report txt being quarantined

Matthew baker m at WHERES.CO.UK
Wed Nov 26 14:40:19 GMT 2003


Hi all,
        I am having the same issue with report messages being quarantined
instead of the original message body, as reported by Phil Kendall
(original message to list pasted below, taken from list archives). This
does not happen all the time. Most messages marked as {Dangerous
Content?} do have their HTML attachment quarantined; we then make this
available to the original recipient via a Perl script which can display
the message body in a browser if they decide to do so.

Does anyone have any clues as to what combinations of configuration cause
this? My config for this section:

Allow Partial Messages = no
Allow External Message Bodies = no
Allow IFrame Tags = yes
Log IFrame Tags = %rules-dir%/iframe.log
Allow Form Tags = %rules-dir%/content.whitelist.rules
Allow Object Codebase Tags = no
Convert Dangerous HTML To Text = no
Convert HTML To Text = no
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
Quarantine Infections = yes
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no

I'm using version 4.24-5.

thx,

Matt

> Date:         Mon, 1 Sep 2003 17:41:14 +0100
> Reply-To:     MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> Sender:       MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> From:         Phil Kendall <philk at TCP.NET.UK>
> Subject:      Question about quarentining dangerous content?
> Content-Type: multipart/alternative;
>
>
> We upgraded from 4.20-3 to 4.24.11 today.
>
> The following mail was picked up as having dangerous content:
>
> Sep 1 17:10:27 MailScanner[18581]: Content Checks: Detected
> HTML-specific exploits in h81GANmM026123
> Sep 1 17:10:27 MailScanner[18581]: Saved infected "msg-18581-834.html"
> to /var/spool/MailScanner/quarantine/20030901/h81GANmM026123
>
> The file that was quarantined was not the original message but in
> fact the stored.content.message.txt
>
> We have Quarantine Infections = yes & Quarantine Whole Message = no set
> in the MailScanner.conf file.
>
> Is this the behaviour we should expect?
>
> Is it possible to have it so that dangerous content is quarantined &
> infected attachments without having to quarantine the entire message?
>
>
> Phil Kendall
> Technical Systems Administrator
> TCP - Europacom.net
>
>


