Virus scanning questions

Julian Field mailscanner at ecs.soton.ac.uk
Thu May 6 18:06:44 IST 2004


At 17:33 06/05/2004, you wrote:
>Hello all,
>
>         This bugs me for almost the entire morning. Appreciate some help.
>
>Problems:
>---------
>         I intend to notify senders of viruses.

As someone else has already said, please do *not* do this. Virtually every
virus around now forges the sender address, so you will be spamming people
who never sent you anything.

This greatly damages the reputation of MailScanner and directly causes me
extra work, explaining to these poor innocent people that there are still
badly-maintained installations out there sending warnings to people who
never sent anything in the first place.

If you need to send warnings to people who are within your own company,
that's another matter. In that case, use a ruleset (well documented in the
MAQ and the new Manual).

>  I checked the log files (posted below), the clamav does the scanning and
> logged that it found viruses. However, sender never gets notified. The
> recipient still receives the message (w/ virus attachment) unaltered in
> any way.

That is because you failed to read the comment just above the "Incoming
Work Dir" setting.
To quote (from your own copy of the file)
# NOTE: The path given here must not include any links at all,
# NOTE: but must be the absolute path to the directory.
Your setting uses the "current" link in the middle of the path, which is
not where the real directory is.

>         The header of the received message contradicts the log message.
> The log message says that it has detected a virus, but the header says
> that it's clean.
>
>         Header of the scanned message:
>         X-greenapple.com-MailScanner-Information: Please contact the ISP
> for more information
>         X-greenapple.com-MailScanner: Found to be clean
>
>         My entire etc/ config can be found at
> www.greenapple.com/~rrobin/mailscanner/etc [.dist files are the
> unmodified original config files ]

Another consequence of your "Incoming Work Dir" setting.


>Platform
>--------
>Sendmail 8.12.10
>MailScanner v. 4.30.3
>Clamav 0.70
>Fedora
>
>
>Related MailScanner.conf
>------------------------
>Virus Scanning = yes
>Virus Scanners = clamav
>Deliver Disinfected Files = no
>Notify Senders = yes
>Notify Senders Of Viruses = yes
>Scanned Modify Subject = no # end
>Scanned Subject Text = {Scanned}
>Virus Modify Subject = yes
>Virus Subject Text = {Virus?}
>[ filename checking is disabled, both set to empty string ]
>Filename Rules =
>Filetype Rules =
>
>
>--- Related Log--
>May  6 12:23:19 mailtest MailScanner[1895]: New Batch: Scanning 1
>messages, 1576 bytes
>May  6 12:23:22 mailtest MailScanner[1895]: Virus and Content Scanning:
>Starting
>May  6 12:23:27 mailtest MailScanner[1909]: MailScanner E-Mail Virus
>Scanner version 4.30.3 starting...
>May  6 12:23:29 mailtest MailScanner[1897]: Using locktype = flock
>May  6 12:23:31 mailtest MailScanner[1895]:
>/usr/local/MailScanner/4.30.3/var/spool/incoming/1895/./i46GNG2o001896/eicar.com:
>Eicar-Test-Signature FOUND
>May  6 12:23:32 mailtest MailScanner[1895]: Virus Scanning: ClamAV found 1
>infections
>May  6 12:23:32 mailtest MailScanner[1895]: Virus Scanning: Found 1 viruses
>May  6 12:23:33 mailtest MailScanner[1895]: Uninfected: Delivered 1 messages
>May  6 12:23:33 mailtest sendmail[1912]: gethostbyaddr(192.168.186.200)
>failed: 1
>May  6 12:23:38 mailtest MailScanner[1909]: Using locktype = flock
>-----------------
>
>         What went wrong ?
>
>Thanks,
>Rob
>
>-------------------------- MailScanner list ----------------------
>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>Before posting, please see the Most Asked Questions at
>http://www.mailscanner.biz/maq/     and the archives at
>http://www.jiscmail.ac.uk/lists/mailscanner.html

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
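
The "Incoming Work Dir" rule quoted in the reply above (absolute path, no links anywhere in it) can be checked mechanically. The script below is an added example, not part of the original post and not MailScanner code. Its function names and the sample layout built by make_sample are constructed for illustration, and it assumes readlink is available.

```shell
# Added example: check "Incoming Work Dir" in a MailScanner.conf for symlinks.

# Print the value of the "Incoming Work Dir" setting from config file $1.
incoming_work_dir() {
    sed -n 's/^[[:space:]]*Incoming Work Dir[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# Report every symlinked component of path $1.
# Returns 0 only for an absolute, existing directory reached without links.
check_no_links() {
    case $1 in
        /*) ;;
        *) echo "not an absolute path: $1"; return 1 ;;
    esac
    bad=0 prefix='' old_ifs=$IFS
    IFS=/; set -f                      # split on "/" only, no globbing
    for part in $1; do
        [ -n "$part" ] || continue     # skip the empty field before the leading "/"
        prefix="$prefix/$part"
        if [ -L "$prefix" ]; then
            echo "symlink in path: $prefix -> $(readlink "$prefix")"
            bad=1
        fi
    done
    IFS=$old_ifs; set +f
    [ -d "$1" ] || { echo "not a directory: $1"; bad=1; }
    return "$bad"
}

# Check the setting found in config file $1.
check_conf() {
    dir=$(incoming_work_dir "$1")
    [ -n "$dir" ] || { echo "Incoming Work Dir not set in $1"; return 1; }
    check_no_links "$dir"
}

# Constructed sample: a versioned install tree with a "current" link, and
# two configs that differ only in which of the two paths they name.
make_sample() {
    root=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$root/4.30.3/var/spool/incoming"
    ln -s 4.30.3 "$root/current"
    echo "Incoming Work Dir = $root/current/var/spool/incoming" > "$root/bad.conf"
    echo "Incoming Work Dir = $root/4.30.3/var/spool/incoming" > "$root/good.conf"
    echo "$root"
}

if [ $# -gt 0 ]; then check_conf "$1"; fi   # usage: sh thisfile MailScanner.conf
```

Both sample paths reach the same directory, but only the one that avoids the link passes the check.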
