(change request) Infected message <foo> came from <bar>

Julian Field mailscanner at ecs.soton.ac.uk
Wed Dec 3 09:06:50 GMT 2003


SpamAssassin will check all the Received: headers; MailScanner doesn't.
So just use the RBL rules within SpamAssassin, rather than the "Spam List"
setting in MailScanner.conf.
You might want to increase the scores on SA rules that are RBL checks, to
make it behave more like using the "Spam List" setting.

At 22:14 02/12/2003, you wrote:
>ClamAV gives me the following for each hit:
>
>(stuff deleted) Virus Scanning: ClamAV found 1 infections
>(stuff deleted) Infected message hB2LXjks045635 came from 192.149.244.18
>
>which is well and good, as far as that goes: I got an infected message
>in the inbound mail, and ClamAV told MailScanner to quarantine it. I
>_love_ that.
>
>But my MailScanner box is fed by our firewall's SMTP proxy, rather
>than seeing the other end of the SMTP conversation directly, and so
>the offending IP number always is the same, and I don't get to see
>who the real offender is.
>
>Is there a handle that can be tweaked to run backwards down the chain
>of "Received:" headers, or the IP addresses in them, at this point? I
>see that the message is generated in MergeReports, which is called by
>ScanBatch after all the AV scanners have run, but I haven't dug deep
>enough into the code to see what handles are available at this time.
>I really need to go one "Received:" header back in the chain, to the
>one that set up the SMTP session with our SMTP proxy.
>
>If possible, I'd _love_ to see something like
>: Infected message hB2LXjks045635 came from 192.149.244.18
>:                         which got it from 12.24.199.207
>:                         which got it from 42.140.77.222
>:                         which got it from 24.12.44.139
>all the way back through all the "Received:" headers, but I can see
>how that might be _very_ difficult.
>
><fx type="singing", text_nature="praises">
>
>Oh, and I updated to MailScanner-4.25-13 today. It Just Works. But
>I've been saying that about MailScanner all along.
>
>Thanks for a great product, Julian!
>
>--
>Mike Andrews
>mikea at mikea.ath.cx
>Tired old sysadmin

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
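The report format asked for in the quoted message, as an added example that is not part of the thread and not MailScanner code (MailScanner is Perl; this is a standalone Python sketch). The sample message, its hostnames and the trusted-relay set are constructed; the IP addresses and message id are the ones quoted above.

```python
import re
from email import message_from_string

# Constructed sample: IPs are the ones quoted in the post, hostnames are made up.
SAMPLE = """\
Received: from fw.example.org (fw.example.org [192.149.244.18])
\tby scanner.example.org with ESMTP id hB2LXjks045635; Tue, 2 Dec 2003 15:33:45 -0600
Received: from relay.example.net (relay.example.net [12.24.199.207])
\tby fw.example.org with SMTP; Tue, 2 Dec 2003 15:33:40 -0600
Received: from mx.example.com (unknown [42.140.77.222])
\tby relay.example.net with ESMTP; Tue, 2 Dec 2003 15:33:31 -0600
Received: from pc (pc.example.com [24.12.44.139])
\tby mx.example.com with SMTP; Tue, 2 Dec 2003 15:33:20 -0600
Received: by pc with local; Tue, 2 Dec 2003 15:33:19 -0600
From: sender@example.com
Subject: constructed sample

body
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw_message):
    """Peer IPs from the Received: headers, newest hop first."""
    chain = []
    for header in message_from_string(raw_message).get_all("Received", []):
        if not header.lstrip().lower().startswith("from"):
            continue  # e.g. "Received: by ..." for local submission, no peer
        # Only the "from" clause names the peer; "by" names the receiving host.
        from_clause = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        match = BRACKETED_IPV4.search(from_clause)
        if match:
            chain.append(match.group(1))
    return chain

def first_untrusted(chain, trusted):
    """First hop outside our own relay set; it was recorded by one of our hosts."""
    return next((ip for ip in chain if ip not in trusted), None)

def format_report(msg_id, chain):
    if not chain:
        return f"Infected message {msg_id} came from an unknown address"
    lines = [f"Infected message {msg_id} came from {chain[0]}"]
    lines += [f"    which got it from {ip}" for ip in chain[1:]]
    return "\n".join(lines)

if __name__ == "__main__":
    hops = received_chain(SAMPLE)
    print(format_report("hB2LXjks045635", hops))
    print("handed to our proxy by:", first_untrusted(hops, {"192.149.244.18"}))
```

Only the hop written by your own proxy is reliable; Received: lines further down were supplied by hosts outside your control and can be forged.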


