
v5's Introduction


Welcome to MailScanner!

March 03, 2023

MailScanner Team https://www.mailscanner.info

MailScanner is an open source email gateway that processes email for spam, viruses, phishing, and other malicious content. It leverages other open source software such as ClamAV and SpamAssassin. MailScanner runs on any *nix platform and includes install packages for popular distributions such as Red Hat, Debian, and SUSE, in addition to a generic *nix package.

Info: https://www.mailscanner.info

Release: https://www.mailscanner.info/downloads

Github: https://github.com/MailScanner/v5

Manual: https://s3.amazonaws.com/msv5/docs/ms-admin-guide.pdf

Milter: https://github.com/MailScanner/v5/blob/master/doc/MailScanner%20Milter%20Guide.pdf

Support: http://lists.mailscanner.info/mailman/listinfo/mailscanner

Install/Update

Redhat-based

           rpm -ivh|-Uvh MailScanner-5.x.x-x.rhel.noarch.rpm
           /usr/sbin/ms-configure [--update]

Debian-based

           dpkg -i MailScanner-5.x.x.x-x.noarch.deb
           /usr/sbin/ms-configure [--update]

SuSE-based

           rpm -ivh|-Uvh MailScanner-5.x.x.x-x.suse.noarch.rpm
           /usr/sbin/ms-configure [--update]

Other *nix

           tar -xvzf MailScanner-5.x.x-x.nix.tar.gz
           ./install.sh

MTA Guides:

sendmail - https://www.mailscanner.info/sendmail

postfix - https://www.mailscanner.info/postfix

exim - https://www.mailscanner.info/exim

Setup:

Edit /etc/MailScanner/defaults and set options

Edit /etc/MailScanner/MailScanner.conf and set options

service mailscanner start

NIX:

For generic *nix systems, create a symlink for controlling start/stop/restart of the program to the scripts in:

/usr/lib/MailScanner/init, or /usr/lib/MailScanner/systemd

  • This is not required for RHEL, CentOS, Debian, Ubuntu, SUSE
  • Use the appropriate package install for those distributions instead of this one

File Locations:

/etc/MailScanner

/usr/share/MailScanner

/usr/lib/MailScanner

v5's People

Contributors

akissa, asuweb, cgsecurity, dirk-de-bugger, dneuhaeuser, dwhile, ediazrod, endelwar, gh0stwizard, giosh94mhz, jcbenton, mikaku, msapiro, rico29, samitoc, shawniverson, skywalker-11, snelius30, thctlo, willemnviljoen


v5's Issues

Execute bit set on mailscanner.service

Minor issue to fix in spec.

Aug 25 13:40:47 smtp systemd: Configuration file /usr/lib/systemd/system/mailscanner.service is marked executable. Please remove executable permission bits. Proceeding anyway.

Long queue IDs in Postfix

Hi,

"Long queue IDs in Postfix #15" issue is closed but I've seen that Postfix can generate queue IDs longer than 15 chars (due to the inode), so 2 regular expressions need to be changed:

Postfix.pm (line 280):

if ($file =~ /-[A-Za-z0-9]{15}.[A-Za-z0-9]{5}$/) {
if ($file =~ /-[A-Za-z0-9]{15,20}.[A-Za-z0-9]{5}$/) {
PFDiskStore.pm (line 90):

if ($this->{hdname} =~ /[A-Za-z0-9]{15}$/) {
if ($this->{hdname} =~ /[A-Za-z0-9]{15,20}$/) {
to support longer queue IDs.
I attach these 2 files modified.
ms-patch3.tar.gz

ClamDScan incorrectly thinking whole message is infected

From @ShaneOfMacquarie on April 7, 2016 3:59

I was receiving blank message bodies after enabling clamd's OLE2BlockMacros option and adding 'Heuristics.OLE2.ContainsMacros' to the 'Non-Forging Viruses' MailScanner option. I tracked it down to having the 'ClamAV Full Message Scan' option set to yes and noted that the logs showed 2 lots of infection for the single attachment. Expected behavior is similar to that of banned file-names - recipient receives a cleaned message, with body intact, along with an attachment removed notice.

Setting 'ClamAV Full Message Scan' to no fixes the problem, but I suspect this is not the intended behavior and may have a wider impact. Could there be a bug in SweepViruses.pm sub ClamdScan() - lines 2043-2050 that is incorrectly flagging an infection outside of message headers as afflicting the whole message and not just the infected attachment?

I'm hoping someone familiar with the code can comment. Without knowing where header and message come from, I'm thinking '|message' might be an issue?:

  if ($childname =~ /\.(?:header|message)$/ && $filename =~ /\sFOUND$/) {
    $rest = $filename;
    $filename = '';
    $childname =~ s/\.(?:header|message)$//;

Copied from original issue: MailScanner/v4#62

Default SMTP HELO value hardcoded

When releasing a quarantined message, a message indicating that the email could not be queued is shown, rejected because "localhost" is not an FQDN.

Within /lib/pear/Mail/smtp.php there are a number of hard-coded "localhost" values.

Ideally, these values should be populated from the actual host configuration, perhaps even trying to resolve them via gethostbyname() or via configuration.

Missing Wrapper for McAfee6

What happened to AV support for mcafee6?

Moving the mcafee6 wrapper from a 4.84 release to the new /usr/lib/MailScanner/mcafee6-wrapper folder and editing virus.scanners.conf file doesn't seem to do the trick. I've listed mcafee6 within the MailScanner.conf as one of the Virus Scanners.

When issuing MailScanner --lint only ClamAV is invoked.

Long queue IDs in Postfix

Hi,

I've enabled long_queue_ids in Postfix (with hash_queue_depth disabled) and MailScanner works fine, but when it requeues the message, it creates one message with a short queue ID format:

MailScanner[14209]: Requeue: 3sK7N64rr3zJX5T.A6FFB to D74D7218040

The HDOutFileName function generates it in Postfix.pm:

$file = sprintf("%05X%lX", int(rand 1000000)+1, (stat($file))[1]);

that should be in a long format.
There's some info about how the long queue id format is generated:

http://postfix.1071664.n5.nabble.com/long-non-repeating-queue-ID-support-td41746.html

Thanks.

Filename inside Archive possible bug

Found a possible bug in the Filename Check inside Archive.

Software versions:
MailScanner Version:4.84.6
MailWatch Version:1.2.0 - RC2
ClamAV Version:0.99.2
SpamAssassin Version:3.3.1

I use config with these deny:
Filename Deny .._exe$ ...
Archive Filename Deny .._exe$ ...

You can reproduce the behavior as follows:

  1. Create a dummy c.exe file
  2. Compress c.exe into c.zip
  3. Compress c.zip into c1.zip
  4. Compress c1.zip into c2.zip

Send a test mail with all 4 files attached: c.exe c.zip c1.zip c2.zip

c.exe OK: correctly blocked by Filename Deny (a warning is sent with an alert that c.exe was blocked)
c.zip OK: correctly blocked by Filename Deny in Archive (BUG: no warning is sent for this attachment, as the file disappears)
c1.zip BUG: erroneously not blocked, so the attachment passes the check (naturally no warning)
c2.zip OK: correctly blocked by Filename Deny (a warning is sent with an alert on the c.exe inside)

So one file seems to have disappeared and one file is not blocked.

This is MailScanner Log part:

MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED c1.zip
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED c.zip
MailScanner[15060]: Filename Checks: Windows/DOS Executable (D72E62205D.AAFED c.exe)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED core.xml (no rule matched)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED sheet1.xml (no rule matched)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED workbook.xml (no rule matched)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED theme1.xml (no rule matched)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED styles.xml (no rule matched)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED workbook.xml.rels (no rule matched)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED 0000.dat (no rule matched)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED app.xml (no rule matched)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED .rels (no rule matched)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED Content_Types.xml (no rule matched)
MailScanner[15060]: Filename Checks: Blocked Filename Detected (D72E62205D.AAFED c.exe)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED c.zip
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED c1.zip
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED c2.zip
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED msg-15060-2.html (no rule matched)
MailScanner[15060]: Filename Checks: Allowing D72E62205D.AAFED msg-15060-1.txt
MailScanner[15060]: Other Checks: Found 2 problems
MailScanner[15060]: Virus and Content Scanning: Starting
MailScanner[15060]: Virus Scanning completed at 4074 bytes per second
MailScanner[15060]: Saved entire message to ...
MailScanner[15060]: Saved infected "c.zip" to ...
MailScanner[15060]: Saved infected "c.exe" to ...
MailScanner[15060]: Saved infected "c.exe" to ...
MailScanner[15060]: Spam Checks: Starting
MailScanner[15060]: Delivery of nonspam: message D72E62205D.AAFED from ... to ... with subject ...
MailScanner[15060]: Spam Checks completed at 18008 bytes per second
MailScanner[15060]: Requeue: D72E62205D.AAFED to BCB3123ECD
MailScanner[15060]: Cleaned: Delivered 1 cleaned messages
MailScanner[15060]: Virus Processing completed at 344764 bytes per second
MailScanner[15060]: Deleted 1 messages from processing-database
MailScanner[15060]: Batch completed at 3288 bytes per second (34353 / 10)
MailScanner[15060]: Batch (1 message) processed in 10.45 seconds

Regards

Denial Of Service Attack Messages

From @sjardine on March 7, 2016 16:19

I upgraded MailScanner several months ago to v4.85.2-3 and now v4.86.1-1. Often I am getting the error message:

MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/20499/u27Em5eK000564/nmsg-20499-47.html

The file reported in the attack is not there so I am unable to do any troubleshooting.

I am using an OpenVZ container running Ubuntu with 6 CPUs and 12GB RAM. The messages are causing problems with valid mail messages both incoming and outgoing.

Is there a way to disable this feature?

Copied from original issue: MailScanner/v4#54

ms-init crash

When cron job tried to restart mailscanner, got this:

/usr/lib/MailScanner/init/ms-init: line 489: [: -eq: unary operator expected
MailScanner failed to start ... doh!

Adding dead pid detection code to restart section of ms-init seems to correct issue.

Encoding::FixLatin missing

Having just spun up 2 dev servers for MailWatch, one Debian 8 and the other CentOS 7, it seems that on both installs Encoding::FixLatin wasn't automatically installed by the MailScanner install script.

Mailscanner throws an error without this - easily fixed by manually installing it but just thought I'd mention it in case you want to add this in.

Cheers,

MailScanner not working on spam email

Example below:

On 27/12/2016 19:19, Daniel Montoya wrote:

-------- Forwarded Message --------
Return-path: [email protected]
Envelope-to: [email protected]
Delivery-date: Tue, 27 Dec 2016 19:20:14 +0000
Received: from mail.mercata.co.rs ([217.169.210.229]:40925 helo=vmail.mercata.co.rs) by expresscoach.servers.eqx.misp.co.uk with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.87) (envelope-from [email protected]) id 1cLxIB-0000Uj-CW for [email protected]; Tue, 27 Dec 2016 19:20:14 +0000
Received: from agprn.com (unknown [187.17.106.117]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by vmail.mercata.co.rs (Postfix) with ESMTP id A87BF15CAE48 for [email protected]; Tue, 27 Dec 2016 20:19:27 +0100 (CET)
Date: Tue, 27 Dec 2016 17:19:25 -0200
To: [email protected]
From: Daniel Montoya [email protected]
Reply-To: Daniel Montoya [email protected]
Subject: The secret of earning REAL money is finally revealed!
Message-ID: [email protected]
X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_cbcf69f4ae11f5f284246eae29a403d4"
Content-Transfer-Encoding: 8bit
X-mercatamail-MailScanner-Information: Please contact the ISP for more information
X-mercatamail-MailScanner-ID: A87BF15CAE48.A4699
X-mercatamail-MailScanner: Found to be clean
X-mercatamail-MailScanner-From: [email protected]
X-Spam-Status: No
X-Spam-Status: No, score=-1.7
X-Spam-Score: -16
X-Spam-Bar: -
X-Ham-Report: Spam detection software, running on the system "expresscoach.servers.eqx.misp.co.uk", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root@localhost for details. Content preview: I've never had a notorious materialist and did not pride of place goes to money, but it so happened that fate had chosen me. I was one of few who found the dream job of any lazybones, who dreams about riches like a charm. [...] Content analysis details: (-1.7 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -3.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.0 HTML_MESSAGE BODY: HTML included in message -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100] 1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100]
X-Spam-Flag: NO

I've never had a notorious materialist and did not pride of place goes to money, but it so happened that fate had chosen me. I was one of few who found the dream job of any lazybones, who dreams about riches like a charm.

Today my mean income is $5,000 per week and I stopped blame myself, I just live as I like and I help nearest and dearest.

For me works BankBot, it's an amazing program which doesn't need sleep and rest, which does not make mistakes on the background of fatigue, and the main thing - it is only a plus!

I think you are very lucky man, as you just found today this link [ http://bigmoosecompany.com/proxy.php?e=158&ZfetXuGBhVDX1QUmE2Q6=tuM5ymg&HEr=JRG&5i=6t1v ] ! Be of good cheer!

--
This message has been scanned for viruses and
dangerous content by MailScanner [ http://www.mailscanner.info/ ] , and is
believed to be clean.

Directory-exist validation in ms-clean-quarantine fails, recursively deleting all files from / older than 7 days.

Hi,

From a disastrous experience, we have discovered that the validation that the quarantine directory exists does not work, and as a result caused the ms-clean-quarantine script to delete any files older than 7 days from the entire file-system, starting in /.

As we have stopped using MailScanner, we had just removed MailScanner.conf, however had not been aware this cron was still in place. The removal of MailScanner.conf triggered this bad behaviour.

QUICKPEEK=/usr/sbin/ms-peek
ms_conf=/etc/MailScanner/MailScanner.conf
QUARDIR=`${QUICKPEEK} QuarantineDir ${ms_conf}`

QUARDIR in this case (when MailScanner.conf is missing) returns a whitespace/blank value which actually passes the "# die if does not exist" check, which then cd's into / and runs "find . -type f -mtime +7 -exec rm -f {} \; >/dev/null 2>&1".

If $QUARDIR was double quoted in the if statement it would have been fine.

# die if does not exist
if [ ! -d $QUARDIR ]; then
	logger -i -p mail.notice "ERROR: ms-clean-quarantine - quarantine directory not found"
	echo "Aborted: cannot find quarantine directory. Check the /etc/MailScanner/MailScanner.conf file"
	echo "'Quarantine Dir' setting."
	exit 1
fi

# if not disabled
if [ $q_days -gt 0 ]; then
	if [ -d $QUARDIR ]; then
		cd $QUARDIR
		logger -i -p mail.notice "ms-clean-quarantine: cleaning quarantine older than $q_days days"	
		find . -type f -mtime +$q_days -exec rm -f {} \; >/dev/null 2>&1
		find . -type d -empty -delete >/dev/null 2>&1
	fi
	exit 0
else
	logger -i -p mail.notice "WARN: ms-clean-quarantine called but is disabled"
	echo "Aborted: quarantine cleaning is disabled"
    exit 1
fi

https://github.com/MailScanner/v5/blob/master/common/usr/sbin/ms-clean-quarantine#L26
https://github.com/MailScanner/v5/blob/master/common/usr/sbin/ms-clean-quarantine#L35

We would like to ensure that nobody else is affected by this bug in future!

Thanks.
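The failure described in this issue, reproduced as an added shell example (this is not MailScanner's own ms-clean-quarantine): the vulnerable test beside a hardened one, and a cleaner that never depends on cd. The function names and the sample quarantine contents are made up for the demonstration, and everything runs inside a throwaway directory.

```shell
# Added example, not MailScanner's own code. Only the decision logic of
# ms-clean-quarantine is reproduced; the real script reads the value with
# ms-peek, which is not needed to show the problem.

# Vulnerable check, as quoted in the issue. With an empty, unquoted
# $QUARDIR the shell sees '[ ! -d ]': a two-argument test that negates
# the one-argument test '-d', and a one-argument test is true for any
# non-empty string. The result is false, the 'die' branch is skipped,
# and the caller goes on to 'cd $QUARDIR' (an empty argument, so cd goes
# to $HOME or nowhere at all) and then runs
# 'find . -type f -mtime +7 -exec rm -f {} \;' in whatever directory
# that turns out to be. Returns 0 when the script would proceed.
vulnerable_quardir_ok() {
    QUARDIR=$1
    if [ ! -d $QUARDIR ]; then
        return 1
    fi
    return 0
}

# Hardened check: quote every expansion, refuse empty or relative values,
# refuse "/" and any ".." component, and require an existing directory.
hardened_quardir_ok() {
    QUARDIR=$1
    case "$QUARDIR" in
        "" | /) return 1 ;;      # unset/blank, or the root itself
        /*) ;;                   # absolute path: keep checking
        *) return 1 ;;           # relative path: refuse
    esac
    case "/$QUARDIR/" in
        */../*) return 1 ;;      # traversal component
    esac
    [ -d "$QUARDIR" ] || return 1
    return 0
}

# Cleaner built on the hardened check. It never changes directory: find
# is handed the quoted absolute path, so a failed or empty cd can not
# redirect the deletion elsewhere. Returns 1 and deletes nothing when the
# directory check or the day count is bad. (The original script also
# prunes empty subdirectories afterwards; that pass is omitted here.)
clean_quarantine() {
    dir=$1
    days=$2
    hardened_quardir_ok "$dir" || return 1
    [ "$days" -gt 0 ] 2>/dev/null || return 1
    find "$dir" -type f -mtime +"$days" -exec rm -f {} +
    return 0
}

# Stand-alone demonstration with constructed data.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/quarantine"
    touch -t 202001010000 "$tmp/quarantine/old.eml"   # far older than 7 days
    touch "$tmp/quarantine/fresh.eml"

    if vulnerable_quardir_ok ""; then
        echo "vulnerable check: empty QuarantineDir passes (would rm in the cwd)"
    fi
    if hardened_quardir_ok ""; then :; else
        echo "hardened check: empty QuarantineDir refused"
    fi
    clean_quarantine "$tmp/quarantine" 7
    ls "$tmp/quarantine"   # prints fresh.eml only
    rm -rf "$tmp"
}

demo
```

The two-argument form of `[` is the whole story: quoting the variable turns `[ ! -d "" ]` into a genuine directory test on the empty string, which fails as intended. Passing the absolute path to find instead of `cd`-ing first removes the second place where an empty value changes where `rm` runs.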

MailScanner has detected a possible fraud attempt

I am getting a message from my business partners in reply that says "Disarmed"

MailScanner has detected a possible fraud attempt from "www.videomapping.org" claiming to be http://www.videomapping.org

As a result this goes out to all the people in my email list and it affects my emails because people think that I am sending fraudulent emails.

However my clients receive the above message:
Web: MailScanner has detected a possible fraud attempt from "www.videomapping.org" claiming to be www.videomapping.org

How can I explain that this is NOT A FRAUD... I own the web address

Thank you

ms-init hanging

After installing MailScanner on CentOS 7, had multiple cases of ms-init hanging with MailScanner not running, I traced the issue down to this statement:

while (ps axww | grep -q '[M]ailScanner'); do

Should be:

while (ps axww | grep -q '[M]ailScanner:'); do

If the ":" is missing, the grep picks up the ms-init process itself.
[root@censored ~]# ps axww | grep '[M]ailScanner'
24087 ? SN 0:46 /bin/bash /usr/lib/MailScanner/init/ms-init restart

There are multiple cases in ms-init of the grep statement missing the colon.
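The self-match described in this issue, as an added shell example (not the project's ms-init): the loose and the tightened grep run against a constructed ps listing, plus a bounded wait loop of the shape the init script's loop should have. The listing is made up, and process titles of the form "MailScanner: ..." for the scanner children are assumed here.

```shell
# Added example, not code from MailScanner's ms-init.

# Constructed 'ps axww' output (made up for this example): the init
# script, which carries "MailScanner" only in its path, and two scanner
# children whose process titles start with "MailScanner:" (assumed here,
# as the colon fix in the issue relies on it).
PS_ALL='  PID TTY      STAT   TIME COMMAND
24087 ?        SN     0:46 /bin/bash /usr/lib/MailScanner/init/ms-init restart
 1234 ?        Ss     0:01 MailScanner: master process
 1235 ?        S      0:00 MailScanner: waiting for messages'

# Same listing after the scanner children have exited: only ms-init is
# left. This is the state in which the loop from the issue never ends.
PS_ONLY_INIT='  PID TTY      STAT   TIME COMMAND
24087 ?        SN     0:46 /bin/bash /usr/lib/MailScanner/init/ms-init restart'

# Number of lines in a listing that match a pattern. The "[M]" bracket
# keeps the grep command line itself out of the results, but it does
# nothing about other processes whose arguments contain the word.
count_matches() {
    printf '%s\n' "$2" | grep -c "$1" || true
}

# Loose test from the issue: true while anything mentioning "MailScanner"
# is alive, including ms-init itself.
loose_running() { [ "$(count_matches '[M]ailScanner' "$1")" -gt 0 ]; }

# Tightened test: the colon is present only in the scanner's own process
# title, never in the path /usr/lib/MailScanner/init/ms-init.
tight_running() { [ "$(count_matches '[M]ailScanner:' "$1")" -gt 0 ]; }

# Bounded wait: poll with the tight pattern and give up after $2 seconds
# instead of looping forever. $1 names a function that prints a listing,
# so the example runs without real processes; in the init script it
# would be 'ps axww'.
wait_for_stop() {
    lister=$1 limit=$2 waited=0
    while tight_running "$($lister)"; do
        [ "$waited" -lt "$limit" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

show_all()       { printf '%s\n' "$PS_ALL"; }
show_only_init() { printf '%s\n' "$PS_ONLY_INIT"; }

# Stand-alone demonstration.
loose_running "$PS_ONLY_INIT" && echo "loose pattern: still 'running' with only ms-init left"
tight_running "$PS_ONLY_INIT" || echo "tight pattern: correctly reports MailScanner stopped"
wait_for_stop show_only_init 5 && echo "wait_for_stop: returned at once, nothing to wait for"
wait_for_stop show_all 1 || echo "wait_for_stop: gave up after 1s, scanner still alive"
```

Even with the colon, matching on argv is fragile (any process whose arguments happen to contain the string will match), so a pidfile or pgrep against the exact process name is the more robust check; the bounded loop at least guarantees the init script terminates either way.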

ms-update-phishing does both redundant and incomplete config lookups.

ms-update-phishing loops through conf.d using ms-peek to look for SyslogFacility in each file and stops on the first hit. If none, it then tries ms-peek on MailScanner.conf and finally defaults to 'mail'.

This is wrong because ms-peek processes include files, so we should only do the one ms-peek on MailScanner.conf, which will process all the included files and get the correct setting. The current method may miss files included from somewhere other than conf.d and may miss an override in a skipped file.

Exim issue

Hi!

I'm using Exim as MTA for MailScanner and noticed that processed mails would stay in the queue until the next queue run. After some debugging I found out that /usr/sbin/exim exited with the error

"can't get the current working directory: no such file or directory"

when called by MailScanner after the scanning of a message. It seems that MailScanner is removing the incoming subdirectory before calling exim, so I changed the corresponding line in Exim.pm to change to the queue directory before calling Exim as a workaround:

system('cd ' . MailScanner::Config::Value('outqueuedir') . ' && ' . MailScanner::Config::Value('sendmail2') . ' -Mc ' . $idlist);

Maybe someone could implement a proper fix instead of this workaround?

Thanks and kind regards,
Daniel

MailScanner not controlling/starting sendmail in 5.0.3 on CentOS/RHEL7?

Hi Folks,

On CentOS 7 I seem to be having issues with the stock 5.0.3 MailScanner starting sendmail like it used to in RHEL5.x or RHEL6.x.

I am currently running sendmail via systemd but I'm not sure that MailScanner is really fully working (though it does start). I see only partial messages in logs even though I've set logging to show everything. Having used MailScanner with CentOS5.x I recall that it started and controlled sendmail.

Apr 24 19:06:26 funcamp MailScanner[9661]: MailScanner Email Processor version 5.0.3 starting...
Apr 24 19:06:26 funcamp MailScanner[9661]: Reading configuration file /etc/MailScanner/MailScanner.conf
Apr 24 19:06:26 funcamp MailScanner[9661]: Read 1501 hostnames from the phishing whitelist
Apr 24 19:06:26 funcamp MailScanner[9661]: Read 14367 hostnames from the phishing blacklists
Apr 24 19:06:26 funcamp MailScanner[9661]: Using SpamAssassin results cache
Apr 24 19:06:26 funcamp MailScanner[9661]: Connected to SpamAssassin cache database
Apr 24 19:06:26 funcamp MailScanner[9661]: Enabling SpamAssassin auto-whitelist functionality...
Apr 24 19:06:27 funcamp MailScanner[9661]: Auto: Found virus scanners: clamav
Apr 24 19:06:27 funcamp MailScanner[9661]: Connected to Processing Attempts Database
Apr 24 19:06:27 funcamp MailScanner[9661]: Found 0 messages in the Processing Attempts Database
Apr 24 19:06:27 funcamp MailScanner[9661]: Using locktype = posix

Starting/running sendmail via systemd is the only way to receive mail, and I would expect to see some more logging with these options enabled

When I receive mail I only see the normal sendmail messages and do not see anything MailScanner related despite the following logging options.

Syslog Facility = mail
Log Spam = yes
Log Non Spam = yes
Log SpamAssassin Rule Actions = yes

Is this related to issue #23 ?

Add recipient[s] in stored.*.message.txt

As suggested by Mark on the mailing list, here's the issue:

I'd need to have the recipient[s] available as a variable in the stored.*.message.txt report templates. My current workaround is:

*** Message.pm.orig     Tue Sep 13 15:16:16 2016
--- Message.pm  Tue Sep 20 17:54:18 2016
***************
*** 4443,4448 ****
--- 4443,4451 ----
  #    $report =~ s/$pattern//gm;
  #  }

+   # add recipients
+   my $to = join ', ', @{$this->{to}};
+ 
    open($textfh, $reportname)
      or MailScanner::Log::WarnLog("Cannot open message file %s, %s",
                                   $reportname, $!);
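Review bot: the hunk declares `my $to = join ', ', @{$this->{to}};` but nothing in the shown lines uses it, so whether the recipients actually reach the stored.*.message.txt template depends on how the report text is expanded further down in Message.pm; name the line where `$to` is consumed so the patch is reviewable on its own. Also guard the dereference: if `$this->{to}` can be undefined for a message, `@{$this->{to}}` dies under strict refs, so `my $to = join ', ', @{ $this->{to} || [] };` is the safer form.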

This way I can use $to in those reports.

Automate install script.

The install script is a solid piece of work.

It could use an 'auto' mode, where you specify params on the commandline or via a config file. That would make it more automate-able.

With that in mind, making it idempotent would be good too (i.e., to let you install/update dependencies only, or to reinstall just the base package).

Strictly nice-to-haves, but they are the difference between 'I can use this in my configuration management flow' and 'I'll have to write something that does the same thing, but without prompts'.

Please tag versions.

Could you please tag whenever you release a new version? Right now any pull I do will get HEAD, and I don't see any versioned release bundles.

Thanks!

MailScanner can ignore phishing.safe.sites.conf

MailScanner can 'disarm' a link in a message with 'MailScanner has detected definite fraud in the website at "example.com". Do not trust this website:' even if "example.com" is in phishing.safe.sites.conf.

Feature Request: Source Country Of Mail Server In Subject

Hi

It would be nice to have the country of the first sending mail server, based on its IP address (geolocation), in the subject. Maybe as an ISO code or the full name.

For example, because mail from the government or big local companies is normally not sent from outside their own country, or from a suspect country. So if I get a mail from the US Government or a local telco company, but the country code is for example {SO} (Somalia), the recipient can be taken aback and take more care with links and attachments in the mail.

Ivo

Mail Scanner Issues

My emails from my Adobe Catalyst website email address resulted in the below message from a client:

Steve Moniak
Lightning Design
781-771-7970
[email protected]
MailScanner has detected a possible fraud attempt from "www.lightningdesign.net" claiming to be www.lightningdesign.net

Missing Inline HTML Warning

Hi!

I have found a bug in the inline HTML warning code in the function SignWarningMessage in Message.pm. I was testing the attachment replacement and inline warning insertion with HTML mails. I noticed that mails created with Outlook had no inline warning inserted. Debugging into the code I found the reason on line 4601. The replacement regex tries to find the <html> starting tag, but Outlook additionally inserts a namespace, e.g

<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

On the mailinglist @msapiro suggested the following fixes:

I would make it
$line =~ s/\<html[^>]*\>/$&$warning/i;
or possibly even
$line =~ s/\<html( [^>]*)?\>/$&$warning/i;
But even these won't match if the <html tag isn't closed on the same line, so maybe even
$line =~ s/\<html( [^>]*)?(\>|$)/$&$warning/i;
but I haven't tested any of this.

I have tried the last one with a sample Outlook mail and it seems to work.

ms-upgrade-conf

This is not updating the Version number as intended. Other issues may also be present. Need to totally review the entire script.

Fraud attempt message in our emails

Firstly apologies first if this is the wrong place to place message.

We have been notified that Mailscanner is posting inaccurate messages in prospects emails regards fraud attempts.

We (Regus) use a white label SMTP service (Mandrillapp) to deliver prospecting emails responding to web enquiries with SPF and DKIM verification in place. How do we remove fraud attempt messaging from appearing?


ms-upgrade-conf

This throws a warning/error:

Substitution pattern not terminated at -e line 1

I am pretty sure it is doing it because part of the pattern it is searching for is empty.

Can't locate strict.pm

I have this error message when I start MailScanner but it is still working.

" Can't locate strict.pm: /usr/share/MailScanner/perl/strict.pm: Permission denied at /usr/sbin/MailScanner line 27.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 27.
MailScanner restarted with process id 2209 "

There is no /usr/share/MailScanner/perl/strict.pm file in the MailScanner-5.0.3-7.deb.tar.gz package.

MailScanner -V

Running on
Linux ip-172-31-10-115 4.4.0-77-generic #98-Ubuntu SMP Wed Apr 26 08:34:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
This is Perl version 5.022001 (5.22.1)

This is MailScanner version 5.0.3
Module versions are:
1.01 AnyDBM_File
1.56 Archive::Zip
0.39 bignum
1.36 Carp
2.068 Compress::Zlib
1.125 Convert::BinHex
0.18 Convert::TNEF
2.158 Data::Dumper
2.30 Date::Parse
1.04 DirHandle
1.13 Fcntl
2.85 File::Basename
2.30 File::Copy
2.02 FileHandle
2.09 File::Path
0.2304 File::Temp
0.92 Filesys::Df
3.69 HTML::Entities
3.72 HTML::Parser
3.69 HTML::TokeParser
1.35 IO
1.16 IO::File
1.15 IO::Pipe
2.13 Mail::Header
1.9997 Math::BigInt
0.2608 Math::BigRat
3.15 MIME::Base64
5.507 MIME::Decoder
5.507 MIME::Decoder::UU
5.507 MIME::Head
5.507 MIME::Parser
3.13 MIME::QuotedPrint
5.507 MIME::Tools
0.17 Net::CIDR
1.26 Net::IP
0.19 OLE::Storage_Lite
1.07 Pod::Escapes
3.29 Pod::Simple
1.53_01 POSIX
1.41 Scalar::Util
2.018 Socket
2.53_01 Storable
1.5 Sys::Hostname::Long
0.33 Sys::Syslog
1.51 Test::Pod
1.001014 Test::Simple
1.9726 Time::HiRes
1.02 Time::localtime

Optional module versions are:
2.04 Archive::Tar
0.39 bignum
2.010 Business::ISBN
20140910.003 Business::ISBN::Data
1.23 Data::Dump
1.835 DB_File
1.50 DBD::SQLite
1.634 DBI
1.17 Digest
1.03 Digest::HMAC
2.54 Digest::MD5
2.13 Digest::SHA1
1.01 Encode::Detect
0.17010 Error
0.280221 ExtUtils::CBuilder
3.28 ExtUtils::ParseXS
2.45 Getopt::Long
0.80 Inline
1.08 IO::String
1.10 IO::Zlib
2.28 IP::Country
missing Mail::ClamAV
3.004001 Mail::SpamAssassin
v2.009 Mail::SPF
1.999001 Mail::SPF::Query
0.422 Module::Build
0.21 Net::CIDR::Lite
0.81 Net::DNS
v0.003 Net::DNS::Resolver::Programmable
0.65 Net::LDAP
4.078 NetAddr::IP
1.967013 Parse::RecDescent
missing SAVI
3.35 Test::Harness
2.02 Test::Manifest
2.03 Text::Balanced
1.71 URI
0.9909 version
1.15 YAML
Thank you.

rules not being processed

Hi,
I included below in the scan.messages.rules. Can the 'and' keyword be used in this ruleset as well? It doesn't seem so, but I wonder if this is by design. Same goes for MailScanner v4.
Grtz,
Ronald

From: safedomain.com and To: trusted_recipient@* no

Scan Messages

From @alvarosplit on December 28, 2015 9:29

Hi,

I'm writing a CustomFunction to check the "Scan Messages" value in a
database:

Scan Messages = &ScanMsgs

but the function is executed two times for each message:

Sep 23 17:15:05 MailScanner[22554]: 4694D2180A7.AC573: ScanMsgs checking.
Sep 23 17:15:05 MailScanner[22554]: 4694D2180A7.AC573: ScanMsgs checking.

Debugging the code, I've found 2 calls to that "Scan Messages" function:

[+] Message.pm, new (constructor, called by Postfix.pm's CreateBatch function):

Decide if we want to scan this message at all

$this->{scanmail} = MailScanner::Config::Value('scanmail', $this);
if ($this->{scanmail} =~ /[12]/) {
$this->{scanmail} = 1;
} else {
# Make sure it is set to something, and not left as undef.
$this->{scanmail} = 0;
}
if ($this->{scanmail} !~ /1/) {
$this->{scanvirusonly} = 1;
} else {
$this->{scanvirusonly} = 0;
}

[+] Postfix.pm, in CreateBatch function:

    if (MailScanner::Config::Value("scanmail", $newmessage) =~ /[12]/ ||
        MailScanner::Config::Value("virusscan", $newmessage) =~ /1/ ||
        MailScanner::Config::Value("dangerscan", $newmessage) =~ /1/) {
      $newmessage->NeedsScanning(1);

So in that Postfix.pm code, instead of reading the value of $newmessage's variable "scanmail", which was created in the Message.pm code I pasted before, it calls the MailScanner::Config::Value function again, which searches for that value again (if it is a ruleset it will look for the rule in the rules file, or if it's a function, like in my configuration, it will execute it one more time).
Changing that code to:

if ($newmessage->{"scanmail"} =~ /[12]/ ||
  $newmessage->{"virusscan"} =~ /1/ ||
  $newmessage->{"dangerscan"} =~ /1/) {
$newmessage->NeedsScanning(1);

it reads the value from the variable filled by Message.pm, and doesn't call the function again.

Copied from original issue: MailScanner/v4#43

Phishing incorrectly flags message as Disarmed

From @ShaneOfMacquarie on April 8, 2016 1:17

When an email lands containing a phishing link and the MailScanner option 'Phishing Modify Subject' set to 'start' (or yes), the email subject is incorrectly shown as '{Disarmed}' and the link in the email still points to the fraudulent site (although it does have the inline text 'MailScanner has detected a possible fraud attempt from "areallybadlink.com" claiming to be agoodlink.com").

I noticed a couple of references to MailScanner::Config::Value('phishinsubjecttag' and tried changing them to phishinsubjecttext instead, thinking it might help - it didn't.

Copied from original issue: MailScanner/v4#63

Very long filenames are good signs of attacks against Microsoft ... mistakenly triggered?

Mailscanner blocked an attachment with:

MailScanner: Very long filenames are good signs of attacks against Microsoft e-mail packages (Reg No -2016%2.png)

so I checked: /etc/MailScanner/filename.rules.conf and the rule triggered is:

#Due to a bug in Outlook Express, you can make the 2nd from last extension
#be what is used to run the file. So very long filenames must be denied,
#regardless of the final extension.
deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages

Not sure how a filename of "Reg No -2016%2.png" triggers that; is it the % character maybe?
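A small evaluator for rules in the layout of filename.rules.conf (four tab-separated fields: action, regex, log text, text reported to the user, checked top to bottom with the first match winning), added here as a Python example and not MailScanner's own Perl implementation. The long-filename rule is the one quoted in the issue with its tabs restored; the other rules are made up for the example and are not the project's shipped rules, and case-insensitive matching is an assumption.

```python
import re

# Constructed rule set. Only the .{150,} rule is from the issue; the rest are
# made up here to show ordering and are not MailScanner's shipped rules.
SAMPLE_RULES = "\n".join([
    "# Comments and blank lines are skipped",
    "",
    "deny\t.{150,}\tVery long filename, possible OE attack\t"
    "Very long filenames are good signs of attacks against Microsoft e-mail packages",
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tDouble extension\t"
    "Attempt to hide the real filename extension",
    "deny\t\\.exe$\tExecutable\tNo programs allowed",
    "allow\t.*\t-\t-",
])

ACTIONS = ("allow", "deny", "deny+delete")


def parse_rules(text):
    """Parse rule lines into (action, compiled regex, log text, user text) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError("line %d: expected 4 tab-separated fields" % lineno)
        action, pattern, logtext, usertext = (f.strip() for f in fields[:4])
        if action.lower() not in ACTIONS:
            raise ValueError("line %d: unknown action %r" % (lineno, action))
        # Case-insensitive matching is assumed for this example.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE), logtext, usertext))
    return rules


def check_filename(name, rules):
    """First matching rule wins: returns (action, log text, user text, pattern) or None."""
    for action, rx, logtext, usertext in rules:
        if rx.search(name):
            return (action, logtext, usertext, rx.pattern)
    return None


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name in ("Reg No -2016%2.png", "x" * 150 + ".png", "report.pdf.exe", "setup.exe"):
        print("%-24s -> %s" % (name[:24], check_filename(name, rules)))
```

Run against the 18-character name from the issue, the quoted `.{150,}` regex does not match, so this evaluator cannot reproduce the block from the filename alone; whatever string MailScanner actually matched is not visible in the report.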

Hi, how can I retrieve my email?

Hi,
MailScanner has blocked my email.

How can I retrieve my email?

Check 👍

Hello,

thank you for your patience. It looks as though MailScanner may be causing some problems with the delivery of the emails. I checked the exim queue and it has 2200+ emails waiting for delivery.

[23:35:15 phobos root@8221439 ~]cPs# exim -bpc
2207
[23:37:43 phobos root@8221439 ~]cPs#

When I try to force an exim queue run it states that deliveries are being deferred due to MailScanner:

== [email protected] R=defer_router defer (-1): All deliveries are handled by MailScanner
delivering 1cbcmI-000Bvy-TL (queue run pid 43568)
LOG: MAIN
== [email protected] R=defer_router defer (-1): All deliveries are handled by MailScanner
delivering 1cbdHI-000CzJ-D5 (queue run pid 43568)
LOG: MAIN
== [email protected] R=defer_router defer (-1): All deliveries are handled by MailScanner
delivering 1cblVI-000EdD-1W (queue run pid 43568)
LOG: MAIN
== [email protected] R=defer_router defer (-1): All deliveries are handled by MailScanner
delivering 1cbjJn-0009FR-7Q (queue run pid 43568)
LOG: MAIN
== [email protected] R=defer_router defer (-1): All deliveries are handled by MailScanner
delivering 1cbmAn-000GFh-W5 (queue run pid 43568)

Can you try disabling MailScanner? I can then attempt another queue run as well as run some more tests to see if the emails are delivered properly. Thank you.

Check for available disk space is way too strict

I recently found an issue with MailScanner filling the whole incoming ramdisk and then failing because some other plugin/service died miserably.

I noticed this at line 2518 of Message.pm:

  # Check we haven't filled the disk. Remove this message if we have, so
  # that we can continue processing the other messages.
  my $dir = MailScanner::Config::Value("incomingworkdir");
  my $df  = df($dir, 1024);
  if ($df) {
    my $freek = $df->{bavail};
    if (defined($freek) && $freek<100 && $freek>=0) {
      MailScanner::Log::WarnLog("Message %s is too big for available disk space in %s, skipping it", $this->{id}, $dir);
      my @toclear = ( $this->{id} );
      $workarea->ClearIds(\@toclear); # Delete attachments we might have made
      $this->DropFromBatch();
      return;
    }
  }

Note that it tests for $freek<100... well, 100k is not enough for almost any system out there, whether a tmpfs RAM disk or an SSD with heavy reallocation.

This should be something like 10% of the disk, or at least something like 100m, not 100k.

What do you think?
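A headroom check that combines an absolute floor with a percentage of the filesystem, as the post proposes, written as an added Python example rather than as a patch to Message.pm (this is not MailScanner code). The 100 MB and 10% thresholds come from the post; the test values are constructed. `shutil.disk_usage().free` is the non-root available space (f_bavail), the same figure Filesys::Df reports as bavail.

```python
import shutil

MIN_FREE_KB = 100 * 1024   # absolute floor: 100 MB, not the 100 KB hard-coded in Message.pm
MIN_FREE_FRACTION = 0.10   # and at least 10% of the filesystem must stay free


def enough_headroom(total_kb, avail_kb, needed_kb=0,
                    min_free_kb=MIN_FREE_KB, min_free_fraction=MIN_FREE_FRACTION):
    """Decide whether a message needing needed_kb of work space may be unpacked.

    Both floors must still hold after the write: the absolute one protects small
    filesystems where 10% is tiny, the relative one protects large ones where
    100 MB disappears in a single batch. A failed or nonsensical statfs
    (total <= 0, negative avail) refuses rather than risk filling the disk; the
    Message.pm check quoted above simply skips the test when df() returns nothing.
    """
    if total_kb <= 0 or avail_kb < 0:
        return False
    floor_kb = max(min_free_kb, int(total_kb * min_free_fraction))
    return avail_kb - needed_kb >= floor_kb


def workdir_headroom(path, needed_bytes):
    """Apply the rule to a real directory; returns (ok, avail_kb, total_kb).

    On POSIX shutil.disk_usage().free is f_bavail * f_frsize, the space available
    to a non-root process, which matches Filesys::Df's bavail used in Message.pm.
    """
    usage = shutil.disk_usage(path)
    total_kb, avail_kb = usage.total // 1024, usage.free // 1024
    return enough_headroom(total_kb, avail_kb, needed_bytes // 1024), avail_kb, total_kb


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "."
    ok, avail_kb, total_kb = workdir_headroom(path, needed_bytes=50 * 1024 * 1024)
    print("%s: %d KB of %d KB available, headroom for a 50 MB message: %s"
          % (path, avail_kb, total_kb, ok))
```

Passing the message size as `needed_kb` is the other change worth making: the original test only looks at what is free now, not at what the message about to be unpacked will consume.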

A few suggestions for the install script (Red Hat / CentOS)

Hi!

Apologies in advance for my English.

I have a few suggestions for the install script on Red Hat / CentOS.

  1. In the section where it checks perl modules and tries to install them with YUM, in the line
    THING="'perl($i)'";
    you need to remove the single quotes to get
    THING="perl($i)";
    otherwise YUM will not be able to find the packages.
  2. The EPEL repo for RHEL7 already contains the packages perl-Filesys-Df and perl-Sys-Hostname-Long.
    Would it be possible to remove the separate section that installs these packages for RHEL7?
  3. Please add additional packages to install perl modules with YUM:
    perl-Encode-Detect perl-LDAP perl-IO-Compress-Bzip2
    These packages are in the EPEL repo for RHEL releases 5 and 6;
    perl-IO-Compress
    this package is in the base repo for RHEL release 7.
  4. The variable MOREPACKAGES contains 'unrar' twice.

Thanks for your attention.

DKIM signature with mail scanner

I have been using MailScanner with Postfix for 6 months and it has been working very well except for one problem, which is the DKIM signature.
We require every email to carry a disclaimer message which is under our control, and for that we are using MailScanner's signing.rules feature.
The problem is that when we enable the email signing with the disclaimer message the DKIM signature becomes invalid.
I do understand the problem: the mail content is being modified after Postfix signs the DKIM signature, and it becomes invalid when MailScanner then modifies the message with its disclaimer. I need help here.
Is there any way that I can make MailScanner do the DKIM signing, or rewrite the DKIM signature so that it remains valid through the mail transfer process?
I tried to use a package called altermime which enables Postfix to do the disclaimer signing, but somehow it's giving problems on CentOS 6.5 and it doesn't seem as flexible as MailScanner.

Awaiting your response. Thanks in advance.

Regards,
Amir
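Why appending a disclaimer invalidates the signature, as an added Python example (not MailScanner or Postfix code): the DKIM bh= tag is a hash over the canonicalized body, so any byte appended after signing produces a different value and the verifier rejects the message. The message body and disclaimer are constructed for the example; the two canonicalization routines follow RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed) and use only the standard library.

```python
import base64
import hashlib
import re

# Constructed message body and disclaimer, CRLF-terminated as on the wire; not from the post.
ORIGINAL_BODY = "Hi team,\r\n\r\nThe invoice is attached.  \r\n\r\nRegards,\r\nAmir\r\n"
DISCLAIMER = "\r\n-- \r\nThis message is confidential and intended for the addressee only.\r\n"


def canon_body_simple(body):
    """RFC 6376 3.4.3 'simple': drop empty lines at the end of the body; an empty
    body canonicalizes to a single CRLF."""
    lines = body.split("\r\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else "\r\n"


def canon_body_relaxed(body):
    """RFC 6376 3.4.4 'relaxed': per line, collapse runs of SP/HTAB to one SP and
    strip trailing whitespace; then drop empty lines at the end of the body. An
    empty body canonicalizes to the empty string."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body, canon="relaxed"):
    """The bh= value a rsa-sha256 / ed25519-sha256 signer would emit for this body."""
    c = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.sha256(c.encode("utf-8")).digest()).decode("ascii")


def signature_survives(signed_body, delivered_body, canon="relaxed"):
    """True only if the body the verifier sees hashes to what the signer hashed.
    Only the body hash is modelled here; the header signature (b=) is unaffected
    by body changes, so bh= is exactly where a disclaimer breaks DKIM."""
    return body_hash(signed_body, canon) == body_hash(delivered_body, canon)


if __name__ == "__main__":
    for canon in ("simple", "relaxed"):
        print(canon, "bh=", body_hash(ORIGINAL_BODY, canon))
        print(canon, "bh= after disclaimer", body_hash(ORIGINAL_BODY + DISCLAIMER, canon))
        print(canon, "signature survives:",
              signature_survives(ORIGINAL_BODY, ORIGINAL_BODY + DISCLAIMER, canon))
```

The only changes a signature tolerates are the ones canonicalization erases: trailing empty lines under both modes, and whitespace differences under relaxed. A disclaimer is neither, so the signer has to run after the last step that touches the body, i.e. after MailScanner has added the text. The l= body-length tag would let a signature survive appended content, but for the same reason it lets anyone append content, which is why its use is discouraged.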

Latest WHM upgrade not compatible

The latest WHM/cPanel upgrade has caused all outbound emails to show "Unknown" recipients and not send. After disabling MailScanner, emails can once again be sent.

clamav-wrapper permissions

I use MailWatch, and to make the ClamAV status work consistently the folder /var/spool/MailScanner/incoming/clamav-tmp needs to have the correct ownership. It would be better to clean up after running the wrapper, i.e. to also delete the parent directory.

Debugging, for me:

${TempDir} == /var/spool/MailScanner/incoming/clamav-tmp/tmp.M4rmuXQ38A: Is a directory
${IWD} == /var/spool/MailScanner/incoming/clamav-tmp: Is a directory

rm -rf "${TempDir}"
rm -rf "${IWD}"

v5/common/usr/lib/MailScanner/wrapper/clamav-wrapper

Cheers

SUSE missing perl module

Occurs on a default install on vanilla SUSE.

May 28 12:18:26 linux-9xun ms-init[32649]: Can't locate Filesys/Df.pm in @INC (you may need to install the Filesys::Df module) 
