RE: [Mimedefang] Random Word Spam

2004-01-16 Thread Cormack, Ken
Touché, David.  LOL

> Your message did not trigger my rule, because you didn't have
> 15 or more lower-case words _of at least 4 letters each_ in a row with
> no punctuation. :-)
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] not catching TNEF and embedded mime viruses

2004-01-20 Thread Cormack, Ken
In a post related to a clamav question, the URL
http://www.testvirus.org/?co= was given.  I ran my own server through the
battery of tests on that site.  I was hoping the site had some explanations
of the specific vulnerabilities it tries to exploit in tests 16 through 22.
Our system, with MIMEDefang and Vexira, did very well overall, but missed
some of the tests in that group.

It's a given that my Vexira could identify the EICAR, as the success of most
of the tests proved.  But it could only scan the pieces of the message that
MIMEDefang chose to send to it.

With good descriptions of the vulnerabilities "exploited" in tests 17, 18,
19, 20, and 22, it shouldn't be hard to build some checks for these into
mimedefang-filter.

Does anyone know where good descriptions of these "exploits" might be found?

Thanks

Ken


RE: [Mimedefang] not catching test viruses

2004-01-20 Thread Cormack, Ken
Group,

It is evident that some of us have hosts that are letting some things slip
through that shouldn't.  This is being highlighted by the varying results we've
had with the tests used at http://www.testvirus.org/?co=

The following may be of help to those able/willing to write and contribute
MIMEDefang filters for these...
http://www.declude.com/virus/vulnerability.htm

Ken


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Douglas, Jason
Sent: Tuesday, January 20, 2004 12:45 PM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] not catching test viruses


> In a post related to a clamav question, the URL
http://www.testvirus.org/?co= was given.

I am using the "bad windows extensions" list and clamav to virus scan.
The only tests that got through for me are the following:

#  8 Eicar virus sent using BinHex encoding within a MIME segment
#18 Outlook 'Blank Folding' Vulnerability (does not include Eicar virus,
but your mail server still must catch this)
#22 A file with a CLSID extension which may hide the real file extension
(does not include Eicar virus, but your mail server still must catch
this)

I would very much be interested in any solutions that come up as a
result of this discussion. Thanks!


Jason Douglas
Network Support Technician
http://scopicmedia.ca/
http://scopicmedia.com/jasond/






RE: [Mimedefang] not catching test viruses

2004-01-20 Thread Cormack, Ken
I haven't looked yet at the mimedefang-filter code (been busy this afternoon
with other fires), but does MD pass the header to a virus-scanner?  Or just
the body and attachments?  That at least might give a scanner a chance to
spot something.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Tuesday, January 20, 2004 3:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] not catching test viruses


On Tue, 20 Jan 2004, Kevin A. McGrail wrote:

> It might be of interest that using Symantec Anti-Virus for SMTP and NO
> Mimedefang missed the following tests to my knowledge though it's much
> harder because Symantec does a receive and modify rather than a block on
> emails.  It's very possible some of these were "defanged" but it's very
> difficult for me to ascertain.

I think some of the AV tests are pretty ridiculous, especially the MS
Outlook bug test.

At some point, you have to give up trying to duplicate all kinds of
weird and wonderful bugs in desktop software on the server, and just
get the desktop people to upgrade or switch.

It's possible to write a polymorphic virus with no constant signature
longer than a couple of bytes, or possibly even a single byte,
depending on how creative you can get with x86 assembly programming.
We'll eventually see virus-writing toolkits that make these
"signature-less" viruses easy to create, and then what?

Regards,

David.


RE: [Fwd: RE: [Mimedefang] not catching test viruses]

2004-01-20 Thread Cormack, Ken
> The ones that slipped by for me were #17,#18.
>
> 19# and 20# showed up, but they were stripped, and it was just a blank
> emails.

The bodies were blank, but look at the headers.  (In Outlook, Open the
message, then go to "View/Options" and scroll through the Internet header.)

>
> You can catch clsid with this extension match:

> $bad_exts = '... |\{[^\}]+\})';

> This is my current bad_ext match.

The above is in my bad_exts list, too, but still the CLSID seemed to slip
through (don't know why yet... I see no typo in my definition.)

Ken
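The extension check under discussion, as an added example in Python that is neither code from this list nor MIMEDefang's own filter: a bad-extension pattern (a constructed subset in the style of $bad_exts, with the CLSID alternative quoted above) applied to every name a MIME part advertises. A part can carry a name in the Content-Type name= parameter and in the Content-Disposition filename= parameter, and the two need not agree, so the check walks both instead of trusting the single name the parser returns first. The sample message is constructed for the example and its payloads are plain text.

```python
"""Check every advertised attachment name against a bad-extensions pattern.

Added example, not MIMEDefang filter code. BAD_EXTS is a constructed subset in
the style of $bad_exts; the CLSID alternative is the one quoted in the thread.
"""
import email
import re
from email.utils import collapse_rfc2231_value

# Constructed list; the last alternative catches names that end in a {CLSID}.
BAD_EXTS = (r"(ade|adp|bat|chm|cmd|com|cpl|exe|hta|js|jse|lnk|msi|pif|reg|scr"
            r"|shs|vbe|vbs|wsf|wsh|\{[^\}]+\})")

# Anchor at the end of the name and tolerate trailing dots or whitespace,
# which Windows silently strips before deciding how to open the file.
BAD_NAME_RE = re.compile(r"\." + BAD_EXTS + r"[.\s]*$", re.IGNORECASE)


def is_bad_name(name):
    """True if the name ends in a blocked extension (case-insensitive)."""
    return BAD_NAME_RE.search(name) is not None


def advertised_names(part):
    """Every name a part advertises: Content-Disposition filename= and Content-Type name=.

    Message.get_filename() returns only the first of these it finds, so a part
    with a harmless filename= and a dangerous name= would pass a check built on
    it alone.
    """
    names = []
    for header, param in (("content-disposition", "filename"), ("content-type", "name")):
        value = part.get_param(param, header=header)
        if value is not None:
            names.append(collapse_rfc2231_value(value).strip())
    return names


def bad_attachment_names(raw_message):
    """Parse a raw message and return every advertised name that matches BAD_NAME_RE."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        for name in advertised_names(part):
            if is_bad_name(name):
                hits.append(name)
    return hits


# Constructed sample: a harmless filename= paired with a CLSID name=, then a
# trailing-dot .exe.  Neither carries a payload; they only exercise the check.
SAMPLE_MESSAGE = b"""\
From: sender@example.org
To: user@example.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream; name="readme.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"
Content-Disposition: attachment; filename="readme.txt"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe."
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

if __name__ == "__main__":
    for hit in bad_attachment_names(SAMPLE_MESSAGE):
        print("blocked:", hit)
```

Run as a script it reports both constructed names; the first is caught only because the Content-Type name= is examined separately from the Content-Disposition filename= that get_filename() would have returned.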


[Mimedefang] Building rpms from CPAN modules

2004-01-23 Thread Cormack, Ken
I realize this is sorely OT, but I remember seeing someone post the command
in a recent discussion, and now I can't find it.

Does someone remember how to build a Redhat RPM from a CPAN module tarball?

Thanks!


RE: [Mimedefang] Building rpms from CPAN modules

2004-01-26 Thread Cormack, Ken
Thanks, all, for responding to this O.T. thread.  :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kenneth
Porter
Sent: Friday, January 23, 2004 10:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Building rpms from CPAN modules


--On Friday, January 23, 2004 3:16 PM -0600 Stephen Johnson 
<[EMAIL PROTECTED]> wrote:

> Easy. Grab the cpan2rpm program from a CPAN site. That will do the job
> for you.

This has been superseded by the RPM::Specfile package and its utility 
cpanflute2:

Name        : perl-RPM-Specfile                Relocations: (not relocateable)
Version     : 1.13                             Vendor: (none)
Release     : 8
Group       : Development/Libraries
Source RPM  : perl-RPM-Specfile-1.13-8.src.rpm
Size        : 20616                            License: GPL or Artistic
Signature   : (none)
Packager    : RPM Package Builder <[EMAIL PROTECTED]>
URL         : http://search.cpan.org/dist/RPM-Specfile/
Summary     : RPM-Specfile Perl module
Description :
RPM-Specfile Perl module.





RE: [Mimedefang] Request for help: Virus-scanner invocation review [was Re: New .zipvirus]

2004-01-27 Thread Cormack, Ken
I'd like to see it call multiple scanners, if installed.  :)

I use Central Command's Vexira here (the server version), David, and the
flags you use appear to be working fine.

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Tuesday, January 27, 2004 8:16 AM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] Request for help: Virus-scanner invocation review
[was Re: New .zipvirus]


On Tue, 27 Jan 2004, Kevin A. McGrail wrote:

> Add the --mime switch to detect MIME encoded virus's.

I'm planning on a 2.40 release soon.  Would all virus-scanner owners please
review how MD invokes the scanner and suggest improvements?  I do not
own/use any virus-scanning software, so I rely on you folks to tell me
how to invoke it correctly.

Regards,

David.


[Mimedefang] Greylist TEMPFAILS being viewed as 5.x.x PERM fails?

2004-01-28 Thread Cormack, Ken
List,

Quite some time ago, we implemented greylisting, based on code snippets
posted here by various people.  I'd like to share a problem we're having, to
see if it rings a bell with anyone on this list.

When a triplet is first encountered, we tempfail the message and add the
triplet to the database.  The next time we see that same triplet, the
message is allowed straight in.  This is working perfectly... except for a
handful of problematic sending systems.

It seems that RFC brain-dead mailers are out there, that interpret a
tempfail as if it were a 5.x.x permanent failure, and the failure is being
handed back to the sending user's MUA.

Can anyone tell me, have you:
A. "fought the good fight to prove you are not sending a 5.x.x series status
code"... and won
B. Found something in your milter code or sendmail.cf that IS in fact,
sending a 5.x.x when a triplet is greylisted
C. had experience with any such brain-dead MTAs that misinterpret a 4.x.x
code
D. Found a fix, short of whitelisting the problematic hosts

Thanks all, for lending a look into this issue.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Scott
Harris
Sent: Wednesday, January 28, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [Mimedefang] Problem running clamd but not clamscan


 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Lucas Albers
> Sent: Wednesday, January 28, 2004 10:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Mimedefang] Problem running clamd but not clamscan
> 
> How did you get the timing for this from mimedefang?
> Scott Harris said:
> 

-T option to mimedefang, such as:

/usr/local/bin/mimedefang -T -k -U defang -m /var/spool/MIMEDefang/mimedefang-multiplexor.sock -p /var/spool/MIMEDefang/mimedefang.sock &


   -T Causes mimedefang to log the run-time of the Perl filter using syslog.



RE: [Mimedefang] Greylist TEMPFAILS being viewed as 5.x.x PERM fails?

2004-01-28 Thread Cormack, Ken
Thank you, David, for shedding light on this.  If nothing else, I can now
say "Put a sniffer on your segment, and see for yourself."

Ken


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Wednesday, January 28, 2004 2:20 PM
To: '[EMAIL PROTECTED]'
Subject: Re: [Mimedefang] Greylist TEMPFAILS being viewed as 5.x.x PERM
fails?


On Wed, 28 Jan 2004, Cormack, Ken wrote:

> It seems that RFC brain-dead mailers are out there, that interpret a
> tempfail as if it were a 5.x.x permanent failure, and the failure is being
> handed back to the sending user's MUA.

No, what's going on is that the brain-dead senders receive 4xx for all their
RCPT commands.  They then issue a DATA command (in spite of the fact that
they MUST not issue DATA unless at least one RCPT succeeded) and Sendmail
correctly responds with a 5xx code.

I believe Novell Groupwise has this bug.  Old SLMail servers did too.

> A. "fought the good fight to prove you are not sending a 5.x.x series
status
> code"... and won

Yes.

> B. Found something in your milter code or sendmail.cf that IS in fact,
> sending a 5.x.x when a triplet is greylisted

See above.

> C. had experience with any such brain-dead MTAs that misinterperet a 4.x.x
> code

Yes.

> D. Found a fix, short of whitelisting the problematic hosts

Yes.  With CanIt/CanIt-PRO, we can optionally delay greylisting until
the end of the DATA phase.  This wastes bandwidth, but does give most
of the benefits of greylisting without triggering problems on buggy
servers.

Regards,

David.


[Mimedefang] Has anyone used fang.pl

2004-01-28 Thread Cormack, Ken
Has anyone ever used fang.pl (in the "contrib" directory of the MIMEDefang
source tree) to reconstruct an email?

It looks like I've just been handed my first-ever "need to recover" from a
quarantine dir.

What can I expect fang.pl to do, and do I need to disable mimedefang in
order to get the mail recovered and forwarded to the user?

I have located the particular qdir containing the quarantined message.  It
quietly sits waiting for me in
/var/spool/MD-Quarantine/qdir-2004-01-28-14.09.22-001

Thanks to any/all who would know what to do next, as this thing isn't
documented (that I can find).

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown


RE: [Mimedefang] filters for subject content

2004-02-09 Thread Cormack, Ken
> I believe he asked for a NON-spamassassin way to do this unless I have
> gotten the threads confused.

> > They're SpamAssassin rules.  They go in your SpamAssassin configuration
> > file, not your MIMEDefang filter.

Here is what I use, to block subject lines via sendmail.  Add this to the
LOCAL_RULESET section of your sendmail.mc file.  You then create two files.
They are:

/etc/mail/subjects_full
and
/etc/mail/subjects_part

The subjects_full file should contain complete "exact match" subjects you
wish to block.  The subjects_part file (partial subjects) should contain
just keywords you wish to block, that could appear in any subject.  For
instance, if you want to block ANY message with a subject containing the
word "mortgage", you simply put that word in the subjects_part file.  If you
want to block only a specific subject heading with that word, you would put
the complete subject line in the subjects_full file.

Note that the search against these files is NOT case-sensitive.  I generally
just populate these files with everything in lower-case.  The rule will
match regardless of UPPER/lower case.  Also, and this is IMPORTANT... in
these two files, you MUST REPLACE ANY SPACES WITH PERIODS.

Finally, below is the actual ruleset I use.  BE CERTAIN to replace any
occurrences of "[TAB]" with an actual tab character, before attempting to
use this.  Do NOT simply copy/paste into your sendmail.mc without taking
care of those [TAB] indicators.

Have fun!

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Phone: (330) 643-6372
Fax: (330) 643-6367
Pager: (800) 946-4646 Pin 1412819

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown


LOCAL_RULESETS
##
###
###  Email Virus and Anti-SPAM stuff...
###
###  Add exact-match subject lines to /etc/mail/subjects_full
###  Add substrings to match in subject lines to /etc/mail/subjects_part
###  In both files, all spaces MUST be replaced with periods (.)
###
###  Create two files called /etc/mail/subjects_full and
###  /etc/mail/subjects_part.  The former has complete
###  unwanted 'subject' lines, while the latter has only
###  substrings within 'subject' lines.
### 
###  As an example, suppose you want to filter out 'viagra'
###  spam.  The following entry in your subjects_part
###  file would do it:
###viagra
### 
###  In the case of multi-word entries, all spaces MUST be
###  replaced with periods.  For example:
###herbal.viagra
### 
###  These filters are not case-sensitive.
### 
##
F{FullSubjects} -o /etc/mail/subjects_full
F{PartSubjects} -o /etc/mail/subjects_part
HSubject:[TAB]$>CheckSubject

SCheckSubject
R$={FullSubjects}$*[TAB]$: REJECTSUBJECT
R$* $={PartSubjects} $*[TAB]$: REJECTSUBJECT
R$* REJECTSUBJECT $*[TAB]$#error $: "553 Access Denied - MSG may contain SPAM/WORM/VIRUS/HOAX."

# Most specific rule first: a rule whose RHS is $#error ends the ruleset, so
# the "ADV : ADLT" rule can only fire if it is tested before the plain "ADV :"
# rule.
RADV : ADLT $*[TAB]$#error $: "553 Delivery blocked; HSubject: indicates unsolicited adult-content email."
RADV : $*[TAB]$#error $: "553 Delivery blocked; HSubject: indicates unsolicited commercial email."
RADV $*[TAB]$#error $: "553 Delivery blocked; HSubject: indicates unsolicited commercial email."


RE: [Mimedefang] memory leak?

2004-02-09 Thread Cormack, Ken
> Any ideas about what might bring the machine to it's knees like this?

Ron,

I too, am running MimeDefang on a Linux kernel (2.4.24smp compiled from the
kernel.org tarball), but I am not seeing the CPU problem you are
encountering.  In addition to Sendmail and MIMEDefang (plus Spamassassin,
greylisting, and the commercial "Vexira" anti-virus from Central Command),
the system also runs a BIND 9 DNS service.

"sar -r 3 3" numbers show good use of memory, and this is a 2GB system using
a suitably-sized tmpfs RAMdisk for /var/spool/MIMEDefang.  The machine
handles 75K emails per day totalling about 2GB of volume.

05:04:11 PM kbmemfree kbmemused  %memused kbbuffers  kbcached kbswpfree kbswpused  %swpused  kbswpcad
05:04:18 PM    653696   1415984     68.42    128920    628328   1036360     16256      1.54      2072
05:04:22 PM    652888   1416792     68.45    128920    628332   1036360     16256      1.54      2072
05:04:20 PM    651960   1417720     68.50    128924    628360   1036360     16256      1.54      2072
Average:       652848   1416832     68.46    128921    628340   1036360     16256      1.54      2072

In addition to sendmail/MIMEDefang, this box also runs BIND.  Forgive the
line-wrap, but here are my relevant numbers from "top".  On this particular
system, MD has been running for about a week since last application restart.

77 processes: 76 sleeping, 1 running, 0 zombie, 0 stopped
CPU0 states:   1.1% user   0.5% system   0.0% nice   0.0% iowait  97.3% idle
CPU1 states:   6.1% user   0.5% system   0.0% nice   0.0% iowait  92.3% idle
Mem:  2069680k av, 1414576k used,  655104k free,       0k shrd,  128556k buff
                    906440k active,          327016k inactive
Swap: 1052616k av,   16256k used, 1036360k free                  629152k cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
19645 named     10   0  152M 143M  1424 S     0.1  7.1 158:18 /usr/local/sbin/named -u named -t /home/chroot_dns
28341 defang     9   0 28224  27M  2504 S     0.6  1.3   0:17 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -f /etc/mail/mim
28345 defang     9   0 26740  26M  2496 S     0.0  1.2   0:06 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -f /etc/mail/mim
28348 defang     8   0 26472  25M  2468 S     0.0  1.2   0:04 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -f /etc/mail/mim
30380 defang     8   0 25756  25M  2152 S     0.0  1.2   0:03 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -f /etc/mail/mim
30883 defang     9   0 25360  24M  2128 S     0.0  1.2   0:02 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -f /etc/mail/mim
31500 defang     9   0 25360  24M  2128 S     0.0  1.2   0:03 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -f /etc/mail/mim
32175 defang     9   0 25360  24M  2128 S     0.0  1.2   0:03 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -f /etc/mail/mim
32715 defang     9   0 25360  24M  2128 S     0.0  1.2   0:03 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -f /etc/mail/mim
  869 defang     9   0 25360  24M  2128 S     0.0  1.2   0:02 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -f /etc/mail/mim
 1489 defang     9   0 25360  24M  2128 S     0.0  1.2   0:02 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -f /etc/mail/mim
23191 root       9   0  2292 2184  1864 S     0.0  0.1   0:21 sendmail: running queue: /var/spool/mqueue
 1292 root       9   0  2204 2160  1568 S     0.0  0.1   0:00 sendmail: i19LvujH001292 mail3.subscribermail.com [66.102.106.
 1792 root      17   0  2160 2136  1612 S     0.0  0.1   0:00 sendmail: ./i19M0CjH001788 mail2.yellowcorp.com.: client DATA
 1722 root       9   0  2144 2112  1600 S     0.0  0.1   0:00 sendmail: ./i19LxpjH001700 ohmx-1.columbus.rr.com.: user open
 1732 root       9   0  2108 2080  1584 S     0.0  0.1   0:00 sendmail: server srv01.1ecards.com [66.98.192.69] cmd read
 1583 root       9   0  2100 1848  1456 S     0.0  0.0   0:00 sendmail: server w2kmail3.palmbeach.k12.fl.us [165.161.3.108]
23182 root       1   0  1676 1304  1172 S     0.0  0.0   3:20 sendmail: accepting connections
  514 root       9   0  1260 1124  1084 S     0.0  0.0   0:20 /usr/sbin/sshd
23188 root       9   0  1628 1100  1100 S     0.0  0.0   0:00 sendmail: Queue control
13388 root       9   0  1620 1088   932 S     0.0  0.0   0:00 ksh
 1646 root      12   0  1028 1028   820 R     0.3  0.0   0:00 top
13357 hc43       9   0  1016 1016   844 S     0.0  0.0   0:00 -ksh
20287 defang     9   0   984  968   672 S     0.0  0.0   0:17 /usr/local/bin/mimedefang -r -P /var/spool/MIMEDefang/mimedefa
20270 defang     9   0  1024  960   816 S     0.0  0.0   1:08 /usr/local/bin/mimedefang-multiplexor -p /var/spool/MIMEDefang

Perhaps you can give us more info about your system?


KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTE

[Mimedefang] VeriSign to screw things up again

2004-02-10 Thread Cormack, Ken
This will (again) break any sendmail-based defense against unresolvable
sender domains.  I have greylisting in place, and my BIND is configured with
the latest delegation-related directives, but would it be something to
consider, to have MIMEDefang reject a message if the domainname of the
sender resolves to VeriSign's search site?  (This would help people who don't
do greylisting and/or don't control their DNS server's configuration.)

http://www.washingtonpost.com/wp-dyn/articles/A25819-2004Feb9.html


KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Phone: (330) 643-6372
Fax: (330) 643-6367
Pager: (800) 946-4646 Pin 1412819

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown


RE: [Mimedefang] Virus messages changed in new version of Vexira and Antivir

2004-02-11 Thread Cormack, Ken
-Original Message-
> Why not:
>
>   $CurrentVirusScannerMessage =~ m/ALERT: \[(\S+)/
>
> in case they introduce "trojan", "malware" or some other stupid
> change in a future version?

Doesn't this cause a square-bracket imbalance?


RE: [Mimedefang] Aggressive mailers

2004-02-13 Thread Cormack, Ken
Geeze, and I once thought I was being "overly aggressive" when I reduced my
vendor's sendmail default retry value from 1 hour to 5 minutes.  LOL


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Friday, February 13, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Aggressive mailers


On Fri, 13 Feb 2004, Jon R. Kibler wrote:

> Yesterday a mailer went amok when trying to get a mail through to
> our server. It was tempfailed by the greylist as it should, but
> instead of waiting for awhile before trying again it retried 886 times
> in 10 minutes (after which it was let through by the greylist).

> What you describe is not uncommon.

Sympatico (a Canadian ISP) also has a rather aggressive retry schedule.
Magma (another Canadian ISP) goes to the other extreme, and seems to retry
only every 12 hours!

Regards,

David.


[Mimedefang] Summary of new Vexira

2004-02-18 Thread Cormack, Ken
David,

Below is a snippet of an email we just received about an update to Vexira,
including descriptions of some new command-line switches you might be
interested in incorporating into the default commandline you pass to Vexira,
from within MIMEDefang.

Ken

General
=== 
1. Detects other malware types, such as dialers, games, jokes and
possible malicious software using the "DetectDialer", "DetectJoke",
"DetectGame", "DetectPMS" directives in vexira.conf

2. Pack library updated to support mailboxes and "exploding
archives" (aka mailbombs)

3. More intense selfcheck on startup

Command Line Scanner

1. exclude files or paths with "--exclude=" argument
2. allow warnings to be handled as alerts with "--warnings-as-
alerts" argument 
3. send emails when alerts are found using the "--log-email=" 
argument 
4. scan mbox files with "--scan-in-mbox" argument 
5. set max archive size and recursion with "--archive-max-size=" 
and "--archive-max-recursion" arguments 
6. detect other types, such as dialers, games, jokes and possible 
malicious software using the "--with-dialer" "--with-game" "--with-
joke" "--with-pm" arguments, or you can detect all types with the "--
alltype" argument

Guard
=
1. run external program with each alert using the "ExternalProgram"
directive in vaguard.conf
2. supports Dazuko 2.0
3. file cache integrated into vexira binary (no longer a separate
vexira-fc file)
4. files are backed up before attempting to repair
5. support for file including/excluding
6. support for filenames of any length added

Updater
===
1. keep backups after each update using the 
"UpdaterKeepBackups" directive in vexira.conf
2. supports chunked HTTP/1.1 download formats


RE: [Mimedefang] Incredible spam obfuscation

2004-02-20 Thread Cormack, Ken
This thing is really nice!  In less than 10 minutes of run-time with this
trap in place, it's already caught 10 messages.  Thanks to Joe for spotting
this and for working out (and posting) a solution, and to Paul for the
tweak.  :)

Ken


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Joseph
Brennan
Sent: Friday, February 20, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Incredible spam obfuscation



> Would it be helpful to tweak the regex just a bit?
>
>   if ( /<(iframe|script|object)\b/i ) {


I like it.

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York



RE: [Mimedefang] Incredible spam obfuscation

2004-02-20 Thread Cormack, Ken
> Cormack, Ken said:
> > This thing is really nice!  In less than 10 minutes of run-time with
this
> > trap in place, it's already caught 10 messages.  Thanks to Joe for
> > spotting
> > this and for working out (and posting) a solution, and to Paul for the
> > tweak.  :)

> I like being explicit.
> Could you post the complete SA rule so I could go run it through my
corpus?
> Then I can bugzilla file it on bugzilla.spamassassin.org.

sub filter {
    my($entity, $fname, $ext, $type) = @_;   # MIMEDefang's filter() arguments
    my $io;
    # ...

    # Check for bad code in HTML parts
    if ($type eq "text/html") {
        my($bla, $badtag);
        if ($io = $entity->open("r")) {
            while (defined($_ = $io->getline)) {
                # note iframe, script, object
                if ( /<(iframe|script|object)\b/i ) {
                    $badtag = $1;
                    # Replacement text assumed (the posted line was garbled in
                    # transit): escape the '<' so the tag is shown, not rendered.
                    s/<(iframe|script|object)\b/&lt;$1/gi;
                }
                $bla .= $_;    # keep every line, rewritten or not
            }
            $io->close;
        }
        if ($badtag) {
            # Write the rewritten body back into the part and rebuild the message
            if ($io = $entity->open("w")) {
                $io->print($bla);
                $io->close;
            }
            $badtag .= " tag deactivated";
            md_graphdefang_log('modify', "$badtag");
            action_change_header("X-Warning", "$badtag by Columbia filter");
            action_rebuild();
        }
    }

    # ...
}


[Mimedefang] OT - Cant figure out why this is being rejected

2004-02-23 Thread Cormack, Ken
This is most likely off-topic, and for that I apologize.  I'm trying to
figure out why my mail servers are rejecting mail addressed to domain
literals such as "[EMAIL PROTECTED]" with a "550 5.7.1 Relaying
denied" error.  I don't see anything in my MIMEDefang config that would be
doing this, and I'm stuck as to what might be causing it.  Anyone have any
thoughts?  My sendmail is 8.12.11.  Thanks all, in advance.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Phone: (330) 643-6372
Fax: (330) 643-6367
Pager: (800) 946-4646 Pin 1412819

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown


RE: [Mimedefang] OT - Cant figure out why this is being rejected

2004-02-23 Thread Cormack, Ken
Sendmail knows itself as follows, on my box...

 SYSTEM IDENTITY (after readcf) 
  (short domain name) $w = mail01

As you can see, it properly knows its own short name.  I defined class w in
the file "Fw /etc/mail/local-host-names".  In that file, I already have the
IP address listed.  This is driving me nuts!  Everywhere that I'm supposed
to have the IP listed, it's listed.  But keep the suggestions coming!
Doubtless, we'll find it!  LOL

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jon R.
Kibler
Sent: Monday, February 23, 2004 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] OT - Cant figure out why this is being
rejected


"Cormack, Ken" wrote:
> 
> This is most likely off-topic, and for that I apologize.  I'm trying to
> figure out why my mail servers are rejecting mail addressed to domain
> literals such as "[EMAIL PROTECTED]" with a "550 5.7.1 Relaying
> denied" error.  I don't see anything in my MIMEDefang config that would be
> doing this, and I'm stuck as to what might be causing it.  Anyone have any
> thoughts?  My sendmail is 8.12.11.  Thanks all, in advance.
> 
Is [98.83.130.15] a local host? To check:
/usr/lib/sendmail -bt
$=w

If you don't see it there, that's your problem!

How to fix it? Could be complicated -- depending upon your system's network
configuration. If you still have questions, contact me off-list and include
the results of your $=w and an ifconfig -a on that box.

Jon
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214






RE: [Mimedefang] OT - Cant figure out why this is being rejected

2004-02-23 Thread Cormack, Ken
They're already in there.  That's why I can't figure this out.  They're in
access.db too:

Both as ...
198.83.130.15   OK

and...
[198.83.130.15] OK

::scratching head::


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul
Sent: Monday, February 23, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] OT - Cant figure out why this is being
rejected


>This is most likely off-topic, and for that I apologize.  I'm trying to
>figure out why my mail servers are rejecting mail addressed to domain
>literals such as "[EMAIL PROTECTED]" with a "550 5.7.1 Relaying
>denied" error.  I don't see anything in my MIMEDefang config that would be
>doing this, and I'm stuck as to what might be causing it.  Anyone have any
>thoughts?  My sendmail is 8.12.11.  Thanks all, in advance.

That's sendmail, not MD, check the file /etc/mail/local-host-names. You may
wish to add the IP addresses in there with the domain names you wish to
accept mail for...

Paul



Found the problem - was RE: [Mimedefang] OT - Cant figure out why this is being rejected

2004-02-23 Thread Cormack, Ken
I had the following sendmail LOCAL_RULESET.  I just need to add an access
check to it.  When I turned off this rule, the domain literal worked fine...

dnl # Check HTo: to verify user or alias exists
dnl # What about BCC? Also, what about mailer tabled domains?
dnl # Must not be blank
dnl # Allow To: username only from localhost (for emailed log files)
dnl HTo:$>CheckTo
dnl
dnl SCheckTo
dnl R$* ( $* ) $*   $: $1
dnl R$* < $* > $*   $: $2
dnl R$* $: <$1>
dnl R<$+ @ $+ . $-> $: [EMAIL PROTECTED]
dnl R<$+>   $: <$1> <$&{client_name}>
dnl R<$+> < localhost > $@ OK
dnl #R<$+> <$+> $: <$1> <$2 . $m>
dnl #R<$+> < $j >   $@ OK
dnl R<$+> <$*>  $: <$1>
dnl R<$+>   $#error $: "553 Delivery blocked; HTo: specified an invalid address"
dnl R<$@>   $#error $: "553 Delivery blocked; HTo: specified a null address"

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Phone: (330) 643-6372
Fax: (330) 643-6367
Pager: (800) 946-4646 Pin 1412819

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown



RE: [Mimedefang] OT - Cant figure out why this is being rejected

2004-02-23 Thread Cormack, Ken
You don't "relay" to the localhost.  Anyway, the problem has been solved.
Thanks  :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Joseph
Brennan
Sent: Monday, February 23, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [Mimedefang] OT - Cant figure out why this is being
rejected




--On Monday, February 23, 2004 11:03 AM -0500 "Cormack, Ken" 
<[EMAIL PROTECTED]> wrote:

> They're already in there.  That's why I can't figure this out.  They're in
> access.db too:
>
> Both as ...
> 198.83.130.15 OK
>
> and...
> [198.83.130.15]   OK


If you want to allow relay, you want RELAY not OK.

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York



RE: [Mimedefang] Replacing SpamAssassin with DSPAM

2004-02-24 Thread Cormack, Ken
-Original Message-
::snip::

> Basically, I'm trying to avoid drastic changes to my mail system, since
> it generally works OK.  So, the farther the changes get from sendmail,
> theoretically changes should inflict less damage.

Andy, have you considered (or do you currently use) greylisting, via
MIMEDefang?  That, more than any other single sendmail ruleset, access.db
block, or MIMEDefang rule that we use, has taken the biggest chunk out of
the spams we used to deal with.  Just a thought.


KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown


RE: [Mimedefang] relaying mail

2004-02-26 Thread Cormack, Ken
Unless you have coded any exceptions into your mimedefang-filter such as "if
the IP address of the relay host is that of the Exchange server, then skip
this test", then yes, all mail will be scanned, in both directions.

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Andrew
Jayes
Sent: Thursday, February 26, 2004 6:14 AM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] relaying mail



Hi All,
A little off topic, but can anyone give me some pointers?  I have
my mimedefang gateway ready to go but I wanted some advice before I put
it live.

The setup is as follows: mail coming in is forwarded from the firewall
to the mimedefang gateway which will then relay the mail on to an
exchange server for local delivery. On the way out the exchange is using
a smart host to pass the mail to the mimedefang gateway and then out to
the world at large.

I just want to check, 

Will the mimedefang gateway perform all of the scanning on the mail that
is to be relayed?

Both incoming and outgoing?

Also I am not a sendmail expert, is there anything that you can point
out to me as 'obvious mistakes' not to make when relaying through
sendmail. I don't want to inadvertently become a spammer myself.

Many thanks,

Andrew Jayes



[Mimedefang] MD, Vexira, and ecrypted .zips

2004-03-02 Thread Cormack, Ken
Not being strong in perl -at all-, I'm wondering if the list can take a look
at the code below, from mimedefang.pl, and tell me what might be wrong.
We'd like to have MIMEDefang quarantine any encrypted .zip files, and the
Vexira antivirus that we run returns a zero return code when it encounters
such an archive, despite the "WARNING" message that it also prints.  Does
the list have any suggestions before I try this?  Thanks in advance!

sub interpret_vexira_code ($) {
    # Based on info from Nels Lindquist
    # Based on code from H+BEDV AntiVir
    my($code) = @_;

    # Check for encrypted zip files: Vexira exits 0 but prints a WARNING.
    # The file name sits between "WARNING:" and "archive not completely
    # scanned", so the match has to allow for it.
    if ($CurrentVirusScannerMessage =~ m/WARNING: .*archive not completely scanned: contents encrypted/) {
        $VirusName = "Encrypted-ZIP-file";
    }

    # If 0 return code and no "WARNING", we're ok
    if ($code == 0 && $VirusName eq "") {
        return ($code, 'ok', 'ok');
    }

    # If 0 return code and a WARNING was found, quarantine the attachment.
    # The numeric code handed back is still 0: anything that tests only the
    # code, and not the action, will still treat this message as clean.
    if ($code == 0 && $VirusName eq "Encrypted-ZIP-file") {
        return ($code, 'encrypted', 'quarantine');
    }

    # Virus or virus in memory
    if ($code == 1 or $code == 2) {
        $VirusName = $1 if ($CurrentVirusScannerMessage =~ m/ALERT: \[(\S+)/ or
                            $CurrentVirusScannerMessage =~ /!Virus! \S+ (\S+)/ or
                            $CurrentVirusScannerMessage =~ m/VIRUS: file contains code of the virus '(\S+)'/);
        $VirusName = "unknown-Vexira-virus" if $VirusName eq "";
        return ($code, 'virus', 'quarantine');
    }

    # All other codes should not happen
    return ($code, 'swerr', 'tempfail');
}

KEN


RE: [Mimedefang] survey: dropping password protected file

2004-03-03 Thread Cormack, Ken
> We just went through the same thing and have told people we will be
> dropping zip files until we work out a sane way of 'scanning' ones that
> are bad. Of course the .zip item is already being deprecated by the .txt
> virii that tell the user in the email to rename the .txt to .zip and
> open it up and then run the application for security reasons.

Something like the following would probably serve as a basis for inspecting
"the magic" of a zip archive, regardless of filename extension.  This
particular example looks to see if the first 2 bytes are "MZ", but this
could be changed to look for "PK", instead...

# Reject Microsoft executables, regardless of extension, by
# identifying their magic.  Call as Reject_MS_Executables($entity)
# from filter().
sub Reject_MS_Executables {
    my($entity) = @_;
    if (defined $entity->bodyhandle) {
        my $path = $entity->bodyhandle->path;
        if ($path) {
            if (open(my $fh, '<', $path)) {
                binmode($fh);
                my $file_data;
                # only the first two bytes matter; read a small block
                my $read_chars = read($fh, $file_data, 1024);
                close($fh);
                if (defined($read_chars) && $read_chars >= 2) {
                    if (substr($file_data, 0, 2) eq 'MZ') {
                        md_graphdefang_log('MS_Magic');
                        action_bounce('Microsoft Executables are not accepted here',
                                      '550', '5.7.0');
                        return;
                    }
                }
            }
        }
    }
}


KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown


[Mimedefang] Archive::Zip problem?

2004-03-04 Thread Cormack, Ken
List,

Two days ago, we incorporated the Archive::Zip functionality (along with a
few suggested improvements), to our filter.  That code, is below.

We saw this log entry in today's logs (we haven't looked back yet, to see how
many times this has occurred.)

Mar  4 09:47:19 mail01 mimedefang-multiplexor: Slave 11 stderr: called at
/etc/mail/mimedefang-filter line 527
^Imain::filter('MIME::Entity=HASH(0x97646b8)','Document.zip','.zip','applica
tion/octet-stream') called at /usr/local/bin/mimedefang.pl line 513
^Imain::rebuild_entity('MIME::Entity=HASH(0x91211dc)','MIME::Entity=HASH(0x9
7646b8)') called at /usr/local/bin/mimedefang.pl line 4705
^Imain::do_scan('/var/spool/MIMEDefang/mdefang-i24ElHuN024909') called at
/usr/local/bin/mimedefang.pl line 4322 ^Imain::do_main_loop() called at
/usr/local/bin/mimedefang.pl line 4284 ^Imai

We have Archive::Zip 1.09 from CPAN installed, and its dependencies are
good, as well.  For reference, I've indicated in the code below which line
numbers are which, as referenced in the log messages above.

I've indicated which line below is line 527 in my filter.  Watch out for
line-wrap.

if (lc($ext) =~ /\.zip$/) {
    use Archive::Zip qw(:ERROR_CODES);
    my $path = $entity->bodyhandle->path;
    my $zip = Archive::Zip->new();
    if ($zip->read($path) == AZ_OK) {    # <-- line 527 of mimedefang-filter
        md_syslog('debug', "Scanning zip file, Path=$path");
        my $tfname = Archive::Zip::tempFileName('.');
        my @members = $zip->members();
        foreach my $member (@members) {
            my $file = $member->fileName();
            my $size = $member->uncompressedSize();
            md_syslog('debug', "Scanning zip entry $file, size=$size");
            # Approx. 50MB size limit
            if ($size > 50e6) {
                md_graphdefang_log('Archive member too big ', $file, $RelayAddr);
                action_bounce("Archive member $file too big");
                return;
            }

            if ($member->isEncrypted()) {
                md_syslog('debug', "scanning Encrypted ZIP member $file");
                my ($bad_exts, $re);
                $bad_exts = '(ade|adp|app|asd|asf|asx|b64|bas|bat|bhx|ceo|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hqx|hta|hto|inf|ini|ins|isp|js|jse?|lib|lnk|mim|mp3|msc|msi|msp|mst|ocx|ops|pcd|pif|prf|prg|rar|reg|scf|scr|sct|sh|shb|shs|sys|url|uu|uue|vb|vbe|vbs|vcf|vcs|vxd|wav|wma|wmd|wms|wmz|wsc|wsf|wsh|xxe|\{[^\}]+\})';
                $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
                if (lc($file) =~ $re) {
                    md_graphdefang_log('Encrypted_badfile', $file, $RelayAddr);
                    action_notify_administrator("A file called $file was detected in an encrypted ZIP file attached to an incoming e-mail - quarantined.");
                    action_quarantine_entire_message("An encrypted ZIP attachment containing $file was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nInformation Security to arrange for it to be released.\n");
                    action_discard();
                    return;
                }
                md_syslog('warning', "Encrypted file $file");
            } else {
                $zip->extractMember($member, $tfname);
                md_syslog('debug', "Scanning ZIP entry $file");
                use File::Scan;
                my $scanner = File::Scan->new;
                my $virus = $scanner->scan($tfname);
                unlink($tfname);
                if ($virus) {
                    md_graphdefang_log('virus-zip', $virus, $RelayAddr);
                    action_discard();
                    return;
                }
            }
        }
    }
}

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Phone: (330) 643-6372
Fax: (330) 643-6367
Pager: (800) 946-4646 Pin 1412819

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown


RE: [Mimedefang] Archive::Zip problem?

2004-03-04 Thread Cormack, Ken
> Archive::Zip likes to spew backtraces to STDERR when it's reading a 
> malformed zip file.  Michal Jankowski suggested calling 
> setErrorHandler() with a dummy subroutine to cause these to be ignored: 
>
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020650.html

> Cheers,
> Dave

That'll work, Dave!  Thanks!

Ken


RE: [Mimedefang] Archive::Zip problem?

2004-03-04 Thread Cormack, Ken
Thanks, Michal!  :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michal
Jankowski
Sent: Thursday, March 04, 2004 2:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Archive::Zip problem?


"Cormack, Ken" <[EMAIL PROTECTED]> writes:

> We saw this log entry in today's logs (we haven't looked back yet, to see
how
> many times this has occurred.)
>
> Mar  4 09:47:19 mail01 mimedefang-multiplexor: Slave 11 stderr: called at
> /etc/mail/mimedefang-filter line 527
>
^Imain::filter('MIME::Entity=HASH(0x97646b8)','Document.zip','.zip','applica
> tion/octet-stream') called at /usr/local/bin/mimedefang.pl line 513

> use Archive::Zip qw(:ERROR_CODES);
> my $path = $entity->bodyhandle->path;
> my $zip = Archive::Zip->new();
> 527 if ($zip->read($path) == AZ_OK) {

You are seeing a (garbled for whatever reason) default error
message/trace from Archive::Zip, printed whenever there is an error in
processing .zip file.

Add

Archive::Zip::setErrorHandler(sub {});

before your call to $zip->read

  MJ


RE: [Mimedefang] Block subject

2004-03-08 Thread Cormack, Ken
> What can I do to block a message with a specific subject with
> mimedefang???

I've posted this a few times before.

Blocking emails based on the Subject line can be done by adding the
following LOCAL_RULESET to your sendmail.mc file, and then rebuilding
sendmail.cf.  PLEASE NOTE that there are TABS in the code below.  If you
copy/paste the code below into your sendmail.mc file, BE SURE TO REPLACE any
occurrences of "[TAB]" with a real TAB.

Once the sendmail.cf has been rebuilt (and sendmail restarted), create two
files.  The first file (subjects_full) will contain COMPLETE SUBJECT LINES,
using PERIODS to replace any spaces.  The second file can contain any
KEYWORDS or portions of subject lines (again, replacing any spaces with
periods).

For example, in /etc/mail/subjects_full you might have something like:

Mothers.Day.Order.Confirmation
Dangerous.Virus.Warning
Virus.ALERT!!!
Important!.Read.carefully!!
How.to.protect.yourself.from.the.IL0VEY0U.bug!
I.Cant.Believe.This!!!
Thank.You.For.Flying.With.Arab.Airlines
Variant.Test
Yeah,.Yeah.another.time.to.DEATH...
LOOK!
Bewerbung.Kreolina
Recent.Virus.Attacks-Fix
PresenteUOL
IMPORTANT:.Official.virus.and.bug.fix
NEUE.ANTI-VIRUS-LISTE
BUG.&.VIRUS.FIX
New.Variation.on.LOVEBUG.Update.Anti-Virus!!
Snowhite.and.the.Seven.Dwarfs.-.The.REAL.story
Resume.-.Janet.Simons
US.PRESIDENT.AND.FBI.SECRET
Check.this.out,.it's.funny!
Cool.Notepad.Demo
Moin,.alles.klar?
Hi,.how.are.you?

In /etc/mail/subjects_part you could have something like:

unsecured.gold.mastercard
unsecured.mastercard
unsecured.platinum.card
unsecured.visa
viagra
v.i.a.g.r.a
vi*agra
v1agra
v*1a*gra

These are plain ascii files... NOT database hashes.  And, there is no need
to restart sendmail whenever you add anything to these files.  Changes take
effect immediately.

Have fun!


LOCAL_RULESETS
##
###
###  Email Virus and Anti-SPAM stuff...
###
###  Add exact-match subject lines to /etc/mail/subjects_full
###  Add substrings to match in subject lines to /etc/mail/subjects_part
###  In both files, all spaces MUST be replaced with periods (.)
###
###  Create two files called /etc/mail/subjects_full and
###  /etc/mail/subjects_part.  The former has complete
###  unwanted 'subject' lines, while the latter has only
###  substrings within 'subject' lines.
###
###  As an example, suppose you want to filter out 'viagra'
###  spam.  The following entry in your subjects_part
###  file would do it:
###viagra
###
###  In the case of multi-word entries, all spaces MUST be
###  replaced with periods.  For example:
###herbal.viagra
###
###  These filters are not case-sensitive.
###
##
F{FullSubjects} -o /etc/mail/subjects_full
F{PartSubjects} -o /etc/mail/subjects_part
HSubject:   $>CheckSubject

SCheckSubject
R$={FullSubjects}$*[TAB]$: REJECTSUBJECT
R$* $={PartSubjects} $*[TAB]$: REJECTSUBJECT
R$* REJECTSUBJECT $*[TAB]$#error $: "553 Access Denied - MSG may contain SPAM/WORM/VIRUS/HOAX."

RADV : $*[TAB]$#error $: "553 Delivery blocked; HSubject: indicates unsolicited commercial email."
R ADV : ADLT $*[TAB]$#error $: "553 Delivery blocked; HSubject: indicates unsolicited adult-content email."
RADV $*[TAB]$#error $: "553 Delivery blocked; HSubject: indicates unsolicited commercial email."



KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown


RE: [Mimedefang] Block subject

2004-03-08 Thread Cormack, Ken
Hmmm... You're correct, David.  I just tested with a test-subject line,
sending myself a message with that subject from my yahoo account.  Didn't
bounce until I restarted sendmail.  ::scratching head::  When I had long-ago
noted my observation, it must have been in conjunction with some other mods
I had made, that had required a sendmail restart.  I stand corrected.  :)

(Guess I'll have to look into revising the rules to create hashes.)

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Monday, March 08, 2004 12:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Mimedefang] Block subject 


On Mon, 8 Mar 2004, Cormack, Ken wrote:

> F{FullSubjects} -o /etc/mail/subjects_full
> F{PartSubjects} -o /etc/mail/subjects_part



> These are plain ascii files... NOT database hashes.  And, there is no need
> to restart sendmail whenever you add anything to these files.  Changes
take
> effect immediately.

Are you sure?  I believe Sendmail only reads F directives once, at
startup.

Regards,

David.


RE: [Mimedefang] Block subject

2004-03-08 Thread Cormack, Ken
> > These are plain ascii files... NOT database hashes.  And, there is no
need
> > to restart sendmail whenever you add anything to these files.  Changes
take
> > effect immediately.

> Are you sure?  I believe Sendmail only reads F directives once, at
> startup.

Just figured out the confusion... and we were BOTH correct, David.

Yes, the F directives are read at startup... and... no restart is needed.
One only needs to send a "kill -1" to the PID of the parent sendmail
process.  This forces a re-read of the flat-files, without the need to
restart sendmail.

Ken




RE: [Mimedefang] Block subject

2004-03-08 Thread Cormack, Ken
> :-)
> 
> If you read the source code for Sendmail, you'll see that kill -1
> causes Sendmail to re-exec itself, so it is restarting.

LOL  I guess the devil is in the details.   I'll shut up now.  LOL


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Monday, March 08, 2004 2:18 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Mimedefang] Block subject 


On Mon, 8 Mar 2004, Cormack, Ken wrote:

> Yes, the F directives are read at startup... and... no restart is needed.
> One only needs to send a "kill -1" to the PID of the parent sendmail
> process.  This forces a re-read of the flat-files, without the need to
> restart sendmail.


Regards,

David.


[Mimedefang] Suggested Change for MIMEDefang 2.40

2004-03-09 Thread Cormack, Ken
Just upgraded our DMZ SMTP gateways to MIMEDefang 2.40 yesterday (the
embedded Perl is running great, David!)

But while merging our previous customizations with the new code, I noticed a
minor error in the commandline switches for both HBEDV (Antivir) and Vexira
(Central Command).

Where you have "-allfiles" (single hyphen) the switch should be a
double-hyphen ("--allfiles").  Also, I'd like to suggest the possible use of
"--warnings-as-alerts", as well as checking for the word "WARNING:" in the
output of the scanner.  This may help catch encrypted zips.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown


[Mimedefang] Question about new function in MD 2.40

2004-03-09 Thread Cormack, Ken
Group,

Not being a perl guy (yet), I'm looking through the mimedefang-filter and
mimedefang.pl files, and spotted the recently-added Archive::Zip stuff that
is new to 2.40, and I have a question.

In mimedefang-filter, I see the following, in sub filter_bad_filename:

# Look inside ZIP files
if (re_match($entity, '\.zip$') and
$Features{"Archive::Zip"}) {
my $bh = $entity->bodyhandle();
if (defined($bh)) {
my $path = $bh->path();
if (defined($path)) {
return re_match_in_zip_directory($path, $re);
}
}
}

I found the "re_match_in_zip_directory" function in mimedefang.pl, and I'm
wondering if I'm reading the code correctly.  Is the net result of these
changes to simply reject any zip-member file contained within a zip, simply
based on the filename extension of that member file?

I know there was discussion a week or so ago, and in fact, I incorporated
what appears to be a super-set of this stuff into my own filter last week
(specifically, to detect zips containing huge files, and zips that were
encrypted.)

Is my understanding of the new code above, correct?

Thanks, gents, in advance, for helping me grok this stuff.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown
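The checks discussed in the three posts above (identifying an attachment by its first bytes rather than its name, walking a ZIP's directory for member names, sizes and the encrypted flag, and matching member names against a bad-extension list), as one added example. It is Python rather than the filter's Perl, and it is not code from mimedefang-filter, MIMEDefang or Archive::Zip; the ZIP central directory is parsed by hand so the structure being checked is visible. The archives it inspects are constructed inline as test data; the 50 MB limit, the verdict words and the shortened extension list are assumptions for the example.

```python
"""Added example (not MIMEDefang code): magic-byte sniffing plus a
directory-only ZIP inspection of the kind the posts above describe."""
import io
import re
import struct
import zipfile
import zlib

# Short subset of the extension list posted above; the real filter's is longer.
BAD_EXTS = re.compile(r'\.(exe|scr|pif|bat|cmd|com|vbs|js|jse|wsf|hta|cpl|dll)$', re.I)

LOCAL_SIG, CDIR_SIG, EOCD_SIG = b'PK\x03\x04', b'PK\x01\x02', b'PK\x05\x06'


def sniff_magic(data: bytes) -> str:
    """Classify by leading bytes: 'MZ' is a DOS/Windows executable, 'PK..' a ZIP."""
    if data[:2] == b'MZ':
        return 'ms-executable'
    if data[:4] in (LOCAL_SIG, EOCD_SIG, b'PK\x07\x08'):
        return 'zip'
    return 'other'


def zip_directory(data: bytes):
    """Yield (name, encrypted, uncompressed_size) for every central-directory entry.

    Raises ValueError on a malformed archive; the caller must treat that as a
    reject/quarantine condition, never as 'clean'."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError('no end-of-central-directory record')
    # EOCD body: disk(2) cd_disk(2) n_this(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, n_total, cd_size, cd_off, _ = struct.unpack_from('<HHHHIIH', data, eocd + 4)
    pos = cd_off
    for _ in range(n_total):
        if data[pos:pos + 4] != CDIR_SIG or pos + 46 > len(data):
            raise ValueError('corrupt central directory')
        flags = struct.unpack_from('<H', data, pos + 8)[0]        # general-purpose bits
        usize = struct.unpack_from('<I', data, pos + 24)[0]       # uncompressed size
        nlen, xlen, clen = struct.unpack_from('<HHH', data, pos + 28)
        raw_name = data[pos + 46:pos + 46 + nlen]
        # bit 11 marks UTF-8 names; otherwise the ZIP spec says CP437
        name = raw_name.decode('utf-8' if flags & 0x800 else 'cp437', 'replace')
        yield name, bool(flags & 1), usize                        # bit 0 = encrypted
        pos += 46 + nlen + xlen + clen


def check_attachment(data: bytes, size_limit: int = 50_000_000):
    """Return (action, reason): 'bounce', 'quarantine' or 'ok', as the filter does."""
    kind = sniff_magic(data)
    if kind == 'ms-executable':
        return 'bounce', 'Microsoft executable by magic'
    if kind != 'zip':
        return 'ok', kind
    try:
        members = list(zip_directory(data))
    except ValueError as err:
        return 'quarantine', f'unparseable zip: {err}'
    for name, encrypted, usize in members:
        if usize > size_limit:
            return 'bounce', f'member {name} too big'
        if BAD_EXTS.search(name):
            tag = 'encrypted ' if encrypted else ''
            return 'quarantine', f'{tag}zip member {name} has a blocked extension'
    return 'ok', 'zip'


def build_zip(members):
    """Build a STORED archive in memory from [(name, bytes, encrypted_flag)].

    Constructed test data only: 'encrypted' just sets flag bit 0, there is no
    real encryption, which is all a directory-only check ever sees anyway."""
    body, cdir = bytearray(), bytearray()
    for name, payload, enc in members:
        nb, flags, crc = name.encode('cp437'), (1 if enc else 0), zlib.crc32(payload)
        off = len(body)
        body += LOCAL_SIG + struct.pack('<HHHHHIIIHH', 20, flags, 0, 0, 0, crc,
                                        len(payload), len(payload), len(nb), 0) + nb + payload
        cdir += CDIR_SIG + struct.pack('<HHHHHHIIIHHHHHII', 20, 20, flags, 0, 0, 0, crc,
                                       len(payload), len(payload), len(nb), 0, 0, 0, 0, 0, off) + nb
    eocd = EOCD_SIG + struct.pack('<HHHHIIH', 0, 0, len(members), len(members),
                                  len(cdir), len(body), 0)
    return bytes(body + cdir + eocd)


def stdlib_names(data: bytes):
    """Cross-check: the standard library must read the same member names."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


# Constructed samples: a clean archive, one hiding a flagged .exe, and an MZ stub.
CLEAN_ZIP = build_zip([('report.txt', b'quarterly numbers\n', False)])
BAD_ZIP = build_zip([('report.txt', b'quarterly numbers\n', False),
                     ('Document.exe', b'MZ' + b'\x00' * 62, True)])
EXE_STUB = b'MZ\x90\x00' + b'\x00' * 60

if __name__ == '__main__':
    for label, blob in (('clean.zip', CLEAN_ZIP), ('bad.zip', BAD_ZIP), ('setup.dat', EXE_STUB)):
        print(label, check_attachment(blob))
```

Because the names, sizes and encryption bit all live in the central directory, this check needs no decryption and no extraction, which is why a name-based rule can still fire on an encrypted archive; an archive the parser cannot walk is deliberately treated as suspect rather than clean.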


[Mimedefang] Reporting Encrypted-ZIP-files w/ vexira

2004-03-11 Thread Cormack, Ken
Group,

I'd like to have encrypted zip files logged as such, rather than have them
logged as "unknown-Vexira-virus".

In my mimedefang.pl, I use the following commandline parameters for Vexira.

--allfiles --alltypes --warnings-as-alerts -z -rs

Running that commandline against my test zip, I use the following:
vexira --allfiles --alltypes --warnings-as-alerts -z -rs
testfile.zip

This generates the output below.  I'd like to be able to key on the words
"contents encrypted" and report the file as "Encrypted-ZIP-file", rather
than "unknown-Vexira-virus".  The change would need to go in sub
interpret_vexira_code ($), but I'm not sure of the syntax needed.  My
attempt, shown commented below, doesn't work.  Any ideas?

sub interpret_vexira_code ($) {
    # Based on info from Nels Lindquist
    # Based on code from H+BEDV AntiVir
    my($code) = @_;

    # OK
    return ($code, 'ok', 'ok') if ($code == 0);

    # Virus or virus in memory
    if ($code == 1 or $code == 2) {
        $VirusName = $1 if ($CurrentVirusScannerMessage =~ m/ALERT: \[(\S+)/ or
                            $CurrentVirusScannerMessage =~ /!Virus! \S+ (\S+)/ or
                            $CurrentVirusScannerMessage =~ m/VIRUS: file contains code of the virus '(\S+)'/);
#       $VirusName = "Encrypted-ZIP-file" if ($$CurrentVirusScannerMessage =~ m/contents encrypted/);
        $VirusName = "unknown-Vexira-virus" if $VirusName eq "";
        return ($code, 'virus', 'quarantine');
    }

    # All other codes should not happen
    return ($code, 'swerr', 'tempfail');
}

Here's the output from Vexira, that I'm trying to key off of.

Vexira Antivirus / Linux Version 2.2.0-9
Copyright (C) 2002-2004 Central Command, Inc. and/or its suppliers.
Portions copyright (C) 1996-2004 H+BEDV Datentechnik GmbH.
All rights reserved.

Loading /usr/lib/Vexira/vexira.vdf ...

VDF version: 6.24.0.51 created 11 Mar 2004

Vexira Antivirus license: 200300 for ACS, Inc. Procurement Division PO 8442805

WARNING: testfile.zip archive not completely scanned: contents encrypted

- scan results -
 directories:        0
       files:        1
      alerts:        0
    warnings:        1
   scan time: 00:00:01

Thank you for using Vexira Antivirus!

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Reporting Encrypted-ZIP-files w/ vexira

2004-03-11 Thread Cormack, Ken
Doh!

Geez... and I stared and stared at it...  ::stupid_mode=ON::

Thanks, David!  LOL


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Thursday, March 11, 2004 12:57 PM
To: '[EMAIL PROTECTED]'
Subject: Re: [Mimedefang] Reporting Encrypted-ZIP-files w/ vexira


On Thu, 11 Mar 2004, Cormack, Ken wrote:

> #   $VirusName = "Encrypted-ZIP-file" if ($$CurrentVirusScannerMessage

Looks like one too many "$" signs there...  ^^

Regards,

David
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Authentication warnings and "cannot write" errors

2004-03-11 Thread Cormack, Ken
Dear group,

Poking through my maillog, I'm seeing log entries that appear below.  As I
read mimedefang.pl, there are a few places where it looks like MIMEDefang is
originating new messages, and sending them, addressed from the defang user,
using the "-f" switch for sendmail.

In which case, it is failing to write the message to my /var/spool/mqueue
directory, which has the following perms:
drwxr-xr-x    2 root     mail       299008 Mar 11 16:20 mqueue

Should I make the "defang" user a member of group "mail", and open up write
privileges to the group, on the mqueue directory?

Thanks for any advice.

Ken

Mar 11 15:47:37 mail01 sendmail[31463]: i2BKlb11031463:
Authentication-Warning: mail01.roadway.com: defang set sender to
[EMAIL PROTECTED] using -f
Mar 11 15:47:37 mail01 sendmail[31463]: i2BKlb11031463: SYSERR(defang):
collect: Cannot write ./dfi2BKlb11031463 (bfcommit, uid=515, gid=510):
Permission denied
Mar 11 15:47:37 mail01 sendmail[31463]: i2BKlb11031463:
[EMAIL PROTECTED], size=319, class=0, nrcpts=1, [EMAIL PROTECTED]
Mar 11 15:47:36 mail01 mimedefang-multiplexor: Slave 6 stderr: collect:
Cannot write ./dfi2BKlb11031463 (bfcommit, uid=515, gid=510): Permission
denied 
Mar 11 15:47:37 mail01 sendmail[31463]: i2BKlb11031463:   0: fl=0x0,
mode=10600: FIFO: dev=0/5, ino=53234656, nlink=1, u/gid=515/515, size=0
Mar 11 15:47:37 mail01 sendmail[31463]: i2BKlb11031463:   1: fl=0x1,
mode=10600: FIFO: dev=0/5, ino=53171457, nlink=1, u/gid=515/515, size=0
Mar 11 15:47:37 mail01 sendmail[31463]: i2BKlb11031463:   2: fl=0x1,
mode=10600: FIFO: dev=0/5, ino=53171457, nlink=1, u/gid=515/515, size=0
Mar 11 15:47:37 mail01 sendmail[31463]: i2BKlb11031463:   3: fl=0x2,
mode=140777: SOCK localhost->[[UNIX: /dev/log]]
Mar 11 15:47:37 mail01 sendmail[31463]: i2BKlb11031463:   4: fl=0x1,
mode=20666: CHR: dev=72/11, ino=30115, nlink=1, u/gid=0/0, size=0
Mar 11 15:47:37 mail01 sendmail[31463]: i2BKlb11031463: SYSERR(defang):
queueup: cannot create queue file ./qfi2BKlb11031463, euid=515: Permission
denied
Mar 11 15:47:36 mail01 mimedefang-multiplexor: Slave 6 stderr: queueup:
cannot create queue file ./qfi2BKlb11031463, euid=515: Permission denied 
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Authentication warnings and "cannot write" error s

2004-03-12 Thread Cormack, Ken
Alan,

Thanks for reminding me that the local submission queue is clientmqueue, and
not mqueue.
Its "native" perms were:

drwxrwx---    2 smmsp    smmsp        4096 Oct  3 12:09 clientmqueue

I've made "defang" a member of group smmsp.  I'll monitor, to see if that
clears the problem.


KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of alan
premselaar
Sent: Thursday, March 11, 2004 6:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Authentication warnings and "cannot write" errors


On 3/12/04 6:23 AM, "Cormack, Ken" <[EMAIL PROTECTED]> wrote:

> Dear group,
> 
> Poking through my maillog, I'm seeing log entries that appear below.  As I
> read mimedefang.pl, there are a few places where it looks like MIMEDefang is
> originating new messages, and sending them, addressed from the defang user,
> using the "-f" switch for sendmail.
> 
> In which case, it is failing to write the message to my /var/spool/mqueue
> directory, which has the following perms:
> drwxr-xr-x    2 root     mail       299008 Mar 11 16:20 mqueue
> 
> Should I make the "defang" user a member of group "mail", and open up write
> privileges to the group, on the mqueue directory?
> 
> Thanks for any advice.
> 
> Ken
> 
...snip...

Ken,

  The notifications generated by MIMEDefang should be going thru your
submission queue runner, and thus using /var/spool/clientmqueue.

You should confirm the existence of that directory and the permissions and
make sure you have a submission queue running.  I think the default is 1 hour
and I set mine for 5 minutes.  (On Red Hat, this is configurable in
/etc/sysconfig/sendmail.)

Anyways, I'd guess it's SOMEthing related to the /var/spool/clientmqueue
directory.

HTH

alan

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

RE: [Mimedefang] Authentication warnings and "cannot write" error s

2004-03-12 Thread Cormack, Ken
I'm now confused.  I just looked at my sendmail binary, and it is SETGID to
smmsp.  So theoretically, any process calling sendmail should behave as
though it were already group smmsp when it tries to write to the
clientmqueue directory.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kevin A.
McGrail
Sent: Friday, March 12, 2004 8:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Authentication warnings and "cannot write" errors


> Thanks for reminding me that the local submission queue is clientmqueue,
> and not mqueue.
> Its "native" perms were:
>
> drwxrwx---    2 smmsp    smmsp        4096 Oct  3 12:09 clientmqueue
>
> I've made "defang" a member of group smmsp.  I'll monitor, to see if that
> clears the problem.

I've never had to do this but I might not have seen the issue.  DFS, any
input if this should be a necessary step for all installations?

Regards,
KAM

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

RE: [Mimedefang] Authentication warnings and "cannot write" error s

2004-03-12 Thread Cormack, Ken
Paul -

Your response makes the most sense.  I've added defang as a trusted user,
restored group membership back to the way it was for user "defang", double
checked the queue dirs, and reread sendmail.cf with a "killall -1 sendmail".

I'll monitor this and see what happens.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul
Whittney
Sent: Friday, March 12, 2004 9:33 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Authentication warnings and "cannot write"
errors


I think this is where the sendmail trusted users comes in.
May also depend on the logging options of your sendmail setup 

I've not tested this yet (but I'm getting there)...

In the .mc file for your site add:
FEATURE(`use_ct_file')dnl  # trusted-users
(It may be in as default...)

Should result in the .cf containing:
Ft/etc/mail/trusted-users

Also, there should be lines:
Troot
Tdaemon

Then add the user that mimedefang is running as to /etc/mail/trusted-users
restart sendmail (or killall -HUP sendmail)

Anyone see any issues with this? Is this better than giving mimedefang any
additional privileges?

-Paul Whittney

On Fri, Mar 12, 2004 at 08:48:19AM -0500, Kevin A. McGrail wrote:
> > Thanks for reminding me that the local submission queue is clientmqueue,
> and
> > not mqueue.
> > It's "native" perms were:
> >
> > drwxrwx---2 smmspsmmsp4096 Oct  3 12:09 clientmqueue
> >
> > I've made "defang" a member of group smmsp.  I'll monitor, to see if
that
> > clears the problem.
> 
> I've never had to do this but I might not have seen the issue.  DFS, any
> input if this should be a necessary step for all installations?
> 
> Regards,
> KAM
> 
> ___
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> [EMAIL PROTECTED]
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] MIMEDefang 2.41 is released

2004-03-16 Thread Cormack, Ken

>   (entity_contains_virus_hbedv): Replace -allfiles with correct
>   --allfiles (Ken Cormack)

David,

Did you also make the same change for Vexira?

Ken
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] ramdisks on Linux

2004-03-16 Thread Cormack, Ken
> It's become obvious that using ramdisks with MIMEDefang is very 
> important.  This might be a strange/silly question, but if I wanted to 
> use a ramdisk for both the sendmail mqueue and the MIMEDefang work 
> directory, would it be better to use two smaller, or one large ramdisk? 

Be careful!  You do NOT want to put the mqueue directory on a RAMdisk.  If
you should experience a power outage, you would lose everything in the
queue.

Be careful of what you consider putting on a RAMdisk.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] MIMEDefang crashing regularly

2004-03-17 Thread Cormack, Ken
Very quickly, run a "mailstats" command.  Assuming you have
statistics-keeping configured into your sendmail, and the statistics file
actually exists, you should be able to see output that (among other things)
will show you exactly what kind of traffic you process.  If you truncate the
statistics file nightly (truncate, not delete), then you can get daily
totals every day.

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Aaron
Paetznick
Sent: Wednesday, March 17, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] MIMEDefang crashing regularly



I have to use these settings as my volume is just that high.  I don't 
know how many emails it processes per day as I haven't installed a stats 
package yet, but it's a dual Xeon with 4GB RAM, and it's pretty much 
consumed.  It handles mail for some 10,000 mailboxes.


--Aaron



Kevin A. McGrail wrote:
> 77 slaves?  How much memory do you have on this machine?
> 
> I'd estimate a guess on the order of 3GB minimum needed to make this work,
> maybe more.
> 
> I think you need to look at lowering your sendmail processes and your
> mimedefang mins/max to much more reasonable levels.
> 
> How many emails are you doing per day approximately and how much RAM do
you
> have in this box?
> 
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] MIMEDefang crashing regularly

2004-03-17 Thread Cormack, Ken
Aaron,

This is exactly the type of output I was hoping to see.  Now, since you were
perhaps unaware of the existence of "mailstats", I will assume that these
numbers are a running total since "day 1".

What you need to do, in order to see your daily average mail flow, is find
the statistics file, and then truncate it.  You can find it this way:

# grep statistics sendmail.cf
O StatusFile=/etc/mail/statistics

Next, truncate the file to reset the counters to zero:

# cd /etc/mail
> statistics

Finally, run mailstats again, in 24 hours.  That will show you the traffic
flow since the last time the statistics file was truncated.

Set up a cron task to nightly run the mailstats command and email you the
output.  Immediately after the crontask emails the output, have the cron
task truncate the file.  Do this every day for a week and then average the
numbers.  You'll then be able to accurately determine exactly what your mail
volume is (both the number of messages, and the total size of those
messages).  In other words, you'll know if you're seeing one million
messages 100-bytes each, or one hundred messages 1,000,000-bytes each.
You'll be able to calculate average message size, and so on.

With that understanding, you'll then have the information you need to
properly scale and tune your box.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Aaron
Paetznick
Sent: Wednesday, March 17, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] MIMEDefang crashing regularly



Does this help?


[EMAIL PROTECTED] root]# mailstats
Statistics from Tue Mar  2 05:32:10 2004
  M   msgsfr  bytes_from   msgsto   bytes_to  msgsrej msgsdis  Mailer
  1        0          0K   175508    777613K        0       0  *file*
  3   518588   13242775K  1027762  19261080K    19576   18788  cyrusv2
  6  4054979   33506488K   236854  10013590K   109432 2968311  esmtp
=============================================================
  T  4573567   46749263K  1440124  30052283K   129008 2987099
  C  3906342             1908910              3116107


--Aaron



Cormack, Ken wrote:
> Very quickly, run a "mailstats" command.  Assuming you have
> statistics-keeping configured into your sendmail, and the statistics file
> actually exists, you should be able to see output that (among other
> things) will show you exactly what kind of traffic you process.  If you
> truncate the statistics file nightly (truncate, not delete), then you can
> get daily totals every day.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
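The averaging Ken describes, as an added example that is not part of the thread: a Perl script that parses the output of sendmail's mailstats and turns the raw counters into per-mailer message counts and average sizes. The sample text is Aaron's report, re-aligned; the column meanings follow mailstats(8) (msgsfr/bytes_from are messages received via that mailer, msgsto/bytes_to messages sent, byte columns in kilobytes), and the C line is taken to be connections from/to/rejected.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: parse mailstats output into
# per-mailer totals and average message sizes.  The sample is the report
# posted in the thread; column meanings follow mailstats(8).
use strict;
use warnings;

my $sample = <<'END';
Statistics from Tue Mar  2 05:32:10 2004
  M   msgsfr  bytes_from   msgsto   bytes_to  msgsrej msgsdis  Mailer
  1        0          0K   175508    777613K        0       0  *file*
  3   518588   13242775K  1027762  19261080K    19576   18788  cyrusv2
  6  4054979   33506488K   236854  10013590K   109432 2968311  esmtp
=============================================================
  T  4573567   46749263K  1440124  30052283K   129008 2987099
  C  3906342             1908910              3116107
END

# Returns { mailers => { name => row }, total => row, connections => {...} };
# each row carries the six counters (bytes converted from K) plus
# avg_in/avg_out in bytes per message.
sub parse_mailstats {
    my ($text) = @_;
    my %r = (mailers => {});
    for my $line (split /\n/, $text) {
        my @f = split ' ', $line;
        next unless @f && $f[0] =~ /^(?:\d+|T|C)$/;   # skip header/banner/ruler
        if ($f[0] eq 'C') {
            @{ $r{connections} }{qw(from to rejected)} = @f[1 .. 3];
            next;
        }
        my %row;
        @row{qw(msgsfr bytes_from msgsto bytes_to msgsrej msgsdis)} = @f[1 .. 6];
        for (qw(bytes_from bytes_to)) {
            $row{$_} =~ s/K$//;
            $row{$_} *= 1024;                      # kilobytes to bytes
        }
        $row{avg_in}  = $row{msgsfr} ? $row{bytes_from} / $row{msgsfr} : 0;
        $row{avg_out} = $row{msgsto} ? $row{bytes_to}   / $row{msgsto} : 0;
        if ($f[0] eq 'T') { $r{total} = \%row }
        else              { $r{mailers}{ $f[7] } = \%row }
    }
    return \%r;
}

my $stats = parse_mailstats($sample);
for my $name (sort keys %{ $stats->{mailers} }) {
    my $m = $stats->{mailers}{$name};
    printf "%-8s in: %8d msgs avg %6.1f KB   out: %8d msgs avg %6.1f KB\n",
        $name, $m->{msgsfr}, $m->{avg_in} / 1024, $m->{msgsto}, $m->{avg_out} / 1024;
}
my $t = $stats->{total};
printf "%-8s in: %8d msgs avg %6.1f KB   rejected: %d   discarded: %d\n",
    'TOTAL', $t->{msgsfr}, $t->{avg_in} / 1024, $t->{msgsrej}, $t->{msgsdis};
printf "connections from: %d   to: %d   rejected: %d\n",
    @{ $stats->{connections} }{qw(from to rejected)};
```

Run nightly from cron with `mailstats | perl this_script.pl`, then truncate the statistics file (`: > /etc/mail/statistics`, not rm: sendmail does not recreate a missing file) and the averages become per-day figures. The inbound average from the T line is what the scanner actually sees and is the number to feed into any spool or RAM-disk sizing.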


RE: [Mimedefang] Block mail by subject

2004-03-24 Thread Cormack, Ken
> I wouldnt recommend blocking on all of the known virus email subjects. 
> Many of them could be legitimately used.  My director (Boss 3x removed) 
> had emails blocked by a filter based strictly on the subject.  He was not 
> a happy camper.


Would he be happier with a virus?  It sounds to me like he would be.  So I'd
code an exception based on him the sender, and him the recipient, to not do
any filtering whatsoever.  Let his box fill with spam, and let him be the
source of all virus propagation within the organization.


___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Block mail by subject

2004-03-24 Thread Cormack, Ken
> Sarcasm noted.

Thanks for realizing that.  :)

> Finally we got a tech at the other end to admit they were blocking
> the subject "For your review" because one of the viruses was using
> that as a subject.

So you took heat because of an action/decision/policy on the receiving end?
Someone (the offended "higher-up") owes you an apology.

I've posted my own solution to blocking subject-lines before, a couple of
times, on this list.  It implements subject line keyword blocks,
complete-match blocks, and sends a 5.X.X rejection notice.  Search the list
archives for references to the CheckSubject rule for sendmail that I use.  I
currently match on 39 complete subjects, and 1270 subject keywords
(including mutations).  And given greylisting and other header checks
performed by sendmail and MIMEDefang on my systems, it still catches over
350 messages per day.  Before adding greylisting to our defenses, this was
honestly THE single most effective rule in our arsenal, formerly catching
several thousand spams per day.  We had ONE instance about a year ago where
a systemically-generated report created on a UNIX system in-house just
happened to try using a subject-line that we blocked.  A phone call to the
programmer describing the issue was all it took.  The developer re-worded
the subject just enough to miss the filter, and there have been no further
reports of false positives.  Just be careful (as always) with what you put
in the bad subject block lists.

Ken

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] SMTP Pipelining, and GREYLISTING

2004-03-25 Thread Cormack, Ken
All -
 
Please read the thread below.  If you implement greylisting with MIMEDefang,
you MIGHT want to disable sendmail's support for PIPELINING.  (See RFC 2920:
SMTP Service Extension for Command Pipelining)
 
You can check your sendmail to see if it currently supports pipelining, as
follows:
 
sendmail -d0.1 -bt < /dev/null
 
If you see PIPELINING in the "Compiled with" options, then pipelining
support is active.  To disable support for pipelining (which is enabled by
default if you compile the sendmail source tar-ball), you need to add the
following statement to your devtools/Site/site.config.m4 and recompile
sendmail.
 
APPENDDEF(`conf_sendmail_ENVDEF', `-DPIPELINING=0')
 
Ken
-Original Message-
From: Cormack, Ken 
Sent: Wednesday, March 24, 2004 4:14 PM
To: '[EMAIL PROTECTED]'
Cc: 'System Administrator (Roadway)'; Charlton, Dane; Tyler Hudak (E-mail)
Subject: Pipelining SMTP - was RE: test

Eric,

I have checked our SMTP engine's HELO response, and have confirmed that the
sendmail engine was, in fact, configured to support pipelining, as follows:
 
> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail01.roadway.com ESMTP - This system checks to see who you really are
ehlo localhost
250-mail01.roadway.com Hello mail01.roadway.com [127.0.0.1], pleased to meet
you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 5000
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
 
The problem was that the "451 4.3.0 Tempfailed:" came from a milter/plugin
in use on our end which implements greylisting (and which does not consider
the possible use of pipelining in the sendmail engine itself.)
 
Rather than disabling the greylist, which has proven itself to be a valuable
defense against spammers, I have disabled our sendmail's support for the
PIPELINING command.  Our sendmail will no longer announce support for
pipelining...
 
I appreciate that you took the time to research the problem, and for
reporting it to us.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310


-Original Message-
From: Eric Toll 
Sent: Wednesday, March 24, 2004 2:21 PM
To: System Administrator 
Subject: RE: test
 

Perhaps you should look at PIPELINING RFC. With ESMTP command pipelining,
the client sends the DATA command BEFORE the server has replied to all the
RCPT TO requests.
 
My system is RFC Compliant, looks like your (Sendmail) is doing a validation
of users before accepting?
 
Regards,
Eric
 
 
Eric Toll, CNE 
Director of Computer Services 
VIP Structures, Inc. 
One Websters Landing
Syracuse, NY 13206
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] SMTP Pipelining, and GREYLISTING

2004-03-26 Thread Cormack, Ken
Steffen,

As I understand the greylisting implementation suggested by a member of this
list (and further explained by David S.), per the RFCs (821 and 2821) that
preceded pipelining, the client SMTP host is supposed to check that AT LEAST
ONE "RCPT TO:" succeeded, BEFORE issuing the DATA command.

Greylisting (as it's implemented here) will tempfail a message as soon as
it receives a recipient to be greylisted.  At that point, a good client will
NOT blindly ignore the 4.X.X and continue on, sending the DATA command.

"Bad" clients that ignore this 4.X.X, and continue on to send the DATA
command, are then given a 5.X.X permanent failure code.

With pipelining as I understand it, it is entirely possible for the sending
client SMTP host to "batch up" commands, and send them in a burst.  If that
pipelined "batch" includes "EHLO..., MAIL FROM:, RCPT TO:, and DATA", then
when greylisting steps in at the RCPT TO, sends a temp fail, and finds that
the sending client has "apparently ignored the 4.X.X error" and has already
sent the DATA command, then the greylisting server will FAIL the message.

Disabling support for pipelining at the server SMTP host will allow the
conversation to react more properly to a greylisting tempfail, at the cost
of a couple extra packets.

As for the paragraph you reference from RFC 2920: just as there are mailers
that only partially implement, incorrectly implement, or choose to ignore
portions of RFC 821/2821, I suspect there are pipeline-capable hosts that
only partially implement, incorrectly implement, or partially ignore RFC
2920.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steffen
Kaiser
Sent: Friday, March 26, 2004 8:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] SMTP Pipelining, and GREYLISTING


On Thu, 25 Mar 2004, Cormack, Ken wrote:

Hello Ken,

please forgive my ignorance, but what problem is this thread about
actually? And why is pipelining a problem with greylisting only?
This kicks in whenever the server (temp-) fails a recipient, but accepts
the SMTP dialogue in advance (aka pipelining).

What do I miss?

Actually, if you read the SMTP RFC, the client may always send the whole
message to your server, regardless of whether or not it received a negative
response; it's the duty of the server to act as a bitbucket in this case.

However, does this paragraph of RFC 2920:
  "Client SMTP implementations that employ pipelining MUST check ALL
   statuses associated with each command in a group. For example, if
   none of the RCPT TO recipient addresses were accepted the client must
   then check the response to the DATA command -- the client cannot
   assume that the DATA command will be rejected just because none of
   the RCPT TO commands worked.  If the DATA command was properly
   rejected the client SMTP can just issue RSET, but if the DATA command
   was accepted the client SMTP should send a single dot."

imply that the client has to wait for the response of DATA?

Bye,

-- 
Steffen Kaiser
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
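The exchange described in this thread, as an added example that is not part of the original posts and not the code of sendmail or of any greylist milter: a lockstep model in Perl of both sides of the dialogue. The "server" answers like sendmail with a greylisting milter in front of it: the first RCPT TO for an unseen (ip, sender, recipient) triplet gets a 451, and, as Ken describes his milter, a DATA command that arrives after that 451 is answered with a 5xx. The client sends MAIL/RCPT/DATA as one group only if the EHLO reply advertised PIPELINING. Host names, addresses, reply texts and the 550 wording are assumptions chosen for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread, from sendmail or from any greylist
# milter: a model of how PIPELINING turns a greylist tempfail into a 5xx.
use strict;
use warnings;

# Reply to a single command.  $srv->{pipelining} decides whether EHLO
# advertises PIPELINING; $srv->{punish_data} enables the milter heuristic.
sub server_reply {
    my ($srv, $cmd) = @_;
    if (my ($peer) = $cmd =~ /^EHLO\s+(\S+)/i) {
        @$srv{qw(from rcpt_ok tempfailed)} = ('', 0, 0);
        my @ext = qw(ENHANCEDSTATUSCODES 8BITMIME SIZE DSN);
        push @ext, 'PIPELINING' if $srv->{pipelining};
        my $last = pop @ext;
        return join "\n", "250-mx.example.test Hello $peer",
                          (map { "250-$_" } @ext), "250 $last";
    }
    if (my ($from) = $cmd =~ /^MAIL FROM:\s*<([^>]*)>/i) {
        $srv->{from} = $from;
        return '250 2.1.0 Sender ok';
    }
    if (my ($rcpt) = $cmd =~ /^RCPT TO:\s*<([^>]*)>/i) {
        my $triplet = join '|', $srv->{ip}, $srv->{from}, $rcpt;
        unless ($srv->{seen}{$triplet}++) {       # first sight: greylist it
            $srv->{tempfailed} = 1;
            return '451 4.7.1 Greylisted, please try again later';
        }
        $srv->{rcpt_ok}++;
        return '250 2.1.5 Recipient ok';
    }
    if ($cmd =~ /^DATA$/i) {
        return '354 Enter mail, end with "." on a line by itself'
            if $srv->{rcpt_ok};
        # Stock sendmail: no valid recipient yet, so DATA is merely out of
        # sequence and the client is expected to RSET and retry later.
        return '503 5.0.0 Need RCPT (recipient)'
            unless $srv->{tempfailed} && $srv->{punish_data};
        # The heuristic from the thread: a DATA after the 451 is taken as a
        # client that ignores tempfails, so it gets a permanent failure.
        return '550 5.7.1 DATA after temporary failure; tempfail was ignored';
    }
    return '250 2.0.0 Reset state' if $cmd =~ /^RSET$/i;
    return '221 2.0.0 Bye'         if $cmd =~ /^QUIT$/i;
    return '500 5.5.1 Command unrecognized';
}

# A client that honours the EHLO reply: lockstep unless PIPELINING was
# offered, in which case MAIL, RCPT and DATA go out as one group before any
# reply is read (RFC 2920 section 3.1 permits this when the group ends with
# DATA or QUIT).  Returns [command, reply] pairs.
sub run_client {
    my ($srv) = @_;
    my $ehlo = server_reply($srv, 'EHLO client.example.test');
    my @t = ([ 'EHLO client.example.test', $ehlo ]);
    my @group = ('MAIL FROM:<eric@example.test>',
                 'RCPT TO:<ken@example.test>', 'DATA');
    if ($ehlo =~ /^250[- ]PIPELINING$/m) {
        my @replies = map { server_reply($srv, $_) } @group;   # burst, then read
        push @t, map { [ $group[$_], $replies[$_] ] } 0 .. $#group;
    } else {
        for my $cmd (@group) {
            my $reply = server_reply($srv, $cmd);
            push @t, [ $cmd, $reply ];
            last if $reply !~ /^[23]/;   # stop at the first 4xx/5xx
        }
    }
    push @t, [ 'QUIT', server_reply($srv, 'QUIT') ];
    return \@t;
}

# The reply a naive client bases its verdict on: DATA's if DATA was sent,
# otherwise the reply that stopped the lockstep dialogue.
sub verdict {
    my ($t) = @_;
    my @data = grep { $_->[0] eq 'DATA' } @$t;
    return $data[0][1] if @data;
    my @bad = grep { $_->[1] !~ /^[23]/ } @$t;
    return @bad ? $bad[0][1] : $t->[-1][1];
}

for my $case ([ 'PIPELINING advertised', 1 ], [ 'PIPELINING disabled', 0 ]) {
    my ($label, $pipe) = @$case;
    my $srv = { ip => '192.0.2.10', pipelining => $pipe, punish_data => 1, seen => {} };
    my $t = run_client($srv);
    print "== $label ==\n";
    print "C: $_->[0]\nS: $_->[1]\n" for @$t;
    print "verdict: ", verdict($t), "\n\n";
}
```

With PIPELINING advertised the client has already put DATA on the wire when the 451 for RCPT comes back, so the milter's heuristic answers the DATA with a 550; with PIPELINING off the dialogue stops at the 451 and the message is retried later, which is what greylisting wants. Whether a pipelining client then bounces the mail depends on whether it follows the RFC 2920 paragraph Steffen quotes (check the status of every command in the group, in which case the 451 on RCPT governs) or only looks at the reply to DATA. Dropping PIPELINING from the EHLO reply removes the second path; fixing the milter to answer 503 or 451 to that DATA, as stock sendmail would, removes it for pipelining clients too.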


[Mimedefang] Getting "Error from multiplexor: ERR No response from slave"

2004-03-26 Thread Cormack, Ken
Group,

I am looking to see if I can replicate the content-filtering functionality
of eManager, which we currently use on our internal Exchange servers, via
custom SpamAssassin rules.

Porting the "forbidden strings" from eManager into SA "rawbody" rules, I
have thus added 7100 new rules to SpamAssassin.  Having SUCH a HUGE number
of rules, I am now seeing the following in my logs (where I had never
previously seen such errors before), and would like to ask the group if this
looks like some sort of timeout (due to extra time needed to process so many
rules), and which timeout values might be re-tuned to compensate.  Or am I
just insane for thinking SA can handle that number of rules.

Here's the error I'm seeing...

Mar 26 10:49:07 mail01 mimedefang[6968]: Error from multiplexor: ERR No
response from slave

Thanks, in advance, for any feedback.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Getting "Error from multiplexor: ERR No response from slave"

2004-03-29 Thread Cormack, Ken
> Do all these rules have pretty much the same value?
> Can they be combined into single rules that match on multiple strings?
> Just quadruple your timeouts and see if it can handle all those rules.

Lucas,

The script produces discrete rawbody rules for each line of text in the
input file.  As for point-value, I am originally setting everything to a
point value of zero.  My intent was to observe the performance impact of
such a huge set of rules, without (yet) letting the rules otherwise
influence the message in any way.  Once we knew how "expensive" the rules
were, the intent was to score them high enough to reject the message (since
that's what they do on the Exchange boxes internal to my organization).

If the input file looks like this:

line one
line two
line three

The resulting rules look like this:

rawbody  LOCAL_EMGR_STRING_1 /line one/i
describe LOCAL_EMGR_STRING_1 Unacceptable word or phrase
score    LOCAL_EMGR_STRING_1 0

rawbody  LOCAL_EMGR_STRING_2 /line two/i
describe LOCAL_EMGR_STRING_2 Unacceptable word or phrase
score    LOCAL_EMGR_STRING_2 0

rawbody  LOCAL_EMGR_STRING_3 /line three/i
describe LOCAL_EMGR_STRING_3 Unacceptable word or phrase
score    LOCAL_EMGR_STRING_3 0

Each line of text in the input file represents a string or phrase that on
the Exchange servers, is considered evil enough to cause message rejections.
There is no pattern or other relationship between the lines of input...
they're just a list of dirty words, phrases, and other no-no patterns.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
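A generator for the rule set Ken describes, as an added example that is not his script: it differs from the one-rule-per-line approach in two ways that matter once the phrases come from a list of "dirty words". Every phrase goes through quotemeta, so a '/', '.', '(' or '+' in the text cannot end or alter the regex, and many phrases are packed into one alternation per rule, so thousands of phrases become a few dozen rules that SpamAssassin evaluates in one pass each. The rule-name prefix, the chunk size and the constructed sample phrases are assumptions; the score is 0.01 rather than 0 because the score entry in Mail::SpamAssassin::Conf documents a score of 0 as "do not run this rule", which would make a zero-scored set useless for measuring cost.

```perl
#!/usr/bin/perl
# Added example, not the generator script from the thread: build SpamAssassin
# rawbody rules from a phrase list with escaping and grouped alternations.
use strict;
use warnings;

# Constructed sample of the kind of input file the thread describes.
my @phrases = (
    'line one',
    'line two',
    'line three',
    'buy now!!! (limited offer)',   # regex metacharacters
    'free/cheap',                   # a bare slash would end /.../i
);

# Returns the rule text plus [name, qr//] pairs compiled from the same
# alternations, so a bad pattern fails here rather than at spamd startup.
sub gen_rules {
    my ($phrases, $per_rule, $prefix) = @_;
    $per_rule ||= 50;
    $prefix   ||= 'LOCAL_EMGR_GROUP';
    my @todo;
    for my $p (@$phrases) {
        (my $clean = $p) =~ s/^\s+|\s+$//g;
        push @todo, $clean if length $clean;
    }
    my $text = '';
    my (@compiled, $n);
    $n = 0;
    while (my @chunk = splice @todo, 0, $per_rule) {
        my $name = sprintf '%s_%03d', $prefix, ++$n;
        # Longest alternative first, so a phrase that is a prefix of another
        # cannot shadow the longer match.
        my $alt = join '|', map { quotemeta } sort { length $b <=> length $a } @chunk;
        my $re = eval { qr/$alt/i } or die "$name does not compile: $@";
        push @compiled, [ $name, $re ];
        $text .= "rawbody  $name /$alt/i\n"
              .  "describe $name Unacceptable word or phrase (group $n)\n"
              .  "score    $name 0.01\n\n";
    }
    return ($text, \@compiled);
}

# Apply the compiled rules to a body; returns the names that hit.
sub hits {
    my ($compiled, $body) = @_;
    return map { $_->[0] } grep { $body =~ $_->[1] } @$compiled;
}

my ($text, $compiled) = gen_rules(\@phrases, 3);
print $text;
print "hits: ", join(', ', hits($compiled, "Get it FREE/cheap today")), "\n";
```

The sample run emits two rules (three phrases in the first, two in the second) and reports a hit on the second group for the constructed body. Matching stays plain substring, case-insensitive, exactly as the original /phrase/i rules did; adding \b word boundaries would need care for phrases that begin or end with punctuation.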


RE: [Mimedefang] tmpfs queue directories

2004-03-29 Thread Cormack, Ken
> In that FAQ David recommends 2.5 to 3 times the max message size x the
> maximum number of MD slaves.  Does this still hold true with the newest 
> versions of MD?  That FAQ entry is almost a year old.


Although the recommendation made in the FAQ has not changed, it might be
helpful to "temper" that recommendation against your actual mail flow.  Your
mileage will definitely vary.

For example, on my servers, I track, on a daily basis, such statistics as
average and peak message flow-rates, and average and largest message size.
I also take rapid (every 2-seconds) snapshots of my ramdisk utilization, to
watch for the 24-hour peak.  For example, here are samples from this
morning's reports for one of my systems.  My sendmail allows a max
attachment size of 50MB.

Based on the numbers below, for message flow rates, message volume, and
average message size, I have sized my ramdisk at only 128MB (the O/S rounded
it up to 134MB).  Here's the current df output:

/dev/shm  134MB  4.4MB  129MB   4% /var/spool/MIMEDefang

It has operated that way for several months, with peak utilization seldom
reaching anything close to 70%.  Here are other numbers that support my
decision (and satisfaction with) the 128MB size, on my machines.  Again,
that size may definitely NOT work for you.

PEAK RAMDISK UTILIZATION: 28%
Time of Peak Utilization: 11:46

MAX NUMBER OF MIMEDEFANG MILTERS
  40 Max Allowed
  36 Busy
  36 Loaded

MIMEDEFANG "MILTER" PROCESSING TIME TALLIES
Shortest time to process: 1ms
 Longest time to process: 39649ms
 Average time to process: 1803ms

AVERAGE MESSAGE SIZE: 54 KB

SMALLEST MESSAGE(S)
Size: 1 Byte
Msg=i2QFnFGv007270

LARGEST MESSAGE(S)
Size: 19255646 Bytes
Msg=i2QGdlBh023803

AVERAGE RATE - MESSAGES PER MINUTE
  MIDNIGHT-8AM: 36
   8AM-5PM: 80
  5PM-MIDNIGHT: 32
   24 HOUR: 51

TOP 10 BUSIEST MINUTES:
  210 Msgs/Min @ 10:25
  189 Msgs/Min @ 10:26
  171 Msgs/Min @ 12:55
  149 Msgs/Min @ 11:08
  148 Msgs/Min @ 10:27
  144 Msgs/Min @ 11:22
  138 Msgs/Min @ 05:00
  136 Msgs/Min @ 08:40
  133 Msgs/Min @ 10:23

So... take the recommendation in the FAQ to heart, but then if you fully
understand the nature of your mail flow, scale it back to a more reasonable
number if the nature of your mail-flow allows.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] tmpfs queue directories

2004-03-29 Thread Cormack, Ken
Everything you need to generate these numbers (and many more) is in your
sendmail log.  I run a script that greps and tallies anything I can think
of.

For example, here's a snippet of code from my script.  This code shows the
viruses stopped by MIMEDefang and my antivirus package (I use Vexira)...

  # MDLOG lines are comma-separated; the sixth whitespace-separated token
  # is "MDLOG,<queue-id>,<event>,<value>,...", so field 4 of that token is
  # the scanner's name for the virus.  Some scanners append "@...", which
  # is stripped to get a clean list of names.
  VIRUS_NAMES=`grep MDLOG ${LOG} \
  | grep "[_,]virus," \
  | awk '{ print $6 }' \
  | cut -f4 -d"," \
  | cut -f1 -d"@" \
  | sort -u`
  if [ "${VIRUS_NAMES}" != "" ]
  then
    print "\nMIMEDEFANG STOPPED THE FOLLOWING VIRUSES"
    for V_NAME in ${VIRUS_NAMES}
    do
      # Count by re-extracting the same field and matching it whole
      # (grep -Fx).  A plain "grep ${V_NAME}" would treat "." and "/"
      # as regex characters and would count "W32/Netsky" once for every
      # "W32/Netsky.c", ".j" and ".p" line as well.
      V_COUNT=`grep MDLOG ${LOG} \
      | grep "[_,]virus," \
      | awk '{ print $6 }' \
      | cut -f4 -d"," \
      | cut -f1 -d"@" \
      | grep -Fx -- "${V_NAME}" \
      | wc -l`
      print "${V_COUNT} Hits: ${V_NAME}"
    done
  fi

The output of that piece of script looks like this:

MIMEDEFANG STOPPED THE FOLLOWING VIRUSES
  15 Hits: Heuristic/PwdRAR
   3 Hits: W32/Bagle.P.1
  48 Hits: W32/Bagle.j
   2 Hits: W32/Bugbear.b
  12 Hits: W32/Klez.gen
   1 Hits: W32/Mydoom
  37 Hits: W32/Netsky
  10 Hits: W32/Netsky.c
   2 Hits: W32/Netsky.j
  24 Hits: W32/Netsky.p
   1 Hits: W32/Sobig.f
  11 Hits: Worm/Bagle.H
   1 Hits: Worm/Bagle.Htm.11
   1 Hits: Worm/Bagle.Htm.12
  14 Hits: Worm/Bagle.J
  11 Hits: Worm/Bagle.O
  49 Hits: Worm/Bagle.U.2
   2 Hits: Worm/Mydoom.F
   2 Hits: Worm/NetSky.B.1
  27 Hits: Worm/NetSky.P
   3 Hits: Worm/Netsky.K

The code may not be optimal, but it works just fine.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Monday, March 29, 2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Mimedefang] tmpfs queue directories


[EMAIL PROTECTED] wrote on 03/29/2004 08:38:26 AM:
> 
> For example, on my servers, I track, on a daily basis, such statistics as
> average and peak message flow-rates, and average and largest message size.
> I also take rapid (every 2-seconds) snapshots of my ramdisk utilization, to
> watch for the 24-hour peak.  For example, here are samples from this
> morning's reports for one of my systems.  My sendmail allows a max
> attachment size of 50MB.

How do you collect all those statistics?  I'm fairly new to this and I'd 
love to show reports like this to management.  It's the sort of stuff 
they drool over!  Oh, and it would help me manage the system. 
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
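Added example, not the script quoted above: the same MDLOG extraction done in a single awk pass, which counts each scanner name exactly instead of re-grepping the log once per name, plus the messages-per-minute tally of the kind shown in the earlier report. The log lines are constructed for the example; the host, queue IDs and addresses in them are made up.

```shell
#!/bin/sh
# Added example: tally MIMEDefang MDLOG virus events and per-minute volume
# from a sendmail log extract.  Not the list poster's script.  The log
# lines are constructed for the example; the field layout
# (MDLOG,<queue-id>,<event>,<value>,...) is the one the page's
# "cut -f4 -d," extraction relies on.
SAMPLE_LOG='Mar 29 10:25:01 mx1 mimedefang.pl[1234]: MDLOG,i2QFnFGv007270,virus,W32/Netsky,<a@example.net>,<b@example.com>,hi
Mar 29 10:25:02 mx1 mimedefang.pl[1235]: MDLOG,i2QFnFGv007271,virus,W32/Netsky.p,<c@example.net>,<b@example.com>,hi
Mar 29 10:25:03 mx1 mimedefang.pl[1236]: MDLOG,i2QFnFGv007272,virus,W32/Netsky.p@MM,<d@example.net>,<b@example.com>,hi
Mar 29 10:26:00 mx1 mimedefang.pl[1237]: MDLOG,i2QFnFGv007273,virus,Heuristic/PwdRAR,<e@example.net>,<b@example.com>,hi
Mar 29 10:26:30 mx1 mimedefang.pl[1238]: MDLOG,i2QFnFGv007274,mail_in,,<f@example.net>,<b@example.com>,hello
Mar 29 10:27:00 mx1 mimedefang.pl[1239]: MDLOG,i2QFnFGv007275,virus,W32/Netsky.c,<g@example.net>,<b@example.com>,hi'

# virus_tally < LOG
# Print "<count> <name>" per virus, most frequent first.  Field 6 is the
# MDLOG token; its fourth comma-separated field is the scanner's name,
# minus any "@..." suffix some scanners append.  Names are compared as
# whole strings, so W32/Netsky and W32/Netsky.p are counted separately and
# "." and "/" are never interpreted as regex characters.
virus_tally() {
    awk '$6 ~ /^MDLOG,/ {
             n = split($6, f, ",")
             if (n >= 4 && f[3] == "virus") {
                 name = f[4]; sub(/@.*/, "", name)
                 count[name]++
             }
         }
         END { for (v in count) printf "%d %s\n", count[v], v }' \
    | sort -k1,1nr -k2,2
}

# busiest_minutes [N] < LOG
# Count log lines per HH:MM (field 3 is the syslog timestamp) and show the
# N busiest minutes, i.e. the "Msgs/Min @ time" figure from the report.
# Feed it one line per message (e.g. only the from= lines) on a real log,
# since sendmail writes several lines per message.
busiest_minutes() {
    awk '{ split($3, t, ":"); m[t[1] ":" t[2]]++ }
         END { for (k in m) printf "%d Msgs/Min @ %s\n", m[k], k }' \
    | sort -k1,1nr -k4,4 | head -n "${1:-10}"
}

echo "MIMEDEFANG STOPPED THE FOLLOWING VIRUSES"
printf '%s\n' "$SAMPLE_LOG" | virus_tally
echo "TOP BUSIEST MINUTES"
printf '%s\n' "$SAMPLE_LOG" | busiest_minutes 3
```

On the sample above the two W32/Netsky.p lines (one with an "@MM" suffix) are counted together, and W32/Netsky, W32/Netsky.c and W32/Netsky.p stay separate; a plain grep on "W32/Netsky" would have reported 4 for it.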


RE: [Mimedefang] Getting "Error from multiplexor: ERR No response from slave"

2004-03-29 Thread Cormack, Ken
Kelson,

You've solved the problem...

> As I understand it, setting the score of a SpamAssassin rule to 0 disables

> the rule.  For testing, small values like 0.01 are recommended.

Excellent point.  I've raised the value to 0.01 for my tests.

> If you haven't already, you should run spamassassin -D --lint and 
> mimedefang.pl -test to make sure there are no syntax errors lying in wait.

Running "spamassassin -D --lint" caught a few occurrences of special
characters in the strings, that seemed to be tripping up the SA engine's
regex parser.  Until I get those characters properly escaped, I removed
those with "grep -v" and re-ran the "-D --lint" with those entries removed.
The test results were clean.

"top" shows the size of my multiplexor threads has grown from approx 20M
each, to now about 75MB each.  I'm running it with embedded perl mode, with
the lion's share of that footprint in shared memory, so it's not as bad as
it sounds.  :)

Consequently, with the rules now free of regex problems, processing appears
to be doing fine, and I am no longer seeing the timeout errors I was getting
before.  Thanks for the suggestion.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
557 E. Tallmadge Ave., Akron, OH  44310
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Phone: (330) 643-6372
Fax: (330) 643-6367
Pager: (800) 946-4646 Pin 1412819

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Resource Question

2004-04-06 Thread Cormack, Ken
With what you are currently doing, your hardware is more than enough.  I run
a pair of dual-proc 800MHz Compaq DL380's with half the disk, 2GB of RAM,
1GB of swap, custom sendmail rulesets, MIMEDefang doing all kinds of
filtering, greylisting, SpamAssassin (which just had 7000+ additional
rawbody rules to it), commercial virus scanning, zip-file inspection, and
DNS.  My boxes handle an average of 50-80K connections a day, and process
about 2GB of mail each day.  During heaviest business hours, the primary box
has peaked at 47% CPU utilization.  Note that I also use a RAM disk to keep
I/O delays short.  My average email is 47K in size, with max size set at
50MB.  Greylisting also helps tremendously, by relieving the need for the
more CPU-intensive filtering.  Based on your mail flow and on what you do
with your boxes, you should be fine.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mark
Penkower
Sent: Tuesday, April 06, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] Resource Question


I am using Mimedefang 2.39.


My Mail server is a Pentium 2.4 GHZ with 2 gig of Ram.  I have a 4 Gig
Swap Drive.  I have a raided 70 Gig SCSI Drive.

On average,the combined incoming and outgoing messages number between
3,000 and 5,000.  The total volume is never more than 500 meg.

I don't do much with Mimedefang.  I bounce banned attachments, and add a
disclaimer to all outgoing emails.  In the future, I will have
Mimedefang BCC all outgoing emails assigned accounts.  I don't need
Mimedefang to do any Virus Checking.


I assume that the hardware that I am using is plenty and that I should
never run out of resources with my current Mimedefang Configuration.

Can somebody verify this.


Thanks


Mark Penkower



___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Counting mail traffic

2004-04-14 Thread Cormack, Ken
> I tried to count mail traffic with MIMEDefang. Everything goes fine but
> sometimes i see empty strings in my maillog file, such as:
> Tue Apr 13 19:58:54 2004
> 42080
> There is no ip and recipient.
> How can i solve this problem?

Simply use the "mailstats" command.  It will give you output that you need.

Make sure your sendmail is configured with statistics enabled, by placing
the following line in your sendmail.mc file:

define(`STATUS_FILE', `/etc/mail/statistics')

Create the statistics file using the following command, if it does not
already exist:

touch /etc/mail/statistics

Then, every night, run the following two commands in a cron task, and let
the cron task mail you the results:

mailstats
> /etc/mail/statistics

Ken

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Tuning MIMEDefang - memory usage, etc.

2004-04-15 Thread Cormack, Ken
Group,

I'm looking for some feedback regarding memory tuning, for MIMEDefang.

I have a pair of 2GB Compaq DL380 servers with RH Linux 8.0 (kernel 2.4.25),
sendmail 8.12.11, MIMEDefang 2.41, with Mail::SpamAssassin 2.63.  I have a
fairly large number of third-party SA rules (backhair, bigevil, and so on)
in addition to approx. 7000 rawbody rules replicating strings I exported
from the content filters we run on the internal Exchange servers.  Both my
sendmail and MIMEDefang are each configured for 30 max child processes,
mainly to handle production batch jobs that run on some internal servers and
which can pump thousands of emails through my system in periodic bursts
lasting several minutes.

My installation is configured to use MIMEDefang's Embedded perl feature, and
each of my servers uses a 128MB RAM filesystem for /var/spool/MIMEDefang.
Lastly, I have sysctl configuring shmmax and shmall for 1.5GB of shared
memory.

A typical snapshot of "top" on my primary server shows the following memory
usage by MD (chopped here, with relevant fields only, to reduce line-wrap):

SIZE  RSS SHARE %MEM
134M 134M 45568  6.6
133M 133M 45640  6.6
132M 132M 45364  6.5
129M 129M 45772  6.4
127M 127M 45920  6.3
117M 117M 47264  5.7
115M 115M 45836  5.7
114M 114M 46400  5.6
112M 112M 47428  5.5
111M 111M 47292  5.5
111M 111M 47480  5.5
111M 111M 47468  5.5
111M 111M 47460  5.5
111M 111M 47400  5.5
110M 110M 47344  5.4
108M 108M 47704  5.3
108M 108M 47440  5.3
108M 108M 48088  5.3
107M 107M 48128  5.3
107M 107M 47672  5.3
105M 105M  104M  5.2
105M 105M  104M  5.2

My "sar -r" numbers (for memory utilization) look good in my opinion, with
%memused at 50-60% (with spikes into the 70-90% range), and %swpused at < 1%
(with peaks in the 10-30% range) during business hours.

I'm curious to know what some of you may think, regarding any suggested
tuning tweaks you could recommend, particularly for either the max number of
concurrent child daemons, shared memory, or the following MIMEDefang
tuneables, which are currently at their defaults.

# Limit slave processes' resident-set size to this many kilobytes.  Default
# is unlimited.
# MX_MAX_RSS=1

# Limit total size of slave processes' memory space to this many kilobytes.
# Default is unlimited.
# MX_MAX_AS=3

Any suggestions that will help maximize my memory utilization would be
appreciated.  Adding the 7000+ rules to SpamAssassin caused the memory
footprint of my MD threads to double in size, and I'd like to know if anyone
has any concerns or suggestions based on my above configuration and memory
usage.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Counting mail traffic

2004-04-16 Thread Cormack, Ken
If you need a breakdown of mailsize per users, then it might be easiest to
parse your maillog.  Each log entry showing the "from=" also shows the
sendmail message ID and the "size=".  You would need to search for the
"size=", capture the message ID number, then search the log again, for the
"to=" entry that has the same message ID number.

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Egor
Moskvichev
Sent: Thursday, April 15, 2004 1:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Counting mail traffic


> Simply use the "mailstats" command.  It will give you output that you
need.

Thank you for an answer.
I've tried your method, but it's not what I really need.  Mailstats output is
very lacking in information:

Statistics from Thu Apr 15 12:49:43 2004
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis  Mailer
 3        0          0K        5         20K        0       0  local
 5        4         19K        0          0K        0       0  esmtp
=============================================================
 T        4         19K        5         20K        0       0
 C        6                    2                     0

I need to know mail traffic for each user exactly.

Egor Mockvichev

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
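Added example, not from the thread: the join Ken describes, done in awk over constructed sendmail log lines (the host, queue IDs and addresses are made up). It takes size= from each from= line, keyed by queue ID, and credits it to every address on a matching to= line whose stat= is Sent, so a deferred attempt is not counted until the retry succeeds. A per-sender tally needs no join, since size= is already on the from= line.

```shell
#!/bin/sh
# Added example: per-user mail volume from a sendmail log.  Not from the
# thread; the log lines are constructed and every host, queue ID and
# address in them is made up.
SAMPLE_MAILLOG='Apr 15 12:50:01 mx1 sendmail[2001]: i3FCo1aa002001: from=<alice@example.net>, size=4096, class=0, nrcpts=2, msgid=<1@example.net>, proto=ESMTP, relay=mail.example.net [192.0.2.10]
Apr 15 12:50:02 mx1 sendmail[2002]: i3FCo1aa002001: to=<bob@example.com>,<carol@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=34096, dsn=2.0.0, stat=Sent
Apr 15 12:51:10 mx1 sendmail[2003]: i3FCpAbb002003: from=<dave@example.org>, size=1024, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, relay=mail.example.org [192.0.2.20]
Apr 15 12:51:11 mx1 sendmail[2004]: i3FCpAbb002003: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31024, dsn=2.0.0, stat=Sent
Apr 15 12:52:00 mx1 sendmail[2005]: i3FCq0cc002005: from=<eve@example.net>, size=8192, class=0, nrcpts=1, msgid=<3@example.net>, proto=ESMTP, relay=mail.example.net [192.0.2.10]
Apr 15 12:52:01 mx1 sendmail[2006]: i3FCq0cc002005: to=<frank@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=38192, dsn=4.0.0, stat=Deferred: Connection refused by mail.example.com.
Apr 15 13:10:00 mx1 sendmail[2007]: i3FCq0cc002005: to=<frank@example.com>, delay=00:18:00, xdelay=00:00:01, mailer=esmtp, pri=128192, dsn=2.0.0, stat=Sent'

# recipient_bytes < LOG
# Print "<recipient> <messages> <bytes>", largest first.  The queue ID is
# field 6 ("i3FCo1aa002001:"); the from= line carries size=, and each
# to= line is one delivery attempt, possibly listing several <addr>s
# separated by commas.  Only attempts with stat=Sent are counted, so the
# deferred attempt above is credited once, when the retry succeeds.
recipient_bytes() {
    awk '
        $6 ~ /^[0-9A-Za-z]+:$/ && $7 ~ /^from=/ {
            qid = substr($6, 1, length($6) - 1)
            for (i = 8; i <= NF; i++)
                if ($i ~ /^size=/) { s = $i; gsub(/[^0-9]/, "", s); size[qid] = s }
            next
        }
        $6 ~ /^[0-9A-Za-z]+:$/ && $7 ~ /^to=/ && /stat=Sent/ {
            qid = substr($6, 1, length($6) - 1)
            if (!(qid in size)) next      # from= line not in this extract
            r = $7; sub(/^to=/, "", r)
            n = split(r, addrs, ",")
            for (i = 1; i <= n; i++) {
                a = addrs[i]; gsub(/[<>]/, "", a)
                if (a != "") { bytes[a] += size[qid]; msgs[a]++ }
            }
        }
        END { for (a in bytes) printf "%s %d %d\n", a, msgs[a], bytes[a] }' \
    | sort -k3,3nr -k1,1
}

# sender_bytes < LOG
# Same report per sender; size= is on the from= line, so no join needed.
sender_bytes() {
    awk '$6 ~ /^[0-9A-Za-z]+:$/ && $7 ~ /^from=/ {
             s = $7; sub(/^from=/, "", s); gsub(/[<>,]/, "", s)
             if (s == "") s = "<>"          # null sender (bounces)
             for (i = 8; i <= NF; i++)
                 if ($i ~ /^size=/) { b = $i; gsub(/[^0-9]/, "", b); bytes[s] += b; msgs[s]++ }
         }
         END { for (s in bytes) printf "%s %d %d\n", s, msgs[s], bytes[s] }' \
    | sort -k3,3nr -k1,1
}

echo "BYTES RECEIVED PER RECIPIENT"
printf '%s\n' "$SAMPLE_MAILLOG" | recipient_bytes
echo "BYTES SENT PER SENDER"
printf '%s\n' "$SAMPLE_MAILLOG" | sender_bytes
```

Because the from= line is the only place the size is logged, run this over a log window that contains both halves of each message; a to= line whose from= line fell into the previous day's rotated log is skipped rather than miscounted.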


RE: [Mimedefang] Need to bounce emails that contain certain keywords in the body

2004-04-19 Thread Cormack, Ken
The easiest way would be to create "rawbody" rules, for SpamAssassin.  For
example:

rawbody  MY_RULE_1 /some text to block/i
describe MY_RULE_1 Unacceptable word or phrase
score    MY_RULE_1 2.0

In this example, I use a SA score of 2.0.  However, if you want to outright
reject a message with such text, score the rule high enough to trigger your
filter to reject or quarantine the message, as desired.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:18 PM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] Need to bounce emails that contain certain
keywords in the body


I Need to bounce emails that contain certain keywords in the body
Please post stock filter code to do this
Thank you 
Mark Penkower
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Slightly OT: System shutdown by non-privileged user

2004-04-20 Thread Cormack, Ken
Don't forget to also restrict logins for that account to just the physical
console.  You don't want people being able to telnet in to do this.

As for the post regarding control-alt-delete "and then powering down before
it reboots", any production Linux server should have its "3-finger salute"
commented out of the inittab file.  I'll explain why.

In our shop, we have racks and racks of NT servers.  Our Linux mail servers
happen to also be rack-mounted, sharing space in a rack with some NT
servers.  In addition, the servers in that rack share a common
keyboard/video/mouse (KVM).

Now tell me... what happens when an NT admin walks up to the console in that
rack, and hits control-alt-delete to log into one of the NT servers, without
first checking the KVM's menu to see which server is currently the "active"
server on that keyboard?

Bingo... the NT admin has just rebooted your server.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Tuesday, April 20, 2004 9:16 AM
To: MIMEDefang, 
Subject: Re: [Mimedefang] Slightly OT: System shutdown by non-privledged
user


On Tue, 20 Apr 2004 [EMAIL PROTECTED] wrote:

> I need to develop a procedure to allow a non-privileged user (computer
> room operator) to shut down my mail filter systems in case of power
> failure and the large room UPS running out of power.

If the operator has physical access to the machine, how about
doing Ctrl-Alt-Del and shutting it off before it reboots?  (This assumes
you're using Linux on x86.)

Otherwise, you can create a user called "shutdown" whose passwd entry
would look like this:

shutdown:x:0:0:Shutdown Operator:/:/sbin/shutdown

and create a password that you give out to the operator.  In fact,
many Linux distros already have a "shutdown" user, albeit with a locked
password.

Regards,

David.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Slightly OT: System shutdown by non-privileged user

2004-04-20 Thread Cormack, Ken
>> Don't forget to also restrict logins for that account to just the 
>> physical console.  You don't want people being able to telnet in
>> to do this.
 
> Excellent point.  As a linux learner, how do I do this? 

Bone up on pam.  Here's an example...

http://www.linux.ucla.edu/pipermail/linux/2000-November/004102.html

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Filtering new Mirosoft virus email ...

2004-04-23 Thread Cormack, Ken
> Hi Ken,
> I tried installing your script on my mailserver, but it has a strange
> behaviour.
> I added these lines into subjects_full:

> re:.thanks!
> re:.approved

Mirko -

I'm assuming by "script" you mean the sendmail LOCAL_RULESET "CheckSubject"
rule that I use, in sendmail.mc/cf.  Generally speaking, I use the
subjects_part list far more that the subjects_full list, simply because if I
declare a full match on "approved", and then an email comes in "re:
approved", the complete subject obviously no longer matches.

So technically, if you wanted to use the subjects_full file, you'd have to
account for all of the following variants:

approved
re: approved
fwd: approved
... and so on.

On the other hand, you have to be careful with what you put in the partial
subjects file (subjects_part), because adding the word "approved" there
would also bounce emails with subjects such as "management just approved
your project".

If the likelihood of clashes such as that example bother you, then add all
the permutations you can think of, to the full file.  Other times, the
partial list can cover you, with less likelihood of causing clashes like the
one I just described.

Lastly, it sounds like you may be forgetting that recent versions of
sendmail actually now use TWO .cf files... sendmail.cf (for files received
via port 25), and submit.cf (for messages "submitted" locally on the
machine... with the "mail" command, for example.)

Be sure you have the rule added to BOTH .cf files, or you will have
different behavior, depending upon whether the mail was received via port
25, or whether you typed a "mail" command at the commandline.

mirko

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] MIMEDefang 2.43 is released

2004-05-11 Thread Cormack, Ken
> Dumb question, but where, now, is the HELO argument accessible?

Rich,

I sent this reply to a similar post, just a couple days ago.  It will fix
your helo check.

Where I had the following in filter_relay():

#sub filter_relay {
#
#    my ($hostip, $hostname, $helo) = @_;

I now use this, in filter_sender():

sub filter_sender {

    my ($sender, $ip, $name, $helo) = @_;

filter_sender takes four arguments, where filter_relay took three.  The
names change slightly, but if you start the functions as I did, allowing for
four arguments, and then change the names of the corresponding variables in
your helo check, that should be all you need (in addition to ensuring you
start mimedefang with the -s switch, to activate the filter_sender
function.)

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Heads up: Change in behvior for 2.43

2004-05-07 Thread Cormack, Ken
> Does this mean that for those of us who reject on invalid EHLO/HELO this
> rejection will now have to take place after the DATA phase, instead of after
> MAIL?  In the past four days, my relay has rejected 17,463 delivery attempts
> due to EHLO/HELO parameters that contain my domain, or are bare IP addresses.
> Do you think that the impact of having to accept DATA from these relays
> before being able to reject will be noticeable?  Or is there another
> approach that I'm missing?

Michael,  about your helo check...

Where I had the following in filter_relay():

#sub filter_relay {
#
#    my ($hostip, $hostname, $helo) = @_;

I now use this, in filter_sender():

sub filter_sender {

    my ($sender, $ip, $name, $helo) = @_;

filter_sender takes four arguments, where filter_relay took three.  The
names change slightly, but if you start the functions as I did, allowing for
four arguments, and then change the names of the corresponding variables in
your helo check, that should be all you need (in addition to ensuring you
start mimedefang with the -s switch, to activate the filter_sender
function.)

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] backup quarantine directory, large number of files.

2004-04-29 Thread Cormack, Ken
> What method have you used to backup upwards of 30K directories in a
> directory, on linux?

I'd use cpio...

# cd /var/spool/MD-Quarantine

cpio to an on-disk archive...
# find . -depth -print | cpio -ocvB > /tmp/backup.cpio

cpio to a tape device...
# find . -depth -print | cpio -ocvB > /dev/devicename

To restore the whole thing, use this syntax...
# cd /var/spool/MD-Quarantine
# cpio -icvdumB < /tmp/backup.cpio
or
# cpio -icvdumB < /dev/devicename

To restore a select file or directory...
# cpio -icvdumB "dirname/filename" < /tmp/backup.cpio

...and so on.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Upgrade from 2.38 to 2.42

2004-04-29 Thread Cormack, Ken
Peter -

If you use any sort of virus scanner, then preserving your old
mimedefang-filter will NOT work, since David moved the virus-scanner calls
from mimedefang-filter to mimedefang.pl just a version-or-two ago.

So, either:

1. you don't employ an external virus scanner (other than File::Scan)
2. you merged your customizations into the new mimedefang-filter and don't
remember doing so
3. you had never modified your original mimedefang-filter and/or
mimedefang.pl in the first place, and just blindly overwrote them with the
new versions
4. you upgraded all portions of mimedefang except for mimedefang.pl and
mimedefang-filter (not sure how well that would work)
5. you did not upgrade (at least not from as far back as 2.38 to 2.42 in one
swoop.)

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Peter
P. Benac
Sent: Thursday, April 29, 2004 3:48 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Upgrade from 2.38 to 2.42


Did for me!!


> HI all,
>
>   Working a lot here, that a miss some upgrades of MD.
>   Is there any special item that I should take care when upgrading
> from 2.38 to 2.42?
>   My filter will work seamless?
>
>
> - Marcelo
>
>
> ___
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> [EMAIL PROTECTED]
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>


-- 
Peter P. Benac, CCNA
Emacolet Networking Services, Inc
Phone: 919-847-1740
Web: http://www.emacolet.com
For free expert system and network management advice visit:
http://www.nmsusers.org

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] variables available for greylisting

2004-05-05 Thread Cormack, Ken
List,

I need to relocate my greylisting from filter_recipient, to filter_end
(to stop the whining from broken MTAs that choke on a 4.X.X before the DATA
phase of the SMTP dialog).  I'm wondering if the values used in building the
triplet from filter_recipient as shown below, are also available from within
filter_end.  Specifically, the recipient address, the sender address, and
the ip of the connecting host.

My filter_recipient currently looks like this:

sub filter_recipient ($) {
    my ($recip, $sender, $ip, $rest_of_the_junk) = @_;
    # Whitelisted relays and whitelisted recipients are never greylisted
    if (greylist_whitelist($ip) || whitelist_recipemail($recip)) {
        return ("CONTINUE", "");
    }
    # First sighting of this sender/recipient/IP triplet: tempfail and log it
    if (should_greylist($sender, $recip, $ip)) {
        md_syslog('warning', "Greylisted Triad:$sender:$recip:$ip");
        return ("TEMPFAIL", "Tempfailed: Your server should auto-resend");
    }
    return ("CONTINUE", "");
}

The greylist_whitelist, whitelist_recipient, and should_greylist are all
functions defined elswhere in my mimedefang-filter file, and which do the
actual work of greylisting.

Could I be so lucky as to simply set "MX_RECIPIENT_CHECK=no" in
/etc/sysconfig/mimedefang (to disable filter_recipient), and then rename my
filter_recipient to something like "sub my_greylist" and expect it to work?

Thanks for any responses.

Ken
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] variables available for greylisting

2004-05-05 Thread Cormack, Ken
> Yes, but that's half of the story. Then you have to call my_greylist 
> with proper arguments and check its return status and do something. 
> Better change the return values in my_greylist to something simpler. 
> You'll have to call it for each recipient and decide whether to tempfail 
> or accept, in either case for *all* recipients.
> The arguments can be ($Recipients[index], $Sender, $RelayAddr)

What we're basically looking to do, is this.

If the SA score is >= 15, discard.
If the SA score is >= 10 and < 15, quarantine.
If the SA score is >= 5 and < 10, greylist.
If the SA score is < 5, allow the mail without greylisting.

This way, we toss the stuff that is clearly junk, quarantine the stuff that
is likely to be junk, greylist the stuff that is borderline, and allow clean
stuff to come straight through.

Most of the logic branching based on SA score is already in place.  And
currently, the greylisting logic works fine when called from
filter_recipient.  I'm just interested in knowing whether the elements of
the triplet were still available for me to use, in filter_end.

Ken
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] How to determine if SendMail is configured with MILTER support...

2004-05-24 Thread Cormack, Ken
Run the following command to confirm MILTER support in your compiled
sendmail...

$ sendmail -d0.1 -bt < /dev/null
Version 8.12.11
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SCANF
                TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = myhost
  (canonical domain name) $j = myhost.mydomain.com
         (subdomain name) $m = mydomain.com
              (node name) $k = myhost.mydomain.com
========================================================

ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>


Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken
Morley
Sent: Monday, May 24, 2004 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: [Mimedefang] How to determine if SendMail is configured with
MILTER support...


I am building a Red Hat ES3 server to support SendMail, MIMEDefang, ClamAV,
etc.

I downloaded source to /usr/src/sendmail/sendmail-8.12.11 and I created a
./devtools/Site/site.config.m4 containing:

dnl Milter
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE')

Everything compiled, checked and installed as normal, without obvious error.

Now, when I run sendmail -bi I get several messages that I don't get on my
Red Hat 8 installation:

Warning: Option: AuthOptions requires SASL support (-DSASL)
Warning: Option: InputMailFilters requires Milter support (-DMILTER)
Warning: Option: Milter requires Milter support (-DMILTER)
Warning: Option: Milter requires Milter support (-DMILTER)
Warning: Option: Milter requires Milter support (-DMILTER)
Warning: Option: Milter requires Milter support (-DMILTER)
Warning: Option: Milter requires Milter support (-DMILTER)
Warning: Filter usage ('X') requires Milter support (-DMILTER)

This leads me to believe that Milter support is NOT compiled into my
SendMail.  Can anyone tell me how to check SendMail to see if Milter support
is enabled or not?

Any idea what I did wrong here?

Thanks!


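The probe above works by spotting MILTER in the "Compiled with:" list, which sendmail wraps across several lines, and Ken Morley's warnings are a second sign of a build without -DMILTER. The following Python script is an added example, not code from the thread: it parses that output into a feature set and checks both signals. The two sample listings are constructed copies of the output quoted above; the sendmail path used by the live probe is an assumption.

```python
import re
import shutil
import subprocess
from typing import List, Optional, Set

# Constructed copy of the listing quoted above (a build with MILTER).
SAMPLE_OUTPUT = """\
Version 8.12.11
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SCANF
                TCPWRAPPERS USERDB XDEBUG

ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
"""

# Constructed copy of what a build without -DMILTER reports when sendmail.cf
# still references the milter (the warnings from the original question).
SAMPLE_NO_MILTER = """\
Version 8.12.11
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND
                NETINET NETUNIX NEWDB PIPELINING SCANF USERDB XDEBUG

Warning: Option: InputMailFilters requires Milter support (-DMILTER)
Warning: Option: Milter requires Milter support (-DMILTER)
Warning: Filter usage ('X') requires Milter support (-DMILTER)
"""


def compiled_features(output: str) -> Set[str]:
    """Collect the tokens after 'Compiled with:'.  The list wraps onto the
    following indented lines and ends at the first blank line."""
    features: Set[str] = set()
    in_list = False
    for line in output.splitlines():
        if not in_list:
            m = re.match(r"\s*Compiled with:\s*(.*)$", line)
            if m:
                in_list = True
                features.update(m.group(1).split())
            continue
        if not line.strip():
            break
        features.update(line.split())
    return features


def milter_warnings(output: str) -> List[str]:
    """Warnings sendmail prints when the .cf uses Milter options but the
    binary was built without -DMILTER; an independent second signal."""
    return [l for l in output.splitlines()
            if "requires Milter support (-DMILTER)" in l]


def has_milter(output: str) -> bool:
    """True only if MILTER is compiled in and no option complained about it."""
    return "MILTER" in compiled_features(output) and not milter_warnings(output)


def probe_live_sendmail(exe: Optional[str] = None) -> Optional[str]:
    """Run 'sendmail -d0.1 -bt < /dev/null' and return its combined output,
    or None if no sendmail binary is available (the path is an assumption)."""
    exe = exe or shutil.which("sendmail") or "/usr/sbin/sendmail"
    try:
        proc = subprocess.run([exe, "-d0.1", "-bt"], input="",
                              capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    out = probe_live_sendmail() or SAMPLE_OUTPUT
    print("compiled with:", " ".join(sorted(compiled_features(out))))
    print("milter support:", "yes" if has_milter(out) else "NO")
```

Run it on the gateway as the user that can execute sendmail; without a sendmail binary it falls back to the constructed listing so the parsing logic can still be exercised.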


[Mimedefang] MessageID anti-impersonation function for sub filter()

2004-05-26 Thread Cormack, Ken
All,

Yesterday, I had a spam come in, in which I noticed the MessageID contained
my own domain.  Since the originating MTA is responsible for generating the
MessageID, and since the message came from the outside, I added the
following in sub filter() of my mimedefang-filter last night.  Over night,
it caught about 20 messages.

if ($MessageID =~ /[EMAIL PROTECTED]>$/i && !Exclude_FromInternal() && !Exclude_FromDmz()) {
    md_syslog('info', "bogus_MessageID: Originating MTA claims to be us in MessageID $MessageID.");
    return ('REJECT', 'Originating MTA can not claim to be us in MessageID.');
}

While I'm on the subject, here's a nice CheckMessageId rule, for sendmail.
Add this to the LOCAL_RULESETS section of your sendmail.mc, and regenerate
your .cf file.  This rule ensures that a MessageID is present, and is of the
correct format.  It also checks the RHS (right hand side) against access.db.

As always, watch out for line-wrap...

# Check for valid Message ID
# Check message id for valid hostname (after @)
HMessage-Id:$>CheckMessageId

SCheckMessageId
# Record the presence of the header
R$* $: $(storage {MessageIdCheck} $@ OK $) $1
# check for local Message-Id: header for non-local headers
# Put client hostname in an initial lookup focus
# anything  -> < lookup focus >anything
R$* $: < $&{client_name} > < $1 >
# test if client hostname in lookup focus ends with one of our
#   domains, $=m, if so the message is locally generated and all
#   Message-Id: header are OK
R< localhost > < $+ >   $@ OK
# reject all other locally generated Message-Id: headers because
#   client hostname is not local
R< $+ > < $+ @ $j >	$#error $: "553 Delivery blocked; HMessage-ID: indicates local generation but client is not local (may be forged)"
# strip trash lookup focus leaving the original header
R< $+ > < $+ >  < $2 >

# Check MessageID for blocked domain names
R< $+ @ $+ >$: $(access $2 $: OK $)
ROK$*   $@ OK
RREJECT$*	$#error $: "553 Delivery blocked; HMessage-ID: failed access database lookup"
RDISCARD$*  $#discard $: discard
RERROR:$*   $#error $: $1
R< $+ @ $+ >$@ OK
# Valid messageIDs should not get this far
R$*	$#error $: "553 Delivery blocked; HMessage-ID: indicated invalid format"


KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.



RE: [Mimedefang] MessageID anti-impersonation function for sub filter()

2004-05-26 Thread Cormack, Ken
> 1. Are you sure it actually came in with that Message-ID?  Sendmail
> adds one if there is not one present and the added one will of course
> have your host's name in it.  I forget whether it has been added
> already at milter stage.

Yes, I'm sure.  It actually contained <[EMAIL PROTECTED]@domain>

Regarding the adding of a MessageID where none is present, rfc2822 does
state that it should already have one.  I realize it also says that if a
message arrives without one, that one should be added.  However, since this
system is an external relay host, with no "local submissions" occurring, it
can be asserted that a message can be held accountable to rfc2822's first
assertion that one should exist.  No legitimate MTA that I'm aware of, omits
the MessageID.

> 2. If a host generated Message-IDs with the name of the recipient
> domain in them, does that violate any standard?  I agree that it
> looks spammy, and SpamAssassin scores for this, but I am not sure
> mail should be rejected as a general rule.

We've been outright rejecting such mail for a year, averaging 3 or 4 dozen a
day between both servers, with zero complaints based on missing MessageID
rejections.

> 3. Some client software does not create Message-ID and relies on the
> smtp server to generate it.  This includes both PC mail clients and
> also some PC products that generate mail from databases.  A host that
> acts as smtp server needs to recognize any such permitted use-- perhaps
> by IP address or by detecting use of smtp auth.

We have no internal clients connecting directly to this system.  Our clients
talk to Exchange, which then through IMS and an internal wildcard SMTP relay
then hand off outbound traffic to The 'Net.  We screen for inbound connects
from clients in many ways, and do not, as a policy, allow connections
directly from MUAs.  Thus, we do not run POP3, IMAP, or other client
protocols.  Ergo, since everything comes via SMTP, we assume it comes from
an SMTP MTA server of one sort or another.  Ergo, it should already have a
MessageID.

Ken


RE: [Mimedefang] MessageID anti-impersonation function for sub filter()

2004-05-26 Thread Cormack, Ken
To test your concern, I sent myself test emails to my yahoo account.  Then,
using yahoo's "Display Full Headers" option, I confirmed that my Exchange
server's IMS had placed a valid MessageID into the outbound message.

That MessageID incorporated the hostname - dot - domainname, to the right of
the "@" symbol.

Similar messages sent from a couple internal production UNIX boxes as well,
ALL included the hostname of the originating MTA.  In NO cases, did any
outbound test messages go out as simply "@roadway.com" in the MessageID.
They ALL went out as "@hostname.roadway.com".  Therefore, I feel at ease
blocking anything that comes in, that lacks the hostname to the right of the
"@" symbol, in the MessageID.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Frank
Doepper
Sent: Wednesday, May 26, 2004 10:34 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] MessageID anti-impersonation function for sub
filter()


Am 26.05.04 um 08:49 schrieb Cormack, Ken:

>Yesterday, I had a spam come in, in which I noticed the MessageID
>contained my own domain.  Since the originating MTA is responsible for
>generating the MessageID, and since the message came from the outside

What about forwarded mail? If someone from outside resends mail
originating from your domain to someone else within your domain?

FD
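The checks in this thread live in two places: the sendmail CheckMessageId ruleset (presence, format, a right-hand side equal to our own canonical hostname from a non-local client, and an access.db lookup on the right-hand side) and the filter() test that rejects a bare "@ourdomain>" from outside, which Ken's last reply justifies by observing that all legitimately generated outbound mail carries a hostname to the right of the "@". The following Python function is an added example, not the thread's own filter code or ruleset; it implements the combined policy outside of MIMEDefang so the verdicts can be exercised. The domain, hostname, internal client list and access map are all constructed assumptions, as is the parent-domain walk in the access lookup, which the ruleset does not do.

```python
import re
from typing import Dict, Optional, Tuple

# Assumptions (the posts redact the real values): our canonical hostname
# ($j in sendmail terms), our bare domain, and the relays whose messages are
# locally generated and therefore never questioned.  In production key this
# on the connecting relay's IP address, as Exclude_FromInternal() in the post
# presumably does, since reverse-DNS names are attacker-influenced.
OUR_HOSTNAME = "mx1.example.com"
OUR_DOMAIN = "example.com"
INTERNAL_CLIENTS = {"localhost", "exchange.example.com", "relay.dmz.example.com"}

# Constructed stand-in for access.db, keyed on the Message-ID right-hand side.
ACCESS_MAP: Dict[str, str] = {
    "spammer.test": "REJECT",
    "junk.test": "DISCARD",
    "partner.test": "OK",
}

# Simplified msg-id syntax: "<" id-left "@" id-right ">" with no whitespace,
# which is what the ruleset's "$+ @ $+" patterns effectively require.
MSGID_RE = re.compile(r"^<([^<>@\s]+)@([^<>@\s]+)>$")


def access_lookup(domain: str) -> Optional[str]:
    """Exact lookup of the RHS, then each parent domain.  The ruleset does
    only the exact lookup; matching parent domains is an extension here."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        hit = ACCESS_MAP.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def check_message_id(message_id: Optional[str], client_name: str) -> Tuple[str, str]:
    """Return (action, reason); action is OK, REJECT or DISCARD."""
    if message_id is None or not message_id.strip():
        # Thread policy: this is an external relay with no local submission,
        # so everything arriving must already carry a Message-ID.
        return "REJECT", "553 Delivery blocked; Message-ID header missing"
    m = MSGID_RE.match(message_id.strip())
    if not m:
        return "REJECT", "553 Delivery blocked; Message-ID indicated invalid format"
    rhs = m.group(2).lower()
    if client_name.lower() in INTERNAL_CLIENTS:
        return "OK", "locally generated; any Message-ID accepted"
    if rhs == OUR_HOSTNAME:
        return "REJECT", ("553 Delivery blocked; Message-ID indicates local "
                          "generation but client is not local (may be forged)")
    if rhs == OUR_DOMAIN:
        # Bare domain: our own MTAs always emit hostname.domain, so this can
        # only be forged.  A forwarded message from one of our hosts keeps
        # its "@hostname.domain" RHS and falls through to the access lookup.
        return "REJECT", "553 Originating MTA can not claim to be us in Message-ID"
    verdict = access_lookup(rhs)
    if verdict == "REJECT":
        return "REJECT", "553 Delivery blocked; Message-ID failed access database lookup"
    if verdict == "DISCARD":
        return "DISCARD", "discard"
    if verdict and verdict.startswith("ERROR:"):
        return "REJECT", verdict[len("ERROR:"):]
    return "OK", "Message-ID acceptable"


if __name__ == "__main__":
    for mid, client in [("<a1@mail.example.com>", "smtp.other.test"),
                        ("<a1@example.com>", "smtp.other.test"),
                        (None, "smtp.other.test")]:
        print(mid, client, "->", check_message_id(mid, client))
```

Note the forwarded-mail case Frank raises: a message that left one of our hosts as "<id@host.example.com>" and is resent from outside passes, because only the bare domain and the gateway's own canonical name are treated as forged.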


RE: [Mimedefang] Can I bounce by subject and body without Spamassassin?

2004-05-27 Thread Cormack, Ken
> Can I bounce by subject and body without Spamassassin?

> If so, a simple exapmle would be appreciated.

I posted a ready-to-run sendmail ruleset to reject based on subject, a while
back.  A search of the archives will give you what you need.

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
Open Systems Group
Sr. Software Analyst,
TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.


RE: [Mimedefang] Access list

2004-06-10 Thread Cormack, Ken
> When does the access list get check before mimedefang or after?

The short answer is "both".

Access.db gets checked multiple times, at multiple points during the SMTP
transaction, depending upon what SENDMAIL features you have enabled or
disabled (assuming you even have support enabled).

The milter also gets called multiple times by sendmail, during each
transaction.

Ken


[Mimedefang] Logging which virus scanner

2004-06-11 Thread Cormack, Ken
List,

Might there be a way to have MD log which (of multiple) installed virus
scanner detects a virus, in an infected email?  I'd be interested in seeing
how many viruses are intercepted by File::Scan, relative to my Vexira.

Thanks!

Ken


RE: [Mimedefang] TMDA

2004-06-18 Thread Cormack, Ken
rawbody  MY_BOOM  /theboom/i
describe MY_BOOM  Unacceptable word or phrase
score    MY_BOOM

:)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Friday, June 18, 2004 8:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] TMDA


On Thu, 17 Jun 2004, Vikas Rangarajan wrote:

> Has anyone set up TMDA with MIMEDefang systemwide?

Please don't.  Challenge/Response systems are pure, unmitigated evil, and
anyone who uses one quickly gets into my blacklists.

> *
> * http://www.theboom.com*
> *   theBoom is an award-winning product from UmeVoice, Inc.:*

This is spam; please don't post it to this list.

--
David.



[Mimedefang] Test message

2004-09-22 Thread Cormack, Ken
Diagnosing whether I'm still sending in HTML.  Please disregard this
message.


RE: [Mimedefang] JPEG exploit checking in mimedefang-filter

2004-10-12 Thread Cormack, Ken
I cant take credit for the code, myself... I may have merely quoted it in a
post.  The original code was posted by Tomasz Ostrowski.

Ken

-Original Message-
From: Joseph Brennan [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 12, 2004 1:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [Mimedefang] JPEG exploit checking in mimedefang-filter



Reference to Ken Cormack's filter code, Sep 28, using djpeg
to diagnose success or fail...


>my($code, $category, $action) =
>run_virus_scanner( "djpeg -fast -dither none
> -grayscale -scale 1/8 -outfile /dev/null $path" );


We find that jpg attachments in mail sent with the OSX Mail program
fail this test, quite a lot, maybe all the time.

I'm going to be looking into it.  If anyone else is ahead of me on
a solution please say so.

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York




RE: [Mimedefang] JPEG exploit checking in mimedefang-filter

2004-09-28 Thread Cormack, Ken
What I REALLY like about this is that it performs a straight-forward "are
you what you say you are?" test, rather than the more nebulous and
error-prone "are you not what you pretend to be?"

Thanks for posting this, Tomasz!

Ken

-Original Message-
From: Tomasz Ostrowski [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 28, 2004 4:56 AM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] JPEG exploit checking in mimedefang-filter


I have written a quick and dirty checking for corrupt jpeg files in
mimedefang-filter. It uses program "djpeg", which should be in most
Linux and Unices distributions, to convert the file to bitmap writing
in /dev/null. It lets the file in, if it manages to successfully convert
it, or rejects it otherwise.

It should catch the latest JPEG virus. At least it catches the sample
I have found here:
http://www.easynews.com/virus.html

###
# New function: check for corrupted JPEG files
sub filter_corrupt_jpeg ($) {
    my($entity) = @_;

    # Only look at parts whose filename claims to be a JPEG
    if (re_match($entity, '\.jp(e?)g$')) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                # Ask djpeg to decode the file as cheaply as possible
                # (1/8 scale, grayscale, no dithering, output to /dev/null).
                # run_virus_scanner() runs the command and returns its exit
                # code plus a category and an action; any non-zero exit
                # means the part is not a decodable JPEG.
                my($code, $category, $action) =
                    run_virus_scanner("djpeg -fast -dither none -grayscale -scale 1/8 -outfile /dev/null $path");
                if ($action ne 'proceed') {
                    return $code;
                }
                if ($code) {
                    return $code;
                }
            }
        }
    }

    return 0;
}
###

###
# This should go in filter() function
if (filter_corrupt_jpeg($entity)) {
    md_graphdefang_log('corrupt_jpeg', $fname, $type);
    action_bounce("Access denied. Corrupt file $fname not allowed.", "554", "5.7.1");
    return action_discard();
}
###

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh
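The djpeg approach above is a full decode: the attachment is accepted only if it really is what it claims to be. The following Python validator is an added example, not code from the thread; it applies the same positive-validation idea as a pure structural walk of the JPEG marker segments (SOI first, every segment's declared length at least the two bytes of the length field itself and inside the file, scan data terminated by a marker, EOI reached), which is a cheap first gate before handing the part to a decoder rather than a replacement for one. The sample byte strings are constructed skeletons, not real images.

```python
import struct
from typing import Tuple

SOI, EOI, SOS, COM, APP0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0
RST = set(range(0xD0, 0xD8))          # RST0..RST7 carry no length field
STANDALONE = RST | {0x01}             # TEM is the other length-less marker


def validate_jpeg(data: bytes) -> Tuple[bool, str]:
    """Walk the marker segments and report the first structural fault."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return False, "missing SOI marker"
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}, got 0x{data[pos]:02x}"
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            return False, "file ends inside a marker"
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return True, "EOI reached"
        if marker == SOI:
            return False, f"unexpected SOI at offset {pos - 2}"
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return False, f"segment 0x{marker:02x} has no length field"
        seglen = struct.unpack(">H", data[pos:pos + 2])[0]
        if seglen < 2:
            # The length includes its own two bytes, so anything below 2 is
            # impossible in a well-formed file and a classic parser trap.
            return False, f"segment 0x{marker:02x} declares length {seglen} < 2"
        if pos + seglen > len(data):
            return False, f"segment 0x{marker:02x} overruns end of file"
        pos += seglen
        if marker == SOS:
            # Entropy-coded data follows: 0xFF00 is a stuffed data byte and
            # RSTn markers belong to the scan; any other marker ends it.
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt < 0 or nxt + 1 >= len(data):
                    return False, "scan data not terminated by a marker"
                nb = data[nxt + 1]
                if nb == 0x00 or nb in RST:
                    pos = nxt + 2
                elif nb == 0xFF:
                    pos = nxt + 1
                else:
                    pos = nxt
                    break
    return False, "no EOI marker before end of file"


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a correct length field."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a skeletal but well-formed marker sequence (APP0, a
# comment, a scan with a stuffed byte and a restart marker, EOI) and variants
# with a too-small length field, a length past end of file, a missing EOI,
# and a file that is not a JPEG at all.
GOOD = (b"\xff\xd8"
        + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        + _seg(COM, b"comment")
        + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
        + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
        + b"\xff\xd9")
BAD_LENGTH = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"comment" + b"\xff\xd9"
OVERRUN = b"\xff\xd8" + b"\xff\xfe\x00\x40" + b"abc"
TRUNCATED = GOOD[:-2]
NOT_JPEG = b"MZ\x90\x00" + b"\x00" * 60


if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("bad length", BAD_LENGTH),
                       ("overrun", OVERRUN), ("truncated", TRUNCATED),
                       ("not a jpeg", NOT_JPEG)]:
        print(f"{name:11s} -> {validate_jpeg(blob)}")
```

A real decoder such as djpeg is stricter still (it also checks Huffman tables, component counts and the like), so a part that passes this walk can still be rejected downstream; the point of the walk is to turn "is this malformed?" into a definite answer for the cases the marker structure alone settles.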


RE: [Mimedefang] roaringpenguin.com is listed in rfc-ignorant

2004-09-28 Thread Cormack, Ken
One of Can-It's competitors must have a mindspring connection, David.   ;>

-Original Message-
From: David F. Skoll [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 28, 2004 4:25 PM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] roaringpenguin.com is listed in rfc-ignorant


Hi, all.

The ignoramuses at RFC-Ignorant have decided to blacklist
roaringpenguin.com.
Details at:

http://www.rfc-ignorant.org/tools/detail.php?domain=roaringpenguin.com&submi
tted=1087414364&table=postmaster

Note the final line on that page.  Ironic, isn't it?

I have a long-standing policy of not bending to the whims of zealous
blacklisters.  If you use RFC-Ignorant.org (and you get this message),
complain to the admins who run it.

Regards,

David.


RE: [Mimedefang] roaringpenguin.com is listed in rfc-ignorant

2004-09-29 Thread Cormack, Ken
>> One of Can-It's competitors must have a mindpsring connection, David.
;>

> The person who submitted the report is Derek Balling
> <[EMAIL PROTECTED]>, and I think he's misguided rather than
> malicious.  (I think he's the founder of milter.org - right?)

Since the IP address belongs to mindspring, and his email is megacity, let's
hope mindspring publishes an SPF that disallows him the ability to send
outbound email.  Poetic Justice.  ;>

Ken


RE: [Mimedefang] SIG11's with Mimedefang 2.48

2004-11-02 Thread Cormack, Ken
In the past, I've seen SIG11's happen for two other reasons...

1.  Bad memory
2.  Pushing an over-clocked machine faster than its memory can handle.

Do either of these apply in this case?  I mean, the upgrade to MD 2.48 might
just be coincidental timing with a RAM stick that's about to fail
altogether.

Ken

-Original Message-
From: David F. Skoll [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 02, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] SIG11's with Mimedefang 2.48


On Tue, 2 Nov 2004, Martin Blapp wrote:

> Have you seen this error too on older versions ? I just got it
> once. Of course I

I have not seen it, and it's very odd.

> Nov 2 16:22:51 mx3 mimedefang[56969]: iA2FMXpa037602: Could not open
> MIMEDefang 2.48 on 192.168.0.1/COMMANDS: No such file or directory

It looks like the scan directory is being overwritten by
"MIMEDefang 2.48 on 192.168.0.1", which makes no sense whatsoever..

Could it be a FreeBSD-specific issue?  A bug in pthreads?

The code that generates "MIMEDefang 2.48 on 192.168.0.1" is around
line 1431 of mimedefang.c, and I see no way that it can overwrite
data->dir (which is what appears to be happening.)

Anyone else seeing this?

Regards,

David.


RE: [Mimedefang] Frustration...

2004-11-05 Thread Cormack, Ken
> -Original Message-
> From: Yang Xiao [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, November 04, 2004 2:45 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Mimedefang] Frustration...

::snip::

> As for MailScanner, I like it's ability to convert dangerous HTML and
> Javascript codes and strip them, I think MIMEDefang does this as well,
> but I haven't look into it yet, if that's the case, I need to find a
> reason to run MailScanner if at all.

The single biggest advantage of MIMEDefang over MailScanner, is that
MailScanner can not reject mail during the SMTP dialogue.  You must complete
the incoming transaction to its conclusive "close the connection", before
MailScanner even begins to look at the mail.

Ken


RE: [Mimedefang] tmpfs on Linux

2004-11-10 Thread Cormack, Ken
It is likely that your tmpfs (ramdisk) is too big for the amount of total
physical RAM installed in the system.  Secondly, you don't state how many
concurrent processes you are running, and so on.

The system will swap when it runs low on usable RAM.  Whatever RAM you've
dedicated to the tmpfs is not otherwise "useable" to the running programs.
Thus, paging/swapping occurs.

Add more RAM to the system, and take a good practical look at how big your
ramdisk truly needs to be.  I know the worst-case calculation says to
multiply the max message size by the max number of allowed child processes.
However, it has been my experience that I in no way need a RAM disk of 2GB,
which is equal to 50MB (my max message size) x 40 (max concurrent child
processes).  My average message size lately has been around 46K.  And as
rare as it is for me to receive a single 50MB email, I have not yet seen an
instance where I've had to process 2 messages of that size, concurrently
(though I have seen a mix of 10, 15, 4, and 30MB messages all at once, for
example.)  My RAMdisk is set to 128MB, and I have only seen it go 100% full
once or twice, in my daily reports.  In those cases, the messages were
tempfailed by MIMEDefang, and successfully re-transmitted on the next attempt
by the sending servers.  As an example (from last night's report of
yesterday's traffic), this configuration successfully handles the following
message rates, on a 2GB dual-proc system:

AVERAGE RATE - MESSAGES PER MINUTE
  MIDNIGHT-8AM: 36
   8AM-5PM: 104
  5PM-MIDNIGHT: 50
   24 HOUR: 66

TOP 10 BUSIEST MINUTES:
  278 Msgs/Min @ 10:27
  275 Msgs/Min @ 10:21
  263 Msgs/Min @ 10:33
  255 Msgs/Min @ 10:32
  253 Msgs/Min @ 10:31
  251 Msgs/Min @ 10:26
  250 Msgs/Min @ 10:23
  247 Msgs/Min @ 10:25
  246 Msgs/Min @ 10:29

PEAK RAMDISK UTILIZATION: 53%
Time of Peak Utilization: 15:30

Ken

-Original Message-
From: Greg Miller [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 10, 2004 9:05 AM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] tmpfs on Linux


Platform is RedHat EL AS 3
Dual Xeon 3.0 Ghz CPU
1 GB RAM
Load is between 1-3 messages per second.

System performs very well, most of the time, with only 2-3 busy slaves.
However, on occasion, I will see all 15 of my slaves busy, lots of disk
I/O to swap, and "Please try again later" messages in the maillog.

I am using tmpfs for /var/spool/MIMEDEFANG as recommended in the FAQ. I
believe my tmpfs is being sent to swap during these periods and causing
horrible performance.

Has anyone else seen this behavior? Any solutions out there?
Thanks.

-- 
Greg Miller, RHCE, CCNA, MCSE
Senior Network Specialist
University of Richmond
[EMAIL PROTECTED]
(804) 289-8546


RE: [Mimedefang] filter end

2005-01-07 Thread Cormack, Ken
Try this, in filter_end...

foreach $recip (@Recipients) {
    if ($recip =~ /[EMAIL PROTECTED]/i) {
        # do something here
        last;
    }
}


Ken


-Original Message-
From: Keith Patton [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 07, 2005 9:49 AM
To: mimedefang@lists.roaringpenguin.com
Subject: [Mimedefang] filter end


All,

 Is there an easy way to get the recipient in the filter_end subroutine
of mimedefang-filter ??

I need a disposition based on # hit and destination 

thanks,

Keith



[Mimedefang] Question about add_recipient

2005-01-11 Thread Cormack, Ken
List,

I have been asked to find a way to have alerts that are emailed to a
particular pager automatically copied to two other engineer's pager email
addresses.  I'm experimenting with the following code snippet, and would
like to see if someone can explain an anomaly I'm seeing...

In sub filter_end, I'm doing the following:

foreach $recip (@Recipients) {
    if ($recip =~ /[EMAIL PROTECTED]/i) {
        add_recipient('[EMAIL PROTECTED]');
        add_recipient('[EMAIL PROTECTED]');
        last;
    }
}

When we sent a test-page to pager #1.  Pager #3 received one copy (as
expected), but pager #2 received TWO copies of the test page.  Looking at
the description of the "add_recipient" function in `man mimedefang-filter`,
it is unclear whether successive calls to this function would cause the
glitch that I'm seeing.

Can anyone explain why I am seeing TWO copies sent to the first added
recipient, and how I may stop that from happening?

Thanks!

Ken


Follow-up... RE: [Mimedefang] Question about add_recipient

2005-01-11 Thread Cormack, Ken
List,

The incident with one recipient getting two copies may have been a fluke.  I
can only find one occurrence of the affected recipient's email address in my
maillog, for that test message.  And that log entry refers to the added
address only once.




RE: [Mimedefang] Question about add_recipient

2005-01-11 Thread Cormack, Ken
That's the long-term fix.  Unfortunately, there are about 400+ scripts and
programs in which the original pager address was directly coded.  It'll take
time for the programmer to update all those locations in the code.  Several
things such as you suggest were already discussed with the developer.  Such
as "define the recipients in an environment file, then have your programs
email the referenced recipients - one file to update/edit if changes are
ever needed."

Remember that people think independently from the smtp relay admin.  They
write their code without consulting me, and don't need my permission to do
their own thing, in this regard.  I get called when they have problems after
the fact, but they don't ask "what's the best way to do this?" before-hand.

As for why I don't use an alias...

A) I needed to prevent double-interpretation in the event one of my servers
has to hand-off to the other (sendmail's confFALLBACK_MX capability, which
we use)

B) I don't like aliasing an email address that is not of my own domain (it's
our paging vendor's domain, ergo it's their address, ergo I shouldn't be
mucking with it)

C) We have the option to perform other manipulations (such as calling
"remove_redundant_html_parts" to all outbound mail destined to our pagers),
and so on.

  :)

Ken

-Original Message-
From: Kenneth Porter [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 11, 2005 1:50 PM
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Question about add_recipient


--On Tuesday, January 11, 2005 1:10 PM -0500 "Cormack, Ken" 
<[EMAIL PROTECTED]> wrote:

> I have been asked to find a way to have alerts that are emailed to a
> particular pager automatically copied to two other engineer's pager email
> addresses.

This looks like a job for /etc/aliases. Instead of publishing the raw pager 
account, publish an alias. You can then copy mail for that alias to as many 
mailboxes as you want.

I can never remember my pager number, so I just put an easy-to-remember 
alias in my alias file, and add my regular email to that so that if I miss 
a page from poor reception, I still see it in my regular mailbox, which I 
check fairly frequently.

Something like:

pager-ken: [EMAIL PROTECTED], ken



[Mimedefang] "Cant open tmpfile" error

2005-02-03 Thread Cormack, Ken
Group,

For some unknown reason, one of my two MIMEDefang gateways has started
dumping the following into my logs...

Feb  3 16:16:09 mail02 mimedefang-multiplexor[574]: Slave 3 stderr:
MIME::Parser: can't open tmpfile: Invalid argument
Feb  3 16:16:09 mail02 mimedefang-multiplexor[574]: Slave 3 died prematurely
-- check your filter rules
Feb  3 16:16:09 mail02 mimedefang-multiplexor[574]: Reap: Idle slave 3 (pid
9587) exited normally with status 22 (SLAVE DIED UNEXPECTEDLY)

The box in question happens to be my secondary MX host (MX weight of 20, in
DNS).  It is also the "FALLBACK_MX_HOST" for my primary MX host.  Other than
those differences, the systems are identical in their configuration.

"Mimedefang.pl -features" reports the same versions of all relevant perl
modules, on both systems, as follows...

I'm using the embedded perl mode on both machines (and have been for
months).

I've double-checked disk space (both for blocks free and free inodes) on the
/var/spool/MIMEDefang RAMdisk, and even ran without the RAMdisk.  It made
no difference.

I'm stumped, in that the two servers are the same, and both have been
running fine for months.

Does anyone have any suggestions as to where I should start looking for the
cause?


Ken


[Mimedefang] REPOST - RE: "Cant open tmpfile" error

2005-02-03 Thread Cormack, Ken
This is a re-post... I forgot to add the output of "mimedefang.pl
-features"...

MIMEDefang version 2.49

Archive::Zip  : yes
File::Scan: yes
HTML::Parser  : yes
HTML::TokeParser  : yes
HTMLCleaner   : yes
Net::DNS  : yes
Path:CONFDIR  : yes (/etc/mail)
Path:QUARANTINEDIR: yes (/var/spool/MD-Quarantine)
Path:SENDMAIL : yes (/usr/sbin/sendmail)
Path:SPOOLDIR : yes (/var/spool/MIMEDefang)
SpamAssassin  : yes
Unix::Syslog  : yes
Virus:FileScan: yes
Virus:VEXIRA  : yes (/usr/bin/vexira)
Virus:AVP : no
Virus:AVP5: no
Virus:BDC : no
Virus:CLAMAV  : no
Virus:CLAMD   : no
Virus:CSAV: no
Virus:FPROT   : no
Virus:FPROTD  : no
Virus:FSAV: no
Virus:HBEDV   : no
Virus:NAI : no
Virus:NVCC: no
Virus:OpenAV  : no
Virus:SOPHIE  : no
Virus:SOPHOS  : no
Virus:SymantecCSS : no
Virus:TREND   : no
Virus:TROPHIE : no

Anomy::HTMLCleaner: Version 1.21
Archive::Zip  : Version 1.09
Digest::SHA1  : Version 2.10
File::Scan: Version 1.39
HTML::Parser  : Version 3.31
HTML::TokeParser  : Version 2.24
IO::Socket: Version 1.27
IO::Stringy   : Version 2.108 
MIME::Base64  : Version 3.03
MIME::Tools   : Version 5.417
MIME::Words   : Version 5.417
Mail::Mailer  : Version 1.60
Mail::SpamAssassin: Version 3.02
Net::DNS  : Version 0.47
Unix::Syslog  : Version 0.100


-Original Message-----
From: Cormack, Ken 
Sent: Thursday, February 03, 2005 4:30 PM
To: 'mimedefang@lists.roaringpenguin.com'
Subject: "Cant open tmpfile" error


Group,

For some unknown reason, one of my two MIMEDefang gateways has started
dumping the following into my logs...

Feb  3 16:16:09 mail02 mimedefang-multiplexor[574]: Slave 3 stderr:
MIME::Parser: can't open tmpfile: Invalid argument
Feb  3 16:16:09 mail02 mimedefang-multiplexor[574]: Slave 3 died prematurely
-- check your filter rules
Feb  3 16:16:09 mail02 mimedefang-multiplexor[574]: Reap: Idle slave 3 (pid
9587) exited normally with status 22 (SLAVE DIED UNEXPECTEDLY)

The box in question happens to be my secondary MX host (MX weight of 20, in
DNS).  It is also the "FALLBACK_MX_HOST" for my primary MX host.  Other than
those differences, the systems are identical in their configuration.

"Mimedefang.pl -features" reports the same versions of all relevant perl
modules, on both systems, as follows...

I'm using the embedded perl mode on both machines (and have been for
months).

I've double-checked disk space (both for blocks free and free inodes) on the
/var/spool/MIMEDefang RAMdisk, and even ran without the RAMdisk. It made
no difference.

I'm stumped, in that the two servers are the same, and both have been
running fine for months.

Does anyone have any suggestions as to where I should start looking for the
cause?


Ken
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Solved - RE: REPOST - RE: "Cant open tmpfile" error

2005-02-03 Thread Cormack, Ken
Nevermind. As was noted in a post in the archives, my /tmp directory had
hosed perms. I don't know how that happened, but it seems to work now.

Ken

-Original Message-
From: Cormack, Ken 
Sent: Thursday, February 03, 2005 4:31 PM
To: 'mimedefang@lists.roaringpenguin.com'
Subject: REPOST - RE: "Cant open tmpfile" error


This is a re-post... I forgot to add the output of "mimedefang.pl
-features"...

MIMEDefang version 2.49

Archive::Zip  : yes
File::Scan: yes
HTML::Parser  : yes
HTML::TokeParser  : yes
HTMLCleaner   : yes
Net::DNS  : yes
Path:CONFDIR  : yes (/etc/mail)
Path:QUARANTINEDIR: yes (/var/spool/MD-Quarantine)
Path:SENDMAIL : yes (/usr/sbin/sendmail)
Path:SPOOLDIR : yes (/var/spool/MIMEDefang)
SpamAssassin  : yes
Unix::Syslog  : yes
Virus:FileScan: yes
Virus:VEXIRA  : yes (/usr/bin/vexira)
Virus:AVP : no
Virus:AVP5: no
Virus:BDC : no
Virus:CLAMAV  : no
Virus:CLAMD   : no
Virus:CSAV: no
Virus:FPROT   : no
Virus:FPROTD  : no
Virus:FSAV: no
Virus:HBEDV   : no
Virus:NAI : no
Virus:NVCC: no
Virus:OpenAV  : no
Virus:SOPHIE  : no
Virus:SOPHOS  : no
Virus:SymantecCSS : no
Virus:TREND   : no
Virus:TROPHIE : no

Anomy::HTMLCleaner: Version 1.21
Archive::Zip  : Version 1.09
Digest::SHA1  : Version 2.10
File::Scan: Version 1.39
HTML::Parser  : Version 3.31
HTML::TokeParser  : Version 2.24
IO::Socket: Version 1.27
IO::Stringy   : Version 2.108 
MIME::Base64  : Version 3.03
MIME::Tools   : Version 5.417
MIME::Words   : Version 5.417
Mail::Mailer  : Version 1.60
Mail::SpamAssassin: Version 3.02
Net::DNS  : Version 0.47
Unix::Syslog  : Version 0.100


-Original Message-
From: Cormack, Ken 
Sent: Thursday, February 03, 2005 4:30 PM
To: 'mimedefang@lists.roaringpenguin.com'
Subject: "Cant open tmpfile" error


Group,

For some unknown reason, one of my two MIMEDefang gateways has started
dumping the following into my logs...

Feb  3 16:16:09 mail02 mimedefang-multiplexor[574]: Slave 3 stderr:
MIME::Parser: can't open tmpfile: Invalid argument
Feb  3 16:16:09 mail02 mimedefang-multiplexor[574]: Slave 3 died prematurely
-- check your filter rules
Feb  3 16:16:09 mail02 mimedefang-multiplexor[574]: Reap: Idle slave 3 (pid
9587) exited normally with status 22 (SLAVE DIED UNEXPECTEDLY)

The box in question happens to be my secondary MX host (MX weight of 20, in
DNS).  It is also the "FALLBACK_MX_HOST" for my primary MX host.  Other than
those differences, the systems are identical in their configuration.

"Mimedefang.pl -features" reports the same versions of all relevant perl
modules, on both systems, as follows...

I'm using the embedded perl mode on both machines (and have been for
months).

I've double-checked disk space (both for blocks free and free inodes) on the
/var/spool/MIMEDefang RAMdisk, and even ran without the RAMdisk. It made
no difference.

I'm stumped, in that the two servers are the same, and both have been
running fine for months.

Does anyone have any suggestions as to where I should start looking for the
cause?


Ken
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] "Cant open tmpfile" error

2005-02-04 Thread Cormack, Ken
David,

The problem turned out to be restricted perms on /tmp.  Instead of finding
them at 1777, I found them to be set to 755.  How they got like that, I'm
not sure.  However, we were testing some new backup/restore software on the
morning when the mail logs say the problem first started happening, and I
had the backup admin perform some test "restores to alternate directories",
to the /tmp directory on that server.  That was Tuesday.  I'm wondering if
the restore process somehow changed the perms on the directory, and am
following through with him on that hypothesis.

Ken



-Original Message-
From: David F. Skoll [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 03, 2005 4:52 PM
To: 'mimedefang@lists.roaringpenguin.com'
Subject: Re: [Mimedefang] "Cant open tmpfile" error


On Thu, 3 Feb 2005, Cormack, Ken wrote:

> Feb  3 16:16:09 mail02 mimedefang-multiplexor[574]: Slave 3 stderr:
> MIME::Parser: can't open tmpfile: Invalid argument

This is coming from deep in the guts of IO::File->new_tmpfile.
Could you have a TMPDIR environment variable set that's pointing
somewhere strange?  Could /tmp be full?

Regards,

David.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
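The checks David and Ken walked through in this thread (is TMPDIR pointing somewhere odd, is /tmp full, are its perms 1777 rather than 755) can be scripted so the next "can't open tmpfile" is diagnosed in seconds. The following POSIX shell function is an added example written for this archive page; it is not MIMEDefang code and not from anyone on the list. It assumes a system with ls, cut, mktemp, df and awk; the 1 MB free-space floor is an arbitrary default, and the inode check relies on df -i, which is not POSIX and is skipped when unavailable.

```shell
#!/bin/sh
# tmpdir_check: verify that a temp directory is in the state MIME::Parser's
# IO::File->new_tmpfile() needs.  Exit status 0 means every check passed.
# Checks: the directory exists, its mode is 1777 (world-writable + sticky),
# a file can really be created in it, and it has free blocks and free inodes.
# Written as an example for this thread, not taken from MIMEDefang; the
# free-space floor (second argument, in 1K blocks) is an arbitrary default.

tmpdir_check() {
    tc_dir="${1:-${TMPDIR:-/tmp}}"   # same precedence the Perl tmpfile code uses
    tc_min_kb="${2:-1024}"
    tc_rc=0

    echo "checking $tc_dir (TMPDIR=${TMPDIR:-unset})"

    if [ ! -d "$tc_dir" ]; then
        echo "FAIL: $tc_dir is not a directory"
        return 1
    fi

    # The first ten characters of ls -ld are the type and mode bits, e.g.
    # drwxrwxrwt.  Position 9 must be 'w' (world-writable) and position 10
    # 't' or 'T' (sticky bit), which together are mode 1777.
    tc_perms=$(ls -ld "$tc_dir" | cut -c1-10)
    case "$tc_perms" in
        d???????w[tT]) echo "ok:   mode is $tc_perms (1777)" ;;
        d???????w?)    echo "FAIL: $tc_perms is world-writable without the sticky bit; any user could remove other users' temp files"
                       tc_rc=1 ;;
        *)             echo "FAIL: $tc_perms is not world-writable; expected 1777"
                       tc_rc=1 ;;
    esac

    # Mode bits alone are not enough (ACLs, read-only mounts, running as root),
    # so actually create and remove a file the way new_tmpfile would.
    tc_probe=$(mktemp "$tc_dir/tmpdir_check.XXXXXX" 2>/dev/null)
    if [ -n "$tc_probe" ] && [ -f "$tc_probe" ]; then
        rm -f "$tc_probe"
        echo "ok:   can create files"
    else
        echo "FAIL: cannot create a file in $tc_dir"
        tc_rc=1
    fi

    # Free 1K blocks: 4th column of the data line of POSIX df -P.
    tc_avail=$(df -P "$tc_dir" 2>/dev/null | awk 'NR==2 {print $4}')
    case "$tc_avail" in
        ''|*[!0-9]*) echo "skip: could not read free space" ;;
        *) if [ "$tc_avail" -lt "$tc_min_kb" ]; then
               echo "FAIL: only ${tc_avail}K free (floor ${tc_min_kb}K)"
               tc_rc=1
           else
               echo "ok:   ${tc_avail}K free"
           fi ;;
    esac

    # Free inodes: a RAM disk or tmpfs can run out of inodes with blocks to
    # spare.  df -i is not POSIX, and some filesystems report 0 total inodes,
    # so skip quietly in both cases.  Format is "total:free".
    tc_inodes=$(df -Pi "$tc_dir" 2>/dev/null | awk 'NR==2 {print $2 ":" $4}')
    case "$tc_inodes" in
        ''|*[!0-9:]*|0:*) echo "skip: inode count unavailable" ;;
        *:0)              echo "FAIL: no free inodes in $tc_dir"; tc_rc=1 ;;
        *)                echo "ok:   ${tc_inodes#*:} free inodes" ;;
    esac

    return "$tc_rc"
}

# When run as a script with a directory argument, check it and exit with the
# result, e.g.:  sh tmpdir_check.sh /tmp
if [ $# -gt 0 ]; then
    tmpdir_check "$@"
    exit $?
fi
```

Run it on both gateways and diff the output; on Ken's secondary MX the first check would have reported drwxr-xr-x against the expected 1777, which is the whole story in one line.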


RE: [Mimedefang] Anyone using File::Scan?

2005-02-16 Thread Cormack, Ken
I can say the same thing, David.

I use it, and it scores many hits per day (in addition to other antivirus
engines that I run).  But I have received no complaints from users, though I
have not reviewed anything it flagged.

I like the idea of "--enable-filescan" during configure.

Ken

-Original Message-
From: Arthur Corliss [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 15, 2005 10:32 PM
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Anyone using File::Scan?


On Tue, 15 Feb 2005, David F. Skoll wrote:

> Hi,
>
> Does anyone use File::Scan with MIMEDefang?  It seems to cause a lot
> of problems with false positives.
>
> For the next release, I'm considering removing the auto-detection
> of File::Scan.  In other words, if you want File::Scan, you'll have to
> specifically ask for it in your filter.

I haven't reviewed any of the hits it gets, but I do use it, and over the past
year or two I haven't gotten any complaints about it.

--Arthur Corliss
  Bolverk's Lair -- http://arthur.corlissfamily.org/
  Digital Mages -- http://www.digitalmages.com/
  "Live Free or Die, the Only Way to Live" -- NH State Motto
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Anyone using File::Scan?

2005-02-16 Thread Cormack, Ken
That's cool.  I see your point.


-Original Message-
From: David F. Skoll [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 16, 2005 8:47 AM
To: 'mimedefang@lists.roaringpenguin.com'
Subject: RE: [Mimedefang] Anyone using File::Scan?


On Wed, 16 Feb 2005, Cormack, Ken wrote:

> I like the idea of "--enable-filescan" during configure.

I don't like that idea.  I'd rather have it so you put this in your
filter:

use File::Scan;
$Features{"File::Scan"} = 1;

to enable it.  Putting too much in configure makes life difficult for
package maintainers.

Regards,

David.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Anyone using File::Scan?

2005-02-16 Thread Cormack, Ken
-Original Message-
From: alan premselaar [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 16, 2005 9:25 AM
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Anyone using File::Scan?

::SNIP::

> I think the change would be good, because up until now, if File::Scan is 
> installed, it's used.  I could see a case where it may be installed but 
> not desired to be used.

Likewise, I have clam installed on my system (in addition to File::Scan),
but use clamd, and not clamscan, with MIMEDefang.  It didn't take much to
disable clamscan in my mimedefang.pl:

#$Features{'Virus:CLAMAV'}   = ('/usr/local/bin/clamscan' ne '/bin/false' ? '/usr/local/bin/clamscan' : 0);
$Features{'Virus:CLAMAV'}   = ('/bin/false' ne '/bin/false' ? '/bin/false' : 0);

Manually disabling an auto-enabled feature, or re-enabling a disabled,
formerly auto-enabled feature, makes little difference.

There are two camps of thought. One feels the potential for a
false positive is greater than the risk of letting a virus slip through.
The other feels the risk of a virus is greater than the risk of a
false positive.  Taking a stand on either side of that fence would be fodder
for an interesting discussion, I'm sure.

Which is worse... The company president not getting an email because a false
positive flagged one of his incoming emails?  Or opening up hundreds (if not
thousands) of desktop clients to a virus, with the resulting potential for
loss of productivity and data?  We share an Exchange "Global Address List"
with our parent company.  There are a LOT of addresses in there... Just ripe
for grabbing by some virus.  I suppose if the email to the president or the
board of directors were an offer to buy the company for $3 billion, he
wouldn't want to miss that.

Ken

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] MIMEDefang + HTML::Cleaner problem with UTF-8 an d other encodings

2005-02-23 Thread Cormack, Ken
> Running RH9 + Mimedefang-2.49 + anomy-HTMLCleaner-1.25

If memory serves, I remember there being discussion somewhere a couple of
years ago saying that RH9 was the first RH version to ship with the variable
"LANG" set to "UTF-8" in the file /etc/sysconfig/i18n, and that this was
causing some weirdness with certain perl functions.

I don't know where you are located, but you might try setting "LANG=en_US"
in /etc/sysconfig/i18n (the same way that RH8 was set), and see if that
helps.

Ken
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] re:MIMEDefang + HTML::Cleaner problem with UTF-8 and other encodings

2005-02-24 Thread Cormack, Ken
> Checked on another system running the same software but on RH7.3 - same problem.
> Does RH7.3 also have the UTF-8 problem?
> The /etc/sysconfig/i18n file in RH7.3 doesn't contain any UTF-8 definitions.

I wasn't certain the LANG variable would be a solution... It was just
something I remembered about perl in general, under Red Hat 9.  I tracked
down the message I had seen, that first mentioned perl weirdness.  It's
here: http://info.ccone.at/INFO/Mail-Archives/redhat/May-2003/msg00319.html

The message discussed problems building a particular perl module.  My
thought was that maybe you had a bad build of a module somewhere.

Ken
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Trying to find cause of tempfails

2005-03-07 Thread Cormack, Ken
Group,

This morning, I've been trying to diagnose a type of tempfail I'm repeatedly
seeing when a particular party tries emailing us.  The tempfail verbiage
is nondescript, and doesn't match any strings I've got in my filter.
Perhaps one of you could help identify the reason these are tempfailing?

Just one such example looks like this (some address munging applied, to
protect the innocent)...

Mar  7 01:00:19 mail01 sendmail[31935]: j2760J2V031935:
from=<[EMAIL PROTECTED]>, size=26614, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA,
relay=gbhub.mungeddomain.com [151.147.XXX.32]
Mar  7 01:00:21 mail01 sendmail[31935]: j2760J2V031935: Milter: data,
reject=451 4.3.2 Please try again later
Mar  7 01:00:21 mail01 sendmail[31935]: j2760J2V031935:
to=<[EMAIL PROTECTED]>, delay=00:00:02, pri=56614, stat=Please try
again later

As you can see, the log entries don't say much, and none of my rules (that
I'm aware of) send a "451 4.3.2" tempfail, specifically.

Anyone recognize this?

Ken
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

