Error with EMTPY_MESSAGE

Glenn Steen glenn.steen at gmail.com
Sat Sep 13 19:16:38 IST 2008


2008/9/13 Glenn Steen <glenn.steen at gmail.com>:
> 2008/9/13 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Glenn Steen wrote:
>>> 2008/9/13 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Hugo van der Kooij wrote:
>>>>> Hi,
>>>>>
>>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>>>>>
>>>>> Is anyone else seeing this too?
>>>> I just had quite a bit of a discussion about malware that just walks
>>>> past MailScanner with multiple AV scanners active.
>>>>
>>>> It seems that it might be related to postfix. Where MailScanner is
>>>> trying to decode postfix queue files but not doing the right thing.
>>>>
>>>> My result on 3 sample queue files was 0% through MailScanner. But
>>>> decoding them with postcat allowed me to hit 100% of the files.
>>>>
>>>> So the issue may require all postfix users to look very carefully into
>>>> their messages and the ability to scan them properly.
>>>>
>>>> Hugo.
>>>>
>>> Can I get a sample, please? Send it off-list.
>>> Do you do milters? Which milters? Version of postfix?
>>
>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
>>
>> Hugo.
>>
> Just to give a little update:
>
> I've received queue files from Jules and Alex B. I've fed these
> through both a testbed and our current production .... And they simply
> worked as expected(!)... The zip-file they included got unpacked
> nicely, the filename _and_ filetype got it into the quarantine, as
> well as all my AVs firing like mad:-).
> This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner
> 4.71.10 ... latest stable and beta are essentially the same, so ...
>
> I'm leaning toward this being related to CentOS 5.2, possibly the
> relevant perl modules.
> Further than that is pretty hard for me to check, since I cannot
> reproduce the problem.
> I might get onto Alexs' testbed, to do some further debuging... But I
> do suggest that you who have a CentOS 5.2 box and are affected by the
> "non-unpacking" (should be easily determined... look for "Your
> internet access is going to get suspended" subjects that are either
> improperly unpacked (in the quarantine) or that slip by entirely...
> grab one and start feeding it through your system, varying your perl
> modules (mainly MIME-Tools related stuff, I'd guess).
>
BTW... I've not seen the EMPTY_MESSAGE rule firing at all... Other
than a few truly empty messages...

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se


More information about the MailScanner mailing list