ID? Also, is it really necessary to change the
> > ID when re queuing the message?
>
> This is a bit of a FAQ it seems, for the postfix implementation... I
> noticed that with MW and PF, since PF _will reuse queue IDs_, that I
> got a rather disturbing amount of duplicates in my database....
> (Could've been any database logging too, or even a script calculating
> things based on the queue ID. Any such system was bound to have a fair
> amount of errors, particularly if you employ a "less than simplistic
> partitioning scheme", since the amount of continuous i-node
> consumption will play a role too. I had var on its own partition, so
> got hit pretty bad) ... I badgered first Steve for a fix, then
> Jules... Who was gracious enough to oblige.
>
> As mentioned, the whole problem is that the queue ID will be reused,
> since it is calculated from the i-node and the present microsecond...
> Sounds rather random, but simply isn't "random enough" (as Jules
> comment in the code goes:).... Even in some rather common "standard
> setups" you _will_ be bit by this.
>
> Jules solution (to manage some extra randomness, tagged on behind a
> very "scriptable"/"ignorable" is purely
> brilliant. And no, it should stay, no matter what;-).
>

(Replying to myself.... Sigh:-)
About the requeueing bit, that is necessary, yes. "man postsuper" tells a lot about the "hoary" details of how PF really works:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

Glenn Steen wrote:
> On 02/04/06, Glenn Steen wrote:
>> On 02/04/06, Mike Jakubik wrote:
>>> So, as the topic says, why does MS rename postfix queue IDs? What is
>>> the reason for this?
>>>
>>> --
>>> Apr 2 15:34:01 fbsd postfix/smtpd[18878]: 1EE3E2B2036:
>>> client=localhost[127.0.0.1]
>>> Apr 2 15:34:01 fbsd postfix/cleanup[18879]: 1EE3E2B2036: hold: header
>>> Received:
>>> ...
>>> Apr 2 15:34:04 fbsd MailScanner[17694]: Requeue: 1EE3E2B2036.F1395 to
>>> F39462B2043
>>> --
>>>
>>> Why add the .##### to the ID? Also, is it really necessary to change the
>>> ID when re queuing the message?
>>
>> This is a bit of a FAQ it seems, for the postfix implementation... I
>> noticed that with MW and PF, since PF _will reuse queue IDs_, that I
>> got a rather disturbing amount of duplicates in my database....
>> (Could've been any database logging too, or even a script calculating
>> things based on the queue ID. Any such system was bound to have a fair
>> amount of errors, particularly if you employ a "less than simplistic
>> partitioning scheme", since the amount of continuous i-node
>> consumption will play a role too. I had var on its own partition, so
>> got hit pretty bad) ... I badgered first Steve for a fix, then
>> Jules... Who was gracious enough to oblige.
>>
>> As mentioned, the whole problem is that the queue ID will be reused,
>> since it is calculated from the i-node and the present microsecond...
>> Sounds rather random, but simply isn't "random enough" (as Jules
>> comment in the code goes:).... Even in some rather common "standard
>> setups" you _will_ be bit by this.
>>
>> Jules solution (to manage some extra randomness, tagged on behind a
>> very "scriptable"/"ignorable" is purely
>> brilliant. And no, it should stay, no matter what;-).
>>
> (Replying to myself.... Sigh:-)
> About the requeueing bit, that is necessary, yes. "man postsuper"
> tells a lot about the "hoary" details of how PF really works:-).
>

Thanks for the detailed explanation. In this case I agree with you, things should stay the same. Do you think it is safe to assume that a logged msg id in a db will not be duplicated, say over a span of 3 years? I think one should probably still refer to records by record id, not msg id, just to be safe...
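The duplicate-key problem discussed in this exchange can be reproduced from the log format alone. This is an added example, not MailScanner or MailWatch code: the log lines are constructed, modelled on the ones quoted in the thread, with an invented second message on Apr 9 that receives the same Postfix ID again; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed log lines modelled on those quoted in the thread. The Apr 9
# message and its IDs are invented to show Postfix handing out the ID
# 1EE3E2B2036 a second time.
SAMPLE_LOG = """\
Apr  2 15:34:01 fbsd postfix/smtpd[18878]: 1EE3E2B2036: client=localhost[127.0.0.1]
Apr  2 15:34:04 fbsd MailScanner[17694]: Requeue: 1EE3E2B2036.F1395 to F39462B2043
Apr  9 08:10:11 fbsd postfix/smtpd[20411]: 1EE3E2B2036: client=localhost[127.0.0.1]
Apr  9 08:10:13 fbsd MailScanner[17694]: Requeue: 1EE3E2B2036.A07C2 to 5B1D02B2051
"""

# "Requeue: <postfix id>.<MailScanner suffix> to <new postfix id>"
REQUEUE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) \S+ MailScanner\[\d+\]: "
    r"Requeue: (?P<base>[0-9A-F]+)\.(?P<suffix>\w+) to (?P<new>[0-9A-F]+)$"
)


def parse_requeues(log_text):
    """Return one dict per MailScanner Requeue line, in log order."""
    events = []
    for line in log_text.splitlines():
        match = REQUEUE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def index_messages(events, use_suffix):
    """Group requeue events under the key a logging database might use.

    use_suffix=False keys on the bare Postfix queue ID;
    use_suffix=True keys on the ID with MailScanner's suffix attached.
    """
    index = defaultdict(list)
    for ev in events:
        key = f"{ev['base']}.{ev['suffix']}" if use_suffix else ev["base"]
        index[key].append((ev["when"], ev["new"]))
    return dict(index)


def ambiguous_keys(index):
    """Keys that refer to more than one message."""
    return sorted(key for key, hits in index.items() if len(hits) > 1)


if __name__ == "__main__":
    events = parse_requeues(SAMPLE_LOG)
    print("bare ID collisions:    ", ambiguous_keys(index_messages(events, False)))
    print("suffixed ID collisions:", ambiguous_keys(index_messages(events, True)))
```

The sample only shows that the suffix separates these two messages; it does not bound how often a suffixed ID could repeat over years, so a database-generated record id remains the safer primary key.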

I found a file like this getting quarantined as "bad content". (Ahm, what actually happens then - the message is delivered without the attachment, or what happens?)

042-06-Logos.ly01.pdf

This is the rule that hit on it. I don't see the value of this rule.

# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

What is the point of disallowing whatever.whatever.pdf? Why is this trying to hide the real filename extension? Maybe that (whatever.bat.pdf) is doing this, but it's much less troublesome than (whatever.pdf.bat).

Can I rule this over with

allow \.pdf$

? If so, I suggest adding quite a few of these exclusions.

Moreover. How can I release that file? I released it and it was immediately caught again although 127.0.0.1 is whitelisted and Mailwatch lists a Status of "W/L Bad Content" now.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
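What the quoted deny rule matches, and what placing `allow \.pdf$` before or after it would change, can be checked offline. This is an added example, not MailScanner's code: it assumes rules are tried top to bottom, that the first matching rule decides, that matching ignores case and that an unmatched name is allowed. The function names and all sample file names except the first are constructed.

```python
import re

# The shipped rule quoted in the post and the proposed override, as
# (action, regex, log text) tuples.
DENY_DOUBLE_EXT = ("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
                   "Found possible filename hiding")
ALLOW_PDF = ("allow", r"\.pdf$", "-")

SHIPPED_ONLY = [DENY_DOUBLE_EXT]
OVERRIDE_FIRST = [ALLOW_PDF, DENY_DOUBLE_EXT]
OVERRIDE_LAST = [DENY_DOUBLE_EXT, ALLOW_PDF]

# The first name is the one from the post; the rest are constructed.
SAMPLES = [
    "042-06-Logos.ly01.pdf",
    "whatever.bat.pdf",
    "whatever.pdf.bat",
    "report.pdf",
    "notes.v2.txt",
    "Invoice.PDF  .exe",
]


def check_filename(filename, rules):
    """Return (action, log text) of the first rule whose regex matches.

    Assumptions: rules are tried in order, the first match decides,
    matching is case-insensitive, and an unmatched name is allowed.
    """
    for action, pattern, log_text in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action, log_text
    return "allow", "no rule matched"


def verdicts(rules, filenames=SAMPLES):
    """Map each file name to the action the rule list gives it."""
    return {name: check_filename(name, rules)[0] for name in filenames}


if __name__ == "__main__":
    for label, rules in (("shipped rule only", SHIPPED_ONLY),
                         ("allow .pdf first", OVERRIDE_FIRST),
                         ("allow .pdf last", OVERRIDE_LAST)):
        print(label)
        for name, action in verdicts(rules).items():
            print(f"  {action:5}  {name!r}")
```

Under those assumptions the override only takes effect when it precedes the deny rule, and it then also lets `whatever.bat.pdf` through while `whatever.pdf.bat` and the space-padded `.exe` name stay blocked.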

Hi All,

I'm hoping I'm not about to "break new ground" :) Has anyone got any reports on using MailScanner on Mac OSX (Intel)? I'm simplifying my network at home with a Mac Mini (Core Duo thing) replacing 3 old tired PC's.

So far I've figured out that OSX is using Perl 5.8.6 and Postfix of some flavour. Does anyone have any pre-installation validation tools or advice on what to expect? I know OSX is BSD under the hood, but the directory structure is seriously weird for someone coming from a "pure" Linux/BSD/Unix background.

BTW - where the hell does OSX keep it's cron jobs and services? I've got Apache+MySQL running on it but they both came with neato *.dmg packages....I'm a real OSX n00b I'm afraid :P Unlike most n00b's though I'm happy to work with Julian to get the bugs sorted and possibly create a OSX "port" complete with dmg package etc....now THAT interests me!

Thanks in advance.

James
--
I've got a bad feeling about this.

Dave Filchak wrote on Sun, 02 Apr 2006 17:35:47 -0400:

> I do not see anything in /etc/mail/spamassassin that resembles a local language file??

I see. Sorry, I can't be of more help, I abandoned evilnumbers long ago. Maybe there are different files for numbers by country and they refer to that? Ask on the satalk list.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Hi Julian / All,

This might have been asked before, sorry if a repost ;-)

Is it possible to set up an email address on a server that mailscanner picks up as a spam reporting address to which the users can forward emails that the users consider spam for SpamAssassin to learn from.

If not, might this not be a nifty feature 8)

Thx

Craig


On 2 Apr 2006, at 22:36, Glenn Steen wrote:
> Jules solution (to manage some extra randomness, tagged on behind a
> very "scriptable"/"ignorable" is purely
> brilliant. And no, it should stay, no matter what;-).

You're too kind :-)

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


On 2 Apr 2006, at 22:40, James Gray wrote:

> Hi All,
>
> I'm hoping I'm not about to "break new ground" :) Has anyone got any reports
> on using MailScanner on Mac OSX (Intel)? I'm simplifying my network at home
> with a Mac Mini (Core Duo thing) replacing 3 old tired PC's.

There are a few people (and I mean _very_ few) doing this, after a guy at Sophos got it working on 10.3.

It's one of the projects I want to get onto, and may be able to put in some time on it very soon.

There are those 2 packaging systems (Fink and the other one I can't remember) which would provide an easy, though cumbersome, solution.

Would that be good enough for now?

What I really want is a system that uses launchd properly and at least has a system preference for starting and stopping it. Slimserver nearly does this, but in a pre-Tiger form, not using launchd. I would much rather "do it properly" than hack something together.

If anyone can point me in the right direction, such as an example package that already does all this that I can plug into, that would be fantastic.

But even working out how to program for launchd would be a start. The OSX way of booting appears to be very complicated, involving reams of XML.

Sorry that doesn't really answer your question, but....

> So far I've figured out that OSX is using Perl 5.8.6 and Postfix of some
> flavour. Does anyone have any pre-installation validation tools or advice on
> what to expect? I know OSX is BSD under the hood, but the directory
> structure is seriously weird for someone coming from a "pure" Linux/BSD/Unix
> background.
>
> BTW - where the hell does OSX keep it's cron jobs and services? I've got
> Apache+MySQL running on it but they both came with neato *.dmg
> packages....I'm a real OSX n00b I'm afraid :P Unlike most n00b's though I'm
> happy to work with Julian to get the bugs sorted and possibly create a OSX
> "port" complete with dmg package etc....now THAT interests me!
>
> Thanks in advance.
>
> James
> --
> I've got a bad feeling about this.
> --
> MailScanner mailing list
> [email protected]
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-- This message has been scanned for viruses anddangerous content by MailScanner, and isbelieved to be clean.

On 3 Apr 2006, at 07:57, Craig Retief ((CSFS)) wrote:
> Is it possible to set up an email address on a server that mailscanner picks up as a spam reporting address to which the users can forward emails that the users consider spam for SpamAssassin to learn from.

Funnily enough, it's already there. Your users must "redirect" or "bounce" their message to the address, as "forward" results in all sorts of mangling happening to the message on the way.

All you need to do is collect that mail in a mailbox on your MailScanner server, run sa-learn on it, move it to the end of a "cumulative" file, and repeat every day.

You want to move it out of the way as otherwise you will be re-teaching SpamAssassin stuff it has already seen, which is a waste of time. But I would still keep it so you can re-teach it all if your Bayes db dies/corrupts.

Start by reading the docs for "sa-learn", it can slurp in an entire Unix mbox format mailbox at one go (with the "--mbox" switch).

Hope that helps get you started.

Here's the cron job I use to do it, which you might find useful.

#!/bin/sh

SPAM=/var/spool/mail/spam
NOTSPAM=/var/spool/mail/notspam
TOTAL=.cumulative

LOGFILE=/var/log/learn.spam.log
#PREFS=/etc/MailScanner/spam.assassin.prefs.conf
SALEARN=/usr/bin/sa-learn

date >> $LOGFILE
if [ -f $SPAM ]; then
  BOX=${SPAM}.processing
  mv $SPAM $BOX
  sleep 5 # Wait for writing current message to complete
  $SALEARN --spam --mbox $BOX >> $LOGFILE 2>&1
  cat $BOX >> ${SPAM}${TOTAL}
  echo >> ${SPAM}${TOTAL}
  rm -f $BOX
fi

if [ -f $NOTSPAM ]; then
  BOX=${NOTSPAM}.processing
  mv $NOTSPAM $BOX
  sleep 5 # Wait for writing current message to complete
  $SALEARN --ham --mbox $BOX >> $LOGFILE 2>&1
  cat $BOX >> ${NOTSPAM}${TOTAL}
  echo >> ${NOTSPAM}${TOTAL}
  rm -f $BOX
fi

-- Julian Fieldwww.MailScanner.infoBuy the MailScanner book at www.MailScanner.info/storePGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

On 02/04/06, Mike Jakubik wrote:
> Glenn Steen wrote:
> > On 02/04/06, Glenn Steen wrote:
> >
> >> On 02/04/06, Mike Jakubik wrote:
> >>
> >>> So, as the topic says, why does MS rename postfix queue IDs? Whats is
> >>> the reason for this?
> >>>
> >>> --
> >>> Apr 2 15:34:01 fbsd postfix/smtpd[18878]: 1EE3E2B2036:
> >>> client=localhost[127.0.0.1]
> >>> Apr 2 15:34:01 fbsd postfix/cleanup[18879]: 1EE3E2B2036: hold: header
> >>> Received:
> >>> ...
> >>> Apr 2 15:34:04 fbsd MailScanner[17694]: Requeue: 1EE3E2B2036.F1395 to
> >>> F39462B2043
> >>> --
> >>>
> >>> Why add the .##### to the ID? Also, is it really necessary to change the
> >>> ID when re queuing the message?
> >>>
> >> This is a bit of a FAQ it seems, for the postfix implementation... I
> >> noticed that with MW and PF, since PF _will reuse queue IDs_, that I
> >> got a rather disturbing amount of duplicates in my database....
> >> (Could've been any database logging too, or even a script calculating
> >> things based on the queue ID. Any such system was bound to have a fair
> >> amount of errors, particularly if you employ a "less than simplistic
> >> partitioning scheme", since the amount of continuous i-node
> >> consumption will play a role too. I had var on its own partition, so
> >> got hit pretty bad) ... I badgered first Steve for a fix, then
> >> Jules... Who was gracious enough to oblige.
> >>
> >> As mentioned, the whole problem is that the queue ID will be reused,
> >> since it is calculated from the i-node and the present microsecond...
> >> Sounds rather random, but simply isn't "random enough" (as Jules
> >> comment in the code goes:).... Even in some rather common "standard
> >> setups" you _will_ be bit by this.
> >>
> >> Jules solution (to manage some extra randomness, tagged on behind a
> >> very "scriptabe"/"ignorable" is purely
> >> briliant. And no, it should stay, no matter what;-).
> >>
> >>
> > (Replying to myself.... Sigh:-)
> > About the requeueing bit, that is necessary, yes. "man postsuper"
> > tells a lot about the "hoary" details of how PF really works:-).
> >
>
> Thats for the detailed explanation. In this case i agree with you,
> things should stay the same. Do you think it is safe to assume that a
> logged msg id in a db will not be duplicated, say over a span of 3
> years? I think one should probably still refer to records by record id,
> not msg id, just to be safe...
>

I haven't "done the math" for that long a time-period. Remember that the likelihood of "ID reuse" is dependent not only on the time period (3 years), but also on the frequency (meaning amount of messages handled)... And on how you've partitioned things.

In my case it would be safe for that time-period, yes, but fortunately I don't need to handle more than three months, so ... I'm "super-safe":-). Without the fix, I had several duplicates/day, seriously confusing things ... particularly in the quarantine view.... So for me this is an essential fix.

From the message POV, record id is meaningless. Sure, that makes the duplicates "non-duplicates" from a DB POV, but they don't really help with the messages (where you often don't have anything more than the message ID or queue ID to start with, if that), so ... yes and no:-):-).

---- Glennemail: glenn < dot > steen < at > gmail < dot > comwork: glenn < dot > steen < at > ap1 < dot > se
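The duplicate-ID problem described in this exchange, as an added example that is not part of the thread or of MailScanner: it indexes "Requeue:" log lines both by the bare Postfix queue ID and by the ID with MailScanner's suffix, and reports which bare IDs have become ambiguous. The Apr 2 lines follow the log excerpt quoted above; the Apr 9 lines and the function names are constructed for illustration.

```python
import re

# "Requeue: <postfix-id>.<suffix> to <outgoing-id>", as in the quoted log.
REQUEUE_RE = re.compile(
    r"MailScanner\[\d+\]: Requeue: "
    r"(?P<base>[0-9A-Za-z]+)\.(?P<suffix>[0-9A-Za-z]+) to (?P<out>[0-9A-Za-z]+)\s*$"
)

# Constructed sample: Postfix hands out 1EE3E2B2036 again a week later.
SAMPLE_LOG = """\
Apr 2 15:34:01 fbsd postfix/smtpd[18878]: 1EE3E2B2036: client=localhost[127.0.0.1]
Apr 2 15:34:04 fbsd MailScanner[17694]: Requeue: 1EE3E2B2036.F1395 to F39462B2043
Apr 9 03:12:38 fbsd postfix/smtpd[20411]: 1EE3E2B2036: client=localhost[127.0.0.1]
Apr 9 03:12:40 fbsd MailScanner[17694]: Requeue: 1EE3E2B2036.A0C21 to 7D2112B2051
"""


def index_requeues(log_text):
    """Return (by_base, by_full): outgoing IDs keyed by bare and suffixed ID."""
    by_base, by_full = {}, {}
    for line in log_text.splitlines():
        m = REQUEUE_RE.search(line)
        if not m:
            continue  # not a MailScanner requeue line
        full_id = "%s.%s" % (m.group("base"), m.group("suffix"))
        by_base.setdefault(m.group("base"), []).append(m.group("out"))
        by_full.setdefault(full_id, []).append(m.group("out"))
    return by_base, by_full


def ambiguous_ids(index):
    """IDs that point at more than one outgoing message."""
    return sorted(key for key, outs in index.items() if len(outs) > 1)


if __name__ == "__main__":
    base, full = index_requeues(SAMPLE_LOG)
    print("ambiguous when keyed on bare ID:    ", ambiguous_ids(base))
    print("ambiguous when keyed on suffixed ID:", ambiguous_ids(full))
```

A quarantine or reporting database keyed on the bare ID would merge the two messages; keyed on the suffixed ID they stay separate.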

On 03/04/06, Julian Field wrote:> On 2 Apr 2006, at 22:36, Glenn Steen wrote:> > Jules solution (to manage some extra randomness, tagged on behind a> > very "scriptabe"/"ignorable" is purely> > briliant. And no, it should stay, no matter what;-).>> You're too kind :-)>

On the contrary, one cannot be kind enough about this;-)

---- Glennemail: glenn < dot > steen < at > gmail < dot > comwork: glenn < dot > steen < at > ap1 < dot > se

On Mon, 2006-04-03 at 08:48 +0100, Julian Field wrote:
> On 2 Apr 2006, at 22:36, Glenn Steen wrote:
> > Jules solution (to manage some extra randomness, tagged on behind a
> > very "scriptabe"/"ignorable" is purely
> > briliant. And no, it should stay, no matter what;-).
>
> You're too kind :-)
>
----
I found it convenient to add...

*Remove = Requeue

to /etc/log.d/conf/services/mailscanner.conf

so I didn't get all of them logged though because they contributed to the nightmare in logwatch

Craig

Thx Julian, helps a lot. ;-)

Craig

On 3 Apr 2006, at 07:57, Craig Retief ((CSFS)) wrote:
Is it possible to set up an email address on a server that mailscanner picks up as a spam reporting address to which the users can forward emails that the users consider spam for SpamAssassin to learn from.

Funnily enough, it's already there. Your users must "redirect" or "bounce" their message to the address, as "forward" results in all sorts of mangling happening to the message on the way.

All you need to do is collect that mail in a mailbox on your MailScanner server, run sa-learn on it, move it to the end of a "cumulative" file, and repeat every day.

You want to move it out of the way as otherwise you will be re-teaching SpamAssassin stuff it has already seen, which is a waste of time. But I would still keep it so you can re-teach it all if your Bayes db dies/corrupts.

Start by reading the docs for "sa-learn", it can slurp in an entire Unix mbox format mailbox at one go (with the "--mbox" switch).

Hope that helps get you started.

Here's the cron job I use to do it, which you might find useful.

#!/bin/sh

SPAM=/var/spool/mail/spam
NOTSPAM=/var/spool/mail/notspam
TOTAL=.cumulative

LOGFILE=/var/log/learn.spam.log
#PREFS=/etc/MailScanner/spam.assassin.prefs.conf
SALEARN=/usr/bin/sa-learn

date >> $LOGFILE
if [ -f $SPAM ]; then
  BOX=${SPAM}.processing
  mv $SPAM $BOX
  sleep 5 # Wait for writing current message to complete
  $SALEARN --spam --mbox $BOX >> $LOGFILE 2>&1
  cat $BOX >> ${SPAM}${TOTAL}
  echo >> ${SPAM}${TOTAL}
  rm -f $BOX
fi

if [ -f $NOTSPAM ]; then
  BOX=${NOTSPAM}.processing
  mv $NOTSPAM $BOX
  sleep 5 # Wait for writing current message to complete
  $SALEARN --ham --mbox $BOX >> $LOGFILE 2>&1
  cat $BOX >> ${NOTSPAM}${TOTAL}
  echo >> ${NOTSPAM}${TOTAL}
  rm -f $BOX
fi

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

On Mon, April 3, 2006 00:31, Kai Schaetzl wrote:> Dave Filchak wrote on Sun, 02 Apr 2006 17:35:47 -0400:>>> I do not see anything in /etc/mail/spamassassin that resembles a local>> language file??

I think you will find it called evilnumbers.cf. The SARE naming scheme is more like xx_sare_rule.cf where xx is a pair of digits. I would suggest having a read about the new evilnumbers rules as there are now 4 types to pick from. http://www.rulesemporium.com

Drew

-- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.www.themarshalls.co.uk/policy

On Mon, 2006-03-20 at 10:41 +0100, [email protected] wrote:> > I wanted to know if there was a solution for the problem of "removed> carriage returns" in attached text files passing through a MailScanner> configured as a gateway with CentOS 4.2 ans Sendmail with ClamAV and> Sophos. > I have read in the mailinglist that it should be a perl bug but in> which module, and how to fix it ? > Do you have an idea where I could point my searches to ?

this problem is not fixed, the only workaround appears to be turn off "Sign Clean Messages". Unfortunately, it doesn't look like this problem will be fixed any time soon. As I understand it, it is a "hard" problem involving perl itself, rather than the MIME::Tools module but IANAP.

G

> > Best regards / Vriendelijke groeten / Cordialement,> > ---> Bernard Lheureux > Consultant / System Engineer - Networking Team > > IBS TECHNOLOGY AND SERVICES> Leuvense Steenweg, 643 > 1930 Zaventem - Belgium > Phone: +32-(0)2-723.91.11 Fax: +32-(0)2-723.92.99> http://www.ibsts.be> -- Greg Matthews 01491 692445Head of UNIX/Linux, iTSS Wallingford

-- This message (and any attachments) is for the recipient only. NERCis subject to the Freedom of Information Act 2000 and the contentsof this email and any reply you make may be disclosed by NERC unlessit is exempt from release under the Act. Any material supplied toNERC may be stored in an electronic records management system.

'scuse top post...

I've never implemented a vacation message because I've seen far too much of this sort of thing. Is there any docu on implementing sensible vac message that won't spam lists, won't respond more than once per sender etc plus any other gotchas?

G

On Sun, 2006-03-26 at 16:43 -0500, Matt Kettler wrote:> And one wonders why so many people despise lists which insert a "Reply-To"> header that points back to the list..> > Too many *CENSORED* out there that think "reply" is an appropriate behavior for> a vacation rule.> > Of course, if we're lucky someone will spamcop freecom.net's mailservers.> > (Spamcop DOES accept reports for broken vacation rules, which this clearly is,> and it was done by a systems admin who should know better. While I hate to see> companies listed because some *CENSORED* in marketing crafted up his own> vacation rule without following procedure, I don't have any sympathy for freecom> if they get listed for this.)> -- Greg Matthews 01491 692445Head of UNIX/Linux, iTSS Wallingford

I often get "orphaned" data files lying around, i.e. those df files without a corresponding qf envelope file. I use the following script to clean them up:

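#!/bin/bash
# clean up orphaned df* files in mqueue.in
# no known cause for these files yet.

/etc/init.d/MailScanner stop

sleep 2
dir="/var/spool/mqueue.in"

# Only look at df* data files older than a day, so the queue directory
# itself and other queue files are never candidates for the move.
file=`find $dir -type f -name 'df*' -mtime +1`
for i in ${file}
do
    m=`basename ${i}`
    j=${m:2}    # queue id: the file name without its "df" prefix
    if [ ! -e "${dir}/qf${j}" ]; then
        mv ${i} /var/tmp/
    fi
done
echo
df -hl

/etc/init.d/MailScanner start

exit 0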

-- Greg Matthews 01491 692445Head of UNIX/Linux, iTSS Wallingford

On Mon, 3 Apr 2006, Greg Matthews wrote:

> I've never implemented a vacation message because I've seen far too much > of this sort of thing. Is there any docu on implementing sensible vac > message that wont spam lists, wont respond more than once per sender etc > plus any other gotchas?

I wrote an extensive configuration for Exim. Here are some parts of it, which may provide clues. The trick is basically to severely limit the things to which an autoreply message will be sent.

## Vacation functionality attempts to follow best practice; in particular it
## heeds some parts of these:
## http://www.faqs.org/rfcs/rfc3834.html (Autoresponder rules)
## http://www.ietf.org/internet-drafts/draft-ietf-sieve-vacation-06.txt
## http://www.ietf.org/rfc/rfc2369.txt (List-* headers)
...
condition = "${if or { \
    { match {$h_precedence:} {(?i)junk|bulk|list} } \
    { eq {$sender_address} {} } \
    { def:header_X-Cron-Env: } \
    { def:header_Auto-Submitted: } \
    { def:header_List-Help: } \
    { def:header_List-Unsubscribe: } \
    { def:header_List-Subscribe: } \
    { def:header_List-Owner: } \
    { def:header_List-Archive: } \
    { def:header_Autorespond: } \
    { def:header_X-Autoresponse: } \
    { def:header_X-eBay-MailTracker: } \
    { def:header_X-MaxCode-Template: } \
    { match {$h_X-FC-MachineGenerated:} {true} } \
    { match {$message_body} {\\N^Your \"cron\" job on\\N} } \
    { match {$h_Subject:} {\\N^Out of Office\\N} } \
    { match {$h_Subject:} {\\N^Auto-Reply:\\N} } \
    { match {$h_Subject:} {\\N^Autoresponse:\\N} } \
    { match {$h_From:} {\\N(via the vacation program)\\N } } \
    { match_address {$header_X-Local-Original-Recipient:} \
        {$header_To: $header_CC: $header_Bcc: \
         $header_Resent-To: $header_Resent-Cc: $header_Resent-Bcc:} \
    } \
  } {no} {yes} \
}"

You may also include a test for mail that you scored as spam, and not reply to that.

You should also ensure any autoresponder system only replies once per sender address, at least within a fixed time period (7 days perhaps).

The autoresponse itself should contain an "Auto-Submitted:" header field with the value "auto-replied".

Finally, you shouldn't respond to a message from certain addresses; here is a partial list of regular expressions I use:

^.*-request@.*
^owner-.*@.*
^.*-owner@.*
^.*-admin@.*
^bounce-.*@.*
^.*-outgoing@.*
^.*-relay@.*
^.*-bounces@.*
^mailer@.*
^postmaster@.*
^mailer-daemon@.*
^mailer_daemon@.*
^majordomo@.*
^majordom@.*
^mailman@.*
^nobody@.*
^reminder@.*
^listserv@.*
^daemon@.*
^server@.*
^root@.*
^noreply@.*
^bounce@.*
^news@.*
^httpd@.*
^www@.*
^nagios@.*
^sales@.*
^info@.*
^listmaster@.*
^mailmaster@.*
^squid@.*
^support@.*
^exim@.*
[email protected]

with certain other local-only additions.

Jethro.

> > G> > On Sun, 2006-03-26 at 16:43 -0500, Matt Kettler wrote:> > And one wonders why so many people despise lists which insert a "Reply-To"> > header that points back to the list..> > > > Too many *CENSORED* out there that think "reply" is an appropriate > > behavior for a vacation rule.> > > > Of course, if we're lucky someone will spamcop freecom.net's mailservers.> > > > (Spamcop DOES accept reports for broken vacation rules, which this > > clearly is, and it was done by a systems admin who should know better. > > While I hate to see companies listed because some *CENSORED* in > > marketing crafted up his own vacation rule without following > > procedure, I don't have any sympathy for freecom if they get listed > > for this.)> > > -- > Greg Matthews 01491 692445> Head of UNIX/Linux, iTSS Wallingford

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Jethro R BinksComputing Officer, IT ServicesUniversity Of Strathclyde, Glasgow, UK
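The checks listed in the message above (machine and list headers, null sender, auto-reply subjects, role addresses, one reply per sender per period, and the "Auto-Submitted: auto-replied" marker), as an added Python example that is not part of the thread or of the Exim configuration it quotes. All function names, sample messages and addresses are constructed, the header and address lists are subsets of the ones in the post, and matching sender addresses case-insensitively is an assumption.

```python
import re
from email import message_from_string
from email.message import EmailMessage

REPLY_INTERVAL = 7 * 24 * 3600  # seconds; the "7 days perhaps" from the post

# Headers whose mere presence marks list or machine-generated mail.
MACHINE_HEADERS = (
    "Auto-Submitted", "X-Cron-Env", "List-Help", "List-Unsubscribe",
    "List-Subscribe", "List-Owner", "List-Archive", "Autorespond",
    "X-Autoresponse",
)
PRECEDENCE_RE = re.compile(r"junk|bulk|list", re.I)
SUBJECT_RE = re.compile(r"^(Out of Office|Auto-Reply:|Autoresponse:)")
# Subset of the role-address patterns from the post, folded into one regex.
ROLE_SENDER_RE = re.compile(
    r"^(.*-request|owner-.*|.*-owner|.*-admin|bounce-.*|.*-bounces|"
    r"mailer-daemon|postmaster|majordomo|mailman|listserv|nobody|noreply|root)@",
    re.I,
)


def refusal_reason(msg, envelope_sender, last_reply, now, is_spam=False):
    """Return why no auto-reply may be sent, or None if one may be sent."""
    if not envelope_sender:
        return "null envelope sender"
    if is_spam:
        return "scored as spam"
    if PRECEDENCE_RE.search(msg.get("Precedence", "")):
        return "Precedence junk/bulk/list"
    for name in MACHINE_HEADERS:
        if msg.get(name) is not None:
            return "has %s header" % name
    if SUBJECT_RE.search(msg.get("Subject", "")):
        return "subject looks like an auto-reply"
    if ROLE_SENDER_RE.match(envelope_sender):
        return "role or list address"
    previous = last_reply.get(envelope_sender.lower())
    if previous is not None and now - previous < REPLY_INTERVAL:
        return "already replied within interval"
    return None


def build_autoreply(msg, envelope_sender, own_address, text, last_reply, now):
    """Return the reply as an EmailMessage, or None when a check refuses it."""
    if refusal_reason(msg, envelope_sender, last_reply, now) is not None:
        return None
    reply = EmailMessage()
    reply["From"] = own_address
    reply["To"] = envelope_sender  # reply to the envelope sender only
    reply["Subject"] = "Auto: " + " ".join(msg.get("Subject", "").split())
    reply["Auto-Submitted"] = "auto-replied"  # lets other responders stop
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"].strip()
    reply.set_content(text)
    last_reply[envelope_sender.lower()] = now  # remember for rate limiting
    return reply


# Constructed samples: name -> (envelope sender, raw message).
SAMPLES = {
    "personal": ("alice@example.org",
                 "From: Alice <alice@example.org>\nTo: greg@example.net\n"
                 "Subject: Lunch?\nMessage-ID: <1@example.org>\n\nTuesday?\n"),
    "list": ("mailscanner-bounces@lists.example.org",
             "From: Bob <bob@example.com>\nTo: list@lists.example.org\n"
             "Precedence: list\nList-Unsubscribe: <mailto:x@lists.example.org>\n"
             "Subject: Re: vacation rules\n\nbody\n"),
    "bounce": ("", "From: MAILER-DAEMON@example.com\nSubject: Undelivered\n\nx\n"),
    "ooo": ("carol@example.org",
            "From: carol@example.org\nSubject: Out of Office\n\nback Monday\n"),
}


def run_samples():
    """Classify every constructed sample with an empty reply history."""
    return {name: refusal_reason(message_from_string(raw), sender, {}, 0)
            for name, (sender, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print("%-9s %s" % (name, reason or "reply allowed"))
```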

On Mon, 2006-04-03 at 09:08 +0100, Julian Field wrote:> Funnily enough, it's already there. Your users must "redirect" or> "bounce" their message to the address, as "forward" results in all> sorts of mangling happen to the message on the way.

good luck getting your users to "do the right thing"

G

-- Greg Matthews 01491 692445Head of UNIX/Linux, iTSS Wallingford

-----Original Message-----From: [email protected][mailto:[email protected]] On Behalf Of GregMatthewsSent: 03 April 2006 02:17 PMTo: MailScanner discussionSubject: Re: Spam Reporting Address

On Mon, 2006-04-03 at 09:08 +0100, Julian Field wrote:> Funnily enough, it's already there. Your users must "redirect" or> "bounce" their message to the address, as "forward" results in all> sorts of mangling happen to the message on the way.

>good luck getting your users to "do the right thing"

I wish one had enough time to be able to train all the users to "do the right thing", unfortunately it's one of the byproducts of having users ;-)

C

>G

>-- >Greg Matthews 01491 692445>Head of UNIX/Linux, iTSS Wallingford

>-- >This message (and any attachments) is for the recipient only. NERC>s subject to the Freedom of Information Act 2000 and the contents>of this email and any reply you make may be disclosed by NERC unless>it is exempt from release under the Act. Any material supplied to>NERC may be stored in an electronic records management system.

Hi Jethro...

thanks for the reply, I was really looking for a client-side solution. I run our corporate "mail relay" system which feeds into the corporate mail system over which I have no control. The relay servers are not the place to implement vacation messages so client-side is my only option.

However, your regex list looks quite useful. My local mailbox is served by sendmail on solaris and I connect with an IMAP client. I have shell (and root) access to the sendmail server.

G

On Mon, 2006-04-03 at 13:16 +0100, Jethro R Binks wrote:> On Mon, 3 Apr 2006, Greg Matthews wrote:> > > I've never implemented a vacation message because I've seen far too much > > of this sort of thing. Is there any docu on implementing sensible vac > > message that wont spam lists, wont respond more than once per sender etc > > plus any other gotchas?> > I wrote an extensive configuration for Exim. Here are some parts of it, > which may provide clues. The trick is basically to severely limit the > things to which an autoreply message will be sent.> > ## Vacation functionality attempts to follow best practice; in particular it> ## heeds some parts of these:> ## http://www.faqs.org/rfcs/rfc3834.html (Autoresponder rules)> ## http://www.ietf.org/internet-drafts/draft-ietf-sieve-vacation-06.txt> ## http://www.ietf.org/rfc/rfc2369.txt (List-* headers)> ...> condition = "${if or { \> { match {$h_precedence:} {(?i)junk|bulk|list} } \> { eq {$sender_address} {} } \> { def:header_X-Cron-Env: } \> { def:header_Auto-Submitted: } \> { def:header_List-Help: } \> { def:header_List-Unsubscribe: } \> { def:header_List-Subscribe: } \> { def:header_List-Owner: } \> { def:header_List-Archive: } \> { def:header_Autorespond: } \> { def:header_X-Autoresponse: } \> { def:header_X-eBay-MailTracker: } \> { def:header_X-MaxCode-Template: } \> { match {$h_X-FC-MachineGenerated:} {true} } \> { match {$message_body} {\\N^Your \"cron\" job on\\N} } \> { match {$h_Subject:} {\\N^Out of Office\\N} } \> { match {$h_Subject:} {\\N^Auto-Reply:\\N} } \> { match {$h_Subject:} {\\N^Autoresponse:\\N} } \> { match {$h_From:} {\\N(via the vacation program)\\N } } \> { match_address {$header_X-Local-Original-Recipient:} \> {$header_To: $header_CC: $header_Bcc: \> $header_Resent-To: $header_Resent-Cc: $header_Resent-Bcc:} \> } \> } {no} {yes} \> }"> > You may also include a test for mail that you scored as spam, and not > reply to that.> > You should also ensure any autoresponder system only replies once 
per > sender address, at least within a fixed time period (7 days perhaps).> > The autoresponse itself should contain an "Auto-Submitted:" header field > with the value "auto-replied".> > Finally, you shouldn't respond to a message from certain addresses; here > is a partial list of regular expressions I use:> > ^.*-request@.*> ^owner-.*@.*> ^.*-owner@.*> ^.*-admin@.*> ^bounce-.*@.*> ^.*-outgoing@.*> ^.*-relay@.*> ^.*-bounces@.*> ^mailer@.*> ^postmaster@.*> ^mailer-daemon@.*> ^mailer_daemon@.*> ^majordomo@.*> ^majordom@.*> ^mailman@.*> ^nobody@.*> ^reminder@.*> ^listserv@.*> ^daemon@.*> ^server@.*> ^root@.*> ^noreply@.*> ^bounce@.*> ^news@.*> ^httpd@.*> ^www@.*> ^nagios@.*> ^sales@.*> ^info@.*> ^listmaster@.*> ^mailmaster@.*> ^squid@.*> ^support@.*> ^exim@.*> [email protected]> > with certain other local-only additions.> > Jethro.> > > > > > G> > > > On Sun, 2006-03-26 at 16:43 -0500, Matt Kettler wrote:> > > And one wonders why so many people despise lists which insert a "Reply-To"> > > header that points back to the list..> > > > > > Too many *CENSORED* out there that think "reply" is an appropriate > > > behavior for a vacation rule.> > > > > > Of course, if we're lucky someone will spamcop freecom.net's mailservers.> > > > > > (Spamcop DOES accept reports for broken vacation rules, which this > > > clearly is, and it was done by a systems admin who should know better. > > > While I hate to see companies listed because some *CENSORED* in > > > marketing crafted up his own vacation rule without following > > > procedure, I don't have any sympathy for freecom if they get listed > > > for this.)> > > > > -- > > Greg Matthews 01491 692445> > Head of UNIX/Linux, iTSS Wallingford> > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.> Jethro R Binks> Computing Officer, IT Services> University Of Strathclyde, Glasgow, UK> -- > MailScanner mailing list> [email protected]> http://lists.mailscanner.info/mailman/listinfo/mailscanner> > Before posting, read http://wiki.mailscanner.info/posting> > Support MailScanner development - buy the book off the website! -- Greg Matthews 01491 692445Head of UNIX/Linux, iTSS Wallingford

Recently some users have discovered a new trick to send blocked and potentially harmful files through the MailScanner gateway. They create an email message with a Microsoft Word or Excel document attachment, which contains an embedded OLE object or package. The embedded object can be ANY other file, including executables etc. When scanned by MailScanner, the executable and other embedded objects are not detected and the message is passed through to the user's mailbox! Obviously this is not what we would like to happen.

I have found a little program 'ripOLE' on http://freshmeat.net/projects/ripole/, which will extract all embedded objects from a Word document. Would it be easy to integrate 'ripOLE' or an equivalent program into MailScanner to be called for attachments? If the embedded objects are extracted into the normal temp directory, then MailScanner will subject them to the same file-name/type restrictions as normal attachments. Probably 'ripOLE' only needs to be called when the /usr/bin/file command has determined the attachment to be some kind of 'Microsoft Office Data' file.

Adri.

If I quarantine messages above a certain size using:

Maximum Message Size = 15000000

and then send a message larger than this, the recipient is sent the report defined by:

Stored Virus Message Report = %report-dir%/stored.virus.message.txt

I've rejigged our stored.virus.message.txt file to be more generic (less virus orientated) but shouldn't this have its own report?

also, a small cleanup required for sender.error.report.txt:

The mail scanner said this about the message: Report: $report

should be:

The mail scanner said this about the message: $report

optionally, you might also want to change "virus scanner" to "mailscanner" or similar in these reports.

-- Greg Matthews 01491 692445Head of UNIX/Linux, iTSS Wallingford

Kai Schaetzl wrote:
> I found a file like this getting quarantined as "bad content". (Ahm, what
> actually happens then - the message is delivered without the attachment,
> or what happens?)
>
> 042-06-Logos.ly01.pdf
>
> This is the rule that hit on it. I don't see the value of this rule.
>
> # Deny all other double file extensions. This catches any hidden filenames.
> deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
>
> What is the point of disallowing whatever.whatever.pdf? Why is this trying
> to hide the real filename extension? Maybe that (whatever.bat.pdf) is
> doing this, but it's much less troublesome than (whatever.pdf.bat).
>
> Can I rule this over with
>
> allow \.pdf$
>
> ?
> If so, I suggest adding quite a few of these exclusions.
>
> Moreover. How can I release that file? I released it and it was
> immediately caught again although 127.0.0.1 is whitelisted and Mailwatch
> lists a Status of "W/L Bad Content" now.
>
> Kai

You can, if you put it before the double extension rule. Depending on the clients' wishes, I either disable it altogether (the double extension rule) or I add allow rules at the top for trusted filetypes (my preferred choice). I think you can override it with another setting introduced a couple of versions ago.
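The effect of rule order described in the reply above, as an added example that is not part of the thread and not MailScanner's own code: a small evaluator for filename rules in which the first matching rule decides. It assumes tab-separated fields (action, regex, log text, user report), case-insensitive matching, and "allow" when nothing matches; the "-" fields on the allow rule and the function names are constructed.

```python
import re

# The double-extension rule quoted in the post, rebuilt with tab separators.
DOUBLE_EXT_RULE = "\t".join([
    "deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
    "Found possible filename hiding",
    "Attempt to hide real filename extension",
])
# The override asked about in the post; "-" log/report fields are constructed.
ALLOW_PDF_RULE = "\t".join(["allow", r"\.pdf$", "-", "-"])

DEFAULT_RULES = "# Deny all other double file extensions.\n" + DOUBLE_EXT_RULE + "\n"
ALLOW_FIRST = ALLOW_PDF_RULE + "\n" + DEFAULT_RULES
ALLOW_LAST = DEFAULT_RULES + ALLOW_PDF_RULE + "\n"


def parse_rules(text):
    """Parse rule lines into (action, compiled_regex, log_text) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = re.split(r"\t+", line)
        if len(fields) < 2 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError("bad rule line: %r" % line)
        log_text = fields[2] if len(fields) > 2 else ""
        rules.append((fields[0].lower(), re.compile(fields[1], re.I), log_text))
    return rules


def evaluate(rules, filename):
    """Return (action, log_text) of the first rule matching the file name."""
    for action, regex, log_text in rules:
        if regex.search(filename):
            return action, log_text
    return "allow", "no rule matched"  # assumed default when nothing matches


def verdicts(rules_text, filenames):
    """Map each file name to the action the rule set gives it."""
    rules = parse_rules(rules_text)
    return {name: evaluate(rules, name)[0] for name in filenames}


if __name__ == "__main__":
    names = ["042-06-Logos.ly01.pdf", "whatever.bat.pdf",
             "whatever.pdf.bat", "report.pdf"]
    for label, text in (("default", DEFAULT_RULES),
                        ("allow first", ALLOW_FIRST),
                        ("allow last", ALLOW_LAST)):
        print(label, verdicts(text, names))
```

With the allow rule first, anything ending in .pdf passes, including whatever.bat.pdf, while whatever.pdf.bat is still denied; with the allow rule after the deny rule nothing changes.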

I once tried getting it to work on OS X Server, but gave up ;) - I think it can be done, except I'm not very postfix-savvy.

You *could*, however, run it using any Linux-for-Mac distro; I haven't heard of any for the Intel Macs yet (if anybody knows, I'd appreciate the heads-up), but if one's not available right now I suspect they should be here RSN.

Julian Field wrote:>> On 2 Apr 2006, at 22:40, James Gray wrote:>>> Hi All,>>>> I'm hoping I'm not about to "break new ground" :) Has anyone got any >> reports>> on using MailScanner on Mac OSX (Intel)? I'm simplifying my network >> at home>> with a Mac Mini (Core Duo thing) replacing 3 old tired PC's.>> There are a few people (and I mean _very_ few) doing this, after a guy > at Sophos got it working on 10.3.>> It's one of the projects I want to get onto, and may be able to put in > some time on it very soon.>> There are those 2 packaging systems (Fink and the other one I can't > remember) which would provide an easy, though cumbersome, solution.>> Would that be good enough for now?>> What I really want is a system that uses launchd properly and at least > has a system preference for starting and stopping it. Slimserver > nearly does this, but in a pre-Tiger form, not using launchd. I would > much rather "do it properly" than hack something together.>> If anyone can point me in the right direction, such as an example > package that already does all this that I can plug into, that would be > fantastic.>> But even working out how to program for launchd would be a start. The > OSX way of booting appears to be very complicated, involving reams of > XML.>> Sorry that doesn't really answer your question, but....>>>>> So far I've figured out that OSX is using Perl 5.8.6 and Postfix of some>> flavour. Does anyone have any pre-installation validation tools or >> advice on>> what to expect? I know OSX is BSD under the hood, but the directory>> structure is seriously weird for someone coming from a "pure" >> Linux/BSD/Unix>> background.>>>> BTW - where the hell does OSX keep it's cron jobs and services? 
I've >> got>> Apache+MySQL running on it but they both came with neato *.dmg>> packages....I'm a real OSX n00b I'm afraid :P Unlike most n00b's >> though I'm>> happy to work with Julian to get the bugs sorted and possibly create >> a OSX>> "port" complete with dmg package etc....now THAT interests me!>>>> Thanks in advance.>>>> James>> --I've got a bad feeling about this.>> --MailScanner mailing list>> [email protected]>> http://lists.mailscanner.info/mailman/listinfo/mailscanner>>>> Before posting, read http://wiki.mailscanner.info/posting>>>> Support MailScanner development - buy the book off the website!>> --Julian Field> www.MailScanner.info> Buy the MailScanner book at www.MailScanner.info/store> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654>>> --This message has been scanned for viruses and> dangerous content by MailScanner, and is> believed to be clean.>> --MailScanner mailing list> [email protected]> http://lists.mailscanner.info/mailman/listinfo/mailscanner>> Before posting, read http://wiki.mailscanner.info/posting>> Support MailScanner development - buy the book off the website!

/etc/crontab
/var/cron/tabs

On 4/2/06, James Gray wrote:>> Hi All,>> I'm hoping I'm not about to "break new ground" :) Has anyone got any> reports> on using MailScanner on Mac OSX (Intel)? I'm simplifying my network at> home> with a Mac Mini (Core Duo thing) replacing 3 old tired PC's.>> So far I've figured out that OSX is using Perl 5.8.6 and Postfix of some> flavour. Does anyone have any pre-installation validation tools or advice> on> what to expect? I know OSX is BSD under the hood, but the directory> structure is seriously weird for someone coming from a "pure"> Linux/BSD/Unix> background.>> BTW - where the hell does OSX keep it's cron jobs and services? I've got> Apache+MySQL running on it but they both came with neato *.dmg> packages....I'm a real OSX n00b I'm afraid :P Unlike most n00b's though> I'm> happy to work with Julian to get the bugs sorted and possibly create a OSX> "port" complete with dmg package etc....now THAT interests me!>> Thanks in advance.>> James> --> I've got a bad feeling about this.>>> --> MailScanner mailing list> [email protected]> http://lists.mailscanner.info/mailman/listinfo/mailscanner>> Before posting, read http://wiki.mailscanner.info/posting>> Support MailScanner development - buy the book off the website!>>>>-------------- next part --------------An HTML attachment was scrubbed...URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060403/d28c5c1e/attachment.html

I agree the startup method of OSX is strange.

I have not used it but /etc/rc refers to standard unix startup file.

/etc/rc.local

Darwin 8.5.0
Mac OSX 10.4.5

On 4/3/06, Julian Field wrote:
>
> On 2 Apr 2006, at 22:40, James Gray wrote:
>
> > Hi All,
> >
> > I'm hoping I'm not about to "break new ground" :) Has anyone got any reports
> > on using MailScanner on Mac OSX (Intel)? I'm simplifying my network at home
> > with a Mac Mini (Core Duo thing) replacing 3 old tired PC's.
>
> There are a few people (and I mean _very_ few) doing this, after a
> guy at Sophos got it working on 10.3.
>
> It's one of the projects I want to get onto, and may be able to put
> in some time on it very soon.
>
> There are those 2 packaging systems (Fink and the other one I can't
> remember) which would provide an easy, though cumbersome, solution.
>
> Would that be good enough for now?
>
> What I really want is a system that uses launchd properly and at
> least has a system preference for starting and stopping it.
> Slimserver nearly does this, but in a pre-Tiger form, not using
> launchd. I would much rather "do it properly" than hack something
> together.
>
> If anyone can point me in the right direction, such as an example
> package that already does all this that I can plug into, that would
> be fantastic.
>
> But even working out how to program for launchd would be a start. The
> OSX way of booting appears to be very complicated, involving reams of
> XML.
>
> Sorry that doesn't really answer your question, but....
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Sorry, no more speculation then.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Alex Neuman van der Hans wrote on Mon, 03 Apr 2006 09:37:39 -0500:

> You can, if you put it before the double extension rule. Depending on
> the clients' wishes, I either disable it altogether (the double
> extension rule) or I add allow rules at the top for trusted filetypes
> (my preferred choice). I think you can override it with another setting
> introduced a couple of versions ago.

Thanks for the answer. Some months ago Julian introduced simpler

Allow Filenames = \.txt$ \.pdf$

stuff which can either be used directly in MailScanner or with a ruleset. That's what I did now for txt and pdf. I added them like "\.txt$ \.pdf$" to the file and may add more. Can I also put them line after line in that file?

Additionally I also commented out this double extension rule.

However, how am I supposed to release this stuff if necessary? If I release it it's immediately caught again by MS. The whitelist works only for spam.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Or you could run it with sendmail. Sendmail builds just fine on OS X. (I'm using mimedefang at home, where I'm using OSX as my mail server, though, so I don't have the mailscanner part of the puzzle available to help ... but I wouldn't expect it to be _any_ different than installing it on FreeBSD, except the startup scripting)

On Apr 3, 2006, at 7:40 AM, Alex Neuman van der Hans wrote:

> I once tried getting it to work on OS X Server, but gave up ;) - I
> think it can be done, except I'm not very postfix-savvy.
>
> You *could*, however, run it using any Linux-for-Mac distro; I haven't
> heard of any for the Intel Macs yet (if anybody knows, I'd appreciate
> the heads-up), but if one's not available right now I suspect they
> should be here RSN.

We had an odd issue today - one of my colleagues sent a plain text message which was flagged as having a disallowed file type ...

The original e-mail attachment "the entire message"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

After a fair amount of log trawling (which didn't help much) and experimentation we eventually worked out that it was provoked by the 5th to 8th characters of the body of the message being 'free'. This gets picked up by the Linux file command as Apple QuickTime movie file because of the following entry in /usr/share/file/magic (this is RH AS4) ...

4 string free Apple QuickTime movie file (free)

It would have helped if somewhere (either in the logs or in the message sent to the sender) we could show what type of file we thought it was rather than just saying that it's something that's not on our allowed list (if this should be happening already we'll check our configs).

I'm not sure what we plan to do to fix this here. Obvious kludges that occur to me are taking the entry out of the magic file (and recompiling the version magic uses), doing the same thing but having a separate version of the magic file for use by MailScanner or being less restrictive in the set of file types we let through.

Paul
--
Paul Haldane
Unix Systems Team
Information Systems and Services
University of Newcastle upon Tyne
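The false positive described in the message above, as an added example that is not part of the original post: the quoted magic rule is a bare byte comparison at offset 4, so any text whose characters 5 to 8 are "free" matches it. The `plausible_atom` corroboration and the log string are assumptions of this sketch, not something file(1) or MailScanner does; they rely only on the QuickTime atom layout (a 4-byte big-endian size followed by the 4-byte type).

```python
import struct

# The magic rule quoted in the post: offset 4, type "string", value "free".
RULE_OFFSET = 4
RULE_VALUE = b"free"
RULE_DESC = "Apple QuickTime movie file (free)"


def magic_rule_matches(data: bytes) -> bool:
    """Apply the rule as written: compare bytes at the offset, nothing else."""
    return data[RULE_OFFSET:RULE_OFFSET + len(RULE_VALUE)] == RULE_VALUE


def plausible_atom(data: bytes) -> bool:
    """Assumed extra check: does the size field in front of the type make
    sense for an atom that starts at offset 0?"""
    if len(data) < 8:
        return False
    (size,) = struct.unpack(">I", data[:4])
    if size == 0:            # atom runs to the end of the file
        return True
    if size == 1:            # 64-bit extended size follows the type
        return len(data) >= 16
    return 8 <= size <= len(data)


def classify(data: bytes) -> dict:
    """Return a verdict that names the detected type so it can be logged."""
    matched = magic_rule_matches(data)
    confirmed = matched and plausible_atom(data)
    if matched:
        state = "ok" if confirmed else "implausible"
        log = f"filetype rule hit: {RULE_DESC!r} (structure {state})"
    else:
        log = "no filetype rule hit"
    return {"magic_type": RULE_DESC if matched else None,
            "confirmed": confirmed, "log": log}


# Constructed samples: a plain-text body whose characters 5-8 are "free",
# and a minimal well-formed 8-byte "free" atom.
TEXT_BODY = b"Get free tickets for Friday's seminar.\n"
REAL_ATOM = struct.pack(">I", 8) + b"free"

if __name__ == "__main__":
    for name, sample in (("text", TEXT_BODY), ("atom", REAL_ATOM)):
        print(name, "->", classify(sample)["log"])
```

In the text sample the four bytes "Get " decode to a size far larger than the message, which is what separates it from a real atom.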

I'm seeing a lot of I/O errors from sendmail on messages that have passed through the MailScanner/SpamAssassin combo here. Is this a known issue or am I experiencing something unusual here? My MailScanner version is 4.51.6 and SpamAssassin version is 2.63.

Mar 31 00:47:52 guardian sm-mta[14185]: k2V8lW3W014185: Authentication-Warning: guardian.hartwellcorp.com: mail set sender to using -f
Mar 31 00:47:52 guardian sm-mta[14185]: k2V8lW3W014185: from=, size=35586, class=0, nrcpts=3, msgid=, relay=mail@localhost
Mar 31 00:47:52 guardian sm-mta[14185]: k2V8lW3W014185: to=, delay=00:00:20, mailer=esmtp, pri=94833, stat=queued
Mar 31 00:47:52 guardian sm-mta[14185]: k2V8lW3W014185: to=, delay=00:00:20, mailer=esmtp, pri=94833, stat=queued
Mar 31 00:47:52 guardian sm-mta[14185]: k2V8lW3W014185: to=, delay=00:00:20, mailer=esmtp, pri=94833, stat=queued
Mar 31 00:59:18 guardian sendmail[14195]: k2V8lW3W014185: to=,,, delay=00:11:46, xdelay=00:11:01, mailer=esmtp, pri=184833, relay=hart-exchange.hartwellcorp.com. [10.11.10.12], dsn=4.0.0, stat=I/O error

--
Michael St. Laurent
Hartwell Corporation

"That which does not kill me, makes me stranger." -Llewellyn, Ozy and Millie

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of Adri Koppes
> Sent: Monday, April 03, 2006 9:12 AM
> To: [email protected]
> Subject: Microsoft Word and Excel documents with embedded harmfull objects
>
> Recently some users have discovered a new trick to send blocked and
> potentially harmful files through the MailScanner gateway.
> They create an email message with a Microsoft Word or Excel document
> attachment, which contains an embedded OLE object or package.
> The embedded object can be ANY other file, including executables etc.
> When scanned by MailScanner, the executable and other embedded objects
> are not detected and the message is passed through to the user's mailbox!
> Obviously this is not what we would like to happen.
> I have found a little program 'ripOLE' on
> http://freshmeat.net/projects/ripole/, which will extract all embedded
> objects from a Word Document.
> Would it be easy to integrate 'ripOLE' or an equivalent program into
> MailScanner to be called for attachments? If the embedded objects are
> extracted into the normal temp directory, then MailScanner will subject
> them to the same file-name/type restrictions as normal attachments.
> Probably 'ripOLE' only needs to be called when the /usr/bin/file command
> has determined the attachment to be some kind of 'Microsoft Office Data'
> file.

I looked at this program and it could be called from SafePipe on each attachment after exploding them, as it's quite fast and will return error code 102 when a file is not in OLE format and also returns the string "File 'filename' is not OLE2 format". If called on an OLE file without OLE attachments it returns error code 30 and the string "ripOLE: decoding of filename resulted in error 30".

The bad thing I see is there is no way to control the output name of the object. ripole does basic sanitization (removes non-alphanumeric and low/high order chars) but that is about that. There wouldn't be any way to tell the program a new name to output to as there may be many files embedded in a single input file.

I suppose you could have it output to a safe subdir under the working dir and handle anything found there as non alphanumeric (such as "/" but not ".") is removed in the sanitize function and couldn't escape the MS supplied path name (like /path/../../filename). It would add another layer to the explode as you would have to explode, ripole, make safe names of files found in the ripole attachment dir, move them to the current working dir, explode anything new, etc before scanning. I do believe clamAV catches infected OLE streams but this could be a good way to send bad things.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
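One way to do the "safe subdir, make safe names, move to the working dir" step from the message above, as an added example that is not MailScanner's or ripOLE's own code. The function names, the `ole-out` directory and the treatment of exit code 0 as success are assumptions; 102 and 30 are the codes reported in the post, and the extractor itself is replaced by constructed files.

```python
import os
import re
import shutil
import tempfile

# Exit codes as reported in the post above (observed, not a documented API).
NOT_OLE2 = 102        # "File 'filename' is not OLE2 format"
NO_OBJECTS = 30       # OLE2 file without embedded objects


def next_step(exit_code: int) -> str:
    """Decide what the unpack loop does after the extractor returns.
    Treating 0 as success is an assumption of this example."""
    if exit_code in (NOT_OLE2, NO_OBJECTS):
        return "skip"
    return "collect" if exit_code == 0 else "quarantine"


def safe_name(raw: str, index: int) -> str:
    """Keep [A-Za-z0-9._-] of the basename, drop leading dots, and prefix a
    counter so objects cannot collide. The extension survives, so the usual
    filename rules still see .exe, .bat and so on."""
    base = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(raw)).lstrip(".")
    return f"ole{index:03d}_{base or 'unnamed'}"


def collect(extract_dir: str, work_dir: str) -> list:
    """Move regular files from the extractor's private subdirectory into the
    working directory under safe names; symlinks and directories stay put."""
    work_real = os.path.realpath(work_dir)
    moved = []
    for i, entry in enumerate(sorted(os.listdir(extract_dir))):
        src = os.path.join(extract_dir, entry)
        if os.path.islink(src) or not os.path.isfile(src):
            continue
        dst = os.path.realpath(os.path.join(work_real, safe_name(entry, i)))
        if os.path.dirname(dst) != work_real:      # defence in depth
            raise ValueError(f"refusing to leave work dir: {entry!r}")
        shutil.move(src, dst)
        moved.append(os.path.basename(dst))
    return moved


def demo() -> list:
    """Constructed run: stand-in extractor output with awkward names."""
    with tempfile.TemporaryDirectory() as work:
        sub = os.path.join(work, "ole-out")
        os.mkdir(sub)
        for name in ("setup.exe", "..hidden.bat", "report 2006.doc"):
            with open(os.path.join(sub, name), "wb") as fh:
                fh.write(b"constructed sample\n")
        os.symlink("/etc/passwd", os.path.join(sub, "link"))
        return collect(sub, work)
```

The files returned by `collect` are the ones that would then go through the explode and filename/filetype checks again, as the message describes.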

I've never built sendmail from source, but it *shouldn't* be too hard. I think I'll give it a whack one of these days and maybe post my experiences to the Wiki.

John Rudd wrote:
> Or you could run it with sendmail. Sendmail builds just fine on OS
> X. (I'm using mimedefang at home, where I'm using OSX as my mail
> server, though, so I don't have the mailscanner part of the puzzle
> available to help ... but I wouldn't expect it to be _any_ different
> than installing it on FreeBSD, except the startup scripting)