Sophos issues

Scott Adkins adkinss at OHIO.EDU
Mon Jan 27 17:59:58 GMT 2003


--On Monday, January 27, 2003 4:34 PM +0000 Julian Field 
<mailscanner at ECS.SOTON.AC.UK> wrote:

>>   The files are already
>> "corrupt" by the time that Sophos sees it (basically, it can't see both
>> the start of the file and the end of the file, is what I was told).  I
>> asked about the RAR archives, and she said that Sophos currently can't
>> scan RAR version 3 archives, but that will be available in the next
>> release.  She suggested that I quarantine messages and release the files
>> that get labeled corrupted, or in the case of the RAR files, maybe put
>> the file extension on a whitelist, basically.
>
> When it finds a file is corrupt, MailScanner removes it, right?

Actually no... It looks like the attachments come through okay, though,
the files are indeed corrupted.  I am still trying to get the original
files from the authors to see if they started that way or not... So, I
can't know for sure what happens, but the attachment doesn't appear to be
removed, just a warning message inserted into the body of the message
indicating that the file is corrupted.

> Is it happening often enough that you could archive all mail for a little
> while until it happens? If so, we can actually get a test case together
> to prove exactly what is happening to the message. Until I can get my
> hands on a test case, it is very difficult to work out what is happening.

I don't think so... We get several hundred emails going through our system
a minute... We have enough problems trying to stay afloat with CPU load and
(especially) disk I/O.  When we turned on quarantining for about a 10 hour
time period, we had about 1.5GB of disk space consumed... so, it makes me
a bit afraid to do anything on our production server like that :-)

> Are they suggesting that the file put into the quarantine is actually
> okay, but the file being scanned is not? That would be a neat trick...

That is a good point... My concern was with regards of a message coming
in that was fine and somehow MailScanner or Sophos was corrupting the
message and that was what got put into the attachment... but that seems
a bit less likely at this point, and I feel like the file is starting out
corrupt.  If I had to guess right now, Sophos is expecting documents to
be exactly compliant with those document standard formats (i.e. DOC files
must follow Microsoft Word Document format, PDF files follow Adobe PDF
file formats etc).  There doesn't appear to be much room in the way of
flexibility.  I have seen other programs, like Star Office, write their
documents that are mostly compliant, but not quite, and maybe those would
be flagged by Sophos as being corrupted.  Anyways, those are guesses.

>> What would be really helpful, at this point, is a way for me to set an
>> option to allow corrupted files to pass through MailScanner without being
>> flagged as viruses and without being touched.  The same goes for scanning
>> of external MIME attachments (which is another thread).  There should be
>> an option to not flag those as viruses and to allow the messages to pass
>> through untouched.  Both of these issues are generated support calls for
>> us right now.
>
> The "external bodies" switch will be in the next version. I'll have to
> take a look at how easy it would be to add a switch for the other bit.

Great!  I will let the users know about this (the external bodies thing).

> How come this is only happening with Sophos? No-one else is reporting any
> problems, only the people using Sophos.

That is a good point... If I knew our system could support another virus
scanner, such as ClamAV or something like that, I would put it on.... as is,
we are now running without spam checking just so we can get some benefit
of MailScanner doing virus checking on messages... when we start to fall
behind in the mail queues, even that gets turned off.

On average, we get several hundred messages a minute.  When we get spammed
(usually by our own university departments), we get way more than that :)

Scott
-- 
 +-----------------------------------------------------------------------+
      Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer                  mailto:adkinss at ohio.edu
        ICQ 7626282                 Work (740)593-9478 Fax (740)593-1944
 +-----------------------------------------------------------------------+
     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
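An added example, not code from this thread, from MailScanner or from Sophos: a small triage helper for attachments a scanner has labelled "corrupt" because it cannot see both the start and the end of the file. It checks the header magic (DOC, PDF, RAR v3/v5) and, for PDF, the %%EOF trailer, and maps the result to a quarantine action; the file names and attachment bodies are constructed.

```python
# Added example, not from the MailScanner list or Sophos: triage quarantined
# attachments flagged "corrupt" by checking file head (and PDF tail) structure.
# Sample bodies below are constructed, not real mail.
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MS Word .doc (OLE2 compound file)
RAR_MAGIC = b"Rar!\x1a\x07\x00"                   # RAR 1.5 through 4.x (covers RAR v3)
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"              # RAR 5.x
PDF_HEADER = re.compile(rb"^%PDF-\d\.\d")

def classify(data: bytes) -> str:
    """Coarse structural verdict from the head (and for PDF, the tail) of the file."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR_MAGIC):
        return "rar3"
    if data.startswith(OLE2_MAGIC):
        return "doc-ole2"
    if PDF_HEADER.match(data):
        # Readers tolerate trailing whitespace, so search the last 1 KiB, not the final bytes.
        return "pdf-ok" if b"%%EOF" in data[-1024:] else "pdf-truncated"
    return "unknown"

def triage(data: bytes) -> str:
    """Map the verdict to a quarantine action.
    release : structurally whole, the scanner's 'corrupt' verdict was spurious
    rescan  : archive type the scanner cannot open yet; scan with another
              engine rather than whitelisting the extension
    hold    : truncated, unrecognised or unverifiable; leave in quarantine
    """
    verdict = classify(data)
    if verdict == "pdf-ok":
        return "release"
    if verdict in ("rar3", "rar5"):
        return "rescan"
    return "hold"

# Constructed samples standing in for quarantined attachments.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n",
    "cut.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\n",   # tail missing
    "notes.doc": OLE2_MAGIC + b"\x00" * 512,
    "pack.rar": RAR_MAGIC + b"\x00" * 16,
    "blob.bin": b"\x00\x01\x02",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {classify(body)} -> {triage(body)}")
```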