Rose, Bobby | 1 Aug 04:42 2009

Is Definitely Not Spam and Ignore Spam Whitelist If Recipients Exceed Options oddity

I have a ruleset for Is Definitely Not Spam and everything works fine except if that address sends a message with more recipients than what is set for Ignore Spam Whitelist If Recipients Exceed. In that case, the message seems to get blacklisted. If the entry is removed from the whitelist ruleset, then the issue doesn’t occur (but I’ll still see the log entry saying that ignored whitelist).

Has anyone else noticed this or is it just me and I have to keep digging for the reason?

Thanks

-=Bobby

This document may include proprietary and confidential information of Wayne State University Physician Group and may only be read by those person(s) to whom it is addressed. If you have received this e-mail message in error, please notify us immediately. This document may not be reproduced, copied, distributed, published, modified or furnished to third parties, without prior written consent of Wayne State University Physician Group. Thank you.
--

-- 
MailScanner mailing list
mailscanner <at> lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
Rose, Bobby | 1 Aug 04:43 2009

MailScanner and Mailwatch 1.04 bug

When a message is both detected as a virus and high scoring spam, Mailscanner seems to drop the virus report when the info is passed onto Mailwatch.pm. The virusinfected flag is passed but not the reports. Both virus and spam reports appear in the maillogs ok so this->{reports} must be set at some point. But it’s just not getting passed on to the MailWatch.pm. I threw in some debug stuff in Mailwatch.pm just to see if the info was getting that far and it’s not.

Any suggestions?


Dave Jones | 1 Aug 04:57 2009

Re: lstat() failed on: /mnt/ramdisk/...

From June 24th:

http://thread.gmane.org/gmane.mail.virus.mailscanner/71122/focus=71160

>> lstat() failed on: /mnt/ramdisk/31166/n5NC95S6028227/tnef.31166
>
>Which version of MailScanner are you running? If you're using a version
>< 4.76.24, and you only have tnef.* in your lstat errors, this is a
>known bug. Upgrading to the latest MailScanner release will fix it (or
>at least >= 4.76.24), as the tnef processing has been updated to correct
>the permission errors.
>
>(see http://www.bluequartz.us/phpBB2/viewtopic.php?t=87165 for
>reference, and "16 Fixed permissions and ownership problems with data
>extracted from TNEF winmail.dat attachments." under fixes of 4.76.24-3
>from  http://www.mailscanner.info/ChangeLog).
>
> Cheers,
>-Joshua

I upgraded MailScanner to version 4.77.10-1 a few weeks ago and still
have thousands of these errors in the maillog.

I also changed my ramdisk to tmpfs (and rebooted to remove the ramdisk
from memory).

Is there something else that I could have wrong?

-- 
Dave Jones

--[ UxBoD ]-- | 1 Aug 09:23 2009

Re: New beta release 4.78.3 -- "spam-viruses"

----- "Julian Field" <MailScanner <at> ecs.soton.ac.uk> wrote:

> I have just released a new beta, the first in quite a while.
>
> This has one major re-arrangement done to it, in that the virus scanning
> is now done *before* the spam checking, instead of after it as it has
> always been in the past. This results in you virus-scanning all the spam
> you are about to delete, but for virtually all virus scanners the cost
> of scanning a few extra files is very minimal compared to the cost of
> running SpamAssassin on them anyway. So it won't make much difference to
> the speed at all. And you have the advantage that you won't be
> spam-scanning viruses any more.
>
> The need for this is because...
>
> I have introduced a solution to the issue of what I am calling
> "spam-viruses" which are messages detected as being spam by your *virus*
> scanner. At least ClamAV and F-Prot can do this now. Automatically
> deleting mail which a third-party ClamAV signature database thinks is
> probably spam is not a very good idea, as there are false alarms which
> have bitten most of us in the past.
>
> So what you want is a way of assigning a spam score to different
> "spam-viruses" so you can use the signature databases to varying effect,
> depending on what you think of their reliability. Some of the ClamAV
> databases have far more false alarms (false positives) than others, as
> documented here:
>          http://www.sanesecurity.net/databases.htm
>
> So now a list of all the "spam-viruses" found in a message will be put
> in a new message header before the message is passed to SpamAssassin, so
> you can do everything from simply assigning a score if the header exists
> at all, to assigning different scores to different spam-viruses as you
> like. You can make it as simple or as complex as you choose. I have
> given you a sample rule to start from in spam.assassin.prefs.conf.
>
> So you need to do 2 other things:
> 1. Set the name of the header used for this: see the "Spam-Virus Header"
> setting in MailScanner.conf.
> 2. Define what virus names are actually spam-viruses. See the "Virus
> Names Which Are Spam" setting in MailScanner.conf.
>
> The second of those is given very simply. No regular expressions or
> anything complicated like that, sorry.
> You give a space-separated list of strings which are the names of the
> spam-viruses.
> You can use the "*" wildcard character to mean "any number of zero or
> more characters", just like you do in filenames. You can use several "*"
> wildcards in each string, of course.
> Other than that the string will be matched against the whole virus name,
> with a case sensitive match.
> If you want to match just a sub-string of the virus name, put a "*" at
> the start and end of the string, such as in "*UNOFFICIAL*" for example.
> Two simple examples are "HTML/*" and "Sane*UNOFFICIAL" which are
> hopefully both self-explanatory.
>
> For more information about these 2 settings, see the MailScanner.conf
> file.
>
> I think this keeps the configuration nice and simple for most people,
> but allows the 0.1% of wizards to build really complex setups.
>
> If you strongly disagree with the way I have done it, please do let me
> know, this is only a beta so I can easily change it at this point
> without upsetting anyone. :-)
>
> Hopefully you will find this a useful new feature, and that the cost of
> the code re-arrangement is not too high.
>
> Have a good weekend, and please let me know if you have any "issues"
> with any of it!
>
> Jules
> 
> -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
> 

I am sure the 0.1% of wizards will be hitting Amazon and sending something your way Jules ... Great work this
is exactly what I needed :) Time to build up the new server and get installing :D

Best Regards,

-- 
SplatNIX IT Services :: Innovation through collaboration
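
The matching rules quoted above for "Virus Names Which Are Spam" (space-separated strings, "*" as the only wildcard, whole-name and case-sensitive match) can be tried out with the sketch below. It is an added example, not MailScanner's own code (MailScanner is written in Perl); the virus names, the header name `X-Example-SpamVirus-Report:` and the comma-joined header value are constructed assumptions.

```python
import re

# Constructed sample scanner verdicts (not taken from any real log).
SAMPLE_NAMES = [
    "HTML/Phishing.Bank-1",
    "html/Phishing.Bank-1",               # differs only in case
    "Sanesecurity.Junk.1234.UNOFFICIAL",
    "winnow.spam.42.UNOFFICIAL",
    "Eicar-Test-Signature",               # a real virus hit, not a spam-virus
]


def compile_spam_virus_patterns(setting):
    """Compile a space-separated list of spam-virus name patterns.

    Only "*" is a wildcard; every other character (".", "?", "[" ...) is
    taken literally, which is why fnmatch or a raw regex is not used here.
    """
    compiled = []
    for pattern in setting.split():
        literal_parts = [re.escape(part) for part in pattern.split("*")]
        compiled.append(re.compile(".*".join(literal_parts), re.DOTALL))
    return compiled


def spam_viruses(virus_names, setting):
    """Return the names that match a pattern over their whole length."""
    patterns = compile_spam_virus_patterns(setting)
    return [name for name in virus_names
            if any(p.fullmatch(name) for p in patterns)]


def header_line(header_name, virus_names, setting):
    """Build the header handed to the spam scorer, or None if nothing matched.

    The "name: a, b" layout is an assumption made for this example.
    """
    hits = spam_viruses(virus_names, setting)
    return f"{header_name} {', '.join(hits)}" if hits else None


if __name__ == "__main__":
    for setting in ("HTML/* Sane*UNOFFICIAL", "*UNOFFICIAL*", "Sane.*"):
        print(repr(setting), "->", spam_viruses(SAMPLE_NAMES, setting))
    print(header_line("X-Example-SpamVirus-Report:", SAMPLE_NAMES,
                      "HTML/* Sane*UNOFFICIAL"))
```

The last setting, "Sane.*", matches nothing because the dot is literal, which is the difference from a regular expression that catches people out when they write these lists.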


--[ UxBoD ]-- | 1 Aug 17:37 2009

Help on new install please ?

Hi, 

Just installing a new mini-itx server with CentOS 5.3. Should I go with Julian's Clam/SA tarball or use the repo?

Best Regards, 

-- 
SplatNIX IT Services :: Innovation through collaboration 

Martin Hepworth | 1 Aug 20:35 2009

Re: lstat() failed on: /mnt/ramdisk/...

Try changing the type of TNEF scanner: if it is the external binary, change it to the internal one, and/or vice versa.


--
Martin Hepworth
Oxford, UK

2009/8/1 Dave Jones <davejones70 <at> gmail.com>
From June 24th:

http://thread.gmane.org/gmane.mail.virus.mailscanner/71122/focus=71160

>> lstat() failed on: /mnt/ramdisk/31166/n5NC95S6028227/tnef.31166
>
>Which version of MailScanner are you running? If you're using a version
>< 4.76.24, and you only have tnef.* in your lstat errors, this is a
>known bug. Upgrading to the latest MailScanner release will fix it (or
>at least >= 4.76.24), as the tnef processing has been updated to correct
>the permission errors.
>
>(see http://www.bluequartz.us/phpBB2/viewtopic.php?t=87165 for
>reference, and "16 Fixed permissions and ownership problems with data
>extracted from TNEF winmail.dat attachments." under fixes of 4.76.24-3
>from  http://www.mailscanner.info/ChangeLog).
>
> Cheers,
>-Joshua

I upgraded MailScanner to version 4.77.10-1 a few weeks ago and still
have thousands of these errors in the maillog.

I also changed my ramdisk to tmpfs (and rebooted to remove the ramdisk
from memory).

Is there something else that I could have wrong?

--
Dave Jones



Alex Neuman van der Hans | 1 Aug 21:52 2009

Re: Help on new install please ?

They're both good. I prefer the tarball, but using the repo gets clamd  
out of the way in an easier fashion, IMHO.

On Aug 1, 2009, at 10:37 AM, --[ UxBoD ]-- wrote:

> Just installing a new mini-itx server with CentOS 5.3. Should I go  
> with Julians Clam/SA tarball or use the repo ?

-- 
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex <at> rtpty.com
Skype: alexneuman


Jules Field | 2 Aug 13:48 2009

Re: Is Definitely Not Spam and Ignore Spam Whitelist If Recipients Exceed Options oddity


On 01/08/2009 03:42, Rose, Bobby wrote:
>
> I have a ruleset for Is Definitely Not Spam and everything works fine 
> except if that address sends a message with more recipients than 
> what is set for Ignore Spam Whitelist If Recipients Exceed. In that 
> case, the message seems to get blacklisted. If the entry is removed 
> from the whitelist ruleset, then the issue doesn’t occur (but I’ll 
> still see the log entry saying that ignored whitelist).
>
So you're saying that the "Is Definitely Not Spam" is ignored if the 
message has more recipients than set in "Ignore Spam Whitelist If 
Recipients Exceed"? In that case, that is exactly what it is meant to 
do. "Is Definitely Not Spam" is the "Spam Whitelist" the other option is 
talking about.

> Has anyone else noticed this or is it just me and I have to keep 
> digging for the reason?
>
> Thanks
>
> -=Bobby
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


Jules Field | 2 Aug 13:52 2009

Re: Help on new install please ?

I tend to use SA from my tarball, and ClamAV from 
http://packages.sw.be/clamav which is an RPM repository. That way 
MailScanner gets SA the way it wants, but you get clamd and stuff too.

The install.sh for my tarball will ask you if you want to install 
ClamAV, just say no and tell it the path to clamscan when it asks for it.

On 01/08/2009 16:37, --[ UxBoD ]-- wrote:
> Hi,
>
> Just installing a new mini-itx server with CentOS 5.3. Should I go with Julians Clam/SA tarball or use the repo ?
>
> Best Regards,
>
>    

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store


Mark Sapiro | 2 Aug 16:27 2009

Question about Spear.Phishing.Rules script

I am running the Spear.Phishing.Rules.v2.04 script.

Recently I noticed a message:

Failed to retrieve http://www.mailscanner.tv/emails.2009-30.227 at ...

in the script output. If I try to visit that URL with a browser, I get
a "not found". I noticed this once before; I think the URL may have
been <http://www.mailscanner.tv/emails.2009-28.227> (from my browser
history), but I can't verify this as all the week 28 files seem to be
gone now.

My questions are:

Is it normal for a file to be missing or does this indicate a problem?

If the other time really was emails.2009-28.227, is the 227 significant
or a coincidence?

-- 
Mark Sapiro <mark <at> msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
