File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?

Glenn Steen glenn.steen at gmail.com
Mon Feb 13 10:00:43 UTC 2017


It needs be so huge it most likely will never trigger (at least if you
employ expiry on lagre volumes of data... If you have slow (filebased)
expiry of your bayes data, a low value will never let you complete and
expiry... amongst other things:-)). I have it set to:
SpamAssassin Timeout = 600

Cheers!
-- 
-- Glenn

2017-02-10 20:12 GMT+01:00 Paul Scott <sales at edenusa.com>:

> Hello Glen,
>
>
>
> What do you set your Spamassissin timeout value to?
>
>
>
> Mine is set to 90 seconds.
>
>
>
> Thank you very much!
>
>
>
> Paul Scott
>
>
>
>
>
> *From:* MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.
> mailscanner.info] *On Behalf Of *Glenn Steen
> *Sent:* Friday, February 10, 2017 4:31 AM
> *To:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
>
> *Subject:* Re: File(name|type) rules - was hijacked: "Allow Script Tags"
> affects attachments?
>
>
>
> Scott,
>
> Could you please report the values for all your maximum settings? Do
> something like:
> egrep "^Max" /etc/MailScanner/MailScanner.conf
>
> There used to be a logical trap/bug in the setting of Maximum Spam Check
> Size and Maximum Spamassassin Size (both theese need be relatively "huge".
> or you'll mess up SpamAssassin results badly). With the latter a bit
> smaller than the former... I've got:
> Max Spam Check Size = 6500000
> Max SpamAssassin Size = 3600000
>
> Also, pay attention to the Spamassassin timout value.
>
> Further, a comment on your "I've turned everyting off" statement... This
> is sometimes easier said than done. There are a number of settings you need
> change, apart from the ones you mention. I suspect you would find more ...
> interresting... facts (and not alternative ones, at that) if you ensure
> that the failures actually do get quarantined. That way you can inspect the
> actual raw message/queue file for discrepacies.
>
> Cheers!
> --
>
> -- Glenn
>
>
>
> 2017-02-10 6:28 GMT+01:00 Paul Scott <sales at edenusa.com>:
>
> Hello Mark,
>
> I pretty much managed to get mailscanner to restart a bit better.  Still
> working on that, but I think I can nail it eventually.
>
> With regards to the attachments issue, I think I might finally be starting
> to get to the bottom of this.  Here is the entry from the log which
> corresponds to the generation of the odd message that my clients get when a
> sender sends an email with attachments:
>
> Feb  8 15:41:46 mail MailScanner[14031]: Message v18NfGNg014804 from
> 216.205.24.106 (betty.tran at ioausa.com) to mp-eng.com is too big for spam
> checks (1572191 > 150000 bytes)
>
> So, of course when an email has attachments, it is quite large.  This
> message is generated incorrectly, for two reasons:
>
> 1. It is not the NUMBER of attachments which is generating this message,
> but that is what the message says.
>
> 2. When the size of an email is too large for spam checks, it is supposed
> to be processed through without modification or error, as is indicated by
> this section of the MAILSCANNER.CONF file:
>
> # Spammers do not have the power to send out huge messages to everyone as
> # it costs them too much (more smaller messages makes more profit than less
> # very large messages). So if a message is bigger than a certain size, it
> # is highly unlikely to be spam. Limiting this saves a lot of time checking
> # huge messages.
> # Disable this option by setting it to a huge value.
> # This is measured in bytes.
> # This can also be the filename of a ruleset.
> Max Spam Check Size = 150k
>
>
> So there you have it.  This is exactly where the breakdown is.  Just
> because the message is too big for spam checks, the Mailscanner system is
> removing all of the attachments, and generating the bounce-back message to
> my clients.
>
> I suppose I could "Disable this option by setting it to a huge value", but
> eventually, the same thing will happen (e.g, when 10 large attachments are
> sent, which excess the new setting).  I honestly think there is a bug here
> somewhere, or something not right in the programming or configuration
> logic, or at the very least, the wrong message is being generated and the
> client is being penalized by their valid email being rejected.
>
> In addition, the file that the message claims to be attached
> (EdenUSAInc-Attachment-Warning.txt), does NOT exist anywhere on the
> server's HD.
>
> At any rate, something is just not right here.
>
> Please let me know.
>
> Thank you!
> Paul Scott
>
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.
> mailscanner.info] On Behalf Of Mark Sapiro
> Sent: Thursday, February 09, 2017 8:31 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: File(name|type) rules - was hijacked: "Allow Script Tags"
> affects attachments?
>
> On 02/08/2017 03:39 PM, Paul Scott wrote:
> >
> > Unfortunately, in the meantime, I also had another incident where a
> sender sending an attachment resulted in this bounce-back email again (I
> added those "--START OF MESSAGE-- and --END..." banners):
> >
> >
> > --START OF MESSAGE--
> > Warning: This message has had one or more attachments removed
> > Warning: (the entire message).
> > Warning: Please read the "EdenUSAInc-Attachment-Warning.txt"
> attachment(s) for more information.
> >
> > This is a message from the MailScanner E-Mail Virus Protection Service
> > ----------------------------------------------------------------------
> > The original e-mail attachment "the entire message"
> > was believed to be dangerous and/or infected by a virus and has been
> replaced by this warning message.
> >
> > Due to limitations placed on us by the Regulation of Investigatory
> Powers Act 2000, we were unable to keep a copy of the infected attachment.
> Please ask the sender of the message to disinfect their original version
> and send you a clean copy.
> >
> > At Wed Feb  8 07:28:11 2017 the scanner said:
> >    Too many attachments in message
> >
> > --
> > Postmaster
> > Eden USA, Inc.
> > www.edenitservices.com
> >
> > For all your IT requirements visit: http://www.transtec.co.uk --END OF
> > MESSAGE--
>
>
> I am unable to duplicate this exactly, so I can't help much, but in
> another post you said
>
> > 1. I already had the number of attachments allowed set to allow as many
> as a client wishes (the -1 setting).
>
>
> If you are thinking of "Maximum Attachment Size", thois is OK, but if you
> really mean "Maximum Attachments Per Message", there is no "unlimited"
> value, but '-1' might be interpreted as a very large, unsigned number, so
> it might be OK.
>
>
> > Also, where is that very last line coming from?  "For all your IT
> requirements visit: http://www.transteck.co.uk"
>
>
> From some ISP's MTA, either the sender or the recipient of the message.
>
>
> > I really need to get this fixed.  Do you have any more ideas?  I simply
> need to SHUT OFF all file attachment scanning, and tell MailScanner somehow
> to stop doing anything at all with attachments.  I just want to allow
> everything through, in terms of attachments.
>
>
> What does MailScanner log in the mail log for this message?
>
> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>
>
> --
>
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>


-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20170213/b06cd8c4/attachment.html>


More information about the MailScanner mailing list