MailScanner Internals

Clive Eisen clive at SERENDIPITA.COM
Fri Apr 16 23:02:05 IST 2004


Rick Cooper wrote:

>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>Behalf Of Clive Eisen
>>Sent: Friday, April 16, 2004 3:54 PM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: MailScanner Internals
>>
>>Rick Cooper wrote:
>>
>>>>-----Original Message-----
>>>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>>>Behalf Of Clive Eisen
>>>>Sent: Friday, April 16, 2004 11:49 AM
>>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>>Subject: Re: MailScanner Internals
>>>>
>>>>Rick Cooper wrote:
>>>>
>>>>>>-----Original Message-----
>>>>>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>>>>>Behalf Of Clive Eisen
>>>>>>Sent: Friday, April 16, 2004 10:20 AM
>>>>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>>>>Subject: Re: MailScanner Internals
>>>>>>
>>>>>>Rick Cooper wrote:
>>>>>>
>>>>><snip>
>>>>>
>>>>>>>>>Note that MessageBatch.pm sets $message->{virusinfected} = 0; in sub
>>>>>>>>>DisinfectAndDeliver
>>>>>>>>>so it seems it would not still be set if used as an alwayslookuplast last
>>>>>>>>>since it appears that call is made in bin/MailScanner after all the other
>>>>>>>>>processing. What are you trying to do in the custom function? It might be
>>>>>>>>>you need to patch a call in from somewhere else to achieve what
>>>>>>>>>
>>>>>You don't see what you're looking for because you need to catch it before it's
>>>>>unset
>>>>>
>>>>><snip>
>>>>>
>>>>>>Cheers - I'll give it a whirl - I still don't really understand why I
>>>>>>never get anything set in $message{virusinfected} though.
>>>>>>
>>>>>Bear in mind that you need to save the patch, repatch and fix the
>>>>>language.conf every time you update MS
>>>>>
>>>>OK I've done some more investigation and it looks like the line that is
>>>>supposed to set virusinfected never runs - so it's not set in the first
>>>>place!
>>>>
>>>>in SweepViruses.pm in MergeReports
>>>>the second InfoLog is never run
>>>>The first one reports
>>>>Apr 16 17:46:12 message1 MailScanner[12661]: Report merging for "" and "HASH(0x9db87d8)"
>>>>That is - the message id is missing so the 'next' is executed.....
>>>>
>>>>
>>>> while (($id, $reports) = each %$Reports) {
>>>>   MailScanner::Log::InfoLog("Report merging for \"$id\" and \"$reports\"\n");
>>>>   #print STDERR "Report merging for \"$id\" and \"$reports\"\n";
>>>>   next unless $id && $reports;
>>>>   my $message = $batch->{messages}{"$id"};
>>>>   #print STDERR "Message is $message\n";
>>>>   MailScanner::Log::InfoLog("VirusInfected being set **************************");
>>>>   $message->{virusinfected} = 1;
>>>>
>>>I would think, then, that you are not sending the virus reports. What is the
>>>setting, currently, for Send Notices = ? (next unless $id && $reports)
>>>
>>Send Notices = yes
>>I'm looking at this and ATM I suspect that Reports is not set up - as
>>there is no id in the while loop
>>
>>sheesh Julian there is a lot of code in here :-)
>>
>>
>>
>
>When you send yourself a virus do you get an administrative alert? What
>appears to be happening is the while (($id, $reports) = each %$Reports)  is
>iterating once because the list items are assigned null values and when it
>hits the next unless $id && $reports; line it comes back to the top and
>there is not another reports value/dimension to work with. So reports is not
>unset but it has no real data (I assume that is why the unless $id... is
>there) kind of like if($A = $B) will always succeed. I suspect this has to
>do with the reporting setups if Send Notices = yes, and you get admin
>warnings upon virus events this seems odd indeed.
>
>Rick
>
>
indeed I do - Odd ain't the word - BTW I really appreciate your help
here......

The following e-mail messages were found to have viruses in them:

    Sender: tester at testvirus.org
IP Address: 12.5.19.157
 Recipient: clive at serendipita.com
   Subject: Virus Scanner Test #11
 MessageID: 25451
    Report: MailScanner: Executable DOS/Windows programs are dangerous in email (EICAR.COM)
    Report: MailScanner: Executable DOS/Windows programs are dangerous in email (EICAR.COM)

Full headers are:

 Received: (qmail 16391 invoked by uid 0); 16 Apr 2004 21:59:03 -0000
 Received: from crc2.excedent.us (HELO mail01.excedent.us) (12.5.19.157) by
 146.101.136.67 with SMTP; 16 Apr 2004 21:59:03 -0000
 X-Originating-Ip: 82.68.157.177
 Message-Id: <426682. at testvirus.org>
 Date: Fri, 16 Apr 2004 18:07:13 -0500
 From: "TESTVIRUS.org" <tester at testvirus.org>
 To: <clive at serendipita.com>
 Subject: Virus Scanner Test #11
 MIME-Version: 1.0
 Content-Type: multipart/mixed; boundary="=====================_804689079==_"

Email Virus Scanner
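
An added illustration, not part of the original thread and not MailScanner's own code: a stand-alone Perl reproduction of the guard discussed above, showing how a report hash keyed by the empty string (as in the logged `Report merging for "" and "HASH(...)"` line) is skipped so `virusinfected` is never set. The `merge_reports` helper and both data structures are hypothetical stand-ins; only the message id 25451 is taken from the alert.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the batch; the real structure is built elsewhere
# in MailScanner and is not shown in the thread.
my $batch = { messages => { '25451' => { virusinfected => 0 } } };

# Case matching the log line: the only key is the empty string.
my %bad_reports  = ( ''      => { 'EICAR.COM' => 'dangerous in email' } );
# Shape the loop expects: reports keyed by message id.
my %good_reports = ( '25451' => { 'EICAR.COM' => 'dangerous in email' } );

# Hypothetical helper mirroring the loop quoted in the thread, but recording
# every entry the guard rejects instead of skipping it silently.
sub merge_reports {
    my ($reports_ref, $batch) = @_;
    my @skipped;
    for my $id (sort keys %$reports_ref) {
        my $reports = $reports_ref->{$id};
        # Same guard as in the thread; '' and '0' are both false in Perl.
        unless ($id && $reports) {
            push @skipped, sprintf('id="%s" reports=%s', $id, $reports // 'undef');
            next;
        }
        my $message = $batch->{messages}{$id} or next;
        $message->{virusinfected} = 1;
    }
    return @skipped;
}

for my $case ([bad => \%bad_reports], [good => \%good_reports]) {
    my ($name, $reports_ref) = @$case;
    $batch->{messages}{'25451'}{virusinfected} = 0;   # reset between cases
    my @skipped = merge_reports($reports_ref, $batch);
    printf "%-4s virusinfected=%d skipped=%d %s\n", $name,
        $batch->{messages}{'25451'}{virusinfected}, scalar @skipped, "@skipped";
}
```

Logging the rejected entries makes a missing message id visible at the point where the flag would have been set, rather than only as an unset flag in a later custom function.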


