Re: [Mimedefang] Overcoming RPM stupidity
On Tue, Dec 19, 2006 at 09:21:44PM -0500, Jeff Rife wrote:
On 19 Dec 2006 at 22:09, Michael Lang wrote:
On Tue, Dec 19, 2006 at 12:57:03PM -0600, Richard Laager wrote:
On Sun, 2006-12-17 at 20:46 -0500, Jeff Rife wrote:

In the Fedora 6 RPM for MIMEDefang, mimedefang.pl was created using no

Well, the bug has been reported and the solution they came up with to add perl-Unix-Syslog to the requirements for mimedefang...which will mean that anybody who for some reason wants to use Sys::Syslog can't. It's the exact opposite of my problem, but I don't suppose anybody else will notice. I probably wouldn't have cared if my edits to mimedefang.pl hadn't been silently overwritten.

that will happen again as long as you don't follow the guides of RPM :) the config files in the Spec of David's RPM are the correct ones to add your own modification without getting them overwritten next update, BUT you also need to take care for your own if function layout changes, or new functions get introduced ...

    %config(noreplace) /etc/mail/mimedefang-filter
    %config(noreplace) /etc/mail/sa-mimedefang.cf
    %config(noreplace) /etc/mail/sa-mimedefang.cf.example
    %config(noreplace) /etc/sysconfig/%{name}

for my side i only modified as little as possible in the original files and added a require('myfilter.pl') to the mimedefang-filter file. I overwrite there the functions i need or add additional ones ...

Doing mystic things in %post and so isn't a good idea cause, you may shoot some dependencies used by other packages (conflicts with Unix::Syslog) or there's maybe no Network connectivity to CPAN mirrors, ...

Well, you could just build the package with and without Unix::Syslog available and diff all the files. Then, when you find the one file that is changed is mimedefang.pl, you can have %post do a patch *if* a perl script finds that Unix::Syslog is installed on the system. Of course, if RPM had a more flexible requirements syntax, you could have things like optional requirements or pick one of (as this is).

hmm that's not what i meant ... currently you have two packages for mimedefang from the default spec. If David or someone separates the log functions into an additional script and uses a require to add this function it would be possible to handle it the same way as i do with the filter itself. The Spec would then build

    mimedefang (Core)
    mimedefang-contrib (contrib)
    mimedefang-modules (Sys::Syslog)

you could then build a mimedefang-modules-unix-syslog adding your Syslog functionality and simply replace the provided with your own.

Greetz mIke

--
Jeff Rife | This? This is ice. This is what happens to
          | water when it gets too cold. This? This is
          | Kent. This is what happens to people when
          | they get too sexually frustrated.
          | -- Chris Knight, Real Genius

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] Overcoming RPM stupidity
On Wed, Dec 20, 2006 at 07:39:51AM -0600, Les Mikesell wrote:
Michael Lang wrote:

    %config(noreplace) /etc/mail/mimedefang-filter
    %config(noreplace) /etc/mail/sa-mimedefang.cf
    %config(noreplace) /etc/mail/sa-mimedefang.cf.example
    %config(noreplace) /etc/sysconfig/%{name}

for my side i only modified as little as possible in the original files and added a require('myfilter.pl') to the mimedefang-filter file. I overwrite there the functions i need or add additional ones ...

The RedHat way of thinking would probably put the user-configurable piece in something like /etc/sysconfig/mimedefang-filter.pl and have the base system version include that. Then at some unspecified time in the future, a GUI tool might appear to help edit that file.

they do ... your /etc/sysconfig/mimedefang file tells which filter file to use ... but the main problem was that even the filter itself should not be overwritten as declared in the specfile, so the changes were made to /usr/bin/mimedefang.pl i suppose which was replaced by the update.

Greetz mIke

--
Les Mikesell [EMAIL PROTECTED]

Re: [Mimedefang] Overcoming RPM stupidity
On Tue, Dec 19, 2006 at 12:57:03PM -0600, Richard Laager wrote:
On Sun, 2006-12-17 at 20:46 -0500, Jeff Rife wrote:

In the Fedora 6 RPM for MIMEDefang, mimedefang.pl was created using no Features at all. For most of them, this isn't a big deal, as I can put $Features{'whatever'} = 1 in mimedefang-filter and it works. But, this isn't true for Unix::Syslog (or at least I haven't found a way to overcome it).

I've been following the rest of this thread, but seriously, the subject captures the problem. The Fedora 6 MIMEDefang RPM has a bug. Report it to the Fedora people to get a fixed RPM. If you need a faster solution, fix the RPM yourself and install that, then send them the patch.

that depends on what you define as a bug ... if there's a modular setup for the script and using Sys::Syslog is legal and okay it's not a bug. AFAIK the Fedora guys build their RPMs using Plague, which i think is the best way to build and provide RPMs to a big community. So if the SPEC file doesn't say something different than *you need Unix::Syslog* the build will complete without a problem.

Doing mystic things in %post and so isn't a good idea cause, you may shoot some dependencies used by other packages (conflicts with Unix::Syslog) or there's maybe no Network connectivity to CPAN mirrors, ...

one thing you could do is to separate the Syslog part from the filter, putting just a wrapper into the code and deploying a default mimedefang-syslog module which handles the real implementation (for default installs Sys::Syslog) and then a second RPM can be built deploying Unix::Syslog as backend deployment which would have the perl-Unix-Syslog dependency and everyone should live happy until ...

just my 5 cents

Any workarounds in the filter are going to be hacky. I think David's on the right track trying to have MIMEDefang detect them at run-time, but unless and until that happens, fixing the RPM is the right course of action here.

Richard

Re: [Mimedefang] Greylisting - Too many open connections
On Fri, 2006-11-03 at 13:38 +, Carlton Thomas wrote:

Hi,

I have implemented greylisting in Mimedefang and all works well until the mail server gets very busy. When it gets busy there is a rapid increase in the number of Mimedefang, Sendmail and MySql processes. When the sendmail connections are examined, most of them are in the RCPT TO state, and they just hang around in that state for a long time. I am assuming that this is happening because sendmail has rejected the message but the client is still holding the connection open, either to attempt immediate retries or because it does not understand the TEMPFAIL.

The call to the greylisting code is made in Filter_Recipient as per recommendations from various messages to this list. I have also searched the list archive to see whether others have had this problem but found only a couple of related posts but no solutions.

Has anybody else managed to get sendmail to terminate the connection when a message is tempfailed from within the filter_recipient routine? If that is not possible, what have others been doing to get rid of the connection in order to minimise the number of active sendmail processes?

I did see a message in which someone stated that tempfailing a message with the 421 code would cause sendmail to terminate the active connection. I have tried that but it does not seem to work for me and I have also seen others saying that it is not possible for a milter to force sendmail to terminate a connection.

Any help or guidance on this subject would be most appreciated.

Hi Carlton,

it's not possible to terminate the connection in filter_recipient, it has been on the list before (if you want to get in details), but try using sendmail's connection handling/throttle

in sendmail.mc

    define(`confBAD_RCPT_THROTTLE', `2')dnl
    define(`confCONNECTION_RATE_THROTTLE', `5')dnl
    FEATURE(`ratecontrol', `nodelay')dnl

in access file

    # conns/timeunit
    ClientRate:127.0.0.10
    # internalClients
    ClientRate:192.168.0.0 5
    # default handling
    ClientRate: 2
    # conns/total
    ClientConn:127.0.0.10
    # internalClients
    ClientConn:192.168.0.0 5
    # default handling
    ClientConn: 2

these settings can help you manage a large number of same/different Client connections to your MTA but will not help you getting the processes down, so maybe moving the SQL processes to another machine might be helpful too.

Kind regards
Michael Lang

Regards !

--
Carlton
GIFFORD INTERNET SERVICES
Bristol, United Kingdom

--
Michael Lang [EMAIL PROTECTED]

[Mimedefang] IPrange based Filter checks, need help to get the point ...
Hi,

i need your help to get my light on again ... i started switching my Mail Infrastructure to XEN, previously i noticed that when my one MTA sends to the other MTA (both XEN same LAN) no filter gets applied. (except Filtertime Logentry :)

Okay in a different view this makes sense but isn't wanted ... i didn't find an entry in the manpages which states that same LanSegments don't get filters applied (its RFC1918 192.168 and 127.0.0.1 too). Remote Machines (different LanSegments) get filter applied like since ever.

where do i miss the point ? or can it be a sendmail specific problem ? i'm using Srv_Feature, Conn/Rate Limits (Feature delay_checks)

thanks for any hint

Kind regards
Michael Lang

--
Michael Lang [EMAIL PROTECTED]

Re: [Mimedefang] Retrieving SMTP AUTH info
On Fri, 2006-08-11 at 12:36 +0100, Dan Massey wrote:

Hi All

I am trying to retrieve the SMTP AUTH info from within the mimedefang-filter program, this is for custom logging and detecting violations of our SMTP AUTH policy with customers. I can get the sendmail message id with the $MsgID, but cannot find the SMTP AUTH. Can anybody help?

i think the one you might be missing

    read_commands_file();

after the command you can use

    $SendmailMacros{'auth_authen'}

Thanks in advance
Dan

--
Michael Lang [EMAIL PROTECTED]

Re: [Mimedefang] Non-routable addresses in HELO
On Mon, 2006-07-10 at 09:17 -0500, Jim McCullars wrote:
On Sun, 9 Jul 2006, Dirk the Daring wrote:

Obviously, if I have sending hosts on my network that really did have non-routable addresses, this would be a possible problem (altho the simple

I just reject when someone sends an IP address as a HELO, and it is not their actual IP address. In filter_sender():

i remember an exploit with negative Integers as helo name ... and as RFC 821 states

    This command is used to identify the sender-SMTP to the receiver-SMTP.
    The argument field contains the host name of the sender-SMTP.

it should be the hostname of the remote MTA, so everything in /^[a-z0-9\-\.]+/i would be valid, so if you want to be restrictive implement a FULL FQDN check for the helo, extending to prevent Spam/Virus Senders from abusing your MTA, you could add SPF checking and DUL strings in reverse FQDN as helo Strings are modifiable from within the Virus/Trojan. (I've already seen Zombie PC's sending Messages periodically after 10 minutes to get past greylisting.)

but maybe it's easier to setup secured communication Channels with your MTA Peers ? like 'DENY ALL, ALLOW FROM ...' ;)

Greetz mIke

try adding these filter to your config but do logging only ;)

    sub filter_recipient {
        ...
        # Log only: check_dul() returns ('TEMP', $message) on a match and an
        # empty list otherwise, so call it once and log just the message text.
        my ($action, $message) = check_dul($RealRelayHostname);
        md_syslog('warning', $message) if defined $action;
        ...
    }
    ...

    sub check_dul {
        my $reverseFQDN = $_[0];
        md_syslog('warning', "Checking for MTAname $reverseFQDN");
        # runs of digit groups joined by dots or dashes in the reverse name
        if ($reverseFQDN =~ /\d{1,3}[\.\-]\d{1,3}(|(\d{1,3}[\.\-]\d{1,3})|[\.\-]\d{1,3})/) {
            return ('TEMP', "$reverseFQDN DUL like syntax");
        } elsif ($reverseFQDN =~ /\d{1,3}[\.\-]\d{1,3}[\.\-]\d{1,3}(|[\.\-]\d{1,3})/) {
            return ('TEMP', "$reverseFQDN DUL like syntax");
        # keywords typical of dial-up and dynamic address pools
        } elsif ($reverseFQDN =~ /(xsdl|adsl|pool|dial(in|up|-in|-up)|dynamic)/i) {
            return ('TEMP', "$reverseFQDN DUL like syntax");
        } else {
            return;
        }
    }

    if ($helo =~ /^\d+\.\d+\.\d+\.\d+$/) {   # looks like an IP
        if ($helo ne $ip) {
            return('REJECT', "IP address $ip doesn't match helo string $helo");
        }
    }

This is fairly effective, I grepped my syslog file on one of two email relays and since last Friday it stopped over 5000 email attempts. It has the added effect of stopping those who use *my* IP address as the HELO string.

HTH...

Jim McCullars
University of Alabama in Huntsville

--
Michael Lang [EMAIL PROTECTED]

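The "full FQDN check for the HELO" suggested in this message can be written as a classifier that is anchored at both ends of the string. This is an added example, not code from the thread or from MIMEDefang; `classify_helo` and the sample HELO arguments are constructed for illustration, and whether a filter rejects or only scores on the result is left to the filter.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Classify a HELO/EHLO argument (hypothetical helper, not a MIMEDefang API).
# Returns one of:
#   'address-literal'  bracketed form such as [192.0.2.25] or [IPv6:...]
#   'bare-ip'          dotted quad without brackets
#   'fqdn'             two or more valid labels, last label contains a letter
#   'single-label'     one valid label and no dot (e.g. "localhost")
#   'invalid'          anything else
sub classify_helo {
    my ($helo) = @_;
    return 'invalid'
        unless defined $helo && length($helo) > 0 && length($helo) <= 255;

    # \A and \z anchor the whole string; "$" would also accept a trailing
    # newline, and an unanchored pattern accepts anything after the match.
    return 'address-literal'
        if $helo =~ /\A\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]\z/;
    return 'bare-ip'
        if $helo =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;

    (my $name = $helo) =~ s/\.\z//;        # tolerate one trailing dot
    my @labels = split /\./, $name, -1;    # -1 keeps empty labels ("a..b")
    return 'invalid' unless @labels;

    for my $label (@labels) {
        # 1 to 63 characters, letters/digits/hyphen, no hyphen at either end
        return 'invalid'
            unless $label =~ /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/;
    }

    return 'single-label' if @labels == 1;

    # An all-numeric last label (e.g. "1.2.3.4.5") is not a host name.
    return $labels[-1] =~ /[A-Za-z]/ ? 'fqdn' : 'invalid';
}

# Constructed sample HELO arguments, including a negative integer,
# an underscore, an embedded newline and an empty label.
for my $helo ('mail.example.org', '[192.0.2.25]', '192.0.2.25', 'localhost',
              '-1', 'host_name.example.org', "mail.example.org\n",
              'a..example.org') {
    (my $shown = $helo) =~ s/\n/\\n/g;
    printf "%-24s %s\n", $shown, classify_helo($helo);
}
```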
Re: [Mimedefang] Non-routable addresses in HELO
On Mon, 2006-07-10 at 10:26 -0700, John Rudd wrote:
On Jul 10, 2006, at 7:57 AM, Michael Lang wrote:

If you're going to be a stickler about what the RFC says, in what you require about the sender, then it's probably a good idea to be a stickler about the RFC in how your server operates as well. Specifically, you may not refuse the message based upon the HELO argument.

uupps .. maybe i pointed out this one, the wrong way ... what i meant was that, putting in your filter (oct.oct.oct.oct) today and tomorrow the next, doesn't make sense. It's the wrong way of 'ALLOW ALL, DENY ...'

My point being: Seems rather hypocritical to complain about the lack of merits of the client based upon lack of RFC compliance ... while advocating lack of RFC compliance in your server.

in my filter RFC ignorant client Mails get additional SpamScore added, but as written above, i pointed it out wrong ...

Kind regards
Michael Lang

--
Michael Lang [EMAIL PROTECTED]

Re: [Mimedefang] $Sender without '' and ''
On Wed, 2006-07-05 at 08:14 +0200, Steffen Kaiser wrote:
On Wed, 5 Jul 2006, Oliver Schulze L. wrote:

when you check man mimedefang-filter, you'll find such sentence in the context of mail addresses:

    The address may or may not be surrounded by angle brackets.

(This one is from the paragraph "filter_sender is passed four arguments:").

additional to 'is this ok' you should never trust the Data you get supplied by anyone :)

Kind regards
Michael Lang

Bye,

--
Michael Lang [EMAIL PROTECTED]

Re: [Mimedefang] no filtering happening, no errors to be seen - how to troubleshoot?
On Thu, 2006-06-29 at 16:54 +0200, Michael Lang wrote:
On Wed, 2006-06-28 at 12:35 +0200, Steffen Kaiser wrote:

...

the Filters are working correctly after the restart (spam gets classified, headers get inserted, ... )

but thanks for taking a look, i know that's not a good problem description, but if i would have more information it wouldn't be a problem :) maybe i can get a trace of the slaves next time it appears.

as i can say, the mail gets stuffed into the Workdir, gets scanned by the Virus Scanner, and nothing more ... there's no Error from the Scanner (not in the Logs and not in the Trace) and the Scanner is accessible from commandline (clamdscan) and last but not least, restarting Mimedefang works ... *grml*

as i'm not allowed to send plain/text attachments to the list :)

    554 5.7.1 Message rejected because of unacceptable content. For help, please quote incident ID 78405.

i post the link to the trace file http://www.jackal-net.at/mimedefang-notworking.txt

Kind regards
Michael Lang

--
Michael Lang [EMAIL PROTECTED]

Re: [Mimedefang] no filtering happening, no errors to be seen - how to troubleshoot?
On Wed, 2006-06-28 at 12:35 +0200, Steffen Kaiser wrote:
On Wed, 28 Jun 2006, Michael Lang wrote:
On Wed, 2006-06-28 at 09:46 +0200, Steffen Kaiser wrote:

1) E.g.: use md_syslog() in all your filter_* functions to log the information you care about in your filter.
2) Put a new header in your mail.

BTW: Did you check for the X-Scanned-By header in the mail? Is your multiplexor running with the correct settings?

X-Scanned-By gets inserted but nothing else, no additional Headers (and they should be inserted on every mail). No Error in the Logs, looks like just exiting immediately

When you see the X-Scanned-By header (and the contents points toward MIMEDefang), MIMEDefang seems to work ;-) So, did you put md_syslog()'s into the particular functions? Did you add a new header _unconditionally_, e.g. in sub filter_begin()?

yes, i change the SA User from MailAddress to an Uid what gets logged by 'md_syslog'

Just to guess, did you modify /etc/mail/mimedefang-filter at all?

yes, and everything works fine for an uncounted period of time.

restarting mimedefang as solution works, but isn't nice ...

What do you mean with this sentence? What is working after restart?

i mean, that's not the it should be :) the Filters are working correctly after the restart (spam gets classified, headers get inserted, ... )

but thanks for taking a look, i know that's not a good problem description, but if i would have more information it wouldn't be a problem :) maybe i can get a trace of the slaves next time it appears.

Kind regards
Michael Lang

Bye,

--
Michael Lang [EMAIL PROTECTED]

Re: [Mimedefang] Two Subject lines in header
On Thu, 2006-06-29 at 09:04 -0600, Chris Carey wrote:

I received a spam message today that the subject line was not tagged. Investigating the header I found why. Subject was specified twice. MIMEDefang only modified the first Subject line.

MIMEDefang modified the *first* subject with [spam 15 hits], but the second remained unchanged. Mozilla Thunderbird chose to use the second unchanged subject line as the one to show.

Having Subject twice in the email headers seems to be a way to get spam to arrive in someone's inbox without client-side rules catching it..

So the obvious question - How to have MIMEDefang catch when Subject is specified twice (or more) in the header?

so that's why you should never trust your input data.

how to prevent ?

- remove existing X-Spam headers
- input your X-Spam header (Yes/No/Score...)
- filter on these lines ;)

Kind regards
Michael Lang

--
Chris Carey

--
Michael Lang [EMAIL PROTECTED]

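Counting the header fields that may appear only once is one way to catch the duplicated Subject described in this thread. This is an added example, not code from the list posts or from MIMEDefang; `duplicated_singletons` and the sample message are constructed, and how a filter obtains the raw header text and what it does with the result are assumptions left to the filter.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Header fields that RFC 5322 allows at most once per message.
my @SINGLETON = qw(date from sender reply-to to cc bcc message-id
                   in-reply-to references subject);

# Takes the raw message (or just its header block) as one string.
# Returns a hash ref: lowercased field name => array ref of all values,
# only for singleton fields that occur more than once.
sub duplicated_singletons {
    my ($raw) = @_;
    $raw = '' unless defined $raw;

    (my $text = $raw) =~ s/\r\n/\n/g;     # normalise line endings
    return {} if $text =~ /\A\n/;         # message starts with an empty header

    # Keep only the header block: everything before the first empty line,
    # so that body text shaped like a header is never counted.
    my ($head) = split /\n\n/, $text, 2;
    $head = '' unless defined $head;

    # Unfold continuation lines (a line starting with space or tab
    # continues the previous field).
    $head =~ s/\n[ \t]+/ /g;

    my %seen;
    for my $line (split /\n/, $head) {
        # Field name: printable ASCII except ':'; names are case-insensitive.
        next unless $line =~ /\A([!-9;-~]+)[ \t]*:[ \t]*(.*)\z/s;
        push @{ $seen{lc $1} }, $2;
    }

    my %dup = map  { $_ => $seen{$_} }
              grep { $seen{$_} && @{ $seen{$_} } > 1 } @SINGLETON;
    return \%dup;
}

# Constructed sample: two Subject fields with different capitalisation,
# a folded Received field, and a body line that looks like a Subject.
my $sample = join("\r\n",
    'Received: from mail.example.net (mail.example.net [192.0.2.10])',
    "\tby mx.example.org; Thu, 29 Jun 2006 09:00:00 -0600",
    'From: sender@example.net',
    'To: user@example.org',
    'Subject: [spam 15 hits] first subject, the one the filter tagged',
    'subject: second subject, the one the mail client displayed',
    'Date: Thu, 29 Jun 2006 09:00:00 -0600',
    '',
    'Subject: this line is body text, not a header',
    '');

my $dup = duplicated_singletons($sample);
for my $name (sort keys %$dup) {
    printf "%s appears %d times: %s\n",
        $name, scalar @{ $dup->{$name} }, join(' | ', @{ $dup->{$name} });
}
```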
Re: [Mimedefang] no filtering happening, no errors to be seen - how to troubleshoot?
On Wed, 2006-06-28 at 09:46 +0200, Steffen Kaiser wrote:
On Tue, 27 Jun 2006, Kitione Lalakomacoi wrote:

thanks for the reply. relaying and reception is not an issue, i receive all e-mail (actually wish i wasn't, at least something would be happening).

i saw the same behavior here,

Did you check if MIMEDefang is called at all?

1) E.g.: use md_syslog() in all your filter_* functions to log the information you care about in your filter.
2) Put a new header in your mail.

BTW: Did you check for the X-Scanned-By header in the mail? Is your multiplexor running with the correct settings?

X-Scanned-By gets inserted but nothing else, no additional Headers (and they should be inserted on every mail). No Error in the Logs, looks like just exiting immediately

restarting mimedefang as solution works, but isn't nice ...

Kind regards
Michael Lang

Bye,

--
Michael Lang [EMAIL PROTECTED]

Re: [Mimedefang] BitDefender load average woes
[EMAIL PROTECTED] wrote:

I'm running BitDefender and ClamAV virus scanners through MIMEDefang. All of a sudden BitDefender started consuming a huge amount of CPU. My load average shot up from under 1 to between 6 and 15.

Hi Matthew,

can you 'reproduce' this behavior ? I've seen an even more strange CPU/Memory consuming *feature* from Kaspersky with all currently Scanners available which triggers your Machine into death. (5-10 Mails of 1.6MB size required)

This DOS wasn't taken seriously from Kaspersky neither other 'Security related' sites. It's a ticking bomb waiting there.

look for mails which cause such behavior, i will try the Kaspersky DOS on BitDefender as soon as i get time...

Kind regards
Michael Lang

This happened on two servers simultaneously. I disabled BitDefender (delete $Features{Virus:BDC}) and the problems went away. Is anyone else having this problem?

    $ bdc --info
    BDC/Linux-Console v7.1 (build 2559) (i386) (Jul 6 2005 16:28:53)
    Copyright (C) 1996-2004 SOFTWIN SRL. All rights reserved.
    Engine signatures: 370654
    Scan engines: 13
    Archive engines: 39
    Unpack engines: 4
    Mail engines: 6
    System engines: 0

Re: [Mimedefang] MIMEDefang and mailman
On Mon, 2006-02-20 at 17:22 +1030, Daniel O'Connor wrote:

Hi,

Hi Daniel,

I am having some difficulty with spammers on my lists - I have switched to subscriber only posting but I still have to deal with a lot of crud each day.

I would like to be able to do Bayes for the lists (as a global entity) - I wrote a script which runs sa-learn as the mailman user (and running spamassassin manually shows good results) but it doesn't appear to have any effect on messages going through the mail system..

I imagine this is because MIMEDefang can't infer what username to use - is there a way I can tell it?

    $ ~mailman/bin/list_members
    List all the members of a mailing list.
    Usage: bin/list_members [options] listname
    ...

and

    sub filter_sender() { ...

my 5 cents

Kind regards
Michael Lang

Thanks.

--
Michael Lang [EMAIL PROTECTED]

Re: [Mimedefang] 40K+ emails a day and choking
On Tue, 2006-01-17 at 14:48 +, Nik Clayton wrote:

David,

David F. Skoll wrote:
Stephen Ford wrote:

I'm running Solaris 9 on a dual processor 220R with 2 gigs of ram and the box is having trouble keeping up with spam!?!?

I hate to say this, but switch from SPARC to a commodity Intel box. Intel and AMD chips far outperform SPARC for the kind of processing MIMEDefang/SpamAssassin do. Even a mid-range dual Xeon at 2.4GHz with a couple of gigs of RAM can handle 40K emails/day with ease.

at my last company we did with 4 machines, 3Mil/Day Messages without any problem. The machines were HP DL360 2G Ram 1 CPU ;)

Are you aware of any relevant benchmarks in this area?

N

--
Michael Lang [EMAIL PROTECTED]

RE: [Mimedefang] 40K+ emails a day and choking
On Tue, 2006-01-17 at 08:20 -0800, Gary Funck wrote:
From: Michael Lang
Sent: Tuesday, January 17, 2006 7:50 AM

[...] at my last company we did with 4 machines, 3Mil/Day Messages without any problem. The machines were HP DL360 2G Ram 1 CPU ;)

With Mimedefang and SA?

yes, complex filter (ldap lookups ...) and clamav and kaspersky ...

--
Michael Lang [EMAIL PROTECTED]

Re: [Mimedefang] Discard by $Subject
Quoting [EMAIL PROTECTED]:

Hello List,

Hello Meni,

I have this irritating email keep getting through no matter how many times i put it through the sa-learn!!!

My config is: Debian Sarge 3.1a with Sendmail 8.13 + mimedefang 2.51 (i know i should upgrade..but still) + sa 3.0.3 + clamd 0.87

So now i want to build a mimedefang rule to block this SPAM by its Subject, which never changes. Can any one offer a code?? (my perlish is a bit lame...;-) )

B.T.W. : you may have seen/received that spam...subject is: The Ultimate Online Pharmaceutical

should be as simple as editing your 'mimedefang-filter' function called 'filter_begin' ...

    sub filter_begin {
        # this will bounce it on SMTP Protocol if it matches exactly the line
        # you submitted above
        action_bounce('put in your SMTP Message here', 554, '5.7.1')
            if ($Subject =~ /^The\sUltimate\sOnline\sPharmaceutical$/i);
        ...
        ...
    }

Thanks a 1

no prob,

Greetz mIke

Meni

--
Michael Lang

RE: [Mimedefang] Mimedefang clamd
On Tue, 2005-09-20 at 14:11 +0100, Mack wrote:
> it would seem that it thinks Virus:ClamAV is there (at the topish of the list) but also not there
>
> Virus:ClamAV : yes (/usr/local/bin/clamdscan)
> Virus:CLAMAV : no
>
> I've not seen the top one, are you assigning this in your code (perhaps a case issue?)

i think your config confuses mimedefang :)

    # mimedefang.pl -features
    MIMEDefang version 2.53
    HTML::Parser : yes
    HTML::TokeParser : yes
    Net::DNS : yes
    Path:CONFDIR : yes (/etc/mail)
    Path:QUARANTINEDIR: yes (/var/spool/MD-Quarantine)
    Path:SENDMAIL : yes (/usr/sbin/sendmail)
    Path:SPOOLDIR : yes (/var/spool/MIMEDefang)
    SpamAssassin : yes
    Virus:CLAMD : yes

should be

Original not modified

    # grep CLAMD /usr/bin/mimedefang.pl
    $Features{'Virus:CLAMD'}= ('/bin/false' ne '/bin/false' ? '/bin/false' : 0);
    if ($Features{'Virus:CLAMD'}) {
    if ($Features{'Virus:CLAMAV'} ! $Features{'Virus:CLAMD'}) {

    # grep CLAMD /etc/mail/mimedefang-filter
    $Features{'Virus:CLAMD'}= 1;

this should get your ClamAV to work with your MIMEDefang

Kind regards
Michael Lang

--
Michael Lang [EMAIL PROTECTED]
Re: [Mimedefang] filter_recipient
On Thu, 2004-11-11 at 17:08, scohen wrote:
> I wrote a subroutine using filter_recipient to whitelist. It reads /etc/mail/access, looks for OK or RELAY, and whitelists those entries. It works for $sender and $recipient but not for $rcpt_host. Using md_syslog I found that while I am getting values for $recipient, $sender, $ip, $hostname, $first, and $helo, I am not getting values for $rcpt_mailer $rcpt_host or $rcpt_address.
>
> Nov 11 08:45:55 open1 mimedefang.pl[29791]: $rcpt_host is ?
> Nov 11 08:45:55 open1 mimedefang.pl[29791]: $rcpt_addr is ?
> Nov 11 08:45:55 open1 mimedefang.pl[29791]: $rcpt_mailer is ?
>
> I was wondering why this could be? I am assigning the variables just like the mimedefang-filter suggests:
>
>     sub filter_recipient {
>         my ($recipient, $sender, $ip, $hostname, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

what exactly are you trying to do ?
if you already have 127.0.0.1 REJECT in your /etc/mail/access file your mail should never reach the filter :)

maybe you should read mimedefang.pl to get the correct Names,

    $RelayAddr = ;
    $RealRelayAddr = ;
    $RelayHostname = ;
    $RealRelayHostname = ;

Kind regards
Michael Lang

> Thanks for the help,
> Steve Cohen

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

--
Michael Lang [EMAIL PROTECTED]
[Mimedefang] upgrade from 2.43 to 2.44
Hi everyone,

I've upgraded mimedefang from 2.43 to the latest 2.44. Everything looks good as long as i use the MimedefangNode (this machine) alone without a loadbalancer. Mail gets scanned filtered and so on.

if i enable the node in the Cluster for the Loadbalancer, the log gets filled with these lines until i send a message, and reappear afterwards.

any clue ?

Aug 5 14:10:20 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1356477520]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:20 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1503335504]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:21 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1513825360]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:21 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1377457232]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:21 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1283048528]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:23 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1461376080]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:23 mimedefang02 mimedefang-multiplexor[9210]: Starting slave 5 (pid 9566) (6 running): About to perform scan
Aug 5 14:10:24 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1545294928]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:24 mimedefang02 mimedefang-multiplexor[9210]: Starting slave 6 (pid 9570) (7 running): About to perform scan
Aug 5 14:10:25 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1587254352]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:26 mimedefang02 clamd[20902]: /var/spool/MIMEDefang/mdefang-i75FAIIs004422/Work/msg-9232-12.txt: OK
Aug 5 14:10:26 mimedefang02 mimedefang.pl[9232]: MDLOG,i75FAIIs004422,virus,Dialer.Global.AR,127.0.0.1,[EMAIL PROTECTED],[EMAIL PROTECTED],TESTING
Aug 5 14:10:26 mimedefang02 clamd[20902]: /var/spool/MIMEDefang/mdefang-i75FAIIs004422/Work/msg-9232-13.AR: Dialer.Global.AR FOUND
Aug 5 14:10:27 mimedefang02 mimedefang.pl[9232]: MDLOG,i75FAIIs004422,mail_in,,,[EMAIL PROTECTED],[EMAIL PROTECTED],TESTING
Aug 5 14:10:27 mimedefang02 mimedefang.pl[9232]: filter: i75FAIIs004422: replace_with_warning=1
Aug 5 14:10:43 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1335497808]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:43 mimedefang02 last message repeated 2 times
Aug 5 14:10:44 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1471865936]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:45 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1272558672]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:46 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1283048528]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:47 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1293538384]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:47 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1304028240]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:48 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1387947088]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:48 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1408926800]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:49 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1440396368]: 0x1f does not fulfill action requirements 0x3f
Aug 5 14:10:49 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1461376080]: 0x1f does not fulfill action requirements 0x3f

--
Michael Lang [EMAIL PROTECTED]
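
The two masks in the st_optionneg lines above can be decoded with the SMFIF_* action flags from sendmail's libmilter/mfapi.h. This is an added example, not part of the original post or of MIMEDefang; it assumes the first mask is what the connecting MTA offered and the second is what the filter requires, and the function names are illustrative.

```python
import re

# Milter action flags (SMFIF_*) as defined in sendmail's libmilter/mfapi.h.
SMFIF = {0x01: "SMFIF_ADDHDRS", 0x02: "SMFIF_CHGBODY", 0x04: "SMFIF_ADDRCPT",
         0x08: "SMFIF_DELRCPT", 0x10: "SMFIF_CHGHDRS", 0x20: "SMFIF_QUARANTINE"}

OPTNEG = re.compile(r"st_optionneg\[-?\d+\]: (0x[0-9a-fA-F]+) "
                    r"does not fulfill action requirements (0x[0-9a-fA-F]+)")
REPEAT = re.compile(r"last message repeated (\d+) times")

def flag_names(mask):
    """Names of the bits set in mask; bits outside the table are reported raw."""
    names = [name for bit, name in sorted(SMFIF.items()) if mask & bit]
    unknown = mask & ~sum(SMFIF)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names

def summarize(lines):
    """Return [(offered, required, missing_flag_names, count)] per mask pair.

    Assumption: the first mask is what the connecting MTA offered and the
    second is what the filter requires. syslog "repeated N times" lines are
    credited to the entry immediately before them.
    """
    counts, last = {}, None
    for line in lines:
        m = OPTNEG.search(line)
        if m:
            last = (int(m.group(1), 16), int(m.group(2), 16))
            counts[last] = counts.get(last, 0) + 1
            continue
        r = REPEAT.search(line)
        if r and last is not None:
            counts[last] += int(r.group(1))
        else:
            last = None  # an unrelated line ends the run
    return [(off, req, flag_names(req & ~off), n)
            for (off, req), n in sorted(counts.items())]

# Sample lines copied from the log in the post above.
SAMPLE = [
    "Aug 5 14:10:25 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1587254352]: 0x1f does not fulfill action requirements 0x3f",
    "Aug 5 14:10:27 mimedefang02 mimedefang.pl[9232]: filter: i75FAIIs004422: replace_with_warning=1",
    "Aug 5 14:10:43 mimedefang02 mimedefang[9224]: MIMEDefang-2.44: st_optionneg[-1335497808]: 0x1f does not fulfill action requirements 0x3f",
    "Aug 5 14:10:43 mimedefang02 last message repeated 2 times",
]

if __name__ == "__main__":
    for off, req, missing, n in summarize(SAMPLE):
        print(f"{n} failed negotiations: offered 0x{off:x}, required 0x{req:x}, "
              f"not offered: {', '.join(missing)}")
```

On the post's masks the only required action that was not offered is bit 0x20, SMFIF_QUARANTINE.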