From shawniverson at summitgrid.com Mon Sep 5 19:06:21 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 5 Sep 2022 15:06:21 -0400
Subject: "Spam Actions" setting containing attachment and deliver not encapsulating message
In-Reply-To:
References: <8372a21e-7d12-62fe-dde0-20ba1cbafbf2@summitgrid.com>
Message-ID: <5df9eb23-1dde-6c52-da18-96bf86f01a9d@summitgrid.com>

Confirmed unexpected behavior, more debugging and testing in progress.

On 8/30/22 08:50, Ricky Boone wrote:
> Thank you, Shawn, for the quick response. If there's anything I can
> do to help with either the research and/or troubleshooting around
> this, please let me know. I am by no means a competent Perl dev, but
> my management is very interested in getting this working properly (not
> meaning to add any pressure or assume expectations), and I'm a bit
> stuck at the moment.
>
> On Tue, Aug 23, 2022 at 4:22 PM Shawn Iverson via MailScanner wrote:
>
>     That doesn't seem desirable. This should be reproducible, so
>     give me some time to lab this up and see what I can find out. It
>     wouldn't be the first time we've found interesting things lurking
>     in the perl mines.
>
>     On 8/23/22 14:34, Ricky Boone wrote:
>>
>> *Warning: This message originated from outside the organization.
>> Use caution when following links or opening attachments.*
>>
>> I'm troubleshooting an issue with a setting change we're trying
>> to test in our environment to provide users with notifications
>> that a message was flagged as spam, and why, as well as to attach
>> the original message to that notification.
>>
>> Based on the configuration docs and previous conversations, this
>> should be handled by including 'attachment' in the Spam Actions
>> setting (though some references note 'attachment' along with
>> 'deliver'). What I'm seeing, however, is that it is not behaving
>> as described. When the rule only includes 'attachment', no
>> message is fully delivered. When it includes 'attachment' and
>> 'deliver' (regardless of order, understanding that it shouldn't
>> matter), I get the message with the '{Spam?}' subject prefix, but
>> otherwise not encapsulated and not including a notification
>> message. When attempting with 'attachment' and 'notify', I only
>> get the notification, and if 'attachment', 'deliver', and
>> 'notify' are included, I get both the non-encapsulated spam
>> message and the notification without an attachment.
>>
>> Prior to opening an issue in the GitHub project, I just want to
>> be sure I'm not doing something incorrectly.
>>
>> For reference, I'm currently running MailScanner 5.3.3 (aware
>> that there are newer versions, but none that appear to be
>> relevant to address this issue based on the changelog) on CentOS
>> 7 with postfix as the MTA, along with MailWatch 1.2.15. Spam
>> Actions points to a custom rules file with a default (FromOrTo)
>> action set to 'store notify header "X-Spam-Status: Yes"', but I
>> have a To email address for testing with 'store attachment
>> deliver header "X-Spam-Status: Yes"' (though I've tried this
>> without deliver, removing store and header, with notify, etc.).
>>
>> The logs seem to reflect my settings, depending on what I've
>> saved and reloaded. For example, if I have attachment and
>> deliver set, I see this in the logs:
>>
>> Aug 23 14:03:37 MailScanner[24433]: Delivery of spam: message 0BD1220625B0.AB434 from [removed] to [removed] with subject Re: Test message
>> Aug 23 14:03:37 MailScanner[24433]: Spam Actions: message 0BD1220625B0.AB434 actions are attachment,store,deliver,header
>> Aug 23 14:03:39 MailScanner[24433]: Requeue: 0BD1220625B0.AB434 to E965720625AA
>>
>> And if I have only attachment set:
>>
>> Aug 23 11:57:15 MailScanner[22466]: Non-delivery of spam: message 8225F206258E.AB9CA from [removed] to [removed] with subject Test message
>> Aug 23 11:57:15 MailScanner[22466]: Spam Actions: message 8225F206258E.AB9CA actions are attachment,store,header
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner

From shawniverson at summitgrid.com Mon Sep 5 19:23:59 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 5 Sep 2022 15:23:59 -0400
Subject: "Spam Actions" setting containing attachment and deliver not encapsulating message
In-Reply-To: <5df9eb23-1dde-6c52-da18-96bf86f01a9d@summitgrid.com>
References: <8372a21e-7d12-62fe-dde0-20ba1cbafbf2@summitgrid.com> <5df9eb23-1dde-6c52-da18-96bf86f01a9d@summitgrid.com>
Message-ID: <24f94243-8535-d211-2f16-7df0ea10aacd@summitgrid.com>

Interesting, apparently the client is interacting with the way MailScanner is encapsulating the message. The raw message is encapsulated, but my client (Thunderbird) is ignoring it and parsing just the inner MIME tree.
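
How a client can end up showing only the inner MIME tree of a message that is encapsulated on the wire, as an added example that is not from this thread or from MailScanner: it assumes the top-level Content-Type header names the original message's boundary while the body is wrapped in a new one. The sample message, the boundary names and the helper functions are constructed for illustration.

```python
import email

# Constructed sample body (not MailScanner output): the flagged message is
# wrapped as message/rfc822 inside a new multipart that uses OUTER-0001.
BODY = """\
This is a multi-part message in MIME format.

--OUTER-0001
Content-Type: text/plain; charset="us-ascii"

Constructed notification text: this message was flagged as spam.

--OUTER-0001
Content-Type: message/rfc822

From: sender@example.com
Subject: Test message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="INNER-0001"

--INNER-0001
Content-Type: text/plain; charset="us-ascii"

original text part

--INNER-0001
Content-Type: text/html; charset="us-ascii"

<p>original html part</p>

--INNER-0001--

--OUTER-0001--
"""


def build(header_boundary):
    """Return the sample with the given boundary in the top-level header."""
    head = (
        "From: sender@example.com\n"
        "To: user@example.com\n"
        "Subject: {Spam?} Test message\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{header_boundary}"\n'
        "\n"
    )
    return head + BODY


def part_tree(raw):
    """Content types in the order a MIME parser walks them."""
    return [p.get_content_type() for p in email.message_from_string(raw).walk()]


def hidden_preamble(raw):
    """Text before the first matching delimiter; clients do not display it."""
    return email.message_from_string(raw).preamble or ""


def first_delimiter(raw):
    """Boundary token of the first delimiter-looking line in the body (heuristic)."""
    _, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    for line in body.splitlines():
        line = line.rstrip()
        if line.startswith("--") and len(line) > 2:
            return line[2:]
    return None


def boundary_is_stale(raw):
    """True when the header's boundary is not the one the body opens with."""
    declared = email.message_from_string(raw).get_boundary()
    if declared is None:
        return False  # not a multipart message
    return first_delimiter(raw) != declared


if __name__ == "__main__":
    for label, boundary in (("matching header", "OUTER-0001"),
                            ("stale header", "INNER-0001")):
        raw = build(boundary)
        print(label, part_tree(raw), "stale:", boundary_is_stale(raw))
```

With the stale header the notification and the message/rfc822 wrapper are still present in the raw message, but they fall into the preamble, so only the original text and HTML parts are parsed.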

From shawniverson at summitgrid.com Mon Sep 5 19:32:43 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 5 Sep 2022 15:32:43 -0400
Subject: "Spam Actions" setting containing attachment and deliver not encapsulating message
In-Reply-To: <24f94243-8535-d211-2f16-7df0ea10aacd@summitgrid.com>
References: <8372a21e-7d12-62fe-dde0-20ba1cbafbf2@summitgrid.com> <5df9eb23-1dde-6c52-da18-96bf86f01a9d@summitgrid.com> <24f94243-8535-d211-2f16-7df0ea10aacd@summitgrid.com>
Message-ID: <2856f8a0-8d1d-62b8-54aa-3b842e92062c@summitgrid.com>

Ahh, the header still has the old boundary. That is a problem.

From shawniverson at summitgrid.com Mon Sep 5 20:25:01 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 5 Sep 2022 16:25:01 -0400
Subject: "Spam Actions" setting containing attachment and deliver not encapsulating message
In-Reply-To: <2856f8a0-8d1d-62b8-54aa-3b842e92062c@summitgrid.com>
References: <8372a21e-7d12-62fe-dde0-20ba1cbafbf2@summitgrid.com> <5df9eb23-1dde-6c52-da18-96bf86f01a9d@summitgrid.com> <24f94243-8535-d211-2f16-7df0ea10aacd@summitgrid.com> <2856f8a0-8d1d-62b8-54aa-3b842e92062c@summitgrid.com>
Message-ID: <5ae0f6bc-6050-65ba-2a88-120d1c30ea9b@summitgrid.com>

https://github.com/MailScanner/v5/issues/607

From dean at guenthers.us Mon Sep 5 15:46:25 2022
From: dean at guenthers.us (Dean guenther)
Date: Mon, 5 Sep 2022 08:46:25 -0700
Subject: missing ms-init script in MailScanner 5.4.4
Message-ID: <1cc09567-12fb-23ab-0456-1ead779bdd1a@guenthers.us>

I'm in the process of moving from my old MailScanner 4.85.2 installation on CentOS 6.7 to a fresh install of MailScanner 5.4.4 on ubuntu 20.04. I've run the MailScanner install.sh on ubuntu but the ms-init script is missing from /etc/init.d so I can't start MailScanner. At least that's where I was presuming I should find ms-init. Being new to ubuntu, things may be different to what I'm used to with CentOS.

I have already installed dovecot and ClamAV from the default ubuntu repository. And the MailScanner 5.4.4 install.sh did put the MailScanner config files into /etc/MailScanner as expected.
So I've modified the /etc/MailScanner configs to pretty much match the options I had set under the old MailScanner 4.85.2.

But now I can't start MailScanner because the /etc/init.d/ms-init is missing. I considered copying ms-init out of the build directory usr/lib/MailScanner/init but I'm wondering even if I do that, are there other things that did not get copied with the install.sh because ms-init is missing?

When I did the install-sh it went through filling dependencies just fine. With one exception it was unable to build Mail::ClamAV. I posted at github and @shawniverson mentioned that Mail::ClamAV is no longer needed by MailScanner so it may not be a concern.

After running install.sh I also did a /usr/sbin/ms-perl-check and there were no missing dependencies that I could see other than Mail::ClamAV.

There was also a warning when I ran install.sh it said

cp: cannot stat './var': No such file or directory

But there is no var in the build directory. Perhaps it's just a warning?

So, how do I safely copy ms-init to /etc/init.d and also, how do I know if there are other things missing that the install.sh did not copy?

thanks - Dean Guenther

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mailscanner at 118119.se Tue Sep 6 21:34:57 2022
From: mailscanner at 118119.se (mailscanner at 118119.se)
Date: Tue, 6 Sep 2022 23:34:57 +0200
Subject: Highlight Phishing Fraud
Message-ID: <3215AE99-3C16-4C3A-B7D9-CEFF87EB2202@118119.se>

Hi,
I've been testing the settings for Find Phishing Fraud and Highlight Phishing Fraud but can't really understand what the different settings do. I use a domain from phishing.bad.sites.conf included in my test e-mail to trigger the phishing filter. All other settings regarding filtering are set to default / standard MailScanner.conf.

If I use these settings, the e-mail gets through with inline HTML added to the link and "{Disarmed}" in the subject line.
Find Phishing Fraud = yes
Highlight Phishing Fraud = yes
Phishing Modify Subject = start
Phishing Subject Text = {Fraud?}

And when changing to these settings instead, the mail gets through with unaltered body and subject. I can't find any "Content Checks"-lines in the logs.
Find Phishing Fraud = yes
Highlight Phishing Fraud = No
Phishing Modify Subject = start
Phishing Subject Text = {Fraud?}

It seems like both Find Phishing Fraud and Highlight Phishing Fraud have to be set to "yes" for the phishing filter to be activated at all? And I can't get the Phishing Subject Text to appear at all. I've only seen "{Disarmed}" added to the subject.
I would like for the e-mail to either be blocked in total or just have the subject line altered. Is any of that possible?

Best regards, Jonas

From shawniverson at summitgrid.com Sat Sep 10 12:53:29 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Sat, 10 Sep 2022 08:53:29 -0400
Subject: missing ms-init script in MailScanner 5.4.4
In-Reply-To: <1cc09567-12fb-23ab-0456-1ead779bdd1a@guenthers.us>
References: <1cc09567-12fb-23ab-0456-1ead779bdd1a@guenthers.us>
Message-ID: <17516cf0-3475-e8a5-a146-116e8b13d8ef@summitgrid.com>

You should use the debian-based deb file, run /usr/sbin/ms-configure, and modify /etc/MailScanner/defaults and related configs instead.

Ubuntu 20.04 will rely upon systemd instead of init such as:

systemctl status mailscanner

From shawniverson at summitgrid.com Sat Sep 10 12:57:56 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Sat, 10 Sep 2022 08:57:56 -0400
Subject: Highlight Phishing Fraud
In-Reply-To: <3215AE99-3C16-4C3A-B7D9-CEFF87EB2202@118119.se>
References: <3215AE99-3C16-4C3A-B7D9-CEFF87EB2202@118119.se>
Message-ID: <6be98d0a-ca92-a24d-522d-ed567bd7d4bb@summitgrid.com>

I would expect the second options to just leave the body alone and modify the subject, so I will run some tests and see why that is not happening.

From shawniverson at summitgrid.com Sat Sep 10 20:57:30 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Sat, 10 Sep 2022 16:57:30 -0400
Subject: missing ms-init script in MailScanner 5.4.4
In-Reply-To:
References: <1cc09567-12fb-23ab-0456-1ead779bdd1a@guenthers.us> <17516cf0-3475-e8a5-a146-116e8b13d8ef@summitgrid.com>
Message-ID: <82970e2e-1f7b-042d-0c51-0740a1a8944c@summitgrid.com>

You used the tarball package to install MailScanner, which does not include those items and requires a lot of manual effort to get MailScanner going. Use the debian package instead.

https://github.com/MailScanner/v5/releases/download/5.4.4-1/MailScanner-5.4.4-1.noarch.deb

On 9/10/22 16:31, Dean Guenther wrote:
> Hi Shawn, Thanks for the help.
> I checked and I do not have a /usr/sbin/ms-configure installed.
> So I checked my MailScanner 5.4.4 build directory and I do not have a
> ms-configure in the build directory either. Would it be helpful to include
> the mailscanner-install.log? - Dean

From mailscanner at barendse.to Tue Sep 20 14:26:58 2022
From: mailscanner at barendse.to (mailscanner at barendse.to)
Date: Tue, 20 Sep 2022 16:26:58 +0200 (CEST)
Subject: missing ms-init script in MailScanner 5.4.4
In-Reply-To: <1cc09567-12fb-23ab-0456-1ead779bdd1a@guenthers.us>
References: <1cc09567-12fb-23ab-0456-1ead779bdd1a@guenthers.us>
Message-ID:

I did the same migration. If you are interested, I copied / pasted each and every command that was needed for the install into a script based on installations others on and off the list published. I wouldn't run it blindly as a script but it might save you a ton of time trying to find out where everything is. It took me several weeks to figure it all out.

From dean at guenthers.us Tue Sep 20 16:32:33 2022
From: dean at guenthers.us (dean guenther)
Date: Tue, 20 Sep 2022 09:32:33 -0700
Subject: missing ms-init script in MailScanner 5.4.4
In-Reply-To:
References: <1cc09567-12fb-23ab-0456-1ead779bdd1a@guenthers.us>
Message-ID: <71c71238-7384-c90d-1645-a8318c3781f4@guenthers.us>

I would be interested. I did get the clue from Shawn to use the debian download which worked. Still cleaning up a few details so I would appreciate the steps you took so I can compare to what I've done.

thanks - Dean Guenther

From danita at caledonia.net Thu Sep 22 09:39:52 2022
From: danita at caledonia.net (Danita Zanrè)
Date: Thu, 22 Sep 2022 11:39:52 +0200
Subject: Allow this type of password protected file
Message-ID:

Hello everyone. Can someone remind me of what I would need to do to allow these files through, or just whitelist this particular sender? I believe this is probably a "Sophos" issue, but you are my go-to group for solving these issues!

Sophos: Password protected file /data/MailScanner/incoming/27332/8AA72173CF1.A944B/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.zip/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.PDF

Thanks for any help here!
Danita
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From peter.farrow at togethia.net Thu Sep 22 09:43:44 2022
From: peter.farrow at togethia.net (Peter Farrow)
Date: Thu, 22 Sep 2022 10:43:44 +0100
Subject: Allow this type of password protected file
In-Reply-To:
References:
Message-ID:

Dear Danita,

You should NEVER allow password-protected files.

A would-be attacker sends a password-protected file, then sends the password and the victim opens the file and any malicious content gets let into the network "just like that".

Whitelisting the sender means your network security relies on their network security. It's not an issue it is "by design".

Pete

Peter Farrow BEng(Hons) BBC ETSI
Office: 01249 736180 |
Mobile: +44 (0) 7799605617
Email: peter.farrow at togethia.net
Website: www.togethia.it

On 22/09/2022 10:39, Danita Zanrè wrote:
> Hello everyone. Can someone remind me of what I would need to do to
> allow these files through, or just whitelist this particular sender?
> I believe this is probably a "Sophos" issue, but you are my go-to
> group for solving these issues!
>
> Sophos: Password protected file
> /data/MailScanner/incoming/27332/8AA72173CF1.A944B/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.zip/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.PDF
>
> Thanks for any help here!
>
> Danita
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x67CA5C7785A4003A.asc
Type: application/pgp-keys
Size: 2456 bytes
Desc: OpenPGP public key
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL:

From danita at caledonia.net Thu Sep 22 10:06:40 2022
From: danita at caledonia.net (=?UTF-8?Q?Danita_Zanr=c3=a8?=)
Date: Thu, 22 Sep 2022 12:06:40 +0200
Subject: Allow this type of password protected file
In-Reply-To:
References:
Message-ID:

Hi Peter,

Yeah - I know - but this is a bank in the Netherlands who insists on sending these password protected files. I'm not sure how to get the files to the intended recipient otherwise. This passes through to another entity's email system (so it's unlikely to harm my own network), so I'm trying to make them happy. I could simply tell them to have the bank "change their policies" for them only, but you know what the likely outcome is to that request.

Danita

Peter Farrow via MailScanner wrote on 9/22/22 11:43:
>
> Dear Danita,
>
> You should NEVER allow password-protected files.
>
> A would-be attacker sends a password-protected file, then sends the
> password and the victim opens the file and any malicious content gets
> let into the network "just like that".
>
> Whitelisting the sender means your network security relies on their
> network security. It's not an issue it is "by design".
>
> Pete
>
>
> Peter Farrow BEng(Hons) BBC ETSI
> Office: 01249 736180 |
> Mobile: +44 (0) 7799605617
> Email: peter.farrow at togethia.net
> Website: www.togethia.it
>
>
> On 22/09/2022 10:39, Danita Zanrè wrote:
>> Hello everyone. Can someone remind me of what I would need to do to
>> allow these files through, or just whitelist this particular sender?
>> I believe this is probably a "Sophos" issue, but you are my go-to
>> group for solving these issues!
>>
>> Sophos: Password protected file
>> /data/MailScanner/incoming/27332/8AA72173CF1.A944B/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.zip/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.PDF
>>
>> Thanks for any help here!
>>
>> Danita
>>
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From shawniverson at summitgrid.com Thu Sep 22 12:04:59 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Thu, 22 Sep 2022 08:04:59 -0400
Subject: Allow this type of password protected file
In-Reply-To:
References:
Message-ID: <32b339ab-957e-a8d3-98f1-50fc22326be8@summitgrid.com>

To do this just for that sender:

MailScanner.conf: (Typically in /etc/MailScanner)

Allow Password-Protected Archives = %rules-dir%/password.rules

In password.rules in your %rules-dir% (Typically in /etc/MailScanner/rules), tab separated:

From:	sender@example.org	yes

FromOrTo:	default	no

On 9/22/22 06:06, Danita Zanrè wrote:
>
> *Warning: This message originated from outside the organization. Use
> caution when following links or opening attachments.*
>
> Hi Peter,
>
> Yeah - I know - but this is a bank in the Netherlands who insists on
> sending these password protected files. I'm not sure how to get the
> files to the intended recipient otherwise. This passes through to
> another entity's email system (so it's unlikely to harm my own
> network), so I'm trying to make them happy. I could simply tell them
> to have the bank "change their policies" for them only, but you know
> what the likely outcome is to that request.
>
> Danita
>
>
> Peter Farrow via MailScanner wrote on 9/22/22 11:43:
>>
>> Dear Danita,
>>
>> You should NEVER allow password-protected files.
>>
>> A would-be attacker sends a password-protected file, then sends the
>> password and the victim opens the file and any malicious content gets
>> let into the network "just like that".
>>
>> Whitelisting the sender means your network security relies on their
>> network security. It's not an issue it is "by design".
>>
>> Pete
>>
>>
>> Peter Farrow BEng(Hons) BBC ETSI
>> Office: 01249 736180 |
>> Mobile: +44 (0) 7799605617
>> Email: *MailScanner has detected a possible fraud attempt from
>> "mail:peter.farrow at togethia.net" claiming to be*
>> peter.farrow at togethia.net
>> Website: www.togethia.it
>>
>>
>> On 22/09/2022 10:39, Danita Zanrè wrote:
>>> Hello everyone. Can someone remind me of what I would need to do
>>> to allow these files through, or just whitelist this particular
>>> sender? I believe this is probably a "Sophos" issue, but you are my
>>> go-to group for solving these issues!
>>>
>>> Sophos: Password protected file
>>> /data/MailScanner/incoming/27332/8AA72173CF1.A944B/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.zip/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.PDF
>>>
>>> Thanks for any help here!
>>>
>>> Danita
>>>
>>>
>>
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From shawniverson at summitgrid.com Thu Sep 22 12:08:29 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Thu, 22 Sep 2022 08:08:29 -0400
Subject: Allow this type of password protected file
In-Reply-To: <32b339ab-957e-a8d3-98f1-50fc22326be8@summitgrid.com>
References: <32b339ab-957e-a8d3-98f1-50fc22326be8@summitgrid.com>
Message-ID: <8e36f763-4fdf-479c-9de9-3539bb09c570@summitgrid.com>

I missed this was Sophos flagging the email. That will have to be adjusted in that A/V engine. I'm not sure where that setting is.

On 9/22/22 08:04, Shawn Iverson via MailScanner wrote:
>
> *Warning: This message originated from outside the organization. Use
> caution when following links or opening attachments.*
>
> To do this just for that sender:
>
> MailScanner.conf: (Typically in /etc/MailScanner)
>
> Allow Password-Protected Archives = %rules-dir%/password.rules
>
> In password.rules in your %rules-dir% (Typically in
> /etc/MailScanner/rules), tab separated:
>
> From:	sender@example.org	yes
>
> FromOrTo:	default	no
>
>
> On 9/22/22 06:06, Danita Zanrè wrote:
>>
>> *Warning: This message originated from outside the organization. Use
>> caution when following links or opening attachments.*
>>
>> Hi Peter,
>>
>> Yeah - I know - but this is a bank in the Netherlands who insists on
>> sending these password protected files. I'm not sure how to get the
>> files to the intended recipient otherwise. This passes through to
>> another entity's email system (so it's unlikely to harm my own
>> network), so I'm trying to make them happy. I could simply tell them
>> to have the bank "change their policies" for them only, but you know
>> what the likely outcome is to that request.
>>
>> Danita
>>
>>
>> Peter Farrow via MailScanner wrote on 9/22/22 11:43:
>>>
>>> Dear Danita,
>>>
>>> You should NEVER allow password-protected files.
>>>
>>> A would-be attacker sends a password-protected file, then sends the
>>> password and the victim opens the file and any malicious content
>>> gets let into the network "just like that".
>>>
>>> Whitelisting the sender means your network security relies on their
>>> network security. It's not an issue it is "by design".
>>>
>>> Pete
>>>
>>>
>>> Peter Farrow BEng(Hons) BBC ETSI
>>> Office: 01249 736180 |
>>> Mobile: +44 (0) 7799605617
>>> Email: *MailScanner has detected a possible fraud attempt from
>>> "mail:peter.farrow at togethia.net" claiming to be* *MailScanner has
>>> detected a possible fraud attempt from
>>> "mail:peter.farrow at togethia.net" claiming to be* *MailScanner has
>>> detected a possible fraud attempt from
>>> "mail:peter.farrow at togethia.net" claiming to be*
>>> peter.farrow at togethia.net
>>> Website: www.togethia.it
>>>
>>>
>>> On 22/09/2022 10:39, Danita Zanrè wrote:
>>>> Hello everyone. Can someone remind me of what I would need to do
>>>> to allow these files through, or just whitelist this particular
>>>> sender? I believe this is probably a "Sophos" issue, but you are
>>>> my go-to group for solving these issues!
>>>>
>>>> Sophos: Password protected file
>>>> /data/MailScanner/incoming/27332/8AA72173CF1.A944B/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.zip/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.PDF
>>>>
>>>> Thanks for any help here!
>>>>
>>>> Danita
>>>>
>>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From danita at caledonia.net Thu Sep 22 15:03:08 2022
From: danita at caledonia.net (=?UTF-8?Q?Danita_Zanr=c3=a8?=)
Date: Thu, 22 Sep 2022 17:03:08 +0200
Subject: Allow this type of password protected file
In-Reply-To: <8e36f763-4fdf-479c-9de9-3539bb09c570@summitgrid.com>
References: <32b339ab-957e-a8d3-98f1-50fc22326be8@summitgrid.com> <8e36f763-4fdf-479c-9de9-3539bb09c570@summitgrid.com>
Message-ID: <781d0500-fc8e-2530-6ffd-c5160364bd60@caledonia.net>

Yeah, me neither - I'll have to ask some Sophos crowd :-) Thanks anyway!

Danita

Shawn Iverson via MailScanner wrote on 9/22/22 14:08:
>
> I missed this was Sophos flagging the email. That will have to be
> adjusted in that A/V engine. I'm not sure where that setting is.
>
> On 9/22/22 08:04, Shawn Iverson via MailScanner wrote:
>>
>> *Warning: This message originated from outside the organization. Use
>> caution when following links or opening attachments.*
>>
>> To do this just for that sender:
>>
>> MailScanner.conf: (Typically in /etc/MailScanner)
>>
>> Allow Password-Protected Archives = %rules-dir%/password.rules
>>
>> In password.rules in your %rules-dir% (Typically in
>> /etc/MailScanner/rules), tab separated:
>>
>> From:	sender@example.org	yes
>>
>> FromOrTo:	default	no
>>
>>
>> On 9/22/22 06:06, Danita Zanrè wrote:
>>>
>>> *Warning: This message originated from outside the organization. Use
>>> caution when following links or opening attachments.*
>>>
>>> Hi Peter,
>>>
>>> Yeah - I know - but this is a bank in the Netherlands who insists on
>>> sending these password protected files. I'm not sure how to get the
>>> files to the intended recipient otherwise. This passes through to
>>> another entity's email system (so it's unlikely to harm my own
>>> network), so I'm trying to make them happy. I could simply tell
>>> them to have the bank "change their policies" for them only, but you
>>> know what the likely outcome is to that request.
>>>
>>> Danita
>>>
>>>
>>> Peter Farrow via MailScanner wrote on 9/22/22 11:43:
>>>>
>>>> Dear Danita,
>>>>
>>>> You should NEVER allow password-protected files.
>>>>
>>>> A would-be attacker sends a password-protected file, then sends the
>>>> password and the victim opens the file and any malicious content
>>>> gets let into the network "just like that".
>>>>
>>>> Whitelisting the sender means your network security relies on their
>>>> network security. It's not an issue it is "by design".
>>>>
>>>> Pete
>>>>
>>>>
>>>> Peter Farrow BEng(Hons) BBC ETSI
>>>> Office: 01249 736180 |
>>>> Mobile: +44 (0) 7799605617
>>>> Email: *MailScanner has detected a possible fraud attempt from
>>>> "mail:peter.farrow at togethia.net" claiming to be* *MailScanner has
>>>> detected a possible fraud attempt from
>>>> "mail:peter.farrow at togethia.net" claiming to be* *MailScanner has
>>>> detected a possible fraud attempt from
>>>> "mail:peter.farrow at togethia.net" claiming to be* *MailScanner has
>>>> detected a possible fraud attempt from
>>>> "mail:peter.farrow at togethia.net" claiming to be*
>>>> peter.farrow at togethia.net
>>>> Website: www.togethia.it
>>>>
>>>>
>>>> On 22/09/2022 10:39, Danita Zanrè wrote:
>>>>> Hello everyone. Can someone remind me of what I would need to do
>>>>> to allow these files through, or just whitelist this particular
>>>>> sender? I believe this is probably a "Sophos" issue, but you are
>>>>> my go-to group for solving these issues!
>>>>>
>>>>> Sophos: Password protected file
>>>>> /data/MailScanner/incoming/27332/8AA72173CF1.A944B/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.zip/HKB_TA1142P1_2022090918190400000709_EM_Stmt_01_20220909_000190.PDF
>>>>>
>>>>> Thanks for any help here!
>>>>>
>>>>> Danita
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mailscanner at barendse.to Fri Sep 23 08:55:11 2022
From: mailscanner at barendse.to (mailscanner at barendse.to)
Date: Fri, 23 Sep 2022 10:55:11 +0200 (CEST)
Subject: missing ms-init script in MailScanner 5.4.4
In-Reply-To: <71c71238-7384-c90d-1645-a8318c3781f4@guenthers.us>
References: <1cc09567-12fb-23ab-0456-1ead779bdd1a@guenthers.us> <71c71238-7384-c90d-1645-a8318c3781f4@guenthers.us>
Message-ID: <3a11a338-032-182a-3836-be233a8afd30@barendse.to>

Attached is my install script. I never actually tested it as fully automated install but it will prepare a lot of the config files

If you find anything that doesn't work, is not correct or could be improved, please do let me know.

Thanks!!

On Tue, 20 Sep 2022, dean guenther wrote:

> I would be interested. I did get the clue from Shawn to use the debian
> download which worked. Still cleaning up a few details so I would appreciate
> the steps you took so I can compare to what I've done. thanks - Dean Guenther
>
> On 9/20/22 7:26 AM, mailscanner at barendse.to wrote:
>> I did the same migration. If you are interested, I copied / paste'd each
>> and every command that was needed for the install into a script based on
>> installations others on and off the list published. I wouldn't run it
>> blindly as a script but it might save you a ton of time trying to find out
>> where everything is. It took me several weeks to figure it all out.
>>
>> On Mon, 5 Sep 2022, Dean guenther wrote:
>>
>>>
>>> I'm in the process of moving from my old MailScanner 4.85.2 installation
>>> on CentOS
>>> 6.7 to a fresh install of MailScanner 5.4.4 on ubuntu 20.04. I've run the
>>> MailScanner install.sh on ubuntu but the ms-init script is missing from
>>> /etc/init.d so I can't start MailScanner. At least that's where I was
>>> presuming I should find ms-init.
>>> Being new to ubuntu, things may be different to what I'm used to with
>>> CentOS.
>>>
>>> I have already installed dovecot and ClamAV from the default ubuntu
>>> repository. And
>>> the MailScanner 5.4.4 install.sh did put the MailScanner config files into
>>> /etc/MailScanner as expected. So I've modified the /etc/MailScanner
>>> configs to
>>> pretty much match the options I had set under the old MailScanner 4.85.2.
>>> But now I can't start MailScanner because the /etc/init.d/ms-init is
>>> missing. I
>>> considered copying ms-init out of the build directory
>>> usr/lib/MailScanner/init but I'm wondering even if I do that, are there
>>> other things
>>> that did not get copied with the install.sh because ms-init is missing?
>>>
>>> When I did the install-sh it went through filling dependencies just fine.
>>> With one
>>> exception it was unable to build Mail::ClamAV. I posted at github and
>>> @shawniverson mentioned that Mail::ClamAV is no longer needed by
>>> MailScanner so it may not
>>> be a concern.
>>>
>>> After running install.sh I also did a /usr/sbin/ms-perl-check and there
>>> were no missing
>>> dependencies that I could see other than Mail::ClamAV.
>>>
>>> There was also a warning when I ran install.sh it said
>>>
>>> cp: cannot stat './var': No such file or directory
>>>
>>> But there is no var in the build directory. Perhaps it's just a warning??
>>>
>>> So, how do I safely copy ms-init to /etc/init.d and also, how do I know if
>>> there are other things missing that the install.sh did
>>> not copy?
>>>
>>> thanks - Dean Guenther
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>
>>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
-------------- next part --------------
#!/bin/sh
# Script to install and configure MailScanner + postfix on Ubuntu 20.04
# Remco Barendse Updated 22-SEP-2022 - Inspired on instructions from :
# https://vanderboon.net/2021/06/01/installing-mailscanner-5-4-with-postfix-on-ubuntu-20-04-lts/
# https://sites.google.com/site/wikirolanddelepper/mailscanner/configure-postfix-for-mailscanner
# https://serverfault.com/questions/280585/how-do-i-configure-postfix-to-deliver-mail-for-specified-domains-to-another-host
# http://www.postfix.org/ADDRESS_VERIFICATION_README.html

# Test with : mailx -r 'klaus.mustermann@example.com' -s 'Subject Line' -S 'smtp=' 'validuser@myemailonexchange.com' < /dev/null

# To do : Install : postscreen,SPF, DKIM, DANE, DMARC, BIFI, CAA
# https://serverfault.com/questions/895242/dcc-plugin-to-spamassassin-does-not-get-loaded-on-debian-9
# https://kura.gg/2011/09/22/spamassassin-razor-pyzor/
# Dkim : https://github.com/thctlo/debian-scripts/blob/master/setup-opendkim-postfix.sh
# Should still work, try reading the script a bit, it shows what it does.
# https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-postfix
# Simple test on how your server is setup : https://www.internet.nl/mail/
# This uses the recommended settings by dutch government.

tput reset
if [ $# -ne 3 ] ; then
 echo ' '
 echo "Usage: $0 "
 echo ' '
 echo 'Example : ./mailscanner-postfix.sh gw1 mynicedomain.com 10.1.0.22'
 echo ' '
 exit 1
fi

# The "sudo echo ... > file" lines below have their redirection performed by
# the calling shell, not by sudo, and several commands carry no sudo at all,
# so the whole script has to be run as root.
if [ "$(id -u)" -ne 0 ] ; then
 echo 'This script must be run as root' >&2
 exit 1
fi

HOSTNAME=$1
MYDN=$2
EXCHANGEIP=$3
FQDN=$HOSTNAME.$MYDN
MSHOSTNAME=$( echo ${FQDN} | tr -d '.' )

# If needed add disk to store MailScanner archive : sudo mkfs.ext4 /dev/vdb -L /archive

tput reset
echo "Installing $FQDN with MailScanner name : $MSHOSTNAME"
echo 'Install postfix - When asked choose No configuration'
echo 'Add additional domains to receive mail for to relay_domains=' ; sleep 5
sudo apt -y install postfix postfix-pcre
# Example postfix (main.cf) : /usr/share/postfix/main.cf.debian
# To view Postfix configuration values, see postconf(1).
sudo touch /etc/postfix/header_checks
sudo echo "/^Received:/ HOLD" > /etc/postfix/header_checks
sudo touch /etc/postfix/access
sudo touch /etc/postfix/relay_recipients
sudo touch /etc/postfix/transport
sudo touch /etc/postfix/virtual
sudo touch /etc/postfix/helo_access
sudo mkdir -p /var/spool/MailScanner/incoming
sudo mkdir /var/spool/MailScanner/quarantine
sudo chown postfix: /var/spool/postfix/hold
sudo chown postfix: /var/spool/postfix/incoming
sudo chown postfix: /var/spool/MailScanner/incoming
sudo chown postfix: /var/spool/MailScanner/quarantine
# Expects a prepared main.cf in the current directory
sudo cat main.cf > /etc/postfix/main.cf
#echo "$FQDN" > /etc/mailname
sudo sed -i "s/mail.yourdomain.com/$FQDN/g" /etc/postfix/main.cf
sudo sed -i "s/10.0.0.0\/24/10.0.0.0\/8/g" /etc/postfix/main.cf
#sudo sed -i "s/mydestination = $myhostname, localhost.$mydomain, localhost/mydestination = $$HOSTNAME, localhost.$$MYDN, localhost/g" /etc/postfix/main.cf
sudo sed -i "s/relay_domains = yourdomain.com yourotherdomain.com yourveryfantasticdomain.com/relay_domains = $MYDN/g" /etc/postfix/main.cf
echo "$MYDN smtp:[$EXCHANGEIP]" >> /etc/postfix/transport

# Remove Sensitive Data and Internal Network Information from Postfix Headers from outgoing mail
sudo echo " " >> /etc/postfix/main.cf
sudo echo "# Remove Sensitive Data and Internal Network Information from Postfix Headers from outgoing mail" >> /etc/postfix/main.cf
sudo echo "smtp_header_checks = regexp:/etc/postfix/smtp_header_checks" >> /etc/postfix/main.cf
touch /etc/postfix/smtp_header_checks
sudo echo "/^X-Mailer:/ IGNORE" >> /etc/postfix/smtp_header_checks
sudo echo "/^Received:/ IGNORE" >> /etc/postfix/smtp_header_checks
sudo echo "/^X-Original-IP:/ IGNORE" >> /etc/postfix/smtp_header_checks
sudo echo "/^User-Agent:/ IGNORE" >> /etc/postfix/smtp_header_checks
sudo echo "/^X-Mailer-Type:/ IGNORE" >> /etc/postfix/smtp_header_checks
# For external clients that submit mail : https://serverfault.com/a/998993
# https://serverfault.com/questions/413533/remove-hide-client-sender-ip-from-postfix

# Regularly postmap
sudo echo '#!/bin/sh' > /etc/cron.hourly/postfix-db
sudo echo 'cd /etc/postfix' >> /etc/cron.hourly/postfix-db
sudo echo 'newaliases' >> /etc/cron.hourly/postfix-db
sudo echo '/usr/sbin/postmap /etc/postfix/virtual' >> /etc/cron.hourly/postfix-db
sudo echo '/usr/sbin/postmap /etc/postfix/transport' >> /etc/cron.hourly/postfix-db
sudo echo '/usr/sbin/postmap /etc/postfix/access' >> /etc/cron.hourly/postfix-db
sudo echo '/usr/sbin/postmap /etc/postfix/relay_recipients' >> /etc/cron.hourly/postfix-db
sudo echo '/usr/sbin/postmap /etc/postfix/helo_access' >> /etc/cron.hourly/postfix-db
sudo chmod a+x /etc/cron.hourly/postfix-db

echo 'Install ClamAV' ; sleep 5
sudo apt install -y clamav clamav-daemon
sudo systemctl enable clamav-daemon
sudo systemctl enable clamav-freshclam
sudo systemctl stop clamav-daemon
sudo sed -i 's/LocalSocketGroup clamav/LocalSocketGroup mtagroup/g' /etc/clamav/clamd.conf
# Optional: Extra ClamAV signatures
# It does not cost much and gives you a load of extra protection: the 4.000.000 virus/malware signatures of securiteinfo.com.
# https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml

# SpamAssassin
# Debug with : spamassassin -D --lint 2>&1 | less
echo 'SpamAssassin install' ; sleep 5
sudo apt -y install spamassassin
apt-get -y install s-nail libyaml-perl libtest-manifest-perl libbusiness-isbn-data-perl libbusiness-isbn-perl libtest-pod-perl libmodule-build-perl libinline-perl libencode-detect-perl libnet-ldap-perl libnet-cidr-lite-perl libio-string-perl libnet-dns-resolver-programmable-perl libmail-spf-perl
# antiword libmail-imapclient-perl p7zip p7zip-full geoip-database libgeo-ip-perl libgeoip1 libnet-patricia-perl arj lhasa liblhasa0 cabextract nomarch pax rar zip libmail-milter-perl libdb-dev libdb5.3-dev libtest-deep-perl libdigest-sha-perl

#Extra rulesets for SpamAssassin
# The two *.cf.sh files below are downloaded scripts that get installed as hourly root cron jobs.
sudo wget -O /etc/mail/spamassassin/KAM.cf https://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
sudo wget -O /etc/mail/spamassassin/nonKAMrules.cf https://mcgrail.com/downloads/nonKAMrules.cf
sudo wget -O /etc/cron.hourly/KAM.cf.sh https://dutchspamassassinrules.nl/DSR/contrib/KAM.cf.sh
sudo chmod a+x /etc/cron.hourly/KAM.cf.sh
sudo wget -O /etc/mail/spamassassin/DSR.cf https://dutchspamassassinrules.nl/DSR/DSR.cf
sudo wget -O /etc/cron.hourly/DSR.cf.sh https://dutchspamassassinrules.nl/DSR/DSR.cf.sh
sudo chmod a+x /etc/cron.hourly/DSR.cf.sh

# MailScanner install
# Debug with MailScanner --debug
# Kill all mailscanner processes : killall -I -r mailscanner
echo 'MailScanner install' ; sleep 5
sudo wget -O /tmp/MailScanner.noarch.deb https://github.com/MailScanner/v5/releases/download/5.4.4-1/MailScanner-5.4.4-1.noarch.deb
sudo apt -y install /tmp/MailScanner.noarch.deb
sudo sed -i "s/yoursite/$MSHOSTNAME/g" /etc/MailScanner/MailScanner.conf
sudo sed -i "s/YOURDOMAIN-COM/$MSHOSTNAME/g" /etc/MailScanner/spamassassin.conf
sudo sed -i "s/yoursite/$MSHOSTNAME/g" /etc/MailScanner/spamassassin.conf
sudo echo "Run As User = postfix" > /etc/MailScanner/conf.d/10-postfix.conf
sudo echo "Run As Group = postfix" >> /etc/MailScanner/conf.d/10-postfix.conf
sudo echo "Incoming Queue Dir = /var/spool/postfix/hold" >> /etc/MailScanner/conf.d/10-postfix.conf
sudo echo "Outgoing Queue Dir = /var/spool/postfix/incoming" >> /etc/MailScanner/conf.d/10-postfix.conf
sudo echo "MTA = postfix" >> /etc/MailScanner/conf.d/10-postfix.conf
sudo echo "Clamd Socket = /var/run/clamav/clamd.ctl" >> /etc/MailScanner/conf.d/10-postfix.conf
sudo echo "SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin" >> /etc/MailScanner/conf.d/10-postfix.conf
sudo chown -R postfix:mtagroup /etc/clamav
sudo usermod -a -G mtagroup postfix
sudo usermod -a -G mtagroup clamav
sudo systemctl restart clamav-daemon

#Complete config of PostFix + MailScanner, then
sudo mkdir -p /var/spool/MailScanner/spamassassin
sudo chown postfix:mtagroup /var/spool/MailScanner/spamassassin
sudo mkdir -p /var/spool/MailScanner/archive
sudo chown postfix:mtagroup /var/spool/MailScanner/archive
ms-configure
sudo /etc/cron.hourly/postfix-db
sudo systemctl enable postfix
sudo systemctl restart postfix

# Get path for SpamAssassin (credits L.P.H. van Belle) : getent passwd |grep spamd|awk -F: '{ print $6 }'
# Usually /var/lib/spamassassin

# razor http://razor.sourceforge.net/docs/install.php
#sudo apt -y install razor
sudo mkdir /var/lib/spamassassin/.razor
sudo razor-admin -home=/var/lib/spamassassin/.razor -register
sudo razor-admin -home=/var/lib/spamassassin/.razor -create
sudo razor-admin -home=/var/lib/spamassassin/.razor -discover
#chown -R debian-spamd:debian-spamd /var/lib/spamassassin/.razor
sudo chown -R postfix:mtagroup /var/lib/spamassassin/.razor
sudo chmod 775 /var/lib/spamassassin/.razor
sudo echo 'razor_config /var/lib/spamassassin/.razor/razor-agent.conf' >> /etc/spamassassin/local.cf
sudo echo 'use_razor2 1' >> /etc/spamassassin/local.cf

#sudo apt -y install pyzor
sudo mkdir /var/lib/spamassassin/.pyzor
# The pyzor discover command has been removed in version 0.6, back in 2010 (commit 50f2bf5aa47ed863de78c413ff7114f5e54f5a9b), and pyzor works out of the box now.
#echo "chown -R $(getent passwd |grep spamd|awk -F: '{ print $3":"$4 }') /var/lib/spamassassin/.pyzor/"
# or
#echo "chown -R $(getent passwd |grep spamd|awk -F: '{ print $1":"$1 }') /var/lib/spamassassin/.pyzor/"
#sudo chown -R debian-spamd:debian-spamd /var/lib/spamassassin/.pyzor/
sudo chown -R postfix:mtagroup /var/lib/spamassassin/.pyzor
sudo chmod 775 /var/lib/spamassassin/.pyzor
sudo echo 'pyzor_options --homedir /var/lib/spamassassin' >> /etc/spamassassin/local.cf
sudo echo 'use_pyzor 1' >> /etc/spamassassin/local.cf

# Install DCC
sudo wget -O /tmp/dcc.tar.Z 'https://www.dcc-servers.net/src/dcc/dcc.tar.Z'
cd /tmp
tar xvzf dcc.tar.Z
cd dcc-*
sudo ./configure && sudo make && sudo make install
sudo echo 'use_dcc 1' >> /etc/spamassassin/local.cf
sudo echo 'dcc_timeout 8' >> /etc/spamassassin/local.cf
sudo echo 'dcc_home /var/dcc/' >> /etc/spamassassin/local.cf
sudo echo 'dcc_path /usr/local/bin/dccproc' >> /etc/spamassassin/local.cf
sudo echo 'add_header all DCC _DCCB_: _DCCR_' >> /etc/spamassassin/local.cf
sed -i '/::DCC/s/^#//g' /etc/spamassassin/v310.pre

sudo echo ' ' >> /etc/fail2ban/jail.local
sudo echo '[postfix]' >> /etc/fail2ban/jail.local
sudo echo 'enabled = true' >> /etc/fail2ban/jail.local
sudo echo 'maxretry = 3' >> /etc/fail2ban/jail.local
sudo echo 'bantime = 1h' >> /etc/fail2ban/jail.local
sudo echo 'filter = postfix[mode=aggressive]' >> /etc/fail2ban/jail.local
sudo echo 'logpath = /var/log/mail.log' >> /etc/fail2ban/jail.local
sudo systemctl restart fail2ban

sudo sed -i 's/run_mailscanner=0/run_mailscanner=1/g' /etc/MailScanner/defaults
sudo systemctl enable mailscanner
sudo systemctl start mailscanner
sudo ufw allow smtp
sudo ufw allow submission
sudo ufw allow submissions

useradd -u 960 -g postfix -s /sbin/nologin spam
useradd -u 961 -g postfix -s /sbin/nologin spam
sudo echo 'verkoop: spam' >> /etc/aliases
sudo echo '01 * * * * root /usr/local/bin/learn-spam.sh' >> /etc/crontab

# Check mtagroup !!!!
#
# find / -group 1001 -exec chgrp -h mtagroup {} \;

# dovecot https://www.linuxbabe.com/mail-server/secure-email-server-ubuntu-postfix-dovecot
#sudo ufw allow 80,443,465,587,993/tcp
#sudo apt install -y certbot python3-certbot-apache
#sudo nano /etc/apache2/sites-available/$FQDN.conf
#sudo a2ensite $FQDN.conf
#sudo a2dissite 000-default
#sudo systemctl reload apache2
#sudo certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp --email myemal@somewhere.com -d $FQDN
# crontab @daily certbot renew --quiet && systemctl reload postfix dovecot apache2
# sudo apt install dovecot-core dovecot-imapd
# sudo adduser dovecot mail
# chmod 02775 /var/mail ; chown root:mail /var/spool/mail

# Install additional utilities
# Extract attachments out of MIME encoded emails
#apt install ripmime

#MS Exchange user lookup (to be completed)
#sudo apt install -y ldap-utils

From adrian at pa0rda.nl Sat Sep 24 15:20:54 2022
From: adrian at pa0rda.nl (Adrian van Bloois)
Date: Sat, 24 Sep 2022 17:20:54 +0200
Subject: Beta label
In-Reply-To:
References:
Message-ID:
<20220924152054.GA31654@pa0rda.nl> Hi, How long is that label beta going to stay on MailScanner 5.4.5-1? Adrian -- Adri P. van Bloois It's never too late for early music!!! From mailscanner at barendse.to Mon Sep 26 08:28:06 2022 From: mailscanner at barendse.to (mailscanner at barendse.to) Date: Mon, 26 Sep 2022 10:28:06 +0200 (CEST) Subject: shtml attachment files ? In-Reply-To: <8ac146ba-2ac0-985c-e174-6e8d66fd129a@summitgrid.com> References: <22c2082b-3241-30fc-7502-f41fdeef57e9@msapiro.net> <8ac146ba-2ac0-985c-e174-6e8d66fd129a@summitgrid.com> Message-ID: On Thu, 28 Jul 2022, Shawn Iverson via MailScanner wrote: > It is happening during the mime parsing operation when the mime is split into > text and html parts. It assigns a name msg-.html to the html mime part. Is there any way to avoid that, can we assign a different name, other than .html ? The number of .html attachments with links to a partial virus payload and that are slipping through undetected is increasing and it's worrying. I have a pretty decent proxy/filter but......... > On 7/28/22 11:21, Mark Sapiro wrote: >> On 7/28/22 05:14, mailscanner at barendse.to wrote: >>> Hi list >>> >>> I tried blocking \.htm$ and \.html$ in my filename.rules.conf before but >>> found that this effectively blocked nearly each and every email that was >>> coming in so I have to allow that for as long as MailScanner cannot >>> differentiate between an attached .html file or html text in the mail >>> itself >> >> This is curious. Most common MUAs tend to be configured to compose >> multipart/alternative mail with text/plain and text/html alternative parts, >> but the text/html part does not have a `name` parameter in the >> Content-Type: header nor does it have a Content-Disposition: header at all. >> So where is MailScanner getting a *.html filename for these parts? 
>>
>>
>
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

From shawniverson at summitgrid.com Mon Sep 26 11:11:55 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 26 Sep 2022 07:11:55 -0400
Subject: shtml attachment files ?
In-Reply-To:
References: <22c2082b-3241-30fc-7502-f41fdeef57e9@msapiro.net>
 <8ac146ba-2ac0-985c-e174-6e8d66fd129a@summitgrid.com>
Message-ID:

No. The code that does this isn't even MailScanner itself. It is
MIME::Parser when the Explode* methods are called. Changing this
behavior would mean most likely rewriting that perl module.

The problem you are running into is that the filename blocking is not
MIME-aware and doesn't look at the email but rather the files that are
exploded in the working directory. The distinction here is that these
html files you are fighting are likely attachments and not the html
mime part of the email.

You have a few options:

1) Block any html file that doesn't conform to msg-.html in your
filename rules:

allow   msg-.*\.html$   HTML part of email message   HTML part of email message
deny    \.html$   HTML not part of email message   HTML not part of email message

2) Use SpamAssassin to examine the mimeheaders and score appropriately

mimeheader   Content-Disposition =~ /attachment; filename=\".*\.html\"/
describe     HTML attachment, not safe!
score        10.0

On 9/26/22 04:28, mailscanner at barendse.to wrote:
>
>
> On Thu, 28 Jul 2022, Shawn Iverson via MailScanner wrote:
>
>> It is happening during the mime parsing operation when the mime is
>> split into text and html parts. It assigns a name msg-.html to
>> the html mime part.
>
>
> Is there any way to avoid that, can we assign a different name, other
> than .html ?
>
> The number of .html attachments with links to a partial virus payload
> and that are slipping through undetected is increasing and it's
> worrying.
> I have a pretty decent proxy/filter but.........
>
>
>>
>
>

From shawniverson at summitgrid.com Mon Sep 26 11:18:15 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 26 Sep 2022 07:18:15 -0400
Subject: shtml attachment files ?
In-Reply-To:
References: <22c2082b-3241-30fc-7502-f41fdeef57e9@msapiro.net>
 <8ac146ba-2ac0-985c-e174-6e8d66fd129a@summitgrid.com>
Message-ID:

Got in a hurry...left off the rule name...

mimeheader   MYHTMLRULE   Content-Disposition =~ /attachment; filename=\".*\.html\"/
describe     MYHTMLRULE   HTML attachment, not safe!
score        MYHTMLRULE   10.0

On 9/26/22 07:11, Shawn Iverson via MailScanner wrote:
>
> No. The code that does this isn't even MailScanner itself. It is
> MIME::Parser when the Explode* methods are called. Changing this
> behavior would mean most likely rewriting that perl module.
>
> The problem you are running into is that the filename blocking is not
> MIME-aware and doesn't look at the email but rather the files that are
> exploded in the working directory. The distinction here is that these
> html files you are fighting are likely attachments and not the html
> mime part of the email.
>
> You have a few options:
>
> 1) Block any html file that doesn't conform to msg-.html in your
> filename rules:
>
> allow   msg-.*\.html$   HTML part of email message   HTML part of
> email message
>
> deny   \.html$   HTML not part of email message   HTML not part of
> email message
>
> 2) Use SpamAssassin to examine the mimeheaders and score appropriately
>
> mimeheader   Content-Disposition =~ /attachment; filename=\".*\.html\"/
>
> describe   HTML attachment, not safe!
>
> score      10.0
>
> On 9/26/22 04:28, mailscanner at barendse.to wrote:
>>
>>
>> On Thu, 28 Jul 2022, Shawn Iverson via MailScanner wrote:
>>
>>> It is happening during the mime parsing operation when the mime is
>>> split into text and html parts. It assigns a name msg-.html to
>>> the html mime part.
>>
>>
>> Is there any way to avoid that, can we assign a different name, other
>> than .html ?
>>
>> The number of .html attachments with links to a partial virus payload
>> and that are slipping through undetected is increasing and it's
>> worrying. I have a pretty decent proxy/filter but.........
>>
>>
>>>
>>
>>
>
>

From mailscanner at barendse.to Mon Sep 26 14:12:21 2022
From: mailscanner at barendse.to (mailscanner at barendse.to)
Date: Mon, 26 Sep 2022 16:12:21 +0200 (CEST)
Subject: shtml attachment files ?
In-Reply-To:
References: <22c2082b-3241-30fc-7502-f41fdeef57e9@msapiro.net>
 <8ac146ba-2ac0-985c-e174-6e8d66fd129a@summitgrid.com>
Message-ID: <79cd85e1-b0a6-6e4e-473f-a763b2d4133a@barendse.to>

Thanks Shawn!

I made a typo somewhere and sa-compile didn't complete, during google
search I found a similar post from someone trying to block .7z and
copy/pasted the rules together, this is what I have now :

mimeheader NO_HTML_ATTACH01 Content-Disposition =~ /attachment; filename=\".*\.html\"/
describe NO_HTML_ATTACH01 HTML attachment, not safe!
score NO_HTML_ATTACH01 10.0

rawbody NO_HTML_ATTACH02 /Content-Disposition: attachment; filename=.+.html/i
describe NO_HTML_ATTACH02 email contains a html inline attachment
score NO_HTML_ATTACH02 10.0

Hope this is correct, sadly I only have production servers to
test/fiddle around with

Thanks again!

On Mon, 26 Sep 2022, Shawn Iverson via MailScanner wrote:

> Got in a hurry...left off the rule name...
>
> mimeheader   MYHTMLRULE   Content-Disposition =~ /attachment;
> filename=\".*\.html\"/
> describe   MYHTMLRULE   HTML attachment, not safe!
> score      MYHTMLRULE   10.0
>
>
> On 9/26/22 07:11, Shawn Iverson via MailScanner wrote:
>>
>> No. The code that does this isn't even MailScanner itself. It is
>> MIME::Parser when the Explode* methods are called. Changing this
>> behavior would mean most likely rewriting that perl module.
>>
>> The problem you are running into is that the filename blocking is not
>> MIME-aware and doesn't look at the email but rather the files that are
>> exploded in the working directory. The distinction here is that these
>> html files you are fighting are likely attachments and not the html
>> mime part of the email.
>>
>> You have a few options:
>>
>> 1) Block any html file that doesn't conform to msg-.html in your
>> filename rules:
>>
>> allow   msg-.*\.html$   HTML part of email message   HTML part of
>> email message
>>
>> deny   \.html$   HTML not part of email message   HTML not part of
>> email message
>>
>> 2) Use SpamAssassin to examine the mimeheaders and score appropriately
>>
>> mimeheader   Content-Disposition =~ /attachment; filename=\".*\.html\"/
>>
>> describe   HTML attachment, not safe!
>>
>> score      10.0
>>
>> On 9/26/22 04:28, mailscanner at barendse.to wrote:
>>>
>>>
>>> On Thu, 28 Jul 2022, Shawn Iverson via MailScanner wrote:
>>>
>>>> It is happening during the mime parsing operation when the mime is
>>>> split into text and html parts. It assigns a name msg-.html to
>>>> the html mime part.
>>>
>>>
>>> Is there any way to avoid that, can we assign a different name, other
>>> than .html ?
>>>
>>> The number of .html attachments with links to a partial virus payload
>>> and that are slipping through undetected is increasing and it's
>>> worrying. I have a pretty decent proxy/filter but.........
>>>
>>>
>>>>
>>>
>>>
>>
>>
>
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
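
Added example, not part of the thread and not MailScanner or SpamAssassin code: a MIME-aware check using Python's standard `email` module that tells the unnamed text/html body part apart from HTML-family attachments, next to the regex from the thread applied line by line for comparison. The sample message, the .htm/.html/.shtml extension policy and the function names are constructed for illustration.

```python
import email
import re

# Constructed sample: an HTML body part plus three HTML-family attachments.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain

plain body
--inner
Content-Type: text/html

<p>html body</p>
--inner--
--outer
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<p>a</p>
--outer
Content-Type: text/html
Content-Disposition: attachment; filename=REPORT.HTM

<p>b</p>
--outer
Content-Disposition: attachment; filename*=UTF-8''page.shtml

<p>c</p>
--outer--
"""
HTML_NAME = re.compile(r"\.s?html?$", re.IGNORECASE)  # assumed policy: .htm .html .shtml
THREAD_RE = re.compile(r'attachment; filename=".*\.html"')  # pattern from the thread

def html_attachments(raw):
    """Declared filenames of MIME parts that are HTML-family by name."""
    parts = email.message_from_string(raw).walk()
    # get_filename(): Content-Disposition filename, else Content-Type name
    names = [p.get_filename() for p in parts]
    return [n for n in names if n and HTML_NAME.search(n)]

def thread_regex_hits(raw):
    """Approximation of the header rule: test each raw line against the regex."""
    return [line for line in raw.splitlines() if THREAD_RE.search(line)]
```

The body part carries no filename and is never flagged, while the unquoted, upper-case and RFC 2231 `filename*=` forms are caught by the parser but not by the quoted-`.html` pattern.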