MCP & quarantine

Thu Jul 21 14:28:59 IST 2005

Steve

Thanks for that. It is now working. Serves me right for not checking the
MailScanner.conf file for the correct action string.  :-(

However what confused the issue is that MS does not object to the use of
"quarantine" in MailScanner.conf as an "action". 

After changing "High Scoring MCP Actions = delete" to "High Scoring MCP
Actions = quarantine" and restarting MS, the logs said 

"Jul 21 13:21:19 cheviot7 MailScanner[29834]: MCP Actions: message
j6LCLGBi011126 actions are quarantine"

This appears to be a bug in 4.43.2. I would expect MailScanner to have
objected to an invalid action (quarantine) in MailScanner.conf when it
was restarted after the change described above. 

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."  

>-----Original Message-----
>From: MailScanner mailing list 
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Stephen Swaney
>Sent: 21 July 2005 13:53
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: MCP & quarantine
>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>> Behalf Of Quentin Campbell
>> Sent: Thursday, July 21, 2005 8:27 AM
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: MCP & quarantine
>> 
>> I don't normally use the MailScanner quarantine feature 
>here. Am looking
>> for some pointers to enable me to quarantine messages caught my MCP.
>> 
>> We are using MCP to recognise and block what looks like a 
>new MyDoom or
>> similar virus/worm that arrives as a zipped attachment in a socially
>> engineered message that looks like it was sent by this site.
>> 
>> When the MCP action is "delete" that is working OK. However 
>I would like
>> to capture some of these messages to be better able to study their
>> content and characteristics.
>> 
>> To that end I changed the MCP action from "delete" to 
>"quarantine". The
>> logs indicate that the action is now "quarantine" but I am seeing
>> nothing under /var/spool/MailScanner/quarantine.
>
>Quentin,
>
>I think you want "store" not "quarantine"
>
>Steve
>
>Stephen Swaney
>Fort Systems Ltd.
>stephen.swaney at fsl.com
>www.fsl.com
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!