MailScanner Internals

Clive Eisen clive at SERENDIPITA.COM
Sat Apr 17 14:41:37 IST 2004


Clive Eisen wrote:

> Rick Cooper wrote:
>
>>> -----Original Message-----
>>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>> Behalf Of Clive Eisen
>>> Sent: Friday, April 16, 2004 3:54 PM
>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>> Subject: Re: MailScanner Internals
>>>
>>> Rick Cooper wrote:
>>>
>>>>> -----Original Message-----
>>>>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>>>> Behalf Of Clive Eisen
>>>>> Sent: Friday, April 16, 2004 11:49 AM
>>>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>>>> Subject: Re: MailScanner Internals
>>>>>
>>>>> Rick Cooper wrote:
>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: MailScanner mailing list
>>>>>>> [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>>>>>> Behalf Of Clive Eisen
>>>>>>> Sent: Friday, April 16, 2004 10:20 AM
>>>>>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>>>>>> Subject: Re: MailScanner Internals
>>>>>>>
>>>>>>> Rick Cooper wrote:
>>>>>>>
>>>>>> <snip>
>>>>>>
>>>>>>>>>> Note that MessageBatch.pm sets $message->{virusinfected} = 0; in sub
>>>>>>>>>> DisinfectAndDeliver so it seems it would not still be set if used as an
>>>>>>>>>> alwayslookuplast last since it appears that call is made in
>>>>>>>>>> bin/MailScanner after all the other processing. What are you trying to
>>>>>>>>>> do in the custom function? It might be you need to patch a call in from
>>>>>>>>>> somewhere else to achieve what
>>>>>>
>>>>>> You don't see what you're looking for because you need to catch it
>>>>>> before it's unset
>>>>>>
>>>>>> <snip>
>>>>>>
>>>>>>> Cheers - I'll give it a whirl - I still don't really understand why I
>>>>>>> never get anything set in $message{virusinfected} though.
>>>>>>>
>>>>>> Bear in mind that you need to save the patch, repatch and fix the
>>>>>> language.conf every time you update MS
>>>>>>
>>>>> OK I've done some more investigation and it looks like the line that is
>>>>> supposed to set virusinfected never runs - so it's not set in the first
>>>>> place!
>>>>>
>>>>> in SweepViruses.pm in MergeReports
>>>>> the second InfoLog is never run
>>>>> The first one reports
>>>>> Apr 16 17:46:12 message1 MailScanner[12661]: Report merging for "" and "HASH(0x9db87d8)"
>>>>> That is - the message id is missing so the 'next' is executed.....
>>>>>
>>>>> while (($id, $reports) = each %$Reports) {
>>>>>   MailScanner::Log::InfoLog("Report merging for \"$id\" and \"$reports\"\n");
>>>>>   #print STDERR "Report merging for \"$id\" and \"$reports\"\n";
>>>>>   next unless $id && $reports;
>>>>>   my $message = $batch->{messages}{"$id"};
>>>>>   #print STDERR "Message is $message\n";
>>>>>   MailScanner::Log::InfoLog("VirusInfected being set **************************");
>>>>>   $message->{virusinfected} = 1;
>>>>>
>>>> I would think, then, that you are not sending the virus reports. What is
>>>> the setting, currently, for Send Notices = ? (next unless $id && $reports)
>>>>
>>> Send Notices = yes
>>> I'm looking at this and ATM I suspect that Reports is not set up - as
>>> there is no id in the while loop
>>>
>>> sheesh Julian there is a lot of code in here :-)
>>>
>>
>> When you send yourself a virus do you get an administrative alert? What
>> appears to be happening is the while (($id, $reports) = each %$Reports) is
>> iterating once because the list items are assigned null values and when it
>> hits the next unless $id && $reports; line it comes back to the top and
>> there is not another reports value/dimension to work with. So reports is not
>> unset but it has no real data (I assume that is why the unless $id... is
>> there) kind of like if($A = $B) will always succeed. I suspect this has to
>> do with the reporting setups if Send Notices = yes, and you get admin
>> warnings upon virus events this seems odd indeed.
>>
>> Rick
>>
> indeed I do - Odd ain't the word - BTW I really appreciate your help
> here......
>
> The following e-mail messages were found to have viruses in them:
>
>     Sender: tester at testvirus.org
> IP Address: 12.5.19.157
>  Recipient: clive at serendipita.com
>    Subject: Virus Scanner Test #11
>  MessageID: 25451
>     Report: MailScanner: Executable DOS/Windows programs are dangerous in email (EICAR.COM)
>     Report: MailScanner: Executable DOS/Windows programs are dangerous in email (EICAR.COM)
>
> Full headers are:
>
> Received: (qmail 16391 invoked by uid 0); 16 Apr 2004 21:59:03 -0000
> Received: from crc2.excedent.us (HELO mail01.excedent.us) (12.5.19.157) by
>  146.101.136.67 with SMTP; 16 Apr 2004 21:59:03 -0000
> X-Originating-Ip: 82.68.157.177
> Message-Id: <426682. at testvirus.org>
> Date: Fri, 16 Apr 2004 18:07:13 -0500
> From: "TESTVIRUS.org" <tester at testvirus.org>
> To: <clive at serendipita.com>
> Subject: Virus Scanner Test #11
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="=====================_804689079==_"
>
> Email Virus Scanner

Got it - and apologies to all, especially you Rick - this is a
consequence of ignoring the warnings and having the Incoming Work Dir
as a symlink - sigh

Sorry - someone had been erm 'tidying up'

--
Clive
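
A check for the condition found above, as an added example (not from the thread and not MailScanner code): it reads the Incoming Work Dir setting from a MailScanner.conf-style file and reports the first path component that is a symbolic link. The function names are made up for this example, and the configured path is assumed to be absolute.

```shell
#!/bin/sh
# Added example (not MailScanner code): flag an "Incoming Work Dir" whose
# path passes through a symbolic link. Assumes an absolute path in the config.

incoming_work_dir() {
    # $1 = MailScanner.conf-style file; prints the last value set for the key.
    # Lines starting with '#' never match because the pattern is anchored.
    sed -n 's/^[[:space:]]*Incoming Work Dir[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

first_symlink_in_path() {
    # $1 = absolute path; prints the first component that is a symlink.
    # Returns 0 when one is found, 1 when the whole path is symlink-free.
    fsp_rest=${1#/}
    fsp_cur=""
    while [ -n "$fsp_rest" ]; do
        fsp_part=${fsp_rest%%/*}
        case $fsp_rest in
            */*) fsp_rest=${fsp_rest#*/} ;;
            *)   fsp_rest="" ;;
        esac
        [ -n "$fsp_part" ] || continue      # skip empty parts from "//"
        fsp_cur="$fsp_cur/$fsp_part"
        if [ -L "$fsp_cur" ]; then
            printf '%s\n' "$fsp_cur"
            return 0
        fi
    done
    return 1
}

check_incoming_work_dir() {
    # $1 = config file. Prints a verdict line.
    # Returns 0 = no symlink, 1 = symlink in path, 2 = key not set.
    ciw_dir=$(incoming_work_dir "$1")
    [ -n "$ciw_dir" ] || { echo "MISSING"; return 2; }
    if ciw_link=$(first_symlink_in_path "$ciw_dir"); then
        echo "SYMLINK $ciw_link"
        return 1
    fi
    echo "OK $ciw_dir"
}
```

Source the file and call check_incoming_work_dir with the path to your MailScanner.conf; a non-zero return can gate a restart script or a monitoring check.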


