Reports about newest beta

Julian Field MailScanner at ecs.soton.ac.uk
Tue Aug 18 14:47:40 IST 2009



On 18/08/2009 14:33, Jonas A. Larsen wrote:
>
> Hi Julian
>
> I’ve installed the newest beta(4.78.9) on 1 of my scanners and got 
> some feedback in that context.
>
> I got 2 issues:
>
> 1/
>
> This is the first install for me which has the mailscanner crash/dos 
> protection. And I just received a couple of mails which apparently 
> would crash mailscanner.
>
> These mails seem to have been moved to 
> /var/spool/MailScanner/quarantine/20090818/
>
> Normally spam would have been moved to 
> /var/spool/MailScanner/quarantine/20090818/spam and ham to 
> /var/spool/MailScanner/quarantine/20090818/nonspam
>
> These 3 mails were each moved to 
> /var/spool/MailScanner/quarantine/20090818/ and a directory was 
> created for each mail named after the mail id, and inside was a file 
> called message with the mail content.
>
> Is this the normal designed behavior? If yes is it customizable 
> somehow? As in can I control where the “kill mails” are stored.
>
They are put in the quarantine relying on the other quarantine settings 
in MailScanner.conf, such as storing the whole message and so on.
>
> 2/
>
> My second issue is more of a problem, I’ve started using the new 
> virus-spam feature with great success (and I encourage everyone else 
> to as well if you can spare the extra cpu time).
>
> However in the conf it says:
>
> # Some virus scanners now use their signatures to detect spam as well as
> # viruses. These "viruses" are called "spam-viruses". When they are found
> # the following header will be added to your message before it is passed to
> # SpamAssassin, listing all the "spam-viruses" that were found as a comma-
> # separated list.
> # This can also be the filename of a ruleset.
> Spam-Virus Header = X-%org-name%-SpamVirus-Report:
>
> # This defines which virus reports from your virus scanners are really the
> # names of "spam-viruses" as described in the "Spam-Virus Header" section
> # above. This is a space-separated list of strings which can contain "*"
> # wildcards to mean "any string of characters", and which will match the
> # whole name of the virus reported by your virus scanner. So for example
> # "HTML/*" will match all virus names which start with the string "HTML/".
> # The supplied example is suitable for F-Prot6 and the SaneSecurity
> # databases for ClamAV. The test is case-sensitive.
> # This cannot be a ruleset, it must be a simple value as described.
> Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/*
>
> I don’t understand how/why you would make Spam-Virus Header a ruleset? 
> What would you control with it?
>
People in different countries could have different header names so they 
make sense in different languages for example. Just because you don't 
want to make it selectable doesn't mean no-one does.
>
> But I do see why you would want a ruleset for the Virus Names Which 
> Are Spam option. This would allow me to deploy some of the databases 
> sanesecurity labels with a high chance of FP’s by assigning them 
> different headers and thus giving them fewer points in SA than the 
> more trustworthy DB’s.
>
You can do that by assigning different SpamAssassin scores to the header 
values in SpamAssassin. The SpamVirus-Report header is passed to 
SpamAssassin, so you can have different rules triggering off different 
"spamvirus" names giving different scores for different types of 
spamvirus. So you can do this perfectly simply.
>
> Was there a technical reason why this option isn’t possible to set in 
> a ruleset, or did you just think it would be overkill?
>
A very good technical reason. And because it's totally unnecessary as 
you can already implement exactly the same thing better in a bunch of 
SpamAssassin rules. Take a look in the new spam.assassin.prefs.conf 
(right at the bottom) and you will see a very simple rule for assigning 
a spam score when this header is present. You can expand that rule into 
multiple rules triggering on different texts, assigning different scores 
to each one.

I explained all of this in the ChangeLog entry for 4.78, please read it.
>
> Overall the new beta seems to be running fine except for the mails 
> which appear to make it crash, I have not looked into detail about 
> the mails (it was actually test mails) but I'll do that later on.
>
That's the whole point of the crash-protection system.
>
> Hope you survived my longish rant
>
I did, but I honestly don't know why I bothered...

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
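
The per-name scoring described in the reply above, written out as SpamAssassin rules. This is an added example, not part of the original message and not the rule shipped in spam.assassin.prefs.conf; it assumes %org-name% is set to ExampleOrg, and the rule names, scores and Sanesecurity family names are constructed for illustration.

```conf
# Added example. Assumes "%org-name% = ExampleOrg" in MailScanner.conf, so the
# header MailScanner passes to SpamAssassin is X-ExampleOrg-SpamVirus-Report.
# The header value is a comma-separated list of spam-virus names.

# Unscored sub-rules (names starting with "__" carry no score of their own).
header   __EX_SV_PRESENT  exists:X-ExampleOrg-SpamVirus-Report
# Constructed family names; substitute the names your scanner really reports.
header   __EX_SV_PHISH    X-ExampleOrg-SpamVirus-Report =~ /\bSanesecurity\.Phishing\./
header   __EX_SV_JUNK     X-ExampleOrg-SpamVirus-Report =~ /\bSanesecurity\.Junk\./

# Family you trust most: highest score.
meta     EX_SV_PHISH      __EX_SV_PHISH
describe EX_SV_PHISH      Spam-virus report lists a phishing signature
score    EX_SV_PHISH      4.0

# Family with more false positives: lower score, and only when the stronger
# rule did not already fire, so the two scores never add together.
meta     EX_SV_JUNK       __EX_SV_JUNK && !__EX_SV_PHISH
describe EX_SV_JUNK       Spam-virus report lists only a junk signature
score    EX_SV_JUNK       1.5

# Anything else matched by "Virus Names Which Are Spam" (for example HTML/*).
meta     EX_SV_OTHER      __EX_SV_PRESENT && !__EX_SV_PHISH && !__EX_SV_JUNK
describe EX_SV_OTHER      Spam-virus report lists another spam-virus name
score    EX_SV_OTHER      2.5
```

Run `spamassassin --lint` after adding rules like these to catch syntax errors before MailScanner reloads them.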

