Paul Hutchings | 1 Sep 09:37 2008

RE: virus detection reporting wrong scanner

Still appears to be happening.

All I did was download the beta and run the usual ./install.sh -
presumably that would overwrite the manual change I made a week or so
back to handle the changed vba32 output?

-----Original Message-----
From: mailscanner-bounces <at> lists.mailscanner.info
[mailto:mailscanner-bounces <at> lists.mailscanner.info] On Behalf Of Julian
Field
Sent: 31 August 2008 14:11
To: MailScanner discussion
Subject: Re: virus detection reporting wrong scanner

Please try this with the latest beta (4.71.9) and let me know if it 
still recurs.

Paul Hutchings wrote:
> I'm using clamd, avg and vba32.
>
> In maillog, I see the following:
>
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1 infections
> Aug 31 02:11:56 relay MailScanner[22637]: Infected message C5B321FC55.019F5 came from 217.76.130.123
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1 viruses
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at

Caza Henha | 1 Sep 11:09 2008

Rules with IP addresses


Hi,
 
I have recently installed Mailscanner with Postfix and MailWatch and it seems over the last week the system is running great, however I am now getting requests to tweak the default rules that I have from various users in different departments. I have been trying to delve into the nitty-gritty of the rules and understand the principles and they do not seem very complicated and when looking at some examples on the Wiki things shouldn't be too difficult.
 
Consequently I have noticed a number of examples have IP addresses in the From section of the rules and I was just wondering where this IP address was coming from and what it can actually be as I cannot seem to find any documentation on it. For example is this IP address (or the RegEx of one) the connecting smtp server (or any smtp server that the mail has passed through), client address, MX address of the sending domain etc or any combination of all the previous?
 
Also can this be used in a "To" configuration, the reason I ask is that essentially we have four internal smtp servers which does sound like we process a lot of mail but they are basically queues for our application servers. Due to the current "trial" policy all spam is being marked and delivered and sorted at the client software, however we have a trouble ticket application that is currently getting lots of spam and because it sends out confirmation receipts etc we are getting bounces that are filling the queues. Although easy, I don't necessarily wish to have loads of "To" rules with the individual addresses of the trouble ticket system so I was wondering whether I could have the IP address (or even better the FQDN) of the forwarding SMTP server in the To rule, something like the following:
 
spam.rules
 
To:     ticketing.example.com    delete    // Ticketing SMTP server
To:     exchange.example.com   store     // Exchange server
FromOrTo:  default                  deliver
 
Is the above possible? If not is the following,
 
 
To:     192.168.15.1    delete    // Ticketing SMTP server
To:     192.168.15.2   store      // Exchange server
FromOrTo:  default                  deliver
 
Kind Regards,
 
Caza
 


-- 
MailScanner mailing list
mailscanner <at> lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
Julian Field | 1 Sep 13:20 2008

Re: virus detection reporting wrong scanner

The report is definitely coming from ClamAV (clamav, clamavmodule or 
clamd) as the HTML.Phishing.Bank-.... is in their style.
Are you sure you're not looking at a different report from the message?

What does "MailScanner --lint" say about this?

Paul Hutchings wrote:
> Still appears to be happening.
>
> All I did was download the beta and run the usual ./install.sh -
> presumably that would overwrite the manual change I made a week or so
> back to handle the changed vba32 output?
>
> -----Original Message-----
> From: mailscanner-bounces <at> lists.mailscanner.info
> [mailto:mailscanner-bounces <at> lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: 31 August 2008 14:11
> To: MailScanner discussion
> Subject: Re: virus detection reporting wrong scanner
>
> Please try this with the latest beta (4.71.9) and let me know if it 
> still recurs.
>
> Paul Hutchings wrote:
>> I'm using clamd, avg and vba32.
>>
>> In maillog, I see the following:
>>
>> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1 infections
>> Aug 31 02:11:56 relay MailScanner[22637]: Infected message C5B321FC55.019F5 came from 217.76.130.123
>> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1 viruses
>> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at 1731 bytes per second
>>
>> In the report I see this:
>>
>> The following e-mails were found to have: Virus Detected
>>
>>     Sender: skatemurcia.com <at> llgc793.servidoresdns.net
>> IP Address: 217.76.130.123
>>  Recipient: someone <at> ourdomain.com
>>    Subject: Security Message - Important System Notification.
>>  MessageID: C5B321FC55.019F5
>> Quarantine: 
>>     Report: Clamd: msg-22637-48.html was infected: HTML.Phishing.Bank-1248
>>
>> Any suggestions?  I know last week I had to modify one of the
>> MailScanner files to deal with the way that vba32 output changed since
>> the last MailScanner release.
>>
>> Lint output:
>>
>> Trying to setlogsock(unix)
>> Read 850 hostnames from the phishing whitelist
>> Read 5262 hostnames from the phishing blacklist
>> Checking version numbers...
>> Version number in MailScanner.conf (4.70.7) is correct.
>>
>> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
>> MailScanner setting GID to  (89)
>> MailScanner setting UID to  (89)
>>
>> Checking for SpamAssassin errors (if you use it)...
>> SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>> I have found clamd avg vba32 scanners installed, and will use them all by default.
>> Using locktype = posix
>> MailScanner.conf says "Virus Scanners = auto"
>> Found these virus scanners installed: clamd, vba32, avg
>>
>> ===========================================================================
>> Virus and Content Scanning: Starting
>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 1 infections
>> Avg: Virus identified EICAR_Test in eicar.com
>> Virus Scanning: Avg found 1 infections
>> /var/spool/MailScanner/incoming/23308/1/eicar.com : infected EICAR-Test-File
>> Virus Scanning: vba32 found 1 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 1 viruses
>>
>> ===========================================================================
>> Virus Scanner test reports:
>> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>> Avg said "Found virus EICAR_Test in file eicar.com"
>> vba32 said "Found virus EICAR-Test-File in eicar.com"
>>
>> If any of your virus scanners (clamd,vba32,avg)
>> are not listed there, you should check that they are installed correctly
>> and that MailScanner is finding them correctly via its
>> virus.scanners.conf.
>>
>> Cheers,
>> Paul
>>
>>
>>   
>>     
>
> Jules
>
>   

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


Julian Field | 1 Sep 13:22 2008

Re: Rules with IP addresses


Caza Henha wrote:
>
> Hi,
>  
> I have recently installed Mailscanner with Postfix and MailWatch and 
> it seems over the last week the system is running great, however I am 
> now getting requests to tweak the default rules that I have from 
> various users in different departments. I have been trying to delve 
> into the nitty-gritty of the rules and understand the principles and 
> they do not seem very complicated and when looking at some examples on 
> the Wiki things shouldn't be too difficult.
>  
> Consequently I have noticed a number of examples have IP addresses in 
> the From section of the rules and I was just wondering where this IP 
> address was coming from and what it can actually be as I cannot seem 
> to find any documentation on it. For example is this IP address (or 
> the RegEx of one) the connecting smtp server (or any smtp server that 
> the mail has passed through), client address, MX address of the 
> sending domain etc or any combination of all the previous?
It is the IP address of the machine that was the client end of the SMTP 
connection to the server. So in the case of a customer-facing SMTP 
server, it will be the customer's client IP address. In the case of an 
MX it would be the IP address of the SMTP server talking to you.
>  
> Also can this be used in a "To" configuration,
No. Due to the way mail delivery works, you don't know the IP address of 
the destination until you have already started sending the message. 
Can't be done.

Jules


Nigel Kendrick | 1 Sep 13:57 2008

RE: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST


-----Original Message-----
From: mailscanner-bounces <at> lists.mailscanner.info
[mailto:mailscanner-bounces <at> lists.mailscanner.info] On Behalf Of Julian
Field
Sent: Friday, August 15, 2008 2:20 PM
To: MailScanner discussion
Subject: Re: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST

Nigel Kendrick wrote:
> Just noticed ClamAV throwing the following error into Maillog:
>
> Aug 15 13:17:39 woking MailScanner[6082]: Commercial virus checker failed
> with real error: Invalid function CL_SCAN_PHISHING_DOMAINLIST at
> /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/Mail/ClamAV.pm line
> 120. 
>
> I have re-installed using Jules' ClamAV/SpamAssassin bundle, done a
> freshclam and restarted MailScanner and still getting the same. Can't find
> much in the way of notes about this...!?
>   
Did the "make test" phase of building the Mail::ClamAV module succeed?

Jules

Hi Jules,

Just back from holiday and picking this one up. Yes, the "make test" runs
fine.

I have come across this comment but not sure what to make of it (or what to
do)...

http://kobesearch.cpan.org/htdocs/Mail-ClamAV/Mail/ClamAV.pm.html#CL_SCAN_PHISHING_DOMAINLIST

"CL_SCAN_PHISHING_DOMAINLIST

    With a minor version bump clamav development team removed this and broke
backwards compatibility, so it is no longer supported in this module as of
0.22."

That's the version (0.22) of Mail::ClamAV I am running on the affected
server - but it's also that version on servers working OK?

Confused!?


Paul Hutchings | 1 Sep 15:02 2008

RE: virus detection reporting wrong scanner

The lint seems to check out just fine.  Maybe my understanding is wrong,
but I thought that if multiple engines caught a virus in a message it
listed that multiple engines had detected something in the report that's
sent to postmaster (or wherever) - all I know is I have an entry in
maillog by vba32 saying it detected a virus, at the same time an email
was deleted and a report sent to postmaster saying it was because clam32
had detected a virus - yet there's no report in the postmaster mailbox
that mentions vba32.


Julian Field | 1 Sep 15:07 2008

Re: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST


Nigel Kendrick wrote:
> Hi Jules,
>
> Just back from holiday and picking this one up. Yes, the "make test" runs
> fine.
>
> I have come across this comment but not sure what to make of it (or what to
> do)...
>
> http://kobesearch.cpan.org/htdocs/Mail-ClamAV/Mail/ClamAV.pm.html#CL_SCAN_PHISHING_DOMAINLIST
>
> "CL_SCAN_PHISHING_DOMAINLIST
>
>     With a minor version bump clamav development team removed this and broke
> backwards compatibility, so it is no longer supported in this module as of
> 0.22."
>
> That's the version (0.22) of Mail::ClamAV I am running on the affected
> server - but it's also that version on servers working OK?
>
> Confused!?
>   
I removed the mention of CL_SCAN_PHISHING_DOMAINLIST some time ago, it's 
certainly not in the latest version.

Jules


Julian Field | 1 Sep 15:36 2008

MailScanner ANNOUNCE: 4.71 stable released

Hi folks!

I have just released a new stable version of MailScanner, version 4.71.

The main changes this month are:

- If a message contains a *.doc document, a new attachment can be added 
containing the text of the document. This will save your users from 
having to save the attachment, potentially switch operating systems, and 
open up Microsoft Word or OpenOffice just to read the words in the 
document. My users absolutely *love* this feature, it saves them a huge 
amount of time and hassle when memos are circulated by the management. 
See the "Add Text Of Doc" setting in MailScanner.conf for more details 
of how to configure this.
- Updated support for Esets and F-Secure virus scanners.
- Thanks to F-Secure for donating me a set of server licences so I can 
always be sure that I am supporting the latest versions of their 
products. Much appreciated!
- One for Fetchmail users: used together with the "--invisible" option 
to fetchmail, MailScanner will correctly use the IP address of the 
connecting SMTP client, and not "localhost" or "127.0.0.1" for the IP 
address in rulesets.
- Added protection against denial-of-service attacks on the HTML text 
parser Perl module. There is a message involving thousands of <FONT> 
tags in circulation which breaks previous versions of MailScanner when 
they try to analyse the HTML of the email message. This is in no way an 
attack on MailScanner, but on the underlying HTML::Parser Perl module.
- Improved support of DSN messages from bigfoot.com which incorrectly 
use the "message/partial" MIME identifier.

Download it all as usual from www.mailscanner.info.

The full Change Log is here:
* New Features and Improvements *
1 Upgraded from File::Temp 0.19 to File::Temp 0.20 to resolve installation
  problem reported with Fedora Core 8 systems.
2 New Feature: We can now extract the plain text of Microsoft Word (up to 2004)
  documents in the *.doc format, and add it as new attachments to a message.
  This is done using the "antiword" program available from
  http://www.winfield.demon.nl/. There are 3 new configuration settings for
  this feature:
  "Add Text Of Doc" - This switches the feature on and off. Off by default.
  "Antiword" - Full command to run the antiword binary. Adding "-f" to it
  makes it highlight emphasized text in the output, which I find helps.
  "Antiword Timeout" - The greatest length of time antiword is allowed to run.
3 Improvement to phishing net, now correctly ignores ':80' in http URLs.
3 Implemented support for Esets version 3.
4 Implemented support for F-Secure 7.01.
5 Added protection against attacks on the HTML text parser (Perl module
  HTML::Parser) which is used to analyse HTML messages for dangerous tags.
  There is a message in circulation that breaks this, causing Perl to trigger
  a "Segmentation Fault". This protection is necessary, but may have an impact
  on the performance of MailScanner. Until the Perl module is fixed, however,
  this is very necessary protection for your email systems.
7 Added new option "Read IP Address From Received Header" which you can set to
  yes if you are running fetchmail and injecting mail from fetchmail into your
  MTA using SMTP. You need to set the "--invisible" option to fetchmail as well
  to stop it adding its own "Received:" header. See the "Advanced" section of
  MailScanner.conf for more info on this.
8 Added new rules to filename.rules.conf to allow for days of the week and
  months in filenames like my_document.july.doc so they aren't caught by the
  double filename extension trap.
8 Improved error notification if your permissions on /tmp are all wrong. It
  now tells you exactly what to type to fix them.
8 Improved VBA32 output parser to handle slightly different new output format.
8 Improved 'partial message' handling to only remove the partial-message
  section of the message, and not the whole thing. This is particularly
  relevant to DSNs from bigfoot.com
10 Improved F-Secure scanning within executables.

* Fixes *
3 Improvement to "Sign Clean Messages" so the signature now appears where it
  should, above any </body> tag as well as above any </html> tag.
6 Fix to Exim support to allow for arbitrarily-named Exim ACLs. Fix kindly
  provided by dominik.schramm <at> businessmart.de.
6 Fix for missing watermarks, courtesy of Lasantha Marian.
7 Fix for case when Rebuild Bayes Every = 0 and Bayes is still rebuilt.
7 TNEF attachments will be added with correct filenames when TNEF Expander =
  internal. It was erroneously adding them with their "safe" filenames.
9 Removed a load of extra debug output code.
9 "Partial messages" are now quarantined correctly.
10 Removed duplicate warning output when "Virus Scanners = none".

Jules


-- 
MailScanner-announce mailing list
mailscanner-announce <at> lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner-announce

Before posting, read the Wiki (http://wiki.mailscanner.info/).

Support MailScanner development - buy the book off the website! 

Nigel Kendrick | 1 Sep 16:53 2008

RE: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST


> Confused!?
>   
I removed the mention of CL_SCAN_PHISHING_DOMAINLIST some time ago, it's 
certainly not in the latest version.

Jules

Hi Jules,

I've just installed 4.71.10 and that's fixed it.

Thanks

Nigel 


R Wahyudi | 1 Sep 18:22 2008

Re: mailscanner in ISP

Scott Silva wrote:
> on 8-8-2008 2:52 AM ram spake the following:
>> On Thu, 2008-08-07 at 15:06 +0100, Paulo Roncon wrote:
>>> Hello all,
>>>
>>> I work in a ISP and we want to install mailscanner to stop OUTBOUND 
>>> spam as its becoming a bottleneck...
>>> I dont have any network metrics, as the guy in charge in out. I'm 
>>> thinking 1000000 plus messages/day.
>>>
>>> Questions:
>>> -Anyone has ideias of the kind of HW solution nedeed?
Use dedicated outgoing mail servers that handle just outgoing mail - 
don't mix outgoing with incoming mail servers.
I would go with clusters of less powerful hardware and do load 
balancing instead of having just one or two powerful machines.
This will provide high availability and allows you to stop a server that 
is saturated with spam without affecting your service.
>>> -OUTBOUND filtering: Its gonna be *->*. Do you see any problems
Block all outgoing port 25 except to your mail server and ask users to 
use SMTP auth if they want to connect to external mail.
This will reduce A LOT of spam coming out of your users. Most worms send 
email directly to the internet from the infected host.

I've written an auto-blacklist that will block an IP address that sends 
more than 4 spam/virus within 5 minutes, ban the IP for 30 minutes, and 
automatically remove it after 30 minutes.
If users get blocked they will get an SMTP error message which redirects 
them to a website where they can see the reason they got blocked and 
which also displays the offending email header as evidence.. and at the 
same time allows you to upsell your security product. You can view the 
rough example here: 
http://mailwatch.sourceforge.net/doku.php?id=mailwatch:tipandtricks:postfix_auto_blacklist

Tips configuring lightweight SA for outgoing mail :
- Remove most of the body checking & reverse IP checking .. most of the 
time they give false positive and this will speed up SA
- Skip bayes
- use Surbl and increase its scoring highly ..
- Do not use dynamic IP blacklists - most of your users will be on dynamic IPs
- use razor/pyzor and dcc & increase their score

MTA tips:
- Rate limit is a must - try policyd if you use postfix
- Monitor your deferred queue, setup nagios to beep if you see a spike

Regards,
Rianto Wahyudi
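
The auto-blacklist policy described in the message above (more than 4 hits within 5 minutes, a 30-minute ban, automatic removal), as an added example that is not the poster's script nor MailScanner or MailWatch code. It assumes that only the "Infected message ... came from ..." maillog line quoted earlier on this page counts as a hit; the class and function names, the sample log lines and the supplied year are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as stated in the post.
MAX_HITS = 4                      # ban when an IP exceeds this many hits...
WINDOW = timedelta(minutes=5)     # ...inside this sliding window
BAN_TIME = timedelta(minutes=30)  # ban length; the entry is dropped afterwards

# Matches the maillog line format quoted earlier on this page.
INFECTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sMailScanner\[\d+\]:\s"
    r"Infected message \S+ came from (?P<ip>[0-9A-Fa-f.:]+)\s*$"
)


def parse_event(line, year=2008):
    """Return (timestamp, client_ip) for an 'Infected message' line, else None."""
    m = INFECTED.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumption)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


class AutoBlacklist:
    """Sliding-window counter per SMTP client IP with time-limited bans."""

    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> timestamps of recent hits
        self.banned_until = {}          # ip -> ban expiry time

    def expire(self, now):
        """Drop bans whose 30 minutes have elapsed."""
        for ip in [ip for ip, t in self.banned_until.items() if t <= now]:
            del self.banned_until[ip]

    def is_banned(self, ip, now):
        self.expire(now)
        return ip in self.banned_until

    def record(self, ip, when):
        """Record one hit; return True if this hit triggers a new ban."""
        self.expire(when)
        if ip in self.banned_until:
            return False                # already banned, nothing new to do
        recent = self.hits[ip]
        recent.append(when)
        while recent and when - recent[0] > WINDOW:
            recent.popleft()            # forget hits older than the window
        if len(recent) > MAX_HITS:
            self.banned_until[ip] = when + BAN_TIME
            recent.clear()              # start counting afresh after the ban
            return True
        return False


# Constructed sample log (documentation address ranges, made-up queue IDs).
SAMPLE_LOG = """\
Sep  1 10:00:05 relay MailScanner[4242]: Infected message A000000001.00001 came from 192.0.2.10
Sep  1 10:00:40 relay MailScanner[4242]: Virus Scanning: Found 1 viruses
Sep  1 10:01:10 relay MailScanner[4242]: Infected message A000000002.00002 came from 192.0.2.10
Sep  1 10:01:30 relay MailScanner[4242]: Infected message A000000003.00003 came from 198.51.100.7
Sep  1 10:02:15 relay MailScanner[4242]: Infected message A000000004.00004 came from 192.0.2.10
Sep  1 10:03:20 relay MailScanner[4242]: Infected message A000000005.00005 came from 192.0.2.10
Sep  1 10:04:00 relay MailScanner[4242]: Infected message A000000006.00006 came from 192.0.2.10
Sep  1 10:09:00 relay MailScanner[4242]: Infected message A000000007.00007 came from 198.51.100.7
"""


def replay(log_text, year=2008):
    """Feed log lines through the blacklist; return it and the bans triggered."""
    blacklist, bans = AutoBlacklist(), []
    for line in log_text.splitlines():
        event = parse_event(line, year)
        if event and blacklist.record(event[1], event[0]):
            ts, ip = event
            bans.append((ip, ts, blacklist.banned_until[ip]))
    return blacklist, bans


if __name__ == "__main__":
    for ip, start, end in replay(SAMPLE_LOG)[1]:
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The address counted here is the SMTP client IP, the same value MailScanner matches in "From:" rules, so behind a relay or fetchmail it is only meaningful once MailScanner sees the real client address.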


