Problems with MCP (can't find EOCD signature)
Simon Annetts
simon at ateb.co.uk
Thu May 25 12:21:06 IST 2006
Here is the section of the config file. I hope its not me setting something wrongly :-)
MCP Checks = yes
# Do the spam checks first, or the MCP checks first?
# This cannot be the filename of a ruleset, only a fixed value.
#First Check = mcp
First Check = spam
# The rest of these options are clones of the equivalent spam options
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1
MCP Header = X-Marteg-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = deliver
Bounce MCP As Attachment = no
MCP Modify Subject = yes
MCP Subject Text = {Profanity?}
High Scoring MCP Modify Subject = yes
High Scoring MCP Subject Text = {Profanity?}
Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = yes
Detailed MCP Report = yes
Include Scores In MCP Report = yes
Log MCP = yes
MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100k
MCP SpamAssassin Timeout = 10
MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt
Regards
Simon
----- Original Message -----
From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Thursday, May 25, 2006 11:57 AM
Subject: Re: Problems with MCP (can't find EOCD signature)
What are your MCP settings in your MailScanner.conf?
On 25 May 2006, at 11:18, Simon Annetts wrote:
> Ok, I spoke too soon.
> It fixes the problem with MCP checks but now breaks the virus
> checking.
>
> If I send a message containing the eicar excerpt on its own it is
> detected as a virus and blocked.
>
> If I send a message containing profanity, then the message is
> marked as profane and delivered.
>
> If I send a message containing profanity and the eicar excerpt then
> the profanity is detected but the virus is ignored and the
> message is sent containing the virus. Here's the log extract:
>
>
> May 25 12:37:25 mailhub1 MailScanner[24739]: New Batch: Scanning 1
> messages, 1127 bytes
> May 25 12:37:25 mailhub1 MailScanner[24739]: Spam Checks: Starting
> May 25 12:37:28 mailhub1 MailScanner[24739]: MCP Checks: Starting
> May 25 12:37:29 mailhub1 MailScanner[24739]: Message
> 1FjE9d-0006WH-3y from 10.4.4.20 (simon at ateb.co.uk) to marteg.com is
> MCP,
> MCP-Checker (score=10, required 1, PROFANITY2 10.00)
> May 25 12:37:29 mailhub1 MailScanner[24739]: MCP Checks: Found 1
> MCP messages
> May 25 12:37:29 mailhub1 MailScanner[24739]: MCP Actions: message
> 1FjE9d-0006WH-3y actions are deliver
> May 25 12:37:29 mailhub1 MailScanner[24739]: Virus and Content
> Scanning: Starting
> May 25 12:37:30 mailhub1 MailScanner[24739]: Uninfected: Delivered
> 1 messages
> May 25 12:37:30 mailhub1 MailScanner[24739]: Batch (1 message)
> processed in 5.51 seconds
>
>
> It seems to me that once mcp has had the message it passes it on to
> the next stage blank, so breaking any further analysis?
>
> Regards
> Simon
>
>
>
> ----- Original Message -----
> From: "Simon Annetts" <simon at ateb.co.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Thursday, May 25, 2006 11:04 AM
> Subject: Re: Problems with MCP (can't find EOCD signature)
>
>
> Thanks!
> That fixes it, but it is a work around. It would of course be
> better to reject profane mail before virus and spam checking to reduce
> overheads, but I can live with this for now. If I get time I'll dig
> into to the code to see why the mcp part fails to deliver or
> pass on the message to the next check.
> Thanks again for your prompt reply, I've only just joined the list
> so missed the previous post.
>
> Kind regards
> Simon
>
>
> ----- Original Message -----
> From: "Dhawal Doshy" <dhawal at netmagicsolutions.com>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Thursday, May 25, 2006 10:43 AM
> Subject: Re: Problems with MCP (can't find EOCD signature)
>
>
> Simon Annetts wrote:
>> Hi
>> I've just got mailscanner 4.54.4 working and I am trying to get
>> mcp to work.
>>
>> I'm using it with exim with two queues and two configs.
>> All works fine for virus and spam scanning.
>> However now mcp is enabled if a profane email arrives and is
>> caught by
>> mcp it never reaches the exim out queue it just disappears into a
>> black
>> hole.
>
> The EOCD error is a harmless one and can be safely ignored.. as for
> the
> MCP thing a few days back it was suggested to use this:
>
> First Check = spam
>
> HTH,
> - dhawal
>
>> spamassassin -C ./mcp.spam.assassin.prefs.conf --lint
>> shows no errors
>>
>> maillog shows the message being correctly detected:
>>
>> May 24 19:30:11 mailhub1 MailScanner[30746]: New Batch: Scanning 1
>> messages, 1054 bytes
>> May 24 19:30:11 mailhub1 MailScanner[30746]: MCP Checks: Starting
>> May 24 19:30:12 mailhub1 MailScanner[30746]: Message
>> 1Fiy7X-00082t-0U from 10.4.4.20 (simon at ateb.co.uk) to marteg.com
>> is MCP,
>> ecker (score=10, required 1, PROFANITY2 10.00)
>> May 24 19:30:12 mailhub1 MailScanner[30746]: MCP Checks: Found 1
>> MCP messages
>> May 24 19:30:12 mailhub1 MailScanner[30746]: MCP Actions: message
>> 1Fiy7X-00082t-0U actions are deliver
>> May 24 19:30:12 mailhub1 MailScanner[30746]: Spam Checks: Starting
>> May 24 19:30:19 mailhub1 MailScanner[30746]: Virus and Content
>> Scanning: Starting
>> May 24 19:30:21 mailhub1 MailScanner[30746]: Uninfected: Delivered
>> 1 messages
>> May 24 19:30:21 mailhub1 MailScanner[30746]: Batch (1 message)
>> processed in 9.55 seconds
>>
>> but exim main.log just shows:
>>
>> 2006-05-24 19:30:11 1Fiy7X-00082t-0U <= simon at ateb.co.uk
>> H=purple.marteg.com (purple) [10.4.4.20] P=smtp S=718 id=025101c67f4
>> a70$1404040a at purple
>> 2006-05-24 19:30:21 1Fiy7X-00082t-0U Completed
>>
>> instead of the usual in <= and out => parts of the message delivery.
>>
>> There is nothing in quarantine.
>>
>> I've done a find / -name "1Fiy7X-00082t-0U*" and the message is
>> nowhere
>> on the disk!
>> If I run mailscanner in debug mode I get the following excerpt which
>> seems to indicate the mcp check died with the error 'format error:
>> can't
>> find EOCD signature'
>>
>> What does this mean and how do I fix it??
>>
>> [23556] dbg: message: decoding other encoding type (7bit), ignoring
>> [23556] dbg: check: running tests for priority: 0
>> [23556] dbg: rules: running header regexp tests; score so far=0
>> [23556] dbg: rules: running body-text per-line regexp tests; score
>> so far=0
>> [23556] dbg: rules: ran body rule PROFANITY2 ======> got hit: "w*nk"
>> [23556] dbg: uri: running uri tests; score so far=10
>> [23556] dbg: rules: running raw-body-text per-line regexp tests;
>> score so far=10
>> [23556] dbg: rules: running full-text regexp tests; score so far=10
>> [23556] dbg: check: is spam? score=10 required=5
>> [23556] dbg: check: tests=PROFANITY2
>> [23556] dbg: check: subtests=
>> Ignore errors about failing to find EOCD signature
>> format error: can't find EOCD signature
>> at /usr/sbin/MailScanner line 781
>> Stopping now as you are debugging me.
>> [ OK ]
>>
>>
>> Thanks in advance
>> Simon
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by *MailScanner* <http://www.mailscanner.info/>,
>> and is
>> believed to be clean.
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner
mailing list