Mismatch between report and actions

Robert Lopez rlopezcnm at gmail.com
Tue Jun 30 15:17:37 IST 2009


On Tue, Jun 30, 2009 at 2:49 AM, Glenn Steen<glenn.steen at gmail.com> wrote:
> 2009/6/29 Robert Lopez <rlopezcnm at gmail.com>:
>> On Mon, Jun 29, 2009 at 8:43 AM, Glenn Steen<glenn.steen at gmail.com> wrote:
>>> 2009/6/29 Robert Lopez <rlopezcnm at gmail.com>:
>>>> On Mon, Jun 29, 2009 at 8:11 AM, Glenn Steen<glenn.steen at gmail.com> wrote:
>>>>> 2009/6/29 Robert Lopez <rlopezcnm at gmail.com>:
>>>>>> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen<glenn.steen at gmail.com> wrote:
>>>>>>> 2009/6/26 Robert Lopez <rlopezcnm at gmail.com>:
>>>>>>>> HP ProLiant DL360 G5
>>>>>>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz
>>>>>>>> 8 G RAM
>>>>>>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009
>>>>>>>> x86_64 GNU/Linux
>>>>>>>> Ubuntu 9.04 (jaunty)
>>>>>>>> MailScanner version 4.74.16
>>>>>>>> Postfix version 2.5.5
>>>>>>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0
>>>>>>>> (I know there are newer versions. These are Ubuntu apt-get...)
>>>>>>>>
>>>>>>>>
>>>>> (snip error...)
>>>>>>>>
>>>>>>> Do the upgrades needed ... MailScanner, possibly SA and Clam as well.
>>>>>>> If this means leaving the Ubuntu/apt thing behind, then so be it.
>>>>>>> If you still observe the same behavior... Then we'll look at other things:-).
>>>>>>>
>>>>>>> Cheers
>>>>> (snip)
>>>>>>
>>>>>> Thank you Glenn,
>>>>>>
>>>>>> Changing from Ubuntu is not my decision to make. My current project is
>>>>>> comparing a system built with RHEL and files from Julian's site to this
>>>>>> one.
>>>>>>
>>>>> I didn't say "ditch Ubuntu", just the ubuntu packaging of
>>>>> MailScanner;-). You could probably live pretty well with the source
>>>>> tarball, for example.
>>>>>
>>>>> Cheers
>>>>> --
>>>>> -- Glenn
>>>>> email: glenn < dot > steen < at > gmail < dot > com
>>>>> work: glenn < dot > steen < at > ap1 < dot > se
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner at lists.mailscanner.info
>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>
>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>
>>>>> Support MailScanner development - buy the book off the website!
>>>>>
>>>>
>>>> Again, Thank you Glenn.
>>>>
>>>> I have to attend to the root cause of the problem I wrote about. The
>>>> issue you reply to is a policy issue upon which I have no influence. I
>>>> was very happy with the test system built with tar files. My
>>>> management is not.
>>>>
>>> Why? They will just get an added delay and no real benefit (stability
>>> or otherwise) from sticking to more or less outdated "debianized"
>>> packages. Sigh. Get a clue-by-four and start whacking;-):-) One cannot
>>> fight bleeding edge malware/spam with trailing edge, or even sometimes
>>> moderately modern (like this problem instance;), protection systems.
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> email: glenn < dot > steen < at > gmail < dot > com
>>> work: glenn < dot > steen < at > ap1 < dot > se
>>>
>>
>> Glenn I totally agree with you. But your comments are not helpful. I
>> have stated I have no control over institutional policies.
>>
> That being the case, I'm not entirely sure we will be able to help
> you. My prompting you to upgrade isn't just the semi-unhelpful comment
> it may seem. There were some changes to the Postfix handling (mostly
> when used with milters, true) recently, as well as some other
> important fixes (IIRC there were some problems with the MIME tools
> perl module... I might remember wrong, but I don't think I do:-). Also,
> since you use the Ubuntu packaging, you are likely to be using the
> perl modules from the same source... I'm not sure, but I rather
> suspect that that may be as bad as mixing the "MailScanner perl
> modules" from certain other distros into the brew...
> Going to a "source" install (as you've obviously tried) would take
> some of the uncertainties out of the picture, as well as enabling you
> to use the latest/greatest of MailScanner (at your own discretion, of
> course)... So that you decide when you need to upgrade, not some
> packager. Usually, the latter is the norm for most distros, and frankly
> the sane thing to do. But not with a system like MailScanner, IMO.
>
> Anyway, that is neither here nor there. If you can't change what beta
> you are using, that is the way it is.
> Back to the original message then... Hmm.
>
> This wouldn't be stored as spam, it would likely be stored in a
> directory named like the queue file ID + the random bit... so did you
> search for a file specifically? It should all be there in the
> /var/spool/MailScanner/quarantine/20090626/E0CE312F.5E6C5 directory.
>
> I suppose that if the mime explosion didn't go well, for some reason,
> you might see some strange results... Hmm.
>
> What are your settings in MailScanner.conf for
> Deliver Disinfected Files
> Silent Viruses
> Still Deliver Silent Viruses
> Non-Forging Viruses
> ClamAV Full Message Scan
> That the message got requeued and delivered suggests some rather not
> that wise settings here, perhaps:-)
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>

Thank you Glenn. Please understand I was very happy with the RHEL
system built from source but it does not meet some policies over which
I have no control.

From my original posting:
> Situation: Testing Eicar, external site to internal via gateway.
> Problem:   Mismatch between reported information and actions.
>
> Email content says:
> "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s)
> for more information."
>
> Action was:
> Appended the text into the body of email instead of an attachment.

This is a case of not confusing Outlook users who expect an "attachment" to be
separate from the body of the email. It is now solved.
I have written a post-install script to change from "Warning: Please read the
'CNM-Attachment-Warning.txt' attachment(s) for more information."
to say "...read the appended information..." in
/usr/share/MailScanner/reports/en/inline.warning.txt

> Email content says:
> "Note to Help Desk: Look on the CNM () MailScanner in
> /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)."

The eicar data was NOT delivered. It was discarded as desired. The problem is
the statement the content was quarantined and the help desk can find it.
I would be happy to have all the statements about the help desk
finding it removed.
But as there are many files to modify I am not certain I would be
doing the right thing.

>
> Action was:
> "/var/spool/MailScanner/quarantine/20090626" has one dir which is "spam".
> "/var/spool/MailScanner/quarantine/20090626/spam" has one file which
> is "3A59B34D.274DC" and it contains a discarded gtube test.
> Find says there is no E0CE312F.5E6C5 file on disks.

As there is just not much on this system, I did a find / ... for the
file and it was not found.

In the case of virus, discarding the file, as has been done, is
perfectly acceptable.
In the case of spam, it would be good to be able to recover any false positives.
So the actions being taken are as desired.
It is just the report texts which are not precisely matching the actions.
I am preparing to modify all the stored.xxxxx.message.test files
if that action does not cover up any other problem I should be addressing.


> What are your settings in MailScanner.conf for
> Deliver Disinfected Files
Deliver Cleaned Messages = yes
Deliver Disinfected Files = no
> Silent Viruses
Silent Viruses = HTML-IFrame All-Viruses
> Still Deliver Silent Viruses
Still Deliver Silent Viruses = no
> Non-Forging Viruses
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
> ClamAV Full Message Scan
ClamAV Full Message Scan = yes

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
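As an added illustration (not MailScanner's own code and not part of the thread), a small Python model of how the virus-handling settings posted above combine for a given scanner report. The case-insensitive substring matching rule and the treatment of the All-Viruses keyword are assumptions; the config text is constructed from the settings in the reply.

```python
SAMPLE_CONF = """
Deliver Cleaned Messages = yes
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
ClamAV Full Message Scan = yes
"""  # constructed from the settings posted in the thread


def parse_conf(text):
    """Parse 'Key = value' lines into a dict; skip blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def matches(entries, report):
    """Assumed matching rule: case-insensitive substring match of each
    space-separated name against the scanner's report text; the keyword
    All-Viruses matches every report."""
    report = report.lower()
    for name in entries.split():
        if name.lower() == "all-viruses" or name.lower() in report:
            return True
    return False


def decide(conf, virus_report):
    """Return (sender_notified, message_delivered) for one infected message.

    Non-Forging Viruses overrides Silent Viruses, so those senders are told.
    Silent viruses are delivered only if Still Deliver Silent Viruses = yes;
    everything else follows Deliver Cleaned Messages.
    """
    non_forging = matches(conf.get("Non-Forging Viruses", ""), virus_report)
    silent = not non_forging and matches(conf.get("Silent Viruses", ""), virus_report)
    if silent:
        delivered = conf.get("Still Deliver Silent Viruses", "no") == "yes"
    else:
        delivered = conf.get("Deliver Cleaned Messages", "yes") == "yes"
    return (not silent, delivered)
```

With these settings an Eicar hit is non-forging, so the sender is notified and the cleaned message is delivered with the warning text, which matches the behaviour described above.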

