quarantine notify in CreatePostmasterNotice?
Julian Field
MailScanner at ecs.soton.ac.uk
Sat Mar 12 16:09:34 GMT 2005
Undo those last changes and apply the attached patches to Message.pm and
Quarantine.pm.
Jeff A. Earickson wrote:
> Julian,
> I tried this on a slow Saturday morning so it took a while for
> something to come along. Attached are:
>
> * "diff -c" for Message.pm that I modified (version 4.39.6)
> * What the portion of the postmaster notify report looked like
> (no quarantine info)
> * What the syslog for the message was.
>
> The miscreant *was* quarantined. typo? What happens if it wasn't
> quarantined?
>
> Jeff Earickson
>
> On Sat, 12 Mar 2005, Julian Field wrote:
>
>> Date: Sat, 12 Mar 2005 14:04:57 +0000
>> From: Julian Field <MailScanner at ECS.SOTON.AC.UK>
>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: quarantine notify in CreatePostmasterNotice?
>>
>> Easy.
>>
>> In Message.pm around line 3782, add 1 line of code:
>>
>> my $reportword = MailScanner::Config::LanguageValue($this, "report");
>> my $id = $this->{id};
>> my $from = $this->{from};
>> #my $to = join(', ', @{$this->{to}});
>> my $subj = $this->{subject};
>> my $rept = join(" $reportword: ", @everyrept);
>> my $quarantine = join(", ", (grep /\//, @{$this->{archiveplaces}}));
>> # <<<<<<
>> my $ip = $this->{clientip};
>> #print STDERR "Rept is\n$rept\n";
>>
>> And then use $quarantine in the notice report, by adding 1 line
>> around line 3810:
>>
>> my $reportspaces = 10 - length($reportword);
>> $reportword = ' ' x $reportspaces . $reportword if $reportspaces>0;
>> $result = "\n" .
>> " Sender: $from\n" .
>> "IP Address: $ip\n" .
>> " Recipient: $to\n" .
>> " Subject: $subj\n" .
>> " MessageID: $id\n" .
>> "Quarantine: $quarantine\n" . # <<<<<<<<
>> "$reportword: $rept\n";
>>
>> Please let me know if it works okay. My main test server has died,
>> and needs 2Gb of RAM to get it back to life again. So I cannot easily
>> test stuff at the moment.
>>
>> If it works, I will put it in the next release.
>>
>> Jeff A. Earickson wrote:
>>
>>> Julian,
>>>
>>> Would it be possible to modify CreatePostmasterNotice in Message.pm
>>> to add a note about whether or not a message was quarantined, eg:
>>>
>>> Sender: personalbanking at erms-02.wamu.com
>>> IP Address: 200.30.141.86
>>> Recipient: xxx at colby.edu
>>> Subject: Washington Mutual eCare® Customer Service.Security
>>> measures.
>>> MessageID: j2B50MI1013489
>>> Quarantine: /var/spool/MailScanner/quarantine/20050311/j2B50MI1013489
>>> Report: ClamAV Module: msg-14263-3.html was infected:
>>> HTML.Phishing.Bank-78
>>>
>>> If the virus isn't quarantined, just leave the line out, or say "no"
>>> instead of the path. Thanks.
>>>
>>> Jeff Earickson
>>> Colby College
>>>
>>> ------------------------ MailScanner list ------------------------
>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>> 'leave mailscanner' in the body of the email.
>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>> Support MailScanner development - buy the book off the website!
>>
>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>> Professional Support Services at www.MailScanner.biz
>> MailScanner thanks transtec Computers for their support
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>>
>
>
>------------------------------------------------------------------------
>
>*** Message.pm.orig Sat Mar 12 09:34:40 2005
>--- Message.pm Sat Mar 12 09:38:25 2005
>***************
>*** 3494,3499 ****
>--- 3494,3500 ----
> #my $to = join(', ', @{$this->{to}});
> my $subj = $this->{subject};
> my $rept = join(" $reportword: ", @everyrept);
>+ my $quarantine = join(", ", (grep /\//, @{$this->{archiveplaces}}));
> my $ip = $this->{clientip};
>
> # Build unique list of recipients. Avoids Postfix problem which has
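Review bot: `archiveplaces` is the wrong place to look for a quarantine path. The field comment in Message.pm describes it as "set by new (addresses and dirs)", i.e. the destinations of Archive Mail rules, and nothing in the quoted Quarantine.pm code ever adds to it, so `grep /\//` on it is empty unless an archive directory happens to be configured. That is why the sample notice for j2CEtjKg010584 shows a blank `Quarantine:` line while syslog reports the message saved under quarantine/20050312. The directory has to be recorded where the copy is actually made (StoreInfections in Quarantine.pm) and read from there.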
>***************
>*** 3521,3526 ****
>--- 3522,3528 ----
> " Recipient: $to\n" .
> " Subject: $subj\n" .
> " MessageID: $id\n" .
>+ "Quarantine: $quarantine\n" .
> "$reportword: $rept\n";
>
> if (MailScanner::Config::Value('noticefullheaders', $this)) {
>
>
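Review bot: the added `"Quarantine: $quarantine\n"` is emitted unconditionally, so an empty `$quarantine` produces a bare `Quarantine:` line, which is exactly what the quoted notice shows. The original request was to drop the line or print "no" in that case; `"Quarantine: " . ($quarantine ne '' ? $quarantine : 'no') . "\n"` would do it.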
>------------------------------------------------------------------------
>
> Sender: sentto-8326429-270-1110639345-xxx=colby.edu at returns.groups.yahoo.com
>IP Address: 66.94.237.24
> Recipient: xxx at colby.edu
> Subject: [corkpagans] JOIN THE MILLION VOICE CHOIR, 3/13/2005, 3:00 pm
> MessageID: j2CEtjKg010584
>Quarantine:
> Report: MailScanner: Found dangerous IFrame tag in HTML message
>
>
>
>
>------------------------------------------------------------------------
>
>Mar 12 09:55:53 basalt sendmail[10584]: [ID 801593 mail.info] j2CEtjKg010584: from=<sentto-8326429-270-1110639345-cjfindei=colby.edu at returns.groups.yahoo.com>, size=9465, class=-60, nrcpts=1, msgid=<1110639343.19.38905.m24 at yahoogroups.com>, proto=SMTP, daemon=MTA, relay=n13a.bulk.scd.yahoo.com [66.94.237.24]
>Mar 12 09:56:00 basalt <20>MailScanner[8111]: Content Checks: Detected HTML-specific exploits in j2CEtjKg010584
>Mar 12 09:56:00 basalt <22>MailScanner[8111]: Content Checks: Detected and have disarmed HTML message in j2CEtjKg010584 from sentto-8326429-270-1110639345-cjfindei=colby.edu at returns.groups.yahoo.com
>Mar 12 09:56:00 basalt <22>MailScanner[8111]: Saved entire message to /var/spool/MailScanner/quarantine/20050312/j2CEtjKg010584
>Mar 12 09:56:00 basalt <22>MailScanner[8111]: Saved infected "msg-8111-15.html" to /var/spool/MailScanner/quarantine/20050312/j2CEtjKg010584
>
>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
[ Part 2: "Attached Text" ]
--- Quarantine.pm.old 2003-11-14 16:35:30.000000000 +0000
+++ Quarantine.pm 2005-03-12 16:05:36.459923482 +0000
@@ -160,6 +160,8 @@
my($qdir, $todaydir, $msgdir, $uid, $gid, $changeowner, @chownlist);
+ #print STDERR "In StoreInfections\n";
+
# Create today's directory if necessary
#$todaydir = $this->{dir} . '/' . TodayDir();
$qdir = MailScanner::Config::Value('quarantinedir', $message);
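Review bot: the only change in this hunk is a commented-out `#print STDERR "In StoreInfections\n";` debug line; drop it before this goes into a release rather than leaving dead debug statements at the top of StoreInfections.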
@@ -195,6 +197,9 @@
$message->{store}->CopyEntireMessage($message, $msgdir, 'message',
$uid, $gid, $changeowner);
push @chownlist, "$msgdir/message" if -f "$msgdir/message";
+ # Remember where we archived it, so we can put it in postmaster notice
+ push @{$message->{quarantineplaces}}, $msgdir;
+ #print STDERR "1 Added $msgdir to quarantine\n";
}
# Now just quarantine the infected attachment files.
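Review bot: the push onto `@{$message->{quarantineplaces}}` is unconditional, whereas the line just above it only adds `$msgdir/message` to `@chownlist` `if -f "$msgdir/message"`. If CopyEntireMessage does not produce the file, the postmaster notice will still claim the message was quarantined in `$msgdir`. Guard the push with the same `-f "$msgdir/message"` test so the notice only names a directory that actually holds a copy, and drop the `#print STDERR "1 Added ..."` debug comment.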
@@ -215,6 +220,9 @@
#system($global::cp . " -p \"$indir/$attachment\" \"$msgdir/$attachment\"");
copy("$indir/$attachment", "$msgdir/$attachment");
push @chownlist, "$msgdir/$attachment";
+ # Remember where we archived it, so we can put it in postmaster notice
+ push @{$message->{quarantineplaces}}, $msgdir;
+ #print STDERR "2 Added $msgdir to quarantine\n";
}
}
chown $uid, $gid, @chownlist if @chownlist && $changeowner;
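Review bot: this push sits inside the per-attachment loop, so `$msgdir` is appended once for every infected attachment, on top of the entry the previous hunk adds when the entire message is also saved. The syslog quoted earlier (entire message and msg-8111-15.html both saved to quarantine/20050312/j2CEtjKg010584) is exactly that case, and the `join(", ", ...)` in CreatePostmasterNotice will print the same path twice. Push only when `$msgdir` is not already the last element of the list, e.g. `push @{$message->{quarantineplaces}}, $msgdir unless @{$message->{quarantineplaces}} && $message->{quarantineplaces}[-1] eq $msgdir;`, or de-duplicate before use. The `#print STDERR "2 Added ..."` debug comment should go too.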
[ Part 3: "Attached Text" ]
--- Message.pm.old 2005-03-12 15:48:42.351163335 +0000
+++ Message.pm 2005-03-12 15:57:42.161904226 +0000
@@ -81,6 +81,7 @@
# $scanme set by NeedsScanning (from MsgBatch constructor)
# $workarea set by new
# @archiveplaces set by new (addresses and dirs)
+# @quarantineplaces set by Quarantine.pm
# $spamwhitelisted set by IsSpam
# $spamblacklisted set by IsSpam
# $isspam set by IsSpam
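Review bot: the new field comment reads "set by Quarantine.pm" while its neighbours name the sub that sets the field (`new`, `IsSpam`, `NeedsScanning`); "set by Quarantine.pm StoreInfections (dirs)" would follow the convention and tell the reader that, unlike `@archiveplaces`, this list only ever holds directories.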
@@ -171,8 +172,9 @@
#print STDERR "Creating message $id\n";
$this->{id} = $id;
- @{$this->{archiveplaces}} = (); # Hope this syntax is right!
- @{$this->{spamarchive}} = (); # Hope this syntax is right!
+ @{$this->{archiveplaces}} = ();
+ @{$this->{spamarchive}} = ();
+ @{$this->{quarantineplaces}} = ();
# Create somewhere to store the message
$this->{store} = new MailScanner::SMDiskStore($id, $queuedirname);
@@ -3779,7 +3781,9 @@
#my $to = join(', ', @{$this->{to}});
my $subj = $this->{subject};
my $rept = join(" $reportword: ", @everyrept);
- my $quarantine = join(", ", (grep /\//, @{$this->{archiveplaces}}));
+ my @quarantines = grep /\//, @{$this->{archiveplaces}};
+ push @quarantines, grep /\//, @{$this->{quarantineplaces}};
+ my $quarantine = join(", ", @quarantines);
my $ip = $this->{clientip};
#print STDERR "Rept is\n$rept\n";
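Review bot: `@quarantines` can hold the same directory several times, since Quarantine.pm pushes `$msgdir` once per saved copy, and the following `join(", ", @quarantines)` prints every repeat. Build the list with a seen-hash instead: `my %seen; my @quarantines = grep { m{/} && !$seen{$_}++ } (@{$this->{archiveplaces}}, @{$this->{quarantineplaces}});`. The `grep /\//` on `quarantineplaces` is otherwise redundant, because that list only ever receives directory paths. Note also that this hunk leaves the report line alone, so a message that was neither archived nor quarantined still gets a blank `Quarantine:` line rather than the "no" that was asked for.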
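Pulling the patched notice logic together, as an added example that is not MailScanner's own code: the script below builds the postmaster-notice block for a constructed message record (field names follow the thread; the addresses, IP and directories are made up), de-duplicates the directory list that the Quarantine.pm patch fills once per saved copy, and prints "no" when nothing was quarantined, as the original request asked. Run it with `perl notice.pl`.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code: builds the "Quarantine:" line of a
# postmaster notice the way the patched CreatePostmasterNotice does, but
# with duplicate directories removed and "no" when there is nothing to show.
use strict;
use warnings;

# Constructed message record. archiveplaces mixes addresses and dirs
# (Archive Mail destinations); quarantineplaces is what StoreInfections
# pushes, once for the entire message and once per infected attachment,
# so the same directory appears twice.
my $message = {
    id               => 'j2CEtjKg010584',
    from             => 'sender@example.com',
    to               => ['xxx@example.edu'],
    subject          => 'sample message',
    clientip         => '192.0.2.10',
    archiveplaces    => ['archive@example.com',
                         '/var/spool/MailScanner/archive/20050312'],
    quarantineplaces => [
        '/var/spool/MailScanner/quarantine/20050312/j2CEtjKg010584',  # entire message
        '/var/spool/MailScanner/quarantine/20050312/j2CEtjKg010584',  # infected attachment
    ],
};

# Directories the message was copied to, each listed once, or "no".
# Only entries containing a slash count, which drops archive addresses.
sub QuarantineLine {
    my ($msg) = @_;
    my %seen;
    my @dirs = grep { m{/} && !$seen{$_}++ }
               (@{ $msg->{archiveplaces} || [] }, @{ $msg->{quarantineplaces} || [] });
    return @dirs ? join(", ", @dirs) : "no";
}

# Same layout as the notice in the thread: right-aligned labels, one
# report entry per $reportword.
sub BuildNotice {
    my ($msg, $reportword, @everyrept) = @_;
    my $rept = join(" $reportword: ", @everyrept);
    my $to   = join(", ", @{ $msg->{to} });
    my $reportspaces = 10 - length($reportword);
    $reportword = ' ' x $reportspaces . $reportword if $reportspaces > 0;
    return "\n" .
           "    Sender: $msg->{from}\n" .
           "IP Address: $msg->{clientip}\n" .
           " Recipient: $to\n" .
           "   Subject: $msg->{subject}\n" .
           " MessageID: $msg->{id}\n" .
           "Quarantine: " . QuarantineLine($msg) . "\n" .
           "$reportword: $rept\n";
}

# Quarantined and archived: two distinct directories, the duplicate
# quarantine entry and the archive address are dropped.
print BuildNotice($message, 'Report',
                  'MailScanner: Found dangerous IFrame tag in HTML message');

# Neither archived nor quarantined: the line reads "Quarantine: no".
$message->{archiveplaces}    = [];
$message->{quarantineplaces} = [];
print BuildNotice($message, 'Report', 'clean');
```

The first notice lists the archive directory and the quarantine directory once each; the second prints "Quarantine: no". Keeping the de-duplication in one helper means the notice stays correct however many copies StoreInfections records for a message.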