Mailscanner attach scan problem

Ante Gulam ante.gulam at ri-ing.hr
Thu Dec 2 20:54:55 GMT 2010


Hi,

I've purged all packages.. clam, sa, mailscanner.. even postfix..
Put it all together again from 0.. configured everything again.. there is not a
single error as far as I can see.
--debug, MailScanner -lint, mail.log in var/log ... everything seems fine
according to the logs..
BUT the same thing is happening when some attachment is sent.. there is no
pattern in the jamming.. sometimes zip, pdf, pptx..
But it seems to me only zip jams every single time... the other ones do pass
now and then.. :)

Does anyone have an idea what this could be? I'll write a script to clamd the
attachment and mv it to incoming if it passes the scan :))) ROFL.. this has to
go into production next week and this is not giving me confidence in
mailscanner.. What is strange to me is that there is no pattern in all this..
the proc sometimes goes <defunct> and sometimes just goes Starting child... if
I remember correctly.. I'm going to dig more till I find some solution..

Thnx.. regards..
Ante

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
mailscanner-request at lists.mailscanner.info
Sent: Thursday, December 02, 2010 1:02 PM
To: mailscanner at lists.mailscanner.info
Subject: MailScanner Digest, Vol 60, Issue 2


Today's Topics:

   1. Re: Problem with SQL config on MailScanner (Eduardo Casarero)
   2. Mailscanner attach scan problem (Ante Gulam)
   3. Re: Mailscanner attach scan problem (Jules Field)
   4. Re: Mailscanner attach scan problem (Glenn Steen)
   5. Re: Mailscanner attach scan problem (Alex Neuman van der Hans)
   6. Re: Mailscanner attach scan problem (Glenn Steen)
   7. new spam getting through (Jeff Mills)
   8. Re: new spam getting through (Gabor FUNK)
   9. Re: new spam getting through (peter at farrows.org)
  10. RE: new spam getting through (Jeff Mills)


----------------------------------------------------------------------

Message: 1
Date: Wed, 1 Dec 2010 10:46:14 -0300
From: Eduardo Casarero <ecasarero at gmail.com>
Subject: Re: Problem with SQL config on MailScanner
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID:
	<AANLkTi=dnMg890jVnb3b42SB5R5rPqwRcvBg9FFJZzdd at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

2010/12/1 Steve Freegard <steve.freegard at fsl.com>

> On 30/11/10 20:42, Eduardo Casarero wrote:
>
>> Hi everybody! Today i started playing with the sql config options for
>> MailScanner and i cant make it work.
>>
>> My "config" table definition:
>>
>> CREATE TABLE `config` (
>>   `id` int(11) NOT NULL auto_increment,
>>   `hostname` varchar(100) NOT NULL,
>>   `value` varchar(100) NOT NULL,
>>   `external` varchar(100) NOT NULL,
>>   `options` varchar(100) NOT NULL,
>>   PRIMARY KEY  (`id`)
>> ) ENGINE=MyISAM
>>
>> MailScanner.conf:
>>
>> DB DSN = DBI:mysql:dbname=mailscanner;host=localhost;port=3306
>> DB Username = root
>> DB Password = password
>> SQL Serial Number = SELECT value FROM config WHERE
>> options='confserialnumber'
>> SQL Quick Peek = SELECT value FROM config WHERE external=? AND hostname=?
>> SQL Config = SELECT options, value FROM config WHERE hostname=?
>> SQL Ruleset =
>> SQL SpamAssassin Config =
>> SQL Debug = yes
>>
>> this is the output i get:
>>
>> /opt/MailScanner/bin/MailScanner --debug --lint
>>
>> *Database functions disabled*
>> Trying to setlogsock(unix)
>>
>> Reading configuration file /opt/MailScanner/etc/MailScanner.conf
>> Read 865 hostnames from the phishing whitelist
>> Read 5278 hostnames from the phishing blacklists
>>
>> Checking version numbers...
>> Version number in MailScanner.conf (4.81.4) is correct.
>> (...)
>>
>> Does anybody have any idea of what i am doing wrong?
>>
>
> Looking at the code:
>
> + # Disable database functions if required data not present
> + if (!$dsn || !$db_user || !$db_pass) {
> +  $disabled = 1;
> +  print STDERR "Database functions disabled\n" if $debug;
> +  return undef;
> + }
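Review bot: The test `!$dsn || !$db_user || !$db_pass` relies on Perl truthiness, so an empty 'DB Password' (or one that is the string "0") disables the database functions even when the DSN and username are set. If accounts without a password are meant to work, check `defined $db_pass` instead; either way the message should name which of the three settings was found empty, and since it is printed only under `$debug`, a normal run gives no indication that the SQL configuration was skipped.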
>
> It would appear that the functions think that 'DB DSN', 'DB Username' or
> 'DB Password' fields evaluate to an empty value.
>
>
>
The problem was the empty password! thanks!



>> Also, if the line "include" is enabled at the end of MailScanner.conf
>> with a valid config file all the DB config seems to disappear, does
>> anybody know what the precedence is between the include and the db?
>>
>
> Not sure on this myself; personally I thought the whole include argument
> was weak, so I've never used it myself and never tested it with the
> database functions.  My advice would be to get the database functions
> working first by using MailScanner.conf only first.
>
> Regards,
> Steve.
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

------------------------------

Message: 2
Date: Wed, 1 Dec 2010 15:47:48 +0100
From: "Ante Gulam" <ante.gulam at ri-ing.hr>
Subject: Mailscanner attach scan problem
To: <mailscanner at lists.mailscanner.info>
Message-ID: <013101cb9166$b8d50110$2a7f0330$@gulam at ri-ing.hr>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

 

So I've configured my linux machine to be an antispam filter between my
Fortinet GW firewall and my exchange 2010 in my local domain for incoming
emails.. I've forwarded 25 out`inbound to linux and it relays it to EX10..
Relaying in Postfix works fine.. Then I've installed mailscanner with clam,
spamassassin etc. (removing clamav later, considering it a troublemaker in
this situation).. turns out it's not its fault! :)

So when I send mail from outside it goes cleanly to Postfix.. I can see
it in the /var/spool/postfix/hold folder.. the mailscanner proc analyzes it and
the mail goes to the incoming folder with not much bother.. BUT.. if I send
.zip, .exe or some other attachment.. even .pptx.. (log, txt etc. pass with no
delay) the mailscanner proc goes bad.. it blocks on MailScanner: starting
child.. Sometimes it goes <defunct>.. After that no mails pass
through.. with or without attachment. And files are filling up the hold folder
even if I'm not getting any new mails from anyone.. ??? i.e.:

  4 -rwx------  1 postfix postfix   2656 2010-12-01 15:28 D0D6F6CDCD*
  4 -rwx------  1 postfix postfix   3078 2010-12-01 15:08 DCE756CDCE*
  4 -rwx------  1 postfix postfix   3078 2010-12-01 15:08 C88226CDCC*
  4 -rwx------  1 postfix postfix    595 2010-12-01 15:07 CF3EB6CDB6*
416 -rwx------  1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*

It's really important for me to solve this but I have no ideas anymore..
I've configured postfix to check the header.. the header puts it into hold
and mailscanner should take over after.. I don't see any complication in
scanning the file and mv-ing it to incoming.. Also the conf file acts weird..
If I uncomment any AV it gives me an error while restarting
init.d/mailscanner ...

Interesting thing is: if I do mv * ../incoming/ in my hold folder, after
some delay I get the email that was causing trouble and all the mail that
came after it and was jammed.. and after that all seems to work fine until the
same thing happens.. I have spamassassin and no AV currently installed.. no
amavis, sophos, clamd etc.

Please, some quick advice to solve this matter..

Tnx 2 all.

Ps. If some snippet of conf is needed let me know! Tnx..


------------------------------

Message: 3
Date: Wed, 01 Dec 2010 15:58:36 +0000
From: Jules Field <MailScanner at ecs.soton.ac.uk>
Subject: Re: Mailscanner attach scan problem
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID:
	
<EMEW3|cff453fa40b7c175dd6085aea997f4f5mB0Fwh0bMailScanner|ecs.soton.ac.uk|4
CF670AC.30505 at ecs.soton.ac.uk>
	
Content-Type: text/plain; charset=windows-1252; format=flowed

Start off with a
MailScanner --lint
and see if that reports any errors.
Then get a single message into /var/spool/postfix/hold
and then
service MailScanner stop
MailScanner --debug
and see if you get one in the outgoing Postfix queue.
And then read your /var/log/maillog carefully, there may well be 
something of use in there.

Unfortunately your email doesn't tell us much more than that, so there's 
limited help I can provide.

Jules.

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
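
The two symptoms reported in this thread (messages left sitting in /var/spool/postfix/hold and MailScanner children shown as <defunct>) can be watched for with a small check. This is an added example, not part of any poster's message and not MailScanner's own code; the function names, the HOLD_DIR and MAX_AGE_MIN variables and the 15-minute threshold are assumptions.

```shell
#!/bin/sh
# Added example: detect a stalled MailScanner by the symptoms described in
# the thread. HOLD_DIR and the 15-minute threshold are assumptions.

HOLD_DIR="${HOLD_DIR:-/var/spool/postfix/hold}"
MAX_AGE_MIN="${MAX_AGE_MIN:-15}"

# Count queue files in directory $1 not modified for more than $2 minutes.
# A healthy scanner drains the hold queue, so old files mean it is stuck.
stale_hold_count() {
    dir=$1
    minutes=$2
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -type f -mmin +"$minutes" 2>/dev/null | wc -l | tr -d ' '
}

# Read "STAT COMMAND..." lines on stdin (the format of: ps -eo stat=,args=)
# and count zombie (state Z) processes whose command mentions MailScanner.
defunct_scanner_count() {
    awk '$1 ~ /^Z/ && /MailScanner/ { n++ } END { print n + 0 }'
}

# Print a one-line verdict; return 1 when either symptom is present.
check_scanner_health() {
    stale=$(stale_hold_count "$HOLD_DIR" "$MAX_AGE_MIN")
    zombies=$(ps -eo stat=,args= 2>/dev/null | defunct_scanner_count)
    if [ "$stale" -gt 0 ] || [ "$zombies" -gt 0 ]; then
        echo "WARN stale_hold=$stale defunct_children=$zombies"
        return 1
    fi
    echo "OK stale_hold=0 defunct_children=0"
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_scanner_health
fi
```

Run it with --run from cron or a monitoring agent; a WARN line is the cue to stop the service and repeat the --lint and --debug steps above on a single held message.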





------------------------------

Message: 4
Date: Wed, 1 Dec 2010 18:58:19 +0100
From: Glenn Steen <glenn.steen at gmail.com>
Subject: Re: Mailscanner attach scan problem
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID:
	<AANLkTik_OdJau-HUZXxn+s3PYZRzhk3QZTn5o6EpGrV8 at mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"

What version of mailscanner, postfix etc?
How did you install?

We might guess, but... Better if you tell us.

As to guesswork, my money would be equally split between real old
mailscanner version and a bad tnef expander ;-)

Cheers


------------------------------

Message: 5
Date: Wed, 1 Dec 2010 18:03:53 +0000
From: "Alex Neuman van der Hans" <alex at rtpty.com>
Subject: Re: Mailscanner attach scan problem
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID:
	
<986494996-1291226730-cardhu_decombobulator_blackberry.rim.net-655917271- at bd
a478.bisx.prod.on.blackberry>
	
Content-Type: text/plain

I would double that bet and say it's both at the same time!
-- 
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 832-6725
+1-440-253-9789 (USA)

Remember to visit http://vidadigital.com.pa/

BB PIN 20EA17C5
Twitter: @AlexNeuman - @VidaDigitalTV
http://facebook.com/vidadigital
Skype: alexneuman

------------------------------

Message: 6
Date: Wed, 1 Dec 2010 22:18:44 +0100
From: Glenn Steen <glenn.steen at gmail.com>
Subject: Re: Mailscanner attach scan problem
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID:
	<AANLkTi=dpnJq97-0BgjqT98fKuchiGvQkH510wkDoLMV at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

:-D
... You might be right... We'll just have to wait for Ante to get back with
some facts...


------------------------------

Message: 7
Date: Thu, 2 Dec 2010 16:56:07 +1100
From: Jeff Mills <Jeff.Mills at sydneytech.com.au>
Subject: new spam getting through
To: "mailscanner at lists.mailscanner.info"
	<mailscanner at lists.mailscanner.info>
Message-ID:
	<5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D at SERVER01.sts.local>
Content-Type: text/plain; charset="us-ascii"

Is anyone else having issues with some new very simple spam coming through
in the last 48 hours?
I'm having a lot of trouble blocking this stuff because the URL changes all
the time as well as the text.

Here is an example:
http://pastebin.com/kuAH2GUY


Has anyone managed to come up with anything to stop it?


------------------------------

Message: 8
Date: Thu, 2 Dec 2010 10:55:40 +0100
From: "Gabor FUNK" <FUNK.Gabor at hunetkft.hu>
Subject: Re: new spam getting through
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID: <9F5B4C699954459C95E71FB252F725C9 at M2007>
Content-Type: text/plain; charset="iso-8859-1"

"x dot co" (url shortener registered in columbia, ~half a year ago) is
listed in URIBL as of DEC 01 22:31:08 GMT, anyone using it for blocking or
scoring should be ok now...

G.

------------------------------

Message: 9
Date: Thu, 2 Dec 2010 10:13:34 +0000
From: peter at farrows.org
Subject: Re: new spam getting through
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID:
	
<847718099-1291284816-cardhu_decombobulator_blackberry.rim.net-2002076051- at b
28.c11.bise7.blackberry>
	
Content-Type: text/plain

Greylisting stops this for me.
------------------------------

Message: 10
Date: Thu, 2 Dec 2010 22:14:38 +1100
From: Jeff Mills <Jeff.Mills at sydneytech.com.au>
Subject: RE: new spam getting through
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID:
	<5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69E at SERVER01.sts.local>
Content-Type: text/plain; charset="us-ascii"



> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of peter at farrows.org
> Sent: Thursday, 2 December 2010 9:14 PM
> To: MailScanner discussion
> Subject: Re: new spam getting through
> 
> Greylisting stops this for me.
> ------------------
> 

Strange. All of the ones that have been getting through to me have come from
hotmail servers, so greylisting has not stopped it.



------------------------------



End of MailScanner Digest, Vol 60, Issue 2
******************************************