MailScanner ANNOUNCE: Stable release 4.74.12

Julian Field MailScanner at
Sat Jan 3 11:13:10 GMT 2009

I have just released the first version for 2009, 4.74.

The main fix this time is that all the symlink vulnerabilities have been 
fixed, though you were only ever vulnerable to these problems if you let 
users interactively login (using ssh, for example) to your MailScanner 
servers. If you restrict logins to system admins and other trusted 
users, you would never have had a problem anyway.

Other than that, the SpamAssassin Rule Actions have been improved 
slightly, in that the "header" action can now contain the magic word 
"_TO_" which will be replaced by a list of all the original message 
recipients, very useful if you don't deliver the message but instead 
forward it to someone else for checking.

TNEF had been upgraded to 1.4.5.

Download as usual from

The full Change Log is this:
* New Features and Improvements *
1 Patch added to ClamAV & SpamAssassin easy-to-install package to make
   Mail::ClamAV Perl module handle ClamAV 0.94 correctly.
   Thanks to Steve Barber for telling me about this fix.
7 Upgraded to tnef 1.4.5.
9 The Spam Actions and its pals may now contain the "header" action with the
   special keyword "_TO_" anywhere in the header value. This will be 
   by a comma-separated list of the original recipients of the message.
   I wrote this for when I divert a message to the postmaster when it's 
   as spam, for example. Then you can put
   Spam Actions = store forward postmaster at header 
ere: Sent to _TO_"
   I don't always want to include the list of recipients in the headers, as
   others object to their privacy being violated by everyone receiving 
the full
   list of recipients, so I can't use the "Add Envelope To Header". I *only*
   want to add this information to spam messages, so I know to whom they 
   originally addressed.
11 Another check to ensure it doesn't chmod /tmp on misconfigured systems.

* Fixes *
2 Major work on removing symlink attack vulnerabilities affecting 
   lock files.
   Note: This vulnerability only affected systems where normal 
interactive users
   could log in to the system, or create arbitrary symlinks in your 
   So the ISP-style setups were never vulnerable, as they didn't allow 
   users to login or allow people to arbitrarily create symlinks in the
2 Removed symlink attack vulnerabilities in SpamAssassin and tnef handlers.
6-2 Re-release to fix filesize problems.
7-2 Added missing "use" statement to
7-3 Added missing tnef to Other Unix tarball distribution.
     Linux distributions unchanged.
8 Minor fix in handling of complicated "SpamAssassin Rule Actions".
10 Fixes for Locks creation bugs from Jeff Earickson. Non-RPM distribution
    should work rather better now.
12 Tiny (but important) fix to mcafee-autoupdate so that it will work 


Julian Field MEng CITP CEng
Buy the MailScanner book at

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key:

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list