Royce Williams | 1 May 01:21 2004

Local DNSBL lookups with rbldnsd (was: surbl)

On 4/13/2004 6:15 PM, Stephen Smoogen wrote:

 > Personally I think any RBL is a DoS waiting to happen. All it takes is
 > them being down/broken/etc and poof your servers are down for a bit with
 > the usual management questions of why did you allow it to happen.
 > The only way I would use an RBL in a large production enviroment is if
 > they had a DB push mechanism where I could sign up for a daily DB4 and
 > source file from either a central site or some osrt of P2P cloud.
 > But I am a grumpy young sysadmin.

One of the better ones (SBL+XBL) lets you set this up for free, if
you're "big enough" (250K+ queries/day).

SBL+XBL page:
Rsync zone access:

I had the same DoS worry; using a combination of
with rbldnsd and rsync, we've got a copy of the zone locally on each
mail server, coexisting nicely with the caching BIND already there.
It required a little setup up front, but we've been pleased with the
results.  We've also reduced DNS traffic by a substantial amount --
I refused 1.3M connections yesterday using SBL+XBL.  Because it's
effectively local, it's the first DNSBL check we perform now.

The Spamhaus folks were very helpful and they had a hole poked for
our rsync within a couple of hours of my follow-up email about our
setup.  They even have the rsyncs distributed across particular
(Continue reading)

Les Mikesell | 1 May 04:25 2004

Re: backup quarantine directory, large number of files.

On Thu, 2004-04-29 at 12:03, Lucas Albers wrote:
> I am trying to backup my quarantine directory.
> So I can delete the original from disk.
> But it appears tar is unable to handle the large number of files.
> What method have you used to backup upwards of 30K directories in a
> directory, on linux?

Tar does not have any limit on the number of files it can
handle, but you must let it recurse the directory itself
instead of letting the shell attempt to expand a wildcard
filename on the command line.  That is, if you tried
'tar cf /path/to/archive *', use 'tar cf /path/to/archive .'

  Les Mikesell
   les <at>

Murat Isik | 1 May 13:21 2004

verison check failed?


I am a long time user and big fan of mimedefang. My server run 2.39 until
yesterday, when I decided to upgrade to 2.42. What I did is to download all
the perl libraries and mimdefang itself and compile them in oder, just like
in the how-to.

I get this error when I start mimedefang or run the perl file from the
command line:

[root <at> murat murat]# /usr/bin/
Mail::Header defines neither package nor VERSION--version check failed at
/usr/lib/perl5/site_perl/5.8.1/MIME/ line 119.
BEGIN failed--compilation aborted at
/usr/lib/perl5/site_perl/5.8.1/MIME/ line 119.
Compilation failed in require at
/usr/lib/perl5/site_perl/5.8.1/MIME/ line 147.
BEGIN failed--compilation aborted at
/usr/lib/perl5/site_perl/5.8.1/MIME/ line 147.
Compilation failed in require at /usr/bin/ line 136.
BEGIN failed--compilation aborted at /usr/bin/ line 136.

I guess Mail::Header is related to with MIME-tools-5.411a but I cant really
figure it ut since I am newbie to perl

And also although my system has perl 5.8.3  and MD 2.39 run on 5.8.3 this
error includes 5.8., that is confusing for me....

My overall system is:

(Continue reading)

Bryan Martin | 1 May 16:30 2004

Detecting and adding headers if attachment found.

A lame newbie questions but here we go.

My intentions are to have procmailrc copy any message which has an
attachment to a certain directory but I need to have mimedefang add a header
to label it as such.  This way I can see what files are being blocked and if
any adjustments need to be made.

I come from a windows background so I attempted to add a "global variable"
to the top of the "mimedefang-filter" located in "/etc/mail".  With that I
had plans to make the global variable on/off to indicate whether or not
mimedefang found an attachment.  I added this at the top "$invalidAttachment
= "No";"  which to me indicates a global variable being defined with "No" as
the default value. Next inside the "filter" sub inside the "if
(filter_bad_filename($entity)) {" block I added "$invalidAttachment =
"Yes";" to indicate that an attachment has been found.  Later inside the
"filter_end" I added a statement like this:

 # BM 4/28/04 - Attempt to check for attachments
         if (my($invalidAttachment) eq "Yes"){

However, the message always comes in with "X-Attachment-Removed" equaling
nothing.  Can someone help me out?

(Continue reading)

Damrose, Mark | 3 May 08:05 2004

RE: MD SpamAssassin behavior change

From: Dirk Mueller [mailto:dmuell <at>]
> On Thursday 29 April 2004 23:51, Damrose, Mark wrote:
>>  Is there a way to turn 
>> this back off?
> You really don't want them to be turned off, because then 
> many spamassassin 
> checks don't work properly and the scores are generally way too low. 

I do all my dnsbl checks at the sendmail level before MD is invoked.

Is there anything else that SA uses those headers for?
Mark | 3 May 09:08 2004

Unsafe extensions

A quick question: where in the MIMEDefang source, or elsewhere, can I find
the list with unsafe file extensions? I'd like to add a few.


- Mark

Mark | 3 May 09:40 2004

Unsafe extensions

A quick question: where in the MIMEDefang source, or elsewhere, can I find
the list with unsafe file extensions? I'd like to add a few.


- Mark

Jan Pieter Cornet | 3 May 15:12 2004

Re: Re: $entity question

On Fri, Apr 30, 2004 at 08:26:13AM -0400, David F. Skoll wrote:
> On Fri, 30 Apr 2004, Kevin A. McGrail wrote:
> > if (-s "$entity->bodyhandle->path" <= $sizelimit) {
> $entity should always be defined, but $entity->bodyhandle or
> $entity->bodyhandle->path might not be -- you need to check both.

Oh, and the perl syntax is incorrect. Leave out the "" quotes around
the $entity->bodyhandle->path.


#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf <at> fpffmm4mmmpmfpmf.ppppmf>
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
Tim Pushor | 3 May 17:46 2004

Re: Managing Quarantined Messages

David F. Skoll wrote:

>>Yeah thats fine, but two things initially popped up, one the not
>>filtering - I don't know if this would affect anything else -
>>how about if I use stream_by_recipient or domain - wouldn't these
>>messages be coming through with localhost being the relay? I would still
>>want to filter these..
>See PRESERVING RELAY INFORMATION in the mimedefang-filter man page to
>get around that.

Sorry for taking to long to reply.

So if I understand you correctly, you are suggesting:

Compile mimedefang with --with-ip-header, and if I determine that I need 
to stream_by_* ensure that I add_ip_validation_header(). Then later, if 
RelayAddr really *is* that means that this is one of my 
remailed quarantined messages (or any other message submitted to 
localhost unforunately), and that it shoudn't be rescanned.

One question though (assuming that I am correct above): Am I able to do 
any modifications to the message before quarantining? For example, say I 
strip EXE files from all messages but quarantine if there are encrypted 
zips. Can I strip the EXE before quarantining so if I decide to remail 
(Continue reading)

Alberto Ugarte | 3 May 17:25 2004

Problem running virus scanner


I'm using mimedefang version 2.42 compiled without antivirus because I only want to filter extensions but
it doesn't work. This is the error:[31452]: Problem running virus scanner: code=126, category=swerr, action=tempfail[31452]: filter: i4398rmU008368:  tempfail=1
mimedefang[8370]: i4398rmU008368: Tempfailing because filter instructed us to
sendmail[8368]: i4398rmU008368: Milter: data, reject=451 4.3.0 Problem running virus-scanner

Any suggestion?

Sorry for my english, and thanks in advance.
Alberto Ugarte.