"Virus Scanning" ruleset being ignored?

Daniel Maher daniel.maher at ubisoft.com
Wed Jan 3 17:38:14 CET 2007


Thanks for the reply,

I agree with your statement; however, that does not explain why files are still scanned for viruses if the ruleset is:
FromOrTo:   default                       no

Interestingly enough, with that set, the I see this in the logs when the email is processed by MailScanner:
Jan  3 11:25:41 ad-postfix MailScanner[28089]: Virus and Content Scanning: Starting
Jan  3 11:25:44 ad-postfix MailScanner[28089]: /var/spool/MailScanner/incoming/28089/./C62F81A65DB.211F7/eicar_com.zip: Eicar-Test-Signature FOUND
Jan  3 11:25:44 ad-postfix MailScanner[28089]: Virus Scanning: ClamAV found 1 infections
Jan  3 11:25:44 ad-postfix MailScanner[28089]: Virus Scanning: Found 1 viruses
Jan  3 11:25:44 ad-postfix MailScanner[28089]: Filename Checks: Allowing C62F81A65DB.211F7 eicar_com.zip

However, in the headers for the email once it has been received, I see this:
X-Ubisoft-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details

So what's the deal?  Is it being scanned, or isn't it?  The output from MailScanner appears to be suggesting both. :P

--
  _
 °v°  Daniel Maher
/(_)\ Administrateur Système Unix
 ^ ^  Unix System Administrator
 
SMASH '5' FOR VICTORY!

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Martin.Hepworth
> Sent: January 3, 2007 10:42 AM
> To: MailScanner discussion
> Subject: RE: "Virus Scanning" ruleset being ignored?
> 
> Daniel
> 
> Depends on the actual envelope-from in the email not the 'From:' line
> 
> Check on the Post MailScanner email. There should be a
> X-MailScanner-From: header line
> 
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
> 
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> > bounces at lists.mailscanner.info] On Behalf Of Daniel Maher
> > Sent: 03 January 2007 15:35
> > To: MailScanner discussion
> > Subject: "Virus Scanning" ruleset being ignored?
> >
> > Hello all,
> >
> >
> >
> > I am attempting to set up a very simple ruleset for the "Virus
> Scanning"
> > directive.  In this ruleset, there is one From address for which virus
> > scanning is disabled, followed by a default of yes.  I then pointed
> the
> > directive in MailScanner.conf to the path and filename of the ruleset.
> > Unfortunately, the ruleset is apparently being ignored.
> >
> >
> >
> > MailScanner.conf:
> >
> > ...
> >
> > Virus Scanning = /etc/MailScanner/rules/virus.scanning.rules
> >
> > ...
> >
> >
> >
> > virus.scanning.rules:
> >
> > From:       somebody at somewhere.org        no
> >
> > From:       default                       yes
> >
> >
> >
> > Mail from "somebody at somewhere.org" will still be scanned for viruses,
> > however.  Following this attempt, I decided to see if the following
> simple
> > ruleset would have any effect:
> >
> > FromOrTo:   default                       no
> >
> >
> >
> > This was also ignored, as all mail was still scanned.  The only way
> that I
> > could manage any effect whatsoever was to set the following in
> > MailScanner.conf:
> >
> > Virus Scanning = no
> >
> >
> >
> > This did exactly what it's supposed to do - though it's hardly the
> > solution I'm looking for. :P
> >
> >
> >
> > The permissions on path and filename for the ruleset are fine; in
> fact,
> > I'm using another ruleset for a different directive already, in the
> same
> > format (and it works properly).  Any ideas on why the new one doesn't
> > appear to have any effect would be greatly appreciated.  Thank you!
> >
> >
> >
> > --
> >
> >   _
> >  °v°  Daniel Maher
> > /(_)\ Administrateur Système Unix
> >  ^ ^  Unix System Administrator
> >
> >
> >
> > SMASH '5' FOR VICTORY!
> >
> >
> 
> 
> 
> 
> 
> **********************************************************************
> 
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
> 
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
> 
> **********************************************************************
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website!


More information about the MailScanner mailing list