AW: [Mimedefang] Logging doesn't work with MIMEDefang 2.39 on Solaris 8

2004-03-24 Thread A . Jones
Just a follow up on my posting from a long time ago. A colleague of mine
installed MD 2.41 yesterday, and now everything is logged properly.

-&


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 4 February 2004 09:54
To: [EMAIL PROTECTED]
Subject: AW: [Mimedefang] Logging doesn't work with MIMEDefang 2.39 on Solaris 8


Thanks Charles. Just for the heck of it, i tried this, and it didn't work.
You see, the problem is not in my syslog.conf, and i already had
md_graphdefang_log_enable() in there (with 'mail' and 0), so this really
doesn't change anything. Does anyone else have another suggestion?

-&


-Original Message-
From: Charles Mount [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 3 February 2004 16:42
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Logging doesn't work with MIMEDefang 2.39 on Solaris 8



In /etc/syslog.conf add a line like --
local4.debug /export2/log/mimedefang

Then in your mimedefang-filter add a line like --
md_graphdefang_log_enable('local4');

You will need to find the syslog daemon process ID with
ps -ef|grep syslogd
then do a kill -HUP on that process id.

I suggest that you then add to
/usr/lib/newsyslog
so that you get a new log file at the same time as /var/log/syslog etc.




 

A.Jones@mvv.de
Sent by: mimedefang-bounces
02/02/2004 01:38 AM
Please respond to mimedefang

To: [EMAIL PROTECTED]
cc:
Subject: [Mimedefang] Logging doesn't work with MIMEDefang 2.39 on Solaris 8

(Prefix: I tried sending this a couple of days ago, but it was bounced
because our Exchange server automatically added multipart/alternative HTML,
although i explicitly said that i only want text (ARGH!). In the meantime,
Don has sent in a similar problem report. I thought i would send this
anyway, at least to say that his problem is not isolated, and hopefully to
provide some more helpful information in finding and fixing the problem.)

Greetings everyone!
I'm so sure it's my own stupid mistake somewhere, but i'm not finding it. I
have MIMEDefang 2.39 installed on Solaris 8 (with Perl 5.8.0 from
www.sunfreeware.com -- the Perl that is installed with Solaris 8 has been
removed from the system). I also have Unix::Syslog 0.100 installed, and a
small test program confirms that it is found and usable. My syslog.conf on
the mail server includes a line "*.debug @else" where "else" is the name of
the syslog host. On Else, i have an entry in syslog.conf that says "*.debug
/home/log/alles". In other words, EVERYTHING gets dumped into
else:/home/log/alles. That works, too, and has for quite some time.
MIMEDefang is set up to use the MIMEDefang multiplexor and embedded Perl.
The whole setup has been tested and works.

Now the problem: no matter what filter i use (including the default filter),
none of the logging function calls in /etc/mail/mimedefang-filter actually
log anything. md_graphdefang_log_enable() is not commented out, nor are any
calls to md_syslog(), md_graphdefang_log(), or any friends of same. In
else:/home/log/alles, i see lots of logging from the mail servers when i
test them, but all are from sendmail or mimedefang, and not from the
embedded Perl instance in mimedefang-multiplexor.

I have searched the mailing list archives, Google, and looked at the FAQ. I
tried what was listed at the end of the page for the question "How do I get
md_log to log my messages properly" just for the heck of it, and nothing is
logged. I also tried setting $GraphDefangSyslogFacility explicitly in
/etc/mail/mimedefang-filter, just for giggles, but that didn't help, either.
Can someone give a clueless person a hint?

 -&
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang






Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Fred
Gwendolynn ferch Elydyr wrote:
> Hola!
>
> I'm testing a mimedefang2.39/spamassassin2.63 combination for catching
> spam, which was working nicely last week - catching the vast majority
> of spam, and otherwise behaving as desired.
>
> Now, I'm suddenly getting results like 11 out of 207 messages which are
> clearly spam[0] being caught.

Spammers are smart and catch on to the default rules in SpamAssassin.  I am
part of a group who creates rules for SpamAssassin like Antivirus vendors
(daily updates).  The dev's of SpamAssassin have a hard time getting
releases out fast enough.  With the changes coming for 3.0, it won't take as
long to get updates out.  You can always check out our rules here:

Official links:
http://wiki.apache.org/spamassassin/CustomRulesets

Mirror of many more rules:
http://www.merchantsoverseas.com/wwwroot/gorilla/rules.htm

User contributed SA Wiki
http://www.exit0.us/

The stock rules are well known and many spammers know how to avoid them!

Frederic Tarasevicius



[Mimedefang] MIMEDefang 2.42-BETA-1 available

2004-03-24 Thread David F. Skoll
Hi,

MIMEDefang 2.42-BETA-1 is at http://www.mimedefang.org/node.php?id=1

This includes experimental support for SpamAssassin 3.0.0.

NOTE: SA 3.x support HAS NOT BEEN TESTED.  I have merely verified
that it still works fine with 2.x.  If some of the bleeding-edge SA users
could test it, I'd appreciate it.

Complete changelog since 2.41 follows.

Regards,

David.

2004-03-24  David F. Skoll  <[EMAIL PROTECTED]>

* MIMEDefang 2.42-BETA-1

* mimedefang.pl.in (spam_assassin_mail): Add support for
SpamAssassin 3.0.0's new Perl API.  UNTESTED!

* mimedefang-multiplexor.c (activateSlave): Call closelog() so
embedded Perl interpreter doesn't accidentally reuse syslog
file descriptor (Josh Kelley)

2004-03-16  David F. Skoll  <[EMAIL PROTECTED]>

* Version 2.41 RELEASED


Re: [Mimedefang] Issues Spamassassin 3.0.0 and Mimedefang 2.41

2004-03-24 Thread J.P van Oyen

Cool... thanks David I will be waiting for testing.

Without Mimedefang and Spamassassin our lives would be hard!

Chrs J.P..

-- Original Message ---
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Wed, 24 Mar 2004 12:30:32 -0500 (EST)
Subject: Re: [Mimedefang] Issues Spamassassin 3.0.0 and Mimedefang 2.41

> On Wed, 24 Mar 2004, J.P van Oyen wrote:
> 
> > Running Mimedefang 2.41 and Spamassassin (die hard version 3.0.0) I
> > am getting some errors. Using Spamassassin 2.63 all is working great
> 
> The SpamAssassin Perl API has changed for version 3.0.0 and it won't
> yet work with MIMEDefang.  Someone on the list sent me a patch; just
> haven't got around to incorporating it yet.
> 
> Regards,
> 
> David.
--- End of Original Message ---


-- \__/ --


Re: [Mimedefang] Mimedefang not calling spamassassin

2004-03-24 Thread Alexander Dalloz
On Thu, 25.03.2004 at 00:28, Steve Pfister wrote:
> Sorry if this is something obvious, but I'm kind of stuck. I'm using RedHat
> Linux 9,  sendmail 8.12.11, mimedefang 2.39,  and spamassassin 2.63. MD
> seems to be running fine, and does seem to be invoking the virus scanner
> (clamav 0.65), but never calls spamassassin. My mimedefang-filter is based
> on the example minimum filter for windows clients, with very little
> modifications (if any). If I do a mimedefang.pl -features, it shows:
> 
> SpamAssassin  : yes
> Mail::SpamAssassin: Version 2.63
> 
> It looks like it should be called, but nothing ever happens. What might I be
> missing?
> 
> Thanks!

You did read the notes about the header modification using SpamAssassin
with MimeDefang? It is important that you modify the example filter file
to have the additional SPAM score header tags. Just see the MimeDefang
source tarball.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2174.nptl
Sirendipity 01:27:27 up 5 days, 10:09, load average: 0.21, 0.25, 0.19 
   [ γνωθι σ'αυτον - gnothi seauton ]
 my life is a planetarium - and you are the stars




Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Alex S Moore
On Wed, 2004-03-24 at 15:49, Stephen Smoogen wrote:
> Ok here is what I think happened for me at least.. I didn't have enough
> SPAM in my bayesian filter as the sa-learn --dump magic only showed 155
> spam messages. I thought I had fed it a lot more but I think that it
> had 'forgotten' some. I noticed that a lot of tests have a weight of 0
> when Bayes is turned on so I think spamassassin was not giving it the
> full weight it should.
> 

Yes, just learn more spam.  Actually, I have difficulty understanding
why I would want to use bayes at the user level because most folks
either do not have the knowledge or do not have the time to gain the
knowledge that is needed to handle their own bayes database.  There are
probably some sophisticated tools available commercially, but doesn't
spam cost enough already! 

My site-wide bayes has over 4000 ham and over 4000 spam and it is
extremely rare for a spam message to get through undetected.  Granted my
volumes are low, only 170 or so spam messages a day and I may see 1 or 2
spam messages a month in my inbox.  I think you mentioned Can-it, I have
not seen that one but I do know that SA rocks :)

Alex



[Mimedefang] Mimedefang not calling spamassassin

2004-03-24 Thread Steve Pfister
Sorry if this is something obvious, but I'm kind of stuck. I'm using RedHat
Linux 9,  sendmail 8.12.11, mimedefang 2.39,  and spamassassin 2.63. MD
seems to be running fine, and does seem to be invoking the virus scanner
(clamav 0.65), but never calls spamassassin. My mimedefang-filter is based
on the example minimum filter for windows clients, with very little
modifications (if any). If I do a mimedefang.pl -features, it shows:

SpamAssassin  : yes
Mail::SpamAssassin: Version 2.63

It looks like it should be called, but nothing ever happens. What might I be
missing?

Thanks!



Re: [Mimedefang] Greylisting DB Problem

2004-03-24 Thread kamal
Same problem here. This happens because of concurrency. I wrote a test
program for two cases, with all the triplets being new and unique:

1. 1 mail delivery attempts, sequential, one after the other. Works
   fine.
2. Five threads, each doing 2000 mail delivery attempts. A new
   connection is established for each mail delivery attempt. In this case,
   database stops to grow after a short time.

I couldn't figure out what is the problem, instead switched to
relaydelay implementation by Evan Harris.

Hammond, Alan wrote:
> I recently attempted to implement greylisting using pieces of code
> posted by Jonas Eckerman and David Skoll. On the initial test the
> database appeared to grow normally as new entries were added until
> it reached a size of just over 5 Megs (3 days) at which point it
> stopped growing and based on the log files new entries were not being
> successfully added to the database.  On the second and third test the
> database grew to a size of 1.3 Megs (1 day) where the same problem
> occurred. My system is RH9 with 1 Gig of RAM using Mimedefang 2.39.
>
> Any suggestions on what might be the cause or what I can look at to resolve
> this would be appreciated.
> Alan Hammond
> Clackamas County Network Engineer




Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Stephen Smoogen
On Wed, 2004-03-24 at 12:05, Alex S Moore wrote:
> On Wed, 2004-03-24 at 12:41, Stephen Smoogen wrote:
> > On Wed, 2004-03-24 at 11:00, Justin wrote:
> > > On Wed, 24 Mar 2004, Gwendolynn ferch Elydyr wrote:
> > > 
> > > http://www.spamassassin.org/tests.html
> > 
> > Duh. Ok that seems to be the case, and a definite reason not to have
> > site wide Bayesian filtering turned on. [And another reason for CanIT]
> > Turning off the site-wide Bayesian lines brought the scores in line with
> > the other side.
> > 
> 
> Sorry, I do not understand.  Why not use site-wide Bayesian filtering
> and how does site-wide scoring relate to this html link?
> 

Ok here is what I think happened for me at least.. I didn't have enough
SPAM in my bayesian filter as the sa-learn --dump magic only showed 155
spam messages. I thought I had fed it a lot more but I think that it
had 'forgotten' some. I noticed that a lot of tests have a weight of 0
when Bayes is turned on so I think spamassassin was not giving it the
full weight it should.

However, since I have shown that I only know how to compile these things
and not set them up.. I am probably still on crack.


> Alex
> 
> 
-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



RE: [Mimedefang] Block mail by subject

2004-03-24 Thread WBrown
[EMAIL PROTECTED] wrote on 03/24/2004 02:48:52 PM:

> 'Fault' isn't really the issue here - if you want to blame
> something, blame the mailers that execute received content
> as a hidden side effect of opening or previewing a message.
> The more relevant issue is:  whose problem is it when your
> boss gets a few hundred rejection notices saying he sent a virus?
> That is the result when everyone sends notifications instead
> of just discarding virus-generated messages.

AHHH, but we don't know for sure that the messages being dropped (in the 
context of this thread) were infected.  All we know is they had the same 
subject as some viruses being sent.  That is not proof of infection.  In 
that case, reject.  If you *KNOW* that it has a virus, then drop. 
Rejecting with notification is a good temporary measure until updated 
virus definitions are available.  I can explain a false notice a lot 
easier than mail that did not go through.

The virus writers are not stupid. They pick subjects that are reasonable 
messages to receive.  They want - no, NEED people to think it could be a 
legitimate message.  Who in their right mind would open a message with a 
subject of "WARNING! Virus enclose - please to be opened"?


[Mimedefang] sa-learn and mimedefang 2-63

2004-03-24 Thread Paul Sarlat
Good morning,
Excuse me but I speak English a little.

I have installed spamassassin 2.63 with mimedefang 2.35 under a redhat 9.

1) I want to use sa-learn and its bayes files.
Is there something to do in /etc/mail/spamassassin/sa-mimedefang.cf file?
Is there a howto file to do this?

2) I want to use spamd (daemon) with my mimedefang filter. Do you have a
howto file for this?

Thank you for your information.


-
Paul SARLAT   Universite Antilles Guyane CRIG (CRI Guadeloupe) 
Campus de Fouillole  97159 Pointe à Pitre 
tel 0590 93 86 63  fax  0590 21 03 41  




[Mimedefang] headers not showing up on quarantine messages

2004-03-24 Thread Lucas Albers
I recently started reporting some quarantined email to spamcop.net.
In the process I determined that a few messages did not contain the full
headers.
Any idea how to determine how the headers could be missing?
This has only happened on very few messages.

Sample HEADERS from message:
-
Date: Wed, 24 Mar 2004 19:40:11 +
MIME-Version: 1.0
From: "Ted E. Petersen" <[EMAIL PROTECTED]>
Subject: Better than V g
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
--

As you can see it does not show any relay information, and the logs
clearly indicate it was relayed.
I am using 2.39.

from my maillog:

Mar 24 12:45:42 traffic sm-mta[29658]: i2OJjaxw029658: from=<[EMAIL PROTECTED]>, size=2057, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=c-24-20-0-23.client.comcast.net [24.20.0.23]
Mar 24 12:45:42 traffic mimedefang.pl[21781]: MDLOG,i2OJjaxw029658,spam,25.771,24.20.0.23,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Better than V g



-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



RE: [Mimedefang] Block mail by subject (OT)

2004-03-24 Thread WBrown
[EMAIL PROTECTED] wrote on 03/24/2004 02:42:33 PM:

> Is the vanity domain's mail server at fault in this situation?  Should its
> MTA deliver everything in the foreground, holding open the original SMTP
> connection and deferring a final response to it until it sees if my server
> will accept the message or not?  (If so, does this approach scale for sites
> that accept a large amount of mail?)  Should ".forward" style redirecting be
> done away with altogether?

I would say that yes, the vanity server is responsible.  It is the one 
that accepted the virus in the first place.  In this day and age, running 
a mail server without virus protection is asking for trouble. 

What if the original user sets up a .forward to your server, but then 
closes his account on your server.  Everything that was forwarded to your 
server would then bounce. I suppose you could hold the user partly 
responsible in this scenario because he didn't cancel the .forward.


Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Stephen Smoogen
On Wed, 2004-03-24 at 12:05, Alex S Moore wrote:
> On Wed, 2004-03-24 at 12:41, Stephen Smoogen wrote:
> > On Wed, 2004-03-24 at 11:00, Justin wrote:
> > > On Wed, 24 Mar 2004, Gwendolynn ferch Elydyr wrote:
> > > 
> > > http://www.spamassassin.org/tests.html
> > 
> > Duh. Ok that seems to be the case, and a definite reason not to have
> > site wide Bayesian filtering turned on. [And another reason for CanIT]
> > Turning off the site-wide Bayesian lines brought the scores in line with
> > the other side.
> > 
> 
> Sorry, I do not understand.  Why not use site-wide Bayesian filtering
> and how does site-wide scoring relate to this html link?
> 

Looking at the scores of one of the emails, it looks like for an email
that got a razor2 score it got a 0. Turning off Bayesian filtering, it
got close to a 1. I don't know why it is happening this way.. I must have
screwed something up here..

$SALocalTestsOnly = 0;


-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



RE: [Mimedefang] Block mail by subject

2004-03-24 Thread Les Mikesell
On Wed, 2004-03-24 at 13:23, [EMAIL PROTECTED] wrote:

> > If you reject with an SMTP 5xx, you simply force the previous
> > SMTP relay to do exactly the same thing.  Unless it is the
> > first hop doing the scanning, all you have is the forged
> > header information to construct the error reply, and PC's
> > almost always use a relay.
> 
> And it's their own dang fault for passing along spam and/or viruses.  I 
> refuse to accept responsibility for other's problems.  I certainly have 
> (cause?) enough of my own!

'Fault' isn't really the issue here - if you want to blame
something, blame the mailers that execute received content
as a hidden side effect of opening or previewing a message.
The more relevant issue is:  whose problem is it when your
boss gets a few hundred rejection notices saying he sent a virus?
That is the result when everyone sends notifications instead
of just discarding virus-generated messages.

---
  Les Mikesell
   [EMAIL PROTECTED]




RE: [Mimedefang] Block mail by subject (OT)

2004-03-24 Thread Michael Sims
[EMAIL PROTECTED] wrote:
> Les Mikesell wrote on 03/24/2004 01:17:29 PM:
>> If you reject with an SMTP 5xx, you simply force the previous
>> SMTP relay to do exactly the same thing.  Unless it is the
>> first hop doing the scanning, all you have is the forged
>> header information to construct the error reply, and PC's
>> almost always use a relay.
>
> And it's their own dang fault for passing along spam and/or viruses.
> I refuse to accept responsibility for other's problems.  I certainly
> have (cause?) enough of my own!

I'm curious...What about relays that are doing a ".forward" style redirect?
For example, lets say that one of my mail users registers a vanity domain
and sets up a mail server for this domain and creates an account for
himself.  Let's say that he configures this account to forward to his mail
account at my server using the MTA's ".forward" feature.  Most MTA's default
configurations will accept any email coming to this account, then attempt to
relay it to the address in the ".forward" file.  Now, I can reject with a
5xx during the SMTP dialog all I want, but I am indirectly causing the
vanity domain's mail server to compose bogus bounces to innocent users.  If
this vanity address gets 100 forging viruses in a day, then I am indirectly
responsible for 100 bogus bounces being delivered to innocent users.

Is the vanity domain's mail server at fault in this situation?  Should its
MTA deliver everything in the foreground, holding open the original SMTP
connection and deferring a final response to it until it sees if my server
will accept the message or not?  (If so, does this approach scale for sites
that accept a large amount of mail?)  Should ".forward" style redirecting be
done away with altogether?

These aren't rhetorical questions...I'm honestly interested in people's
opinions.  It's largely due to the ".forward" factor that I favor
action_discard() wherever possible over action_bounce()...

___
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___



RE: [Mimedefang] Block mail by subject

2004-03-24 Thread WBrown
[EMAIL PROTECTED] wrote on 03/24/2004 01:17:29 PM:
> If you reject with an SMTP 5xx, you simply force the previous
> SMTP relay to do exactly the same thing.  Unless it is the
> first hop doing the scanning, all you have is the forged
> header information to construct the error reply, and PC's
> almost always use a relay.

And it's their own dang fault for passing along spam and/or viruses.  I 
refuse to accept responsibility for other's problems.  I certainly have 
(cause?) enough of my own!

At least modern viruses use their own SMTP engines to deliver directly, 
avoiding the relay issue.  I wonder if they think this will provide better 
luck in delivering the message without it being filtered.


RE: [Mimedefang] Problems with Mimedefang & Spamassassin

2004-03-24 Thread Matt Yahna
Ok, I am officially an idiot.  Even though I had downloaded the latest
bigevil.cf file to my system, it was not ftping the new one to my mail
server (was putting version 2.12I on the system).  Now that I figured out my
mistake and have put 2.12J on, the problem seems to be fixed.  I am adding
all of my filters back one by one to verify that there are no more
conflicts.

Thanks for the help.  Guess version 2.12I had a problem (or at least the
version of it that I downloaded).

- Matt 

-Original Message-
From: Matt Yahna [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 24, 2004 11:03 AM
To: '[EMAIL PROTECTED]'
Subject: [Mimedefang] Problems with Mimedefang & Spamassassin

(This message was posted to the Spamassassin list as well, but was told it
would be better here)

We currently use the following configuration for blocking Spam:

Solaris 8
Mimedefang 2.41
SpamAssassin 2.63
Perl 5.8.0
Sendmail 8.12.11

Over the weekend, I noticed several message in the syslog that the milter
timed out, and that some messages were taking several hours to finally get
through the system.  We were still blocking spam, but it was taking a long
time.  I was getting reports from users that they were not getting messages
from clients, and would see in the log that their message was refused
because the milter was too busy to accept it.  This never used to happen, we
would get emails right away even after they went through SA.  I have tried
adding more mimedefang instances to the multiplexor, but they just get used
and get busy.  I have 20 running right now, and all are busy.  Does anyone
have any idea why this just started happening?  I thought maybe it was
because of some of the new rules that I installed, but even after turning
most of them off, I still have the problem!  I have the following rules
installed (all downloaded recently):

99_FVGT_Tripwire.cf          airmax.cf        random.current.cf
antidrug.cf                  backhair.cf      sa-blacklist.cf
bigevil.cf                   sa-blacklist.current.uri.cf
bogus-virus-warnings.cf      chickenpox.cf    evilnumbers.cf
weeds.cf

I ran a spamassassin -d --lint and receive no errors.

Here are some of the errors in my syslog:

Mar 24 09:33:42 spawn mimedefang-multiplexor: [ID 316382 mail.info] Killing busy slave 17 (pid 23428): Busy timeout
Mar 24 09:33:42 spawn mimedefang[5240]: [ID 847421 mail.error] Error from multiplexor: ERR Filter timed out - system may be overloaded (consider increasing busy timeout)
Mar 24 09:33:44 spawn mimedefang-multiplexor: [ID 364399 mail.info] Slave status: Stopped=0 Idle=0 Busy=20 Killed=0 Queued=0 Msgs=3193 Activations=3183
Mar 24 09:33:44 spawn sm-mta[23419]: [ID 801593 mail.error] i2OGSDCS023419: Milter (mimedefang): timeout before data read
Mar 24 09:33:45 spawn sm-mta[23419]: [ID 801593 mail.info] i2OGSDCS023419: Milter (mimedefang): to error state
Mar 24 09:32:10 spawn sm-mta[23532]: [ID 801593 mail.info] i2OGW3iQ023532: Milter: data, reject=451 4.7.1 Please try again later

One of the things I just noticed was the following log entry (after changing
back to 10 max slaves):

Mar 24 10:25:42 spawn mimedefang-multiplexor: [ID 472408 mail.info] Slave status: Stopped=0 Idle=0 Busy=10 Killed=0 Queued=0 Msgs=3 Activations=10

Why would 10 of them be busy with only 3 messages?  Or does that mean that
10 messages have come through to the filter, and it has let 3 pass?  

Here are more log messages (after turning sendmail logging up).  It seems to
try to quit the filter, but doesn't actually shut the filter down?  I am not
sure.  I can't seem to find any other indication of a problem other than it
complaining that it can't connect to the filter and these types of messages
repeating in syslog:

Mar 24 10:26:03 spawn sm-mta[29020]: [ID 801593 mail.info] NOQUEUE: connect from  66-95-174-36.client.dsl.net [66.95.174.36]
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: Milter (mimedefang): init success to negotiate
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: Milter: connect to filters
Mar 24 10:26:04 spawn mimedefang[28186]: [ID 627436 mail.warning] mfconnect: No free slaves
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: milter=mimedefang, action=connect, tempfail
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: Milter (mimedefang): time command (C), 0
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: Milter: connect, ending
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: Milter (mimedefang): quit filter

I did notice that I am running perl 5.8.0, and not the latest (5.8.3).  So I
am currently compiling 5.8.3 to see if it helps.

Any help would be greatly appreciated.
 
- Matt

RE: [Mimedefang] Block mail by subject

2004-03-24 Thread Les Mikesell
On Wed, 2004-03-24 at 11:45, [EMAIL PROTECTED] wrote:

> At least you were rejecting, not dropping.  Amazing how many places think 
> it's acceptable to just drop.
> 

If you sent a lot of messages (say from [EMAIL PROTECTED],
or webmaster) you would quickly realize that notification is
worse.  Every pc that has your address on a message in the
inbox is likely to get a virus and send thousands of copies
with your address forged as the From:.  When any other system
rejects with notification, you get it - and everyone who depends
on you to keep their PC running will call you every time they
get one of these...


> The other thing that was totally amazing is how many spam filtering 
> solution there are that will accept a message, let the SMTP connection 
> close, and then scan/filter the email.  They have no choice but to beleive 
> the sender information if they wish to return a failure message.  For 
> people like that, I have this very nice bridge for sale in NYC.

If you reject with an SMTP 5xx, you simply force the previous
SMTP relay to do exactly the same thing.  Unless it is the
first hop doing the scanning, all you have is the forged
header information to construct the error reply, and PC's
almost always use a relay.

---
  Les Mikesell
   [EMAIL PROTECTED]




[Mimedefang] Embedded Perl problems - bugfix

2004-03-24 Thread Josh Kelley
I think that I've found and fixed a problem in MIMEDefang's embedded 
Perl mode.

The problem:  The MIMEDefang multiplexor uses the openlog and syslog 
functions to write to the syslog.  These functions use a file descriptor 
kept in a static variable somewhere to do the actual writing.  However, 
when the multiplexor forks off a child, the child closes all open FDs.  
If the Perl filter then opens a file, it may happen to get the same FD 
that the openlog/syslog functions expect to use.  Bad things ensue.  (On 
my system, the FD conflict was causing slave processes to hang.)

Solution:  Add a closelog() call to mimedefang-multiplexor.c's 
activateSlave function, just before "Close unneeded file descriptors" loop.

Josh Kelley
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
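
The descriptor reuse described in the post above, reproduced as an added example (not MIMEDefang's code and not part of the original post). A small logger with a static descriptor stands in for libc's private syslog state; `mini_openlog`, `mini_closelog`, `mini_syslog`, `slave`, `close_unneeded_fds`, `run_scenario` and the `/tmp` file names are all hypothetical. It shows log text landing in the filter's own file when the descriptor is closed behind the logger's back, and the same start-up path with a closelog-style reset first.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for libc's private syslog state: a descriptor cached in a static. */
static int log_fd = -1;
static const char *log_path;

static void mini_openlog(const char *path) {
    log_path = path;
    log_fd = open(path, O_WRONLY | O_APPEND);
}

static void mini_closelog(void) {
    if (log_fd >= 0) close(log_fd);
    log_fd = -1;                 /* the cached number is forgotten */
}

static void mini_syslog(const char *msg) {
    if (log_fd < 0)              /* no connection: open one lazily, as syslog(3) does */
        log_fd = open(log_path, O_WRONLY | O_APPEND);
    if (log_fd >= 0 && write(log_fd, msg, strlen(msg)) < 0)
        perror("write");
}

/* The "Close unneeded file descriptors" step: everything above stderr goes. */
static void close_unneeded_fds(void) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 4096) max = 4096;
    for (int fd = 3; fd < max; fd++) close(fd);
}

/* Slave start-up plus one file opened by the filter.
 * Returns 1 if log text ended up in the filter's file, 0 if not, 2 on error. */
static int slave(const char *data_path, int call_closelog) {
    char buf[128] = {0};
    if (call_closelog) mini_closelog();          /* the proposed fix */
    close_unneeded_fds();                        /* without the fix, log_fd is now stale */
    int fd = open(data_path, O_RDWR | O_TRUNC);  /* kernel hands out the lowest free number */
    if (fd < 0 || write(fd, "filter-data\n", 12) != 12) return 2;
    mini_syslog("LOG: slave started\n");
    if (lseek(fd, 0, SEEK_SET) < 0 || read(fd, buf, sizeof buf - 1) < 0) return 2;
    return strstr(buf, "LOG:") != NULL;
}

/* Runs a throwaway "multiplexor" that opens the log and forks one slave. */
int run_scenario(int call_closelog) {
    char data_path[] = "/tmp/md_filter_XXXXXX";   /* constructed sample files */
    char logfile[] = "/tmp/md_log_XXXXXX";
    int d = mkstemp(data_path), l = mkstemp(logfile), status = 0;
    if (d < 0 || l < 0) return -1;
    close(d);
    close(l);

    pid_t mux = fork();
    if (mux < 0) return -1;
    if (mux == 0) {
        int fd, st = 0;
        while ((fd = open("/dev/null", O_RDWR)) >= 0 && fd < 3)
            ;                                     /* make sure 0-2 are occupied */
        close_unneeded_fds();
        mini_openlog(logfile);                    /* lowest free number: 3 */
        pid_t s = fork();
        if (s < 0) _exit(2);
        if (s == 0) _exit(slave(data_path, call_closelog));
        waitpid(s, &st, 0);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 2);
    }
    waitpid(mux, &status, 0);
    unlink(data_path);
    unlink(logfile);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("without closelog: log text in filter file = %d\n", run_scenario(0));
    printf("with closelog:    log text in filter file = %d\n", run_scenario(1));
    return 0;
}
```

The misdirected write is the deterministic symptom here; with the real syslog socket the reused descriptor can also belong to something the filter blocks on, which matches the hang reported in the post.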


Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Gwendolynn ferch Elydyr
On Wed, 24 Mar 2004, Stephen Smoogen wrote:
> Try turning off the bayes AND also turn off the line that removes scores
> if they are too low. Check to see if something else is putting in
> points.

I've turned off bayes, but I'm not sure which line you're talking
about second.

If you mean listing scores in each mail, I've got scores and tests
attached to every email - and I'm seeing scores as low as 0.0001 for
various tests [not right now, but previously, for bayes].

With bayes turned off, I'm unfortunately still seeing these ultra-low
scores (eg)

X-Spam-Score: 0.784 () BIZ_TLD

vs

X-Spam-Status: Yes, hits=9.5 required=5.0 tests=BAYES_99,BIZ_TLD,
MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,RCVD_IN_BL_SPAMCOP_NET,
RCVD_IN_DSBL,RCVD_IN_SORBS autolearn=no version=2.61

Out of the ones that are caught as spam, many of them would have passed
as ham if I hadn't decreased my spam threshold to 4.

cheers!
==
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."



Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Stephen Smoogen
On Wed, 2004-03-24 at 11:41, Stephen Smoogen wrote:

> The second problem I was having is that 2 upstream sites are using
> mimedefang+spamassassin in their systems and for some reason I was
> seeing their score printed versus my own. When I commented out the line
> 
> # action_delete_header("X-Spam-Score");
> 

In other words.. I think I have been smoking crack :(.

-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Alex S Moore
On Wed, 2004-03-24 at 12:41, Stephen Smoogen wrote:
> On Wed, 2004-03-24 at 11:00, Justin wrote:
> > On Wed, 24 Mar 2004, Gwendolynn ferch Elydyr wrote:
> > 
> > http://www.spamassassin.org/tests.html
> 
> Duh. Ok that seems to be the case, and a definite reason not to have
> site wide Bayesian filtering turned on. [And another reason for CanIT]
> Turning off the site-wide Bayesian lines brought the scores in line with
> the other side.
> 

Sorry, I do not understand.  Why not use site-wide Bayesian filtering
and how does site-wide scoring relate to this html link?

Alex




[Mimedefang] Problems with Mimedefang & Spamassassin

2004-03-24 Thread Matt Yahna
(This message was posted to the Spamassassin list as well, but was told it
would be better here)

We currently use the following configuration for blocking Spam:

Solaris 8
Mimedefang 2.41
SpamAssassin 2.63
Perl 5.8.0
Sendmail 8.12.11

Over the weekend, I noticed several messages in the syslog that the milter
timed out, and that some messages were taking several hours to finally get
through the system.  We were still blocking spam, but it was taking a long
time.  I was getting reports from users that they were not getting messages
from clients, and would see in the log that their message was refused
because the milter was too busy to accept it.  This never used to happen, we
would get emails right away even after they went through SA.  I have tried
adding more mimedefang instances to the multiplexor, but they just get used
and get busy.  I have 20 running right now, and all are busy.  Does anyone
have any idea why this just started happening?  I thought maybe it was
because of some of the new rules that I installed, but even after turning
most of them off, I still have the problem!  I have the following rules
installed (all downloaded recently):

99_FVGT_Tripwire.cf
airmax.cf
random.current.cf
antidrug.cf
backhair.cf
sa-blacklist.cf
bigevil.cf
sa-blacklist.current.uri.cf
bogus-virus-warnings.cf
chickenpox.cf
evilnumbers.cf
weeds.cf

I ran a spamassassin -d --lint and receive no errors.

Here are some of the errors in my syslog:

Mar 24 09:33:42 spawn mimedefang-multiplexor: [ID 316382 mail.info] Killing busy slave 17 (pid 23428): Busy timeout
Mar 24 09:33:42 spawn mimedefang[5240]: [ID 847421 mail.error] Error from multiplexor: ERR Filter timed out - system may be overloaded (consider increasing busy timeout)
Mar 24 09:33:44 spawn mimedefang-multiplexor: [ID 364399 mail.info] Slave status: Stopped=0 Idle=0 Busy=20 Killed=0 Queued=0 Msgs=3193 Activations=3183
Mar 24 09:33:44 spawn sm-mta[23419]: [ID 801593 mail.error] i2OGSDCS023419: Milter (mimedefang): timeout before data read
Mar 24 09:33:45 spawn sm-mta[23419]: [ID 801593 mail.info] i2OGSDCS023419: Milter (mimedefang): to error state
Mar 24 09:32:10 spawn sm-mta[23532]: [ID 801593 mail.info] i2OGW3iQ023532: Milter: data, reject=451 4.7.1 Please try again later

One of the things I just noticed was the following log entry (after changing
back to 10 max slaves):

Mar 24 10:25:42 spawn mimedefang-multiplexor: [ID 472408 mail.info] Slave status: Stopped=0 Idle=0 Busy=10 Killed=0 Queued=0 Msgs=3 Activations=10

Why would 10 of them be busy with only 3 messages?  Or does that mean that
10 messages have come through to the filter, and it has let 3 pass?  

Here are more log messages (after turning sendmail logging up).  It seems to
try to quit the filter, but doesn't actually shut the filter down?  I am not
sure.  I can't seem to find any other indication of a problem other than it
complaining that it can't connect to the filter and these types of messages
repeating in syslog:

Mar 24 10:26:03 spawn sm-mta[29020]: [ID 801593 mail.info] NOQUEUE: connect from 66-95-174-36.client.dsl.net [66.95.174.36]
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: Milter (mimedefang): init success to negotiate
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: Milter: connect to filters
Mar 24 10:26:04 spawn mimedefang[28186]: [ID 627436 mail.warning] mfconnect: No free slaves
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: milter=mimedefang, action=connect, tempfail
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: Milter (mimedefang): time command (C), 0
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: Milter: connect, ending
Mar 24 10:26:04 spawn sm-mta[29020]: [ID 801593 mail.info] i2OHQ38X029020: Milter (mimedefang): quit filter

I did notice that I am running perl 5.8.0, and not the latest (5.8.3).  So I
am currently compiling 5.8.3 to see if it helps.

Any help would be greatly appreciated.
 
- Matt


Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Stephen Smoogen
On Wed, 2004-03-24 at 11:00, Justin wrote:
> On Wed, 24 Mar 2004, Gwendolynn ferch Elydyr wrote:
> 
> > Further poking about yesterday showed that SA alone seems to be handing
> > out fairly reasonable scores, but SA in combination with MD is seeing
> > hideously low scoring.  It doesn't look to me as though I've turned off
> > any SA rules via MD - bayes, dns and rbl checks are all enabled - but
> > even after a restart, I'm not having much luck here.
> 
> Are the differences in scores the same as the difference in scores
> pre-defined in SA for use when the calling instance meets a certain
> requirement or requirements?  Ie network test are enabled, bayes is
> enabled, or bayes and network tests are enabled.  The heuristic tests pick
> different scores for 4 different scenarios.  If Bayes isn't enabled when
> calling from MD but it is when called with spamc then there will be a
> definite difference in scores.
> 
> http://www.spamassassin.org/tests.html

Duh. Ok that seems to be the case, and a definite reason not to have
site wide Bayesian filtering turned on. [And another reason for CanIT]
Turning off the site-wide Bayesian lines brought the scores in line with
the other side.

The second problem I was having is that 2 upstream sites are using
mimedefang+spamassassin in their systems and for some reason I was
seeing their score printed versus my own. When I commented out the line

# action_delete_header("X-Spam-Score");




-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Stephen Smoogen
On Wed, 2004-03-24 at 11:23, Gwendolynn ferch Elydyr wrote:
> >
> > http://www.spamassassin.org/tests.html
> 
> I'm familiar with the scoring - and in both cases, bayes and network
> scoring are enabled. Unfortunately the difference in scores is quite
> inconsistent, and doesn't seem to reflect that type of difference.
> 
> > > Is anybody running with a spam threshold hovering around 1 or 2 ?
> >
> > Nope, or at least they shouldn't be.  The heuristic tests were run on the
> > basis that 5 was the spam/ham threshold.  If you want to raise the scores
> > to tag more spam, add more tests like network tests and bayes.
> 
> I have network tests and bayes enabled [and just went through the
> process of rebuilding my bayes database, just to make sure that there
> wasn't something odd in there].  The scores are still very, very low.

Try turning off the bayes AND also turn off the line that removes scores
if they are too low. Check to see if something else is putting in
points.

-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



[Mimedefang] Greylisting DB Problem

2004-03-24 Thread Hammond, Alan
I recently attempted to implement greylisting using pieces of code 
posted by Jonas Eckerman and David Skoll. On the initial test the 
database appeared to grow normally as new entries were added until 
it reached a size of just over 5 Megs (3 days) at which point it 
stopped growing and based on the log files new entries were not being 
successfully added to the database.  On the second and third test the 
database grew to a size of 1.3 Megs (1 day) where the same problem 
occurred. My system is RH9 with 1 Gig of RAM using Mimedefang 2.39.

Any suggestions on what might be the cause or what I can look at to resolve
this would be appreciated.

Alan Hammond
Clackamas County Network Engineer
 



RE: [Mimedefang] Sendmail 8.12.11 compatibility

2004-03-24 Thread Rob
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Ville Jorma
> 
> Is MIMEDefang compatible with sendmail 8.12.11?

I've been running it with 8.12.11 since .11 came out - no problems.


PLEASE - keep list traffic on the list.  Email sent directly to me may
be ignored utterly.

-- 
Rob | What part of "no" was it you didn't understand?


Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Gwendolynn ferch Elydyr
On Wed, 24 Mar 2004, Justin wrote:
> Are the differences in scores the same as the difference in scores
> pre-defined in SA for use when the calling instance meets a certain
> requirement or requirements?  Ie network test are enabled, bayes is
> enabled, or bayes and network tests are enabled.  The heuristic tests pick
> different scores for 4 different scenarios.  If Bayes isn't enabled when
> calling from MD but it is when called with spamc then there will be a
> definite difference in scores.
>
> http://www.spamassassin.org/tests.html

I'm familiar with the scoring - and in both cases, bayes and network
scoring are enabled. Unfortunately the difference in scores is quite
inconsistent, and doesn't seem to reflect that type of difference.

> > Is anybody running with a spam threshold hovering around 1 or 2 ?
>
> Nope, or at least they shouldn't be.  The heuristic tests were run on the
> basis that 5 was the spam/ham threshold.  If you want to raise the scores
> to tag more spam, add more tests like network tests and bayes.

I have network tests and bayes enabled [and just went through the
process of rebuilding my bayes database, just to make sure that there
wasn't something odd in there].  The scores are still very, very low.

cheers!
==
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."



Re: [Mimedefang] Sendmail 8.12.11 compatibility

2004-03-24 Thread Kevin A. McGrail
Yes.

> Is MIMEDefang compatible with sendmail 8.12.11?



Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Justin
On Wed, 24 Mar 2004, Gwendolynn ferch Elydyr wrote:

> Further poking about yesterday showed that SA alone seems to be handing
> out fairly reasonable scores, but SA in combination with MD is seeing
> hideously low scoring.  It doesn't look to me as though I've turned off
> any SA rules via MD - bayes, dns and rbl checks are all enabled - but
> even after a restart, I'm not having much luck here.

Are the differences in scores the same as the difference in scores
pre-defined in SA for use when the calling instance meets a certain
requirement or requirements?  Ie network test are enabled, bayes is
enabled, or bayes and network tests are enabled.  The heuristic tests pick
different scores for 4 different scenarios.  If Bayes isn't enabled when
calling from MD but it is when called with spamc then there will be a
definite difference in scores.

http://www.spamassassin.org/tests.html

> Is anybody running with a spam threshold hovering around 1 or 2 ?

Nope, or at least they shouldn't be.  The heuristic tests were run on the 
basis that 5 was the spam/ham threshold.  If you want to raise the scores 
to tag more spam, add more tests like network tests and bayes.  

HTH
 Justin



[Mimedefang] Sendmail 8.12.11 compatibility

2004-03-24 Thread Ville Jorma

Hello,


Is MIMEDefang compatible with sendmail 8.12.11?


According to sendmail's release notes, it contains at least some
milter-related changes:

- When a milter invokes smfi_delrcpt() compare the supplied
recipient address also against the printable addresses
of the current list to deal with rewritten addresses.
Based on patch from Sean Hanson of The Asylum

- Return normal error code for unknown SMTP commands instead of
the one specified by check_relay or a milter for a
connection. Problem noted by Andrzej Filip.

- LIBMILTER: Add extra checks in case a broken MTA sends bogus data
to libmilter. Based on code review by Rob Grzywinski



Regards,
Ville




RE: [Mimedefang] Block mail by subject

2004-03-24 Thread WBrown
> So you took heat because of an action/decision/policy on the receiving end?

Welcome to my nightmare!

> I've posted my own solution to blocking subject-lines before, a couple of
> times, on this list.  It implements subject line keyword blocks,
> complete-match blocks, and sends a 5.X.X rejection notice.  Search the list
> archives for references to the CheckSubject rule for sendmail that I use.  I
> currently match on 39 complete subjects, and 1270 subject keywords
> (including mutations).  And given greylisting and other header checks
> performed by sendmail and MIMEDefang on my systems, it still catches over
> 350 messages per day.  Before adding greylisting to our defenses, this was
> honestly THE single most effective rule in our arsenal, formerly catching
> several thousand spams per day.  We had ONE instance about a year ago where
> a systemically-generated report created on a UNIX system in-house just
> happened to try using a subject-line that we blocked.  A phone call to the
> programmer describing the issue was all it took.  The developer re-worded
> the subject just enough to miss the filter, and there have been no further
> reports of false positives.  Just be careful (as always) with what you put
> in the bad subject block lists.

At least you were rejecting, not dropping.  Amazing how many places think 
it's acceptable to just drop.

The other thing that was totally amazing is how many spam filtering 
solutions there are that will accept a message, let the SMTP connection 
close, and then scan/filter the email.  They have no choice but to believe 
the sender information if they wish to return a failure message.  For 
people like that, I have this very nice bridge for sale in NYC.


Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Stephen Smoogen
On Wed, 2004-03-24 at 10:04, David F. Skoll wrote:
> Try running SpamAssassin as the "defang" user with the same configuration
> file used by MIMEDefang.  There may be something in defang's home
> directory, Bayes data, etc. that could be causing the trouble.
> 

At the moment there is only a 
.razor/
.pyzor/

directory in there. Nothing looked too out of the place. I have turned
off all white listing and the bayesian learning in the sa-mimedefang.cf
line. I am going to see if that has any effect.. I found out that the
other server is using an old mimedefang but the latest spamassassin and
we get very different scores. 

I am going to see if there is something else different between the two
boxes that is allowing the older mimedefang to catch things better (ie
does that admin have something in /etc/mail/mimedefang-filter I don't
:)). 

> Regards,
> 
> David.
-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



Re: [Mimedefang] Issues Spamassassin 3.0.0 and Mimedefang 2.41

2004-03-24 Thread David F. Skoll
On Wed, 24 Mar 2004, J.P van Oyen wrote:

> Running Mimedefang 2.41 and Spamassassin (die hard version 3.0.0) I
> am getting some errors. Using Spamassassin 2.63 all is working great

The SpamAssassin Perl API has changed for version 3.0.0 and it won't
yet work with MIMEDefang.  Someone on the list sent me a patch; just
haven't got around to incorporating it yet.

Regards,

David.


[Mimedefang] Issues Spamassassin 3.0.0 and Mimedefang 2.41

2004-03-24 Thread J.P van Oyen

Running Mimedefang 2.41 and Spamassassin (die hard version 3.0.0) I am getting
some errors. Using Spamassassin 2.63 all is working great !

I am seeing :

Mar 24 18:02:11 www mimedefang-multiplexor: Slave 1 stderr: Argument "3.0.0" isn't numeric in subroutine entry at (eval 37) line 1.
Mar 24 18:02:14 www mimedefang.pl[10148]: MDLOG,i2OH21eY010140,mail_in,213.211.129.27,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,VIRUS IN YOUR MAIL
Mar 24 18:02:15 www mimedefang-multiplexor: Slave 1 stderr: Can't locate object method "new" via package "Mail::SpamAssassin::NoMailAudit" (perhaps you forgot to load "Mail::SpamAssassin::NoMailAudit"?) at /usr/local/bin/mimedefang.pl line 5545.
Mar 24 18:02:15 www mimedefang-multiplexor: Slave 1 died prematurely -- check your filter rules
Mar 24 18:02:15 www mimedefang-multiplexor: Reap: Idle slave 1 (pid 10148) exited normally with status 255 (SLAVE DIED UNEXPECTEDLY)
Mar 24 18:02:15 www mimedefang-multiplexor: Slave 1 resource usage: req=1, scans=1, user=8.700, sys=1.100, nswap=0, majflt=1321, minflt=6969, maxrss=0, bi=0, bo=0

Any hints...?

 

-- \__/ --


Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Stephen Smoogen
On Wed, 2004-03-24 at 09:56, David F. Skoll wrote:
> On Wed, 24 Mar 2004, Stephen Smoogen wrote:
> 
> > I am going to be turning off the auto-whitelist because it is now filled
> > with spam addresses due to the low scores.
> 
> Ah!  I never use auto-anything because it's susceptible to poisoning.
> Could spammers have found a way to poison this?
> 

I don't know enough about it. I turned on the autowhite list yesterday
but have had the auto-bayesian turned on from day-one... even though I
have fed it a good amount of ham/spam I am going to turn it off to see
if I have better luck.

Still no idea where the Required_Hits >7 is coming from though.

> Regards,
> 
> David.
-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Gwendolynn ferch Elydyr
On Wed, 24 Mar 2004, David F. Skoll wrote:
> > I am going to be turning off the auto-whitelist because it is now filled
> > with spam addresses due to the low scores.
>
> Ah!  I never use auto-anything because it's susceptible to poisoning.
> Could spammers have found a way to poison this?

Hrm. I've got the auto-whitelisting turned off [auto-everything turned off
in fact].

cheers!
==
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."



RE: [Mimedefang] Block mail by subject

2004-03-24 Thread Lucas Albers

I would recommend you just code up some SA rules to add score for certain
subjects.
Then give whatever value you want to those keywords.
Look at antidrug for some good rules, and learn how to make your own rules.

# http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
I have never blocked by subject or filename, I just rely on SA and the
virus scanner.




-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread David F. Skoll
Try running SpamAssassin as the "defang" user with the same configuration
file used by MIMEDefang.  There may be something in defang's home
directory, Bayes data, etc. that could be causing the trouble.

Regards,

David.


Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread David F. Skoll
On Wed, 24 Mar 2004, Stephen Smoogen wrote:

> I am going to be turning off the auto-whitelist because it is now filled
> with spam addresses due to the low scores.

Ah!  I never use auto-anything because it's susceptible to poisoning.
Could spammers have found a way to poison this?

Regards,

David.


Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Stephen Smoogen
On Wed, 2004-03-24 at 09:19, David F. Skoll wrote:
> On Wed, 24 Mar 2004, Stephen Smoogen wrote:
> 
> > I took the time to look at my fairly default home box last night,
> > and seem to be seeing the same things on the scores. Everything is Red
> > Hat 9 and I am not using puremessage.
> 
> That is weird!  I'm not seeing that at all.  Could permissions on
> some of the SpamAssassin configuration files be wrong?
> 

Here is what I am seeing:

[EMAIL PROTECTED] smooge]# ls -la /etc/mail/spamassassin/
total 3704
drwxrwxr-x    2 defang   smmsp        4096 Mar 24 09:29 .
drwxr-xr-x    3 root     root         4096 Mar 23 15:32 ..
-rw-------    1 defang   defang      12288 Mar 24 09:29 auto-whitelist
-rw-r--r--    1 defang   defang    1423596 Mar 24 09:29 bayes_journal
-rw-rw-r--    1 defang   smmsp      315392 Mar 20 08:55 bayes_seen
-rw-rw-r--    1 defang   smmsp     2637824 Mar 20 08:55 bayes_toks
-rw-r--r--    1 root     root          410 Mar 16 17:03 local.cf
-rw-r--r--    1 root     root         3435 Mar 17 17:06 sa-mimedefang.cf
-rw-r--r--    1 root     root           62 Mar 17 16:35 spamassassin-default.rc
-rwxr-xr-x    1 root     root           35 Mar 17 16:35 spamassassin-helper.sh
-rw-r--r--    1 root     root           55 Mar 17 16:35 spamassassin-spamc.rc

I am going to be turning off the auto-whitelist because it is now filled
with spam addresses due to the low scores. I am also not sure where the
line about the required_hits =7 is coming from as I have set everything
to 5 as far as I can tell.

> Regards,
> 
> David.
-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread David F. Skoll
On Wed, 24 Mar 2004, Stephen Smoogen wrote:

> I took the time to look at my fairly default home box last night,
> and seem to be seeing the same things on the scores. Everything is Red
> Hat 9 and I am not using puremessage.

That is weird!  I'm not seeing that at all.  Could permissions on
some of the SpamAssassin configuration files be wrong?

Regards,

David.


Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Stephen Smoogen
On Wed, 2004-03-24 at 08:18, Gwendolynn ferch Elydyr wrote:
> On Tue, 23 Mar 2004, Stephen Smoogen wrote:
> > Hmmm puremessage sticks it in /opt normally but I think can be put
> > elsewhere. What OS are you running? If you are running an RPM style
> > distro and want to check the integrity of the RPMS to see if something
> > got written over by puremessage (rpm -V mimedefang)
> 
> I'm running RedHat 9 - but I built both my MD and SA installs, so I can't
> use RPM to check them, unfortunately.
> 
> > The other thing that can happen is if /opt is in the PATH somewhere then
> > puremessage perl might get called before the other perl.
> 
> Running SA in debug mode doesn't show any touches into /opt - but I'm
> still seeing surprisingly low scores [I've modified my default down
> to 4 - but most spam is hovering between 1 and 3, which seems all wet]
> 
> Further poking about yesterday showed that SA alone seems to be handing
> out fairly reasonable scores, but SA in combination with MD is seeing
> hideously low scoring.  It doesn't look to me as though I've turned off
> any SA rules via MD - bayes, dns and rbl checks are all enabled - but
> even after a restart, I'm not having much luck here.
> 

I took the time to look at my fairly default home box last night,
and seem to be seeing the same things on the scores. Everything is Red
Hat 9 and I am not using puremessage. 

perl modules I have compiled and installed:

perl-Archive-Tar-1.07-1.fdr_rhel.3
perl-Archive-Zip-1.09-1.fdr_rhel.3
perl-Compress-Zlib-1.33-1.fdr_rhel.3
perl-Convert-ASN1-0.18-1.fdr_rhel.3
perl-Digest-1.05-1.fdr_rhel.3
perl-Digest-Nilsimsa-0.06-1.fdr_rhel.3
perl-Digest-SHA1-2.07-1.fdr_rhel.3
perl-FreezeThaw-0.43-1.fdr_rhel.3
perl-HTML-Parser-3.35-1.fdr_rhel.3
perl-HTML-Tagset-3.03-1.fdr_rhel.3
perl-IO-Socket-SSL-0.95-1.fdr_rhel.3
perl-IO-Zlib-1.01-1.fdr_rhel.3
perl-IO-stringy-2.109-1.fdr_rhel.3
perl-MIME-tools-RP-Patched-5.411a-1.fdr_rhel.3
perl-MLDBM-2.01-1.fdr_rhel.3
perl-MailTools-1.60-1.fdr_rhel.3
perl-Net-DNS-0.46-1.fdr_rhel.3
perl-Net_SSLeay.pm-1.25-1.fdr_rhel.3
perl-Time-HiRes-1.56-1.fdr_rhel.3
perl-TimeDate-1.16-1.fdr_rhel.3
perl-Unix-Syslog-0.100-1.fdr_rhel.3
perl-razor-agents-2.36-1.fdr_rhel.3

Default perl modules
perl-5.8.0-88.3
perl-Bit-Vector-6.1-33
perl-CGI-2.81-88.3
perl-CPAN-1.61-88.3
perl-Crypt-SSLeay-0.45-7
perl-DB_File-1.804-88.3
perl-Date-Calc-5.3-3
perl-DateManip-5.40-30
perl-Digest-HMAC-1.01-11
perl-File-MMagic-1.16-3
perl-Filter-1.29-3
perl-Parse-Yapp-1.05-30
perl-SGMLSpm-1.03ii-11
perl-URI-1.21-7
perl-XML-Dumper-0.4-25
perl-XML-Encoding-1.01-23
perl-XML-Grove-0.46alpha-25
perl-XML-Parser-2.31-15
perl-XML-Twig-3.09-3
perl-libwww-perl-5.65-6
perl-libxml-enno-1.02-29
perl-libxml-perl-0.07-28
perl-suidperl-5.8.0-88.3

Mimedefang
mimedefang-2.41-1.fdr_rhel.3
mimedefang-contrib-2.41-1.fdr_rhel.3

/etc/mail/mimedefang is basically the default version for 2.41 with my
email address placed in there, and a 'default' message variable for the
various attachments to be removed.

/etc/mail/spamassassin/sa-mimedefang.cf

required_hits   5.0
ok_locales  en
rewrite_subject 0
report_header 1
use_terse_report 1
skip_rbl_checks 1
score HABEAS_SWE 2.0
use_razor2  1
use_dcc 0
use_pyzor   1
use_bayes   1
auto_learn  1
bayes_path  /etc/mail/spamassassin/bayes
bayes_auto_learn_threshold_nonspam  0.5
bayes_auto_learn_threshold_spam 5.5
bayes_learn_to_journal  1
bayes_journal_max_size  512
bayes_file_mode 0644
auto_whitelist_path /etc/mail/spamassassin/auto-whitelist
auto_whitelist_file_mode 0644

This is the same as a RHL-7.1 machine I am tracking that has
mimedefang-2.27/spamassassin-2.53. That machine is scoring the same spam
messages at above 12 but the message has a score here of 2.02.

My Spam
X-Spam-Status: No, hits=1.246 required=7
 tests=BIZ_TLD,HTML_MESSAGE,NO_REAL_NAME

The older spam
X-Spam-Status: No, hits=4.769 required=7
tests=BIZ_TLD,GAPPY_SUBJECT,HTML_40_50,HTML_MESSAGE,MIME_HTML_ONLY  

Maybe I have something turned off incorrectly?



> Is anybody running with a spam threshold hovering around 1 or 2 ?
> 
> I'm quite puzzled here.
> 

-- 
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



RE: [Mimedefang] Block mail by subject

2004-03-24 Thread Cormack, Ken
> Sarcasm noted.

Thanks for realizing that.  :)

> Finally we got a tech at the other end to admit they were blocking
> the subject "For your review" because one of the viruses was using
> that as a subject.

So you took heat because of an action/decision/policy on the receiving end?
Someone (the offended "higher-up") owes you an apology.

I've posted my own solution to blocking subject-lines before, a couple of
times, on this list.  It implements subject line keyword blocks,
complete-match blocks, and sends a 5.X.X rejection notice.  Search the list
archives for references to the CheckSubject rule for sendmail that I use.  I
currently match on 39 complete subjects, and 1270 subject keywords
(including mutations).  And given greylisting and other header checks
performed by sendmail and MIMEDefang on my systems, it still catches over
350 messages per day.  Before adding greylisting to our defenses, this was
honestly THE single most effective rule in our arsenal, formerly catching
several thousand spams per day.  We had ONE instance about a year ago where
a systemically-generated report created on a UNIX system in-house just
happened to try using a subject-line that we blocked.  A phone call to the
programmer describing the issue was all it took.  The developer re-worded
the subject just enough to miss the filter, and there have been no further
reports of false positives.  Just be careful (as always) with what you put
in the bad subject block lists.

Ken



[Mimedefang] Blocking RAR viruses

2004-03-24 Thread Tomasz Ostrowski
I've modified mimedefang-filter.example so it blocks RAR files with
executables. It uses the freeware "unrar" program, whose source and
binaries can be downloaded from RARLAB:
http://www.rarlab.com/rar_add.htm

Patch follows.

It blocks Beagle worm password protected RAR files.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


--- mimedefang-filter.example   Tue Mar 16 10:53:37 2004
+++ mimedefang-filter   Fri Mar 19 14:14:40 2004
@@ -116,6 +116,25 @@
}
}
 }
+
+# Look inside RAR files
+if (re_match($entity, '\.r(ar|[0-2][0-9])$') ) {
+   my $bh = $entity->bodyhandle();
+   if (defined($bh)) {
+   my $path = $bh->path();
+   if (defined($path)) {
+   my($code, $category, $action) =
+   run_virus_scanner( "unrar lb $path" );
+   if ($action ne 'proceed') {
+   return $code;
+   }
+   if ($code) {
+   return $code;
+   }
+   return 1 if $VirusScannerMessages =~ /$re/i;
+   }
+   }
+}
 return 0;
 }
 
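Review bot: The final check, `return 1 if $VirusScannerMessages =~ /$re/i;`, matches `$re` (defined outside this hunk) against the whole `unrar lb` listing in one go; if that pattern is anchored with `$`, only the last listed name is tested unless the match uses `/m`, so consider splitting the output on newlines and testing each name. The two `return $code` branches also treat any unrar failure (missing binary, damaged archive) as a bad-filename hit without logging why, and `"unrar lb $path"` puts `$path` into a command string unquoted; a log line on the error path and quoting the path would make both cases easier to reason about.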


RE: [Mimedefang] Block mail by subject

2004-03-24 Thread WBrown
[EMAIL PROTECTED] wrote on 03/24/2004 08:22:38 AM:
> 
> Would he be happier with a virus?  It sounds to me like he would be.  So I'd
> code an exception based on him the sender, and him the recipient, to not do
> any filtering whatsoever.  Let his box fill with spam, and let him be the
> source of all virus propagation within the organization.
> 

Sarcasm noted.  He was the sender to another recipient and the message was 
just vanishing.  That's one of the beautiful things about MD (and CanIT), 
is that it can issue a permanent failure when you refuse to accept a 
message.  If the receiver had done that, I would have had something to go 
on when trying to help my director.  All I had to go on was my logs 
showing the message being delivered. Finally we got a tech at the other 
end to admit they were blocking the subject "For your review" because one 
of the viruses was using that as a subject.

By issuing a reject, the wrath justifiably falls upon the relay being used 
to send the virus, not us. And if a real sender gets rejected, they have 
some clue as to what's going on. 

If a virus is detected, I am far more agreeable that the message can be 
quietly discarded.  But blocking on content without notification is wrong.




Re: [Mimedefang] SA suddenly not catching spam

2004-03-24 Thread Gwendolynn ferch Elydyr
On Tue, 23 Mar 2004, Stephen Smoogen wrote:
> Hmmm puremessage sticks it in /opt normally but I think can be put
> elsewhere. What OS are you running? If you are running an RPM style
> distro and want to check the integrity of the RPMS to see if something
> got written over by puremessage (rpm -V mimedefang)

I'm running RedHat 9 - but I built both my MD and SA installs, so I can't
use RPM to check them, unfortunately.

> The other thing that can happen is if /opt is in the PATH somewhere then
> puremessage perl might get called before the other perl.

Running SA in debug mode doesn't show any touches into /opt - but I'm
still seeing surprisingly low scores [I've modified my default down
to 4 - but most spam is hovering between 1 and 3, which seems all wet]

Further poking about yesterday showed that SA alone seems to be handing
out fairly reasonable scores, but SA in combination with MD is seeing
hideously low scoring.  It doesn't look to me as though I've turned off
any SA rules via MD - bayes, dns and rbl checks are all enabled - but
even after a restart, I'm not having much luck here.

Is anybody running with a spam threshold hovering around 1 or 2 ?

I'm quite puzzled here.

cheers!
==
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."





Re: [Mimedefang] Notify recipient?

2004-03-24 Thread David F. Skoll
On Wed, 24 Mar 2004, Tomasz Ostrowski wrote:

> Unfortunately for this to work there has to be good antivirus program
> on the server.

Well, yes.  It's just designed to stop people from using action_notify_sender
if one of the *_contains_virus functions finds a virus.

> And silent discard violates SMTP RFC...

Yes, it does, but the SMTP RFCs were written a long time ago for a more
friendly environment.  In my opinion, silently discarding viruses is OK,
because there are hardly ever any false-positives, and bouncing may do
more harm than good.  However, I concede that replying with a 5xx code
is the "proper" thing to do.

Regards,

David.


Re: [Mimedefang] Notify recipient?

2004-03-24 Thread Tomasz Ostrowski
On Wed, 24 Mar 2004, David F. Skoll wrote:

> On Wed, 24 Mar 2004, Tomasz Ostrowski wrote:
> 
> > I'd advocate so action_notify_sender is removed as well - because
> > over 99% virus e-mail come with forged return address.
> 
> There's an interlock that disables action_notify_sender if a virus
> is detected.  Check the mimedefang.pl source. :-)

Nice :-)

Unfortunately for this to work there has to be good antivirus program
on the server. And silent discard violates SMTP RFC...

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


RE: [Mimedefang] Block mail by subject

2004-03-24 Thread Cormack, Ken
> I wouldn't recommend blocking on all of the known virus email subjects. 
> Many of them could be legitimately used.  My director (Boss 3x removed) 
> had emails blocked by a filter based strictly on the subject.  He was not 
> a happy camper.


Would he be happier with a virus?  It sounds to me like he would be.  So I'd
code an exception based on him the sender, and him the recipient, to not do
any filtering whatsoever.  Let his box fill with spam, and let him be the
source of all virus propagation within the organization.




Re: [Mimedefang] Notify recipient?

2004-03-24 Thread David F. Skoll
On Wed, 24 Mar 2004, Tomasz Ostrowski wrote:

> I'd advocate so action_notify_sender is removed as well - because
> over 99% virus e-mail come with forged return address.

There's an interlock that disables action_notify_sender if a virus
is detected.  Check the mimedefang.pl source. :-)

Regards,

David.


Re: [Mimedefang] stream_by_recipient takes too long

2004-03-24 Thread David F. Skoll
On Wed, 24 Mar 2004, Murat Isik wrote:

> I am running MD 2.39 on Fedora Core 1. I have been playing around
> with stream_by_recipient in order to be able to assign different mail
> users different privileges. So far, technically, it works fine. First
> it does virus check. Then if a mail with an attachment to be filtered
> is sent to a privileged user and cc'ed to an unprivileged user, the
> first one gets the attachment and the second does not. So far so
> good. However there is one problem. Even in local delivery it takes
> around an hour for the both users to get these mails. Here is my code
> I use:

Read the filter man page to see exactly how it works.  Then edit
/etc/sysconfig/sendmail and add this line:

SMQUEUE=5m

and restart Sendmail.  Your times will drop to around 5 minutes.

Regards,

David.


[Mimedefang] stream_by_recipient takes too long

2004-03-24 Thread Murat Isik

Hello,

I am running MD 2.39 on Fedora Core 1. I have been playing around with
stream_by_recipient in order to be able to assign different mail users
different privileges. So far, technically, it works fine. First it does
virus check. Then if a mail with an attachment to be filtered is sent to a
privileged user and cc'ed to an unprivileged user, the first one gets the
attachment and the second does not. So far so good. However there is one
problem. Even in local delivery it takes around an hour for the both users
to get these mails. Here is my code I use:

somewhere before filter_begin:

sub canonicalize_email ($) {
    my($email) = @_;
    # Remove the surrounding angle brackets, then convert to lower case
    $email =~ s/^<//;
    $email =~ s/>$//;
    $email = lc($email);
    return $email;
}


at the very end of filter_begin:

return if (stream_by_recipient());


in filter after virus checking part:

if (canonicalize_email($Recipients[0]) eq '[EMAIL PROTECTED]') {
return;
}


Here is what the maillog says when I send mail with attachment to both
users:



Mar 24 11:33:27 alpha sendmail[30040]: i2O9XRJM030040:
from=<[EMAIL PROTECTED]>, size=10564, class=0, nrcpts=2,
msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA,
relay=[213.74.112.180]
Mar 24 11:33:28 alpha sendmail[30044]: i2O9XSum030044:
Authentication-Warning: alpha.domain.com: defang set sender to
<[EMAIL PROTECTED]> using -f
Mar 24 11:33:28 alpha sendmail[30044]: i2O9XSum030044:
from=<[EMAIL PROTECTED]>, size=10723, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Mar 24 11:33:28 alpha sendmail[30044]: i2O9XSum030044:
to=<[EMAIL PROTECTED]>, delay=00:00:00, mailer=esmtp, pri=40723,
dsn=4.4.3, stat=queued
Mar 24 11:33:29 alpha sendmail[30046]: i2O9XT23030046:
Authentication-Warning: alpha.domain.com: defang set sender to
<[EMAIL PROTECTED]> using -f
Mar 24 11:33:29 alpha sendmail[30046]: i2O9XT23030046:
from=<[EMAIL PROTECTED]>, size=10723, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Mar 24 11:33:29 alpha sendmail[30046]: i2O9XT23030046:
to=<[EMAIL PROTECTED]>, delay=00:00:00, mailer=esmtp, pri=40723,
dsn=4.4.3, stat=queued
Mar 24 11:33:30 alpha mimedefang.pl[30018]: i2O9XRJM030040: streamed by
domain or recipient and resent.
Mar 24 11:33:30 alpha mimedefang[6079]: i2O9XRJM030040: Discarding because
filter instructed us to
Mar 24 11:33:30 alpha sendmail[30040]: i2O9XRJM030040: Milter: data, discard
Mar 24 11:33:30 alpha sendmail[30040]: i2O9XRJM030040: discarded


At first I thought the mail got discarded somehow but about an hour later I
got both of the mails into my testing outlook. During that time sendmail
queue was empty so the mails got stuck somewhere else I guess.

Any ideas?



RE: [Mimedefang] stream_by_recipient takes too long

2004-03-24 Thread Paul Murphy
> However there is one problem. Even in local delivery 
> it takes around an hour for the both users to get these 
> mails. 

Stream_by_recipient forces the system to resend messages entirely, so they get
submitted to the local queue again, as your log entries show:

> Mar 24 11:33:28 alpha sendmail[30044]: i2O9XSum030044: 
> to=<[EMAIL PROTECTED]>, delay=00:00:00, mailer=esmtp, 
> pri=40723, dsn=4.4.3, stat=queued

> Mar 24 11:33:30 alpha mimedefang.pl[30018]: i2O9XRJM030040: 
> streamed by domain or recipient and resent.

My suspicion is that your client mail queue is only being processed once an
hour, or longer.  Check the local queue using
mailq -Ac
and then force it to run using 
sendmail -Ac -q -v
and watch the queue clear.

If this is the case, change the interval for your submission queue in the
Sendmail startup script (usually /etc/init.d/sendmail) by editing the line which
starts the sm-msp part of sendmail as below:
/usr/sbin/sendmail -L sm-msp-queue -Ac -q1&

Best Wishes,

Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788


___
DISCLAIMER:
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to which they
are addressed.  If you have received this email in error please contact
the sender or the Ionix IT Helpdesk on +44 (0) 1223 433741
___ 
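
Added example (not from Paul's message): a Perl script that reads maillog lines, pairs each `stat=queued` entry with the later `stat=Sent` for the same queue ID, and reports how long resubmitted copies sat in the queue. The sample log lines, host name, queue IDs, addresses and the 300-second limit are constructed for the illustration; the `stat=Sent` line follows sendmail's usual log format.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::Local qw(timegm);

my %MONTH = (Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5,
             Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11);

# Constructed sample in the maillog format quoted in the thread.
# Host name, queue IDs and addresses are made up.
my @SAMPLE = (
    'Mar 24 11:33:28 mx1 sendmail[30044]: i2OAAAAA030044: to=<alice@example.test>, delay=00:00:00, mailer=esmtp, pri=40723, dsn=4.4.3, stat=queued',
    'Mar 24 11:33:29 mx1 sendmail[30046]: i2OBBBBB030046: to=<bob@example.test>, delay=00:00:00, mailer=esmtp, pri=40723, dsn=4.4.3, stat=queued',
    'Mar 24 11:33:30 mx1 mimedefang.pl[30018]: i2OCCCCC030040: streamed by domain or recipient and resent.',
    'Mar 24 12:31:02 mx1 sendmail[30990]: i2OAAAAA030044: to=<alice@example.test>, delay=00:57:34, mailer=esmtp, pri=130723, dsn=2.0.0, stat=Sent (ok)',
);

# Return { queue_id => { queued => epoch, sent => epoch } } for every
# delivery attempt that sendmail logged as stat=queued. Syslog timestamps
# carry no year, so the caller supplies one.
sub queue_waits {
    my ($lines, $year) = @_;
    my %seen;
    for my $line (@$lines) {
        next unless $line =~ /^(\w{3})\s+(\d+)\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+
                              sendmail\[\d+\]:\s+(\w+):\s+to=.*\bstat=(\w+)/x;
        my ($mon, $day, $h, $m, $s, $qid, $stat) = ($1, $2, $3, $4, $5, $6, $7);
        next unless exists $MONTH{$mon};
        # timegm avoids DST jumps; only differences between stamps are used.
        my $t = timegm($s, $m, $h, $day, $MONTH{$mon}, $year);
        if (lc($stat) eq 'queued') {
            $seen{$qid}{queued} //= $t;      # keep the first queued time
        } elsif ($stat eq 'Sent' && exists $seen{$qid}) {
            $seen{$qid}{sent} = $t;
        }
    }
    return \%seen;
}

# One report line per queue ID that is still waiting or waited longer
# than $limit seconds before delivery.
sub report {
    my ($waits, $limit) = @_;
    my @out;
    for my $qid (sort keys %$waits) {
        my $w = $waits->{$qid};
        if (!defined $w->{sent}) {
            push @out, "$qid: queued, no stat=Sent logged yet";
        } elsif ($w->{sent} - $w->{queued} > $limit) {
            push @out, sprintf('%s: waited %d s before delivery',
                               $qid, $w->{sent} - $w->{queued});
        }
    }
    return @out;
}

unless (caller) {
    print "$_\n" for report(queue_waits(\@SAMPLE, 2004), 300);
}
```

Run against a real maillog, long waits that cluster around one interval point at the queue-run setting rather than at the filter.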



RE: [Mimedefang] Block mail by subject

2004-03-24 Thread Paul Murphy
> By the way anyone reading this, can you tell me how I might modify this
> chunk of code to block subjects where one word is rejectable e.g.
> 
> Buy your Viagra
> Get your Viagra
> Viagra cheap
> 
> Different subjects with a common word
> 
> \ [*] Viagra [*] / or something like that

You could start with $subject =~ /Viagra/i; which will catch all subjects which
contain the word, in a case-insensitive way.  However, 99% of Viagra ads now
coming through have some form of obfuscation, including but not limited to:

[EMAIL PROTECTED]
V|agra
Viägra
V.I.A.G.R.A.
Vi agra

And so on.

Use Spamassassin, auto whitelisting, greylisting, Vipul's Razor, DCC, and
bayesian filtering and you'll kill 99.9% of them.  Filter only by subject and
you'll get less than 2% if you're lucky.  Then try the same with Cialis and all
of the other interesting strings, and see if your filter can do all of its
checks before Sendmail times it out...

Best Wishes,

Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788


___
DISCLAIMER:
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to which they
are addressed.  If you have received this email in error please contact
the sender or the Ionix IT Helpdesk on +44 (0) 1223 433741
___ 
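
Added example, not part of Paul's post: a standalone Perl script showing why the one-line `/Viagra/i` test misses the obfuscated spellings listed above, and what a pattern that tolerates them has to do. The look-alike table, the sub names and the two legitimate sample subjects are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                                # a sample subject below contains "ä"
use Unicode::Normalize qw(NFKD);

# Look-alike characters per letter. Constructed for this example; extend it
# from the obfuscations you actually see in your own logs.
my %LOOKALIKE = (
    a => 'a@4',
    e => 'e3',
    i => 'i1l!|',
    o => 'o0',
    s => 's5$',
);

# Fold case and strip accents so "Viägra" becomes "viagra".
# Assumes $subject is already a decoded character string (for a raw header,
# Encode::decode('MIME-Header', $raw) does that).
sub normalize_subject {
    my ($subject) = @_;
    my $s = NFKD($subject);
    $s =~ s/\p{Mn}+//g;                  # drop combining marks left by NFKD
    return lc $s;
}

# Build a pattern for one keyword that tolerates look-alikes and up to two
# separator characters between letters ("V.I.A.G.R.A.", "Vi agra").
# The lookarounds require a non-alphanumeric on both sides, which keeps
# "via Grand Central" from matching once separators are allowed.
sub keyword_regex {
    my ($word) = @_;
    my @letters;
    for my $ch (split //, lc $word) {
        my $set = exists $LOOKALIKE{$ch} ? $LOOKALIKE{$ch} : $ch;
        push @letters, '[' . quotemeta($set) . ']';
    }
    my $body = join '[^a-z0-9]{0,2}', @letters;
    return qr/(?<![a-z0-9])${body}(?![a-z0-9])/;
}

# 1 if the normalized subject matches the tolerant pattern, else 0.
sub subject_hits {
    my ($subject, $regex) = @_;
    return normalize_subject($subject) =~ $regex ? 1 : 0;
}

unless (caller) {
    binmode STDOUT, ':encoding(UTF-8)';
    my $re = keyword_regex('viagra');
    # The first five spellings are quoted in the thread; the last two are
    # legitimate subjects that must not match.
    for my $subject ('Buy your Viagra', 'V|agra', 'Viägra', 'V.I.A.G.R.A.',
                     'Vi agra', 'Directions via Grand Central',
                     'For your review') {
        printf "%-30s plain=%d tolerant=%d\n", $subject,
            ($subject =~ /Viagra/i ? 1 : 0), subject_hits($subject, $re);
    }
}
```

Every extra keyword adds another pattern of this size to run per message, which is the cost Paul warns about when he mentions Sendmail timing the filter out.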



RE: [Mimedefang] Block mail by subject

2004-03-24 Thread Andrew Jayes
Hi,
In filter_begin I have the following code:

if (($msgSubject =~ /RE: [A-Z] {2,},(?: [A-Z]+!?)+/) ||
($msgSubject =~ /\bparis hilton\b/ )) {
 

#Bounce the mail!
action_bounce("Forbiden subject matter - Rejected");
}


As already pointed out this is gonna cause you problems if you list all
virus subjects! However just for stopping spam that always has the same
subject it's a good temporary measure.

By the way anyone reading this, can you tell me how I might modify this
chunk of code to block subjects where one word is rejectable e.g.

Buy your Viagra
Get your Viagra
Viagra cheap

Different subjects with a common word

\ [*] Viagra [*] / or something like that

Cheers

andrew 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 23 March 2004 18:44
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Block mail by subject

[EMAIL PROTECTED] wrote on 03/23/2004 12:33:20 PM:

> How can I block a mail depending on the subject ?? This is for blocking 
> messages with viruses, for example a message with the subject: "Re: Your 
> files" belongs to a virus, I have a list of all the possible subjects, 
> how can I block these subjects  one by one or all at once ?

I wouldn't recommend blocking on all of the known virus email subjects. 
Many of them could be legitimately used.  My director (Boss 3x removed) 
had emails blocked by a filter based strictly on the subject.  He was not 
a happy camper.

Why not block the known unsafe extensions, and then virus scan the rest?

Clam AV is doing a good job of picking off the inbound viruses for me.


Re: [Mimedefang] Notify recipient?

2004-03-24 Thread Steffen Kaiser
On Wed, 24 Mar 2004, Jobst Schmalenbach wrote:

>   action_notify_recipient($message)
>
> Now I wonder is there any reason for this?

How about:

drop_with_warning
  The part is deleted and a warning is added to the mail message.

replace_with_warning
  The part is deleted and instead replaced with a text message.

-and-
delete_recipient($recip)
  This function deletes $recip from the list of recipients.  That person
  will not receive a copy of the mail.  $recip should exactly match an
  entry in the @Recipients array for delete_recipient() to work.  Note
  that delete_recipient does not modify the @Recipients array; it just
  makes a note to Sendmail to delete the recipient.


for any recipient in your domain.

Bye,

-- 
Steffen Kaiser



Re: [Mimedefang] Notify recipient?

2004-03-24 Thread Tomasz Ostrowski
On Wed, 24 Mar 2004, Jobst Schmalenbach wrote:

> I want to notify the recipient (if the recipient is in OUR domain)
> that I killed a message for a reason.

$ grep 'Milter: data, reject' /var/log/maillog | wc -l
3457
$ head -1 /var/log/maillog | cut -d " " -f 1-3
Mar 21 00:09:26

Over 1000 virus messages blocked every day. For only about 150 users.
Are you really sure you want to annoy your users with these
notifications?

I'd advocate so action_notify_sender is removed as well - because
over 99% virus e-mail come with forged return address. Only
action_bounce should be possible - and it could be used only if all
MX hosts for domain use mimedefang.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


[Mimedefang] Notify recipient?

2004-03-24 Thread Jobst Schmalenbach

All,

I can see function like
 
  action_notify_administrator($message)
  action_notify_sender($message)

but not

  action_notify_recipient($message)

Now I wonder is there any reason for this?

I want to notify the recipient (if the recipient is in OUR domain)
that I killed a message for a reason.

If I want to do this do I need to include the smtp tools
or is there any other way of sending some email message to 
the recipient?


jobst

-- 
The email address in this email is used for Mailing Lists Only. 
Please reply ONLY to the list email address, do not reply to the
email directly, it is send to /dev/null if not from the mailing list
domain.

perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'


 __, Jobst Schmalenbach, Technical Director
   _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L  
 -(_)--(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia