MailScanner ignoring some rules
Rick Cooper
rcooper at dwford.com
Fri Apr 4 23:26:31 IST 2008
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On
> Behalf Of Glenn Steen
> Sent: Friday, April 04, 2008 2:20 PM
> To: MailScanner discussion
> Subject: Re: MailScanner ignoring some rules
>
> Sorry all, for the top post... a bit too tipsy to really safely (snip)
> with even a virtual scissor...:-)
>
> That all _looks_ mostly OK... So, plan B... You've never used another
> system to edit the MailScanner.conf or rules file? Like crappy
> windoze? If so, there might be "non-printable" characters on the end
> of the line (like a spurious <CR>)... Then again, I thought the --lint
> would catch that... Oh well.
>
> Cheers
> -- Glenn
Hey, Glenn, 99.9% of the time I edit all my *nix files with a Windows-only
program. Boxer text editor. Been using it since it was a little DOS pup.
It's a really nice editor geared primarily towards programming and it
handles DOS, Unix and Mac files as it sees them and I have the default save
mode set to Unix. Since I haven't the luxury of choosing my primary desktop
OS I find Boxer invaluable as all my servers (except 3 vendor managed
specialty servers) are Linux boxes and with its built-in FTP open/save and
projects I can't imagine living without it.

BTW: You have given me a great idea, instead of worrying about running out
of my OxyContin, Percocet and Vicodin I should just grab a bottle of Jack or
151 and I bet I can keep the pain down all weekend long without a single
pill! ;->)
>
> On 04/04/2008, TecnoWay Digital
> <mailscanner at tecnowaydigital.com.br> wrote:
> > MailScanner --lint
> >
> > Trying to setlogsock(unix)
> > Read 817 hostnames from the phishing whitelist
> > Read 5549 hostnames from the phishing blacklist
> > Config: calling custom init function SQLBlacklist
> > Starting up SQL Blacklist
> > Read 326 blacklist entries
> > Config: calling custom init function MailWatchLogging
> > Started SQL Logging child
> > Config: calling custom init function SQLWhitelist
> > Starting up SQL Whitelist
> > Read 40 whitelist entries
> > Checking version numbers...
> > Version number in MailScanner.conf (4.68.8) is correct.
> >
> > Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> > MailScanner setting GID to (89)
> > MailScanner setting UID to (89)
> >
> > Checking for SpamAssassin errors (if you use it)...
> > SpamAssassin temporary working directory is
> > /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > SpamAssassin temp dir =
> > /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > Using SpamAssassin results cache
> > Connected to SpamAssassin cache database
> > SpamAssassin reported no errors.
> > Using locktype = posix
> > MailScanner.conf says "Virus Scanners = mcafee"
> > Found these virus scanners installed: clamav, mcafee
> >
> > ===========================================================================
> > Virus and Content Scanning: Starting
> > /1/eicar.com Found: EICAR test file NOT a virus.
> > Virus Scanning: McAfee found 1 infections
> > Infected message 1 came from 10.1.1.1
> > Virus Scanning: Found 1 viruses
> >
> > ===========================================================================
> > Virus Scanner test reports:
> > McAfee said "/1/eicar.com Found: EICAR test file NOT a virus."
> >
> > If any of your virus scanners (clamav,mcafee)
> > are not listed there, you should check that they are installed correctly
> > and that MailScanner is finding them correctly via its virus.scanners.conf.
> > Config: calling custom end function SQLBlacklist
> > Closing down by-domain spam blacklist
> > Config: calling custom end function MailWatchLogging
> > Config: calling custom end function SQLWhitelist
> > Closing down by-domain spam whitelist
> >
> --------------------------------------------------------------------
> >
> > My MailScanner.conf
> >
> > %org-name% = Silmaq
> > %org-long-name% = Silmaq S.A
> > %web-site% = www.silmaq.com.br
> > %etc-dir% = /etc/MailScanner
> > %report-dir% = /etc/MailScanner/reports/pt_br
> > %rules-dir% = /etc/MailScanner/rules
> > %mcp-dir% = /etc/MailScanner/mcp
> > Max Children = 5
> > Run As User = postfix
> > Run As Group = postfix
> > Queue Scan Interval = 6
> > Incoming Queue Dir = /var/spool/postfix/hold
> > Outgoing Queue Dir = /var/spool/postfix/incoming
> > Incoming Work Dir = /var/spool/MailScanner/incoming
> > Quarantine Dir = /var/spool/MailScanner/quarantine
> > PID file = /var/run/MailScanner.pid
> > Restart Every = 7200
> > MTA = postfix
> > Sendmail = /usr/sbin/sendmail
> > Sendmail2 = /usr/sbin/sendmail
> > Incoming Work User =
> > Incoming Work Group =
> > Incoming Work Permissions = 0600
> > Quarantine User = root
> > Quarantine Group = apache
> > Quarantine Permissions = 0660
> > Max Unscanned Bytes Per Scan = 100m
> > Max Unsafe Bytes Per Scan = 50m
> > Max Unscanned Messages Per Scan = 30
> > Max Unsafe Messages Per Scan = 30
> > Max Normal Queue Size = 800
> > Scan Messages = %rules-dir%/scan.messages.rules
> > Reject Message = no
> > Maximum Attachments Per Message = 200
> > Expand TNEF = yes
> > Use TNEF Contents = replace
> > Deliver Unparsable TNEF = no
> > TNEF Expander = /usr/bin/tnef --maxsize=100000000
> > TNEF Timeout = 120
> > File Command = /usr/bin/file
> > File Timeout = 20
> > Gunzip Command = /bin/gunzip
> > Gunzip Timeout = 50
> > Unrar Command = /usr/bin/unrar
> > Unrar Timeout = 50
> > Find UU-Encoded Files = no
> > Maximum Message Size = %rules-dir%/max.message.size.rules
> > Maximum Attachment Size = -1
> > Minimum Attachment Size = -1
> > Maximum Archive Depth = 0
> > Find Archives By Content = yes
> > Zip Attachments = no
> > Attachments Zip Filename = MessageAttachments.zip
> > Attachments Min Total Size To Zip = 100k
> > Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
> > Virus Scanning = yes
> > Virus Scanners = mcafee
> > Virus Scanner Timeout = 300
> > Deliver Disinfected Files = no
> > Silent Viruses = HTML-IFrame All-Viruses
> > Still Deliver Silent Viruses = no
> > Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
> > Block Encrypted Messages = no
> > Block Unencrypted Messages = no
> > Allow Password-Protected Archives = no
> > Check Filenames In Password-Protected Archives = yes
> > Allowed Sophos Error Messages =
> > Sophos IDE Dir = /opt/sophos-av/lib/sav
> > Sophos Lib Dir = /opt/sophos-av/lib
> > Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide
> > Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
> > ClamAVmodule Maximum Recursion Level = 8
> > ClamAVmodule Maximum Files = 1000
> > ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
> > ClamAVmodule Maximum Compression Ratio = 250
> > Clamd Port = 3310
> > Clamd Socket = /tmp/clamd
> > Clamd Lock File = # /var/lock/subsys/clamd
> > Clamd Use Threads = no
> > ClamAV Full Message Scan = yes
> > Fpscand Port = 10200
> > Dangerous Content Scanning = yes
> > Allow Partial Messages = no
> > Allow External Message Bodies = no
> > Find Phishing Fraud = yes
> > Also Find Numeric Phishing = yes
> > Use Stricter Phishing Net = yes
> > Highlight Phishing Fraud = yes
> > Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
> > Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf
> > Country Sub-Domains List = %etc-dir%/country.domains.conf
> > Allow IFrame Tags = disarm
> > Allow Form Tags = disarm
> > Allow Script Tags = disarm
> > Allow WebBugs = disarm
> > Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap
> > Known Web Bug Servers = msgtag.com
> > Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif
> > Allow Object Codebase Tags = disarm
> > Convert Dangerous HTML To Text = no
> > Convert HTML To Text = no
> > Allow Filenames =
> > Deny Filenames =
> > Filename Rules = %etc-dir%/filename.regra.rules
> > Allow Filetypes =
> > Allow File MIME Types =
> > Deny Filetypes =
> > Deny File MIME Types =
> > Filetype Rules = %etc-dir%/filetype.rules.conf
> > Quarantine Infections = yes
> > Quarantine Silent Viruses = no
> > Quarantine Modified Body = no
> > Quarantine Whole Message = yes
> > Quarantine Whole Messages As Queue Files = no
> > Keep Spam And MCP Archive Clean = no
> > Language Strings = %report-dir%/languages.conf
> > Rejection Report = %report-dir%/rejection.report.txt
> > Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
> > Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
> > Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
> > Deleted Size Message Report = %report-dir%/deleted.size.message.txt
> > Stored Bad Content Message Report = %report-dir%/stored.content.message.txt
> > Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
> > Stored Virus Message Report = %report-dir%/stored.virus.message.txt
> > Stored Size Message Report = %report-dir%/stored.size.message.txt
> > Disinfected Report = %report-dir%/disinfected.report.txt
> > Inline HTML Signature = %report-dir%/inline.sig.html
> > Inline Text Signature = %report-dir%/inline.sig.txt
> > Signature Image Filename = %report-dir%/sig.jpg
> > Signature Image <img> Filename = signature.jpg
> > Inline HTML Warning = %report-dir%/inline.warning.html
> > Inline Text Warning = %report-dir%/inline.warning.txt
> > Sender Content Report = %report-dir%/sender.content.report.txt
> > Sender Error Report = %report-dir%/sender.error.report.txt
> > Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
> > Sender Virus Report = %report-dir%/sender.virus.report.txt
> > Sender Size Report = %report-dir%/sender.size.report.txt
> > Hide Incoming Work Dir = yes
> > Include Scanner Name In Reports = yes
> > Mail Header = X-%org-name%-MailScanner:
> > Spam Header = X-%org-name%-MailScanner-SpamCheck:
> > Spam Score Header = X-%org-name%-MailScanner-SpamScore:
> > Information Header = X-%org-name%-MailScanner-Information:
> > Add Envelope From Header = yes
> > Add Envelope To Header = no
> > Envelope From Header = X-%org-name%-MailScanner-From:
> > Envelope To Header = X-%org-name%-MailScanner-To:
> > Spam Score Character = s
> > SpamScore Number Instead Of Stars = no
> > Minimum Stars If On Spam List = 0
> > Clean Header Value = Found to be clean
> > Infected Header Value = Found to be infected
> > Disinfected Header Value = Disinfected
> > Information Header Value = Please contact the ISP for more information
> > Detailed Spam Report = yes
> > Include Scores In SpamAssassin Report = yes
> > Always Include SpamAssassin Report = no
> > Multiple Headers = append
> > Hostname = the %org-name% ($HOSTNAME) MailScanner
> > Sign Messages Already Processed = no
> > Sign Clean Messages = %rules-dir%/regras_assinatura.rules
> > Attach Image To Signature = no
> > Attach Image To HTML Message Only = yes
> > Mark Infected Messages = yes
> > Mark Unscanned Messages = yes
> > Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
> > Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:
> > Deliver Cleaned Messages = yes
> > Notify Senders = yes
> > Notify Senders Of Viruses = no
> > Notify Senders Of Blocked Filenames Or Filetypes = yes
> > Notify Senders Of Blocked Size Attachments = no
> > Notify Senders Of Other Blocked Content = yes
> > Never Notify Senders Of Precedence = list bulk
> > Scanned Subject Text = {Scanned}
> > Virus Modify Subject = start
> > Virus Subject Text = {Virus?}
> > Filename Modify Subject = start
> > Filename Subject Text = {Filename?}
> > Content Modify Subject = start
> > Content Subject Text = {Dangerous Content?}
> > Size Modify Subject = start
> > Size Subject Text = {Size}
> > Disarmed Modify Subject = start
> > Disarmed Subject Text = {Disarmed}
> > Phishing Modify Subject = no
> > Phishing Subject Text = {Fraud?}
> > Spam Modify Subject = start
> > Spam Subject Text = {Spam?}
> > High Scoring Spam Modify Subject = start
> > High Scoring Spam Subject Text = {Spam?}
> > Warning Is Attachment = yes
> > Attachment Warning Filename = %org-name%-Attachment-Warning.txt
> > Attachment Encoding Charset = ISO-8859-1
> > Archive Mail = %rules-dir%/copia-email.rules
> > Send Notices = no
> > Notices Include Full Headers = yes
> > Hide Incoming Work Dir in Notices = no
> > Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info
> > Notices From = teste
> > Notices To = postmaster
> > Local Postmaster = postmaster
> > Spam List Definitions = %etc-dir%/spam.lists.conf
> > Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
> > Spam Checks = yes
> > Spam Domain List =
> > Spam Lists To Be Spam = 1
> > Spam Lists To Reach High Score = 3
> > Spam List Timeout = 10
> > Max Spam List Timeouts = 7
> > Spam List Timeouts History = 10
> > Is Definitely Not Spam = &SQLWhitelist
> > Is Definitely Spam = &SQLBlacklist
> > Definite Spam Is High Scoring = no
> > Ignore Spam Whitelist If Recipients Exceed = 50
> > Max Spam Check Size = 200k
> > Use Watermarking = no
> > Add Watermark = yes
> > Check Watermarks With No Sender = yes
> > Treat Invalid Watermarks With No Sender as Spam = nothing
> > Check Watermarks To Skip Spam Checks = yes
> > Watermark Secret = %org-name%-Secret
> > Watermark Lifetime = 604800
> > Watermark Header = X-%org-name%-MailScanner-Watermark:
> > Use SpamAssassin = yes
> > Max SpamAssassin Size = 200k
> > Required SpamAssassin Score = 6
> > High SpamAssassin Score = 10
> > SpamAssassin Auto Whitelist = yes
> > SpamAssassin Timeout = 75
> > Max SpamAssassin Timeouts = 10
> > SpamAssassin Timeouts History = 30
> > Check SpamAssassin If On Spam List = yes
> > Include Binary Attachments In SpamAssassin = no
> > Spam Score = yes
> > Cache SpamAssassin Results = yes
> > SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db
> > Rebuild Bayes Every = 0
> > Wait During Bayes Rebuild = no
> > Use Custom Spam Scanner = no
> > Max Custom Spam Scanner Size = 20k
> > Custom Spam Scanner Timeout = 20
> > Max Custom Spam Scanner Timeouts = 10
> > Custom Spam Scanner Timeout History = 20
> > Spam Actions = store
> > High Scoring Spam Actions = store
> > Non Spam Actions = deliver header "X-Spam-Status: No"
> > SpamAssassin Rule Actions =
> > Sender Spam Report = %report-dir%/sender.spam.report.txt
> > Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
> > Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
> > Inline Spam Warning = %report-dir%/inline.spam.warning.txt
> > Recipient Spam Report = %report-dir%/recipient.spam.report.txt
> > Enable Spam Bounce = %rules-dir%/bounce.rules
> > Bounce Spam As Attachment = no
> > Syslog Facility = mail
> > Log Speed = no
> > Log Spam = no
> > Log Non Spam = no
> > Log Permitted Filenames = no
> > Log Permitted Filetypes = no
> > Log Permitted File MIME Types = no
> > Log Silent Viruses = no
> > Log Dangerous HTML Tags = no
> > Log SpamAssassin Rule Actions = no
> > SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
> > SpamAssassin Install Prefix =
> > SpamAssassin Site Rules Dir = /etc/mail/spamassassin
> > SpamAssassin Local Rules Dir =
> > SpamAssassin Default Rules Dir =
> > MCP Checks = yes
> > First Check = mcp
> > MCP Required SpamAssassin Score = 1
> > MCP High SpamAssassin Score = 10
> > MCP Error Score = 1
> > MCP Header = X-%org-name%-MailScanner-MCPCheck:
> > Non MCP Actions = deliver
> > MCP Actions = forward spam at silmaq.com.br
> > High Scoring MCP Actions = forward spam at silmaq.com.br
> > Bounce MCP As Attachment = no
> > MCP Modify Subject = start
> > MCP Subject Text = {Lista de Bloqueio}
> > High Scoring MCP Modify Subject = start
> > High Scoring MCP Subject Text = {Lista de Bloqueio}
> > Is Definitely MCP = no
> > Is Definitely Not MCP = no
> > Definite MCP Is High Scoring = no
> > Always Include MCP Report = no
> > Detailed MCP Report = yes
> > Include Scores In MCP Report = no
> > Log MCP = no
> > MCP Max SpamAssassin Timeouts = 20
> > MCP Max SpamAssassin Size = 100k
> > MCP SpamAssassin Timeout = 10
> > MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
> > MCP SpamAssassin User State Dir =
> > MCP SpamAssassin Local Rules Dir = %mcp-dir%
> > MCP SpamAssassin Default Rules Dir = %mcp-dir%
> > MCP SpamAssassin Install Prefix = %mcp-dir%
> > Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
> > Sender MCP Report = %report-dir%/sender.mcp.report.txt
> > Use Default Rules With Multiple Recipients = no
> > Spam Score Number Format = %d
> > MailScanner Version Number = 4.68.8
> > SpamAssassin Cache Timings = 1800,300,10800,172800,600
> > Debug = no
> > Debug SpamAssassin = no
> > Run In Foreground = no
> > Always Looked Up Last = &MailWatchLogging
> > Always Looked Up Last After Batch = no
> > Deliver In Background = yes
> > Delivery Method = batch
> > Split Exim Spool = no
> > Lockfile Dir = /tmp
> > Custom Functions Dir = /usr/lib/MailScanner/MailScanner/CustomFunctions
> > Lock Type =
> > Syslog Socket Type =
> > Automatic Syntax Check = yes
> > Minimum Code Status = supported
> >
> > ----- Original Message ----- From: "Glenn Steen" <glenn.steen at gmail.com>
> > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> > Sent: Friday, April 04, 2008 5:09 AM
> > Subject: Re: MailScanner ignoring some rules
> >
> >
> >
> > >
> > > On 04/04/2008, TecnoWay Digital <mailscanner at tecnowaydigital.com.br> wrote:
> > >
> > > > [root at firewall.silmaq.com.br ~]# ls -lu /etc/MailScanner/rules/scan.messages.rules
> > > > -rwxrwxrwx 1 root root 76 2008-04-03 21:38 /etc/MailScanner/rules/scan.messages.rules
> > > >
> > > (snip)
> > >
> > > > [root at firewall.silmaq.com.br ~]# ls -lu /etc/MailScanner/rules/scan.messages.rules
> > > > -rwxrwxrwx 1 root root 76 2008-04-03 21:38 /etc/MailScanner/rules/scan.messages.rules
> > > >
> > >
> > > So your rule file doesn't get read at all... Have you shown us the
> > > snippet of your MailScanner.conf where you use it? Could you do so?
> > > Also, have you run a "MailScanner --lint" and shown us that output? Please
> > > do...
> > >
> > > Cheers
> > > --
> > > -- Glenn
> > > email: glenn < dot > steen < at > gmail < dot > com
> > > work: glenn < dot > steen < at > ap1 < dot > se
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > >
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >
> > > Before posting, read http://wiki.mailscanner.info/posting
> > >
> > > Support MailScanner development - buy the book off the website!
> > >
> > >
> >
>
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
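As an added example (not part of the original thread and not MailScanner's own tooling): a shell check for the two things visible in the exchange above, a stray <CR> or other non-printable character in a ruleset edited on another system, and the world-writable -rwxrwxrwx mode shown by ls -lu on scan.messages.rules. The function names and the sample ruleset content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit MailScanner.conf or ruleset
# files for hidden control characters and for loose permissions.

# Count lines holding a control character other than tab (a trailing CR from
# a DOS-mode save is the usual one). Tabs are dropped first because rulesets
# legitimately use them as field separators.
hidden_char_lines() {
    tr -d '\t' < "$1" | LC_ALL=C grep -c '[[:cntrl:]]' || true
}

# True when "other" has write permission, as with the -rwxrwxrwx ruleset
# in the quoted ls output.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Write a cleaned copy with every CR removed; the original is left untouched.
strip_cr() {
    tr -d '\r' < "$1" > "$2"
}

# Report on each file given; the return value is the number of findings.
audit_rules_files() {
    findings=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: not readable by $(id -un)"
            findings=$((findings + 1))
            continue
        fi
        n=$(hidden_char_lines "$f")
        if [ "$n" -gt 0 ]; then
            echo "$f: $n line(s) with CR or other control characters"
            findings=$((findings + 1))
        fi
        if is_world_writable "$f"; then
            echo "$f: world-writable, any local user can change scanning rules"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: a two-line ruleset whose first line was saved with CRLF.
make_sample() {
    printf 'From:\t*@example.com\tno\r\nFromOrTo:\tdefault\tyes\n' > "$1"
}

# Audit whatever paths were passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_rules_files "$@"
fi
```

Run it as the Run As User (postfix in the posted configuration) so the readability check reflects what MailScanner itself can open.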