File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?

Paul Scott sales at edenusa.com
Fri Feb 10 18:26:58 UTC 2017


Hello Glenn,

Thank you very much for your reply.  Here is the result:

[root at mail MailScanner]# egrep "^Max" /etc/MailScanner/MailScanner.conf
Max Children = 5
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 30
Maximum Processing Attempts = 10
Maximum Attachments Per Message = 20
Maximum Message Size = %rules-dir%/max.message.size.rules
Maximum Attachment Size = -1
Maximum Archive Depth = 0
Max Spam List Timeouts = 10
Max Spam Check Size = 15000k
Max SpamAssassin Size = 40k
Max SpamAssassin Timeouts = 90
Max Custom Spam Scanner Size = 20000
Max Custom Spam Scanner Timeouts = 10
[root at mail MailScanner]#

NOTE: Does using the “k” screw anything up?  That’s what was in there before, but it was “150k”, which was obviously too small.

I see that your values are huge, but there is no “k” indicated:

Max Spam Check Size = 6500000
Max SpamAssassin Size = 3600000



And this is the content of the max.message.size.rules file, which is setting a max for this particular client to 1GB, and 20MB for everyone else:

#
# The following line specifies the default result used when none of the
# other rules match. In this example,
# Maximum Message Size = 0
# means that there is no limit to the size of the message.
#

To:     *@mp-eng.com            1000M
From:   *@mp-eng.com          1000M

FromOrTo: default                    20M


Thank you again!
Paul Scott


From: MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Friday, February 10, 2017 4:31 AM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?

Scott,
Could you please report the values for all your maximum settings? Do something like:
egrep "^Max" /etc/MailScanner/MailScanner.conf
There used to be a logical trap/bug in the setting of Maximum Spam Check Size and Maximum Spamassassin Size (both these need be relatively "huge", or you'll mess up SpamAssassin results badly). With the latter a bit smaller than the former... I've got:
Max Spam Check Size = 6500000
Max SpamAssassin Size = 3600000
Also, pay attention to the Spamassassin timeout value.
Further, a comment on your "I've turned everything off" statement... This is sometimes easier said than done. There are a number of settings you need to change, apart from the ones you mention. I suspect you would find more ... interesting... facts (and not alternative ones, at that) if you ensure that the failures actually do get quarantined. That way you can inspect the actual raw message/queue file for discrepancies.
Cheers!
--
-- Glenn

2017-02-10 6:28 GMT+01:00 Paul Scott <sales at edenusa.com>:
Hello Mark,

I pretty much managed to get mailscanner to restart a bit better.  Still working on that, but I think I can nail it eventually.

With regards to the attachments issue, I think I might finally be starting to get to the bottom of this.  Here is the entry from the log which corresponds to the generation of the odd message that my clients get when a sender sends an email with attachments:

Feb  8 15:41:46 mail MailScanner[14031]: Message v18NfGNg014804 from 216.205.24.106 (betty.tran at ioausa.com) to mp-eng.com is too big for spam checks (1572191 > 150000 bytes)

So, of course when an email has attachments, it is quite large.  This message is generated incorrectly, for two reasons:

1. It is not the NUMBER of attachments which is generating this message, but that is what the message says.

2. When the size of an email is too large for spam checks, it is supposed to be processed through without modification or error, as is indicated by this section of the MAILSCANNER.CONF file:

# Spammers do not have the power to send out huge messages to everyone as
# it costs them too much (more smaller messages makes more profit than less
# very large messages). So if a message is bigger than a certain size, it
# is highly unlikely to be spam. Limiting this saves a lot of time checking
# huge messages.
# Disable this option by setting it to a huge value.
# This is measured in bytes.
# This can also be the filename of a ruleset.
Max Spam Check Size = 150k


So there you have it.  This is exactly where the breakdown is.  Just because the message is too big for spam checks, the Mailscanner system is removing all of the attachments, and generating the bounce-back message to my clients.

I suppose I could "Disable this option by setting it to a huge value", but eventually, the same thing will happen (e.g., when 10 large attachments are sent, which exceed the new setting).  I honestly think there is a bug here somewhere, or something not right in the programming or configuration logic, or at the very least, the wrong message is being generated and the client is being penalized by their valid email being rejected.

In addition, the file that the message claims to be attached (EdenUSAInc-Attachment-Warning.txt), does NOT exist anywhere on the server's HD.

At any rate, something is just not right here.

Please let me know.

Thank you!
Paul Scott


-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Thursday, February 09, 2017 8:31 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?
On 02/08/2017 03:39 PM, Paul Scott wrote:
>
> Unfortunately, in the meantime, I also had another incident where a sender sending an attachment resulted in this bounce-back email again (I added those "--START OF MESSAGE-- and --END..." banners):
>
>
> --START OF MESSAGE--
> Warning: This message has had one or more attachments removed
> Warning: (the entire message).
> Warning: Please read the "EdenUSAInc-Attachment-Warning.txt" attachment(s) for more information.
>
> This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail attachment "the entire message"
> was believed to be dangerous and/or infected by a virus and has been replaced by this warning message.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers Act 2000, we were unable to keep a copy of the infected attachment. Please ask the sender of the message to disinfect their original version and send you a clean copy.
>
> At Wed Feb  8 07:28:11 2017 the scanner said:
>    Too many attachments in message
>
> --
> Postmaster
> Eden USA, Inc.
> www.edenitservices.com
>
> For all your IT requirements visit: http://www.transtec.co.uk
> --END OF MESSAGE--


I am unable to duplicate this exactly, so I can't help much, but in another post you said

> 1. I already had the number of attachments allowed set to allow as many as a client wishes (the -1 setting).


If you are thinking of "Maximum Attachment Size", this is OK, but if you really mean "Maximum Attachments Per Message", there is no "unlimited" value, but '-1' might be interpreted as a very large, unsigned number, so it might be OK.


> Also, where is that very last line coming from?  "For all your IT requirements visit: http://www.transteck.co.uk"


From some ISP's MTA, either the sender or the recipient of the message.


> I really need to get this fixed.  Do you have any more ideas?  I simply need to SHUT OFF all file attachment scanning, and tell MailScanner somehow to stop doing anything at all with attachments.  I just want to allow everything through, in terms of attachments.


What does MailScanner log in the mail log for this message?

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner





--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
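
Added example (not part of the thread and not MailScanner code): a Python check of the two size limits discussed above and of the "too big for spam checks" log line, so messages that skipped spam checks can be listed. It assumes decimal k/m/g multipliers, inferred from the log line where the "150k" setting appears as 150000 bytes; REFERENCE holds the values Glenn posted and is only a comparison point; all function names are this example's own.

```python
import re

# Assumption: decimal multipliers, inferred from the thread's log line,
# where a "150k" setting is reported as a 150000-byte limit.
MULT = {"": 1, "k": 1000, "m": 1000**2, "g": 1000**3}
# Values Glenn posted, used only as a comparison point (not a MailScanner rule).
REFERENCE = {"max spam check size": 6500000, "max spamassassin size": 3600000}
LOG_RE = re.compile(r"Message (\S+) from (\S+) .* is too big for spam checks "
                    r"\((\d+) > (\d+) bytes\)")

# Settings and log line copied from the thread.
SAMPLE_CONF = """\
Max Spam Check Size = 15000k
Max SpamAssassin Size = 40k
Maximum Message Size = %rules-dir%/max.message.size.rules
"""
SAMPLE_LOG = ("Feb  8 15:41:46 mail MailScanner[14031]: Message v18NfGNg014804 "
              "from 216.205.24.106 (betty.tran at ioausa.com) to mp-eng.com "
              "is too big for spam checks (1572191 > 150000 bytes)")

def parse_size(value):
    """Bytes for '40k' or '6500000'; None for rulesets and other non-sizes."""
    m = re.fullmatch(r"(\d+)\s*([kmg]?)", value.strip(), re.I)
    return int(m.group(1)) * MULT[m.group(2).lower()] if m else None

def read_settings(conf_text):
    """Map lower-cased setting names to raw values, skipping comments."""
    pairs = (l.split("=", 1) for l in conf_text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_sizes(conf_text):
    """Return (sizes in bytes, findings) for the two spam-check size limits."""
    raw = read_settings(conf_text)
    sizes = {k: parse_size(raw.get(k, "")) for k in REFERENCE}
    findings = [f"{k} = {v} bytes, below the {REFERENCE[k]} posted in the thread"
                for k, v in sizes.items() if v is not None and v < REFERENCE[k]]
    findings += [f"{k} is missing or not a plain size; check it by hand"
                 for k, v in sizes.items() if v is None]
    spam, sa = sizes["max spam check size"], sizes["max spamassassin size"]
    if spam is not None and sa is not None and sa >= spam:
        findings.append("max spamassassin size should be smaller than max spam check size")
    return sizes, findings

def skipped_spam_check(line):
    """Parse a 'too big for spam checks' log line; None if it is another line."""
    m = LOG_RE.search(line)
    return m and {"id": m.group(1), "relay": m.group(2),
                  "size": int(m.group(3)), "limit": int(m.group(4))}
```

Running skipped_spam_check over each line of the mail log gives the messages that passed through without spam checks and the limit in force at the time.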