{Disarmed} Re: dangerous content

Julian Field MailScanner at ecs.soton.ac.uk
Tue Sep 18 14:39:43 IST 2007


Your virus scanning is screwed up for starters. Run "MailScanner --lint" 
and post the output. Also please tell us the content of "Virus Scanners 
= " in MailScanner.conf, and your virus.scanners.conf file.

You need to set
TNEF Expander = internal
in MailScanner.conf to get rid of the TNEF error you previously posted.

infolistas listas wrote:
> Another log this time user1 sending to me, I didn't get the dangerous 
> content message nor the Corrupt TNEF winmail.dat that cannot be 
> analysed in message AF5657FF98.75B99
>
> Sep 18 10:23:01 mailbeta MailScanner[31952]: Message BFF1F7FF98.052FB 
> from 10.10.10.49 (user1 at mydomain.com.br) to mfplan.com.br is not 
> spam, SpamAssassin (not cached, score=-103.754, required 3, 
> autolearn=not spam, ALL_TRUSTED -1.80, AWL 0.53, BAYES_00 -2.60, 
> HTML_90_100 0.11, HTML_MESSAGE 0.00, USER_IN_WHITELIST -100.00)
> Sep 18 10:23:01 mailbeta MailScanner[31952]: Spam Checks completed at 
> 3791 bytes per second
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Virus and Content 
> Scanning: Starting
> Sep 18 10:23:02 mailbeta MailScanner[31952]: WARNING: Ignoring option 
> --unzip
> Sep 18 10:23:02 mailbeta MailScanner[31952]: WARNING: Ignoring option 
> --jar
> Sep 18 10:23:02 mailbeta MailScanner[31952]: WARNING: Ignoring option 
> --tar
> Sep 18 10:23:02 mailbeta MailScanner[31952]: WARNING: Ignoring option 
> --tgz
> Sep 18 10:23:02 mailbeta MailScanner[31952]: WARNING: Ignoring option 
> --deb
> Sep 18 10:23:02 mailbeta MailScanner[31952]: WARNING: Ignoring option 
> --max-ratio
> Sep 18 10:23:02 mailbeta MailScanner[31952]: WARNING: Ignoring option 
> --tempdir
> Sep 18 10:23:02 mailbeta MailScanner[31952]: WARNING: Ignoring option 
> --recursive (-r)
> Sep 18 10:23:02 mailbeta MailScanner[31952]: WARNING: Ignoring option 
> --unrar
> Sep 18 10:23:02 mailbeta MailScanner[31952]: 
> /var/spool/MailScanner/incoming/31952/.: lstat() failed. ERROR
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Filename Checks: Allowing 
> BFF1F7FF98.052FB msg-31952-4.txt
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Filename Checks: Allowing 
> BFF1F7FF98.052FB msg-31952-5.html (no rule matched)
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Filename Checks: Allowing 
> BFF1F7FF98.052FB COMUNICA%%C7%%C3O IN.doc (no rule matched)
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Filetype Checks: Allowing 
> BFF1F7FF98.052FB msg-31952-5.html
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Filetype Checks: Allowing 
> BFF1F7FF98.052FB msg-31952-4.txt
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Filetype Checks: Allowing 
> BFF1F7FF98.052FB COMUNICA%%C7%%C3O IN.doc (no match found)
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Virus Scanning completed 
> at 172635 bytes per second
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Requeue: BFF1F7FF98.052FB 
> to D0A537FF9B
> Sep 18 10:23:02 mailbeta postfix/qmgr[31781]: D0A537FF9B: 
> from=<user1 at mydomain.com.br>, size=46994, nrcpt=2 (queue active)
> Sep 18 10:23:02 mailbeta postfix/virtual[32275]: D0A537FF9B: 
> to=<getall at mydomain.com.br>, relay=virtual, delay=13, 
> delays=13/0.02/0/0.08, dsn=2.0.0, status=sent (delivered to maildir)
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Uninfected: Delivered 1 
> messages
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Virus Processing 
> completed at 96012 bytes per second
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Batch completed at 3562 
> bytes per second (45049 / 12)
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Batch (1 message) 
> processed in 12.65 seconds
> Sep 18 10:23:02 mailbeta MailScanner[31952]: New Batch: Scanning 1 
> messages, 32156 bytes
> Sep 18 10:23:02 mailbeta MailScanner[31952]: Spam Checks: Starting
> Sep 18 10:23:02 mailbeta postfix/virtual[32277]: D0A537FF9B: 
> to=<teste at mydomain.com.br>, relay=virtual, delay=13, 
> delays=13/0.08/0/0.07, dsn=2.0.0, status=sent (delivered to maildir)
> Sep 18 10:23:02 mailbeta postfix/qmgr[31781]: D0A537FF9B: removed
>
> 2007/9/18, infolistas listas <grupolistas at gmail.com>:
>
>     I was viewing the log I hope it's useful
>
>     ---
>
>     Sep 18 09:34:44 mailbeta MailScanner[30405]: Message
>     AF5657FF98.75B99 from 10.10.10.49 (user1 at mydomain.com.br) to
>     mfplan.com.br is not spam, SpamAssassin (not cached,
>     score=-102.971, required 3, autolearn=not spam, ALL_TRUSTED -1.80,
>     AWL -0.38, BAYES_00 -2.60, BLANK_LINES_70_80 1.80,
>     USER_IN_WHITELIST -100.00)
>     Sep 18 09:34:44 mailbeta MailScanner[30405]: Spam Checks completed
>     at 3925 bytes per second
>     Sep 18 09:34:44 mailbeta MailScanner[30405]: Expanding TNEF
>     archive at
>     /var/spool/MailScanner/incoming/30405/AF5657FF98.75B99/winmail.dat
>     Sep 18 09:34:44 mailbeta MailScanner[30836]: TNEF decoder failed
>     with real error: Can't run tnef decoder: Arquivo ou diretório
>     inexistente at /usr/share/MailScanner/MailScanner/TNEF.pm line 238.
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Corrupt TNEF
>     winmail.dat that cannot be analysed in message AF5657FF98.75B99
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Virus and Content
>     Scanning: Starting
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring
>     option --unzip
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring
>     option --jar
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring
>     option --tar
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring
>     option --tgz
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring
>     option --deb
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring
>     option --max-ratio
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring
>     option --tempdir
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring
>     option --recursive (-r)
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring
>     option --unrar
>     Sep 18 09:34:45 mailbeta MailScanner[30405]:
>     /var/spool/MailScanner/incoming/30405/.: lstat() failed. ERROR
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Filename Checks:
>     Allowing AF5657FF98.75B99 msg-30405-6.txt
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Filename Checks:
>     Allowing AF5657FF98.75B99 winmail.dat (no rule matched)
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Filename Checks:
>     Allowing AF5657FF98.75B99 msg-30405-5.txt
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Filetype Checks:
>     Allowing AF5657FF98.75B99 winmail.dat (no match found)
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Filetype Checks:
>     Allowing AF5657FF98.75B99 msg-30405-6.txt
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Filetype Checks:
>     Allowing AF5657FF98.75B99 msg-30405-5.txt
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Virus Scanning
>     completed at 161675 bytes per second
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Requeue:
>     AF5657FF98.75B99 to 8FBF77FF99
>     Sep 18 09:34:45 mailbeta postfix/qmgr[30480]: 8FBF77FF99:
>     from=<user1 at mydomain.com.br>, size=2922, nrcpt=2 (queue active)
>     Sep 18 09:34:45 mailbeta MailScanner[30405]: Cleaned: Delivered 1
>     cleaned messages
>     Sep 18 09:34:45 mailbeta postfix/virtual[30737]: 8FBF77FF99:
>     to=<user2 at mydomain.com.br>, relay=virtual, delay=17,
>     delays=17/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
>     Sep 18 09:34:45 mailbeta postfix/virtual[30739]: 8FBF77FF99:
>     to=<getall at mydomain.com.br>, relay=virtual, delay=17,
>     delays=17/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
>     Sep 18 09:34:45 mailbeta postfix/qmgr[30480]: 8FBF77FF99: removed
>     Sep 18 09:34:45 mailbeta postfix[30846]: error: to submit mail,
>     use the Postfix sendmail command
>     Sep 18 09:34:45 mailbeta postfix[30846]: fatal: the postfix
>     command is reserved for the superuser
>     Sep 18 09:34:45 mailbeta imapd: Connection,
>     ip=[::ffff:10.10.10.29]
>
>     2007/9/18, infolistas listas <grupolistas at gmail.com>:
>
>         That user isn't sending anything more than is set on the rules.
>         (attachments of all types are allowed to be sent). Only 9
>         users are allowed to send attachments outside, all attachments
>         are allowed inside domain, that user is one of them, the
>         problem is only with her and another specific user, that's from
>         our own domain.
>         How do I turn the dangerous content checking out? Will it
>         interfere with the incoming checking of outside domain?
>         How can I make an exception for only one user?
>         I couldn't find anything that pointed to the problem, the
>         only thing strange is that the messages coming from that user
>         to the other specific user were requeued, nor mailscanner nor
>         spamassassin pointed anything different.
>         Do you need logs?
>         Thanks
>
>         2007/9/17, Scott Silva <ssilva at sgvwater.com>:
>
>             infolistas listas spake the following on 9/17/2007 4:16 PM:
>             > Hi all,
>             > I'm getting a problem from a specific user,
>             > when this user sends an email to another specific user
>             > the mail arrives with the {dangerous content} flag.
>             > How can I solve this?
>             >
>             >
>             1) Tell user to stop sending dangerous content.
>             2) Write ruleset to exempt the user from dangerous content
>             rules.
>             3) Turn off dangerous content checking.
>
>             You gave very limited info in your question, so I had to
>             give a very general
>             answer.
>
>             --
>
>             MailScanner is like deodorant...
>             You hope everybody uses it, and
>             you notice quickly if they don't!!!!
>
>             --
>             MailScanner mailing list
>             mailscanner at lists.mailscanner.info
>             <mailto:mailscanner at lists.mailscanner.info>
>             http://lists.mailscanner.info/mailman/listinfo/mailscanner
>             <http://lists.mailscanner.info/mailman/listinfo/mailscanner>
>
>             Before posting, read http://wiki.mailscanner.info/posting
>
>             Support MailScanner development - buy the book off the
>             website!
>
>
>
>

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
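
The scanner faults visible in the quoted logs can be checked for automatically. The following is an added example, not part of the original thread or of MailScanner itself: it groups MailScanner syslog lines by worker PID and reports workers that logged a virus-scanner or TNEF fault, flagging those that still delivered mail. The regexes, function names and the abridged sample lines are this example's own assumptions.

```python
import re
from collections import defaultdict

# Fault patterns modelled on the messages quoted in the thread (regexes are assumptions).
FAULTS = {
    "scanner_option_ignored": re.compile(r"WARNING: Ignoring option (\S+)"),
    "scan_path_unreadable": re.compile(r"(\S+): lstat\(\) failed\. ERROR"),
    "tnef_decoder_failed": re.compile(r"TNEF decoder failed with real error: (.+)"),
    "tnef_unanalysed": re.compile(r"Corrupt TNEF (\S+) that cannot be analysed"),
}
DELIVERED = re.compile(r"(Uninfected|Cleaned): Delivered (\d+)")
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) MailScanner\[(\d+)\]: (.*)$")

# Constructed sample: lines abridged and unwrapped from the log excerpts in the thread.
SAMPLE = """\
Sep 18 09:34:44 mailbeta MailScanner[30836]: TNEF decoder failed with real error: Can't run tnef decoder
Sep 18 09:34:45 mailbeta MailScanner[30405]: Corrupt TNEF winmail.dat that cannot be analysed in message AF5657FF98.75B99
Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring option --unzip
Sep 18 09:34:45 mailbeta MailScanner[30405]: WARNING: Ignoring option --recursive (-r)
Sep 18 09:34:45 mailbeta MailScanner[30405]: /var/spool/MailScanner/incoming/30405/.: lstat() failed. ERROR
Sep 18 09:34:45 mailbeta MailScanner[30405]: Cleaned: Delivered 1 cleaned messages
Sep 18 09:34:45 mailbeta postfix/qmgr[30480]: 8FBF77FF99: removed
"""

def audit(log_text):
    """Return {pid: {"faults": {kind: [details]}, "delivered": n}} for workers that logged a fault."""
    workers = defaultdict(lambda: {"faults": defaultdict(list), "delivered": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # postfix, imapd and other non-MailScanner lines
        pid, msg = m.group(3), m.group(4)
        for kind, rx in FAULTS.items():
            hit = rx.search(msg)
            if hit:
                workers[pid]["faults"][kind].append(hit.group(1))
        d = DELIVERED.search(msg)
        if d:
            workers[pid]["delivered"] += int(d.group(2))
    return {p: {"faults": dict(w["faults"]), "delivered": w["delivered"]}
            for p, w in workers.items() if w["faults"]}

def delivered_despite_faults(report):
    """PIDs of workers that released mail in a log window where the scanner was faulting."""
    return sorted(p for p, w in report.items() if w["delivered"] > 0)

if __name__ == "__main__":
    print(delivered_despite_faults(audit(SAMPLE)))
```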



