Error with EMPTY_MESSAGE

Hugo van der Kooij hvdkooij at vanderkooij.org
Sun Sep 14 10:52:51 IST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Steen wrote:
> 2008/9/13 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Glenn Steen wrote:
>>> 2008/9/13 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Hugo van der Kooij wrote:
>>>>> Hi,
>>>>>
>>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>>>>>
>>>>> Is anyone else seeing this too?
>>>> I just had quite a bit of a discussion about malware that just walks
>>>> past MailScanner with multiple AV scanners active.
>>>>
>>>> It seems that it might be related to postfix. Where MailScanner is
>>>> trying to decode postfix queue files but not doing the right thing.
>>>>
>>>> My result on 3 sample queue files was 0% through MailScanner. But
>>>> decoding them with postcat allowed me to hit 100% of the files.
>>>>
>>>> So the issue may require all postfix users to look very carefully into
>>>> their messages and the ability to scan them properly.
>>>>
>>>> Hugo.
>>>>
>>> Can I get a sample, please? Send it off-list.
>>> Do you do milters? Which milters? Version of postfix?
>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
>>
>> Hugo.
>>
> Just to give a little update:
> 
> I've received queue files from Jules and Alex B. I've fed these
> through both a testbed and our current production .... And they simply
> worked as expected(!)... The zip-file they included got unpacked
> nicely, the filename _and_ filetype got it into the quarantine, as
> well as all my AVs firing like mad:-).
> This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner
> 4.71.10 ... latest stable and beta are essentially the same, so ...
> 
> I'm leaning toward this being related to CentOS 5.2, possibly the
> relevant perl modules.
> Further than that is pretty hard for me to check, since I cannot
> reproduce the problem.
> I might get onto Alex's testbed, to do some further debugging... But I
> do suggest that you who have a CentOS 5.2 box and are affected by the
> "non-unpacking" (should be easily determined... look for "Your
> internet access is going to get suspended" subjects that are either
> improperly unpacked (in the quarantine) or that slip by entirely...
> grab one and start feeding it through your system, varying your perl
> modules (mainly MIME-Tools related stuff, I'd guess).

I have only seen the issue with queue files from Alex. And the odd
EMPTY_MESSAGE report I found myself.

I shoot down almost all other stuff on non-FQDN issues and blacklisting
dialup networks based on keywords in their hostname in postfix itself.
So I cannot recall having seen messages sneak past with attachments in
them.

The attachment thing might be a combined thing of a new postfix building
queue files slightly differently. But beyond the test messages I have
never seen that issue arise.

But if a beta version can be created that allows one to use postcat
instead of a native MailScanner parser of the raw queue file just to see
if it is a factor then I can test that as my MailScanner server is
pretty low in traffic.

Hugo.

- --
hvdkooij at vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIzN7xBvzDRVjxmYERAlOdAKCgYBH+AJv2Q1AwNuaSAzD+ECHUNQCePPbG
09dq9O9VarfSUJryJ6l1Wcs=
=Mz1W
-----END PGP SIGNATURE-----
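The test Hugo asks for above (feed a postfix queue file through the scanner both raw and decoded with postcat, and see whether EMPTY_MESSAGE only fires on the raw form) can be done by hand without a patched MailScanner. The script below is an added example, not code from the thread or from the MailScanner project. It assumes that postcat accepts a queue file path on the command line and that `spamassassin -t` lists the names of the rules that hit on stdout; both commands are taken from the POSTCAT and SPAMASSASSIN environment variables so the functions can be exercised with stand-ins on a box that has no mail server.

```shell
#!/bin/sh
# Added example (not from the thread): scan a postfix queue file twice,
# once raw and once decoded by postcat, and report whether a given
# SpamAssassin rule (e.g. EMPTY_MESSAGE) fires in each case.
# Assumptions: `postcat FILE` prints the queued message as RFC 822 text,
# and `spamassassin -t` prints the names of the rules that hit.

: "${POSTCAT:=postcat}"
: "${SPAMASSASSIN:=spamassassin}"

# Print the queue file as the RFC 822 message the MTA would deliver.
render_queue_file() {
    "$POSTCAT" "$1"
}

# Return 0 if RULE appears in the SpamAssassin test report for the
# message read from stdin, 1 otherwise.
sa_rule_fires() {
    rule=$1
    "$SPAMASSASSIN" -t 2>/dev/null | grep -qw -- "$rule"
}

# Print the raw and decoded verdicts for FILE and RULE.  Returns 0 when
# the two disagree, which is the symptom discussed in the thread: the raw
# queue file looks empty to the scanner while the decoded message does not.
compare_raw_and_decoded() {
    file=$1
    rule=$2
    raw=no
    decoded=no
    if sa_rule_fires "$rule" <"$file"; then raw=yes; fi
    if render_queue_file "$file" | sa_rule_fires "$rule"; then decoded=yes; fi
    printf '%s: %s raw=%s decoded=%s\n' "$file" "$rule" "$raw" "$decoded"
    [ "$raw" != "$decoded" ]
}

# Usage on a postfix host (queue directory is the stock default; adjust
# to your own queue_directory setting):
#   for f in /var/spool/postfix/deferred/*/* /var/spool/postfix/active/*; do
#       [ -f "$f" ] && compare_raw_and_decoded "$f" EMPTY_MESSAGE
#   done
```

Any file for which the script prints `raw=yes decoded=no` is one where the scanner's own reading of the queue file disagrees with postcat's, which is exactly the case to send to the developers.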

