Hi,
we're using Exim 4.22_1 (FreeBSD 4.9) with SpamAssassin 2.60 and ClamAV 0.60_1,
mainly as a relay server.
We fetch the mails with fetchmail and forward them to the internal mail server.
With the outcome of the SWEN worm we installed SpamAssassin + ClamAV to stop
these messages.
Since we cannot reject the incoming mails, we discard all mails with viruses
and unknown senders, and all messages with wormish file extensions.
To keep track of what really happens, we generate log messages for all
discards.
Now we see that there are mails discarded without a log message, and
mails that are passed which should be discarded.
How is it possible to accomplish the intended behaviour?
Our DATA-ACL:
acl_check_content:

  accept   hosts = +clean_hosts
           endpass

  warn     message = X-Mime: This message contains a MIME error ($demime_reason)
           demime = *
           condition = ${if >{$demime_errorlevel}{2}{1}{0}}
           set acl_m0 = -MIME-

  warn     log_message = This message contains an unwanted file extension ($found_extension)
           demime = scr:vbs:bat:lnk:pif

  discard  demime = scr:vbs:bat:lnk:pif

  # Reject virus infested messages.
  warn     message = X-Virus: This message contains malware ($malware_name)
           demime = *
           malware = *
           set acl_m1 = -VIRUS-

  warn     message = X-Viagra: This message matches a blacklisted regular expression ($regex_match_string)
           condition = ${if <{$message_size}{80k}{1}{0}}
           regex = [Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa]
           set acl_m3 = -BLACK-

  warn     message = X-Penis: This message matches a blacklisted regular expression ($regex_match_string)
           condition = ${if <{$message_size}{80k}{1}{0}}
           regex = [Pp] *[Ee] *[Nn] *[Ii] *[Ss]
           set acl_m3 = -BLACK-

  warn     message = X-Spam-Score: $spam_score ($spam_bar)
           condition = ${if <{$message_size}{80k}{1}{0}}
           spam = nobody:true

  warn     message = X-Spam-Report: $spam_report
           condition = ${if <{$message_size}{80k}{1}{0}}
           spam = nobody:true

  warn     message = X-Spam-Flag: YES
           condition = ${if <{$message_size}{80k}{1}{0}}
           spam = nobody
           set acl_m2 = -SPAM-

  warn     message = X-ACL-Header: ${if def:acl_m2 {$acl_m2 }}${if def:acl_m1 {$acl_m1 }}${if def:acl_m3 {$acl_m3 }}${if def:acl_m0 {$acl_m0 }}$h_subject:
           condition = ${if or {{def:acl_m0} {def:acl_m1} {def:acl_m2} {def:acl_m3} }{1}{0}}

  warn     log_message = This message contains a Virus and the header_syntax is not verified
           message = X-Verify-Sender: header syntax error
           condition = ${if def:acl_m1 {1}{0}}
           verify = header_syntax

  warn     log_message = This message contains a Virus and the sender is not verified
           message = X-Verify-Sender: sender error
           condition = ${if def:acl_m1 {1}{0}}
           verify = sender

  warn     log_message = This message contains a Virus and the header_sender is not verified
           message = X-Verify-Sender: header sender error
           condition = ${if def:acl_m1 {1}{0}}
           verify = header_sender

  discard  condition = ${if def:acl_m1 {1}{0}}
           verify = header_syntax
           verify = sender
           verify = header_sender

  # finally accept all the rest
  accept
Samples of mainlog:

1) first message with logging before discarding, third message discarded without logging
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr H=localhost [127.0.0.1] Warning: This message contains a Virus and the header_syntax is not verified
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr H=localhost [127.0.0.1] Warning: This message contains a Virus and the sender is not verified
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr H=localhost [127.0.0.1] Warning: This message contains a Virus and the header_sender is not verified
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr <= pauladeckers@??? H=localhost [127.0.0.1] P=esmtp S=157723 id=HNEXFE08nY9QzOs43ko0002bfa5@???
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr => blackhole (DATA ACL discarded recipients)
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr Completed
2003-10-06 06:04:09 1A6MbG-000GFQ-Cn <= suse-linux@??? H=localhost [127.0.0.1] P=esmtp S=3666 id=200310051830.10906.Manfred.Tremmel@???
2003-10-06 06:04:10 1A6MbG-000GFQ-Cn => x.y@??? R=local_network T=remote_smtp H=internal.mail.server
2003-10-06 06:04:10 1A6MbG-000GFQ-Cn Completed
2003-10-06 06:04:12 1A6MbS-000GFQ-4w <= pauladeckers@??? H=localhost [127.0.0.1] P=esmtp S=145463 id=HNEXFE07NPuBcljpybJ00041d3d@???
2003-10-06 06:04:12 1A6MbS-000GFQ-4w => blackhole (DATA ACL discarded recipients)
2003-10-06 06:04:12 1A6MbS-000GFQ-4w Completed
2) message not discarded, even though all conditions are met
2003-10-07 10:18:16 1A6n2r-000I7J-SF H=localhost [127.0.0.1] Warning: This message contains a Virus and the sender is not verified
2003-10-07 10:18:16 1A6n2r-000I7J-SF <= desmondlu@??? H=localhost [127.0.0.1] P=esmtp S=157865 id=20031007080321.EMCP1219.maxwell6.pacific.net.sg@qykaqnft
2003-10-07 10:18:16 1A6n2r-000I7J-SF => x.y@??? R=local_network T=remote_smtp H=internal.mail.server
2003-10-07 10:18:16 1A6n2r-000I7J-SF Completed
The header of the above message contains:

Received: from qykaqnft ([210.24.227.82]) by maxwell6.pacific.net.sg
          with SMTP
          id <20031007080321.EMCP1219.maxwell6.pacific.net.sg@qykaqnft>;
          Tue, 7 Oct 2003 16:03:21 +0800
FROM: "Microsoft Technical Support" < @poTO: "Client" <cbrslsb_liynvahkbe@???>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="dqzotmsifslyoeapk"
Message-Id: <20031007080321.EMCP1219.maxwell6.pacific.net.sg@qykaqnft>
Date: Tue, 7 Oct 2003 16:03:30 +0800
Bcc:
X-Virus: This message contains malware (Worm.Gibe.F)
X-Verify-Sender: sender error
Subject: -VIRUS- Latest Internet Pack
--dqzotmsifslyoeapk
Thanks
Reinhard Haller
--
Dipl. Inform. Reinhard Haller
INTERACTIVE Network Systems GmbH
Hermann-Hesse-Str. 5
85551 Kirchheim b. München
Tel.: 089/904880-0
Mob.: 0171/8022551
Fax: 089/904880-22
mailto: reinhard.haller@???
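The question above turns on how Exim combines the conditions of a single ACL statement. As an added illustration (not Exim code and not part of the original post), the following Python model applies Exim's rule that the conditions of one statement are tested in the order written and must all be true for the verb to act: a `warn` with a `log_message` therefore logs nothing when any of its conditions fails, and a `discard` only discards when every condition holds. It runs a simplified version of the posted virus/verify block, and the same block with each `verify` negated in the way Exim supports (`!verify = ...`), over three constructed messages. The condition names, the log texts and the sample messages are constructed for the example.

```python
"""Toy model of Exim ACL condition evaluation.

Added example, not Exim code and not from the original post. It models
the rule that the conditions of one ACL statement are tested in written
order and must ALL be true for the verb to act. Condition names and the
three sample messages are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Statement:
    verb: str                              # "accept", "warn" or "discard"
    conditions: List[Tuple[str, bool]]     # (fact name, negated?) in written order
    log_message: str = ""                  # only meaningful for "warn"


def evaluate(acl, facts):
    """Run `acl` against one message described by `facts`.

    `facts` maps a condition name to the boolean Exim would compute for it,
    e.g. facts["verify=sender"] is True when the sender verifies.
    Returns (verdict, logged_messages).
    """
    logged = []
    for stmt in acl:
        fired = True
        for name, negated in stmt.conditions:
            if facts[name] == negated:       # a "!" condition flips the test
                fired = False
                break                        # first failing condition ends the statement
        if not fired:
            continue                         # verb does nothing; next statement
        if stmt.verb == "warn":
            if stmt.log_message:
                logged.append(stmt.log_message)
            continue                         # warn never ends the ACL
        return stmt.verb, logged             # accept / discard end the ACL
    return "deny", logged                    # running off the end denies


VIRUS = ("malware", False)

# Modelled on the posted block: each verify is tested in the positive sense,
# so a warn fires (and logs) when that verification SUCCEEDS, and the
# discard needs all three verifications to succeed.
AS_WRITTEN = [
    Statement("warn", [VIRUS, ("verify=header_syntax", False)],
              "Virus and the header_syntax is not verified"),
    Statement("warn", [VIRUS, ("verify=sender", False)],
              "Virus and the sender is not verified"),
    Statement("warn", [VIRUS, ("verify=header_sender", False)],
              "Virus and the header_sender is not verified"),
    Statement("discard", [VIRUS, ("verify=header_syntax", False),
                          ("verify=sender", False), ("verify=header_sender", False)]),
    Statement("accept", []),
]

# The same block with each verify negated (Exim's `!verify = ...`): a warn
# fires when the verification FAILS, and any single failure discards.
NEGATED = [
    Statement("warn", [VIRUS, ("verify=header_syntax", True)],
              "Virus and the header_syntax is not verified"),
    Statement("warn", [VIRUS, ("verify=sender", True)],
              "Virus and the sender is not verified"),
    Statement("warn", [VIRUS, ("verify=header_sender", True)],
              "Virus and the header_sender is not verified"),
    Statement("discard", [VIRUS, ("verify=header_syntax", True)]),
    Statement("discard", [VIRUS, ("verify=sender", True)]),
    Statement("discard", [VIRUS, ("verify=header_sender", True)]),
    Statement("accept", []),
]

# Constructed message facts (not taken from the posted logs).
CLEAN = {"malware": False, "verify=header_syntax": True,
         "verify=sender": True, "verify=header_sender": True}
INFECTED_GOOD_HEADERS = {"malware": True, "verify=header_syntax": True,
                         "verify=sender": True, "verify=header_sender": True}
INFECTED_BAD_HEADERS = {"malware": True, "verify=header_syntax": False,
                        "verify=sender": True, "verify=header_sender": False}

if __name__ == "__main__":
    for label, acl in (("as written", AS_WRITTEN), ("negated", NEGATED)):
        for name, msg in (("clean", CLEAN), ("infected, good headers", INFECTED_GOOD_HEADERS),
                          ("infected, bad headers", INFECTED_BAD_HEADERS)):
            verdict, logs = evaluate(acl, msg)
            print(f"{label:10} | {name:23} -> {verdict:7} logged={logs}")
```

Running it shows the two behaviours side by side: with positive `verify` conditions an infected message whose headers fail verification gets only the "sender" warning logged and is then accepted, because the `discard` statement stops at its first failing `verify`; with the negated conditions the same message logs both failing checks and is discarded, while an infected message whose sender fully verifies is left for the other rules to handle.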