Glenn Steen glenn.steen at
Sat Sep 13 22:26:10 IST 2008

2008/9/13 Hugo van der Kooij <hvdkooij at>:
> Glenn Steen wrote:
>> 2008/9/13 Hugo van der Kooij <hvdkooij at>:
>>> Glenn Steen wrote:
>>>> 2008/9/13 Hugo van der Kooij <hvdkooij at>:
>>>>> Hugo van der Kooij wrote:
>>>>>> Hi,
>>>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>>>>>> Is anyone else seeing this too?
>>>>> I just had quite a bit of a discussion about malware that just walks
>>>>> past MailScanner with multiple AV scanners active.
>>>>> It seems that it might be related to postfix. Where MailScanner is
>>>>> trying to decode postfix queue files but not doing the right thing.
>>>>> My result on 3 sample queue files was 0% through MailScanner. But
>>>>> decoding them with postcat allowed me to hit 100% of the files.
>>>>> So the issue may require all postfix users to look very carefully into
>>>>> their messages and the ability to scan them properly.
>>>>> Hugo.
>>>> Can I get a sample, please? Send it off-list.
>>>> Do you do milters? Which milters? Version of postfix?
>>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
>>> Hugo.
>> Just to give a little update:
>> I've received queue files from Jules and Alex B. I've fed these
>> through both a testbed and our current production .... And they simply
>> worked as expected(!)... The zip-file they included got unpacked
>> nicely, the filename _and_ filetype got it into the quarantine, as
>> well as all my AVs firing like mad:-).
>> This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner
>> 4.71.10 ... latest stable and beta are essentially the same, so ...
>> I'm leaning toward this being related to CentOS 5.2, possibly the
>> relevant perl modules.
> It seems you are using the perl interface to ClamAV and not clamd or
> anything else. That would at least have an impact on how things are
> called and how they are parsed in part.
Nope. I've just got the Mail::ClamAV module installed;-)... I'm using
clamd, and am very happy about it too;).
Actually, I tend to install _all_ the optional modules, regardless of
whether I use them or not. Sure, a maintenance overhead, but then ... they're
there when/if I decide to use a function that actually needs 'em.

>> Further than that is pretty hard for me to check, since I cannot
>> reproduce the problem.
> If you can setup a Centos 5 virtual machine you could give it a spin.
> See if it is something obvious we are all overlooking.

I've been in shortly on Alex's testbed... Nothing exactly stood out...
Apart from not working, it looked fine:-).
Did you get the "fixlet" Jules gave me and Alex? Seems to be
ineffectual for Alex.
Then again... Jules removed the mailscanner rpm, reinstalled it (via
rpm -Uvh) and copied in his MailScanner.conf ... and that seemed to
"cure" it for him. Which seems like a very very odd thing indeed.
What happens if you do similarly? (remember to save a copy of
/etc/MailScanner first;-).

> Hugo.

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
