Search found 44 matches

by thewomble
25 Jul 2017 13:17
Forum: Discussion
Topic: Pyzor Questions
Replies: 25
Views: 5852

Pyzor Questions

I noticed that the Pyzor on the latest EFA is version 0.7, while version 1.0 is available.

Do you know of a reason to not move to 1.0?

Also, where are the configuration files? I was looking to add "pyzor.scrolloutf1.com:24441" as another server to the default.
by thewomble
25 Jul 2017 12:22
Forum: How-to
Topic: Multiple Domains, Mailservers, different user verification, Cluster
Replies: 2
Views: 1459

Re: Multiple Domains, Mailservers, different user verification, Cluster

RavioliKing, if I am reading you correctly, you want to create a list of valid recipient email addresses and reject unknown ones, and these lists will come from multiple servers; is this multiple ADs? I have two different AD domains, I extract all valid email addresses from the two ADs, merge the files...
by thewomble
13 Jun 2017 21:57
Forum: How-to
Topic: DHL Spam
Replies: 3
Views: 2020

Re: DHL Spam

If your code works, go with it. I am not an expert on SA coding. I was suggesting an alternative to the problem; since I added "reject_non_fqdn_sender" I very rarely get DHL spam anymore. I also force inbound TLS for common delivery companies like dhl.com to get rid of the spoofed, zombie PCs tend not to do TLS...
by thewomble
13 Jun 2017 15:49
Forum: How-to
Topic: DHL Spam
Replies: 3
Views: 2020

Re: DHL Spam

Is this mail from somebody's home PC? If so, I find adding this to my main.cf (reject_non_fqdn_sender)

smtpd_sender_restrictions = ...... reject_non_fqdn_sender, ..... other rules

The reason is the majority of PCs are normally standalone and they are not joined to a domain, so they do not have an F...
by thewomble
12 Jun 2017 13:12
Forum: How-to
Topic: Excluding email originator from the internet headers
Replies: 2
Views: 1363

Re: Excluding email originator from the internet headers

In headers_check in /etc/postfix add the below, and change ExchangeServer to whatever name your internal server has. You need to put a # in front of the line "/^Message-ID:/ HOLD"

/^Received:/ HOLD
/^Received: from ExchangeServer/ IGNORE
/^Received: from 127.0.0.1/ IGNORE

Then issue postmap /etc/postfix/heade...
by thewomble
12 Jun 2017 13:05
Forum: How-to
Topic: the unknown phishing link
Replies: 4
Views: 1449

Re: the unknown phishing link

I did end up using this

rawbody WOMBLE_FREEWEB /tripod\.com|freewebs\.com|wix\.com|ukit\.com/
score WOMBLE_FREEWEB 4.00
describe WOMBLE_FREEWEB Body contains hyperlink to free website hosting domain (phishing?) low security

At least the message is tagged as spam, if it fails other tests it can quite ...
by thewomble
12 Jun 2017 13:01
Forum: How-to
Topic: the unknown phishing link
Replies: 4
Views: 1449

Re: the unknown phishing link

I did do both of those. I did some more reading and found another example that used rawbody. I changed body TRIPOD1 /\.tripod\.com/ to rawbody TRIPOD1 /\.tripod\.com/ and compiled and restarted MailScanner. It did not work, I went to bed, and went to have a look the following day and found it was wor...
by thewomble
09 Jun 2017 13:02
Forum: How-to
Topic: the unknown phishing link
Replies: 4
Views: 1449

the unknown phishing link

Just like viruses, there are also zero-day phishing links that have not filtered into any urbl list. I am trying to get MailScanner/SA, as part of a spam check, to add URLs in certain free hosting web-sites to be given a score. In local.cf I have added body WOMBLE_FREEWEB /tripod\.com|freewebs\.com/ sco...
by thewomble
14 Feb 2017 23:18
Forum: Discussion
Topic: Sophos and the flag Dangerous?
Replies: 2
Views: 1219

Re: Sophos and the flag Dangerous?

SOLUTION BELOW: in MailScanner.conf by default for AV scanning you have

Virus Scanners = clamd

When I installed sophos I added

Virus Scanners = clamd sophos

What I did was swop them round, the email is quarantined, the user can see it, but cannot release it, problem solved.

Virus Scanners = sophos c...
by thewomble
13 Feb 2017 12:19
Forum: Discussion
Topic: Sophos and the flag Dangerous?
Replies: 2
Views: 1219

Sophos and the flag Dangerous?

I used the instructions to install from another poster https://forum.efa-project.org/viewtopic.php?f=14&t=1329&p=7288&hilit=sophos#p7288 I have noticed since installing SOPHOS has detected a number of ransomware viruses based on the double extension. All good, however on the MailWatch screen it show...
by thewomble
06 Feb 2017 11:37
Forum: How-to
Topic: Notification of some viruses
Replies: 0
Views: 932

Notification of some viruses

My top virus on my system is reported as "YARA.possible_includes_base64_packed_functions.UNOFFICIAL", with just 1.4% daily of all messages being logged as virus infected. I am using the default unofficial ones, plus a securiteinfo.com subscription. I have had a report from one of my users that they ...
by thewomble
23 Jan 2017 21:45
Forum: Discussion
Topic: PCI Compliance Scan results
Replies: 5
Views: 3028

Re: PCI Compliance Scan results

I noticed one of the domains we force TLS to and from had changed their TLS settings to high, and mail was not being delivered; it was OK on low. On analyzing the MTA logs, it was found we were getting an error similar to below.

postfix/smtp[<pid>]: warning: TLS library problem: error:1407741A: SSL r...
by thewomble
20 Jan 2017 11:00
Forum: How-to
Topic: using surbl.org or uribl.com professional datafeeds in spamassassin
Replies: 1
Views: 1148

Re: using surbl.org or uribl.com professional datafeeds in spamassassin

Just in case anybody else is going to do this, this is the HOW TO. In the /etc/unbound/conf.d/forwarders.conf I added the following lines; x.x.x.x is the local DNS that has the zone replication.

forward-zone:
    name: "multi.surbl.org"
    forward-addr: x.x.x.x
    forward-addr: x.x.x.x

Also # Use SBL from your ...
by thewomble
20 Jan 2017 10:54
Forum: Discussion
Topic: email disclaimer
Replies: 3
Views: 1763

Re: email disclaimer

Thanks for the pointer I will give that a go.
by thewomble
18 Jan 2017 11:54
Forum: How-to
Topic: using surbl.org or uribl.com professional datafeeds in spamassassin
Replies: 1
Views: 1148

using surbl.org or uribl.com professional datafeeds in spamassassin

I am using the stock build of EFA version 3.0.1.7. I am getting URIBL_BLOCKED The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. I have access to the non-public/professional data feed for SURBL and URIBL (http://www.surbl.or...
by thewomble
17 Jan 2017 20:23
Forum: Discussion
Topic: email disclaimer
Replies: 3
Views: 1763

email disclaimer

I have my existing mail gateway which I am looking to replace with EFA over the next few months, so I am looking to try and get as much as possible the same. The system adds disclaimers to email (as does EFA) but the disclaimer is dynamic, where the disclaimer uses variables such as date/time the se...
by thewomble
17 Jan 2017 19:46
Forum: Discussion
Topic: Upgrading to later version of EFA.
Replies: 1
Views: 940

Upgrading to later version of EFA.

I recently installed my first EFA VM.

I have noticed point release .8 is now out, think I was on 5 or 6 when I built it, now on 7. I have made some changes in the main.cf file, if I upgrade to .8 will any of the configuration files be replaced?
by thewomble
17 Jan 2017 19:44
Forum: Introduction
Topic: Hello EFA
Replies: 1
Views: 1355

Hello EFA

Hello, While looking to build an email gateway to front my Exchange I found first MailScanner, then EFA. Very easy to build and set up. I am still playing with it and there seems to be a lot that has been built in over the years. What is enabled by default, and what needs to be tweaked for an effect...
by thewomble
17 Jan 2017 12:59
Forum: Discussion
Topic: Not able to release items from quarantine
Replies: 3
Views: 1858

Re: Not able to release items from quarantine

webguyz I am having the same issue, what do I need to add 127.0.0.1 to?