RE: [Mimedefang] (no subject)
Quoting Mack <[EMAIL PROTECTED]>:

> try doing a quick
> grep InputMailFilters sendmail.cf
>
> and post back the output

O InputMailFilters=mimedefang
#O InputMailFilters

Meni

This message was sent using IMP, the Internet Messaging Program.
___
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Mimedefang & clamd
Quoting Mack <[EMAIL PROTECTED]>:

> try adding this line to the top of the mimedefang-filter
>
>     $Features{"Virus:CLAMAV"} = '/usr/local/bin/clamdscan';
>
> and then doing a md-mx-ctrl reread

I want to thank you Mack and all the rest of you guys for your wonderful
help. It worked and now it does scan for viruses!

One more thing though if you plp don't mind... Mimedefang logs this
discard in mail.log and discards the entire message; what I want though
is a quarantine of the virus and notification to the original
recipient... since my Perl skills are poor, could you show me an example
for quarantine instead of discard???

Thanks a million guys!

Meni
[Mimedefang] trouble with Digest::SHA1
I'm having the following trouble on Centos 4.1:

    Sep 21 14:12:26 X mimedefang-multiplexor[7947]: Slave 0 stderr: Can't locate Digest/SHA1.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4 /
    Sep 21 14:12:26 X mimedefang-multiplexor[7947]: Slave 0 stderr: usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor
    Sep 21 14:12:26 X mimedefang-multiplexor[7947]: Slave 0 stderr: _perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/bin/mimedefang.pl line 72.
    BEGIN failed--compilation aborted at /usr/bin/mimedefang.pl line 72.

mimedefang.pl -test works and perl can find the modules from other
software. The module is here:

    [EMAIL PROTECTED] i386]# ls -la /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Digest/SHA1.pm
    -r--r--r-- 1 root root 6819 Dec 5 2003 /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Digest/SHA1.pm

Any ideas?

Thanks,
Fredrik Nyberg
RE: [Mimedefang] (no subject)
Lol, wasn't really the answer I was hoping for.

Do all your messages have the X-SPAM headers in them, or only the ones
that get into your 'spamdrop'?

Maybe check your submit.cf for the same thing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Wednesday 21 September 2005 08:09
To: mimedefang@lists.roaringpenguin.com
Subject: RE: [Mimedefang] (no subject)

Quoting Mack <[EMAIL PROTECTED]>:

> try doing a quick
> grep InputMailFilters sendmail.cf
>
> and post back the output

O InputMailFilters=mimedefang
#O InputMailFilters

Meni
Re: [Mimedefang] filter by final recipient
Tired of the SCOMP TOS emails, eh?

Have you considered simply using procmail rules instead of .forward's?

    :0
    * !^X-Spam-Status: Yes
    * !^X-Spam-Flag: YES
    * !^X-Some-Other-Spam-Flag-You-Use: EEk!
    {
        :0
        ! [EMAIL PROTECTED]
    }

I believe the ! is forward

Anyway, I imagine a daemon that checks all the .forwards on the system
for aol.com and notifies you (or creates a .procmailrc file...) would be
fairly straightforward.

If you have slocate in cron, something really simple like this might
help:

    locate -r \\.forward$ | xargs grep -i aol\\.com

Regards,
KAM

> Here's a good one. I am trying to think of a way to do stricter
> filtering on mail going out to aol.com, but I need to catch it after
> aliases and .forward files have been evaluated. The problem is with
> incoming mail that we redirect to aol.com by either of those means.
>
> I think milter can see only the RCPT address. Nonetheless maybe
> Mimedefang could do the logic and insert a tag into X-Spam-Score, and
> then we could put a rule into sendmail.cf to test for that tag after
> the recipient has been resolved through aliases and .forward.
Re: [Mimedefang] trouble with Digest::SHA1
Fredrik Nyberg DC wrote:

> I'm having the following trouble on Centos 4.1:
>
> Sep 21 14:12:26 X mimedefang-multiplexor[7947]: Slave 0 stderr: Can't locate Digest/SHA1.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4 /
> Sep 21 14:12:26 X mimedefang-multiplexor[7947]: Slave 0 stderr: usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor
> Sep 21 14:12:26 X mimedefang-multiplexor[7947]: Slave 0 stderr: _perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/bin/mimedefang.pl line 72.
> BEGIN failed--compilation aborted at /usr/bin/mimedefang.pl line 72.
>
> mimedefang.pl -test works and perl can find the modules from other
> software. The module is here:
>
> [EMAIL PROTECTED] i386]# ls -la /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Digest/SHA1.pm
> -r--r--r-- 1 root root 6819 Dec 5 2003 /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Digest/SHA1.pm
>
> Any ideas?
>
> Thanks,
> Fredrik Nyberg

It was a permission problem due to a braindead .rpm, my bad...

Cheers,
Fredrik Nyberg
[Mimedefang] [OT] clamd doesn't recognize virus
Hello everybody.

I'm using clam 0.87 with mimedefang 2.51.
This morning a virus has been slipped through MD.
This is the output from clamdscan:

    /tmp/photo.zip: OK

    --- SCAN SUMMARY ---
    Infected files: 0
    Time: 0.143 sec (0 m 0 s)

and this is the output from clamscan:

    photo.zip: Trojan.W32.PWS.Prostor.A FOUND

    --- SCAN SUMMARY ---
    Known viruses: 40212
    Engine version: 0.87
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.20 MB
    Time: 5.939 sec (0 m 5 s)

Clearly clamd doesn't recognize it as a virus
and MD accept the message.
Hints?
[Mimedefang] web->mail forms
We've mentioned spam from web mail forms here in the context of
detecting it, but what about preventing it? If you need to send email
from web forms, are there programs that are known to be secure or at
least difficult to exploit by injecting addresses in the post data?

--
Les Mikesell
[EMAIL PROTECTED]
Re: [Mimedefang] [OT] clamd doesn't recognize virus
On 21/09/05, Marco Berizzi <[EMAIL PROTECTED]> wrote:
>
> Clearly clamd doesn't recognize it as a virus
> and MD accept the message.
> Hints?

Well, the ClamAV list would have been a more logical place to post this.

However, following the link on the clamav home page for submitting code
for review gives:

http://cgi.clamav.net/sendvirus.cgi

--
Please keep list traffic on the list.
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
RE: [Mimedefang] [OT] clamd doesn't recognize virus
Marco Berizzi wrote:
> This morning a virus has been slipped through MD.
> /tmp/photo.zip: OK
>
> and this is the output from clamscan:
> photo.zip: Trojan.W32.PWS.Prostor.A FOUND

Is it possible that between the clamdscan and the clamscan, that your
virus definitions updated?

Is it possible that clamd isn't receiving "virus definitions updated"
messages from freshclam?

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
Re: [Mimedefang] [OT] clamd doesn't recognize virus
On 9/21/05, Marco Berizzi <[EMAIL PROTECTED]> wrote:
> Hello everybody.
> I'm using clam 0.87 with mimedefang 2.51.
> This morning a virus has been slipped through MD.
> This is the output from clamdscan:
> /tmp/photo.zip: OK
> Clearly clamd doesn't recognize it as a virus
> and MD accept the message.
> Hints?

Drop all zips until clamav gets a working signature?

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
Re: [Mimedefang] filter by final recipient
"Kevin A. McGrail" <[EMAIL PROTECTED]> wrote:

> Tired of the SCOMP TOS emails, eh?

Real tired, since the cause is AOL users. Namely AOL users who forward
their columbia.edu address to AOL. The options I can come up with are:

1. Filter mail to AOL more heavily, as in rejecting more legit mail.
   This is not only hard to accomplish but will probably result in more
   helpdesk calls about mail not being delivered.

2. Find all the forwards to AOL once a month or so and send them all
   mail asking them not to hit "report as spam" for forwarded mail. My
   guess is that plenty of them will start hitting "report as spam" when
   they get the reminders, and we'll be worse off than when we started.

3. Forbid people to forward to AOL. This is pretty much what AOL is
   telling us by their actions. This will create more helpdesk calls,
   and start chipping away at the alumni forwarding program.

I don't like any of these, so I haven't given a whole lot of time to
figuring out option No. 1. I guess a variant of No. 1 is to bounce back
everything telling the sender what the AOL address is.

By the way we are unusual I think in that we actually reject spam. Many
universities accept spam and put it into the user's spam folder. For
forwarding I imagine they just forward everything and leave it to the
end system to sort it out. What does AOL do with them?

> Have you considered simply using procmail rules instead of .forward's?

No, because (a) we're moving to a Cyrus system soon and we'll get rid of
procmail, and (b) probably a lot of it is alumni forwarding which is
done with an aliases file.

However I have considered the hokey method used to make procmail act
like a milter-- not AS a milter, but sort of LIKE a milter. Make a
procmail mailer, and sendmail outputs to it, it checks, and it forks
another sendmail if the message should be sent. This stinks because it
starts up extra processes and it doesn't reject during smtp. This kind
of thing is why milter was created, and I never wanted to think about it
again.

I think filtering by final recipient can't be done in a practical way.
There, if someone takes that as a challenge, good. By final I mean by
recipient after aliases and .forward files have been applied.

Joe Brennan
RE: [Mimedefang] [OT] clamd doesn't recognize virus
Marco,

> I'm using clam 0.87 with mimedefang 2.51.
> This morning a virus has been slipped through MD.
> This is the output from clamdscan:
> /tmp/photo.zip: OK
>
> --- SCAN SUMMARY ---
> Infected files: 0
> Time: 0.143 sec (0 m 0 s)
>
> and this is the output from clamscan:
>
> photo.zip: Trojan.W32.PWS.Prostor.A FOUND

Two possibles:

1. Your freshclam updates are failing to notify clamd that there are
   newer files available - kill clamd and restart it, then use clamdscan
   again to verify that it finds the virus.

2. clamd is not configured to scan inside ZIP files - ensure that your
   clamd.conf file contains:

       ScanArchive
       ArchiveMaxRecursion 5
       ArchiveMaxFiles 1000
       ArchiveMaxFileSize 10M

   or some such sensible settings for your system.

I believe clamscan has ZIP support enabled by default, while clamdscan
has it disabled by default.

Best Wishes,
Paul.
Re: [Mimedefang] filter by final recipient
On Wed, Sep 21, 2005 at 11:43:15AM -0400, Joseph Brennan wrote:
> I think filtering by final recipient can't be done in a practical way.
> There, if someone takes that as a challenge, good. By final I mean by
> recipient after aliases and .forward files have been applied.

It's a bit of a hack, but you can find where a local recipient actually
gets delivered after aliases, virtusertable, and .forward are applied
with:

    sendmail -bv [EMAIL PROTECTED]

if [EMAIL PROTECTED] has their mail sent to [EMAIL PROTECTED], you'll get
output like:

    [EMAIL PROTECTED] deliverable: mailer esmtp, host aol.com, user [EMAIL PROTECTED]

If it's locally deliverable, you'll get:

    [EMAIL PROTECTED] deliverable: mailer local, user user

and if it's bogus:

    [EMAIL PROTECTED] User unknown

It will add some overhead to your filter, but it's fairly simple to
invoke sendmail -bv on each recipient address and check for aol.com.
You'd probably want to cache the results for a short period of time to
avoid fork-bombing your server with sendmail processes, though.

Cheers,
Dave

--
Dave O'Neill <[EMAIL PROTECTED]>    Roaring Penguin Software Inc.
+1 (613) 231-6599 ext. 104          http://www.roaringpenguin.com/
For CanIt technical support, please mail: [EMAIL PROTECTED]
Re: [Mimedefang] [OT] clamd doesn't recognize virus
Thanks for all the replies and sorry for the OT.

> Is it possible that between the clamdscan and the clamscan, that your
> virus definitions updated?

No. I have run the same test a few minutes ago. Same problem.

> Is it possible that clamd isn't receiving "virus definitions updated"
> messages from freshclam?

No. virus def are updated. Running ls -l /usr/share/clamav shows me 2
files with current date (this morning). I have compiled this morning
clamav 0.87
Re: [Mimedefang] filter by final recipient
Dave O'Neill <[EMAIL PROTECTED]> wrote:

> It's a bit of a hack, but you can find where a local recipient actually
> gets delivered after aliases, virtusertable, and .forward are applied
> with:
>
> sendmail -bv [EMAIL PROTECTED]
>
> . . .
>
> and if it's bogus:
>
> [EMAIL PROTECTED] User unknown

The interesting thing is that sendmail seems to have done this lookup
before calling milter. It says User unknown at RCPT, but Mimedefang gets
to milter the message after DATA.

Am I mistaken? Does Mimedefang know the recipient after aliases have
been expanded?

Joe Brennan
Re: [Mimedefang] filter by final recipient
On Wed, Sep 21, 2005 at 12:15:25PM -0400, Joseph Brennan wrote:
> The interesting thing is that sendmail seems to have done this lookup
> before calling milter. It says User unknown at RCPT, but Mimedefang
> gets to milter the message after DATA.

Yep. Sendmail passes all the addresses on to the milter, valid and
invalid. For more details, see this thread in comp.mail.sendmail:

http://groups.google.com/group/comp.mail.sendmail/browse_frm/thread/b595bee5991420a

> Am I mistaken? Does Mimedefang know the recipient after aliases have
> been expanded?

Not unless you do alias expansion in your filter. MIMEDefang gets
whatever was provided in the RCPT TO, even if Sendmail says it's
invalid.

Dave

--
Dave O'Neill <[EMAIL PROTECTED]>    Roaring Penguin Software Inc.
+1 (613) 231-6599 ext. 104          http://www.roaringpenguin.com/
For CanIt technical support, please mail: [EMAIL PROTECTED]
Re: [Mimedefang] [OT] clamd doesn't recognize virus
On Sep 21, 2005, at 8:36 AM, Stephen J. Smoogen wrote:

> On 9/21/05, Marco Berizzi <[EMAIL PROTECTED]> wrote:
>> Hello everybody.
>> I'm using clam 0.87 with mimedefang 2.51.
>> This morning a virus has been slipped through MD.
>> This is the output from clamdscan:
>> /tmp/photo.zip: OK
>> Clearly clamd doesn't recognize it as a virus
>> and MD accept the message.
>> Hints?
>
> Drop all zips until clamav gets a working signature?

You should read that more carefully. Clamav has a working signature: his
second stanza is from _clamscan_. The problem is that clamscan _will_
find it, but _clamdscan_ doesn't.

That is a perplexing one, but hopefully it's as simple as "freshclam
updated in between the two runs".
Re: [Mimedefang] filter by final recipient
As you have identified, your ideas don't work because the problem is
just a fatal flaw in AOL's system of users improperly using the "this is
spam" as a filtering system. They often use it rather than unsubscribing
from legitimate mailing lists.

#1 doesn't work because people mark "legit" mail because they are lazy.
#2 doesn't work because people are idiots and our efforts to educate
them have failed on this idea.
#3 is a bit harsh and likely to cause problems as more and more ISPs
start to implement similar systems

DO NOT RECOMMEND YOU DO WHAT you suggested doing in what I have marked
as option #4. It just sounds like a privacy nightmare.

I suggest you apply for whitelist status and ignore the SCOMP TOS on a
day to day basis. I look for patterns and issues out of whack but there
is no way to make it nil and I think AOL understands this which is why
their rules are to the best of my knowledge, percentage based.

> 1. Filter mail to AOL more heavily, as in rejecting more legit mail.
> This is not only hard to accomplish but will probably result in more
> helpdesk calls about mail not being delivered.
>
> 2. Find all the forwards to AOL once a month or so and send them all
> mail asking them not to hit "report as spam" for forwarded mail. My
> guess is that plenty of them will start hitting "report as spam" when
> they get the reminders, and we'll be worse off than when we started.
>
> 3. Forbid people to forward to AOL. This is pretty much what AOL is
> telling us by their actions. This will create more helpdesk calls,
> and start chipping away at the alumni forwarding program.
>
> [#4 KAM]
> I don't like any of these, so I haven't given a whole lot of time to
> figuring out option No. 1. I guess a variant of No. 1 is to bounce
> back everything telling the sender what the AOL address is.

> I think filtering by final recipient can't be done in a practical way.
> There, if someone takes that as a challenge, good. By final I mean
> by recipient after aliases and .forward files have been applied.

sendmail -bv might be what you want. In your milter, run sendmail -bv
and the destination as well as cache the information.

For example, I added a forward in my kam dir to [EMAIL PROTECTED] (munged
to protect the innocent)

    sendmail -bv kam
    [EMAIL PROTECTED] deliverable: mailer esmtp, host somewherelese.com., user [EMAIL PROTECTED]

Same with aliases & virtusertables:

    sendmail -bv [EMAIL PROTECTED]
    adams... deliverable: mailer local, user adams
    kmcgrail... deliverable: mailer local, user kmcgrail
    adamsb... deliverable: mailer local, user adamsb

Regards,
KAM
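Added example, not part of the original thread and not MIMEDefang's own code: the sendmail -bv lookup with a short-lived cache that Dave O'Neill and KAM both describe, written as stand-alone Perl. The sendmail path, the cache lifetime, the $runner hook and the example.edu addresses are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not from the thread: resolve recipients with `sendmail -bv`
# and cache the answers so a filter does not fork sendmail for every message.
use strict;
use warnings;

my $SENDMAIL  = '/usr/sbin/sendmail';   # assumed path
my $CACHE_TTL = 300;                    # assumed lifetime in seconds
my %cache;                              # address => [ expiry, deliveries ]

# Turn `sendmail -bv` output into a list of final deliveries. Lines look like
#   addr... deliverable: mailer esmtp, host aol.com., user someone@aol.com
#   addr... deliverable: mailer local, user addr
# "User unknown" lines match nothing and so yield no delivery.
sub parse_bv {
    my ($text) = @_;
    my @deliveries;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^(\S+?)\.\.\.\s+deliverable:\s+mailer\s+([^,\s]+)
                              (?:,\s+host\s+([^,\s]+))?,\s+user\s+(\S+)/x;
        my ($addr, $mailer, $host, $user) = ($1, $2, $3, $4);
        $host = defined $host ? lc $host : '';
        $host =~ s/\.$//;               # drop the trailing dot sendmail prints
        push @deliveries,
            { addr => $addr, mailer => $mailer, host => $host, user => $user };
    }
    return \@deliveries;
}

# Run the real command. The list form of open() bypasses the shell, so an
# address taken from RCPT TO is never interpreted as shell syntax.
sub run_sendmail_bv {
    my ($addr) = @_;
    open(my $fh, '-|', $SENDMAIL, '-bv', $addr) or return '';
    local $/;                           # slurp all output at once
    my $out = <$fh>;
    close $fh;
    return defined $out ? $out : '';
}

# Resolve one recipient, consulting the cache first. $runner is a hook
# (hypothetical, for this example) that lets the demo supply canned output.
sub resolve_recipient {
    my ($rcpt, $runner) = @_;
    $runner ||= \&run_sendmail_bv;
    (my $addr = lc $rcpt) =~ s/^<|>$//g;    # milters see "<user@domain>"
    # Refuse anything that could be read as a command-line option or that
    # is not a plain address; such recipients are treated as unresolved.
    return [] unless $addr =~ /^[a-z0-9][a-z0-9._+=-]*(?:\@[a-z0-9][a-z0-9.-]*)?$/;
    my $hit = $cache{$addr};
    return $hit->[1] if $hit && $hit->[0] > time();
    my $deliveries = parse_bv($runner->($addr));
    $cache{$addr} = [ time() + $CACHE_TTL, $deliveries ];
    return $deliveries;
}

# True if any final delivery for $rcpt goes to $domain or a subdomain of it.
sub forwards_to_domain {
    my ($rcpt, $domain, $runner) = @_;
    $domain = lc $domain;
    my @hits = grep { $_->{host} eq $domain || $_->{host} =~ /\.\Q$domain\E$/ }
               @{ resolve_recipient($rcpt, $runner) };
    return scalar @hits;
}

# Constructed sample output; example.edu is a placeholder domain.
my %canned = (
    'alum1@example.edu'  => "alum1\@example.edu... deliverable: mailer esmtp, "
                          . "host aol.com., user someone\@aol.com\n",
    'staff@example.edu'  => "staff\@example.edu... deliverable: mailer local, "
                          . "user staff\n",
    'nobody@example.edu' => "nobody\@example.edu... User unknown\n",
);
my $forks = 0;
my $fake  = sub { $forks++; return defined $canned{$_[0]} ? $canned{$_[0]} : '' };

for my $rcpt ('<alum1@example.edu>', '<staff@example.edu>',
              '<nobody@example.edu>', '<alum1@example.edu>', '<-v>') {
    printf "%-22s -> aol.com: %s\n", $rcpt,
        forwards_to_domain($rcpt, 'aol.com', $fake) ? 'yes' : 'no';
}
print "lookups that would have forked sendmail: $forks\n";
```

Each MIMEDefang slave is a separate Perl process, so a hash like %cache is per slave and is lost when the slave is recycled.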
RE: [Mimedefang] strange spam coming in
On Tue, 20 Sep 2005 [EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote on 09/20/2005 03:58:35 PM:
>
>> I'll dig into message's the html code to see if there's something I
>> can use.
>
> Are you using SURBL? It can help a lot if they point to the same URL(s)
> for the spamvertised items.

Yes, I'm using SURBL but it won't help me in this case because the image
is embedded in the mail, there is no URL in there.

Blocking emails with images in them is not an option, because management
and some users get legitimate mail with embedded images.

I think the most viable solution for now is to build a whitelist of
legitimate senders of email with images and block everything else.

Fer
Re: [Mimedefang] [OT] clamd doesn't recognize virus
> > Drop all zips until clamav gets a working signature?
>
> You should read that more carefully. Clamav has a working signature:
> his second stanza is from _clamscan_. The problem is that clamscan
> _will_ find it, but _clamdscan_ doesn't.
>
> That is a perplexing one, but hopefully it's as simple as "freshclam
> updated in between the two runs".

No, virus def are updated. I have rerun both clamdscan and clamscan and
the problem hasn't gone away. I have also killed and restarted both
freshclam and clamd.
RE: [Mimedefang] strange spam coming in
Fernando wrote:
> Yes, I'm using SURBL but it won't help me in this case because the
> image is embedded in the mail, there is no URL in there.

That makes a difference...

> Blocking emails with images in them is not an option, because
> management and some users get legitimate mail with embedded images.
>
> I think the most viable solution for now is to build a whitelist of
> legitimate senders of email with images and block everything else.

Is it feasible to take a message with inline images and change it to
have attached images instead? That could reduce the immediacy of the
spam.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
Re: [Mimedefang] filter by final recipient
"Kevin A. McGrail" <[EMAIL PROTECTED]> wrote:

> I suggest you apply for whitelist status and ignore the SCOMP TOS on a
> day to day basis. I look for patterns and issues out of whack but
> there is no way to make it nil and I think AOL understands this which
> is why their rules are to the best of my knowledge, percentage based.

Whatever the rule is, 0.41% is enough to get you a warning note, and
something below that is enough for a server to be tempfailed for 12
hours. "AOL understands" is questionable.

I took a walk and now I think maybe I am trying to solve the wrong
problem. It really is an AOL problem. Their users will keep using that
button, and AOL will keep tempfailing. They're not getting any more spam
than our own users here.

So all I really have is a queue management problem and not a novel
Mimedefang trick. So, getting off topic at this point.

Joseph Brennan
Columbia University Information Technology
Re: [Mimedefang] filter by final recipient
On Wed, Sep 21, 2005 at 11:43:15AM -0400, Joseph Brennan wrote:
> Real tired, since the cause is AOL users. Namely AOL users who
> forward their columbia.edu address to AOL. The options I can come
> up with are:
>
> 1. Filter mail to AOL more heavily, as in rejecting more legit mail.
> This is not only hard to accomplish but will probably result in more
> helpdesk calls about mail not being delivered.

Au contraire, this is really easy to do, provided you can afford to run
an additional mail server, which I'll call
fascistfiltering.columbia.edu just for the example.

Then simply put this entry in your mailertable:

    aol.com smtp:fascistfiltering.columbia.edu

Make sure fascistfiltering allows relaying from your other mail server.
You can even run mimedefang on the fascistfiltering machine, of course.

You might want to block incoming SMTP connections to fascistfiltering
except for connections from the mail server.

--
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;# Jan-Pieter Cornet
Re: [Mimedefang] filter by final recipient
> Whatever the rule is, 0.41% is enough to get you a warning note, and
> something below that is enough for a server to be tempfailed for
> 12 hours. "AOL understands" is questionable.
>
> I took a walk and now I think maybe I am trying to solve the wrong
> problem. It really is an AOL problem. Their users will keep using
> that button, and AOL will keep tempfailing. They're not getting any
> more spam than our own users here.
>
> So all I really have is a queue management problem and not a novel
> Mimedefang trick. So, getting off topic at this point.

Are you on the "whitelist" with AOL and not just the SCOMP TOS feedback
loop?

Regards,
KAM
[Mimedefang] md_check_against_smtp_server
If the host you're checking against, in md_check_against_smtp_server(),
is using a Greet_Pause, how long will md_check_against_smtp_server
wait()?

Does it wait for as long as it needs to? Does it time out in less than
30 seconds? Some other timeout value? Can I set the timeout?
Re: [Mimedefang] md_check_against_smtp_server
John Rudd wrote:
>
> If the host you're checking against, in md_check_against_smtp_server(),
> is using a Greet_Pause, how long will md_check_against_smtp_server
> wait()?

Forever.

But if you're using md_check_against_smtp_server, then you really ought
to set greet_pause to zero for connections from the MIMEDefang machine,
or you're just shooting yourself in the foot.

Regards,
David.
Re: [Mimedefang] md_check_against_smtp_server
On Sep 21, 2005, at 2:31 PM, David F. Skoll wrote:

> John Rudd wrote:
>
>> If the host you're checking against, in md_check_against_smtp_server(),
>> is using a Greet_Pause, how long will md_check_against_smtp_server
>> wait()?
>
> Forever.
>
> But if you're using md_check_against_smtp_server, then you really ought
> to set greet_pause to zero for connections from the MIMEDefang machine,
> or you're just shooting yourself in the foot.

Yeah, internally I don't have a greet_pause. I was just thinking about
whether or not to do sender verification, sort of like verizon's
call-back, with the same functionality ... for various reasons I won't,
but it occurred to me that this would be impacted by the other side
doing a greet_pause.