AW: [Mimedefang] Solaris socket files.

2004-04-21 Thread A . Jones
You won't ever see anything in a socket file, whether Solaris or any other
Unix-like OS. A socket is not really a file. It's a FIFO (first in, first
out) that is grounded in the filesystem for the sake of being able to name
it, and because everything in Unix is a "file". Applications treat named
sockets a lot more like network (e.g. UDP) sockets than files. So, no reason
to worry.

-&


-Original Message-
From: Larry Guest [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 22 April 2004 05:52
To: [EMAIL PROTECTED]
Subject: [Mimedefang] Solaris socket files.


I have just installed the latest mimedefang on a Solaris 9 server.

I can get it to run and it seems to be working.  But I don't see
anything in the ".sock" file.

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Bounce if its not for a local user.

2004-04-21 Thread Bill Maidment
Use the sendmail access file to define accepted users and then reject 
anything else for that domain.

Bill

Larry Guest wrote:

> I would like to filter mail and bounce anything that is not for a local
> user.
> I assume I will have to setup a file on the server and list all the
> valid users in this file.  There are only about 50 at the most so this
> is not a problem.
>
> Any ideas?



[Mimedefang] Bounce if its not for a local user.

2004-04-21 Thread Larry Guest
I would like to filter mail and bounce anything that is not for a local
user.  
I assume I will have to setup a file on the server and list all the
valid users in this file.  There are only about 50 at the most so this
is not a problem.

Any ideas?




[Mimedefang] Solaris socket files.

2004-04-21 Thread Larry Guest
I have just installed the latest mimedefang on a Solaris 9 server.

I can get it to run and it seems to be working.  But I don't see
anything in the ".sock" file.

Not sure if it's working the right way or not and if it will be stable in
production like this.
Is there supposed to be anything in these files?

Here is what I see.




# pwd
/var/spool/MIMEDefang
# ls -la
total 8
drwx------   2 defang   other        512 Apr 21 20:26 .
drwxr-xr-x  14 root     bin          512 Apr 19 14:16 ..
-rw-r-----   1 defang   other          5 Apr 21 18:41 mimedefang-multiplexor.pid
srw-------   1 defang   other          0 Apr 21 18:41 mimedefang-multiplexor.sock
-rw-r-----   1 defang   other          5 Apr 21 18:41 mimedefang.pid
srwxr-x---   1 defang   other          0 Apr 21 18:41 mimedefang.sock
# ls -la ../
total 28
drwxr-xr-x  14 root     bin          512 Apr 19 14:16 .
drwxr-xr-x  35 root     sys          512 Apr  8 10:50 ..
drwx------   2 defang   other        512 Apr 19 14:16 MD-Quarantine
drwx------   2 defang   other        512 Apr 21 20:26 MIMEDefang
drwxrwx---   2 smmsp    smmsp       1024 Apr 21 20:26 clientmqueue
drwxr-xr-x   4 root     sys          512 Apr  7 16:25 cron
drwxr-xr-x   2 uucp     uucp         512 Apr  7 16:25 locks
drwxrwxr-x   5 lp       lp           512 Apr  7 16:31 lp
drwxr-xr-x   2 root     other       1024 Apr 21 20:26 mqueue
drwxrwxrwt   7 root     bin          512 Apr 19 19:21 pkg
drwxr-xr-x   2 root     lp           512 Apr  7 16:43 print
drwxrwxrwt   2 root     bin          512 Apr  7 17:03 samba
drwxr-xr-x   5 uucp     uucp         512 Apr  7 17:06 uucp
drwxrwxrwt   2 uucp     uucp         512 Apr  7 17:06 uucppublic
# 



Re: [Mimedefang] Problem scanning multiple attachments with Kaspersky Anti-Virus for Linux Workstation 5.0.2.0

2004-04-21 Thread Cahya Wirawan
On Thu, Apr 01, 2004 at 09:29:04PM -0500, David F. Skoll wrote:
> On Fri, 2 Apr 2004, Ernst-Paul ten Brinke wrote:
> 
> > Let's say you send a message with an attachment a.zip and b.zip and a.zip
> > contains a virus and b.zip not.
> 
> > Calling aveclient with multiple files or in this case with a * returns only
> > the scan return code of the last MIME part scanned.
> 
> Wow.  aveclient is badly broken, then; I recommend switching to a different
> virus scanner.  Otherwise, you'll have to call entity_contains_virus
> for each part, and that's a waste of time.

Hi David, what is the intention of scanning all files in the $CWD/Work
directory, including the original email INPUTMBOX? I see it in
mimedefang.pl:
  sub message_contains_virus_avp5 () {
  ...
  # the shell glob hands every file in the Work directory to aveclient
  my($code, $category, $action) =
      run_virus_scanner($Features{'Virus:AVP5'} . " -s -p /var/run/aveserver $CWD/Work/* 2>&1", "INFECTED");
  ...
  }

because for Kaspersky it is enough to scan only INPUTMBOX, and it is
not necessary to scan each part of the email again.
This also causes a problem for mimedefang, because if we scan all
files in the Work directory, Kaspersky 5 will return the error code for the
last file it scanned.
Also, if I change the code above to:
  # scan only the complete original message
  run_virus_scanner($Features{'Virus:AVP5'} . " -s -p /var/run/aveserver $CWD/Work/INPUTMBOX 2>&1", "INFECTED");
mimedefang with Kaspersky will correctly recognize an email with multiple
attachments, no matter what order the attachments are in.

regards,
cahya.
  



RE: [Mimedefang] Sendmail upgrade...

2004-04-21 Thread Henrik Schmiediche

Thanks.

I have a working sendmail.mc. I am using Solaris 8, but my sendmail is stock
from sendmail.org.

OT: Not happy with Fedora Core 1 on my test system. Will try Suse 9 (9.1)
next. If that works well, then I will switch to SUSE as the default desktop
OS.


Sincerely,

   - Henrik


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug Brott
Sent: Wednesday, April 21, 2004 3:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Sendmail upgrade...

Henrik Schmiediche wrote:

>Hello,
>I recently implemented mimedefang using sendmail 8.12.10. I have never
>upgraded sendmail with mimedefang present. Before I break everything... if I
>want to upgrade Sendmail 8.12.10 to 8.12.11 do I need to reinstall
>mimedefang as well? Any other caveats to watch out for?
>
>Sincerely,
>
>   - Henrik
>
>  
>
As long as you have a working sendmail.mc file, things should be fairly 
straight forward.  I'm not sure what OS you are using, but if you are 
using Fedora Core 1, I would caution against attempting to upgrade to 
sendmail 8.12.11.  RedHat/Fedora has made enough patch fixes to the base 
sendmail code that makes it troublesome to accomplish.  Fedora Core 2 
has a later sendmail available, and I believe that that fits within the 
constraints established for the Fedora installations.

Now, if you are using another distribution, it may very well be trivial 
to do the upgrade from 8.12.10 to 8.12.11.  In fact, this is what I used 
to do until I got lazy.  If that is the case, then make sure you have a 
working sendmail.mc file so that you can re-generate the sendmail.cf 
with the new version of sendmail.  You should be able to stop sendmail, 
install the new one and then start sendmail again with things working as 
expected.

Good luck and let us know how it works out.

Regards.

-- 
Doug Brott
[EMAIL PROTECTED]



RE: [Mimedefang] Fw: m4 error for site.config.m4 ?

2004-04-21 Thread Dan Tulovsky
You can get a newer version of m4 here:

ftp://ftp.gnu.org/gnu/m4/

Dan
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Benson
Lei
Sent: Tuesday, April 20, 2004 8:52 AM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] Fw: m4 error for site.config.m4 ?


Hi,

I am using the Red Hat Linux v9.0 + its bundled software ( the rpm
package of m4 is v4.2). I want to re-compile the sendmail from source
code for installing the Mimedefang.

However, while I just got into the step ( sh Build ).

There is a problem for compiling the config file "site.config.m4") as
the attached image...m4 compiler.

Is there any idea ??

Thank you for your help

With best regards
Benson


PS. the site.config.m4 is just having two lines as your site provides:

dnl Milter
APPENDDEF(`conf_sendmail_ENVDEF`,`-DMILTER`)





Re: [Mimedefang] Sendmail upgrade...

2004-04-21 Thread Doug Brott
Henrik Schmiediche wrote:

> Hello,
> I recently implemented mimedefang using sendmail 8.12.10. I have never
> upgraded sendmail with mimedefang present. Before I break everything... if I
> want to upgrade Sendmail 8.12.10 to 8.12.11 do I need to reinstall
> mimedefang as well? Any other caveats to watch out for?
> Sincerely,
>
>   - Henrik

 

As long as you have a working sendmail.mc file, things should be fairly 
straight forward.  I'm not sure what OS you are using, but if you are 
using Fedora Core 1, I would caution against attempting to upgrade to 
sendmail 8.12.11.  RedHat/Fedora has made enough patch fixes to the base 
sendmail code that makes it troublesome to accomplish.  Fedora Core 2 
has a later sendmail available, and I believe that that fits within the 
constraints established for the Fedora installations.

Now, if you are using another distribution, it may very well be trivial 
to do the upgrade from 8.12.10 to 8.12.11.  In fact, this is what I used 
to do until I got lazy.  If that is the case, then make sure you have a 
working sendmail.mc file so that you can re-generate the sendmail.cf 
with the new version of sendmail.  You should be able to stop sendmail, 
install the new one and then start sendmail again with things working as 
expected.

Good luck and let us know how it works out.

Regards.

--
Doug Brott
[EMAIL PROTECTED]


Re: [Mimedefang] Fw: m4 error for site.config.m4 ?

2004-04-21 Thread Alexander Dalloz
On Tue, 20.04.2004 at 15:51, Benson Lei wrote:

> Hi,
> 
> I am using the Red Hat Linux v9.0 + its bundled software ( the rpm package
> of m4 is v4.2). I want to re-compile the sendmail from source code for
> installing the Mimedefang.
> 
> However, while I just got into the step ( sh Build ).
> 
> There is a problem for compiling the config file "site.config.m4") as the
> attached image...m4 compiler.
> 
> Is there any idea ??
> 
> Thank you for your help
> 
> With best regards
> Benson
> 
> 
> PS. the site.config.m4 is just having two lines as your site provides:
> 
> dnl Milter
> APPENDDEF(`conf_sendmail_ENVDEF`,`-DMILTER`)

A bit few instructions. I doubt m4 is too old on RH9. But why do you
want to compile a new sendmail source on top of RH9 when at the same time
you were too lame (sorry for being that direct) to install the latest bug
fixing kernel but are running the fair old and highly vulnerable old initial
RH9 kernel with a lot of local and remote (root) vulnerabilities? At least
your attached screenshot shows that old kernel (source) version.

The Sendmail for RH9 has milter support, if that was the reason for self
compilation.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2179.nptl
Sirendipity 21:18:38 up 3 days, 4:04, load average: 0.05, 0.14, 0.19 
   [ γνωθι σ'αυτον - gnothi seauton ]
 my life is a planetarium - and you are the stars



Re: [Mimedefang] Fw: m4 error for site.config.m4 ?

2004-04-21 Thread Nels Lindquist
On 20 Apr 2004 at 21:51, Benson Lei wrote:

> I am using the Red Hat Linux v9.0 + its bundled software ( the rpm package
> of m4 is v4.2). I want to re-compile the sendmail from source code for
> installing the Mimedefang.

You don't need to; just install the sendmail-devel package.  It's got 
all the headers and libraries necessary for building MIMEDefang.

Nevertheless, for future reference...

> There is a problem for compiling the config file "site.config.m4") as the
> attached image...m4 compiler.

> dnl Milter
> APPENDDEF(`conf_sendmail_ENVDEF`,`-DMILTER`)

Watch your quotes.  m4 is very particular; you need an opening 
backtick (`), but a closing single quote (').

Should be:

APPENDDEF(`conf_sendmail_ENVDEF',`-DMILTER')
                               ^          ^
Nels Lindquist <*>

Quidquid latine dictum sit altum viditur.

Whatever is said in Latin, sounds profound.



[Mimedefang] Another Update to MIMEDefang Filter KAM

2004-04-21 Thread Kevin A. McGrail
It's my belief that anomy's html cleaning abilities are significantly
lack-luster/problematic/etc. as to possible merit removal from MIMEDefang at
some near point in the future ;-)

In case anyone cares, $/ is the input delimiter variable and is typically
set to \n (newline).  By setting it to undef, it reads the whole shebang as
a single file.  However, I'm not sure you really answered the question below
BUT I think you might have pointed me in the right direction because of this
tidbit in the docs:

Body class:        Stores body data in:   When open()ed, returns:

MIME::Body::File   disk file              IO::Handle  <--

So knowing that it's a front-end for IO::Handle, I searched the source code
for Handle.pm and confirmed that it reacts to the $/ changes.  Therefore, here
is the updated code to do one regexp after slurping and implements the size
check thanks to DFS and Stefen's input:

NOTE: It's in the filter () section in the file here:
http://www.peregrinehw.com/downloads/MIMEDefang/mimedefang-filter-KAM

#Disable bad HTML code -- Based on work by Columbia University / Joseph Brennan
#Modified by KAM 2004-04-16
#Modified by KAM 2004-04-21 to add slurp of entire message and one regexp check + size check
if ($type eq "text/html") {
  my($io, $currentline, $output, $badtag, $delimiter_backup, $sizelimit);

  $badtag = 0;
  $output = "";
  $sizelimit = 1048576; #1MB #max size of an email you want to check in bytes
  $delimiter_backup = $/;

  # -s needs the path itself; a method call is not interpolated inside a quoted string
  if ((-s $entity->bodyhandle->path) <= $sizelimit) {
    if ($io = $entity->open("r")) {
      undef $/; # undef the separator to slurp it in.
      $output = $io->getline;
      $io->close;
  $badtag = $output =~ s/<(iframe|script|object)\b/open("w")) {
          $io->print($output);
          $io->close;
        }
        md_graphdefang_log('modify',"$badtag Iframe/Object/Script tag(s) deactivated by MIMEDefang");
        action_change_header("X-Warning", "$badtag Iframe/Object/Script tag(s) deactivated by MIMEDefang");
        action_rebuild();
      }
    }
  }
  $/ = $delimiter_backup;
}


Regards,
KAM



Re: Getting the size of an entity (was Re: [Mimedefang] Update to MIMEDefang Filter KAM)

2004-04-21 Thread Kevin A. McGrail
Thanks.  I'm just about to add this to the code then.

KAM

> You can get the name of the file holding the data as
> $entity->bodyhandle->path and then test its size with the Perl "-s"
> operator.



[Mimedefang] PL HELP Whole mail service is down !!!

2004-04-21 Thread manishankar pandey
Dear all,

I am using MIMEDefang 2.41 and installed recently ..
Today we took the shutdown of the server and after
that mail service is not at all working ...

/var/log/syslog has following message :-

1)Milter(Mimedefang): error connecting to filter:
connection refused by
/var/spool/MIMEDefang/mimedefang.sock

2)milter(mimedefang): to error state
Milter: initialization failed,temp failing connection

I tried to start manually also from 
/etc/init.d giving command 
#./mimedefang start 

but when running ps -ef to see the process running not
seeing anything related with MIMEDefang running...:-(

In /var/spool/MIMEDefang/

there is no file name mimedefang.sock is getting
created also.

What could be the permission for a user  I mean
'defang' user on the system ...

What I am missing please let me know


Thanks in advance and desperately looking for your
help..

Mimedefang is configured on SOLARIS 9 here


--- "David F. Skoll" <[EMAIL PROTECTED]> wrote:
> On Wed, 21 Apr 2004, Murat Isik wrote:
> 
> > Is there anything else than adding this code, like a change to the init
> > script just like in filter_recipient or so?
> 
> Yes; you need to use "-r" with "mimedefang".
> 
> Regards,
> 
> David.


Re: [Mimedefang] relaying for multiple domains and servers and LDAPlookups

2004-04-21 Thread Kevin A. McGrail
> Why can't spyware be prosecuted under current hacking laws (at least in
> the US) as an illegal use of computer resources - CPU cycles if nothing
> else?  For that matter, do the same with virus writers.

Assuming this is the more valid Spyware that is installed as a tag-along or
drive by, then the user is "sort of" agreeing to the product.  In Maryland
and Virginia, at least, the EULA is an in force contract.

I know the FTC has recommended some guidelines for MUCH clearer notification
and uninstalls for all spyware (and perhaps more) but currently, the best I
know in the US, spyware is legal.  Heck, even Microsoft does it with IE and
Media Player and Windows Update.

KAM



[Mimedefang] dnsbl

2004-04-21 Thread Murat Isik
Thanks for the replies,

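sub filter_relay {
    my ($ip, $name, $helo) = @_;
    if (relay_is_blacklisted($ip, 'sbl.spamcop.net')) {
        # double quotes so that $ip is interpolated into the reply text
        return('REJECT', "You are listed in sbl.spamcop.net, see url=$ip for more details");
    }
    # filter_relay has to return a (status, message) pair on every path
    return('CONTINUE', 'ok');
}


Is there anything else than adding this code, like a change to the init
script just like in filter_recipient or so? I am asking this since I added
this code:

sub filter_relay {
    my ($ip, $name, $helo) = @_;
    if (relay_is_blacklisted($ip, 'sbl.spamcop.net')) {
        # double quotes so that $ip is interpolated into the reply text
        return('REJECT', "You are listed in sbl.spamcop.net, see url=$ip for more details");
    } else {
        md_syslog('warning', "Spamcop checked");
    }
    # filter_relay has to return a (status, message) pair on every path
    return('CONTINUE', 'ok');
}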

and I get nothing related in the maillog.

Have a nice day.

Murat Isik




Re: [Mimedefang] dnsbl

2004-04-21 Thread David F. Skoll
On Wed, 21 Apr 2004, Murat Isik wrote:

> Is there anything else than adding this code, like a change to the init
> script just like in filter_recipient or so?

Yes; you need to use "-r" with "mimedefang".

Regards,

David.


[Mimedefang] Sendmail upgrade...

2004-04-21 Thread Henrik Schmiediche

Hello,
I recently implemented mimedefang using sendmail 8.12.10. I have never
upgraded sendmail with mimedefang present. Before I break everything... if I
want to upgrade Sendmail 8.12.10 to 8.12.11 do I need to reinstall
mimedefang as well? Any other caveats to watch out for?

Sincerely,

   - Henrik




Re: [Mimedefang] MD 2.42 find wrong version of kaspersky 5

2004-04-21 Thread David F. Skoll
> thanks david, but that is not my point. my point is that MD should
> not take kavscanner as a virus scanner during MD installation if
> the server has only kaspersky version 5.

I'll fix it for the next release.

Regards,

David.


Re: [Mimedefang] MD 2.42 find wrong version of kaspersky 5

2004-04-21 Thread Cahya Wirawan
On Wed, Apr 21, 2004 at 11:19:55AM -0400, David F. Skoll wrote:
> In your filter, set:
> 
>   $Features{'Virus:AVP'} = 0;
> 
> and MD will no longer use kavscanner.

thanks david, but that is not my point. my point is that MD should
not take kavscanner as a virus scanner during MD installation if 
the server has only kaspersky version 5.

cahya.


Re: [Mimedefang] Problem scanning multiple attachments with Kaspersky Anti-Virus for Linux Workstation 5.0.2.0

2004-04-21 Thread Cahya Wirawan
On Thu, Apr 01, 2004 at 09:29:04PM -0500, David F. Skoll wrote:
> > Let's say you send a message with an attachment a.zip and b.zip and a.zip
> > contains a virus and b.zip not.
> 
> > Calling aveclient with multiple files or in this case with a * returns only
> > the scan return code of the last MIME part scanned.
> 
> Wow.  aveclient is badly broken, then; I recommend switching to a different
> virus scanner.  Otherwise, you'll have to call entity_contains_virus
> for each part, and that's a waste of time.

I have also the same problem with aveclient, but if I save the 2
messages with different order of attachment in 2 mbox files, and then
I scan it manually with aveclient, then aveclient says the same virus warning
and I get the right return code 4 from both emails. so I think aveclient
is working ok.

cahya 



Re: [Mimedefang] MD 2.42 find wrong version of kaspersky 5

2004-04-21 Thread David F. Skoll
On Wed, 21 Apr 2004, Cahya Wirawan wrote:

> I have installed kaspersky 5 for fileserver, it has
> aveclient and kavscanner in binary directory, but a
> new MD installation will think that I have kasperky 5
> (aveclient) and the old kaspersky (because of kavscanner,
> although actually this belong to kasperky 5). So
> the mail will be scanned with both aveclient and kavscanner.

In your filter, set:

$Features{'Virus:AVP'} = 0;

and MD will no longer use kavscanner.

Regards,

David.


Re: [Mimedefang] relaying for multiple domains and servers and LDAP lookups

2004-04-21 Thread WBrown
[EMAIL PROTECTED] wrote on 04/21/2004 09:51:20 AM:

> 
> Since I am assuming by LDAP, you really mean MS LDAP or AD for Microsoft
> Exchange, I *really* recommend the LDAP to Access table solution.

Actually, they are mostly Lotus Domino servers, but we are filtering for 
one Exchange server already.  They are all in separate internet domains.
 
> A) it's the most basic level to reject the connection with sendmail before
> throwing the email to a 20MB+ program

That's why I was interested in building a single aggregate LDAP and 
pointing sendmail at it.

> C) all the research and reading we have done tells us that an NT/2K/2K3
> server will NOT withstand a dictionary attack that causes LDAP lookups
> galore.  The concept of "lightweight" behooves Microsoft programmers ;-)  In
> fact, the threshold was ridiculously low like 3 queries per second tying up
> a 450Mhz PII server.  Granted you might have a better server but still,
> that's ridiculous scalability.

Somehow I am not surprised.  You mean "lightweight" doesn't mean 
"collapse under slight load"?  

> In closing, a second solution I might suggest is the idea I had for the
> check against SMTP server in MD.  In short, build a DB tie that caches
> correct and incorrect answers on the fly and expires them periodically.
> Unfortunately, because of dictionary attacks, this could lead to a
> *potential* DoS if you get 4 billion incorrect requests on a server with 15
> correct answers.

Sure, if I was more of a programmer!! I used to be, but have been on the 
system admin (especially mail servers of late) side of things for quite a 
while and the programming skills are pretty rusty!  I'm still learning the 
basics of perl.  This sounds like it would be a bit of a project.
 
> I can also recommend, for those that haven't figured this out yet, do NOT
> use first name emails (i.e. [EMAIL PROTECTED]).  Use's multi-name,
> firstname.lastname, firstinitial.lastname, etc. etc.  We are DEFINITELY
> seeing ratware that is taking SPAM lists and DOMAIN lists and lists of names
> and combining it all into super dictionary attacks.  Think about entire days
> filled with nothing but email addresses starting with
> [EMAIL PROTECTED]

For the most part, it's FirstinitialLastname without a separator.  Makes 
it easy to send someone email, but also easy for the spammers.  I'm 
convinced that sender authentication like SPF is the way to go.  I was 
reading the spooge from Microsoft about Domain keys, and he wants to 
violate RFCs by using underscores in DNS records.  Not to mention the 
complexity of XML in DNS records.  What's wrong with plain text in the 
right format?  (OK, getting off the soapbox now)

> 

What's really scary is I had the same thought about a GAIN type network 
of spam zombies yesterday!  Were you eavesdropping on my thoughts in the 
shower?  
 
> 
> If the above happened, the "legitimate" spyware programs would all look
> REALLY bad and be lambasted by the media, FTC, consumer groups, consumers,
> gophers, etc.
> 

Why can't spyware be prosecuted under current hacking laws (at least in 
the US) as an illegal use of computer resources - CPU cycles if nothing 
else?  For that matter, do the same with virus writers.


Re: [Mimedefang] Specific quarantine folder

2004-04-21 Thread David F. Skoll
On Wed, 21 Apr 2004, Ashley M. Kirchner wrote:

> Is there some way to execute action_quarantine() and specify what
> folder to drop the data in?

Yes, but it's undocumented behavior -- don't count on it!

Before executing action_quarantine, set $QuarantineDir to wherever:

   # $is_spam and $is_virus are placeholders for your filter's own tests
   if ($is_spam) {
       $QuarantineDir = '/var/spool/MD-Quarantine/spam';
   } elsif ($is_virus) {
       $QuarantineDir = '/var/spool/MD-Quarantine/virus';
   } else {
       $QuarantineDir = '/var/spool/MD-Quarantine/unknown';
   }

   action_quarantine();

--
David.


[Mimedefang] MD 2.42 find wrong version of kaspersky 5

2004-04-21 Thread Cahya Wirawan
Hi,
I have installed kaspersky 5 for fileserver, it has
aveclient and kavscanner in binary directory, but a
new MD installation will think that I have kasperky 5
(aveclient) and the old kaspersky (because of kavscanner,
although actually this belong to kasperky 5). So
the mail will be scanned with both aveclient and kavscanner.
That is waste of time, MD should only use aveclient.
kavscanner in kasperky 5 is stand alone scanner, it will
load the whole virus database everytime it is executed.

regards,
cahya.  


[Mimedefang] Specific quarantine folder

2004-04-21 Thread Ashley M. Kirchner
   Is there some way to execute action_quarantine() and specify what 
folder to drop the data in?  Right now, everything gets quarantined in 
/var/spool/MD-Quarantine, and I'd like to do something like:

   /var/spool/MD-Quarantine/spam/
   /var/spool/MD-Quarantine/virus/
   /var/spool/MD-Quarantine/unknown/
   ...and have data dropped in those folder (just like it currently 
does in MD-Quarantine) based on a particular criteria in the filter.  
Possible?

--
H| I haven't lost my mind; it's backed up on tape somewhere.
 +
 Ashley M. Kirchner    .   303.442.6410 x130
 IT Director / SysAdmin / WebSmith . 800.441.3873 x130
 Photo Craft Laboratories, Inc.. 3550 Arapahoe Ave. #6
 http://www.pcraft.com . .  ..   Boulder, CO 80303, U.S.A. 





Re: [Mimedefang] relaying for multiple domains and servers and LDAP lookups

2004-04-21 Thread Kevin A. McGrail
> > Another alternative would be to pull the information from all the end mail
> > servers using LDAP and dump it all into one local LDAP directory.  I could
> > then query that local server (which would not require remote server to
> > even be up).
>
> That's also a possibility.  You don't need the whole LDAP directory; all
> you need is a list of valid addresses.  You could dump that into an access
> table and do it all in Sendmail.

Since I am assuming by LDAP, you really mean MS LDAP or AD for Microsoft
Exchange, I *really* recommend the LDAP to Access table solution.

A) it's the most basic level to reject the connection with sendmail before
throwing the email to a 20MB+ program
B) we tried a LOT of routes and this is really a simple yet elegant and
long-term solution.  Many of the other solutions we tried are too fragile,
prone to delays, etc.
C) all the research and reading we have done tells us that an NT/2K/2K3
server will NOT withstand a dictionary attack that causes LDAP lookups
galore.  The concept of "lightweight" behooves Microsoft programmers ;-)  In
fact, the threshold was ridiculously low like 3 queries per second tying up
a 450Mhz PII server.  Granted you might have a better server but still,
that's ridiculous scalability.

In closing, a second solution I might suggest is the idea I had for the
check against SMTP server in MD.  In short, build a DB tie that caches
correct and incorrect answers on the fly and expires them periodically.
Unfortunately, because of dictionary attacks, this could lead to a
*potential* DoS if you get 4 billion incorrect requests on a server with 15
correct answers.

Your Mileage May Vary but I am seeing more egregious and outlandish attacks
daily and withstanding virii that try and send 120K emails an hour is
getting to be routine.

I can also recommend, for those that haven't figured this out yet, do NOT
use first name emails (i.e. [EMAIL PROTECTED]).  Use's multi-name,
firstname.lastname, firstinitial.lastname, etc. etc.  We are DEFINITELY
seeing ratware that is taking SPAM lists and DOMAIN lists and lists of names
and combining it all into super dictionary attacks.  Think about entire days
filled with nothing but email addresses starting with
[EMAIL PROTECTED]


Additionally, here's my scary thought for the day.  Not really my thought
though as I was speaking with the lead sales guy at Pest Patrol yesterday
and we were discussing spyware problems we've seen/predict.  PestPatrol's
prediction is that someone will compromise a "popular" spyware program and
get a hold of the trickler (the program that trickles in exe's out of order
and low bandwidth to allow for program updates, etc.  A fairly common
practice in the spy/malware arena).

With this exploited capability, someone could install anything and do it
MUCH faster than viruses have.  Think about something like GAIN (running on
like 30 million computers) that gets exploited and the person now in control
triggers a SPAMMING program to trickle, install and run on all those
"zombie" spyware infested machines.

Some (all? many?) of these tricklers run at the SAME level that a firewall
software would run on the machine to bypass some of the more standard
firewall software.  And you typically can't find them through stateful
packet inspections because they run low-volume, out of order packets on port
80.



If the above happened, the "legitimate" spyware programs would all look
REALLY bad and be lambasted by the media, FTC, consumer groups, consumers,
gophers, etc.


Regards,
KAM
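
The caching idea above, with the dictionary-attack problem handled by capping the negative side, as an added example that is not code from this thread or from MIMEDefang. Plain in-memory hashes stand in for the tied DB, and the TTL, the cap, the example.org addresses and the recipient_ok name are assumptions made for the sketch.

```perl
#!/usr/bin/perl
# Added example: recipient-verification cache with a capped negative side.
use strict;
use warnings;

my $TTL     = 3600;    # seconds a cached answer stays valid (constructed value)
my $MAX_NEG = 1000;    # hard cap on cached "no such user" answers (constructed)

my (%pos, %neg);       # address => expiry time
my @neg_fifo;          # negative keys, oldest first, for eviction

# $lookup is a code ref standing in for the slow back-end check
# (LDAP query or SMTP RCPT probe); it returns true for a valid address.
sub recipient_ok {
    my ($addr, $lookup, $now) = @_;
    $now = time unless defined $now;
    ($addr = lc $addr) =~ s/^<|>$//g;        # normalise "<User@Example.ORG>"

    return 1 if ($pos{$addr} // 0) > $now;   # fresh positive answer
    return 0 if ($neg{$addr} // 0) > $now;   # fresh negative answer

    if ($lookup->($addr)) {
        # Valid users are few, so the positive side needs no cap.
        $pos{$addr} = $now + $TTL;
        @neg_fifo = grep { $_ ne $addr } @neg_fifo if delete $neg{$addr};
        return 1;
    }
    delete $pos{$addr};
    push @neg_fifo, $addr unless exists $neg{$addr};
    $neg{$addr} = $now + $TTL;
    # A dictionary attack only ever recycles these $MAX_NEG slots.
    delete $neg{ shift @neg_fifo } while keys(%neg) > $MAX_NEG;
    return 0;
}

# Constructed demo: 15 real users, 5000 guessed names, one repeated guess.
my %directory;
$directory{"user$_\@example.org"} = 1 for 1 .. 15;
my $queries = 0;
my $backend = sub { $queries++; return $directory{ $_[0] } };

recipient_ok("<guess$_\@example.org>", $backend) for 1 .. 5000;
recipient_ok('<guess5000@example.org>', $backend);    # served from cache
recipient_ok('<User7@Example.ORG>', $backend) for 1 .. 3;

printf "negative entries: %d, positive entries: %d, back-end queries: %d\n",
    scalar(keys %neg), scalar(keys %pos), $queries;
```

The cap bounds memory, not back-end load: every guess that is not already cached still costs one lookup, which is the argument for the static access table.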



Re: [Mimedefang] relaying for multiple domains and servers and LDAP lookups

2004-04-21 Thread David F. Skoll
On Wed, 21 Apr 2004 [EMAIL PROTECTED] wrote:

> Is there a way (hopefully easy) to configure sendmail or mimedefang to
> query a number of different servers to validate email recipients before
> accepting a message.

What's your definition of "easy"? :-)

The obvious way is to have a per-domain table of which server to do the
lookup against.  Something like:

my %ldap_servers = ( 'domain1.com' => 'ldap.domain1.com',
                     'abc.net'     => 'directory.abc.net' );

# Extract domain from address: strip angle brackets and make lower-case
# first, so that "<User@ABC.NET>" maps to "abc.net".
my $domain = lc($addr);
$domain =~ s/^<//;
$domain =~ s/>$//;
$domain =~ s/.*\@//;
my $server = $ldap_servers{$domain};
if (defined($server)) {
    # Do the LDAP lookup
}

> Another alternative would be to pull the information from all the end mail
> servers using LDAP and dump it all into one local LDAP directory.  I could
> then query that local server (which would not require remote server to
> even be up).

That's also a possibility.  You don't need the whole LDAP directory; all
you need is a list of valid addresses.  You could dump that into an access
table and do it all in Sendmail.

Regards,

David.
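
One way to produce the access-table entries suggested above from a dump of directory values, as an added example that is not code from this thread or from sendmail. It assumes the To: tag with RELAY and ERROR:5.1.1:550 right-hand sides is what the site's sendmail configuration honours (check cf/README for the installed version) and that values may carry Active Directory's smtp: prefix; the build_access name and the sample values are constructed.

```perl
#!/usr/bin/perl
# Added example: turn a dump of valid addresses into sendmail access entries.
use strict;
use warnings;

# Domains this gateway relays for (taken from the snippet in the message).
my %relay_domain = map { $_ => 1 } qw(domain1.com abc.net);

# Returns (\@access_lines, \@rejected_input) for a list of directory values.
sub build_access {
    my @values = @_;
    my (%seen, @lines, @bad);
    for my $raw (@values) {
        my $addr = lc $raw;
        $addr =~ s/^smtp://;                 # AD proxyAddresses prefix
        # Strict syntax check: a stray tab or newline in a directory value
        # must never become an extra key or action in the access map.
        unless ($addr =~ /\A[a-z0-9._+=-]+\@([a-z0-9.-]+)\z/
                && $relay_domain{$1}) {
            push @bad, $raw;
            next;
        }
        push @lines, "To:$addr\tRELAY" unless $seen{$addr}++;
    }
    # Catch-all per domain: anything not listed above is refused at RCPT.
    push @lines, "To:$_\tERROR:5.1.1:550 User unknown"
        for sort keys %relay_domain;
    return (\@lines, \@bad);
}

# Constructed sample of values as they might come out of an LDAP export.
my @dump = (
    'SMTP:Alice.Smith@domain1.com',
    'smtp:asmith@domain1.com',
    'bob.jones@abc.net',
    'X400:c=US;a= ;p=Example;o=Exchange;s=Smith;',
    "mallory\@abc.net\tRELAY\nTo:evil.example",
    'carol@other.example',
);

my ($lines, $bad) = build_access(@dump);
print "$_\n" for @$lines;
printf STDERR "skipped %d unusable value(s)\n", scalar @$bad;
```

The output is meant to be merged into the access file and rebuilt with makemap; values that fail the check are reported rather than written, so a malformed directory entry cannot widen what the gateway relays.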


[Mimedefang] relaying for multiple domains and servers and LDAP lookups

2004-04-21 Thread WBrown
Is there a way (hopefully easy) to configure sendmail or mimedefang to
query a number of different servers to validate email recipients before
accepting a message?  For example, email is received for xyz.org, I would
look to their LDAP server, but a message for abc.org would be queried
against the LDAP server for ABC.

Another alternative would be to pull the information from all the end mail 
servers using LDAP and dump it all into one local LDAP directory.  I could 
then query that local server (which would not require remote server to 
even be up).

Of the two options, it seems the second is preferable, but I'm open to
being convinced the first option is the way to go.  In our organization, 
there may be a need in the future for something similar to the second 
option, which could build upon my efforts.



---

"I DON'T LIKE SPAM!!" -- Monty Python

William Brown
Messaging/Filtering Services
Erie 1 BOCES
(716)821-7285



Re: [Mimedefang] Update to MIMEDefang Filter KAM

2004-04-21 Thread Steffen Kaiser
On Mon, 19 Apr 2004, Joseph Brennan wrote:

> b) Steffen, it sounds like you have a simpler way in mind to do the
> changes and know whether to do the open("w").  What is it?

Well, no; no "better" way. I've just checked out mimedefang.pl's
anomy_clean_html function, which uses perl's open() and is, therefore,
slurp'able. To stick to the MIME::Entity

Anyway, the IO::Handle used by MIME::Body is slurp'able, at least in my
simple sample:

use IO::Handle;

$fh = new IO::Handle;
if ($fh->fdopen(fileno(STDIN), "r")) {
   $line1 = <$fh>;
   undef $/;
   $lines = <$fh>;

   print "Line 1: $line1";
   print "=== remaining lines:\n" , $lines;
}

To use open("w") looks good for me, because you emit all the message
within one call. -- One might try using:

  ### Create a body which stores data in an in-core array:
  $body = new MIME::Body::InCore [EMAIL PROTECTED];

or similar, however, this keeps everything in the local memory of the
slave and probably some other part of MIMEDefang assumes that the body is
located on disk - and this is a RAMdisk most of the time, I guess.

Bye,

-- 
Steffen Kaiser