ANNOUNCE: Beta 4.25-7 released

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Fri Nov 14 18:54:27 GMT 2003


Julian,

This patch works OK here too.

As for my disarming problems, here is what I conclude: 
- emails with IFrame tags in the body (not an attachment) go unnoticed
(no mention of an IFrame tag in my maillog)
- emails with IFrame tags in an attachment are noticed (logged) but are
not disarmed (Uninfected: Delivered 1 messages)

Am I the only one testing the disarming code?

I am running on Fedora Core 1 (upgraded from RH9).

Denis
PS: I removed clam from my virus scanners for these tests.

On Fri 14/11/2003 at 11:33, Julian Field wrote:
> And for good measure, because I screwed up that patch, add this one
> afterwards as well:
> 
> --- Quarantine.pm.old      2003-11-14 16:28:17.000000000 +0000
> +++ Quarantine.pm       2003-11-14 16:31:02.000000000 +0000
> @@ -192,7 +192,8 @@
>         MailScanner::Config::Value('quarantinewholemessage',$this) =~ /1/) {
>       #print STDERR "Saving entire message to $msgdir\n";
>       MailScanner::Log::InfoLog("Saved entire message to $msgdir");
> -    $message->{store}->CopyEntireMessage($message, $msgdir, 'message');
> +    $message->{store}->CopyEntireMessage($message, $msgdir, 'message',
> +                                         $uid, $gid, $changeowner);
>       push @chownlist, "$msgdir/message" if -f "$msgdir/message";
>     }
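Review bot: with $uid, $gid and $changeowner now passed to CopyEntireMessage, the unchanged push @chownlist, "$msgdir/message" line right after the call looks redundant if the callee now applies the owner itself. Keep one of the two, or add a comment saying why both are needed. The call also depends on CopyEntireMessage accepting three extra arguments, and that change is not part of this patch.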
> 
> Should actually work this time!
> Oh how I love Friday afternoons. Time to go home...
> 
> At 16:24 14/11/2003, you wrote:
> >Try this patch to Quarantine.pm
> >
> >--- Quarantine.pm.old      2003-11-07 12:30:39.000000000 +0000
> >+++ Quarantine.pm       2003-11-14 16:23:55.000000000 +0000
> >@@ -158,7 +158,7 @@
> >    my $this = shift;
> >    my($message) = @_;
> >
> >-  my($qdir, $todaydir, $msgdir, $uid, $gid, $changeowner);
> >+  my($qdir, $todaydir, $msgdir, $uid, $gid, $changeowner, @chownlist);
> >
> >    # Create today's directory if necessary
> >    #$todaydir = $this->{dir} . '/' . TodayDir();
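Review bot: @chownlist is now declared in the my() list at the top of the sub, so it lives for the whole function instead of only the attachment section. A one-line comment stating that it collects every quarantined path, the whole-message copy included, would make the reason for the wider scope obvious to the next reader.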
> >@@ -193,10 +193,11 @@
> >      #print STDERR "Saving entire message to $msgdir\n";
> >      MailScanner::Log::InfoLog("Saved entire message to $msgdir");
> >      $message->{store}->CopyEntireMessage($message, $msgdir, 'message');
> >+    push @chownlist, "$msgdir/message" if -f "$msgdir/message";
> >    }
> >
> >    # Now just quarantine the infected attachment files.
> >-  my($indir, $attachment, $report, @chownlist);
> >+  my($indir, $attachment, $report);
> >    $indir = $global::MS->{work}->{dir} . '/' . $message->{id};
> >    while(($attachment, $report) = each %{$message->{allreports}}) {
> >      # Skip reports pertaining to entire message, we've done those.
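Review bot: the added push is guarded by -f "$msgdir/message", so if CopyEntireMessage does not create the file, nothing is queued and nothing is reported, while the InfoLog two lines above has already logged "Saved entire message". Check the result of the copy, or log a warning when the -f test fails, so a missing quarantine copy is visible in the log.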
> >
> >At 15:36 14/11/2003, you wrote:
> >>Hi Julian,
> >>
> >>Think I've found the problem.
> >>
> >>I've added an InfoLog near the end of the constructor in Quarantine.pm which
> >>displays $this-> uid, gid, fileumask and dirumask, in the logs I get:
> >>
> >>Nov 14 15:11:24 mailscanner MailScanner[27337]: Quarantine File/Dir
> >>Permissions:  uid=48 gid=48 fileumask=79, dirumask=7
> >>
> >>I sent myself a blocked attachment from home - here is what I get:
> >>
> >>/var/spool/MailScanner/quarantine/20031114
> >>  drwxrwx---    2 apache   apache       4096 Nov 14 15:21 hAEFL1VN028041
> >>
> >>/var/spool/MailScanner/quarantine/20031114/hAEFL1VN028041
> >>  -rw-rw----    1 root     root         1328 Nov 14 15:21 message  <--- Incorrect
> >>  -rw-rw----    1 apache   apache          0 Nov 14 15:21 test.trap.crap.vbs
> >>
> >>The same thing seems to happen to spam messages as well - I've had a good
> >>look through Message.pm but I really can't work out why it isn't working
> >>on the message/rfc822 message files.
> >>
> >>Kind regards,
> >>Steve.
> >>
> >>-----Original Message-----
> >>From: Steve Freegard [mailto:steve.freegard at LBSLTD.CO.UK]
> >>Sent: 14 November 2003 14:55
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: Re: ANNOUNCE: Beta 4.25-7 released
> >>
> >>
> >>Hi Julian,
> >>
> >>I've changed 'Quarantine User = apache' and restarted MailScanner, I'm still
> >>getting:
> >>
> >>-rw-rw----    1 root     root         2108 Nov 14 14:44 hxxxxxxxxxxxxx
> >>
> >>I'll add some debug to see if I can find out what is going on.
> >>
> >>Regards,
> >>Steve.
> >>
> >>
> >>-----Original Message-----
> >>From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> >>Sent: 14 November 2003 14:16
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: Re: ANNOUNCE: Beta 4.25-7 released
> >>
> >>
> >>At 12:58 14/11/2003, you wrote:
> >> >One final thing - I'm trying to get the new Quarantine Permissions
> >> >features to work with MailWatch.
> >> >
> >> >I've set:
> >> >
> >> >Run As User: root
> >> >Run As Group: root
> >> >Quarantine User: root
> >> >Quarantine Group: apache
> >> >Quarantine Permissions: 0660
> >> >
> >> >And I get:
> >> >
> >> >-rw-rw----    1 root     root         2057 Nov 14 12:36 hxxxxxxxxxxxxx
> >> >                                  ^^^^
> >> >
> >> >Bug? - or have I done something wrong?
> >>
> >>I've just tried it here with the same settings and it works fine. Can you
> >>change the Quarantine User at all?
> >>
> >>
> >>
> >> >Kind regards,
> >> >Steve.
> >> >
> >> >-----Original Message-----
> >> >From: Steve Freegard [mailto:steve.freegard at LBSLTD.CO.UK]
> >> >Sent: 14 November 2003 12:42
> >> >To: MAILSCANNER at JISCMAIL.AC.UK
> >> >Subject: Re: ANNOUNCE: Beta 4.25-7 released
> >> >
> >> >
> >> >Further to this:
> >> >
> >> >I should've mentioned that I upgraded to clamav-0.65 at the same time
> >> >and installed the Mail::ClamAV module as well.
> >> >
> >> >So after upgrading I had:
> >> >
> >> >Virus Scanners = sophossavi clamavmodule
> >> >
> >> >Which is when I started to get the log messages as below - reverting
> >> >back to using the 'clamav' command-line scanner seems to fix the
> >> >problem and get the messages delivered.
> >> >
> >> >Kind regards,
> >> >Steve.
> >> >
> >> >-----Original Message-----
> >> >From: Steve Freegard [mailto:steve.freegard at LBSLTD.CO.UK]
> >> >Sent: 14 November 2003 12:37
> >> >To: MAILSCANNER at JISCMAIL.AC.UK
> >> >Subject: Re: ANNOUNCE: Beta 4.25-7 released
> >> >
> >> >
> >> >Hi Julian,
> >> >
> >> >Just upgraded - bit of a problem now - keep seeing this in the log:
> >> >
> >> >Nov 14 12:33:42 mailscanner MailScanner[14138]: Your
> >> >virus.scanners.conf file does not  have 3 words on each line. See if
> >> >you  have an old one left over by mistake.
> >> >
> >> >/etc/MailScanner/virus.scanners.conf:
> >> >
> >> >antivir         /usr/lib/MailScanner/antivir-wrapper    /usr/lib/AntiVir
> >> >bitdefender     /usr/lib/MailScanner/bitdefender-wrapper /usr/local/bd7
> >> >clamav          /usr/lib/MailScanner/clamav-wrapper     /usr/local
> >> >command         /usr/lib/MailScanner/command-wrapper    /usr
> >> >etrust          /usr/lib/MailScanner/etrust-wrapper     /opt/eTrustAntivirus
> >> >f-prot          /usr/lib/MailScanner/f-prot-wrapper     /usr/local/f-prot
> >> >f-secure        /usr/lib/MailScanner/f-secure-wrapper   /opt/f-secure/fsav
> >> ><<snip>>
> >> >
> >> >And nothing is being delivered!!
> >> >
> >> >Kind regards,
> >> >Steve.
> >> >
> >> >
> >> >-----Original Message-----
> >> >From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> >> >Sent: 14 November 2003 11:49
> >> >To: MAILSCANNER at JISCMAIL.AC.UK
> >> >Subject: ANNOUNCE: Beta 4.25-7 released
> >> >
> >> >
> >> >Morning all,
> >> >
> >> >I've just released the latest beta/unstable version 4.25-7.
> >> >
> >> >Main addition since the last beta is the addition of support for the
> >> >ClamAV perl module, which means no external programs have to be started
> >> >every time ClamAV is invoked. Should be noticeably faster.
> >> >
> >> >There are also a whole bunch of other fixes and additions, which are
> >> >detailed in the ChangeLog included below.
> >> >
> >> >Expect a stable release soon, but please do test this version and check
> >> >that it works okay. Thanks!
> >> >
> >> >Download as usual from www.mailscanner.info
> >> >
> >> >ChangeLog for 4.25:
> >> >
> >> >* New Features and Improvements *
> >> >- Panda version 7.0 supported.
> >> >- Added dependency on Net::CIDR module so could add support for more ways of
> >> >    specifying IP ranges in rulesets. Can now do all of:
> >> >          152.78.
> >> >          /^152\.78/
> >> >          152.78.0.0/16
> >> >          152.78.0.0-152.78.255.255
> >> >- Added support for "disarm" option on all HTML tag detectors, which will
> >> >    disarm those tags while leaving the rest of the HTML intact.
> >> >- Added support for retrieving configuration from LDAP.
> >> >- Changed SpamAssassin timeout handler to kill processes and not process group.
> >> >- Added support for changing uid, gid and permissions of both Incoming Work
> >> >    Dir and Quarantine Dir.
> >> >- Improved ClamAV parser to handle errors printed when processing viruses
> >> >    containing corrupted zip files.
> >> >- Improved documentation in virus.scanners.conf.
> >> >- Improved documentation of "disarm" configuration settings.
> >> >- Added optimisation to LDAP ruleset compiler that identifies 1-line rulesets
> >> >    which hold the default value.
> >> >- Added support for Mail::ClamAV perl module, enabling ClamAV to scan without
> >> >    having to call any external programs at all.
> >> >
> >> >* Fixes *
> >> >- RPM distribution install.sh script now checks and creates pod2text properly.
> >> >- Fixed bug whereby the same message files could be deleted more than once,
> >> >    which could delete unprocessed messages using MTAs that name files after
> >> >    the inode and not the time.
> >> >- Syslogging should now start successfully on all versions of Solaris and IRIX.
> >> >- Bug fix in Postfix file handling code from Stefan Baltus which will
> >> >    hopefully patch up the last Solaris Postfix problem.
> >> >- Fixed bug that broke rulesets in earlier betas.
> >> >
> >> >
> >> >
> >> >--
> >> >Julian Field
> >> >www.MailScanner.info
> >> >MailScanner thanks transtec Computers for their support
> >> >
> >> >PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
> >> >
> >> >--
> >> >This email and any files transmitted with it are confidential and
> >> >intended solely for the use of the individual or entity to whom they
> >> >are addressed. If you have received this email in error please notify
> >> >the sender and delete the message from your mailbox.
> >> >
> >> >This footnote also confirms that this email message has been swept by
> >> >MailScanner (www.mailscanner.info) for the presence of computer
> >> >viruses.
> >>
> >>--
> >>Julian Field
> >>www.MailScanner.info
> >>MailScanner thanks transtec Computers for their support
> >>
> >>PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
> >
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
> 
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
-- 
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
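
The ownership mismatch reported in the quoted thread (a root-owned "message" file inside an apache-owned quarantine directory) is the kind of drift a periodic audit can catch. The function below is an added example, not part of the original posts or of MailScanner; the name audit_quarantine and its arguments are assumptions, and it expects a find that supports -mindepth (GNU or BSD).

```shell
#!/bin/sh
# Added example: audit a MailScanner-style quarantine tree for entries whose
# owner, group or mode differ from what the configuration asks for.
# audit_quarantine and its arguments are hypothetical names for this sketch.
#
# usage: audit_quarantine DIR USER GROUP FILEMODE DIRMODE
#   e.g. audit_quarantine /var/spool/MailScanner/quarantine apache apache 0660 0770
# USER and GROUP may be names or numeric ids.
# Prints each mismatching path; returns 0 if clean, 1 on mismatch, 2 on bad input.
audit_quarantine() {
    [ "$#" -eq 5 ] || {
        echo "usage: audit_quarantine DIR USER GROUP FILEMODE DIRMODE" >&2
        return 2
    }
    qdir=$1; user=$2; group=$3; fmode=$4; dmode=$5
    [ -d "$qdir" ] || { echo "not a directory: $qdir" >&2; return 2; }

    # -mindepth 1 skips the quarantine root itself; the dated directories,
    # the per-message directories and the files inside them are all checked.
    # -perm with a plain octal value is an exact match, so extra bits
    # (for example world-readable) are reported as well as missing ones.
    mismatches=$(find "$qdir" -mindepth 1 \( \
        \( -type f \( ! -user "$user" -o ! -group "$group" -o ! -perm "$fmode" \) \) \
        -o \
        \( -type d \( ! -user "$user" -o ! -group "$group" -o ! -perm "$dmode" \) \) \
        \) -print | sort)

    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}
```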



