Ruleset for Quarantine Infections

Glenn Steen glenn.steen at gmail.com
Wed Dec 19 08:05:28 GMT 2007


On 18/12/2007, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
> Hello,
>
>
> This mail is related to the thread "MailScanner could not analyze some
> mails".
>
> As it seems that all the messages which cannot be analyzed come from
> the same servers,
> I try to create a ruleset for the Quarantine Infections:
>
> Quarantine Infections = %rules-dir%/quarantine.rules # was yes
>
>
> In the file quarantine.rules, I have :
>
> #
> # Quarantine Infections
> #
>
> # mail.register.be
> #
> From:           212.35.125.                     no
> From:           /e-zone\.net/                   no
>
> FromOrTo:       default                         yes
>
>
>
> But today, I still have a mail which has been put in quarantine.
> The "postcat" of the file gives :
>
> # postcat 4B600EFB74
> *** ENVELOPE RECORDS 4B600EFB74 ***
> message_size:            3440             586
> 1               0            3440
> message_arrival_time: Tue Dec 18 12:17:17 2007
> create_time: Tue Dec 18 12:17:17 2007
> named_attribute: rewrite_context=local
> sender:
> named_attribute: log_client_name=localhost.localdomain
> named_attribute: log_client_address=127.0.0.1
> named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
> named_attribute: log_helo_name=smtp4.sgsi.ucl.ac.be
> named_attribute: log_protocol_name=ESMTP
> named_attribute: client_name=localhost.localdomain
> named_attribute: reverse_client_name=localhost.localdomain
> named_attribute: client_address=127.0.0.1
> named_attribute: helo_name=smtp4.sgsi.ucl.ac.be
> named_attribute: client_address_type=2
> named_attribute: dsn_orig_rcpt=rfc822;autenne at cpdr.ucl.ac.be
> original_recipient: autenne at cpdr.ucl.ac.be
> recipient: autenne at cpdr.ucl.ac.be
> *** MESSAGE CONTENTS 4B600EFB74 ***
> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>         by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4B600EFB74
>         for <autenne at cpdr.ucl.ac.be>; Tue, 18 Dec 2007 12:17:17 +0100 (CET)
> Received: from mail5.e-zone.net (unknown [212.35.125.179])
>         by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP
>         for <autenne at cpdr.ucl.ac.be>; Tue, 18 Dec 2007 12:17:17 +0100 (CET)
> Message-Id: <B0079261542 at mail5.e-zone.net>
> Date: Tue, 18 Dec 2007 12:17:05 +0100
>
>
> What's wrong with the quarantine ruleset ?
>
> Thanks
The ruleset works with the envelope information, not what happens to
be in the (possibly forged) RFC822 message, so you should look above
the "*** MESSAGE ..." line.
As you can see there, it is seen as locally supplied. Is this perhaps
a release from quarantine?

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
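To make Glenn's point concrete, here is an added Python sketch (not MailScanner's code and not part of the thread) that models first-match evaluation of a From:/FromOrTo: ruleset against the envelope records from the postcat dump, rather than against the Received: headers inside the message. It assumes a simplified version of MailScanner's matching (a pattern ending in a dot is an IP prefix, /.../ is a regex, "default" always matches); the envelope sample is constructed from the records quoted above, with the archive's "at" obfuscation turned back into "@".

```python
import re

# Constructed copy of the envelope records from the postcat dump above,
# reduced to the fields a From:/To: ruleset can look at. Note the empty
# sender (a null envelope sender) and the loopback client address.
POSTCAT_ENVELOPE = """\
named_attribute: rewrite_context=local
sender:
named_attribute: log_client_address=127.0.0.1
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=smtp4.sgsi.ucl.ac.be
recipient: autenne@cpdr.ucl.ac.be
"""

# The quarantine.rules from the question, verbatim.
QUARANTINE_RULES = r"""
# Quarantine Infections
From:           212.35.125.                     no
From:           /e-zone\.net/                   no
FromOrTo:       default                         yes
"""


def parse_envelope(text):
    """Pull sender, recipients and SMTP client IP out of a postcat envelope dump."""
    env = {"sender": "", "recipients": [], "client_address": ""}
    for line in text.splitlines():
        if line.startswith("sender:"):
            env["sender"] = line[len("sender:"):].strip()
        elif line.startswith("recipient:"):
            env["recipients"].append(line[len("recipient:"):].strip())
        elif line.startswith("named_attribute: client_address="):
            env["client_address"] = line.split("=", 1)[1].strip()
    return env


def parse_rules(text):
    """Parse 'Direction: pattern value' lines; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split()
        rules.append((direction.rstrip(":").lower(), pattern, value.lower()))
    return rules


def matches(pattern, candidates):
    """Simplified MailScanner-style match (assumption): 'default' always hits,
    /regex/ is searched case-insensitively, anything else is a literal or an
    IP prefix such as '212.35.125.'."""
    if pattern == "default":
        return True
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        rx = re.compile(pattern[1:-1], re.IGNORECASE)
        return any(rx.search(c) for c in candidates)
    return any(c == pattern or c.startswith(pattern) for c in candidates)


def evaluate(rules, env):
    """First matching rule wins. Returns (value, (direction, pattern)) so the
    caller can see which line fired; From: sees the envelope sender and the
    client IP, To: sees the envelope recipients."""
    from_side = [env["sender"], env["client_address"]]
    to_side = env["recipients"]
    for direction, pattern, value in rules:
        if direction == "from":
            cands = from_side
        elif direction == "to":
            cands = to_side
        else:  # fromorto
            cands = from_side + to_side
        if matches(pattern, cands):
            return value, (direction, pattern)
    return None, None


if __name__ == "__main__":
    env = parse_envelope(POSTCAT_ENVELOPE)
    print("envelope:", env)
    print("decision:", evaluate(parse_rules(QUARANTINE_RULES), env))
```

Run against the quoted envelope, the two "no" rules see only an empty sender and 127.0.0.1, so the evaluation falls through to the default "yes" and the message is quarantined; the 212.35.125.179 address and the e-zone.net name exist only in the second Received: header, which this kind of ruleset never consults. Changing the client address in the sample to one inside 212.35.125. flips the result to "no", which is the behaviour the original rules were written for.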