Problems with MCP (can't find EOCD signature)
Simon Annetts
simon at ateb.co.uk
Thu May 25 11:18:20 IST 2006
Ok, I spoke too soon.
It fixes the problem with MCP checks but now breaks the virus checking.
If I send a message containing the eicar excerpt on its own it is detected as a virus and blocked.
If I send a message containing profanity, then the message is marked as profane and delivered.
If I send a message containing profanity and the eicar excerpt then the profanity is detected but the virus is ignored and the
message is sent containing the virus. Here's the log extract:
May 25 12:37:25 mailhub1 MailScanner[24739]: New Batch: Scanning 1 messages, 1127 bytes
May 25 12:37:25 mailhub1 MailScanner[24739]: Spam Checks: Starting
May 25 12:37:28 mailhub1 MailScanner[24739]: MCP Checks: Starting
May 25 12:37:29 mailhub1 MailScanner[24739]: Message 1FjE9d-0006WH-3y from 10.4.4.20 (simon at ateb.co.uk) to marteg.com is MCP, MCP-Checker (score=10, required 1, PROFANITY2 10.00)
May 25 12:37:29 mailhub1 MailScanner[24739]: MCP Checks: Found 1 MCP messages
May 25 12:37:29 mailhub1 MailScanner[24739]: MCP Actions: message 1FjE9d-0006WH-3y actions are deliver
May 25 12:37:29 mailhub1 MailScanner[24739]: Virus and Content Scanning: Starting
May 25 12:37:30 mailhub1 MailScanner[24739]: Uninfected: Delivered 1 messages
May 25 12:37:30 mailhub1 MailScanner[24739]: Batch (1 message) processed in 5.51 seconds
It seems to me that once mcp has had the message it passes it on to the next stage blank, so breaking any further analysis?
Regards
Simon
----- Original Message -----
From: "Simon Annetts" <simon at ateb.co.uk>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Thursday, May 25, 2006 11:04 AM
Subject: Re: Problems with MCP (can't find EOCD signature)
Thanks!
That fixes it, but it is a workaround. It would of course be better to reject profane mail before virus and spam checking to reduce
overheads, but I can live with this for now. If I get time I'll dig into the code to see why the mcp part fails to deliver or
pass on the message to the next check.
Thanks again for your prompt reply, I've only just joined the list so missed the previous post.
Kind regards
Simon
----- Original Message -----
From: "Dhawal Doshy" <dhawal at netmagicsolutions.com>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Thursday, May 25, 2006 10:43 AM
Subject: Re: Problems with MCP (can't find EOCD signature)
Simon Annetts wrote:
> Hi
> I've just got mailscanner 4.54.4 working and I am trying to get mcp to work.
>
> I'm using it with exim with two queues and two configs.
> All works fine for virus and spam scanning.
> However now mcp is enabled if a profane email arrives and is caught by
> mcp it never reaches the exim out queue it just disappears into a black
> hole.
The EOCD error is a harmless one and can be safely ignored.. as for the
MCP thing a few days back it was suggested to use this:
First Check = spam
HTH,
- dhawal
> spamassassin -C ./mcp.spam.assassin.prefs.conf --lint
> shows no errors
>
> maillog shows the message being correctly detected:
>
> May 24 19:30:11 mailhub1 MailScanner[30746]: New Batch: Scanning 1 messages, 1054 bytes
> May 24 19:30:11 mailhub1 MailScanner[30746]: MCP Checks: Starting
> May 24 19:30:12 mailhub1 MailScanner[30746]: Message 1Fiy7X-00082t-0U from 10.4.4.20 (simon at ateb.co.uk) to marteg.com is MCP,
> ecker (score=10, required 1, PROFANITY2 10.00)
> May 24 19:30:12 mailhub1 MailScanner[30746]: MCP Checks: Found 1 MCP messages
> May 24 19:30:12 mailhub1 MailScanner[30746]: MCP Actions: message 1Fiy7X-00082t-0U actions are deliver
> May 24 19:30:12 mailhub1 MailScanner[30746]: Spam Checks: Starting
> May 24 19:30:19 mailhub1 MailScanner[30746]: Virus and Content Scanning: Starting
> May 24 19:30:21 mailhub1 MailScanner[30746]: Uninfected: Delivered 1 messages
> May 24 19:30:21 mailhub1 MailScanner[30746]: Batch (1 message) processed in 9.55 seconds
>
> but exim main.log just shows:
>
> 2006-05-24 19:30:11 1Fiy7X-00082t-0U <= simon at ateb.co.uk H=purple.marteg.com (purple) [10.4.4.20] P=smtp S=718 id=025101c67f4
> a70$1404040a at purple
> 2006-05-24 19:30:21 1Fiy7X-00082t-0U Completed
>
> instead of the usual in <= and out => parts of the message delivery.
>
> There is nothing in quarantine.
>
> I've done a find / -name "1Fiy7X-00082t-0U*" and the message is nowhere
> on the disk!
> If I run mailscanner in debug mode I get the following excerpt which
> seems to indicate the mcp check died with the error 'format error: can't
> find EOCD signature'
>
> What does this mean and how do I fix it??
>
> [23556] dbg: message: decoding other encoding type (7bit), ignoring
> [23556] dbg: check: running tests for priority: 0
> [23556] dbg: rules: running header regexp tests; score so far=0
> [23556] dbg: rules: running body-text per-line regexp tests; score so far=0
> [23556] dbg: rules: ran body rule PROFANITY2 ======> got hit: "w*nk"
> [23556] dbg: uri: running uri tests; score so far=10
> [23556] dbg: rules: running raw-body-text per-line regexp tests; score so far=10
> [23556] dbg: rules: running full-text regexp tests; score so far=10
> [23556] dbg: check: is spam? score=10 required=5
> [23556] dbg: check: tests=PROFANITY2
> [23556] dbg: check: subtests=
> Ignore errors about failing to find EOCD signature
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 781
> Stopping now as you are debugging me.
> [ OK ]
>
>
> Thanks in advance
> Simon
>
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.
>
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
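The log pattern reported at the top of this thread (an MCP hit with a "deliver" action, followed by the whole batch being logged as uninfected) can be searched for in maillog. The sketch below is an added example, not code from the original posts or from the MailScanner project. It lists message IDs worth re-testing and cannot prove that virus scanning was skipped. The function name and the PID 24740 control batch are constructed for illustration.

```python
import re

# First 9 lines: log extract from the post above (wrapped line rejoined).
# Last 4 lines: constructed control batch (PID 24740) with no MCP hit.
SAMPLE_LOG = """\
May 25 12:37:25 mailhub1 MailScanner[24739]: New Batch: Scanning 1 messages, 1127 bytes
May 25 12:37:25 mailhub1 MailScanner[24739]: Spam Checks: Starting
May 25 12:37:28 mailhub1 MailScanner[24739]: MCP Checks: Starting
May 25 12:37:29 mailhub1 MailScanner[24739]: Message 1FjE9d-0006WH-3y from 10.4.4.20 (simon at ateb.co.uk) to marteg.com is MCP, MCP-Checker (score=10, required 1, PROFANITY2 10.00)
May 25 12:37:29 mailhub1 MailScanner[24739]: MCP Checks: Found 1 MCP messages
May 25 12:37:29 mailhub1 MailScanner[24739]: MCP Actions: message 1FjE9d-0006WH-3y actions are deliver
May 25 12:37:29 mailhub1 MailScanner[24739]: Virus and Content Scanning: Starting
May 25 12:37:30 mailhub1 MailScanner[24739]: Uninfected: Delivered 1 messages
May 25 12:37:30 mailhub1 MailScanner[24739]: Batch (1 message) processed in 5.51 seconds
May 25 12:40:01 mailhub1 MailScanner[24740]: New Batch: Scanning 1 messages, 980 bytes
May 25 12:40:01 mailhub1 MailScanner[24740]: Spam Checks: Starting
May 25 12:40:03 mailhub1 MailScanner[24740]: Virus and Content Scanning: Starting
May 25 12:40:04 mailhub1 MailScanner[24740]: Uninfected: Delivered 1 messages
"""

MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"  # Exim message ID
LINE = re.compile(r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NEW_BATCH = re.compile(r"^New Batch: Scanning (?P<n>\d+) messages")
MCP_HIT = re.compile(rf"^Message (?P<id>{MSG_ID}) .* is MCP\b")
MCP_ACTION = re.compile(rf"^MCP Actions: message (?P<id>{MSG_ID}) actions are (?P<act>.+)$")
CLEAN = re.compile(r"^Uninfected: Delivered (?P<n>\d+) messages")

def suspect_deliveries(log_text):
    """IDs that hit MCP, were given a 'deliver' action, and sat in a batch
    whose messages were then all logged as uninfected and delivered."""
    batches, suspects = {}, []          # batches: pid -> state of current batch
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        state = batches.get(pid)
        if (b := NEW_BATCH.match(msg)):
            batches[pid] = {"size": int(b["n"]), "hits": set(), "deliver": set()}
        elif state is None:
            continue                    # line seen before any batch start
        elif (h := MCP_HIT.match(msg)):
            state["hits"].add(h["id"])
        elif (a := MCP_ACTION.match(msg)) and "deliver" in re.split(r"[,\s]+", a["act"]):
            state["deliver"].add(a["id"])
        elif (c := CLEAN.match(msg)) and int(c["n"]) == state["size"]:
            suspects.extend(sorted(state["hits"] & state["deliver"]))
    return suspects
```

Any ID it returns is a candidate for resending through a test setup with the eicar excerpt to confirm whether the virus scanner saw the message content.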