Re: [Exim] exim + exiscan + sophie...

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Margrit Lottmann
Datum:  
To: exim-users
Betreff: Re: [Exim] exim + exiscan + sophie...
On Wed, 28 Jul 2004, Wakko Warner wrote:

> > Some emails cannot be scanned because of errors
>
> Look at the attachment. That is before you base64 decode it. There's
> random length lines, spaces on the lines. The decoder I wrote only decodes
> upto the first space and thus corrupted enough that the virus scanner can't
> see it. I'm still glad I block based on extension.
>

Here is our acl-part to demime/virus scanning:
::::::::::::::::::::::::::::::::::::::::::::::
 warn  message = X-Mime-Error: $demime_reason
        demime = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}


  deny  message = This site does not accept attachments of this type
($found_extension)
        demime  = ade:adp:bas:bat:chm:cmd:com:cpl:exe:hlp:hta:\
                  inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:\
                  reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh


  warn  message = X-Malware-Error: $malware_name
        malware = *


(The central system filter will discard messages with X-Mime-Error:-,
X-Malware-Error:-Headers. Messages with blocked extensions will be
discarded already before...)

results of my recherche in logfiles of last days:
:::::::::::::::::::::::::::::::::::::::::::::::::
(2 examples of many...)

example 1:
::::::::::

message 1BpujM-0000wz-9f
.........................
in mainlog:
...no demime.error was specified...

in sophie.log:
2004-07-28 22:08:52 WARNING
: /mailsrv/spool/scan/1BpujM-0000wz-9f/1BpujM-0000wz-9f-00000.zip
Error: The file passed for scanning represented part of a multi volume
archive. The file cannot be scanned.

example 2:
::::::::::

message 1BprRv-00043s-4N
........................
in mainlog:
2004-07-28 18:38:55 1BprRv-00043s-4N demime acl condition: base64 line
length is not a multiple of 4 characters
2004-07-28 18:38:55 1BprRv-00043s-4N demime acl condition: base64 line
contains illegal character
2004-07-28 18:38:55 1BprRv-00043s-4N demime acl condition: base64 line
length exceeds 76 characters
2004-07-28 18:38:56 1BprRv-00043s-4N <= ...I can already see...that this
is a virus message (manipulated addresses ... not from our net)
...
2004-07-28 18:38:56 1BprRv-00043s-4N Completed

...which $demime_errorlevel have such errors >>> not 2 or ??? <<<

in sophie.log:
2004-07-28 18:38:55 WARNING
: /mailsrv/spool/scan/1BprRv-00043s-4N/1BprRv-00043s-4N-00000.zip
Error: The file passed for scanning represented part of a multi volume
archive. The file cannot be scanned.

What can I do? I'm looking for a possibility to get return codes from
sophie to warn recipients if the scanner program has any problems.

In the old perl version of exiscan I've changed the perl code to
resolve such problems...but in the C version ???

--
Mit freundlichen Gruessen
M.Lottmann

 Otto - von - Guericke  Universitaet      __  __   ____ _____         _   __
               Magdeburg                 / / / /  / __ \__  /        / | / /
 ------------------------------------   / / / /  / /_/ / / / ______ /  |/ /
           Margrit Lottmann            / /_/ /  / _, _/ / /_______// /|  /
       Universitaetsrechenzentrum      \____/  /_/ |_| /____/     /_/ |_/
         Netze & Kommunikation