Beta release 4.39.4

Adri Koppes adrik at SALESMANAGER.NL
Wed Mar 2 14:25:04 GMT 2005 

    [ The following text is in the "iso-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Julian,

If you have time, it would be nice to integrate the UnpackRar functions.
I get quite a few rar files as attachments and can't automatically scan them
for executable content, bad file types etc.
My current solution is far from elegant. I just block the .rar extension. I
never found out why it wouldn't block on filetype, eventhough I have added
the type to filetype.rules.conf as:

deny    RAR             No RAR Archives         No RAR Archives allowed

The blocked messages+attachtments are then quarantined and I can manually
check before relasing them to the user, if he requests them.

Best regards,

Adri.


> -----Original Message-----
> From: Julian Field [mailto:MailScanner at ECS.SOTON.AC.UK]
> Sent: 02 March, 2005 15:18
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Beta release 4.39.4
>
>
> I always try to at least reply, but good ideas do get lost sometimes.
> The unrar code would require another timeout wrapper round it, which I
> would have to copy from elsewhere, so it isn't trivial.
> I can't remember if I came up with a solution to the duplicated
> filenames problem or not, it was quite a long time ago.
>
> Rick Cooper wrote:
>
> >>-----Original Message-----
> >>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> >>Behalf Of Adri Koppes
> >>Sent: Wednesday, March 02, 2005 8:29 AM
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: Re: Beta release 4.39.4
> >>
> >>
> >>Rick,
> >>
> >>Have you send you patches of to Julian??
> >>There might be more people interested to have unrar functionality in
> >>MailScanner.
> >>
> >>Adri.
> >>
> >>
> >>
> >
> >Yes, I sent several last year (you will see part of the
> Unrar code commented
> >out in Message.pm) and he used a few but did not use (I sent
> five or six):
> >
> >        Logging the actual recipient(s) in the log (standard
> does host only), as
> >well as the subject in a fairly easy
> >        to parse format, all the new stuff is placed at the
> end of the standard log
> >line.
> >
> >        UnpackRar code that function does the same as the
> UnPackZip function does.
> >Is used if unrar is
> >        somewhere on your path, skipped if it is not. This
> also allows the
> >filename/type checks to work
> >        the same as with zip files
> >
> >        Code to handle archives with duplicate file names as
> the archive (nested
> >also). I am not sure if Julian
> >        ever worked this out himself or not, I never saw
> mention of it again after
> >I pointed out the MS would
> >        skip this condition. For instance if an attachment
> File.Zip contains a file
> >named File.Zip MS will skip
> >        it and not unpack it (because it thinks it already
> did). My work around is
> >not elegant
> >        (I prepend a time stamp to the file name). The
> problem with this approach
> >is it would break some file
> >        name checks, if they are very specific, but it gets
> the file checked at
> >least.
> >
> >I also wrote a patch that allows you to have different file name/type
> >rules/rulesets for files contained within archives as opposed to just
> >disabling unpacking and checking archives if you need to
> pass certain files
> >in archives that you do not pass raw.
> >
> >I can understand why he skipped the logging thing, it
> changes the entire
> >format of the spam logging line, but with that information I
> can send myself
> >reports of what was tagged as spam that include the sender,
> recipients,
> >scoring information and subject, and ninety out of a hundred
> times I don't
> >have to bother looking at the message to determine if it
> truly is spam or
> >not.
> >
> >I also know he is not in favor of having two sets of file
> name/type rules,
> >one for raw and one for archives, because he fears it would be to
> >complicated for some admins... So I understand that one.
> >
> >I can understand the code to handle file names that are
> duplicated within an
> >archive (the file name/type checks) but it seems a big hole
> in security to
> >me.
> >
> >I never heard why he didn't use the Unpack Rar code, and I
> never understood
> >why it wasn't used.
> >
> >So I just make new patches every time a new release comes
> out, I apply them
> >and propagate the patched version to all my mail servers.
> Kind of sucks when
> >there are a lot of major changes though. I wish they were
> all in there so I
> >didn't have to mess with it, but I think Julian has pretty
> good vision so I
> >am sure there is a good reason why they didn't "make the
> cut", perhaps they
> >are just to specific to my needs/wants
> >
> >Rick
> >
> >
> >
> >>>-----Original Message-----
> >>>From: Rick Cooper [mailto:rcooper at DWFORD.COM]
> >>>Sent: 02 March, 2005 14:24
> >>>To: MAILSCANNER at JISCMAIL.AC.UK
> >>>Subject: Re: Beta release 4.39.4
> >>>
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> >>>>Behalf Of Martin Hepworth
> >>>>Sent: Tuesday, March 01, 2005 4:12 AM
> >>>>To: MAILSCANNER at JISCMAIL.AC.UK
> >>>>Subject: Re: Beta release 4.39.4
> >>>>
> >>>>
> >>>>Does it do rar extraction by default???? Looking at the
> docs I'm not
> >>>>sure it does.
> >>>>
> >>>>
> >>>>--
> >>>>Martin Hepworth
> >>>>Snr Systems Administrator
> >>>>Solid State Logic
> >>>>Tel: +44 (0)1865 842300
> >>>>
> >>>>
> >>>>
> >>>It's important to note that ClamAV only supports RAR v2, so
> >>>the answer is:
> >>>
> >>>        Uncomment the ScanRar line in the config file
> >>>
> >>>but pass the --unrar[=FULLPATH] option (and of course have
> >>>the latest unrar)
> >>>if you really want to handle rar files because v2 is quite
> old and not
> >>>likely to be used much anymore. If you are using
> clamavmodule then you
> >>>cannot use the external unrar (which is why I patch my MS
> >>>versions with
> >>>specific unrar code/function every release).
> >>>
> >>>Rick
> >>>
> >>>
> >>>--
> >>>This message has been scanned for viruses and
> >>>dangerous content by MailScanner, and is
> >>>believed to be clean.
> >>>
> >>>------------------------ MailScanner list ------------------------
> >>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> >>>'leave mailscanner' in the body of the email.
> >>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> >>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >>>
> >>>Support MailScanner development - buy the book off the website!
> >>>
> >>>
> >>>
> >>------------------------ MailScanner list ------------------------
> >>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> >>'leave mailscanner' in the body of the email.
> >>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> >>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >>
> >>Support MailScanner development - buy the book off the website!
> >>
> >>--
> >>This message has been scanned for viruses and
> >>dangerous content by MailScanner, and is
> >>believed to be clean.
> >>
> >>
> >>
> >>
> >>
> >
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean.
> >
> >------------------------ MailScanner list ------------------------
> >To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> >'leave mailscanner' in the body of the email.
> >Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> >the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >
> >Support MailScanner development - buy the book off the website!
> >
> >
> >
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
> Buy the MailScanner book at www.MailScanner.info/store
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list