Difference in MailScanner behaviour between Ubuntu 10.04 LTS and 12.04 LTS

Jerry Benton jerry.benton at mailborder.com
Mon Jun 16 00:58:29 IST 2014 

Did you add the -U option to your /usr/sbin/MailScanner?

#!/usr/bin/perl -U -I/usr/share/MailScanner/

-
Jerry Benton
www.mailborder.com



On Jun 16, 2014, at 1:17 AM, Martijn <mailinglist at mindconnect.nl> wrote:

> I'm running tests for upgrading a system to a newer version of Ubuntu 
> LTS, and during my tests I found a difference in behaviour between the 
> MailScanner I have on 10.04 LTS and the one that's on 12.04 LTS.
> 
> The 12.04 LTS system is an upgraded install of a copy of the 10.04 LTS 
> install. MailScanner version is: 4.84.5 from the apt.baruwa.org 
> repository, both before and after the upgrade.
> 
> The MailScanner configuration between the two systems is completely 
> identical. MailScanner --debug --lint shows no issues.
> 
> 
> I've found two seperate issues:
> 
> Issue #1: The install on 10.04 doesn't send blocked filename 
> notifications but the install on 12.04 does.
> 
> Deny Filenames list is configured as:
> Deny Filenames = \.com$ \.exe$ \.msi$ \.pif$ \.bat$ \.cpl$ \.vbs$ \.vb$ 
> \.scr$ \.dll$ \.reg$
> 
> And:
> Notify Senders Of Blocked Filenames Or Filetypes = yes
> 
> On 10.04, when sending an eicar test file, the mail is considered to 
> contain a virus and therefor deleted. No notification mail is sent, 
> although the configuration would suggest it should. The logs say this:
> 
> New Batch: Scanning 1 messages, 1965 bytes
> Virus and Content Scanning: Starting
> Clamd::INFECTED::Eicar-Test-Signature :: ./DECEF36C443.ACC6F/
> Virus Scanning: Clamd found 1 infections
> Infected message DECEF36C443.ACC6F came from 195.241.145.230
> Virus Scanning: Found 1 viruses
> Virus Scanning completed at 10980 bytes per second
> Saved entire message to 
> /var/spool/MailScanner/quarantine/20140616/DECEF36C443.ACC6F
> Spam Checks: Starting
> Message DECEF36C443.ACC6F from 195.241.145.230 (victim at testdomain.ext) 
> to testdomain.ext is not spam, SpamAssassin (not cached, score=-3.228, 
> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL -0.33, BAYES_00 
> -1.90)
> Spam Checks completed at 271 bytes per second
> Cleaned: Delivered 1 cleaned messages
> Deleted 1 messages from processing-database
> Batch completed at 264 bytes per second (1965 / 7)
> Batch (1 message) processed in 7.42 seconds
> 
> After upgrading to 12.04, the difference in behaviour is that 
> MailScanner now suddenly DOES sends a notification message to notify of 
> a deleted attachment. The log now has this:
> 
> New Batch: Scanning 1 messages, 1841 bytes
> Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::INFECTED::Eicar-Test-Signature :: ./7CE27442AE.AFD34/
> Virus Scanning: Clamd found 1 infections
> Infected message 7CE27442AE.AFD34 came from 10.0.3.2
> Virus Scanning: Found 1 viruses
> Virus Scanning completed at 2784 bytes per second
> Saved entire message to 
> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
> Saved infected "eicar.com" to 
> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
> Spam Checks: Starting
> Expired 1 records from the SpamAssassin cache
> Message 7CE27442AE.AFD34 from 10.0.3.2 (victim at testdomain.ext) to 
> testdomain.ext is not spam, SpamAssassin (not cached, score=-0.879, 
> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.12)
> Spam Checks completed at 209 bytes per second
> Requeue: 7CE27442AE.AFD34 to 0BD61442B7
> Cleaned: Delivered 1 cleaned messages
> Virus Processing completed at 3872 bytes per second
> Deleted 1 messages from processing-database
> Batch completed at 185 bytes per second (1841 / 9)
> Batch (1 message) processed in 9.92 seconds
> 
> Notice the "Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 
> eicar.com)". This notice wasn't there on 10.04 LTS.
> 
> Question: does anyone know what the cause of this difference in 
> behaviour is, as the MailScanner version and configuration are the same?
> 
> Issue #2:
> So, notifications are sent on 12.04, but:
> The option called "Notify Senders Of Blocked Filenames Or Filetypes" 
> doesn't send a notification to the sender. It sends the notification to 
> the _receiver_ of the message.
> 
> Questions: Is this expected behaviour and should all those options 
> actually be called 'Notify Recipient *' or am I missing something here ;-)
> 
> Thanks,
> - Martijn
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140616/9be0dab1/attachment.html

More information about the MailScanner mailing list