"Banned Content" question - a related problem

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Wed Jan 12 11:26:16 GMT 2005


Julian

Thanks for the response.

That is unlikely to be the problem as I recently checked all the mail
gateways to ensure that MailScanner invocations were not re-processing
the same message. This had been happening on one of the 8 gateways but
it turned out that this system had an old RH AS 3 kernel and this was
responsible for the locking problem.

All the systems are now up2date as far as RH AS 3 patches are concerned.
All the systems use the Sendmail that comes with these systems; the last
time they were updated this was Sendmail 8.12.11. I use the default
locking in MailScanner.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."  

>-----Original Message-----
>From: MailScanner mailing list 
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: 12 January 2005 10:27
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: "Banned Content" question - a related problem
>
>Check you are using the correct "Lock Type" in MailScanner.conf. If
>running sendmail 8.13 or later, you need Lock Type = posix.
>
>Quentin Campbell wrote:
>
>>We are seeing on our MailScanner-4.35.11-1 gateways a curious problem.
>>It seems to have appeared sometime after I installed 4.35.11-1.
>>
>>Some of the mail that passes through them is being delivered with an
>>empty or corrupted body. In all cases the messages seem to be multipart
>>MIME. Most often the HTML part is corrupt or empty but the text part is
>>OK. However sometimes that may be empty as well. The only common factors
>>are:
>>
>>1. The original message was probably sent as RTF format, and
>>2. I see in the logs for each failed message the MailScanner warning:
>>
>>"Content Checks: Detected and will disarm HTML message in jBAtTRU022337"
>>
>>This can only apply to WebBugs that are detected since that is the only
>>time I use the "disarm" action. But there should be _no_ web bugs
>>present in these messages since most of the empty messages are from
>>colleagues who sent a one/two line message. They have all used
>>Outlook/Exchange to send these messages.
>>
>>We know that the messages are the correct size and format when they
>>reach the mail gateways. I suspect that a problem with RTF format
>>messages is at the heart of this behaviour but have not collected enough
>>consistent evidence yet.
>>
>>>-----Original Message-----
>>>From: MailScanner mailing list
>>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>>Sent: 11 January 2005 15:34
>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>Subject: Re: "Banned Content" question
>>>
>>>If you have told it to disarm web bugs, it has to search the message for
>>>them, at which point it will also disarm them. I think that's how it
>>>works... :-)
>>>
>>>Quentin Campbell wrote:
>>>
>>>>Julian
>>>>
>>>>If the only thing I have told MailScanner to "disarm" are web bugs, then
>>>>why is it apparently finding web bugs in mail that contain no <Img> tags
>>>>in the HTML?
>>>>
>>>>The mail in question probably originates as RTF from Outlook clients.
>>>>
>>>>>-----Original Message-----
>>>>>From: MailScanner mailing list
>>>>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>>>>Sent: 11 January 2005 15:15
>>>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>>>Subject: Re: "Banned Content" question
>>>>>
>>>>>It will disarm those features you told it to. The "disarm HTML" in the
>>>>>message means it will be trying to disarm the requested bits of the
>>>>>HTML. If you didn't specify "disarm" then it won't do it, it will only
>>>>>disarm the bits you told it to.
>>>>>
>>>>>Hope that answers your question. Given a question "a or b" the answer
>>>>>cannot easily be "yes" :-)
>>>>>
>>>>>Quentin Campbell wrote:
>>>>>
>>>>>>Most of the "dangerous content" checks that I carry out with MailScanner
>>>>>>are controlled via rules files. In all cases the action of the rules is
>>>>>>to either "deliver", "delete", "striphtml" or "attachment".
>>>>>>
>>>>>>I do not use "disarm" with one exception. In MailScanner.conf I have
>>>>>>
>>>>>>Allow WebBugs = disarm
>>>>>>
>>>>>>If I see in the logs "Content Checks: Detected and will disarm HTML
>>>>>>message in jBAtTRU022337" does this _only_ refer to the "disarming" of
>>>>>>web bugs or can it also refer to actions taken over other content which
>>>>>>did not involve the specific "disarm" action?
>>>>>>
>>>>>>Looking at the log records for other "dangerous content" actions the
>>>>>>empirical answer to the above question is "yes". Could this be confirmed
>>>>>>please.
>>>>>>
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
