Tiago Eduardo Zacarias
2014-02-28 15:00:24 UTC
My policy in mailscanner does not block .exe file types. Has anyone
gone through this problem? I use postfix + mailscanner + clamd.
Send MailScanner mailing list submissions to
mailscanner at lists.mailscanner.info
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.mailscanner.info/mailman/listinfo/mailscanner
or, via email, send a message with subject or body 'help' to
mailscanner-request at lists.mailscanner.info
You can reach the person managing the list at
mailscanner-owner at lists.mailscanner.info
When replying, please edit your Subject line so it is more specific
than "Re: Contents of MailScanner digest..."
1. Re: Rules for letters with attachments (Steve Basford)
2. Re: Rules for letters with attachments (Valentin Laskov)
3. RE: Treat Invalid Watermarks with No Sender as Spam
(Shawn Iverson)
4. RE: Treat Invalid Watermarks with No Sender as Spam (Kevin Miller)
----------------------------------------------------------------------
Message: 1
Date: Thu, 27 Feb 2014 12:10:18 -0000
From: "Steve Basford" <steveb_clamav at sanesecurity.com>
Subject: Re: Rules for letters with attachments
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
<c50ad2d425a5584902e83abcebe458bb.squirrel at sirius.servers.eqx.misp.co.uk>
Content-Type: text/plain;charset=iso-8859-1
http://sanesecurity.com/usage/linux-scripts/
http://sanesecurity.com/foxhole-databases/
If you want to discuss, off-list...
Cheers,
Steve
Sanesecurity.com
------------------------------
Message: 2
Date: Thu, 27 Feb 2014 15:27:31 +0200
From: "Valentin Laskov" <it at festa.bg>
Subject: Re: Rules for letters with attachments
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID: <58117357EE8F4C56BE929973D4D6CA13 at festa.bg>
Content-Type: text/plain; charset="ISO-8859-1"
Hi Jerry, Hi Steve,
First of all, thank you for your answers!
Jerry, in this case I don't care for senders and yes, in my MailScanner.conf
Notify Senders Of Viruses = no
I can set
Notify Senders Of Blocked Filenames Or Filetypes = yes
to NO but this is not my aim. I would like to protect recipients of unnecessary letters.
MailScanner and Clamd work well and other files are detected as viruses.
Steve, I'm using the official ClamAV signatures only. I looked at the descriptions of Foxhole databases, but their action if I'm not
wrong, covers the operation of MailScanner or are not intended for new .exe viruses.
I attached a Bad Filename Detected report below.
Cheers,
Valentin
The following e-mails were found to have: Bad Filename Detected
Sender: brunchskt1 at gmail.com
IP Address: 71.59.80.26
Recipient: kkkkk at festa.bg
Subject: image Id 942349204-PicL7674 TYPE==MMS
MessageID: s1RDGcHS022468
Quarantine: /var/spool/MailScanner/quarantine/20140227/s1RDGcHS022468
Report: MailScanner: Executable DOS/Windows programs are dangerous in email (IMG000006371.exe)
No programs allowed (IMG000006371.exe)
Report: MailScanner: Executable DOS/Windows programs are dangerous in email (IMG000006371.exe)
No programs allowed (IMG000006371.exe)
Return-Path: <g>
Received: from c-71-59-80-26.hsd1.nj.comcast.net (c-71-59-80-26.hsd1.nj.comcast.net [71.59.80.26])
by mail.festa.bg (8.14.1/8.14.1) with ESMTP id s1RDGcHS022468
for <kkkkk at festa.bg>; Thu, 27 Feb 2014 15:16:40 +0200
Received: from apache by leebenbbgnccfghb. with local (Exim 4.63)
(envelope-from <gearkff3 at yahoo.com>)
id 1EKF1Z-S649PO-22
for <kkkkk at festa.bg>; Thu, 27 Feb 2014 08:16:39 -0500
To: <kkkkk at festa.bg>
Subject: image Id 942349204-PicL7674 TYPE==MMS
Date: Thu, 27 Feb 2014 08:16:39 -0500
From: mms.service9105 at mms.Vodafone.co.uk
Message-ID: <07DB53C2B8DB8357FB60848BC4946124 at leebenbbgnccfghb.>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------01050100901040406020602"
------------------------------
Message: 3
Date: Thu, 27 Feb 2014 10:11:51 -0500
From: "Shawn Iverson" <IversonS at rushville.k12.in.us>
Subject: RE: Treat Invalid Watermarks with No Sender as Spam
To: "'MailScanner discussion'" <mailscanner at lists.mailscanner.info>
Message-ID: <530F0F67020000D50004E267 at mail.rushville.k12.in.us>
Content-Type: text/plain; charset="us-ascii"
Setting to a low score has helped immensely. Messages are still getting caught by the other algorithms while allowing legit emails through.
I will make a feature request, though.
It appears in the MailScanner code that when Treat Invalid Watermarks with No Sender As Spam equals anything spam or higher, further rule processing is halted. This is taking precedence over whitelisting/blacklisting and probably should not.
Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Just set a numeric...will observe and see what happens.
Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
What happens when you assign it a numeric value?
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
Message: 1
Date: Thu, 27 Feb 2014 12:10:18 -0000
From: "Steve Basford" <steveb_clamav at sanesecurity.com>
Subject: Re: Rules for letters with attachments
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
<c50ad2d425a5584902e83abcebe458bb.squirrel at sirius.servers.eqx.misp.co.uk>
Content-Type: text/plain;charset=iso-8859-1
Hi all,
Recently my mail servers receive many emails with .exe files attached.
These files are actually viruses but ClamAV still does not
recognize them.
Are you using the official signatures only on ClamAV or Third-Party ones
http://sanesecurity.com/usage/linux-scripts/
http://sanesecurity.com/foxhole-databases/
If you want to discuss, off-list...
Cheers,
Steve
Sanesecurity.com
------------------------------
Message: 3
Date: Thu, 27 Feb 2014 10:11:51 -0500
From: "Shawn Iverson" <IversonS at rushville.k12.in.us>
Subject: RE: Treat Invalid Watermarks with No Sender as Spam
To: "'MailScanner discussion'" <mailscanner at lists.mailscanner.info>
Message-ID: <530F0F67020000D50004E267 at mail.rushville.k12.in.us>
Content-Type: text/plain; charset="us-ascii"
Setting to a low score has helped immensely. Messages are still getting caught by the other algorithms while allowing legit emails through.
I will make a feature request, though.
It appears in the MailScanner code that when Treat Invalid Watermarks with No Sender As Spam equals anything spam or higher, further rule processing is halted. This is taking precedence over whitelisting/blacklisting and probably should not.
Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
"Shawn Iverson" <IversonS at rushville.k12.in.us> 2/26/2014 7:02 PM >>>
Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Kevin Miller <Kevin_Miller at ci.juneau.ak.us> 2/26/2014 6:48 PM >>>
When I disable the Treat Invalid Watermarks With No Sender as Spam, the messages do pass through just fine....Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357