[Mimedefang] Discarding bounces from mydoom, and other viruses that send out fake From: info

2004-02-02 Thread Graham Dunn
Does anyone have mimedefang-filter code to drop the "you sent us a 
virus" messages from the less clueful anti-virus engines? (Or point to 
the archives ...)

Thanks,
Graham
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Mimedefang whitelist_to

2004-02-12 Thread Graham Dunn
Do the spamassassin calls that mimedefang makes use the whitelist_to, etc 
settings in sa-mimedefang.cf?

I ask because a couple addresses I have in there get mail with 
Spamassassin markup showing scores in the 1-2 range. Or am I not clear 
on how the whitelisting process will manifest itself?

Thanks,
Graham
--
Graham Dunn, IT Manager
Inscriber Technology, 26 Peppler St, Waterloo, ON, CA N2J3C4
519 570 9111 x243


[Mimedefang] Status of multiple AV scan in v2.39

2004-03-03 Thread Graham Dunn
I vaguely remember some mention that this version supported scanning 
using multiple engines, rather than the "first found" approach.

Is this the case or am I sadly confused?

Thanks,
Graham


RE: [Mimedefang] Password protected Bagle.F

2004-03-05 Thread Graham Dunn
Lucas Albers said:

>As near as I understand from the clamav list.
>Clam cannot detect encrypted viruses.
>I believe this is a flaw in clamav, that cannot be easily remedied.
>This is "To the best of my knowledge."

>You have some options.
>Add in another virus scanner.
>Bounce password protected zips.
>Bounce zips.
>Bounce password protected zips with certain file types.
>The easiest thing to do, and what I am doing currently, is bounce zip
>files for a few days, while I figure out what to do on my internal mail
>server.
>http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html

>This is the first salvo in widespread adoption of password protected zip
>files imo.
>So consider zip-encrypted files a new file type extension.
>So I recommend to block:
>zip-encrypted zip files by default.

OK, maybe I'm mistaken, but I'm blocking quite a few password protected 
virus email (Worm.Bagle.Gen-zippwd, Worm.Bagle.F-zippwd-3). Is there a 
difference between "encrypted" and "password protected"? I'm using the 
following clamav.conf:

LogFile /var/log/clamav/clamd.log
PidFile /var/run/clamav/clamd.pid
LocalSocket /var/spool/MIMEDefang/clamd.sock
FixStaleSocket
StreamSaveToDisk
MaxDirectoryRecursion 15
User mailnull
ScanMail
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000

The *-zippwd viruses were not getting caught until I added the 
"ScanMail" directive.

Graham
--
Graham Dunn, IT Manager
Inscriber Technology, 26 Peppler St, Waterloo, ON, CA N2J3C4
519 570 9111 x243


[Mimedefang] Slaves dying shortly after startup

2004-03-28 Thread Graham Dunn
This started happening this afternoon, after I changed
mimedefang-filter. When the slaves started dying, I reverted my changes,
and restarted, but the problem persisted. I've tried running with the
stock suggested-minimum-filter-for-windows-clients filter, same problem.

The multiplexor will start the two slaves, which will then use all the
CPU available like so:

CPU states: 95.0% user,  0.0% nice,  3.1% system,  1.9% interrupt,  0.0% idle
Mem: 78M Active, 59M Inact, 30M Wired, 376K Cache, 48M Buf, 205M Free
Swap: 512M Total, 512M Free

  PID USERNAME  PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 9910 mailnull   53    0 26120K 25768K RUN      0:06 52.12% 22.07% perl
 9921 mailnull   53    0 15476K 15096K RUN      0:04 48.24% 15.92% perl


They'll run like that for a minute, then die:

Mar 28 23:00:46 media mimedefang-multiplexor: started; minSlaves=2,
maxSlaves=10, maxRequests=500, maxIdleTime=300, busyTimeout=600,
clientTimeout=10
Mar 28 23:00:46 media mimedefang-multiplexor: Starting slave 0 (pid
9910) (1 running): Bringing slaves up to minSlaves (2)
Mar 28 23:00:47 media mimedefang[9920]: Multiplexor alive - entering
main loop
Mar 28 23:00:49 media mimedefang-multiplexor: Starting slave 1 (pid
9921) (2 running): Bringing slaves up to minSlaves (2)
Mar 28 23:01:06 media mimedefang-multiplexor: Slave 0 stderr: Out of
memory!
Mar 28 23:01:06 media mimedefang-multiplexor: Reap: Idle slave 0 (pid
9910) exited normally with status 1 (SLAVE DIED UNEXPECTEDLY)
Mar 28 23:01:06 media mimedefang-multiplexor: Slave 0 resource usage:
req=0, scans=0, user=10.142, sys=0.557, nswap=0, majflt=0, minflt=14691,
maxrss=31840, bi=0, bo=0
Mar 28 23:01:08 media mimedefang-multiplexor: Slave 1 stderr: Out of
memory!
Mar 28 23:01:08 media mimedefang-multiplexor: Reap: Idle slave 1 (pid
9921) exited normally with status 1 (SLAVE DIED UNEXPECTEDLY)
Mar 28 23:01:08 media mimedefang-multiplexor: Slave 1 resource usage:
req=0, scans=0, user=10.155, sys=0.473, nswap=0, majflt=0, minflt=14691,
maxrss=31840, bi=0, bo=0

The multiplexor will then restart them and the cycle will continue
indefinitely. There's no mail coming into the system, nothing queued
(mailq reports empty). Is there a way to see what they're trying to do?
This is using perl from ports, and as far as I can see, the right
version is getting hit:

media# ls -l `which perl`
lrwxr-xr-x  1 root  wheel  19 Feb 24 15:32 /usr/bin/perl ->
/usr/local/bin/perl

media# /usr/local/bin/perl -v

This is perl, v5.6.1 built for i386-freebsd

This is under freebsd 4.7, perl 5.6.1, mimedefang 2.41:

Archive::Zip  : yes
HTML::Parser  : yes
HTML::TokeParser  : yes
Path:CONFDIR  : yes (/usr/local/etc/mimedefang)
Path:QUARANTINEDIR: yes (/var/spool/MD-Quarantine)
Path:SENDMAIL : yes (/usr/sbin/sendmail)
Path:SPOOLDIR : yes (/var/spool/MIMEDefang)
SpamAssassin  : yes
Virus:CLAMAV  : yes (/usr/local/bin/clamscan)
Virus:CLAMD   : yes (/usr/local/sbin/clamd)
File::Scan: no
HTMLCleaner   : no
Unix::Syslog  : no
Virus:AVP : no
Virus:AVP5: no
Virus:BDC : no
Virus:FPROT   : no
Virus:FPROTD  : no
Virus:FSAV: no
Virus:FileScan: no
Virus:HBEDV   : no
Virus:NAI : no
Virus:NVCC: no
Virus:OpenAV  : no
Virus:SOPHIE  : no
Virus:SOPHOS  : no
Virus:SymantecCSS : no
Virus:TREND   : no
Virus:TROPHIE : no
Virus:VEXIRA  : no

Anomy::HTMLCleaner: missing
Archive::Zip  : Version 1.10
Digest::SHA1  : Version 2.07
File::Scan: missing
HTML::Parser  : Version 3.35
HTML::TokeParser  : Version 2.28
IO::Socket: Version 1.26
IO::Stringy   : Version 2.108
MIME::Base64  : Version 3.00
MIME::Tools   : Version 5.411
MIME::Words   : Version 5.404
Mail::Mailer  : Version 1.60
Mail::SpamAssassin: Version 2.63
Unix::Syslog  : Version 0.100

Thanks,
Graham
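
One way to triage the restart loop shown in this log, as an added example that is not part of the original post or of MIMEDefang: it pairs each slave's start, stderr, reap and resource-usage entries and flags slaves that died unexpectedly with req=0. The sample lines follow the format quoted above, unwrapped to one entry per line; the function names are hypothetical and only the entry formats visible in this post are handled.

```perl
#!/usr/bin/perl
# Added example: summarise mimedefang-multiplexor slave lifecycles from syslog.
use strict;
use warnings;

# Sample entries in the format of the log quoted above, one entry per line.
my @log = (
    'Mar 28 23:00:46 media mimedefang-multiplexor: Starting slave 0 (pid 9910) (1 running): Bringing slaves up to minSlaves (2)',
    'Mar 28 23:00:49 media mimedefang-multiplexor: Starting slave 1 (pid 9921) (2 running): Bringing slaves up to minSlaves (2)',
    'Mar 28 23:01:06 media mimedefang-multiplexor: Slave 0 stderr: Out of memory!',
    'Mar 28 23:01:06 media mimedefang-multiplexor: Reap: Idle slave 0 (pid 9910) exited normally with status 1 (SLAVE DIED UNEXPECTEDLY)',
    'Mar 28 23:01:06 media mimedefang-multiplexor: Slave 0 resource usage: req=0, scans=0, user=10.142, sys=0.557, nswap=0, majflt=0, minflt=14691, maxrss=31840, bi=0, bo=0',
    'Mar 28 23:01:08 media mimedefang-multiplexor: Slave 1 stderr: Out of memory!',
    'Mar 28 23:01:08 media mimedefang-multiplexor: Reap: Idle slave 1 (pid 9921) exited normally with status 1 (SLAVE DIED UNEXPECTEDLY)',
    'Mar 28 23:01:08 media mimedefang-multiplexor: Slave 1 resource usage: req=0, scans=0, user=10.155, sys=0.473, nswap=0, majflt=0, minflt=14691, maxrss=31840, bi=0, bo=0',
);

sub to_seconds {
    my ($h, $m, $s) = split /:/, shift;
    return $h * 3600 + $m * 60 + $s;
}

# Returns one hash per reaped slave with id, pid, lifetime, status, stderr,
# req, maxrss and startup_failure (died unexpectedly with req=0).
sub summarize {
    my @lines = @_;
    my (%running, %reaped, @report);
    for my $line (@lines) {
        next unless $line =~
            /^\w{3}\s+\d+\s+(\d\d:\d\d:\d\d)\s+\S+\s+mimedefang-multiplexor(?:\[\d+\])?:\s+(.*)$/;
        my ($hms, $msg) = ($1, $2);
        my $now = to_seconds($hms);

        if ($msg =~ /^Starting slave (\d+) \(pid (\d+)\)/) {
            $running{$1} = { id => $1, pid => $2, start => $now, stderr => [] };
        }
        elsif ($msg =~ /^Slave (\d+) stderr: (.*)$/) {
            my ($id, $text) = ($1, $2);
            push @{ $running{$id}{stderr} }, $text if exists $running{$id};
        }
        elsif ($msg =~ /^Reap: \S+ slave (\d+) \(pid \d+\) exited .*status (\d+)(.*)$/) {
            my ($id, $status, $rest) = ($1, $2, $3);
            my $rec = delete $running{$id} or next;   # start not in this log
            my $life = $now - $rec->{start};
            $life += 86400 if $life < 0;              # entries straddle midnight
            $rec->{lifetime}   = $life;
            $rec->{status}     = $status;
            $rec->{unexpected} = ($rest =~ /DIED UNEXPECTEDLY/) ? 1 : 0;
            $reaped{$id} = $rec;
            push @report, $rec;
        }
        elsif ($msg =~ /^Slave (\d+) resource usage: (.*)$/) {
            my ($id, $usage) = ($1, $2);
            my $rec = $reaped{$id} or next;
            my %kv = $usage =~ /(\w+)=([\d.]+)/g;
            $rec->{req}    = $kv{req};
            $rec->{maxrss} = $kv{maxrss};
            $rec->{startup_failure} =
                ($rec->{unexpected} && defined $kv{req} && $kv{req} == 0) ? 1 : 0;
        }
    }
    return @report;
}

my @report = summarize(@log);
for my $r (@report) {
    printf "slave %d pid %d lived %ds status %d req=%s maxrss=%s stderr=[%s]%s\n",
        $r->{id}, $r->{pid}, $r->{lifetime}, $r->{status},
        $r->{req} // '?', $r->{maxrss} // '?',
        join('; ', @{ $r->{stderr} }),
        $r->{startup_failure} ? '  <-- died before serving a request' : '';
}
my $failed = grep { $_->{startup_failure} } @report;
printf "%d of %d reaped slaves died before serving a request\n",
    $failed, scalar @report;
```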


Re: [Mimedefang] Slaves dying shortly after startup

2004-03-29 Thread Graham Dunn
On Mon, Mar 29, 2004 at 05:07:24PM +0800, cc wrote:
> Graham Dunn sighed and wrote::
> 
> > This started happening this afternoon, after I changed
> > mimedefang-filter. When the slaves started dying, I reverted my changes,
> > and restarted, but the problem persisted. I've tried running with the
> > stock suggested-minimum-filter-for-windows-clients filter, same problem.
> 
> Usually, this means that there's still a change in the mimedefang-filter
> that was missing.  The usual reason that I get this major hiccup is
> because of some syntactical error (missing semicolon, etc..)

I've taken a known good mimedefang-filter from another machine and the
same symptoms occur.

I truss'd the process and it seemed to occur after the spamassassin
rules were being looked at. I pared down the number of third-party lists
I was using (most notably the blacklist-uri series), and now things
seem to be better.

Thanks,
Graham


Re: [Mimedefang] slave error with razor2

2004-04-02 Thread Graham Dunn
On Fri, Apr 02, 2004 at 06:49:01PM -0500, Andrea Venturoli wrote:
> ** Reply to note from Kelson Vibber <[EMAIL PROTECTED]> Thu, 01 Apr 2004 10:33:25 
> -0800
> 
> 
> > >mimedefang-multiplexor: Slave 12 stderr: razor2 check skipped: Bad file 
> > >descriptor Died at 
> > >/usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm line 409. 
> >
> > IIRC, this means queries to the Razor servers are not responding. 
> >
> > Try running razor-admin -discover as your MIMEDefang user.  This should  
> > pick up a current list of Razor servers.
> 
> Hmm, I'm having the same problem.
> Tried razor-admin -discover, but nothing changed.
> (FreeBSD 5.2.1-RELEASE-p3)
> 
> Any other hint?
> Is there any howto on mimedefang+spamassassin+razor?

I'm running freeBSD-4.8. I had to give mailnull a valid shell, then

su mailnull -c "razor-admin -discover"

as root. I think this is a result of one of the razor sites being
overloaded, maybe?

Graham


[Mimedefang] Selectively blocking .zip files

2004-06-02 Thread Graham Dunn
We send and receive a fair number of .zip files containing file types in
the $bad_exts category. As such, I'm trying to come up with a simple
method to allow certain zip files through, while excluding the nasty
ones.

The first shot I've taken at this is getting people to add a prefix onto
their zip attachment (supersecretword in the example). It's sort of
kludgy, but is very simple to communicate and doesn't change the
workflow.

Does anyone have ideas about potential problems with this?

# This procedure returns true for entities with bad filenames.
sub filter_bad_filename ($) {
    my($entity) = @_;
    my($bad_exts, $re, $secret);

    # Tacking this on to the start of the zip name will let it through
    $secret = 'supersecretword';

    # Bad extensions
    $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|'
              . 'fxp|hlp|hta|hto|inf|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|'
              . 'ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|vb|vbe|vbs|vxd|wmd|'
              . 'wms|wmz|wsc|wsf|wsh|\{)';

    # Do not allow:
    # - CLSIDs  {foobarbaz}
    # - bad extensions (possibly with trailing dots) at end
    $re = '\.' . $bad_exts . '\.*$';

    return 1 if (re_match($entity, $re));

    # Look inside ZIP files unless the filename starts with our secret code.
    # The pattern is built by concatenation because single quotes do not
    # interpolate $secret, and ".*" allows any text after the prefix.
    if (!re_match($entity, '^' . $secret . '.*\.zip$') and
        re_match($entity, '\.zip$') and
        $Features{"Archive::Zip"}) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                return re_match_in_zip_directory($path, $re);
            }
        }
    }
    return 0;
}



[Mimedefang] mimedefang-multiplexor: Slave 2 stderr: Warning: unable to close filehandle LOGF properly.

2004-06-10 Thread Graham Dunn
Just started using the embedded perl option and I've seen this a couple
times over the last hour or so (different slaves).

mimedefang-2.42 from ports, freebsd 4.8-stable, perl 5.6.1 (also from
ports)

There don't seem to be any negative consequences of this (mail is still
humming along fine).

Is this cause for concern?

Graham


[Mimedefang] filename matching in filter_bad_filename

2004-06-11 Thread Graham Dunn
I'm trying to do something which should be simple, and yet still escapes
me.

Why won't (in filter_bad_filename()):

# Attachments matching this regexp will go through
$secret = '^itc*\.zip$';

return 0 if (re_match($entity, $secret));

return 0 on a filename of itcfoo.zip ?

The line (re_match($entity, '\.zip$') will hit.


Thanks,
Graham


Re: [Mimedefang] filename matching in filter_bad_filename

2004-06-14 Thread Graham Dunn
On Fri, Jun 11, 2004 at 02:17:23PM -0400, David F. Skoll wrote:
> On Fri, 11 Jun 2004, Graham Dunn wrote:
> 
> > $secret = '^itc*\.zip$';
> 
> That regexp will match:
> 
> it.zip
> itc.zip
> itcc.zip
> itccc.zip
> etc..
> 
> You almost certainly meant to write:
> 
> $secret = '^itc.*\.zip$';

OK, even with this in there, I'm still hitting the code that checks for
bad zips.

# Attachments matching this regexp will go through
$secret = '^itc.*\.zip$';

# Bad extensions
$bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|'
          . 'fxp|hlp|hta|hto|inf|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|'
          . 'ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|vb|vbe|vbs|vxd|wmd|'
          . 'wms|wmz|wsc|wsf|wsh|\{)';

# Do not allow:
# - CLSIDs  {foobarbaz}
# - bad extensions (possibly with trailing dots) at end
$re = '\.' . $bad_exts . '\.*$';

return 1 if (re_match($entity, $re));

return 0 if (re_match($entity, $secret));

# Look inside ZIP files
if ((re_match($entity, '\.zip$')) and
    $Features{"Archive::Zip"}) {
    my $bh = $entity->bodyhandle();
    if (defined($bh)) {
        my $path = $bh->path();
        if (defined($path)) {
            return re_match_in_zip_directory($path, $re);
        }
    }
}
return 0;




I'm guessing there's something wrong with the way I've written this. Is
the "return 0 if (re_match($entity, $secret));" line ok?

Graham


Re: [Mimedefang] filename matching in filter_bad_filename

2004-06-15 Thread Graham Dunn
On Mon, Jun 14, 2004 at 03:37:13PM -0400, David F. Skoll wrote:
> On Mon, 14 Jun 2004, Graham Dunn wrote:
> 
> > OK, even with this in there, I'm still hitting the code that checks for
> > bad zips.
> 
> [...]
> 
> > return 1 if (re_match($entity, $re));
> > return 0 if (re_match($entity, $secret));
> 
> Ponder the order of those two statements...

OK ...

pondering "return 1 if (re_match($entity, $re));"

at this point, $re = '\.' . $bad_exts . '\.*$'; and there's no match,
because Content-Disposition.filename, Content-Type.name or
Content-Description is .zip, which is not in $re.

on to "return 0 if (re_match($entity, $secret));"

at this point, compare Content-Disposition.filename, Content-Type.name
or Content-Description against $secret (which is '^itc.*\.zip$'). As the
filename is itc-blah.zip, I'm seeing a match on "if  ((re_match($entity,
'\.zip$')) {...}" and as the zip contains an exe, it's getting nabbed by
re_match_in_zip_directory().

As to the order, am I wrong in thinking that the logic is:

1) re_match($entity, $re) evaluates to 0, so don't return 1, move to the
next line,
2) re_match($entity, $secret) evaluates to 1, so return 0 to this if
statement:

 if (filter_bad_filename($entity)) {
md_graphdefang_log('bad_filename', $fname, $type);
return action_drop_with_warning("An attachment named $fname was
removed from this document as it\nconstituted a security hazard.  If you
require this document, please contact\nthe sender and arrange an
alternate means of receiving it.\n");
 }

so no md_graphdefang_log, and no return action_drop_with_warning should
be called?

However, this is not what reality is showing me, so I humbly request
correction :]

Thanks,
Graham
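
The two `$secret` patterns from this thread and the statement order of the posted filter body, run against constructed attachment names, as an added example that is not code from the thread or from MIMEDefang. `match_name` is a hypothetical stand-in for `re_match` that tests a single name only (the thread notes the real check compares Content-Disposition.filename, Content-Type.name or Content-Description), `zip_has_bad_member` stands in for `re_match_in_zip_directory` with a constructed member list, and the extension list is shortened.

```perl
#!/usr/bin/perl
# Added example, not from the thread: constructed attachment names and
# archive listings run through the check order of the posted filter body.
use strict;
use warnings;

# Shortened extension list; the $bad_exts posted in the thread is longer.
my $bad_exts = '(bat|cmd|com|exe|pif|scr|vbs)';
my $re       = '\.' . $bad_exts . '\.*$';

my %secret = (
    'itc*'  => '^itc*\.zip$',     # as first posted: "it" then zero or more "c"
    'itc.*' => '^itc.*\.zip$',    # as corrected: "itc" then anything
);

# Hypothetical stand-in for re_match(): tests a single name, ignoring case.
sub match_name {
    my ($name, $regexp) = @_;
    return $name =~ /$regexp/i ? 1 : 0;
}

# Hypothetical stand-in for re_match_in_zip_directory(): member names are
# passed in as a list instead of being read from an archive on disk.
sub zip_has_bad_member {
    my ($members, $regexp) = @_;
    my $hits = grep { match_name($_, $regexp) } @$members;
    return $hits ? 1 : 0;
}

# Same statement order as the filter body posted on 2004-06-14.
sub filter_bad_filename {
    my ($name, $members, $secret) = @_;
    return 1 if match_name($name, $re);        # bad extension on the name
    return 0 if match_name($name, $secret);    # allow-prefix: zip scan skipped
    return zip_has_bad_member($members, $re)
        if match_name($name, '\.zip$');
    return 0;
}

# Constructed samples: [ attachment name, [ member names inside the zip ] ]
my @samples = (
    [ 'it.zip',        ['setup.exe']   ],
    [ 'itcfoo.zip',    ['setup.exe']   ],
    [ 'itc-blah.zip',  ['tool.exe']    ],
    [ 'invoice.zip',   ['invoice.pif'] ],
    [ 'report.zip',    ['notes.txt']   ],
    [ 'itc-setup.exe', []              ],
);

printf "%-15s %-14s %-8s %-8s\n", 'attachment', 'members', 'itc*', 'itc.*';
for my $s (@samples) {
    my ($name, $members) = @$s;
    my @verdict = map {
        filter_bad_filename($name, $members, $secret{$_}) ? 'block' : 'pass'
    } ('itc*', 'itc.*');
    printf "%-15s %-14s %-8s %-8s\n", $name, join(',', @$members), @verdict;
}
```

With the corrected pattern, every archive whose name starts with itc skips the member scan, so the prefix acts as a shared secret carried in a sender-supplied filename.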


Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-10 Thread Graham Dunn
On Mon, Aug 09, 2004 at 11:17:41PM -0400, Jeff Rife wrote:
> On 9 Aug 2004 at 21:03, Kevin A. McGrail wrote:
> 
> > > If the receiving MX servers always knew all valid recipient addresses
> > > *at (E)SMTP connection time*, then there would be no bounces...only
> > > rejections.
> > >
> > > This solves the problem without introducing anything new to (E)SMTP.
> > 
> > At the core, this solution ignores the concept and purpose of a backup MX
> > which is a reality and necessity for many companies where email is critical.
> 
> There is no reason a backup MX server can't know if an address is valid 
> or not.

How about "scaling"? I'm pretty sure my ISP will run (screaming, no
doubt), from a scenario in which they rely on their customers to keep
their list of valid addresses current.

How about "MS Exchange"? :]

Graham


Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-10 Thread Graham Dunn
On Tue, Aug 10, 2004 at 06:44:43AM -0500, Damrose, Mark wrote:
> > -Original Message-
> > From: Lucas Albers [mailto:[EMAIL PROTECTED]
> 
> > I tried to read the ldap address book entries from my internal
> > exchange server (5.5) but I could never get it to work.
> > I couldn't justify the effort as I don't really see it as a 
> > big deal at
> > this point.
> > I'm sure I should, but I can't justify the effort for the return.
> 
> Exchange 5.5 is a tough nut.  That's what I have.  
> 
> Under the default lookup, you can only search on a primary e-mail 
> address.  All of my users have @elgin.edu addresses, but many of 
> them also have @elgin.cc.il.us addresses from before 2 year colleges 
> were allowed back in .edu.  You can use ldap to search on an
> @elgin.edu address, but you can't use it to search for @elgin.cc.il.us.
> 
[del]

I have this running ... it gets secondary email addresses as well (you
have to bind as a user with admin access in exchange - not necessarily
the same account as domain admin).

http://pochacco.dnsalias.net/~gdunn/extract-exchange-55-20040810.tar.gz

There's some filtering in there to only pull out addresses in specific
domains (we have a shameful listserver that stores lists in hidden
containers, and this will pull those and make the access file just
monstrous).

Let me know if this is what you were talking about...

Thanks,
Graham


Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-10 Thread Graham Dunn
On Tue, Aug 10, 2004 at 09:26:26AM -0400, Graham Dunn wrote:
> 
> http://pochacco.dnsalias.net/~gdunn/extract-exchange-55-20040810.tar.gz
> 

Forgot to add that you'll need to add whatever you have in @mx_domains
to your "relay-domains" file.

Graham


Re: [Mimedefang] uribl with SA 3

2004-10-14 Thread Graham Dunn
Marco Berizzi wrote:
> I'm running MD 2.45 with SpamAssassin 3 and uribl test are not
> working. My filter has SALocalTestOnly = 1
> I have followed this message
> http://lists.roaringpenguin.com/pipermail/mimedefang/2004-August/023947.html
> and I commented out all tflags entry in
> /usr/share/spamassassin/25_uribl.cf
> Is there any other file to hack?

You should change that to:

SALocalTestOnly = 0

to enable the network tests.

Also make sure that the

skip_rbl_checks

line in your local.cf (or sa-mimedefang.cf) is commented out, or set to 
0 (the default).

I just went through this, the best thing to do was to make sure you're 
running perl 8.5.latest and then not mess with anything else. It's set 
by default to do what you want :]

Graham


[Mimedefang] Spamassassin not using SURBL

2004-10-05 Thread Graham Dunn
I'm stumped.

Just to get past the usual (at least as far as the archives go):

In mimedefang-filter:

$SALocalTestsOnly = 0;

In spamassassin/sa-mimedefang.cf:

skip_rbl_checks 0

uri SPAMCOP_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+2')
describe SPAMCOP_URI_RBL  URI's domain appears in spamcop database at sc.surbl.org
tflags SPAMCOP_URI_RBL  net
score SPAMCOP_URI_RBL  3.0

According to perl -MCPAN -e shell:
LWP is up to date.

Stopped and started mimedefang.

Other network tests are showing up, RAZOR, etc.

I was testing by sending email containing a URL that I knew was in the
surbl.org database, but no SPAMCOP_URI_RBL tags.

Is there something else I should be doing to troubleshoot?

Thanks,
Graham


Re: [Mimedefang] Spamassassin not using SURBL

2004-10-06 Thread Graham Dunn
On Tue, Oct 05, 2004 at 02:04:40PM -0700, Nathan Martinez wrote:
> > Is there something else I should be doing to troubleshoot?
> > 
> 
> I had a very similar problem and running 'spamassassin -D --lint' showed
> me that my Net::DNS perl module was out of date.  Once I upgraded
> Net::DNS, everything worked just fine.

Net::DNS is up to date. (version 0.48)

Guess it's off to the SURBL lists.

Graham


Re: [Mimedefang] Spamassassin not using SURBL

2004-10-07 Thread Graham Dunn
On Wed, Oct 06, 2004 at 09:02:43AM -0400, Graham Dunn wrote:
> On Tue, Oct 05, 2004 at 02:04:40PM -0700, Nathan Martinez wrote:
> > > Is there something else I should be doing to troubleshoot?
> > > 
> > 
> > I had a very similar problem and running 'spamassassin -D --lint' showed
> > me that my Net::DNS perl module was out of date.  Once I upgraded
> > Net::DNS, everything worked just fine.
> 
> Net::DNS is up to date. (version 0.48)
> 
> Guess it's off to the SURBL lists.

What options are required when running spamassassin from the command
line to get the same behaviour as you would see when run in mimedefang?

Other than using -C /usr/local/etc/mimedefang/spamassassin/sa-mimedefang.cf

Thanks,
Graham


Re: [Mimedefang] uribl with SA 3

2004-10-19 Thread Graham Dunn
Mattias Ahnberg wrote:
> "MB" == Marco Berizzi <[EMAIL PROTECTED]> writes:
>
> MB> I'm running MD 2.45 with SpamAssassin 3 and uribl test are not
> MB> working. My filter has SALocalTestOnly = 1 I have followed this
> MB> message
>
> Make sure you have the Net::DNS perl module installed and tested.

I've run into this problem with two freebsd 4.10 systems. I needed to 
move to perl 5.8.5 to get the uribl tests working.

Graham


Re: [Mimedefang] MIME type message/partial

2004-11-09 Thread Graham Dunn
Paul Murphy wrote:
> Jan-Pieter,
>
> On my system, your message shows a header which contains:
>
> X-message-flag: *** MICROSOFT OUTLOOK FATAL ERROR 15: PRESS ALT+F4 TO CONTINUE
>
> This also appears in yellow in the Outlook session as a header section to the
> message viewer - is this part of your message, or something which my Outlook
> added?  Google has exactly one incidence of this header, in a mailing list for
> NNTP...

cf. Stupid Outlook tricks, vol. 23.
http://c2.com/cgi/wiki?MicrosoftOutlookExpress
http://zgp.org/linux-elitists/[EMAIL PROTECTED]

Graham


Re: [Mimedefang] MIME type message/partial

2004-11-10 Thread Graham Dunn
Kenneth Porter wrote:
> --On Tuesday, November 09, 2004 9:42 AM -0800 
> [EMAIL PROTECTED] wrote:
>
> > Reminds me of the old online gaming joke.  "Hey everybody, press Alt-F4
> > to activate (insert cool weapon name)"... then laugh as you see the
> > "(player) disconnected" messages start to come in...
>
> A surprising number of people will bite if you say Ctrl-Alt-Del. This of 
> course isn't nearly as funny with 2k/XP, which traps that for the login 
> dialog, but back in the Win9x days it was a side-splitter.

And let's not forget the hilarity on IRC that ensues when you mention 
that you can get a horoscope by typing "/sign "

Graham


Re: [Mimedefang] spamtrap on secondary MX

2004-11-24 Thread Graham Dunn
-ray wrote:
> I read an article in SysAdmin that talked about setting up a spamtrap on a
> secondary or tertiary MX box.  The box would look like a good MTA, answers
> helo and 'mail from', but on 'rcpt to' always returns "451 Try again
> later".  The idea being spammers prefer secondary MX's, but will never try
> again.  A legit host that happens to connect will of course try again
> later (hopefully to primary MX).  The author claims this reduced spam
> intake by 10%.
> Anyone done anything similar?  Any thoughts?  Seems like a simple way to 
> catch a lot of spam...

Check out milter-greylist, (this can be done in mimedefang, but it's 
much more lightweight as a milter). Or any other greylist solution, for 
that matter.

It's working quite well. I think there are still some issues that you 
hit if you're greylisting millions of entries, but for mid-small 
servers, it's quite nice.

--
Graham Dunn, IT Manager Inscriber Technology Corporation 
26 Peppler St, Waterloo, ON, CA N2J3C4 
519 570 9111 x243



[Mimedefang] -k option not being passed from FreeBSD rc.d script?

2004-12-09 Thread Graham Dunn
I'm in the midst of trying to debug a clamd zip failure

Dec  9 09:26:36 ureshii mimedefang.pl[73455]: iB9EQaSe031074: Clamd 
returned error: 
/var/spool/MIMEDefang/mdefang-iB9EQaSe031074/Work/msg-73455-357.zip: Zip 
module failure

and have enabled

KEEP_FAILED_DIRECTORIES=yes

in rc.d/mimdefang.sh

however, these directories are still being cleaned out after the clamd 
failure. Is there an easy way to check what parameters are being passed? 
I doubt that it's a problem in the rc file, but I'd like to rule that 
out ...

mimedefang-2.48
ClamAV devel-20041129/623/Thu Dec  9 08:47:37 2004
FreeBSD 5.3-RELEASE

Thanks,
Graham


Re: [Mimedefang] -k option not being passed from FreeBSD rc.d script?

2004-12-10 Thread Graham Dunn
David F. Skoll wrote:
> On Thu, 9 Dec 2004, Graham Dunn wrote:
>
> > Is there an easy way to check what parameters are being passed?
> > I doubt that it's a problem in the rc file, but I'd like to rule that
> > out ...
>
> Why not edit the rc file and hard-code a -k option in?  Then you'll know...

In the immortal words of Guildenstern:
"Pragmatism?! Is that all you have to offer?"
:]
Graham


Re: [Mimedefang] Question on confidentiality statements

2004-12-17 Thread Graham Dunn
Ian Mitchell wrote:
> FBI NOTICE: This e-mail message, including any attachments, is protected
> by the Digital Millennium Copyright Act (DCMA). The author(s) of this
> email have spent a considerable amount of time in thoughtful construction
> of the contents of the messages and as such, if you are not the intended
> recipient, please contact the sender by reply e-mail and destroy all
> copies of the original message. Circumvention of the original distribution
> method intended for the message is not authorized and is prosecutable
> under the DCMA.

Any and all reproduction shall be considered an attempt to bypass our 
double-ROT13 encryption, and hence actionable under aforementioned DCMA.

Graham


Re: [Mimedefang] Question on confidentiality statements

2004-12-17 Thread Graham Dunn
Ole Craig wrote:
> Pray tell, what is this "DCMA" of which you write? Is it by
> any chance related to that execrable legislation known as the "Digital
> Millennium Copyright Act"? (Which the observant reader will note is
> acronymised as "DMCA"...)
>
> Ole, whose pets are feeling peevish

Sure, summon The Act That Must Not Be Named. See if I care.


Re: [Mimedefang] -k option not being passed from FreeBSD rc.d script?

2004-12-10 Thread Graham Dunn
Stephane Lentz wrote:
> On Thu, Dec 09, 2004 at 09:31:14AM -0500, Graham Dunn wrote:
>
> > I'm in the midst of trying to debug a clamd zip failure
> > Dec  9 09:26:36 ureshii mimedefang.pl[73455]: iB9EQaSe031074: Clamd 
> > returned error: 
> > /var/spool/MIMEDefang/mdefang-iB9EQaSe031074/Work/msg-73455-357.zip: Zip 
> > module failure
>
> Not a response to your problem but your post offers the opportunity 
> to exchange info about the "Zip module failure" problem 
>
> Do other people get frequent "Zip module failure" errors ? 
> I started seeing them after upgrading to ClamAv 0.80.
> Upgrading to zlib 1.2.2 did not solve the problem.
> I tried the Clamav CVS version  but it didn't solve it either
> (though some mentioned it did for them : 
> http://lists.clamav.net/lurker/message/20041129.153452.4a6a491d.en.html)

I was only getting them (so far) on a particular zip file that was 
compressed using a beta version of WinRAR by one of our techsupport 
people. I applied the cluestick and deleted the email from the queue. No 
upgrade I had tried made any difference. No problems yet (touch wood).

Graham


[Mimedefang] ASCII art spam

2005-03-07 Thread Graham Dunn
Boggle.
http://www.kurai.org/~gdunn/ascii-spam.png


[Mimedefang] Re: Even sillier disclaimers (was Re: defang startup errors)

2005-12-12 Thread Graham Dunn
David F. Skoll wrote:
[snip]
> 
> Well! :-) We have an arms race, then.  I'll change my disclaimer
> to read "This disclaimer supersedes all other disclaimers, even if
> the other disclaimers claim otherwise.  This is a NUCLEAR POWERED
> disclaimer that will ATOMIZE all other disclaimers.  This disclaimer
> is TOP DOG."

I believe the legal term is "double-locked it, no erasies".

HTH, HAND
Graham

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang