Mismatch between report and actions

Julian Field MailScanner at ecs.soton.ac.uk
Wed Jul 1 09:15:00 IST 2009



On 30/06/2009 15:17, Robert Lopez wrote:
> On Tue, Jun 30, 2009 at 2:49 AM, Glenn Steen<glenn.steen at gmail.com>  wrote:
>    
>> 2009/6/29 Robert Lopez<rlopezcnm at gmail.com>:
>>      
>>> On Mon, Jun 29, 2009 at 8:43 AM, Glenn Steen<glenn.steen at gmail.com>  wrote:
>>>        
>>>> 2009/6/29 Robert Lopez<rlopezcnm at gmail.com>:
>>>>          
>>>>> On Mon, Jun 29, 2009 at 8:11 AM, Glenn Steen<glenn.steen at gmail.com>  wrote:
>>>>>            
>>>>>> 2009/6/29 Robert Lopez<rlopezcnm at gmail.com>:
>>>>>>              
>>>>>>> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen<glenn.steen at gmail.com>  wrote:
>>>>>>>                
>>>>>>>> 2009/6/26 Robert Lopez<rlopezcnm at gmail.com>:
>>>>>>>>                  
>>>>>>>>> HP ProLiant DL360 G5
>>>>>>>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz
>>>>>>>>> 8 G RAM
>>>>>>>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009
>>>>>>>>> x86_64 GNU/Linux
>>>>>>>>> Ubuntu 9.04 (jaunty)
>>>>>>>>> MailScanner version 4.74.16
>>>>>>>>> Postfix version 2.5.5
>>>>>>>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0
>>>>>>>>> (I know there are newer versions. These are Ubuntu apt-get...)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                    
>>>>>> (snip error...)
>>>>>>              
>>>>>>>>>                    
>>>>>>>> Do the upgrades needed ... MailScanner, possibly SA and Clam as well.
>>>>>>>> If this means leaving the Ubuntu/apt thing behind, then so be it.
>>>>>>>> If you still observe the same behavior... Then we'll look at other things:-).
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>                  
>>>>>> (snip)
>>>>>>              
>>>>>>> Thank you Glenn,
>>>>>>>
>>>>>>> Changing from Ubuntu is not my decision to make. My current project is
>>>>>>> comparing a system built with RHEL and files from Julian's site to this
>>>>>>> one.
>>>>>>>
>>>>>>>                
>>>>>> I didn't say "ditch Ubuntu", just the ubuntu packaging of
>>>>>> MailScanner;-). You could probably live pretty well with the source
>>>>>> tarball, for example.
>>>>>>
>>>>>> Cheers
>>>>>> --
>>>>>> -- Glenn
>>>>>> email: glenn<  dot>  steen<  at>  gmail<  dot>  com
>>>>>> work: glenn<  dot>  steen<  at>  ap1<  dot>  se
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner at lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>>              
>>>>> Again, Thank you Glenn.
>>>>>
>>>>> I have to attend to the root cause of the problem I wrote about. The
>>>>> issue you reply to is a policy issue upon which I have no influence. I
>>>>> was very happy with the test system built with tar files. My
>>>>> management is not.
>>>>>
>>>>>            
>>>> Why? They will just get an added delay and no real benefit (stability
>>>> or otherwise) from sticking to more or less outdated "debianized"
>>>> packages. Sigh. Get a clue-by-four and start whacking;-):-) One cannot
>>>> fight bleeding edge malware/spam with trailing edge, or even sometimes
>>>> moderately modern (like this problem instance;), protection systems.
>>>>
>>>> Cheers
>>>> --
>>>> -- Glenn
>>>> email: glenn<  dot>  steen<  at>  gmail<  dot>  com
>>>> work: glenn<  dot>  steen<  at>  ap1<  dot>  se
>>>>          
>>> Glenn I totally agree with you. But your comments are not helpful. I
>>> have stated I have no control over institutional policies.
>>>
>>>        
>> That being the case, I'm not entirely sure we will be able to help
>> you. My prompting you to upgrade isn't just the semi-unhelpful comment
>> it may seem. There were some changes to the Postfix handling (mostly
>> when used with milters, true) recently, as well as some other
>> important fixes (IIRC there were some problems with the MIME tools
>> perl module... I might remember wrong, but I don't think I do:-). Also,
>> since you use the Ubuntu packaging, you are likely to be using the
>> perl modules from the same source... I'm not sure, but I rather
>> suspect that that may be as bad as mixing the "MailScanner perl
>> modules" from certain other distros into the brew...
>> Going to a "source" install (as you've obviously tried) would take
>> some of the uncertainties out of the picture, as well as enabling you
>> to use the latest/greatest of MailScanner (at your own discretion, of
>> course)... So that you decide when you need upgrade, not some
>> packager. Usually, the latter is norm for most distros, and frankly
>> the sane thing to do. But not with a system like MailScanner, IMO.
>>
>> Anyway, that is neither here nor there. If you can't change what beta
>> you are using, that is the way it is.
>> Back to the original message then... Hmm.
>>
>> This wouldn't be stored as spam, it would likely be stored in a
>> directory named like the queue file ID + the random bit... so did you
>> find for a file specifically? it should all be there in the
>> /var/spool/MailScanner/quarantine/20090626/E0CE312F.5E6C5 directory.
>>
>> I suppose that if the mime explosion didn't go well, for some reason,
>> you might see some strange results... Hmm.
>>
>> What are your settings in MailScanner.conf for
>> Deliver Disinfected Files
>> Silent Viruses
>> Still Deliver Silent Viruses
>> Non-Forging Viruses
>> ClamAV Full Message Scan
>> That the message got requeued and delivered suggests some rather not
>> that wise settings here, perhaps:-)
>>
>> Cheers
>> --
>> -- Glenn
>> email: glenn<  dot>  steen<  at>  gmail<  dot>  com
>> work: glenn<  dot>  steen<  at>  ap1<  dot>  se
>>      
> Thank you Glenn. Please understand I was very happy with the RHEL
> system built from source but it does not meet some policies over which
> I have no control.
>
> From my original posting:
>    
>> Situation: Testing Eicar, external site to internal via gateway.
>> Problem:   Mismatch between reported information and actions.
>>
>> Email content says:
>> "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s)
>> for more information."
>>
>> Action was:
>> Appended the text into the body of email instead of an attachment.
>>      
> This is a case of not confusing Outlook users who expect an "attachment" to be
> separate from the body of the email. It is now solved.
> I have written a post-install script to change from  "Warning: Please read the
>   'CNM-Attachment-Warning.txt' attachment(s)  for more information."
>   to say "...read the appended information..." in
> /usr/share/MailScanner/reports/en/inline.warning.txt
>
>    
>> Email content says:
>> "Note to Help Desk: Look on the CNM () MailScanner in
>> /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)."
>>      
> The eicar data was NOT delivered. It was discarded as desired. The problem is
> the statement the content was quarantined and the help desk can find it.
> I would be happy to have all the statements about the help desk
> finding it removed.
> But as there are many files to modify I am not certain I would be
> doing the right thing.
>    
I would create your own "language" directory under 
/etc/MailScanner/reports specific for your own site. Base the contents 
on the ones in "en" but customise away to your heart's content. For 
example, all my site's reports are in /etc/MailScanner/reports/ECS.

The initial contents of those files is there for a few reasons
a) it saves most people a hell of a lot of work writing such stuff
b) it contains content that demonstrates all the available "$variables" 
in each report
c) it contains the text that I wanted when I first wrote it for myself.

The whole point is that you should change those files so they match your 
site's policy and setup.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
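
The site-directory approach described above, as an added example that is not part of the original message and is not MailScanner code: it clones the stock templates, lists the copies that still mention the help desk or the quarantine, and shows which config lines still point at the stock directory. The `SITE` directory name, the template text and the sample config are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not MailScanner code). Directory names, template text and
# the config written by make_sample_tree are constructed for the demo.

# Copy the stock templates to a site directory; never overwrite an existing
# one, so earlier customisations cannot be lost by re-running the script.
clone_reports() {
    [ -d "$1" ] || { echo "no template dir: $1" >&2; return 1; }
    [ ! -e "$2" ] || { echo "refusing to overwrite: $2" >&2; return 2; }
    mkdir -p "$(dirname "$2")" && cp -Rp "$1" "$2"
}

# Sorted names of templates under directory $1 that contain a line matching
# the case-insensitive extended regex in $2.
templates_mentioning() {
    (cd "$1" && grep -rliE -- "$2" . | sed 's|^\./||' | sort)
}

# Non-comment lines of the config ($1) that still reference directory $2.
conf_lines_using() {
    grep -v '^[[:space:]]*#' "$1" | grep -F -- "$2" || :
}

# Constructed fixture: a stock "en" directory and a config that points at it.
make_sample_tree() {
    mkdir -p "$1/reports/en"
    printf 'Warning: Please read the attachment(s) for more information.\n' \
        > "$1/reports/en/inline.warning.txt"
    printf 'Note to Help Desk: Look in the quarantine (message $id).\n' \
        > "$1/reports/en/stored.virus.message.txt"
    printf 'The sender has been notified.\n' > "$1/reports/en/sender.note.txt"
    printf '# stock: %s/reports/en\nInline Text Warning = %s/reports/en/inline.warning.txt\n' \
        "$1" "$1" > "$1/MailScanner.conf"
}

demo() {
    t=$(mktemp -d) && make_sample_tree "$t" &&
    clone_reports "$t/reports/en" "$t/reports/SITE" &&
    echo "Templates to review:" &&
    templates_mentioning "$t/reports/SITE" 'help desk|quarantine' &&
    echo "Config lines to repoint:" &&
    conf_lines_using "$t/MailScanner.conf" "$t/reports/en"
    rm -rf "$t"
}
demo
```

On a real host the source would be the installed `en` directory and the pattern whatever wording the site's policy no longer supports.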

