"Banned Content" question - a related problem

Julian Field MailScanner at ecs.soton.ac.uk
Wed Jan 12 11:31:44 GMT 2005



Can you capture a message (in its complete version) that suffers the
problem consistently?

Quentin Campbell wrote:

>Julian
>
>Thanks for the response.
>
>That is unlikely to be the problem as I recently checked all the mail
>gateways to ensure that MailScanner invocations were not re-processing
>the same message. This had been happening on one of the 8 gateways but
>it turned out that this system had an old RH AS 3 kernel and this was
>responsible for the locking problem.
>
>All the systems are now up2date as far as RH AS 3 patches are concerned.
>All the systems use the Sendmail that comes with these systems; the last
>time they were updated this was Sendmail 8.12.11. I use the default
>locking in MailScanner.
>
>Quentin
>---
>PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>                           University of Newcastle,
>                           Newcastle upon Tyne,
>FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>------------------------------------------------------------------------
>"Any opinion expressed above is mine. The University can get its own."
>
>
>
>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>Sent: 12 January 2005 10:27
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: "Banned Content" question - a related problem
>>
>>Check you are using the correct "Lock Type" in MailScanner.conf. If
>>running sendmail 8.13 or later, you need Lock Type = posix.
>>
>>Quentin Campbell wrote:
>>
>>>We are seeing on our MailScanner-4.35.11-1 gateways a curious problem.
>>>It seems to have appeared sometime after I installed 4.35.11-1.
>>>
>>>Some of the mail that passes through them is being delivered with an
>>>empty or corrupted body. In all cases the messages seem to be multipart
>>>MIME. Most often the HTML part is corrupt or empty but the text part is
>>>OK. However sometimes that may be empty as well. The only common factors
>>>are:
>>>
>>>1. The original message was probably sent as RTF format, and
>>>2. I see in the logs for each failed message the MailScanner warning:
>>>
>>>"Content Checks: Detected and will disarm HTML message in jBAtTRU022337"
>>>
>>>This can only apply to WebBugs that are detected since that is the only
>>>time I use the "disarm" action. But there should be _no_ web bugs
>>>present in these messages since most of the empty messages are from
>>>colleagues who sent a one/two line message. They have all used
>>>Outlook/Exchange to send these messages.
>>>
>>>We know that the messages are the correct size and format when they
>>>reach the mail gateways. I suspect that a problem with RTF format
>>>messages is at the heart of this behaviour but have not collected enough
>>>consistent evidence yet.
>>>
>>>>-----Original Message-----
>>>>From: MailScanner mailing list
>>>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>>>Sent: 11 January 2005 15:34
>>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>>Subject: Re: "Banned Content" question
>>>>
>>>>If you have told it to disarm web bugs, it has to search the message for
>>>>them, at which point it will also disarm them. I think that's how it
>>>>works... :-)
>>>>
>>>>Quentin Campbell wrote:
>>>>
>>>>>Julian
>>>>>
>>>>>If the only thing I have told MailScanner to "disarm" are web bugs, then
>>>>>why is it apparently finding web bugs in mail that contain no <Img> tags
>>>>>in the HTML?
>>>>>
>>>>>The mail in question probably originates as RTF from Outlook clients.
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: MailScanner mailing list
>>>>>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>>>>>Sent: 11 January 2005 15:15
>>>>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>>>>Subject: Re: "Banned Content" question
>>>>>>
>>>>>>It will disarm those features you told it to. The "disarm HTML" in the
>>>>>>message means it will be trying to disarm the requested bits of the
>>>>>>HTML. If you didn't specify "disarm" then it won't do it, it will only
>>>>>>disarm the bits you told it to.
>>>>>>
>>>>>>Hope that answers your question. Given a question "a or b" the answer
>>>>>>cannot easily be "yes" :-)
>>>>>>
>>>>>>Quentin Campbell wrote:
>>>>>>
>>>>>>>Most of the "dangerous content" checks that I carry out with MailScanner
>>>>>>>are controlled via rules files. In all cases the action of the rules is
>>>>>>>to either "deliver", "delete", "striphtml" or "attachment".
>>>>>>>
>>>>>>>I do not use "disarm" with one exception. In MailScanner.conf I have
>>>>>>>
>>>>>>>Allow WebBugs = disarm
>>>>>>>
>>>>>>>If I see in the logs "Content Checks: Detected and will disarm HTML
>>>>>>>message in jBAtTRU022337" does this _only_ refer to the "disarming" of
>>>>>>>web bugs or can it also refer to actions taken over other content which
>>>>>>>did not involve the specific "disarm" action?
>>>>>>>
>>>>>>>Looking at the log records for other "dangerous content" actions the
>>>>>>>empirical answer to the above question is "yes". Could this be confirmed
>>>>>>>please.
>>>>>>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Buy the MailScanner book at www.MailScanner.info/store
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>Support MailScanner development - buy the book off the website!
>>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
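
Added example (not part of the original thread and not MailScanner code): one way to examine a captured message as requested above, listing each MIME part's decoded text length and `<img>` tag count, then comparing the copy that reached the gateway with the delivered copy. The function names and both sample messages are constructed for illustration, and the comparison assumes the two copies keep the same part order.

```python
import email
from email import policy
from html.parser import HTMLParser

class ImgCounter(HTMLParser):
    """Collects the src of every <img> tag seen in an HTML part."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.append(dict(attrs).get("src"))

def part_summary(raw: bytes):
    """Return [(content_type, decoded_text_length, img_tag_count)] per leaf part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    rows = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "latin-1", "replace").strip()
        counter = ImgCounter()
        if part.get_content_type() == "text/html":
            counter.feed(text)
        rows.append((part.get_content_type(), len(text), len(counter.srcs)))
    return rows

def emptied_parts(before: bytes, after: bytes):
    """Content types of parts that had text on arrival but none on delivery.
    Assumption: both copies list their parts in the same order."""
    return [b[0] for b, a in zip(part_summary(before), part_summary(after))
            if b[1] > 0 and a[1] == 0]

# Constructed sample: a short multipart/alternative message with no <img> tag.
HTML = b"<html><body><p>See you at 3.</p></body></html>"
BEFORE = (b"From: a@example.org\r\nTo: b@example.org\r\nSubject: test\r\n"
          b"MIME-Version: 1.0\r\n"
          b'Content-Type: multipart/alternative; boundary="B1"\r\n\r\n'
          b"--B1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\nSee you at 3.\r\n"
          b"--B1\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
          + HTML + b"\r\n--B1--\r\n")
# Constructed "delivered" copy in which the HTML part has lost its body.
AFTER = BEFORE.replace(HTML, b"")

if __name__ == "__main__":
    for row in part_summary(BEFORE):
        print("on arrival:", row)
    print("emptied on delivery:", emptied_parts(BEFORE, AFTER))
```
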
