From kevin.chege at gmail.com Wed Jan 6 07:01:01 2021
From: kevin.chege at gmail.com (Kevin G. Chege)
Date: Wed, 6 Jan 2021 10:01:01 +0300
Subject: Help with MailScanner and remote clamd
In-Reply-To: <01a301d6d2a5$0fc76190$2f5624b0$@gmail.com>
References: <01a301d6d2a5$0fc76190$2f5624b0$@gmail.com>
Message-ID:

Hi,

I have MailScanner installed and it works OK with a locally available clamd socket configuration. But when I try to use a remote Clamd socket (an IP address of another jail on the system) with this configuration in MailScanner.conf:

Virus Scanners = clamd
Clamd Port = 3310
Clamd Socket = 127.0.0.87

I get the following error:

MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: No such file or directory. ERROR :: /var/spool/MailScanner/incoming/16761
Virus Scanning: Clamd found 1 infections
Virus Scanning: Found 1 viruses
===========================================================================

I have checked and indeed "/var/spool/MailScanner/incoming/16761" does not exist.

On the machine with Clamd running on an IP and port, this is the message in the ClamAV log file:

WARNING: lstat() failed on: /var/spool/MailScanner/incoming/16761

The permissions look OK to me since with a local Clamd it is working well. Could someone help with the appropriate config for MailScanner and a remote Clam antivirus?
From shawniverson at summitgrid.com Wed Jan 6 11:38:40 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Wed, 6 Jan 2021 06:38:40 -0500
Subject: Help with MailScanner and remote clamd
In-Reply-To:
References: <01a301d6d2a5$0fc76190$2f5624b0$@gmail.com>
Message-ID: <4359c0fc-993a-779d-7555-cbf17389d895@summitgrid.com>

I'm afraid what you are trying to do is not possible. MailScanner does not send the files to the socket for scanning. It merely calls clamd to scan the files locally via the socket.

On 1/6/21 2:01 AM, Kevin G. Chege wrote:
> Hi,
>
> I have MailScanner installed and it works OK with a locally available
> clamd socket configuration. But when I try to use a remote Clamd
> socket (an IP address of another jail on the system) with this
> configuration in MailScanner.conf:
>
> Virus Scanners = clamd
> Clamd Port = 3310
> Clamd Socket = 127.0.0.87
>
> I get the following error:
>
> MailScanner.conf says "Virus Scanners = clamd"
> Found these virus scanners installed: clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: No such file or
> directory. ERROR :: /var/spool/MailScanner/incoming/16761
> Virus Scanning: Clamd found 1 infections
> Virus Scanning: Found 1 viruses
> ===========================================================================
>
> I have checked and indeed "/var/spool/MailScanner/incoming/16761" does
> not exist.
>
> On the machine with Clamd running on an IP and port, this is the
> message in the ClamAV log file:
>
> WARNING: lstat() failed on: /var/spool/MailScanner/incoming/16761
>
> The permissions look OK to me since with a local Clamd it is working
> well. Could someone help with the appropriate config for MailScanner
> and a remote Clam antivirus?
From kevin.chege at gmail.com Thu Jan 7 18:29:12 2021
From: kevin.chege at gmail.com (Kevin G. Chege)
Date: Thu, 7 Jan 2021 21:29:12 +0300
Subject: Help with MailScanner and remote clamd
In-Reply-To: <4359c0fc-993a-779d-7555-cbf17389d895@summitgrid.com>
References: <01a301d6d2a5$0fc76190$2f5624b0$@gmail.com> <4359c0fc-993a-779d-7555-cbf17389d895@summitgrid.com>
Message-ID:

OK, thanks Shawn. I will try something else, like a dedicated MailScanner + ClamAV instance to route mail through.

Kevin

On Wed, Jan 6, 2021 at 2:38 PM Shawn Iverson via MailScanner <mailscanner at lists.mailscanner.info> wrote:
> I'm afraid what you are trying to do is not possible. MailScanner does
> not send the files to the socket for scanning. It merely calls clamd to
> scan the files locally via the socket.
>
> On 1/6/21 2:01 AM, Kevin G. Chege wrote:
>
> Hi,
>
> I have MailScanner installed and it works OK with a locally available clamd
> socket configuration. But when I try to use a remote Clamd socket (an IP
> address of another jail on the system) with this configuration in
> MailScanner.conf:
>
> Virus Scanners = clamd
> Clamd Port = 3310
> Clamd Socket = 127.0.0.87
>
> I get the following error:
>
> MailScanner.conf says "Virus Scanners = clamd"
> Found these virus scanners installed: clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: No such file or
> directory. ERROR :: /var/spool/MailScanner/incoming/16761
> Virus Scanning: Clamd found 1 infections
> Virus Scanning: Found 1 viruses
> ===========================================================================
>
> I have checked and indeed "/var/spool/MailScanner/incoming/16761" does not
> exist.
> On the machine with Clamd running on an IP and port, this is the message
> in the ClamAV log file:
>
> WARNING: lstat() failed on: /var/spool/MailScanner/incoming/16761
>
> The permissions look OK to me since with a local Clamd it is working
> well. Could someone help with the appropriate config for MailScanner and a
> remote Clam antivirus?
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner

From Nicola.Piazzi at gruppocomet.it Mon Jan 11 16:18:03 2021
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Mon, 11 Jan 2021 16:18:03 +0000
Subject: mailscanner virus scanning rule doesnt work
Message-ID: <8274a7ce8598475da9beccac8ec42b31@gruppocomet.it>

MailScanner version 5.3.4

In MailScanner.conf I put the directive to use the default rule file:

Virus Scanning = %rules-dir%/scan.messages.virus.rules

This file contains 10. That is the prefix of the mail server that sends mail to MailScanner; no other clients are sending mail to this MailScanner at the moment!

/etc/MailScanner/rules/scan.messages.virus.rules
From: 10. no
FromOrTo: default yes

In this way MailScanner must bypass scanning of email from my server, which is 10.1.1.126 (I tried also "From: 10.1.1.126 no", and I tried also a fixed-path rule file).

I set clamd to log clean files as well and tail the log to see the messages being scanned:

/etc/clamd.d/scan.conf
LogClean yes

[root at EFA42 ~]# tail -f /var/log/clamd.scan
/var/spool/MailScanner/incoming/22415/4DDzJb4tmszlfdyn/nmsg-22415-15.txt: OK
/var/spool/MailScanner/incoming/22415/4DDzJb4tmszlfdyn.header: OK
/var/spool/MailScanner/incoming/22415/4DDzJb4tmszlfdyn/nmsg-22415-16.txt: OK
/var/spool/MailScanner/incoming/22415/4DDzJb4tmszlfdyn/nwinmail.dat: OK
Etc etc

As you can see, clamd scans incoming mail from 10.1.1.126, ignoring the rule file directives, the same as putting "Virus Scanning = Yes" directly in MailScanner.conf. If I put "Virus Scanning = No", clamd correctly bypasses every message.

Nicola Piazzi
Sistemi Informativi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 347.5027273
www.comet.it
www.gruppocomet.it

From mark at msapiro.net Mon Jan 11 20:53:53 2021
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 11 Jan 2021 12:53:53 -0800
Subject: mailscanner virus scanning rule doesnt work
In-Reply-To: <8274a7ce8598475da9beccac8ec42b31@gruppocomet.it>
References: <8274a7ce8598475da9beccac8ec42b31@gruppocomet.it>
Message-ID: <9af073c8-2721-1721-13a7-5332931bf7dd@msapiro.net>

On 1/11/21 8:18 AM, Nicola Piazzi via MailScanner wrote:
>
> This file contains 10. That is the prefix of the mail server that sends mail to
> MailScanner; no other clients are sending mail to this MailScanner at the moment!

Are you sure that is the IP that MailScanner sees? What does the MTA log show for the from IP?

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From Nicola.Piazzi at gruppocomet.it Tue Jan 12 07:29:24 2021
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 12 Jan 2021 07:29:24 +0000
Subject: R: mailscanner virus scanning rule doesnt work
In-Reply-To: <9af073c8-2721-1721-13a7-5332931bf7dd@msapiro.net>
References: <8274a7ce8598475da9beccac8ec42b31@gruppocomet.it> <9af073c8-2721-1721-13a7-5332931bf7dd@msapiro.net>
Message-ID: <6197a06cedb44f74b5b9019ab6d4ef1a@gruppocomet.it>

I tried also

FromOrTo: default no

and it scans everything.

Nicola Piazzi
Sistemi Informativi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 347.5027273
www.comet.it
www.gruppocomet.it

-----Original message-----
From: MailScanner on behalf of Mark Sapiro
Sent: Monday, 11 January 2021 21:54
To: mailscanner at lists.mailscanner.info
Subject: Re: mailscanner virus scanning rule doesnt work
Priority: Low

On 1/11/21 8:18 AM, Nicola Piazzi via MailScanner wrote:
>
> This file contains 10. That is the prefix of the mail server that sends mail to
> MailScanner; no other clients are sending mail to this MailScanner at the moment!

Are you sure that is the IP that MailScanner sees? What does the MTA log show for the from IP?

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From Nicola.Piazzi at gruppocomet.it Tue Jan 12 08:54:42 2021
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 12 Jan 2021 08:54:42 +0000
Subject: Deep test virus scan rule that doesnt work
Message-ID:

[In MailScanner.conf I put the Virus Scanning directive so that it uses a fixed-path file, so I am sure that is not wrong]
vi /etc/MailScanner/MailScanner.conf
Virus Scanning = /mio/mio.rule

[In the file I put only "negate scan by default"]
vi /mio/mio.rule
FromOrTo: Default No

[chmod dir and file to ensure access]
chmod 777 /mio;chmod 777 /mio/mio.rule

[restart mailscanner]
systemctl stop mailscanner;sleep 2;systemctl start mailscanner

[but clamd still scans incoming mail]
# tail -f /var/log/clamd.scan
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nimage003.png: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nimage002.png: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nimage006.jpg: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nimage004.png: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nimage005.png: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY.header: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nmsg-9751-4.txt: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nmsg-9751-6.txt: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nmsg-9751-5.html: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY.message: OK
/var/spool/MailScanner/incoming/9751/4DFPPb6C85zlfdyp/nmsg-9751-7.txt: OK

[The only way to stop clamd scanning email is to put "Virus Scanning = No" in MailScanner.conf. Using a rule is the same as "Virus Scanning = Yes"; it doesn't look at the rule contents]
From it at festa.bg Tue Jan 12 09:26:07 2021
From: it at festa.bg (Valentin Laskov)
Date: Tue, 12 Jan 2021 11:26:07 +0200
Subject: Deep test virus scan rule that doesnt work
In-Reply-To:
References:
Message-ID: <43c61d91-3f31-283e-431e-fd2fd6cb9d2e@festa.bg>

On 12.01.2021 at 10:54, Nicola Piazzi via MailScanner wrote:
> FromOrTo: Default No

Are the fields separated by Tab? Or space?

Must be tab separated.

Regards!
Valentin

--
Tel.: +359 52 669137
GSM: +359 888 669137
Fax: +359 52 669110

From Nicola.Piazzi at gruppocomet.it Tue Jan 12 09:59:40 2021
From: Nicola.Piazzi at gruppocomet.it (Nicola Piazzi)
Date: Tue, 12 Jan 2021 09:59:40 +0000
Subject: R: Deep test virus scan rule that doesnt work
In-Reply-To: <43c61d91-3f31-283e-431e-fd2fd6cb9d2e@festa.bg>
References: <43c61d91-3f31-283e-431e-fd2fd6cb9d2e@festa.bg>
Message-ID: <06850f18d3e143af8fc771ec34729a4c@gruppocomet.it>

Valentin, I tried everything but it is the same.

Nicola Piazzi
Sistemi Informativi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 347.5027273
www.comet.it
www.gruppocomet.it

From: MailScanner on behalf of Valentin Laskov
Sent: Tuesday, 12 January 2021 10:26
To: mailscanner at lists.mailscanner.info
Subject: Re: Deep test virus scan rule that doesnt work
Priority: Low

On 12.01.2021 at 10:54, Nicola Piazzi via MailScanner wrote:

FromOrTo: Default No

Are the fields separated by Tab? Or space?

Must be tab separated.

Regards!
Valentin

--
Tel.: +359 52 669137
GSM: +359 888 669137
Fax: +359 52 669110
From shawniverson at summitgrid.com Tue Jan 12 17:15:04 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Tue, 12 Jan 2021 12:15:04 -0500
Subject: R: Deep test virus scan rule that doesnt work
In-Reply-To: <06850f18d3e143af8fc771ec34729a4c@gruppocomet.it>
References: <43c61d91-3f31-283e-431e-fd2fd6cb9d2e@festa.bg> <06850f18d3e143af8fc771ec34729a4c@gruppocomet.it>
Message-ID: <4f0d7fe0-bc28-c9a3-4e41-1496708f4cd9@summitgrid.com>

I'll run a test this evening on my instance and see if there is something up with the codebase...

On 1/12/21 4:59 AM, Nicola Piazzi via MailScanner wrote:
>
> Valentin, I tried everything but it is the same.
>
> *Nicola Piazzi*
> Sistemi Informativi
> COMET s.p.a.
> Via Michelino, 105 - 40127 Bologna - Italia
> Tel. +39 051.6079.293
> Cell. +39 347.5027273
> www.comet.it
> www.gruppocomet.it
>
> *From:* MailScanner *on behalf of* Valentin Laskov
> *Sent:* Tuesday, 12 January 2021 10:26
> *To:* mailscanner at lists.mailscanner.info
> *Subject:* Re: Deep test virus scan rule that doesnt work
> *Priority:* Low
>
> On 12.01.2021 at 10:54, Nicola Piazzi via MailScanner wrote:
>
> FromOrTo: Default No
>
> Are the fields separated by Tab? Or space?
>
> Must be tab separated.
>
> Regards!
> Valentin
>
> --
> Tel.: +359 52 669137
> GSM: +359 888 669137
> Fax: +359 52 669110
From shawniverson at summitgrid.com Wed Jan 13 03:40:43 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Tue, 12 Jan 2021 22:40:43 -0500
Subject: R: Deep test virus scan rule that doesnt work
In-Reply-To: <4f0d7fe0-bc28-c9a3-4e41-1496708f4cd9@summitgrid.com>
References: <43c61d91-3f31-283e-431e-fd2fd6cb9d2e@festa.bg> <06850f18d3e143af8fc771ec34729a4c@gruppocomet.it> <4f0d7fe0-bc28-c9a3-4e41-1496708f4cd9@summitgrid.com>
Message-ID: <5c41f4d3-83a6-e7f5-6bb8-95ef310dc138@summitgrid.com>

This is working, and here's the explanation...

I built a virus scanning ruleset as you described. This result happened, which is normal. Messages are always virus scanned as a batch. Even though the virus is found, it is not counted against the message, and the message is sent anyway and marked as clean in MailWatch. In fact, in this case Google sees the EICAR test and rejects the message.

Jan 12 22:30:43 smtp MailScanner[226819]: Virus and Content Scanning: Starting
Jan 12 22:30:43 smtp MailScanner[226819]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtJ14q8Fz7g2sY/
Jan 12 22:30:43 smtp MailScanner[226819]: Clamd::INFECTED:: {HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtJ14q8Fz7g2sY/msg-226819-3.txt
Jan 12 22:30:43 smtp MailScanner[226819]: Virus Scanning: Clamd found 2 infections
Jan 12 22:30:43 smtp MailScanner[226819]: Virus Scanning: Found 2 viruses
Jan 12 22:30:43 smtp MailScanner[226819]: Spam Checks: Starting
Jan 12 22:30:43 smtp MailScanner[226819]: Requeue: 4DFtJ14q8Fz7g2sY to 4DFtJ34gZPz0c34
Jan 12 22:30:43 smtp postfix/qmqpd[226995]: connect from localhost[127.0.0.1]
Jan 12 22:30:43 smtp postfix/qmqpd[226995]: 4DFtJ34h5tz7g2sY: client=localhost[127.0.0.1]
Jan 12 22:30:43 smtp opendmarc[6361]: ignoring connection from localhost
Jan 12 22:30:43 smtp postfix/cleanup[226982]: 4DFtJ34h5tz7g2sY: message-id=<09fca5f0-f6d3-be52-55e0-97ba9bfa67a3 at summitgrid.com>
Jan 12 22:30:43 smtp opendkim[6362]: 4DFtJ34h5tz7g2sY: DKIM-Signature field added (s=default, d=summitgrid.com)
Jan 12 22:30:43 smtp postfix/qmgr[2173]: 4DFtJ34h5tz7g2sY: from=, size=2427, nrcpt=1 (queue active)
Jan 12 22:30:43 smtp postfix/qmqpd[226995]: disconnect from localhost[127.0.0.1]
Jan 12 22:30:43 smtp MailScanner[226819]: Uninfected: Delivered 1 messages
Jan 12 22:30:43 smtp MailScanner[226819]: Deleted 1 messages from processing-database
Jan 12 22:30:43 smtp MailScanner[226819]: MailWatch: Logging message 4DFtJ14q8Fz7g2sY to SQL
Jan 12 22:30:44 smtp postfix/smtp[226998]: 4DFtJ34h5tz7g2sY: to=, relay=gmail-smtp-in.l.google.com[172.253.119.26]:25, delay=0.92, delays=0.06/0/0.43/0.44, dsn=5.7.0, status=bounced (host gmail-smtp-in.l.google.com[172.253.119.26] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. x13si356045iov.16 - gsmtp (in reply to end of DATA command))

When I remove the ruleset and scan everything, this happens. You can see it still finds the infection, but this time the message is marked as infected and the message is not sent.

Jan 12 22:34:40 smtp MailScanner[227999]: New Batch: Scanning 1 messages, 2015 bytes
Jan 12 22:34:40 smtp MailScanner[227999]: Virus and Content Scanning: Starting
Jan 12 22:34:40 smtp MailScanner[227999]: Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtNZ31Mwz7g2sY/
Jan 12 22:34:40 smtp MailScanner[227999]: Clamd::INFECTED:: {HEX}EICAR.TEST.3.UNOFFICIAL :: ./4DFtNZ31Mwz7g2sY/msg-227999-1.txt
Jan 12 22:34:40 smtp MailScanner[227999]: Virus Scanning: Clamd found 2 infections
Jan 12 22:34:40 smtp MailScanner[227999]: Infected message 4DFtNZ31Mwz7g2sY came from 198.100.154.215
Jan 12 22:34:40 smtp MailScanner[227999]: Virus Scanning: Found 2 viruses
Jan 12 22:34:40 smtp MailScanner[227999]: Viruses marked as silent: Clamd: message was infected: {HEX}EICAR.TEST.3.UNOFFICIAL, Clamd: msg-227999-1.txt was infected: {HEX}EICAR.TEST.3.UNOFFICIAL
Jan 12 22:34:40 smtp MailScanner[227999]: Saved entire message to /var/spool/MailScanner/quarantine/20210112/4DFtNZ31Mwz7g2sY
Jan 12 22:34:40 smtp MailScanner[227999]: Saved infected "msg-227999-1.txt" to /var/spool/MailScanner/quarantine/20210112/4DFtNZ31Mwz7g2sY

On 1/12/21 12:15 PM, Shawn Iverson via MailScanner wrote:
>
> I'll run a test this evening on my instance and see if there is
> something up with the codebase...
>
> On 1/12/21 4:59 AM, Nicola Piazzi via MailScanner wrote:
>>
>> Valentin, I tried everything but it is the same.
>>
>> *Nicola Piazzi*
>> Sistemi Informativi
>> COMET s.p.a.
>> Via Michelino, 105 - 40127 Bologna - Italia
>> Tel. +39 051.6079.293
>> Cell. +39 347.5027273
>> www.comet.it
>> www.gruppocomet.it
>>
>> *From:* MailScanner *on behalf of* Valentin Laskov
>> *Sent:* Tuesday, 12 January 2021 10:26
>> *To:* mailscanner at lists.mailscanner.info
>> *Subject:* Re: Deep test virus scan rule that doesnt work
>> *Priority:* Low
>>
>> On 12.01.2021 at 10:54, Nicola Piazzi via MailScanner wrote:
>>
>> FromOrTo: Default No
>>
>> Are the fields separated by Tab? Or space?
>>
>> Must be tab separated.
>>
>> Regards!
>> Valentin
>>
>> --
>> Tel.: +359 52 669137
>> GSM: +359 888 669137
>> Fax: +359 52 669110
>>
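To make Shawn's explanation concrete, here is an added model (example code, not MailScanner's own Perl) of a first-match ruleset like Nicola's applied to one scan batch: every message is scanned, and the rule only decides whether a detection is counted against a message. The rule grammar, the IP-prefix matching, the fallback value and the sample addresses and message ids are all assumptions of this model; the tab check merely reports which separator a file uses.

```python
r"""Model of a MailScanner-style 'Virus Scanning' ruleset applied to a scan batch.

Simplified rule grammar (an assumption of this model, not MailScanner's parser):
    <From|To|FromOrTo>:  <pattern>  <yes|no>
<pattern> is "default", an exact IP, an IP prefix ending in "." such as "10.",
an exact address, or "*@domain". The first matching rule wins.
"""
import re
from dataclasses import dataclass

RULE_RE = re.compile(r"^(From|To|FromOrTo):\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


@dataclass
class Rule:
    direction: str   # "from", "to" or "fromorto"
    pattern: str
    value: str       # "yes" or "no"


@dataclass
class Message:
    msg_id: str
    client_ip: str   # the IP the MTA recorded; this is what an IP rule is matched on
    sender: str
    recipients: list


def parse_rules(text):
    """Parse a ruleset; also report lines whose fields are separated by spaces
    rather than tabs, so the question raised in the thread can be checked."""
    rules, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            warnings.append(f"line {lineno}: cannot parse {raw!r}")
            continue
        if "\t" not in raw:
            warnings.append(f"line {lineno}: fields separated by spaces, not tabs")
        rules.append(Rule(m.group(1).lower(), m.group(2).lower(), m.group(3).lower()))
    return rules, warnings


def pattern_matches(pattern, subject):
    """Match one rule pattern against an IP address or an e-mail address."""
    subject = subject.lower()
    if pattern == "default":
        return True
    if pattern.endswith("."):        # IP prefix: "10." matches 10.x.x.x, not 100.x.x.x
        return subject.startswith(pattern)
    if pattern.startswith("*@"):     # whole domain
        return subject.endswith(pattern[1:])
    return subject == pattern        # exact IP or exact address


def evaluate(rules, msg, fallback="yes"):
    """yes/no result for one message: first matching rule wins. `fallback`
    stands in for the option's built-in default when nothing matches
    (an assumption of this model)."""
    for rule in rules:
        from_side = rule.direction in ("from", "fromorto") and (
            pattern_matches(rule.pattern, msg.client_ip)
            or pattern_matches(rule.pattern, msg.sender))
        to_side = rule.direction in ("to", "fromorto") and any(
            pattern_matches(rule.pattern, r) for r in msg.recipients)
        if from_side or to_side:
            return rule.value
    return fallback


def process_batch(messages, detections, rules):
    """Return {msg_id: "delivered" | "quarantined"} for one batch.
    `detections` maps msg_id -> scanner hits. The scanner has already run over
    every file in the batch (which is why clamd's LogClean output lists them
    all); the ruleset only decides whether a hit counts against a message."""
    outcome = {}
    for msg in messages:
        counted = bool(detections.get(msg.msg_id)) and evaluate(rules, msg) == "yes"
        outcome[msg.msg_id] = "quarantined" if counted else "delivered"
    return outcome


# Constructed sample data. The ruleset is the one from the thread, written with
# tabs; the second copy uses spaces so parse_rules can flag it. 10.1.1.126 is
# Nicola's mail server and 198.100.154.215 the sender IP in Shawn's second log;
# the addresses and message ids are made up.
RULESET = "From:\t10.\tno\nFromOrTo:\tdefault\tyes\n"
RULESET_WITH_SPACES = "From: 10. no\nFromOrTo: default yes\n"
EICAR_HIT = "{HEX}EICAR.TEST.3.UNOFFICIAL"
DETECTIONS = {"msgA": [EICAR_HIT], "msgB": [EICAR_HIT]}
BATCH = [
    Message("msgA", "10.1.1.126", "internal@example.test", ["alice@example.test"]),
    Message("msgB", "198.100.154.215", "outside@example.test", ["alice@example.test"]),
]

if __name__ == "__main__":
    rules, warnings = parse_rules(RULESET)
    print(process_batch(BATCH, DETECTIONS, rules))   # msgA delivered, msgB quarantined
    print(parse_rules(RULESET_WITH_SPACES)[1])
```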
From indrajith at sltidc.lk Tue Jan 19 11:57:55 2021
From: indrajith at sltidc.lk (Chaminda Indrajith)
Date: Tue, 19 Jan 2021 17:27:55 +0530
Subject: Block executable files which is compressed using gzip
Message-ID: <000001d6ee5a$552e18c0$ff8a4a40$@sltidc.lk>

Hi,

Could you let me know how to block executable files which are compressed using gzip?

One of the mails contains an attachment which is compressed using gzip. When I strip the attachment it contains a "Pdf 00231145 Swift Copy.gz" file.

[root at mail msg-1611056831-18887-0]# ls
msg-18887-1.txt  msg-18887-2.html  Pdf 00231145 Swift Copy.gz

When I unzip it using gunzip, it is just a file without an extension. But it is an executable file.

[root at mail msg-1611056831-18887-0]# gunzip Pdf\ 00231145\ Swift\ Copy.gz
[root at mail msg-1611056831-18887-0]# ls
msg-18887-1.txt  msg-18887-2.html  "Pdf 00231145 Swift Copy"
[root at mail msg-1611056831-18887-0]# file Pdf\ 00231145\ Swift\ Copy
Pdf 00231145 Swift Copy: gzip compressed data, was "Pdf 00231145 Swift Copy.exe", from FAT filesystem (MS-DOS, OS/2, NT), last modified: Mon Jan 18 05:25:12 2021

This file contains a virus. So, how can I block such files (executable file types without any extension) in MailScanner?

Thanks
Chaminda Indrajith

From stefano.antonelli at cnaf.infn.it Tue Jan 19 18:17:37 2021
From: stefano.antonelli at cnaf.infn.it (antonelli@cnaf)
Date: Tue, 19 Jan 2021 19:17:37 +0100
Subject: Free space in Mailscanner archive directory
Message-ID: <4a7fe3a9-1fdf-97b9-e278-8e8789cc49ba@cnaf.infn.it>

Hello everyone,

sorry for the silly question, but I'm not able to find this topic in the documentation or mailing list.

To free some space in the /var/spool/Mailscanner/archive dir, can I simply remove files, or is there any connection with the database and must I use a particular command (MailScanner 5.3.3)?
Thank you, regards
Stefano

From mark at msapiro.net Tue Jan 19 20:14:06 2021
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 19 Jan 2021 12:14:06 -0800
Subject: Free space in Mailscanner archive directory
In-Reply-To: <4a7fe3a9-1fdf-97b9-e278-8e8789cc49ba@cnaf.infn.it>
References: <4a7fe3a9-1fdf-97b9-e278-8e8789cc49ba@cnaf.infn.it>
Message-ID:

On 1/19/21 10:17 AM, antonelli at cnaf wrote:
>
> To free some space in the /var/spool/Mailscanner/archive dir, can I simply
> remove files, or is there any connection with the database and must I use a
> particular command (MailScanner 5.3.3)?

You can just remove the files.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From ricky.boone at gmail.com Tue Jan 19 21:58:52 2021
From: ricky.boone at gmail.com (Ricky Boone)
Date: Tue, 19 Jan 2021 16:58:52 -0500
Subject: Yahoo and "Filename contains lots of white space" rule
Message-ID:

Hello everyone,

I was seeing a disproportionate number of messages from legitimate @yahoo.com senders hitting our environment that, when they have an attachment with a long name with spaces, hit the "Filename contains lots of white space" rule in filename.rules.conf. Upon deeper inspection, it appears it may be something with Yahoo and how they handle spaces when generating the Content-Disposition header in the message. In most cases, when the file name went past a certain number of characters, it was wrapped to the next line, but with 5-10 blank characters padded to it.

I adjusted the regex in the rule from 10 spaces to 12, but just wanted to bounce this off the mailing list to see if anyone else had seen similar behavior.
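An added illustration of what Ricky describes (example code, not MailScanner's own filename check): a Content-Disposition header folded inside the quoted filename with a run of spaces, unfolded the way RFC 5322 section 2.2.3 prescribes (the CRLF is removed, the whitespace after it is kept), and then checked against a whitespace rule. Assumptions: the rule is modelled as the regex \s{N,} with N=10 as the thread describes, the parameter extraction is a simple regex, and the three headers are constructed, not captured from Yahoo.

```python
r"""Why a folded Content-Disposition header can trip a 'lots of white space'
filename rule. Assumptions of this model: the rule is the regex \s{N,} with
N = 10 (the stock threshold the thread describes), and unfolding follows
RFC 5322 section 2.2.3, which removes the line break of a fold but keeps the
whitespace that follows it."""
import re

FOLD_RE = re.compile(r"\r?\n(?=[ \t])")   # a fold: line break followed by WSP
FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def unfold(header):
    """RFC 5322 unfolding: drop the line break, keep the WSP that marked the fold."""
    return FOLD_RE.sub("", header)


def extract_filename(header):
    """Return the filename= parameter of a (possibly folded) header value, or None."""
    m = FILENAME_RE.search(unfold(header))
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def longest_whitespace_run(filename):
    """Length of the longest run of whitespace characters in the name."""
    return max((len(run) for run in re.findall(r"\s+", filename)), default=0)


def lots_of_whitespace(filename, min_run=10):
    """Model of the 'Filename contains lots of white space' rule: True when the
    name holds a run of at least `min_run` whitespace characters (a TAB counts
    as one character, which answers Mark's question within this model)."""
    return re.search(r"\s{%d,}" % min_run, filename) is not None


# Constructed headers, not captured from Yahoo. The same attachment name three
# ways: folded between parameters as RFC 5322 allows; folded inside the quoted
# filename with a run of 11 spaces (the pattern Ricky describes); and folded
# inside the filename with CRLF + TAB (the case Mark asks about).
NAME = "Quarterly report for regional office Q4 2020.pdf"
CONFORMANT = 'attachment;\r\n filename="%s"' % NAME
PADDED = ('attachment; filename="Quarterly report for regional\r\n'
          + " " * 11 + 'office Q4 2020.pdf"')
TAB_FOLD = 'attachment; filename="Quarterly report for regional\r\n\toffice Q4 2020.pdf"'

if __name__ == "__main__":
    for label, hdr in (("conformant", CONFORMANT), ("padded", PADDED), ("tab", TAB_FOLD)):
        name = extract_filename(hdr)
        print(label, repr(name), "longest run:", longest_whitespace_run(name),
              "rule at 10:", lots_of_whitespace(name),
              "rule at 12:", lots_of_whitespace(name, min_run=12))
```

With the padded header the rule fires at the stock threshold of 10 but not at Ricky's adjusted 12; the conformant and TAB-folded names never fire.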
From mark at msapiro.net Tue Jan 19 22:47:54 2021
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 19 Jan 2021 14:47:54 -0800
Subject: Yahoo and "Filename contains lots of white space" rule
In-Reply-To:
References:
Message-ID: <94dcec40-2b68-b3ff-dfc7-02e5ca633a71@msapiro.net>

On 1/19/21 1:58 PM, Ricky Boone wrote:
> Hello everyone,
>
> I was seeing a disproportionate number of messages from legitimate
> @yahoo.com senders hitting our environment that, when
> they have an attachment with a long name with spaces, hit the
> "Filename contains lots of white space" rule in filename.rules.conf.
> Upon deeper inspection, it appears it may be something with Yahoo and
> how they handle spaces when generating the Content-Disposition header in
> the message. In most cases, when the file name went past a certain
> number of characters, it was wrapped to the next line, but with 5-10
> blank characters padded to it.

See

Note that the filename= parameter in a Content-Disposition is a structured field and should not be folded. Try telling Yahoo that.

Are you saying that Yahoo is folding by inserting more than just a CRLF, i.e. a CRLF and a TAB or multiple spaces? In that case, Yahoo is again non-conformant.

However, none of that is helpful to you. There may be a MailScanner issue if Yahoo is folding by inserting CRLF TAB and MailScanner is considering the TAB to be multiple spaces. Is that the case?

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From it at festa.bg Wed Jan 20 07:42:17 2021
From: it at festa.bg (Valentin Laskov)
Date: Wed, 20 Jan 2021 09:42:17 +0200
Subject: Block executable files which is compressed using gzip
In-Reply-To: <000001d6ee5a$552e18c0$ff8a4a40$@sltidc.lk>
References: <000001d6ee5a$552e18c0$ff8a4a40$@sltidc.lk>
Message-ID: <3c18fc08-7de1-30b8-6332-80021837b2aa@festa.bg>

Hi,

Take a look at

Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf

in the MailScanner.conf file.

Also, in my config I have

File Command = /usr/local/bin/file-wrapper

and

cat /usr/local/bin/file-wrapper
#!/bin/bash
#
# Wrapper so that MailScanner's file command reports the MIME type
# of the attachment it is handed, not the file(1) text description.
/usr/bin/file --mime-type "$1"

Regards!
Valentin

From ricky.boone at gmail.com Wed Jan 20 14:42:15 2021
From: ricky.boone at gmail.com (Ricky Boone)
Date: Wed, 20 Jan 2021 09:42:15 -0500
Subject: Yahoo and "Filename contains lots of white space" rule
In-Reply-To: <94dcec40-2b68-b3ff-dfc7-02e5ca633a71@msapiro.net>
References: <94dcec40-2b68-b3ff-dfc7-02e5ca633a71@msapiro.net>
Message-ID:

Thanks, that was what I thought.

The examples I'm seeing do not include TAB characters after the break in the file name. They all start with an LF control character, then a series of space characters (0x20), then the rest of the file name. The number of spaces seems to be variable. I'm finding some that go above 20, some that are around 10... I can't discern a pattern, and I can't fully prove that it is Yahoo that is doing it, though it would seem odd to have that many senders doing the same thing on their own in this way. I don't think this is a MailScanner issue, just that a rule in MailScanner is potentially exposing RFC-breaking behavior.

I do see another commonality, and that is the X-Mailer header containing the following information (or similar):

X-Mailer: WebService/1.1.17501 YahooMailIosMobile Yahoo%20Mail/52372 CFNetwork/1209 Darwin/20.2.0

Every single example that I've seen so far indicates that these are potentially being sent from the same type of email client (with some variations on version strings, etc.). If I have time I'll see if there are any non-@yahoo.com examples that might indicate a commonality (iOS/macOS, etc.).

On Tue, Jan 19, 2021 at 5:48 PM Mark Sapiro wrote:
> On 1/19/21 1:58 PM, Ricky Boone wrote:
> > Hello everyone,
> >
> > I was seeing a disproportionate number of messages from legitimate
> > @yahoo.com senders hitting our environment that, when
> > they have an attachment with a long name with spaces, hit the
> > "Filename contains lots of white space" rule in filename.rules.conf.
> > Upon deeper inspection, it appears it may be something with Yahoo and
> > how they handle spaces when generating the Content-Disposition header in
> > the message. In most cases, when the file name went past a certain
> > number of characters, it was wrapped to the next line, but with 5-10
> > blank characters padded to it.
>
> See
>
> Note that the filename= parameter in a Content-Disposition is a
> structured field and should not be folded. Try telling Yahoo that.
>
> Are you saying that Yahoo is folding by inserting more than just a CRLF,
> i.e. a CRLF and a TAB or multiple spaces? In that case, Yahoo is again
> non-conformant.
>
> However, none of that is helpful to you. There may be a MailScanner
> issue if Yahoo is folding by inserting CRLF TAB and MailScanner is
> considering the TAB to be multiple spaces. Is that the case?
>
> --
> Mark Sapiro                           The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner

From bfebrian at gmail.com Wed Jan 27 17:12:43 2021
From: bfebrian at gmail.com (Budi F)
Date: Thu, 28 Jan 2021 00:12:43 +0700
Subject: Eset EFS v7 not working in MailScanner 5.3.3
Message-ID:

Hi,

I'm not sure what happened. I installed clamd and ESET, but it seems ESET never scans emails as it is supposed to; I only see clamd doing the virus scan.

I noticed this problem as some emails with viruses were able to get through to users, but luckily the ESET desktop scanner was able to catch the virus.

[MailScanner]# MailScanner --lint
Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1500 hostnames from the phishing whitelist
Read 5545 hostnames from the phishing blacklists
Config: calling custom init function MailWatchLogging
MailWatch: Started MailWatch SQL Logging child

Checking version numbers...
Version number in MailScanner.conf (5.3.3) is correct.

Your envelope_sender_header in spamassassin.conf is correct.
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd esets"
Found these virus scanners installed: esets, clamd
===========================================================================
Filename Checks: Blocked Filename Detected (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Win.Test.EICAR_HDB-1 :: ./1/
Virus Scanning: Clamd found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================

If any of your virus scanners (esets,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its
virus.scanners.conf.
Config: calling custom end function MailWatchLogging

From shawniverson at summitgrid.com Wed Jan 27 19:53:26 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Wed, 27 Jan 2021 14:53:26 -0500
Subject: Eset EFS v7 not working in MailScanner 5.3.3
In-Reply-To:
References:
Message-ID: <1c3167d1-7874-5bc3-4334-e1a418dccf10@summitgrid.com>

What is the entry in your virus.scanners.conf?
On 1/27/21 12:12 PM, Budi F wrote:
> Hi,
>
> I'm not sure what happened. I installed clamd and ESET, but it seems
> ESET never scans emails as it is supposed to; I only see clamd doing the
> virus scan.
>
> I noticed this problem as some emails with viruses were able to get through to
> users, but luckily the ESET desktop scanner was able to catch the virus.
>
> [MailScanner]# MailScanner --lint
> Trying to setlogsock(unix)
>
> Reading configuration file /etc/MailScanner/MailScanner.conf
> Reading configuration file /etc/MailScanner/conf.d/README
> Read 1500 hostnames from the phishing whitelist
> Read 5545 hostnames from the phishing blacklists
> Config: calling custom init function MailWatchLogging
> MailWatch: Started MailWatch SQL Logging child
>
> Checking version numbers...
> Version number in MailScanner.conf (5.3.3) is correct.
>
> Your envelope_sender_header in spamassassin.conf is correct.
> MailScanner setting GID to  (89)
> MailScanner setting UID to  (89)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Connected to Processing Attempts Database
> Created Processing Attempts Database successfully
> There are 0 messages in the Processing Attempts Database
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = clamd esets"
> Found these virus scanners installed: esets, clamd
> ===========================================================================
> Filename Checks: Blocked Filename Detected (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::INFECTED::Win.Test.EICAR_HDB-1 :: ./1/
> Virus Scanning: Clamd found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 1 viruses
> ===========================================================================
>
> If any of your virus scanners (esets,clamd)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
> Config: calling custom end function MailWatchLogging