File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?
Paul Scott
sales at edenusa.com
Fri Feb 10 19:12:14 UTC 2017
Hello Glen,
What do you set your SpamAssassin timeout value to?
Mine is set to 90 seconds.
Thank you very much!
Paul Scott
From: MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Friday, February 10, 2017 4:31 AM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?
Scott,
Could you please report the values for all your maximum settings? Do something like:
egrep "^Max" /etc/MailScanner/MailScanner.conf
There used to be a logical trap/bug in the setting of Maximum Spam Check Size and Maximum Spamassassin Size (both these need to be relatively "huge", or you'll mess up SpamAssassin results badly). With the latter a bit smaller than the former... I've got:
Max Spam Check Size = 6500000
Max SpamAssassin Size = 3600000
Also, pay attention to the SpamAssassin timeout value.
Further, a comment on your "I've turned everything off" statement... This is sometimes easier said than done. There are a number of settings you need to change, apart from the ones you mention. I suspect you would find more ... interesting... facts (and not alternative ones, at that) if you ensure that the failures actually do get quarantined. That way you can inspect the actual raw message/queue file for discrepancies.
Cheers!
--
-- Glenn
2017-02-10 6:28 GMT+01:00 Paul Scott <sales at edenusa.com>:
Hello Mark,
I pretty much managed to get mailscanner to restart a bit better. Still working on that, but I think I can nail it eventually.
With regards to the attachments issue, I think I might finally be starting to get to the bottom of this. Here is the entry from the log which corresponds to the generation of the odd message that my clients get when a sender sends an email with attachments:
Feb 8 15:41:46 mail MailScanner[14031]: Message v18NfGNg014804 from 216.205.24.106 (betty.tran at ioausa.com) to mp-eng.com is too big for spam checks (1572191 > 150000 bytes)
So, of course when an email has attachments, it is quite large. This message is generated incorrectly, for two reasons:
1. It is not the NUMBER of attachments which is generating this message, but that is what the message says.
2. When the size of an email is too large for spam checks, it is supposed to be processed through without modification or error, as is indicated by this section of the MAILSCANNER.CONF file:
# Spammers do not have the power to send out huge messages to everyone as
# it costs them too much (more smaller messages makes more profit than less
# very large messages). So if a message is bigger than a certain size, it
# is highly unlikely to be spam. Limiting this saves a lot of time checking
# huge messages.
# Disable this option by setting it to a huge value.
# This is measured in bytes.
# This can also be the filename of a ruleset.
Max Spam Check Size = 150k
So there you have it. This is exactly where the breakdown is. Just because the message is too big for spam checks, the Mailscanner system is removing all of the attachments, and generating the bounce-back message to my clients.
I suppose I could "Disable this option by setting it to a huge value", but eventually, the same thing will happen (e.g., when 10 large attachments are sent, which exceed the new setting). I honestly think there is a bug here somewhere, or something not right in the programming or configuration logic, or at the very least, the wrong message is being generated and the client is being penalized by their valid email being rejected.
In addition, the file that the message claims to be attached (EdenUSAInc-Attachment-Warning.txt), does NOT exist anywhere on the server's HD.
At any rate, something is just not right here.
Please let me know.
Thank you!
Paul Scott
-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Thursday, February 09, 2017 8:31 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?
On 02/08/2017 03:39 PM, Paul Scott wrote:
>
> Unfortunately, in the meantime, I also had another incident where a sender sending an attachment resulted in this bounce-back email again (I added those "--START OF MESSAGE-- and --END..." banners):
>
>
> --START OF MESSAGE--
> Warning: This message has had one or more attachments removed
> Warning: (the entire message).
> Warning: Please read the "EdenUSAInc-Attachment-Warning.txt" attachment(s) for more information.
>
> This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail attachment "the entire message"
> was believed to be dangerous and/or infected by a virus and has been replaced by this warning message.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers Act 2000, we were unable to keep a copy of the infected attachment. Please ask the sender of the message to disinfect their original version and send you a clean copy.
>
> At Wed Feb 8 07:28:11 2017 the scanner said:
> Too many attachments in message
>
> --
> Postmaster
> Eden USA, Inc.
> www.edenitservices.com
>
> For all your IT requirements visit: http://www.transtec.co.uk
> --END OF MESSAGE--
I am unable to duplicate this exactly, so I can't help much, but in another post you said
> 1. I already had the number of attachments allowed set to allow as many as a client wishes (the -1 setting).
If you are thinking of "Maximum Attachment Size", this is OK, but if you really mean "Maximum Attachments Per Message", there is no "unlimited" value, but '-1' might be interpreted as a very large, unsigned number, so it might be OK.
> Also, where is that very last line coming from? "For all your IT requirements visit: http://www.transteck.co.uk"
From some ISP's MTA, either the sender or the recipient of the message.
> I really need to get this fixed. Do you have any more ideas? I simply need to SHUT OFF all file attachment scanning, and tell MailScanner somehow to stop doing anything at all with attachments. I just want to allow everything through, in terms of attachments.
What does MailScanner log in the mail log for this message?
--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
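
The size-limit check Glenn describes and the log line Paul quotes, as an added example that is not part of the original thread: a shell sketch that reads the two limits from a MailScanner.conf-style file, flags the case where Max SpamAssassin Size is not smaller than Max Spam Check Size, and lists messages logged as too big for spam checks. The function names, the sample config and log lines, and the m/g suffixes are assumptions; the k = 1000 conversion follows the 150k / 150000 bytes pair in the thread.

```shell
# Size value -> bytes. "150k" = 150000 as in the quoted log line; the m and g
# suffixes are an assumption. Fails on a ruleset filename or an empty value.
to_bytes() {
    num=${1%[kKmMgG]}
    case "$num" in *[!0-9]*|"") return 1 ;; esac
    case "$1" in
        *[kK]) echo "${num}000" ;;
        *[mM]) echo "${num}000000" ;;
        *[gG]) echo "${num}000000000" ;;
        *)     echo "$num" ;;
    esac
}
# Value of "NAME = value" in a MailScanner.conf-style file, comments skipped.
# If the key repeats, this sketch reports the last occurrence.
max_setting() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $0; sub(/^[^=]*=/, "", v)
                   gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { if (val != "") print val }' "$1"
}
# Glenn's advice: Max SpamAssassin Size smaller than Max Spam Check Size.
check_spam_sizes() {
    cb=$(to_bytes "$(max_setting "$1" 'Max Spam Check Size')") ||
        { echo "skip: Max Spam Check Size missing or not a plain size"; return 0; }
    sb=$(to_bytes "$(max_setting "$1" 'Max SpamAssassin Size')") ||
        { echo "skip: Max SpamAssassin Size missing or not a plain size"; return 0; }
    if [ "$sb" -lt "$cb" ]; then echo "ok: $sb < $cb"
    else echo "warn: Max SpamAssassin Size $sb >= Max Spam Check Size $cb"; fi
}
# Messages that skipped spam checks, printed as "queue-id size limit".
too_big() {
    sed -n 's/.*Message \([^ ]*\) from .* is too big for spam checks (\([0-9]*\) > \([0-9]*\) bytes).*/\1 \2 \3/p' "$1"
}
# Constructed sample input: Paul's 150k next to Glenn's 3600000.
CONF=$(mktemp); LOG=$(mktemp); trap 'rm -f "$CONF" "$LOG"' EXIT
cat > "$CONF" <<'EOF'
# This is measured in bytes.
Max Spam Check Size = 150k
Max SpamAssassin Size = 3600000
EOF
cat > "$LOG" <<'EOF'
Feb  8 15:41:46 mail MailScanner[14031]: Message QUEUEID01 from 192.0.2.10 (sender@example.com) to example.org is too big for spam checks (1572191 > 150000 bytes)
Feb  8 15:41:47 mail MailScanner[14031]: constructed line that should not match
EOF
check_spam_sizes "$CONF"
too_big "$LOG"
```

On a real host, point check_spam_sizes at /etc/MailScanner/MailScanner.conf and too_big at the mail log; a setting that names a ruleset file is reported as skipped rather than compared.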