Re: [Mimedefang] email wire tap

2004-03-15 Thread Tim Pushor
Richard Laager wrote:

> 1. Call add_recipient('[EMAIL PROTECTED]'); with the recipient to add.
> If you modify the message, this is obviously going to deliver a
> modified copy. Also, if you bounce or discard the message, this won't
> work.

Just as an FYI - I'm not sure what you are attempting, but if your goal
is to transparently forward copies of all mail he receives AND sends,
this may not be the method to use. If you tack on a recipient to an
email sent by the user and for whatever reason it's undeliverable, your
user is going to get the bounced message and be confused, at best.

Tim

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] email wire tap

2004-03-15 Thread Richard Laager
 

Charles Mount wrote:
> I have two similar needs for sending mail to an additional
> recipient. 
...
> Has anyone used MimeDefang to do something like this?

I use this technique for Bayes training. We randomly sample messages
for hand-sorting and then feed them back into the Bayes database.
It's all done automatically (except for the sorting, obviously): The
messages appear in an IMAP folder ready for sorting. They are sorted
into two IMAP folders and then our MXes train off the sorted mail and
then delete the messages.

Anyway, there are two ways:

1. Call add_recipient('[EMAIL PROTECTED]'); with the recipient to add.
If you modify the message, this is obviously going to deliver a
modified copy. Also, if you bounce or discard the message, this won't
work.

2. Call resend_message('[EMAIL PROTECTED]'); This will resend the
original message to the recipient you specify. You may need to
re-work your filter logic and/or add an exception for the address
used because the resent message is going to be processed by
MIMEDefang.

Obviously, if you only want to add the additional recipient in some
cases, you'll need to write the appropriate if statement yourself.

In either case, you'll want to add this code to either filter_begin
or filter_end. (Probably in filter_end, but it depends on your
needs.)

Richard Laager




[Mimedefang] netsky.c passing MD-2.40 with clamav+uvscan

2004-03-15 Thread Alan Lehman
I'm seeing a fair number of netsky.c infected zip files pass my system
(MD-2.40) with clamav and uvscan configured. Most are caught by MD, but
the misses are being caught at a downstream eggchange box running
McAfee groupshield. The default filter section "look inside zip files"
is enabled. I tried blocking specific zip file names. That helped, but
new ones kept showing up, so I gave up and started blocking all zip
files today. That stopped the occurrences at the exchange box. Any ideas?

It seems curious that groupshield catches stuff that gets past uvscan.

Also, since I started blocking zip files, I'm still seeing 
W32/[EMAIL PROTECTED] viruses being reported by MD. Does it scan for 
viruses in files that are rejected based on filename extension?

thanks,
Alan


Re: [Mimedefang] boilerplate on multiple MX machines

2004-03-15 Thread David F. Skoll
On Mon, 15 Mar 2004, J.D. Bronson wrote:

> I thought I would post how I did this. I am not sure its correct, but it
> works exactly as I expect it to:

It shouldn't.

>  return if (in_message_context("X-Disclaimer-Added"));

in_message_context is an internal, undocumented function that is not
part of the MIMEDefang API.  It doesn't do what you think it does.

To make it work properly, you need to open the HEADERS file and check
for an existing header.  Search the list archives for HEADERS for examples.

Regards,

David.
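
An added example (not part of the original post or of the MIMEDefang distribution) of the check described above: read the HEADERS file in the working directory and look for the marker header. Because any outside sender can put that header on a message, this sketch honours it only when the connecting relay is one of your own machines, which combines the header check with the relay-IP check suggested elsewhere in this thread. The relay addresses and the helper names `header_present` and `should_add_disclaimer` are assumptions.

```perl
#!/usr/bin/perl
# Added example: append the disclaimer once across several MX hosts.
# Assumptions: relay list and helper names are made up for illustration.
use strict;
use warnings;

our $RelayAddr;    # set by MIMEDefang: IP address of the connecting relay

# Hypothetical addresses of our own MX machines (documentation range).
my %OWN_RELAYS = map { $_ => 1 } qw(192.0.2.10 192.0.2.11 127.0.0.1);
my $MARKER     = 'X-Disclaimer-Added';

# Return true if a header named $name appears in the file $path.
# MIMEDefang writes ./HEADERS with one unfolded header per line.
sub header_present {
    my ($path, $name) = @_;
    open(my $fh, '<', $path) or return 0;    # no file: treat as absent
    my $found = 0;
    while (my $line = <$fh>) {
        if ($line =~ /^\Q$name\E\s*:/i) {    # header names are case-insensitive
            $found = 1;
            last;
        }
    }
    close($fh);
    return $found;
}

# Decide whether this host should append the disclaimer.
sub should_add_disclaimer {
    my ($relay, $headers_path) = @_;
    my $from_own_mx = defined($relay) && $OWN_RELAYS{$relay};
    # Trust the marker only when one of our machines handed us the message;
    # a marker supplied by an outside sender must not suppress the disclaimer.
    return 0 if $from_own_mx && header_present($headers_path, $MARKER);
    return 1;
}

sub filter_end {
    my ($entity) = @_;
    return unless should_add_disclaimer($RelayAddr, './HEADERS');
    # Drop any marker that arrived with the message, then set our own.
    action_delete_all_headers($MARKER);
    action_add_header($MARKER, 'Yes');
    append_text_boilerplate($entity, "** DISCLAIMER **\n", 0);
}

# Stand-alone demo on a constructed HEADERS file (skipped when the file is
# loaded by MIMEDefang, because caller() is then true).
unless (caller) {
    require File::Temp;
    my ($fh, $path) = File::Temp::tempfile(UNLINK => 1);
    print {$fh} "Received: from mx1.example.com (constructed sample)\n",
                "Subject: test\n",
                "x-disclaimer-added: Yes\n";
    close($fh);
    for my $relay ('192.0.2.10', '203.0.113.7') {
        printf "%-12s -> %s\n", $relay,
            should_add_disclaimer($relay, $path) ? 'add disclaimer' : 'skip';
    }
}
```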


Re: [Mimedefang] boilerplate on multiple MX machines

2004-03-15 Thread J.D. Bronson

On Mon, 15 Mar 2004, J.D. Bronson wrote:

> I have been able to delete some headers (X-VirusBLAH) and insert a new one
> (so there is only 1 added) but dont know how to do this with a boilerplate
> disclaimer.

Simplest way is to add an X-Disclaimer-Added: Yes header, and check for
its presence before you add your disclaimer.

I thought I would post how I did this. I am not sure it's correct, but it
works exactly as I expect it to:

sub filter_end {
    ...
    ...
    action_rebuild();
    # skip the boilerplate if the marker header was already added
    return if (in_message_context("X-Disclaimer-Added"));
    action_add_header('X-Disclaimer-Added', "YES");
    append_text_boilerplate($entity, "** DISCLAIMER **\n", 0);
}

..I hope that's correct and that it helps someone else with the same problem
later on :)

If this is wrong, someone please tell me :)

Thanks again guys..now if I can only get rid of these text attachments :(





--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: [EMAIL PROTECTED] // Pager: 414.314.8282
** DISCLAIMER **
Per Anti-Virus Policy, this e-email has been scanned for viruses.
Scanned clean by F-PROT ANTIVIRUS 4.4.0 - http://www.f-prot.com 



Re: [Mimedefang] boilerplate on multiple MX machines

2004-03-15 Thread J.D. Bronson
At 06:35 PM 3/15/2004, you wrote:
> Why not just add a header like:
>
> X-wixb-disclaimer: Yes
>
> then check for that header and don't add the boilerplate if it exists.
>
> Regards,
> KAM

thanks Guys...I think I can figure this idea out :)





--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: [EMAIL PROTECTED] // Pager: 414.314.8282


[Mimedefang] users seeing strange text attachments??

2004-03-15 Thread J.D. Bronson
After I installed 2.40 (first time installer)...I am now seeing (using some 
email clients) text attachments that are the exact same thing as in the 
body of the email! - My email client (Eudora) does not show this, but 
Pegasus does.

I have tried turning on/off some features like:
remove_redundant_html_parts($entity);
action_rebuild();
Neither made any difference. I do add 'X-scanned' headers but I don't think
that this would cause these attachments.

Here is the /var/log/maillog for this last message that showed this 'text' 
attachment:


from=<[EMAIL PROTECTED]>, size=1439, class=0, nrcpts=1, msgid=<6.1.0.3.2.200
proto=ESMTP, daemon=MTA, relay=thinkpad [192.168.82.5]
 Milter add: header: X-Virus-Scanned-By: F-PROT ANTIVIRUS
 Milter change: header  Content-Type: from text/plain; charset="us-ascii"; fo
rmat=flowed to multipart/mixed; boundary="--=_1079398238-362-0"
i2G0oc6p000366: Milter change: header  MIME-Version: from 1.0 to 1.0
 i2G0oc6p000366: Milter message: body replaced
 i2G0oc6p000366: Milter add: header: X-Scanned-By: MIMEDefang 2.40
i2G0oc6p000366: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (100/10), 
delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31972, relay=local, 
dsn=2.0.0, stat=Sent
==

I would like to STOP these attachments somehow...

Help?

Thanks!



--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: [EMAIL PROTECTED] // Pager: 414.314.8282


Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread David F. Skoll
On Mon, 15 Mar 2004, John Barton wrote:

> AFAIK, reiser4 is still pretty early in development, and not ready for
> production servers. Another option is if you are already using ext3, try
> mounting the filesystem with the data=writeback option, this causes the
> journalling to act more like reiser, and has been shown to offer a big
> performance increase by itself.

A while back, Nick Christenson tested various Linux file systems with
Sendmail and didn't find much difference between them.

His book is excellent; highly recommended if you're going to run a busy
mail server:

http://www.jetcafe.org/~npc/book/sendmail/

--
David.


Re: [Mimedefang] boilerplate on multiple MX machines

2004-03-15 Thread Kevin A. McGrail
Why not just add a header like:

X-wixb-disclaimer: Yes

then check for that header and don't add the boilerplate if it exists.

Regards,
KAM
- Original Message - 
From: "J.D. Bronson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 15, 2004 7:13 PM
Subject: [Mimedefang] boilerplate on multiple MX machines


> I have figured out how to use a disclaimer at the end of mimedefang-filter
> and it works well.
>
> Well TOO well. Each time the email passes from one machine to the next,
> another duplicate disclaimer is added. (as expected of course)
>
> I don't need to eliminate internal LAN-to-LAN disclaimers, but want a way to
> have mimedefang only add (1) disclaimer.
>
> I have been able to delete some headers (X-VirusBLAH) and insert a new one
> (so there is only 1 added) but dont know how to do this with a boilerplate
> disclaimer.
>
> Is this possible and how?
>
>   Thanks!
>
>
>
>
>
> -- 
> J.D. Bronson
> Aurora Health Care // Information Services // Milwaukee, WI USA
> Office: 414.978.8282 // Email: [EMAIL PROTECTED] // Pager: 414.314.8282
>
>
> ** DISCLAIMER **
> Per Anti-Virus Policy, this e-email has been scanned for viruses.
> Scanned clean by F-PROT ANTIVIRUS 4.4.0 - http://www.f-prot.com
>
>








Re: [Mimedefang] boilerplate on multiple MX machines

2004-03-15 Thread David F. Skoll
On Mon, 15 Mar 2004, J.D. Bronson wrote:

> I have been able to delete some headers (X-VirusBLAH) and insert a new one
> (so there is only 1 added) but dont know how to do this with a boilerplate
> disclaimer.

Simplest way is to add an X-Disclaimer-Added: Yes header, and check for
its presence before you add your disclaimer.

Alternatively, check the relay IP, and if it's coming from another of your
machines, don't bother (re-)adding the disclaimer.

--
David.


Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread John Barton

AFAIK, reiser4 is still pretty early in development, and not ready for
production servers. Another option is if you are already using ext3, try
mounting the filesystem with the data=writeback option, this causes the
journalling to act more like reiser, and has been shown to offer a big
performance increase by itself.
-John

John Barton
[EMAIL PROTECTED]

>
> I'm even willing to try Reiser4.  Anybody tested this with MIMEDefang?
> It's supposed to be about twice as fast at everything except deleting, but
> it also uses twice as much CPU.
>
>
> --Aaron





[Mimedefang] boilerplate on multiple MX machines

2004-03-15 Thread J.D. Bronson
I have figured out how to use a disclaimer at the end of mimedefang-filter 
and it works well.

Well TOO well. Each time the email passes from one machine to the next, 
another duplicate disclaimer is added. (as expected of course)

I don't need to eliminate internal LAN-to-LAN disclaimers, but want a way to
have mimedefang only add (1) disclaimer.

I have been able to delete some headers (X-VirusBLAH) and insert a new one
(so there is only 1 added) but don't know how to do this with a boilerplate
disclaimer.

Is this possible and how?

 Thanks!





--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: [EMAIL PROTECTED] // Pager: 414.314.8282
** DISCLAIMER **
Per Anti-Virus Policy, this e-email has been scanned for viruses.
Scanned clean by F-PROT ANTIVIRUS 4.4.0 - http://www.f-prot.com 



Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread Aaron Paetznick
I'm even willing to try Reiser4.  Anybody tested this with MIMEDefang?
It's supposed to be about twice as fast at everything except deleting, but
it also uses twice as much CPU.

--Aaron



Lucas Albers wrote:

> Andrew J Caird said:
>
> > email), but several small, fast disks would serve you well.  The ideal
> > situation (well, in my opinion) is: one disk for OS and logs; one disk for
> > /var/spool/mqueue; one disk for the MD quarantine; enough RAM for a
> > RAMdisk for MD's working directory.  If these servers will handle outgoing
> > email, you'll need a bigger mqueue, probably.  If you have multiple
> > controllers, you can put either mqueue or the MD quarantine on its own
> > controller.
>
> I read somewhere that reiserfs is faster than ext3 on small file
> deletion/creation.
> Typical mail load.
> On a high load site, would type of file system really matter?


[Mimedefang] greylisting in filter_end after SA check?

2004-03-15 Thread Cahya Wirawan
Currently I use greylisting in filter_begin with a 4-minute
block time; it works fine and reduces most of the spam. But
a few spams still slip through with a score between 3 and 6
(my score threshold is 6). My idea is to reply to the sender with a temporary
failure message if the score is between 3 and 6 and set the block time
to an hour, in the hope that if the spam comes again an hour or more
later, I will already have more information from rbl, razor, dcc or so.
With this selectively longer block time, only hard-to-detect spam or
new triples for legitimate email that looks like spam will be delayed
for an hour, but new triples with easily detected legitimate email will have
only a 4-minute block time.
So the question is whether someone else is doing this additional block time
for specific scores and whether it is worth doing (does hard-to-detect spam
get a higher score after an hour?). Another question is whether it is OK
to send a temporary failure message in filter_end (I think this is OK,
isn't it? I just want to be sure :) )

thanks,
cahya.
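
The two-tier scheme described in this post, written out as an added example that is not part of the original message: every new triple waits 4 minutes, and a triple whose message scores between 3 and 6 must have waited an hour. The in-memory store, the triple format, the helper names and the tempfail text are assumptions; `spam_assassin_check` and `action_tempfail` are MIMEDefang filter functions.

```perl
#!/usr/bin/perl
# Added example: greylisting delay chosen by spam score.
use strict;
use warnings;

our ($RelayAddr, $Sender, @Recipients);   # envelope globals set by MIMEDefang

my $SHORT_DELAY = 4 * 60;      # block time for every new triple (from the post)
my $LONG_DELAY  = 60 * 60;     # block time for scores in the grey zone
my ($LOW, $HIGH) = (3, 6);     # grey zone: $LOW <= score < $HIGH (threshold 6)

# Constructed in-memory store. A real filter needs storage shared by all
# MIMEDefang slave processes (a DB file, for instance); that is not shown.
my %first_seen;

# Seconds a triple must have waited before a message with this score passes.
sub required_delay {
    my ($score) = @_;
    return $LONG_DELAY if defined($score) && $score >= $LOW && $score < $HIGH;
    return $SHORT_DELAY;
}

# Decide 'tempfail' or 'accept' for one delivery attempt.
# $score is undef in filter_begin, where SpamAssassin has not run yet.
sub greylist_decision {
    my ($triple, $now, $score) = @_;
    $first_seen{$triple} = $now unless exists $first_seen{$triple};
    my $waited = $now - $first_seen{$triple};
    return $waited >= required_delay($score) ? 'accept' : 'tempfail';
}

# Second tier, after the SpamAssassin check. Keying the triple on the first
# recipient only is a simplification made for this sketch.
sub filter_end {
    my ($entity) = @_;
    my ($hits) = spam_assassin_check();
    my $triple = join('|', $RelayAddr, $Sender, $Recipients[0]);
    if (greylist_decision($triple, time(), $hits) eq 'tempfail') {
        action_tempfail('Greylisted, please try again later');
    }
}

# Stand-alone demo with a constructed clock and constructed triples
# (skipped when the file is loaded by MIMEDefang).
unless (caller) {
    my $t0 = 1_000_000;
    my @attempts = (
        # [triple, seconds after t0, score (undef = before SpamAssassin)]
        ['192.0.2.1|a@example.com|u@example.net',         0, undef],
        ['192.0.2.1|a@example.com|u@example.net',       300, 1.2],
        ['198.51.100.9|s@example.org|u@example.net',      0, undef],
        ['198.51.100.9|s@example.org|u@example.net',    300, 4.5],
        ['198.51.100.9|s@example.org|u@example.net',   3700, 4.5],
    );
    for my $a (@attempts) {
        my ($triple, $offset, $score) = @$a;
        printf "t+%-5d score=%-4s %-45s %s\n", $offset,
            defined($score) ? $score : 'n/a', $triple,
            greylist_decision($triple, $t0 + $offset, $score);
    }
}
```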
 


Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread Lucas Albers
Andrew J Caird said:
> email), but several small, fast disks would serve you well.  The ideal
> situation (well, in my opinion) is: one disk for OS and logs; one disk for
> /var/spool/mqueue; one disk for the MD quarantine; enough RAM for a
> RAMdisk for MD's working directory.  If these servers will handle outgoing
> email, you'll need a bigger mqueue, probably.  If you have multiple
> controllers, you can put either mqueue or the MD quarantine on its own
> controller.

I read somewhere that reiserfs is faster than ext3 on small file
deletion/creation.
Typical mail load.
On a high load site, would type of file system really matter?

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread David F. Skoll
On Mon, 15 Mar 2004, Aaron Paetznick wrote:

> Ok I have a silly question then.  Why doesn't MIMEDefang have a runtime
> option to use shared memory or some other more intrinsic method?  Surely
> a ram disk is a functional but inelegant solution.

Because all the add-ons (virus scanners, Perl modules, ...) expect to
be handed a file.  (At the very least, *everything* works if handed a
file -- it's the least common denominator.)  While MIME::tools itself
is perfectly happy to store decoded parts into memory, you'd have to
modify all the other tools to work together with it.

A ramdisk is much simpler and more portable.  (Creating a ramdisk is
not portable, of course, but using one is.)

Regards,

David.


Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread Aaron Paetznick


David F. Skoll wrote:

> You must, must, _must_, use a ramdisk for the /var/spool/MIMEDefang
> directory.
> Did I mention that you need to use a ramdisk for /var/spool/MIMEDefang?

Ok I have a silly question then.  Why doesn't MIMEDefang have a runtime
option to use shared memory or some other more intrinsic method?  Surely
a ram disk is a functional but inelegant solution.

--Aaron





Re: [Mimedefang] mimedefang-multiplexor: Unable to activate slave #

2004-03-15 Thread David F. Skoll
On Sun, 14 Mar 2004, Jon R. Kibler wrote:

> Ran into a MD error we have never seen before and we are not sure
> what is going on here. MD was restarted about an hour before this
> occurred (sendmail change).  Question: What causes the error "Unable
> to activate slave"?

Usually, it's fork() failing because of overload, but I don't see
anything in your log indicating that this is what happened.
Strange...

--
David.


Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread Matthew Schumacher
Kenneth,

Please read the FAQ it's right under your nose!!!

schu

Kenneth Porter wrote:
> --On Monday, March 15, 2004 2:38 PM -0500 "David F. Skoll"
> <[EMAIL PROTECTED]> wrote:
>
> > You must, must, _must_, use a ramdisk for the /var/spool/MIMEDefang
> > directory.
>
> Any pointers to a HOWTO for setting up the ramdisk? I'm about to set up
> a new server with enough memory to make it worthwhile.



Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread David F. Skoll
On Mon, 15 Mar 2004, Kenneth Porter wrote:

> Any pointers to a HOWTO for setting up the ramdisk? I'm about to set up a
> new server with enough memory to make it worthwhile.

http://www.mimedefang.org/node.php?id=27
http://www.mimedefang.org/node.php?id=28

Regards,

David.


Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread Kenneth Porter
--On Monday, March 15, 2004 2:38 PM -0500 "David F. Skoll" 
<[EMAIL PROTECTED]> wrote:

> You must, must, _must_, use a ramdisk for the /var/spool/MIMEDefang
> directory.

Any pointers to a HOWTO for setting up the ramdisk? I'm about to set up a
new server with enough memory to make it worthwhile.



Re: [Mimedefang] email wire tap

2004-03-15 Thread Matthew Schumacher
I call procmail in filter mode to do this because I didn't want to deal 
with the mailbox locking issues when trying to write email to a file 
from a mimedefang filter.  I also wanted mbox format which procmail does 
very well.

Another reason for this is the mail headers are not absolutely complete 
when the milter is called so mimedefang doesn't see the last received 
header which I wanted to capture anyway.

If you already use procmail for your LDA then this is trivial, but I am 
using the cyrus LDA.

As far as the performance hit goes, there is some, but I would MUCH 
rather call procmail than non persistent perl.

schu

Charles Mount wrote:
> I have two similar needs for sending mail to an additional recipient.
> Our security department has asked for the ability to have a copy of all
> mail to/from a given single address or entire domain  sent to a security
> mailbox in addition to the original destination.  The equivalent of an
> email wire tap
> I would also like to be able keep a copy of all mail received for a brief
> period of time to hand sort for initial Bayes training.
> Has anyone used MimeDefang to do something like this?





This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit written
agreement or government initiative expressly permitting the use of e-mail
for such purpose.





[Mimedefang] clamav 0.68 and 0.70-rc

2004-03-15 Thread Jason Englander
...are out.  http://www.clamav.net/

-- 
Jason Englander <[EMAIL PROTECTED]>
394F 7E02 C105 7268 777A  3F5A 0AC0 C618 0675 80CA



Re: [Mimedefang] email wire tap

2004-03-15 Thread Matthew Schumacher


David F. Skoll wrote:
> Both of these can be done by setting up an "archive" account that uses procmail
> or something similar to do the archiving.  Then it's just a matter of:
>
> if (the_right_conditions_are_met()) {
> add_recipient('[EMAIL PROTECTED]');
> }

This was an issue at my place of work so this is how I got around it:

# archive messages from domain.com
:0
* FROM ?? domain.com
{
  :0 c
  /var/mail/archive/$DATE-$FROM
}

# archive messages to domain.com
:0
* TO ?? domain.com
{
  :0 c
  /var/mail/archive/$DATE-$TO
}

This will break out the archive to each employee on each day.  Every
night I compress and gpg encrypt the messages.  If something happens and
someone needs to read some mail they must request the messages from one
person and the public key from another.  This keeps people from spying
and ensures a legit reason when looking through email.

David, not only is this legal in the US, but after Enron, the courts 
encourage it!!  Pretty lame if you ask me, but such is life.

schu


[Mimedefang] SOLVED Re: MIMEDefang Bug? Nope, looks like a sendmail issue/bug/implementation?

2004-03-15 Thread Kevin A. McGrail
Thank You!

This was the hint I needed.  The issue was DNS related.

I have removed the wildcard DNS issue and will investigate more about
canonification and why it works in other cases, etc.

Regards,
KAM


> Get rid of this wildcard record:
>
> *.somewhere.com.86400   CNAME   somewhere.com.
>
> or turn off hostname canonification, see cf/README.



[Mimedefang] email wire tap

2004-03-15 Thread Charles Mount
I have two similar needs for sending mail to an additional recipient.
Our security department has asked for the ability to have a copy of all
mail to/from a given single address or entire domain  sent to a security
mailbox in addition to the original destination.  The equivalent of an
email wire tap
I would also like to be able keep a copy of all mail received for a brief
period of time to hand sort for initial Bayes training.

Has anyone used MimeDefang to do something like this?







Re: [Mimedefang] email wire tap

2004-03-15 Thread David F. Skoll
On Mon, 15 Mar 2004, Charles Mount wrote:

> I have two similar needs for sending mail to an additional recipient.
> Our security department has asked for the ability to have a copy of all
> mail to/from a given single address or entire domain  sent to a security
> mailbox in addition to the original destination.  The equivalent of an
> email wire tap
> I would also like to be able keep a copy of all mail received for a brief
> period of time to hand sort for initial Bayes training.

Both of these can be done by setting up an "archive" account that uses procmail
or something similar to do the archiving.  Then it's just a matter of:

if (the_right_conditions_are_met()) {
add_recipient('[EMAIL PROTECTED]');
}

As far as the e-mail wiretap usage goes, you'd best check with your
legal department first before implementing something like this.  It's
probably legal in the US, but it may be illegal in some other countries
to tap an employee's mail without his knowledge and/or consent.

Regards,

David.
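
One way to fill in `the_right_conditions_are_met()` for the "copy mail to/from one address or a whole domain" case, as an added example that is not part of the original post: match the envelope sender and recipients against a watch list and call add_recipient once. The archive address, the watch list and the helper names are placeholders; `$Sender` and `@Recipients` are MIMEDefang's envelope globals.

```perl
#!/usr/bin/perl
# Added example: decide when to copy a message to an archive mailbox.
use strict;
use warnings;

our ($Sender, @Recipients);    # envelope globals provided by MIMEDefang

# Placeholders: the archive mailbox and the addresses/domains to copy.
my $ARCHIVE = 'archive@example.com';
my @WATCH   = ('someone@example.com', '@example.org');   # address or @domain

# Envelope addresses may arrive as "<User@Example.COM>"; normalise them.
sub canon {
    my ($addr) = @_;
    $addr = '' unless defined $addr;
    $addr =~ s/^\s*<?//;
    $addr =~ s/>?\s*$//;
    return lc $addr;
}

# True if $addr equals a watched address or lies in a watched "@domain".
sub is_watched {
    my ($addr) = @_;
    $addr = canon($addr);
    for my $w (map { lc($_) } @WATCH) {
        if ($w =~ /^\@/) {
            # Whole-domain match: the leading "@" keeps notexample.org out.
            return 1 if length($addr) > length($w)
                     && substr($addr, -length($w)) eq $w;
        } else {
            return 1 if $addr eq $w;
        }
    }
    return 0;
}

sub needs_archive_copy {
    my ($sender, @rcpts) = @_;
    # Already addressed to the archive (for example a resent copy that is
    # passing through the filter again): nothing to add.
    return 0 if grep { canon($_) eq lc($ARCHIVE) } @rcpts;
    return 1 if is_watched($sender);
    return 1 if grep { is_watched($_) } @rcpts;
    return 0;
}

sub filter_end {
    my ($entity) = @_;
    # As noted in this thread, no copy is delivered if the message is later
    # bounced or discarded, and the copy reflects any modifications made.
    add_recipient($ARCHIVE) if needs_archive_copy($Sender, @Recipients);
}

# Stand-alone demo on constructed envelopes (skipped inside MIMEDefang).
unless (caller) {
    my @cases = (
        ['<someone@example.com>', '<bob@example.net>'],
        ['<alice@example.net>',   '<Carol@Example.ORG>'],
        ['<alice@example.net>',   '<x@notexample.org>'],
        ['<someone@example.com>', '<archive@example.com>'],
    );
    for my $c (@cases) {
        my ($from, @to) = @$c;
        printf "%-24s -> %-24s %s\n", $from, "@to",
            needs_archive_copy($from, @to) ? 'copy' : 'no copy';
    }
}
```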


Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread Andrew J Caird
Quoting Aaron Paetznick <[EMAIL PROTECTED]>:

> 
> I'm assembling several front-end MIMEDefang filter servers.  These 
> machines will be used to filter incoming email and pass it along to our 
> mailstore.  They will be under extremely heavy load.  I'm wondering how 
> I/O intensive the Sendmail/MIMEDefang combination is in a setup like 
> this.  I would also be using File::Scan and clamd.
> 
> Could I get by with SATA drives, or should I go all out and get the 15K 
> SCSI models?  If I skimp on the drives I might be able to get a second 
> whole machine.  When used in this configuration, will CPU, memory, or 
> I/O be the bottleneck?
> 
> Thanks.
> 
> --Aaron

Aaron,

  In situations like the one you described, I/O is almost always the bottleneck,
followed by memory, then CPU.  If you skim the archives of this list, there is
a fair bit of discussion about putting parts of MD on RAM-based filesystems to
improve performance.

  For running sendmail in general, I/O is the central issue.  A good reference
for addressing this issue is "sendmail Performance Tuning" by Nick Christenson,
although he doesn't address the additional burdens imposed by milter.

  I don't know your budget or your definition of "extremely heavy load", but on
the assumption that your email volume won't decrease as the years go on,
investing in fast disks now might not be a bad plan.

  In addition to spindle speed, you might want to consider the number of
spindles and controllers.  That is, keeping the MD quarantine (if you're
planning on quarantining things) on a separate disk from the mqueue directory
is a good idea, if you have the drive bays to support that.  Modern controllers
can handle reasonable loads to different disks, but, again, you can consider
separate controllers, too.

  It sounds like you may not need a lot of space, if these will simply be
passing incoming email on to internal hosts.  Assuming your internal mail hosts
are reliable (or at least closely watched), you probably don't need big disks
on your relay hosts (unless, again, you are planning on quarantining a lot of
email), but several small, fast disks would serve you well.  The ideal
situation (well, in my opinion) is: one disk for OS and logs; one disk for
/var/spool/mqueue; one disk for the MD quarantine; enough RAM for a RAMdisk for
MD's working directory.  If these servers will handle outgoing email, you'll
need a bigger mqueue, probably.  If you have multiple controllers, you can put
either mqueue or the MD quarantine on its own controller.  

  Hope this helps.
--
Andrew Caird


Re: [Mimedefang] Estimate of maximum messages via MD

2004-03-15 Thread Stephen L Johnson
On Fri, 2004-03-12 at 14:46, G. Roderick Singleton wrote:
> I am involved with an OSS project that is in desperate need of a tool
> like MD. Traffic is heavy, say in the order of 100k messages per day.
> Does any one use MD to handle this load and what configuration is
> needed?
> 
> Please reply directly and I will summarize to the list.

We are planning a rollout that should be able to handle 500K messages per
day on a server.

Dual P3 1.2 GHz, 4GB RAM, 4x36 GB drives for spool storage. The
Mimedefang work directory will be a 250MB ram disk.

From my experience on a couple of smaller scale MD servers (Dual P3
800Mhz w/ 512MB of RAM), the important thing is having enough
RAM.
1) Having the MD work directory in RAM. Saves tons on disk I/O
2) Having enough RAM to enough MD slaves to handle the mail load.

Moving the MD directory from hard disk to a RAM drive was the biggest
boost to throughput. The smaller servers went from straining  1.5
msg/second to being able to handle upwards of 3 msg/second. And there
are servers with 512MB of RAM. And they handle roughly 20,000 incoming
e-mail a day. They are operating at a load average of .7.

-- 
Stephen L Johnson   [EMAIL PROTECTED]
Unix Systems Administrator  [EMAIL PROTECTED]
Department of Information Systems
State of Arkansas
501-682-4339



[Mimedefang] MIMEDefang Bug? Nope, looks like a sendmail issue/bug/implementation?

2004-03-15 Thread Kevin A. McGrail
Good Morning,

The following scenario was originally reported as a possible bug in
MIMEDefang.  However, further testing shows that it is an issue/error in
sendmail but I would appreciate feedback if anyone has seen anything similar
because this is driving me up a wall.

Here is the original scenario (based on some thoughts of what might be
causing the issue) and the steps we went through to try and resolve the
issue:

NOTE: Yes, we did make all the DB files and restart sendmail in between all
the tests.

Using MIMEDefang
FEATURE(always_add_domain)dnl
using virtusertable with a catchall for @defaultdomainadded.com
A user emails a domain that doesn't exist, the email is rewritten from:
[EMAIL PROTECTED] to [EMAIL PROTECTED]
The user does not get a bounce that the email did not arrive because the
catchall gets it instead (see header below).



Next Step:
Turning off always_add_domain did not fix the issue.  Same output
received.

Third Step:
Turning off the catchall (I tried editing AND a blank virtusertable same
result on both) AND the always add gives a user the error: "The message
could not be sent because one of the recipients was rejected by the server.
The rejected e-mail address was '[EMAIL PROTECTED]'. Subject 'test',
Account: 'SUMMER', Server: 'mail.somewhere.com', Protocol: SMTP, Server
Response: '550 5.1.1 <[EMAIL PROTECTED]>... User unknown', Port: 2025,
Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79"

We should get a Host unknown error, not

Fourth Step:
Turning off MIMEDefang seems to point that this is a sendmail issue:

sendmail[18643]: i2DDb8lq018643: <[EMAIL PROTECTED]>... User unknown

So it looks to me like instead of a domain not resolvable error or what
not, we get a user unknown error

Fifth Step:
Upgraded to sendmail 8.12.11 with no apparent change in the behavior.

Sixth Step:
Another system setup similarly gave the proper  DSN: Host unknown (Name
server: kjdsakjajd.com: host not found).  Looked and looked for differences
and can't find one.

Seventh Step:
Change DNS resolution to same as system that worked proper without
success.

Eighth Step:
Changed to same sendmail.mc from machine that worked without success.


So essentially we have a standard sendmail installation from source that
doesn't seem to be handling unresolvable domains in the to: properly.
Anyone have any pointers?

Regards,
KAM

Header from Actual email showing the issue.  Note the for and the to
differences. (Slightly modified to protect the server)

Return-Path: <[EMAIL PROTECTED]>
Received: from account2 (ip68-228-14-63.dc.dc.cox.net [68.228.14.63])
 by mail.somewhere.com (8.12.10/8.12.10) with SMTP id i2DDOOpg018283
 for <[EMAIL PROTECTED]>; Sat, 13 Mar 2004 08:24:24 -0500
Message-ID: <[EMAIL PROTECTED]>
From: "Kevin A. McGrail" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: test
Date: Sat, 13 Mar 2004 08:13:21 -0500
MIME-Version: 1.0
Content-Type: text/plain;
 charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Scanned-By: MIMEDefang 2.38
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
 mail.somewhere.com
X-Spam-Status: No, hits=-4.9 required=6.5 tests=BAYES_00 autolearn=ham
 version=2.63
X-Spam-Level:



Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread David F. Skoll
On Mon, 15 Mar 2004, Aaron Paetznick wrote:

> I'm assembling several front-end MIMEDefang filter servers.  These
> machines will be used to filter incoming email and pass it along to our
> mailstore.  They will be under extremely heavy load.  I'm wondering how
> I/O intensive the Sendmail/MIMEDefang combination is in a setup like
> this.  I would also be using File::Scan and clamd.

You must, must, _must_, use a ramdisk for the /var/spool/MIMEDefang
directory.

Did I mention that you need to use a ramdisk for /var/spool/MIMEDefang?

If you do that, then the I/O load is approximately the same as for
normal Sendmail.  Ideally, you want /var/spool/mqueue to be on a dedicated,
fast drive.  You also want to configure syslog not to flush to disk after
each log message.  In Linux, you do that by prefixing the output file
name in /etc/syslog.conf with "-".

> When used in this configuration, will CPU, memory, or I/O be the
> bottleneck?

Yes.

Seriously, it depends on the e-mail pattern.  Memory pressure is usually
quite high on busy machines; you want lots of RAM.  Once you have enough
memory, CPU and I/O pretty much fight it out evenly for the honor of
being the bottleneck (at least on a well-configured machine.)

Regards,

David.


Re: [Mimedefang] MD I/O intensive?

2004-03-15 Thread Kevin A. McGrail
If it were my choice, I would increase the RAM as much as possible, use
3ware SATA RAID and RAM disks for MIMEDefang processing.  Also, I would try
and go for a Dual CPU Xeon before going to two boxes to avoid the excess
administrivia.

The bottleneck is typically your internet connection as MD is lightning fast
without the network tests enabled.

Define: Extremely Heavy Load in terms of how many emails per day avg.

Regards,
KAM

> I'm assembling several front-end MIMEDefang filter servers.  These
> machines will be used to filter incoming email and pass it along to our
> mailstore.  They will be under extremely heavy load.  I'm wondering how
> I/O intensive the Sendmail/MIMEDefang combination is in a setup like
> this.  I would also be using File::Scan and clamd.
>
> Could I get by with SATA drives, or should I go all out and get the 15K
> SCSI models?  If I skimp on the drives I might be able to get a second
> whole machine.  When used in this configuration, will CPU, memory, or
> I/O be the bottleneck?



[Mimedefang] Mimedefang and DSPAM

2004-03-15 Thread James Miller
Hi All,

Has anyone come up with an example of adding DSPAM checking into Mimedefang?
I 'googled' for it and didn't find anything useful.


Thanks,
Jim



RE: [Mimedefang] Check this X-header out

2004-03-15 Thread Wesley Peters
On Monday, March 15, 2004 7:54 AM, David F. Skoll  alleged:

> On Mon, 15 Mar 2004, Ben Kamen wrote:
> 
>> Has anyone else seen this - I just looked at a spam and saw:
> 
>> X-Habeas-SWE-1: winter into spring
> 
> ..etc..
> 
> This is Habeas's idea to allow "legitimate" bulk e-mail through.
> Basically:
> 
> - Habeas copyrights a Haiku.
> - Habeas licenses the Haiku to "legitimate" e-mail senders.
> - Habeas convinces anti-spam vendors to permit mail with the Haiku in it
>   to pass.  In SpamAssassin, this is the HABEAS_SWE rule, with a default
>   score of -8.0
> - If spammers abuse the Habeas mark, Habeas sues for copyright violation.
> 
> Unfortunately, in my experience, spammers _do_ abuse the Habeas mark, so
> I've nuked the HABEAS_SWE score down to zero.  Sorry, Habeas; nice idea,
> but criminals who think nothing of taking over armies of computers to
> send spam are unlikely to be perturbed by copyright violation.

At SpamCon, several participants joked that the Habeas notice has
actually become a very good predictor of spam, since it hasn't
achieved widespread acceptance anywhere but spammers trying to
blow through your filters.

As always, YMMV.

-- Wes




RE: [Mimedefang] Ram based directory on FreeBSD 5.2x

2004-03-15 Thread Wesley Peters
On Wednesday, March 10, 2004 5:56 PM, J.D. Bronson  alleged:

> At 07:07 PM 3/10/2004, you wrote:
>>>>   -p permissions
>>> <---SNIP--->
>>>>   -w user:group
>>> <---SNIP--->
>>>> These can be specified along with the rest of the mount options.  You
>>>> have to do it this way, since memory disks evaporate during shutdown,
>>>> there isn't anywhere else to record ownership and permissions. (*)
>>> 
>>> However, if you read the full man page you'll discover that under 5.x
>>> you can't put these options in 5.x.  I know, I tried.  For legacy
>>> support (hah) 
>>> 5.x doesn't support these.
>>> 
>>> I suspect the only answer is to raise a PR, but given the claim of
>>> legacy support I don't hold out much hope :(
>> 
>> You're right, when called as 'mount_mfs' it refuses to recognize -w
>> or -p.  Until somebody does something to replace it, mount_mfs needs
>> to stay functional.  If you file a PR, I'll fix it.  How's that for
>> support? 
>> 
>> 
>> -- Wes (aka [EMAIL PROTECTED])
> 
> 
> I personally filed this 'PR' today (03-10-2004).
> 
> Thanks.
> 
>   -JDB

Thank you.  I just put it into feedback.  Please reply to the PR
if/when the script meets your needs and I'll close it out (or 
fix any problems you encounter).

-- Wes



RE: [Mimedefang] Ram based directory on FreeBSD 5.2x

2004-03-15 Thread Wesley Peters
On Wednesday, March 10, 2004 11:29 PM, Rob  alleged:
>> 
>> Do you need more than this?  There's a better (more 5.x-ish) way to do
>> this; but it needs a starter script in /etc/rc.d and a configuration
>> knob in /etc/rc.conf.  I'll look into that, but you wouldn't see such
>> a feature in a "release" version until 5.3.
> 
> As long as there is some way to call it from fstab that allows you to run in
> non-compatibility mode I don't expect there's a problem.  It's that darn
> compatibility mode :)  I personally would be happy with, say, mount_md as
> a hard link so that you can still provide full backwards support, while
> providing access to the full power of mdmfs (actually, that's exactly the
> hack I did on my own box - manually created a link).
> 
> Thanks for offering to fix this.  As somebody else has already raised a PR I
> won't.

I just committed the attached script to FreeBSD-CURRENT.  

NOTE: this script is NOT written for FreeBSD 4.x and won't do you a 
bit of good there.  If you're waiting for 5.3 to upgrade to FreeBSD
5, don't worry, it'll be there when you get there.

To use this, plunk it in /etc/rc.d with ownership and permissions the 
same as everything else in there.  You can configure as many 'ramdisks' 
as you like with the following settings in /etc/rc.conf:

ramdisk_units="n [n ...]"

A list of the md "unit numbers" to configure.  To configure md10 and md11 
use:

ramdisk_units="10 11"

You must specify at least a type for each ramdisk.  For each given type, 
there may be additional required options, such as a size for memory-based
types.  Note: since this runs BEFORE the fstab mounts, you will 
not be able to specify file-backed md devices; that is why the script 
is named 'ramdisk'.

ramdisk_{unit}_mdoptions="{mdconfig -a options}"

Examples:

ramdisk_10_mdoptions="-t malloc -s 64m"
ramdisk_11_mdoptions="-t swap -s 1g"

You may optionally specify the options used to newfs each ramdisk with:

ramdisk_{unit}_fsoptions="{newfs options}"

Examples:

ramdisk_10_fsoptions="-b 2096 -f 512"
ramdisk_11_fsoptions="-O 1"

These options are passed directly to the newfs command.  No setting will
probably work in the general case; the "-b 2096 -f 512" settings are
suitable for relatively small ramdisks.

You can optionally specify ownership and permissions with:

ramdisk_{unit}_owner="{owner}"
ramdisk_{unit}_perms="{perms}"

where {owner} is any ownership specification suitable for the chown(1)
program and {perms} is any permission specification suitable for the
chmod(1) program.  The ownership and permission settings are applied
to the /dev/md{unit} device file after mdconfig -a and newfs have 
been run.

Sorry to spam the list with this volume of information, but I want
FreeBSD 5.x to be THE platform of choice for MIMEDefang users.  ;^)




[Mimedefang] MD I/O intensive?

2004-03-15 Thread Aaron Paetznick
I'm assembling several front-end MIMEDefang filter servers.  These 
machines will be used to filter incoming email and pass it along to our 
mailstore.  They will be under extremely heavy load.  I'm wondering how 
I/O intensive the Sendmail/MIMEDefang combination is in a setup like 
this.  I would also be using File::Scan and clamd.

Could I get by with SATA drives, or should I go all out and get the 15K 
SCSI models?  If I skimp on the drives I might be able to get a second 
whole machine.  When used in this configuration, will CPU, memory, or 
I/O be the bottleneck?

Thanks.

--Aaron



Re: [Mimedefang] W32/Bagle.p@MM spreading as rar

2004-03-15 Thread Paul Whittney
From the sysadmin point of view: The only way to be sure is to educate 
your users.

* Don't open any attachment if you were not expecting one,
* If it's a zip or rar file, verify that the sender sent it,
* If unsure ask a sysadmin for help

Hey, maybe I should add an inline warning with the above info in for all
internal users, if a zip or rar file should come in. You could put a
nice notice, telephone number, and URLs for more info into it, in the
chance that they might read it.

MIMEDefang does a great job, with or without SA hooks, but it can't do
your job for you.

I've had enough problems with "So, well.. I ran this zip file from 
such and such, yes it needed a password, but they sent that, and now my
computer is running really slow... hey, why did you unplug my network
cable?". What's next? The .txt file that you have to rename to .exe, then
double click it?

-Paul Whittney

On Mon, Mar 15, 2004 at 01:00:26PM -0500, Kevin A. McGrail wrote:
> I am fairly 99% certain that you need WinRar to uncompress a RAR file in
> Windows.
> 
> Hopefully, this is a non-issue as anyone who is intelligent enough to know
> how to uncompress a RAR file will not blindly follow the instructions for
> the virus.
> 
> KAM
> 
> > Can windows even unzip an rar file? If so, how?


Re: [Mimedefang] W32/Bagle.p@MM spreading as rar

2004-03-15 Thread Jon R. Kibler
"Kevin A. McGrail" wrote:
> 
> I am fairly 99% certain that you need WinRar to uncompress a RAR file in
> Windows.
> 
> Hopefully, this is a non-issue as anyone who is intelligent enough to know
> how to uncompress a RAR file will not blindly follow the instructions for
> the virus.
> 
That's what I thought (unlike WinZip, it's not something that everyone has), but just 
wanted to make sure!

Jon
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214




==
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



Re: [Mimedefang] W32/Bagle.p@MM spreading as rar

2004-03-15 Thread Kevin A. McGrail
I am fairly 99% certain that you need WinRar to uncompress a RAR file in
Windows.

Hopefully, this is a non-issue as anyone who is intelligent enough to know
how to uncompress a RAR file will not blindly follow the instructions for
the virus.

KAM

> Can windows even unzip an rar file? If so, how?



RE: [Mimedefang] W32/Bagle.p@MM spreading as rar

2004-03-15 Thread Mike Smith
> Can windows even unzip an rar file? If so, how?

Yes, Windows can open .rar files...WinRar (http://www.rarsoft.com)

 - Mike





Re: [Mimedefang] W32/Bagle.p@MM spreading as rar

2004-03-15 Thread Jason Williams
At 12:48 PM 3/15/2004 -0500, you wrote:
> Can windows even unzip an rar file? If so, how?

WinRAR should be able to unzip rar files.

http://www.rarlab.com/

Jason 



Re: [Mimedefang] W32/Bagle.p@MM spreading as rar

2004-03-15 Thread Jon R. Kibler
Marco Berizzi wrote:
> 
> After password protected zipped file, Bagle is spreading
> as a rar pwd protected file. Any hint how to scan rar
> pwd file?
> 

Can windows even unzip an rar file? If so, how?

Jon
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214






[Mimedefang] W32/Bagle.p@MM spreading as rar

2004-03-15 Thread Marco Berizzi
After password protected zipped file, Bagle is spreading
as a rar pwd protected file. Any hint how to scan rar 
pwd file?



Re: [Mimedefang] Check this X-header out

2004-03-15 Thread Paul Heinlein
On Mon, 15 Mar 2004, Ben Kamen wrote:

> I'll edit my rules...

This works for me:

score HABEAS_SWE 0.0

--Paul Heinlein <[EMAIL PROTECTED]>


Re: [Mimedefang] Check this X-header out

2004-03-15 Thread Ben Kamen
I'll edit my rules...

Thanks!

 -Ben

David F. Skoll wrote:

> On Mon, 15 Mar 2004, Ben Kamen wrote:
>
>> Has anyone else seen this - I just looked at a spam and saw:
>>
>> X-Habeas-SWE-1: winter into spring
>
> ..etc..
>
> This is Habeas's idea to allow "legitimate" bulk e-mail through.  Basically:
>
> - Habeas copyrights a Haiku.
> - Habeas licenses the Haiku to "legitimate" e-mail senders.
> - Habeas convinces anti-spam vendors to permit mail with the Haiku in it
>   to pass.  In SpamAssassin, this is the HABEAS_SWE rule, with a default
>   score of -8.0
> - If spammers abuse the Habeas mark, Habeas sues for copyright violation.
>
> Unfortunately, in my experience, spammers _do_ abuse the Habeas mark, so
> I've nuked the HABEAS_SWE score down to zero.  Sorry, Habeas; nice idea,
> but criminals who think nothing of taking over armies of computers to
> send spam are unlikely to be perturbed by copyright violation.
>
> Regards,
>
> David.
--
Ben Kamen - O.D.T, S.P.
--
Home: [EMAIL PROTECTED]   http://www.benjammin.net
Work: [EMAIL PROTECTED]
gPG Pub Key - http://www.benjammin.net/www/pages/library
*
* NOTE: Opinions and Views discussed via email are my own and not that  *
* of the State of Illinois, University of Illinois or the Illinois Dept *
* of Natural Resources. *
*


RE: [Mimedefang] newlines for spam report

2004-03-15 Thread Paul Murphy

> In mimedefang-filter, filter_end() has one line to generate 
> spam report, and the report shows okay if it is an attachment 
> with spam. However, I move it to its message header section, like:
> 
> action_change_header( "X-Spam-Report", "$report\n" );
> 
> The newlines do not work, everything goes into one line. Any 
> suggestion?

Per RFC822:

3.1.2.  STRUCTURE OF HEADER FIELDS

Once a field has been unfolded, it may be viewed as being composed
of a field-name followed by a colon (":"), followed by a field-body,
and terminated by a carriage-return/line-feed.  The field-name must
be composed of printable ASCII characters (i.e., characters that
have values between 33. and 126., decimal, except colon).  The
field-body may be composed of any ASCII characters, except CR or LF.
(While CR and/or LF may be present in the actual text, they are
removed by the action of unfolding the field.)

It breaks the standard, so your mail system will strip it out.

Best Wishes,

Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788
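
An added example, not part of the post above and not MIMEDefang's own code: RFC 822 allows a line break inside a field-body only as folding, where the next line begins with a space or tab, so a multi-line report has to be folded before it goes into a header, which also keeps a report line from being read as a separate header. The helper names and the sample report are constructed for illustration, and the commented action_change_header call assumes MIMEDefang and the MTA pass the embedded newline-tab through unchanged.

```perl
#!/usr/bin/perl
# Added example: fold a multi-line report into one RFC 822 header field.
use strict;
use warnings;

# Fold: every line after the first starts with a tab, so a parser treats it
# as a continuation of the same field rather than a new header or the body.
sub fold_header_value {
    my ($text) = @_;
    $text =~ s/\r\n?/\n/g;                  # CRLF and bare CR become LF
    my @lines;
    for my $line (split /\n/, $text) {
        $line =~ s/^\s+|\s+$//g;            # trim; the join below adds the tab
        next if $line eq '';                # an empty line would end the header block
        push @lines, $line;
    }
    return join("\n\t", @lines);
}

# Unfold as RFC 822 section 3.1.1 describes: a line break followed by a space
# or tab is dropped, leaving the whitespace character in place.
sub unfold_header_value {
    my ($value) = @_;
    $value =~ s/\r?\n(?=[ \t])//g;
    return $value;
}

# Constructed sample report (not real SpamAssassin output).  The last line
# looks like a header of its own, which is what an unfolded "\n" would create.
my $report = join("\r\n",
    'Content analysis details:',
    '',
    ' 2.5 EXAMPLE_RULE_ONE  constructed rule description',
    ' 1.1 EXAMPLE_RULE_TWO  another constructed description',
    'X-Example: text that must stay inside X-Spam-Report',
) . "\r\n";

my $folded = fold_header_value($report);
my @wire   = split /\n/, "X-Spam-Report: $folded";

# Check: the first line names the field, every later line is a continuation.
my @bad = grep { $wire[$_] !~ /^[ \t]/ } 1 .. $#wire;
die "unfolded continuation at line(s) @bad\n" if @bad;

print "$_\n" for @wire;
print "\nAfter unfolding: ", unfold_header_value("X-Spam-Report: $folded"), "\n";

# In mimedefang-filter the folded value would be passed as (assumption:
# MIMEDefang and the MTA hand the embedded "\n\t" through unchanged):
#   action_change_header('X-Spam-Report', fold_header_value($report));
```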




Re: [Mimedefang] Check this X-header out

2004-03-15 Thread David F. Skoll
On Mon, 15 Mar 2004, Ben Kamen wrote:

> Has anyone else seen this - I just looked at a spam and saw:

> X-Habeas-SWE-1: winter into spring

..etc..

This is Habeas's idea to allow "legitimate" bulk e-mail through.  Basically:

- Habeas copyrights a Haiku.
- Habeas licenses the Haiku to "legitimate" e-mail senders.
- Habeas convinces anti-spam vendors to permit mail with the Haiku in it
  to pass.  In SpamAssassin, this is the HABEAS_SWE rule, with a default
  score of -8.0
- If spammers abuse the Habeas mark, Habeas sues for copyright violation.

Unfortunately, in my experience, spammers _do_ abuse the Habeas mark, so
I've nuked the HABEAS_SWE score down to zero.  Sorry, Habeas; nice idea,
but criminals who think nothing of taking over armies of computers to
send spam are unlikely to be perturbed by copyright violation.

Regards,

David.


[Mimedefang] Check this X-header out

2004-03-15 Thread Ben Kamen
Has anyone else seen this - I just looked at a spam and saw:

X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to .

What the heck? Is it worth reporting the spam to them?

 -Ben





[Mimedefang] newlines for spam report

2004-03-15 Thread Hou, Ming
Hi,

In mimedefang-filter, filter_end() has one line to generate spam report, and the 
report shows okay if it is an attachment with spam. However, I move it to its message 
header section, like:

action_change_header( "X-Spam-Report", "$report\n" );

The newlines do not work, everything goes into one line. Any suggestion?

Thank you very much.
ming
