MailScanner Digest, Vol 98, Issue 16

Tiago Eduardo Zacarias tiago at tiagoti.com.br
Fri Feb 28 15:00:24 GMT 2014


My policy in MailScanner does not block .exe file types. Has anyone 
gone through this problem? I use postfix + MailScanner + clamd.


On 28-02-2014 09:00, mailscanner-request at lists.mailscanner.info wrote:
> Today's Topics:
>
>     1. Re: Rules for letters with attachments (Steve Basford)
>     2. Re: Rules for letters with attachments (Valentin Laskov)
>     3. RE: Treat Invalid Watermarks with No Sender as Spam
>        (Shawn Iverson)
>     4. RE: Treat Invalid Watermarks with No Sender as Spam (Kevin Miller)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 27 Feb 2014 12:10:18 -0000
> From: "Steve Basford" <steveb_clamav at sanesecurity.com>
> Subject: Re: Rules for letters with attachments
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Message-ID:
> 	<c50ad2d425a5584902e83abcebe458bb.squirrel at sirius.servers.eqx.misp.co.uk>
> 	
> Content-Type: text/plain;charset=iso-8859-1
>
>
>> Hi all,
>>
>> Recently my mail servers receive many emails with .exe files attached.
>> These files are actually viruses but ClamAV still does not
>> recognize them.
> Are you using the official signatures only on ClamAV or Third-Party ones
> as well:
>
> http://sanesecurity.com/usage/linux-scripts/
> http://sanesecurity.com/foxhole-databases/
>
> If you want to discuss, off-list...
>
> Cheers,
>
> Steve
> Sanesecurity.com
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 27 Feb 2014 15:27:31 +0200
> From: "Valentin Laskov" <it at festa.bg>
> Subject: Re: Rules for letters with attachments
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Message-ID: <58117357EE8F4C56BE929973D4D6CA13 at festa.bg>
> Content-Type: text/plain;	charset="ISO-8859-1"
>
> Hi Jerry, Hi Steve,
>
> First of all, thank you for your answers!
>
> Jerry, in this case I don't care for senders and yes, in my MailScanner.conf
> Notify Senders Of Viruses = no
> I can set
> Notify Senders Of Blocked Filenames Or Filetypes = yes
> to NO but this is not my aim. I would like to protect recipients from unnecessary letters.
> MailScanner and Clamd work well and other files are detected as viruses.
>
> Steve, I'm using the official ClamAV signatures only. I looked at the descriptions of Foxhole databases, but their action if I'm not
> wrong, covers the operation of MailScanner or are not intended for new .exe viruses.
>
> I attached a Bad Filename Detected report below.
>
> Cheers,
> Valentin
>
> The following e-mails were found to have: Bad Filename Detected
>
>      Sender: brunchskt1 at gmail.com
> IP Address: 71.59.80.26
>   Recipient: kkkkk at festa.bg
>     Subject: image Id 942349204-PicL7674 TYPE==MMS
>   MessageID: s1RDGcHS022468
> Quarantine: /var/spool/MailScanner/quarantine/20140227/s1RDGcHS022468
>      Report: MailScanner: Executable DOS/Windows programs are dangerous in email (IMG000006371.exe)
>              No programs allowed (IMG000006371.exe)
>      Report: MailScanner: Executable DOS/Windows programs are dangerous in email (IMG000006371.exe)
>              No programs allowed (IMG000006371.exe)
>
> Full headers are:
>
>   Return-Path: <g>
>   Received: from c-71-59-80-26.hsd1.nj.comcast.net (c-71-59-80-26.hsd1.nj.comcast.net [71.59.80.26])
>    by mail.festa.bg (8.14.1/8.14.1) with ESMTP id s1RDGcHS022468
>    for <kkkkk at festa.bg>; Thu, 27 Feb 2014 15:16:40 +0200
>   Received: from apache by leebenbbgnccfghb. with local (Exim 4.63)
>    (envelope-from <gearkff3 at yahoo.com>)
>    id 1EKF1Z-S649PO-22
>    for <kkkkk at festa.bg>; Thu, 27 Feb 2014 08:16:39 -0500
>   To: <kkkkk at festa.bg>
>   Subject: image Id 942349204-PicL7674 TYPE==MMS
>   Date: Thu, 27 Feb 2014 08:16:39 -0500
>   From: mms.service9105 at mms.Vodafone.co.uk
>   Message-ID: <07DB53C2B8DB8357FB60848BC4946124 at leebenbbgnccfghb.>
>   X-Priority: 3
>   X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
>   MIME-Version: 1.0
>   Content-Type: multipart/alternative;
>    boundary="------------01050100901040406020602"
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 27 Feb 2014 10:11:51 -0500
> From: "Shawn Iverson" <IversonS at rushville.k12.in.us>
> Subject: RE: Treat Invalid Watermarks with No Sender as Spam
> To: "'MailScanner discussion'" <mailscanner at lists.mailscanner.info>
> Message-ID: <530F0F67020000D50004E267 at mail.rushville.k12.in.us>
> Content-Type: text/plain; charset="us-ascii"
>
> Setting to a low score has helped immensely.  Messages are still getting caught by the other algorithms while allowing legit emails through.
>   
> I will make a feature request, though.
>   
> It appears in the MailScanner code that when Treat Invalid Watermarks with No Sender As Spam equals anything spam or higher, further rule processing is halted.  This is taking precedence over whitelisting/blacklisting and probably should not.
>
>   
> Shawn Iverson
> Rush County Schools
> District Technology Coordinator
> iversons at rushville.k12.in.us
>>>> "Shawn Iverson" <IversonS at rushville.k12.in.us> 2/26/2014 7:02 PM >>>
> Just set a numeric...will observe and see what happens.
>
>   
> Shawn Iverson
> Rush County Schools
> District Technology Coordinator
> iversons at rushville.k12.in.us
>>>> Kevin Miller <Kevin_Miller at ci.juneau.ak.us> 2/26/2014 6:48 PM >>>
>> When I disable the Treat Invalid Watermarks With No Sender as Spam, the messages do pass through just fine.
> What happens when you assign it a numeric value?
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357
>
>
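
A way to check why a filename rule set lets an .exe through, as an added example that is not part of the original post and not MailScanner's own code: it models first-match evaluation of tab-separated filename rules (action, regex, log text, user report). The rule lines are constructed samples, the `allow` rule is hypothetical, case-insensitive matching and the skipping of malformed lines are assumptions, and filetype rules are not modelled.

```python
import re

def parse_rules(text):
    """Return (rules, malformed); each rule is (line_no, action, regex, report)."""
    rules, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        fields = re.split(r"\t+", line.strip())
        if len(fields) != 4:
            malformed.append(n)  # e.g. spaces typed where tabs are required
            continue
        action, pattern, _log_text, report = fields
        # Assumption: patterns are matched case-insensitively.
        rules.append((n, action.lower(), re.compile(pattern, re.I), report))
    return rules, malformed

def verdict(rules, filename):
    """First matching rule wins; a file that matches nothing is allowed."""
    for n, action, rx, report in rules:
        if rx.search(filename):
            return action, n, report
    return "allow", None, ""

# Constructed sample rules (not taken from any real server).
EXE_DENY = ("deny\t\\.exe$\tWindows/DOS Executable\t"
            "Executable DOS/Windows programs are dangerous in email")
IMG_ALLOW = "allow\t^IMG\\d+\\.\tCamera images\tCamera images"  # hypothetical

SHADOWED = IMG_ALLOW + "\n" + EXE_DENY      # broad allow listed before the deny
FIXED = EXE_DENY + "\n" + IMG_ALLOW         # deny listed first
SPACES = EXE_DENY.replace("\t", "    ")     # tabs lost in an editor

if __name__ == "__main__":
    for name, text in (("shadowed", SHADOWED), ("fixed", FIXED), ("spaces", SPACES)):
        rules, bad = parse_rules(text)
        print(name, verdict(rules, "IMG000006371.exe"), "malformed lines:", bad)
```
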


