File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?

Glenn Steen glenn.steen at gmail.com
Mon Feb 13 09:56:43 UTC 2017


Hello Scott,

The values I have are in bytes, hence the huge values (they're just 6.5MB
and 3.6MB respectively... Which is quite enough for most spam, since
spammers tend to keep things "short and sweet"). This is due to some old
version of MailScanner not correctly understanding the SI multiple
indicators ("k", "M" etc)... And since that is sure to work, why change
it:-). Obviously (from the log snippet you shared (addressed to Mark)), the
15000k specification doesn't work for you. Try putting the byte values in,
restart MS and see what gives! Oh, and allowing GB e-mail... I imagine
anything like that would be bounced pretty much from every other MTA on the
planet;-)

The Maximum Attachments Per Message would likely be the interesting setting,
provided that actually is the problem... And since the warning message
indicates that it replaces "The whole message", that's likely not it (this
can happen in a range of situations, where different functions in
MailScanner detect something amiss with the body in its entirety... MS
will then replace the body with the warning as stated, but since there is no
other text/body, that will be displayed as the actual body... Can be a bit
confusing at first, but is actually a good indicator:)).
Things that historically have had this effect on "the whole message" are
filetype rules, UU-decoding/disabling etc. This is why it would be very
valuable for you to actually quarantine the message, so that you can
inspect the message file in the quarantine.

The UUdecode stuff is very likely your culprit, since that tries to deduce
if "the whole message" is actually a UUencoded message and should be passed
through uudecode.... If this misfires, you might end up with a uudecode
that returns some astronomical amount of "attachments" and renders "the
whole message" suspect.

Another possibility would be if the e-mail has a problem with MIME
boundaries... Again, this would be easiest to see in the quarantined
message/queue file.

Cheers!
-- 
-- Glenn


2017-02-10 19:26 GMT+01:00 Paul Scott <sales at edenusa.com>:

> Hello Glenn,
>
>
>
> Thank you very much for your reply.  Here is the result:
>
>
>
> [root at mail MailScanner]# egrep "^Max" /etc/MailScanner/MailScanner.conf
> Max Children = 5
> Max Unscanned Bytes Per Scan = 100m
> Max Unsafe Bytes Per Scan = 50m
> Max Unscanned Messages Per Scan = 30
> Max Unsafe Messages Per Scan = 30
> Max Normal Queue Size = 30
> Maximum Processing Attempts = 10
> Maximum Attachments Per Message = 20
> Maximum Message Size = %rules-dir%/max.message.size.rules
> Maximum Attachment Size = -1
> Maximum Archive Depth = 0
> Max Spam List Timeouts = 10
> Max Spam Check Size = 15000k
> Max SpamAssassin Size = 40k
> Max SpamAssassin Timeouts = 90
> Max Custom Spam Scanner Size = 20000
> Max Custom Spam Scanner Timeouts = 10
> [root at mail MailScanner]#
>
>
>
> NOTE: Does using the “k” screw anything up?  That’s what was in there
> before, but it was “150k”, which was obviously too small.
>
>
>
> I see that your values are huge, but there is no “k” indicated:
>
>
>
> Max Spam Check Size = 6500000
> Max SpamAssassin Size = 3600000
>
>
>
>
>
>
>
> And this is the content of the max.message.size.rules file, which is
> setting a max for this particular client to 1GB, and 20MB for everyone else:
>
>
>
> #
> # The following line specifies the default result used when none of the
> # other rules match. In this example,
> # Maximum Message Size = 0
> # means that there is no limit to the size of the message.
> #
>
> To:     *@mp-eng.com            1000M
> From:   *@mp-eng.com          1000M
>
> FromOrTo: default                    20M
>
>
>
>
>
> Thank you again!
>
> Paul Scott
>
>
>
>
>
> *From:* MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.
> mailscanner.info] *On Behalf Of *Glenn Steen
> *Sent:* Friday, February 10, 2017 4:31 AM
> *To:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
>
> *Subject:* Re: File(name|type) rules - was hijacked: "Allow Script Tags"
> affects attachments?
>
>
>
> Scott,
>
> Could you please report the values for all your maximum settings? Do
> something like:
> egrep "^Max" /etc/MailScanner/MailScanner.conf
>
> There used to be a logical trap/bug in the setting of Maximum Spam Check
> Size and Maximum Spamassassin Size (both these need be relatively "huge",
> or you'll mess up SpamAssassin results badly). With the latter a bit
> smaller than the former... I've got:
> Max Spam Check Size = 6500000
> Max SpamAssassin Size = 3600000
>
> Also, pay attention to the Spamassassin timeout value.
>
> Further, a comment on your "I've turned everything off" statement... This
> is sometimes easier said than done. There are a number of settings you need
> change, apart from the ones you mention. I suspect you would find more ...
> interesting... facts (and not alternative ones, at that) if you ensure
> that the failures actually do get quarantined. That way you can inspect the
> actual raw message/queue file for discrepancies.
>
> Cheers!
> --
>
> -- Glenn
>
>
>
> 2017-02-10 6:28 GMT+01:00 Paul Scott <sales at edenusa.com>:
>
> Hello Mark,
>
> I pretty much managed to get mailscanner to restart a bit better.  Still
> working on that, but I think I can nail it eventually.
>
> With regards to the attachments issue, I think I might finally be starting
> to get to the bottom of this.  Here is the entry from the log which
> corresponds to the generation of the odd message that my clients get when a
> sender sends an email with attachments:
>
> Feb  8 15:41:46 mail MailScanner[14031]: Message v18NfGNg014804 from
> 216.205.24.106 (betty.tran at ioausa.com) to mp-eng.com is too big for spam
> checks (1572191 > 150000 bytes)
>
> So, of course when an email has attachments, it is quite large.  This
> message is generated incorrectly, for two reasons:
>
> 1. It is not the NUMBER of attachments which is generating this message,
> but that is what the message says.
>
> 2. When the size of an email is too large for spam checks, it is supposed
> to be processed through without modification or error, as is indicated by
> this section of the MAILSCANNER.CONF file:
>
> # Spammers do not have the power to send out huge messages to everyone as
> # it costs them too much (more smaller messages makes more profit than less
> # very large messages). So if a message is bigger than a certain size, it
> # is highly unlikely to be spam. Limiting this saves a lot of time checking
> # huge messages.
> # Disable this option by setting it to a huge value.
> # This is measured in bytes.
> # This can also be the filename of a ruleset.
> Max Spam Check Size = 150k
>
>
> So there you have it.  This is exactly where the breakdown is.  Just
> because the message is too big for spam checks, the Mailscanner system is
> removing all of the attachments, and generating the bounce-back message to
> my clients.
>
> I suppose I could "Disable this option by setting it to a huge value", but
> eventually, the same thing will happen (e.g, when 10 large attachments are
> sent, which exceed the new setting).  I honestly think there is a bug here
> somewhere, or something not right in the programming or configuration
> logic, or at the very least, the wrong message is being generated and the
> client is being penalized by their valid email being rejected.
>
> In addition, the file that the message claims to be attached
> (EdenUSAInc-Attachment-Warning.txt), does NOT exist anywhere on the
> server's HD.
>
> At any rate, something is just not right here.
>
> Please let me know.
>
> Thank you!
> Paul Scott
>
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.
> mailscanner.info] On Behalf Of Mark Sapiro
> Sent: Thursday, February 09, 2017 8:31 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: File(name|type) rules - was hijacked: "Allow Script Tags"
> affects attachments?
>
> On 02/08/2017 03:39 PM, Paul Scott wrote:
> >
> > Unfortunately, in the meantime, I also had another incident where a
> sender sending an attachment resulted in this bounce-back email again (I
> added those "--START OF MESSAGE-- and --END..." banners):
> >
> >
> > --START OF MESSAGE--
> > Warning: This message has had one or more attachments removed
> > Warning: (the entire message).
> > Warning: Please read the "EdenUSAInc-Attachment-Warning.txt"
> attachment(s) for more information.
> >
> > This is a message from the MailScanner E-Mail Virus Protection Service
> > ----------------------------------------------------------------------
> > The original e-mail attachment "the entire message"
> > was believed to be dangerous and/or infected by a virus and has been
> replaced by this warning message.
> >
> > Due to limitations placed on us by the Regulation of Investigatory
> Powers Act 2000, we were unable to keep a copy of the infected attachment.
> Please ask the sender of the message to disinfect their original version
> and send you a clean copy.
> >
> > At Wed Feb  8 07:28:11 2017 the scanner said:
> >    Too many attachments in message
> >
> > --
> > Postmaster
> > Eden USA, Inc.
> > www.edenitservices.com
> >
> > For all your IT requirements visit: http://www.transtec.co.uk --END OF
> > MESSAGE--
>
>
> I am unable to duplicate this exactly, so I can't help much, but in
> another post you said
>
> > 1. I already had the number of attachments allowed set to allow as many
> as a client wishes (the -1 setting).
>
>
> If you are thinking of "Maximum Attachment Size", this is OK, but if you
> really mean "Maximum Attachments Per Message", there is no "unlimited"
> value, but '-1' might be interpreted as a very large, unsigned number, so
> it might be OK.
>
>
> > Also, where is that very last line coming from?  "For all your IT
> requirements visit: http://www.transteck.co.uk"
>
>
> From some ISP's MTA, either the sender or the recipient of the message.
>
>
> > I really need to get this fixed.  Do you have any more ideas?  I simply
> need to SHUT OFF all file attachment scanning, and tell MailScanner somehow
> to stop doing anything at all with attachments.  I just want to allow
> everything through, in terms of attachments.
>
>
> What does MailScanner log in the mail log for this message?
>
> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
> --
>
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se


-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
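
An added example, not part of the thread or of MailScanner itself: a small Python check for the two spam-size settings discussed above, which flags SI suffixes, reports the plain byte value to write instead, checks that Max SpamAssassin Size is smaller than Max Spam Check Size, and reads the enforced limit back from a "too big for spam checks" log entry. It assumes decimal multipliers for "k"/"m"/"g" (consistent with the quoted log line, where 150k was enforced as 150000 bytes); the function names are illustrative.

```python
import re

# Assumption: decimal multipliers, inferred from the thread's log line
# where "150k" was enforced as 150000 bytes.
MULT = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}
SIZE_KEYS = ("Max Spam Check Size", "Max SpamAssassin Size")
LOG_RE = re.compile(r"too big for spam\s+checks \((\d+) > (\d+) bytes\)")

def to_bytes(value):
    """Return the byte count for '15000k' or '6500000'; None for a ruleset path."""
    m = re.fullmatch(r"(\d+)\s*([kmg]?)", value.strip(), re.I)
    return int(m.group(1)) * MULT[m.group(2).lower()] if m else None

def audit(conf_text):
    """Return (sizes_in_bytes, findings) for the two spam-size settings."""
    sizes, findings = {}, []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in SIZE_KEYS:
            continue  # comments and unrelated settings are skipped
        sizes[key] = to_bytes(value)
        if sizes[key] is None:
            findings.append(f"{key}: '{value}' is not a plain size (ruleset file?)")
        elif not value.isdigit():
            findings.append(f"{key}: suffix in '{value}', write {sizes[key]} instead")
    check, sa = (sizes.get(k) for k in SIZE_KEYS)
    if check is not None and sa is not None and sa >= check:
        findings.append("Max SpamAssassin Size should be smaller than Max Spam Check Size")
    return sizes, findings

def effective_limit(log_line):
    """Extract (message_size, enforced_limit) from a 'too big for spam checks' entry."""
    m = LOG_RE.search(log_line)
    return (int(m.group(1)), int(m.group(2))) if m else None

# The two settings as quoted in the thread (Paul's current values).
SAMPLE_CONF = """Max Spam Check Size = 15000k
Max SpamAssassin Size = 40k
"""
# Log entry from the thread, abridged and joined onto one line.
SAMPLE_LOG = ("Feb  8 15:41:46 mail MailScanner[14031]: Message v18NfGNg014804 "
              "... is too big for spam checks (1572191 > 150000 bytes)")

if __name__ == "__main__":
    sizes, findings = audit(SAMPLE_CONF)
    print(sizes, *findings, effective_limit(SAMPLE_LOG), sep="\n")
```

After changing the values and restarting MailScanner, the limit reported in a new log entry shows how the setting was actually interpreted.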