Question about ordering in rulesets

Mark Sapiro mark at msapiro.net
Fri Apr 24 01:21:08 IST 2009


In MailScanner.conf, I have:

Scan Messages = %rules-dir%/scan.messages.rules

In %rules-dir%/scan.messages.rules I have:

1  # Rules to scan or skip MailScanner altogether.
2  #
3  # Exempt locally generated mail
4  #
5  # localhost
6  From: 127.0.0.1 no
7  # sbh16.songbird.com
8  From: 72.52.113.16 no
9  # ms2.msapiro.net sbh34.songbird.com
10 From: 72.52.113.34 no
11 # grizz.org, etc. sbh35.songbird.com
12 From: 72.52.113.35 no
13 # abriz.org, etc. sbh36.songbird.com
14 From: 72.52.113.36 no
15 # sbh37.songbird.com
16 From: 72.52.113.37 no
17 # sbh38.songbird.com
18 From: 72.52.113.38 no
19 #
20 # Rules to not scan messages to abuse or postmaster
21 #
22 # but first scan all abriz mail
23 #
24 To: /[@.]abriz.(org|net)$/ yes
25 #
26 To: /^(abuse|postmaster)[+@]/ no
27 #
28 # Don't scan messages to membership from paypal.com as we break domain keys
29 # signatures and at least if the recipient is sbcglobal/yahoo/prodigy, they
30 # call it spam
31 #
32 # from *.den.paypal.com
33 To: /^membership@grizz[^.]*\.org$/ and From: 216.113.188.0/24 no
34 # from *.phx.paypal.com
35 To: /^membership@grizz[^.]*\.org$/ and From: 66.211.168.0/24 no
36 #
37 # Finally
38 #
39 FromOrTo: default yes


The idea is I want to scan mail by default, but I have several rules to
not scan and one specific rule to scan at line 24.

It was my assumption that these rules would be checked in order and the
first one to hit would be the one that determined yes or no. In
particular, the rule at line 26 is intended to not scan mail to abuse
or postmaster, but the rule at line 24 is intended to scan all mail to
the abriz.org and abriz.net domains including mail to abuse and
postmaster as it comes before line 26.

I had a situation today that makes me question my ordering assumption.

A message arrived from IP 72.52.113.36 [1] which had four recipients,
one of whom was in the abriz.net domain. The message was scanned by
MailScanner and an attachment removed because of a filename rule [2],
in spite of the fact that it matched the

From: 72.52.113.36 no

rule at line 14, I would have thought, before matching the

To: /[@.]abriz.(org|net)$/ yes

rule at line 24.

So is my assumption about ordering wrong? If so, is there a way to
accomplish what I thought I was accomplishing with this ordering?

[1]
The message arrived via an ssh tunnel from a remote machine to IP
72.52.113.36, but Postfix saw it as coming from IP 72.52.113.36.

Apr 23 12:08:48 sbh16 postfix/smtpd[17061]: connect from abriz.net[72.52.113.36]
Apr 23 12:08:49 sbh16 postfix/smtpd[17061]: 18C1E6900A5: client=abriz.net[72.52.113.36]
Apr 23 12:08:49 sbh16 postfix/cleanup[17770]: 18C1E6900A5: hold: header Received: from chaos.abriz.net (abriz.net [72.52.113.36])??(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))??(No client certificate requested)??by sbh16.songbird.com (Postfix) with ESMTP id 18C from abriz.net[72.52.113.36]; from=<xxxx at abriz.net> to=<xxxxxx at abriz.net> proto=ESMTP helo=<chaos.abriz.net>
Apr 23 12:08:49 sbh16 postfix/cleanup[17770]: 18C1E6900A5: message-id=<20090423190848.GA17095 at abriz.net>
Apr 23 12:08:49 sbh16 postfix/smtpd[17061]: disconnect from abriz.net[72.52.113.36]


[2]
Apr 23 12:08:49 sbh16 MailScanner[16883]: New Batch: Scanning 1 messages, 9291 bytes
Apr 23 12:08:51 sbh16 MailScanner[16883]: Filename Checks: Possible malicious batch file script (18C1E6900A5.0258A azs.bat)
Apr 23 12:08:51 sbh16 MailScanner[16883]: Other Checks: Found 1 problems
Apr 23 12:08:51 sbh16 MailScanner[16883]: Virus and Content Scanning: Starting
Apr 23 12:08:51 sbh16 MailScanner[16883]: Saved infected "azs.bat" to /var/spool/MailScanner/quarantine/20090423/18C1E6900A5.0258A
Apr 23 12:08:51 sbh16 MailScanner[16883]: Saved infected "sp500-zsj.zip" to /var/spool/MailScanner/quarantine/20090423/18C1E6900A5.0258A
Apr 23 12:08:51 sbh16 MailScanner[16883]: Requeue: 18C1E6900A5.0258A to 3D47E690188
Apr 23 12:08:51 sbh16 MailScanner[16883]: Cleaned: Delivered 1 cleaned messages

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
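An offline way to check the ordering assumption the post describes, added here as an example; it is not MailScanner's own code and does not claim to reproduce MailScanner's actual evaluation algorithm. It parses the posted ruleset (comment numbering dropped, and `@` assumed where the list archive renders the grizz regexes with " at ") and applies strict first-match-wins over the rules in file order, which is exactly the semantics the post assumes. The sender IP is the one from the Postfix log; the four recipient addresses are constructed stand-ins, one of them in abriz.net. Under this model the simulator returns `no` from the `From: 72.52.113.36` rule, which is the expected result, not the scan the MailScanner log shows, so it serves to state the assumption precisely rather than to explain the observed behaviour.

```python
"""Simulator for a MailScanner-style yes/no ruleset under strict first-match order.

Added example, not MailScanner's own code. Supports only the syntax the posted
file uses: From:/To:/FromOrTo: directions, 'and' conjunctions, /regex/ patterns,
bare IPs, CIDR blocks and 'default'. Plain strings fall back to an exact address
comparison; MailScanner's own wildcard and domain forms are not modelled.
"""
import ipaddress
import re

# Ruleset from the post, with the line-number comments removed.
# The '@' in the grizz regexes is an assumption (the archive shows " at ").
RULESET = r"""
# Exempt locally generated mail
From: 127.0.0.1 no
From: 72.52.113.16 no
From: 72.52.113.34 no
From: 72.52.113.35 no
From: 72.52.113.36 no
From: 72.52.113.37 no
From: 72.52.113.38 no
# but first scan all abriz mail
To: /[@.]abriz.(org|net)$/ yes
To: /^(abuse|postmaster)[+@]/ no
To: /^membership@grizz[^.]*\.org$/ and From: 216.113.188.0/24 no
To: /^membership@grizz[^.]*\.org$/ and From: 66.211.168.0/24 no
FromOrTo: default yes
"""


class Rule:
    """One ruleset line: a list of (direction, pattern) conditions and a value."""

    def __init__(self, text):
        self.text = text
        head, self.value = text.rsplit(None, 1)
        self.conds = []
        for part in head.split(" and "):
            field, pattern = part.split(None, 1)
            field = field.rstrip(":").lower()
            if field not in ("from", "to", "fromorto"):
                raise ValueError(f"unsupported rule direction: {field}")
            self.conds.append((field, pattern.strip()))


def parse_rules(text):
    """Return the non-comment, non-blank lines of a ruleset as Rule objects, in file order."""
    return [Rule(l.strip()) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def pattern_matches(pattern, ip, addresses):
    """Match one pattern against a client IP (may be None) and a list of addresses."""
    if pattern == "default":
        return True
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        rx = re.compile(pattern[1:-1], re.IGNORECASE)
        return any(rx.search(a) for a in addresses)
    try:
        net = ipaddress.ip_network(pattern, strict=False)  # bare IP or CIDR
    except ValueError:
        return any(a.lower() == pattern.lower() for a in addresses)
    return ip is not None and ipaddress.ip_address(ip) in net


def evaluate(rules, sender_ip, sender, recipients):
    """Strict first match: the first rule whose conditions all hold decides.

    From: conditions see the sender address and client IP; To: conditions see
    every recipient at once (the whole message is decided in one pass).
    Returns (value, rule_text), or (None, None) if nothing matched.
    """
    for rule in rules:
        for field, pattern in rule.conds:
            if field == "from":
                hit = pattern_matches(pattern, sender_ip, [sender])
            elif field == "to":
                hit = pattern_matches(pattern, None, recipients)
            else:
                hit = pattern_matches(pattern, sender_ip, [sender] + recipients)
            if not hit:
                break
        else:
            return rule.value, rule.text
    return None, None


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    # Constructed stand-in for the message in the post: client IP from the
    # Postfix log, four recipients, one of them in abriz.net.
    value, fired = evaluate(rules, "72.52.113.36", "xxxx@abriz.net",
                            ["xxxxxx@abriz.net", "a@example.org",
                             "b@example.com", "c@example.net"])
    print(f"Scan Messages = {value!r}, decided by: {fired}")
```

Running it prints the rule that fired for the sample message; feeding other sender IPs and recipient sets into `evaluate()` shows where the `abuse|postmaster` exemption is overridden by the earlier abriz rule and where the paypal exemptions apply.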


