bug in Spear-Phishing script?

David Lee t.d.lee at durham.ac.uk
Fri Feb 27 14:59:29 GMT 2009


On Fri, 27 Feb 2009, Julian Field wrote:

> On 27/2/09 13:20, David Lee wrote:
>> [...]
>> But the spear-phishing script does a full restart of MailScanner, including 
>> of that outbound queue processor, every hour.  So there is considerable 
>> risk that some emails in the outbound queue may never be reached at all, 
>> because that outbound processor will be killed before those emails are ever 
>> reached.
> If you're running a big system, why are you using the same machine(s) to 
> deliver outbound mail as well as accept inbound mail? I split them into 2 
> separate jobs and use separate machines for each task. And you only need to 
> do the phishing stuff on the inbound machines.

Ah.  Point taken.  I see where you are coming from.  Our outbound and 
inbound are already separate in the normal case.

But this particular case involves emails being forwarded for a couple of 
affiliated domains, one of which is our major Alumni forwarding service, 
with some 27,000 entries.  So email comes in (to user "xxx at fwd.dom.ain") 
then the forwarding service (on this inbound machine) wings it back out to 
their respective hotmail/aol/yahoo/shudder/horror ISPs.  (Thus it is now
outbound from what is normally an inbound machine.)

So yes, we are "good", in the sense that we already keep inbound and 
outbound generally separate.  This case is about email that had been 
inbound now being reflected outbound.

Because it had been inbound, it is on a spear-phishing detection machine; 
because it has been turned around and is now outbound, it is potentially
victim to the hourly spear-phishing restart.


>> (I'm still not clear why the script needs to restart the entire email 
>> subsystem, including sendmail inbound/outbound, rather than simply doing a 
>> "service MailScanner reload".)
> Does a "reload" cause a re-compile of all the SpamAssassin rules? I don't 
> think so.  [...]

Don't know.

But I've just done a "service MailScanner reload";  that seems to leave 
sendmail alone to do its possibly lengthy work (so good from the 
perspective being discussed).  And it also seems to kill and restart 
MailScanner (isn't that also good? in that it restarts, not just reloads, 
MailScanner?)

So wouldn't a "service MailScanner reload" be just the ticket, because it 
is restarting (not just reloading) MailScanner?


> But a new "restartms" option would solve the problem, which just 
> restarted MailScanner and didn't touch the sendmail processes. How about I 
> add that to the init.d script?
>
> A pair of new init.d scripts are attached, one for the RedHat distribution 
> and the other for the SuSE distribution. I would be grateful if you could try 
> them out to check that "service MailScanner restartms" does what it is 
> supposed to.

I would be very happy to give test things a whirl for you.  Sure.

But does this problem actually need a revised MS init.d script?  Wouldn't 
a "service ... reload" (rather than restart) in the spear-phishing script 
be perfectly OK?  (Given that it appears to restart MailScanner anyway?)

(Of course, I may well have missed something...)

All the best.

-- 

:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:  UNIX Team Leader                         Durham University     :
:                                           South Road            :
:  http://www.dur.ac.uk/t.d.lee/            Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :

