Kevin Miller | 23 Jan 22:31 2015

filename/filetype not working properly

Recently, someone tried to send one of my users an MS Office document which was blocked due to a disallowed
file (0000.dat).  It turns out that we likely ran afoul of Microsoft's once again forgetting they're not the
only kid in the sandbox.  See:
https://social.technet.microsoft.com/Forums/sharepoint/en-US/287650b5-293c-48bc-90ec-9e13a61a46a6/office365-word-document-docx-banned-from-mailer-if-you-edit-properties-online-bug-

(talk about an ugly URL!)

I'm not sure why 0000.dat would be flagged as executable.  The message wasn't quarantined - it was just
dropped - so I can't examine it.  Regardless, I expect we'll see this issue more in the future so I made the
following changes in MailScanner.conf:

Allow Filenames = [0-9a-f]{4}.dat$
Allow Filetypes =   executable

The verbiage above the "Allow Filenames" indicates that it's an "and" operation - that is, the filename has
to match, *and* I need to allow executable filetypes.  To test this, I copied /bin/grep, knowing it's an
executable file that will otherwise be rejected, then sent it to myself with various filenames.

The results of the test are as follows:

grep		allowed
grep.exe	blocked
0000.abc	allowed
0000.dat	allowed
0000.dot	allowed
0000.com	blocked
0000.pdf	allowed
1234.abc	allowed

My understanding of the comments in MailScanner.conf is that both rules have to match for the attachment to
(Continue reading)
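An added example, not part of the original post: a check of which filenames the `Allow Filenames` pattern quoted above matches, assuming the value is applied as an unanchored, case-sensitive regular-expression search. The tightened pattern and the extra sample names are constructed for illustration.

```python
import re

# Pattern exactly as written in the post's MailScanner.conf line.
POSTED = r"[0-9a-f]{4}.dat$"
# Constructed tightening (assumption, not from the post): anchor the start
# and escape the dot so only four hex digits followed by ".dat" match.
TIGHTENED = r"^[0-9a-f]{4}\.dat$"

# The eight names from the post's test, then constructed edge cases.
SAMPLES = [
    "grep", "grep.exe", "0000.abc", "0000.dat",
    "0000.dot", "0000.com", "0000.pdf", "1234.abc",
    "invoice-beef.dat",  # constructed: extra text before the hex digits
    "0000xdat",          # constructed: no literal dot at all
    "0000.dat.exe",      # constructed: allowed name used as a prefix
]


def matched(pattern, names):
    """Return the names the pattern matches under an unanchored search."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def audit(names=SAMPLES):
    """Names accepted by the posted pattern but rejected by the tightened one."""
    strict = set(matched(TIGHTENED, names))
    return [n for n in matched(POSTED, names) if n not in strict]


if __name__ == "__main__":
    print("posted    :", matched(POSTED, SAMPLES))
    print("tightened :", matched(TIGHTENED, SAMPLES))
    print("loose only:", audit())
```

Of the eight names in the post's test, only `0000.dat` matches either pattern, so the filename pattern by itself does not account for `grep`, `0000.abc`, `0000.dot`, `0000.pdf` or `1234.abc` being allowed.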

Peter Nitschke | 19 Jan 06:07 2015

Happy new year

Hi,

Happy new year.

Just testing to see if the list is still working.

Cheers,

Peter

--

-- 
MailScanner mailing list
mailscanner <at> lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

The Doctor | 27 Dec 22:44 2014

Help

Get my perl working, however, I get

ktrace check_mailscanner
Starting MailScanner...Can't locate object method "bootstrap" via package "DBI" at
/usr/contrib/lib/perl5/site_perl/5.18.2/i386-bsdos/DBI.pm line 277.
BEGIN failed--compilation aborted at /usr/contrib/lib/perl5/site_perl/5.18.2/i386-bsdos/DBI.pm
line 284.
Compilation failed in require at /opt/MailScanner/lib/MailScanner/ConfigSQL.pm line 36.
BEGIN failed--compilation aborted at /opt/MailScanner/lib/MailScanner/ConfigSQL.pm line 36.
Compilation failed in require at /opt/MailScanner/lib/Config.pm line 47.
Compilation failed in require at /usr/libdata/perl5/5.18.2/i386-bsdos/DynaLoader.pm line 22.
BEGIN failed--compilation aborted at /usr/libdata/perl5/5.18.2/i386-bsdos/DynaLoader.pm line 22.
Compilation failed in require at
/usr/contrib/lib/perl5/site_perl/5.18.2/i386-bsdos/Time/HiRes.pm line 7.
Compilation failed in require at /opt/MailScanner/bin/MailScanner line 90.
BEGIN failed--compilation aborted at /opt/MailScanner/bin/MailScanner line 90.
 Failed.
You have new mail in /var/mail/doctor
doctor.nl2k.ab.ca/~$ kdump
  8702 ktrace   RET   ktrace 0
  8702 ktrace   CALL  execve(0x8047168,0x8047630,0x8047638)
  8702 ktrace   NAMI  "./check_mailscanner"
  8702 ktrace   RET   execve -1 errno 2 No such file or directory
  8702 ktrace   CALL  execve(0x8047168,0x8047630,0x8047638)
  8702 ktrace   NAMI  "./check_mailscanner"
  8702 ktrace   RET   execve -1 errno 2 No such file or directory
  8702 ktrace   CALL  execve(0x8047168,0x8047630,0x8047638)
  8702 ktrace   NAMI  "/root/bin/check_mailscanner"
  8702 ktrace   RET   execve -1 errno 2 No such file or directory
  8702 ktrace   CALL  execve(0x8047168,0x8047630,0x8047638)
(Continue reading)

Steve Freegard | 24 Dec 12:40 2014

Re: Mailscanner process mail too slow

On 24/12/14 02:48, Carlos R Laguna wrote:
> I am not sure if the change to clamd works or not.

The speed difference between the two is huge:

[root@mail1-ec2 ~]# clamdscan -c /etc/clamd.d/scan.conf  /tmp/test.eml
/tmp/test.eml: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.016 sec (0 m 0 s)

.vs.

[root@mail1-ec2 ~]# clamscan /tmp/test.eml
/tmp/test.eml: OK

----------- SCAN SUMMARY -----------
Known viruses: 4687566
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 18.914 sec (0 m 18 s)

So 18.9 seconds .vs. 0.016 seconds.

That would allow MailScanner to scan only 3000 messages per hour (with 
(Continue reading)

Steve Freegard | 23 Dec 23:07 2014

Re: Mailscanner process mail too slow

On 23/12/14 21:32, Carlos R Laguna wrote:

> Any hint will be great
>
> MailScanner.conf says "Virus Scanners = clamav"
> Found these virus scanners installed: clamav

clamscan is *really* slow.  You should be using clamd; it's massively 
faster.

Regards,
Steve.

Carlos R Laguna | 23 Dec 22:32 2014

Mailscanner process mail too slow

Hi everyone, I am having some issues here, but can't figure out what it is.
My current box is mailscanner 4.86.6-1 ubuntu 12.04.5.
The symptoms are:
mail processing too slow
in queue are over 15k mail on hold
almost no clamscan process

mailscanner log http://paste.desdelinux.net/5097

Any hint will be great

MailScanner --lint output (connecting to SpamAssassin cache db takes up
to 15s)

Reading configuration file /opt/MailScanner/etc/MailScanner.conf
Reading configuration file /opt/MailScanner/etc/conf.d/baruwa.conf
Read 876 hostnames from the phishing whitelist
Read 5890 hostnames from the phishing blacklists
Config: calling custom init function BaruwaLowScore
Baruwa: Populating spam score settings
Baruwa: Read 20 spam score settings
Config: calling custom init function BaruwaShouldScan
Baruwa: Starting scanning settings
Baruwa: Read 21 settings
Config: calling custom init function BaruwaBlacklist
Baruwa: Starting blacklists
Baruwa: Read 0 blacklist items
Baruwa: Ip blocks blacklisted:
Config: calling custom init function BaruwaSQL
Baruwa: Starting SQL logger
(Continue reading)

Nerijus Baliunas | 23 Dec 14:11 2014

archiving rules

Hello,

I have Non Spam Actions = %rules-dir%/archive-nonspam.rules
and archive-nonspam.rules is:

To:         *@domain.lt      deliver header "X-Spam-Status: No" forward _TOUSER_@backup.domain.lt
From:       *@domain.lt      deliver header "X-Spam-Status: No" forward _FROMUSER_.Sent@backup.domain.lt
FromOrTo:   default       deliver header "X-Spam-Status: No"

Messages are archived correctly. The problem is, when the message is sent like this:
To: user1@externaldomain.lt
Cc: user2@domain.lt

The message is sent to both user1@backup.domain.lt and user2@backup.domain.lt.
Is it possible for _TOUSER_ in the above rule to be used only if the recipient domain is local, i.e. domain.lt?

Regards,
Nerijus

Vlad Mazek | 16 Dec 19:21 2014

MailScanner seems to be skipping messages

I'm running 4.81.4 with sendmail.

I'm starting to see messages not going through MailScanner. Is there any scenario you guys would think would cause a message to not be scanned? This is something that is sporadic.

Maillogs don't show any entries for these message IDs, which in the past may have been attributed to cached scoring. But I'm not seeing the MailScanner header inserts at all.

Ugo Vasi | 15 Dec 18:05 2014

TNEF in postfix hold path

Hi all,
in a recent installation (debian 7 + mailscanner 4.84.5-4~wheezy +
postfix 2.9.6-2) I see these warnings in mail.log:

Dec 15 17:57:23 mail postfix/showq[18891]: warning: hold/tnefwaSOJu: uid 102: not a regular file
Dec 15 17:57:23 mail postfix/showq[18891]: warning: hold/tnef0R36P5: uid 102: not a regular file
Dec 15 17:57:23 mail postfix/showq[18891]: warning: hold/tnefTBC2pw: uid 102: not a regular file
Dec 15 17:57:23 mail postfix/showq[18891]: warning: hold/tnefvBgPij: uid 102: not a regular file
Dec 15 17:57:23 mail postfix/showq[18891]: warning: hold/tnef9a5yNc: uid 102: not a regular file
Dec 15 17:57:23 mail postfix/showq[18891]: warning: hold/tnef2XEO6H: uid 102: not a regular file
Dec 15 17:57:23 mail postfix/showq[18891]: warning: hold/tnefceRLQ7: uid 102: not a regular file
Dec 15 17:57:23 mail postfix/showq[18891]: warning: hold/tnefFF_uw1: uid 102: not a regular file
Dec 15 17:57:23 mail postfix/showq[18891]: warning: hold/tnefq6wleV: uid 102: not a regular file

In fact, in the /var/spool/postfix/hold folder, I see these "tnef*"
folders that are deleted after a while.

I suspect that MailScanner uses the TNEF expander (/usr/bin/tnef) in
the postfix's hold directory.

It seems that this does not create problems for the email flow but it is
strange...

Who can help me to find a solution?

Thanks

-- 

   U g o   V a s i    <ugo.vasi <at> procne.it>
   P r o c n e  s.r.l    >)
   via Cotonificio 45  33010 Tavagnacco IT
   phone: +390432486523 fax: +390432486523

The information contained in this message is private and
confidential and its dissemination in any manner is prohibited.
If you are not the person for whom this message is
intended, please delete it without reading it and kindly
notify us.
For any information please contact support <at> procne.it .
Ref. D.L. 196/2003


t dara | 15 Dec 03:24 2014

Have problem with MailScanner 4.84.6 Cannot Add inline signature

Hello,

I have a problem with MailScanner 4.84.6: it cannot add the inline signature.
I see in the config file that by default it should add the inline signature. I have already tried restarting MailScanner and didn't see any error message.

Here is my configuration
Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt
Sign Clean Messages = yes

Thanks for your help,
Sovandara

Mohammed Ejaz | 11 Dec 14:30 2014

Email-bounce.

Hello,

Some of my users are receiving the error below when sending their emails. Would you please shed some light on what could be the reason for it? Thanks in advance.

Ejaz

Our virus detector failed to completely analyse a message you sent:-

  To: irene.gorget <at> lactalis.com.ua
  Subject: RE: current result versus B2015 - UFIC
  Date: Thu Dec 11 14:59:29 2014

Any parts of the message that could not be analysed will not have been delivered.

If you are using Microsoft Outlook, we strongly recommend you change your outgoing message format from "Rich Text" to "HTML" or "Plain Text".

1) Click on the "Tools" menu and choose "Options..."
2) Go to the "Mail Format" tab
3) For message format, select "HTML" or "Plain text"
4) Click OK

The virus detector said this about the message:

Report: Report: MailScanner: Message attempted to kill MailScanner

--
MailScanner
Email Virus Scanner
Your Organisation Name Here
www.your-organisation.com

For all your IT requirements visit: http://www.transtec.co.uk

Please don't print this e-mail unless you really need to. Save