[Mimedefang] Question about DATE_IN_PAST_96_XX
I was wondering... if you take an email that's more than 3 days old, and you do a "Redirect" (in T-Bird, i.e. a blind bounce, rather than forwarding as an attachment... that is only Resent-To:, Resent-From:, Resent-Date: gets added to it... ) Will it use the correct date when figuring out the time-shifting?

-Philip

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] Question for the HOWTO page
More confusion...

Ok, I used the *CHARSET_FARAWAY tests with scores of 5.0 in the previous email. Then I ran a message with:

    Content-Type: text/plain; charset="ISO-8859-9"

even though my "ok_locales en fr" are set (so tr isn't included). Didn't see any CHARSET_FARAWAY matches.

For both "en" and "fr", ISO-8859-1 or "ASCII" should be the only two character sets, right?

What am I missing?

-Philip

Re: [Mimedefang] Question for the HOWTO page
So, did the message attached below fire up because it contained the words "porn" and "viagra"?

Does that mean that not only spam, but talking about spam, is subject to filtration? ;-)

I was going to try the config below... I'll see how it works.

I ran the spamassassin -t -x test that's in the HOWTO, but I think it generates different results by hand than when run out of MdF. Not sure why. Will dig deeper.

-Philip

    # Needed when calling SpamAssassin from within MdF
    remove_header all Report

    required_hits 5

    # languages...
    ok_locales en fr

    # used by CJK
    score HTML_COMMENT_8BITS 1.5

    # gibberish
    score CHARSET_FARAWAY 5.0
    score CHARSET_FARAWAY_HEADER 5.0
    score HTML_CHARSET_FARAWAY 5.0
    score MIME_CHARSET_FARAWAY 5.0
    score UNWANTED_LANGUAGE_BODY 5.0

    # malformed
    score MIME_BASE64_TEXT 5.0

    # shouting
    score UPPERCASE_75_100 2.0
    score MANY_EXCLAMATIONS 2.5
    score PLING_PLING 2.0
    score SUBJ_ALL_CAPS 1.5

    # machines with bogus clocks
    score DATE_IN_FUTURE_12_24 2.0
    score DATE_IN_FUTURE_24_48 2.5
    score DATE_IN_FUTURE_48_96 3.0
    score DATE_IN_FUTURE_96_XX 3.25
    score DATE_IN_PAST_96_XX 3.0

Re: [Mimedefang] Question for the HOWTO page
On Sun, 2006-01-29 at 14:30, Philip Prindeville wrote:
> Les Mikesell wrote:
>
> >I reject values that can only be reached by my local settings
> >for viagra/porn, and send the rest through with the score
> >value arranged for easy individual filtering (the asterisk list
> >as the first thing in the header).
> >
>
> Can you post your configs and diffs?

I don't think anyone would want to duplicate it exactly, but sa-mimedefang.cf has things like:

    whitelist_from *.microsoft.com

and

    score ADULT_SITE 100
    score SUBJ_VIAGRA 100

and mimedefang-filter has

    sub filter_end ($) {
        my($entity) = @_;

        return if message_rejected();

        # Spam checks if SpamAssassin is installed
        if ($Features{"SpamAssassin"} && !relayIsTrusted($RelayAddr)) {
            if (-s "./INPUTMSG" < 100*1024) {
                # Only scan messages smaller than 100kB. Larger messages
                # are extremely unlikely to be spam, and SpamAssassin is
                # dreadfully slow on very large messages.
                my($hits, $req, $names, $report) = spam_assassin_check();
                my($score);
                if ($hits < 40) {
                    $score = "*" x int($hits);
                } else {
                    $score = "*" x 40;
                }
                ## drop if SA score over 100
                if ($hits > 100) {
                    md_graphdefang_log('spam', $hits, $RelayAddr);
                    md_syslog('warning', "Discarding because of spam score hits");
                    action_bounce("Message screened as spam, please rephrase");
                    return action_discard();
                }
                if ($hits >= $req) {
                    action_change_header("X-Spam-Score", "$hits ($score) $names");
                    ### note local header here with *'s only
                    action_change_header("X-FS-Spam-Score", "$score");
                    md_graphdefang_log('spam', $hits, $RelayAddr);
                    action_add_part($entity, "text/plain", "-suggest",
                                    "$report\nX-FS-Spam-Score: $score",
                                    "SpamAssassinReport.txt", "inline");
                } else {
                    # Delete any existing X-Spam-Score header?
                    action_delete_header("X-Spam-Score");
                }
            }
        }
    }

The relayIsTrusted subroutine was posted by someone a long time ago and contains a list of local addresses where the spam scan can be skipped.

-- 
Les Mikesell [EMAIL PROTECTED]

This mail is probably spam. The original message has been attached along with this report, so you can recognize or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details.

Content preview: On Sun, 2006-01-29 at 14:30, Philip Prindeville wrote: > Les Mikesell wrote: > > >I reject values that can only be reached by my local settings > >for viagra/porn, and send the rest through with the score > >value arranged for easy individual filtering (the asterisk list > >as the first thing in the header). > > > > Can you post your configs and diffs? [...]

Content analysis details: (94.60 points, 5 required)

    IN_REP_TO (-0.5 points) Has a In-Reply-To header
    REFERENCES (-0.5 points) Has a valid-looking References header
    EMAIL_ATTRIBUTION (-0.5 points) BODY: Contains what looks like an email attribution
    ADULT_SITE (100.0 points) BODY: Possible porn - Adult Web Sites
    QUOTED_EMAIL_TEXT (-0.5 points) BODY: Contains what looks like a quoted email text
    REPLY_WITH_QUOTES (-0.5 points) Reply with quoted text
    USER_AGENT_XIMIAN (-2.9 points) Headers indicate a non-spam MUA (Ximian)

X-FS-Spam-Score:

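The consumer side of the asterisk header from the message above, as an added example that is not part of the original post or of MIMEDefang: a prefix match on N asterisks selects every message scoring N or more. The function names, folder names, thresholds and the sample message are constructed for illustration, and messages are assumed to use LF line endings.

```shell
#!/bin/sh
# Added example (not from the thread): consuming the X-FS-Spam-Score header.
# Function names, folder names and the sample message are constructed.

# One asterisk per whole point, capped at 40, as the posted filter_end does
# ("*" x int($hits)); fractions are truncated and negative scores give none.
stars_for_score() {
    n=${1%%.*}
    case $n in ''|-*) n=0 ;; esac
    [ "$n" -gt 40 ] && n=40
    out=''
    while [ "$n" -gt 0 ]; do out="$out*"; n=$((n - 1)); done
    printf '%s' "$out"
}

# True when the message on stdin has at least $1 asterisks in the header.
# Only the header block (up to the first blank line) is read, because the
# posted filter also writes "X-FS-Spam-Score: ..." into the report body part.
score_at_least() {
    sed '/^$/q' | grep -Eq "^X-FS-Spam-Score: \*{$1}"
}

# Per-user policy: $1 is that user's threshold; prints the target folder.
route_message() {
    if score_at_least "$1"; then echo Junk; else echo INBOX; fi
}

# Constructed message: $1 = SpamAssassin score, $2 = required_hits.
# The header is present only when the score reaches required_hits.
sample_message() {
    printf 'From: sender@example.com\nSubject: constructed sample\n'
    if [ "${1%%.*}" -ge "$2" ]; then
        printf 'X-FS-Spam-Score: %s\n' "$(stars_for_score "$1")"
    fi
    printf '\nBody text.\nX-FS-Spam-Score: ****************\n'
}

for s in 2.0 6.1 12.3; do
    printf '%s -> %s\n' "$s" "$(sample_message "$s" 5 | route_message 8)"
done
```
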
Re: [Mimedefang] Nod32 integration on Mimedefang
> Just a few comments on this since I tried looking into nod32 just a few
> days ago:
>
> Looking at the website, I'd expect version 2.51 to be most current, not
> 1.0.4? On the other hand, trial versions for linux don't seem to be
> freely available any longer.
>
> The manual for 2.5 does list a feature that would make nod32 interesting
> for use in scanning email: there's now a scanner daemon and commandline
> client for the daemon (/usr/sbin/nod32d, /usr/bin/nod32cli).

I wrote a different patch for NOD32 based on the documentation at http://u4.eset.com/manuals/guide_nod32ls.pdf

This patch uses nod32cli to do the scanning and uses different command-line arguments and return code parsing from the previously posted patch. Feedback is welcome.

-- 
Matt

diff -ur ../mimedefang-2.55.orig/README ./README --- ../mimedefang-2.55.orig/README 2005-02-08 11:04:22.0 -0500 +++ ./README2006-01-24 17:13:18.094103000 -0500 @@ -239,6 +239,7 @@ --disable-fprot Do not include support for F-prot Anti-Virus --disable-sophieDo not include support for Sophie --disable-nvcc Do not include support for Nvcc + --disable-nod32 Do not include support for ESET NOD32 5) Add the following line to your Sendmail "m4" configuration file. (You DO use the m4 configuration method, right?) diff -ur ../mimedefang-2.55.orig/configure.in ./configure.in --- ../mimedefang-2.55.orig/configure.in2006-01-18 13:54:02.0 -0500 +++ ./configure.in 2006-01-24 17:16:21.559921000 -0500 
@@ -509,6 +509,7 @@ AC_ARG_ENABLE(nvcc, [ --disable-nvcc Do not include support for Nvcc], ac_cv_nvcc=$enableval, ac_cv_nvcc=yes) AC_ARG_ENABLE(clamd, [ --disable-clamd Do not include support for clamd], ac_cv_clamd=$enableval, ac_cv_clamd=yes) AC_ARG_ENABLE(trophie, [ --disable-trophie Do not include support for Trophie], ac_cv_trophie=$enableval, ac_cv_trophie=yes) +AC_ARG_ENABLE(nod32, [ --disable-nod32 Do not include support for Eset NOD32], ac_cv_nod32=$enableval, ac_cv_nod32=yes) ANTIVIR_PATH="$PATH:/usr/lib/AntiVir:/usr/local/uvscan:/opt/AVP:/etc/iscan:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bd7:/usr/local/bd7/bin:/opt/kav/bin:/opt/kav/5.5/kav4unix/bin/" @@ -587,6 +588,10 @@ if test "$ac_cv_trophie" = yes; then AC_PATH_PROG(TROPHIE, trophie, /bin/false, $ANTIVIR_PATH) fi + +if test "$ac_cv_nod32" = yes; then + AC_PATH_PROG(NOD32, nod32cli, /bin/false, $ANTIVIR_PATH) +fi fi test -z "$HBEDV" && HBEDV=/bin/false @@ -607,6 +612,7 @@ test -z "$NVCC" && NVCC=/bin/false test -z "$CLAMD" && CLAMD=/bin/false test -z "$TROPHIE" && TROPHIE=/bin/false +test -z "$NOD32" && NOD32=/bin/false if test "$ac_cv_debugging" = yes ; then ENABLE_DEBUGGING=-DENABLE_DEBUGGING @@ -987,6 +993,17 @@ GOT_VIRUS_SCANNER=1 fi +if test "$NOD32" = "/bin/false" ; then + if test "$ac_cv_nod32" != "yes" ; then + echo "NOD32 'nod32cli'NO (Disabled by configure command)" + else + echo "NOD32 'nod32cli'NO (not found)" + fi +else + echo "NOD32 'nod32cli'YES - $NOD32" + GOT_VIRUS_SCANNER=1 +fi + fi if test "$GOT_VIRUS_SCANNER" = "0" ; then diff -ur ../mimedefang-2.55.orig/mimedefang-filter.5.in ./mimedefang-filter.5.in --- ../mimedefang-2.55.orig/mimedefang-filter.5.in 2006-01-17 18:14:41.0 -0500 +++ ./mimedefang-filter.5.in2006-01-24 17:11:49.302178000 -0500 
@@ -784,6 +784,9 @@ $Features{"Virus:TROPHIE"} is the full path to Trophie if it is installed; 0 if it is not. +$Features{"Virus:NOD32"} is the full path to ESET NOD32 if it is installed; +0 if it is not. + \fBNOTE:\fR Perl-module based features (SpamAssassin, HTMLCleaner and Virus:FileScan) are determined at runtime and may change as these are added and removed. Most Virus features are predetermined at the time of @@ -1843,6 +1846,8 @@ .B message_contains_virus_fprot() .TP .B message_contains_virus_fprotd() +.TP +.B message_contains_virus_nod32() These functions should be called in \fBlist context\fR. They use the indicated anti-virus software to scan the message for viruses. These @@ -1880,6 +1885,9 @@ .TP .B f-prot F-RISK F-PROT - http://www.f-prot.com/ +.TP +.B nod32 +ESET "NOD" - http://www.eset.com/ .TP .B message_contains_virus_openantivirus([$host]) @@ -2374,6 +2382,10 @@ Trophie (http://www.vanja.com/tools/trophie/), which uses the libvsapi library from Trend Micro, is supported in daemon-scanning mode. +.TP +.B o +NOD32 (http://www.eset.com/) + .SH AUTHORS \fBmimedefang\fR was written by David F. Skoll <[EMAIL PROTECTED]>. The \fBmimedefang\fR home page is \fIhttp://www.mimedefang.org/\fR. diff -ur ../mimedefang-2.55.orig/mimedefang.pl.in ./mimedefang.pl.in --- ../mimedefang-2.55.orig/mimedefang.pl.in2006-01-18 13:54:02.0 -0500 +++ ./mimedefang.pl.in 2006-01-24 17:04:20.209126000 -0500
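Review bot: in configure.in, the AC_PATH_PROG check added in the second hunk only locates nod32cli, which the thread describes as the command-line client for the nod32d daemon, so the "NOD32 'nod32cli' YES" summary line proves the client binary exists and nothing about the daemon. Consider saying in the README entry or the summary output that nod32d must be running for scans to work. The AC_ARG_ENABLE help string also spells the vendor "Eset NOD32" while the README hunk uses "ESET NOD32"; pick one spelling for both.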
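Review bot: in mimedefang-filter.5.in, the scanner-list entry added under ".B nod32" reads ESET "NOD" where every other added line says NOD32; make it ESET NOD32. The $Features{"Virus:NOD32"} paragraph says the value is the full path to ESET NOD32, but configure resolves nod32cli specifically, so the text should name nod32cli. The last hunk's bullet gives only a name and URL, while the Trophie entry just above it states the supported mode; add that NOD32 is supported through the nod32cli client.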
Re: [Mimedefang] Question for the HOWTO page
Les Mikesell wrote:

> I reject values that can only be reached by my local settings
> for viagra/porn, and send the rest through with the score
> value arranged for easy individual filtering (the asterisk list
> as the first thing in the header).

Can you post your configs and diffs?

-Philip

Re: [Mimedefang] Question for the HOWTO page
On Sun, 2006-01-29 at 12:41, Philip Prindeville wrote:

> Does everyone use the built-in scoring, or do they write their own?

I used the sa-mimedefang.cf file to whitelist some known business-related senders and bump up the scoring on viagra and porn related items to unrealistically high values.

> Also, instead of flagging spam, what about just rejecting the email in
> filter_end() if SA reports too high a probability of it being spam?

I reject values that can only be reached by my local settings for viagra/porn, and send the rest through with the score value arranged for easy individual filtering (the asterisk list as the first thing in the header).

-- 
Les Mikesell [EMAIL PROTECTED]

Re: [Mimedefang] Question for the HOWTO page
Does everyone use the built-in scoring, or do they write their own?

I can see how, at the very least, you'd want to configure your set of ok_locales for SA.

Perhaps the MdF (RPM) distribution could contain a set of sample sa-mimedefang.cf.example files?

Also, instead of flagging spam, what about just rejecting the email in filter_end() if SA reports too high a probability of it being spam?

The system-wide checks could be a set of inoffensive checks that everyone agrees are highly reliable.

-Philip

AW: [Mimedefang] Nod32 integration on Mimedefang
Hi Giovanni,

> Today I wrote a simple patch to mimedefang.pl to run nod32
> antivirus on my Linux box.
> I don't know if someone did the same, but I can't find
> anything similar on the web
> I use sendmail with libmilter, mimedefang2.54 and the last version of
> nod32 (the eval version) for Linux (downloaded from home page)
>
> I installed nod32 in /opt directory and I made a sym link
> /opt/nod32 to
> /opt/nod32-1.04-1_101 dir

Just a few comments on this since I tried looking into nod32 just a few days ago:

Looking at the website, I'd expect version 2.51 to be most current, not 1.0.4? On the other hand, trial versions for linux don't seem to be freely available any longer.

The manual for 2.5 does list a feature that would make nod32 interesting for use in scanning email: there's now a scanner daemon and commandline client for the daemon (/usr/sbin/nod32d, /usr/bin/nod32cli).

While on the topic: what other scanners work with a daemon/commandline system? I'd expect these to be able to handle significantly higher volumes of mail compared to "stand-alone" commandline scanners.

Some datapoints I've got so far:

* Clamav has a daemon (and a fairly extensive history of security problems)
* kaspersky version 4 had a daemon/client config that worked quite well.
* kaspersky 5 daemon client was so broken that I stopped using it (commandline client didn't scan archives, didn't scan mailbox format and returned result codes based just on the last file scanned, disregarding previous results) - has this been fixed since?
* f-prot seems to have a supported daemon - haven't tried that yet.

Info on other scanners that you're happy with is appreciated :-)

Thanks,
Martin