Difference in MailScanner behaviour between Ubuntu 10.04 LTS and 12.04 LTS

Martijn mailinglist at mindconnect.nl
Mon Jun 16 10:45:10 IST 2014 

For the record:
This install of MailScanner on Ubuntu 10.04 LTS has been functioning 
without any noticable problems (except for the notification mails) or 
errors in the logs for about 2 years now, and that is without the perl 
-U switch.

Should I've noticed anything else with this parameter missing? This may 
lead to me writing more tests to ensure proper functioning.

Thanks,
- Martijn

On 16-6-2014 1:58, Jerry Benton wrote:
> Did you add the -U option to your /usr/sbin/MailScanner?
>
> #!/usr/bin/perl -U -I/usr/share/MailScanner/
>
> -
> Jerry Benton
> www.mailborder.com <http://www.mailborder.com>
>
>
>
> On Jun 16, 2014, at 1:17 AM, Martijn <mailinglist at mindconnect.nl
> <mailto:mailinglist at mindconnect.nl>> wrote:
>
>> I'm running tests for upgrading a system to a newer version of Ubuntu
>> LTS, and during my tests I found a difference in behaviour between the
>> MailScanner I have on 10.04 LTS and the one that's on 12.04 LTS.
>>
>> The 12.04 LTS system is an upgraded install of a copy of the 10.04 LTS
>> install. MailScanner version is: 4.84.5 from the apt.baruwa.org
>> <http://apt.baruwa.org>
>> repository, both before and after the upgrade.
>>
>> The MailScanner configuration between the two systems is completely
>> identical. MailScanner --debug --lint shows no issues.
>>
>>
>> I've found two seperate issues:
>>
>> Issue #1: The install on 10.04 doesn't send blocked filename
>> notifications but the install on 12.04 does.
>>
>> Deny Filenames list is configured as:
>> Deny Filenames = \.com$ \.exe$ \.msi$ \.pif$ \.bat$ \.cpl$ \.vbs$ \.vb$
>> \.scr$ \.dll$ \.reg$
>>
>> And:
>> Notify Senders Of Blocked Filenames Or Filetypes = yes
>>
>> On 10.04, when sending an eicar test file, the mail is considered to
>> contain a virus and therefor deleted. No notification mail is sent,
>> although the configuration would suggest it should. The logs say this:
>>
>> New Batch: Scanning 1 messages, 1965 bytes
>> Virus and Content Scanning: Starting
>> Clamd::INFECTED::Eicar-Test-Signature :: ./DECEF36C443.ACC6F/
>> Virus Scanning: Clamd found 1 infections
>> Infected message DECEF36C443.ACC6F came from 195.241.145.230
>> Virus Scanning: Found 1 viruses
>> Virus Scanning completed at 10980 bytes per second
>> Saved entire message to
>> /var/spool/MailScanner/quarantine/20140616/DECEF36C443.ACC6F
>> Spam Checks: Starting
>> Message DECEF36C443.ACC6F from 195.241.145.230 (victim at testdomain.ext
>> <mailto:victim at testdomain.ext>)
>> to testdomain.ext is not spam, SpamAssassin (not cached, score=-3.228,
>> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL -0.33, BAYES_00
>> -1.90)
>> Spam Checks completed at 271 bytes per second
>> Cleaned: Delivered 1 cleaned messages
>> Deleted 1 messages from processing-database
>> Batch completed at 264 bytes per second (1965 / 7)
>> Batch (1 message) processed in 7.42 seconds
>>
>> After upgrading to 12.04, the difference in behaviour is that
>> MailScanner now suddenly DOES sends a notification message to notify of
>> a deleted attachment. The log now has this:
>>
>> New Batch: Scanning 1 messages, 1841 bytes
>> Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com
>> <http://eicar.com>)
>> Other Checks: Found 1 problems
>> Virus and Content Scanning: Starting
>> Clamd::INFECTED::Eicar-Test-Signature :: ./7CE27442AE.AFD34/
>> Virus Scanning: Clamd found 1 infections
>> Infected message 7CE27442AE.AFD34 came from 10.0.3.2
>> Virus Scanning: Found 1 viruses
>> Virus Scanning completed at 2784 bytes per second
>> Saved entire message to
>> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
>> Saved infected "eicar.com <http://eicar.com>" to
>> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
>> Spam Checks: Starting
>> Expired 1 records from the SpamAssassin cache
>> Message 7CE27442AE.AFD34 from 10.0.3.2 (victim at testdomain.ext
>> <mailto:victim at testdomain.ext>) to
>> testdomain.ext is not spam, SpamAssassin (not cached, score=-0.879,
>> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.12)
>> Spam Checks completed at 209 bytes per second
>> Requeue: 7CE27442AE.AFD34 to 0BD61442B7
>> Cleaned: Delivered 1 cleaned messages
>> Virus Processing completed at 3872 bytes per second
>> Deleted 1 messages from processing-database
>> Batch completed at 185 bytes per second (1841 / 9)
>> Batch (1 message) processed in 9.92 seconds
>>
>> Notice the "Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34
>> eicar.com <http://eicar.com>)". This notice wasn't there on 10.04 LTS.
>>
>> Question: does anyone know what the cause of this difference in
>> behaviour is, as the MailScanner version and configuration are the same?
>>
>> Issue #2:
>> So, notifications are sent on 12.04, but:
>> The option called "Notify Senders Of Blocked Filenames Or Filetypes"
>> doesn't send a notification to the sender. It sends the notification to
>> the _receiver_ of the message.
>>
>> Questions: Is this expected behaviour and should all those options
>> actually be called 'Notify Recipient *' or am I missing something here ;-)
>>
>> Thanks,
>> - Martijn
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> <mailto:mailscanner at lists.mailscanner.info>
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>
>
>

More information about the MailScanner mailing list