MS Doesn't completely block spam with faulty attachments

Joolee mailscanner at joolee.nl
Fri Sep 16 16:00:30 IST 2011


I've found out what the problem is. It wasn't because MailScanner doesn't
run the message through SpamAssassin when there is an attachment error,
because it actually does. (Maybe someone can still add an option to skip
extra checks when a file name rule is hit, for Glenn Steen who thinks of it
as "not a problem, it's a feature... And a much needed one at that!")

The problem is that MailScanner throws a timeout when SpamAssassin is run
and sets the score to 0.0. Now the mail is recognized as having "Bad Content",
but because the spam score is 0, the mail gets cleaned, a warning is added
and the mail is forwarded to the recipient.

As for the SpamAssassin timeout, I think this is caused by the headers that
identify one of the attachments in the mails.

This is:

>     ------=_NextPart_000_0006_01CC51AC.63F30F00
>     Content-Type: ;
>             name="report_1609.pdf.zip"
>     Content-Transfer-Encoding: base64
>     Content-Disposition: attachment;
>             filename="report_1609.pdf.zip"

I think that because of the empty "Content-Type" header, the attachment is
decoded and used for Bayesian learning. This takes somewhere between 90 and
200 seconds, exceeding the timeout configured in MailScanner. (I already
changed that to 150 seconds, but a batch of 25 mails can now effectively stop
message processing for more than an hour, and some messages get through.)

I've come to this conclusion because when running a manual SpamAssassin scan
on a message, the following lines are very time consuming:

> Sep 16 15:07:12.279 [8264] dbg: bayes: Using userid: 1 0.0004
> Sep 16 15:08:48.746 [8264] dbg: bayes: seen
> (bf76e190b8121487c91051758a402dd20b18eaa6 at sa_generated) put
> 96.46636

For other mails that only takes +-4 ms.

When I run sa-learn manually, the timeout is seen in the following lines:

> Sep 16 15:34:12.786 [18308] dbg: message: decoding base64
> Forgot tokens from 1 message(s) (1 message(s) examined)
> Sep 16 15:35:49.764 [18308] dbg: plugin:
> Mail::SpamAssassin::Plugin::Bayes=HASH(0x3891ba0) implements
> 'learner_close', priority 0

I'll file a bug report for SpamAssassin. In the meantime, I'll just set the
timeout to 300 seconds and keep an eye on the MailScanner queue with collectd,
or disable autolearning altogether.

On 2 September 2011 14:58, Rick Cooper <rcooper at dwford.com> wrote:

>  ------------------------------
> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Joolee
> *Sent:* Friday, September 02, 2011 6:20 AM
>
> *To:* MailScanner discussion
> *Subject:* Re: MS Doesn't completely block spam with faulty attachments
>
> A feature that I would like to be able to disable ;)
>
> "Why would you want to spend precious resources on a meaningless check,
> when you already decided to stop the offending attachment?!"
> To inform my paying user why the contract he's been waiting for was
> blocked.
>
> I think I already made quite clear why it's not an option for me to
> completely block them. I can't see why other users can't be bothered by it,
> maybe they just accept that they can't solve it? (Not my way of handling
> problems)
> [Rick Cooper]
>
>
> Seems like you need to modify your multiple extension rules to include
> dangerous extensions and ignore the rest. For instance, a rule like
> /\.(exe|com|bat|vbs)\..+$/
>
> would allow "something.good.doc.pdf" but would catch
> "something.bad.doc.exe.pdf". Of course you would want (exe|vbs|com|bat) to
> include extensions that you feel should be blocked in the multiple extension
> rule. I had to change mine long ago because there are a *lot* of people who
> create file names like "something.good.09.01.2011.doc". The default rules
> are there for out-of-the-box functionality, but you can modify them as
> required for your given situation, and clearly you need to pass multiple
> extensions that are not likely to be malware. With MailScanner you can
> generally solve any issues without accepting the default rules or asking
> for something else to be added either. There has been discussion in the past
> regarding being able to define the order in which the processing events take
> place, but this would require a HUGE change in the core of MailScanner, and
> Julian does have a job that puts food on the table. Unless MailScanner
> evolves into a programming team or group, that is not likely to ever happen.
>
>
> On 1 September 2011 23:07, Glenn Steen <glenn.steen at gmail.com> wrote:
>
>> That's not a problem, it's a feature... And a much needed one at that!
>> Why would you want to spend precious resources on a meaningless check,
>> when you already decided to stop the offending attachment?!
>> Don't deliver it at all, if it bothers you;-)
>>
>> Cheers
>> --
>> -- Glenn
>> Den 1 sep 2011 19:12 skrev "Joolee" <mailscanner at joolee.nl>:
>>
>> > The problem with the current spam is that they're blocked for containing
>> > exe files, not double file extensions (although they would've hit that one
>> > if exe's were not blocked).
>> >
>> > The only quick temporary solution is to disable all file-name validation,
>> > because this can occur with more than just exe files and double
>> > extensions. This is no final solution though.
>> >
>> > On 1 September 2011 18:40, Kevin Miller <Kevin_Miller at ci.juneau.ak.us>
>> > wrote:
>> >
>> >> Easiest thing to do in that case is to comment out the line in
>> >> filename.rules.conf that disallows double extensions. The message will
>> >> be accepted as normal and go through the additional tests (is it an
>> >> executable, is it a virus, is it spam, etc.)
>> >>
>> >>
>> >> ...Kevin
>> >> --
>> >> Kevin Miller Registered Linux User No: 307357
>> >> CBJ MIS Dept. Network Systems Admin., Mail Admin.
>> >> 155 South Seward Street ph: (907) 586-0242
>> >> Juneau, Alaska 99801 fax: (907) 586-4500
>> >>
>> >>
>> >> ------------------------------
>> >> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
>> >> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Joolee
>> >> *Sent:* Thursday, September 01, 2011 7:32 AM
>> >> *To:* MailScanner discussion
>> >> *Subject:* Re: MS Doesn't completely block spam with faulty attachments
>> >>
>> >> I agree that it isn't a good idea to notify the sender of a spam or
>> >> virus message. I'm not planning to do that, I know the troubles of
>> >> backscatter.
>> >>
>> >> What I've configured is that if a user sends a completely normal
>> >> (non-virus, non-spam) E-mail but with, for instance, a file named
>> >> "CurriculumVitae.doc.pdf" (default output for a lot of PDF printers), the
>> >> server sends out a warning to the sender and the original message stripped
>> >> of its attachment to the recipient of the message. Notifying the sender is
>> >> not strictly necessary, but if this is only done for such non-virus,
>> >> non-spam messages, it isn't a problem either.
>> >>
>> >> The situation that bugs me is when some spam message with a file named
>> >> "CurriculumVitae.doc.pdf" is received. The message hits the filename rule
>> >> and *isn't processed any further to check if it's a spam message*.
>> >> Because it isn't processed any further, the warning messages are sent out
>> >> to both sender and original recipient.
>> >>
>> >> As I stated before, I can disable the sender notification. What I can't
>> >> do is tell my customers (the recipients) that such wrongly named files,
>> >> most containing important documents, are silently discarded. Sending spam
>> >> to my customers that could have been recognized isn't an option either.
>> >>
>> >> The simplest solution, I think, would be to *continue processing* the
>> >> message after a file name rule is hit, decide if the E-mail is HAM and in
>> >> that case send out the notifications. If the E-mail is spam, silently
>> >> discard it.
>> >> It would add a bit of load to the server, but stopping spam is what it's
>> >> all about, isn't it? :P
>> >>
>> >> On 1 September 2011 16:34, Julian Field <MailScanner at ecs.soton.ac.uk>
>> >> wrote:
>> >>
>> >>> He's probably switched on some "Notify Senders" options. Bad idea :-(
>> >>>
>> >>>
>> >>> On 01/09/2011 12:32, Martin Hepworth wrote:
>> >>>
>> >>>> What version of MS?
>> >>>>
>> >>>> I never inform the sender of junk as you end up with fake messages
>> >>>> sent out.
>> >>>>
>> >>>> --
>> >>>> Martin Hepworth
>> >>>> Oxford, UK
>> >>>>
>> >>>>
>> >>>> On 1 September 2011 08:17, Joolee <mailscanner at joolee.nl> wrote:
>> >>>>
>> >>>> Hello Everybody,
>> >>>>
>> >>>> I've experienced a small flood of virus E-mails. These E-mails
>> >>>> (subj.: "ACH Payment *random number* Canceled") contain
>> >>>> attachments named like: "report_082011-65.pdf.exe"
>> >>>> They obviously get blocked by the "no executables" and "No double
>> >>>> file extensions" rules. The problem is that after blocking them,
>> >>>> an automated E-mail is sent to the original recipient and the
>> >>>> (faked) sender of the message, informing them of the blocked
>> >>>> attachment.
>> >>>>
>> >>>> Had the E-mails been processed further, they would've probably hit
>> >>>> the virus scanner (not tested) or SpamAssassin (gives a score of 27
>> >>>> when tested) and the E-mail would've silently been discarded as a
>> >>>> virus / spam / phishing.
>> >>>>
>> >>>> Is it possible to let MailScanner continue its processing
>> >>>> when hitting the file name rules and / or run the filename
>> >>>> rule at a later time?
>> >>>> --
>> >>>> MailScanner mailing list
>> >>>> mailscanner at lists.mailscanner.info
>> >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >>>>
>> >>>> Before posting, read http://wiki.mailscanner.info/posting
>> >>>>
>> >>>> Support MailScanner development - buy the book off the website!
>> >>>>
>> >>>> Jules
>> >>>>
>> >>>> --
>> >>>> Julian Field MEng CITP CEng
>> >>>> www.MailScanner.info
>> >>>>
>> >>>> Buy the MailScanner book at www.MailScanner.info/store
>> >>>> Need help customising MailScanner? Contact me!
>> >>>>
>> >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> >>>> Follow me at twitter.com/JulesFM
>> >>>>
>> >>>> 'It's okay to live without all the answers' - Charlie Eppes, 2011
>> >>>> 'All programs have a desire to be useful' - Tron, 1982
>> >>>>
>> >>>
>> >>
>> >>
>>
>
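Added example, not code from this thread or from MailScanner/SpamAssassin: it parses a constructed message modelled on the typeless attachment part Joolee quoted and applies Rick Cooper's multiple-extension rule, showing that Python's stdlib MIME parser quietly reports the part as text/plain, so a filter that trusts the parsed type never sees the anomaly. The sample message, the EXEC_RULE stand-in for the "no executables" rule and the case-insensitive matching are assumptions.

```python
import email
import re
from email import policy

# Constructed sample (not from the thread), modelled on the malformed part
# Joolee quoted: empty Content-Type, base64 body (dummy bytes here).
SAMPLE = b"""\
From: sender@example.invalid
Subject: ACH Payment 12345 Canceled
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY_CONSTRUCTED"

--BOUNDARY_CONSTRUCTED
Content-Type: ;
\tname="report_1609.pdf.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
\tfilename="report_1609.pdf.zip"

QUJDREVGR0g=
--BOUNDARY_CONSTRUCTED--
"""

# Rick Cooper's rule from the thread; EXEC_RULE is an assumed stand-in for
# MailScanner's "no executables" rule. Both are applied case-insensitively.
MULTI_EXT_RULE = re.compile(r"\.(exe|com|bat|vbs)\..+$", re.IGNORECASE)
EXEC_RULE = re.compile(r"\.(exe|com|bat|vbs)$", re.IGNORECASE)

def filename_findings(name: str) -> list:
    # Name every filename rule the attachment name would trip.
    findings = []
    if EXEC_RULE.search(name):
        findings.append("executable-extension")
    if MULTI_EXT_RULE.search(name):
        findings.append("dangerous-multiple-extension")
    return findings

def check_message(raw: bytes) -> list:
    # Return (filename, parsed content type, findings) per attachment part.
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        findings = filename_findings(name)
        # The parser falls back to text/plain when the header carries no
        # type/subtype, so inspect the raw header text, not the parsed value.
        ctype_text = str(part.get("Content-Type", "")).partition(";")[0]
        if "/" not in ctype_text:
            findings.append("empty-or-malformed-content-type")
        results.append((name, part.get_content_type(), findings))
    return results
```

Logging the raw header alongside the parsed type is what makes a part like this stand out in a queue review, since the parsed type alone looks harmless.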