From nsnidanko at harperpowerproducts.com Mon Jan 3 20:34:30 2011
From: nsnidanko at harperpowerproducts.com (Naz Snidanko)
Date: Mon Jan 3 20:34:43 2011
Subject: weird mailscanner clamd error
Message-ID: <9453A32CAC9FFB4D8F59285E34B6A50610A9B2@hotc_exch.harperotc.com>

I have weird stuff happening. When we put any file into ZIP archive created from Winzip or Winrar I get the following log in mail.log:

Jan 3 15:14:43 ares MailScanner[5103]: Virus and Content Scanning: Starting
Jan 3 15:14:43 ares MailScanner[5103]: Clamd::ERROR:: Access denied. ERROR :: ./66522203B7.AD6EB/zRicohdeviceUsersetup.doc
Jan 3 15:14:43 ares MailScanner[5103]: Virus Scanning: Clamd found 1 infections
Jan 3 15:14:43 ares MailScanner[5103]: Virus Scanning: Found 1 viruses
Jan 3 15:14:43 ares MailScanner[5103]: Spam Checks: Starting

File delivered after passing mailscanner to final destination.

When I put the same file into ZIP archive using built-in Windows XP engine it works flawlessly and no error log is generated. No error is generated when same file is put within .rar archive either.

I've tried different files anything from jpeg to pdf and end up with error described above.

Can someone point me in the right direction how to troubleshoot this within mailscanner.

System:

Clamd 0.96.5
Ubuntu Server 10.04
MailScanner 4.82.3
Perl 5.10.1

Thank you,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko@harperpowerproducts.com

From ben at electricembers.net Mon Jan 3 22:46:56 2011
From: ben at electricembers.net (Benjamin)
Date: Mon Jan 3 23:10:22 2011
Subject: Virus attachments not replaced with warning text
References: <4C5BEB05.5050408@ecs.soton.ac.uk>
Message-ID:

> So it looks like the attachment is not being removed because it is
> treated as a silent virus?
>
> My silent virus settings are:
>
> Silent Viruses = HTML-IFrame All-Viruses
> Still Deliver Silent Viruses = yes
> Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar Zip-Password
>
> I guess "eicar" is matched (not sure if "Non-Forging Viruses" is
> case-sensitive, or not) but the comments in the config file explicitly
> say (for "Still Deliver Silent Viruses"): "Still deliver (after
> cleaning) messages that contained viruses listed
> # in the above option ("Silent Viruses") to the recipient?". But for
> whatever reason the cleaning step is not done here.

We too used to quarantine, clean, tag, and deliver the original messages without the viral attachments (and occasionally had folks write to have us release the stuff from quarantine!) But then we noticed we were actually just copying to quarantine, *not* cleaning (AKA removing) the attachments, tagging, and delivering the message *with* the viral attachment intact!?

I don't see how based on our settings:

Virus Scanning = yes
Virus Scanners = clamd
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame HTML-Codebase All-Viruses
Still Deliver Silent Viruses = %rules-dir%/virus.delivery.rules { no for a bunch of listserv addy's, To: default yes }
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/
Quarantine Infections = yes
Quarantine Silent Viruses = yes
Quarantine Modified Body = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = yes
Deliver Cleaned Messages = yes
Notify Senders = no
Notify Senders Of Viruses = no
Warning Is Attachment = yes
Send Notices = no

So I've changed to

Silent Viruses =

-which causes the viri to actually be cleaned. (Only now the Warning Is Attachment = yes setting seems to be ignored, as the message body is *replaced* with our warning message, inline.)

Did the meaning of "Silent Viruses" change? Is something broken? Or am I missing something? How can I help?

Thanks in advance!

Running on FreeBSD 6.2-RELEASE
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.81.4

From mmcintosh at infowall.com Tue Jan 4 05:29:01 2011
From: mmcintosh at infowall.com (Mark McIntosh)
Date: Tue Jan 4 05:29:20 2011
Subject: Images stripped out of signature on outgoing mail
Message-ID: <4D22B01D.9030508@infowall.com>

Hello All,

I have a user whose image is stripped out of his outgoing mail. Many other users seem to have no issue of this type. It works if it is one of the domains whose mail I host but to outside servers this image is being stripped. I look through the archives and found multiple items concerning signature replication but nothing on this. If anyone has any ideas it would be appreciated.

I hope everyone has had a good new year.

Mark McIntosh

From glenn.steen at gmail.com Tue Jan 4 10:40:03 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jan 4 10:40:13 2011
Subject: weird mailscanner clamd error
In-Reply-To: <9453A32CAC9FFB4D8F59285E34B6A50610A9B2@hotc_exch.harperotc.com>
References: <9453A32CAC9FFB4D8F59285E34B6A50610A9B2@hotc_exch.harperotc.com>
Message-ID:

On 3 January 2011 21:34, Naz Snidanko wrote:
> I have weird stuff happening. When we put any file into ZIP archive created
> from Winzip or Winrar I get the following log in mail.log:
>
> Jan 3 15:14:43 ares MailScanner[5103]: Virus and Content Scanning: Starting
>
> Jan 3 15:14:43 ares MailScanner[5103]: Clamd::ERROR:: Access denied. ERROR
> :: ./66522203B7.AD6EB/zRicohdeviceUsersetup.doc
>
> Jan 3 15:14:43 ares MailScanner[5103]: Virus Scanning: Clamd found 1
> infections
>
> Jan 3 15:14:43 ares MailScanner[5103]: Virus Scanning: Found 1 viruses
>
> Jan 3 15:14:43 ares MailScanner[5103]: Spam Checks: Starting
>
> File delivered after passing mailscanner to final destination.
>
> When I put the same file into ZIP archive using built-in Windows XP engine
> it works flawlessly and no error log is generated. No error is generated
> when same file is put within .rar archive either.
>
> I've tried different files anything from jpeg to pdf and end up with error
> described above.
>
> Can someone point me in the right direction how to troubleshoot this within
> mailscanner.
>
> System:
>
> Clamd 0.96.5
> Ubuntu Server 10.04
> MailScanner 4.82.3
> Perl 5.10.1

Check that both postfix and clamav (or whatever the users/groups are called) have relevant perms... Run As User/Group and 0660 perms in MailScanner.conf, correct perms on your incoming directory (perhaps /var/spool/MailScanner/incoming), Also check your clamd settings, of course.

Perhaps the most crucial bit though... is to make sure that you have sane permissions on /tmp, and that they can create files/directories there as needed.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From nsnidanko at harperpowerproducts.com Tue Jan 4 15:07:22 2011
From: nsnidanko at harperpowerproducts.com (Naz Snidanko)
Date: Tue Jan 4 15:07:37 2011
Subject: weird mailscanner clamd error
Message-ID: <9453A32CAC9FFB4D8F59285E34B6A50610A9B9@hotc_exch.harperotc.com>

Glenn,

/tmp and incoming directories both have chmod 777. Also from my guess if it had something to do with permissions it would generate this error for all files, not just ZIP archives created by Winrar and Winzip programs. I also completely removed apparmor (even though it originally had rw permissions for clamd on incoming directory).

Is there a module within MailScanner that does .zip file extracting before it goes for a clamd scan?

Any help is much appreciated.

Thank you,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko@harperpowerproducts.com

From mailscanner at cas.homelinux.org Tue Jan 4 17:10:10 2011
From: mailscanner at cas.homelinux.org (Chris Schanzle)
Date: Tue Jan 4 17:10:57 2011
Subject: update_spamassassin leaking descriptor
Message-ID: <4D235472.1050706@cas.homelinux.org>

Hi,

On Fedora 14, I am getting selinux warnings as to what appears to be /etc/cron.daily/update_spamassassin leaking a file descriptor. Before I realized that was a mailscanner cron job, I filed Fedora bugreport via sealert: . Please have a look, as they brought up a couple questions, first about closing the descriptor before the exec and second, using /tmp for a tempfile when the process runs as root is apparently discouraged.

Given Fedora's spamassassin already has /etc/cron.d/sa-update (once a day), is the proper on a Fedora system to edit "Disabled=yes" in /etc/cron.daily/update_spamassassin? After doing so, 'rpm -V mailscanner' shows it as being a changed config file, so I think that change may stick through mailscanner upgrades. It might be preferable to move the code which sources /etc/sysconfig/update_spamassassin to the top, and check if it's disabled that way.

Or should I disable Fedora's sa-update since it appears to be necessary (from /usr/sbin/update_spamassassin) to reload the MailScanner service after the sa-update?

And a nit in /etc/cron.daily/update_spamassassin - comments to "spread virus updates" - should be "anti-virus", but not in a spamassassin rules update script. Looks like code+comments to pause random time was lifted from somewhere.

Thanks!

From rcooper at dwford.com Tue Jan 4 19:45:51 2011
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Jan 4 19:46:06 2011
Subject: weird mailscanner clamd error
In-Reply-To: <9453A32CAC9FFB4D8F59285E34B6A50610A9B9@hotc_exch.harperotc.com>
References: <9453A32CAC9FFB4D8F59285E34B6A50610A9B9@hotc_exch.harperotc.com>
Message-ID: <3AD1272E15D14A43BD27F7E3F3C17BD1@SAHOMELT>

Have you attempted to manually scan an example file with clamscan or clamdscan? (preferably as the same user as would mailscanner). Have you tried sending with MailScanner running in debug mode? The error you are seeing is coming from clamd,

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From nsnidanko at harperpowerproducts.com Wed Jan 5 14:47:00 2011
From: nsnidanko at harperpowerproducts.com (Naz Snidanko)
Date: Wed Jan 5 14:47:12 2011
Subject: weird mailscanner clamd error
References: <201101051200.p05C0MhO008128@safir.blacknight.ie>
Message-ID: <9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com>

MailScanner --lint was generating "found 2 viruses" instead of a proper "found 1 virus". So I got fed up, scrapped clamd and went with clamav. Clamav works as it should: --lint generates "found 1 virus" and no more errors with .ZIP archives. This is a small site and speed should not be a factor.

Tons of thanks,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko@harperpowerproducts.com

From prinbra at gmail.com Thu Jan 6 08:40:18 2011
From: prinbra at gmail.com (Curu Wong)
Date: Thu Jan 6 08:40:27 2011
Subject: weird mailscanner clamd error
In-Reply-To: <9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com>
References: <201101051200.p05C0MhO008128@safir.blacknight.ie> <9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com>
Message-ID:

My system also has this problem. When a zip archive is scanned, I will always get clamd error like:

-------------------------------------------------------
Jan 5 16:47:34 spamsnake MailScanner[3887]: Clamd::ERROR:: Access denied. ERROR :: ./BAD697FE65.AD0DB/zbeyond3g.jpg
Jan 5 16:47:34 spamsnake MailScanner[3887]: Clamd::ERROR:: Access denied. ERROR :: ./BAD697FE65.AD0DB/zchi_button-02.jpg
-------------------------------------------------------

all other attachment type, like rar, works fine.

the files in ms incoming queue get removed after it finished processing, and I use this command to monitor file permissions under the incoming queue:

while true; do ls -lR /var/spool/MailScanner/incoming/ >> file_list.txt; sleep 1;done

Send an email with rar attachment:
=======================================================
-rw-r----- 1 postfix www-data 4 2011-01-06 16:13 nmsg-24184-11.txt
-rw-r----- 1 postfix www-data 1536750 2011-01-06 16:13 nPI2.3.2.rar
-rw-r----- 1 postfix www-data 150576 2011-01-06 16:13 rPI2.3.2.pdf
-rw-r----- 1 postfix www-data 2141878 2011-01-06 16:13 rPoisonIvy2.3.2.exe
=======================================================

Send an email with zip attachment
=======================================================
-rw-r----- 1 postfix www-data 4 2011-01-06 15:57 nmsg-24198-1.txt
-rw-r----- 1 postfix www-data 1665916 2011-01-06 15:57 ntest.zip
-rw------- 1 postfix www-data 238 2010-10-15 18:58 zall-wcprops
-rw------- 1 postfix www-data 23100 2010-10-15 18:58 zbeyond3g.jpg
-rw------- 1 postfix www-data 26180 2010-10-15 18:58 zchi_button-02.jpg
-rw------- 1 postfix www-data 2472 2010-10-15 23:33 zchi_button-reset.jpg
-rw------- 1 postfix www-data 2478 2010-10-15 23:33 zchi_button-submit.jpg
-rw------- 1 postfix www-data 6042 2010-10-18 15:34 zchi_edm.html
-rw------- 1 postfix www-data 4345 2010-10-18 15:35 zchi_web.html
=======================================================

And I have this settings in MailScanner.conf:

Incoming Work Permissions = 0640

We can see that the test.zip file has the correct permissions, but its extracted files have wrong permission. In fact, even if I change Incoming Work Permissions to 0777, the file permissions is still rw------, so weird.

Can anyone point out the problem? I think there may be something wrong with the perl Archive::Zip module or MS itself.

From paul at tenfjord.net Thu Jan 6 08:58:23 2011
From: paul at tenfjord.net (Paul Tenfjord)
Date: Thu Jan 6 08:58:32 2011
Subject: SQL Spam Action Rule CustomFuction?
Message-ID: <1294304303.2186.24.camel@paul-laptop>

Hello mailinglist!

I'm configuring a couple of new MailScanner servers and I'm using SQLBlackWhiteList.pm to call SQLWhitelist and SQLBlacklist and MailWatch.pm to call &MailWatchLogging.

I was wondering if anybody created a script for Spam Action Rules? I've been trying myself, but I found the CustomFunctions a bit too difficult for my programming skills. Some of my domains use "store", some "tag" and others "forward spamtrap at mydomaincom". I could of course share the script I tried to make, but I really don't think anyone would benefit from it :-)

Right now I'm using a perl script to update the spam.action.rules file from SQL (I'd be happy to share the script if anyone is interested).

I also would like to ask for suggestions on how to best handle mailscanners quarantine folder when operating with two servers. I would like to use a common quarantine area, so that releasing would be easier. I could mount using sshfs, but if my main server crashes then that folder would get inaccessible. Maybe rsync would be a better choice? Any ideas regarding this would be highly appreciable.

Thanks to Julian and all contributors for an amazing product!

Kind Regards
Paul

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 6 10:24:11 2011
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 6 10:24:41 2011
Subject: weird mailscanner clamd error
In-Reply-To:
References: <201101051200.p05C0MhO008128@safir.blacknight.ie> <9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk>

The only workaround I've found is to run clamd as root. I've seen the same issue with MailScanner / sendmail on CentOS.

Cheers,

Phil

--
Phil Randal | Infrastructure Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
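
The permission mismatch reported in this thread (zip members left at rw------- while the rest of the work directory is rw-r-----) can be checked mechanically and tied to the clamd "Access denied" log entries. The script below is an added example, not part of any message in the thread and not MailScanner code. Function names are hypothetical, and the directory and log it builds are constructed to mirror the listing and log lines posted above.

```shell
#!/bin/sh
# Added example, not from the thread or from MailScanner. Function names are
# hypothetical. Uses find's "-perm -MODE" test (present in GNU and BSD find).

# Print regular files under DIR ($1) that lack any permission bit of MODE ($2,
# octal). With MODE=0640 this lists files a group-member scanner cannot read.
files_missing_mode() {
    find "$1" -type f ! -perm "-$2" | LC_ALL=C sort
}

# Print the paths clamd refused to open, taken from MailScanner syslog lines.
clamd_denied_paths() {
    sed -n 's/.*Clamd::ERROR:: Access denied\. ERROR :: //p' "$1" | LC_ALL=C sort -u
}

# Print file names that are both under-permissioned on disk and reported as
# "Access denied" in the log: attachments that clamd never actually scanned.
confirmed_unscanned() {
    offenders=$(files_missing_mode "$1" "$2" | sed 's|.*/||')
    [ -n "$offenders" ] || return 0
    # A newline-separated pattern list makes grep match any of the names.
    clamd_denied_paths "$3" | sed 's|.*/||' | grep -Fx -e "$offenders" || true
}

# Constructed sample: a work directory and log shaped like those in the thread.
make_sample() {
    root=$(mktemp -d)
    msg="$root/incoming/BAD697FE65.AD0DB"
    mkdir -p "$msg"
    for f in nmsg-24198-1.txt ntest.zip zbeyond3g.jpg zchi_button-02.jpg zchi_edm.html; do
        : > "$msg/$f"
    done
    chmod 0640 "$msg/nmsg-24198-1.txt" "$msg/ntest.zip"   # mode from Incoming Work Permissions
    chmod 0600 "$msg"/z*                                   # extracted zip members, as observed
    cat > "$root/mail.log" <<'EOF'
Jan  5 16:47:34 spamsnake MailScanner[3887]: Clamd::ERROR:: Access denied. ERROR :: ./BAD697FE65.AD0DB/zbeyond3g.jpg
Jan  5 16:47:34 spamsnake MailScanner[3887]: Clamd::ERROR:: Access denied. ERROR :: ./BAD697FE65.AD0DB/zchi_button-02.jpg
Jan  5 16:47:34 spamsnake MailScanner[3887]: Spam Checks: Starting
EOF
    echo "$root"
}

sample=$(make_sample)
echo "Files lacking mode 0640:"
files_missing_mode "$sample/incoming" 0640
echo "Unreadable and reported as Access denied:"
confirmed_unscanned "$sample/incoming" 0640 "$sample/mail.log"
rm -rf "$sample"
```

On a live host, files_missing_mode would be pointed at /var/spool/MailScanner/incoming with the value configured for Incoming Work Permissions.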
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Curu Wong
Sent: 06 January 2011 08:40
To: MailScanner discussion
Subject: Re: weird mailscanner clamd error

My system also has this problem. When a zip archive is scanned, I will always get clamd error like:

------------------------------------------------------------------------
Jan 5 16:47:34 spamsnake MailScanner[3887]: Clamd::ERROR:: Access denied. ERROR :: ./BAD697FE65.AD0DB/zbeyond3g.jpg
Jan 5 16:47:34 spamsnake MailScanner[3887]: Clamd::ERROR:: Access denied. ERROR :: ./BAD697FE65.AD0DB/zchi_button-02.jpg
------------------------------------------------------------------------

All other attachment types, like rar, work fine.

The files in the MS incoming queue get removed after it has finished processing, and I use this command to monitor file permissions under the incoming queue:

while true; do ls -lR /var/spool/MailScanner/incoming/ >> file_list.txt; sleep 1;done

Send an email with rar attachment:
=======================================================
-rw-r----- 1 postfix www-data 4 2011-01-06 16:13 nmsg-24184-11.txt
-rw-r----- 1 postfix www-data 1536750 2011-01-06 16:13 nPI2.3.2.rar
-rw-r----- 1 postfix www-data 150576 2011-01-06 16:13 rPI2.3.2.pdf
-rw-r----- 1 postfix www-data 2141878 2011-01-06 16:13 rPoisonIvy2.3.2.exe
=======================================================

Send an email with zip attachment
=======================================================
-rw-r----- 1 postfix www-data 4 2011-01-06 15:57 nmsg-24198-1.txt
-rw-r----- 1 postfix www-data 1665916 2011-01-06 15:57 ntest.zip
-rw------- 1 postfix www-data 238 2010-10-15 18:58 zall-wcprops
-rw------- 1 postfix www-data 23100 2010-10-15 18:58 zbeyond3g.jpg
-rw------- 1 postfix www-data 26180 2010-10-15 18:58 zchi_button-02.jpg
-rw------- 1 postfix www-data 2472 2010-10-15 23:33 zchi_button-reset.jpg
-rw------- 1 postfix www-data 2478 2010-10-15 23:33 zchi_button-submit.jpg
-rw------- 1 postfix www-data 6042 2010-10-18 15:34 zchi_edm.html
-rw------- 1 postfix www-data 4345 2010-10-18 15:35 zchi_web.html
=======================================================

And I have this setting in MailScanner.conf:

Incoming Work Permissions = 0640

We can see that the test.zip file has the correct permissions, but its extracted files have the wrong permissions. In fact, even if I change Incoming Work Permissions to 0777, the file permissions are still rw------, so weird.

Can anyone point out the problem? I think there may be something wrong with the perl Archive::Zip module or MS itself.

2011/1/5 Naz Snidanko

MailScanner --lint was generating "found 2 viruses" instead of a proper "found 1 virus". So I got fed up, scrapped clamd and went with clamav. Clamav works as it should: --lint generates "found 1 virus" and no more errors with .ZIP archives. This is a small site and speed should not be a factor.

Tons of thanks,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko@harperpowerproducts.com

-----Original Message-----
Date: Tue, 4 Jan 2011 14:45:51 -0500
From: "Rick Cooper"
Subject: RE: weird mailscanner clamd error
To: "'MailScanner discussion'"
Message-ID: <3AD1272E15D14A43BD27F7E3F3C17BD1@SAHOMELT>
Content-Type: text/plain; charset="us-ascii"

Have you attempted to manually scan an example file with clamscan or clamdscan? (preferably as the same user as would mailscanner). Have you tried sending with MailScanner running in debug mode? The error you are seeing is coming from clamd,

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Naz Snidanko
Sent: Tuesday, January 04, 2011 10:07 AM
To: mailscanner@lists.mailscanner.info
Subject: Re: weird mailscanner clamd error

Glenn,

/tmp and incoming directories both have chmod 777. Also from my guess if it had something to do with permissions it would generate this error for all files, not just ZIP archives created by Winrar and Winzip programs. I also completely removed apparmor (even though it originally had rw permissions for clamd on incoming directory).

Is there a module within MailScanner that does .zip file extracting before it goes for a clamd scan?

Any help is much appreciated.

Thank you,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko@harperpowerproducts.com

------------------------------

Message: 4
Date: Tue, 4 Jan 2011 11:40:03 +0100
From: Glenn Steen
Subject: Re: weird mailscanner clamd error
To: MailScanner discussion
Message-ID:
Content-Type: text/plain; charset=windows-1252

On 3 January 2011 21:34, Naz Snidanko wrote:
> I have weird stuff happening. When we put any file into ZIP archive created
> from Winzip or Winrar I get the following log in mail.log:
>
> Jan 3 15:14:43 ares MailScanner[5103]: Virus and Content Scanning: Starting
>
> Jan 3 15:14:43 ares MailScanner[5103]: Clamd::ERROR:: Access denied. ERROR
> :: ./66522203B7.AD6EB/zRicohdeviceUsersetup.doc
>
> Jan 3 15:14:43 ares MailScanner[5103]: Virus Scanning: Clamd found 1
> infections
>
> Jan 3 15:14:43 ares MailScanner[5103]: Virus Scanning: Found 1 viruses
>
> Jan 3 15:14:43 ares MailScanner[5103]: Spam Checks: Starting
>
> File delivered after passing mailscanner to final destination.
>
> When I put the same file into ZIP archive using built-in Windows XP engine
> it works flawlessly and no error log is generated. No error is generated
> when same file is put within .rar archive either.
>
> I've tried different files anything from jpeg to pdf and end up with error
> described above.
>
> Can someone point me in the right direction how to troubleshoot this within
> mailscanner.
>
> System:
>
> Clamd 0.96.5
>
> Ubuntu Server 10.04
>
> MailScanner 4.82.3
>
> Perl 5.10.1
>

Check that both postfix and clamav (or whatever the users/groups are called) have relevant perms... Run As User/Group and 0660 perms in MailScanner.conf, correct perms on your incoming directory (perhaps /var/spool/MailScanner/incoming). Also check your clamd settings, of course.

Perhaps the most crucial bit though... is to make sure that you have sane permissions on /tmp, and that they can create files/directories there as needed.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From iulianld at gmail.com Thu Jan 6 11:04:38 2011
From: iulianld at gmail.com (Iulian L Dragomir)
Date: Thu Jan 6 11:04:46 2011
Subject: weird mailscanner clamd error
In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk>
References: <201101051200.p05C0MhO008128@safir.blacknight.ie> <9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com> <7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk>
Message-ID:

On Thu, Jan 6, 2011 at 12:24 PM, Randal, Phil wrote:
> The only workaround I've found is to run clamd as root.
>
> I've seen the same issue with MailScanner / sendmail on CentOS.

If it is the same problem then try this:

http://lists.mailscanner.info/pipermail/mailscanner/2010-April/095611.html

From nsnidanko at harperpowerproducts.com Thu Jan 6 14:11:36 2011
From: nsnidanko at harperpowerproducts.com (Naz Snidanko)
Date: Thu Jan 6 14:11:50 2011
Subject: weird mailscanner clamd error
References: <201101051200.p05C0MhO008128@safir.blacknight.ie><9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com><7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk>
Message-ID: <9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com>

I just checked:

/opt/MailScanner-4.82.3-1/lib/MailScanner/MessageBatch.pm

I am using 4.82.3-1 and this modification is there. It does not solve the problem. I haven't tried running clamd under root since it would violate our security principles.

Are you guys sure it is not a problem with clamd itself? Clamav doesn't get this error.

Regards,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko@harperpowerproducts.com

From rcooper at dwford.com Thu Jan 6 16:13:18 2011
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jan 6 16:13:32 2011
Subject: weird mailscanner clamd error
In-Reply-To: <9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com>
References: <201101051200.p05C0MhO008128@safir.blacknight.ie><9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com><7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk> <9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com>
Message-ID:

Naz Snidanko wrote:
> I just checked:
>
> /opt/MailScanner-4.82.3-1/lib/MailScanner/MessageBatch.pm
>
> I am using 4.82.3-1 and this modification is there. It does not solve
> the problem. I haven't tried running clamd under root since it would
> violate our security principles.
>
> Are you guys sure it is not a problem with clamd itself? Clamav
> doesn't get this error.
>

Is clamd running as the same user as the mailscanner user? In other words if your mailscanner user was postfix is the clamd.conf User parameter set to postfix as well (clamd would have to be started as root to drop privs)

I suspect this would be the issue for Curu as the permissions he listed are readable by group www-data for the zip file but only readable by user postfix for the unzipped files. Clearly there is something amiss with the extracted permissions as one would think they would be the same as the original zip file.

> Regards,
>
> Naz Snidanko
> Desktop & Network Support
> Harper Power Products Inc.
> (p) 416 201- 7506
> nsnidanko@harperpowerproducts.com

From rcooper at dwford.com Thu Jan 6 16:41:56 2011
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jan 6 16:42:11 2011
Subject: weird mailscanner clamd error
In-Reply-To:
References: <201101051200.p05C0MhO008128@safir.blacknight.ie><9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com>
Message-ID: <891B4955ECD54BB491E0AC347BFF9F89@SAHOMELT>

Julian would know more as to why this is set this way but in the latest (don't know how far back this goes) 4.81.4 version of Message.pm line 3349 is

$member->unixFileAttributes(0600);

what happens when you set this to

$member->unixFileAttributes(0640);

That is the only place I noticed where, during the unzip process, the file permissions appear to be set to 0600. clamav should work as it would be executed under the mailscanner user and there should not be an issue with the 0600 permissions.

Rick

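The permission mismatch discussed in this thread, as an added example that is not part of any poster's message or of MailScanner itself: a POSIX shell check that applies the owner/group/other read rule to `ls -l` lines and reports which files a scanner account cannot open. The account names and listing lines are taken from the thread; clamav's membership in group www-data and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not MailScanner code): apply the Unix owner/group/other
# read rule to `ls -l` output to see which files a scanner account can open.
# POSIX ACLs and AppArmor/SELinux policy are not considered.

# can_read MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# MODE is the mode column of `ls -l`, e.g. -rw-r-----.
# Returns 0 if USER may read the file, 1 otherwise.
can_read() {
    cr_mode=$1 cr_owner=$2 cr_group=$3 cr_user=$4 cr_ugroups=$5
    # root is not subject to the mode bits at all.
    [ "$cr_user" = root ] && return 0
    if [ "$cr_user" = "$cr_owner" ]; then
        cr_pos=2                      # owner read bit
    else
        cr_pos=8                      # "other" read bit, unless a group matches
        for cr_g in $cr_ugroups; do
            if [ "$cr_g" = "$cr_group" ]; then
                cr_pos=5              # group read bit
                break
            fi
        done
    fi
    # Only the first matching class counts; there is no fall-through.
    [ "$(printf '%s' "$cr_mode" | cut -c"$cr_pos")" = r ]
}

# unreadable_for USER "GROUPS" < listing
# Prints the name of every regular file in the listing that USER cannot read.
unreadable_for() {
    uf_user=$1 uf_groups=$2
    while read -r uf_mode uf_links uf_owner uf_group uf_size uf_date uf_time uf_name; do
        case $uf_mode in
            -*) ;;                    # regular file line
            *) continue ;;            # "total N", directory headers, blanks
        esac
        can_read "$uf_mode" "$uf_owner" "$uf_group" "$uf_user" "$uf_groups" ||
            printf '%s\n' "$uf_name"
    done
}

# Listing lines as posted in the thread before the change (zip members 0600).
listing_before() {
    cat <<'EOF'
-rw-r----- 1 postfix www-data 4 2011-01-06 15:57 nmsg-24198-1.txt
-rw-r----- 1 postfix www-data 1665916 2011-01-06 15:57 ntest.zip
-rw------- 1 postfix www-data 238 2010-10-15 18:58 zall-wcprops
-rw------- 1 postfix www-data 23100 2010-10-15 18:58 zbeyond3g.jpg
-rw------- 1 postfix www-data 26180 2010-10-15 18:58 zchi_button-02.jpg
EOF
}

# Listing lines as posted in the thread after the change (zip members 0640).
listing_after() {
    cat <<'EOF'
/var/spool/MailScanner/incoming/18174/8E435803B9.AB3BB:
total 3376
-rw-r----- 1 postfix www-data 1665916 2011-01-07 10:49 ntest.zip
-rw-r----- 1 postfix www-data 238 2010-10-15 18:58 zall-wcprops
-rw-r----- 1 postfix www-data 23100 2010-10-15 18:58 zbeyond3g.jpg
EOF
}

# Assumption: clamd runs as clamav and clamav is a member of www-data.
echo "clamav (in www-data) cannot read, before:"
listing_before | unreadable_for clamav "clamav www-data"
echo "clamav (in www-data) cannot read, after:"
listing_after | unreadable_for clamav "clamav www-data"
echo "clamav (not in www-data) cannot read, after:"
listing_after | unreadable_for clamav "clamav"
```

The last case shows that changing the member mode to 0640 only helps when the clamd account actually shares the files' group; without that membership every file stays unreadable to it.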
From rcooper at dwford.com Thu Jan 6 17:25:06 2011
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jan 6 17:25:20 2011
Subject: weird mailscanner clamd error
In-Reply-To: <9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com>
References: <201101051200.p05C0MhO008128@safir.blacknight.ie><9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com><7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk> <9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com>
Message-ID:

Naz Snidanko wrote:
> I just checked:
>
> /opt/MailScanner-4.82.3-1/lib/MailScanner/MessageBatch.pm
>
> I am using 4.82.3-1 and this modification is there. It does not solve
> the problem. I haven't tried running clamd under root since it would
> violate our security principles.
>
> Are you guys sure it is not a problem with clamd itself? Clamav
> doesn't get this error.

Actually the more I looked at this, I believe the code in Message.pm beginning at line 3348 that reads

# Untaint member's attributes.
$member->unixFileAttributes(0600);

Should be

# Untaint member's attributes.
my $workperms = MailScanner::Config::Value('workperms') || '0600';
$member->unixFileAttributes($workperms);

For some reason it appears Julian forced the extracted files to 0600 in the original code. The change I have listed above would set them to whatever the mailscanner config has for the work permissions or 600 if no value exists.

Julian any comment?

Rick

> > Regards,
> >
> > Naz Snidanko
> > Desktop & Network Support
> > Harper Power Products Inc.
> > (p) 416 201- 7506
> > nsnidanko@harperpowerproducts.com

From nsnidanko at harperpowerproducts.com Thu Jan 6 17:58:40 2011
From: nsnidanko at harperpowerproducts.com (Naz Snidanko)
Date: Thu Jan 6 17:58:58 2011
Subject: weird mailscanner clamd error
References: <201101051200.p05C0MhO008128@safir.blacknight.ie><9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com><7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk><9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com>
Message-ID: <5C4A6241B56FDB48A0AC6AC13CA9FB05010AE0A9@tor_nt01.harperdda.com>

No they all run as separate user. Clamd runs as clamav and MailScanner runs as postfix. Unfortunately, I cannot change clamd user since we use it for something else that doesn't have permissions for postfix.

Thanks,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko@harperpowerproducts.com

From rcooper at dwford.com Thu Jan 6 20:30:16 2011
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jan 6 20:30:33 2011
Subject: weird mailscanner clamd error
In-Reply-To: <5C4A6241B56FDB48A0AC6AC13CA9FB05010AE0A9@tor_nt01.harperdda.com>
References: <201101051200.p05C0MhO008128@safir.blacknight.ie><9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com><7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk><9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com> <5C4A6241B56FDB48A0AC6AC13CA9FB05010AE0A9@tor_nt01.harperdda.com>
Message-ID: <1B7E529034414F76A48AE7C3B19E7CF7@SAHOMELT>

Naz Snidanko wrote:
> No they all run as separate user. Clamd runs as clamav and MailScanner
> runs as postfix. Unfortunately, I cannot change clamd user since we
> use it for something else that doesn't have permissions for postfix.
>
> Thanks,
>

Look at my last post and apply that and see if that doesn't fix your issue. If I had to guess Julian put that in there when he was fleshing out the code and forgot to fix it.

Because of the way the code is written all the extracted files will have 0600 permissions and since your clamd user does not have user (I assume it does have group) access this is the reason you are getting that error. When using clamscan it will be running as the MailScanner user and will have user level access. The unrar is a similar situation: the files are extracted via SafePipe without forcing permissions so they should end up with your default permissions and the clamd user can read them.

Switch the code lines (as in my last post) and you should extract the zip files with the same permissions as the others and, if your clamd has the correct group perms, your error should go away.

I don't know when this was introduced. I am using 4.67.6 (don't ask) and those couple of lines do not exist. I wouldn't have noticed it anyway because I run clamd as root and use a local socket.

Rick

> Naz Snidanko
> Desktop & Network Support
> Harper Power Products Inc.
> (p) 416 201- 7506
> nsnidanko@harperpowerproducts.com

From prinbra at gmail.com Fri Jan 7 03:07:05 2011
From: prinbra at gmail.com (Curu Wong)
Date: Fri Jan 7 03:07:14 2011
Subject: weird mailscanner clamd error
In-Reply-To:
References: <201101051200.p05C0MhO008128@safir.blacknight.ie> <9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com> <7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk> <9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com>
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner_zip_permission.patch
Type: application/octet-stream
Size: 682 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110107/4b5ee115/mailscanner_zip_permission.obj

From prinbra at gmail.com Fri Jan 7 03:15:15 2011
From: prinbra at gmail.com (Curu Wong)
Date: Fri Jan 7 03:15:24 2011
Subject: weird mailscanner clamd error
In-Reply-To:
References: <201101051200.p05C0MhO008128@safir.blacknight.ie> <9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com> <7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk> <9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com>
Message-ID:

Thank you Rick, the code you provided works. But I think the argument of unixFileAttributes() should be an octal number instead of a string, so I modified the code a little. This finally works for my MailScanner version 4.81.4-1.

After applying this patch, the permission is OK:

Send an email with zip attachment
=============================================================
/var/spool/MailScanner/incoming/18174/8E435803B9.AB3BB:
total 3376
-rw-r----- 1 postfix www-data 4 2011-01-07 10:49 nmsg-18174-1.txt
-rw-r----- 1 postfix www-data 1665916 2011-01-07 10:49 ntest.zip
-rw-r----- 1 postfix www-data 238 2010-10-15 18:58 zall-wcprops
-rw-r----- 1 postfix www-data 23100 2010-10-15 18:58 zbeyond3g.jpg
-rw-r----- 1 postfix www-data 26180 2010-10-15 18:58 zchi_button-02.jpg
-rw-r----- 1 postfix www-data 2472 2010-10-15 23:33 zchi_button-reset.jpg
-rw-r----- 1 postfix www-data 2478 2010-10-15 23:33 zchi_button-submit.jpg
-rw-r----- 1 postfix www-data 6042 2010-10-18 15:34 zchi_edm.html
-rw-r----- 1 postfix www-data 4345 2010-10-18 15:35 zchi_web.html
-rw-r----- 1 postfix www-data 890 2010-10-15 18:58 zcw.jpeg
==============================================================

And there's no error message in maillog any more.

mailscanner_zip_permission.patch =================================================================== --- MailScanner/Message.pm 2010-09-06 19:10:28.000000000 +0800 +++ ms/Message.pm 2011-01-07 10:41:19.107764413 +0800 
@@ -3346,7 +3346,12 @@ next if $onlycheckencryption; # Untaint member's attributes. - $member->unixFileAttributes(0600); + #$member->unixFileAttributes(0600); + my $workperms = MailScanner::Config::Value('workperms') || '0600'; + #Make it octal with a leading zero if necessary + $workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/; + $workperms = oct($workperms); # and back to decimal for chmod + $member->unixFileAttributes($workperms); $name = $member->fileName(); # Trim off any leading directory path ==================================================================== 2011/1/7 Rick Cooper > Naz Snidanko wrote: > > I just checked: > > > > /opt/MailScanner-4.82.3-1/lib/MailScanner/MessageBatch.pm > > > > I am using 4.82.3-1 and this modification is there. It does not solve > > the problem. I haven't tried running clamd under root since it would > > violate our security principles. > > > > Are you guys sure it is not a problem with clamd itself? Clamav > > doesn't get this error. > > Actually the more I looked at this, I believe the code in Message.pm > beginning at line 3348 that reads > > # Untaint member's attributes. > $member->unixFileAttributes(0600); > > Should be > > # Untaint member's attributes. > my $workperms = MailScanner::Config::Value('workperms') || '0600'; > $member->unixFileAttributes($workperms); > For some reason it appears Julian forced the extracted files to 0600 in the > original code. The change I have listed above would set them to what ever > the mailscanner config has for the work permissions or 600 if no value > exists. > > Julian any comment? > > > Rick > > > > > Regards, > > > > Naz Snidanko > > Desktop & Network Support > > Harper Power Products Inc. > > (p) 416 201- 7506 > > nsnidanko@harperpowerproducts.com > > > > -----Original Message----- 
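Review bot: The two added conversion lines (sprintf "0%lo" followed by oct) treat any workperms value that lacks a leading zero as a decimal integer, so if MailScanner::Config::Value('workperms') hands back the setting as typed, a value of 640 becomes "01200" and the member is given mode 01200, which has no read bits at all, instead of 0640. If the value can arrive as text, prefix the zero rather than re-encoding it, for example $workperms = "0$workperms" unless $workperms =~ /^0/; and reject anything that does not match /^[0-7]+$/ before calling oct. The comment "and back to decimal for chmod" should name unixFileAttributes, since that is where the value goes here, and the commented-out original call can be deleted rather than left in the file.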
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> > Iulian L Dragomir
> > Sent: January 6, 2011 6:05 AM
> > To: MailScanner discussion
> > Subject: Re: weird mailscanner clamd error
> >
> > On Thu, Jan 6, 2011 at 12:24 PM, Randal, Phil
> > wrote:
> >> The only workaround I've found is to run clamd as root.
> >>
> >> I've seen the same issue with MailScanner / sendmail on CentOS.
> >
> > If it is the same problem then try this:
> >
> > http://lists.mailscanner.info/pipermail/mailscanner/2010-April/095611.html

From rcooper at dwford.com Fri Jan 7 14:04:08 2011
From: rcooper at dwford.com (Rick Cooper) Date: Fri Jan 7 14:04:23 2011 Subject: weird mailscanner clamd error In-Reply-To: References: <201101051200.p05C0MhO008128@safir.blacknight.ie><9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com><7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk><9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com> Message-ID: _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Curu Wong
Sent: Thursday, January 06, 2011 10:15 PM
To: MailScanner discussion
Subject: Re: weird mailscanner clamd error

Thank you Rick, the code you provided works. But I think the argument of unixFileAttributes() should be an octal number instead of a string, so I modified the code a little. This finally works for my MailScanner version 4.81.4-1.

[Rick Cooper]
I just looked at the Archive::Zip documentation and it appears that it should have worked as is. The documentation states:

unixFileAttributes( [$newAttributes] )

In any event that might explain the issues on other systems and hopefully Julian will make the changes for the next release. The person to thank is you, you are the one who caught the unexplained permission change on the extracted files, I just looked at the code that performs the action and unixFileAttributes(600) kind of stuck out like a sore thumb.

Rick

After applying this patch, the permission is OK:

Send an email with zip attachment
=============================================================
/var/spool/MailScanner/incoming/18174/8E435803B9.AB3BB:
total 3376
-rw-r----- 1 postfix www-data 4 2011-01-07 10:49 nmsg-18174-1.txt
-rw-r----- 1 postfix www-data 1665916 2011-01-07 10:49 ntest.zip
-rw-r----- 1 postfix www-data 238 2010-10-15 18:58 zall-wcprops
-rw-r----- 1 postfix www-data 23100 2010-10-15 18:58 zbeyond3g.jpg
-rw-r----- 1 postfix www-data 26180 2010-10-15 18:58 zchi_button-02.jpg
-rw-r----- 1 postfix www-data 2472 2010-10-15 23:33 zchi_button-reset.jpg
-rw-r----- 1 postfix www-data 2478 2010-10-15 23:33 zchi_button-submit.jpg
-rw-r----- 1 postfix www-data 6042 2010-10-18 15:34 zchi_edm.html
-rw-r----- 1 postfix www-data 4345 2010-10-18 15:35 zchi_web.html
-rw-r----- 1 postfix www-data 890 2010-10-15 18:58 zcw.jpeg
==============================================================

And there's no error message in maillog any more.

mailscanner_zip_permission.patch =================================================================== --- MailScanner/Message.pm 2010-09-06 19:10:28.000000000 +0800 +++ ms/Message.pm 2011-01-07 10:41:19.107764413 +0800 @@ -3346,7 +3346,12 @@ next if $onlycheckencryption; # Untaint member's attributes. - $member->unixFileAttributes(0600); + #$member->unixFileAttributes(0600); + my $workperms = MailScanner::Config::Value('workperms') || '0600'; + #Make it octal with a leading zero if necessary + $workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/; + $workperms = oct($workperms); # and back to decimal for chmod + $member->unixFileAttributes($workperms); $name = $member->fileName(); # Trim off any leading directory path ==================================================================== 2011/1/7 Rick Cooper Naz Snidanko wrote: > I just checked: > > /opt/MailScanner-4.82.3-1/lib/MailScanner/MessageBatch.pm > > I am using 4.82.3-1 and this modification is there. It does not solve > the problem. I haven't tried running clamd under root since it would > violate our security principles. > > Are you guys sure it is not a problem with clamd itself? Clamav > doesn't get this error. Actually the more I looked at this, I believe the code in Message.pm beginning at line 3348 that reads # Untaint member's attributes. $member->unixFileAttributes(0600); Should be # Untaint member's attributes. my $workperms = MailScanner::Config::Value('workperms') || '0600'; $member->unixFileAttributes($workperms); For some reason it appears Julian forced the extracted files to 0600 in the original code. The change I have listed above would set them to what ever the mailscanner config has for the work permissions or 600 if no value exists. Julian any comment? Rick > > Regards, > > Naz Snidanko > Desktop & Network Support > Harper Power Products Inc. > (p) 416 201- 7506 > nsnidanko@harperpowerproducts.com > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Iulian L Dragomir
> Sent: January 6, 2011 6:05 AM
> To: MailScanner discussion
> Subject: Re: weird mailscanner clamd error
>
> On Thu, Jan 6, 2011 at 12:24 PM, Randal, Phil
> wrote:
>> The only workaround I've found is to run clamd as root.
>>
>> I've seen the same issue with MailScanner / sendmail on CentOS.
>
> If it is the same problem then try this:
>
> http://lists.mailscanner.info/pipermail/mailscanner/2010-April/095611.html

From mejaz at cyberia.net.sa Sat Jan 8 22:32:02 2011
From: mejaz at cyberia.net.sa (Ejaz)
Date: Sat Jan 8 22:34:49 2011
Subject: spam tag
Message-ID: <47C6CADE5A254393944D51A5B0AF79C5@EJAZ>

From: Ejaz [mailto:mejaz@cyberia.net.sa]
Sent: Saturday, January 08, 2011 4:29 PM
To: 'mailscanner-bounces@lists.mailscanner.info'
Subject: spam tag

Hi all,

I have a mail solution with mailscanner/postfix/clamav and spamassassin. I did not understand why I keep getting the spam tag in my subject line for all the incoming messages.

Any help will be highly appreciated.

Regards,
__________________
Mohammed Ejaz
Sr, Systems Administrator
Middle East Internet Company (CYBERIA)
Riyadh, Saudi Arabia
Phone: +966-1-4647114 Ext: 140
Mobile +966-562311787
Fax: +966-1-4654735
E-mail: mejaz@cyberia.net.sa

From maxsec at gmail.com Mon Jan 10 06:36:45 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Jan 10 06:36:54 2011
Subject: spam tag
In-Reply-To: <47C6CADE5A254393944D51A5B0AF79C5@EJAZ>
References: <47C6CADE5A254393944D51A5B0AF79C5@EJAZ>
Message-ID:

Put mailscanner into debug mode for some clues - see the wiki for howto

Martin

On Saturday, 8 January 2011, Ejaz wrote:
>
> From: Ejaz [mailto:mejaz@cyberia.net.sa]
> Sent: Saturday, January 08, 2011 4:29 PM
> To: 'mailscanner-bounces@lists.mailscanner.info'
> Subject: spam tag
>
> Hi all,
>
> I have a mail solution with mailscanner/postfix/clamav and spamassassin.
> I did not understand why I keep getting the spam tag in my subject
> line for all the incoming messages.
>
> Any help will be highly appreciated.
>
> Regards,
> __________________
> Mohammed Ejaz
> Sr, Systems Administrator
> Middle East Internet Company (CYBERIA)
> Riyadh, Saudi Arabia
> Phone: +966-1-4647114 Ext: 140
> Mobile +966-562311787
> Fax: +966-1-4654735
> E-mail: mejaz@cyberia.net.sa

--
Martin Hepworth
Oxford, UK

From hvdkooij at vanderkooij.org Mon Jan 10 14:24:59 2011
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Jan 10 14:25:12 2011
Subject: spam tag
In-Reply-To: <47C6CADE5A254393944D51A5B0AF79C5@EJAZ>
References: <47C6CADE5A254393944D51A5B0AF79C5@EJAZ>
Message-ID: <754d4965699a55baee35bbe7d5f0af0e@vps517.directvps.nl>

On Sun, 9 Jan 2011 01:32:02 +0300, "Ejaz" wrote:
> I have a mail solution with mailscanner/postfix/clamav and spamassassin.
> I did not understand why I keep getting the spam tag in my subject line
> for all the incoming messages.

The first thing to check is your headers. They should tell you why your message is tagged as spam.

Hugo

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From peter.ong at hypermediasystems.com Mon Jan 10 16:54:38 2011
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Mon Jan 10 16:54:50 2011
Subject: SA and MS: use_auto_whitelist
Message-ID: <1815213276.6571.1294678478186.JavaMail.root@mail021.dti>

Hello Everyone,

When I do a:
MailScanner -D --lint 2>&1 | less

I see this...
config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": use_auto_whitelist 0

This is MailScanner version 4.82.3
SpamAssassin version 3.3.1
running on Perl version 5.8.8

Can anyone help? Thanks.

Peter

From hvdkooij at vanderkooij.org Mon Jan 10 19:28:51 2011
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Jan 10 19:29:01 2011
Subject: SA and MS: use_auto_whitelist
In-Reply-To: <1815213276.6571.1294678478186.JavaMail.root@mail021.dti>
References: <1815213276.6571.1294678478186.JavaMail.root@mail021.dti>
Message-ID: <4D2B5DF3.3040707@vanderkooij.org>

On 10/01/11 17:54, Peter Ong wrote:
> When I do a:
> MailScanner -D --lint 2>&1 | less
>
> I see this...
> config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": use_auto_whitelist 0

Can you share the section around that line with us?

> This is MailScanner version 4.82.3
> SpamAssassin version 3.3.1
> running on Perl version 5.8.8

Read http://wiki.apache.org/spamassassin/AutoWhitelist where it said:
In 3.3, the plugin is not loaded by default.

I guess you should be able to resolve the issue based on that information.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From peter.ong at hypermediasystems.com Mon Jan 10 19:40:49 2011
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Mon Jan 10 19:40:59 2011
Subject: SA and MS: use_auto_whitelist
In-Reply-To: <4D2B5DF3.3040707@vanderkooij.org>
Message-ID: <705766437.6864.1294688449512.JavaMail.root@mail021.dti>

> From: "Hugo van der Kooij"
> To: "MailScanner discussion"
> Sent: Monday, January 10, 2011 11:28:51 AM
> Subject: Re: SA and MS: use_auto_whitelist
>
> On 10/01/11 17:54, Peter Ong wrote:
>
> > When I do a:
> > MailScanner -D --lint 2>&1 | less
> >
> > I see this...
> > config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": use_auto_whitelist 0
>
> Can you share the section around that line with us?
>
> > This is MailScanner version 4.82.3
> > SpamAssassin version 3.3.1
> > running on Perl version 5.8.8
>
> Read http://wiki.apache.org/spamassassin/AutoWhitelist
> where it said:
> In 3.3, the plugin is not loaded by default.
>
> I guess you should be able to resolve the issue based on that
> information.

Hi Hugo,

Thanks for that. I feel stupid. Some days I just can't get into the zone. Thanks again.

p

From mrm at medicine.wisc.edu Tue Jan 11 20:00:35 2011
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Tue Jan 11 20:00:56 2011
Subject: Phishing detection behaviour
Message-ID: <4D2C62830200003E0001E412@gwmail.medicine.wisc.edu>

I'm trying to come up with a test to consistently trip the phishing detection system so that I will know whether future rules I write will work as intended. I can send an email from an outside account containing something simple like www.fake.com and the system detects it properly like it should and puts the proper warning in the body of the email. The problem is that the next time (and each subsequent time) I send the same email from that same account, the system doesn't detect the problem and lets it through without the phishing warning. If I change the URL's within the email it will detect the phish attempt again the first time those fake URL's are used, but not any subsequent times I reuse them.

Is this how it's supposed to behave? I find that hard to believe. What setting could affect this?

-Mike

From nik_muhyyiddin at hotmail.com Thu Jan 13 09:19:58 2011
From: nik_muhyyiddin at hotmail.com (Nik Muhyyiddin)
Date: Thu Jan 13 09:20:12 2011
Subject: High Scoring Spam Action
Message-ID:

Hi All,

If I set the "High Scoring Spam Actions = store-spam" where will the email be stored?

Thanks for help.

Nik

From paul at tenfjord.net Thu Jan 13 09:38:57 2011
From: paul at tenfjord.net (Paul Arne Riksheim Tenfjord)
Date: Thu Jan 13 09:39:06 2011
Subject: High Scoring Spam Action
In-Reply-To:
References:
Message-ID: <1294911537.5781.10.camel@ift039177.klientdrift.uib.no>

On Thu, 2011-01-13 at 17:19 +0800, Nik Muhyyiddin wrote:
> Hi All,
>
> If I set the "High Scoring Spam Actions = store-spam" where will
> the email be stored?
>
> Thanks for help.
>
> Nik

Hello.

From MailScanner.conf:
# store-spam - store the message in the spam quarantine

My stored spam email is stored in:
/var/spool/MailScanner/quarantine/spam

which I believe is controlled by, in MailScanner.conf:
Quarantine Dir = /var/spool/MailScanner/quarantine

This folder should be owned by "Run As User = postfix" (from MailScanner.conf)

Hope this helps.

Regards,
Paul

From mailing at seveninternet.co.uk Thu Jan 13 11:06:32 2011
From: mailing at seveninternet.co.uk (Rich Walker)
Date: Thu Jan 13 11:06:43 2011
Subject: mailscanner upgrade
Message-ID: <3CD921AF2DC04B3D8C793F923354CEAE@sevenu6l0qf6zz>

I've just been given the task of upgrading our mail servers (version 4.69.9) and seen the wiki and I'm fine with that. I just wanted to know from the community if it's a good idea upgrading to latest version or am I going to run into problems because of the big gap between version.

Thanks

Rich

From maxsec at gmail.com Thu Jan 13 15:19:52 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Jan 13 15:20:02 2011
Subject: mailscanner upgrade
In-Reply-To: <3CD921AF2DC04B3D8C793F923354CEAE@sevenu6l0qf6zz>
References: <3CD921AF2DC04B3D8C793F923354CEAE@sevenu6l0qf6zz>
Message-ID:

Should be fine - just review the changes so you make sensible changes to any new defaults for options in the intervening years (defaults should be fine for new options), but worth looking at in case you need to alter anything else (upgrade SA, clamav etc).

--
Martin Hepworth
Oxford, UK

On 13 January 2011 11:06, Rich Walker wrote:
> I've just been given the task of upgrading our mail servers (version
> 4.69.9) and seen the wiki and I'm fine with that. I just wanted to
> know from the community if it's a good idea upgrading to latest version or am
> I going to run into problems because of the big gap between version.
>
> Thanks
>
> Rich

From peter.ong at hypermediasystems.com Thu Jan 13 15:31:22 2011
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Thu Jan 13 15:31:32 2011
Subject: mailscanner upgrade
In-Reply-To:
Message-ID: <345209293.9698.1294932682499.JavaMail.root@mail021.dti>

I've done several upgrades now, although there hasn't been a huge version gap. But my guess is it should be fine. But in every case, I always made sure I had the latest perl and perl modules first.

p

----- Original Message -----
> From: "Martin Hepworth"
> To: "MailScanner discussion"
> Sent: Thursday, January 13, 2011 7:19:52 AM
> Subject: Re: mailscanner upgrade
>
> should be fine - just review the changes so you make sensible changes
> to any new defaults for options in the intervening years (defaults
> should be fine for new options), but worth looking at in case you need
> to alter anything else (upgrade SA, clamav etc).
>
> --
> Martin Hepworth
> Oxford, UK
>
> On 13 January 2011 11:06, Rich Walker < mailing@seveninternet.co.uk >
> wrote:
>
> I've just been given the task of upgrading our mail servers (version
> 4.69.9) and seen the wiki and I'm fine with that. I just wanted to
> know from the community if it's a good idea upgrading to latest version
> or am I going to run into problems because of the big gap between
> version.
>
> Thanks
>
> Rich

From maxsec at gmail.com Thu Jan 13 16:30:30 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Jan 13 16:30:40 2011
Subject: mailscanner upgrade
In-Reply-To: <345209293.9698.1294932682499.JavaMail.root@mail021.dti>
References: <345209293.9698.1294932682499.JavaMail.root@mail021.dti>
Message-ID:

Latest perl modules etc can cause 'fun' so best to upgrade in stages to make sure you know what breaks when.

The MS backout option is nice and easy anyway, unlike many products.

--
Martin Hepworth
Oxford, UK

On 13 January 2011 15:31, Peter Ong wrote:
> I've done several upgrades now, although there hasn't been a huge version
> gap. But my guess is it should be fine. But in every case, I always made
> sure I had the latest perl and perl modules first.
>
> p
>
> ----- Original Message -----
> > From: "Martin Hepworth"
> > To: "MailScanner discussion"
> > Sent: Thursday, January 13, 2011 7:19:52 AM
> > Subject: Re: mailscanner upgrade
> >
> > should be fine - just review the changes so you make sensible changes
> > to any new defaults for options in the intervening years (defaults
> > should be fine for new options), but worth looking at in case you need
> > to alter anything else (upgrade SA, clamav etc).
> >
> > --
> > Martin Hepworth
> > Oxford, UK
> >
> > On 13 January 2011 11:06, Rich Walker < mailing@seveninternet.co.uk >
> > wrote:
> >
> > I've just been given the task of upgrading our mail servers (version
> > 4.69.9) and seen the wiki and I'm fine with that. I just wanted to
> > know from the community if it's a good idea upgrading to latest version
> > or am I going to run into problems because of the big gap between
> > version.
> >
> > Thanks
> >
> > Rich

From MailScanner at ecs.soton.ac.uk Fri Jan 21 13:49:01 2011
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jan 21 13:49:24 2011
Subject: New BarricadeMX Plus Web interface
References: <4D398ECD.9020508@ecs.soton.ac.uk>
Message-ID:

We are very pleased to announce the release of BarricadeMX Plus version 2.1. BarricadeMX Plus combines our very efficient and accurate SMTP filtering application, BarricadeMX with MailScanner and an advanced yet easy to navigate web interface.

Key features of the web interface:

* Three levels of authentication (Super Administrator, Domain Administrator and User) allow you to grant access to different administrative duties to different users.
* Extensive configuration on a per-domain basis allows each domain to have different rules without affecting other domains.
* Simple end-user interface to allow mailbox owners to classify and retrieve mail from quarantine and manage white/black lists.
* Can authenticate users using your existing infrastructure allowing users to login with their existing credentials against POP3, IMAP, SMTP or Active Directory services.
* Extensive reporting and real-time statistics.

Key features of the engine:

* High concurrency with denial-of-service protection.
* Numerous anti-spam tests cleverly ordered to reject messages safely and as early as possible providing maximum efficiency.
* Click Auto Whitelisting. Any SMTP rejection is sent with a clickable link allowing senders to whitelist themselves.
* Outbound message watermarking. Eliminates backscatter and allows message replies to be automatically whitelisted.

BarricadeMX Plus is designed to be extensible. It can easily scale from a single gateway to very large sites. From scanning for a single domain to scanning tens of thousands of domains, we have a solution that will fit your needs and your budget.

You can test drive the software on our new demo system, download a 30 day trial or we can install and configure a test system for you. Simply visit www.fsl.com for details.

--
Steve Swaney
CEO Fort Systems Ltd
steve@fsl.com
www.fsl.com
The most accurate and cost effective anti-spam solutions available

From jeffrey at life.illinois.edu Fri Jan 21 19:36:21 2011
From: jeffrey at life.illinois.edu (Jeffrey Haas)
Date: Fri Jan 21 19:36:32 2011
Subject: SpamAssassin custom headers
Message-ID: <4D39E035.9060903@life.illinois.edu>

Is it possible to ask SpamAssassin to create a custom header and have it appear in a message processed by MailScanner? I'd like to be able to view the detailed RBL report for a message to see which address triggered the RBL test by adding something like:

add_header all RBL rbl=_RBL_

to MailScanner's etc/spam.assassin.prefs.conf file.

Looks like MailScanner only includes its own headers by default. Is there a way to pull a header in from the SpamAssassin report?

Thanks for any info.

--jeff

From sean.m.schipper at lawrence.edu Mon Jan 24 16:42:15 2011
From: sean.m.schipper at lawrence.edu (Sean M. Schipper)
Date: Mon Jan 24 16:42:33 2011
Subject: limiting damage done by a compromised account
Message-ID: <5E7A3482AFF64D4D8F069CB781397C411D8B78@MAIL2.lawrence.edu>

Hi,

I use Mailscanner (v4.79 on RH Linux with spamassassin & Clam) in front of Exchange 2010. Occasionally at our university we'll have a student email in their login credentials in response to phishing email that got thru. We don't scan outgoing messages since I don't want to block outgoing emails except for this situation.

I'm looking for advice on what to do to protect us from being a source of spam. We currently have a poor reputation from senderbase which I've been unable to correct - any ideas on anything I can do to speed up this process would be welcome as well.

Thanks,
Sean

From J.Ede at birchenallhowden.co.uk Mon Jan 24 16:58:17 2011
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Mon Jan 24 16:58:18 2011
Subject: limiting damage done by a compromised account
In-Reply-To: <5E7A3482AFF64D4D8F069CB781397C411D8B78@MAIL2.lawrence.edu>
References: <5E7A3482AFF64D4D8F069CB781397C411D8B78@MAIL2.lawrence.edu>
Message-ID:

Assuming you have some form of authentication for outgoing is that you can limit the from address for emails to that of the account. Also what about some form of rate limiting with alerting plugged in?

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Sean M. Schipper
Sent: 24 January 2011 16:42
To: mailscanner@lists.mailscanner.info
Subject: limiting damage done by a compromised account

Hi,

I use Mailscanner (v4.79 on RH Linux with spamassassin & Clam) in front of Exchange 2010. Occasionally at our university we'll have a student email in their login credentials in response to phishing email that got thru. We don't scan outgoing messages since I don't want to block outgoing emails except for this situation.

I'm looking for advice on what to do to protect us from being a source of spam. We currently have a poor reputation from senderbase which I've been unable to correct - any ideas on anything I can do to speed up this process would be welcome as well.

Thanks,
Sean

From steve at fsl.com Mon Jan 24 18:02:56 2011
From: steve at fsl.com (Stephen Swaney)
Date: Mon Jan 24 18:03:07 2011
Subject: limiting damage done by a compromised account
In-Reply-To:
References: <5E7A3482AFF64D4D8F069CB781397C411D8B78@MAIL2.lawrence.edu>
Message-ID:

Sean,

take a look at rate-limiting by Anthony Howe of Snertsoft. I quote below from:

http://www.snertsoft.com/sendmail/milter-limit/

This Sendmail mail filter aims to limit the number of messages by connecting client IP, sender, or recipient. It's intended to be a utility milter to control the flow of mail. It could be used on the outbound side like Hotmail's daily message limits to limit local user's consumption (particularly if they appear to be infected by a mass mailing worm); it could be used inbound as an alternative to grey-listing. It could be enabled and disabled as needed during periods of peak Internet activity such as during a virus outbreak or spam holiday season.

It's free.

Our commercial products BarricadeMX and BarricadeMX Plus include a rate-limiting milter-limit feature and :

----------------------

smtp-strict-relay: (on or off)

Only allow outbound messages from our specified relays and where the sender is from one of the domains we route email from.
----------------------

rate-throttle=(no of seconds, default = 30)

# Overall client connections per second allowed before imposing a
# one second delay. Specify zero (0) to disable.
----------------------

Concurrent-Connect:ip
Concurrent-Connect:domain

This is used to specify the maximum number of concurrent connections an SMTP client is permitted at any one time. Specify an integer or zero (0) to disable. The bare tag can be used to specify a global setting. If an SMTP client exceeds the allotted number of connections, then the incoming connection is dropped, while existing connections continue.
----------------------

Msg-Limit-Connect:ip
Msg-Limit-Connect:domain
Msg-Limit-From:mail
Msg-Limit-To:mail

Used to limit the number of messages a SMTP client, sender, or recipient can send/receive in a given time period. A message limit is given as:
messages '/' time [unit]

which is the number of messages per time interval. The time unit specifier can be one of week, day, hour, minute, or seconds (note only the first letter is significant). A negative number for messages will disable any limit.
----------------------

Please contact me off list if you need more information.

Steve

--
Steve Swaney
steve@fsl.com
202 595-7760 ext: 601
www.fsl.com
The most accurate and cost effective anti-spam solutions available

On Jan 24, 2011, at 12:58 PM, Jason Ede wrote:

> Assuming you have some form of authentication for outgoing mail, you can limit the From address for emails to that of the account. Also, what about some form of rate limiting with alerting plugged in?

From johnnyb at marlboro.edu Mon Jan 24 19:38:42 2011
From: johnnyb at marlboro.edu (John Baker)
Date: Mon Jan 24 19:37:46 2011
Subject: limiting damage done by a compromised account
In-Reply-To: <5E7A3482AFF64D4D8F069CB781397C411D8B78@MAIL2.lawrence.edu>
References: <5E7A3482AFF64D4D8F069CB781397C411D8B78@MAIL2.lawrence.edu>
Message-ID: <4D3DD542.2030609@marlboro.edu>

I have also been struggling with this over the last year and have several pieces cobbled together. A key piece for me is that we use policyd greylisting and it has rate limiting as well. I believe that you can use rate limiting without greylisting. If you use SASL authentication for all mail you should be able to solve the problem with this. But if you don't or can't use SASL there are a few holes in it because you have to use envelope sender or IP instead and that can be fairly easily circumvented.

MailScanner can help a lot with catching phishing attempts before they get to students as well. ScamNailer http://www.scamnailer.info/ tags almost all of them to begin with. I use MailScanner's spam action rules with "attachment" to trigger a warning whenever something looks particularly suspiciously like a phishing attempt but isn't getting marked as spam. To trigger it I use ScamNailer, custom rules based on the attempts we have had, and a few RBLs.

If you can, let me know what you come up with. I'm still trying to perfect my system and am looking for more ideas.

--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551
Cell: 451-6748

From ka at pacific.net Mon Jan 24 20:24:48 2011
From: ka at pacific.net (Ken A)
Date: Mon Jan 24 20:25:08 2011
Subject: limiting damage done by a compromised account
In-Reply-To:
References: <5E7A3482AFF64D4D8F069CB781397C411D8B78@MAIL2.lawrence.edu>
Message-ID: <4D3DE010.2020804@pacific.net>

+1 on milter-limit. It's free, easy to use, and can simply quarantine > x messages per day from any sender or relay. With quarantine, the mail is there for later inspection and possible whitelisting - if a certain sender needs to send a lot of mail. The sender might only notice a delay.

Simple rules go into your access list:

    # exceptions
    milter-limit-From:sales@somewhere.not 5000/1d
    # default
    milter-limit-From: 500/1d

Ken

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From prinbra at gmail.com Tue Jan 25 05:46:10 2011
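
The per-sender limits in Ken A's access-list rules and the "messages '/' time [unit]" format quoted by Stephen Swaney, as an added example that is not part of the thread and is not milter-limit's own code. It parses the two rules shown above and applies them to constructed outbound traffic; the sliding-window counting, the "seconds when no unit is given" default and the student@example.edu address are assumptions.

```python
import re
from collections import defaultdict, deque

# Only the first letter of the unit is significant (week, day, hour, minute, seconds).
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
LIMIT_RE = re.compile(r"^(-?\d+)\s*/\s*(\d+)\s*([A-Za-z]*)$")
TAG = "milter-limit-from:"

# The access-list entries from the message above.
ACCESS = """\
# exceptions
milter-limit-From:sales@somewhere.not 5000/1d
# default
milter-limit-From: 500/1d
"""


def parse_limit(spec):
    """Parse "messages/time[unit]" into (max_messages, window_seconds).

    max_messages is None when the message count is negative (limit disabled).
    """
    m = LIMIT_RE.match(spec.strip())
    if not m:
        raise ValueError("bad limit: %r" % spec)
    count, span, unit = int(m.group(1)), int(m.group(2)), m.group(3).lower()
    if unit and unit[0] not in UNIT_SECONDS:
        raise ValueError("bad time unit in %r" % spec)
    # Assumption: a missing unit means seconds.
    window = span * (UNIT_SECONDS[unit[0]] if unit else 1)
    if window <= 0:
        raise ValueError("window must be positive: %r" % spec)
    return (None if count < 0 else count, window)


def load_rules(access_text):
    """Map sender address -> limit; the bare tag (global default) is stored under ""."""
    rules = {}
    for raw in access_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith(TAG):
            continue
        fields = line[len(TAG):].split()
        if len(fields) == 1:
            rules[""] = parse_limit(fields[0])
        elif len(fields) == 2:
            rules[fields[0].lower()] = parse_limit(fields[1])
        else:
            raise ValueError("bad access entry: %r" % raw)
    return rules


class SenderLimiter:
    """Sliding-window counter per authenticated sender (assumed semantics)."""

    def __init__(self, rules):
        self.rules = rules
        self.seen = defaultdict(deque)

    def check(self, sender, now):
        sender = sender.lower()
        # A sender-specific entry wins over the bare-tag default.
        rule = self.rules.get(sender, self.rules.get(""))
        if rule is None or rule[0] is None:
            return "accept"
        limit, window = rule
        queue = self.seen[sender]
        while queue and queue[0] <= now - window:
            queue.popleft()
        # Over-limit attempts are counted too, so a flood stays quarantined.
        queue.append(now)
        return "accept" if len(queue) <= limit else "quarantine"


def simulate(sender, count, interval):
    """Send `count` messages, one every `interval` seconds; return (accepted, quarantined)."""
    limiter = SenderLimiter(load_rules(ACCESS))
    verdicts = [limiter.check(sender, i * interval) for i in range(count)]
    return verdicts.count("accept"), verdicts.count("quarantine")


if __name__ == "__main__":
    # Constructed traffic: a phished account sending one message every 10 seconds.
    print("student:", simulate("student@example.edu", 720, 10))
    print("sales:  ", simulate("sales@somewhere.not", 720, 10))
```

Keying the counter on the authenticated login rather than the envelope sender closes the gap John Baker describes, where a sender address or IP can be changed to get around the limit.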
From: prinbra at gmail.com (Curu Wong)
Date: Tue Jan 25 05:46:20 2011
Subject: multi-volume RAR archive problem
Message-ID:

Strictly speaking, I am not sure if this is a problem.

We can create a multi-volume (split volume) RAR archive with WinRAR, and send the volumes out one by one via email. When one message arrives at MailScanner, it will try to unpack that volume (part of the complete archive), which should definitely fail. Then MS restarts itself and tries and fails, and tries and fails, then gives up processing that message and blocks it.

My question is, what's the better solution? Can we tell if a RAR archive is multi-volume and just skip processing it? Is it a good policy to restart MS itself (due to external failure) and do the exact same (should always fail) action toward the offending message?

From maxsec at gmail.com Tue Jan 25 06:42:14 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Jan 25 06:42:28 2011
Subject: multi-volume RAR archive problem
In-Reply-To:
References:
Message-ID:

What version is mailscanner? There has been work on these sort of things recently (from memory, best to check the changelog)

On Tuesday, 25 January 2011, Curu Wong wrote:
> Strictly speaking, I am not sure if this is a problem.
>
> We can create multi-volume(split volume) RAR archive with the WinRAR, and send them out one by one via email. When one message arrives at MailScanner, it will try to unpack that volume(part of the complete archive), which should definitely fail. and then ms restart itself and try and fail and try and fail, then give up processing that message, block it.
>
> My question is, what's the better solution? can we tell if a RAR archive is multi-volumed and just skip processing it? Is it a good policy to restart ms itself(due to external failure) and do the exact same(should always fail) action toward the offending message?

--
Martin Hepworth
Oxford, UK

From prinbra at gmail.com Tue Jan 25 07:08:56 2011
From: prinbra at gmail.com (Curu Wong)
Date: Tue Jan 25 07:09:05 2011
Subject: multi-volume RAR archive problem
In-Reply-To:
References:
Message-ID:

I am using MailScanner v4.81.4, the latest stable release.

On Tue, Jan 25, 2011 at 2:42 PM, Martin Hepworth wrote:
> What version is mailscanner? There has been work on these sort of
> things recently (from memory , best to check the changelog)

From achim+mailwatch at qustodium.net Tue Jan 25 10:41:05 2011
From: achim+mailwatch at qustodium.net (Achim J. Latz)
Date: Tue Jan 25 10:41:24 2011
Subject: Fwd: Phishing detection behaviour
Message-ID: <4D3EA8C1.2090407@qustodium.net>

Hello Michael:

Did you get any feedback on your post below? Your observations seem to indicate that the phishing behaviour is not working correctly. What version of Mailscanner are you using?

Cheers, Achim

-------- Original Message --------
Subject: Phishing detection behaviour
Date: Tue, 11 Jan 2011 14:00:35 -0600
From: Michael Masse
Reply-To: MailScanner discussion
To:
Newsgroups: gmane.mail.virus.mailscanner

I'm trying to come up with a test to consistently trip the phishing detection system so that I will know whether future rules I write will work as intended. I can send an email from an outside account containing something simple like www.fake.com and the system detects it properly like it should and puts the proper warning in the body of the email.

The problem is that the next time (and each subsequent time) I send the same email from that same account, the system doesn't detect the problem and lets it through without the phishing warning. If I change the URL's within the email it will detect the phish attempt again the first time those fake URL's are used, but not any subsequent times I reuse them.

Is this how it's supposed to behave? I find that hard to believe. What setting could affect this?

-Mike

From achim+mailwatch at qustodium.net Tue Jan 25 10:52:06 2011
From: achim+mailwatch at qustodium.net (Achim J. Latz)
Date: Tue Jan 25 10:52:28 2011
Subject: Fwd: RE: weird mailscanner clamd error
Message-ID: <4D3EAB56.3050301@qustodium.net>

Hello Rick:

Did Julian reply to your suggestion/bug fix?

Perhaps it got lost in the depths of Christmas/New Year's traffic?

Best regards, Achim

-------- Original Message --------
Subject: RE: weird mailscanner clamd error
Date: Thu, 6 Jan 2011 12:25:06 -0500
From: Rick Cooper
Reply-To: MailScanner discussion
To: 'MailScanner discussion'
Newsgroups: gmane.mail.virus.mailscanner
References: <201101051200.p05C0MhO008128@safir.blacknight.ie><9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com><7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk> <9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com>

Naz Snidanko wrote:
> I just checked:
>
> /opt/MailScanner-4.82.3-1/lib/MailScanner/MessageBatch.pm
>
> I am using 4.82.3-1 and this modification is there. It does not solve
> the problem. I haven't tried running clamd under root since it would
> violate our security principles.
>
> Are you guys sure it is not a problem with clamd itself? Clamav
> doesn't get this error.

Actually the more I looked at this, I believe the code in Message.pm beginning at line 3348 that reads

    # Untaint member's attributes.
    $member->unixFileAttributes(0600);

Should be

    # Untaint member's attributes.
    my $workperms = MailScanner::Config::Value('workperms') || '0600';
    $member->unixFileAttributes($workperms);

For some reason it appears Julian forced the extracted files to 0600 in the original code. The change I have listed above would set them to what ever the mailscanner config has for the work permissions or 600 if no value exists.

Julian any comment?

Rick

>
> Regards,
>
> Naz Snidanko
> Desktop & Network Support
> Harper Power Products Inc.
> (p) 416 201- 7506
> nsnidanko@harperpowerproducts.com
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Iulian L Dragomir
> Sent: January 6, 2011 6:05 AM
> To: MailScanner discussion
> Subject: Re: weird mailscanner clamd error
>
> On Thu, Jan 6, 2011 at 12:24 PM, Randal, Phil wrote:
>> The only workaround I've found is to run clamd as root.
>>
>> I've seen the same issue with MailScanner / sendmail on CentOS.
>
> If it is the same problem then try this:
>
> http://lists.mailscanner.info/pipermail/mailscanner/2010-April/095611.html

--
Achim J. Latz, Qustodium Internet Security
achim.latz@qustodium.net · http://www.qustodium.net
Data Encryption · Backup Automatisation · E-Mail Protection

From MailScanner at ecs.soton.ac.uk Tue Jan 25 11:16:19 2011
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 25 11:16:59 2011
Subject: Fwd: RE: weird mailscanner clamd error
In-Reply-To: <4D3EAB56.3050301@qustodium.net>
References: <4D3EAB56.3050301@qustodium.net> <4D3EB103.6000106@ecs.soton.ac.uk>
Message-ID:

Sounds perfect. Much better idea, you are quite right! :-)

On 25/01/2011 10:52, Achim J. Latz wrote:
> Hello Rick:
>
> Did Julian reply to your suggestion/bug fix?
>
> Perhaps it got lost in the depths of Christmas/New Year's traffic?
>
> Best regards, Achim

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
'All programs have a desire to be useful' - Tron, 1982

From hvdkooij at vanderkooij.org Tue Jan 25 11:26:03 2011
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Jan 25 11:26:56 2011
Subject: multi-volume RAR archive problem
In-Reply-To:
References:
Message-ID:

On Tue, 25 Jan 2011 13:46:10 +0800, Curu Wong wrote:
> My question is, what's the better solution? can we tell if a RAR archive is multi-volumed and just skip processing it? Is it a good policy to restart ms itself(due to external failure) and do the exact same(should always fail) action toward the offending message?

From a security standpoint it is unwise to allow such files. I could craft my malware to split the malicious code into multiple archives and avoid detection.

From my point of view one should supply an alternative method for exchanging files that can't comfortably fit into a single message.

--
hvdkooij@vanderkooij.org
http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From rcooper at dwford.com Tue Jan 25 15:26:00 2011
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Jan 25 15:26:16 2011
Subject: weird mailscanner clamd error
In-Reply-To: <4D3EAB56.3050301@qustodium.net>
References: <4D3EAB56.3050301@qustodium.net>
Message-ID: <9EE1719FF9F141F28367AB0C6FC0B943@SAHOMELT>

Achim J. Latz wrote:
> Hello Rick:
>
> Did Julian reply to your suggestion/bug fix?
>
> Perhaps it got lost in the depths of Christmas/New Year's traffic?

No I have noticed anything from Julian on this issue but from experience it's not uncommon for him to look into something that has been addressed or a patch suggested on the list, fix it and not mention it until the next update. If there is nothing in that change log then might want to bother him again.

Rick

From MailScanner at ecs.soton.ac.uk Tue Jan 25 15:37:46 2011
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 25 15:38:07 2011
Subject: weird mailscanner clamd error
In-Reply-To: <9EE1719FF9F141F28367AB0C6FC0B943@SAHOMELT>
References: <4D3EAB56.3050301@qustodium.net> <9EE1719FF9F141F28367AB0C6FC0B943@SAHOMELT> <4D3EEE4A.7090204@ecs.soton.ac.uk>
Message-ID:

It's in the ChangeLog and the code base already :-)

On 25/01/2011 15:26, Rick Cooper wrote:
> Achim J. Latz wrote:
>> Hello Rick:
>>
>> Did Julian reply to your suggestion/bug fix?
>>
>> Perhaps it got lost in the depths of Christmas/New Year's traffic?
> No I have noticed anything from Julian on this issue but from experience
> it's not uncommon for him to look into something that has been addressed
> or a patch suggested on the list, fix it and not mention it until the next
> update. If there is nothing in that change log then might want to bother him
> again.
>
> Rick

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
'All programs have a desire to be useful' - Tron, 1982
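
The "Access denied" failure in this thread comes from extracted archive members being forced to mode 0600 while clamd runs as a different, non-root account. The following added example (not MailScanner or ClamAV code) audits a work directory for entries that a given scanner uid and group set cannot read; the file names, the 0640 mode and the scanner uid are constructed for the demonstration.

```python
import os
import stat
import tempfile


def _allowed(st, uid, gids, user_bit, group_bit, other_bit):
    """Evaluate one POSIX permission bit for uid/gids against a stat result."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_read_file(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_enter_dir(st, uid, gids):
    # Listing and traversing a directory needs both read and search (x).
    return (_allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
            and _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH))


def unreadable_for(root, uid, gids):
    """Return paths under root (relative to it) that uid/gids cannot read."""
    blocked = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not can_enter_dir(os.lstat(dirpath), uid, gids):
            blocked.append(os.path.relpath(dirpath, root) + os.sep)
            dirnames[:] = []  # nothing below is reachable either
            continue
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if not can_read_file(os.lstat(path), uid, gids):
                blocked.append(os.path.relpath(path, root))
    return blocked


def demo():
    """Constructed work directory: one member forced to 0600, one at 0640."""
    with tempfile.TemporaryDirectory() as work:
        os.chmod(work, 0o750)
        for name, mode in (("forced-0600.doc", 0o600),
                           ("work-perms-0640.doc", 0o640)):
            path = os.path.join(work, name)
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
            os.chmod(path, mode)
        st = os.lstat(work)
        scanner_uid = st.st_uid + 1   # hypothetical separate scanner account
        scanner_gids = {st.st_gid}    # assumed to share the work group
        return unreadable_for(work, scanner_uid, scanner_gids)


if __name__ == "__main__":
    print(demo())
```

A non-empty result for the scanner's real uid and groups points at the permission mismatch rather than at clamd itself, and avoids the workaround of running clamd as root.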
From rcooper at dwford.com Tue Jan 25 16:55:23 2011 
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Jan 25 16:55:38 2011
Subject: multi-volume RAR archive problem
In-Reply-To:
References:
Message-ID:

If this is causing an issue the fix would be in the unpackrar function to test if the file is part of a multi-volume archive and not try and extract the file. But this is the same as allowing multipart emails, I wouldn't do it because there is no way to virus test a multipart attachment. Of course there could be a new config option to allow multi-volume rar (or maybe archives in general?) files that was rule based so you could allow a file name pattern from your own users and disallow from all else.

Testing for the multi-volume is fast and pretty easy. Command line would be:

    /path/unrar lv FileName

Output would be either

-------------------------------------------------------------------------------
    1  185500442  52428702  28%  volume 1
       ^          ^              ^      +-- Volume Number
       |          |              +--------- The Word Volume
       |          +------------------------ The size of this file
       +----------------------------------- Total size of combined volume

or

-------------------------------------------------------------------------------
    0  0  52428702  0%  volume 2

The first number is 1 for the first part and zero for the others so if the file size is known a regex (with all white space truncated to one char, no leading or trailing) /^\d+\s\d+\s$FileSize\s\d+\%\svolume\s+$/, the file size part is just insurance we don't hit the string somewhere in the listing but really I think just adding another \d+ would suffice

If this regex hit (and could probably just change the $FileSize to another \d+) you would know it was part of a multi-volume set.

To me this is an overly complicated change to accommodate a one off situation. Can you not just enter pass in one of the file rules sets?

I am looking at the unrar code and as I thought the lv is already used to check for password protection so changing the relevant part to:

    foreach $what (@test) {
      #print STDERR "Processing \"$what\"\n";
      # If we haven't hit any ------- lines at all, and we are prompted for
      # a password, then the whole archive is password-protected.
      unless ($BeginInfo || $EndInfo) {
        if ($what =~ /^Encrypted file:/i && !$allowpasswords) {
          MailScanner::Log::WarnLog("Password Protected RAR Found");
          return "password";
        }
        if ($what =~ /^\s+\d+\s+\d+\s+\d+\s+\d+%\s+volume\s{0,}$/i) {
          MailScanner::Log::WarnLog("Multi-Volume RAR Found");
          return "multivolume";
        }
      }

This would prevent MailScanner from attempting to unpack the file and if the return is multivolume MS could handle it according to a configured setting, or default to rejecting outright instead of trying until it hits maxfail and rejects it.

Back to Julian

Rick

_____
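Added example, not part of Rick's post and not MailScanner's own code: a stand-alone Perl sketch of the pre-check discussed above, classifying "unrar lv" output before any extraction is attempted. The listings are constructed around the two summary lines quoted in the post, and classify_rar_listing, action_for and the allow switch are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Summary line layout, taken from the two sample lines quoted in the thread:
#   <count> <total size> <size of this file> <ratio>% volume <volume number>
# The pattern includes the trailing volume number both samples end with.
my $SUMMARY = qr/^\s*(\d+)\s+(\d+)\s+(\d+)\s+\d+%\s+volume\s+(\d+)\s*$/i;
my $RULE    = qr/^-{20,}\s*$/;

# Classify the text of "unrar lv <file>" without extracting anything.
# Returns a hash ref whose class is 'password', 'multivolume' or 'plain'.
sub classify_rar_listing {
    my ($listing, $allowpasswords) = @_;
    my @lines = split /\r?\n/, $listing;

    # Locate the first and last ------- rule lines (if any).
    my ($first_rule, $last_rule);
    for my $i (0 .. $#lines) {
        next unless $lines[$i] =~ $RULE;
        $first_rule = $i unless defined $first_rule;
        $last_rule  = $i;
    }

    # A password prompt before any rule: the whole archive is protected.
    my $head_end = defined $first_rule ? $first_rule - 1 : $#lines;
    for my $line (@lines[0 .. $head_end]) {
        return +{ class => 'password' }
            if $line =~ /^Encrypted file:/i && !$allowpasswords;
    }

    # Only lines after the last rule can be the summary, so a member file
    # whose name imitates the summary line is not mistaken for it.
    if (defined $last_rule) {
        for my $line (@lines[$last_rule + 1 .. $#lines]) {
            if ($line =~ $SUMMARY) {
                return +{ class => 'multivolume', this_size => $3, volume => $4 };
            }
        }
    }
    return +{ class => 'plain' };
}

# Hypothetical policy hook: the thread only suggests such a setting could exist.
sub action_for {
    my ($result, $allow_multivolume) = @_;
    my $class = $result->{class};
    return 'reject' if $class eq 'password';
    if ($class eq 'multivolume') {
        # A single volume cannot be unpacked or virus-tested on its own.
        return $allow_multivolume ? 'deliver without unpacking' : 'reject';
    }
    return 'unpack and scan';
}

# Constructed listings (simplified member rows, not captured unrar output).
my $rule = '-' x 79;
my @samples = (
    [ 'first volume', <<"END" ],
$rule
 report.doc
    185500442 52428702  28%
$rule
    1        185500442 52428702  28%  volume 1
END
    [ 'later volume', <<"END" ],
$rule
 report.doc
            0 52428702   0%
$rule
    0                0 52428702   0%  volume 2
END
    [ 'look-alike name', <<"END" ],
$rule
 1 2 3 4% volume 9
           10       10 100%
$rule
    1               10       10 100%
END
    [ 'encrypted headers', <<"END" ],
Encrypted file:  secret.rar
END
);

for my $s (@samples) {
    my ($label, $text) = @$s;
    my $r = classify_rar_listing($text, 0);
    printf "%-18s class=%-12s action=%s\n",
        $label, $r->{class}, action_for($r, 0);
}
```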
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Curu Wong Sent: Tuesday, January 25, 2011 12:46 AM To: MailScanner discussion Subject: multi-volume RAR archive problem Strictly speaking, I am not sure if this is a problem. We can create multi-volume(split volume) RAR archive with the WinRAR, and send them out one by one via email. When one message arrives at MailScanner, it will try to unpack that volume(part of the complete archive), which should definitely fail. and then ms restart itself and try and fail and try and fail, then give up processing that message, block it. My question is, what's the better solution? can we tell if a RAR archive is multi-volumed and just skip processing it? Is it a good policy to restart ms itself(due to external failure) and do the exact same(should always fail) action toward the offending message? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110125/c5536f1d/attachment.html From campbell at cnpapers.com Tue Jan 25 17:51:15 2011 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Jan 25 17:51:52 2011 Subject: OT Trends of 64 bit Message-ID: <4D3F0D93.3040303@cnpapers.com> Just wondering - Is the trend for mail servers typically moving toward the 64 bit versions of Linux (or other OSs)? Are any using a 64 bit OS with MS and Clam? I'd just like to hear your issues since I might be getting some new servers this year. Steve Campbell From ecasarero at gmail.com Tue Jan 25 17:57:02 2011 
From: ecasarero at gmail.com (Eduardo Casarero) Date: Tue Jan 25 17:57:36 2011 Subject: OT Trends of 64 bit In-Reply-To: <4D3F0D93.3040303@cnpapers.com> References: <4D3F0D93.3040303@cnpapers.com> Message-ID: 2011/1/25 Steve Campbell > Just wondering - > > Is the trend for mail servers typically moving toward the 64 bit versions > of Linux (or other OSs)? Are any using a 64 bit OS with MS and Clam? > > I'd just like to hear your issues since I might be getting some new servers > this year. > We are running MS & Clam on Slackware 64bits without problem. > > Steve Campbell > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110125/d77351b1/attachment.html From peter.ong at hypermediasystems.com Tue Jan 25 18:20:12 2011 
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Tue Jan 25 18:20:22 2011
Subject: OT Trends of 64 bit
In-Reply-To: <4D3F0D93.3040303@cnpapers.com>
Message-ID: <1497744670.2537.1295979612680.JavaMail.root@mail021.dti>

> Is the trend for mail servers typically moving toward the 64 bit
> versions of Linux (or other OSs)? Are any using a 64 bit OS with MS
> and Clam?
>
> I'd just like to hear your issues since I might be getting some new
> servers this year.

Sounds like an anthropological question with a calculus twist. If you look at Zimbra's site, it shows their 32-bit offerings are being phased out.

If you have 32-bit systems and are thinking of upgrading, go with 64-bit on the destination platform. If you are going to buy new systems, make sure they're 64-bit. And now is the time to start thinking about migrating into 64. I know that Zimbra's open-source offering doesn't have a clean way of doing this so we're kind of in trouble. That's my anthropological take.

From a calculus pov, well, the technology is definitely trending towards 64.

p

From jaearick at colby.edu Tue Jan 25 18:22:32 2011
From: jaearick at colby.edu (Jeff Earickson) Date: Tue Jan 25 18:23:02 2011 Subject: OT Trends of 64 bit In-Reply-To: <4D3F0D93.3040303@cnpapers.com> References: <4D3F0D93.3040303@cnpapers.com> Message-ID: Steve, I ran MS and Clam on Solaris 10 Sparc (by definition 64-bit) for 6 or 7 years with no issues, other than being the oddball on this list who continued to use Solaris. This Fall I moved this setup to VMWare based 64-bit Redhat ES 5.5 (now 5.6) with no issues at all. I will be moving the setup to VMWare based Redhat ES 6.0, 64-bit, this Spring. This past summer we moved our email from an in-house mail system (the Solaris/MS/Clam/Sendmail frontend, with a Mirapoint email appliance backend) to Google Apps. So the MailScanner box handles far less email than it used to. It just acts as a mail relay for a few key servers behind our firewall(s), plus it acts as Google's "where to route it if I don't know who this person is" mail server. The Google route stuff supports email redirects and some legacy email aliases. As always, MailScanner continues to run just great. Jeff Earickson Colby College On Tue, Jan 25, 2011 at 12:51 PM, Steve Campbell wrote: > Just wondering - > > Is the trend for mail servers typically moving toward the 64 bit versions of > Linux (or other OSs)? Are any using a 64 bit OS with MS and Clam? > > I'd just like to hear your issues since I might be getting some new servers > this year. > > Steve Campbell > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From jaearick at colby.edu Tue Jan 25 18:27:01 2011 
From: jaearick at colby.edu (Jeff Earickson)
Date: Tue Jan 25 18:27:31 2011
Subject: OT Trends of 64 bit
In-Reply-To: <1497744670.2537.1295979612680.JavaMail.root@mail021.dti>
References: <4D3F0D93.3040303@cnpapers.com> <1497744670.2537.1295979612680.JavaMail.root@mail021.dti>
Message-ID:

Steve,

Here's another trend... Symantec/Veritas Netbackup only supports 64-bit UNIX OS'es as of release 7.0, which came out last Fall. This was *my* reason for scrapping 32-bit Redhat.

Jeff Earickson
Colby College

On Tue, Jan 25, 2011 at 1:20 PM, Peter Ong wrote:
>> Is the trend for mail servers typically moving toward the 64 bit
>> versions of Linux (or other OSs)? Are any using a 64 bit OS with MS
>> and Clam?
>>
>> I'd just like to hear your issues since I might be getting some new
>> servers this year.
>
> Sounds like an anthropological question with a calculus twist. If you look at Zimbra's site, it shows their 32-bit offerings are being phased out.
>
> If you have 32-bit systems and are thinking of upgrading, go with 64-bit on the destination platform. If you are going to buy new systems, make sure they're 64-bit. And now is the time to start thinking about migrating into 64. I know that Zimbra's open-source offering doesn't have a clean way of doing this so we're kind of in trouble. That's my anthropological take.
>
> From a calculus pov, well, the technology is definitely trending towards 64.
>
> p
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From ssilva at sgvwater.com Tue Jan 25 18:29:22 2011
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jan 25 18:29:38 2011 Subject: OT Trends of 64 bit In-Reply-To: <4D3F0D93.3040303@cnpapers.com> References: <4D3F0D93.3040303@cnpapers.com> Message-ID: on 1/25/2011 9:51 AM Steve Campbell spake the following: > Just wondering - > > Is the trend for mail servers typically moving toward the 64 bit versions of > Linux (or other OSs)? Are any using a 64 bit OS with MS and Clam? > > I'd just like to hear your issues since I might be getting some new servers > this year. > > Steve Campbell > I say go 64 or go home!!! LOL... Alas, my PHB's are forcing a move to Exchange..... Hopefully they will let me keep a MailScanner box in front of it. From campbell at cnpapers.com Tue Jan 25 18:56:43 2011 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Jan 25 18:57:01 2011 Subject: OT Trends of 64 bit In-Reply-To: References: <4D3F0D93.3040303@cnpapers.com> Message-ID: <4D3F1CEB.5010003@cnpapers.com> Thanks all for the forceful, persuasive insight. Since I can't get these new servers for a few months, guess I'll just go home and wait on their arrival. steve On 1/25/2011 1:29 PM, Scott Silva wrote: > on 1/25/2011 9:51 AM Steve Campbell spake the following: >> Just wondering - >> >> Is the trend for mail servers typically moving toward the 64 bit versions of >> Linux (or other OSs)? Are any using a 64 bit OS with MS and Clam? >> >> I'd just like to hear your issues since I might be getting some new servers >> this year. >> >> Steve Campbell >> > I say go 64 or go home!!! LOL... Alas, my PHB's are forcing a move to > Exchange..... Hopefully they will let me keep a MailScanner box in front of it. > From campbell at cnpapers.com Tue Jan 25 18:58:55 2011 
From: campbell at cnpapers.com (Steve Campbell) Date: Tue Jan 25 18:59:17 2011 Subject: OT Trends of 64 bit In-Reply-To: <4D3F0D93.3040303@cnpapers.com> References: <4D3F0D93.3040303@cnpapers.com> Message-ID: <4D3F1D6F.1000502@cnpapers.com> On 1/25/2011 12:51 PM, Steve Campbell wrote: > Just wondering - > > Is the trend for mail servers typically moving toward the 64 bit > versions of Linux (or other OSs)? Are any using a 64 bit OS with MS > and Clam? > > I'd just like to hear your issues since I might be getting some new > servers this year. > > Steve Campbell > BTW, forgot to mention MailWatch. Any takers on this one? steve From peter at farrows.org Tue Jan 25 19:05:37 2011 From: peter at farrows.org (Peter Farrow) Date: Tue Jan 25 19:05:48 2011 Subject: OT Trends of 64 bit In-Reply-To: <4D3F0D93.3040303@cnpapers.com> References: <4D3F0D93.3040303@cnpapers.com> Message-ID: <4D3F1F01.2020305@farrows.org> On 25/01/2011 17:51, Steve Campbell wrote: > Just wondering - > > Is the trend for mail servers typically moving toward the 64 bit > versions of Linux (or other OSs)? Are any using a 64 bit OS with MS > and Clam? > > I'd just like to hear your issues since I might be getting some new > servers this year. > > Steve Campbell > Personally I have been using 64bit Linux (and windoze) for several years now. Can't remember the last time I installed 32bit linux. P. From ssilva at sgvwater.com Tue Jan 25 19:13:23 2011 
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jan 25 19:13:35 2011
Subject: OT Trends of 64 bit
In-Reply-To: <4D3F1D6F.1000502@cnpapers.com>
References: <4D3F0D93.3040303@cnpapers.com> <4D3F1D6F.1000502@cnpapers.com>
Message-ID:

on 1/25/2011 10:58 AM Steve Campbell spake the following:
>
>
> On 1/25/2011 12:51 PM, Steve Campbell wrote:
>> Just wondering -
>>
>> Is the trend for mail servers typically moving toward the 64 bit versions of
>> Linux (or other OSs)? Are any using a 64 bit OS with MS and Clam?
>>
>> I'd just like to hear your issues since I might be getting some new servers
>> this year.
>>
>> Steve Campbell
>>
> BTW, forgot to mention MailWatch. Any takers on this one?
>
> steve
>
Mailwatch still runs... It needs some help, but the details are in the forums... Mostly with php5 in newer distros

From john at tradoc.fr Tue Jan 25 19:15:52 2011
From: john at tradoc.fr (John Wilcock)
Date: Tue Jan 25 19:16:07 2011
Subject: OT Trends of 64 bit
In-Reply-To: <4D3F1D6F.1000502@cnpapers.com>
References: <4D3F0D93.3040303@cnpapers.com> <4D3F1D6F.1000502@cnpapers.com>
Message-ID: <4D3F2168.10306@tradoc.fr>

On 25/01/2011 19:58, Steve Campbell wrote:
> BTW, forgot to mention MailWatch. Any takers on this one?

Runs fine on 64 bit (gentoo in my case) - no reason why it shouldn't since apache/php run happily.

John

From prandal at herefordshire.gov.uk Tue Jan 25 21:32:42 2011
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Jan 25 21:32:59 2011
Subject: OT Trends of 64 bit
In-Reply-To: <4D3F0D93.3040303@cnpapers.com>
References: <4D3F0D93.3040303@cnpapers.com>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B852CEA71CB@HC-EXMBX02.herefordshire.gov.uk>

Been running MailScanner and MailWatch happily on CentOS 5.x x64 for quite some time.

Only compatibility glitch I've had is with MailWatch and Firefox 4 beta. A quick find and replace of obsolete HTML "center" code with modern "style" equivalents and all was well again.

Phil

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Campbell Sent: 25 January 2011 17:51 To: mailscanner@lists.mailscanner.info Subject: OT Trends of 64 bit Just wondering - Is the trend for mail servers typically moving toward the 64 bit versions of Linux (or other OSs)? Are any using a 64 bit OS with MS and Clam? I'd just like to hear your issues since I might be getting some new servers this year. Steve Campbell -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. From mark at msapiro.net Wed Jan 26 14:42:36 2011 
From: mark at msapiro.net (Mark Sapiro) Date: Wed Jan 26 14:42:45 2011 Subject: weird mailscanner clamd error In-Reply-To: References: <4D3EAB56.3050301@qustodium.net> <9EE1719FF9F141F28367AB0C6FC0B943@SAHOMELT> <4D3EEE4A.7090204@ecs.soton.ac.uk> Message-ID: <4D4032DC.6070305@msapiro.net> On 11:59 AM, Julian Field wrote: > It's in the ChangeLog and the code base already :-) Is there a publicly accessible change log other than . That one has nothing after the 13 November 2010 release of 4.82.3. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From nsnidanko at harperpowerproducts.com Wed Jan 26 18:15:40 2011 From: nsnidanko at harperpowerproducts.com (Naz Snidanko) Date: Wed Jan 26 18:15:55 2011 Subject: weird mailscanner clamd error References: <4D3EAB56.3050301@qustodium.net> <9EE1719FF9F141F28367AB0C6FC0B943@SAHOMELT> <4D3EEE4A.7090204@ecs.soton.ac.uk> <4D4032DC.6070305@msapiro.net> Message-ID: <5C4A6241B56FDB48A0AC6AC13CA9FB05010AE153@tor_nt01.harperdda.com> Good thing to see this resolved and included in the final release. Thanks for your help guys! Cheers, Naz Snidanko Desktop & Network Support Harper Power Products Inc. (p) 416 201- 7506 nsnidanko@harperpowerproducts.com -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mark Sapiro Sent: January 26, 2011 9:43 AM To: MailScanner discussion Subject: Re: Re: weird mailscanner clamd error On 11:59 AM, Julian Field wrote: > It's in the ChangeLog and the code base already :-) Is there a publicly accessible change log other than . That one has nothing after the 13 November 2010 release of 4.82.3. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From prinbra at gmail.com Thu Jan 27 02:16:18 2011 
From: prinbra at gmail.com (Curu Wong)
Date: Thu Jan 27 02:16:27 2011
Subject: multi-volume RAR archive problem
In-Reply-To:
References:
Message-ID:

I think this is indeed a better solution.

2011/1/26 Rick Cooper

> If this is causing an issue the fix would be in the unpackrar function to
> test if the file is part of a multi-volume archive and not try and extract
> the file. But this is the same as allowing multipart emails, I wouldn't do
> it because there is no way to virus test a multipart attachment. Of course
> there could be a new config option to allow multi-volume rar (or
> maybe archives in general?) files that was rule based so you could allow a
> file name pattern from your own users and disallow from all else.
>
> Testing for the multi-volume is fast and pretty easy. Command line would be:
>
>     /path/unrar lv FileName
>
> Output would be either
>
> -------------------------------------------------------------------------------
>     1  185500442  52428702  28%  volume 1
>        ^          ^              ^      +-- Volume Number
>        |          |              +--------- The Word Volume
>        |          +------------------------ The size of this file
>        +----------------------------------- Total size of combined volume
>
> or
>
> -------------------------------------------------------------------------------
>     0  0  52428702  0%  volume 2
>
> The first number is 1 for the first part and zero for the others so if the
> file size is known a regex (with all white space truncated to one char, no
> leading or trailing)
> /^\d+\s\d+\s$FileSize\s\d+\%\svolume\s+$/, the file size part is just
> insurance we don't hit the string somewhere in the listing but really I
> think just adding another \d+ would suffice
>
> If this regex hit (and could probably just change the $FileSize to another
> \d+) you would know it was part of a multi-volume set.
>
> To me this is an overly complicated change to accommodate a one off
> situation. Can you not just enter pass in one of the file rules sets?
>
> I am looking at the unrar code and as I thought the lv is already used to
> check for password protection so changing the relevant part to:
>
>     foreach $what (@test) {
>       #print STDERR "Processing \"$what\"\n";
>       # If we haven't hit any ------- lines at all, and we are prompted for
>       # a password, then the whole archive is password-protected.
>       unless ($BeginInfo || $EndInfo) {
>         if ($what =~ /^Encrypted file:/i && !$allowpasswords) {
>           MailScanner::Log::WarnLog("Password Protected RAR Found");
>           return "password";
>         }
>         if ($what =~ /^\s+\d+\s+\d+\s+\d+\s+\d+%\s+volume\s{0,}$/i) {
>           MailScanner::Log::WarnLog("Multi-Volume RAR Found");
>           return "multivolume";
>         }
>
>       }
>
> This would prevent MailScanner from attempting to unpack the file and if
> the return is multivolume MS could handle it according to a configured
> setting, or default to rejecting outright instead of trying until it hits
> maxfail and rejects it.
>
> Back to Julian
>
> Rick
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110127/9ac96cd7/attachment.html

From drew at drewmorris.com Thu Jan 27 14:19:37 2011
From: drew at drewmorris.com (Drew Morris)
Date: Thu Jan 27 14:19:51 2011
Subject: Adding a "Has Attachment" header
Message-ID: <8FC648F944354B1BBF6F907F5FA50B86@DREWLAP08>

Hi All...

I am working on a custom delivery script that is used after MailScanner has already run. The script uses many of the headers that MailScanner and Spamassassin insert to determine proper delivery (think procmail). I have the need to determine whether a message has attachments or if it is just simply text and html body parts without any attachments. I can use code like this to do it I believe:

    if ( $msg->isMultipart ) {
        foreach my $part ( $msg->parts ) {
            if ( $part->contentType eq 'text/html' ) {
                # and do a count because more than 1 means 1 is an attachment
            }
            elsif ( $part->contentType eq 'text/plain' ) {
                # and do a count because more than 1 means 1 is an attachment
            }
            else {
                # Means there are attachments right?
            }
        }
    }

But it seems like an unnecessarily heavy approach since MailScanner has already parsed and analyzed the message prior to this step. The ideal solution for me would be to have a configuration line MailScanner.conf that would allow me to turn on "AddAttachmentsCheckToHeader" or something like that and MailScanner could add a header like:

    X-MailScanner-HasAttachments: Yes

or something similar. I don't think this would take much to do and I don't think it would require much (if any) additional overhead for MailScanner's processing since it already has the message parsed. Something like this would be very useful to a number of applications that custom deliver mail based on different attributes that they need to parse from the header so I don't think this is just something that would benefit my use-case.

Any thoughts would be greatly appreciated and if there is already a way to do this that I am just missing... please let me know.

Thanks,
Drew

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110127/55db4e97/attachment.html From rob at poeweb.com Thu Jan 27 19:59:45 2011 From: rob at poeweb.com (Rob Poe) Date: Thu Jan 27 20:00:15 2011 Subject: Mailscanner Message-ID: <4D41CEB1.709@poeweb.com> One of my users has a Sprint cell phone, and sends messages by authenticating (SMTP/POP) to our corporate messaging. He sends out an email to someone outside the org, and SpamAssassin is catching it and scoring it because it's on the BRBL (the Sprint IP pool) and that's in the header. I'd rather NOT scan any email that comes from my trusted MTA (the corporate messaging system). How would I accomplish that (i.e. whitelist any email from a certain MTA ip). r From ssilva at sgvwater.com Thu Jan 27 20:20:07 2011 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jan 27 20:20:23 2011 Subject: Mailscanner In-Reply-To: <4D41CEB1.709@poeweb.com> References: <4D41CEB1.709@poeweb.com> Message-ID: on 1/27/2011 11:59 AM Rob Poe spake the following: > One of my users has a Sprint cell phone, and sends messages by authenticating > (SMTP/POP) to our corporate messaging. > > He sends out an email to someone outside the org, and SpamAssassin is catching > it and scoring it because it's on the BRBL (the Sprint IP pool) and that's in > the header. > > I'd rather NOT scan any email that comes from my trusted MTA (the corporate > messaging system). > > How would I accomplish that (i.e. whitelist any email from a certain MTA ip). > > r > > Look for a header value that only shows up in authenticated mail from your system and add a decent negative score for it. From steve at fsl.com Thu Jan 27 20:26:17 2011 
From: steve at fsl.com (Stephen Swaney)
Date: Thu Jan 27 20:26:31 2011
Subject: Mailscanner
In-Reply-To: <4D41CEB1.709@poeweb.com>
References: <4D41CEB1.709@poeweb.com>
Message-ID: <3EE792B6-9AEE-4B9A-885B-AB5D03E792BF@fsl.com>

I assume that you mean that you don't want Mailscanner to scan for anything except viruses.

If so, you need to setup rulesets in Mailscanner.conf for:

    Use Spamassassin =
    Dangerous Content Scanning =
    Filename Rules =
    Filetype Rules =

That exempt messages originating from the IP of the mail hub from using these tests.

I believe the Mailscanner List Archives has more specific instructions.

Best regards,

Steve

--
Steve Swaney
steve@fsl.com
202 595-7760 ext: 601
www.fsl.com
The most accurate and cost effective anti-spam solutions available

On Jan 27, 2011, at 3:59 PM, Rob Poe wrote:

> One of my users has a Sprint cell phone, and sends messages by authenticating (SMTP/POP) to our corporate messaging.
>
> He sends out an email to someone outside the org, and SpamAssassin is catching it and scoring it because it's on the BRBL (the Sprint IP pool) and that's in the header.
>
> I'd rather NOT scan any email that comes from my trusted MTA (the corporate messaging system).
>
> How would I accomplish that (i.e. whitelist any email from a certain MTA ip).
>
> r
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From steve.freegard at fsl.com Thu Jan 27 22:53:17 2011
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jan 27 22:53:43 2011 Subject: Mailscanner In-Reply-To: <4D41CEB1.709@poeweb.com> References: <4D41CEB1.709@poeweb.com> Message-ID: <4D41F75D.6070802@fsl.com> On 27/01/11 19:59, Rob Poe wrote: > One of my users has a Sprint cell phone, and sends messages by > authenticating (SMTP/POP) to our corporate messaging. > > He sends out an email to someone outside the org, and SpamAssassin is > catching it and scoring it because it's on the BRBL (the Sprint IP pool) > and that's in the header. > > I'd rather NOT scan any email that comes from my trusted MTA (the > corporate messaging system). > > How would I accomplish that (i.e. whitelist any email from a certain MTA > ip). If SpamAssassin is scoring the message then you need to fix your Trust Path. See http://wiki.apache.org/spamassassin/TrustPath Kind regards, Steve. From rob at poeweb.com Fri Jan 28 06:15:57 2011 From: rob at poeweb.com (Rob Poe) Date: Fri Jan 28 06:16:38 2011 Subject: Mailscanner In-Reply-To: <4D41F75D.6070802@fsl.com> References: <4D41CEB1.709@poeweb.com> <4D41F75D.6070802@fsl.com> Message-ID: <000001cbbeb2$d3bfce50$7b3f6af0$@poeweb.com> Fixed this, thank you! -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard Sent: Thursday, January 27, 2011 4:53 PM To: MailScanner discussion Subject: Re: Mailscanner On 27/01/11 19:59, Rob Poe wrote: > One of my users has a Sprint cell phone, and sends messages by > authenticating (SMTP/POP) to our corporate messaging. > > He sends out an email to someone outside the org, and SpamAssassin is > catching it and scoring it because it's on the BRBL (the Sprint IP > pool) and that's in the header. > > I'd rather NOT scan any email that comes from my trusted MTA (the > corporate messaging system). > > How would I accomplish that (i.e. whitelist any email from a certain > MTA ip). If SpamAssassin is scoring the message then you need to fix your Trust Path. See http://wiki.apache.org/spamassassin/TrustPath Kind regards, Steve. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From rob at poeweb.com Fri Jan 28 06:16:12 2011 From: rob at poeweb.com (Rob Poe) Date: Fri Jan 28 06:16:54 2011 Subject: Mailscanner In-Reply-To: <3EE792B6-9AEE-4B9A-885B-AB5D03E792BF@fsl.com> References: <4D41CEB1.709@poeweb.com> <3EE792B6-9AEE-4B9A-885B-AB5D03E792BF@fsl.com> Message-ID: <000101cbbeb2$dcaf6750$960e35f0$@poeweb.com> Implemented these as well as the SpamAssassin trust. Thank you! -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Stephen Swaney Sent: Thursday, January 27, 2011 2:26 PM To: MailScanner discussion Subject: Re: Mailscanner I assume that you mean that you don't want Mailscanner to scan for anything except viruses. If so, you need to setup rulesets in Mailscanner.conf for: Use Spamassassin = Dangerous Content Scanning = Filename Rules = Filetype Rules = That exempt messages originating from the IP of the mail hub from using these tests. I believe the Mailscanner List Archives has more specific instructions. Best regards, Steve -- Steve Swaney steve@fsl.com 202 595-7760 ext: 601 www.fsl.com The most accurate and cost effective anti-spam solutions available On Jan 27, 2011, at 3:59 PM, Rob Poe wrote: > One of my users has a Sprint cell phone, and sends messages by authenticating (SMTP/POP) to our corporate messaging. > > He sends out an email to someone outside the org, and SpamAssassin is catching it and scoring it because it's on the BRBL (the Sprint IP pool) and that's in the header. > > I'd rather NOT scan any email that comes from my trusted MTA (the corporate messaging system). > > How would I accomplish that (i.e. whitelist any email from a certain MTA ip). > > r > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From lmachite at dir.iai.int Sat Jan 29 01:53:23 2011 
From: lmachite at dir.iai.int (Luis Marcelo Achite) Date: Sat Jan 29 01:53:44 2011 Subject: Strange situation Message-ID: <4D437313.1080807@dir.iai.int> Hi, I have mailscanner configured with spamassassin and two anti-virus software. Some messages arriving are being classified as spam, but the strange part is the subject is changed for something like "{Spam not delivered}{Spam not delivered}{Spam not delivered}..." for several lines. Looks like that there is a loop cycle. Anybody from the group know why this is happening. Thanks for any info regard this problem. Marcelo -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maxsec at gmail.com Sat Jan 29 10:43:38 2011 
From: maxsec at gmail.com (Martin Hepworth) Date: Sat Jan 29 10:43:47 2011 Subject: Strange situation In-Reply-To: <4D437313.1080807@dir.iai.int> References: <4D437313.1080807@dir.iai.int> Message-ID: What do the mailScanner logs say for these messages? Also if you can identify a message you can may be run one of these messages in debug mode if you're archiving the emails as queue files. -- Martin Hepworth Oxford, UK On 29 January 2011 01:53, Luis Marcelo Achite wrote: > Hi, > I have mailscanner configured with spamassassin and two anti-virus > software. Some messages arriving are being classified as spam, but the > strange part is the subject is changed for something like "{Spam not > delivered}{Spam not delivered}{Spam not delivered}..." for several lines. > Looks like that there is a loop cycle. Anybody from the group know why this > is happening. > Thanks for any info regard this problem. > Marcelo > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110129/fbac2c58/attachment.html From MailScanner at ecs.soton.ac.uk Sun Jan 30 12:51:23 2011 
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Jan 30 12:51:43 2011
Subject: New beta release
References: <4D455ECB.3060407@ecs.soton.ac.uk>
Message-ID:

I have just released 4.82.4 beta, which contains a few more bug-fixes and 1 or 2 minor feature improvements.

Download as usual from www.mailscanner.info where you will also find the Change Log detailing the changes in this release.

While you're on teh interwebs, take a look at my other little project, "ZendTo" which is also totally free and you may find it a very useful way of getting files in and out of your organisation!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
'All programs have a desire to be useful' - Tron, 1982

From postal.janitor at gmail.com Mon Jan 31 19:13:05 2011
From: postal.janitor at gmail.com (Adam Laye)
Date: Mon Jan 31 19:13:14 2011
Subject: Fedora 12 MailScanner 477.10 RBL checks Not working
Message-ID:

Fedora 12
MailScanner 4.77.10
SpamAssassin 3.2.5
Postfix 2.6.2

I have scoured Google and mailing list archives but cannot pinpoint the issue. I believe MailScanner should be checking RBLs, but I can find no reference to them in my log files. Additionally, servers that are clearly listed are able to send to my servers.

MailScanner config

%etc-dir% = /etc/MailScanner
%report-dir% = /etc/MailScanner/reports/en
%rules-dir% = /etc/MailScanner/rules
Spam List Definitions =%etc-dir%/spam.lists.conf ( I have also tried using the direct path)
Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
Spam Checks = yes
Spam List = SORBS-DNSBL SORBS-HTTP SORBS-SOCKS SORBS-MISC SORBS-SMTP SORBS-WEB SORBS-SPAM SORBS-BLOCK SORBS-ZOMBIE SORBS-DUL SORBS-RHSBL
Spam Domain List = SORBS-BADCONF SORBS-NOMAIL
Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 3
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
Is Definitely Spam = %rules-dir%/spam.blacklist.rules
Read IP Address From Received Header = 2

MailScanner rocks! Thank you for any assistance you can offer. Please let me know if additional info should be posted.

Adam

From maxsec at gmail.com Mon Jan 31 20:11:45 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Jan 31 20:11:55 2011
Subject: Fedora 12 MailScanner 477.10 RBL checks Not working
In-Reply-To:
References:
Message-ID:

Hi

What do the logs say about those emails?

Also worth checking the whitelist isn't letting the emails through.

If you have a look on the wiki, there are some settings you can turn on so you can put a lot more spam info into the headers after you've processed the email, which can help track down the issue.

I guess that's not the whole .conf file but just some relevant sections?

Martin

On Monday, 31 January 2011, Adam Laye wrote:
> Fedora 12
> MailScanner 4.77.10
> SpamAssassin 3.2.5
> Postfix 2.6.2
>
> I have scoured Google and mailing list archives but cannot pinpoint the issue. I believe MailScanner should be checking RBLs, but I can find no reference to them in my log files. Additionally, servers that are clearly listed are able to send to my servers.
>
> MailScanner config
>
> %etc-dir% = /etc/MailScanner
> %report-dir% = /etc/MailScanner/reports/en
> %rules-dir% = /etc/MailScanner/rules
> Spam List Definitions =%etc-dir%/spam.lists.conf ( I have also tried using the direct path)
> Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
> Spam Checks = yes
> Spam List = SORBS-DNSBL SORBS-HTTP SORBS-SOCKS SORBS-MISC SORBS-SMTP SORBS-WEB SORBS-SPAM SORBS-BLOCK SORBS-ZOMBIE SORBS-DUL SORBS-RHSBL
> Spam Domain List = SORBS-BADCONF SORBS-NOMAIL
> Spam Lists To Be Spam = 1
> Spam Lists To Reach High Score = 3
> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
> Is Definitely Spam = %rules-dir%/spam.blacklist.rules
> Read IP Address From Received Header = 2
>
> MailScanner rocks! Thank you for any assistance you can offer. Please let me know if additional info should be posted.
>
> Adam

--
Martin Hepworth
Oxford, UK
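
Added example, not part of the thread and not MailScanner's own code: a Python check for the configuration Adam quotes, listing the Spam List and Spam Domain List names that have no entry in spam.lists.conf and building the DNS name a listed IP would be looked up under. The one-entry-per-line "name zone" layout, the example.net zones, the lowercase key matching and the address 192.0.2.99 are assumptions made for the illustration.

```python
import re

# Constructed sample: settings quoted in the post (Spam List shortened).
MAILSCANNER_CONF = """\
%etc-dir% = /etc/MailScanner
Spam List Definitions =%etc-dir%/spam.lists.conf
Spam List = SORBS-DNSBL SORBS-HTTP SORBS-SOCKS
Spam Domain List = SORBS-BADCONF SORBS-NOMAIL
"""
# Constructed sample: assumed "<name> <zone>" layout, placeholder zones.
SPAM_LISTS_CONF = """\
SORBS-DNSBL    dnsbl.example.net.
SORBS-HTTP     http.dnsbl.example.net.
SORBS-BADCONF  badconf.rhsbl.example.net.
"""

def parse_conf(text):
    """Return {lowercased key: value} with %macro% references expanded."""
    macros, settings = {}, {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        value = re.sub(r"%[\w-]+%", lambda m: macros.get(m.group(0).lower(), m.group(0)), value.strip())
        # "%name% = value" lines define macros; everything else is a setting.
        target = macros if re.fullmatch(r"%[\w-]+%", key) else settings
        target[key] = value
    return settings

def parse_spam_lists(text):
    """Return {list name: DNS zone} from spam.lists.conf text."""
    zones = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            zones[fields[0]] = fields[1].rstrip(".")
    return zones

def undefined_lists(settings, zones):
    """Names in Spam List / Spam Domain List that have no definition (exact match)."""
    used = (settings.get("spam list", "") + " " + settings.get("spam domain list", "")).split()
    return [name for name in used if name not in zones]

def dnsbl_query_name(ipv4, zone):
    """Name an IP-based list is queried for: reversed octets, then the zone."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone

if __name__ == "__main__":
    conf, zones = parse_conf(MAILSCANNER_CONF), parse_spam_lists(SPAM_LISTS_CONF)
    print(conf["spam list definitions"], undefined_lists(conf, zones), dnsbl_query_name("192.0.2.99", zones["SORBS-DNSBL"]))
```

Resolving the printed query name by hand from the MailScanner host shows whether the list answers that resolver at all, independently of what MailScanner logs.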