Normal mail in quarantine
Julian Field
MailScanner at ecs.soton.ac.uk
Fri Mar 31 14:06:42 IST 2006
On 31 Mar 2006, at 13:34, Plant, Dean wrote:
> Julian Field wrote:
>> On 31 Mar 2006, at 11:52, Plant, Dean wrote:
>>
>>> I have just gone live with an upgraded MailScanner server and noticed
>>> that some non spam & non dangerous mail is being stored in
>>> quarantine. Any ideas as to what I may have configured incorrectly?
>>
>> Take a look at this option:
>>
>> # Do you want to stop any virus-infected spam getting into the spam or MCP
>> # archives? If you have a system where users can release messages from the
>> # spam or MCP archives, then you probably want to stop them being able to
>> # release any infected messages, so set this to yes.
>> # It is set to no by default as it causes a small hit in performance, and
>> # many people don't allow users to access the spam quarantine, so don't
>> # need it.
>> # This can also be the filename of a ruleset.
>> Keep Spam And MCP Archive Clean = no
>
> I'm not sure if I am understanding that option or I have not clearly
> worded my question. My problem is that I am intermittently getting email
> that is clean of viruses with spam scores below 5 (i.e. clean messages)
> stored in quarantine. These mails should be passing through the relay
> and not be stored at all.
>
> My Non Spam Actions is set to deliver only. The messages being wrongly
> stored are going into /var/spool/MailScanner/quarantine/20060331
In which case it's not the non-spam actions causing the problem. I
would check in your logs to see what MailScanner thought of some of
the messages which you think haven't got viruses in them; the message
id is always logged against the report.
>
>
> My MailScanner.conf
>
> %org-name% = roke.co.uk
> %org-long-name% = RSYS002X\nRoke Manor Research Ltd
> %web-site% = www.roke.co.uk
> %etc-dir% = /etc/MailScanner
> %report-dir% = /etc/MailScanner/reports/en
> %rules-dir% = /etc/MailScanner/rules
> %mcp-dir% = /etc/MailScanner/mcp
> Max Children = 5
> Run As User =
> Run As Group =
> Queue Scan Interval = 5
> Incoming Queue Dir = /var/spool/mqueue.in
> Outgoing Queue Dir = /var/spool/mqueue
> Incoming Work Dir = /var/spool/MailScanner/incoming
> Quarantine Dir = /var/spool/MailScanner/quarantine
> PID file = /var/run/MailScanner.pid
> Restart Every = 14400
> MTA = sendmail
> Sendmail = /usr/sbin/sendmail
> Sendmail2 = /usr/sbin/sendmail
> Incoming Work User =
> Incoming Work Group =
> Incoming Work Permissions = 0600
> Quarantine User = root
> Quarantine Group = apache
> Quarantine Permissions = 0660
> Max Unscanned Bytes Per Scan = 100000000
> Max Unsafe Bytes Per Scan = 50000000
> Max Unscanned Messages Per Scan = 30
> Max Unsafe Messages Per Scan = 30
> Max Normal Queue Size = 1000
> Scan Messages = yes
> Reject Message = no
> Maximum Attachments Per Message = 200
> Expand TNEF = yes
> Use TNEF Contents = replace
> Deliver Unparsable TNEF = yes
> TNEF Expander = /usr/bin/tnef --maxsize=100000000
> TNEF Timeout = 120
> File Command =
> File Timeout = 20
> Unrar Command =# /usr/bin/unrar
> Unrar Timeout = 50
> Find UU-Encoded Files = no
> Maximum Message Size = 0
> Maximum Attachment Size = -1
> Minimum Attachment Size = -1
> Maximum Archive Depth = 4
> Find Archives By Content = yes
> Virus Scanning = %rules-dir%/virus.rules
> Virus Scanners = clamavmodule
> Virus Scanner Timeout = 300
> Deliver Disinfected Files = no
> Silent Viruses = All-Viruses
> Still Deliver Silent Viruses = no
> Non-Forging Viruses = Zip-Password
> Block Encrypted Messages = no
> Block Unencrypted Messages = no
> Allow Password-Protected Archives = yes
> Allowed Sophos Error Messages =
> Sophos IDE Dir = /usr/local/Sophos/ide
> Sophos Lib Dir = /usr/local/Sophos/lib
> Monitors For Sophos Updates = /usr/local/Sophos/ide/*ides.zip
> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
> ClamAVmodule Maximum Recursion Level = 8
> ClamAVmodule Maximum Files = 1000
> ClamAVmodule Maximum File Size = 100000000 # (100 Mbytes)
> ClamAVmodule Maximum Compression Ratio = 0
> Dangerous Content Scanning = yes
> Allow Partial Messages = no
> Allow External Message Bodies = %rules-dir%/ext.message.rules
> Find Phishing Fraud = yes
> Also Find Numeric Phishing = yes
> Highlight Phishing Fraud = yes
> Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
> Allow IFrame Tags = disarm
> Allow Form Tags = disarm
> Allow Script Tags = disarm
> Allow WebBugs = disarm
> Allow Object Codebase Tags = disarm
> Convert Dangerous HTML To Text = %rules-dir%/dangerous.html.rules
> Convert HTML To Text = no
> Allow Filenames =
> Deny Filenames =
> Filename Rules = %rules-dir%/filename.rules
> Allow Filetypes =
> Deny Filetypes =
> Filetype Rules = %etc-dir%/filetype.rules.conf
> Quarantine Infections = yes
> Quarantine Silent Viruses = yes
> Quarantine Modified Body = yes
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no
> Keep Spam And MCP Archive Clean = no
> Language Strings = %report-dir%/languages.conf
> Rejection Report = %report-dir%/rejection.report.txt
> Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
> Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
> Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
> Stored Bad Content Message Report = %report-dir%/stored.content.message.txt
> Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
> Stored Virus Message Report = %report-dir%/stored.virus.message.txt
> Disinfected Report = %report-dir%/disinfected.report.txt
> Inline HTML Signature = %rules-dir%/sig.html.rules
> Inline Text Signature = %rules-dir%/sig.txt.rules
> Inline HTML Warning = %report-dir%/inline.warning.html
> Inline Text Warning = %report-dir%/inline.warning.txt
> Sender Content Report = %report-dir%/sender.content.report.txt
> Sender Error Report = %report-dir%/sender.error.report.txt
> Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
> Sender Virus Report = %report-dir%/sender.virus.report.txt
> Hide Incoming Work Dir = yes
> Include Scanner Name In Reports = yes
> Mail Header = X-MailScanner-%org-name%:
> Spam Header = X-MailScanner-%org-name%-SpamCheck:
> Spam Score Header = X-MailScanner-%org-name%-SpamScore:
> Add Envelope From Header = yes
> Add Envelope To Header = no
> Envelope From Header = X-MailScanner-From:
> Envelope To Header = X-MailScanner-To:
> Spam Score Character = s
> SpamScore Number Instead Of Stars = no
> Minimum Stars If On Spam List = 0
> Clean Header Value = Found to be clean
> Infected Header Value = Found to be infected
> Disinfected Header Value = Disinfected
> Detailed Spam Report = yes
> Include Scores In SpamAssassin Report = yes
> Always Include SpamAssassin Report = yes
> Multiple Headers = append
> Hostname = the MailScanner
> Sign Messages Already Processed = no
> Sign Clean Messages = %rules-dir%/signing.rules
> Mark Infected Messages = yes
> Mark Unscanned Messages = yes
> Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
> Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:
> Deliver Cleaned Messages = %rules-dir%/deliver.cleaned.rules
> Notify Senders = %rules-dir%/notify.senders.rules
> Notify Senders Of Viruses = yes
> Notify Senders Of Blocked Filenames Or Filetypes = yes
> Notify Senders Of Other Blocked Content = yes
> Never Notify Senders Of Precedence = list bulk
> Scanned Modify Subject = no # end
> Scanned Subject Text = {Scanned}
> Virus Modify Subject = yes
> Virus Subject Text = {Roke Identified Virus}
> Filename Modify Subject = yes
> Filename Subject Text = {Roke Rejected Filename}
> Content Modify Subject = yes
> Content Subject Text = {Roke Blocked Content}
> Disarmed Modify Subject = yes
> Disarmed Subject Text = {Roke Disarmed Contect}
> Phishing Modify Subject = no
> Phishing Subject Text = {{Roke Identified Fraud}
> Spam Modify Subject = yes
> Spam Subject Text = {Roke Identified Spam}
> High Scoring Spam Modify Subject = yes
> High Scoring Spam Subject Text = {Roke High Spam _SCORE_ }
> Warning Is Attachment = yes
> Attachment Warning Filename = RokeVirusWarning.txt
> Attachment Encoding Charset = us-ascii
> Archive Mail =
> Send Notices = yes
> Notices Include Full Headers = no
> Hide Incoming Work Dir in Notices = no
> Notice Signature = -- \nMailScanner\nEmail Virus Scanner
> Notices From = MailScanner
> Notices To = viruswarnings at roke.co.uk
> Local Postmaster = postmaster
> Spam List Definitions = /etc/MailScanner/spam.lists.conf
> Virus Scanner Definitions = /etc/MailScanner/virus.scanners.conf
> Spam Checks = /etc/MailScanner/rules/spam.check.rules
> Spam List = # ORDB-RBL # Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)
> Spam Domain List =
> Spam Lists To Be Spam = 1
> Spam Lists To Reach High Score = 5
> Spam List Timeout = 20
> Max Spam List Timeouts = 7
> Spam List Timeouts History = 10
> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
> Is Definitely Spam = %rules-dir%/spam.blacklist.rules
> Definite Spam Is High Scoring = %rules-dir%/spam.blacklist.high.rules
> Ignore Spam Whitelist If Recipients Exceed = 20
> Use SpamAssassin = %rules-dir%/spam.check.rules
> Max SpamAssassin Size = 90000
> Required SpamAssassin Score = 5
> High SpamAssassin Score = 10
> SpamAssassin Auto Whitelist = no
> SpamAssassin Timeout = 120
> Max SpamAssassin Timeouts = 20
> SpamAssassin Timeouts History = 30
> Check SpamAssassin If On Spam List = yes
> Spam Score = yes
> Cache SpamAssassin Results = yes
> SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db
> Rebuild Bayes Every = 7200
> Wait During Bayes Rebuild = yes
> Use Custom Spam Scanner = no
> Max Custom Spam Scanner Size = 20000
> Custom Spam Scanner Timeout = 20
> Max Custom Spam Scanner Timeouts = 10
> Custom Spam Scanner Timeout History = 20
> Spam Actions = store attachment deliver
> High Scoring Spam Actions = forward spamcheck at roke.co.uk
> Non Spam Actions = deliver
> Sender Spam Report = %report-dir%/sender.spam.report.txt
> Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
> Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
> Inline Spam Warning = %report-dir%/inline.spam.warning.txt
> Recipient Spam Report = %report-dir%/recipient.spam.report.txt
> Enable Spam Bounce = %rules-dir%/bounce.rules
> Bounce Spam As Attachment = no
> Syslog Facility = mail
> Log Speed = yes
> Log Spam = no
> Log Non Spam = no
> Log Permitted Filenames = no
> Log Permitted Filetypes = no
> Log Silent Viruses = no
> Log Dangerous HTML Tags = no
> SpamAssassin User State Dir =
> SpamAssassin Install Prefix =
> SpamAssassin Site Rules Dir = /etc/mail/spamassassin
> SpamAssassin Local Rules Dir =
> SpamAssassin Default Rules Dir =
> MCP Checks = no
> First Check = mcp
> MCP Required SpamAssassin Score = 1
> MCP High SpamAssassin Score = 10
> MCP Error Score = 1
> MCP Header = X-%org-name%-MailScanner-MCPCheck:
> Non MCP Actions = deliver
> MCP Actions = deliver
> High Scoring MCP Actions = deliver
> Bounce MCP As Attachment = no
> MCP Modify Subject = yes
> MCP Subject Text = {MCP?}
> High Scoring MCP Modify Subject = yes
> High Scoring MCP Subject Text = {MCP?}
> Is Definitely MCP = no
> Is Definitely Not MCP = no
> Definite MCP Is High Scoring = no
> Always Include MCP Report = no
> Detailed MCP Report = yes
> Include Scores In MCP Report = no
> Log MCP = no
> MCP Max SpamAssassin Timeouts = 20
> MCP Max SpamAssassin Size = 100000
> MCP SpamAssassin Timeout = 10
> MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
> MCP SpamAssassin User State Dir =
> MCP SpamAssassin Local Rules Dir = %mcp-dir%
> MCP SpamAssassin Default Rules Dir = %mcp-dir%
> MCP SpamAssassin Install Prefix = %mcp-dir%
> Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
> Sender MCP Report = %report-dir%/sender.mcp.report.txt
> Use Default Rules With Multiple Recipients = no
> Spam Score Number Format = %d
> MailScanner Version Number = 4.51.6
> SpamAssassin Cache Timings = 1800,300,10800,172800,600
> Debug = no
> Debug SpamAssassin = no
> Run In Foreground = no
> Always Looked Up Last = &MailWatchLogging
> Always Looked Up Last After Batch = no
> Deliver In Background = yes
> Delivery Method = batch
> Split Exim Spool = no
> Lockfile Dir = /tmp
> Custom Functions Dir = /usr/lib/MailScanner/MailScanner/CustomFunctions
> Lock Type = posix
> Minimum Code Status = supported
>
> Dean
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
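
Added example, not part of the original message and not MailScanner's own code: one way to follow the advice above and pull the MailScanner log lines for every message id found in a quarantine day directory. The log path /var/log/maillog, the spam/nonspam/mcp subdirectory names, and the sample ids and log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# quarantine_log_report DAY_DIR LOG_FILE
# For each message id stored in one day's quarantine directory, print the
# MailScanner syslog lines that mention it. Assumes each entry is named after
# the message id; spam/nonspam/mcp archive subdirectories (assumed names) are skipped.
quarantine_log_report() {
    day_dir=$1
    log_file=$2
    for entry in "$day_dir"/*; do
        [ -e "$entry" ] || continue      # empty directory: glob matched nothing
        id=$(basename "$entry")
        case $id in spam|nonspam|mcp) continue ;; esac
        echo "== $id"
        # -F: match the id as a fixed string; keep only MailScanner's own lines
        if ! grep -F -- "$id" "$log_file" | grep -F 'MailScanner['; then
            echo "   (no MailScanner log lines found for this id)"
        fi
    done
    return 0
}

# make_sample ROOT: build constructed sample data. The ids, hosts and log
# wording are made up for illustration; real MailScanner log text may differ.
make_sample() {
    root=$1
    mkdir -p "$root/20060331/k2VC2Ab1004321" "$root/20060331/k2VC9Zx1004399" \
        "$root/20060331/spam"
    cat > "$root/maillog" <<'EOF'
Mar 31 13:02:10 relay sendmail[2190]: k2VC2Ab1004321: from=<a@example.com>, size=4312
Mar 31 13:02:11 relay MailScanner[2211]: Content Checks: Detected and have disarmed web bug tags in HTML message in k2VC2Ab1004321 from a@example.com
Mar 31 13:02:11 relay MailScanner[2211]: Saved entire message to /var/spool/MailScanner/quarantine/20060331/k2VC2Ab1004321
Mar 31 13:09:40 relay sendmail[2304]: k2VC9Zx1004399: from=<b@example.com>, size=1200
EOF
}

# Real use (the log path is an assumption; the posted config logs to facility "mail"):
#   quarantine_log_report /var/spool/MailScanner/quarantine/20060331 /var/log/maillog
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp"
    quarantine_log_report "$tmp/20060331" "$tmp/maillog"
    rm -rf "$tmp"
fi
```

An id that prints no MailScanner lines usually means the log has rotated or the wrong log file was given, not that the message was never scanned.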