Max Kipness | 24 Jul 15:06 2014

Bayes test skipped on one email

Hello,

Has anyone ever seen this, where Bayes is skipped on one (or maybe more)
email only? Now I'm wondering if this happens at other times. I guess I
could do grep to see. This email, which had an SCR attachment, barely got
through due to the lack of a Bayes score on it. The email before it and
after it had Bayes scores.

Jul 24 05:25:08  xxxx-01 MailScanner[25466]: Message s6OAOTWg007338 from
xx.xx.xx.xx (fsodqraup <at> leftcoasteng.com) to xxxx.com is not spam,
SpamAssassin (not cached, score=3.935, required 4.5, autolearn=disabled,
DCC_CHECK 1.10, DIET_SPAM 0.25, DIGEST_MULTIPLE 0.29, FROM_12LTRDOM
0.10, PYZOR_CHECK 1.39, ZIP_ATTACHED 0.80)

Thanks,
Max
-- 
MailScanner mailing list
mailscanner <at> lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
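
The check the first post proposes doing with grep, written out as an added example (not code from the poster or from the MailScanner project): it parses MailScanner's SpamAssassin log entries in the format quoted above and reports every scored message with no BAYES_* hit, along with how far below the threshold it landed. The sample log is constructed; only the middle entry's message id, score and rule hits come from the post.

```python
import re

# One MailScanner syslog entry carrying a SpamAssassin verdict, in the format quoted in the post.
SA_LINE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<id>\S+) from .*? is (?P<verdict>not spam|spam), "
    r"SpamAssassin \((?P<detail>.*)\)\s*$"
)
NUMBER = r"(-?\d+(?:\.\d+)?)"
RULE_HIT = re.compile(r"\b([A-Z][A-Z0-9_]+) " + NUMBER)  # e.g. "DCC_CHECK 1.10"

def parse_sa_result(line):
    """Return id, verdict, score, threshold and rule hits, or None if the line carries none."""
    m = SA_LINE.search(line)
    if not m:
        return None
    detail = m.group("detail")
    score = re.search(r"score=" + NUMBER, detail)
    required = re.search(r"required " + NUMBER, detail)
    if not (score and required):  # entry without a score and rule list
        return None
    return {
        "id": m.group("id"),
        "verdict": m.group("verdict"),
        "score": float(score.group(1)),
        "required": float(required.group(1)),
        "rules": {name: float(pts) for name, pts in RULE_HIT.findall(detail)},
    }

def scored_without_bayes(lines):
    """Messages SpamAssassin scored with no BAYES_* rule among the hits."""
    found = []
    for line in lines:
        r = parse_sa_result(line)
        if r and not any(name.startswith("BAYES_") for name in r["rules"]):
            r["margin"] = round(r["required"] - r["score"], 3)  # distance below the threshold
            found.append(r)
    return found

# Constructed sample: hosts, addresses and the first and last entries are made up.
SAMPLE_LOG = [
    "Jul 24 05:24:51 mx-01 MailScanner[25466]: Message s6OAOAAA000001 from 192.0.2.10 (a@example.org) to example.com is spam, SpamAssassin (not cached, score=5.99, required 4.5, autolearn=disabled, BAYES_99 3.50, DCC_CHECK 1.10, PYZOR_CHECK 1.39)",
    "Jul 24 05:25:08 mx-01 MailScanner[25466]: Message s6OAOTWg007338 from 192.0.2.20 (b@example.org) to example.com is not spam, SpamAssassin (not cached, score=3.935, required 4.5, autolearn=disabled, DCC_CHECK 1.10, DIET_SPAM 0.25, DIGEST_MULTIPLE 0.29, FROM_12LTRDOM 0.10, PYZOR_CHECK 1.39, ZIP_ATTACHED 0.80)",
    "Jul 24 05:25:30 mx-01 MailScanner[25466]: Message s6OAOBBB000002 from 192.0.2.30 (c@example.org) to example.com is not spam, SpamAssassin (cached, score=-1.9, required 4.5, autolearn=disabled, BAYES_00 -1.90)",
]

if __name__ == "__main__":
    for r in scored_without_bayes(SAMPLE_LOG):
        print(r["id"], r["verdict"], r["score"], "margin", r["margin"], sorted(r["rules"]))
```

Feeding it the real mail log instead of `SAMPLE_LOG` shows whether the missing Bayes score was a one-off or a recurring gap.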

Bryan Laurila | 18 Jul 19:47 2014

Blocking top-level domains

I had an interesting situation creep up on me this week where I thought that something was happening (or being processed) in MailScanner/SpamAssassin but apparently it was not.

I have two mail relay scanners running MailScanner & SpamAssassin on Suse Linux.  These boxes scan incoming mail for spam & viruses and then relay to my MS Exchange server.  I had an influx of spam this week coming in from several top-level domains that we wouldn’t normally receive any valid emails from anyway, like .eu, .in, .asia, .club, etc. 

Upon investigating the situation I found that the Trend Micro Scan Mail service on my Exchange server crashed which led me to the discovery that MailScanner & SpamAssassin weren’t filtering mail from these unwanted top level domains as I thought and all that work was being done by my Exchange server.

So, the question of the day is…  Where is the best place to turn on filtering or set a rule somehow to filter unwanted top-level domains at the MailScanner/SpamAssassin servers?

Like all things in IT there are probably multiple ways of doing this so I am curious as to what others are doing.  All thoughts & comments are welcome.

Thanks!

Bryan S. Laurila

Senior Network Support Analyst

Dickinson County Healthcare System

1721 South Stephenson Avenue

Iron Mountain, Michigan 49801

"Life begins at the end of your comfort zone!"


Valentin Laskov | 17 Jul 13:24 2014

Spam rules

Hi all!

I'm receiving spam from (for ex.) someone <at> somewhere.com . I set this in my spam.blacklist.rules:

From:  someone <at> somewhere.com  yes

but this does not work because someone <at> somewhere.com is not the From: address but the Reply-To: address in the
letter's headers. The From: address changes frequently.

How can I mark this as spam ?

Regards!
Valentin Laskov 


Sam Gelbart | 11 Jul 10:51 2014

MailScanner Deficiency: Multi-Ruleset Processing per Email Recipient

Hi All, 

We at SYNAQ use and have used MailScanner for many years. As an Email Hygiene provider MailScanner has
served us very well.
However, as we have grown (very rapidly in the past 6 months, to many more customer domains) we have noticed
some deficiencies in MailScanner.

Below is a brief description covering our problem areas: 

Overview 
The issue has arisen due to SYNAQ's ever growing client base and the fact that we're provisioning more and
more customers (and email domains) on our hygiene platform, and that more than one of these customer
recipients/domains (and their applicable rulesets) are being addressed in the same email. 

Problem 1 
1) abc.co.za and xyz.co.za are both provisioned on our platform. 
2) abc.co.za has quarantining of SPAM configured, while xyz.co.za does not. 
3) MailScanner accepts the message for processing but "chooses" user <at> abc.co.za and abc.co.za as the
Message's "to_address" and "to_domain". 
4) MailScanner determines that the message is SPAM and because it has "chosen"  <at> abc.co.za as the email
domain it deletes the message as the configured spam action for  <at> abc.co.za is to delete. 
5) However the rule for xyz.co.za is to store/quarantine spam. This does not happen because of the actions
above and data is also never logged via MailWatch. 
6) The example above is based on a very simple scenario, and as you are aware this applies to many more complex
rulesets (size, File Type etc) across the system.

Problem 2 
1) abc.co.za and xyz.co.za are both provisioned on our platform. 
2) A third party emails both user <at> abc.co.za and user <at> xyz.co.za in a single email message. 
3) MailScanner accepts the message for processing but "chooses" user <at> abc.co.za and abc.co.za as the
Message's "to_address" and "to_domain". 
4) When the message is processed, the MailWatch.pm script receives a message object for SQL logging with
data only for user <at> abc.co.za and abc.co.za; xyz.co.za is never logged. 

Finally we have considered splitting incoming messages by recipient at an MTA level to address this
problem, but our calculations show that it would require 3.5x more hardware to process this increased
mail load. So for us a MailScanner solution is ideal.

Based on the above, could you tell me if there is anything that can be done from a MailScanner community point
of view to help develop MailScanner functionality to address these issues? 
We'd be very happy to give a nice donation for a fix or patch.

Also if the community has any ideas on other ways we can remedy this problem we welcome your feedback. 

Thanks and regards, 

Sam Gelbart
SYNAQ
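
A small model of the two problems described in this post, added here as an example (it is not MailScanner or SYNAQ code): given envelope recipients and per-domain spam actions, it shows which recipients get the wrong action and which domains are never logged when one recipient's ruleset is applied to the whole message. The action table, the envelopes, and the assumption that the "chosen" recipient is the first one in the envelope are all constructed for illustration.

```python
# Hypothetical spam actions per recipient domain, standing in for the two rulesets in the post.
SPAM_ACTION = {"abc.co.za": "delete", "xyz.co.za": "store"}

def domain_of(address):
    return address.rsplit("@", 1)[1].lower()

def single_ruleset_outcome(recipients):
    """Model the reported behaviour for one message that was judged to be spam.

    Assumption: the recipient that gets "chosen" is the first one in the envelope.
    """
    chosen = recipients[0]
    applied = SPAM_ACTION[domain_of(chosen)]
    expected = {r: SPAM_ACTION[domain_of(r)] for r in recipients}
    return {
        "to_address": chosen,
        "to_domain": domain_of(chosen),
        "applied": applied,
        # Problem 1: recipients whose own ruleset asked for a different action.
        "mishandled": {r: a for r, a in expected.items() if a != applied},
        # Problem 2: recipient domains that never reach the logging hook.
        "unlogged": sorted({domain_of(r) for r in recipients} - {domain_of(chosen)}),
    }

def audit(envelopes):
    """Return the messages where the single choice changes an outcome or drops a log row."""
    flagged = {}
    for msg_id, recipients in envelopes.items():
        outcome = single_ruleset_outcome(recipients)
        if outcome["mishandled"] or outcome["unlogged"]:
            flagged[msg_id] = outcome
    return flagged

# Constructed envelopes: message id -> envelope recipients.
ENVELOPES = {
    "msg-1": ["user@abc.co.za", "user@xyz.co.za"],   # two domains, conflicting actions
    "msg-2": ["user@abc.co.za", "other@abc.co.za"],  # one domain, one ruleset
    "msg-3": ["user@xyz.co.za"],                     # single recipient
}

if __name__ == "__main__":
    for msg_id, outcome in audit(ENVELOPES).items():
        print(msg_id, outcome)
```

Only `msg-1` is flagged: the message is deleted under abc.co.za's ruleset although xyz.co.za asked for it to be stored, and xyz.co.za gets no log entry.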


Chris Barber | 9 Jul 16:13 2014

White list issue

Hi All,

We have the latest MailScanner and MailWatch combo running on CentOS. Has been working fine for a long time.
We have a couple of users who are receiving spam and it shows as white listed in the MailWatch interface.
However, neither the email address nor the domain is on the white list at all. 

Has anyone seen this behavior? I am at a loss.

Thanks!
Chris

Max Kipness | 4 Jul 16:10 2014

Live scoring vs. Test scoring

Good morning Guys,

I've noticed something that I'm a bit puzzled about.  Today I was
testing a spam message that got through with a low score. It's one of
those with a subject as ???????? and all it had was a very large
attachment.

Well when it passed through MailScanner the first time, it received the
following score:

score=1.911
required 4.5

BAYES_50 0.80
DCC_CHECK 1.10
HTML_MESSAGE 0.00
T_OBFU_PDF_ATTACH 0.01

Not sure why the Bayes was so low as Bayes is pretty much 99% accurate
at this point, but the real question is that when I ran it through
SpamAssassin again, it hit several other rules. I understand it could hit
other databases like Pyzor and get listed after I received my copy.
However, shouldn't the TVD_FW_GRAPHIC_NAME_LONG BODY, SARE_GIF_ATTACH
and DIET_SPAM, etc. have hit the first time?

Am I missing something? Overall my accuracy is really high, but just
curious about this issue.

Content analysis details:   (7.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.3 TVD_FW_GRAPHIC_NAME_LONG BODY: Long image attachment name
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4576]
 0.0 T_OBFU_PDF_ATTACH      BODY: PDF attachment with generic MIME type
 0.2 DIET_SPAM              FULL: DIET_SPAM
 1.4 SARE_GIF_ATTACH        FULL: Email has a inline gif
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
 2.2 SB_GIF_AND_NO_URIS     SB_GIF_AND_NO_URIS
-1.1 AWL                    AWL: From: address is in the auto white-list

Thanks,
Max


Max Kipness | 27 Jun 17:06 2014

Score on attachments

Hi,

I've asked this before, but never got an answer and thought I would give
it another shot.

I sometimes get spam with attachments that are usually SCR files. For
example just a few minutes ago I received about 401k fund
participants/performance. Everything on my MailScanner system is set up
correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules,
you name it. So this message received a Bayes 999, which is correct. But
nothing else was triggered. I'm looking at some type of custom rule, but
it sure would be nice if we could score on an attachment present in
general, or certain extensions like an SCR. Or if we could score on the
fact that the message was caught by MailScanner with an attachment
warning.

Any ideas?

Thanks,
Max


Jim Flowers | 23 Jun 14:15 2014

Archive Mail Problem In MailScanner-4.84

I regularly use a ruleset for directing copies of messages for particular addresses to alternate recipients.  Until 4.84, that is.

If I enter a ruleset with:

Archive Mail = /var/spool/MailScanner/rules/archive.rules
or
%rules-dir%/archive.rules

copies of all messages as files are stored in archive.rules as a directory.

If I first create an archive.rules file with my desired copying rules, all messages are appended to the file.

I would like to have this useful functionality back.

Thanks for any information.


--
Jim Flowers <jflowers <at> ezo.net>
Jerry Benton | 21 Jun 03:22 2014

Phishing Update Service

Ok, I went a little further. There are now updated “safe” and “bad” phishing sites once per day. Read more and get the scripts here if you want them.




-
Jerry Benton



Jerry Benton | 21 Jun 00:53 2014

New Bad Phishing Sites Service for MailScanner

I have created a new update service for updating your bad phishing sites. You can download the bash script here:


Set your cron accordingly, etc. The file gets updated once per day around 04:30 UTC from phishtank.com, so no need to run it more than once per day.

-
Jerry Benton



Kevin Miller | 19 Jun 18:18 2014

Timeouts & display...

When I run the 'Spamassassin Rule Hits' report, it times out. Anybody know where I can increase the timeout
from 30 seconds to maybe a minute or so?

Also, is there a variable that I can change to display more than 50 records per page?

TIA...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 
