Hi,
We have recently installed qmail-scanner 1.22 on two relatively high volume systems in order to filter both virus and spam and so far the statistics are very very pleasing. We have noticed two recurrent anomalies however with certain MIME messages passing through the system whereby they are blocked for no obvious reason because of illegal characters or abnormal MIME boundaries. The MIME boundary issue seems to relate to some cases where the boundary string itself starts with -- (such that the actual boundaries start ----). I may be being daft but I think this might be a problem with qmail-scanner rather than the message but perhaps someone can take a look.

qmail-queue.log states:
Thu, 06 May 2004 14:56:19 BST:28117: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/goose108385177947928117 [1083851779.34342]
Thu, 06 May 2004 14:56:19 BST:28117: c_a_g: found hidden MIME attachment
Thu, 06 May 2004 14:56:19 BST:28117: w_c: primary Content-Type of multipart/mixed found
Thu, 06 May 2004 14:56:19 BST:28117: w_c: found a top-level boundary definition of \-\-Boundary\.8f61c4033417dca7abe732170804cfee4e5bd5b9\-\-
Thu, 06 May 2004 14:56:19 BST:28117: w_c: attachment 1: Content-Type of text/plain found
Thu, 06 May 2004 14:56:19 BST:28117: found C-T attachment filename bin-6dt-001164.txt
Thu, 06 May 2004 14:56:19 BST:28117: w_c: attachment 2: Content-Type of text/plain found
Thu, 06 May 2004 14:56:19 BST:28117: w_c: found end of attachment boundary, BOUNDARY_REGEX was "\-\-Boundary\.8f61c4033417dca7abe732170804cfee4e5bd5b9\-\-"...
Thu, 06 May 2004 14:56:19 BST:28117: w_c: now that "\-\-Boundary\.8f61c4033417dca7abe732170804cfee4e5bd5b9\-" has been removed, it's "\-"...
Thu, 06 May 2004 14:56:19 BST:28117: w_c: broken attachment MIME details (still_attachment=----Boundary.8f61c4033417dca7abe732170804cfee4e5bd5b9----, but BOUNDARY_REGEX="\-")- block it!
Thu, 06 May 2004 14:56:19 BST:28117: w_c: rename new msg from /var/spool/qmailscan/working/tmp/goose108385177947928117 to /var/spool/qmailscan/working/new/goose108385177947928117 [1083851779.34665]

And the actual message was (some body omitted to make it readable, please ask if you need more):
Content-Type: multipart/mixed;
boundary="--Boundary.8f61c4033417dca7abe732170804cfee4e5bd5b9--"
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on goose.dnsmaster.net
X-Spam-Level: ***
X-Spam-Status: No, hits=3.2 required=5.0 tests=FORGED_RCVD_NET_HELO,
TO_ADDRESS_EQ_REAL autolearn=no version=2.63
This message is in MIME format
----Boundary.8f61c4033417dca7abe732170804cfee4e5bd5b9--
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Card origin :
----Boundary.8f61c4033417dca7abe732170804cfee4e5bd5b9--
Content-Type: text/plain; name="BIN-6DT-001164.txt"
Content-Transfer-Encoding: 7bit
Please view this with a fixed-width font.
----Boundary.8f61c4033417dca7abe732170804cfee4e5bd5b9----
If you see this your mailer is not MIME enabled

The other example I found that seemed odd is with a single part MIME email which reported bad headers but I have analysed it for abnormal LFs but cannot find anything wrong. It might not be easy to diagnose via this email but again someone might be able to spot it.

Actual message:
Subject: Order number 12817 from [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: application/octet-stream; name="12817.ord"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="12817.ord"
X-Spam-Processed: xxxxxxxxxx.co.uk, Wed, 05 May 2004 12:21:08 +0100
(not processed: message from valid local sender)
X-MDRemoteIP: xxxxxxxxxxxx
X-Return-Path: [EMAIL PROTECTED]
X-MDaemon-Deliver-To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
X-MDAV-Processed: xxxxxxxx.co.uk, Wed, 05 May 2004 12:21:17 +0100
X-n13ASF-Prob: 0.1049
X-n13ASF-Matched: 54/208 patterns
X-n13ASF-Preview: Order number 12817 from xxxxxxxxxxxxxxxx
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on xxxxxxxxxxxxxx
X-Spam-Level:
X-Spam-Status: No, hits=0.7 required=5.0 tests=MISSING_MIMEOLE,
MISSING_OUTLOOK_NAME autolearn=no version=2.63

qmail-queue.log reports "Disallowed characters found in MIME headers"

Obviously the MIME checks can be disabled which I have done for the time being but it would be nicer to keep them running.

Kind Regards,
Tristan Graham,
Skymarket
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
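
Added example, not part of the original post and not qmail-scanner's code: a minimal RFC 2046 delimiter matcher run on a constructed sample modeled on the first message above, next to a hypothetical shortcut that treats any boundary line ending in "--" as the close delimiter. The function names and the shortened sample bodies are assumptions made for illustration.

```python
# Constructed sample modeled on the message quoted above (bodies shortened).
BOUNDARY = "--Boundary.8f61c4033417dca7abe732170804cfee4e5bd5b9--"
SAMPLE = "\n".join([
    "This message is in MIME format",
    "--" + BOUNDARY,
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "Card origin :",
    "--" + BOUNDARY,
    'Content-Type: text/plain; name="BIN-6DT-001164.txt"',
    "",
    "Please view this with a fixed-width font.",
    "--" + BOUNDARY + "--",
    "If you see this your mailer is not MIME enabled",
])

def classify_line(line, boundary):
    """RFC 2046 matching: '--' + boundary is a part delimiter and
    '--' + boundary + '--' is the close delimiter; anything else is body."""
    stripped = line.rstrip(" \t\r")  # trailing whitespace is tolerated
    if stripped == "--" + boundary:
        return "delimiter"
    if stripped == "--" + boundary + "--":
        return "close"
    return None

def naive_classify(line, boundary):
    """Hypothetical shortcut: a boundary line ending in '--' must be the close."""
    stripped = line.rstrip(" \t\r")
    if not stripped.startswith("--" + boundary):
        return None
    return "close" if stripped.endswith("--") else "delimiter"

def split_parts(text, boundary, classify=classify_line):
    """Return (parts, closed): body-part texts and whether a close was seen.
    A trailing part with no close delimiter is not returned."""
    parts, current = [], None
    for line in text.split("\n"):
        kind = classify(line, boundary)
        if kind is None:
            if current is not None:  # skip the preamble before the first delimiter
                current.append(line)
            continue
        if current is not None:
            parts.append("\n".join(current))
        if kind == "close":
            return parts, True
        current = []
    return parts, False

if __name__ == "__main__":
    print(len(split_parts(SAMPLE, BOUNDARY)[0]))
    print(len(split_parts(SAMPLE, BOUNDARY, naive_classify)[0]))
```

Exact matching recovers both text/plain parts, while the shortcut reads the very first delimiter as the end of the multipart body and yields no parts, because this boundary value itself ends in "--".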