File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?

Fri Feb 10 10:59:02 UTC 2017

I typically bump this value up a bit.

On Fri, Feb 10, 2017 at 12:28 AM, Paul Scott <sales at edenusa.com> wrote:

> Hello Mark,
>
> I pretty much managed to get mailscanner to restart a bit better.  Still
> working on that, but I think I can nail it eventually.
>
> With regards to the attachments issue, I think I might finally be starting
> to get to the bottom of this.  Here is the entry from the log which
> corresponds to the generation of the odd message that my clients get when a
> sender sends an email with attachments:
>
> Feb  8 15:41:46 mail MailScanner[14031]: Message v18NfGNg014804 from
> 216.205.24.106 (betty.tran at ioausa.com) to mp-eng.com is too big for spam
> checks (1572191 > 150000 bytes)
>
> So, of course when an email has attachments, it is quite large.  This
> message is generated incorrectly, for two reasons:
>
> 1. It is not the NUMBER of attachments which is generating this message,
> but that is what the message says.
>
> 2. When the size of an email is too large for spam checks, it is supposed
> to be processed through without modification or error, as is indicated by
> this section of the MAILSCANNER.CONF file:
>
> # Spammers do not have the power to send out huge messages to everyone as
> # it costs them too much (more smaller messages makes more profit than less
> # very large messages). So if a message is bigger than a certain size, it
> # is highly unlikely to be spam. Limiting this saves a lot of time checking
> # huge messages.
> # Disable this option by setting it to a huge value.
> # This is measured in bytes.
> # This can also be the filename of a ruleset.
> Max Spam Check Size = 150k
>
>
> So there you have it.  This is exactly where the breakdown is.  Just
> because the message is too big for spam checks, the Mailscanner system is
> removing all of the attachments, and generating the bounce-back message to
> my clients.
>
> I suppose I could "Disable this option by setting it to a huge value", but
> eventually, the same thing will happen (e.g, when 10 large attachments are
> sent, which excess the new setting).  I honestly think there is a bug here
> somewhere, or something not right in the programming or configuration
> logic, or at the very least, the wrong message is being generated and the
> client is being penalized by their valid email being rejected.
>
> In addition, the file that the message claims to be attached
> (EdenUSAInc-Attachment-Warning.txt), does NOT exist anywhere on the
> server's HD.
>
> At any rate, something is just not right here.
>
> Please let me know.
>
> Thank you!
> Paul Scott
>
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.
> mailscanner.info] On Behalf Of Mark Sapiro
> Sent: Thursday, February 09, 2017 8:31 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: File(name|type) rules - was hijacked: "Allow Script Tags"
> affects attachments?
>
> On 02/08/2017 03:39 PM, Paul Scott wrote:
> >
> > Unfortunately, in the meantime, I also had another incident where a
> sender sending an attachment resulted in this bounce-back email again (I
> added those "--START OF MESSAGE-- and --END..." banners):
> >
> >
> > --START OF MESSAGE--
> > Warning: This message has had one or more attachments removed
> > Warning: (the entire message).
> > Warning: Please read the "EdenUSAInc-Attachment-Warning.txt"
> attachment(s) for more information.
> >
> > This is a message from the MailScanner E-Mail Virus Protection Service
> > ----------------------------------------------------------------------
> > The original e-mail attachment "the entire message"
> > was believed to be dangerous and/or infected by a virus and has been
> replaced by this warning message.
> >
> > Due to limitations placed on us by the Regulation of Investigatory
> Powers Act 2000, we were unable to keep a copy of the infected attachment.
> Please ask the sender of the message to disinfect their original version
> and send you a clean copy.
> >
> > At Wed Feb  8 07:28:11 2017 the scanner said:
> >    Too many attachments in message
> >
> > --
> > Postmaster
> > Eden USA, Inc.
> > www.edenitservices.com
> >
> > For all your IT requirements visit: http://www.transtec.co.uk --END OF
> > MESSAGE--
>
>
> I am unable to duplicate this exactly, so I can't help much, but in
> another post you said
>
> > 1. I already had the number of attachments allowed set to allow as many
> as a client wishes (the -1 setting).
>
>
> If you are thinking of "Maximum Attachment Size", thois is OK, but if you
> really mean "Maximum Attachments Per Message", there is no "unlimited"
> value, but '-1' might be interpreted as a very large, unsigned number, so
> it might be OK.
>
>
> > Also, where is that very last line coming from?  "For all your IT
> requirements visit: http://www.transteck.co.uk"
>
>
> From some ISP's MTA, either the sender or the recipient of the message.
>
>
> > I really need to get this fixed.  Do you have any more ideas?  I simply
> need to SHUT OFF all file attachment scanning, and tell MailScanner somehow
> to stop doing anything at all with attachments.  I just want to allow
> everything through, in terms of attachments.
>
>
> What does MailScanner log in the mail log for this message?
>
> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

-- 
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20170210/6855c594/attachment.html>