Re: [Mimedefang] Including archetypal filters to include in release?

2006-01-11 Thread Kelson Vibber

Kevin A. McGrail wrote:

(B) That's not a restriction of Windows, I believe.  That's a limitation
of certain Windows UA's.  I'm working on a patch to Thunderbird, that
should work on XP as well.


Yes, I was implying the MUA.  I don't see it changing in Outlook/OE 
anytime soon so while it's nice that there is a thunderbird fix for the 
issue, the reality for me is that I believe this check will have 
hideously high FPs.


Then there's Eudora, which, at least through version 6, will HELO with 
the local host name attached to the domain name of the SMTP server. 
This gets really annoying, because chances are that the resulting FQDN 
doesn't exist if you're dealing with a home computer named by the end user.


This of course can be resolved by requiring SMTP-AUTH, but when you 
still have half your users on POP-before-SMTP, it limits your options a bit.


--
Kelson Vibber
SpeedGate Communications, www.speed.net
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Pre-Emptive Greylist entries

2006-01-11 Thread Kelson Vibber

Gary Funck wrote:

But isn't it likely that if spammers are going to the trouble to add SPF
records that they're also going to the trouble to retry after a tempfail,
and thus defeat greylisting?


They haven't so far, and they've been using SPF records for, what, two 
years now?  Some groups of spammers were among the early adopters, 
because they thought it would get them a free ride past filters.


Of course, it's much easier to add v=spf1 +all to your DNS than to 
write an smtp client that will retry every delivery attempt in a 
situation where you expect most of your output to get blocked, dropped, 
or hidden.  Why waste the time and bandwidth?  It may not be your own 
connection anymore, but hey, access to those botnets costs money!


--
Kelson Vibber
SpeedGate Communications, www.speed.net


Re: [Mimedefang] resending mail sent to /var/spool/mail

2006-01-05 Thread Kelson Vibber

Stephen Ford wrote:

We had one of our internal mail servers die for a
little while today and when I run mailq (I'm on a
Solaris 9 system) there are 1600 messages waiting with
connection refused errors in /var/spool/mqueue. 


This should do it:

sendmail -q -O QueueDirectory=/path/to/queue

That starts a sendmail process that will run through the queue once.

--
Kelson Vibber
SpeedGate Communications, www.speed.net


Re: [Mimedefang] Re: dictionary attacks looking for a valid user

2006-01-03 Thread Kelson Vibber

Kenneth Porter wrote:

--On Thursday, December 29, 2005 12:23 PM -0800 Kelson Vibber wrote:

There is also confMAX_RCPTS_PER_MESSAGE, which limits the total number of
recipients any message can target.  But that includes valid recipients.


Is that a global setting or can that be configured based on 
authentication or IP of the sender?


Global, IIRC.

--
Kelson Vibber
SpeedGate Communications, www.speed.net


Re: [Mimedefang] Deadline for SPF records *long w/morbid horoscope*

2004-08-12 Thread Kelson Vibber
At 06:27 PM 8/11/2004, Jeff Rife wrote:

it is the responsibility of the MX machine to know what is and is not 
deliverable.

Again, this completely solves the issue of forged return address bounce 
e-mails.

Actually, no it doesn't.

Let's try another ISP-as-MX scenario, this time where the company runs its 
own mail server as primary MX, but uses the ISP's server as a secondary:

1. Spammer targets the backup MX (us), assuming it's less protected.
2. We queue, reject, or discard the message.
3. Mail ends up at customer's primary mail server, which rejects *on 
different criteria*.
4. Customer's server issues an SMTP reject to our server.

At this point, we technically *should* generate a bounce.  The address we 
sent it on to was valid, but the message could not be delivered.  We have 
no way of knowing, short of something SPF-like provided by the apparent 
sender's domain, whether the return address is valid, invalid, or 
valid-but-forged.  On the other hand, if we *did* have that information, we 
could have blocked the mail without even queueing it up for the primary MX.

Now if you run all your MXes yourself, you can make sure they all use the 
same criteria and only reject mail at the border.  But that's a bit more 
difficult when one is in-house and the other belongs to your ISP, who may 
not even be running the same mail server software as you, never mind the 
same filtering software.

And then there's the scenario in which the forged message makes it through 
to a valid address, someone reads it and fires off a complaint to the 
person they think sent it...

Kelson Vibber
SpeedGate Communications www.speed.net 

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] Deadline for SPF records

2004-08-09 Thread Kelson Vibber
At 06:21 AM 8/9/2004, Joseph Brennan wrote:

Bounces would go straight to the FROM, I assume?
So, all we do is change all the mail servers on the net. :-)

Hey, most* people stopped running open relays, right?
Change IS possible.  It's likely to be painful, but it's possible.

* Yes, there are still open relays out there, but these days it's generally 
considered a misconfiguration rather than a deliberate setup.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Deadline for SPF records

2004-08-09 Thread Kelson Vibber
At 12:42 PM 8/9/2004, David F. Skoll wrote:

So SPF is a good technology to combat joe-jobs providing everyone in
the Internet uses it. :-( See
http://www.rhyolite.com/anti-spam/you-might-be.html

To be fair, SPF has never pushed itself (to my knowledge) as the FUSSP.

Kelson Vibber
SpeedGate Communications www.speed.net 



RE: [Mimedefang] Deadline for SPF records

2004-08-09 Thread Kelson Vibber
At 04:12 PM 8/9/2004, [EMAIL PROTECTED] wrote:

I agree that invalid bounces from forged addresses aren't really a blip
on the scale of email problems.  Also they can easily be solved using
existing technology - just have every organization push their valid
user list to the mail servers on their network boundary.  Then the mail
will be rejected at RCPT TO time, with no undeliverable message
generated.  (The ratware and spamware won't generate an undeliverable
message when faced with a 550 No such user.)

<irony>
Unfortunately, this won't work until the entire Internet does it.
</irony>

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] SpamCopURI w/SA2.64 w/Chris' umask Patch

2004-08-05 Thread Kelson Vibber
On Thursday 05 August 2004 11:34 am, Kevin A. McGrail wrote:
 Just an FYI that I edited the Makefile.PL for SpamCopURI to change 2.63 to
 2.64 (3 instances) for the new SA 2.64 w/Chris' umask patch and all seems
 to be working fine.

SpamCopURI overwrites two SpamAssassin files (Conf.pm and PerMsgStatus.pm) 
with pre-patched files.  Unfortunately at least one of these has changed 
between SA 2.63 and SA 2.64, so you end up losing some of those fixes -- and 
the changes from Chris' patch -- if you install SA first and SpamCopURI 
second.

It looks like the solution is to apply diff-2.63 from the SpamCopURI source to 
SpamAssassin and reinstall SA.

-- 
Kelson Vibber
SpeedGate Communications, www.speed.net


Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Kelson Vibber
On Friday 30 July 2004 03:03 am, Martin Blapp wrote:
 Clamav is not catching 5 tests, and viri are slipping through ! At least
 test 8 and 23 are very important to catch I think:

There's timing... I was just looking at this stuff yesterday.  I got the same 
results initially (except for #25, which had been defanged), but after 
investigation was able to easily block the rest by copying a few bits over 
from the current example filter.  From what I can tell, it looks like these 
would all be detected by a default install of the latest MimeDefang paired 
with a current Clamd with the ScanMail option enabled.

 Test #5: Eicar virus sent using BinHex encoding (this is a rarely used
 Macintosh mail format)

 Test #8: Eicar virus sent using BinHex encoding within a MIME segment sent

Actually, it's MIMEDefang that doesn't detect these, because it doesn't decode 
BinHex.  So if you're just passing the message parts MD sees to ClamAV, it 
doesn't have a chance to see them.  ClamAV will detect them in the raw 
message if you have the ScanMail option active in clamav.conf.

Take a cue from the current example filter and call 
md_copy_orig_msg_to_work_dir_as_mbox_file() just before calling 
message_contains_virus.  This way, clamd gets to look at the raw message in 
addition to the MD-decoded parts and will pick out the binhex attachment.  
Note that you have to do something in response to this rather than wait for 
entity_contains_virus, because MD won't see that entity.

 Test #22: Eicar virus within zip file hidden using the MIME
 Continuation Vulnerability (attachment can be opened by all
 versions of Microsoft Outlook and Outlook Express) sent

 Test #23: Eicar virus within zip file hidden using the Empty MIME
 Boundary Vulnerability (attachment can be opened by all versions
 of Microsoft Outlook and Outlook Express)

Interestingly, after I made that change I discovered that Clam was picking up 
these two as well.  Given the wide range of MIME parsers and malformations 
that will slip by some and get picked up by others, it's good to have two 
different implementations scanning your mail.

Again, you have to take action on message_contains_virus, and not wait for the 
per-entity results, because MD will see these as invalid MIME and not as 
attachments.

 Test #25 (non-virus): Attachment with a CLSID extension which may hide the
 real file extension. This does not include the Eicar virus, however
 your mailserver should still block this since the CLSID technique can be
 used to hide the true extension of a malicious file. (attachment can be
 opened by any Windows computer)

ClamAV has no reason to detect this: it doesn't include a virus.

That said, MIMEDefang's default filter_bad_filename should pick this up.  It 
does here.

-- 
Kelson Vibber
SpeedGate Communications, www.speed.net


Re: [Mimedefang] staying synced with example filter (was: Re: TestVirus.org)

2004-07-30 Thread Kelson Vibber
At 09:40 AM 7/30/2004, Royce Williams wrote:

What's everyone else doing with reference to the example filter?

Well, I used to go through the example filter on each upgrade and copy bits 
over, but ours has gotten extremely complicated over time, so now I just go 
through the changelog and look for things that would be useful or necessary.

We also have a lot of custom functions that we keep in a separate file.
Eventually I plan to do a massive cleanup, at which point it should become 
feasible to maintain the rest of our changes as a diff and keep things more 
in sync.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Kelson Vibber
At 09:55 AM 7/30/2004, J.D. Bronson wrote:

Could you kindly post exactly what you did?

OK:

Take a cue from the current example filter and call
md_copy_orig_msg_to_work_dir_as_mbox_file() just before calling
message_contains_virus.

That's it.  I just placed md_copy_orig_msg_to_work_dir_as_mbox_file(); in 
filter_begin, right before message_contains_virus().  (Actually I still 
have some old code calling specific scanners, but that's the only change 
that was necessary.)

Can you also expand on this please?
(examples ?)

The mimedefang-filter.example probably says it better than I could -- 
particularly since I still have a lot of complicated code left over from 
older customizations.

Kelson Vibber
SpeedGate Communications www.speed.net 
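
Added example (not part of the original post, and not the project's shipped example filter): the change described in this message and in the earlier TestVirus.org reply, written out as a filter_begin. It runs only inside MIMEDefang, which supplies the md_* and action_* functions and $VirusName; rejecting with action_bounce is an assumption, and a site may prefer to discard or quarantine.

```perl
# Added example: message-level virus scan in a mimedefang-filter.
# Not a stand-alone script: mimedefang.pl provides every function called here.
# As the post notes, clamd needs its ScanMail option enabled to look inside
# the raw message.

sub filter_begin {
    # Write the unparsed message into the work directory as an mbox file, so
    # the scanner sees BinHex parts and malformed MIME that MIMEDefang's own
    # parser never turns into entities.
    md_copy_orig_msg_to_work_dir_as_mbox_file();

    # Scan the whole work directory: the decoded parts plus the raw copy.
    my ($code, $category, $action) = message_contains_virus();

    if ($category eq 'virus') {
        # Act here, at message level.  filter() is never called for a part
        # MIMEDefang could not parse, so a per-entity check placed there
        # would never see this hit.
        md_syslog('warning', "Rejecting message: virus $VirusName found");
        # Assumption: reject at SMTP time.
        return action_bounce("Virus $VirusName found in message");
    }

    if ($action eq 'tempfail') {
        # Scanner unavailable or failed: defer rather than pass mail unscanned.
        md_syslog('warning',
                  "Virus scanner problem: code=$code category=$category");
        return action_tempfail('Problem running virus scanner');
    }

    return;
}
```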



Re: Re: [Mimedefang] TestVirus.org

2004-07-30 Thread Kelson Vibber
At 09:24 AM 7/30/2004, David F. Skoll wrote:

On Fri, 30 Jul 2004 [EMAIL PROTECTED] wrote:

 How bad would the performance hit be to do the action_rebuild on every
 message?

Not that bad.  If you add boilerplate, for example, you're doing that
anyway.  However, if you're short on disk I/O, it will cause problems,
because it essentially doubles your Sendmail queue I/O usage.

This would be done in the MD working directory, though, right?  So if 
you're running that on a ramdisk, it shouldn't be too much of a difference.

I would think the main drawback of this would be in altering signed messages.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Testing and dictionary attack..

2004-07-09 Thread Kelson Vibber
At 09:14 AM 7/7/2004, Net Guy wrote:

What has been decided:  Do I just drop eMail from whomever that has the 
wrong recipient, or do I bounce it ( nouser: No user here by that name 
)?  In my limited view of things I see that either could have benefits:

Bounce - the folks that are real and not spammers know that they screwed 
up the address.
Drop - the spammers think that the address works, so the spam lists grow 
with invalid names.

I suggest bounce (in the action_bounce, reject at SMTP time sense).  The 
potentially large consequence of losing a legitimate message outweighs the 
likely small benefit of polluting the spammers' lists.

I say it's a small benefit because:
- If you're dropping the message, you still need to waste the bandwidth to 
make them think you've accepted it.
- Unless you're tarpitting it, it won't slow them down much.
- Many spammers don't clean up their lists anyway.  Heck, many legit 
mailing lists don't either.  We get lots of mail sent to long-dead 
accounts, some of which I ended up reactivating, watching for (and 
unsubscribing from) legit newsletters, and turning into spamtraps.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] grammar nit

2004-07-08 Thread Kelson Vibber
At 08:43 AM 7/8/2004, [EMAIL PROTECTED] wrote:

He claims that some intellectual property has made its way into Linux.
Does anybody know specifically what he is talking about? Or is it all just
BS, and the real issue is that Linux resembles SysV UNIX, and therefore
it is theft of intellectual property. That's like suing a band who sing songs
that sound like Metallica songs!

Well, in 1 1/2 years they've made a lot of noise, but given no 
specifics.  On the rare occasions they've provided examples, those examples 
have been debunked quickly (basic functions with obvious solutions, code 
available from other sources under the BSD license, etc.).  At times 
they've claimed to have millions of lines of infringing code, but lately 
they've said they don't know exactly what code was involved, and they can't 
find it without access to IBM's source.  The IBM suit is currently focusing 
on code IBM wrote in-house for things like the JFS filesystem, added to 
AIX, and later added to Linux -- basically claiming that because the code 
touched Unix at some point, SCO owns it.  (And they call the *GPL* 
viral!)  Sort of like suing a band for singing a song that Metallica *covered*.

An excellent resource on this issue, if you're interested, is 
http://groklaw.net .  Also informative: 
http://twiki.iwethey.org/twiki/bin/view/Main/SCOvsIBM and 
http://www.opensource.org/sco-vs-ibm.html

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Sender validation

2004-06-24 Thread Kelson Vibber
At 08:59 AM 6/24/2004, [EMAIL PROTECTED] wrote:

Can you explain your criteria for accepting a sender if the host is not an
MX for the domain?  We have CanIT Pro and the mismatch rules tended to
block a lot of the send the page to a friend and e-card type emails.  I
had to give up on them (the mismatch rules, that is).

It looks like he's not checking that the sending server *is* an MX for the 
domain, (which would cause problems with sites that use separate servers 
for incoming and outgoing mail), but checking *an* MX to see if it 
recognizes the supposed sender's address.

The logic is more along the lines of:
- Sender claims to be [EMAIL PROTECTED]
- Look up MX records for speed.net
- Connect to mail.speed.net and see if it accepts mail for [EMAIL PROTECTED]
- From "User unknown" error, conclude that the sender is invalid and reject 
the message

In the old days, it might have been done using VRFY, but so many sites have 
disabled it to throw a roadblock in front of dictionary attacks.

Kelson Vibber
SpeedGate Communications www.speed.net  
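
Added example (not from the original post, and not the code of the filter being discussed): the four-step logic above as a stand-alone Perl script. The MX table and the RCPT replies are constructed stand-ins for DNS and for the remote servers, and the policy that only a 5xx reply rejects is an assumption.

```perl
#!/usr/bin/perl
# Added example: decision logic of a sender-address callout.
use strict;
use warnings;

# Constructed data.  A live filter would replace lookup_mx() with a resolver
# query and probe_rcpt() with an SMTP session that stops after RCPT TO and
# never sends DATA.
my %MX = (
    'example.com' => [ [20, 'backup.example.com'], [10, 'mail.example.com'] ],
    'example.net' => [ [10, 'mx.example.net'] ],
);
my %RCPT_REPLY = (
    'mail.example.com|alice@example.com'  => '250 2.1.5 Ok',
    'mail.example.com|nobody@example.com' => '550 5.1.1 User unknown',
    'mx.example.net|bob@example.net'      => '451 4.3.0 Try again later',
);

# MX hosts for a domain, lowest preference value first.
sub lookup_mx {
    my ($domain) = @_;
    my @records = sort { $a->[0] <=> $b->[0] } @{ $MX{$domain} || [] };
    return map { $_->[1] } @records;
}

# The server's reply to RCPT TO:<address>, or undef if it cannot be reached.
sub probe_rcpt {
    my ($host, $address) = @_;
    return $RCPT_REPLY{"$host|$address"};
}

# Returns (verdict, reason).  Only a definite 5xx from the sender's own MX
# rejects; a missing MX, an unreachable host or a 4xx never does, so a DNS
# or network problem on either side cannot cause legitimate mail to bounce.
sub verify_sender {
    my ($sender) = @_;
    my ($domain) = $sender =~ /\@([^\@\s]+)\z/
        or return ('CONTINUE', 'null or unqualified sender, nothing to check');
    my @hosts = lookup_mx(lc $domain)
        or return ('CONTINUE', "no MX for $domain, cannot verify");

    for my $host (@hosts) {
        my $reply = probe_rcpt($host, lc $sender);
        next unless defined $reply;               # unreachable: try next MX
        return ('REJECT',   "$host said: $reply") if $reply =~ /\A5/;
        return ('CONTINUE', "$host accepted the address") if $reply =~ /\A2/;
        return ('TEMPFAIL', "$host said: $reply");  # 4xx: no verdict yet
    }
    return ('TEMPFAIL', "no MX for $domain could be reached");
}

# Constructed senders covering each outcome.
for my $sender ('alice@example.com', 'nobody@example.com', 'bob@example.net',
                'dave@example.com', 'carol@example.org', '') {
    my ($verdict, $why) = verify_sender($sender);
    printf "%-22s %-9s %s\n", "<$sender>", $verdict, $why;
}
```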



Re: [Mimedefang] grammar nit

2004-06-22 Thread Kelson Vibber
At 07:47 AM 6/22/2004, Jan Pieter Cornet wrote:

The SCO that is now suing the world has little to do with the SCO that
released SCO unix (formerly XENIX).
See: 
http://www.campusprogram.com/reference/en/wikipedia/s/sa/santa_cruz_operation.html

So I don't think the derogatory comment is warranted at all.

You are aware that the current litigious SCO has owned SCO UNIX for several 
years, right?

From the very page you linked to:

SCO announced on August 2, 2001 that they would sell their Server Software 
and Services Divisions, as well as UnixWare and OpenServer technologies, 
to Caldera Systems, Inc.

and

In August 2002, Caldera International changed its name to SCO Group

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Using DCC in SpamAssassin which is called by MimeDefang

2004-06-17 Thread Kelson Vibber
At 02:34 PM 6/16/2004, [EMAIL PROTECTED] wrote:

I asked a similar question recently: who has had what experience with
DCC/Razor/Pyzor, presumably via MIMEDefang and SpamAssassin?

All three will work with MD/SA.

Razor is probably the simplest, since SA is already running in Perl and can 
call the Razor Perl modules directly.  It also has the advantage that SA 
has different rules to handle various Razor results - if Razor gives a 
message a 50-100% probability of being spam, SA will score it higher than 
if Razor gives it a 10-50% chance.  The main drawback to Razor is that it 
presently has the lowest hit rate of the three, although this should change 
soon since the next version of the client will add one of the more 
effective hashes being used by the SpamNet client (Razor's commercial 
sibling).  One trick I've found: I usually have to run make install 
twice, or it doesn't set up all the links in /usr/(local/)bin.

Pyzor hits more spam than Razor, but has two drawbacks: first, it runs in 
Python, and firing up a Python instance for each hit is slower than just 
calling a Perl module in an already running Perl.  Second, the client 
doesn't do much in the way of error recovery when it encounters a message 
it doesn't recognize.  This isn't much of a problem when called from SA - 
it just counts as if Pyzor didn't find it - but can be frustrating when you 
try to report a mailbox full of confirmed spam and it dies because the 
third message claims to use the plain content transfer encoding.  Be sure 
to check the Readme's section on file permissions.  I've actually seen the 
pyzor client get installed non-executable.

DCC has the highest hit rate, but that's partly because its stated goal is 
not to identify spam, but to identify bulk mail.  By definition that 
includes wanted newsletters, mailing lists, etc, although few people 
actually report mail according to that standard.  Because of this, I've 
lowered the SA score for DCC_CHECK from 2.9 to 1.  I remember having a bit 
more trouble getting it running than either Razor or Pyzor, but it's been 
long enough that I don't remember exactly what I had to do.

Several people posted some comparisons a few months ago.  I think this was 
on the SA list.  There is certainly overlap among the three databases 
(about 60% of spam we see that trips one of them trips at least two), but 
there's enough difference that it could be worth running two or even all three.

In any case, I would recommend using the razor_timeout, pyzor_timeout, and 
dcc_timeout options in your SA config so that network slowdowns and server 
outages don't add too much time to your mail processing.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Using DCC in SpamAssassin which is called by MimeDefang

2004-06-16 Thread Kelson Vibber
At 01:30 PM 6/16/2004, Al Sparks wrote:

A simple question, so I know whether it can be done or not.
Is anyone using SA to access DCC iff SA is called by MD?
   === Al

Is that a misspelling, or do you mean if and only if?
If it's just a misspelling, then I can tell you yes, we use DCC through SA 
called by MD.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: Unsafe embedded Perl (was RE: [Mimedefang] [PATCH] Memleak bug in mimedefang found and fixed)

2004-06-07 Thread Kelson Vibber
At 10:35 AM 6/7/2004, David F. Skoll wrote:

On Mon, 7 Jun 2004, Kelson Vibber wrote:

 Does this mean the embedded perl should not be used *at all* on these
 platforms, or just that the normal reread method will not work?

Just that the normal reread method will not work, as far as I know.

OK.  Thanks!

Kelson Vibber
SpeedGate Communications www.speed.net  



Re: [Mimedefang] Can I bounce by looking at keywords in the body without using spamassassin?

2004-06-04 Thread Kelson Vibber
At 06:12 AM 6/4/2004, Mark Penkower wrote:

Can I bounce by looking at keywords in the body without using spamassassin?

Can you? Yes.
Should you?  Probably not.

Blocking mail by keyword is considerably more likely to cause false 
positives than score-based filters.  Some examples:

State of Virginia.
Breast cancer study.
The city of Intercourse, Pennsylvania.
News about assassinations.
Jokes or news about certain highly-advertised drugs.
Free software.
A sextet.  (Or sextuplets, or cities like Middlesex, Essex, Wessex, etc.)
John Hancock

You can probably think of more examples.

Plus, of course, $P@/\/\/\/\ERZ can just D|5GUl$3 orr miiispel there wurdz 
2 @V0|D the keyword filter.  By the time you put together a sufficiently 
long list of variations you may as well be using something more elaborate.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Correction about Autolearn Headers

2004-06-01 Thread Kelson Vibber
At 09:13 AM 6/1/2004, David F. Skoll wrote:

On Tue, 1 Jun 2004, Kevin A. McGrail wrote:

 Therefore, the only way to make this work that I can see is to modify
 mimedefang.pl.  It would be a simple change to return $status, comment out
 the $status->finish, and return $status to the subfilter where you would
 need to run a $status->finish on it in the subfilter.

You can do this already; just call spam_assassin_status from your
filter, and process the status object yourself.  Heck, it's even
documented in the mimedefang-filter man page. :-)

This was possible in SA 2.5x - however, beginning with 2.60, the 
SpamAssassin object no longer exposes the auto-learn results or the 
function to build the status line.  (It didn't technically expose either 
before, but you could get the status line through an undocumented function 
-- which no longer exists.)  You can construct it from all the other 
pieces, but auto-learn isn't available.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] /var/spool/MIMEdefang

2004-05-21 Thread Kelson Vibber
At 08:55 AM 5/21/2004, Vivek Kumar wrote:

There are following 3 files in /var/spool/MIMEDefang directory, which
are pretty big in size.
auto_whitelist
bayes_toks
bayes_seen
What are these 3 files for ?? Do these files always grow ?? Can we
empty these files ( for space) ??

Those files are used by SpamAssassin for its auto whitelist and its 
Bayesian classifier.  You shouldn't delete them unless (a) the data has 
been corrupted or (b) you turn these features off in your SpamAssassin config.

The auto whitelist is more of a score averaging system - it adjusts scores 
based on what else that sender has sent you in the past - and if you have 
it running it updates the data whenever SA processes a message.

The bayes database learns from the spam and non-spam you get, based on 
manually teaching it (This folder is all spam, this one is all non-spam) 
and/or on messages that SA scores very high or very low, if you have 
auto-learning enabled in your SA config.  (The key command here is sa-learn).

In both cases, information is always being added to the database, so you 
can expect the files to keep growing until data starts expiring (see the SA 
docs for more info).

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Want to modify read-receipt img tags in mail

2004-05-20 Thread Kelson Vibber
At 01:50 PM 5/20/2004, Kevin A. McGrail wrote:

 or replace with

   <a href=$1$2>IMAGE</a>

 and leave the plain text alone.  Almost the same thing.

 I'd like to see this written out with HTML::Parser when you do it.

I don't understand what you mean when you put IMAGE above.

I think he means just the text IMAGE - so that the reader knows something 
was supposed to be there, but there's no risk of the server being contacted.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Sendmail Queue Runner

2004-05-13 Thread Kelson Vibber
At 10:02 AM 5/13/2004, you wrote:

Will Mimedefang cease to work if use it for other tasks?

If so, what functions would those be?

A queue runner is needed for any situation in which MIMEDefang creates a 
new message, such as resend_message, action_notify_whoever and 
stream_by_whatever.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] evolution forging HELO?

2004-05-07 Thread Kelson Vibber
At 07:57 AM 5/7/2004, Ole Craig wrote:

He's using evolution, and it insists on sending HELO mail.cs.umass.edu 
which of course is my server, and not his laptop.

Hmm.  I don't use Evolution normally, but I have a copy for tech support 
purposes.  I just sent myself a test message, and HELO'ed with its own IP 
address.  (FWIW, this is Evolution 1.4 as provided by Fedora Core 1.)

Kelson Vibber
SpeedGate Communications www.speed.net 



[Mimedefang] Detecting bogus AOL addresses

2004-05-07 Thread Kelson Vibber
I recently came across the specification for valid AOL addresses.  It's 
simple, and easy to put into a regexp.  It's only blocked 8 messages in the 
last few hours since I went from logging to rejecting, but that's 8 messages 
that didn't need to be scanned for viruses or spam.

In case anyone else might find it useful, here's an abbreviated version of my 
filter_sender:

sub filter_sender () {
    my ($sender, $ip, $name, $helo) = @_;
    # Strip the angle brackets and anything outside them, then lower-case.
    $sender =~ s/.*\<//;
    $sender =~ s/\>.*//;
    $sender = lc($sender);

    # Check for bogus AOL addresses as described at
    # http://postmaster.aol.com/faq/mailerfaq.html#syntax
    # - all alphanumeric, starting with a letter, from 3 to 16 characters long.
    if ($sender =~ /[EMAIL PROTECTED]/i && $sender ne '[EMAIL PROTECTED]'
        && $sender !~ /^[a-z][a-z0-9]{2,[EMAIL PROTECTED]/i) {
        return ('REJECT', 'Forged AOL address detected.');
        #md_syslog 'info', "$QueueID: Forged AOL address detected.";
    }

    return ('CONTINUE', 'ok');
}

-- 
Kelson Vibber
SpeedGate Communications, www.speed.net
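
Added example (not the poster's filter): a stand-alone version of the syntax check that can be run against sample senders. The domain aol.com, the absence of any exempted address, and the sample senders are assumptions; the post's own patterns are redacted in this archive.

```perl
#!/usr/bin/perl
# Added example: syntax check for envelope senders claiming an AOL address.
use strict;
use warnings;

# Assumption: the rule applies to aol.com and no address is exempted.
my $DOMAIN = 'aol.com';

# Normalise an envelope sender the way the post does: drop the angle
# brackets and anything outside them, then lower-case.
sub normalize_sender {
    my ($sender) = @_;
    $sender =~ s/.*<//;
    $sender =~ s/>.*//;
    return lc $sender;
}

# Returns 'REJECT' for an address in $DOMAIN whose local part breaks the rule
# quoted in the post (all alphanumeric, starting with a letter, 3 to 16
# characters long) and 'CONTINUE' for everything else.
sub check_sender {
    my ($raw) = @_;
    my $sender = normalize_sender($raw);

    return 'CONTINUE' if $sender eq '';                     # null sender <>
    return 'CONTINUE' unless $sender =~ /\@\Q$DOMAIN\E\z/;  # other domains

    my ($local) = $sender =~ /\A(.*)\@/s;
    # \z instead of $ so a trailing newline cannot sneak past the check.
    return $local =~ /\A[a-z][a-z0-9]{2,15}\z/ ? 'CONTINUE' : 'REJECT';
}

# Constructed sample senders, one per case the rule has to handle.
my @samples = (
    '<sample123@aol.com>',                # valid form
    '<Sample123@AOL.COM>',                # valid, mixed case
    '<ab@aol.com>',                       # too short
    '<9sample@aol.com>',                  # starts with a digit
    '<first.last@aol.com>',               # punctuation in the local part
    '<abcdefghijklmnopq@aol.com>',        # 17 characters, one too many
    '<someone@notaol.com.example>',       # different domain, not our rule
    '<>',                                 # bounce with null sender
);

printf "%-32s %s\n", $_, check_sender($_) for @samples;
```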


Re: [Mimedefang] OT: Sasser info

2004-05-04 Thread Kelson Vibber
At 09:56 AM 5/4/2004, SRAR Mail Administrator wrote:

From http://www.sophos.com/virusinfo/articles/sasserfbi.html :
Microsoft has announced that it is working closely with law enforcement 
agencies, ... in an attempt to try and identify those responsible for the 
widespread Sasser internet worm.

Question: Will they be starting at Microsoft's headquarters, and arrest 
Bill's developer staff?

That depends: If a manufacturer discovers a defect and issues a recall, is 
it liable for damages that occur *after* the recall has been carried out?

To bring back the eternal car analogy: suppose someone discovers that a 
particular Ford model has defective airbags that will explode if the car is 
hit from a certain direction.  Ford issues a recall, there's been time for 
people to go in and get the airbags fixed.  Then someone goes around and 
starts hitting these cars with a sledgehammer in such a way as to trigger 
those airbags that haven't been replaced.

In this scenario, Ford would bear some liability for injuries, deaths, etc. 
from the defective product before the recall (shared, of course, with the 
people who caused the collisions), and possibly early in the recall 
period.  But what about damages *after* the recall, *after* people have had 
the opportunity to get their car fixed?  Assuming they didn't know about 
the defect when they sold the cars, is Ford still liable legally?  Morally?

Kelson Vibber
SpeedGate Communications www.speed.net 



RE: [Mimedefang] Separate Filters for Separate Recipients

2004-05-04 Thread Kelson Vibber
At 04:43 PM 5/4/2004, Kjell Uddeborg wrote:
> It does seem to split up the messages based on the recipients but they do
> not get delivered until I restart the sendmail server. Have you ever seen
> this problem before?

Anything MD resends goes into the submission queue, not the regular
queue.  You need to run a second instance of Sendmail as a queue 
runner.  See the MIMEDefang README for more detail, but essentially what 
you need is:

    sendmail -Ac -q5m

This will start a second sendmail process which will run through the
submission queue every five minutes.

Kelson Vibber
SpeedGate Communications www.speed.net  



Re: [Mimedefang] Skip MD for some users

2004-04-27 Thread Kelson Vibber
At 11:18 AM 4/26/2004, Nathan Martinez wrote:
> Everything works fine for me, but now a few users want to be excluded
> from the Spam scanning that I am doing.

Because of the way milter works, you cannot skip MD on a per-user
basis.  There are two approaches you can take, both inside mimedefang-filter:

1. Use filter_recipient and the ACCEPT_AND_NO_MORE_FILTERING return code - 
which has the disadvantage that you stop filtering for any other recipients 
of the same message.

2. Check the list of recipients before doing the actual spam scanning 
(right before calling SpamAssassin, for instance).  This has the same 
disadvantage, but you can work around it using stream_by_recipient in 
filter_begin - which of course has its own disadvantage (resending the same 
message once per recipient).

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] surbl

2004-04-16 Thread Kelson Vibber
At 01:46 PM 4/13/2004, Lucas Albers wrote:
> Need to patch SA.
> I'm leery of modifying my code, and hopefully the package maintainer for
> my OS will fold in surbl into their package.

As I understand it, the next release of SpamAssassin will be able to handle
this type of feature without patching.

Kelson Vibber
SpeedGate Communications www.speed.net  



RE: [Mimedefang] surbl

2004-04-13 Thread Kelson Vibber
At 04:48 AM 4/13/2004, David F. Skoll wrote:
> I think a DB of known spam URL's is safe.  Following URL's makes me
> nervous...

Then SURBL should be fine.  It's just a RHSBL, built from domains
advertised in spam rather than domains that (appear to) send it.  A client 
using SURBL just parses URLs out of the message and queries the domain 
names against the SURBL zone.

Kelson Vibber
SpeedGate Communications www.speed.net 
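
What such a client does, as an added sketch (not SpamAssassin's or SURBL's own code): it pulls hostnames out of URLs in the body, reduces each to its registered domain, and queries that name under the list zone. The zone name multi.surbl.org, the short two-level-TLD table, and the stub resolver data are assumptions made for this example so that it runs offline.

```perl
use strict;
use warnings;

my $ZONE = 'multi.surbl.org';   # assumed zone name for this example

# Tiny stand-in for a public-suffix table (assumption; real clients use a fuller list).
my %TWO_LEVEL = map { $_ => 1 } qw(co.uk org.uk com.au co.jp com.br);

# Extract the distinct hostnames from http/https URLs in a message body.
sub url_hosts {
    my ($body) = @_;
    my %seen;
    while ($body =~ m{\bhttps?://(?:[^\s/\@]*\@)?([a-z0-9.-]+)}gi) {
        my $h = lc $1;
        $h =~ s/\.+$//;                  # drop a trailing dot
        $seen{$h} = 1 if length $h;
    }
    return sort keys %seen;
}

# Reduce a hostname to its registered domain; undef when there is none.
sub registered_domain {
    my ($host) = @_;
    # IP-literal URLs are out of scope for this sketch.
    return undef if $host =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    my @l = split /\./, $host;
    return undef if @l < 2;
    my $keep = (@l >= 3 && $TWO_LEVEL{"$l[-2].$l[-1]"}) ? 3 : 2;
    return join '.', @l[-$keep .. -1];
}

# $resolve is a code ref: query name -> address string, or undef for no record.
# Any answer in 127.0.0.0/8 is treated as "listed", as with other DNS blocklists.
sub surbl_hits {
    my ($body, $resolve) = @_;
    my (%done, @hits);
    for my $host (url_hosts($body)) {
        my $dom = registered_domain($host) or next;
        next if $done{$dom}++;           # one query per domain
        my $answer = $resolve->("$dom.$ZONE");
        push @hits, $dom if defined $answer && $answer =~ /^127\./;
    }
    return @hits;
}

unless (caller) {
    # Constructed sample body and stub DNS answers.
    my $body = <<'END';
Cheap pills at http://www.pills.spam-example.test/buy?id=1 or
http://user@shop.spam-example.co.uk/ and see https://www.example.org/about
END
    my %listed = map { ("$_.$ZONE" => '127.0.0.2') }
                 qw(spam-example.test spam-example.co.uk);
    my $stub = sub { $listed{ $_[0] } };
    # A live resolver would look the name up in DNS instead, for example
    # with gethostbyname() and Socket's inet_ntoa().
    print "listed: $_\n" for surbl_hits($body, $stub);
}
```

Nothing in the message is fetched or followed; the only network traffic a live version generates is one DNS query per distinct domain.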



Re: [Mimedefang] slave error with razor2

2004-04-01 Thread Kelson Vibber
At 01:24 PM 3/31/2004, [EMAIL PROTECTED] wrote:
> mimedefang-multiplexor: Slave 12 stderr: razor2 check skipped: Bad file
> descriptor Died at
> /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm line 409.

IIRC, this means queries to the Razor servers are not responding.

Try running razor-admin -discover as your MIMEDefang user.  This should 
pick up a current list of Razor servers.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] bounce without attachment

2004-03-30 Thread Kelson Vibber
At 07:02 AM 3/30/2004, [EMAIL PROTECTED] wrote:
> In my mimedefang-filter, I have
>
>     if (filter_bad_filename($entity)) {
>         md_graphdefang_log('bad_filename', $fname, $type);
>         return action_bounce("$ext found in mail - rejected");
>     }
>
> My problem is, the mail is rejected and mimedefang sends the reject
> notification with the attachment file. How can I reject mail with an
> attachment and notify the sender without the file?

Unless you've re-sent the mail locally (through one of the stream_by_
functions), you're not generating the bounce notice at all.  action_bounce 
only issues an SMTP reject code.  The notice you're seeing is actually 
generated by whichever server passed the mail to you.

If you have another server funnelling mail to the MIMEDefang server, you 
can reconfigure that one to generate  notices without attachments, but 
unfortunately you can't configure servers that aren't under your control.

Kelson Vibber
SpeedGate Communications www.speed.net 



RE: [Mimedefang] Getting Error from multiplexor: ERR No response from slave

2004-03-29 Thread Kelson Vibber
At 05:59 AM 3/29/2004, Cormack, Ken wrote:
> As for point-value, I am originally setting everything to a point value of
> zero.  My intent was to observe the performance impact of such a huge set
> of rules, without (yet) letting the rules otherwise influence the message
> in any way.

As I understand it, setting the score of a SpamAssassin rule to 0 disables
the rule.  For testing, small values like 0.01 are recommended.

If all these scores are set to 0, SA isn't using them, so something else 
may be going on.

If you haven't already, you should run spamassassin -D --lint and 
mimedefang.pl -test to make sure there are no syntax errors lying in wait.

Kelson Vibber
SpeedGate Communications www.speed.net 



RE: [Mimedefang] Command rejected

2004-03-25 Thread Kelson Vibber
At 11:40 AM 3/25/2004, Kelson Vibber wrote:
> see the man page for mimedefang_filter for more options.

Er, make that mimedefang-filter.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: OT: Gentoo, Red Hat, etc. (was Re: [Mimedefang] Latest MIME-Tools)

2004-03-22 Thread Kelson Vibber
At 01:28 PM 3/22/2004, Justin wrote:
> RPM is really quite lame.  If you ever want to really annoy RPM uninstall
> the very dated version of Perl and all its various modules that come with
> RH and compile and install the latest greatest from source.  RPM will
> never forgive you that one. :)

Just out of curiosity, has anyone tried this on Debian?  How well does
apt-get/dpkg handle that one?

And as I understand it, even in Gentoo you'd still have to use portage to 
get the benefits of its package management.  Sure, it'll be newer than the 
version in Red Hat or Debian Stable, but if you installed from source 
instead of using emerge, you'd still run into problems.

I don't think it's a failing of RPM so much as it's a failing of package 
managers in general - namely, if you install anything that the PM doesn't 
know about, it acts as if it isn't there.  The only way you can get around 
that is if you can override the PM and tell it, Look, Perl's really 
installed.  I know I can't tell you in detail where all the files are, or 
what libraries and utilities it depends on, but it's installed, honest!

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: OT: Gentoo, Red Hat, etc. (was Re: [Mimedefang] Latest MIME-Tools)

2004-03-22 Thread Kelson Vibber
At 03:48 PM 3/22/2004, Les Mikesell wrote:
> There are two approaches that work.  One is to keep locally compiled
> things under /usr/local which is often their default, and adjust your PATH
> to use them instead of the system version when desired.

I used to do this.  Actually, I still do this on servers with sendmail,
apache, and php.  Stow helps a little, but it's still a pain to deal with,
especially when you've replaced a system package or you need to uninstall
or upgrade something.

> The other is to write a spec file (you can usually adapt the old one from RH)
> to build your own RPM.  The latter way keeps the RPM database up to date,
> makes it easy to install on other machines, and makes it possible to
> uninstall everything.

This is now my preferred way to handle it, both at home and at work.  It's
just cleaner, and it's usually not much more difficult than building the 
source manually (and sometimes easier!).  Often all you have to do is 
update the version number and grab the new source (which you would have 
done anyway).  And it's becoming more common for projects (like MD) to 
include their own .spec files, so all you have to do is run rpmbuild -ta 
whatever.tar.gz

Although with my desktop machines running Fedora, I've found that using 
apt-get and synaptic with FreshRPMs, DAG and ATRPMs is very nice.  Often if 
I don't need something right away, I'll wait a day or two, see if it shows 
up, and only then build my own package.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Latest MIME-Tools

2004-03-22 Thread Kelson Vibber
At 02:43 PM 3/22/2004, Les Mikesell wrote:
> But, it would be great if someone packaged MimeDefang and Clamav for an
> rpm install...

Both are available from the DAG RPM repository at
http://dag.wieers.com/home-made/apt/  Alexander mentioned earlier today 
that Dag's .spec for MD is now included in the MD source distribution.

You can use apt or yum (at least, I *think* I remember setting up yum to 
use it at one point), or you can just go to http://dag.wieers.com/packages/ 
and grab the RPMs.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] mount noatime (was: ramdisks on Linux)

2004-03-17 Thread Kelson Vibber
At 07:20 AM 3/17/2004, Chris Myers wrote:
> Mount /tmp as ramdisk, noatime

Unless you're using tmpwatch to clear out old files in /tmp.  You can set
it to decide based on mtime instead of atime, but atime is the default.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] special use IPv4 addresses to consider: RFC 3330

2004-03-10 Thread Kelson Vibber
At 07:34 PM 3/9/2004, Jeremy Mates wrote:
> * Network Guy [EMAIL PROTECTED]
> > Aaaa, block ALL incoming unroutable IP addys at the router. You should
> > not permit an IP from the 192.168.. 10... ( can't remember that other
> > one just now ) and 127.0.0.1.

And if you can't/won't block it at the router, you can use filter_relay -
but remember that locally-submitted mail shows up as being from 127.0.0.1!

Kelson Vibber
SpeedGate Communications www.speed.net 
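
An added sketch of the filter_relay check described above (not code from the thread or from MIMEDefang itself): it rejects relays in the private and loopback blocks the thread refers to, but lets 127.0.0.1 through first so that locally submitted mail is not refused. The block list, the reject wording and the sample addresses are constructed for illustration.

```perl
use strict;
use warnings;

# Blocks to refuse as relay addresses. Each entry: [network, prefix length].
# RFC 3330 lists more special-use blocks than these.
my @SPECIAL_USE = (
    ['127.0.0.0',    8],   # loopback
    ['10.0.0.0',     8],   # private
    ['172.16.0.0',  12],   # private
    ['192.168.0.0', 16],   # private
);

# Convert a dotted quad to a 32-bit integer; undef if malformed.
sub ip_to_int {
    my ($ip) = @_;
    return undef
        unless defined $ip
            && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @o = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True when the integer address falls inside network/bits.
sub in_block {
    my ($ip_int, $net, $bits) = @_;
    my $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ip_int & $mask) == (ip_to_int($net) & $mask);
}

# Same arguments and return convention as MIMEDefang's filter_relay hook.
sub filter_relay {
    my ($hostip, $hostname) = @_;

    # Locally submitted mail arrives from 127.0.0.1: exempt it before the
    # block list is consulted, or local senders get rejected too.
    return ('CONTINUE', 'ok') if defined $hostip && $hostip eq '127.0.0.1';

    my $n = ip_to_int($hostip);
    return ('CONTINUE', 'ok') unless defined $n;   # not IPv4: leave to other checks

    for my $blk (@SPECIAL_USE) {
        if (in_block($n, @$blk)) {
            return ('REJECT',
                    "Relay $hostip is in special-use block $blk->[0]/$blk->[1]");
        }
    }
    return ('CONTINUE', 'ok');
}

unless (caller) {
    # Constructed sample relay addresses.
    for my $ip (qw(127.0.0.1 127.0.0.53 10.1.2.3 172.20.0.9
                   192.168.1.50 198.51.100.7)) {
        my ($code, $msg) = filter_relay($ip, 'sample.host.invalid');
        print "$ip -> $code ($msg)\n";
    }
}
```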



Re: [Mimedefang] How can I get this email blocked?

2004-03-09 Thread Kelson Vibber
At 11:06 AM 3/9/2004, Matt Rossiter wrote:
> It usually gets tagged with a spam score of 2.5 and my tolerance is
> 5.0.  The link in this email takes
> you to a domain called storefree.biz - can someone suggest a way of
> eliminating this spam?

If the messages include common phrases, you could write a SpamAssassin rule
to catch them.  You'll probably be better off posting this to the 
SpamAssassin list, though.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] add to sa score for clients that only give hostname in helo.

2004-03-08 Thread Kelson Vibber
At 11:20 AM 3/8/2004, Jason Englander wrote:
> ...but you could set a global variable in filter_relay to reflect whether
> or not it only has a hostname component, then act on it where you can run
> action_change_header, change the SA score, etc.

Actually, no, you can't - filter_relay and filter_end can get run by
different slaves, so variables defined in filter_relay aren't necessarily 
going to stick around.  (See the Global Variable Lifetime section in the 
mimedefang-filter man page.)

...unless this has changed between 2.39 and 2.40 (I haven't upgraded yet).

Kelson Vibber
SpeedGate Communications www.speed.net 



RE: [Mimedefang] New way of obfuscating text

2004-02-11 Thread Kelson Vibber
At 09:32 PM 2/10/2004, Randy Hammock wrote:
> Have not seen this one yet; however, I've recently gotten SPAM where they
> set the text color to be the same as the background color. They used this
> mostly around blocks of random words (to fool Bayesian filters) and around
> other random letters to obfuscate the words they wanted hidden from the spam
> checker but show up when read.

If the text is the same color as the background on SPAM, it's waaay too old
to eat!

Seriously, though, I think SpamAssassin already looks for that.

(SPAM = processed lunch meat, and spam = junk email: 
http://www.spam.com/ci/ci_in.htm )

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] action_tempfail and delete_recipient question

2004-02-04 Thread Kelson Vibber
At 05:43 PM 2/3/2004, Xiaoyan Ma wrote:
> How can I only tempfail 2 of 5 recipients then?

Unless I'm mistaken, you don't tempfail a recipient so much as you tempfail
a message.  (If anyone can correct me, please do!)

> Is stream_by_recipient the right approach

No, stream_by_recipient won't do what you want.  That would accept the
message, then resend it locally.  As far as the sending machine is 
concerned, the message will have gotten through.

Kelson Vibber
SpeedGate Communications www.speed.net 



RE: [Mimedefang] Security note: Open port 25 on internal mail servers

2004-02-04 Thread Kelson Vibber
At 04:16 PM 2/4/2004, [EMAIL PROTECTED] wrote:
> One SMTP server (A) that accepts only authenticated sessions and allows
> relay for those.
> Another SMTP server (B) that accepts any session but does not allow relay.
> The trick is to only have A listed as an MX record.  B does *not* need to be
> listed as an MX record.  Usually B is listed explicitly (by DNS name) in the
> off-campus-client's email client as the Sending Mail Server or SMTP
> Server - no need to advertise it in DNS, though a portscanner will still
> find it.

Er, shouldn't that be the other way around?  Or am I misreading?

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Additional Spamassassin Rules

2004-02-03 Thread Kelson Vibber
At 02:40 PM 2/3/2004, David F. Skoll wrote:
> On Tue, 3 Feb 2004, Ole Holm Nielsen wrote:
> > Actually, the SpamAssassin docs state that you *shouldn't* drop
> > local rules in /usr/share/spamassassin, since they will be
> > removed when upgrading SpamAssassin (yes, I learned the hard
> > way :-).
> Not if you number them 70_* or higher, I believe.

Of course, this relies on SpamAssassin never changing their numbering system.

Better to stick with the recommended location (/etc/mail/spamassassin) than 
to watch things stop working when you install SpamAssassin 2005.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Has anyone used fang.pl

2004-01-29 Thread Kelson Vibber
At 02:20 PM 1/28/2004, Cormack, Ken wrote:
> Has anyone ever used fang.pl (in the contrib directory of the MIMEDefang
> source tree) to reconstruct an email?
> It looks like I've just been handed my first-ever need to recover from a
> quarantine dir.

I had problems figuring it out too, but I found that if you use
quarantine_entire_message, it works to call:

  sendmail -f`cat SENDER` `cat RECIPIENTS` < ENTIRE_MESSAGE

(source: 
http://lists.roaringpenguin.com/pipermail/mimedefang/2003-April/014049.html )

Kelson Vibber
SpeedGate Communications www.speed.net 



[Mimedefang] Using more than one virus scanner is a good idea.

2004-01-28 Thread Kelson Vibber
Mydoom/Novarg/Worm.SCO seems to be really persistent.  Despite using both 
ClamAV and manual checking (for known filenames or zips with the particular 
file size), one copy actually got through to my inbox this morning where it 
was caught by Norton Antivirus.  (Not that I would have opened it, of 
course!)  Now that File::Scan detects it, I'm still seeing a lot of copies 
slipping past it and getting caught by Clam.

So I'd definitely recommend using more than one virus scanner when possible!

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Mimedefang with spamc/spamd

2004-01-28 Thread Kelson Vibber
At 09:19 AM 1/28/2004, Steve Moore wrote:
> Is it possible to have mimedefang use spamc/spamd rather than loading
> spamassassin?  And if so what changes do I make to mimedefang-filter to
> accomplish this?

MIMEDefang calls SpamAssassin's perl routines directly.  It doesn't
actually load SpamAssassin, so calling out to spamc/spamd would probably 
slow things down.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Anyone else having problems with Clamd 0.65?

2004-01-28 Thread Kelson Vibber
At 01:59 PM 1/27/2004, Lucas Albers wrote:
> Can you try just running clamscan?
> I was setting up a new backup mx server and when I ran clamd it had milter
> problems, it appeared just running clamscan worked correctly.

That will probably be the next thing I try, if my current setup fails.  I
looked up more info on clamav, and found a suggestion to move to a newer 
snapshot.  I'd been reluctant to do so before (since this *is* a production 
server), but in the face of Mydoom I decided it was time to give it a try, 
and I grabbed yesterday's snapshot.

It's held up for the past 18 hours or so, which is longer than 0.65 seems 
to have managed.  So far, so good.

I'm just reluctant to sacrifice the efficiency gains clamd has over 
clamscan.  But if push comes to shove, I'll drop back to clamscan.  These 
days, inefficient virus scanning is better than none at all.

Kelson Vibber
SpeedGate Communications www.speed.net  



Re: [Mimedefang] Tracking down the delay (Razor timeout!)

2004-01-28 Thread Kelson Vibber
At 11:21 AM 1/28/2004, Adam Porter wrote:
> So I guess my questions now are:  How do I find  set up a good, reliable
> set of RBLs?  Do I need to invest a lot of time or can I automate it?  Is
> this an anomaly with cloudmark's db/service or does this kind of thing
> happen a lot?  (PS: I re-initialized my razor client but it hasn't helped.)

I've heard of similar problems with Pyzor today (which is completely
separate from Razor).  With two similar services bogging down, I suspect 
they are due to the increased traffic caused by Mydoom and sites that 
bounce/notify senders.

http://news.com.com/2100-7355-5148995.html states:

> On Tuesday and today, people have noticed that the Internet is a
> percentage slower. The bounce-back e-mails could account for up to 25
> percent of this slowdown

It's especially applicable in this case.  The increased volume from both 
the virus and responses to it translates directly into increased load on 
Razor, Pyzor, DCC, and anything else where recipients check each message 
against a centralized server (or group of servers).

At least from the tone of the article, it sounds like more and more people 
are coming to realize that auto-notification on viruses just doesn't make 
sense anymore.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] Check extensions beforer virus scan

2004-01-27 Thread Kelson Vibber
At 02:25 PM 1/27/2004, Jim McCullars wrote:
> So I guess the answer is in filter(), just change the order of the
> virus scan and the bad_ext check, but leave the code in filter_begin()
> alone.

Alternatively, remove the calls in filter_begin, then entity_contains_virus
out of the if ($FoundVirus) block.  On one hand,
you do scan each entity individually.  On the other, you don't scan 
anything that you're already deleting.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] New .zip virus?

2004-01-26 Thread Kelson Vibber
At 04:57 PM 1/26/2004, David F. Skoll wrote:
> I'm seeing bounces from messages I supposedly sent containing a .zip file.
> I think there's a new .zip virus out there.  Watch out; the default filter
> will not catch these.

Yes: http://news.com.com/2100-7349_3-5147605.html

Apparently it's called MyDoom, Novarg or Mimail.somethingorother, and 
infected machines are DDOSing SCO's website.

Kelson Vibber
SpeedGate Communications www.speed.net 



Re: [Mimedefang] rejecting on helo,drive-by-relay,forged_sender,

2004-01-16 Thread Kelson Vibber
At 10:00 AM 1/16/2004, [EMAIL PROTECTED] wrote:
> As it's been said elsewhere, it won't take off until some of the biggies
> adopt it - AOL, Yahoo, MSN.  Then it might catch on.

Actually, AOL is already posting SPF records, at least on an experimental
basis.  (They turned it off over the weekend, then turned it back on with 
changes on Monday.)

Give it a try: dig aol.com TXT or nslookup -type=txt aol.com

Kelson Vibber
SpeedGate Communications www.speed.net 
