Zip files checking

Rick Cooper rcooper at DWFORD.COM
Thu Apr 8 18:22:19 IST 2004


You're welcome, just keep ahold of that backup Message.pm; there were some
freaky things going on in there and I want to make sure there is nothing
else affected. I found the problem but not the cause... I think you stumbled
onto an interesting bug.

Rick

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Roger Jochem
> Sent: Thursday, April 08, 2004 11:26 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Zip files checking
>
>
> It worked fine!
>
> Thanks for that...
>
> Regards
>
> Roger Jochem
>
> ----- Original Message -----
> From: "Rick Cooper" <rcooper at DWFORD.COM>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Thursday, April 08, 2004 1:20 PM
> Subject: Re: Zip files checking
>
>
> > Roger,
> >
> > Try the attached patch. Copy it to your MailScanner/lib/MailScanner
> > directory and make a backup of your current Message.pm file, then run
> > the command:
> >
> > patch Message.pm FixForwardZip.patch
> >
> > Give it a try and see if it solves your problem.
> >
> > NOTE: I have tested this with everything I could think of and it works
> > fine. I have sent the code to Julian to look at and bless, so keep your
> > backup just in case he wants to do something else.
> >
> > Rick
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > Behalf Of Roger Jochem
> > > Sent: Thursday, April 08, 2004 5:30 AM
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: Zip files checking
> > >
> > >
> > > I had put the Outlook Express .eml files in my site. I imagine Rick's
> > > queue files are better for testing purposes...
> > >
> > > ----- Original Message -----
> > > From: "Rick Cooper" <rcooper at DWFORD.COM>
> > > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > > Sent: Thursday, April 08, 2004 7:27 AM
> > > Subject: Re: Zip files checking
> > >
> > >
> > > > You can look at them online at http://dwford.com/julian
> > > > or download all four (they are the same queue files as MailScanner found)
> > > > http://dwford.com/julian/Julian.tar.gz
> > > >
> > > > Thanks
> > > >
> > > > Rick
> > > >
> > > > > -----Original Message-----
> > > > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > > > Behalf Of Julian Field
> > > > > Sent: Thursday, April 08, 2004 3:07 AM
> > > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > > Subject: Re: Zip files checking
> > > > >
> > > > >
> > > > > Can you put the two messages on a web server somewhere and send me the URL
> > > > > please. Then I'll take a look at the problem.
> > > > >
> > > > > At 20:20 07/04/2004, you wrote:
> > > > > >I would say this is a problem. I looked at my exim logs and everything was the
> > > > > >same for both files. I listed the MailScanner logs and you can see same/same
> > > > > >except for the unpacking and I also trapped both messages as they passed
> > > > > >into the MailScanner queue and copied them elsewhere to look at them and
> > > > > >there was nothing different about the two emails (Both were attachments to a
> > > > > >text only message). I tried the same thing sending a virus and it caught the
> > > > > >virus in the forwarded message. It's an oddball thing but I won't have time
> > > > > >to trace it through MS until the weekend. I see no possible configuration
> > > > > >setting that should cause attachments to a forwarded message to be handled
> > > > > >differently than a normal message and neither the header nor body parts had
> > > > > >any differences except what you would expect to see for a forwarded message
> > > > > >(Subject, MsgId, etc). My virus.scanning.rules during the forward test were
> > > > > >quite simple
> > > > > >
> > > > > >FromOrTo:       default                     yes
> > > > > >
> > > > > >the same as when I sent the zip normally and it was caught (as the log shows
> > > > > >they were only a second or so apart)
> > > > > >
> > > > > >Rick
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > > > > > Behalf Of Roger Jochem
> > > > > > > Sent: Wednesday, April 07, 2004 1:53 PM
> > > > > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > > > > Subject: Re: Zip files checking
> > > > > > >
> > > > > > >
> > > > > > > Then it is really a problem? Or some misconfiguration in both our systems?
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Rick Cooper" <rcooper at DWFORD.COM>
> > > > > > > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > > > > > > Sent: Wednesday, April 07, 2004 12:47 PM
> > > > > > > Subject: Re: Zip files checking
> > > > > > >
> > > > > > >
> > > > > > > > I did the same test, first one through with checking turned off for the host
> > > > > > > > I sent from so I could receive the zip with the exe in it. Returned rules to
> > > > > > > > normal so all checks would be on and it passed the forwarded exe in the zip
> > > > > > > > file. Then tried to send the same file to same address without forwarding
> > > > > > > > and it was blocked. My MailScanner log for the two events:
> > > > > > > >
> > > > > > > > Forwarded message:
> > > > > > > >
> > > > > > > > Apr  7 10:32:07 srv2 MailScanner[23024]: New Batch: Scanning 1 messages, 974634 bytes
> > > > > > > > Apr  7 10:32:07 srv2 MailScanner[23024]: Spam Checks: Starting
> > > > > > > > Apr  7 10:32:09 srv2 MailScanner[23024]: Virus and Content Scanning: Starting
> > > > > > > > Apr  7 10:32:13 srv2 MailScanner[23024]: Uninfected: Delivered 1 messages
> > > > > > > >
> > > > > > > > Normal Message:
> > > > > > > >
> > > > > > > > Apr  7 10:33:31 srv2 MailScanner[23120]: New Batch: Scanning 1 messages, 974473 bytes
> > > > > > > > Apr  7 10:33:31 srv2 MailScanner[23120]: Spam Checks: Starting
> > > > > > > > Apr  7 10:33:32 srv2 MailScanner[23120]: Virus and Content Scanning: Starting
> > > > > > > > Apr  7 10:33:37 srv2 MailScanner[23139]: MailScanner E-Mail Virus Scanner version 4.29.7 starting...
> > > > > > > > Apr  7 10:33:38 srv2 MailScanner[23139]: Using Custom Function file /opt/MailScanner/lib/MailScanner/CustomFunctions/MyExample.pm
> > > > > > > > Apr  7 10:33:40 srv2 MailScanner[23120]: Filename Checks: Windows/DOS Executable (1BBF3B-00060P-9A McAfeestinger.exe)
> > > > > > > > Apr  7 10:33:40 srv2 MailScanner[23120]: Filetype Checks: No executables (1BBF3B-00060P-9A McAfeestinger.exe)
> > > > > > > > Apr  7 10:33:40 srv2 MailScanner[23120]: Other Checks: Found 2 problems
> > > > > > > > Apr  7 10:33:40 srv2 MailScanner[23120]: Cleaned: Delivered 1 cleaned messages
> > > > > > > > Apr  7 10:33:40 srv2 MailScanner[23120]: Notices: Warned about 1 messages
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > > > > > > > Behalf Of Julian Field
> > > > > > > > > Sent: Wednesday, April 07, 2004 8:48 AM
> > > > > > > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > > > > > > Subject: Re: Zip files checking
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Please can you double check this and your mail setup to ensure mail is
> > > > > > > > > taking the route you think it is. MailScanner neither knows nor cares
> > > > > > > > > whether a message is forwarded unless you are using rulesets on the
> > > > > > > > > relevant configuration options.
> > > > > > > > >
> > > > > > > > > At 20:49 06/04/2004, you wrote:
> > > > > > > > > >I'm sending this e-mail again because my configuration on the list was
> > > > > > > > > >incorrect, and I don't know if it already was sent or because of this
> > > > > > > > > >"misconfiguration" the email didn't go at the first time.. (sorry)
> > > > > > > > > >
> > > > > > > > > >I found a strange problem in MailScanner. I just updated my MailScanner to
> > > > > > > > > >version 4.29-7, and now I was testing the zip file checking.
> > > > > > > > > >
> > > > > > > > > >I sent an e-mail with an .exe file inside a .zip file, and mailscanner
> > > > > > > > > >blocked it. Great! It worked!
> > > > > > > > > >
> > > > > > > > > >And then I forwarded this .zip file, and this time the .zip file passed
> > > > > > > > > >through mailscanner.
> > > > > > > > > >
> > > > > > > > > >Then I made several other tests, and found out that every .zip file in
> > > > > > > > > >e-mails is checked and blocked, but if the e-mail is forwarded, the .zip
> > > > > > > > > >file always passes through.
> > > > > > > > > >
> > > > > > > > > >Any ideas to correct this problem?
> > > > > > > > > >
> > > > > > > > > >Roger Jochem
> > > > > > > > > >SBS - SC
> > > > > > > > > >Brazil
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Julian Field
> > > > > > > > > www.MailScanner.info
> > > > > > > > > Professional Support Services at www.MailScanner.biz
> > > > > > > > > MailScanner thanks transtec Computers for their support
> > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > This message has been scanned for viruses and
> > > > > > > > > dangerous content by MailScanner, and is
> > > > > > > > > believed to be clean.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > >
> > > > >
> > >
> >
>
>
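
Added example, not part of the thread and not Rick's patch or MailScanner code: a regression check that the same zip yields the same blocked members whether it is attached directly or arrives inside a forwarded message. The thread does not state the cause of the bug; the message/rfc822 wrapping (which goes beyond the plain-attachment case described above), the extension list, the addresses and the name tool.zip are assumptions, and McAfeestinger.exe is the file name from the log above.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for this sketch; MailScanner's real rules live in its own config.
BLOCKED_EXT = (".exe", ".com", ".scr", ".pif")

def make_zip(member):
    """Constructed sample: an in-memory zip with one harmless dummy member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"dummy bytes, not a real executable")
    return buf.getvalue()

def direct_message(zip_bytes):
    """Text-only message with the zip attached (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "test"
    msg.set_content("text only body")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="tool.zip")
    return msg

def forwarded_message(inner):
    """Assumption: the forward wraps the original as a message/rfc822 part."""
    outer = EmailMessage()
    outer["From"], outer["To"] = "b@example.com", "c@example.com"
    outer["Subject"] = "Fwd: test"
    outer.set_content("see forwarded message")
    outer.add_attachment(inner)
    return outer

def blocked_members(raw):
    """Return (attachment name, zip member) pairs that match BLOCKED_EXT."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():          # walk() also descends into message/rfc822
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):  # sniff content, not declared type
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            hits += [(part.get_filename(), m) for m in zf.namelist()
                     if m.lower().endswith(BLOCKED_EXT)]
    return hits
```

Running both message shapes through the filter under test and comparing the results turns the manual send-then-forward test from the thread into a repeatable check.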


