Question about ordering in rulesets

Steve Freegard steve.freegard at fsl.com
Fri Apr 24 09:42:54 IST 2009


Mark,

See http://www.mailscanner.info/MailScanner.conf.index.html#Scan%20Messages

Ruleset Type for this option is "All Match":

"All Match" rulesets work through every recipient, concatenating all the
results. "All Match" rulesets are usually used when you want to check if
any of the recipient addresses match. For example, when evaluating a
"Yes/No" option with an "All Matches" ruleset, the result is taken as a
"Yes" if any of the addresses match at all.

Regards,
Steve.

Mark Sapiro wrote:
> In MailScanner.conf, I have:
> 
> Scan Messages = %rules-dir%/scan.messages.rules
> 
> In %rules-dir%/scan.messages.rules I have:
> 
> 1  # Rules to scan or skip MailScanner altogether.
> 2  #
> 3  # Exempt locally generated mail
> 4  #
> 5  # localhost
> 6  From: 127.0.0.1 no
> 7  # sbh16.songbird.com
> 8  From: 72.52.113.16 no
> 9  # ms2.msapiro.net sbh34.songbird.com
> 10 From: 72.52.113.34 no
> 11 # grizz.org, etc. sbh35.songbird.com
> 12 From: 72.52.113.35 no
> 13 # abriz.org, etc. sbh36.songbird.com
> 14 From: 72.52.113.36 no
> 15 # sbh37.songbird.com
> 16 From: 72.52.113.37 no
> 17 # sbh38.songbird.com
> 18 From: 72.52.113.38 no
> 19 #
> 20 # Rules to not scan messages to abuse or postmaster
> 21 #
> 22 # but first scan all abriz mail
> 23 #
> 24 To: /[@.]abriz.(org|net)$/ yes
> 25 #
> 26 To: /^(abuse|postmaster)[+@]/ no
> 26 #
> 28 # Don't scan messages to membership from paypal.com as we break
> domain keys
> 29 # signatures and at least if the recipient is
> sbcglobal/yahoo/prodigy, they
> 30 # call it spam
> 31 #
> 32 # from *.den.paypal.com
> 33 To: /^membership@grizz[^.]*\.org$/ and From: 216.113.188.0/24 no
> 34 # from *.phx.paypal.com
> 35 To: /^membership@grizz[^.]*\.org$/ and From: 66.211.168.0/24 no
> 36 #
> 37 # Finally
> 38 #
> 39 FromOrTo: default yes
> 
> 
> The idea is I want to scan mail by default, but I have several rules to
> not scan and one specific rule to scan at line 24.
> 
> It was my assumption that these rules would be checked in order and the
> first one to hit would be the one that determined yes or no. In
> particular, the rule at line 26 is intended to not scan mail to abuse
> or postmaster, but the rule at line 24 is intended to scan all mail to
> the abriz.org and abriz.net domains including mail to abuse and
> postmaster as it comes before line 26.
> 
> I had a situation today that makes me question my ordering assumption.
> 
> A message arrived from IP 72.52.113.36 [1] which had four recipients,
> one of whom was in the abriz.net domain. The message was scanned by
> MailScanner and an attachment removed because of a filename rule [2],
> in spite of the fact that it matched the
> 
> From: 72.52.113.36 no
> 
> rule at line 14, I would have thought, before matching the
> 
> To: /[@.]abriz.(org|net)$/ yes
> 
> rule at line 24.
> 
> So is my assumption about ordering wrong? If so, is there a way to
> accomplish what I thought I was accomplishing with this ordering?
> 
> [1]
> The message arrived via an ssh tunnel from a remote machine to IP
> 72.52.113.36, but Postfix saw it as coming from IP 72.52.113.36.
> 
> Apr 23 12:08:48 sbh16 postfix/smtpd[17061]: connect from
> abriz.net[72.52.113.36]
> Apr 23 12:08:49 sbh16 postfix/smtpd[17061]: 18C1E6900A5:
> client=abriz.net[72.52.113.36]
> Apr 23 12:08:49 sbh16 postfix/cleanup[17770]: 18C1E6900A5: hold: header
> Received: from chaos.abriz.net (abriz.net [72.52.113.36])??(using
> TLSv1 with cipher ADH-AES256-SHA (256/256 bits))??(No client
> certificate requested)??by sbh16.songbird.com (Postfix) with ESMTP id
> 18C from abriz.net[72.52.113.36]; from=<xxxx@abriz.net>
> to=<xxxxxx@abriz.net> proto=ESMTP helo=<chaos.abriz.net>
> Apr 23 12:08:49 sbh16 postfix/cleanup[17770]: 18C1E6900A5:
> message-id=<20090423190848.GA17095@abriz.net>
> Apr 23 12:08:49 sbh16 postfix/smtpd[17061]: disconnect from
> abriz.net[72.52.113.36]
> 
> 
> [2]
> Apr 23 12:08:49 sbh16 MailScanner[16883]: New Batch: Scanning 1
> messages, 9291 bytes
> Apr 23 12:08:51 sbh16 MailScanner[16883]: Filename Checks: Possible
> malicious batch file script (18C1E6900A5.0258A azs.bat)
> Apr 23 12:08:51 sbh16 MailScanner[16883]: Other Checks: Found 1 problems
> Apr 23 12:08:51 sbh16 MailScanner[16883]: Virus and Content Scanning:
> Starting
> Apr 23 12:08:51 sbh16 MailScanner[16883]: Saved infected "azs.bat" to
> /var/spool/MailScanner/quarantine/20090423/18C1E6900A5.0258A
> Apr 23 12:08:51 sbh16 MailScanner[16883]: Saved infected
> "sp500-zsj.zip" to
> /var/spool/MailScanner/quarantine/20090423/18C1E6900A5.0258A
> Apr 23 12:08:51 sbh16 MailScanner[16883]: Requeue: 18C1E6900A5.0258A to
> 3D47E690188
> Apr 23 12:08:51 sbh16 MailScanner[16883]: Cleaned: Delivered 1 cleaned
> messages
> 
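To make the quoted documentation concrete, here is an added example (my own Python, not MailScanner's code) that models both ruleset types over the rules Mark posted: "First Match", where rules are tried in file order and the first hit decides (the ordering Mark assumed), and "All Match", where every address is checked, every hit is collected, and a Yes/No option comes out "yes" if any address matched. The rule line numbers are Mark's; the comment lines are omitted and the "@" that the list archive rewrote as " at " is restored. The handling of the `default` line in All Match mode (consulted only when no other rule hits), the `Message` shape and the recipient addresses are assumptions of the model, not documented MailScanner behaviour.

```python
import ipaddress
import re
from dataclasses import dataclass

# The twelve rule lines from Mark's scan.messages.rules, keyed by his line numbers
# (comment lines omitted; "@" restored where the archive printed " at ").
RULES = r"""6  From: 127.0.0.1 no
8  From: 72.52.113.16 no
10 From: 72.52.113.34 no
12 From: 72.52.113.35 no
14 From: 72.52.113.36 no
16 From: 72.52.113.37 no
18 From: 72.52.113.38 no
24 To: /[@.]abriz.(org|net)$/ yes
26 To: /^(abuse|postmaster)[+@]/ no
33 To: /^membership@grizz[^.]*\.org$/ and From: 216.113.188.0/24 no
35 To: /^membership@grizz[^.]*\.org$/ and From: 66.211.168.0/24 no
39 FromOrTo: default yes
"""


@dataclass
class Rule:
    line: int
    conds: list   # [(direction, pattern), ...]; every condition must hold
    value: str    # "yes" or "no"


@dataclass
class Message:   # assumed shape: SMTP client IP, envelope sender, envelope recipients
    client_ip: str
    sender: str
    recipients: list


def parse_rules(text):
    """Parse 'N Direction: pattern [and Direction: pattern] value' lines."""
    rules = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        number, *cond_words, value = raw.split()
        conds = []
        for part in " ".join(cond_words).split(" and "):
            direction, pattern = part.split(":", 1)
            conds.append((direction.strip().lower(), pattern.strip()))
        rules.append(Rule(int(number), conds, value.lower()))
    return rules


def _pattern_hits(pattern, address, ip):
    """A /regex/ is tested against an address, an IP or CIDR against the client IP."""
    if pattern == "default":
        return True
    if pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], address, re.IGNORECASE) is not None
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() == address.lower()
    return ip is not None and ipaddress.ip_address(ip) in net


def _rule_hits(rule, msg):
    """A rule hits when each of its conditions matches the sender side or a recipient."""
    for direction, pattern in rule.conds:
        from_hit = direction in ("from", "fromorto") and _pattern_hits(
            pattern, msg.sender, msg.client_ip)
        to_hit = direction in ("to", "fromorto") and any(
            _pattern_hits(pattern, r, None) for r in msg.recipients)
        if not (from_hit or to_hit):
            return False
    return True


def _is_default(rule):
    return all(p == "default" for _, p in rule.conds)


def first_match(rules, msg):
    """Mark's assumption: rules are tried in file order and the first hit decides."""
    for rule in rules:
        if _rule_hits(rule, msg):
            return rule.value, [rule.line]
    return "", []


def all_match(rules, msg):
    """Documented All Match semantics: collect every matching rule, "yes" if any said
    yes. Assumption of this model: 'default' is used only when nothing else hit."""
    hits = [r for r in rules if not _is_default(r) and _rule_hits(r, msg)]
    if not hits:
        hits = [r for r in rules if _is_default(r)]
    value = "yes" if any(r.value == "yes" for r in hits) else "no"
    return value, [r.line for r in hits]


# Constructed message modelled on the one in the post: client 72.52.113.36, four
# recipients, one of them in abriz.net (all addresses are made up).
EXAMPLE_MESSAGE = Message("72.52.113.36", "someone@abriz.net",
                          ["a@example.com", "b@example.net", "c@example.org", "d@abriz.net"])

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print("First Match:", first_match(rules, EXAMPLE_MESSAGE))   # ('no', [14])
    print("All Match:  ", all_match(rules, EXAMPLE_MESSAGE))     # ('yes', [14, 24])
```

For the constructed message the First Match model stops at line 14 and answers "no", while the All Match model collects line 14 ("no") and line 24 ("yes", for the abriz.net recipient) and answers "yes", which is the behaviour Mark saw. The practical consequence of the documented semantics is that in an All Match ruleset the scan decision is the union over all addresses, so an earlier "no" rule cannot act as an exception to a later "yes" rule; the option fails toward scanning whenever any recipient matches a "yes" rule.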