SOLVED Re: Mismatch between report and actions

Robert Lopez rlopezcnm at gmail.com
Wed Jul 1 15:27:12 IST 2009


On Wed, Jul 1, 2009 at 2:15 AM, Julian Field<MailScanner at ecs.soton.ac.uk> wrote:
>
>
> On 30/06/2009 15:17, Robert Lopez wrote:
>>
>> On Tue, Jun 30, 2009 at 2:49 AM, Glenn Steen<glenn.steen at gmail.com>
>>  wrote:
>>
>>>
>>> 2009/6/29 Robert Lopez<rlopezcnm at gmail.com>:
>>>
>>>>
>>>> On Mon, Jun 29, 2009 at 8:43 AM, Glenn Steen<glenn.steen at gmail.com>
>>>>  wrote:
>>>>
>>>>>
>>>>> 2009/6/29 Robert Lopez<rlopezcnm at gmail.com>:
>>>>>
>>>>>>
>>>>>> On Mon, Jun 29, 2009 at 8:11 AM, Glenn Steen<glenn.steen at gmail.com>
>>>>>>  wrote:
>>>>>>
>>>>>>>
>>>>>>> 2009/6/29 Robert Lopez<rlopezcnm at gmail.com>:
>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen<glenn.steen at gmail.com>
>>>>>>>>  wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2009/6/26 Robert Lopez<rlopezcnm at gmail.com>:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> HP ProLiant DL360 G5
>>>>>>>>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz
>>>>>>>>>> 8 G RAM
>>>>>>>>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009
>>>>>>>>>> x86_64 GNU/Linux
>>>>>>>>>> Ubuntu 9.04 (jaunty)
>>>>>>>>>> MailScanner version 4.74.16
>>>>>>>>>> Postfix version 2.5.5
>>>>>>>>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0
>>>>>>>>>> (I know there are newer versions. These are Ubuntu apt-get...)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>
>>>>>>> (snip error...)
>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Do the upgrades needed ... MailScanner, possibly SA and Clam as
>>>>>>>>> well.
>>>>>>>>> If this means leaving the Ubuntu/apt thing behind, then so be it.
>>>>>>>>> If you still observe the same behavior... Then we'll look at other
>>>>>>>>> things:-).
>>>>>>>>>
>>>>>>>>> Cheers
>>>>>>>>>
>>>>>>>
>>>>>>> (snip)
>>>>>>>
>>>>>>>>
>>>>>>>> Thank you Glenn,
>>>>>>>>
>>>>>>>> Changing from Ubuntu is not my decision to make. My current project
>>>>>>>> is
>>>>>>>> comparing a system built with RHEL and files from Julian's site to
>>>>>>>> this
>>>>>>>> one.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> I didn't say "ditch Ubuntu", just the ubuntu packaging of
>>>>>>> MailScanner;-). You could probably live pretty well with the source
>>>>>>> tarball, for example.
>>>>>>>
>>>>>>> Cheers
>>>>>>> --
>>>>>>> -- Glenn
>>>>>>> email: glenn<  dot>  steen<  at>  gmail<  dot>  com
>>>>>>> work: glenn<  dot>  steen<  at>  ap1<  dot>  se
>>>>>>> --
>>>>>>> MailScanner mailing list
>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>
>>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>>
>>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Again, Thank you Glenn.
>>>>>>
>>>>>> I have to attend to the root cause of the problem I wrote about. The
>>>>>> issue you reply to is a policy issue upon which I have no influence. I
>>>>>> was very happy with the test system built with tar files. My
>>>>>> management is not.
>>>>>>
>>>>>>
>>>>>
>>>>> Why? They will just get an added delay and no real benefit (stability
>>>>> or otherwise) from sticking to more or less outdated "debianized"
>>>>> packages. Sigh. Get a clue-by-four and start whacking;-):-) One cannot
>>>>> fight bleeding edge malware/spam with trailing edge, or even sometimes
>>>>> moderately modern (like this problem instance;), protection systems.
>>>>>
>>>>> Cheers
>>>>> --
>>>>> -- Glenn
>>>>> email: glenn<  dot>  steen<  at>  gmail<  dot>  com
>>>>> work: glenn<  dot>  steen<  at>  ap1<  dot>  se
>>>>>
>>>>>
>>>>
>>>> Glenn I totally agree with you. But your comments are not helpful. I
>>>> have stated I have no control over institutional policies.
>>>>
>>>>
>>>
>>> That being the case, I'm not entirely sure we will be able to help
>>> you. My prompting you to upgrade isn't just the semi-unhelpful comment
>>> it may seem. There were some changes to the Postfix handling (mostly
>>> when used with milters, true) recently, as well as some other
>>> important fixes (IIRC there were some problems with the MIME tools
>>> perl module... I might remember wrong, but I don't think I do:-). Also,
>>> since you use the Ubuntu packaging, you are likely to be using the
>>> perl modules from the same source... I'm not sure, but I rather
>>> suspect that that may be as bad as mixing the "MailScanner perl
>>> modules" from certain other distros into the brew...
>>> Going to a "source" install (as you've obviously tried) would take
>>> some of the uncertainties out of the picture, as well as enabling you
>>> to use the latest/greatest of MailScanner (at your own discretion, of
>>> course)... So that you decide when you need upgrade, not some
>>> packager. Usually, the latter is the norm for most distros, and frankly
>>> the sane thing to do. But not with a system like MailScanner, IMO.
>>>
>>> Anyway, that is neither here nor there. If you can't change what beta
>>> you are using, that is the way it is.
>>> Back to the original message then... Hmm.
>>>
>>> This wouldn't be stored as spam, it would likely be stored in a
>>> directory named like the queue file ID + the random bit... so did you
>>> find for a file specifically? it should all be there in the
>>> /var/spool/MailScanner/quarantine/20090626/E0CE312F.5E6C5 directory.
>>>
>>> I suppose that if the mime explosion didn't go well, for some reason,
>>> you might see some strange results... Hmm.
>>>
>>> What are your settings in MailScanner.conf for
>>> Deliver Disinfected Files
>>> Silent Viruses
>>> Still Deliver Silent Viruses
>>> Non-Forging Viruses
>>> ClamAV Full Message Scan
>>> That the message got requeued and delivered suggests some rather not
>>> that wise settings here, perhaps:-)
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> email: glenn<  dot>  steen<  at>  gmail<  dot>  com
>>> work: glenn<  dot>  steen<  at>  ap1<  dot>  se
>>>
>>>
>>
>> Thank you Glenn. Please understand I was very happy with the RHEL
>> system built from source but it does not meet some policies over which
>> I have no control.
>>
>> From my original posting:
>>
>>>
>>> Situation: Testing Eicar, external site to internal via gateway.
>>> Problem:   Mismatch between reported information and actions.
>>>
>>> Email content says:
>>> "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s)
>>> for more information."
>>>
>>> Action was:
>>> Appended the text into the body of email instead of an attachment.
>>>
>>
>> This is a case of not confusing Outlook users who expect an "attachment"
>> to be
>> separate from the body of the email. It is now solved.
>> I have written a post-install script to change from  "Warning: Please read
>> the
>>  'CNM-Attachment-Warning.txt' attachment(s)  for more information."
>>  to say "...read the appended information..." in
>> /usr/share/MailScanner/reports/en/inline.warning.txt
>>
>>
>>>
>>> Email content says:
>>> "Note to Help Desk: Look on the CNM () MailScanner in
>>> /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)."
>>>
>>
>> The eicar data was NOT delivered. It was discarded as desired. The problem
>> is
>> the statement the content was quarantined and the help desk can find it.
>> I would be happy to have all the statements about the help desk
>> finding it removed.
>> But as there are many files to modify I am not certain I would be
>> doing the right thing.
>>
>
> I would create your own "language" directory under /etc/MailScanner/reports
> specific for your own site. Base the contents on the ones in "en" but
> customise away to your heart's content. For example, all my site's reports
> are in /etc/MailScanner/reports/ECS.
>
> The initial contents of those files are there for a few reasons
> a) it saves most people a hell of a lot of work writing such stuff
> b) it contains content that demonstrates all the available "$variables" in
> each report
> c) it contains the text that I wanted when I first wrote it for myself.
>
> The whole point is that you should change those files so they match your
> site's policy and setup.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>
>
>

Jules I totally agree. I have started doing this.  I am good on this issue now.
So far in my comparison of your files from your site on RHEL to the
Ubuntu available files I also agree with your assessments of changes
made in the Ubuntu packages.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
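
The site-specific report directory suggested in the thread, sketched as an added example that is not part of the original messages: it copies the stock "en" reports to a new directory, lists the files that still point readers at the quarantine, and applies the two wording changes discussed. The function names, the sample file `sample.report.txt` and the sample template wording are assumptions; the script does not edit MailScanner.conf, so pointing MailScanner at the new directory is left to the administrator.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, the site name and the sample
# wording are assumptions; compare against your installed report files.

# Build a small constructed "en" tree to try the functions on.
make_sample_tree() {
    mkdir -p "$1/en"
    printf '%s\n' "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s) for more information." \
        > "$1/en/inline.warning.txt"
    printf '%s\n' 'A virus was found.' \
        'Note to Help Desk: Look on the MailScanner in QUARANTINE-DIR (message MESSAGE-ID).' \
        'Postmaster' > "$1/en/sample.report.txt"   # constructed file name
}

# Copy the stock reports to a site directory; never overwrite an existing one,
# so local edits survive and the packaged "en" files stay untouched.
clone_reports() {
    if [ ! -d "$1" ]; then echo "no such source: $1" >&2; return 1; fi
    if [ -e "$2" ]; then echo "refusing to overwrite $2" >&2; return 2; fi
    cp -R "$1" "$2"
}

# List files that still mention the help desk or the quarantine, for review.
files_mentioning_quarantine() {
    grep -rlEi 'help desk|quarantine' "$1" | sort
}

# Reword the attachment warning and drop single-line "Note to Help Desk" lines.
# Notes wrapped over several lines are not handled and need a manual edit.
fix_wording() {
    grep -rlE 'attachment\(s\)|^Note to Help Desk:' "$1" | while IFS= read -r f; do
        sed -e "s/read the '[^']*' attachment(s) for more information/read the appended information/" \
            -e '/^Note to Help Desk:/d' "$f" > "$f.new" && mv "$f.new" "$f"
    done
}

# Usage: clone_reports /usr/share/MailScanner/reports/en /etc/MailScanner/reports/CNM
#        files_mentioning_quarantine /etc/MailScanner/reports/CNM
#        fix_wording /etc/MailScanner/reports/CNM
```

Running `files_mentioning_quarantine` again after `fix_wording` shows which reports still promise a quarantined copy and need editing by hand.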

