Ruleset for Quarantine Infections

Glenn Steen glenn.steen at gmail.com
Thu Dec 20 13:34:40 GMT 2007


On 20/12/2007, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>
> Le 19-déc.-07 à 09:05, Glenn Steen a écrit :
>
> > On 18/12/2007, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
> >> Hello,
> >>
> >>
> >> This mail is related to the thread "MailScanner could not analyze
> >> some
> >> mails".
> >>
> >> As it seems that all the messages which cannot be analyzed come from
> >> the same servers,
> >> I tried to create a ruleset for the Quarantine Infections:
> >>
> >> Quarantine Infections = %rules-dir%/quarantine.rules # was yes
> >>
> >>
> >> In the file quarantine.rules, I have :
> >>
> >> #
> >> # Quarantine Infections
> >> #
> >>
> >> # mail.register.be
> >> #
> >> From:           212.35.125.                     no
> >> From:           /e-zone\.net/                   no
> >>
> >> FromOrTo:       default                         yes
> >>
> >>
> >>
> >> But today, I still have a mail which has been put in quarantine.
> >> The "postcat" of the file gives :
> >>
> >> # postcat 4B600EFB74
> >> *** ENVELOPE RECORDS 4B600EFB74 ***
> >> message_size:            3440             586
> >> 1               0            3440
> >> message_arrival_time: Tue Dec 18 12:17:17 2007
> >> create_time: Tue Dec 18 12:17:17 2007
> >> named_attribute: rewrite_context=local
> >> sender:
> >> named_attribute: log_client_name=localhost.localdomain
> >> named_attribute: log_client_address=127.0.0.1
> >> named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
> >> named_attribute: log_helo_name=smtp4.sgsi.ucl.ac.be
> >> named_attribute: log_protocol_name=ESMTP
> >> named_attribute: client_name=localhost.localdomain
> >> named_attribute: reverse_client_name=localhost.localdomain
> >> named_attribute: client_address=127.0.0.1
> >> named_attribute: helo_name=smtp4.sgsi.ucl.ac.be
> >> named_attribute: client_address_type=2
> >> named_attribute: dsn_orig_rcpt=rfc822;autenne at cpdr.ucl.ac.be
> >> original_recipient: autenne at cpdr.ucl.ac.be
> >> recipient: autenne at cpdr.ucl.ac.be
> >> *** MESSAGE CONTENTS 4B600EFB74 ***
> >> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
> >> [127.0.0.1])
> >>        by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4B600EFB74
> >>        for <autenne at cpdr.ucl.ac.be>; Tue, 18 Dec 2007 12:17:17
> >> +0100 (CET)
> >> Received: from mail5.e-zone.net (unknown [212.35.125.179])
> >>        by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP
> >>        for <autenne at cpdr.ucl.ac.be>; Tue, 18 Dec 2007 12:17:17
> >> +0100 (CET)
> >> Message-Id: <B0079261542 at mail5.e-zone.net>
> >> Date: Tue, 18 Dec 2007 12:17:05 +0100
> >>
> >>
> >> What's wrong with the quarantine ruleset?
> >>
> >> Thanks
> > The ruleset works with the envelope information, not what happens to
> > be in the (possibly forged) RFC822 message, so you should look above
> > the "*** MESSAGE ..." line.
> > As you can see there, it is seen as locally supplied. Is this perhaps
> > a release from quarantine?
> >
> > Cheers
> > --
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
>
> Hello,
>
>
> I have followed the instructions from <http://www.mailscanner.info/postfix.html>
> but we also have a before-queue filter (clamsmtp) that could explain
> why the mail is coming from our server.
>
> I have changed the way that the message is re-injected into postfix from
> clamsmtp.
> Now we have :
>
> # postcat 98B581C5CE2
> *** ENVELOPE RECORDS 98B581C5CE2 ***
> message_size:            2970             545
> 1               0            2970
> message_arrival_time: Thu Dec 20 11:02:02 2007
> create_time: Thu Dec 20 11:02:02 2007
> named_attribute: rewrite_context=remote
> sender:
> named_attribute: log_client_address=212.35.125.182
> named_attribute: log_message_origin=unknown[212.35.125.182]
> named_attribute: log_helo_name=web3.e-zone.net
> named_attribute: log_protocol_name=ESMTP
> named_attribute: client_name=localhost.localdomain
> named_attribute: reverse_client_name=localhost.localdomain
> named_attribute: client_address=127.0.0.1
> named_attribute: helo_name=smtp3.sgsi.ucl.ac.be
> named_attribute: client_address_type=2
> named_attribute: dsn_orig_rcpt=rfc822;pascal.maes at uclouvain.be
> original_recipient: pascal.maes at uclouvain.be
> recipient: pascal.maes at uclouvain.be
> *** MESSAGE CONTENTS 98B581C5CE2 ***
> [...]
>
Looking good so far :-).

>
> And the message is still put in quarantine !

What reason is given? The same?

If you try the setting with the MailScanner command, does it return
the expected result?
MailScanner --value=quarantineinfections --ip=212.35.125.182
... or similar, what do you get?

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
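To make the envelope-versus-header distinction from this thread concrete, here is an added example (not MailScanner's own code and not posted by anyone in the thread): a simplified ruleset evaluator in Python that applies the quarantine.rules above to the envelope records of the two queue files. The postcat excerpts are constructed from the thread, and which envelope IP attribute MailScanner actually consults is an assumption, so the evaluator takes that attribute name as a parameter.

```python
import re

# Constructed envelope excerpts, trimmed from the two postcat outputs in the thread.
POSTCAT_BEFORE = """\
named_attribute: rewrite_context=local
sender:
named_attribute: log_client_address=127.0.0.1
named_attribute: client_address=127.0.0.1
"""
POSTCAT_AFTER = """\
named_attribute: rewrite_context=remote
sender:
named_attribute: log_client_address=212.35.125.182
named_attribute: client_address=127.0.0.1
"""
RULES = r"""
# Quarantine Infections
From:           212.35.125.                     no
From:           /e-zone\.net/                   no
FromOrTo:       default                         yes
"""

def parse_envelope(postcat):
    """Collect the sender and every named_attribute from postcat envelope records."""
    env = {}
    for line in postcat.splitlines():
        if line.startswith("named_attribute:"):
            key, _, val = line.split(":", 1)[1].strip().partition("=")
            env[key] = val
        elif line.startswith("sender:"):
            env["sender"] = line.split(":", 1)[1].strip()
    return env

def parse_rules(text):
    """Return (direction, pattern, value) triples; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            direction, pattern, value = line.split()
            rules.append((direction.rstrip(":").lower(), pattern, value))
    return rules

def pattern_matches(pattern, sender, ip):
    if pattern == "default":
        return True
    if pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], sender, re.I) is not None  # regex on sender
    return ip.startswith(pattern)  # bare prefix like 212.35.125. matches the client IP

def evaluate(rules, env, ip_key="client_address"):
    """First matching rule wins; ip_key names the envelope attribute used as the IP (assumption)."""
    sender, ip = env.get("sender", ""), env.get(ip_key, "")
    for direction, pattern, value in rules:
        if direction in ("from", "fromorto") and pattern_matches(pattern, sender, ip):
            return value
    return None
```

With client_address still 127.0.0.1 after re-injection, neither From rule matches and the default "yes" fires; only the attribute carrying the original peer (log_client_address) would select "no".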

