<div dir="ltr"><div><div><div><div><div><div><div>Hello Scott,<br><br></div>The values I have are in bytes, hence the huge values (they're just 6.5MB and 3.6MB respectively... Which is quite enough for most spam, since spammers tend to keep things "short and sweet"). This is due to some old version of MailScanner not correctly understanding the SI multiple indicators ("k", "M" etc)... And since that is sure to work, why change it:-). Obvioulsy (from the log snippet you shared (adressed to Mark)), the 15000k specification doesnt work for you. Try putting the byte values in, restart MS and see what gives! Oh, and allowing GB e-mail... I imagine anything like that would be bounced pretty much from every other MTA on the planet;-)<br><br></div>The Maximum Attachments Per Message would likely the interresting setting, provided that actually is the problem... And since the warning message indicates that it replaces "The whole message", that's likely not it (this can happen in a range of situations, where different functions in MailScanner detect something amiss with the body in it's entirety... MS will the replace the body with the warning as stated, but since there is no other text/body, that will be displayed as the actual body... Can be a bit confusing at first, but is actually a good indicator:)).<br></div>Things that historically has had this effect on "the whole message" are filetype rules, UU-decoding/disabling etc. This is why it would be very valuable for you to actually quarantine the message, so that you can inspect the message file in the quarantine.<br><br></div>The UUdecode stuff is very likely your culprit, since that tries to deduce if "the whole message" is actually a UUencoded message and should be passed through uudecode.... If this misfires, you might end up with a uudecode that returns some astronomical amount of "attachments" and renders "the whole message" suspect.<br><br></div>Another possibility would be if the e-mail has a problem with MIME boundaries... Again, this would be easiest to see in the quarantined message/queue file.<br><br></div>Cheers!<br>-- <br></div>-- Glenn<br><div><div><div><div><div><div><br></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-02-10 19:26 GMT+01:00 Paul Scott <span dir="ltr"><<a href="mailto:sales@edenusa.com" target="_blank">sales@edenusa.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div class="m_6768211126068096116WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hello Glenn,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Thank you very much for your reply. Here is the result:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">[root@mail MailScanner]# egrep "^Max" /etc/MailScanner/MailScanner.<wbr>conf
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max Children = 5<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max Unscanned Bytes Per Scan = 100m<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max Unsafe Bytes Per Scan = 50m<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max Unscanned Messages Per Scan = 30<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max Unsafe Messages Per Scan = 30<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max Normal Queue Size = 30<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Maximum Processing Attempts = 10<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Maximum Attachments Per Message = 20<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Maximum Message Size = %rules-dir%/max.message.size.<wbr>rules<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Maximum Attachment Size = -1<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Maximum Archive Depth = 0<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max Spam List Timeouts = 10<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max Spam Check Size = 15000k<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max SpamAssassin Size = 40k<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max SpamAssassin Timeouts = 90<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max Custom Spam Scanner Size = 20000<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Max Custom Spam Scanner Timeouts = 10<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">[root@mail MailScanner]#<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">NOTE: Does using the “k” screw anything up? That’s what was in there before, but it was “150k”, which was obviously too small.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I see that your values are huge, but there is no “k” indicated:<u></u><u></u></span></p><span class="">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal">Max Spam Check Size = 6500000<br>
Max SpamAssassin Size = 3600000<span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
</span><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">And this is the content of the max.message.size.rules file, which is setting a max for this particular client to 1GB, and 20MB for everyone else:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">#<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"># The following line specifies the default result used when none of the<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"># other rules match. In this example,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"># Maximum Message Size = 0<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"># means that there is no limit to the size of the message.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">#<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">To: *@<a href="http://mp-eng.com" target="_blank">mp-eng.com</a> 1000M<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From: *@<a href="http://mp-eng.com" target="_blank">mp-eng.com</a> 1000M<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">FromOrTo: default 20M<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Thank you again!<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Paul Scott<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> MailScanner [mailto:<a href="mailto:mailscanner-bounces%2Bsales" target="_blank">mailscanner-bounces+<wbr>sales</a>=<a href="mailto:edenusa.com@lists.mailscanner.info" target="_blank">edenusa.com@lists.<wbr>mailscanner.info</a>]
<b>On Behalf Of </b>Glenn Steen<br>
<b>Sent:</b> Friday, February 10, 2017 4:31 AM<br>
<b>To:</b> MailScanner Discussion <<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.<wbr>mailscanner.info</a>></span></p><div><div class="h5"><br>
<b>Subject:</b> Re: File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?<u></u><u></u></div></div><p></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Scott,<u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Could you please report the values for all your maximum settings? Do something like:<br>
egrep "^Max" /etc/MailScanner/MailScanner.<wbr>conf <u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">There used to be a logical trap/bug in the setting of Maximum Spam Check Size and Maximum Spamassassin Size (both theese need be relatively "huge". or you'll mess up SpamAssassin results badly). With the latter
a bit smaller than the former... I've got:<br>
Max Spam Check Size = 6500000<br>
Max SpamAssassin Size = 3600000<u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Also, pay attention to the Spamassassin timout value.<u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Further, a comment on your "I've turned everyting off" statement... This is sometimes easier said than done. There are a number of settings you need change, apart from the ones you mention. I suspect you would
find more ... interresting... facts (and not alternative ones, at that) if you ensure that the failures actually do get quarantined. That way you can inspect the actual raw message/queue file for discrepacies.<u></u><u></u></p>
</div>
<p class="MsoNormal">Cheers!<br>
-- <u></u><u></u></p>
</div>
<p class="MsoNormal">-- Glenn<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">2017-02-10 6:28 GMT+01:00 Paul Scott <<a href="mailto:sales@edenusa.com" target="_blank">sales@edenusa.com</a>>:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal" style="margin-bottom:12.0pt">Hello Mark,<br>
<br>
I pretty much managed to get mailscanner to restart a bit better. Still working on that, but I think I can nail it eventually.<br>
<br>
With regards to the attachments issue, I think I might finally be starting to get to the bottom of this. Here is the entry from the log which corresponds to the generation of the odd message that my clients get when a sender sends an email with attachments:<br>
<br>
Feb 8 15:41:46 mail MailScanner[14031]: Message v18NfGNg014804 from 216.205.24.106 (<a href="mailto:betty.tran@ioausa.com" target="_blank">betty.tran@ioausa.com</a>) to
<a href="http://mp-eng.com" target="_blank">mp-eng.com</a> is too big for spam checks (1572191 > 150000 bytes)<br>
<br>
So, of course when an email has attachments, it is quite large. This message is generated incorrectly, for two reasons:<br>
<br>
1. It is not the NUMBER of attachments which is generating this message, but that is what the message says.<br>
<br>
2. When the size of an email is too large for spam checks, it is supposed to be processed through without modification or error, as is indicated by this section of the MAILSCANNER.CONF file:<br>
<br>
# Spammers do not have the power to send out huge messages to everyone as<br>
# it costs them too much (more smaller messages makes more profit than less<br>
# very large messages). So if a message is bigger than a certain size, it<br>
# is highly unlikely to be spam. Limiting this saves a lot of time checking<br>
# huge messages.<br>
# Disable this option by setting it to a huge value.<br>
# This is measured in bytes.<br>
# This can also be the filename of a ruleset.<br>
Max Spam Check Size = 150k<br>
<br>
<br>
So there you have it. This is exactly where the breakdown is. Just because the message is too big for spam checks, the Mailscanner system is removing all of the attachments, and generating the bounce-back message to my clients.<br>
<br>
I suppose I could "Disable this option by setting it to a huge value", but eventually, the same thing will happen (e.g, when 10 large attachments are sent, which excess the new setting). I honestly think there is a bug here somewhere, or something not right
in the programming or configuration logic, or at the very least, the wrong message is being generated and the client is being penalized by their valid email being rejected.<br>
<br>
In addition, the file that the message claims to be attached (EdenUSAInc-Attachment-<wbr>Warning.txt), does NOT exist anywhere on the server's HD.<br>
<br>
At any rate, something is just not right here.<br>
<br>
Please let me know.<br>
<br>
Thank you!<br>
<span class="m_6768211126068096116hoenzb"><span style="color:#888888">Paul Scott</span></span><span style="color:#888888"><br>
</span><br>
<br>
<span class="m_6768211126068096116im">-----Original Message-----</span><br>
<span class="m_6768211126068096116im">From: MailScanner [mailto:<a href="mailto:mailscanner-bounces%2Bsales" target="_blank">mailscanner-bounces+<wbr>sales</a>=<a href="mailto:edenusa.com@lists.mailscanner.info" target="_blank">edenusa.com@lists.<wbr>mailscanner.info</a>] On Behalf Of Mark Sapiro</span><br>
<span class="m_6768211126068096116im">Sent: Thursday, February 09, 2017 8:31 AM</span><br>
<span class="m_6768211126068096116im">To: <a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.<wbr>info</a></span><br>
<span class="m_6768211126068096116im">Subject: Re: File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?</span><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">On 02/08/2017 03:39 PM, Paul Scott wrote:<br>
><br>
> Unfortunately, in the meantime, I also had another incident where a sender sending an attachment resulted in this bounce-back email again (I added those "--START OF MESSAGE-- and --END..." banners):<br>
><br>
><br>
> --START OF MESSAGE--<br>
> Warning: This message has had one or more attachments removed<br>
> Warning: (the entire message).<br>
> Warning: Please read the "EdenUSAInc-Attachment-<wbr>Warning.txt" attachment(s) for more information.<br>
><br>
> This is a message from the MailScanner E-Mail Virus Protection Service<br>
> ------------------------------<wbr>------------------------------<wbr>----------<br>
> The original e-mail attachment "the entire message"<br>
> was believed to be dangerous and/or infected by a virus and has been replaced by this warning message.<br>
><br>
> Due to limitations placed on us by the Regulation of Investigatory Powers Act 2000, we were unable to keep a copy of the infected attachment. Please ask the sender of the message to disinfect their original version and send you a clean copy.<br>
><br>
> At Wed Feb 8 07:28:11 2017 the scanner said:<br>
> Too many attachments in message<br>
><br>
> --<br>
> Postmaster<br>
> Eden USA, Inc.<br>
> <a href="http://www.edenitservices.com" target="_blank">www.edenitservices.com</a><br>
><br>
> For all your IT requirements visit: <a href="http://www.transtec.co.uk" target="_blank">
http://www.transtec.co.uk</a> --END OF<br>
> MESSAGE--<br>
<br>
<br>
I am unable to duplicate this exactly, so I can't help much, but in another post you said<br>
<br>
> 1. I already had the number of attachments allowed set to allow as many as a client wishes (the -1 setting).<br>
<br>
<br>
If you are thinking of "Maximum Attachment Size", thois is OK, but if you really mean "Maximum Attachments Per Message", there is no "unlimited" value, but '-1' might be interpreted as a very large, unsigned number, so it might be OK.<br>
<br>
<br>
> Also, where is that very last line coming from? "For all your IT requirements visit:
<a href="http://www.transteck.co.uk" target="_blank">http://www.transteck.co.uk</a>"<br>
<br>
<br>
>From some ISP's MTA, either the sender or the recipient of the message.<br>
<br>
<br>
> I really need to get this fixed. Do you have any more ideas? I simply need to SHUT OFF all file attachment scanning, and tell MailScanner somehow to stop doing anything at all with attachments. I just want to allow everything through, in terms of attachments.<br>
<br>
<br>
What does MailScanner log in the mail log for this message?<br>
<br>
--<br>
Mark Sapiro <<a href="mailto:mark@msapiro.net" target="_blank">mark@msapiro.net</a>> The highway is for gamblers,<br>
San Francisco Bay Area, California better use your sense - B. Dylan<br>
<br>
<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.<wbr>info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/<wbr>mailman/listinfo/mailscanner</a><br>
<br>
<br>
<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.<wbr>info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/<wbr>mailman/listinfo/mailscanner</a><u></u><u></u></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<br>
-- <u></u><u></u></p>
<div>
<p class="MsoNormal">-- Glenn<br>
email: glenn < dot > steen < at > gmail < dot > com<br>
work: glenn < dot > steen < at > ap1 < dot > se<u></u><u></u></p>
</div>
</div>
</div></div></div>
</div>
<br><br>
<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.<wbr>info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" rel="noreferrer" target="_blank">http://lists.mailscanner.info/<wbr>mailman/listinfo/mailscanner</a><br>
<br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">-- Glenn<br>email: glenn < dot > steen < at > gmail < dot > com<br>work: glenn < dot > steen < at > ap1 < dot > se</div>
</div>