[Mimedefang] backing up quarantine dir, ridiculously long awk script
Directions: change to quarantine dir. Backs each day to separate tar.bz2. Pipe through bash to run. Works well enough for me.
awk command:
ls | awk -F- '{print "tar cjpf " $1 "-" $2 "-" $3 "-" $4 ".tar.bz2 " $1 "-" $2 "-" $3 "-" $4 "*"}' | sort -u | head -n 1
--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] MIME::Parser: can't open tmpfile: Invalid argument
Hi,
I'm rebuilding my primary MX, and I've been trialling MIMEDefang on my secondary MX. So I duplicated the bulk of the config from my secondary MX to my (yet to be commissioned) new primary MX. I get the following:
mimedefang-multiplexor: Starting slave 0 (pid 3075) (1 running): About to perform scan
mimedefang-multiplexor: Slave 0 stderr: MIME::Parser: can't open tmpfile: Invalid argument
mimedefang-multiplexor: Slave 0 died prematurely -- check your filter rules
mimedefang[1871]: Error from multiplexor: ERR No response from slave
sm-mta[3062]: i5T7K1sb003062: Milter: data, reject=451 4.7.1 Please try again later
Google has shown a couple of previous instances on this list, but my setup doesn't seem to be the same as these previous problems. I can't work out how to crank out some more debugging, which is what I ideally want to do.
I'm running MIMEDefang 2.41 and Sendmail 8.12.11 (on both the secondary MX, which works, and the new primary MX, which exhibits the above).
mimedefang.pl -test is happy
mimedefang.pl -structure doesn't complain
mimedefang.pl -prettyprint spits back an email message if I give it one
So I don't feel that there is anything wrong with my mimedefang-filter (as it's the same as the one that works on my secondary MX). A big difference was a 2.6 kernel, as the primary is running 2.6.6 and the secondary 2.4.26, so I booted into a 2.4.26 kernel on the primary MX and the problem persisted, so it's not some bizarre tempfile problem.
I guess the next step is an uber strace... I'd appreciate any suggestions.
regards
Andrew
Re: [Mimedefang] Sendmail mailertable question
[EMAIL PROTECTED] wrote on 06/28/2004 07:19:53 PM:
Try using it with quotes around the custom SMTP response string:
Bizarre! The books sendmail and sendmail Cookbook do not indicate the need for the quotes. Neither does the documentation at http:/sendmail.org. But I tried it anyways and you were right on the money.
eriecc.wnyric.org error:5.1.2:550 "This domain no longer accepts email"
produced:
550 5.1.2 [EMAIL PROTECTED]... This domain no longer accepts email
Thanks for the help!
Re: [Mimedefang] I would like to discard all on a recipient basis
Why not just do a reject in the access list? That has the effect of discard, but notifies the sender.
--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
Re: [Mimedefang] Greylisting code, now with mysql Backend
Jonas Eckerman said:
On Fri, 25 Jun 2004 12:49:34 -0700, Jeff Grossman wrote:
I know my next question is pretty open ended, but what do people on this list prefer for their backend database, and why?
[Jonas said snip, db-file works for me.]
I'm unsure why you are suffering corruption in your db_file. I have been using db_file greylist for months with never any corruption. I'm using my implementation of greylisting, but that seems irrelevant, as Jonas's implementation is working fine for him.
Do you have: an older version of sa, db_file or bad disks, or high mail load?
--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
Re: [Mimedefang] Internet Virus hits IIS
--On Monday, June 28, 2004 10:59 AM -0400 Joseph Brennan [EMAIL PROTECTED] wrote:
Anyone have a clue what the bad code is, so we could reject mail containing it?
I believe the issue is that IE ignores MIME type inconsistently when deciding what to do with web content. The hostile website hosts a file with a graphic filename extension (eg. .jpg or .gif) but the file is actually HTML with hostile JavaScript capable of downloading and running an executable. IE interprets the HTML, runs the JS and trojans the machine.
I recall bitching at one webmaster last year because his traceroute script output HTML but without a text/html MIME type, and Mozilla displayed the source, not the desired output. The script had obviously been tested only with IE, which helpfully interpreted the HTML because it had HTML tags in it.
To effectively block, you'd need to block all links with graphic extensions.
[Mimedefang] Stripping received lines
I've got a colo'd server in Cogent address space that can't send mail to members at Road Runner addresses, presumably due to the Cogent black list. In the past I've successfully bounced the mail off my office server using mailertable entries but RR now recognizes the original source. I'm guessing that it now rejects mail with any Received lines in Cogent space, so I'd like to strip those before forwarding them on.
Does anyone have code to strip such lines? Or can you suggest a better solution?
Re: [Mimedefang] Greylisting code, now with mysql Backend
on 6/29/04 9:49 AM, Lucas Albers at [EMAIL PROTECTED] wrote:
Jonas Eckerman said:
On Fri, 25 Jun 2004 12:49:34 -0700, Jeff Grossman wrote:
I know my next question is pretty open ended, but what do people on this list prefer for their backend database, and why?
[Jonas said snip, db-file works for me.]
I'm unsure why you are suffering corruption in your db_file. I have been using db_file greylist for months with never any corruption. I'm using my implementation of greylisting, but that seems irrelevant, as Jonas's implementation is working fine for him.
Do you have: an older version of sa, db_file or bad disks, or high mail load?
If you were directing that question to me, I am not currently experiencing any database corruption. But, there has been some talk of database corruption on this list. I was trying to figure out if there is a better alternative to db_file with some of the corruption that has been mentioned. If many people are doing fine with db_file, then I might just stay with it.
Jeff
--
Jeff Grossman ([EMAIL PROTECTED])
Re: [Mimedefang] Internet Virus hits IIS
To effectively block, you'd need to block all links with graphic extensions.
Cool!!! Well, I don't think the user community here is ready... yet.
Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
Re: [Mimedefang] Internet Virus hits IIS
[EMAIL PROTECTED] wrote on 06/28/2004 08:14:52 PM:
I believe the issue is that IE ignores MIME type inconsistently when deciding what to do with web content. The hostile website hosts a file with a graphic filename extension (eg. .jpg or .gif) but the file is actually HTML with hostile JavaScript capable of downloading and running an executable. IE interprets the HTML, runs the JS and trojans the machine.
I recall bitching at one webmaster last year because his traceroute script output HTML but without a text/html MIME type, and Mozilla displayed the source, not the desired output. The script had obviously been tested only with IE, which helpfully interpreted the HTML because it had HTML tags in it.
To effectively block, you'd need to block all links with graphic extensions.
I recall a similar discussion here about Outlook doing the same thing with attachments, ie. ignoring the extension and opening based on the contents of the file. In fact even in Windows Explorer, this can be done by renaming a .DOC file to .XYZ, and then doubleclicking on it.
My goal is to nuke WinXP on this laptop, put Linux and Crossover Office on it so I can run Lotus Notes to get rid of as much microsloth software as possible.
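A gateway-side check for the extension/content mismatch discussed in this thread, written in Python as an added example (it is not code from the list or from MIMEDefang): it flags attachments whose graphic filename extension is not backed by that format's leading bytes. The function names, addresses and sample message are constructed for illustration.

```python
import email
from email.message import EmailMessage

# Leading bytes each graphic extension should start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# Tags that lead a content-sniffing client to render a body as HTML.
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<iframe", b"<!doctype")


def mismatched_parts(raw_message: bytes):
    """Return (filename, reason) for attachments named like an image
    whose decoded content does not begin with that format's signature."""
    findings = []
    msg = email.message_from_bytes(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        ext = next((e for e in IMAGE_MAGIC if name.endswith(e)), None)
        if ext is None:
            continue  # not claiming to be a graphic
        body = part.get_payload(decode=True) or b""
        if body.startswith(IMAGE_MAGIC[ext]):
            continue  # extension and content agree
        head = body[:1024].lower()
        is_html = any(marker in head for marker in HTML_MARKERS)
        findings.append((name, "html-content" if is_html else "bad-magic"))
    return findings


def build_sample() -> bytes:
    """Constructed sample: one genuine GIF header, one HTML file named .jpg."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
                       maintype="image", subtype="gif", filename="real.gif")
    msg.add_attachment(b"<html><script>/* inert placeholder */</script></html>",
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in mismatched_parts(build_sample()):
        print(f"{filename}: {reason}")
```

The check trusts neither the declared Content-Type nor the extension, which are exactly the two things a sniffing client ignores.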
Re: [Mimedefang] Greylisting code, now with mysql Backend
Jeff Grossman said:
[better] alternative to db_file with some of the corruption that has been mentioned. If many people are doing fine with db_file, then I might just stay with
Well it's used as the native bayesian db format for SA, and there have not been complaints of corruption on the SA mailing list...
I would think theoretically a database format would have less possible corruption.
--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
Re: [Mimedefang] MIMEDefang embedded perl stability issues
Chris Gauch said:
The embedded perl interpreter definitely minimizes the memory usage by the MD slaves, but I don't really notice an overall improvement in total memory usage when using the embedded perl option. All 1.5GB of RAM is still used up entirely, and I have the same number of min/max slaves that I used when I went over this item a few months ago. It uses less memory but does not show using less memory, depending on how you measure memory used. I was not using the embedded perl interpreter.
I also use a RAM disk for the /var/spool/MIMEDefang directory, and have that set at 128MB. Maybe I'm doing something wrong here, but I haven't found much documentation on the embedded perl interpreter, other than it improves throughput and reduces memory usage. Any insight would be appreciated.
What OS and version of perl are you using? I would recommend you use at least 5.8 if you are using the embedded perl version.
How many slaves do you run?
What is your mail volume?
What is your max message size you accept?
Could you add some delay to your cron jobs, so they don't all start at the same time?
What is your maximum sendmail processes?
The embedded perl should decrease memory usage, and increase startup time on pre-forked slaves. I noticed significant memory savings on my 6 slave system.
Do you have a decent amount of memory in reserve, or are you generally allocating all of your memory?
--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
Re: [Mimedefang] MIMEDefang embedded perl stability issues
Duh, didn't see any of the previous posts, until just now. I guess I never do a reread, always a restart, that would explain why I never saw the error.
Dave,
Should the default mimedefang-filter have use strict in it, in the default install? Would that solve some problems?
--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
RE: [Mimedefang] Greylisting code, now with mysql Backend
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Lucas Albers
Sent: Tuesday, June 29, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Greylisting code, now with mysql Backend
Jeff Grossman said:
[better] alternative to db_file with some of the corruption that has been mentioned. If many people are doing fine with db_file, then I might just stay with
Well it's used as the native bayesian db format for SA, and there have not been complaints of corruption on the SA mailing list...
I've had tons of problems with db_file corruption. In fact, I'm in the middle of trying to fix my own greylisting db_file corruption problem. I also have a db_file problem somewhere in graphdefang, although it's using MLDBM with db_file.
My problems arose when freebsd updated from perl 5.8.2(.3?) to 5.8.4 last month. My SA db got blown away. db_file that I had previously seems to have gotten replaced by bsdpan-DB_File, a version from cspan. AFAICT, SA is working but I'm definitely having problems with db_file in my greylisting and in graphdefang.
-lee
I would think theoretically a database format would have less possible corruption.
--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
Re: [Mimedefang] MIMEDefang embedded perl stability issues
Hi,
Should the default mimedefang-filter have use strict in it, in the default install? Would that solve some problems?
It can fix some improperly written code which makes trouble in the reload scenario ...
Martin
Re: [Mimedefang] MIME::Parser: can't open tmpfile: Invalid argument (solved)
On Tue, Jun 29, 2004 at 05:45:14PM +1000, Andrew Pollock wrote:
Hi, I'm rebuilding my primary MX, and I've been trialling MIMEDefang on my secondary MX. So I duplicated the bulk of the config from my secondary MX to my (yet to be commissioned) new primary MX. I get the following:
mimedefang-multiplexor: Starting slave 0 (pid 3075) (1 running): About to perform scan
mimedefang-multiplexor: Slave 0 stderr: MIME::Parser: can't open tmpfile: Invalid argument
mimedefang-multiplexor: Slave 0 died prematurely -- check your filter rules
mimedefang[1871]: Error from multiplexor: ERR No response from slave
sm-mta[3062]: i5T7K1sb003062: Milter: data, reject=451 4.7.1 Please try again later
[snip]
Judicious stracing to the rescue. It highlighted the fact that my /tmp directory had totally bogus owners and permissions, which I fixed, solving the problem.
regards
Andrew
RE: [Mimedefang] MIMEDefang embedded perl stability issues
From: Martin Blapp [mailto:[EMAIL PROTECTED]
Should the default mimedefang-filter have use strict in it, in the default install? Would that solve some problems?
It can fix some improperly written code which makes trouble in the reload scenario ...
*ALL* production Perl code should live under use strict - or have a very good reason why not! I almost wish use strict; was the default, and could only be turned off by a specific no strict; with a mandatory # turning off stricture because (can't think of a reason right now...)
To use strict or not use strict is the subject of an ongoing religious war. Flame me at will. :)
[EMAIL PROTECTED]
805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
[Mimedefang]
How do I set up auto-whitelisting in SA when running mimedefang? I uncommented the lines in my mimedefang-filter but it seems like I should do something to my sa-mimedefang.cf.
I have SA 2.63 and mimedefang 2.39
Thanks much,
Shawn
Re: [Mimedefang] Sendmail mailertable question
On Tue, 29 Jun 2004 12:44:28 -0400, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote on 06/28/2004 07:19:53 PM:
Try using it with quotes around the custom SMTP response string:
Bizarre! The books sendmail and sendmail Cookbook do not indicate the need for the quotes. Neither does the documentation at http:/sendmail.org. But I tried it anyways and you were right on the money.
I can't take credit for it. Search the archives and you'll find a message from none other than Dave Skoll telling me the same thing. :)
But it doesn't hurt to have two messages in the archive with the same answer, now does it?
[Mimedefang] ClamAV not detecting all viruses
OK here is the situation. I have clamav-daemon which is run before trend micro's vscan. The majority of viruses are found by clamav with no problems. One or two slip past and are picked up by trend.
I altered my setup so the ones detected by trend get quarantined so I could look further. Change to the qdir and run clamdscan ENTIRE_MESSAGE and the virus is found.
The viruses that are at issue are: HTML_Netsky.P, when vscan decompresses the attached file it detects it as WORM_NETSKY.P. For clamav it is Worm.SomeFool.P. WORM_NETSKY.Q and Worm.SomeFool.Q also seem to be having this issue.
So doing it by hand the clamav finds these viruses, but through mimedefang they are being missed. I am at a loss where to go from here. clamav can detect them, but clamav + mimedefang is missing them.
Any thoughts or tips?
Stewart
Re: [Mimedefang] ClamAV not detecting all viruses
Stewart James wrote:
OK here is the situation. I have clamav-daemon which is run before trend micro's vscan. The majority of viruses are found by clamav with no problems. One or two slip past and are picked up by trend.
Which version of clamav? We had this issue before we installed 0.73. Still checking if it's OK in 0.73.
Cheers
Bill
Re: [Mimedefang] ClamAV not detecting all viruses
OK. It's .72, I remember reading somewhere it was an issue in 0.70 but had been fixed (and sorry to all for not including version numbers).
Due to resource restraints (read: there is only one of me) I tend to rely on debian packages. A report of this issue being fixed in 0.73 is enough for me to hold out for the debian package to hit testing (where I'm nabbing my clamav packages from).
Thanks Bill. If things are still the same after .73, I'll wave a chicken in the air then re-email the issue. :)
Stewart
On Wed, 2004-06-30 at 11:07 +1000, Bill Maidment wrote:
Stewart James wrote:
OK here is the situation. I have clamav-daemon which is run before trend micro's vscan. The majority of viruses are found by clamav with no problems. One or two slip past and are picked up by trend.
Which version of clamav? We had this issue before we installed 0.73. Still checking if it's OK in 0.73.
Cheers
Bill
Re: [Mimedefang] ClamAV not detecting all viruses
Stewart James wrote:
OK. It's .72, I remember reading somewhere it was an issue in 0.70 but had been fixed (and sorry to all for not including version numbers).
Hmmm.. it was supposed to have been fixed in 0.72, we couldn't use 0.72 because of a Proxy issue, so I can't confirm if it actually did get fixed there.
Bill
Re: [Mimedefang] ClamAV not detecting all viruses
Hmmm.. it was supposed to have been fixed in 0.72, we couldn't use 0.72 because of a Proxy issue, so I can't confirm if it actually did get fixed there.
Well it's a 3 day wait (OK a couple more because that falls on a weekend here). I will see if 0.73 resolves it for me, if not, I can start looking at why not of it all. I will let the list know the outcome :)
Cheers,
Stewart