Zip files checking

Julian Field mailscanner at ecs.soton.ac.uk
Thu Apr 8 09:07:00 IST 2004


Can you put the two messages on a web server somewhere and send me the URL
please. Then I'll take a look at the problem.

At 20:20 07/04/2004, you wrote:
>I would say this is a problem. I looked at my exim logs and everything was the
>same for both files. I listed the MailScanner logs and you can see same/same
>except for the unpacking, and I also trapped both messages as they passed
>into the MailScanner queue and copied them elsewhere to look at them, and
>there was nothing different about the two emails (both were attachments to a
>text-only message). I tried the same thing sending a virus and it caught the
>virus in the forwarded message. It's an oddball thing but I won't have time
>to trace it through MS until the weekend. I see no possible configuration
>setting that should cause attachments to a forwarded message to be handled
>differently than a normal message, and neither the header nor body parts had
>any differences except what you would expect to see for a forwarded message
>(Subject, MsgId, etc). My virus.scanning.rules during the forward test were
>quite simple:
>
>FromOrTo:       default                     yes
>
>the same as when I sent the zip normally and it was caught (as the log shows
>they were only a second or so apart)
>
>Rick
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > Behalf Of Roger Jochem
> > Sent: Wednesday, April 07, 2004 1:53 PM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Zip files checking
> >
> >
> > Then it is really a problem? Or some misconfiguration in both our systems?
> >
> > ----- Original Message -----
> > From: "Rick Cooper" <rcooper at DWFORD.COM>
> > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > Sent: Wednesday, April 07, 2004 12:47 PM
> > Subject: Re: Zip files checking
> >
> >
> > > I did the same test, first one through with checking turned off for the
> > > host I sent from so I could receive the zip with the exe in it. Returned
> > > rules to normal so all checks would be on and it passed the forwarded exe
> > > in the zip file. Then tried to send the same file to the same address
> > > without forwarding and it was blocked. My MailScanner log for the two
> > > events:
> > >
> > > Forwarded message:
> > >
> > > Apr  7 10:32:07 srv2 MailScanner[23024]: New Batch: Scanning 1 messages, 974634 bytes
> > > Apr  7 10:32:07 srv2 MailScanner[23024]: Spam Checks: Starting
> > > Apr  7 10:32:09 srv2 MailScanner[23024]: Virus and Content Scanning: Starting
> > > Apr  7 10:32:13 srv2 MailScanner[23024]: Uninfected: Delivered 1 messages
> > >
> > > Normal Message:
> > >
> > > Apr  7 10:33:31 srv2 MailScanner[23120]: New Batch: Scanning 1 messages, 974473 bytes
> > > Apr  7 10:33:31 srv2 MailScanner[23120]: Spam Checks: Starting
> > > Apr  7 10:33:32 srv2 MailScanner[23120]: Virus and Content Scanning: Starting
> > > Apr  7 10:33:37 srv2 MailScanner[23139]: MailScanner E-Mail Virus Scanner version 4.29.7 starting...
> > > Apr  7 10:33:38 srv2 MailScanner[23139]: Using Custom Function file /opt/MailScanner/lib/MailScanner/CustomFunctions/MyExample.pm
> > > Apr  7 10:33:40 srv2 MailScanner[23120]: Filename Checks: Windows/DOS Executable (1BBF3B-00060P-9A McAfeestinger.exe)
> > > Apr  7 10:33:40 srv2 MailScanner[23120]: Filetype Checks: No executables (1BBF3B-00060P-9A McAfeestinger.exe)
> > > Apr  7 10:33:40 srv2 MailScanner[23120]: Other Checks: Found 2 problems
> > > Apr  7 10:33:40 srv2 MailScanner[23120]: Cleaned: Delivered 1 cleaned messages
> > > Apr  7 10:33:40 srv2 MailScanner[23120]: Notices: Warned about 1 messages
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > > Behalf Of Julian Field
> > > > Sent: Wednesday, April 07, 2004 8:48 AM
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: Re: Zip files checking
> > > >
> > > >
> > > > Please can you double check this and your mail setup to ensure mail is
> > > > taking the route you think it is. MailScanner neither knows nor cares
> > > > whether a message is forwarded unless you are using rulesets on the
> > > > relevant configuration options.
> > > >
> > > > At 20:49 06/04/2004, you wrote:
> > > > >I'm sending this e-mail again because my configuration on the list was
> > > > >incorrect, and I don't know if it was already sent or if, because of
> > > > >this "misconfiguration", the email didn't go the first time (sorry).
> > > > >
> > > > >I found a strange problem in MailScanner. I just updated my MailScanner
> > > > >to version 4.29-7, and now I was testing the zip file checking.
> > > > >
> > > > >I sent an e-mail with an .exe file inside a .zip file, and MailScanner
> > > > >blocked it. Great! It worked!
> > > > >
> > > > >And then I forwarded this .zip file, and this time the .zip file passed
> > > > >through MailScanner.
> > > > >
> > > > >Then I made several other tests, and found out that every .zip file in
> > > > >e-mails is checked and blocked, but if the e-mail is forwarded, the .zip
> > > > >file always passes through.
> > > > >
> > > > >Any ideas to correct this problem?
> > > > >
> > > > >Roger Jochem
> > > > >SBS - SC
> > > > >Brazil
> > > >
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > Professional Support Services at www.MailScanner.biz
> > > > MailScanner thanks transtec Computers for their support
> > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > > >
> > > > --
> > > > This message has been scanned for viruses and
> > > > dangerous content by MailScanner, and is
> > > > believed to be clean.
> > > >
> > > >
> > > >
> >
> >
> >
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


