Discussion:
Whitelist and disarming
Laszlo Nagy
2009-11-17 14:34:33 UTC
Hi All,

I would like to have Mailscanner not change some emails, in any way.
I have added the source email address to whitelist.rules:

# pwd
/usr/local/etc/MailScanner/rules
# grep @ spam.whitelist.rules
From: *@some_domain.com yes


My problem is that these emails are disarmed. Their subject and content
are changed. It is a big problem because these emails contain product
stock info updates from our partner, and we have programs that process
these emails. However, they cannot process the disarmed emails. I was
looking at the documentation but I could not find a way to do this. E.g.
configure mailscanner so that mails from "*@some_domain.com" are not
disarmed, subject, headers and body not changed. It would be ideal to
run virus scanning and spam filtering at the same time (and quarantine
spam/virus emails). How can I do this?

My system is FreeBSD 7 amd64. Mailscanner version is 4.78.9

Thanks,

Laszlo
Ralph Bornefeld-Ettmann
2009-11-17 16:43:26 UTC
Post by Laszlo Nagy
Hi All,
I would like to have Mailscanner not change some emails, in any way.
# pwd
/usr/local/etc/MailScanner/rules
My problem is that these emails are disarmed. Their subject and content
are changed. It is a big problem because these emails contain product
stock info updates from our partner, and we have programs that process
these emails. However, they cannot process the disarmed emails. I was
looking at the documentation but I could not find a way to do this. E.g.
disarmed, subject, headers and body not changed. It would be ideal to
run virus scanning and spam filtering at the same time (and quarantine
spam/virus emails). How can I do this?
My system is FreeBSD 7 amd64. Mailscanner version is 4.78.9
Thanks,
Laszlo
I would handle it slightly differently:

Create /etc/MailScanner/rules/disarm.rules:

From: *@some_domain.com yes
FromOrTo: default disarm

replace "disarm" in /etc/MailScanner/MailScanner.conf with
"%rules-dir%/disarm.rules" where "disarm" is set (e.g. Allow IFrame
Tags, Allow Form Tags ....)

restart MailScanner

So mail is getting scanned and spam and viruses will be detected, but
header and body will not get disarmed.

HTH

Cheers
Ralph
Glenn Steen
2009-11-17 17:30:32 UTC
Hi All,
I would like to have Mailscanner not change some emails, in any way. I
# pwd
/usr/local/etc/MailScanner/rules
My problem is that these emails are disarmed. Their subject and content are
changed. It is a big problem because these emails contain product stock info
updates from our partner, and we have programs that process these emails.
However, they cannot process the disarmed emails. I was looking at the
documentation but I could not find a way to do this. E.g. configure
subject, headers and body not changed. It would be ideal to run virus
scanning and spam filtering at the same time (and quarantine spam/virus
emails). How can I do this?
My system is FreeBSD 7 amd64. Mailscanner version is 4.78.9
Thanks,
Laszlo
FromOrTo: default disarm
replace "disarm" in /etc/MailScanner/MailScanner.conf with
"%rules-dir%/disarm.rules" where "disarm" is set (e.g. Allow IFrame Tags,
Allow Form Tags ....)
restart MailScanner
So mail is getting scanned and spam and viruses will be detected, but header
and body will not get disarmed.
HTH
Cheers
Ralph
A couple of notes:
- Let's be clear about why adding the stanza to spam.whitelist.rules
didn't work... It is only concerned with spam handling, not any other
(dangerous content) scanning at all... Hence the need for something
like what Ralph suggests.

- Use the sending server's IP address instead of a domain glob
pattern... Relying on something that is easily forgeable (iow spoofable)
is not good. You should be able to find out which IPs are used and use
that for your whitelist.

- It isn't the brightest idea possible to build an automated system
like that, depending/relying on something that is inherently not that
reliable...;-). Although all messages are guaranteed to be handled,
either by a delivery or a rejection (leading to some type of
bounce/NDN/DSN/whatever), you have no guarantees about _when_ it will
happen. "Within the next few days" might not be good enough;-). If it
is something like index pricing information (MSCI has been known to
use this), it is a really _bad_ idea, since the info is likely not
that ... valid... after a few days delay. "Ok", you might be thinking,
"We'll solve it by setting 'High Priority', so it is guaranteed to go
through fast..." -> Nope. Only thing that does is to make it fail/give
up faster (and decorate your mail with a ghastly exclamation mark, or
similar). So that would only aggravate any problem, not solve it.
We've had this type of setup and are moving away from it as fast as
possible... To more sane things like FTP or, even better, SFTP.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
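
Added example (not part of the thread and not MailScanner code): a simplified Python model of first-match ruleset lookup, comparing the domain-glob rule from Ralph's disarm.rules with the IP-based rule Glenn recommends. The address 192.0.2.10, the recipient address and all function names are assumptions made for illustration.

```python
import fnmatch
import ipaddress

# Constructed rulesets in the "Direction: pattern value" form used in the thread.
# 192.0.2.10 is a placeholder for the partner's real sending server.
BY_DOMAIN = """\
From:     *@some_domain.com  yes
FromOrTo: default            disarm
"""
BY_IP = """\
From:     192.0.2.10         yes
FromOrTo: default            disarm
"""

def parse(text):
    """Return [(direction, pattern, value)], skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            direction, pattern, value = line.split(None, 2)
            rules.append((direction.rstrip(":").lower(), pattern, value.strip()))
    return rules

def hit(pattern, address, client_ip):
    """Match a pattern against the connecting IP (if both parse) or the address glob."""
    if pattern == "default":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return fnmatch.fnmatch(address.lower(), pattern.lower())

def evaluate(rules, sender, recipient, client_ip):
    """First matching rule wins (simplified model of ruleset lookup)."""
    for direction, pattern, value in rules:
        if direction in ("from", "fromorto") and hit(pattern, sender, client_ip):
            return value
        if direction in ("to", "fromorto") and hit(pattern, recipient, ""):
            return value
    return None

def compare(sender, client_ip, recipient="stock@example.org"):
    """Value each ruleset yields for one message: 'yes' = left intact, 'disarm' = rewritten."""
    return {name: evaluate(parse(text), sender, recipient, client_ip)
            for name, text in (("by_domain", BY_DOMAIN), ("by_ip", BY_IP))}

if __name__ == "__main__":
    print(compare("feed@some_domain.com", "192.0.2.10"))    # partner's server
    print(compare("feed@some_domain.com", "198.51.100.7"))  # same From, different host
```

With the glob rule, any host that presents a matching From address gets the undisarmed path; with the IP rule, only the listed server does.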
Laszlo Nagy
2009-11-17 18:32:15 UTC
Post by Glenn Steen
FromOrTo: default disarm
replace "disarm" in /etc/MailScanner/MailScanner.conf with
"%rules-dir%/disarm.rules" where "disarm" is set (e.g. Allow IFrame Tags,
Allow Form Tags ....)
restart MailScanner
So mail is getting scanned and spam and viruses will be detected, but header
and body will not get disarmed.
Thank you, I did it. I hope it will work.
Post by Glenn Steen
- Let's be clear about why adding the stanza to spam.whitelist.rules
didn't work... It is only concerned with spam handling, not any other
(dangerous content) scanning at all... Hence the need for something
like what Ralph suggests.
I see. Thanks. :-)
Post by Glenn Steen
- Use the sending server's IP address instead of a domain glob
pattern... Relying on something that is easily forgeable (iow spoofable)
is not good. You should be able to find out which IPs are used and use
that for your whitelist.
I'm afraid that this company uses a widely used ISP to send out emails.
I guess I have to use the From: header. Or maybe both: From + sender ip,
but I'm not sure how to do that.
Post by Glenn Steen
- It isn't the brightest idea possible to build an automated system
like that, depending/relying on something that is inherently not that
reliable...;-). Although all messages are guaranteed to be handled,
either by a delivery or a rejection (leading to some type of
bounce/NDN/DSN/whatever), you have no guarantees about _when_ it will
happen.
Yes, I know. But these companies have their own systems. They send out
automatic emails, and we cannot ask them to send data feeds on FTP or
anything else. They insist on sending XLS and CSV files in emails. (Even
worse, some of them are sending PDF and word doc files...)
Post by Glenn Steen
"Within the next few days" might not be good enough;-).
But much better than never. In most cases, these emails actually arrive
within one minute, so in 99% of the cases, it works.
Post by Glenn Steen
If it
is something like index pricing information (MSCI has been known to
use this), it is a really _bad_ idea, since the info is likely not
that ... valid... after a few days delay. "Ok", you might be thinking,
"We'll solve it by setting 'High Priority', so it is guaranteed to go
through fast..." -> Nope. Only thing that does is to make it fail/give
up faster (and decorate your mail with a ghastly exclamation mark, or
similar). So that would only aggravate any problem, not solve it.
We've had this type of setup and are moving away from it as fast as
possible... To more sane things like FTP or, even better, SFTP.
Yes, that would be fabulous. But we cannot do that.

Thank you for the detailed explanation. It was a big help!

Laszlo

Hugo van der Kooij
2009-11-17 18:05:58 UTC
I would like to have Mailscanner not change some emails, in any way.
# pwd
/usr/local/etc/MailScanner/rules
I suggest you bypass mailscanner completely for these addresses. But how
you do that is up to the MTA you use.

But if you use postfix + the gold option you might learn a trick from:
http://hugo.vanderkooij.org/email/mailscanner.htm?lang=en#HOLD

Hugo.