quarantine notify in CreatePostmasterNotice?

Jeff A. Earickson jaearick at COLBY.EDU
Sat Mar 12 15:08:43 GMT 2005 

    [ The following text is in the "iso-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Julian,
    I tried this on a slow Saturday morning so it took a while for
something to come along.  Attached are:

* "diff -c" for Message.pm that I modified (version 4.39.6)
* What the portion of the postmaster notifiy report looked like
   (no quarantine info)
* What the syslog for the message was.

The miscreant *was* quarantined.  typo?  What happens if it wasn't
quarantined?

Jeff Earickson

On Sat, 12 Mar 2005, Julian Field wrote:

> Date: Sat, 12 Mar 2005 14:04:57 +0000
> From: Julian Field <MailScanner at ECS.SOTON.AC.UK>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: quarantine notify in CreatePostmasterNotice?
> 
> Easy.
>
> In Message.pm around line 3782, add 1 line of code:
>
> my $reportword = MailScanner::Config::LanguageValue($this, "report");
> my $id   = $this->{id};
> my $from = $this->{from};
> #my $to   = join(', ', @{$this->{to}});
> my $subj = $this->{subject};
> my $rept = join("    $reportword: ", @everyrept);
> my $quarantine = join(", ", (grep /\//, @{$this->{archiveplaces}})); # 
> <<<<<<
> my $ip   = $this->{clientip};
> #print STDERR "Rept is\n$rept\n";
>
> And then use $quarantine in the notice report, by adding 1 line around line 
> 3810:
>
> my $reportspaces = 10 - length($reportword);
> $reportword = ' ' x $reportspaces . $reportword if $reportspaces>0;
> $result = "\n" .
>           "    Sender: $from\n" .
>           "IP Address: $ip\n" .
>           " Recipient: $to\n" .
>           "   Subject: $subj\n" .
>           " MessageID: $id\n" .
>           "Quarantine: $quarantine\n" . # <<<<<<<<
>           "$reportword: $rept\n";
>
> Please let me know if it works okay. My main test server has died, and needs 
> 2Gb of RAM to get it back to life again. So I cannot easily test stuff at the 
> moment.
>
> If it works, I will put it in the next release.
>
> Jeff A. Earickson wrote:
>
>> Julian,
>> 
>> Would it be possible to modify CreatePostmasterNotice in Message.pm
>> to add a note about whether or not a message was quarantined, eg:
>> 
>>     Sender: personalbanking at erms-02.wamu.com
>> IP Address: 200.30.141.86
>>  Recipient: xxx at colby.edu
>>    Subject: Washington Mutual eCare® Customer Service.Security measures.
>>  MessageID: j2B50MI1013489
>> Quarantine: /var/spool/MailScanner/quarantine/20050311/j2B50MI1013489
>>     Report: ClamAV Module: msg-14263-3.html was infected: 
>> HTML.Phishing.Bank-78
>> 
>> If the virus isn't quarantined, just leave the line out, or say "no"
>> instead of the path.  Thanks.
>> 
>> Jeff Earickson
>> Colby College
>> 
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>> 
>> Support MailScanner development - buy the book off the website!
>
>
> -- 
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
    [ Part 2, ""  Text/PLAIN (Name: "Message.pm.diffs")  18 lines. ]
    [ Unable to print this part. ]


    [ Part 3, ""  Text/PLAIN (Name: "quar.results")  8 lines. ]
    [ Unable to print this part. ]


    [ Part 4, ""  Text/PLAIN (Name: "syslog.results")  20 lines. ]
    [ Unable to print this part. ]

More information about the MailScanner mailing list