MS Doesn't completely block spam with faulty attachments

Glenn Steen glenn.steen at gmail.com
Fri Sep 16 17:18:54 IST 2011


Short prose, since from phone:
Old problem variant (gmane old ml archive for sa timeouts, bayes expiry
etc). I set that t/o even higher... It's there in ms to detect hangs, and is
by default way too low.

Cheers!
On 16 Sep 2011 17:07, "Joolee" <mailscanner at joolee.nl> wrote:
> I've found out what the problem is. It wasn't because MailScanner doesn't
> run the message through SpamAssassin when there is an attachment error,
> because it actually does. (Maybe someone can still add an option to skip
> extra checks when a file name rule is hit, for Glenn Steen who thinks of it
> as "not a problem, it's a feature... And a much needed one at that!")
>
> The problem is that MailScanner throws a timeout when SpamAssassin is run
> and sets the score to 0.0. Now the mail is recognized as having "Bad
> Content", but because the spam score is 0, the mail gets cleaned, a warning
> is added and the mail is forwarded to the recipient.
>
> As for the SpamAssassin timeout, I think this is caused by the headers that
> identify one of the attachments in the mails.
>
> This is:
>
>>
>> ------=_NextPart_000_0006_01CC51AC.63F30F00
>> Content-Type: ;
>> name="report_1609.pdf.zip"
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment;
>> filename="report_1609.pdf.zip"
>>
>
> I think that because of the empty "Content-Type" header, the attachment is
> decoded and used for Bayesian learning. This takes somewhere between 90 and
> 200 seconds, exceeding the timeout configured in MailScanner (I already
> changed that to 150 seconds, but a batch of 25 mails can now effectively stop
> message processing for more than an hour and some messages get through).
>
> I've come to this conclusion because when running a manual SpamAssassin scan
> on a message, the following lines are very time consuming:
>
>> Sep 16 15:07:12.279 [8264] dbg: bayes: Using userid: 1 0.0004
>> Sep 16 15:08:48.746 [8264] dbg: bayes: seen
>> (bf76e190b8121487c91051758a402dd20b18eaa6 at sa_generated) put
>> 96.46636
>>
> While that only takes +-4 ms for other mails.
>
> When I run sa-learn manually, the timeout is seen in the following lines:
>
>> Sep 16 15:34:12.786 [18308] dbg: message: decoding base64
>> Forgot tokens from 1 message(s) (1 message(s) examined)
>> Sep 16 15:35:49.764 [18308] dbg: plugin:
>> Mail::SpamAssassin::Plugin::Bayes=HASH(0x3891ba0) implements
>> 'learner_close', priority 0
>>
>
> I'll file a bug report for SpamAssassin. In the meantime, I'll just set the
> timeout to 300 seconds and keep an eye on the MailScanner queue with collectd,
> or disable autolearning altogether.
>
> On 2 September 2011 14:58, Rick Cooper <rcooper at dwford.com> wrote:
>
>> ------------------------------
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:
>> mailscanner-bounces at lists.mailscanner.info] On Behalf Of Joolee
>> Sent: Friday, September 02, 2011 6:20 AM
>> To: MailScanner discussion
>> Subject: Re: MS Doesn't completely block spam with faulty attachments
>>
>> A feature that I would like to be able to disable ;)
>>
>> "Why would you want to spend precious resources on a meaningless check,
>> when you already decided to stop the offending attachment?!"
>> To inform my paying user why the contract he's been waiting for was
>> blocked.
>>
>> I think I already made quite clear why it's not an option for me to
>> completely block them. I can't see why other users can't be bothered by it,
>> maybe they just accept that they can't solve it? (Not my way of handling
>> problems)
>> [Rick Cooper]
>>
>> Seems like you need to modify your multiple extension rules to include
>> dangerous extensions and ignore the rest. For instance, a rule like
>> /\.(exe|com|bat|vbs)\..+$/
>>
>> would allow "something.good.doc.pdf" but would catch
>> "something.bad.doc.exe.pdf". Of course you would want (exe|vbs|com|bat) to
>> include extensions that you feel should be blocked in the multiple extension
>> rule. I had to change mine long ago because there are a *lot* of people who
>> create file names like "something.good.09.01.2011.doc". The default rules
>> are there for out of the box functionality, but you can modify them as
>> required for your given situation, and clearly you need to pass multiple
>> extensions that are not likely to be malware. With MailScanner you can
>> generally solve any issues without accepting the default rules or asking
>> for something else to be added either. There has been discussion in the past
>> regarding being able to define the order in which the processing events take
>> place, but this would require a HUGE change in the core of MailScanner, and
>> Julian does have a job that puts food on the table. Unless MailScanner
>> evolves into a programming team or group, that is not likely to ever happen.
>>
>> On 1 September 2011 23:07, Glenn Steen <glenn.steen at gmail.com> wrote:
>>
>>> That's not a problem, it's a feature... And a much needed one at that!
>>> Why would you want to spend precious resources on a meaningless check,
>>> when you already decided to stop the offending attachment?!
>>> Don't deliver it at all, if it bothers you ;-)
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> On 1 Sep 2011 19:12, "Joolee" <mailscanner at joolee.nl> wrote:
>>>
>>> > The problem with the current spam is that they're blocked for containing
>>> > exe files, not double file extensions (although they would've hit that
>>> > one if exe's were not blocked).
>>> >
>>> > The only quick temporary solution is to disable all file-name validation,
>>> > because this can occur with more than just exe files and double
>>> > extensions. This is no final solution though.
>>> >
>>> > On 1 September 2011 18:40, Kevin Miller <Kevin_Miller at ci.juneau.ak.us>
>>> > wrote:
>>> >
>>> >> Easiest thing to do in that case is to comment out the line in
>>> >> filename.rules.conf that disallows double extensions. The message will
>>> >> be accepted as normal and go through the additional tests (is it an
>>> >> executable, is it a virus, is it spam, etc.)
>>> >>
>>> >> ...Kevin
>>> >> --
>>> >> Kevin Miller                  Registered Linux User No: 307357
>>> >> CBJ MIS Dept.                 Network Systems Admin., Mail Admin.
>>> >> 155 South Seward Street       ph: (907) 586-0242
>>> >> Juneau, Alaska 99801          fax: (907) 586-4500
>>> >>
>>> >> ------------------------------
>>> >> From: mailscanner-bounces at lists.mailscanner.info [mailto:
>>> >> mailscanner-bounces at lists.mailscanner.info] On Behalf Of Joolee
>>> >> Sent: Thursday, September 01, 2011 7:32 AM
>>> >> To: MailScanner discussion
>>> >> Subject: Re: MS Doesn't completely block spam with faulty attachments
>>> >>
>>> >> I agree that it isn't a good idea to notify the sender of a spam or
>>> >> virus message. I'm not planning to do that; I know the troubles of
>>> >> backscatter.
>>> >>
>>> >> What I've configured is that if a user sends a completely normal
>>> >> (non-virus, non-spam) E-mail but with, for instance, a file named
>>> >> "CurriculumVitae.doc.pdf" (default output for a lot of PDF printers),
>>> >> the server sends out a warning to the sender and the original message,
>>> >> stripped of its attachment, to the recipient of the message. Notifying
>>> >> the sender is not strictly necessary, but if this is only done for such
>>> >> non-virus, non-spam messages, it isn't a problem either.
>>> >>
>>> >> The situation that bugs me is when some spam message with a file named
>>> >> "CurriculumVitae.doc.pdf" is received. The message hits the filename
>>> >> rule and *isn't processed any further to check if it's a spam message*.
>>> >> Because it isn't processed any further, the warning messages are sent
>>> >> out to both sender and original recipient.
>>> >>
>>> >> As I stated before, I can disable the sender notification. What I can't
>>> >> do is tell my customers (the recipients) that such wrongly named files,
>>> >> most containing important documents, are silently discarded. Sending
>>> >> spam to my customers that could have been recognized isn't an option
>>> >> either.
>>> >>
>>> >> The simplest solution, I think, would be to *continue processing* the
>>> >> message after a file name rule is hit, decide if the E-mail is HAM and
>>> >> in that case send out the notifications. If the E-mail is spam,
>>> >> silently discard it.
>>> >> It would add a bit of load to the server, but stopping spam is what
>>> >> it's all about, isn't it? :P
>>> >>
>>> >> On 1 September 2011 16:34, Julian Field <MailScanner at ecs.soton.ac.uk>
>>> >> wrote:
>>> >>
>>> >>> He's probably switched on some "Notify Senders" options. Bad idea :-(
>>> >>>
>>> >>> On 01/09/2011 12:32, Martin Hepworth wrote:
>>> >>>
>>> >>>> what version of MS?
>>> >>>>
>>> >>>> I never inform the sender of junk as you end up with fake messages
>>> >>>> sent out.
>>> >>>>
>>> >>>> --
>>> >>>> Martin Hepworth
>>> >>>> Oxford, UK
>>> >>>>
>>> >>>> On 1 September 2011 08:17, Joolee <mailscanner at joolee.nl> wrote:
>>> >>>>
>>> >>>> Hello Everybody,
>>> >>>> I've experienced a small flood of virus E-mails. These E-mails
>>> >>>> (subj.: "ACH Payment *random number* Canceled") contain
>>> >>>> attachments named like: "report_082011-65.pdf.exe"
>>> >>>> They obviously get blocked by the "no executables" and "No double
>>> >>>> file extensions" rules. The problem is that after blocking them,
>>> >>>> an automated E-mail is sent to the original recipient and the
>>> >>>> (faked) sender of the message, informing them of the blocked
>>> >>>> attachment.
>>> >>>>
>>> >>>> Had the E-mails been processed further, they would've probably hit
>>> >>>> the virus scanner (not tested) or SpamAssassin (gives a score of 27
>>> >>>> when tested) and the E-mail would've silently been discarded as a
>>> >>>> virus / spam / phishing.
>>> >>>>
>>> >>>> Is it possible to let MailScanner continue its processing
>>> >>>> when hitting the file name rules and / or running the filename
>>> >>>> rule at a later time?
>>> >>>> --
>>> >>>> MailScanner mailing list
>>> >>>> mailscanner at lists.mailscanner.info
>>> >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>> >>>>
>>> >>>> Before posting, read http://wiki.mailscanner.info/posting
>>> >>>>
>>> >>>> Support MailScanner development - buy the book off the website!
>>> >>>>
>>> >>>> Jules
>>> >>>>
>>> >>>> --
>>> >>>> Julian Field MEng CITP CEng
>>> >>>> www.MailScanner.info
>>> >>>>
>>> >>>> Buy the MailScanner book at www.MailScanner.info/store
>>> >>>> Need help customising MailScanner? Contact me!
>>> >>>>
>>> >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>> >>>> Follow me at twitter.com/JulesFM
>>> >>>>
>>> >>>> 'It's okay to live without all the answers' - Charlie Eppes, 2011
>>> >>>> 'All programs have a desire to be useful' - Tron, 1982
>>> >>>>
>>> >>>
>>> >>> --
>>> >>> This message has been scanned for viruses and
>>> >>> dangerous content by MailScanner, and is
>>> >>> believed to be clean.
>>> >>>
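Two points from the thread can be checked in a few lines: Joolee's observation that the suspect attachment carries a Content-Type header with no media type (only a name= parameter), and Rick Cooper's narrowed multiple-extension rule that blocks a dangerous inner extension but lets "something.good.doc.pdf" through. The script below is an added example and is not code from the thread, MailScanner or SpamAssassin. It parses a constructed message built around the attachment headers quoted above (the base64 body is a placeholder, not a real archive), reports each attachment's declared type, the text/plain fallback Python's email parser applies when the type is missing, and the decoded size, and then applies three constructed filename rules: a final-executable rule, Rick's inner-extension regex, and an approximation of a blanket double-extension rule (the real filename.rules.conf syntax is not reproduced). Function and rule names are this example's own.

```python
import base64
import email
import re

# Constructed sample message (not the spam from the thread). The attachment part
# reproduces the quoted headers: a Content-Type with a parameter but no media type.
SAMPLE_MESSAGE = b"\n".join([
    b"From: sender@example.invalid",
    b"To: recipient@example.invalid",
    b"Subject: report",
    b"MIME-Version: 1.0",
    b"Content-Type: multipart/mixed;",
    b' boundary="----=_NextPart_000_0006_01CC51AC.63F30F00"',
    b"",
    b"------=_NextPart_000_0006_01CC51AC.63F30F00",
    b'Content-Type: text/plain; charset="us-ascii"',
    b"",
    b"Please find the report attached.",
    b"",
    b"------=_NextPart_000_0006_01CC51AC.63F30F00",
    b"Content-Type: ;",
    b' name="report_1609.pdf.zip"',
    b"Content-Transfer-Encoding: base64",
    b"Content-Disposition: attachment;",
    b' filename="report_1609.pdf.zip"',
    b"",
    base64.b64encode(b"placeholder bytes, not a real archive"),  # constructed payload
    b"",
    b"------=_NextPart_000_0006_01CC51AC.63F30F00--",
    b"",
])

# Constructed rules. DANGEROUS_INNER_EXT is the regex Rick Cooper posted; the other
# two approximate the "no executables" and blanket "no double extensions" ideas.
EXECUTABLE_EXT = re.compile(r"\.(exe|com|bat|vbs)$", re.IGNORECASE)
DANGEROUS_INNER_EXT = re.compile(r"\.(exe|com|bat|vbs)\..+$", re.IGNORECASE)
ANY_DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]{2,4}\.[A-Za-z0-9]{2,4}$")


def classify_filename(name, block_all_double_extensions=False):
    """Return 'allow' or a 'block: <reason>' verdict for an attachment name."""
    if EXECUTABLE_EXT.search(name):
        return "block: executable extension"
    if DANGEROUS_INNER_EXT.search(name):
        return "block: dangerous inner extension"
    if block_all_double_extensions and ANY_DOUBLE_EXT.search(name):
        return "block: double extension"
    return "allow"


def inspect_message(raw_bytes):
    """Parse a raw message and describe every attachment part it carries."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            continue  # inline body text, not an attachment
        raw_ctype = part.get("Content-Type", "")
        # The media type is whatever precedes the first ';' (empty in the bad case).
        declared_type = raw_ctype.split(";", 1)[0].strip()
        payload = part.get_payload(decode=True) or b""  # base64-decoded bytes
        findings.append({
            "filename": filename,
            "declared_type": declared_type,
            "empty_content_type": declared_type == "",
            "parser_fallback_type": part.get_content_type(),
            "decoded_bytes": len(payload),
            "filename_rule": classify_filename(filename),
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_MESSAGE):
        print(finding)
    for name in ["something.good.doc.pdf", "something.bad.doc.exe.pdf",
                 "report_082011-65.pdf.exe", "something.good.09.01.2011.doc"]:
        print(name, "->", classify_filename(name), "| strict:",
              classify_filename(name, block_all_double_extensions=True))
```

Run as-is, the attachment is reported with an empty declared type and a text/plain fallback, which is the kind of malformed part an administrator would want logged when hunting for messages that push SpamAssassin past MailScanner's timeout. The strict flag shows the trade-off Rick describes: the blanket rule also blocks "something.good.09.01.2011.doc", while the narrowed rule only stops names with an executable extension buried before the last one.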