[Mimedefang] Mimedefang - ClamAV statistical data?

2017-09-13 Thread Fred de Brouwer
Dear mailing list members,


Our Mimedefang environment consists of the following:
- ClamAV [clamd].
- SpamAssassin including a module:  Stats.pm.
https://wiki.apache.org/spamassassin/StatsPlugin

In the section filter_begin the Virus-scan is performed and when virus/malware 
is detected it is bounced using:
- return action_bounce("Virus $VirusName detected/not accepted here");

The Stats.pm module stores statistical data based on the SpamAssassin score in 
a database and because the Antivirus scan is performed separately from 
SpamAssassin the statistics module does not ‘know’ the Antivirus-scan outcome 
and as such no statistical data is stored. I would like to add statistical data 
from the VirusScanner as well and if possible to use the Stats.PM module 
directly from within Mimedefang.


* The question I have:
Has someone successfully used such a module directly from within Mimedefang?
Maybe some coding example or some other idea when applicable?


Any help would be much appreciated.

Kind regards
 Fred de Brouwer


___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] adding promotional banner to top of email

2017-06-26 Thread Fred de Brouwer
On 26 Jun 2017, at 08:55, Mark Coetser  wrote:
> 
> On 24/06/2017 16:22, Dianne Skoll wrote:
>> On Sat, 24 Jun 2017 10:18:59 -0400
>> Dianne Skoll  wrote:
>> 
>>> You'd need to roll your own.  It's non-trivial, given the infinite
>>> ways HTML can be malformed.
>> 
>> I would also echo the comments of others on the list who have recommended
>> against this.  Adding promotional material to emails will quickly
>> get them marked as spam, and if you add it to emails in transit that you
>> did not originate, you could quite possibly be breaking the law.
> 
> Thanks for all the input everyone, I have already advised the customer about 
> all these issues but they dont care
Most likely ‘they’ will start to care when things go terribly wrong, especially 
when reputation damage occurs.




[Mimedefang] Found typo in module (./script/mimedefang-util @ v2.78)...

2016-05-25 Thread Fred de Brouwer
Hi,

While trying to sort out the behaviour of a new type of malware 
I found a typo in the shebang line in one of the perl-modules:
./script/mimedefang-util

It is missing the path to the perl binary...
It’s not a big problem, the tool can be started by prepending perl
on the command line. It would be nice to be corrected in future releases.


-=-

This is the list of files having the perl-shebang line: (contrib filtered)

~/src/mimedefang-2.78$ grep -R '#!.*perl' .  | grep -v contrib
./mimedefang-notify.7:#!/usr/bin/perl -w
./mimedefang.pl:#!/usr/bin/perl
./script/mimedefang-util:#!perl -w    <- misses the path "/usr/bin/"
./mimedefang-notify.7.in:#!/usr/bin/perl -w

--
Met vriendelijke groet / Kind regards,
 Fred de Brouwer






Re: [Mimedefang] rfc822_date test (was Re: Any way to get MD to accept a Postfix queue ID at RCPT time?)

2015-04-29 Thread Fred de Brouwer
It might be worthwhile to check the POSIX strftime Clib-function:


As example:
$ perl -we 'use POSIX; print strftime("%a, %d %b %Y %H:%M:%S %z", localtime(time())) . "\n"'
Wed, 29 Apr 2015 16:45:31 +0200

$ date --rfc-822
Wed, 29 Apr 2015 16:45:32 +0200



I am unfamiliar with differences in platforms or impact in code when used ...

--
Met vriendelijke groet / Kind regards,
 Fred de Brouwer



On 29 Apr 2015, at 16:29, Dianne Skoll d...@roaringpenguin.com wrote:

> On Wed, 29 Apr 2015 10:17:34 -0400
> Bill Cole mdlist-20140...@billmail.scconsult.com wrote:
>
>> I am quite happy to hear that it was a summer intern who wrote that.
>> It didn't seem up to the quality I'm used to seeing in MD and I'm
>> glad it isn't a sign of encroaching senility (but I project...)
>
> :)
>
> No, I'm not senile yet.  OK, since my recent life change I've started
> crying at pictures of puppies and babies and craving chocolate... but
> I digress...
>
> I'll look at implementing a sane test for rfc2822_date that doesn't rely
> on the OS date command at all.
>
> Regards,
>
> Dianne.



[Mimedefang] running mimedefang with a second instance of spamassassin

2012-04-19 Thread Fred Bacon
I could use some advice.  I'm running mimedefang 2.73, spamassassin
3.3.1 and perl 5.10.1 on a Red Hat 6.2 machine.

I'm putting the finishing touches on a project that I started a couple
of months ago.  The idea is to run a second instance of spamassassin
from my mimedefang filter with a special set of rules.  In my case,
I'm not trying to detect spam, I'm trying to detect certain types of
messages coming in to a specific address and route them to specific
people.  After testing my rules against a corpus of about 750
messages, I feel confident that that is working correctly.

To create a second instance of spamassassin, I copied the relevant
code from mimedefang.pl, changed the function names and put them into
my mimedefang-filter.   Instead of using SASpamTester, I create
another instance of spamassassin and use that within my filter.

Unfortunately, this is only working intermittently.  Maybe every fifth
or sixth message will be detected.  The remaining messages return no
matched rules at all!  I've attached a copy of my mimedefang-filter
file.

When I run spamassassin from the command line with my rules, I use the
following options

spamassassin -C /etc/mail/journal -t -L  message

This recognizes even those messages which aren't recognized from my
mimedefang-filter.  Furthermore, it doesn't use the standard rules, so
that only my special rule set is used.

Within my filter, I've variously tried setting site_rules_filename,
rules_filename and both together equal to /etc/mail/journal, but the
results are not equivalent to what I get with the command line.
Usually (but not always!), no rules will match on the message
whatsoever.  Can someone tell me if I'm doing this wrong?

Thanks for any help that you can give me.

Fred Bacon




I'll pull out a few of the important sections from my filter.  First
is my initialization subroutine

sub sa_journal_init (;$) {
    my($config) = @_;
    my $LOCAL_SITE_RULES_DIR = '/etc/mail/journals';
    my $LOCAL_STATE_DIR = '/var/lib';

    unless ($Features{SpamAssassin}) {
        md_syslog('err', "Attempt to call SpamAssassin function, but SpamAssassin is not installed.");
        return undef;
    }

    # Create the second SpamAssassin object only once per worker
    if (!defined($SAToCTester)) {
        if (!defined($config)) {
            if (-r '/etc/mail/sa-mimedefang.cf') {
                $config = '/etc/mail/sa-mimedefang.cf';
            } else {
                return undef;
            }
        }

        my $sa_args = {
            local_tests_only    => 1,
            dont_copy_prefs     => 1,
            site_rules_filename => $LOCAL_SITE_RULES_DIR,
            userstate_dir       => $LOCAL_STATE_DIR,
            userprefs_filename  => $config,
            user_dir            => $Features{'Path:QUARANTINEDIR'},
        };

        $SAToCTester = Mail::SpamAssassin->new( $sa_args );
        pop_status_tag();
    }

    return $SAToCTester;
}


In my filter_end section, I've added the code:

# First we want to deal with journals.
# We require that SpamAssassin be installed, since our scheme is based
# on SpamAssassin rules.
if ($Features{SpamAssassin}) {
    # we want to search the list of recipients
    foreach $rcpt (@Recipients) {
        # We are only testing for TOCs in xxx and yyy's email
        if ( $rcpt =~ /^<?(xxx|yyy)\@example\.com>?$/i &&
             !($Subject =~ /\[TOC\]/) ) {
            # first let's see if this is a journal.
            # We use a special instance of SpamAssassin with a limited
            # number of rules related to journals.
            my($hits, $req, $names, $report) = sa_journal_check();

            # Debugging help
            md_syslog ( 'warning', "Journal Names:  $names" );
            md_syslog ( 'warning', "Journal Subject: $Subject" );
            action_change_header ( "X-Journal-Rules", $names );

            # We should only have matched one journal,
            # but take precautions just in case
            @journals = split /,/, $names;
            foreach $jname (@journals) {
                if ( exists $journal_list{$jname} ) {
                    # Okay, this is a journal, we need to remove the current
                    # addressee and redirect the message to the mailing list
                    delete_recipient($rcpt);
                    action_change_header("To", 'w...@example.com');
                    add_recipient('w...@example.com');

                    # we need to add the journal tag as a Keywords header
                    # so that GNU Mailman will recognize it.
                    action_change_header("Keywords", $jname );

                    # Since this was a journal table of contents, let's return here.
                    md_graphdefang_log('mail_in');
                    return;
                }
            }
        }
    }
}



Re: [Mimedefang] MIMEDefang Digest, Vol 101, Issue 2

2012-02-06 Thread Fred Bacon
On Mon, 2012-02-06 at 12:00 -0500, 
>> Now, does this sound reasonable, or is it too complex?
>
> Why don't you just add the mailing list address(es) directly as a
> recipient when you add the headers?  You can write a lookup script in
> mimedefang to match the mailing list addresses with the subject
> matter.

I think that you are correct.  It is probably the easier way to go.  As
I came to the end of writing my original message, that idea struck me as
a possibility.  It was one of the reasons for writing everything down.
Explaining your idea is often the best way to find its strengths and
weaknesses.

Thanks,

Fred



[Mimedefang] suspicious characters in headers

2010-08-12 Thread Fred Bacon
Lately, I've been having problems with legitimate messages being
quarantined due to suspicious characters in headers.  The messages in
question come from a Government mailing list from the National Institute
of Allergy and Infectious Diseases.  I can't see anything which I would
consider suspicious in the headers listed in the quarantine message.

Could someone explain what constitutes suspicious characters and how
this might be circumvented for these messages?  Is there any control
over the algorithm, or is this a case where I have to turn off this
feature completely to avoid the problem?

I'm running mimedefang 2.68 on a fully patched CentOS 5 system.

Fred Bacon




Re: [Mimedefang] Blocking tiny messages

2006-12-14 Thread Fred Tarasevicius
Hello Kenneth,

Tuesday, December 5, 2006, 4:14:20 AM, you wrote:

> Given the recent run of messages that contain just a short number, I'm
> inclined to reject any message that contains a body of less than 20-40
> bytes as being a nuisance. Does anyone have a piece of code that does that?
> (I'll copy it to the wiki.)

It would be a safer idea to look at the headers of a few of these
short messages and see if you can find the hidden secret.  There's a
surprise in it for you if you can, you'll have a safe sign to remove
these from your server and a safe rule you can use if this botnet
reactivates with stupid configuration.  For the blind, look at the
message-id and you'll see some easy pattern matching.


header   FH_MSGID_00  MESSAGEID =~ /\$\@/
describe FH_MSGID_00  Special MSGID
score    FH_MSGID_00  10




-- 
Best regards,
 Fred  mailto:[EMAIL PROTECTED]



[Mimedefang] Amusing coincidence

2006-04-13 Thread Fred Bacon
I need some advice on how to avoid a problem in the future.  One
employee received a message with the Subject

Person's Name sent you and email from www.marriot.com

She forwarded the message using Thunderbird to another employee.
Thunderbird attached the forwarded message as an attachment using the
Subject line as the name for the attachment.

MIMEDefang stripped the attachment out of the message and sent me the
notice:
 
 A MULTIPART attachment of type message/rfc822, named Person's Name
 sent you an email from www.marriott.com was dropped.

It took me some time to recognize what happened.  The file name
manufactured by Thunderbird from the subject line happens to end with
what looks like a .com extension.

My filter_multipart subroutine is pretty basic (see relevant section
below), but I need two bits of advice.  The action_notify_administrator
succeeded.  The action_quarantine message was put into the email when
the attachment was stripped out.  However, the attachment did not
actually end up in the quarantine directory!

===
sub filter_multipart () {
    my($entity, $fname, $ext, $type) = @_;

    return if message_rejected(); # Avoid unnecessary work

    # Drop and quarantine any part whose file name looks dangerous
    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        action_notify_administrator("A MULTIPART attachment of type $type, named $fname was dropped.\n");
        return action_quarantine($entity, "An attachment of type $type, named $fname was removed from this document as it\nconstituted a network security hazard.  If you require this document, \nplease contact the sender and arrange an alternate means of receiving it.\n");
    }
    ...

    return action_accept();
}
===

So I have two questions:

1) What happened to the quarantined attachment?

2) Will changing the conditional

 if (filter_bad_filename($entity)) 

   to

 if (filter_bad_filename($entity) and ($type ne "message/rfc822"))

   prevent a similar event from recurring?

I'm running MIMEDefang 2.52. 

Fred Bacon
Senior Scientist
Aerodyne Research, Inc.
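
The false positive described in the message above, reproduced on a constructed part tree as an added example (not code from the post or from MIMEDefang). The extension list is an abbreviated assumption, and `naive_bad_filename`, `typed_bad_filename` and `dropped_parts` are hypothetical names. It models exempting only the message/rfc822 container from the file-name test while the parts inside it are still checked:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Abbreviated extension list (assumption for this example; a production
# filter carries a much longer one).
my $BAD_EXTS = qr/\.(?:bat|cmd|com|exe|pif|scr|vbs)\.*\z/i;

# Naive check: any name ending in a listed extension is "bad".
sub naive_bad_filename {
    my ($fname, $type) = @_;            # $type is deliberately ignored
    return (defined($fname) && $fname =~ $BAD_EXTS) ? 1 : 0;
}

# Type-aware check: the name of a forwarded message is derived from its
# Subject line, so it says nothing about file type. Only the container is
# exempt; the walker below still tests every part inside it.
sub typed_bad_filename {
    my ($fname, $type) = @_;
    my $t = defined($type) ? lc($type) : '';
    return 0 if $t eq 'message/rfc822';
    return naive_bad_filename($fname, $type);
}

# Walk a part tree and return the names of the parts that would be dropped.
# A dropped part takes its children with it, so the walk stops there.
sub dropped_parts {
    my ($part, $check) = @_;
    if ($check->($part->{name}, $part->{type})) {
        return ($part->{name});
    }
    return map { dropped_parts($_, $check) } @{ $part->{parts} || [] };
}

# Constructed message: one harmless forward whose name ends in ".com",
# and one forward that really does carry an executable.
my $message = {
    type  => 'multipart/mixed',
    parts => [
        { type => 'text/plain' },
        { type  => 'message/rfc822',
          name  => "Person's Name sent you an email from www.marriott.com",
          parts => [ { type => 'text/html' } ] },
        { type  => 'message/rfc822',
          name  => 'Fwd: see www.example.com',
          parts => [ { type => 'application/octet-stream',
                       name => 'update.exe' } ] },
    ],
};

print "naive drops: $_\n" for dropped_parts($message, \&naive_bad_filename);
print "typed drops: $_\n" for dropped_parts($message, \&typed_bad_filename);
```

With the naive check both forwarded messages are dropped whole because of their names; with the type-aware check only update.exe is dropped.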




Re[2]: [Mimedefang] Re: [SURBL-Discuss] Fw: Interesting Phishing Trick

2006-03-17 Thread Fred Tarasevicius
Hello Kevin,

Friday, March 17, 2006, 1:13:02 PM, you wrote:

> However, just today or yesterday there was a new rule that did an eval test
> and some num of link proportions that I'm looking forward to seeing results
> from.  It was an idea from Fred Tarasevicius.

Yes it was me helping with ideas on this one, just curious, how did
you hear it was me?  I was talking with Theo through e-mail and I
never seen any mention on the -dev list about my name ;)
Thank you,

-- 
Best regards,
 Fred  mailto:[EMAIL PROTECTED]



[Mimedefang] Requesting help making a mod to my filter

2005-10-25 Thread Fred
Hello,
I would like to modify my filter to include the scores for the spamassassin
tests next to the name of the test,
Using SA config options you can make your X-Spam-Score line look like this:

BAYES_50=0.001,HTML_MESSAGE=0.0001,FOO=1.0, etc.

Is it possible to reproduce this in the mimedefang-filter?

Thank you,

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400



[Mimedefang] Slave died prematurely and SpamAssassin

2005-09-26 Thread Fred Bacon
Hi,

This may simply be the result of my doing things incorrectly, but I have
been seeing an increase in the number of Slave x died
prematurely...check your filter rules messages in my logs.  This
results in messages failing to be delivered. 

I'm running MIMEDefang 2.52 and SpamAssassin 3.0.4 on a Fedora Core 2
system.  I've set MX_EMBED_PERL=yes in my /etc/sysconfig/mimedefang
file.

After some research, the problem seems to correlate with any change to
the SpamAssassin configuration files.  If I add an address to the white
list, or create a new rule, or get an update from SARE and then I run
/sbin/service mimedefang reread (or even do nothing) the mimedefang
slaves start dying at an increasing rate.  Running /sbin/service
mimedefang restart fixes the problem. 

Was I doing the wrong thing all along, or should giving the multiplexor
the reread command have worked?  

What are the consequences of giving the restart command while incoming
mail is being processed?

If you make changes to the SpamAssassin configuration, what is the
appropriate way to make MIMEDefang recognize and utilize those changes?

Fred

-- 
Fred Bacon [EMAIL PROTECTED]
Aerodyne Research, Inc.



[Mimedefang] Invoking multiple virus scanners

2005-06-01 Thread Fred Bacon
When you have more than one virus scanner installed and used by
mimedefang, is there a way to specify the order in which they are
invoked.  For political reasons, I would like to have TrendMicro's
virus scanner invoked before ClamAV.

-- 
=
 Fred Bacon email: [EMAIL PROTECTED]
 Aerodyne Research, Inc. http://www.aerodyne.com
 45 Manning Rd  Phone: (978) 663-9500 ext 273
 Billerica, MA 01821-3976 FAX: (978) 663-4918
=
Me spill chukker woks grate, I needle gramma chicken!



[Mimedefang] Mangled Message

2004-05-12 Thread Fred Felgenhauer
Has anyone seen this happen?  All of the header info appears in the message
body.

Since the X-Spam-Flag header is in the body and not the header, the

message is not Spam anymore!

Below is how the message shows up in the mail client.

This only happens rarely on one box.

MD/SA/Sendmail box relays to Exchange 2000 with rule.dll server side

rules looking for X-Spam-Flag Header.

Anybody seen anything similar?


From: Henry Parsons [mailto:[EMAIL PROTECTED]
Sent: None
To: Matson, Bruce H.
Subject: free digital cable celibacy grout whirligig

Date: Mon, 10 May 2004 02:00:53 +0600 EST
Message-ID: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary=--=_1084173322-19309-485
X-Spam-Score: 14.8 (**)
CLICK_BELOW,EXCUSE_14,FOR_FREE,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_B
ASE64_ILLEGAL,MIME_BASE64_TEXT,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,MIME_
HTML_ONLY_MULTI,NEW_DOLLARS,NEW_EXCLAM,NEW_FREE,NEW_LCOST,OFFERS_ETC,RCV
D_IN_RFCI,REMOVE_PAGE,SUB_FREE_OFFER
X-Spam-Flag: YES
X-Scanned-By: MIMEDefang 2.39
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 10 May 2004 07:15:22.0606 (UTC)
FILETIME=[8EEED8E0:01C4365E]

This is a multi-part message in MIME format...

=_1084173322-19309-485
Content-Type: multipart/alternative; boundary=--076203815710757793
Content-Transfer-Encoding: binary

This is a multi-part message in MIME format...

076203815710757793
Content-Type: text/html;
Content-Transfer-Encoding: base64
Content-Disposition: inline

TmV4dCBHZW5lcmF0aW9uIFBQViBEZXZpY2UuLi4uLg0KDQpObyBNb3JlIFBh
eWluZyBmb3IgTW92aWVzICYgRXZlbnRzIG9uIENBQkxFIQ0KDQpGcmVlIFRW
IGlzIEhlcmUhDQoNCk5FVyEhISEgLS0tICAgIEVsaW1pbmF0ZSBDYWJsZSBC

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Filter modification help needed

2004-03-30 Thread Fred
Hello,
I'm wondering if it would be a good idea to add a header for the primary MX
server for the domain in the From: header.

Adding this header might allow for some nice rules in SpamAssassin to be
developed.

I'm currently adding HELO, RCVD_IP and RCVD_HOST, and creating rules for
HELO with much success!

I'm seeing a few sites using 127.0.0.1 as a primary MX for their domain and
I want to see if a SA rule might help here.

I would prefer to do this by adding a header and checking the contents of
the header with a SA rule. (whitelisting in SA)

I need help producing the primary MX of the from domain, I can handle adding
the headers and making the rules.

Thanks for any help you can offer.

Freddy T
http://www.FreddyT.com/



Re: [Mimedefang] Getting started with MIMEDefang

2004-03-16 Thread Fred
Jason Williams wrote:
> Hello everyone.

Hello!

> I recently started working with MIMEDefang here. I've been able to get the
> default setup working 'out of the box' sort a speak, but I was looking to
> build upon what I currently have.

I am doing exactly the same as you are.

> Setup:
>
> FreeBSD 4.9
> Sendmail 8.12.11 (built from Ports tree)
> MIMEDefang 2.39 (built from ports)

This is the same here again, however 2.41 is released now, it's easy to
install over your current setup.
(since you installed the ports version of MD 2.39, you can install the
source version of 2.41 and everything will work fine)
You didn't mention your perl version?  I installed 5.6.1 (hearing of many of
my favorite programs requiring this or newer).

> Basically, after building both sendmail and MIMEDefang from the ports tree,
> making a few adjustments to sendmail, MIMEDefang was working. It was
> stripping off attachments like it should, which is great. However, im
> looking to expand upon this using both ClamAV as well as SpamAssassin.

I took this same approach, ClamAV can be a little trouble installing, it
requires a lot of additional requirements.  Once you get past that, it seems
to do the job great for us.  It all depends on how you install (ports vs.
source).


> Granted, I am new to MIMEDefang and I am by no means, a Perl expert, but I
> can get by.

Sounds like me again, show me some code and I can tweak it all night ;)  Two
weeks ago I never seen FreeBSD before, today I am using it for inbound mail
relays.


> First thing I wanted to ask was in regards to ClamAV. I see that I can use
> both CLAMD and CLAMAV and wanted to see if there was a recommendation on
> one of this. Is one better than the other, or will with they both work?

Being only 2 weeks into this project, I seem to understand clamd is a daemon
version of clamav.
With 2.4x of MIMEDefang, it uses multiple virus scanners if they are
installed, but does this apply to
clamav & clamd?  Will it use one if the other fails?  Hopefully someone else
can clear this bit up for both of us.

> Secondly, is concerned with having MIMEDefang call the virus scanner. I was
> reading through mimedefang-filter, and see the sections that you can
> specify the scanner. Do I need to do anything to the list, like possibly
> move clamav to the top, or possibly remove the other entries for the virus
> scanners?

Improvements in 2.4x versions use all virus scanners by default.  I'm not
sure how this works with clamd & clamav (clamscan?).


> I'll stop right there for the time being. I want to make sure I can get
> MIMEDefang working first with the AV scanner, and then i'll proceed on to SA.

I'll try and help as much as I can, now that I am able to understand this
program, I would like to help others do the same.  Blocking during the SMTP
session is the answer to all my problems and I am so grateful this program
allows me to do that!  Thank you to those in charge of development!

I have a graph of our e-mail traffic on the bottom of our homepage (in my
sig).

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/



[Mimedefang] all_spam_to question

2004-01-29 Thread Fred Felgenhauer
Here is my workaround. I am doing stream_by recipient and score
USER_IN_ALL_SPAM_TO set to 0 (or else
other recipients of same e-mail get message tagged as not spam)

How costly is reading the local.cf for each recipient?

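sub all_spam_to () {
    # With stream_by_recipient there is exactly one recipient
    $username = $Recipients[0];
    $username =~ tr/<>//d;    # strip the angle brackets
    $allspam = "all_spam_to $username";
    open(CF, "/etc/mail/spamassassin/local.cf") or return 0;
    while (<CF>) {
        # \Q...\E matches the address literally, not as a regex
        if (/^\Q$allspam\E/i) {
            close(CF);
            return 1;
        }
    }
    close(CF);
    return 0;
}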

# In filter_end:

if (all_spam_to()) {
    md_syslog('warning', "Skipping SpamAssassin\n");
} else {
    # run SA checks
}
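
On the cost question in the message above, an added example (not part of the original post or of MIMEDefang): parse the all_spam_to lines once per worker process, re-read the file only when its mtime changes, and match the recipient literally. The helper names and the sample configuration are constructed for illustration, and the parser assumes all_spam_to takes the same address format as SpamAssassin's other address lists (several addresses per line, `*` and `?` wildcards).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# path => { mtime => ..., patterns => [ qr/.../, ... ] }
# A filter worker serves many messages, so this survives between them.
my %cache;

# Turn one address glob into an anchored regex. Only "*" and "?" are
# wildcards; every other character (".", "+", ...) is matched literally.
sub glob_to_regex {
    my ($glob) = @_;
    my $re = join '', map {
        $_ eq '*' ? '.*' : $_ eq '?' ? '.' : quotemeta($_)
    } split //, $glob;
    return qr/\A$re\z/i;
}

# Extract every all_spam_to address from configuration text.
sub parse_all_spam_to {
    my ($text) = @_;
    my @patterns;
    for my $line (split /\n/, $text) {
        $line =~ s/#.*//;                       # drop comments
        next unless $line =~ /^\s*all_spam_to\s+(\S.*)$/;
        push @patterns, map { glob_to_regex($_) } split ' ', $1;
    }
    return \@patterns;
}

# Return the compiled patterns, re-reading the file only if it changed.
sub load_all_spam_to {
    my ($path) = @_;
    my $mtime = (stat($path))[9];
    return [] unless defined $mtime;            # no file: nobody is exempt
    my $entry = $cache{$path};
    return $entry->{patterns} if $entry && $entry->{mtime} == $mtime;

    open(my $fh, '<', $path) or return [];
    local $/;                                   # slurp the whole file
    my $text = <$fh>;
    close($fh);
    my $patterns = parse_all_spam_to(defined $text ? $text : '');
    $cache{$path} = { mtime => $mtime, patterns => $patterns };
    return $patterns;
}

# True if the recipient (given as <user@domain>) is listed.
sub is_all_spam_to {
    my ($recipient, $patterns) = @_;
    (my $addr = $recipient) =~ tr/<>//d;
    for my $re (@$patterns) {
        return 1 if $addr =~ $re;
    }
    return 0;
}

# Constructed sample configuration, written to a temporary file.
my ($fh, $path) = tempfile(UNLINK => 1);
print $fh <<'CF';
# constructed sample, not a real local.cf
required_score 5.0
all_spam_to abuse@example.com post.master@example.com
all_spam_to *@lab.example.com
CF
close($fh);

for my $rcpt ('<abuse@example.com>', '<postXmaster@example.com>',
              '<fred@lab.example.com>', '<boss@example.com>') {
    my $patterns = load_all_spam_to($path);     # cached after the first call
    printf "%-28s %s\n", $rcpt,
        is_all_spam_to($rcpt, $patterns) ? 'skip SpamAssassin'
                                         : 'run SpamAssassin';
}
```

The second address shows why the dot has to be escaped: postXmaster@example.com is not treated as listed even though post.master@example.com is.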



[Mimedefang] Check extensions before virus scan

2004-01-27 Thread Fred Felgenhauer
I am having trouble figuring out how to check for bad extensions BEFORE
doing a virus scan (sweep). I am trying to bounce because of a bad extension
first
to avoid the expense of scanning for viruses. No matter what I try, virus
scanning always
happens first, anybody doing this?

Fred



[Mimedefang] all_spam_to question

2004-01-24 Thread Fred Felgenhauer

I am running MD/SA forwarding to another mail server with no local delivery,
stream_by_recipient is setup correctly and working fine. I cannot find a way
around this problem though:

SA local.cf has all_spam_to [EMAIL PROTECTED] A spam message will come in
with recipients usera, userb and userc.
SA tags the message as not spam for userb and userc also.

I even tried this:

sub filter_recipient {
    if ( $recipient =~ /[EMAIL PROTECTED]/ ) {
        return('ACCEPT_AND_NO_MORE_FILTERING', "ok");
    } else {
        return('CONTINUE', "ok");
    }
}

This just stops filtering on the entire message, not just the one recipient.

I scoured the list and cannot find a way around this behaviour.

I thought stream_by_recipient breaks up the message into (in this case)
three separate messages then when they get
to filter_end, get the SA check separately. Not the case, all messages get
scored as all_spam_to in my case.

Must I replace the recipient list
(TO:[EMAIL PROTECTED];[EMAIL PROTECTED];[EMAIL PROTECTED])
on each separate message with TO:[EMAIL PROTECTED] on the first one,
TO:[EMAIL PROTECTED] on the second one and TO:[EMAIL PROTECTED] on the
first one ? Where, filter_recipient, filter_begin? possible?

So does all_spam_to mean all_spam_to all recipients of message if any one
recipient matches at that that?

Just because one employee wants porn e-mails or something, the boss now gets
it too since the message is TO:
[EMAIL PROTECTED] and [EMAIL PROTECTED]

Bossman is not happy.

Thank all,

Fred

