"Virus Scanning" ruleset being ignored?
Daniel Maher
daniel.maher at ubisoft.com
Wed Jan 3 17:38:14 CET 2007
Thanks for the reply,
I agree with your statement; however, that does not explain why files are still scanned for viruses if the ruleset is:
FromOrTo: default no
Interestingly enough, with that set, I see this in the logs when the email is processed by MailScanner:
Jan 3 11:25:41 ad-postfix MailScanner[28089]: Virus and Content Scanning: Starting
Jan 3 11:25:44 ad-postfix MailScanner[28089]: /var/spool/MailScanner/incoming/28089/./C62F81A65DB.211F7/eicar_com.zip: Eicar-Test-Signature FOUND
Jan 3 11:25:44 ad-postfix MailScanner[28089]: Virus Scanning: ClamAV found 1 infections
Jan 3 11:25:44 ad-postfix MailScanner[28089]: Virus Scanning: Found 1 viruses
Jan 3 11:25:44 ad-postfix MailScanner[28089]: Filename Checks: Allowing C62F81A65DB.211F7 eicar_com.zip
However, in the headers for the email once it has been received, I see this:
X-Ubisoft-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
So what's the deal? Is it being scanned, or isn't it? The output from MailScanner appears to be suggesting both. :P
--
_
°v° Daniel Maher
/(_)\ Administrateur Système Unix
^ ^ Unix System Administrator
SMASH '5' FOR VICTORY!
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin.Hepworth
> Sent: January 3, 2007 10:42 AM
> To: MailScanner discussion
> Subject: RE: "Virus Scanning" ruleset being ignored?
>
> Daniel
>
> Depends on the actual envelope-from in the email not the 'From:' line
>
> Check on the Post MailScanner email. There should be a
> X-MailScanner-From: header line
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Daniel Maher
> > Sent: 03 January 2007 15:35
> > To: MailScanner discussion
> > Subject: "Virus Scanning" ruleset being ignored?
> >
> > Hello all,
> >
> >
> >
> > I am attempting to set up a very simple ruleset for the "Virus Scanning"
> > directive. In this ruleset, there is one From address for which virus
> > scanning is disabled, followed by a default of yes. I then pointed the
> > directive in MailScanner.conf to the path and filename of the ruleset.
> > Unfortunately, the ruleset is apparently being ignored.
> >
> >
> >
> > MailScanner.conf:
> >
> > ...
> >
> > Virus Scanning = /etc/MailScanner/rules/virus.scanning.rules
> >
> > ...
> >
> >
> >
> > virus.scanning.rules:
> >
> > From: somebody at somewhere.org no
> >
> > From: default yes
> >
> >
> >
> > Mail from "somebody at somewhere.org" will still be scanned for viruses,
> > however. Following this attempt, I decided to see if the following simple
> > ruleset would have any effect:
> >
> > FromOrTo: default no
> >
> >
> >
> > This was also ignored, as all mail was still scanned. The only way that I
> > could manage any effect whatsoever was to set the following in
> > MailScanner.conf:
> >
> > Virus Scanning = no
> >
> >
> >
> > This did exactly what it's supposed to do - though it's hardly the
> > solution I'm looking for. :P
> >
> >
> >
> > The permissions on path and filename for the ruleset are fine; in fact,
> > I'm using another ruleset for a different directive already, in the same
> > format (and it works properly). Any ideas on why the new one doesn't
> > appear to have any effect would be greatly appreciated. Thank you!
> >
> >
> >
> > --
> >
> > _
> > °v° Daniel Maher
> > /(_)\ Administrateur Système Unix
> > ^ ^ Unix System Administrator
> >
> >
> >
> > SMASH '5' FOR VICTORY!
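
Martin's point that the rule is matched against the envelope sender rather than the `From:` header line, as an added example that is not part of the original thread and is not MailScanner's own code. It is a simplified model (exact address match, first match wins, `default` as fallback); the relay address and the sample message are constructed, and the ruleset address is written with `@` in place of the archive's "at".

```python
from email import message_from_string
from email.utils import parseaddr

# The ruleset from the original question, with the address written normally.
RULESET = """\
From:    somebody@somewhere.org  no
From:    default                 yes
"""

# Constructed sample: a delivered message whose header From: differs from
# the envelope sender recorded in X-MailScanner-From.
SAMPLE = """\
X-MailScanner-From: bounces@relay.example.net
From: Somebody <somebody@somewhere.org>
To: daniel@example.com
Subject: test

body
"""

def parse_ruleset(text):
    """Return (rules, default); rules is a list of (direction, address, value)."""
    rules, default = [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        direction = direction.rstrip(":").lower()
        if pattern.lower() == "default":
            default = value.strip()
        else:
            rules.append((direction, pattern.lower(), value.strip()))
    return rules, default

def evaluate(rules, default, sender, recipient):
    """Simplified model (assumption): first matching rule wins, else the default."""
    for direction, pattern, value in rules:
        hit_from = direction in ("from", "fromorto") and pattern == sender.lower()
        hit_to = direction in ("to", "fromorto") and pattern == recipient.lower()
        if hit_from or hit_to:
            return value
    return default

def compare(raw_message, ruleset_text):
    """Return (result using the envelope sender, result using header From:)."""
    msg = message_from_string(raw_message)
    rules, default = parse_ruleset(ruleset_text)
    recipient = parseaddr(msg["To"])[1]
    envelope = parseaddr(msg["X-MailScanner-From"])[1]
    header = parseaddr(msg["From"])[1]
    return (evaluate(rules, default, envelope, recipient),
            evaluate(rules, default, header, recipient))
```

For the sample, `compare(SAMPLE, RULESET)` gives `yes` for the envelope sender and `no` for the header address, which is how a `From:` rule can look ignored when the two differ.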