QuarantineReport

My BSD MyBSD at comcast.net
Mon Oct 11 17:11:51 IST 2004


On Mon, October 11, 2004 10:23 am, Steve Swaney said:
>> >> ...
>> >>
>> > ...
>> >
>>
>> With all due respect to the authors (unless I am missing something very
>> basic), these scripts, although they work as advertised (after some
>> tweaking) and very "cool", can also be very dangerous if improperly
>> used.
>>
>> There does not seem to be a way to "lock" quarantine messages that are
>> both spam and virus infected.  An unwitting user could release an
>> infected message from the quarantine to him/herself with possibly
>> resulting dire consequences.
>>
>> So unless this "feature" can be disabled (or a warning message included
>> in the distribution) they should not be incorporated into SA.
>>
>
> Sorry for the late reply but I've been on vacation and am just now wading
> through the emails that piled up.
>
> When I get around to expanding the INSTALL documentation I do need to add
> a Security Notes section. There are several security issues with the
> scripts but the point raised above is not one of them if you've installed
> MailScanner to:
>
> 1) Use rule sets that skip "Spam Checks =", "Use SpamAssassin =" and File
> name and File type checks for messages which originate from the local
> host while
>
> 2) Virus checking ALL emails whether they originate on the local host or
> not.
>
> All releasing a message from quarantine does is to resend the message from
> the localhost. The message is again checked by MailScanner. If you don't
> skip the checks described in 1), the message will be quarantined again :(
> - for the same reason it was quarantined in the first place.
>
> If the message does contain a virus it WILL be quarantined again because
> it will again be run through the virus scanner. If your setup is correct,
> you should not be able to release a virus.
>
> Having said that, the scripts in their current state provide little
> security for viewing or releasing messages in quarantine.  If someone can
> guess the message ID of an email in quarantine it would be possible for
> them to release it - only to the original recipient - or to view it using
> the web interface. There is also a major omission in the INSTALL
> documentation. The typical default httpd options for the spam directory
> should be changed to NOT show the Indexes of the spam directory:
>
> Putting a file spam.directory.conf in /etc/httpd/conf.d that contains:
>
>       # Don't show the contents of the spam viewing directory
>       <Directory "/var/www/html/spam">
>           Options FollowSymLinks
>           AllowOverride None
>           Order allow,deny
>           Allow from all
>       </Directory>
>
> will require that the viewing link explicitly contain the message ID of
> the spam email to view.
>
> In the environment that the scripts were designed to be used in, this was
> not considered to be a major flaw.
>
> Hope this helps,
>
> Steve
>
> Steve Swaney
> President
> Fortress Systems Ltd.
> www.fsl.com
> steve.swaney at fsl.com
>

*********** REPLY SEPARATOR  ***********

Steve:

Thank you for your erudite reply to my comments.

As I understand it, your recommended set up is to scan all locally
generated mail for viruses only.

We run two instances of Postfix, one for inbound mail with MS scanning for
viruses and Spam with SA, and one for outbound and sendmail mail (which is
not scanned).

Because our small internal network is composed of only trusted users, we
do not feel compelled to scan outbound mail.  To do so would require a
policy decision which would have to take into account current resources,
trust philosophy, etc.

It appears then that we will not be able to use QR safely (to prevent
releasing Spam mail which is also virus infected) unless we start scanning
(at least) sendmail mail for viruses.

One last thing (I'll have to check the documentation), I believe that
there may be a MS setting to quarantine mail if it is found to be virus
infected without doing a subsequent Spam check.  This may work in our set
up because, as I understand it, the virus quarantine is separate from the
Spam quarantine.

Would this work if there is such a setting?

Thank you again!

--
My
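The httpd block Steve quotes above works by leaving "Indexes" out of the spam directory's Options, so a visitor cannot list the quarantine and harvest message IDs. As an added example that is not part of this thread, the script below audits an httpd configuration text for <Directory> blocks whose effective Options still enable listing; the sample configuration is constructed, and each block is judged on its own rather than applying httpd's parent-to-child merging.

```python
import re

# Constructed sample (not from the thread): the first block is the typical
# default that lists the directory, the second is the corrected block.
SAMPLE_CONF = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/spam">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""

# Matches <Directory path> ... </Directory>; the path may be quoted.
DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def effective_options(body):
    """Options (lower-cased) in effect at the end of one <Directory> body.
    An absolute line ("Options A B") replaces the set; a relative line
    ("+A -B") adjusts it, as httpd does. Inheritance from parent
    directories is deliberately not modelled here."""
    opts = set()
    for line in body.splitlines():
        parts = line.strip().split()
        if len(parts) < 2 or parts[0].lower() != "options":
            continue
        tokens = parts[1:]
        if not all(t[0] in "+-" for t in tokens):
            opts = set()  # absolute form: start from nothing
        for t in tokens:
            if t.startswith("-"):
                opts.discard(t[1:].lower())
            else:
                opts.add(t.lstrip("+").lower())
    return opts

def directories_with_indexes(conf):
    """Paths of <Directory> blocks whose Options enable directory listing
    ("Indexes" explicitly, or "All", which includes it)."""
    return [path for path, body in DIR_RE.findall(conf)
            if effective_options(body) & {"indexes", "all"}]

if __name__ == "__main__":
    for path in directories_with_indexes(SAMPLE_CONF):
        print("directory listing enabled:", path)
```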

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
