"Virus Scanning" ruleset being ignored?

Andrew Hodges ahodges at phenom-networks.com
Wed Jan 3 18:49:43 CET 2007


Also please be aware that unless you split your mail messages in the incoming queue you could end up sending a virus to a user that should be scanned.


E.g.

Your scan.rules file reads as follows

To: somebody at somewhere.com no
FromOrTo: default yes


If you also receive email for domain @here.com and someone sends a mail addressed to both someone at somewhere.com and someone at here.com then it will react on the first rule that matches. i.e. someone at somewhere.com no

Then someone at here.com receives the infected file...

Even if you added a rule for someone at here.com yes above the @somewhere.com rule then the email would be based on the here.com rule and get scanned.

I can provide a link to splitting messages to a max 1 recipient in sendmail, don't know whether it is any use to you...
I have this in place on my system and it does not give me a big performance hit, though I currently only scan ~3000 emails a day.


Andy Hodges
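
The multi-recipient case described above, modelled as an added example (not part of the original post and not MailScanner's own code): it applies the first-match evaluation the post describes to the message as a whole, then compares one queue file for all recipients against one queue file per recipient. The pattern matcher, the sender address and the scan-by-default fallback are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed ruleset mirroring the scan.rules example in the post.
RULES = [
    ("To", "somebody@somewhere.com", "no"),
    ("FromOrTo", "default", "yes"),
]

def rule_matches(direction, pattern, sender, recipients):
    """True if the rule matches any address of the message as a whole."""
    if pattern == "default":
        return True
    addrs = []
    if direction in ("From", "FromOrTo"):
        addrs.append(sender)
    if direction in ("To", "FromOrTo"):
        addrs.extend(recipients)
    return any(fnmatchcase(a.lower(), pattern.lower()) for a in addrs)

def virus_scanning(rules, sender, recipients):
    """Value of the first rule, top to bottom, that matches the message."""
    for direction, pattern, value in rules:
        if rule_matches(direction, pattern, sender, recipients):
            return value == "yes"
    return True  # assumption: scan when no rule matches

def exposed_recipients(rules, sender, recipients, split):
    """Recipients delivered unscanned although mail to them alone would be scanned."""
    batches = [[r] for r in recipients] if split else [list(recipients)]
    exposed = []
    for batch in batches:
        if not virus_scanning(rules, sender, batch):
            exposed += [r for r in batch if virus_scanning(rules, sender, [r])]
    return exposed

if __name__ == "__main__":
    sender = "sender@example.net"  # constructed sender address
    rcpts = ["somebody@somewhere.com", "someone@here.com"]
    print("one queue file :", exposed_recipients(RULES, sender, rcpts, split=False))
    print("split per rcpt :", exposed_recipients(RULES, sender, rcpts, split=True))
```

With the rules in their original order the second recipient is listed as exposed only when the message is not split; placing a matching "yes" rule first makes the whole message scanned, including the copy for the exempted address.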

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Andrew Hodges
Sent: 03 January 2007 17:20
To: MailScanner discussion
Subject: RE: "Virus Scanning" ruleset being ignored?

I think I read somewhere that it will still physically scan the item, it just ignores the virus if it meets a scanning rule that states no...

Believe it is easier to scan all and change what you do with infections than look at scanning only certain items.

Andy Hodges  

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of martinh at solidstatelogic.com
Sent: 03 January 2007 16:49
To: MailScanner discussion
Subject: RE: "Virus Scanning" ruleset being ignored?

Daniel

I'd run this in debug mode....looks like something's going wrong somewhere....!


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Daniel Maher
> Sent: 03 January 2007 16:38
> To: MailScanner discussion
> Subject: RE: "Virus Scanning" ruleset being ignored?
>
> Thanks for the reply,
>
> I agree with your statement; however, that does not explain why files are
> still scanned for viruses if the ruleset is:
> FromOrTo:   default                       no
>
> Interestingly enough, with that set, I see this in the logs when the
> email is processed by MailScanner:
> Jan  3 11:25:41 ad-postfix MailScanner[28089]: Virus and Content Scanning: Starting
> Jan  3 11:25:44 ad-postfix MailScanner[28089]: /var/spool/MailScanner/incoming/28089/./C62F81A65DB.211F7/eicar_com.zip: Eicar-Test-Signature FOUND
> Jan  3 11:25:44 ad-postfix MailScanner[28089]: Virus Scanning: ClamAV found 1 infections
> Jan  3 11:25:44 ad-postfix MailScanner[28089]: Virus Scanning: Found 1 viruses
> Jan  3 11:25:44 ad-postfix MailScanner[28089]: Filename Checks: Allowing C62F81A65DB.211F7 eicar_com.zip
>
> However, in the headers for the email once it has been received, I see
> this:
> X-Ubisoft-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
>
> So what's the deal?  Is it being scanned, or isn't it?  The output from
> MailScanner appears to be suggesting both. :P
>
> --
>   _
>  °v°  Daniel Maher
> /(_)\ Administrateur Système Unix
>  ^ ^  Unix System Administrator
>
> SMASH '5' FOR VICTORY!
>
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin.Hepworth
> > Sent: January 3, 2007 10:42 AM
> > To: MailScanner discussion
> > Subject: RE: "Virus Scanning" ruleset being ignored?
> >
> > Daniel
> >
> > Depends on the actual envelope-from in the email not the 'From:' line
> >
> > Check on the Post MailScanner email. There should be a
> > X-MailScanner-From: header line
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Daniel Maher
> > > Sent: 03 January 2007 15:35
> > > To: MailScanner discussion
> > > Subject: "Virus Scanning" ruleset being ignored?
> > >
> > > Hello all,
> > >
> > >
> > >
> > > I am attempting to set up a very simple ruleset for the "Virus Scanning"
> > > directive.  In this ruleset, there is one From address for which virus
> > > scanning is disabled, followed by a default of yes.  I then pointed the
> > > directive in MailScanner.conf to the path and filename of the ruleset.
> > > Unfortunately, the ruleset is apparently being ignored.
> > >
> > >
> > >
> > > MailScanner.conf:
> > >
> > > ...
> > >
> > > Virus Scanning = /etc/MailScanner/rules/virus.scanning.rules
> > >
> > > ...
> > >
> > >
> > >
> > > virus.scanning.rules:
> > >
> > > From:       somebody at somewhere.org        no
> > >
> > > From:       default                       yes
> > >
> > >
> > >
> > > Mail from "somebody at somewhere.org" will still be scanned for viruses,
> > > however.  Following this attempt, I decided to see if the following simple
> > > ruleset would have any effect:
> > >
> > > FromOrTo:   default                       no
> > >
> > >
> > >
> > > This was also ignored, as all mail was still scanned.  The only way that I
> > > could manage any effect whatsoever was to set the following in
> > > MailScanner.conf:
> > >
> > > Virus Scanning = no
> > >
> > >
> > >
> > > This did exactly what it's supposed to do - though it's hardly the 
> > > solution I'm looking for. :P
> > >
> > >
> > >
> > > The permissions on path and filename for the ruleset are fine; in fact,
> > > I'm using another ruleset for a different directive already, in the same
> > > format (and it works properly).  Any ideas on why the new one doesn't
> > > appear to have any effect would be greatly appreciated.  Thank you!
> > >
> > >
> > >
> > > --
> > >
> > >   _
> > >  °v°  Daniel Maher
> > > /(_)\ Administrateur Système Unix
> > >  ^ ^  Unix System Administrator
> > >
> > >
> > >
> > > SMASH '5' FOR VICTORY!
> > >
> > >
> >
> >
> >
> >
> >
> >
> > **********************************************************************
> >
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the system manager.
> >
> > This footnote confirms that this email message has been swept for
> > the presence of computer viruses and is believed to be clean.
> >
> > **********************************************************************
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!





--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
