From Johan at double-l.nl Wed Jul 4 11:31:25 2012
From: Johan at double-l.nl (Johan Hendriks)
Date: Wed, 4 Jul 2012 10:31:25 +0000
Subject: tnef leftovers in /var/spool/postfix/hold.
Message-ID: <23D04C868D0C0349AAF928DCEE9C62E806C9FFCC@SRV01.neuteboom.local>

Hello all.

My system seems to unpack the tnef files in the hold dir from postfix.
Is there a way I can tell the system to do it in /var/spool/MailScanner/incoming.
I have all these messages.

Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefzUwzPu: uid 100: not a regular file
Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef6tMSaE: uid 100: not a regular file
Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefDVEwIz: uid 100: not a regular file
Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef5rx4X7: uid 100: not a regular file
Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefATGL1A: uid 100: not a regular file
Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefas99Jg: uid 100: not a regular file
Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefu8KzxG: uid 100: not a regular file
Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefbMU6hy: uid 100: not a regular file
Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef4IxytK: uid 100: not a regular file
Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefzeaRuQ: uid 100: not a regular file

Thank you for your time
regards
Johan Hendriks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120704/bcf12f13/attachment.html

From lnhaig at gmail.com Sat Jul 14 18:23:21 2012
From: lnhaig at gmail.com (Lance.Haig)
Date: Sat, 14 Jul 2012 18:23:21 +0100
Subject: Howto guide?
Message-ID: <5001AB09.7070701@gmail.com>

Hi All,

I have not installed an MS server for a long time and I was wondering if
any of you know of a server install guide I could use that will help
with the install of an MS server with postfix and the new mailwatch.

I would want to try keep clear of the normal install method as I hit
perl hell with my old system.

Any help would be appreciated.

Thanks

Lance

From MailScanner at ecs.soton.ac.uk Mon Jul 16 09:48:53 2012
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon, 16 Jul 2012 09:48:53 +0100
Subject: Test post
References: <5003D575.3050001@ecs.soton.ac.uk>
Message-ID:

Does this get through?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From lhaig at haigmail.com Mon Jul 16 11:40:28 2012
From: lhaig at haigmail.com (Lance Haig)
Date: Mon, 16 Jul 2012 11:40:28 +0100
Subject: Howto guide?
In-Reply-To: <5001AB09.7070701@gmail.com>
References: <5001AB09.7070701@gmail.com>
Message-ID: <5003EF9C.6080807@haigmail.com>

Looks like my mail has come through :-)

Please ignore this mail

Lance

On 14/07/12 18:23, Lance.Haig wrote:
> Hi All,
>
> I have not installed an MS server for a long time and I was wondering if
> any of you know of a server install guide I could use that will help
> with the install of an MS server with postfix and the new mailwatch.
>
> I would want to try keep clear of the normal install method as I hit
> perl hell with my old system.
>
> Any help would be appreciated.
>
> Thanks
>
> Lance

--
This message was scanned by Better Hosted and is believed to be clean.
http://www.betterhosted.com

From juliano.giannerini at norsul.com Fri Jul 6 14:50:05 2012
From: juliano.giannerini at norsul.com (Juliano Giannerini)
Date: Fri, 6 Jul 2012 10:50:05 -0300
Subject: RES: MailScanner Digest, Vol 78, Issue 20
References: <201206291100.q5TB0SUX019684@safir.blacknight.ie>
Message-ID:

Hello everybody.

Someone knows how to block an email message which the Field "from" is equal to Field "to".

I've received a bulk of messages that spammers masquerade from with the same email of the user who is receiving the message, like:

From: 123 at test.com
To: 123 at test.com

I got the message in mailscanner:

If you could help me I appreciate very much.

Regards,
Juliano
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120706/a1965db9/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 181591 bytes
Desc: image008.jpg
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120706/a1965db9/attachment-0001.jpe

From jaearick at colby.edu Mon Jul 16 11:55:19 2012
From: jaearick at colby.edu (Jeff Earickson)
Date: Mon, 16 Jul 2012 06:55:19 -0400
Subject: Test post
In-Reply-To:
References: <5003D575.3050001@ecs.soton.ac.uk>
Message-ID:

Jules,

Glad to know that you are still alive. Got this.

Jeff Earickson
Colby College

On Mon, Jul 16, 2012 at 4:48 AM, Julian Field wrote:
> Does this get through?
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
>
> Buy the MailScanner book at www.MailScanner.info/store
> Need help customising MailScanner? Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011
> 'All programs have a desire to be useful' - Tron, 1982
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From glenn.steen at gmail.com Mon Jul 16 12:16:58 2012
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon, 16 Jul 2012 13:16:58 +0200
Subject: Test post
In-Reply-To:
References: <5003D575.3050001@ecs.soton.ac.uk>
Message-ID:

Yes.

On 16 Jul 2012 12:40, "Julian Field" wrote:
> Does this get through?
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
>
> Buy the MailScanner book at www.MailScanner.info/store
> Need help customising MailScanner? Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011
> 'All programs have a desire to be useful' - Tron, 1982
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/4b1d2fe0/attachment.html

From adelgadom at wanadoo.es Mon Jul 16 12:32:42 2012
From: adelgadom at wanadoo.es (adelgadom at wanadoo.es)
Date: Mon, 16 Jul 2012 13:32:42 +0200
Subject: "RE:Test post"
Message-ID: <201207161229.q6GCTIMD014527@listserver.mailscanner.info>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/b1e1fea9/attachment.html

From lists at tatorz.com Mon Jul 16 12:34:30 2012
From: lists at tatorz.com (Mail Lists)
Date: Mon, 16 Jul 2012 07:34:30 -0400
Subject: Test post
In-Reply-To:
References: <5003D575.3050001@ecs.soton.ac.uk>
Message-ID: <5003FC46.8040100@Tatorz.com>

On 07/16/2012 04:48 AM, Julian Field wrote:
> Does this get through?
>
> Jules
>

Yes it does Julian.

--
Brian
-----
Get the latest Fremont, OH Weather
http://www.Fremont-OH-Weather.com

From bonivart at opencsw.org Mon Jul 16 13:20:25 2012
From: bonivart at opencsw.org (Peter Bonivart)
Date: Mon, 16 Jul 2012 14:20:25 +0200
Subject: MailScanner Digest, Vol 78, Issue 20
In-Reply-To:
References: <201206291100.q5TB0SUX019684@safir.blacknight.ie>
Message-ID:

On Fri, Jul 6, 2012 at 3:50 PM, Juliano Giannerini wrote:
>
> Hello everybody.
>
> Someone knows how to block a email message which the Field "from" is equal
> to Field "to".
>
> I've received a bulk of messages that spammers masquerade from with the
> same email of the user Who is receving the message, like:

Take a look at this post:

http://spamassassin.1065346.n5.nabble.com/How-to-reject-spam-where-sender-receiver-td65361.html

It has a tiny SA plugin that does what you want. Note though that
legit mailing lists also often put yourself as sender so don't go
crazy with the scores.

/peter

From maxsec at gmail.com Mon Jul 16 13:11:45 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 16 Jul 2012 13:11:45 +0100
Subject: MailScanner Digest, Vol 78, Issue 20
In-Reply-To:
References: <201206291100.q5TB0SUX019684@safir.blacknight.ie>
Message-ID:

Well something has triggered that as spam somewhere along the lines.

I'd make sure you're running the latest version of SpamAssassin (and clamav, I notice you're a couple of minor releases off the latest of clamav).
I'd also make sure you're not trusting any other spam headers and log each message for what SA rules do hit with the following alterations to the MailScanner.conf file

Spam Score Number Format = %5.2f
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score Number Format = %5.2f

And make sure you're not whitelisting your own domain.

--
Martin Hepworth, CISSP
Oxford, UK

On 6 July 2012 14:50, Juliano Giannerini wrote:
> Hello everybody.
>
> Someone knows how to block a email message which the Field "from" is equal
> to Field "to".
>
> I've received a bulk of messages that spammers masquerade from with the
> same email of the user Who is receving the message, like:
>
> From: 123 at test.com
>
> To: 123 at test.com
>
> I got the message in mailscanner:
>
> If you could help me I appreciate very much.
>
> Regards,
>
> Juliano
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/1befe8e7/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 181591 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/1befe8e7/attachment-0001.jpe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 181 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/1befe8e7/attachment-0013.png

From roedie at roedie.nl Mon Jul 16 14:17:32 2012
From: roedie at roedie.nl (Sander Klein)
Date: Mon, 16 Jul 2012 15:17:32 +0200
Subject: Maybe fixed: Taint bug
Message-ID: <82d1a99ea3a5629b6ea44c1b287aee88@roedie.nl>

Hi All,

I think I've found and fixed the taint bug which is in the mailscanner
releases. The problem is in the PFDiskStore.pm file.

The routine giving the problems is:

sub CopyEntireMessage {
  my $this = shift;
  my($message, $targetdir, $targetfile, $uid, $gid, $changeowner) = @_;

  #print STDERR "Copying to $targetdir $targetfile\n";
  if (MailScanner::Config::Value('storeentireasdfqf')) {
    #print STDERR "Copying to dir $targetdir\n";
    return ($this->CopyToDir($targetdir, $targetfile, $uid, $gid,
                             $changeowner));
  } else {
    #print STDERR "Copying to file $targetdir/$targetfile\n";
    my $target = new IO::File "$targetdir/$targetfile", "w";
    MailScanner::Log::WarnLog("writing to $targetdir/$targetfile: $!")
      if not defined $target;
    $this->WriteEntireMessage($message, $target);
    return $targetdir . '/' . $targetfile;
  }
}

Here $targetfile is still tainted and will result in failure. Changing
the routine to:

sub CopyEntireMessage {
  my $this = shift;
  my($message, $targetdir, $targetfile, $uid, $gid, $changeowner) = @_;

  $targetfile =~/([\w\d]{10}.[\w\d]{5})/;
  $targetfile = $1;

  #print STDERR "Copying to $targetdir $targetfile\n";
  if (MailScanner::Config::Value('storeentireasdfqf')) {
    #print STDERR "Copying to dir $targetdir\n";
    return ($this->CopyToDir($targetdir, $targetfile, $uid, $gid,
                             $changeowner));
  } else {
    #print STDERR "Copying to file $targetdir/$targetfile\n";
    my $target = new IO::File "$targetdir/$targetfile", "w";
    MailScanner::Log::WarnLog("writing to $targetdir/$targetfile: $!")
      if not defined $target;
    $this->WriteEntireMessage($message, $target);
    return $targetdir . '/' . $targetfile;
  }
}

fixes the problem.

To make this change perfect it probably would be better to check if
$targetfile isn't empty after setting $1. This is just my own POC to see
if the change works.

Greets,

Sander

From vmiszczak at ankama.com Mon Jul 16 14:38:01 2012
From: vmiszczak at ankama.com (Vincent Miszczak)
Date: Mon, 16 Jul 2012 15:38:01 +0200
Subject: Archives filenames not being checked
Message-ID: <7AFA66599AC41847AD8E021A1DBB9D14264D5CFDF8@pandore.ankama.com>

Hello guys,

We have one feature not working at all :
Archives: Filename Rules

Our configuration use the default mailscanner setting, ie it uses archives.filename.rules.conf
However, files that should be denied (like .chm extension) are not.
All settings regarding archives are default ones.

Is this a bug ? How do I get this feature working as expected ?

Regards,
Vinz

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/89a08fec/attachment.html

From Sampson at p2sol.com Mon Jul 16 16:44:27 2012
From: Sampson at p2sol.com (Sampson, Aaron)
Date: Mon, 16 Jul 2012 15:44:27 +0000
Subject: Scanning by Subject
Message-ID: <4ACB6FBB6E06074DA18D653BD3155A663A855B@COMM1.p2sol.com>

I have an e-mail getting through the system that is coming from different addresses but has the same subject matter. Has anyone run into this and created a rule or made a change to their conf file? Trying to figure out the best way to combat this, I was thinking that scan.messages.rules file would be the place for it but it appears that it focuses more on the to from instead of subject.

Sampson
IT Department
-------------- next part --------------
An HTML attachment was scrubbed...
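Sander Klein's post above notes that the untaint step should still check that the match succeeded. An added example, not MailScanner code and not from the thread, of that check beside the two statements as posted; the sub names, the literal-dot separator in the pattern and the sample file names are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: not MailScanner code and not from the thread.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumption: the name has the shape implied by the regex in the post
# (10 word characters, a separator, 5 word characters), with the separator
# taken to be a literal dot. Adjust to the names your MTA really produces.
my $NAME_RE = qr/\A(\w{10}\.\w{5})\z/a;

# The two statements from the post, wrapped in a sub (hypothetical name).
# A failed match does not reset $1: it keeps the value left by the last
# successful match still in scope, or stays undefined.
sub untaint_unchecked {
    my ($targetfile) = @_;
    $targetfile =~ /([\w\d]{10}.[\w\d]{5})/;
    $targetfile = $1;
    return $targetfile;
}

# Checked variant (hypothetical name): anchored at both ends, separator
# escaped, and the capture is used only when the match succeeded.
sub untaint_checked {
    my ($targetfile) = @_;
    return undef unless defined $targetfile;
    return $targetfile =~ $NAME_RE ? $1 : undef;
}

# Constructed sample names, not taken from a real queue.
my @samples = (
    'ABCDEF0123.A1B2C',              # expected shape
    '../../tmp/ABCDEF0123.A1B2C',    # expected shape inside a longer path
    'ABCDEF0123/A1B2C',              # "/" where the separator should be
    'short.name',                    # no match at all
);

# Under "perl -T" this empty string is tainted and taints whatever it is
# joined to; without -T it changes nothing and tainted() reports false.
my $taint = substr("$0$^X", 0, 0);

# A successful match in the calling scope, so that a stale $1 is available
# to be picked up when the unchecked match fails.
('earlier-match' =~ /(earlier)/) or die "setup match failed\n";

for my $name (@samples) {
    my $in      = $name . $taint;
    my $loose   = untaint_unchecked($in);
    my $checked = untaint_checked($in);
    printf "%-28s tainted=%d  unchecked=%-18s checked=%s\n",
        $name,
        (tainted($in) ? 1 : 0),
        $loose   // '(undef)',
        $checked // '(rejected: log and skip the copy)';
}
```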
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/e4630a43/attachment.html

From vmiszczak at ankama.com Mon Jul 16 16:46:54 2012
From: vmiszczak at ankama.com (Vincent Miszczak)
Date: Mon, 16 Jul 2012 17:46:54 +0200
Subject: Archives filenames not being checked
Message-ID: <7AFA66599AC41847AD8E021A1DBB9D14264D5CFF54@pandore.ankama.com>

Hi,

I have figured out the origin of the problem : "dangerous content scanning" was set to no...
After enabling it, job is done.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/ac371385/attachment.html

From jgao at veecall.com Mon Jul 16 17:32:53 2012
From: jgao at veecall.com (J Gao)
Date: Mon, 16 Jul 2012 09:32:53 -0700
Subject: How to allow double extension file?
Message-ID: <50044235.9040804@veecall.com>

Hello,

We have a client send us email with zipped attachment. It contain files
like:
file1.shp.xml
file2.kmz.kml

I added two lines on the bottom of the filename.rules.conf:
allow \.shp\.xml$ - -
allow \.kmz\.kml$ - -

But the MailScanner still detect them as "Bad Filename" and drop them
into quarantine:

MessageID: 5482680A2.A554E
Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)

How can I let MailScanner know these are safe file name and let them
pass through?

Thanks

Gao

--

From Denis.Beauchemin at usherbrooke.ca Mon Jul 16 18:12:37 2012
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Mon, 16 Jul 2012 17:12:37 +0000
Subject: How to allow double extension file?
In-Reply-To: <50044235.9040804@veecall.com>
References: <50044235.9040804@veecall.com>
Message-ID:

Gao,

Try putting your lines at the start of the file instead. This might resolve your problem.
Denis

PS: Don't forget to restart MS afterwards.
______________________________
Denis Beauchemin
Technology Architect - Server Infrastructure
Information Technology Service
Université de Sherbrooke
Tel.: 819 821-8000, ext. 62252
Email: Denis.Beauchemin at USherbrooke.ca

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of J Gao
> Sent: 16 July 2012 12:52
> To: mailscanner at lists.mailscanner.info
> Subject: How to allow double extension file?
>
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them into
> quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension
> (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them pass
> through?
>
> Thanks
>
> Gao
>
> --
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From mikea at mikea.ath.cx Mon Jul 16 18:17:11 2012
From: mikea at mikea.ath.cx (Mike Andrews)
Date: Mon, 16 Jul 2012 12:17:11 -0500
Subject: How to allow double extension file?
In-Reply-To: <50044235.9040804@veecall.com>
References: <50044235.9040804@veecall.com>
Message-ID: <20120716171711.GB56428@mikea.ath.cx>

On Mon, Jul 16, 2012 at 09:32:53AM -0700, J Gao wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?

Move those two lines from the bottom, after all the "deny" rules, up
before the "deny" rules -- or at least before any "deny" rules which
might match the filenames and cause detection as a bad filename.

--
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin

From axisml at gmail.com Mon Jul 16 18:31:27 2012
From: axisml at gmail.com (Chris Stone)
Date: Mon, 16 Jul 2012 11:31:27 -0600
Subject: How to allow double extension file?
In-Reply-To: <50044235.9040804@veecall.com>
References: <50044235.9040804@veecall.com>
Message-ID:

On Mon, Jul 16, 2012 at 10:32 AM, J Gao wrote:
> Hello,
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension
> (aral.shp.xml)
>

Try making sure to add it above the line:

# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to possibly hide real filename extension

Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/7bcce832/attachment.html

From bonivart at opencsw.org Mon Jul 16 18:36:22 2012
From: bonivart at opencsw.org (Peter Bonivart)
Date: Mon, 16 Jul 2012 19:36:22 +0200
Subject: Scanning by Subject
In-Reply-To: <4ACB6FBB6E06074DA18D653BD3155A663A855B@COMM1.p2sol.com>
References: <4ACB6FBB6E06074DA18D653BD3155A663A855B@COMM1.p2sol.com>
Message-ID:

On Mon, Jul 16, 2012 at 5:44 PM, Sampson, Aaron wrote:
> I have an e-mail getting through the system that is coming from different
> addresses but has the same subject matter. Has anyone run into this and
> created a rule or made a change to their conf file? Trying to figure out
> the best way to combat this, I was thinking that scan.messages.rules file
> would be the place for it but it appears that it focuses more on the to from
> instead of subject.

You need to learn to write your own SA rules:

http://wiki.apache.org/spamassassin/WritingRules

/peter

From bonivart at opencsw.org Mon Jul 16 18:37:31 2012
From: bonivart at opencsw.org (Peter Bonivart)
Date: Mon, 16 Jul 2012 19:37:31 +0200
Subject: How to allow double extension file?
In-Reply-To: <50044235.9040804@veecall.com>
References: <50044235.9040804@veecall.com>
Message-ID:

On Mon, Jul 16, 2012 at 6:32 PM, J Gao wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?

By placing them _above_ the double extension rule.
/peter

From ka at pacific.net Mon Jul 16 19:00:36 2012
From: ka at pacific.net (Ken A)
Date: Mon, 16 Jul 2012 13:00:36 -0500
Subject: Scanning by Subject
In-Reply-To: <4ACB6FBB6E06074DA18D653BD3155A663A855B@COMM1.p2sol.com>
References: <4ACB6FBB6E06074DA18D653BD3155A663A855B@COMM1.p2sol.com>
Message-ID: <500456C4.2060707@pacific.net>

You'd do this in SA. See rules in /etc/mail/spamassassin/ and
/usr/share/spamassassin for some examples

Ken

On 7/16/2012 10:44 AM, Sampson, Aaron wrote:
> I have an e-mail getting through the system that is coming from different addresses but has the same subject matter. Has anyone run into this and created a rule or made a change to their conf file? Trying to figure out the best way to combat this, I was thinking that scan.messages.rules file would be the place for it but it appears that it focuses more on the to from instead of subject.
>
>
> Sampson
> IT Department
>
>
>
>

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Latest Pacific.Net Status - http://twitter.com/pacnetstatus

From maxsec at gmail.com Mon Jul 16 19:03:43 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 16 Jul 2012 19:03:43 +0100
Subject: How to allow double extension file?
In-Reply-To:
References: <50044235.9040804@veecall.com>
Message-ID:

Put the rules at the top so they get hit first.

Don't forget to restart mailscanner afterwards

Martin

On Monday, 16 July 2012, Chris Stone wrote:
>
> On Mon, Jul 16, 2012 at 10:32 AM, J Gao
> > wrote:
>
>> Hello,
>>
>> I added two lines on the bottom of the filename.rules.conf:
>> allow \.shp\.xml$ - -
>> allow \.kmz\.kml$ - -
>>
>> But the MailScanner still detect them as "Bad Filename" and drop them
>> into quarantine:
>>
>> MessageID: 5482680A2.A554E
>> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
>> Report: MailScanner: Attempt to hide real filename extension
>> (aral.shp.xml)
>>
>
> Trying making sure to add it above the line:
>
> # Deny all other double file extensions. This catches any hidden filenames.
> allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
> hiding Attempt to possibly hide real filename
> extension
>
>
> Chris
>

--
--
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/090a8882/attachment.html

From jgao at veecall.com Mon Jul 16 19:59:00 2012
From: jgao at veecall.com (J Gao)
Date: Mon, 16 Jul 2012 11:59:00 -0700
Subject: How to allow double extension file?
In-Reply-To:
References: <50044235.9040804@veecall.com>
Message-ID: <50046474.6020907@veecall.com>

On 12-07-16 10:37 AM, Peter Bonivart wrote:
> By placing them_above_ the double extension rule.
>
> /peter
> --

Well, I tried all you guys suggestion and I still get trouble when I
test the rule. I restarted MailScanner every time after modify the file.

Here I put a tiny test file online. This zip file contain a single
.sha.xml file. (This is generated by some program in Windows). Anyway
you can see that just a flat XML file but just with a double extension
file name:
http://dl.dropbox.com/u/3442771/test.zip

BTW, even I enable (although I don't like the idea):
# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding

It's still block my test.zip file!

Could someone can test it with my test.zip file above and let me know
the solution?

Thanks a lot.

Gao

--

From mailscanner at joolee.nl Mon Jul 16 19:59:20 2012
From: mailscanner at joolee.nl (Joolee)
Date: Mon, 16 Jul 2012 20:59:20 +0200
Subject: Howto guide?
In-Reply-To: <5003EF9C.6080807@haigmail.com>
References: <5001AB09.7070701@gmail.com> <5003EF9C.6080807@haigmail.com>
Message-ID:

Google for Spamsnake.

On 16 July 2012 12:40, Lance Haig wrote:
> Looks like my mail has come through :-)
>
> Please ignore this mail
>
> Lance
>
>
> On 14/07/12 18:23, Lance.Haig wrote:
> > Hi All,
> >
> > I have not installed an MS server for a long time and I was wondering if
> > any of you know of a server install guide I could use that will help
> > with the install of an MS server with postfix and the new mailwatch.
> >
> > I would want to try keep clear of the normal install method as I hit
> > perl hell with my old system.
> >
> > Any help would be appreciated.
> >
> > Thanks
> >
> > Lance
>
>
>
> --
> This message was scanned by Better Hosted and is believed to be clean.
> http://www.betterhosted.com
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120716/d83d3179/attachment.html

From Sampson at p2sol.com Mon Jul 16 20:11:15 2012
From: Sampson at p2sol.com (Sampson, Aaron)
Date: Mon, 16 Jul 2012 19:11:15 +0000
Subject: Scanning by Subject
In-Reply-To:
References: <4ACB6FBB6E06074DA18D653BD3155A663A855B@COMM1.p2sol.com>
Message-ID: <4ACB6FBB6E06074DA18D653BD3155A663A8782@COMM1.p2sol.com>

Thank you, I found that website to be very helpful in how to write my own rules, I will take a look at it and try it out and see if that will take care of this issue.

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Bonivart
Sent: Monday, July 16, 2012 12:36 PM
To: MailScanner discussion
Subject: Re: Scanning by Subject

On Mon, Jul 16, 2012 at 5:44 PM, Sampson, Aaron wrote:
> I have an e-mail getting through the system that is coming from
> different addresses but has the same subject matter. Has anyone run
> into this and created a rule or made a change to their conf file?
> Trying to figure out the best way to combat this, I was thinking that
> scan.messages.rules file would be the place for it but it appears that
> it focuses more on the to from instead of subject.

You need to learn to write your own SA rules:

http://wiki.apache.org/spamassassin/WritingRules

/peter
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From jgao at veecall.com Mon Jul 16 20:13:51 2012
From: jgao at veecall.com (J Gao)
Date: Mon, 16 Jul 2012 12:13:51 -0700
Subject: How to allow double extension file?
In-Reply-To: <50044235.9040804@veecall.com>
References: <50044235.9040804@veecall.com>
Message-ID: <500467EF.1090503@veecall.com>

On 12-07-16 09:32 AM, J Gao wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?
>
> Thanks
>
> Gao
>

Well, I tried all you guys suggestion and I still get trouble when I
test the rule. I restarted MailScanner every time after modify the file.

Here I put a tiny test file online. This zip file contain a single
.shp.xml file. (This is generated by some program in Windows). Anyway
you can see that just a flat XML file but just with a double extension
file name:
http://dl.dropbox.com/u/3442771/test.zip

BTW, even I enable (although I don't like the idea):
# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding

It's still block my test.zip file!

Could someone can test it with my test.zip file above and let me know
the solution?

Thanks a lot.

Gao

[UPDATE]
I just tried to put the rule on the very beginning of the conf file:
test result:
1. zip file still get blocked!
2. BUT if I attach the .shp.xml file without zip it, it passed!

So there is something going on with the unzip/scan ?

Gao

--

From jgao at veecall.com Mon Jul 16 20:22:21 2012
From: jgao at veecall.com (J Gao)
Date: Mon, 16 Jul 2012 12:22:21 -0700
Subject: How to allow double extension file?
In-Reply-To:
References: <50044235.9040804@veecall.com>
Message-ID: <500469ED.3090307@veecall.com>

On 12-07-16 11:03 AM, Martin Hepworth wrote:
> Put the rules at the top so they get hit first.
>
> Dont forget to restart mailscanner afterwards
>
> Martin
>
> On Monday, 16 July 2012, Chris Stone wrote:
>
>
> On Mon, Jul 16, 2012 at 10:32 AM, J Gao
> wrote:
>
> Hello,
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop
> them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine:
> /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename
> extension (aral.shp.xml)
>
>
> Trying making sure to add it above the line:
>
> # Deny all other double file extensions. This catches any hidden
> filenames.
> allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible
> filename hiding Attempt to possibly hide
> real filename extension
>
>
> Chris
>
>
>
> --
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>

I replied but my mail doesn't shows. ??? I include a URL for the
test.zip file in dropbox, so it's been filtered out?

[UPDATE]
I just tried to put the rule on the very beginning of the conf file:
test result:
1. zip file still get blocked!
2. BUT if I attach the .shp.xml file without zip it, it passed!

So there is something going on with the unzip/scan ?

Gao

--

From stephencoxmail at gmail.com Tue Jul 17 08:54:02 2012
From: stephencoxmail at gmail.com (Stephen Cox)
Date: Tue, 17 Jul 2012 09:54:02 +0200
Subject: Maybe fixed: Taint bug
In-Reply-To: <82d1a99ea3a5629b6ea44c1b287aee88@roedie.nl>
References: <82d1a99ea3a5629b6ea44c1b287aee88@roedie.nl>
Message-ID:

On Mon, Jul 16, 2012 at 3:17 PM, Sander Klein wrote:
> Hi All,
>
> I think I've found and fixed the taint bug which is in the mailscanner
> releases. The problem is in the PFDiskStore.pm file.
>
> The routine giving the problems is:
>
> sub CopyEntireMessage {
>   my $this = shift;
>   my($message, $targetdir, $targetfile, $uid, $gid, $changeowner) = @_;
>
>   #print STDERR "Copying to $targetdir $targetfile\n";
>   if (MailScanner::Config::Value('storeentireasdfqf')) {
>     #print STDERR "Copying to dir $targetdir\n";
>     return ($this->CopyToDir($targetdir, $targetfile, $uid, $gid,
>                              $changeowner));
>   } else {
>     #print STDERR "Copying to file $targetdir/$targetfile\n";
>     my $target = new IO::File "$targetdir/$targetfile", "w";
>     MailScanner::Log::WarnLog("writing to $targetdir/$targetfile: $!")
>       if not defined $target;
>     $this->WriteEntireMessage($message, $target);
>     return $targetdir . '/' . $targetfile;
>   }
> }
>
> Here $targetfile is still tainted and will result in failure. Changing
> the routine to:
>
> sub CopyEntireMessage {
>   my $this = shift;
>   my($message, $targetdir, $targetfile, $uid, $gid, $changeowner) = @_;
>
>   $targetfile =~/([\w\d]{10}.[\w\d]{5})/;
>   $targetfile = $1;
>
>   #print STDERR "Copying to $targetdir $targetfile\n";
>   if (MailScanner::Config::Value('storeentireasdfqf')) {
>     #print STDERR "Copying to dir $targetdir\n";
>     return ($this->CopyToDir($targetdir, $targetfile, $uid, $gid,
>                              $changeowner));
>   } else {
>     #print STDERR "Copying to file $targetdir/$targetfile\n";
>     my $target = new IO::File "$targetdir/$targetfile", "w";
>     MailScanner::Log::WarnLog("writing to $targetdir/$targetfile: $!")
>       if not defined $target;
>     $this->WriteEntireMessage($message, $target);
>     return $targetdir . '/' . $targetfile;
>   }
> }
>
> fixes the problem. To make this change perfect it probably would be
> better to check if $targetfile isn't empty after setting $1. This is
> just my own POC to see if the change works.
> You are welcome to open a pull request on github @ https://github.com/MailScanner/MailScanner > Greets, > > Sander > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- Stephen Cox From mailscanner at joolee.nl Tue Jul 17 08:56:18 2012 From: mailscanner at joolee.nl (Joolee) Date: Tue, 17 Jul 2012 09:56:18 +0200 Subject: How to allow double extension file? In-Reply-To: <500467EF.1090503@veecall.com> References: <50044235.9040804@veecall.com> <500467EF.1090503@veecall.com> Message-ID: filename.rules.conf filetype.rules.conf *archives.filename.rules.conf* archives.filetype.rules.conf Which one were you editing? On 16 July 2012 21:13, J Gao wrote: > On 12-07-16 09:32 AM, J Gao wrote: > > Hello, > > > > We have a client send us email with zipped attachment. It contain files > > like: > > file1.shp.xml > > file2.kmz.kml > > > > I added two lines on the bottom of the filename.rules.conf: > > allow \.shp\.xml$ - - > > allow \.kmz\.kml$ - - > > > > But the MailScanner still detect them as "Bad Filename" and drop them > > into quarantine: > > > > MessageID: 5482680A2.A554E > > Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E > > Report: MailScanner: Attempt to hide real filename extension > (aral.shp.xml) > > > > > > > > How can I let MailScanner know these are safe file name and let them > > pass through? > > > > Thanks > > > > Gao > > > > Well, I tried all you guys suggestion and I still get trouble when I > test the rule. I restarted MailScanner every time after modify the file. > > Here I put a tiny test file online. This zip file contain a single > .shp.xml file. (This is generated by some program in Windows). 
Anyway > you can see that just a flat XML file but just with a double extension > file name: > http://dl.dropbox.com/u/3442771/test.zip > > BTW, even I enable (although I don't like the idea): > > # Deny all other double file extensions. This catches any hidden filenames. > allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename > hiding > > It's still block my test.zip file! > > Could someone can test is with my test.zip file above and let me know > the solution? > > Thanks a lot. > > Gao > > > > [UPDATE] > > I just tried to put the rule on the very beginning of the conf file: > > test result: > 1. zip file still get blocked! > 2. BUT if I attach the .shp.xml file without zip it, it passed! > > So there is something going on with the unzip/scan ? > > Gao > > > > > -- > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120717/de20b298/attachment.html From goetz.reinicke at filmakademie.de Tue Jul 17 10:21:47 2012 From: goetz.reinicke at filmakademie.de (=?ISO-8859-15?Q?G=F6tz_Reinicke?=) Date: Tue, 17 Jul 2012 11:21:47 +0200 Subject: I lost an e-mail :/ Message-ID: <50052EAB.5090600@filmakademie.de> Hi, we run a sendmail - mailscanner - spamassasin - clamav Redhat server and I recently 'lost' an email :/ I can see, that it is send the day before yesterday from an external account to two users at our system. both get that message. The same external user sent the same message yesterday to her account at our system and did not receive it. In the sendmail log I see, that the mail comes from:<.....> but I do not get an to=..... for that message. 
To me it looks like our sendmail 'lost' that mail somewhere ...

I restarted mailscanner/sendmail and searched the filesystem without
success....

And if one message gets lost, maybe there are more.

Any suggestions/ideas? Thanks. Götz
--
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 82 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Stuttgart District Court, HRB 205016

Chairman of the Supervisory Board:
Jürgen Walter MdL
State Secretary in the Ministry of Science,
Research and the Arts of Baden-Württemberg

Managing Director:
Prof. Thomas Schadt

From maxsec at gmail.com Tue Jul 17 12:54:12 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 17 Jul 2012 12:54:12 +0100
Subject: I lost an e-mail :/
In-Reply-To: <50052EAB.5090600@filmakademie.de>
References: <50052EAB.5090600@filmakademie.de>
Message-ID:

maybe the other end broke...the connection. Very unusual for
sendmail/postfix to break halfway through the connection

--
Martin Hepworth, CISSP
Oxford, UK

On 17 July 2012 10:21, Götz Reinicke wrote:

> Hi,
>
> we run a sendmail - mailscanner - spamassassin - clamav Redhat server and
> I recently 'lost' an email :/
>
> I can see that it was sent the day before yesterday from an external
> account to two users at our system. Both got that message.
>
> The same external user sent the same message yesterday to her account at
> our system and did not receive it.
>
> In the sendmail log I see that the mail comes from:<.....> but I do not
> get a to=..... for that message.
>
> To me it looks like our sendmail 'lost' that mail somewhere ...
>
> I restarted mailscanner/sendmail and searched the filesystem without
> success....
>
> And if one message gets lost, maybe there are more.
>
> Any suggestions/ideas? Thanks. Götz
> --
> Götz Reinicke
> IT Coordinator
>
> Tel. +49 7141 969 82 420
> Fax +49 7141 969 55 420
> E-Mail goetz.reinicke at filmakademie.de
>
> Filmakademie Baden-Württemberg GmbH
> Akademiehof 10
> 71638 Ludwigsburg
> www.filmakademie.de
>
> Registered at Stuttgart District Court, HRB 205016
>
> Chairman of the Supervisory Board:
> Jürgen Walter MdL
> State Secretary in the Ministry of Science,
> Research and the Arts of Baden-Württemberg
>
> Managing Director:
> Prof. Thomas Schadt

From jgao at veecall.com Tue Jul 17 23:09:33 2012
From: jgao at veecall.com (J Gao)
Date: Tue, 17 Jul 2012 15:09:33 -0700
Subject: How to allow double extension file?
In-Reply-To:
References: <50044235.9040804@veecall.com> <500467EF.1090503@veecall.com>
Message-ID: <5005E29D.5080405@veecall.com>

On 12-07-17 12:56 AM, Joolee wrote:
> filename.rules.conf
> filetype.rules.conf
> *archives.filename.rules.conf*
> archives.filetype.rules.conf
>
> Which one were you editing?
>
> On 16 July 2012 21:13, J Gao
> wrote:
>
> On 12-07-16 09:32 AM, J Gao wrote:
> > Hello,
> >
> > We have a client send us email with zipped attachment.
It contain > files > > like: > > file1.shp.xml > > file2.kmz.kml > > > > I added two lines on the bottom of the filename.rules.conf: > > allow \.shp\.xml$ - - > > allow \.kmz\.kml$ - - > > > > But the MailScanner still detect them as "Bad Filename" and drop them > > into quarantine: > > > > MessageID: 5482680A2.A554E > > Quarantine: > /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E > > Report: MailScanner: Attempt to hide real filename > extension (aral.shp.xml) > > > > > > > > How can I let MailScanner know these are safe file name and let them > > pass through? > > > > Thanks > > > > Gao > > > > Well, I tried all you guys suggestion and I still get trouble when I > test the rule. I restarted MailScanner every time after modify the file. > > Here I put a tiny test file online. This zip file contain a single > .shp.xml file. (This is generated by some program in Windows). Anyway > you can see that just a flat XML file but just with a double extension > file name: > http://dl.dropbox.com/u/3442771/test.zip > > BTW, even I enable (although I don't like the idea): > > # Deny all other double file extensions. This catches any hidden > filenames. > allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename > hiding > > It's still block my test.zip file! > > Could someone can test is with my test.zip file above and let me know > the solution? > > Thanks a lot. > > Gao > > > > [UPDATE] > > I just tried to put the rule on the very beginning of the conf file: > > test result: > 1. zip file still get blocked! > 2. BUT if I attach the .shp.xml file without zip it, it passed! > > So there is something going on with the unzip/scan ? > > Gao > > > > > -- > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > Thanks > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > Thanks a lot. 
I got it works. I need configure both file. Gao -- From dlee.aus at gmail.com Wed Jul 18 01:22:09 2012 From: dlee.aus at gmail.com (David Lee) Date: Wed, 18 Jul 2012 09:52:09 +0930 Subject: tnef leftovers in /var/spool/postfix/hold. Message-ID: > Hello all. > My system seems to unpack the tnef files in the hold dir from postfix. > > Is there a way i can tell the system to do it in /var/spool/MailScanner/incoming. > I have all these messages. > > Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefzUwzPu: uid 100: not a regular file > Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef6tMSaE: uid 100: not a regular file > Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefDVEwIz: uid 100: not a regular file > Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef5rx4X7: uid 100: not a regular file > Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefATGL1A: uid 100: not a regular file > Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefas99Jg: uid 100: not a regular file > Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefu8KzxG: uid 100: not a regular file > Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefbMU6hy: uid 100: not a regular file > Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef4IxytK: uid 100: not a regular file > Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefzeaRuQ: uid 100: not a regular file > > Thank you for your time > > Regards > Johan Hendriks I've just built a new Mailscanner server on a Red Hat 6.3 system and also noticed the creation of these files in the Postfix hold directory. After having a bit of a look at the code, I think I have found the problem. The problem lies in the 'ExternalDecoder' subroutine of the TNEF.pm module. Two temporary directories are created there (one using 'tempdir', the other by 'mkdir'), but only one is deleted (the one created using 'mkdir'). 
It appears that the TNEF files are being unpacked into the '/var/spool/MailScanner/incoming' directory as specified. I suspect these temporary hold queue directories eventually get removed when the associated MailScanner process that created them is killed and restarted. -- David -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120718/c0bb8aac/attachment.html From stephencoxmail at gmail.com Wed Jul 18 06:26:48 2012 From: stephencoxmail at gmail.com (Stephen Cox) Date: Wed, 18 Jul 2012 07:26:48 +0200 Subject: tnef leftovers in /var/spool/postfix/hold. In-Reply-To: References: Message-ID: On Wed, Jul 18, 2012 at 2:22 AM, David Lee wrote: >> Hello all. >> My system seems to unpack the tnef files in the hold dir from postfix. >> >> Is there a way i can tell the system to do it in >> /var/spool/MailScanner/incoming. >> I have all these messages. >> >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefzUwzPu: uid >> 100: not a regular file >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef6tMSaE: uid >> 100: not a regular file >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefDVEwIz: uid >> 100: not a regular file >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef5rx4X7: uid >> 100: not a regular file >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefATGL1A: uid >> 100: not a regular file >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefas99Jg: uid >> 100: not a regular file >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefu8KzxG: uid >> 100: not a regular file >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefbMU6hy: uid >> 100: not a regular file >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef4IxytK: uid >> 100: not a regular file >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefzeaRuQ: uid >> 100: not a regular file >> >> Thank you for your 
time >> >> Regards >> Johan Hendriks > > I've just built a new Mailscanner server on a Red Hat 6.3 system and also > noticed the creation of these files in the Postfix hold directory. After > having a bit of a look at the code, I think I have found the problem. > The problem lies in the 'ExternalDecoder' subroutine of the TNEF.pm module. > Two temporary directories are created there (one using 'tempdir', the other > by 'mkdir'), but only one is deleted (the one created using 'mkdir'). It > appears that the TNEF files are being unpacked into the > '/var/spool/MailScanner/incoming' directory as specified. > I suspect these temporary hold queue directories eventually get removed when > the associated MailScanner process that created them is killed and > restarted. David, Can you please report the issue at https://github.com/MailScanner/MailScanner/issues?state=open Stephen > > -- > David > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From dlee.aus at gmail.com Wed Jul 18 07:41:56 2012 From: dlee.aus at gmail.com (David Lee) Date: Wed, 18 Jul 2012 16:11:56 +0930 Subject: tnef leftovers in /var/spool/postfix/hold. In-Reply-To: References: Message-ID: On Wed, Jul 18, 2012 at 2:56 PM, Stephen Cox wrote: > On Wed, Jul 18, 2012 at 2:22 AM, David Lee wrote: > >> Hello all. > >> My system seems to unpack the tnef files in the hold dir from postfix. > >> > >> Is there a way i can tell the system to do it in > >> /var/spool/MailScanner/incoming. > >> I have all these messages. 
> >> > >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefzUwzPu: uid > >> 100: not a regular file > >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef6tMSaE: uid > >> 100: not a regular file > >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefDVEwIz: uid > >> 100: not a regular file > >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef5rx4X7: uid > >> 100: not a regular file > >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefATGL1A: uid > >> 100: not a regular file > >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefas99Jg: uid > >> 100: not a regular file > >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefu8KzxG: uid > >> 100: not a regular file > >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefbMU6hy: uid > >> 100: not a regular file > >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnef4IxytK: uid > >> 100: not a regular file > >> Jul 4 00:00:06 ms03 postfix/showq[71821]: warning: hold/tnefzeaRuQ: uid > >> 100: not a regular file > >> > >> Thank you for your time > >> > >> Regards > >> Johan Hendriks > > > > I've just built a new Mailscanner server on a Red Hat 6.3 system and also > > noticed the creation of these files in the Postfix hold directory. After > > having a bit of a look at the code, I think I have found the problem. > > The problem lies in the 'ExternalDecoder' subroutine of the TNEF.pm > module. > > Two temporary directories are created there (one using 'tempdir', the > other > > by 'mkdir'), but only one is deleted (the one created using 'mkdir'). It > > appears that the TNEF files are being unpacked into the > > '/var/spool/MailScanner/incoming' directory as specified. > > I suspect these temporary hold queue directories eventually get removed > when > > the associated MailScanner process that created them is killed and > > restarted. 
> > David, > > Can you please report the issue at > https://github.com/MailScanner/MailScanner/issues?state=open > > Stephen > > Done. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120718/12a615bc/attachment.html From rlopezcnm at gmail.com Thu Jul 19 21:53:50 2012 From: rlopezcnm at gmail.com (Robert Lopez) Date: Thu, 19 Jul 2012 14:53:50 -0600 Subject: Consequences of increasing email size from 16M to 25M Message-ID: We recently outsourced student email to a service that allows an email size up to 25 Mbytes. Our email gateways run postfix + MailScanner + SpamAssassin + clamd. They now direct employee email to an internal Exchange system and student email out to the service. Currently postfix has "message_size_limit = 16777216" and I believe I cannot simply change this to 26214400 without adversely affecting MailScanner, clamd, and especially SpamAssassin. I am most concerned about changing MailScanner.conf parameters such as TNEF Expander maxsize, ClamAVmodule Maximum File Size, Max Spam Check Size, Max SpamAssassin Size, etc. that are all now at default MailScanner values. Any suggestions of what would be best practice are solicited. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From dave at KD0YU.COM Thu Jul 19 23:20:02 2012 From: dave at KD0YU.COM (Dave Helton) Date: Thu, 19 Jul 2012 17:20:02 -0500 Subject: Consequences of increasing email size from 16M to 25M In-Reply-To: References: Message-ID: <77F23E6E4DE9084BA33755BA403E53FCF006A05397@S8.KD0YU.COM> I just gotta chime in on this, !!!!!!!!!!! email is NOT a file transfer system !!!!!!!! if I were in your shoes... 1) you have a 25m ceiling imposed by the outsourced entity, fine. 2) 15 to 20 meg seems to be the defacto standard, varies according to who's server your email goes through. 
(it's a courtesy thing) 3) your students have to send mail through your systems before they go anywhere, impose YOUR limit. bottom line... IMNSHO ... don't change a thing! --Dave Helton, KD0YU > -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner- > bounces at lists.mailscanner.info] On Behalf Of Robert Lopez > Sent: Thursday, July 19, 2012 3:54 PM > To: MailScanner discussion > Subject: Consequences of increasing email size from 16M to 25M > > We recently outsourced student email to a service that allows an email size > up to 25 Mbytes. > Our email gateways run postfix + MailScanner + SpamAssassin + clamd. > They now direct employee email to an internal Exchange system and student > email out to the service. > > Currently postfix has "message_size_limit = 16777216" and I believe > I cannot simply change this to 26214400 without adversely affecting > MailScanner, clamd, and especially SpamAssassin. > > I am most concerned about changing MailScanner.conf parameters such as > TNEF Expander maxsize, ClamAVmodule Maximum File Size, Max Spam > Check Size, Max SpamAssassin Size, etc. that are all now at default > MailScanner values. > > Any suggestions of what would be best practice are solicited. > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and dangerous content by > MailScanner at KD0YU.COM, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner at KD0YU.COM, and is believed to be clean. 
From dave at KD0YU.COM Thu Jul 19 23:30:05 2012 From: dave at KD0YU.COM (Dave Helton) Date: Thu, 19 Jul 2012 17:30:05 -0500 Subject: Consequences of increasing email size from 16M to 25M In-Reply-To: References: Message-ID: <77F23E6E4DE9084BA33755BA403E53FCF006A05398@S8.KD0YU.COM> I should also mention a nice piece of software I run for my clients... A file transfer system based 'around' email... http://freecode.com/projects/fffex --Dave > -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner- > bounces at lists.mailscanner.info] On Behalf Of Robert Lopez > Sent: Thursday, July 19, 2012 3:54 PM > To: MailScanner discussion > Subject: Consequences of increasing email size from 16M to 25M > > We recently outsourced student email to a service that allows an email size > up to 25 Mbytes. -- This message has been scanned for viruses and dangerous content by MailScanner at KD0YU.COM, and is believed to be clean. From maxsec at gmail.com Fri Jul 20 06:36:18 2012 From: maxsec at gmail.com (Martin Hepworth) Date: Fri, 20 Jul 2012 06:36:18 +0100 Subject: Consequences of increasing email size from 16M to 25M In-Reply-To: <77F23E6E4DE9084BA33755BA403E53FCF006A05398@S8.KD0YU.COM> References: <77F23E6E4DE9084BA33755BA403E53FCF006A05398@S8.KD0YU.COM> Message-ID: Or look at a zend.to install which can be integrated into mailscanner to strip out the attachments Martin On Thursday, 19 July 2012, Dave Helton wrote: > I should also mention a nice piece of software I run for my clients... > A file transfer system based 'around' email... 
> http://freecode.com/projects/fffex > > --Dave > > > -----Original Message----- > > From: mailscanner-bounces at lists.mailscanner.info [mailto: > mailscanner- > > bounces at lists.mailscanner.info ] On Behalf Of Robert Lopez > > Sent: Thursday, July 19, 2012 3:54 PM > > To: MailScanner discussion > > Subject: Consequences of increasing email size from 16M to 25M > > > > We recently outsourced student email to a service that allows an email > size > > up to 25 Mbytes. > > -- > This message has been scanned for viruses and dangerous content > by MailScanner at KD0YU.COM, and is believed to be clean. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120720/08c69f84/attachment.html From pinemail11 at gmail.com Fri Jul 20 12:29:24 2012 From: pinemail11 at gmail.com (Mail Admin) Date: Fri, 20 Jul 2012 16:59:24 +0530 Subject: mails sent in Japanese character are getting in special character Message-ID: Hi, We have configured MailScanner-4.84.3-1 in Centos 5.6. When we receive mails from japanese character it is getting converted to special character and not in readable format after scanned through Mailscanner. Kindly advice how to fix this. Thanks, Regards, PineMail11 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120720/485095f7/attachment.html

From Denis.Beauchemin at usherbrooke.ca Fri Jul 20 13:11:18 2012
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Fri, 20 Jul 2012 12:11:18 +0000
Subject: Consequences of increasing email size from 16M to 25M
In-Reply-To:
References:
Message-ID:

Robert,

Increasing the size of incoming messages will have no impact on your
MS/Clam/SA setup. Go ahead and accept bigger emails in Postfix and all
the rest will continue to work just fine.

Denis
______________________________
Denis Beauchemin
Technology Architect - Server Infrastructure
Information Technology Service
Université de Sherbrooke

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Robert Lopez
> Sent: July 19, 2012 17:08
> To: MailScanner discussion
> Subject: Consequences of increasing email size from 16M to 25M
>
> We recently outsourced student email to a service that allows an email size
> up to 25 Mbytes.
> Our email gateways run postfix + MailScanner + SpamAssassin + clamd.
> They now direct employee email to an internal Exchange system and student
> email out to the service.
>
> Currently postfix has "message_size_limit = 16777216" and I believe
> I cannot simply change this to 26214400 without adversely affecting
> MailScanner, clamd, and especially SpamAssassin.
>
> I am most concerned about changing MailScanner.conf parameters such as
> TNEF Expander maxsize, ClamAVmodule Maximum File Size, Max Spam
> Check Size, Max SpamAssassin Size, etc. that are all now at default
> MailScanner values.
>
> Any suggestions of what would be best practice are solicited.
> > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From mailinglists at tbits.net Fri Jul 20 15:42:03 2012 From: mailinglists at tbits.net (Mailingliste TBits.net GmbH) Date: Fri, 20 Jul 2012 16:42:03 +0200 Subject: MailScanner with sendmail logs bad Return-Path Message-ID: <20120720164203.12035x6w7w2f0h8o@kolab.tbits.net> Hello, we have some problems with the Return-Path Header of incoming Mails. We are using CentOS release 5.5 (Final), MailScanner version 4.84.5 with Perl version 5.008008 (5.8.8), and our MTA is sendmail. All Mails has the same entry in the Message Headers: "Return-Path: " The config of sendmail is almost default. If we comment out the line 612 in our sendmail.cf (H?P?Return-Path: <$g>) for the sqi there will no Return-Path Header in the Message Headers logged. I think this is a Problem between MailScanner and Sendmail. How can I let MailScanner log the right Return-Path? Thanks, Daniel Hintermeier, TBits.net GmbH ---------------------------------------------------------------- Diese Nachricht wurde versandt mit Webmail von www.tbits.net. This message was sent using webmail of www.tbits.net. From rlopezcnm at gmail.com Fri Jul 20 16:50:28 2012 From: rlopezcnm at gmail.com (Robert Lopez) Date: Fri, 20 Jul 2012 09:50:28 -0600 Subject: Consequences of increasing email size from 16M to 25M In-Reply-To: References: Message-ID: Thank you to every one who replied. Dave and Martin, We do have a file transfer system. Denis, Thank you, I will trust you are correct and proceed to build a test system and verify. 
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From maxsec at gmail.com Fri Jul 20 17:40:38 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 20 Jul 2012 17:40:38 +0100
Subject: mails sent in Japanese character are getting in special character
In-Reply-To:
References:
Message-ID:

Do you have an example with the before and after headers?

Martin

On Friday, 20 July 2012, Mail Admin wrote:

> Hi,
>
> We have configured MailScanner-4.84.3-1 in CentOS 5.6.
>
> When we receive mails in Japanese characters, they get converted to
> special characters and are not in a readable format after being scanned
> through MailScanner.
>
> Kindly advise how to fix this.
>
> Thanks,
> Regards,
> PineMail11
>

--
--
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120720/9f4ef798/attachment.html

From uxbod at splatnix.net Tue Jul 24 16:53:03 2012
From: uxbod at splatnix.net (Phil Daws)
Date: Tue, 24 Jul 2012 16:53:03 +0100 (BST)
Subject: Excessive temporary files
Message-ID: <1292766954.23176.1343145183595.JavaMail.root@splatnix.net>

Hello all,

am running MailScanner-4.84.5-2 and have found that under /var/spool/MailScanner/incoming/SpamAssassin-Temp there is a huge build up of tmp.??????? and MailScanner.????? files. The latter I have resolved by changing /usr/lib/MailScanner/MailScanner/CustomFunctions/Ruleset-from-Function.pm line 34 from:

    my($tmpfh, $tmpfilename) = tempfile("MailScanner.XXXXXX", TMPDIR => 1, UNLINK => 0);

to:

    my($tmpfh, $tmpfilename) = tempfile("MailScanner.XXXXXX", TMPDIR => 1, UNLINK => 1);

which means that if the daemon dies it will clean up the temporary file.

Any thoughts on the tmp.??????? ones as I have scanned the code for tempfile() calls plus tmpfile() and cannot find where they are generated. I think they may be coming from SA.pm.
--
Thanks, Phil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120724/a2ff4f37/attachment.html

From vincent at pearleyes.org Wed Jul 25 15:16:39 2012
From: vincent at pearleyes.org (Vincent Naïnemoutou)
Date: Wed, 25 Jul 2012 16:16:39 +0200
Subject: MS don't process or filter/quarantine attachments anymore.]
Message-ID:

Hi everybody,

I am Vincent and have run MS on my mail gateways for years with satisfaction, and have acquired a good level of knowledge until now.

I moved my current mail gateways to new machines and a new version, and noticed that MS does not quarantine attachments anymore. Nothing in the quarantine directory for days, confirmed by specific tests.

I tried several configuration options with the filename.rules.conf and also denying directly in the "Deny Filenames" parameter without any success, and also checked permissions on directories, etc. Attachments are just going through and are delivered.

My config is: CentOS 6.2, postfix-2.8.9, MailScanner-4.84.5-2, clamav-0.97.4-1, Mail-SpamAssassin-3.3.2.

I have been careful at installation time and checked all the output, including for Perl modules. There are no serious differences between the new MailScanner.conf file and the older one except the new MS parameters.

I have checked everything (I think) in the configuration files, all related file type and file name rules, read the book again :), and searched a lot on the web and can't identify any similarity.

Except the version numbers, what is different in my install is that I won't be able to get the whole thing working using the SA-Clamav tarball, probably due to the Perl bug even with the last MS version. I have finally installed SpamAssassin from the source package, and ClamAV from the RPM package. BTW, they both are working fine.

I have 2 mail gateways with the same configuration, the same behaviour.
I installed one from scratch, and my colleague did the other one also from scratch, but with the document I wrote.

My next steps are:
- To clone one of the gateways and run MS in debug mode, so that I can see what is happening.
- Run MS with perl -U !?
- Restore the old version :(

In the meantime, do you have any idea?

Thank you in advance for any suggestion.

Cheers, and sorry for this long email.

--Vincent N

Some data:
(Some information has been anonymised)

Logs for big file:
Attachment name: vntest2.pps

Jul 25 13:30:42 malgw10 MailScanner[29373]: Message A99FA86A820.ACB13 from 217.117.157.120 (vincent at p.o) to l.c is too big for spam checks (903414 > 400000 bytes)

Log for small file:
Attachment name: test2.pps

Jul 25 15:33:56 mailgw9 MailScanner[14148]: Message B057EB06382.ABB8F from 217.117.157.120 (vincent at p.o) to l.c is n'est pas un polluriel, SpamAssassin (not cached, score=-1.9, requis 3, autolearn=not spam, BAYES_00 -1.90)

# MailScanner -lint
===========================================
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 869 hostnames from the phishing whitelist
Read 6572 hostnames from the phishing blacklists
Checking version numbers...
Version number in MailScanner.conf (4.84.5) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (500)
MailScanner setting UID to (500)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
./1/eicar.com: Eicar-Test-Signature FOUND
Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf

filename.rules.conf
========================
.....
# regardless of the final extension.
deny    .{150,}    Very long filename, possible OE attack    Very long filenames are good signs of attacks against Microsoft e-mail packages

# JKF 10/08/2007 Adobe Acrobat nastiness
# JKF 04/01/2005 More Microsoft security vulnerabilities
deny    \.ico$    Windows icon file security vulnerability    Possible buffer overflow in Windows
deny    \.ani$    Windows animated cursor file security vulnerability    Possible buffer overflow in Windows
deny    \.cur$    Windows cursor file security vulnerability    Possible buffer overflow in Windows
#deny    \.hlp$    Windows help file security vulnerability    Possible buffer overflow in Windows
.....
deny    \.pls$    Unauthorized files    Unauthorized multimedia file
deny    \.pps$    Unauthorized files    Unauthorized multimedia file
deny    \.qt$    Unauthorized files    Unauthorized multimedia file
deny    \.qtx$    Unauthorized files    Unauthorized multimedia file
.....

MailScanner.conf
===============================
...
Max Children = 10
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 6
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 7200
MTA = postfix
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600
Quarantine User =
Quarantine Group = apache
Quarantine Permissions = 0660
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Scan Messages = yes
Reject Message = no
Maximum Processing Attempts = 6
Processing Attempts Database = /var/spool/MailScanner/incoming/Processing.db
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File Command = /usr/bin/file
File Timeout = 120
Gunzip Command = /bin/gunzip
Gunzip Timeout = 50
Unrar Command = /usr/local/bin/unrar
Unrar Timeout = 50
Find UU-Encoded Files = no
Maximum Message Size = %rules-dir%/max.message.size.rules
Maximum Attachment Size = -1
Minimum Attachment Size = -1
Maximum Archive Depth = 20
Find Archives By Content = yes
Unpack Microsoft Documents = yes
Zip Attachments = no
Attachments Zip Filename = MessageAttachments.zip
Attachments Min Total Size To Zip = 100k
Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
Add Text Of Doc = no
Antiword = /usr/bin/antiword -f
Antiword Timeout = 50
Unzip Maximum Files Per Archive = 0
Unzip Maximum File Size = 50k
Unzip Filenames = *.txt *.ini *.log *.csv
Unzip MimeType = text/plain
Virus Scanning = yes
Virus Scanners = clamav
Virus Scanner Timeout = 300
Deliver Disinfected Files = no
...
Convert HTML To Text = no
Archives Are = zip rar ole
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
Archives: Allow Filenames =
Archives: Deny Filenames =
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
Archives: Allow Filetypes =
Archives: Allow File MIME Types =
Archives: Deny Filetypes =
Archives: Deny File MIME Types =
Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
Default Rename Pattern = __FILENAME__.disarmed
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
....
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120725/51522136/attachment.html

From richard.coombe at taffhousing.co.uk Thu Jul 26 10:00:41 2012
From: richard.coombe at taffhousing.co.uk (Richard Coombe)
Date: Thu, 26 Jul 2012 09:00:41 +0000
Subject: Odd atachment blocking issue
Message-ID: <0427164E24A7BE458A5A26E2F4EA7357037576D0@taff-mail2.taffhousing.local>

Hi,

Got an issue whereby if Sender1 sends a mail with attachment to Recipient1 the attachment is blocked, with the message:

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "winmail.dat"
was believed to be infected by a virus and has been replaced by this warning message.

If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call.

At Thu Jul 19 09:50:02 2012 the virus scanner said:
   Could not parse Outlook Rich Text attachment

Note to Help Desk: Look on the Taff () MailScanner in /var/spool/MailScanner/quarantine/20120719 (message AC4EA81B55.A3BA3).
But the message is CCed to Recipient2 and the attachment gets through. This behaviour is consistent when Sender1 sends emails to Recipient1 and then forwards the failed message or CCs to Recipient2.

The blocked attachment is showing up as

MIME Type: application/ms-tnef

but on the CC'd email it's

MIME Type: application/vnd.ms-excel

Any thoughts on where to start looking for problems? I can sort of see what's happening but I can't figure out why the behaviour is different from one recipient to the next.

Mailscanner - 4.74.16 (yeah yeah, I know, but I'm using Ubuntu packages)
Postfix - 2.8.5-2~build0.10.04
TNEF - 1.4.9

Cheers,
Richard

IT Manager

Address: Alexandra House 307-315 Cowbridge Road East Cardiff CF5 1JD
Phone: 02920259182 07966807318
Fax: 02920259199
Web:

THINK BEFORE YOU PRINT!
________________________________
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. Please consider the environment before printing this email. Any views or other information in this message which do not relate to our business are not authorised by us, nor does this message form part of any contract unless so stated.
Taff Housing Association - www.taffhousing.co.uk - A Charitable Housing Association registered under the Industrial and Provident Societies Acts 1965 No. 21408R. Registered by The National Assembly for Wales No. L009. Registered address: Alexandra House, 307-315 Cowbridge Road East, Cardiff CF5 1JD. VAT Registration Number: 869 8405 65.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120726/83074e97/attachment.html