Mailscanner does not identify attachment in mail
Adri Koppes
adrik at salesmanager.nl
Fri May 5 14:11:21 IST 2006
Julian,
I also spent some time looking in SA bugs list etc.
It seems SA doesn't want to alter the plain text of an email message.
Therefore it only strips MIME attachments before processing the message
body.
UUEncoded attachments seem to stay in place and are processed,
resulting in undesirable side-effects!
This problem has appeared a few times on the SA list and the general
consensus of the developers seems to be 'Don't fix', since it appears
rarely in normal email and everybody should be MIME compliant.
I might not agree with this, but I think there won't be a quick solution
from SpamAssassin.
Adri.
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> Sent: vrijdag 5 mei 2006 15:03
> To: MailScanner discussion
> Subject: Re: Mailscanner does not identify attachment in mail
>
>
> On 5 May 2006, at 09:33, Koopmann, Jan-Peter wrote:
>
> > On Thursday, May 04, 2006 12:38 PM Julian Field wrote:
> >
> >> It should have found the uu-encoded file. Have you got that feature
> >> switched on?
> >> Look for "uu" or "UU" in MailScanner.conf.
> >
> > Well I upgraded to 4.53.7 on that box and today the next one came in.
> > It again was identified as spam.
> >
> > May 5 10:00:40 proxy-hb MailScanner[98493]: New Batch: Scanning 1 messages, 35159 bytes
> > May 5 10:00:40 proxy-hb MailScanner[98493]: Saved archive copies of 1FbvEk-0002FH-GK
> > May 5 10:00:40 proxy-hb MailScanner[98493]: MCP Checks: Starting
> > May 5 10:00:40 proxy-hb MailScanner[98493]: Spam Checks: Starting
> > May 5 10:00:52 proxy-hb MailScanner[98493]: Spam Checks: Found 1 spam messages
> > May 5 10:00:52 proxy-hb MailScanner[98493]: Spam Actions: message 1FbvEk-0002FH-GK actions are store
> > May 5 10:00:53 proxy-hb MailScanner[98493]: Virus and Content Scanning: Starting
> > May 5 10:00:53 proxy-hb MailScanner[98493]: Scan started at Fri May 5 10:00:53 2006
> > May 5 10:00:53 proxy-hb MailScanner[98493]: Database version: 2006-05-05_01
> > May 5 10:00:53 proxy-hb MailScanner[98493]: Scan ended at Fri May 5 10:00:53 2006
> > May 5 10:00:53 proxy-hb MailScanner[98493]: 3 files scanned
> > May 5 10:00:55 proxy-hb MailScanner[98493]: Batch (1 message) processed in 15.31 seconds
> > May 5 10:00:55 proxy-hb MailScanner[98493]: "Always Looked Up Last" took 0.02 seconds
> >
> >
> > Two problems/questions:
> >
> > 1. Is the uuencoded file now identified as such by MailScanner? It
> > says 3 files scanned so I would assume so but I am not sure. I have
> > Find UU-Encoded Files = yes in MailScanner.conf. The attachment is a
> > virus free pdf so it is ok that no alarms pop up.
>
> Yes, it should be identified as a uu-encoded file by MailScanner.
>
> > 2. Why does Spamassassin identify it as spam? Clearly it does not
> > recognize the uuencoded file as such and therefore hits strange rules
> > (like BAYES_99, SARE_URI_EUQALS etc.) pushing it over the High Scoring
> > Spam limit. Is this a SpamAssassin or a MailScanner problem? In
> > MIME-Mails SA does recognize attachments does it not and exclude it
> > from scanning, does it not?
>
> The difference is that uu-encoding is usually just done within a
> text/plain part of the message, it's not a separate MIME entity like
> every other attachment. The only way of finding them is to hunt
> through all the plain text parts of the message, looking for the
> signature line at the start of a uu-encoded file, and try to process
> the following text into a file. This is what MailScanner does, and has
> for a long time. The "MyParty" virus appeared years ago which
> exploited this loophole in most commercial virus scanners. It's always
> a good test of a commercial email virus scanner, just uuencode eicar
> and put it into a plain text (not MIME at all) message and see if it
> gets caught.
>
> It is possible that SpamAssassin does not do these checks,
> resulting in false positives. I'm sure Matt will correct me
> if I'm wrong :-)
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
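
The search described in the quoted reply above (hunt through the plain text for the `begin` signature line, then try to decode what follows), sketched in Python as an added example; it is not MailScanner or SpamAssassin code. The names `split_uuencoded` and `make_sample` are hypothetical and the message body is constructed. It returns the decoded files for content scanning and the remaining text, which is what a spam scorer would want to see instead of the encoded lines.

```python
import binascii
import re

# Signature line that opens a uuencoded file: "begin <octal mode> <filename>"
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (\S.*)$")

def split_uuencoded(body):
    """Split a plain-text body into (remaining_text, [(filename, bytes), ...])."""
    lines = body.splitlines()
    kept, files, i = [], [], 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        data, j, ended = bytearray(), i + 1, False
        while m and j < len(lines):
            if lines[j] == "end":
                ended = True
                break
            if not lines[j]:
                break  # a blank line cannot be part of a uuencoded block
            try:
                data += binascii.a2b_uu(lines[j])
            except ValueError:  # binascii.Error, or non-ASCII text
                break
            j += 1
        if ended:
            files.append((m.group(2), bytes(data)))
            i = j + 1  # drop the whole block from the text
        else:
            kept.append(lines[i])  # ordinary prose, or a truncated block
            i += 1
    return "\n".join(kept), files

def make_sample():
    """Constructed message body with one uuencoded file and a decoy 'begin' line."""
    payload = b"%PDF-1.4 constructed sample attachment, not a real PDF\n" * 3
    uu = "".join(binascii.b2a_uu(payload[k:k + 45]).decode("ascii")
                 for k in range(0, len(payload), 45))
    body = ("Hi,\nplease find the report attached.\n\n"
            "begin 644 report.pdf\n" + uu + "`\nend\n\n"
            "begin 644 is a file mode\nRegards\n")
    return body, payload

if __name__ == "__main__":
    body, payload = make_sample()
    text, files = split_uuencoded(body)
    print(files[0][0], len(files[0][1]), "bytes")
    print(text)
```

The decoy line shows why the `begin` signature alone is not enough: a block only counts when the lines after it decode and an `end` line closes it.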