Difference in MailScanner behaviour between Ubuntu 10.04 LTS and 12.04 LTS
Jerry Benton
jerry.benton at mailborder.com
Mon Jun 16 12:28:15 IST 2014
It is after 5.10.
http://lists.mailscanner.info/pipermail/mailscanner/2011-May/097870.html
On Mon, Jun 16, 2014 at 11:45 AM, Martijn <mailinglist at mindconnect.nl>
wrote:
> For the record:
> This install of MailScanner on Ubuntu 10.04 LTS has been functioning
> without any noticeable problems (except for the notification mails) or
> errors in the logs for about 2 years now, and that is without the perl
> -U switch.
>
> Should I have noticed anything else with this parameter missing? This may
> lead to me writing more tests to ensure proper functioning.
>
> Thanks,
> - Martijn
>
> On 16-6-2014 1:58, Jerry Benton wrote:
> > Did you add the -U option to your /usr/sbin/MailScanner?
> >
> > #!/usr/bin/perl -U -I/usr/share/MailScanner/
> >
> > -
> > Jerry Benton
> > www.mailborder.com
> >
> >
> >
> > On Jun 16, 2014, at 1:17 AM, Martijn <mailinglist at mindconnect.nl> wrote:
> >
> >> I'm running tests for upgrading a system to a newer version of Ubuntu
> >> LTS, and during my tests I found a difference in behaviour between the
> >> MailScanner I have on 10.04 LTS and the one that's on 12.04 LTS.
> >>
> >> The 12.04 LTS system is an upgraded install of a copy of the 10.04 LTS
> >> install. MailScanner version is: 4.84.5 from the apt.baruwa.org
> >> repository, both before and after the upgrade.
> >>
> >> The MailScanner configuration between the two systems is completely
> >> identical. MailScanner --debug --lint shows no issues.
> >>
> >>
> >> I've found two separate issues:
> >>
> >> Issue #1: The install on 10.04 doesn't send blocked filename
> >> notifications but the install on 12.04 does.
> >>
> >> Deny Filenames list is configured as:
> >> Deny Filenames = \.com$ \.exe$ \.msi$ \.pif$ \.bat$ \.cpl$ \.vbs$ \.vb$
> >> \.scr$ \.dll$ \.reg$
> >>
> >> And:
> >> Notify Senders Of Blocked Filenames Or Filetypes = yes
> >>
> >> On 10.04, when sending an eicar test file, the mail is considered to
> >> contain a virus and therefore deleted. No notification mail is sent,
> >> although the configuration would suggest it should. The logs say this:
> >>
> >> New Batch: Scanning 1 messages, 1965 bytes
> >> Virus and Content Scanning: Starting
> >> Clamd::INFECTED::Eicar-Test-Signature :: ./DECEF36C443.ACC6F/
> >> Virus Scanning: Clamd found 1 infections
> >> Infected message DECEF36C443.ACC6F came from 195.241.145.230
> >> Virus Scanning: Found 1 viruses
> >> Virus Scanning completed at 10980 bytes per second
> >> Saved entire message to
> >> /var/spool/MailScanner/quarantine/20140616/DECEF36C443.ACC6F
> >> Spam Checks: Starting
> >> Message DECEF36C443.ACC6F from 195.241.145.230 (victim at testdomain.ext)
> >> to testdomain.ext is not spam, SpamAssassin (not cached, score=-3.228,
> >> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL -0.33, BAYES_00
> >> -1.90)
> >> Spam Checks completed at 271 bytes per second
> >> Cleaned: Delivered 1 cleaned messages
> >> Deleted 1 messages from processing-database
> >> Batch completed at 264 bytes per second (1965 / 7)
> >> Batch (1 message) processed in 7.42 seconds
> >>
> >> After upgrading to 12.04, the difference in behaviour is that
> >> MailScanner now suddenly DOES send a notification message to notify of
> >> a deleted attachment. The log now has this:
> >>
> >> New Batch: Scanning 1 messages, 1841 bytes
> >> Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com)
> >> Other Checks: Found 1 problems
> >> Virus and Content Scanning: Starting
> >> Clamd::INFECTED::Eicar-Test-Signature :: ./7CE27442AE.AFD34/
> >> Virus Scanning: Clamd found 1 infections
> >> Infected message 7CE27442AE.AFD34 came from 10.0.3.2
> >> Virus Scanning: Found 1 viruses
> >> Virus Scanning completed at 2784 bytes per second
> >> Saved entire message to
> >> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
> >> Saved infected "eicar.com" to
> >> /var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
> >> Spam Checks: Starting
> >> Expired 1 records from the SpamAssassin cache
> >> Message 7CE27442AE.AFD34 from 10.0.3.2 (victim at testdomain.ext) to
> >> testdomain.ext is not spam, SpamAssassin (not cached, score=-0.879,
> >> required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.12)
> >> Spam Checks completed at 209 bytes per second
> >> Requeue: 7CE27442AE.AFD34 to 0BD61442B7
> >> Cleaned: Delivered 1 cleaned messages
> >> Virus Processing completed at 3872 bytes per second
> >> Deleted 1 messages from processing-database
> >> Batch completed at 185 bytes per second (1841 / 9)
> >> Batch (1 message) processed in 9.92 seconds
> >>
> >> Notice the "Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34
> >> eicar.com)". This notice wasn't there on 10.04 LTS.
> >>
> >> Question: does anyone know what the cause of this difference in
> >> behaviour is, as the MailScanner version and configuration are the same?
> >>
> >> Issue #2:
> >> So, notifications are sent on 12.04, but:
> >> The option called "Notify Senders Of Blocked Filenames Or Filetypes"
> >> doesn't send a notification to the sender. It sends the notification to
> >> the _receiver_ of the message.
> >>
> >> Questions: Is this expected behaviour and should all those options
> >> actually be called 'Notify Recipient *' or am I missing something here ;-)
> >>
> >> Thanks,
> >> - Martijn
> >> --
> >> MailScanner mailing list
> >> mailscanner at lists.mailscanner.info
> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>
> >> Before posting, read http://wiki.mailscanner.info/posting
> >>
> >> Support MailScanner development - buy the book off the website!
> >
> >
> >
--
Jerry Benton
Mailborder Systems
www.mailborder.com
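
The kind of regression test mentioned in the thread, as an added example that is not part of any poster's message and is not MailScanner code: it reads MailScanner log lines in the format quoted above and flags messages whose attachment name matches the Deny Filenames list but produced no "Filename Checks" entry. Assumptions: the test attachment was named eicar.com in both runs, Python's re module stands in for MailScanner's Perl regex matching, and the function names are hypothetical.

```python
import re

# Deny Filenames value as quoted in the thread (space-separated regexes).
DENY_FILENAMES = (r"\.com$ \.exe$ \.msi$ \.pif$ \.bat$ \.cpl$ \.vbs$ \.vb$ "
                  r"\.scr$ \.dll$ \.reg$").split()

# Log excerpts re-typed from the thread with wrapped lines joined (constructed input).
LOG_1004 = """\
New Batch: Scanning 1 messages, 1965 bytes
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./DECEF36C443.ACC6F/
Virus Scanning: Clamd found 1 infections
Cleaned: Delivered 1 cleaned messages
"""
LOG_1204 = """\
New Batch: Scanning 1 messages, 1841 bytes
Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com)
Other Checks: Found 1 problems
Clamd::INFECTED::Eicar-Test-Signature :: ./7CE27442AE.AFD34/
Virus Scanning: Clamd found 1 infections
"""

FILENAME_HIT = re.compile(r"Filename Checks: Blocked Filename Detected \((\S+) (.+)\)")
VIRUS_HIT = re.compile(r"Clamd::INFECTED::(\S+) :: \./([^/]+)/")

def checks_by_message(log_text):
    """Map message id -> set of checks ('filename', 'virus') that logged a hit."""
    hits = {}
    for line in log_text.splitlines():
        if m := FILENAME_HIT.search(line):
            hits.setdefault(m.group(1), set()).add("filename")
        elif m := VIRUS_HIT.search(line):
            hits.setdefault(m.group(2), set()).add("virus")
    return hits

def is_denied(filename):
    """True if the attachment name matches any Deny Filenames regex."""
    return any(re.search(p, filename) for p in DENY_FILENAMES)

def missing_filename_block(log_text, sent):
    """sent: message id -> attachment name the test mailed (assumed known).
    Returns ids whose attachment is denied but logged no Filename Checks hit."""
    hits = checks_by_message(log_text)
    return sorted(mid for mid, name in sent.items()
                  if is_denied(name) and "filename" not in hits.get(mid, set()))

if __name__ == "__main__":
    print(missing_filename_block(LOG_1004, {"DECEF36C443.ACC6F": "eicar.com"}))
    print(missing_filename_block(LOG_1204, {"7CE27442AE.AFD34": "eicar.com"}))
```

Run against the 10.04 excerpt it reports the message as missing its filename block; against the 12.04 excerpt it reports nothing.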