On Fri, 5 Mar 2004, Michael Sims wrote:
> Another solution is to build a virtusertable db on your MX which contains a
> list of all your valid usernames and reject anyone that isn't in it with an
> unknown user error. This virtusertable can be updated periodically via a
> combination of cron, ssh
Les Mikesell wrote:
> The only real problem is that if the outside gateway is unaware of
> legitimate user names it will accept everything, then when the
> inside mailer rejects the unknown users the outside box must
> construct and return the bounce message.
[...]
> The best solution here is proba
On Fri, 2004-03-05 at 14:27, Stephen Smoogen wrote:
> I am working through the SPEC file from 2.38 and 2.40 to use 2.40 here
> and to sponsor it at Fedora.us.
>
> Here are my questions:
>
> What are the versions of the perl modules that should be used. There are
> the ones on the mimedefang websi
Les Mikesell wrote:
The best solution here is probably to put the users in LDAP and
configure the outside mailer to use it but I haven't done that
myself yet. I just periodically grep the logs for the rejections
and stick the frequent ones into sendmail's access list with a
REJECT on the outside
On Fri, 2004-03-05 at 15:00, Jason Williams wrote:
> I'm setting up a mail gateway server for our company that is going to have
> the following:
>
> FreeBSD 4.9
> Sendmail 8.12.11
> Latest version of MIMEDefang
>
> Sole purpose is to scan all incoming mails for the company, clean them,
> then p
Jason Williams wrote:
Hello everyone.
I'm setting up a mail gateway server for our company that is going to
have the following:
FreeBSD 4.9
Sendmail 8.12.11
Latest version of MIMEDefang
Sole purpose is to scan all incoming mails for the company, clean them,
then pass them off to the internal ma
I am working through the SPEC file from 2.38 and 2.40 to use 2.40 here
and to sponsor it at Fedora.us.
Here are my questions:
What are the versions of the perl modules that should be used. There are
the ones on the mimedefang website, but several have newer versions than
that. Should I look at th
Hi everyone
I'm new to this.
What can I do to block a message with a specific subject with
mimedefang?
Regards
Hernan Dario Arredondo
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
htt
Hello everyone.
I'm setting up a mail gateway server for our company that is going to have
the following:
FreeBSD 4.9
Sendmail 8.12.11
Latest version of MIMEDefang
Sole purpose is to scan all incoming mails for the company, clean them,
then pass them off to the internal mail server.
I wanted to
On Fri, 5 Mar 2004, Aaron Paetznick wrote:
> Maybe. I'm a perl fanatic myself, but even I would guess that a daemon
> written in C might scan faster than a perl module. I don't have any
> hard numbers, so I defer to others' experience.
I don't think it's critical. Most e-mail doesn't contain a
On Fri, 5 Mar 2004, Paul Whittney wrote:
> I don't have the "Authority" to tell the client what they should, and should
> not use (that's a problem in itself ;-). I assume then many people add to the
> bad extensions list
> $bad_exts = ... |htm|html|...;
If you want to block HTML, you need to look
On Fri, Mar 05, 2004 at 02:08:58PM -0500, David F. Skoll wrote:
> > I'm also concerned that this will escalate into "Block all htm/html
> > files",
>
> And why would that be a problem?
>
> HTML is bad enough. If you allow your mail clients to run
> JavaScript, then server-side mail filters would
On Fri, 2004-03-05 at 12:37, Josh Kelley wrote:
> David F. Skoll wrote:
>
> >On Fri, 5 Mar 2004, Josh Kelley wrote:
> >
> >>The mimedefang-filter manpage still recommends using action_bounce
> >>rather than action_discard. Is action_bounce no longer recommended?
> >>
> >>
> >Right. I should f
Aaron Paetznick wrote:
initialize_virus_scanner_routines() defines a certain order of scanners,
with File::Scan being first. For people who run ClamAV, it might be
slightly more efficient to list clamd first before File::Scan, and the
impact to non-ClamAV users would be zero. Thoughts?
Since
On Fri, 5 Mar 2004, Josh Kelley wrote:
> The mimedefang-filter manpage still recommends using action_bounce
> rather than action_discard. Is action_bounce no longer recommended?
Right. I should fix the man page.
Regards,
David.
Maybe. I'm a perl fanatic myself, but even I would guess that a daemon
written in C might scan faster than a perl module. I don't have any
hard numbers, so I defer to others' experience.
--Aaron
Royce Williams wrote:
Aaron Paetznick wrote:
initialize_virus_scanner_routines() defines a certa
David F. Skoll wrote:
On Fri, 5 Mar 2004, Josh Kelley wrote:
The mimedefang-filter manpage still recommends using action_bounce
rather than action_discard. Is action_bounce no longer recommended?
Right. I should fix the man page.
I'm sure that this topic has come up many times on the list
David F. Skoll wrote:
* Default action for viruses (in the sample filter) is now discard.
The mimedefang-filter manpage still recommends using action_bounce
rather than action_discard. Is action_bounce no longer recommended?
Josh Kelley
Jim McCullars wrote:
>That is the standard sendmail reply when a MTA does a command like
> this:
>
> RCPT TO: <>
Gahh.. Thought that was referring to the sender, not the recipient.
Must be time for a weekend.
-kgd
--
"Sendmail administration is not black magic. There are legitima
--On Friday, March 5, 2004 1:54 PM -0500 Paul Whittney
<[EMAIL PROTECTED]> wrote:
I've recently seen an email (only one though, which is odd), with spam
in it, but hidden inside a javascript message. The email body seems very
light, just a simple subject, and simple "you file attached" in it.
On Fri, 5 Mar 2004, Paul Whittney wrote:
> What concerns me, is that the email script could use random variable
> words, so just scoring on words may miss it.
Yes.
> I'm also concerned that this will escalate into "Block all htm/html
> files",
And why would that be a problem?
HTML is bad enoug
> From: Paul Whittney [mailto:[EMAIL PROTECTED]
...
> this will escalate into "Block all htm/html files", which seems to be
> heading towards the mentality of "block every attachment", I
> would zip
> it, but people have decided they are bad too..
Not all that strange of an idea. I've been bloc
> From: Jim Hatfield [mailto:[EMAIL PROTECTED]
> I'm not clear whether filter_recipient() is called once for
> each envelope recipient, or just once. The implication is
> that it's called for each but I'd like to be sure.
...
> In the following transaction:
>
> mail from:<>
> rcpt to:<[EMAIL PROTE
I've recently seen an email (only one though, which is odd), with spam
in it, but hidden inside a javascript message. The email body seems very
light, just a simple subject, and simple "you file attached" in it.
The javascript creates two arrays, one about 800 items long, and a
second 100 or so el
initialize_virus_scanner_routines() defines a certain order of scanners,
with File::Scan being first. For people who run ClamAV, it might be
slightly more efficient to list clamd first before File::Scan, and the
impact to non-ClamAV users would be zero. Thoughts?
--Aaron
Chris,
Some observations:
1. You don't check the size of Zip members before uncompressing them, which can
lead to denial of service attacks. To demonstrate this, on Linux/*nix, try:
dd if=/dev/zero bs=1024 count=8 | zip test.zip -
What you get is a 80Kb file which uncompress
On Fri, 5 Mar 2004, Rob wrote:
> I used to mount /tmp noexec but got bit by that. On FreeBSD upgrading the
> OS requires that you run temporary binaries in /tmp. I suspect other
> versions of *nix may suffer a similar problem.
RPM works OK with /tmp mounted noexec, but some badly-behaved instal
On Fri, 5 Mar 2004, Jim Hatfield wrote:
> I'm not clear whether filter_recipient() is called once for
> each envelope recipient, or just once.
Once for each.
> Also, does a return of REJECT reject just that recipient?
Yes.
Regards,
David.
On Fri, 5 Mar 2004, Kris Deugau wrote:
> "Delahunty, Mark" wrote:
> > .ucc.ie [143.239.1.30], reject=553 5.0.0 <>... User address required
> ^^^
> Quite aside from the problem you're asking about, it looks like the
> internal server is a little misconfig
On Fri, 5 Mar 2004, Jim Hatfield wrote:
> I'm not clear whether filter_recipient() is called once for
> each envelope recipient, or just once. The implication is
> that it's called for each but I'd like to be sure.
You're right - it's called once per recipient.
> Also, does a return of REJE
You all rock for answering the question. This let me implement zip blocking
at sites that may get the occasional good zip and work at a slower pace to
combat all these darn virii.
Regards,
KAM
- Original Message -
From: "SRAR Mail Administrator" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]
Hi All,
Thought I ought to post my solution to the zip
blocking problem seeing as I got most of the code from
the list.
It only copes with blocking and problematic zips and
does no call to virus checkers. It could block if:
- error reading file i.e. it's corrupt or not a zip
- number of files
I get a Sophos return code of 2 for encrypted .zip files. I use this in my
filter's entity_contains_virus() and message_contains_virus() for rejecting
likely Bagle infected messages.
What would be the easiest way to do the same in 2.40?
thanks
Mark
> From: David F. Skoll [mailto:[EMAIL PROTEC
On Fri, 5 Mar 2004, Delahunty, Mark wrote:
> BTW does anyone know if this approach is safe, e.g. when the mailbox server
> is down or rejecting SMTP due to load?
The worst that should happen is that the message would get tempfailed.
Hopefully the sending MTA will try later.
Jim
--On Friday, March 5, 2004 11:10 AM -0500 Paul Whittney
<[EMAIL PROTECTED]> wrote:
I can see a point where the emails come in saying:
"You need to run the file we have sent, please save this file to disk,
rename setup.txt to setup.zip, double click on it, enter the password
12345, and run setup
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of David F. Skoll
>
> At some point, we will have to secure our desktops, and that basically
> means trashing Windoze. Even on Linux/UNIX, we'll have to mount /home
> and /tmp noexec to protect novice
I'm not clear whether filter_recipient() is called once for
each envelope recipient, or just once. The implication is
that it's called for each but I'd like to be sure.
Also, does a return of REJECT reject just that recipient?
In the following transaction:
mail from:<>
rcpt to:<[EMAIL PROTECTED]
On Mar 4, 2004, at 7:11 AM, David F. Skoll wrote:
On Thu, 4 Mar 2004, Kevin A. McGrail wrote:
Is there a quick trick (probably something crazy with formail) that
you can
run on ENTIRE_MESSAGE to turn it into an mbox with the correct first
line so
I can view it with mutt and determine whether to
Michael Sims wrote:
> A properly behaved MUA will send read and delivery receipts (aka
> Message Disposition Notifications) with a null envelope sender. This
> is required by RFC's 2298 and 2821. From 2298:
>
> The envelope sender address (i.e., SMTP MAIL FROM) of the MDN MUST
> be null (<>)
Hi,
MIMEDefang 2.40 is at http://www.mimedefang.org/node.php?id=1
Major changes:
* If multiple virus scanners are installed, they are all used.
* Default action for viruses (in the sample filter) is now discard.
* Added a new "notification" facili
Jon,
> Using MD 2.39.
>
> As some recent worms have been nearly making it through our
> AV scanners, we added ZIP files to the bad filenames list and
> quarantine such files for manual examination. However, with
> the latest worms, we have seen several instances where the
> ZIP (or PIF) file
"Delahunty, Mark" wrote:
> .ucc.ie [143.239.1.30], reject=553 5.0.0 <>... User address required
^^^
Quite aside from the problem you're asking about, it looks like the
internal server is a little misconfigured...
-kgd
--
"Sendmail administration is not bl
On Fri, 5 Mar 2004, Delahunty, Mark wrote:
> BTW does anyone know if this approach is safe, e.g. when the mailbox server
> is down or rejecting SMTP due to load?
If the mail server is down, then MIMEDefang will tempfail the mail.
If the mail server is rejecting the mail, then MIMEDefang simply pa
Lucas Albers said:
>As near as I understand from the clamav list.
>Clam cannot detect encrypted viruses.
>I believe this is a flaw in clamav, that cannot be easily remedied.
>This is "To the best of my knowledge."
>You have some options.
>Add in another virus scanner.
>Bounce password protected
Jim,
Well spotted - that was the problem. That'll teach me to cut and paste too
enthusiastically.
BTW does anyone know if this approach is safe, e.g. when the mailbox server
is down or rejecting SMTP due to load?
Thanks
Mark
> From: Jim McCullars [mailto:[EMAIL PROTECTED]
> Sent: 05 March 200
On Fri, 5 Mar 2004, Paul Whittney wrote:
> I can see a point where the emails come in saying:
> "You need to run the file we have sent, please save this file to disk,
> rename setup.txt to setup.zip, double click on it, enter the password
> 12345, and run setup.exe".
Right. The amount of social
Just some comments; I hope these come across as polite thoughts, as I'm
not trying to shoot down the idea.
On Fri, Mar 05, 2004 at 02:42:27PM -, Clayton, Nik [IT] wrote:
> In re using Archive::Zip for zip file scanning.
>
> I got the necessary sign off today, so here are the changes I've
> go
David,
thanks for your reply
there are lots of these in maillog on the internal (student) server.
Mar 5 15:23:01 student sendmail[1964]: i25FN1Mk001964: ruleset=check_rcpt,
arg1=<>, relay=mail0
.ucc.ie [143.239.1.30], reject=553 5.0.0 <>... User address required
Mar 5 15:23:01 student sendma
On Fri, 5 Mar 2004, Delahunty, Mark wrote:
>my @rec_chk = md_check_against_smtp_server($sender, $recip,
> $thishost, "student.MYDOMAIN.EDU") ;
I think you need to change $recip to $recipient.
HTH...
Jim McCullars
University of Alabama in Huntsville
On Fri, 5 Mar 2004, Delahunty, Mark wrote:
> REJECT:<>... User address required:553:5.0.0
What do the log files on the internal server reveal? Try doing a tcpdump
to capture the traffic.
--
David.
Larry Starr said:
> I have been seeing a number of messages containing Password Protected
".zip"
> files,
I was trying to determine how to just block encrypted zip files.
My code does not work so far, but here is a nice starting place:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-Janu
Les Mikesell said:
> Since the real problem is outlook and the way it abuses 'open'
> to mean 'execute', I'm thinking of setting up alternate mailboxes
> for my users that can only be accessed through a web mail interface
> and tossing anything questionable there. Has anyone tried this
> approach
You mean extension pif or pif inside a zip?
Joseph Brennan said:
> To stop most variants of netsky, refuse mail with pif files. We
> did that many months ago. No complaints at all. Do it.
--
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State
David F. Skoll said:
> On Wed, 3 Mar 2004, Graham Dunn wrote:
>
>> I vaguely remember some mention that this version supported scanning
>> using multiple engines, rather than the "first found" approach.
>
> No; the latest beta has it, though.
>
> Regards,
it's easy to setup for earlier versions, ju
I passed along that info about looking at the checksum of the file in
the zip and got this reply...
From: "Diego d'Ambra" (the guy that did the latest clamav pattern
update)
Thank for the info, but currently ClamAV contains no "engine" that
allows retrieval of th
Dirk Mueller said:
> On Tuesday 02 March 2004 21:50, David Prestwich wrote:
>
>> I'm using clamav and thought that there
>> was a way to force it to scan password protected files.
>
> Yes, via the supersecret --ignore-encryption option to unzip.
As near as I understand from the clamav list.
Clam ca
> My server response is too slow every morning when most of my
> clients are
> checking mail.
Do your clients have reverse dns for their host ips? I don't think this is
really a mimedefang issue, but DNS issues are always where I look first when
things take a long time to get moving or least long
Hi all,
Using MD 2.39.
As some recent worms have been nearly making it through our AV scanners, we added ZIP
files to the bad filenames list and quarantine such files for manual examination.
However, with the latest worms, we have seen several instances where the ZIP (or PIF)
files were neste
On Fri, 5 Mar 2004, John Nemeth wrote:
> I think a
> small change to the histo feature would be nice, which is to right
> justify the slave number, so that the second column lines up.
A one-character change to the source code. :-)
> Secondly, I would like to renew my request to have rawstat
In re using Archive::Zip for zip file scanning.
> Just started doing this here (well, I'll be testing it next
> week). I might be able to send you proof of concept code if
> I can get the necessary sign off.
I got the necessary sign off today, so here are the changes I've
got planned. Comme
On Thu, 4 Mar 2004, Steve Pfister wrote:
> I'd really like to get mimedefang working under Redhat Linux 9, but I'm
> about ready to give up. I've tried installing a couple of times, but every
> time I run it, I get
>
> Mar 4 18:30:31 colima mimedefang-multiplexor: Reap: Idle slave 0 (pid
> 21943
Apologies if this has been covered already.
I can't get md_check_against_smtp_server to return "OK" for a valid user
Here's the relevant bit from mimedefang-filter
sub filter_recipient {
my ($recipient, $sender, $ip, $hostname, $first, $helo) = @_;
my $thishost = "mail7.MYDOMAIN.EDU" ;
On Jun 19, 8:41pm, "David F. Skoll" wrote:
}
} MIMEDefang 2.40-BETA-3 is at http://www.mimedefang.org/node.php?id=1
I've been meaning to submit a patch, but I've been so busy that
I'm way behind on my e-mail, so I'll just toss out my idea. I think a
small change to the histo feature would
Hi folks, I wrote a small and simple patch to get Kaspersky Antivirus version 5
working with MIMEDefang. It simply defines 3 new subroutines,
message_contains_virus_avp5, entity_contains_virus_avp5 and interpret_avp5_code
to deal with the new Kaspersky version binaries (aveclient) and the slightly
Kenneth Porter <[EMAIL PROTECTED]> writes:
> Argument "AZ_OK" isn't numeric in numeric eq (==) at /usr/bin/mimedefang.pl
> line 1997.
>
> Yet I see up at line 78 that you're including ERROR_CODES, so I don't
> understand why I'm getting the error.
For whatever reason, this happens when 'use' is h