Ruleset for Quarantine Infections
Pascal Maes
pascal.maes at elec.ucl.ac.be
Thu Dec 20 10:09:29 GMT 2007
On 19 Dec 2007 at 09:05, Glenn Steen wrote:
> On 18/12/2007, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>> Hello,
>>
>>
>> This mail is related to the thread "MailScanner could not analyze some
>> mails".
>>
>> As it seems that all the messages which cannot be analyzed come from
>> the same servers, I tried to create a ruleset for Quarantine Infections:
>>
>> Quarantine Infections = %rules-dir%/quarantine.rules # was yes
>>
>>
>> In the file quarantine.rules, I have :
>>
>> #
>> # Quarantine Infections
>> #
>>
>> # mail.register.be
>> #
>> From: 212.35.125. no
>> From: /e-zone\.net/ no
>>
>> FromOrTo: default yes
>>
>>
>>
>> But today, I still have a mail which has been put in quarantine.
>> The "postcat" of the file gives :
>>
>> # postcat 4B600EFB74
>> *** ENVELOPE RECORDS 4B600EFB74 ***
>> message_size: 3440 586
>> 1 0 3440
>> message_arrival_time: Tue Dec 18 12:17:17 2007
>> create_time: Tue Dec 18 12:17:17 2007
>> named_attribute: rewrite_context=local
>> sender:
>> named_attribute: log_client_name=localhost.localdomain
>> named_attribute: log_client_address=127.0.0.1
>> named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
>> named_attribute: log_helo_name=smtp4.sgsi.ucl.ac.be
>> named_attribute: log_protocol_name=ESMTP
>> named_attribute: client_name=localhost.localdomain
>> named_attribute: reverse_client_name=localhost.localdomain
>> named_attribute: client_address=127.0.0.1
>> named_attribute: helo_name=smtp4.sgsi.ucl.ac.be
>> named_attribute: client_address_type=2
>> named_attribute: dsn_orig_rcpt=rfc822;autenne at cpdr.ucl.ac.be
>> original_recipient: autenne at cpdr.ucl.ac.be
>> recipient: autenne at cpdr.ucl.ac.be
>> *** MESSAGE CONTENTS 4B600EFB74 ***
>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4B600EFB74
>> for <autenne at cpdr.ucl.ac.be>; Tue, 18 Dec 2007 12:17:17 +0100 (CET)
>> Received: from mail5.e-zone.net (unknown [212.35.125.179])
>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP
>> for <autenne at cpdr.ucl.ac.be>; Tue, 18 Dec 2007 12:17:17 +0100 (CET)
>> Message-Id: <B0079261542 at mail5.e-zone.net>
>> Date: Tue, 18 Dec 2007 12:17:05 +0100
>>
>>
>> What's wrong with the quarantine ruleset?
>>
>> Thanks
> The ruleset works with the envelope information, not what happens to
> be in the (possibly forged) RFC822 message, so you should look above
> the "*** MESSAGE ..." line.
> As you can see there, it is seen as locally supplied. Is this perhaps
> a release from quarantine?
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
Hello,
I have followed the instructions from <http://www.mailscanner.info/postfix.html>,
but we also have a before-queue filter (clamsmtp) that could explain
why the mail is coming from our server.
I have changed the way that the message is re-injected into postfix from
clamsmtp.
Now we have :
# postcat 98B581C5CE2
*** ENVELOPE RECORDS 98B581C5CE2 ***
message_size: 2970 545
1 0 2970
message_arrival_time: Thu Dec 20 11:02:02 2007
create_time: Thu Dec 20 11:02:02 2007
named_attribute: rewrite_context=remote
sender:
named_attribute: log_client_address=212.35.125.182
named_attribute: log_message_origin=unknown[212.35.125.182]
named_attribute: log_helo_name=web3.e-zone.net
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=smtp3.sgsi.ucl.ac.be
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;pascal.maes at uclouvain.be
original_recipient: pascal.maes at uclouvain.be
recipient: pascal.maes at uclouvain.be
*** MESSAGE CONTENTS 98B581C5CE2 ***
[...]
And the message is still put in quarantine!
Regards,
--
Pascal
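The point raised in the thread is that the ruleset is evaluated against the envelope records above the "*** MESSAGE CONTENTS ***" line, not against the Received: headers. The following is an added example (not code from the list, from MailScanner or from Postfix) that parses a postcat envelope dump modelled on the second one in this message and evaluates the quarantine.rules above against it. It is a deliberately simplified evaluator: it assumes that a numeric `From:` pattern is a prefix match on the client IP and that a `/regex/` pattern is matched against the envelope sender, and it lets you pick which attribute is treated as "the client IP" (`client_address`, which here is 127.0.0.1 from the re-injection, or `log_client_address`, which still carries 212.35.125.182). Which of those attributes the real MailScanner Postfix support reads is not something this example establishes; check the Postfix.pm of your version.

```python
import re

# Constructed sample, trimmed from the second postcat output in this message.
# Note the envelope sender is empty (a null-sender / bounce-style message).
POSTCAT_OUTPUT = """*** ENVELOPE RECORDS 98B581C5CE2 ***
message_size: 2970 545
named_attribute: rewrite_context=remote
sender:
named_attribute: log_client_address=212.35.125.182
named_attribute: log_message_origin=unknown[212.35.125.182]
named_attribute: log_helo_name=web3.e-zone.net
named_attribute: client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=smtp3.sgsi.ucl.ac.be
original_recipient: pascal.maes@uclouvain.be
recipient: pascal.maes@uclouvain.be
*** MESSAGE CONTENTS 98B581C5CE2 ***
Received: from mail5.e-zone.net (unknown [212.35.125.179])
"""

# The quarantine.rules from the message, verbatim.
QUARANTINE_RULES = """
# Quarantine Infections
From: 212.35.125. no
From: /e-zone\\.net/ no
FromOrTo: default yes
"""


def parse_envelope(postcat):
    """Collect envelope records only; everything after MESSAGE CONTENTS
    is message data and is ignored, as the ruleset ignores it."""
    env = {"attrs": {}, "sender": "", "recipients": []}
    for line in postcat.splitlines():
        if line.startswith("*** MESSAGE CONTENTS"):
            break
        if line.startswith("named_attribute: "):
            key, _, value = line[len("named_attribute: "):].partition("=")
            env["attrs"][key] = value
        elif line.startswith("sender:"):
            env["sender"] = line[len("sender:"):].strip()
        elif line.startswith("recipient:"):
            env["recipients"].append(line[len("recipient:"):].strip())
    return env


def parse_rules(text):
    """Turn 'Direction: pattern value' lines into (direction, pattern, value)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":"), pattern, value))
    return rules


def rule_matches(pattern, client_ip, addresses):
    """Assumed semantics: 'default' always matches, /re/ is tested against
    the addresses, a dotted-digit pattern is a prefix of the client IP,
    anything else is a literal address match."""
    if pattern == "default":
        return True
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        rx = re.compile(pattern[1:-1], re.IGNORECASE)
        return any(rx.search(a) for a in addresses)
    if re.fullmatch(r"[0-9.]+", pattern):
        return client_ip.startswith(pattern)
    return pattern.lower() in (a.lower() for a in addresses)


def evaluate(rules, env, ip_attr="client_address"):
    """Return (value, matching_rule) for the first rule that matches, using
    env['attrs'][ip_attr] as the client IP. ip_attr is the knob that shows
    why the two attributes give different results."""
    client_ip = env["attrs"].get(ip_attr, "")
    for direction, pattern, value in rules:
        if direction == "From":
            addresses = [env["sender"]]
        elif direction == "To":
            addresses = env["recipients"]
        else:  # FromOrTo
            addresses = [env["sender"]] + env["recipients"]
        if rule_matches(pattern, client_ip, addresses):
            return value, (direction, pattern)
    return None, None


if __name__ == "__main__":
    env = parse_envelope(POSTCAT_OUTPUT)
    rules = parse_rules(QUARANTINE_RULES)
    for attr in ("client_address", "log_client_address"):
        print(attr, env["attrs"][attr], "->", evaluate(rules, env, attr))
```

Run against the sample, the evaluator falls through to `FromOrTo: default yes` when `client_address` (127.0.0.1) is used, and hits `From: 212.35.125. no` only when `log_client_address` is used; the `/e-zone\.net/` rule never fires because the envelope sender is empty, whatever the Received: headers say. That is the check to make on the real queue file: confirm which attribute your MailScanner reads, and whether re-injection from clamsmtp leaves it set to the upstream client or to 127.0.0.1.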