Mailscanner does not identify attachment in mail

Julian Field MailScanner at ecs.soton.ac.uk
Fri May 5 14:02:58 IST 2006


On 5 May 2006, at 09:33, Koopmann, Jan-Peter wrote:

> On Thursday, May 04, 2006 12:38 PM Julian Field wrote:
>
>> It should have found the uu-encoded file. Have you got that feature
>> switched on?
>> Look for "uu" or "UU" in MailScanner.conf.
>
> Well I upgraded to 4.53.7 on that box and today the next one came in.
> It again was identified as spam.
>
> May  5 10:00:40 proxy-hb MailScanner[98493]: New Batch: Scanning 1 messages, 35159 bytes
> May  5 10:00:40 proxy-hb MailScanner[98493]: Saved archive copies of 1FbvEk-0002FH-GK
> May  5 10:00:40 proxy-hb MailScanner[98493]: MCP Checks: Starting
> May  5 10:00:40 proxy-hb MailScanner[98493]: Spam Checks: Starting
> May  5 10:00:52 proxy-hb MailScanner[98493]: Spam Checks: Found 1 spam messages
> May  5 10:00:52 proxy-hb MailScanner[98493]: Spam Actions: message 1FbvEk-0002FH-GK actions are store
> May  5 10:00:53 proxy-hb MailScanner[98493]: Virus and Content Scanning: Starting
> May  5 10:00:53 proxy-hb MailScanner[98493]: Scan started at Fri May  5 10:00:53 2006
> May  5 10:00:53 proxy-hb MailScanner[98493]: Database version: 2006-05-05_01
> May  5 10:00:53 proxy-hb MailScanner[98493]: Scan ended at Fri May  5 10:00:53 2006
> May  5 10:00:53 proxy-hb MailScanner[98493]: 3 files scanned
> May  5 10:00:55 proxy-hb MailScanner[98493]: Batch (1 message) processed in 15.31 seconds
> May  5 10:00:55 proxy-hb MailScanner[98493]: "Always Looked Up Last" took 0.02 seconds
>
>
> Two problems/questions:
>
> 1. Is the uuencoded file now identified as such by MailScanner? It
> says 3 files scanned so I would assume so but I am not sure. I have
> Find UU-Encoded Files = yes in MailScanner.conf. The attachment is a
> virus free pdf so it is ok that no alarms pop up.

Yes, it should be identified as a uu-encoded file by MailScanner.

> 2. Why does SpamAssassin identify it as spam? Clearly it does not
> recognize the uuencoded file as such and therefore hits strange rules
> (like BAYES_99, SARE_URI_EUQALS etc.) pushing it over the High Scoring
> Spam limit. Is this a SpamAssassin or a MailScanner problem? In
> MIME-Mails SA does recognize attachments does it not and exclude it
> from scanning, does it not?

The difference is that uu-encoding is usually just done within a
text/plain part of the message, it's not a separate MIME entity like
every other attachment. The only way of finding them is to hunt through
all the plain text parts of the message, looking for the signature line
at the start of a uu-encoded file, and try to process the following
text into a file. This is what MailScanner does, and has for a long
time. The "MyParty" virus appeared years ago which exploited this
loophole in most commercial virus scanners. It's always a good test
of a commercial email virus scanner: just uuencode eicar and put it
into a plain text (not MIME at all) message and see if it gets caught.

It is possible that SpamAssassin does not do these checks, resulting  
in false positives. I'm sure Matt will correct me if I'm wrong :-)

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
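
The scan described in the reply above (hunt through a plain text part for the uu signature line, then decode what follows into a file), as an added example that is not part of the original message and is not MailScanner's own code. The function names, the sample message and its harmless payload are constructed for illustration.

```python
import binascii
import re

# "begin <octal mode> <filename>" is the signature line of a uu-encoded file.
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (\S.*)$")

def decode_uu_line(line):
    """Decode one uu line, tolerating encoders that pad past the stated length."""
    if not line:
        return b""
    try:
        return binascii.a2b_uu(line)
    except binascii.Error:
        # The first character gives the byte count; keep only the chars it needs.
        keep = (((ord(line[0]) - 32) & 63) * 4 + 5) // 3
        return binascii.a2b_uu(line[:keep])

def find_uuencoded(text):
    """Return [(filename, mode, data)] for each complete uu block in a text part."""
    found, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        data = bytearray()
        while i < len(lines) and lines[i].strip() != "end":
            try:
                data += decode_uu_line(lines[i])
            except (binascii.Error, ValueError):
                break  # ordinary prose after a look-alike "begin" line
            i += 1
        else:
            if i < len(lines):  # stopped on "end", so the block is complete
                found.append((m.group(2), int(m.group(1), 8), bytes(data)))
    return found

def sample_message():
    """Constructed non-MIME message with a harmless payload uu-encoded inline."""
    payload = b"%PDF-1.4 constructed sample payload\n" * 3
    rows = [binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n")
            for i in range(0, len(payload), 45)]
    text = "\n".join(["Hi, the report is below.", "", "begin 644 report.pdf",
                      *rows, "`", "end", "", "Regards"])
    return text, payload

if __name__ == "__main__":
    text, payload = sample_message()
    for name, mode, data in find_uuencoded(text):
        print(name, oct(mode), len(data), data == payload)
```

Each recovered (filename, data) pair can then go through the same filename, file type and virus checks as a MIME attachment; a block with no "end" line is dropped here rather than returned half-decoded.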

