Trying to get MCP working

Glenn Steen glenn.steen at gmail.com
Fri Oct 30 10:10:04 GMT 2009


Don't use MCP. Use SA rule hit actions instead. If your version lacks
that, then upgrade to one that has it...!
Cheers
-- 
-- Glenn

2009/10/29, Antony Stone <Antony.Stone at mailscanner.open.source.it>:
> Hi.
>
> I'm trying to get Message Content Protection working and failing miserably
> :(
>
> I'm using Debian Lenny, with MailScanner 4.74.16 installed from backports,
> SpamAssassin 3.2.5, and Exim 4.69 as the MTA.
>
> Mail delivery works, MailScanner is working, doing its internal tests, and is
> passing the email to SpamAssassin and ClamAV for checking.  Both a GTUBE and
> an EICAR email get detected and processed correctly.
>
> However, I can't for the life of me get MCP performing any tests.
>
> I've posted the relevant section of MailScanner.conf below, as well as the
> test which I'm using as an example rule.  When email goes through the
> machine, I get the following entries in /var/log/mail.log (I've removed the
> hostname for anonymity and to keep the lines shorter):
>
> Firstly, an email with the GTUBE spam signature in it:
>
> Oct 29 18:47:41 MailScanner[26202]: New Batch: Scanning 1 messages, 1064 bytes
> Oct 29 18:47:41 MailScanner[26202]: Saved archive copies of 1N3a27-0006op-Mw
> Oct 29 18:47:42 MailScanner[26202]: Spam Checks: Found 1 spam messages
> Oct 29 18:47:42 MailScanner[26202]: MCP Checks: Starting
> Oct 29 18:47:42 MailScanner[26202]: Virus and Content Scanning: Starting
> Oct 29 18:47:45 MailScanner[26202]: Uninfected: Delivered 1 messages
>
> Headers on the received mail include:
>
> X-MailScanner-MCPCheck: MCP-Clean, MCP-Checker (score=0,
>     required 1)
> X-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
>     score=1001.459, required 6, ALL_TRUSTED -1.44, GTUBE 1000.00,
>     TVD_SPACE_RATIO 2.90)
>
> Now, an email which should match my MCP rule:
>
> Oct 29 18:48:15 MailScanner[26202]: New Batch: Scanning 1 messages, 1064 bytes
> Oct 29 18:48:15 MailScanner[26202]: Saved archive copies of 1N3a2d-0006p2-6u
> Oct 29 18:48:16 MailScanner[26202]: MCP Checks: Starting
> Oct 29 18:48:16 MailScanner[26202]: Virus and Content Scanning: Starting
> Oct 29 18:48:18 MailScanner[26202]: Uninfected: Delivered 1 messages
>
> Headers on the received mail include:
>
> X-MailScanner-MCPCheck: MCP-Clean, MCP-Checker (score=0,
>     required 1)
> X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
>     score=1.459, required 6, ALL_TRUSTED -1.44, TVD_SPACE_RATIO 2.90)
>
> I created my MCP test by taking the GTUBE test from SpamAssassin's
> 20_body_tests.cf, renaming it to NYLON, and replacing the letters G T U B E
> in the middle of the search pattern with N Y L O N.  Here is the content
> of /etc/MailScanner/mcp/20_body_tests.cf (I didn't change the filename in
> case I was missing something subtle about the required format for these):
>
> body
> NYLON
> /XJS\*C4JDBQADN1\.NSBN3\*2IDNEN\*NYLON-STANDARD-ANTI-UBE-TEST-EMAIL\*C\.34X/
> describe NYLON          Generic Test for Message Content Protection
> tflags NYLON            userconf noautolearn
> score NYLON             42
>
> (Yes, the first line of the file does correctly have "body NYLON /XJS\*...."
> all on one line - it's simply wrapped here in my mail client.)
>
> So, SpamAssassin is working when called for spam checks, but not when called
> for MCP checks.
>
> What have I missed, or how can I debug this further, please?
>
> I've seen several postings in list archives saying that people have found
> "First Check = spam" to work, and "First Check = mcp" not to work, however I
> have left mine as the default "spam" as you can see below.
>
> Here's the entire MCP section of my MailScanner.conf:
>
> -------
> MCP Checks = yes
>
> # Do the spam checks first, or the MCP checks first?
> # This cannot be the filename of a ruleset, only a fixed value.
> First Check = spam
>
> # The rest of these options are clones of the equivalent spam options
> MCP Required SpamAssassin Score = 1
> MCP High SpamAssassin Score = 10
> MCP Error Score = 1
>
> MCP Header = X-%org-name%-MailScanner-MCPCheck:
> Non MCP Actions = deliver header "X-MCP-Status: No"
> MCP Actions = deliver header "X-MCP-Status: Yes"
> High Scoring MCP Actions = deliver header "X-MCP-Status: Yes"
> Bounce MCP As Attachment = no
>
> MCP Modify Subject = start
> MCP Subject Text = {MCP?}
> High Scoring MCP Modify Subject = start
> High Scoring MCP Subject Text = {MCP?}
>
> Is Definitely MCP = no
> Is Definitely Not MCP = no
> Definite MCP Is High Scoring = no
> Always Include MCP Report = yes
> Detailed MCP Report = yes
> Include Scores In MCP Report = yes
> Log MCP = yes
>
> MCP Max SpamAssassin Timeouts = 20
> MCP Max SpamAssassin Size = 100k
> MCP SpamAssassin Timeout = 10
>
> MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
> MCP SpamAssassin User State Dir =
> MCP SpamAssassin Local Rules Dir = %mcp-dir%
> MCP SpamAssassin Default Rules Dir = %mcp-dir%
> MCP SpamAssassin Install Prefix = %mcp-dir%
> Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
> Sender MCP Report = %report-dir%/sender.mcp.report.txt
> -------
>
> If I can supply any further config files or debug output to help diagnose
> this, please let me know what's needed.
>
> Many thanks - I hope someone knows how to get MCP working!
>
>
> Regards,
>
>
> Antony Stone.
>
> --
> "It would appear we have reached the limits of what it is possible to achieve
> with computer technology, although one should be careful with such
> statements; they tend to sound pretty silly in five years."
>
>  - John von Neumann (1949)
>
> Please reply to the list; please don't CC me.

-- 
Sent from my mobile device

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
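
A triage helper for the symptom in the quoted message, added here as an example and not part of the thread or of MailScanner: it applies the posted `body` rule to a message offline and compares the score that rule should produce with the score reported in the `X-MailScanner-MCPCheck` header. The sample message, its addresses and the function names are constructed; only simple `body` and `score` lines are parsed.

```python
import re
from email import message_from_string

# The rule from the post, with its first line unwrapped onto one line.
RULES_CF = r"""body NYLON /XJS\*C4JDBQADN1\.NSBN3\*2IDNEN\*NYLON-STANDARD-ANTI-UBE-TEST-EMAIL\*C\.34X/
describe NYLON          Generic Test for Message Content Protection
tflags NYLON            userconf noautolearn
score NYLON             42
"""

# Constructed test message carrying the MCP header seen in the post.
SAMPLE_MSG = """\
From: sender@example.com
To: rcpt@example.com
Subject: MCP test
X-MailScanner-MCPCheck: MCP-Clean, MCP-Checker (score=0,
    required 1)

XJS*C4JDBQADN1.NSBN3*2IDNEN*NYLON-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
"""

def parse_rules(cf_text):
    """Return {name: (compiled_regex, score)} for simple 'body' rules."""
    patterns, scores = {}, {}
    for line in cf_text.splitlines():
        m = re.match(r"body\s+(\w+)\s+/(.*)/\s*$", line)
        if m:
            patterns[m.group(1)] = re.compile(m.group(2))
            continue
        m = re.match(r"score\s+(\w+)\s+(-?[\d.]+)", line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    # A rule with no score line gets SpamAssassin's default of 1.0.
    return {n: (rx, scores.get(n, 1.0)) for n, rx in patterns.items()}

def triage(raw_msg, cf_text):
    """Compare the score the rules should give with the reported MCP score."""
    msg = message_from_string(raw_msg)
    body = msg.get_payload()  # raw body; approximates SpamAssassin's rendered text
    expected = sum(s for rx, s in parse_rules(cf_text).values() if rx.search(body))
    hdr = " ".join(msg.get("X-MailScanner-MCPCheck", "").split())  # unfold header
    m = re.search(r"score=(-?[\d.]+),\s*required\s+(-?[\d.]+)", hdr)
    reported = float(m.group(1)) if m else None
    required = float(m.group(2)) if m else None
    return {"expected": expected, "reported": reported, "required": required,
            "rule_not_applied": reported is not None and expected > reported}

if __name__ == "__main__":
    print(triage(SAMPLE_MSG, RULES_CF))
```

When `rule_not_applied` is true the pattern itself matches the message, so the fault lies in how the MCP run loads or applies the rule file, not in the rule.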
