separating recipient based whitelisting for virus and spam checks

Jan Brinkmann lucky at the-luckyduck.de
Thu Apr 20 09:24:25 IST 2006


On Tue, Apr 18, 2006 at 04:11:14PM +0200, Jan Brinkmann wrote:
> Hi,
> 
> Jules told me a few days ago how to enable / disable spam checking for
> certain recipients. I wrote a custom function (DoWeScan) which checks an sql
> database based on the 'todomain' field in the message. In the MailScanner.conf,
> the Scan Messages setting calls this function. This works fine,
> but it enables or disables all checks based on the settings in the
> database. Now, I tried to go one step further to make it possible to
> give users more options to select from. I tried to go the way Jules
> recommended (i.e. I wrote two more custom functions), for the 'Virus Scanning' and 
> 'Spam Checks' settings, but it doesn't work as expected. I tried the
> following things:
> 
> - Scan Messages = no
>   Virus Scanning = &DoWeVirusScan
>   Spam Checks = &DoWeSpamScan
> 
> Result: No messages are scanned at all.
> 
> - Scan Messages = yes
> 
> Result: no matter what I set in the database for spam or virus checks,
>   every message gets scanned
> 
> - Scan Messages = &DoWeScan , where DoWeScan checks if either the
>   spamfilter, the virusscanner or both features should be enabled.
>   
> Result: if one of these things is active, both checks are enabled. this is
>   because the DoWeScan function contains an inclusive or logic. 
> 
> 
> My question now is, can I enable / disable spam and virus checks
> independently?

Ok,

once again. Yesterday Jules told me that if 'Scan Messages' is set to
yes and all mails still get virus scanned, my DoWeVirusScan function
always returns 1. I tested everything, and changed something in
DoWeSpamScan. That worked, as I told Jules. Now, DoWeVirusScan still
doesn't work. I also tried to add 'return 0', so DoWeVirusScan
statically returns 0, but still the same behaviour. All mails get virus
scanned. The only way to stop this is to add 'Virus Scanning = no' into
the MailScanner.conf. I don't know where the problem is, maybe someone
else does?:

DoWeVirusScan.pm:
-----------------

package MailScanner::CustomConfig;

use DBI;
use DBD::mysql;

use strict 'vars';
use strict 'refs';
no  strict 'subs'; # Allow bare words for parameter %'s

use vars qw($VERSION);

### The package version, both in 1.23 style *and* usable by MakeMaker:
$VERSION = substr q$Revision: 1.1.2.1 $, 10;

my ($dsn, $dbh, $sth);

sub InitDoWeVirusScan {
}

sub EndDoWeVirusScan {
}

#
sub DoWeVirusScan {
        MailScanner::Log::InfoLog("DoWeVirusScan start");

        $dsn = "DBI:mysql:database=kundencenter;host=localhost";
        $dbh = DBI->connect($dsn, "root", "xxxxx") or die("Couldn't connect");

        my($message) = @_;

        my @td = @{$message->{todomain}};
        my $todomain = $td[0];

        $sth = $dbh->prepare("SELECT virusfilter FROM mailscanner_dowescan WHERE id like ?");
        $sth->bind_param(1,$todomain);
        $sth->execute();

        my $virusfilter;
        $sth->bind_columns(undef, \$virusfilter);

        my $ret = 0;

        while ( $sth->fetch ) {
                if ( $virusfilter eq 1 ) {
                        $ret = 1;
                }
        }

        $sth->finish();

        $dbh->disconnect();

        MailScanner::Log::InfoLog("Return $ret");
        MailScanner::Log::InfoLog("DoWeVirusScan end");

        return $ret;
}

1;



The related settings in the MailScanner.conf:
---------------------------------------------

Scan Messages = yes
Virus Scanning = &DoWeVirusScan





As you can see in the following log, DoWeVirusScan returns 0 for this message:
------------------------------------------------------------------------------

Apr 20 10:15:09 linux MailScanner[14202]: DoWeVirusScan start
Apr 20 10:15:09 linux MailScanner[14202]: Return 0
Apr 20 10:15:09 linux MailScanner[14202]: DoWeVirusScan end


Now, the related maillog entries, when I'm receiving a mail with an eicar.com test signature:

Apr 20 10:15:08 linux postfix/smtpd[14295]: B124318AC01B: client=the-luckyduck.de[217.160.134.226]
Apr 20 10:15:08 linux postfix/cleanup[14072]: B124318AC01B: hold: header Received: from the-luckyduck.de (the-luckyduck.de [217.160.134.226])??(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))??(No client certificate requested)??by dagobert.vegasystems.de (Postfi from the-luckyduck.de[217.160.134.226]; from=<lucky at the-luckyduck.de> to=<postmaster at trans-it.de> proto=ESMTP helo=<the-luckyduck.de>
Apr 20 10:15:08 linux postfix/cleanup[14072]: B124318AC01B: hold: header Received: from host-80-70-179-83.vegasystems.de (localhost) [80.70.179.83]by the-luckyduck.dewith esmtpsa(tls_cipher TLSv1:DHE-RSA-AES256-SHA:256)(Exim 4.54 #1 (Gentoo Linux 1.4))id 1FWURU-0002iF-Cb;  from the-luckyduck.de[217.160.134.226]; from=<lucky at the-luckyduck.de> to=<postmaster at trans-it.de> proto=ESMTP helo=<the-luckyduck.de>
Apr 20 10:15:08 linux postfix/cleanup[14072]: B124318AC01B: message-id=<20060420081438.GP4220 at luckyduck.tux>
Apr 20 10:15:08 linux postfix/smtpd[14295]: disconnect from the-luckyduck.de[217.160.134.226]
Apr 20 10:15:09 linux MailScanner[14202]: DoWeVirusScan start
Apr 20 10:15:09 linux MailScanner[14202]: Return 0
Apr 20 10:15:09 linux MailScanner[14202]: DoWeVirusScan end
Apr 20 10:15:09 linux MailScanner[14202]: New Batch: Scanning 1 messages, 1609 bytes
Apr 20 10:15:09 linux MailScanner[14202]: Virus and Content Scanning: Starting
Apr 20 10:15:11 linux MailScanner[14202]: Scan started at Thu Apr 20 10:15:11 2006
Apr 20 10:15:11 linux MailScanner[14202]: Database version: 2006-04-20_01
Apr 20 10:15:11 linux MailScanner[14202]: ./B124318AC01B.86252/eicar.com: Infected: EICAR_Test_File [Libra]
Apr 20 10:15:11 linux MailScanner[14202]: Virus Scanning: F-Secure found virus EICAR_Test_File
Apr 20 10:15:11 linux MailScanner[14202]: ./B124318AC01B.86252/eicar.com: Infected: EICAR Test File [Orion]
Apr 20 10:15:11 linux MailScanner[14202]: Virus Scanning: F-Secure found virus EICAR Test File
Apr 20 10:15:11 linux MailScanner[14202]: ./B124318AC01B.86252/eicar.com: Infected: EICAR-Test-File [AVP]
Apr 20 10:15:11 linux MailScanner[14202]: Virus Scanning: F-Secure found virus EICAR-Test-File
Apr 20 10:15:11 linux MailScanner[14202]: Scan ended at Thu Apr 20 10:15:11 2006
Apr 20 10:15:11 linux MailScanner[14202]: 3 files scanned
Apr 20 10:15:11 linux MailScanner[14202]: 1 file infected
Apr 20 10:15:11 linux MailScanner[14202]: Virus Scanning: F-Secure found 1 infections
Apr 20 10:15:11 linux MailScanner[14202]: ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./B124318AC01B.86252/eicar.com
Apr 20 10:15:11 linux MailScanner[14202]: Virus Scanning: ClamAV Module found 1 infections
Apr 20 10:15:11 linux MailScanner[14202]: DoWeVirusScan start
Apr 20 10:15:11 linux MailScanner[14202]: Return 0
Apr 20 10:15:11 linux MailScanner[14202]: DoWeVirusScan end
Apr 20 10:15:11 linux MailScanner[14202]: Virus Scanning: Found 1 viruses
Apr 20 10:15:11 linux MailScanner[14202]: Filename Checks: Windows/DOS Executable (B124318AC01B.86252 eicar.com)
Apr 20 10:15:11 linux MailScanner[14202]: Other Checks: Found 1 problems
Apr 20 10:15:11 linux MailScanner[14202]: Requeue: B124318AC01B.86252 to E6EB418AC02C
Apr 20 10:15:11 linux MailScanner[14202]: Cleaned: Delivered 1 cleaned messages
Apr 20 10:15:11 linux MailScanner[14202]: Batch (1 message) processed in 2.58 seconds
Apr 20 10:15:11 linux postfix/qmgr[10607]: E6EB418AC02C: from=<lucky at the-luckyduck.de>, size=2497, nrcpt=1 (queue active)
Apr 20 10:15:11 linux postfix/pipe[14085]: E6EB418AC02C: to=<postmaster at trans-it.de>, relay=maildrop, delay=5, status=sent (trans-it.de)
Apr 20 10:15:11 linux postfix/qmgr[10607]: E6EB418AC02C: removed


And that's the whole problem. Looking at the return value (0), the mail shouldn't get scanned for viruses. I also tried to return 'no',
and 0 statically, but all mails still get virus scanned as long as I put Virus Scanning = &DoWeVirusScan into the MailScanner.conf. I'm using
MailScanner 4.52.2. Thanks a lot for any feedback.
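
Added example, not part of the original post and not MailScanner's own code: the posted DoWeVirusScan looks up only the first entry of the message's todomain list and dies if the database connection fails, so this version of the decision logic skips scanning only when every recipient domain has explicitly opted out, and falls back to scanning on a lookup error or an unknown domain. The %VIRUSFILTER table, lookup_virusfilter(), do_we_virus_scan() and the .example domains are hypothetical stand-ins for the SQL lookup; the example covers the return value only, not how MailScanner acts on it.

```perl
#!/usr/bin/perl
# Added example (not MailScanner code). %VIRUSFILTER is constructed sample
# data standing in for the mailscanner_dowescan table.
use strict;
use warnings;

my %VIRUSFILTER = (
    'scanme.example' => 1,
    'optout.example' => 0,
);

# Hypothetical lookup: 1 or 0 for a known domain, undef for an unknown one;
# dies to simulate a database outage for 'dbdown.example'.
sub lookup_virusfilter {
    my ($domain) = @_;
    my $key = lc $domain;
    die "database unavailable\n" if $key eq 'dbdown.example';
    return $VIRUSFILTER{$key};
}

# Returns 0 (skip scanning) only if every recipient domain has opted out.
sub do_we_virus_scan {
    my ($message) = @_;
    my @domains = @{ $message->{todomain} || [] };
    return 1 unless @domains;             # no recipient data: scan
    for my $domain (@domains) {
        my $flag = eval { lookup_virusfilter($domain) };
        return 1 if $@;                   # lookup failed: scan
        return 1 unless defined $flag;    # domain not in table: scan
        return 1 if $flag;                # this recipient wants scanning
    }
    return 0;
}

# Constructed test messages: [ label, recipient domains, expected result ]
my @cases = (
    [ 'single opt-out',    ['optout.example'],                   0 ],
    [ 'mixed recipients',  ['optout.example', 'scanme.example'], 1 ],
    [ 'unknown domain',    ['other.example'],                    1 ],
    [ 'database failure',  ['dbdown.example'],                   1 ],
    [ 'no recipient list', [],                                   1 ],
);
for my $case (@cases) {
    my ($label, $domains, $expected) = @$case;
    my $got = do_we_virus_scan({ todomain => $domains });
    printf "%-18s -> %d (%s)\n", $label, $got,
        $got == $expected ? 'as expected' : 'MISMATCH';
}
```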


