MailScanner ignoring some rules
Glenn Steen
glenn.steen at gmail.com
Fri Apr 4 19:20:18 IST 2008
Sorry all, for the top post... a bit too tipsy to really safely (snip)
with even a virtual scissor...:-)
That all _looks_ mostly OK... So, plan B... You've never used another
system to edit the MailScanner.conf or rules file? Like crappy
windoze? If so, there might be "non-printable" characters on the end
of the line (like a spurious <CR>)... Then again, I thought the --lint
would catch that... Oh well.
Cheers
-- Glenn
On 04/04/2008, TecnoWay Digital <mailscanner at tecnowaydigital.com.br> wrote:
> MailScanner --lint
>
> Trying to setlogsock(unix)
> Read 817 hostnames from the phishing whitelist
> Read 5549 hostnames from the phishing blacklist
> Config: calling custom init function SQLBlacklist
> Starting up SQL Blacklist
> Read 326 blacklist entries
> Config: calling custom init function MailWatchLogging
> Started SQL Logging child
> Config: calling custom init function SQLWhitelist
> Starting up SQL Whitelist
> Read 40 whitelist entries
> Checking version numbers...
> Version number in MailScanner.conf (4.68.8) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to (89)
> MailScanner setting UID to (89)
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temporary working directory is
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = mcafee"
> Found these virus scanners installed: clamav, mcafee
> ===========================================================================
> Virus and Content Scanning: Starting
> /1/eicar.com Found: EICAR test file NOT a virus.
> Virus Scanning: McAfee found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 1 viruses
> ===========================================================================
> Virus Scanner test reports:
> McAfee said "/1/eicar.com Found: EICAR test file NOT a virus."
>
> If any of your virus scanners (clamav,mcafee)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its virus.scanners.conf.
> Config: calling custom end function SQLBlacklist
> Closing down by-domain spam blacklist
> Config: calling custom end function MailWatchLogging
> Config: calling custom end function SQLWhitelist
> Closing down by-domain spam whitelist
> --------------------------------------------------------------------
>
> My MailScanner.conf
>
> %org-name% = Silmaq
> %org-long-name% = Silmaq S.A
> %web-site% = www.silmaq.com.br
> %etc-dir% = /etc/MailScanner
> %report-dir% = /etc/MailScanner/reports/pt_br
> %rules-dir% = /etc/MailScanner/rules
> %mcp-dir% = /etc/MailScanner/mcp
> Max Children = 5
> Run As User = postfix
> Run As Group = postfix
> Queue Scan Interval = 6
> Incoming Queue Dir = /var/spool/postfix/hold
> Outgoing Queue Dir = /var/spool/postfix/incoming
> Incoming Work Dir = /var/spool/MailScanner/incoming
> Quarantine Dir = /var/spool/MailScanner/quarantine
> PID file = /var/run/MailScanner.pid
> Restart Every = 7200
> MTA = postfix
> Sendmail = /usr/sbin/sendmail
> Sendmail2 = /usr/sbin/sendmail
> Incoming Work User =
> Incoming Work Group =
> Incoming Work Permissions = 0600
> Quarantine User = root
> Quarantine Group = apache
> Quarantine Permissions = 0660
> Max Unscanned Bytes Per Scan = 100m
> Max Unsafe Bytes Per Scan = 50m
> Max Unscanned Messages Per Scan = 30
> Max Unsafe Messages Per Scan = 30
> Max Normal Queue Size = 800
> Scan Messages = %rules-dir%/scan.messages.rules
> Reject Message = no
> Maximum Attachments Per Message = 200
> Expand TNEF = yes
> Use TNEF Contents = replace
> Deliver Unparsable TNEF = no
> TNEF Expander = /usr/bin/tnef --maxsize=100000000
> TNEF Timeout = 120
> File Command = /usr/bin/file
> File Timeout = 20
> Gunzip Command = /bin/gunzip
> Gunzip Timeout = 50
> Unrar Command = /usr/bin/unrar
> Unrar Timeout = 50
> Find UU-Encoded Files = no
> Maximum Message Size = %rules-dir%/max.message.size.rules
> Maximum Attachment Size = -1
> Minimum Attachment Size = -1
> Maximum Archive Depth = 0
> Find Archives By Content = yes
> Zip Attachments = no
> Attachments Zip Filename = MessageAttachments.zip
> Attachments Min Total Size To Zip = 100k
> Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe
> .mpeg .mp3 .rpm .htm .html .eml
> Virus Scanning = yes
> Virus Scanners = mcafee
> Virus Scanner Timeout = 300
> Deliver Disinfected Files = no
> Silent Viruses = HTML-IFrame All-Viruses
> Still Deliver Silent Viruses = no
> Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
> Block Encrypted Messages = no
> Block Unencrypted Messages = no
> Allow Password-Protected Archives = no
> Check Filenames In Password-Protected Archives = yes
> Allowed Sophos Error Messages =
> Sophos IDE Dir = /opt/sophos-av/lib/sav
> Sophos Lib Dir = /opt/sophos-av/lib
> Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide
> Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/*
> /usr/local/share/clamav/*.cvd
> ClamAVmodule Maximum Recursion Level = 8
> ClamAVmodule Maximum Files = 1000
> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
> ClamAVmodule Maximum Compression Ratio = 250
> Clamd Port = 3310
> Clamd Socket = /tmp/clamd
> Clamd Lock File = # /var/lock/subsys/clamd
> Clamd Use Threads = no
> ClamAV Full Message Scan = yes
> Fpscand Port = 10200
> Dangerous Content Scanning = yes
> Allow Partial Messages = no
> Allow External Message Bodies = no
> Find Phishing Fraud = yes
> Also Find Numeric Phishing = yes
> Use Stricter Phishing Net = yes
> Highlight Phishing Fraud = yes
> Phishing Safe Sites File =
> %etc-dir%/phishing.safe.sites.conf
> Phishing Bad Sites File =
> %etc-dir%/phishing.bad.sites.conf
> Country Sub-Domains List = %etc-dir%/country.domains.conf
> Allow IFrame Tags = disarm
> Allow Form Tags = disarm
> Allow Script Tags = disarm
> Allow WebBugs = disarm
> Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap
> Known Web Bug Servers = msgtag.com
> Web Bug Replacement =
> http://www.mailscanner.tv/1x1spacer.gif
> Allow Object Codebase Tags = disarm
> Convert Dangerous HTML To Text = no
> Convert HTML To Text = no
> Allow Filenames =
> Deny Filenames =
> Filename Rules = %etc-dir%/filename.regra.rules
> Allow Filetypes =
> Allow File MIME Types =
> Deny Filetypes =
> Deny File MIME Types =
> Filetype Rules = %etc-dir%/filetype.rules.conf
> Quarantine Infections = yes
> Quarantine Silent Viruses = no
> Quarantine Modified Body = no
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no
> Keep Spam And MCP Archive Clean = no
> Language Strings = %report-dir%/languages.conf
> Rejection Report = %report-dir%/rejection.report.txt
> Deleted Bad Content Message Report =
> %report-dir%/deleted.content.message.txt
> Deleted Bad Filename Message Report =
> %report-dir%/deleted.filename.message.txt
> Deleted Virus Message Report =
> %report-dir%/deleted.virus.message.txt
> Deleted Size Message Report =
> %report-dir%/deleted.size.message.txt
> Stored Bad Content Message Report =
> %report-dir%/stored.content.message.txt
> Stored Bad Filename Message Report =
> %report-dir%/stored.filename.message.txt
> Stored Virus Message Report =
> %report-dir%/stored.virus.message.txt
> Stored Size Message Report =
> %report-dir%/stored.size.message.txt
> Disinfected Report = %report-dir%/disinfected.report.txt
> Inline HTML Signature = %report-dir%/inline.sig.html
> Inline Text Signature = %report-dir%/inline.sig.txt
> Signature Image Filename = %report-dir%/sig.jpg
> Signature Image <img> Filename = signature.jpg
> Inline HTML Warning = %report-dir%/inline.warning.html
> Inline Text Warning = %report-dir%/inline.warning.txt
> Sender Content Report =
> %report-dir%/sender.content.report.txt
> Sender Error Report = %report-dir%/sender.error.report.txt
> Sender Bad Filename Report =
> %report-dir%/sender.filename.report.txt
> Sender Virus Report = %report-dir%/sender.virus.report.txt
> Sender Size Report = %report-dir%/sender.size.report.txt
> Hide Incoming Work Dir = yes
> Include Scanner Name In Reports = yes
> Mail Header = X-%org-name%-MailScanner:
> Spam Header = X-%org-name%-MailScanner-SpamCheck:
> Spam Score Header = X-%org-name%-MailScanner-SpamScore:
> Information Header = X-%org-name%-MailScanner-Information:
> Add Envelope From Header = yes
> Add Envelope To Header = no
> Envelope From Header = X-%org-name%-MailScanner-From:
> Envelope To Header = X-%org-name%-MailScanner-To:
> Spam Score Character = s
> SpamScore Number Instead Of Stars = no
> Minimum Stars If On Spam List = 0
> Clean Header Value = Found to be clean
> Infected Header Value = Found to be infected
> Disinfected Header Value = Disinfected
> Information Header Value = Please contact the ISP for more information
> Detailed Spam Report = yes
> Include Scores In SpamAssassin Report = yes
> Always Include SpamAssassin Report = no
> Multiple Headers = append
> Hostname = the %org-name% ($HOSTNAME) MailScanner
> Sign Messages Already Processed = no
> Sign Clean Messages = %rules-dir%/regras_assinatura.rules
> Attach Image To Signature = no
> Attach Image To HTML Message Only = yes
> Mark Infected Messages = yes
> Mark Unscanned Messages = yes
> Unscanned Header Value = Not scanned: please contact your Internet E-Mail
> Service Provider for details
> Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:
> Deliver Cleaned Messages = yes
> Notify Senders = yes
> Notify Senders Of Viruses = no
> Notify Senders Of Blocked Filenames Or Filetypes = yes
> Notify Senders Of Blocked Size Attachments = no
> Notify Senders Of Other Blocked Content = yes
> Never Notify Senders Of Precedence = list bulk
> Scanned Subject Text = {Scanned}
> Virus Modify Subject = start
> Virus Subject Text = {Virus?}
> Filename Modify Subject = start
> Filename Subject Text = {Filename?}
> Content Modify Subject = start
> Content Subject Text = {Dangerous Content?}
> Size Modify Subject = start
> Size Subject Text = {Size}
> Disarmed Modify Subject = start
> Disarmed Subject Text = {Disarmed}
> Phishing Modify Subject = no
> Phishing Subject Text = {Fraud?}
> Spam Modify Subject = start
> Spam Subject Text = {Spam?}
> High Scoring Spam Modify Subject = start
> High Scoring Spam Subject Text = {Spam?}
> Warning Is Attachment = yes
> Attachment Warning Filename =
> %org-name%-Attachment-Warning.txt
> Attachment Encoding Charset = ISO-8859-1
> Archive Mail = %rules-dir%/copia-email.rules
> Send Notices = no
> Notices Include Full Headers = yes
> Hide Incoming Work Dir in Notices = no
> Notice Signature = -- \nMailScanner\nEmail Virus
> Scanner\nwww.mailscanner.info
> Notices From = teste
> Notices To = postmaster
> Local Postmaster = postmaster
> Spam List Definitions = %etc-dir%/spam.lists.conf
> Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
> Spam Checks = yes
> Spam Domain List =
> Spam Lists To Be Spam = 1
> Spam Lists To Reach High Score = 3
> Spam List Timeout = 10
> Max Spam List Timeouts = 7
> Spam List Timeouts History = 10
> Is Definitely Not Spam = &SQLWhitelist
> Is Definitely Spam = &SQLBlacklist
> Definite Spam Is High Scoring = no
> Ignore Spam Whitelist If Recipients Exceed = 50
> Max Spam Check Size = 200k
> Use Watermarking = no
> Add Watermark = yes
> Check Watermarks With No Sender = yes
> Treat Invalid Watermarks With No Sender as Spam = nothing
> Check Watermarks To Skip Spam Checks = yes
> Watermark Secret = %org-name%-Secret
> Watermark Lifetime = 604800
> Watermark Header = X-%org-name%-MailScanner-Watermark:
> Use SpamAssassin = yes
> Max SpamAssassin Size = 200k
> Required SpamAssassin Score = 6
> High SpamAssassin Score = 10
> SpamAssassin Auto Whitelist = yes
> SpamAssassin Timeout = 75
> Max SpamAssassin Timeouts = 10
> SpamAssassin Timeouts History = 30
> Check SpamAssassin If On Spam List = yes
> Include Binary Attachments In SpamAssassin = no
> Spam Score = yes
> Cache SpamAssassin Results = yes
> SpamAssassin Cache Database File =
> /var/spool/MailScanner/incoming/SpamAssassin.cache.db
> Rebuild Bayes Every = 0
> Wait During Bayes Rebuild = no
> Use Custom Spam Scanner = no
> Max Custom Spam Scanner Size = 20k
> Custom Spam Scanner Timeout = 20
> Max Custom Spam Scanner Timeouts = 10
> Custom Spam Scanner Timeout History = 20
> Spam Actions = store
> High Scoring Spam Actions = store
> Non Spam Actions = deliver header "X-Spam-Status: No"
> SpamAssassin Rule Actions =
> Sender Spam Report = %report-dir%/sender.spam.report.txt
> Sender Spam List Report =
> %report-dir%/sender.spam.rbl.report.txt
> Sender SpamAssassin Report =
> %report-dir%/sender.spam.sa.report.txt
> Inline Spam Warning = %report-dir%/inline.spam.warning.txt
> Recipient Spam Report =
> %report-dir%/recipient.spam.report.txt
> Enable Spam Bounce = %rules-dir%/bounce.rules
> Bounce Spam As Attachment = no
> Syslog Facility = mail
> Log Speed = no
> Log Spam = no
> Log Non Spam = no
> Log Permitted Filenames = no
> Log Permitted Filetypes = no
> Log Permitted File MIME Types = no
> Log Silent Viruses = no
> Log Dangerous HTML Tags = no
> Log SpamAssassin Rule Actions = no
> SpamAssassin Temporary Dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin User State Dir =
> /var/spool/MailScanner/spamassassin
> SpamAssassin Install Prefix =
> SpamAssassin Site Rules Dir = /etc/mail/spamassassin
> SpamAssassin Local Rules Dir =
> SpamAssassin Default Rules Dir =
> MCP Checks = yes
> First Check = mcp
> MCP Required SpamAssassin Score = 1
> MCP High SpamAssassin Score = 10
> MCP Error Score = 1
> MCP Header = X-%org-name%-MailScanner-MCPCheck:
> Non MCP Actions = deliver
> MCP Actions = forward spam at silmaq.com.br
> High Scoring MCP Actions = forward spam at silmaq.com.br
> Bounce MCP As Attachment = no
> MCP Modify Subject = start
> MCP Subject Text = {Lista de Bloqueio}
> High Scoring MCP Modify Subject = start
> High Scoring MCP Subject Text = {Lista de Bloqueio}
> Is Definitely MCP = no
> Is Definitely Not MCP = no
> Definite MCP Is High Scoring = no
> Always Include MCP Report = no
> Detailed MCP Report = yes
> Include Scores In MCP Report = no
> Log MCP = no
> MCP Max SpamAssassin Timeouts = 20
> MCP Max SpamAssassin Size = 100k
> MCP SpamAssassin Timeout = 10
> MCP SpamAssassin Prefs File =
> %mcp-dir%/mcp.spam.assassin.prefs.conf
> MCP SpamAssassin User State Dir =
> MCP SpamAssassin Local Rules Dir = %mcp-dir%
> MCP SpamAssassin Default Rules Dir = %mcp-dir%
> MCP SpamAssassin Install Prefix = %mcp-dir%
> Recipient MCP Report =
> %report-dir%/recipient.mcp.report.txt
> Sender MCP Report = %report-dir%/sender.mcp.report.txt
> Use Default Rules With Multiple Recipients = no
> Spam Score Number Format = %d
> MailScanner Version Number = 4.68.8
> SpamAssassin Cache Timings = 1800,300,10800,172800,600
> Debug = no
> Debug SpamAssassin = no
> Run In Foreground = no
> Always Looked Up Last = &MailWatchLogging
> Always Looked Up Last After Batch = no
> Deliver In Background = yes
> Delivery Method = batch
> Split Exim Spool = no
> Lockfile Dir = /tmp
> Custom Functions Dir =
> /usr/lib/MailScanner/MailScanner/CustomFunctions
> Lock Type =
> Syslog Socket Type =
> Automatic Syntax Check = yes
> Minimum Code Status = supported
>
> ----- Original Message -----
> From: "Glenn Steen" <glenn.steen at gmail.com>
> To: "MailScanner discussion"
> <mailscanner at lists.mailscanner.info>
> Sent: Friday, April 04, 2008 5:09 AM
> Subject: Re: MailScanner ignoring some rules
>
>
>
> >
> > On 04/04/2008, TecnoWay Digital
> <mailscanner at tecnowaydigital.com.br> wrote:
> >
> > > [root at firewall.silmaq.com.br ~]# ls -lu
> > > /etc/MailScanner/rules/scan.messages.rules
> > > -rwxrwxrwx 1 root root 76 2008-04-03 21:38
> > > /etc/MailScanner/rules/scan.messages.rules
> > >
> > (snip)
> >
> > > [root at firewall.silmaq.com.br ~]# ls -lu
> > > /etc/MailScanner/rules/scan.messages.rules
> > > -rwxrwxrwx 1 root root 76 2008-04-03 21:38
> > > /etc/MailScanner/rules/scan.messages.rules
> > >
> >
> > So your rule file doesn't get read at all... Have you shown us the
> > snippet of your MailScanner.conf where you use it? Could you do so?
> > Also, have you run a "MailScanner --lint" and shown us that output? Please
> do...
> >
> > Cheers
> > --
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> >
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
> >
>
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
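
The check suggested in the reply above, as an added example that is not part of the original post or of MailScanner: a shell script that reports lines containing a carriage return or another control character in MailScanner.conf or a rules file, and flags world-writable files such as the `-rwxrwxrwx` rules file in the quoted `ls` output. The function names and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): look for stray control characters,
# such as a DOS <CR>, in MailScanner.conf or a rules file, and flag
# world-writable files. Function names are hypothetical.

CR=$(printf '\r')

# Line numbers that contain a carriage return. NUL is remapped first so
# grep never falls back to its "Binary file matches" output.
cr_lines() {
    LC_ALL=C tr '\000' '\001' < "$1" | LC_ALL=C grep -n "$CR" | cut -d: -f1
}

# Line numbers that contain any other control byte (tabs and CRs set aside).
ctrl_lines() {
    LC_ALL=C tr -d '\t\r' < "$1" | LC_ALL=C tr '\000' '\001' |
        LC_ALL=C grep -n '[[:cntrl:]]' | cut -d: -f1
}

# True when the "other" write bit is set on the file.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Print one finding per line; return 0 when clean, 1 when anything was found.
check_file() {
    f=$1
    rc=0
    for n in $(cr_lines "$f"); do
        echo "$f:$n: carriage return (DOS line ending?)"
        rc=1
    done
    for n in $(ctrl_lines "$f"); do
        echo "$f:$n: non-printable control character"
        rc=1
    done
    if is_world_writable "$f"; then
        echo "$f: world-writable"
        rc=1
    fi
    return "$rc"
}

# Usage: sh check-ms-files.sh /etc/MailScanner/MailScanner.conf \
#            /etc/MailScanner/rules/scan.messages.rules
for arg in "$@"; do
    check_file "$arg"
done
```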