Re: [Mimedefang] SA scores
Jeff Grossman wrote:

> It appears there is a '--update-dir' command line switch for sa-update which you can tell it where to place those newer files. I have not tried it yet, but it might do what we need with MIMEDefang.
>
> Jeff

I use 'sa-update --update-dir=/etc/mail/spamassassin', which seems to work for me given that mimedefang uses /etc/mail/spamassassin as its SA directory.

Cheers,
Roland

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: SARE and RJD (was RE: [Mimedefang] Seeing a lot of these lately)
- Original Message -
From: -ray [EMAIL PROTECTED]

> I would like to ask the list members who all uses SARE rulesets with RDJ. And which rule sets do you enable? I'd like to start using them, so just a quick survey on which rule sets are 'no brainers, definitely you should use these' and which ones might be a little more iffy or questionable. Thanks for any info.

My current list is:

    TRUSTED_RULESETS="BOGUSVIRUS TRIPWIRE ANTIDRUG EVILNUMBERS SARE_RANDOM SARE_SPECIFIC SARE_HEADER0 SARE_HTML0 SARE_BAYES_POISON_NXM SARE_ADULT SARE_OEM SARE_SPOOF SARE_FRAUD SARE_STOCKS"

I fell into the trap initially when using RDJ, of putting some of the LARGE rulesets in the list and SpamAssassin's memory consumption went sky high, bringing my gateway to its knees. So be warned! :)

Cheers,
Roland
Re: [Mimedefang] Syslog problems on Solaris 8?
- Original Message -
From: Fernando Gleiser [EMAIL PROTECTED]

> I've installed mimedefang-2.56 from source on a Solaris 8 system. Perl's version is 5.6.1 from sunfreeware. It seems to be working fine, except for one little detail: it doesn't log anything to syslog.
>
> The md_graphdefang_log_enable('mail', 1); line in mimedefang-filter is enabled and syslogd is running, but in /var/log/syslog I only see sendmail's messages.
>
> I even tried manually setting setlogsock('inet'); by hand on /usr/local/bin/mimedefang.pl and restarting mimedefang, but that didn't solve it.
>
> Any hints/pointers? I'm starting to run out of ideas.

You have enabled the mimedefang-milter call in from sendmail and restarted it?

For sendmail.m4 use something like

    INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=C:15m;S:5m;R:5m;E:15m')

And if you edit sendmail.cf by hand

    O InputMailFilters=mimedefang
    Xmimedefang, S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=C:15m;S:5m;R:5m;E:15m

Cheers
Roland
[Mimedefang] Greylist Exclusions
Hi,

I have been running a Mimedefang Integrated MySQL variation of greylisting now for the past 3-4 months, which has dropped the amount of SPAM we have to reject after the DATA phase by 3 quarters!

However, I am getting requests from users who want to have particular sender domains excluded from the greylisting. Does anyone have any ideas as to the best way to go about this?

I know I could do a

    sub filter_sender {
        my ($sender) = @_;    # envelope sender is the first argument
        if ($sender =~ /[EMAIL PROTECTED]?$/i) {
            $NO_GREYLISTING_FOR_THIS_MSG = 1;
        }
    }

But is there a better way of bypassing greylisting for selected sending domains?

Thanks
Roland
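One table-driven way to make the sender-domain check asked about above, as an added example that is not from the original post or from MIMEDefang itself. `sender_domain`, `greylist_exempt` and `%GREYLIST_EXEMPT` are hypothetical names, the domains and addresses are constructed, and `$NO_GREYLISTING_FOR_THIS_MSG` is the flag used in the post.

```perl
use strict;
use warnings;

# Constructed sample list; in practice this could be read from a file or a DB table.
my %GREYLIST_EXEMPT = map { lc($_) => 1 } qw(example.com partner.example.net);

our $NO_GREYLISTING_FOR_THIS_MSG = 0;    # flag name taken from the post

# Return the lower-cased domain part of an envelope sender, or undef.
sub sender_domain {
    my ($sender) = @_;
    return unless defined $sender;
    $sender =~ s/^<//;                   # MIMEDefang passes the address in <...>
    $sender =~ s/>$//;
    return unless $sender =~ /\@([^\@\s]+)$/;
    (my $domain = lc $1) =~ s/\.$//;     # drop a trailing root dot
    return $domain;
}

# True if the sender's domain, or any parent domain, is in the exemption table.
# Matching is done on whole labels, so "notexample.com" does not match "example.com".
sub greylist_exempt {
    my ($sender, $exempt) = @_;
    my $domain = sender_domain($sender);
    return 0 unless defined $domain;
    my @labels = split /\./, $domain;
    while (@labels >= 2) {               # never match on a bare TLD
        return 1 if $exempt->{ join '.', @labels };
        shift @labels;
    }
    return 0;
}

sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    $NO_GREYLISTING_FOR_THIS_MSG = greylist_exempt($sender, \%GREYLIST_EXEMPT);
    return ('CONTINUE', 'ok');
}

# Constructed envelope senders: a subdomain, a look-alike, and the null sender.
for my $s ('<Bob@Mail.Example.COM>', '<x@notexample.com>', '<>') {
    filter_sender($s, '192.0.2.10', 'mx.example.org', 'mx.example.org');
    printf "%-26s exempt=%d\n", $s, $NO_GREYLISTING_FOR_THIS_MSG;
}
```

The envelope sender is whatever the connecting client supplies, so any sender can claim an exempt domain; matching on whole labels at least keeps look-alike names from inheriting the exemption.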
Re: [Mimedefang] Slaves dying unexpectedly with signal 14
- Original Message -

>> Thanks Jan for your response. I inserted this code in near the start, and in the global section, of my mimedefang-filter, and got the error:
>>
>> snip
>> Jan 18 22:27:48 hosta mimedefang-multiplexor[6491]: Slave 5 stderr: Argument at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Loc... isn't numeric in alarm at /etc/mail/mimedefang-filter line 95.
>
> Wow, that's very brave. I said UNTESTED and I meant it. I just typed this in as an example...

Hey, I did eyeball it to make sure it wasn't going to recreate my filesystem or turn my MX into a SPAM zombie :)

> Hmm... it could also be that perl somehow forgot to install the SIGALRM handler... I suddenly recall that that was the case last time this came up. Quick check is: is it solved if you disable embedded perl? If it is, then you can either leave embedded perl off, send a bug report to spamassassin, or try to debug it yourself... Which might get tricky.

I turned the embedded perl off on one of my gateways. After a period of time, I started getting the spurious SIGNAL 14's showing up on the MX where I was still running MD with embedded perl, but not the one where embedded perl was turned off.

Typically, an email was being processed by one MX which started the SIGNAL 14 errors and tempfailed the message. The email would then try the other MX which would result in the SIGNAL 14's happening on that machine too.

My guess, as suggested, is that SpamAssassin and/or one of its cronies has an issue with signalling and this is perhaps being caused, or exacerbated, by the use of embedded perl with MD.

I will run with embedded perl turned off until the next Spamassassin release.

Thanks everyone for your help.

Roland
Re: [Mimedefang] Slaves dying unexpectedly with signal 14
- Original Message -
From: Jan Pieter Cornet [EMAIL PROTECTED]

> I assume signal 14 is a SIGALRM. If kill -l on your system doesn't show 14) SIGALRM in the output somewhere, then the below is invalid.

Yes 14 is SIGALRM

> If it's a perl module that uses alarm() and then fails to unset it, you might be able to trace it by inserting something like this (UNTESTED)
>
>     use Carp qw(longmess);
>     my $buzz;
>     my $mess;
>     *CORE::GLOBAL::alarm = sub {
>         my $arg = shift || $_;
>         CORE::alarm($arg);
>         if ( $arg == 0 ) {
>             undef $buzz;
>         } else {
>             $buzz = time + $arg;
>             $mess = longmess;
>         }
>     };

Thanks Jan for your response. I inserted this code in near the start, and in the global section, of my mimedefang-filter, and got the error:

snip
    Jan 18 22:27:48 hosta mimedefang-multiplexor[6491]: Slave 5 stderr: Argument at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Loc... isn't numeric in alarm at /etc/mail/mimedefang-filter line 95.
/snip

When I added an 'md_syslog('info',"alarm=$arg");' right after the 'CORE::alarm($arg);' statement, I got:

snip
    alarm= at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker/Flock.pm line 78
    eval {...} called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker/Flock.pm line 73
    Mail::SpamAssassin::Locker::Flock::safe_lock('Mail::SpamAssassin::Locker::Flock=HASH(0xb0617a0)','/home/cyrus/.spamassassin/auto-whitelist',30,640) called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/DBBasedAddrList.pm line 72
    Mail::SpamAssassin::DBBasedAddrList::new_checker('Mail::SpamAssassin::DBBasedAddrList=HASH(0xc287378)','Mail::SpamAssassin=HASH(0x9fe2044)') called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/AutoWhitelist.pm line 95
    Mail::SpamAssassin::AutoWhitelist::new('Mail::SpamAssassin::AutoWhitelist','Mail::SpamAssassin=HASH(0x9fe2044)') called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/AWL.pm line 352
    eval {...} called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/AWL.pm line 351
    Mail::SpamAssassin::Plugin::AWL::check_from_in_auto_whitelist('Mail
/snip

Any ideas what could be changed in your sample code to avoid this error?

Thanks
Roland
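The "isn't numeric in alarm" message is consistent with the quoted replacement sub returning the value of its last statement (the longmess string) rather than what CORE::alarm returned, so a caller that saves the old timer and later restores it hands that string back to alarm. An added example, not code from the thread or from SpamAssassin, of a tracer that passes the return value through; `locked_section` and the variable names are hypothetical, and it uses warn where a filter would call md_syslog.

```perl
use strict;
use warnings;
use Carp qw(longmess);

our ($alarm_due, $alarm_trace);    # when the pending alarm fires; who armed it

BEGIN {
    # Install at compile time so code compiled afterwards picks up the override.
    *CORE::GLOBAL::alarm = sub {
        my $secs = @_ ? shift : $_;          # alarm with no argument uses $_
        $secs = 0 unless defined $secs;
        my $remaining = CORE::alarm($secs);  # seconds left on the previous timer
        if ($secs == 0) {
            undef $alarm_due;
            undef $alarm_trace;
        } else {
            $alarm_due   = time + $secs;
            $alarm_trace = longmess("alarm($secs) armed");
        }
        return $remaining;                   # behave like the built-in for callers
    };
}

# Hypothetical library routine using the common save/restore idiom.
sub locked_section {
    my ($timeout) = @_;
    my $old = alarm $timeout;    # remember any timer the caller had pending
    # ... work that might block would go here ...
    alarm $old;                  # restore it; this must be a number
    return $old;
}

# Report where the last alarm was armed if one fires that nobody cleared.
$SIG{ALRM} = sub {
    warn "stray SIGALRM; last armed:\n"
       . (defined $alarm_trace ? $alarm_trace : "unknown\n");
};

alarm 30;                          # the caller's own timer
my $seen = locked_section(5);      # receives the caller's remaining seconds
alarm 0;                           # clear the timer before exiting
print "previous timer seen by locked_section: $seen\n";
```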
[Mimedefang] Slaves dying unexpectedly with signal 14
Hi All,

I posted an email some time back asking about MD slaves that were unexpectedly terminating with a signal 14. David Skoll mentioned at the time that it was possibly a perl module generating this signal 14 which was somehow not being handled and was causing the slaves to die.

At the time, I upgraded a few of the perl modules, and the problem seemed to go away. Unfortunately, it is back. Once the errors start occurring, a restart seems to stop it happening for a time, but eventually, it returns. This error is occurring on two separate mail exchangers (which are running the same software versions). I am running mimedefang 2.53 under CentOS linux 3.6.

Can anyone give me any pointers at all as to how I can go about further tracking down what is generating these signal 14's?? Can I arm some sort of signal handler in my filter and generate some sort of trace back? Any sort of help would be appreciated.

The log messages I am getting are as follows:

snip
    Jan 18 19:00:57 hosta mimedefang-multiplexor[6464]: Slave 4 died prematurely -- check your filter rules
    Jan 18 19:00:57 hosta mimedefang-multiplexor[6464]: Reap: Idle slave 4 (pid 10634) exited due to signal 14 (SLAVE DIED UNEXPECTEDLY)
    Jan 18 19:00:57 hosta mimedefang-multiplexor[6464]: Slave 4 resource usage: req=44, scans=8, user=14.830, sys=1.360, nswap=0, majflt=10062, minflt=111990, maxrss=0, bi=0, bo=0
    Jan 18 19:00:57 hosta mimedefang[6477]: Error from multiplexor: ERR No response from slave
/snip

Thanks
Roland
[Mimedefang] Pre-Emptive Greylist entries
Hi all,

I have implemented a fiddled version of John Kirkland's MySQL MD-Greylist code (thanks to Gary Funk for sending me the code), which is reducing SPAM, but producing complaints from users that some important customer emails are being delayed.

One idea I had was to try and create a whitelist entry in the database for emails sent from within my network to customers, to try and reduce delays for initial replies from said customers.

I.e. when one of my users sends an email from [EMAIL PROTECTED] to [EMAIL PROTECTED], I look up custnet.com in DNS, get the IP's of the highest priority MX's and create a whitelist entry so that it decreases the chance that a reply from [EMAIL PROTECTED] to [EMAIL PROTECTED] gets delayed by the greylist code.

What do you think about this idea? Does anyone have any suggestions for improvements?

Thanks
Roland
[Mimedefang] Greylist with shared data
Hi,

I notice that a number of people have implemented John Kirkland's MySQL greylist implementation from http://www.bl.org/~jpk/md-greylist, but his website appears to be no longer available??

Does anyone on this list have a mimedefang filter based greylist implementation that allows me to share greylist data between multiple mail exchangers (either using a shared DB or some other mechanism), that they would be happy to post to the list?

Thanks
Roland
Re: [Mimedefang] Greylist with shared data
- Original Message -
From: Gary Funck [EMAIL PROTECTED]

>> I notice that a number of people have implemented John Kirkland's MySQL greylist implementation from http://www.bl.org/~jpk/md-greylist, but his website appears to be no longer available??
>
> Try again. Seems to be working just now. - Gary

Still no good for me :(

I have not been able to connect to this website for some time now. I always seem to get a Connection timed out error. I have tried two separate ISPs and still no joy.

I wonder if this is a location specific problem? I am in New Zealand, can anyone else on this list who is in New Zealand connect to this website?

Failing that, can anyone post a copy of John's implementation or similar somewhere else (or perhaps email a copy to me directly?).

Cheers,
Roland
[Mimedefang] Debugging slaves that die
Hi All,

I am running mimedefang-2.53 under CentOS 3.6 with clamav-0.87.1 and spamassassin-3.1.0. I am occasionally getting the following errors in my log:

snip
    Nov 24 09:26:14 cnwchcm16 mimedefang-multiplexor[9330]: Slave 0 died prematurely -- check your filter rules
    Nov 24 09:26:14 cnwchcm16 mimedefang-multiplexor[9330]: Reap: Idle slave 0 (pid 21967) exited due to signal 14 (SLAVE DIED UNEXPECTEDLY)
/snip

There doesn't appear to be any indication as to exactly what is causing this problem. It may be an issue with my mimedefang-filter, but if so, I can't really tell whereabouts the problem is occurring?

Can anyone give me some pointers as to how I can go about finding exactly why my slaves are dying?

Thanks
Roland
[Mimedefang] Copying emails to another server
Hi,

I am running mimedefang-2.51 and I have a requirement to copy selected emails that traverse my mail gateway onto a separate archive mail server.

I know I could just do an add_recipient('[EMAIL PROTECTED]'), but I need to store the list of original recipients in the email I am archiving.

If I do an action_add_header("X-Orig-Rcpts", join(", ", @Recipients)), then all recipients of the email will be able to see any Bcc recipients by viewing the mail headers, which is undesirable.

If I call resend_message('[EMAIL PROTECTED]') I don't have the option of adding an X-Orig-Rcpts type header because it resends the original, unmodified message.

Any ideas how I can work this?

Thanks
Roland
Re: [Mimedefang] for mcafee lovers
- Original Message -
From: Joseph Brennan [EMAIL PROTECTED]

> We run no AV scanners, because we reject mail with executable file attachments and zip files. To my knowledge we have accepted absolutely zero email viruses in the two years or so since we implemented this. Mimedefang made this possible.

You would need to reject HTML email too to prevent HTML exploits (unless you are using text only mail readers). And I guess Phishing attacks are not strictly viruses, even though many AV vendors block them.

Roland
Re: [Mimedefang] Anyone using File::Scan?
- Original Message -
From: Arthur Corliss [EMAIL PROTECTED]

> On Tue, 15 Feb 2005, David F. Skoll wrote:
>
>> Does anyone use File::Scan with MIMEDefang? It seems to cause a lot of problems with false positives.
>
> I haven't reviewed any of the hits it gets, but I do use, and over the past year or two I haven't gotten any complaints about it.

I use it, but mostly because it was recommended as the fastest initial line of defence against Viri when using MIMEDefang.

The only times I have had false positives that I am aware of were brought to my attention by users. In both these cases, I was completely ignored by the File::Scan author when I contacted him via email with a sample of the offending code.

David, if you say File::Scan is dubious, then I would stop using it if mimedefang stopped enabling it by default.

Roland
Re: [Mimedefang] Greylist DB addition fails silently?
- Original Message -
From: Justin [EMAIL PROTECTED]

> I have modified Steven Rocha's implementation (http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020126.html) which I believe is a modification of Jonas' implementation. My modified version uses a PostgreSQL database in place of Berkeley DB and allows you to specify action to take (white/black/grey) based on cidr/host address, using subnet 0/0 as the default action. I will clean it up and post if there's interest.
>
> -Justin

I would be very interested in a copy of this as I have wanted to use greylists, but needed to have a shared DB as I have multiple MX's.

Roland
[Mimedefang] Sendmail Defers when CLAMD scans take too long
Hi,

I am running MD 2.41 on RedHat 9 with sendmail 8.12.8 (plus security patches) and ClamAV 0.68. This is running on a Pentium III 1.2GHZ with 1Gb of ram. I am running /var/spool/MIMEDefang on a ramdisk.

When a user sends an email with a 13 Mb (encoded) word document attachment, CLAMD starts using 100% of the processor for a time, until eventually (after a minute or so), Mimedefang returns a Milter (mimedefang): timeout before data read error.

I eventually got the email to go through by changing the timeout settings on the Milter config line in sendmail.mc from:

    INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m;E:10m')

to

    INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:3m;R:3m;E:10m')

Should these values be even higher and should the milter be timing out like this while waiting for a virus scan to finish?

Also, would you expect CLAMD to use so much processor for such a long time on a file that isn't really that big?

Thanks
Roland