From gpapamichelakis at gmail.com Sat Dec 1 11:15:02 2018
From: gpapamichelakis at gmail.com (George Papamichelakis)
Date: Sat, 1 Dec 2018 13:15:02 +0200
Subject: Bypass filetype or filename blocking and quarantine
In-Reply-To:
References: <2ddf036c-aefa-1a64-dfd1-19fcc53cea97@gmail.com> <39dc97ba-cacb-5de4-8c44-51a580a5e5a1@msapiro.net>
Message-ID: <3fbcbebd-3521-c4a2-f869-fcada8a3ded7@gmail.com>

On 11/30/18 10:45 PM, Mark Sapiro wrote:
> On 11/30/18 11:11 AM, George Papamichelakis wrote:
>
>
> However, I was mistaken when I said you couldn't use the %...% notation
> in a ruleset file. I have tested that and the %...% substitutions do
> work in rules files.
>

I have repeated the checks, added my email to filename.rules (attached)
and sent one message from a gmail account to the subject server. This is
an attachment zip file which was previously blocked by another user; the
message was stamped, as I can see:

Report: MailScanner: Attempt to hide real filename extension (55.TIP.pdf)
MailScanner: Attempt to hide real filename extension (55.TIP.pdf)

Attached also is the allowall rules file. In my conf.d setup file I have:

Filename Rules = %rules-dir%/filename.rules
Filetype Rules = %rules-dir%/filetype.rules

I also tried replacing %etc-dir% and %rules-dir% with the actual path and
got the same result.

I'm using MailScanner 5.0.2 by the way, if this rings any bell; I can't
upgrade yet to the current version due to other reasons.

George
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
# This Ruleset will allow all attached files to pass
allow .* - -
-------------- next part --------------
# File to control which domains get filename checking
# mail from or to noscan.com will not have filenames checked
From: gpapamichelakis at gmail.com %etc-dir%/filename.rules.allowall.conf
#Default
FromOrTo: default %etc-dir%/filename.rules.conf

From mark at msapiro.net Sun Dec 2 18:09:13 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 2 Dec 2018 10:09:13 -0800
Subject: Bypass filetype or filename blocking and quarantine
In-Reply-To: <3fbcbebd-3521-c4a2-f869-fcada8a3ded7@gmail.com>
References: <2ddf036c-aefa-1a64-dfd1-19fcc53cea97@gmail.com> <39dc97ba-cacb-5de4-8c44-51a580a5e5a1@msapiro.net> <3fbcbebd-3521-c4a2-f869-fcada8a3ded7@gmail.com>
Message-ID: <107f1422-438f-a196-0e7d-27ff77345fc5@msapiro.net>

On 12/1/18 3:15 AM, George Papamichelakis wrote:
>
>
> gmail account to subject server, this is an attachment zip file which
> was previously blocked by another user,

If it is a .zip (or other archive), the relevant setting for the ruleset
for filenames within the archive is

Archives: Filename Rules

Filename Rules applies only to attachment filenames, not names within an
attached archive. See the section beginning with

# These are the equivalent of the settings above, except they apply to
# files which are contained within "archives", as defined by the

in MailScanner.conf.

-- 
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan

From gpapamichelakis at gmail.com Mon Dec 3 08:55:54 2018
From: gpapamichelakis at gmail.com (George Papamichelakis)
Date: Mon, 3 Dec 2018 10:55:54 +0200
Subject: Bypass filetype or filename blocking and quarantine
In-Reply-To: <107f1422-438f-a196-0e7d-27ff77345fc5@msapiro.net>
References: <2ddf036c-aefa-1a64-dfd1-19fcc53cea97@gmail.com> <39dc97ba-cacb-5de4-8c44-51a580a5e5a1@msapiro.net> <3fbcbebd-3521-c4a2-f869-fcada8a3ded7@gmail.com> <107f1422-438f-a196-0e7d-27ff77345fc5@msapiro.net>
Message-ID:

On 12/2/18 8:09 PM, Mark Sapiro wrote:
> On 12/1/18 3:15 AM, George Papamichelakis wrote:
>>
>> gmail account to subject server, this is an attachment zip file which
>> was previously blocked by another user,
>
> If it is a .zip (or other archive), the relevant setting for the ruleset
> for filenames within the archive is
>
> Archives: Filename Rules

!! It never crossed my mind that archives use a different setting !!
Thanks for the tip. These are the relevant settings in MailScanner.conf:

# These are the equivalent of the settings above, except they apply to
# files which are contained within "archives", as defined by the
# "Archives Are" setting at the top of this section.
# They can all be rulesets.
Archives: Allow Filenames =
Archives: Deny Filenames =
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
Archives: Allow Filetypes =
Archives: Allow File MIME Types =
Archives: Deny Filetypes =
Archives: Deny File MIME Types =
Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf

I did something like the filename.rules previously mentioned, tested it
and it works !! Thanks a lot !!

George

From nerijus at users.sourceforge.net Tue Dec 4 12:58:21 2018
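The distinction Mark points out in the thread above, worked through as an added example for this page (Python, not MailScanner's own Perl): a small re-implementation of the rules-file lookup (tab-separated action, regex, log text, user text; first matching line wins) applied once to the attachment names under "Filename Rules" and once to the names inside an attached zip under "Archives: Filename Rules". The rules text, the zip and the "hide real filename extension" regex are constructed for the example; that regex is written from memory of the stock filename.rules.conf and is an assumption, not a copy.

```python
import io
import re
import zipfile

# Constructed rules in the layout of filename.rules.conf (tab-separated:
# action, regex, log text, user report text). The first regex is an
# assumption modelled on the stock "hide real filename extension" rule.
DEFAULT_RULES = """\
# action\tregex\tlog text\tuser report text
deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tFound possible filename hiding\tAttempt to hide real filename extension
deny\t\\.exe$\tWindows executable\tNo executables
allow\t.*\t-\t-
"""

# Equivalent of the allow-all file attached to the first message.
ALLOW_ALL_RULES = "allow\t.*\t-\t-\n"


def parse_rules(text):
    """Return a list of (action, compiled regex, log text, user text)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line, maxsplit=3)
        if len(fields) < 2:
            continue
        action, pattern = fields[0].lower(), fields[1]
        log_text = fields[2] if len(fields) > 2 else "-"
        user_text = fields[3] if len(fields) > 3 else "-"
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, user_text))
    return rules


def check_name(name, rules):
    """First matching rule wins; a name matched by no rule is allowed
    (assumption made for this example)."""
    for action, regex, _log_text, user_text in rules:
        if regex.search(name):
            return action, user_text
    return "allow", "-"


def check_message(attachments, filename_rules, archive_filename_rules):
    """attachments: list of (name, bytes). Attachment names are judged by
    filename_rules; members of zip attachments by archive_filename_rules,
    mirroring the two separate MailScanner.conf settings."""
    results = []
    for name, data in attachments:
        action, report = check_name(name, filename_rules)
        results.append((name, action, report))
        if name.lower().endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    action, report = check_name(member, archive_filename_rules)
                    results.append((name + "/" + member, action, report))
    return results


def build_sample_zip():
    """Constructed zip holding the filename quoted in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("55.TIP.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("notes.txt", b"constructed sample")
    return buf.getvalue()


def demo():
    default = parse_rules(DEFAULT_RULES)
    allow_all = parse_rules(ALLOW_ALL_RULES)
    message = [("archive.zip", build_sample_zip())]
    # Only "Filename Rules" relaxed for this sender: the zip itself passes,
    # but its members are still judged by the default archive rules.
    only_attachment_relaxed = check_message(message, allow_all, default)
    # Both "Filename Rules" and "Archives: Filename Rules" relaxed.
    both_relaxed = check_message(message, allow_all, allow_all)
    return only_attachment_relaxed, both_relaxed


if __name__ == "__main__":
    for label, results in zip(("attachment rules only", "archive rules too"), demo()):
        print(label)
        for name, action, report in results:
            print("  %-25s %-5s %s" % (name, action, report))
```

Run as-is it prints the two outcomes: with only the attachment ruleset relaxed, archive.zip passes but archive.zip/55.TIP.pdf is still denied with the "Attempt to hide real filename extension" report text seen in the log; relaxing both rulesets lets everything through.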
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Tue, 4 Dec 2018 14:58:21 +0200
Subject: esets false positive
In-Reply-To:
References:
Message-ID:

Hello,

I've got another similar problem. When scanning manually:

name="message", threat="", action="", info="error reading archive"
name="message » MIME » noname", threat="", action="", info="error reading archive"
name="message » MIME » noname » TNEF » attachment.bin", threat="", action="", info="error reading archive"

Could you please apply the following patch:

--- SweepViruses.pm.orig 2018-10-26 13:46:13.000000000 +0300
+++ SweepViruses.pm 2018-12-04 14:56:24.659909451 +0200
@@ -1915,6 +1915,9 @@ # archive damaged return 0 if $line =~ m/archive damaged/i; + # error reading archive + return 0 if $line =~ m/error reading archive/i; + my ($a, $b, $c, $d) = split(/,/, $line); my ($filename) = $a =~ m/\"(.*)\"/; my ($threat) = $b =~ m/\"(.*)\"/; ? Thanks, Nerijus On Fri, 12 Oct 2018 15:31:43 +0300 Nerijus Baliunas wrote: > I got the file. Here is the output of a virus: > > # /opt/eset/esets/sbin/esets_scan . > ... > name="./eicar", threat="Eicar test file", action="cleaned by deleting", info="" > ... > # echo $? > 1 > > Output of false positive: > > # /opt/eset/esets/sbin/esets_scan . > ... > name="./test.zip", threat="", action="", info="archive damaged" > name="./test.zip ? ZIP ? __MACOSX/R/Typefaces/._DIN-Black.zip", threat="", action="", info="archive damaged" > name="./test.zip ? ZIP ? __MACOSX/R/Typefaces/._DIN-Black.zip ? ZIP ? ", threat="", action="", info="archive damaged" > name="./test.zip ? ZIP ? __MACOSX/R/Typefaces/._Sanchez Light .zip", threat="", action="", info="archive damaged" > name="./test.zip ? ZIP ? __MACOSX/R/Typefaces/._Sanchez Light .zip ? ZIP ? ", threat="", action="", info="archive damaged" > ... > # echo $? > 10 > > Archives are OK, I can view/extract them, so it is most probably a bug in esets scanner itself. > Empty threat (threat="") with info="archive damaged" should probably be allowed. > > On Thu, 11 Oct 2018 08:50:31 -0400 Shawn Iverson via MailScanner wrote: > > > That is most likely the esets wrapper and SweepViruses.pm function failing > > to parse the output of the virus scanner properly. > > > > I would start there and run a manual scan based on the parameters in the > > wrapper against a file that triggers the problem. I would then take a look > > at the ProcessEsetsOutput function and see if the regex in there make sense > > for the output. 
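Review bot: the added `return 0 if $line =~ m/error reading archive/i;` runs before `split(/,/, $line)` and the `m/\"(.*)\"/` extraction of `$filename` and `$threat`, so it tests the whole line, including the contents of the name="..." field; a file whose name contains the words "error reading archive" would be skipped even when threat="..." is non-empty, and the existing `return 0 if $line =~ m/archive damaged/i;` three lines up has the same exposure. Move the test below the field extraction and key it on the parsed fields instead: return 0 when `$threat` is empty and the info field (the fourth quoted value, from `$d`) matches `/archive damaged|error reading archive/i`, which is also the condition stated in the quoted October mail (empty threat with info="archive damaged"). Separately, a comma inside an attachment name already breaks the `split(/,/, $line)` in the context lines; a regex over the four quoted fields would be more robust than splitting on commas, but that is outside this hunk.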
> >
> > On Thu, Oct 11, 2018 at 5:34 AM Nerijus Baliunas <
> > nerijus at users.sourceforge.net> wrote:
> >
> > > Hello,
> > >
> > > I use latest mailscanner 5.1.1-1 with esets. It works OK, but occasionally
> > > it "detects" viruses in harmless files. For example:
> > >
> > > Oct 11 11:55:18 mail MailScanner[3063]: New Batch: Scanning 1 messages,
> > > 4623339 bytes
> > > Oct 11 11:55:19 mail MailScanner[3063]: Virus and Content Scanning:
> > > Starting
> > > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Virus Scanning: esets found 17
> > > infections
> > > Oct 11 11:55:26 mail MailScanner[3063]: Infected message
> > > 9231B2A14054.A15A2 came from 192.168.x.x
> > > Oct 11 11:55:26 mail MailScanner[3063]: Virus Scanning: Found 17 viruses
> > >
> > > While a real virus output looks like this:
> > > Oct 11 01:39:44 mail MailScanner[4184]: New Batch: Scanning 1 messages,
> > > 2104 bytes
> > > Oct 11 01:39:44 mail MailScanner[4184]: Virus and Content Scanning:
> > > Starting
> > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: esets found 3
> > > infections
> > > Oct 11 01:39:49 mail MailScanner[4184]: Infected message
> > > EF7F72A14053.A770C came from 5.2.x.x
> > > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: Found 3 viruses
> > >
> > > How do I debug this?
> > >
> > > Regards,
> > > Nerijus

From bodik at cesnet.cz Wed Dec 5 15:49:18 2018
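The wrapper problem Shawn describes, as an added example for this page (Python, not MailScanner's own Perl): parse each esets_scan report line into its four quoted fields and decide on the threat field, instead of skipping lines that merely contain a phrase. The sample lines are constructed copies of the ones quoted in this thread plus two extra lines (a name with a comma, a name containing the phrase "error reading archive"); the field layout is assumed to be exactly name=..., threat=..., action=..., info=... as shown here, and the "wrapper-shaped" classifier only reproduces the visible context lines of the patch (substring skip, split on commas, greedy quote extraction), not what the real wrapper does after extracting the fields, which this page does not show.

```python
import re

# One esets_scan report line: four double-quoted fields in a fixed order.
# Assumption: field values never contain an unescaped double quote.
LINE_RE = re.compile(
    r'^name="(?P<name>[^"]*)",\s*threat="(?P<threat>[^"]*)",'
    r'\s*action="(?P<action>[^"]*)",\s*info="(?P<info>[^"]*)"\s*$'
)

# Informational results the scanner reports with an empty threat field.
NOT_A_DETECTION = re.compile(r"archive damaged|error reading archive", re.IGNORECASE)

# Constructed lines modelled on the ones quoted in this thread. The last
# two are added for the example: a filename containing a comma and a
# filename containing the phrase "error reading archive".
SAMPLE_OUTPUT = """\
name="./eicar", threat="Eicar test file", action="cleaned by deleting", info=""
name="./test.zip", threat="", action="", info="archive damaged"
name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip", threat="", action="", info="archive damaged"
name="message » MIME » noname » TNEF » attachment.bin", threat="", action="", info="error reading archive"
name="./report, final.zip » ZIP » payload.exe", threat="Win32/Constructed.Sample", action="", info=""
name="./error reading archive.doc", threat="Win32/Constructed.Sample", action="", info=""
"""


def parse_line(line):
    """Return the four fields as a dict, or None for lines that are not
    report lines (banners, scan summaries)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_like_wrapper(line):
    """Shape of the patch's context lines: skip on a substring hit, then
    split on commas and pull each greedy "..." value. Assumption: a line
    counts as a detection when the extracted threat is non-empty."""
    if NOT_A_DETECTION.search(line):
        return None
    parts = line.split(",")
    if len(parts) < 4:
        return None
    values = []
    for part in parts[:2]:
        m = re.search(r'"(.*)"', part)
        values.append(m.group(1) if m else "")
    name, threat = values
    return (name, threat) if threat else None


def classify_by_fields(line):
    """Parse first, then decide on the threat field; the info field only
    explains why there is no threat and is never grepped on its own."""
    rec = parse_line(line)
    if rec is None or rec["threat"] == "":
        return None
    return (rec["name"], rec["threat"])


def infections(output, classify):
    """Return [(name, threat)] for every line the classifier reports."""
    found = []
    for line in output.splitlines():
        hit = classify(line)
        if hit:
            found.append(hit)
    return found


if __name__ == "__main__":
    for label, fn in (("wrapper-shaped", classify_like_wrapper), ("field-based", classify_by_fields)):
        print(label, infections(SAMPLE_OUTPUT, fn))
```

The substring-and-split version reports only the EICAR line: the comma in "report, final.zip" breaks the split so no threat is extracted, and the name containing "error reading archive" is dropped before its threat field is ever read. The field-based version reports all three real detections and still ignores the three "archive damaged" / "error reading archive" lines, because their threat field is empty.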
From: bodik at cesnet.cz (=?UTF-8?Q?Radoslav_Bod=c3=b3?=)
Date: Wed, 5 Dec 2018 16:49:18 +0100
Subject: FixSubstringBoundaries errors
Message-ID: <21a88546-52e1-140b-517f-59c9027a809a@cesnet.cz>

Hello,

after the latest upgrade of our server from MailScanner 4 to 5.1.2 we
have identified that FixSubstringBoundaries is not working properly.

Currently:

* the function FixSubstringBoundaries(...) updates the body and headers
  in the processed $message structure, but the final delivered message
  contains the original non-updated Content-Type boundary header

* that renders updated messages unusable on the server/client side. In
  some cases the messages are just not properly displayed (roundcube), in
  some other cases they might be deleted silently in the background by
  the client (thunderbird).

* possibly corrupted messages can be identified from the logs by
  'Content Checks: Fixed awkward MIME boundary for Cyrus IMAP server'

System affected:

debian 9.5 stretch
postfix 3.1.8-0+deb9u1
mailscanner 5.1.2-2
perl 5.24.1-3+deb9u4
libmime-tools-perl 5.508-1

The attachments of this message contain data for reproducing the issue:

* mailboundary1.txt .. test message to reproduce
* mailboundary1-corrupted.txt .. resulting message documenting the fail
* sendmail.py .. testing helper

cat /tmp/mailboundary1.txt | /tmp/sendmail.py --sender s at webmail-test.redacted --to s at webmail-test.redacted --raw

The only workaround I've been able to come up with is to disable the
feature in the code by commenting out

https://github.com/MailScanner/v5/blob/master/common/usr/share/MailScanner/perl/MailScanner/SweepContent.pm#L215

for the time being.

I've tried to track message processing down to

https://github.com/MailScanner/v5/blob/master/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L5348

but since my knowledge of mailscanner and postfix internals is poor I've
got lost in DeliverModifiedBody(...)

Any help or idea would be highly appreciated.

Thank you
bodik
-------------- next part --------------
From: bod<br>ik at redacted.cz
To: bodik at redacted.cz
Subject: boundaryfix
Content-Type: MULTIPART/MIXED; BOUNDARY="__2018124.A1000013DF4D.xxx.cz__"

--__2018124.A1000013DF4D.xxx.cz__
Content-Type: MULTIPART/ALTERNATIVE; BOUNDARY="__2018124.A1000013DF4D.xxx.cz___2"

--__2018124.A1000013DF4D.xxx.cz___2
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

xxx =A0

--__2018124.A1000013DF4D.xxx.cz___2
Content-Type: text/html; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

xxx

--__2018124.A1000013DF4D.xxx.cz___2--

--__2018124.A1000013DF4D.xxx.cz__
Content-Type: image/gif; NAME="logo.gif"
Content-Transfer-Encoding: BASE64
Content-Description: logo.gif
Content-ID:

R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==

--__2018124.A1000013DF4D.xxx.cz__--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sendmail.py
Type: text/x-python
Size: 2185 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:

From bodik at cesnet.cz Wed Dec 5 16:35:01 2018
From: bodik at cesnet.cz (=?UTF-8?Q?Radoslav_Bod=c3=b3?=)
Date: Wed, 5 Dec 2018 17:35:01 +0100
Subject: FixSubstringBoundaries errors
In-Reply-To: <21a88546-52e1-140b-517f-59c9027a809a@cesnet.cz>
References: <21a88546-52e1-140b-517f-59c9027a809a@cesnet.cz>
Message-ID: <62b16352-2a94-0703-2391-70976945010c@cesnet.cz>

mailboundary1-corrupted.txt was missing in the original message

bodik

> The attachments of this message contain data for reproducing the issue:
>
> * mailboundary1.txt .. test message to reproduce
> * mailboundary1-corrupted.txt .. resulting message documenting the fail
> * sendmail.py .. testing helper
-------------- next part --------------
Return-Path:
Delivered-To: s at webmail-test.redacted
Received: from mailtest.redacted
	by mailtest.redacted (Dovecot) with LMTP id XIonOo/wB1xDVgAAcfirZA
	for ; Wed, 05 Dec 2018 16:36:47 +0100
Received: from mailtest.redacted (localhost [127.0.0.1])
	by mailtest.redacted (Postfix) with ESMTP id 9474840EF247
	for ; Wed, 5 Dec 2018 16:36:46 +0100 (CET)
From: bodik at branany.cz
To: bodik at branany.cz
Subject: boundaryfix
Content-Type: MULTIPART/MIXED; BOUNDARY="__2018124.A1000013DF4D.xxx.cz__"
Message-Id: <20181205153646.9474840EF247 at mailtest.redacted>
Date: Wed, 5 Dec 2018 16:36:46 +0100 (CET)
X-gcsystemcz-MailScanner-Information: Please contact the ISP for more information
X-gcsystemcz-MailScanner-ID: 9474840EF247.A5DDB
X-gcsystemcz-MailScanner: Found to be clean
X-gcsystemcz-MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=4.307, required 5,
	ALL_TRUSTED -1.00, BAYES_00 -1.00, FSL_BULK_SIG 0.00, HTML_MESSAGE 0.00,
	MIME_HEADER_CTYPE_ONLY 0.72, PYZOR_CHECK 1.39, SB_GIF_AND_NO_URIS 2.20,
	TO_NO_BRKTS_HTML_IMG 2.00)
X-gcsystemcz-MailScanner-SpamScore: ssss
X-gcsystemcz-MailScanner-From: s at webmail-test.redacted
X-Spam-Flag: No

--__MailScanner_found_Cyrus_boundary_substring_problem__
Content-Type: MULTIPART/ALTERNATIVE; BOUNDARY="__2018124.A1000013DF4D.xxx.cz___2"

--__2018124.A1000013DF4D.xxx.cz___2
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

xxx =A0

--__2018124.A1000013DF4D.xxx.cz___2
Content-Type: text/html; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

xxx

--__2018124.A1000013DF4D.xxx.cz___2--

--__MailScanner_found_Cyrus_boundary_substring_problem__
Content-Type: image/gif; NAME="logo.gif"
Content-Transfer-Encoding: BASE64
Content-Description: logo.gif
Content-ID:

R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==

--__MailScanner_found_Cyrus_boundary_substring_problem__--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:

From iversons at rushville.k12.in.us Wed Dec 5 16:53:05 2018
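The two messages above, the test input and what MailScanner 5.1.2 delivered, worked through as an added example for this page (Python, not MailScanner's code). The test message is the "substring boundary" case that FixSubstringBoundaries existed for: the inner boundary `__2018124.A1000013DF4D.xxx.cz___2` begins with the outer one, so a parser that matches delimiter lines by prefix instead of by the whole line (RFC 2046 requires `--boundary` or `--boundary--` and nothing else) sees five top-level parts where there are two. The delivered message has the opposite defect: the body boundaries were rewritten but the Content-Type header still names the old one, which a standards-following parser reports as a missing start boundary. Both messages are constructed copies of the ones attached above (addresses changed, headers trimmed).

```python
import email
from email import policy

OUTER = "__2018124.A1000013DF4D.xxx.cz__"
INNER = OUTER + "_2"
REWRITTEN = "__MailScanner_found_Cyrus_boundary_substring_problem__"

# Constructed copy of the test message from the report. The inner boundary
# starts with the outer one: the "substring boundary" case.
ORIGINAL = f"""\
From: bodik@example.invalid
To: bodik@example.invalid
Subject: boundaryfix
Content-Type: MULTIPART/MIXED; BOUNDARY="{OUTER}"

--{OUTER}
Content-Type: MULTIPART/ALTERNATIVE; BOUNDARY="{INNER}"

--{INNER}
Content-Type: text/plain; charset="iso-8859-2"

xxx
--{INNER}
Content-Type: text/html; charset="iso-8859-2"

xxx
--{INNER}--
--{OUTER}
Content-Type: image/gif; NAME="logo.gif"
Content-Transfer-Encoding: BASE64

R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==
--{OUTER}--
"""

# What was delivered according to the report: body delimiter lines of the
# outer multipart rewritten, header left naming the old boundary.
CORRUPTED = (ORIGINAL
             .replace(f"--{OUTER}\n", f"--{REWRITTEN}\n")
             .replace(f"--{OUTER}--", f"--{REWRITTEN}--"))


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def body_of(raw):
    """Everything after the first blank line (the top-level body)."""
    return raw.split("\n\n", 1)[1]


def substring_boundaries(msg):
    """(outer, inner) pairs where a nested multipart's boundary begins with
    the enclosing multipart's boundary."""
    found = []

    def walk(part, enclosing):
        if not part.is_multipart():
            return
        boundary = part.get_boundary()
        if enclosing and boundary.startswith(enclosing):
            found.append((enclosing, boundary))
        for sub in part.iter_parts():
            walk(sub, boundary)

    walk(msg, None)
    return found


def count_parts(body, boundary, strict):
    """Count the parts delimited by `boundary`. strict=True accepts only a
    whole-line --boundary or --boundary-- (RFC 2046); strict=False is the
    prefix match that a substring boundary fools."""
    delim = "--" + boundary
    hits = 0
    for line in body.splitlines():
        line = line.rstrip()
        if strict:
            hits += line == delim or line == delim + "--"
        else:
            hits += line.startswith(delim)
    return hits - 1  # the last delimiter line closes the multipart


def delivery_defects(raw):
    """Parser defect names for the top-level message; StartBoundaryNotFoundDefect
    is the signature of the corruption in the report."""
    return [type(d).__name__ for d in parse(raw).defects]


if __name__ == "__main__":
    print("substring boundaries:", substring_boundaries(parse(ORIGINAL)))
    print("strict parts:", count_parts(body_of(ORIGINAL), OUTER, strict=True))
    print("prefix-match parts:", count_parts(body_of(ORIGINAL), OUTER, strict=False))
    print("defects in delivered copy:", delivery_defects(CORRUPTED))
```

`delivery_defects` is the check to run over a mailbox after an upgrade like the one described: any message whose header boundary is absent from its body was rewritten half-way, whatever the log line said.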
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 5 Dec 2018 11:53:05 -0500
Subject: FixSubstringBoundaries errors
In-Reply-To: <21a88546-52e1-140b-517f-59c9027a809a@cesnet.cz>
References: <21a88546-52e1-140b-517f-59c9027a809a@cesnet.cz>
Message-ID:

I'll take a deep dive hopefully tonight or tomorrow. I'm not sure that
function is even relevant any more...

On Wed, Dec 5, 2018 at 11:33 AM Radoslav Bodó wrote:

> Hello,
>
> after the latest upgrade of our server from MailScanner 4 to 5.1.2 we
> have identified that FixSubstringBoundaries is not working properly.
>
> Currently:
>
> * the function FixSubstringBoundaries(...) updates the body and headers
> in the processed $message structure, but final delivered message
> contains original non-updated Content-Type boundary header
>
> * that renders updated messages unusable on the server/client side. In
> some cases the messages are just not properly displayed (roundcube), in
> some other cases might be deleted silently on the background by the
> client (thunderbird).
>
> * possibly corrupted messages can be identified from the logs by
> 'Content Checks: Fixed awkward MIME boundary for Cyrus IMAP server'
>
> System affected:
>
> debian 9.5 stretch
> postfix 3.1.8-0+deb9u1
> mailscanner 5.1.2-2
> perl 5.24.1-3+deb9u4
> libmime-tools-perl 5.508-1
>
> The attachments of this message contains data for reproducing the issue:
>
> * mailboundary1.txt .. test message to reproduce
> * mailboundary1-corrupted.txt .. resulting message documenting the fail
> * sendmail.py .. testing helper
>
> cat /tmp/mailboundary1.txt | /tmp/sendmail.py --sender
> s at webmail-test.redacted --to s at webmail-test.redacted --raw
>
> The only workaround I've been able to come up is to disable the feature
> in the code by commenting out
>
> https://github.com/MailScanner/v5/blob/master/common/usr/share/MailScanner/perl/MailScanner/SweepContent.pm#L215
>
> for the time being.
>
> I've tried to track down message processing down to
>
> https://github.com/MailScanner/v5/blob/master/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L5348
>
> but since my knowledge of mailscanner and postfix internals are poor
> I've got lost in DeliverModifiedBody(...)
>
> Any help or idea would be highly appreciated.
>
> Thank you
> bodik
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From iversons at rushville.k12.in.us Mon Dec 10 13:15:25 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 10 Dec 2018 08:15:25 -0500
Subject: esets false positive
In-Reply-To:
References:
Message-ID:

Added patch for next release.

On Tue, Dec 4, 2018 at 8:08 AM Nerijus Baliunas <
nerijus at users.sourceforge.net> wrote:

> Hello,
>
> I've got another similar problem. When scanning manually:
>
> name="message", threat="", action="", info="error reading archive"
> name="message » MIME » noname", threat="", action="", info="error reading
> archive"
> name="message » MIME » noname » TNEF » attachment.bin", threat="",
> action="", info="error reading archive"
>
> Could you please apply the following patch:
>
> --- SweepViruses.pm.orig 2018-10-26 13:46:13.000000000 +0300
> +++ SweepViruses.pm 2018-12-04 14:56:24.659909451 +0200
> @@ -1915,6 +1915,9 @@ > # archive damaged > return 0 if $line =~ m/archive damaged/i; > > + # error reading archive > + return 0 if $line =~ m/error reading archive/i; > + > my ($a, $b, $c, $d) = split(/,/, $line); > my ($filename) = $a =~ m/\"(.*)\"/; > my ($threat) = $b =~ m/\"(.*)\"/; > > ? > > Thanks, > Nerijus > > On Fri, 12 Oct 2018 15:31:43 +0300 Nerijus Baliunas < > nerijus at users.sourceforge.net> wrote: > > > I got the file. Here is the output of a virus: > > > > # /opt/eset/esets/sbin/esets_scan . > > ... > > name="./eicar", threat="Eicar test file", action="cleaned by deleting", > info="" > > ... > > # echo $? > > 1 > > > > Output of false positive: > > > > # /opt/eset/esets/sbin/esets_scan . > > ... > > name="./test.zip", threat="", action="", info="archive damaged" > > name="./test.zip ? ZIP ? __MACOSX/R/Typefaces/._DIN-Black.zip", > threat="", action="", info="archive damaged" > > name="./test.zip ? ZIP ? __MACOSX/R/Typefaces/._DIN-Black.zip ? ZIP ? ", > threat="", action="", info="archive damaged" > > name="./test.zip ? ZIP ? __MACOSX/R/Typefaces/._Sanchez Light .zip", > threat="", action="", info="archive damaged" > > name="./test.zip ? ZIP ? __MACOSX/R/Typefaces/._Sanchez Light .zip ? ZIP > ? ", threat="", action="", info="archive damaged" > > ... > > # echo $? > > 10 > > > > Archives are OK, I can view/extract them, so it is most probably a bug > in esets scanner itself. > > Empty threat (threat="") with info="archive damaged" should probably be > allowed. > > > > On Thu, 11 Oct 2018 08:50:31 -0400 Shawn Iverson via MailScanner < > mailscanner at lists.mailscanner.info> wrote: > > > > > That is most likely the esets wrapper and SweepViruses.pm function > failing > > > to parse the output of the virus scanner properly. > > > > > > I would start there and run a manual scan based on the parameters in > the > > > wrapper against a file that triggers the problem. 
> > > I would then take a look
> > > at the ProcessEsetsOutput function and see if the regex in there make
> > > sense for the output.
> > >
> > > On Thu, Oct 11, 2018 at 5:34 AM Nerijus Baliunas <
> > > nerijus at users.sourceforge.net> wrote:
> > >
> > > > Hello,
> > > >
> > > > I use latest mailscanner 5.1.1-1 with esets. It works OK, but
> > > > occasionally it "detects" viruses in harmless files. For example:
> > > >
> > > > Oct 11 11:55:18 mail MailScanner[3063]: New Batch: Scanning 1 messages,
> > > > 4623339 bytes
> > > > Oct 11 11:55:19 mail MailScanner[3063]: Virus and Content Scanning:
> > > > Starting
> > > > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Virus Scanning: esets found 17
> > > > infections
> > > > Oct 11 11:55:26 mail MailScanner[3063]: Infected message
> > > > 9231B2A14054.A15A2 came from 192.168.x.x
> > > > Oct 11 11:55:26 mail MailScanner[3063]: Virus Scanning: Found 17
> > > > viruses
> > > >
> > > > While a real virus output looks like this:
> > > > Oct 11 01:39:44 mail MailScanner[4184]: New Batch: Scanning 1 messages,
> > > > 2104 bytes
> > > > Oct 11 01:39:44 mail MailScanner[4184]: Virus and Content Scanning:
> > > > Starting
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test
> > > > file
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test
> > > > file
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test
> > > > file
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: esets found 3
> > > > infections
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Infected message
> > > > EF7F72A14053.A770C came from 5.2.x.x
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: Found 3
> > > > viruses
> > > >
> > > > How do I debug this?
> > > >
> > > > Regards,
> > > > Nerijus
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From iversons at rushville.k12.in.us Mon Dec 10 13:17:58 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 10 Dec 2018 08:17:58 -0500
Subject: FixSubstringBoundaries errors
In-Reply-To:
References: <21a88546-52e1-140b-517f-59c9027a809a@cesnet.cz>
Message-ID:

Removed FixSubstringBoundaries for next release. The problem has long
since been resolved and this workaround is no longer necessary. I left
the code commented for future reference.

On Wed, Dec 5, 2018 at 11:53 AM Shawn Iverson wrote:

> I'll take a deep dive hopefully tonight or tomorrow. I'm not sure that
> function is even relevant any more...
>
> On Wed, Dec 5, 2018 at 11:33 AM Radoslav Bodó wrote:
>
>> Hello,
>>
>> after the latest upgrade of our server from MailScanner 4 to 5.1.2 we
>> have identified that FixSubstringBoundaries is not working properly.
>>
>> Currently:
>>
>> * the function FixSubstringBoundaries(...) updates the body and headers
>> in the processed $message structure, but final delivered message
>> contains original non-updated Content-Type boundary header
>>
>> * that renders updated messages unusable on the server/client side. In
>> some cases the messages are just not properly displayed (roundcube), in
>> some other cases might be deleted silently on the background by the
>> client (thunderbird).
>>
>> * possibly corrupted messages can be identified from the logs by
>> 'Content Checks: Fixed awkward MIME boundary for Cyrus IMAP server'
>>
>> System affected:
>>
>> debian 9.5 stretch
>> postfix 3.1.8-0+deb9u1
>> mailscanner 5.1.2-2
>> perl 5.24.1-3+deb9u4
>> libmime-tools-perl 5.508-1
>>
>> The attachments of this message contains data for reproducing the issue:
>>
>> * mailboundary1.txt .. test message to reproduce
>> * mailboundary1-corrupted.txt .. resulting message documenting the fail
>> * sendmail.py .. testing helper
>>
>> cat /tmp/mailboundary1.txt | /tmp/sendmail.py --sender
>> s at webmail-test.redacted --to s at webmail-test.redacted --raw
>>
>> The only workaround I've been able to come up is to disable the feature
>> in the code by commenting out
>>
>> https://github.com/MailScanner/v5/blob/master/common/usr/share/MailScanner/perl/MailScanner/SweepContent.pm#L215
>>
>> for the time being.
>>
>> I've tried to track down message processing down to
>>
>> https://github.com/MailScanner/v5/blob/master/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L5348
>>
>> but since my knowledge of mailscanner and postfix internals are poor
>> I've got lost in DeliverModifiedBody(...)
>>
>> Any help or idea would be highly appreciated.
>>
>> Thank you
>> bodik
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 option 7
> iversons at rushville.k12.in.us
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From qxh7 at bluewin.ch Fri Dec 21 11:05:27 2018
From: qxh7 at bluewin.ch (qxh7 at bluewin.ch)
Date: Fri, 21 Dec 2018 12:05:27 +0100 (CET)
Subject: Attachment extension
Message-ID: <343973312.16400.1545390327595.JavaMail.webmail@bluewin.ch>

Hello,

I am using a quite old version of MailScanner (4.84.6-1) and I cannot
update it for now because it has been massively patched.
I couldn't find another trace of the bug I am facing (besides
https://github.com/MailScanner/v5/issues/21 ) so I report it, but I am
not sure this is still present in the current version.

If a mail is sent with an attachment with parentheses in the name, the
detection for the file extension may break. For example, I had a rule to
reject *.doc but a .docx was rejected.
I tested the very same file with the names "b\(b\).docx" and "b.docx";
the second one was correctly accepted while the first one was stopped
and reported to be a .doc file.

I also had a case of a mail where the attachment name contained Chinese
characters. If the name for that file was "directly in UTF8" in the
headers (?.docx), everything went fine, but if the name was encoded (eg
=?UTF-8?b?5b635Zu9YmFie...?=), then the file was seen as .doc

I made tests for .xlsx which ran into the same trouble, to see the impact
on our clients.

I also sent an attachment named .docsjfgsqjlgjqsglq which was then seen
as doc.

I didn't have enough time to run my tests with the current version of
MailScanner, so please let me know if this is an old bug.

Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From iversons at rushville.k12.in.us Fri Dec 21 14:19:23 2018
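An added example for this page (Python, not MailScanner code) showing the two things an extension check has to get right before any rule like "reject *.doc" can work: decode the name (RFC 2047 encoded-words such as =?UTF-8?b?...?= arrive as an opaque blob) and then test the extension anchored at the end of the decoded name, so that parentheses, spaces or non-ASCII characters earlier in the name and longer extensions like .docx or .docsjfgsqjlgjqsglq do not match. The deliberately sloppy `naive_is_denied` is a contrast only: it reproduces the symptoms in the report (a .docx flagged as .doc) but not MailScanner 4.84's actual code path, which this page does not show. The names are constructed; the Chinese one is chosen so that its encoded form starts with the same characters as the truncated example above, and the rest of the original name is not known.

```python
import base64
import re
from email.header import decode_header

DENY_EXTENSIONS = ("doc",)  # the rule from the report: reject *.doc

# Constructed attachment names. The encoded-word form of CJK_NAME begins
# with the same characters as the report's truncated example.
CJK_NAME = "\u5fb7\u56fdbaby.docx"
ENCODED_NAME = "=?UTF-8?b?" + base64.b64encode(CJK_NAME.encode("utf-8")).decode("ascii") + "?="
SAMPLES = [
    "b.docx",
    "b(b).docx",
    CJK_NAME,
    ENCODED_NAME,
    "notes.docsjfgsqjlgjqsglq",
    "memo.doc",
]


def decode_name(raw_name):
    """Decode RFC 2047 encoded-words in a filename; plain names are returned
    unchanged. Undecodable bytes are replaced rather than dropped so the
    extension test still sees the tail of the name."""
    parts = []
    for chunk, charset in decode_header(raw_name):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def extension(name):
    """Whatever follows the last dot of the last path component, lowercased;
    parentheses or non-ASCII text before it are irrelevant."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def is_denied(raw_name, deny=DENY_EXTENSIONS):
    """Hardened check: decode, then compare the whole extension."""
    return extension(decode_name(raw_name)) in deny


def naive_is_denied(raw_name, deny=DENY_EXTENSIONS):
    """Contrast only: unanchored substring test on the undecoded header value,
    so ".doc" also matches inside ".docx" and an encoded-word is never seen."""
    return any(re.search(r"\." + re.escape(ext), raw_name, re.IGNORECASE) for ext in deny)


def evaluate(names):
    """Map each raw name to (naive verdict, hardened verdict)."""
    return {name: (naive_is_denied(name), is_denied(name)) for name in names}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate(SAMPLES).items():
        print("%-45s naive=%-5s hardened=%s" % (name, naive, hardened))
```

Of the six names only memo.doc should be rejected; the naive test also rejects every .docx and the .docsjfg... name, and cannot judge the encoded one at all because it never decodes it.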
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 21 Dec 2018 09:19:23 -0500
Subject: Attachment extension
In-Reply-To: <343973312.16400.1545390327595.JavaMail.webmail@bluewin.ch>
References: <343973312.16400.1545390327595.JavaMail.webmail@bluewin.ch>
Message-ID:

I'll run some tests, but I believe that these are old bugs.

On Fri, Dec 21, 2018 at 9:14 AM qxh7 at bluewin.ch wrote:

> Hello,
>
> I am using a quite old version of MailScanner (4.84.6-1) and I cannot
> update it for now because it has been massively patched.
> I couldn't find another trace of the bug I am facing (besides from
> https://github.com/MailScanner/v5/issues/21 ) so I report it but I am not
> sure this is still present in the current version.
>
> If a mail is sent with an attachment with parenthesis in the name, the
> detection for the file extension may break. For example, I had a rule to
> reject *.doc but a .docx was rejected.
> I tested the very same file with a name "b\(b\).docx" and "b.docx", the
> second one was correctly accepted while the first one was stopped and
> reported to be a .doc file.
>
> I also had a case of a mail where the attachment was containing chinese
> characters. If the name for that file was "directly in UTF8" in the headers
> (?.docx), everything went fine but if the name was encoded (eg
> =?UTF-8?b?5b635Zu9YmFie...?=), then the file was seen as .doc
>
> I made tests for .xlsx which ran into the same trouble to see the impact
> on our clients.
>
> I also sent attachment named .docsjfgsqjlgjqsglq which then were seen as
> doc.
>
> I didn't have enough time to run my tests with the current version of
> MailScanner, so please let me know if this is an old bug.
>
> Best regards,
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Nicola.Piazzi at gruppocomet.it Fri Dec 28 13:19:30 2018
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Fri, 28 Dec 2018 13:19:30 +0000
Subject: About AntiVirus load time
Message-ID:

Hi everyone

I found that antivirus scanning, for example clamscan, takes a long time
and CPU to load it and less to scan the file.

This is an example:

time /usr/bin/clamscan --database /var/lib/clamav3 /var/spool/MailScanner/quarantine/20181214/nonspam/1595B20064.A5116

----------- SCAN SUMMARY -----------
Known viruses: 6899927
Engine version: 0.100.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 15.838 sec (0 m 15 s)

real    0m15.843s
user    0m14.934s
sys     0m0.905s

So it takes 15 secs of CPU to do a scan of a single email, sigh.
If I scan the entire dir it takes a little bit more, so the time is spent
loading the libraries themselves.

Is it possible to have it in memory so we can do it faster and less CPU
expensive?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From iversons at rushville.k12.in.us Fri Dec 28 17:30:53 2018
From iversons at rushville.k12.in.us Fri Dec 28 17:30:53 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 28 Dec 2018 12:30:53 -0500
Subject: About AntiVirus load time
In-Reply-To:
References:
Message-ID:

What do you get if you use clamd instead?

On Fri, Dec 28, 2018 at 12:29 PM Nicola Piazzi wrote:

> Hi everyone
>
> I found that antivirus scanning, for example clamscan, takes a long time and
> CPU to load it and less to scan the file
>
> [...]
>
> Is it possible to have it in memory so we can do it faster and less CPU
> expensive?

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
From mark at msapiro.net Fri Dec 28 17:33:03 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 28 Dec 2018 09:33:03 -0800
Subject: About AntiVirus load time
In-Reply-To:
References:
Message-ID: <09ae43ad-2aee-4500-7b5e-fb74415ff0d1@msapiro.net>

On 12/28/18 5:19 AM, Nicola Piazzi wrote:
>
> I found that antivirus scanning, for example clamscan, takes a long time
> and CPU to load it and less to scan the file

Set

Virus Scanners = clamd

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
From Nicola.Piazzi at gruppocomet.it Sat Dec 29 08:26:05 2018
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Sat, 29 Dec 2018 08:26:05 +0000
Subject: R: About AntiVirus load time
In-Reply-To: <09ae43ad-2aee-4500-7b5e-fb74415ff0d1@msapiro.net>
References: <09ae43ad-2aee-4500-7b5e-fb74415ff0d1@msapiro.net>
Message-ID: <0f61bbe3350647c7b7a2299a3ddd3ce5@gruppocomet.it>

Thanks Mark,

In the Virus Scanners section I have clamd, so when I do clamscan manually it takes 15 seconds, but it is not the same thing that MailScanner does.
MailScanner uses the clamd daemon that already has the databases in memory, so it is OK.

I also use Sophos, which is free and also takes 7 seconds to run.

Does someone have other free antivirus that works with MailScanner?

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.comet.it

-----Original Message-----
From: MailScanner On Behalf Of Mark Sapiro
Sent: Friday, 28 December 2018 18:33
To: mailscanner at lists.mailscanner.info
Subject: Re: About AntiVirus load time

On 12/28/18 5:19 AM, Nicola Piazzi wrote:
>
> I found that antivirus scanning, for example clamscan, takes a long time
> and CPU to load it and less to scan the file

Set

Virus Scanners = clamd

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
From mark at msapiro.net Sat Dec 29 17:06:24 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 29 Dec 2018 09:06:24 -0800
Subject: R: About AntiVirus load time
In-Reply-To: <0f61bbe3350647c7b7a2299a3ddd3ce5@gruppocomet.it>
References: <09ae43ad-2aee-4500-7b5e-fb74415ff0d1@msapiro.net> <0f61bbe3350647c7b7a2299a3ddd3ce5@gruppocomet.it>
Message-ID:

On 12/29/18 12:26 AM, Nicola Piazzi wrote:
> Thanks Mark
> In the Virus Scanners section I have clamd, so when I do clamscan manually it takes 15 seconds, but it is not the same thing that MailScanner does.
> MailScanner uses the clamd daemon that already has the databases in memory, so it is OK.

If your question is how to speed up command line scanning outside of
MailScanner, use clamdscan instead of clamscan.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
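What "Virus Scanners = clamd" buys, as an added example that is neither MailScanner's nor ClamAV's own code: the file is streamed to the already-running daemon with clamd's INSTREAM command, so the signature database is loaded once in the daemon rather than on every clamscan invocation. The framing and reply strings follow clamd's protocol; the socket path is an assumption to be taken from the LocalSocket setting in clamd.conf.

```python
import socket
import struct

CHUNK = 64 * 1024  # keep the total below clamd's configured StreamMaxLength


def instream_frames(data, chunk=CHUNK):
    """Bytes to send for clamd's zINSTREAM command: the command, then chunks
    each prefixed with a 4-byte big-endian length, then a zero-length chunk
    that marks end of stream."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        frames.append(struct.pack(">I", len(piece)) + piece)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_reply(reply):
    """Interpret the NUL-terminated reply: 'stream: OK', 'stream: <sig> FOUND'
    or an error line. Returns (status, detail)."""
    text = reply.rstrip(b"\0\n").decode("ascii", errors="replace")
    if text.endswith(" FOUND"):
        detail = text.split(": ", 1)[-1]
        return "FOUND", detail[:-len(" FOUND")]
    if text.endswith(" OK"):
        return "OK", None
    return "ERROR", text


def scan_bytes(data, sock_path="/var/run/clamav/clamd.sock"):
    """Scan a buffer through a running clamd over its Unix socket. The socket
    path is an assumption: use the LocalSocket value from your clamd.conf."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```

clamdscan, which Mark suggests for command-line use, speaks the same daemon protocol, which is why it avoids the 15 s load that clamscan pays each run.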
From Nicola.Piazzi at gruppocomet.it Mon Dec 31 16:15:29 2018
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Mon, 31 Dec 2018 16:15:29 +0000
Subject: Doesnt more detect sophos
Message-ID:

Hi,

I found that MailScanner does not catch Sophos viruses any more, in an existing installation and also in a fresh install.

Here is the maillog of a working message:

2018-12-03T01:13:17.634913+01:00 EFA42 MailScanner[4191]: >>> Virus 'Mal/DrodAce-A' found in file ./27176108233.AC1B9/201283765ref20181203_xls.ace
2018-12-03T01:13:17.635238+01:00 EFA42 MailScanner[4191]: Virus Scanning: Sophos found 1 infections
2018-12-03T01:13:17.635417+01:00 EFA42 MailScanner[4191]: Infected message 27176108233.AC1B9 came from 82.193.37.22
2018-12-03T01:13:17.635543+01:00 EFA42 MailScanner[4191]: Virus Scanning: Found 1 viruses

Here is the maillog of a non-working message:

2018-12-17T16:21:48.334526+01:00 EFA42 MailScanner[2649]: >>> Virus 'Mal/DrodAce-A' found in file /var/pool/MailScanner/incoming/2649/DB73A106051.A5516/nPO-18191111060.ace
2018-12-17T16:21:48.334859+01:00 EFA42 MailScanner[2649]: Virus Scanning: Sophos found 1 infections
2018-12-17T16:21:48.335071+01:00 EFA42 MailScanner[2649]: Infected message var came from
2018-12-17T16:21:48.335207+01:00 EFA42 MailScanner[2649]: Virus Scanning: Found 1 viruses

NOTE: Infected message "var" instead of the real file name!!!

This is the newest installed version:

[root at EFA41 sbin]# sweep --version
SAVScan virus detection utility
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.
System time 05:01:58 PM, System date 31 December 2018
Product version : 5.53.0
Engine version : 3.74.2
Virus data version : 5.58
User interface version : 2.03.074
Platform : Linux/AMD64
Released : 11 December 2018
Total viruses (with IDEs) : 28304428
From mark at msapiro.net Mon Dec 31 19:50:26 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 31 Dec 2018 11:50:26 -0800
Subject: Doesnt more detect sophos
In-Reply-To:
References:
Message-ID: <65692dc7-3d9e-cfc8-d0d1-e59852666f44@msapiro.net>

On 12/31/18 8:15 AM, Nicola Piazzi wrote:
>
> Here is the maillog of a non-working message:
>
> 2018-12-17T16:21:48.334526+01:00 EFA42 MailScanner[2649]: >>> Virus
> 'Mal/DrodAce-A' found in file
> /var/pool/MailScanner/incoming/2649/DB73A106051.A5516/nPO-18191111060.ace
>
> 2018-12-17T16:21:48.334859+01:00 EFA42 MailScanner[2649]: Virus
> Scanning: Sophos found 1 infections
>
> 2018-12-17T16:21:48.335071+01:00 EFA42 MailScanner[2649]: Infected
> message var came from
>
> 2018-12-17T16:21:48.335207+01:00 EFA42 MailScanner[2649]: Virus
> Scanning: Found 1 viruses
>
> NOTE: Infected message "var" instead of the real file name!!!

Is there some issue besides this particular message? It appears that
MailScanner is detecting the virus. Perhaps the Sophos report has changed
in some way in the latest version.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
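The two log excerpts in this thread differ in one visible way: the working report named the file as "./<queue id>/<file>", the failing one as an absolute path under the incoming directory. An added illustration, constructed here and not MailScanner's Sophos parser, of how taking the first path component reproduces the "var" in "Infected message var", and how anchoring on the known incoming directory recovers the queue id from either style; the parsing rule it assumes is mine, and the log lines are modelled on the ones above.

```python
import os
import re

# Constructed lines modelled on the two maillog excerpts in this thread: the
# working report names the file relative to the incoming directory ("./ID/..."),
# the failing one gives an absolute path.
REPORTS = [
    "Virus 'Mal/DrodAce-A' found in file ./27176108233.AC1B9/201283765ref20181203_xls.ace",
    "Virus 'Mal/DrodAce-A' found in file /var/pool/MailScanner/incoming/2649/DB73A106051.A5516/nPO-18191111060.ace",
]
INCOMING_DIR = "/var/pool/MailScanner/incoming/2649"  # as it appears in the log

FOUND_RE = re.compile(r"^Virus '(?P<sig>[^']+)' found in file (?P<path>\S+)$")


def naive_message_id(path):
    """Assumed parsing rule: the component after the first '/'. Correct for
    './ID/file', but an absolute path yields 'var'."""
    return path.split("/")[1]


def robust_message_id(path, incoming_dir=INCOMING_DIR):
    """Normalise to a path relative to the incoming directory before taking
    the leading component, so both report styles map to the queue id.
    Returns None when the path is not under the incoming directory."""
    if path.startswith("./"):
        rel = path[2:]
    elif os.path.isabs(path):
        rel = os.path.relpath(path, incoming_dir)
    else:
        rel = path
    if rel.startswith(".."):
        return None
    return rel.split("/")[0]


def parse_report(line):
    """Return (signature, queue id) for a Sophos 'found in file' line, or None
    for lines that are not a detection report."""
    m = FOUND_RE.match(line)
    if not m:
        return None
    return m.group("sig"), robust_message_id(m.group("path"))
```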