Zip files checking

Rick Cooper rcooper at DWFORD.COM
Wed Apr 7 20:20:24 IST 2004


I would say this is a problem. I looked at my exim logs and everything was the
same for both files. I listed the MailScanner logs and you can see same/same
except for the unpacking, and I also trapped both messages as they passed
into the MailScanner queue and copied them elsewhere to look at them, and
there was nothing different about the two emails (both were attachments to a
text only message). I tried the same thing sending a virus and it caught the
virus in the forwarded message. It's an oddball thing but I won't have time
to trace it through MS until the weekend. I see no possible configuration
setting that should cause attachments to a forwarded message to be handled
differently than a normal message, and neither the header nor body parts had
any differences except what you would expect to see for a forwarded message
(Subject, MsgId, etc). My virus.scanning.rules during the forward test were
quite simple:

FromOrTo:       default                     yes

the same as when I sent the zip normally and it was caught (as the log shows,
they were only a second or so apart).

Rick

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Roger Jochem
> Sent: Wednesday, April 07, 2004 1:53 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Zip files checking
>
>
> Then it is really a problem? Or some misconfiguration in both our systems?
>
> ----- Original Message -----
> From: "Rick Cooper" <rcooper at DWFORD.COM>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Wednesday, April 07, 2004 12:47 PM
> Subject: Re: Zip files checking
>
>
> > I did the same test, first one through with checking turned off for the
> > host I sent from so I could receive the zip with the exe in it. Returned
> > rules to normal so all checks would be on and it passed the forwarded exe
> > in the zip file. Then tried to send the same file to same address without
> > forwarding and it was blocked. My MailScanner log for the two events:
> >
> > Forwarded message:
> >
> > Apr  7 10:32:07 srv2 MailScanner[23024]: New Batch: Scanning 1 messages, 974634 bytes
> > Apr  7 10:32:07 srv2 MailScanner[23024]: Spam Checks: Starting
> > Apr  7 10:32:09 srv2 MailScanner[23024]: Virus and Content Scanning: Starting
> > Apr  7 10:32:13 srv2 MailScanner[23024]: Uninfected: Delivered 1 messages
> >
> > Normal Message:
> >
> > Apr  7 10:33:31 srv2 MailScanner[23120]: New Batch: Scanning 1 messages, 974473 bytes
> > Apr  7 10:33:31 srv2 MailScanner[23120]: Spam Checks: Starting
> > Apr  7 10:33:32 srv2 MailScanner[23120]: Virus and Content Scanning: Starting
> > Apr  7 10:33:37 srv2 MailScanner[23139]: MailScanner E-Mail Virus Scanner version 4.29.7 starting...
> > Apr  7 10:33:38 srv2 MailScanner[23139]: Using Custom Function file /opt/MailScanner/lib/MailScanner/CustomFunctions/MyExample.pm
> > Apr  7 10:33:40 srv2 MailScanner[23120]: Filename Checks: Windows/DOS Executable (1BBF3B-00060P-9A McAfeestinger.exe)
> > Apr  7 10:33:40 srv2 MailScanner[23120]: Filetype Checks: No executables (1BBF3B-00060P-9A McAfeestinger.exe)
> > Apr  7 10:33:40 srv2 MailScanner[23120]: Other Checks: Found 2 problems
> > Apr  7 10:33:40 srv2 MailScanner[23120]: Cleaned: Delivered 1 cleaned messages
> > Apr  7 10:33:40 srv2 MailScanner[23120]: Notices: Warned about 1 messages
> >
> >
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > Behalf Of Julian Field
> > > Sent: Wednesday, April 07, 2004 8:48 AM
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: Zip files checking
> > >
> > >
> > > Please can you double check this and your mail setup to ensure mail is
> > > taking the route you think it is. MailScanner neither knows nor cares
> > > whether a message is forwarded unless you are using rulesets on the
> > > relevant configuration options.
> > >
> > > At 20:49 06/04/2004, you wrote:
> > > >I'm sending this e-mail again because my configuration on the list was
> > > >incorrect, and I don't know if it was already sent or if, because of
> > > >this "misconfiguration", the email didn't go the first time.. (sorry)
> > > >
> > > >I found a strange problem in MailScanner. I just updated my MailScanner
> > > >to version 4.29-7, and now I was testing the zip file checking.
> > > >
> > > >I sent an e-mail with an .exe file inside a .zip file, and MailScanner
> > > >blocked it. Great! It worked!
> > > >
> > > >And then I forwarded this .zip file, and this time the .zip file passed
> > > >through MailScanner.
> > > >
> > > >Then I made several other tests, and found out that every .zip file in
> > > >e-mails is checked and blocked, but if the e-mail is forwarded, the .zip
> > > >file always passes through.
> > > >
> > > >Any ideas to correct this problem?
> > > >
> > > >Roger Jochem
> > > >SBS - SC
> > > >Brazil
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
> > > --
> > > This message has been scanned for viruses and
> > > dangerous content by MailScanner, and is
> > > believed to be clean.
> > >
> > >
> > >
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
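
An added example (not part of the original thread, and not MailScanner code): a script for the comparison Rick describes, walking two trapped messages and listing each zip member with the MIME depth at which its archive sits. The samples are constructed, the extension list is illustrative, and the forward-as-attachment (message/rfc822) layout is an assumption; the thread does not establish how the forwarded test message was structured.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".exe", ".com", ".scr", ".pif")  # illustrative, not MailScanner's rule files

def make_zip(member: str) -> bytes:
    """Build a constructed zip holding one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not a real executable")
    return buf.getvalue()

def direct_message(zip_bytes: bytes) -> EmailMessage:
    msg = EmailMessage()
    msg["Subject"] = "zip test"
    msg.set_content("text only body")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="tool.zip")
    return msg

def forwarded_message(inner: EmailMessage) -> EmailMessage:
    outer = EmailMessage()
    outer["Subject"] = "Fwd: zip test"
    outer.set_content("forwarding the original")
    outer.add_attachment(inner)  # stored as a message/rfc822 part (assumed layout)
    return outer

def zip_members(raw: bytes):
    """Return [(mime_depth, zip_name, member_name)] for zips at any nesting level."""
    found = []
    def walk(part, depth):
        if part.is_multipart():  # true for multipart/* and for message/rfc822
            for sub in part.get_payload():
                walk(sub, depth + 1)
            return
        name = part.get_filename() or ""
        if part.get_content_type() == "application/zip" or name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    found.extend((depth, name, m) for m in zf.namelist())
            except zipfile.BadZipFile:
                found.append((depth, name, "<unreadable zip>"))
    walk(message_from_bytes(raw, policy=policy.default), 0)
    return found

def blocked(raw: bytes):
    """Members whose names end in a blocked extension."""
    return [hit for hit in zip_members(raw) if hit[2].lower().endswith(BLOCKED_EXT)]

# Constructed stand-ins for the two trapped queue files.
DIRECT = direct_message(make_zip("sample.exe")).as_bytes()
FORWARDED = forwarded_message(direct_message(make_zip("sample.exe"))).as_bytes()
```

Running `blocked()` over the real trapped queue files instead of the constructed samples shows whether the two archives sit at the same depth, which is the structural difference a header and body comparison by eye can miss.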


