Gentoo's Bugzilla – Attachment 51760 Details for Bug 76256
mail-filter/qmail-scanner - add qms-analog support
[patch] qms-analog && st patch for 1.25
qmail-scanner-1.25-st-qms-20050219.patch (text/plain), 558.59 KB, created by Thomas Witzenrath on 2005-02-21 00:00:28 UTC
>diff -Naur qmail-scanner-1.25-DISTRO/aab.js qmail-scanner-1.25-st-qms-20050219/aab.js >--- qmail-scanner-1.25-DISTRO/aab.js 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/aab.js 2005-02-19 06:29:13.000000000 -0600 >@@ -0,0 +1,8 @@ >+// JavaScript Document. >+ function mailaddr (name,dom1,dom2) { >+ // Anti-spam address builder; >+ // From an idea of Steve Linford, by Salvatore Toribio; >+ document.write ("<a href=" + "mail" + "to:" + name + "@" + >+ dom1 + "." + dom2 + ">" + name + "@" + dom1 + "." + dom2 + "</a>"); >+ } >+ //--> >diff -Naur qmail-scanner-1.25-DISTRO/CHANGELOGpatched.html qmail-scanner-1.25-st-qms-20050219/CHANGELOGpatched.html >--- qmail-scanner-1.25-DISTRO/CHANGELOGpatched.html 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/CHANGELOGpatched.html 2005-02-19 06:49:52.000000000 -0600 
>@@ -0,0 +1,307 @@ >+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> >+<html> >+<head> >+<title>CHANGELOGpatched 20050207</title> >+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> >+<script language="JavaScript" src="aab.js" type="text/JavaScript"> >+</script> >+</head> >+ >+<body bgcolor="#FFFFFF"><pre> >+ >+ CHANGELOG st-qms patch >+ >+qmail-scanner-1.25-st-qms-20050219 >+ >+Merged qms-monitor utility into qms patch. >+ >+Ported to qmail-scanner-1.25st >+ >+ q-s-1.25st-20050207 >+ >+Updated to version qmail-scanner-1.25, see >+http://qmail-scanner.sourceforge.net/CHANGES for details. >+ >+Small change in the way spamd-socket is detected during the configuration. >+And return to my old way of set it in qmail-scanner-queue.pl >+ >+Check if the ppid (parent pid) is still alive before doing anything, >+otherwise quit silently. >+ >+MINIDEBUG can be set to '2' to log the ppid, the message size and >+send a warn to qmail-smtpd log if there are no sender and no recipient. >+ >+Added a separate subroutine to check sa_score against sa_quarantine and >+sa_delete, to avoid duplicate code and to have a shorter code, that's >+never waste... >+ >+If a message for multiples recipients contains a virus_to_delete, >+check only for the first recipient. >+ >+----------------------------- >+ >+ q-s-1.24st-20041101 >+ >+Updated to version qmail-scanner-1.24, see >+http://qmail-scanner.sourceforge.net/CHANGES for details. >+ >+sa-fwd-verbose [yes|no] (default: no) >+Whether to add the X-Spam headers to the forwarded message >+if sa-forward is set. >+ >+If a mail from a local user is blocked it will be notified >+to the 'admin' even with 'nmladm' or 'nmlvadm' selected. >+The string 'LOCAL USER' is added to the subject of the notification, >+it would need to be localized in the future... 
>+(suggested by Nerijus Baliunas) >+ >+Added the script 'log-report.sh' in the qmailscan directory, this >+script does a quick statistic from qmail-queue.log (or .gz) >+ >+Added some checks in the configure script to avoid some configure >+errors with empty options, it is better don't use an empty option... >+Also added some cosmetic information. >+Added a check for automatically discover the spamd-socket >+that works in RH-7.3 >+ >+Added the code to use the spamassassin 'sql' per user settings in >+the routine 'sub spamassassin_alt', but it is commented, uncomment >+it if you wat to use 'sql' per user settings with sa_alt enabled. >+ >+Fix a minor bug in the spamassassin routine, quarantine_description >+was not set if it already existed. (thanks to Arvinn Lokkebakken) >+ >+Fix a minor bug in scanners_per_domain, there wasn't a match >+if the return-path was in capitals. (thanks to Devendra Singh) >+ >+----------------------------- >+ >+ q-s-1.23st-20040819 >+ >+I forgot to add the check for '$smaildir' when I added >+it to the distro... Fixed. (thanks to Nerijus Baliunas) >+ >+----------------------------- >+ >+ q-s-1.23st-20040817 >+ >+Add some checks to avoid that sa-report (sa_hdr_report) >+could be enabled when sa-alt or sa-debug are disabled. >+In this (unnormal) situation the header of the message >+was corrupted, but the message was still delivered >+correctly. Thanks to Joseph Murdock. >+ >+Add a check to avoid an empty $sa_report. >+ >+Fixed a bug, when scanners_per_domain was enabled and there >+were multiple recipients the X-Spam-Status was lost for >+some recipients. >+ >+----------------------------- >+ >+ q-s-1.23st-20040815 >+ >+Updated to version qmail-scanner-1.23, see >+http://qmail-scanner.sourceforge.net/CHANGES for details. >+ >+Fixed a bug in the configure script, the script returned an >+error when sa-forward was empty. >+ >+Add $smaildir to qmail-scanner-queue.pl to quarantine spam in an >+alternative mailfolder. 
You have to edit the file and change it, this >+is not a configuration option. Suggested by Nerijus Baliunas. >+ >+sa-report [yes|no] (default: no) >+ If sa-alt and sa-debug are enabled you can add >+ the X-Spam-Report header to the messages enabling >+ this option. >+ >+Improved the regex to extract the sa-report. >+ >+Replaced the spamc-nasty.eml to speed the configure script. >+ >+Tested sa_alt with SpamAssassin 3.0.0-pre4 >+ >+----------------------------- >+ >+ q-s-1.22st-20040806 >+ >+Add the choice 'none' to the routine scanners_per_domian, now is >+possible to set to 'none' the scanners of an user or set to 'none' >+the @scanners_default array. No headers will be add to the >+messages regardin the scanners when the scanner_array is 'none'. >+ >+Now the routine scanners_per_domian runs only once each scanner >+and stores the results in a hash when trere are multiple recipents. >+ >+sa-forward <username@domain> (default: empty) >+ User to redirect spam mails 'being quarantined' for >+ admin purposes... >+ (i.e. --sa-forward antispam@mydomain.com) >+ >+Some cosmetics changes in the routine of spamassassin. >+ >+Updated the routine check_and_grab_uuencoding to 1.22 (oops) >+ >+Add some documentation to scanners_per_domian. >+ >+Add some documentation to sa_alt, spamassassin config and sa_socket. >+ >+----------------------------- >+ >+ q-s-1.22st-20040606 >+ >+Fix a bug where the qmail-scanner-queue-version.txt file was not >+generated properly, because @scanners_array was empty, >+thanks to Peter M. Nielsen. >+ >+The match against the return-path and the domain-return-path it is >+only done if the variable RELAYCLIENT is defined, thanks to Patrik Nilsson. >+ >+----------------------------- >+ >+ q-s-1.22st-20040602 >+ >+scanners_per_domain, this options allows to define a per user/domain >+ scanners_array, see the file scanners_per_domain.txt for details. >+ The match is done for the return-path first and for "each" recipient. 
>+ I will write some documentation as soon as possible... >+ >+Removed the run-first-ps option >+ >+Removed an extra unuseful code that I added to the spamassassin routine... >+ >+Changed the regex that extracts SA_REPORT, and clean some invalid char >+in the reports of SA v.2.5x >+ >+Added the patch for version F-Secure 4.52 by Jyri >+ >+----------------------------- >+ >+ q-s-1.22st-20040502 >+ >+Updated to version qmail-scanner-1.22, see >+http://qmail-scanner.sourceforge.net/CHANGES for details. >+ >+SA_REPORT added to the admin notify and to the quarantined >+file (if sa_alt=1 and sa_debug=1). >+ >+Fix a bug in the process number (pid) in the email headers and in >+the log. >+ >+----------------------------- >+ >+ q-s-1.21st-20040324 >+ >+Fix a bug in the subroutine cleanup, the check for the directory where mails >+must be archived was wrong, this bug is also in the official version. >+ >+Fix a cosmetic bug in the subroutine spamassassin. >+ >+----------------------------- >+ >+ q-s-1.21st-20040319 >+ >+Updated to version qmail-scanner-1.21, that adds a lot of new features >+see http://qmail-scanner.sourceforge.net/CHANGES for details. >+ >+Add support for spamd running with unix-socket (--sa-socket) Ed. H. >+ >+BIG CHANGE: Now sa-quarantine and sa-delete are relative values >+to spamassassin required_hits, this will allow a "pseudo per user" >+configuration (never tested). >+See FAQ n.17 in http://qmail-scanner.sourceforge.net/FAQ.php >+ >+Fix a little bug in the original spamassassin routine, which some >+'rcpt to' with inside '-c', '-r', ... in the mailaddress, spamc interpret >+that string as a command line option. Pointed out by Jonas Thomsen. >+ >+Changed the way spam-mails are deleted, so now somethig will >+arrive to the syslog if log-details is enabled. >+ >+virus_to_delete is now a configuration option and now somethig will >+arrive to the syslog if log-details is enabled. 
>+ >+----------------------------- >+ >+ q-s-1.20st-20040204 >+ >+virus_to_delete, a control to delete some virus without notifying >+anyone, actually it is not a configuration option, you must edit >+qmail-scanner-queue to add new virus to the list. >+ >+Do not reject mails from 127.0.0.1 (note for Fetchmail users >+in the documentation), suggested by Nerijus Baliunas >+ >+Changed the name of SA_WHITELIST to SA_ONLYDELETE_HOST, suggested >+by Paul Theodoropoulos. SA_WHITELIST still valid for compatibility. >+ >+Added minidebug for mails with "no sender and no recipient" >+ >+Routine close_log (only cosmetic) >+ >+----------------------------- >+ q-s-1.20st-20040105 >+ >+sa-subject An alternative way to set spamc_subject during configuration >+ >+sa-alt Alternative subroutine for spamassassin >+ >+sa-debug Used with sa-alt logs the tests and the scores of >+ spamassassin to qmail-queue.log. There are samples of >+ the logs in the documentation. >+ >+SA_SKIP_MD SA skip MAILER-DAEMON messages, this is not a configuration >+ option, just a switch in the code, see READMEpatched for details >+ >+----------------------------- >+ q-s-1.20st-20031222 >+ >+Documentation updated, added more examples >+ >+Added some entries to quarantine-attachments.txt >+ >+sa-delta Tag the subject of spam messages with LOW, MEDIUM and HIGH. >+ >+SA_WHITELIST Do not reject spam messages from some servers, >+ just delete them (enviroment variable). >+ >+BMC_WHITELIST Disabled BAD_MIME_CHECKS based in the IP the come from >+ (enviroment variable). >+ >+ >+----------------------------- >+ q-s-1.20st-20031208 >+ >+Options added to qmail-scanner-1.20 >+ >+qs-group Group of the user that Qmail-Scanner runs as. >+ >+admin-fromname From line information used when sending reports. >+ >+dscr-hdrs-text Descriptive headers text. >+ >+minidebug Logs only important information to qmail-queue.log. >+ >+run-first-p-s Run first perl-scanner as it was in the precedents versions >+ of qmail-scanner. 
>+ >+sa-quarantine Quarantine spam messages over this threshold. >+ >+sa-delete Delete spam messages over this threshold. >+ >+sa-reject Reject spam messages instead of delete them. >+</pre> >+<hr> >+<center><a href="READMEpatched.html">Back</a></center> >+Salvatore Toribio<br> >+<script language="JavaScript" type="text/JavaScript"> >+<!-- // Anti-spam address builder >+ mailaddr ('toribio', 'pusc', 'it') >+// --> >+</script> >+<br>20050207 >+<p> >+</body> >+</html> >+ >diff -Naur qmail-scanner-1.25-DISTRO/CHANGELOGpatched.txt qmail-scanner-1.25-st-qms-20050219/CHANGELOGpatched.txt >--- qmail-scanner-1.25-DISTRO/CHANGELOGpatched.txt 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/CHANGELOGpatched.txt 2005-02-19 06:51:22.000000000 -0600 
>@@ -0,0 +1,283 @@ >+ CHANGELOG st-qms patch >+ >+ qmail-scanner-1.25-st-qms-20050219 >+ >+Merged qms-monitor utility into qms patch. >+ >+Ported to qmail-scanner-1.25st >+ >+ >+ q-s-1.25st-20050207 >+ >+Updated to version qmail-scanner-1.25, see >+http://qmail-scanner.sourceforge.net/CHANGES for details. >+ >+Small change in the way spamd-socket is detected during the configuration. >+And return to my old way of set it in qmail-scanner-queue.pl >+ >+Check if the ppid (parent pid) is still alive before doing anything, >+otherwise quit silently. >+ >+MINIDEBUG can be set to '2' to log the ppid, the message size and >+send a warn to qmail-smtpd log if there are no sender and no recipient. >+ >+Added a separate subroutine to check sa_score against sa_quarantine and >+sa_delete, to avoid duplicate code and to have a shorter code, that's >+never waste... >+ >+If a message for multiples recipients contains a virus_to_delete, >+check only for the first recipient. >+ >+----------------------------- >+ >+ q-s-1.24st-20041101 >+ >+Updated to version qmail-scanner-1.24, see >+http://qmail-scanner.sourceforge.net/CHANGES for details. >+ >+sa-fwd-verbose [yes|no] (default: no) >+Whether to add the X-Spam headers to the forwarded message >+if sa-forward is set. >+ >+If a mail from a local user is blocked it will be notified >+to the 'admin' even with 'nmladm' or 'nmlvadm' selected. >+The string 'LOCAL USER' is added to the subject of the notification, >+it would need to be localized in the future... >+(suggested by Nerijus Baliunas) >+ >+Added the script 'log-report.sh' in the qmailscan directory, this >+script does a quick statistic from qmail-queue.log (or .gz) >+ >+Added some checks in the configure script to avoid some configure >+errors with empty options, it is better don't use an empty option... >+Also added some cosmetic information. 
>+Added a check for automatically discover the spamd-socket >+that works in RH-7.3 >+ >+Added the code to use the spamassassin 'sql' per user settings in >+the routine 'sub spamassassin_alt', but it is commented, uncomment >+it if you wat to use 'sql' per user settings with sa_alt enabled. >+ >+Fix a minor bug in the spamassassin routine, quarantine_description >+was not set if it already existed. (thanks to Arvinn Lokkebakken) >+ >+Fix a minor bug in scanners_per_domain, there wasn't a match >+if the return-path was in capitals. (thanks to Devendra Singh) >+ >+----------------------------- >+ >+ q-s-1.23st-20040819 >+ >+I forgot to add the check for '$smaildir' when I added >+it to the distro... Fixed. (thanks to Nerijus Baliunas) >+ >+----------------------------- >+ >+ q-s-1.23st-20040817 >+ >+Add some checks to avoid that sa-report (sa_hdr_report) >+could be enabled when sa-alt or sa-debug are disabled. >+In this (unnormal) situation the header of the message >+was corrupted, but the message was still delivered >+correctly. Thanks to Joseph Murdock. >+ >+Add a check to avoid an empty $sa_report. >+ >+Fixed a bug, when scanners_per_domain was enabled and there >+were multiple recipients the X-Spam-Status was lost for >+some recipients. >+ >+----------------------------- >+ >+ q-s-1.23st-20040815 >+ >+Updated to version qmail-scanner-1.23, see >+http://qmail-scanner.sourceforge.net/CHANGES for details. >+ >+Fixed a bug in the configure script, the script returned an >+error when sa-forward was empty. >+ >+Add $smaildir to qmail-scanner-queue.pl to quarantine spam in an >+alternative mailfolder. You have to edit the file and change it, this >+is not a configuration option. Suggested by Nerijus Baliunas. >+ >+sa-report [yes|no] (default: no) >+ If sa-alt and sa-debug are enabled you can add >+ the X-Spam-Report header to the messages enabling >+ this option. >+ >+Improved the regex to extract the sa-report. 
>+ >+Replaced the spamc-nasty.eml to speed the configure script. >+ >+Tested sa_alt with SpamAssassin 3.0.0-pre4 >+ >+----------------------------- >+ >+ q-s-1.22st-20040806 >+ >+Add the choice 'none' to the routine scanners_per_domian, now is >+possible to set to 'none' the scanners of an user or set to 'none' >+the @scanners_default array. No headers will be add to the >+messages regardin the scanners when the scanner_array is 'none'. >+ >+Now the routine scanners_per_domian runs only once each scanner >+and stores the results in a hash when trere are multiple recipents. >+ >+sa-forward <username@domain> (default: empty) >+ User to redirect spam mails 'being quarantined' for >+ admin purposes... >+ (i.e. --sa-forward antispam@mydomain.com) >+ >+Some cosmetics changes in the routine of spamassassin. >+ >+Updated the routine check_and_grab_uuencoding to 1.22 (oops) >+ >+Add some documentation to scanners_per_domian. >+ >+Add some documentation to sa_alt, spamassassin config and sa_socket. >+ >+----------------------------- >+ >+ q-s-1.22st-20040606 >+ >+Fix a bug where the qmail-scanner-queue-version.txt file was not >+generated properly, because @scanners_array was empty, >+thanks to Peter M. Nielsen. >+ >+The match against the return-path and the domain-return-path it is >+only done if the variable RELAYCLIENT is defined, thanks to Patrik Nilsson. >+ >+----------------------------- >+ >+ q-s-1.22st-20040602 >+ >+scanners_per_domain, this options allows to define a per user/domain >+ scanners_array, see the file scanners_per_domain.txt for details. >+ The match is done for the return-path first and for "each" recipient. >+ I will write some documentation as soon as possible... >+ >+Removed the run-first-ps option >+ >+Removed an extra unuseful code that I added to the spamassassin routine... 
>+ >+Changed the regex that extracts SA_REPORT, and clean some invalid char >+in the reports of SA v.2.5x >+ >+Added the patch for version F-Secure 4.52 by Jyri >+ >+----------------------------- >+ >+ q-s-1.22st-20040502 >+ >+Updated to version qmail-scanner-1.22, see >+http://qmail-scanner.sourceforge.net/CHANGES for details. >+ >+SA_REPORT added to the admin notify and to the quarantined >+file (if sa_alt=1 and sa_debug=1). >+ >+Fix a bug in the process number (pid) in the email headers and in >+the log. >+ >+----------------------------- >+ >+ q-s-1.21st-20040324 >+ >+Fix a bug in the subroutine cleanup, the check for the directory where mails >+must be archived was wrong, this bug is also in the official version. >+ >+Fix a cosmetic bug in the subroutine spamassassin. >+ >+----------------------------- >+ >+ q-s-1.21st-20040319 >+ >+Updated to version qmail-scanner-1.21, that adds a lot of new features >+see http://qmail-scanner.sourceforge.net/CHANGES for details. >+ >+Add support for spamd running with unix-socket (--sa-socket) Ed. H. >+ >+BIG CHANGE: Now sa-quarantine and sa-delete are relative values >+to spamassassin required_hits, this will allow a "pseudo per user" >+configuration (never tested). >+See FAQ n.17 in http://qmail-scanner.sourceforge.net/FAQ.php >+ >+Fix a little bug in the original spamassassin routine, which some >+'rcpt to' with inside '-c', '-r', ... in the mailaddress, spamc interpret >+that string as a command line option. Pointed out by Jonas Thomsen. >+ >+Changed the way spam-mails are deleted, so now somethig will >+arrive to the syslog if log-details is enabled. >+ >+virus_to_delete is now a configuration option and now somethig will >+arrive to the syslog if log-details is enabled. >+ >+----------------------------- >+ >+ q-s-1.20st-20040204 >+ >+virus_to_delete, a control to delete some virus without notifying >+anyone, actually it is not a configuration option, you must edit >+qmail-scanner-queue to add new virus to the list. 
>+ >+Do not reject mails from 127.0.0.1 (note for Fetchmail users >+in the documentation), suggested by Nerijus Baliunas >+ >+Changed the name of SA_WHITELIST to SA_ONLYDELETE_HOST, suggested >+by Paul Theodoropoulos. SA_WHITELIST still valid for compatibility. >+ >+Added minidebug for mails with "no sender and no recipient" >+ >+Routine close_log (only cosmetic) >+ >+----------------------------- >+ q-s-1.20st-20040105 >+ >+sa-subject An alternative way to set spamc_subject during configuration >+ >+sa-alt Alternative subroutine for spamassassin >+ >+sa-debug Used with sa-alt logs the tests and the scores of >+ spamassassin to qmail-queue.log. There are samples of >+ the logs in the documentation. >+ >+SA_SKIP_MD SA skip MAILER-DAEMON messages, this is not a configuration >+ option, just a switch in the code, see READMEpatched for details >+ >+----------------------------- >+ q-s-1.20st-20031222 >+ >+Documentation updated, added more examples >+ >+Added some entries to quarantine-attachments.txt >+ >+sa-delta Tag the subject of spam messages with LOW, MEDIUM and HIGH. >+ >+SA_WHITELIST Do not reject spam messages from some servers, >+ just delete them (enviroment variable). >+ >+BMC_WHITELIST Disabled BAD_MIME_CHECKS based in the IP the come from >+ (enviroment variable). >+ >+ >+----------------------------- >+ q-s-1.20st-20031208 >+ >+Options added to qmail-scanner-1.20 >+ >+qs-group Group of the user that Qmail-Scanner runs as. >+ >+admin-fromname From line information used when sending reports. >+ >+dscr-hdrs-text Descriptive headers text. >+ >+minidebug Logs only important information to qmail-queue.log. >+ >+run-first-p-s Run first perl-scanner as it was in the precedents versions >+ of qmail-scanner. >+ >+sa-quarantine Quarantine spam messages over this threshold. >+ >+sa-delete Delete spam messages over this threshold. >+ >+sa-reject Reject spam messages instead of delete them. 
>diff -Naur qmail-scanner-1.25-DISTRO/configure qmail-scanner-1.25-st-qms-20050219/configure >--- qmail-scanner-1.25-DISTRO/configure 2004-10-18 19:26:55.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/configure 2005-02-19 07:06:58.000000000 -0600 >@@ -10,14 +10,15 @@ > > umask 007 > >-OLD_LANG="$LANG" >-LANG=C >+OLD_LANG="$LANG" >+LANG=C > export LANG OLD_LANG > > QS_VERSION=`grep 'my $VERSION' qmail-scanner-queue.template|cut -d= -f2|sed -e 's/\"//g' -e 's/\;//g'` > > export QS_VERSION > >+echo > echo "Building Qmail-Scanner $QS_VERSION..." > > if [ "`id |grep root`" = "" ]; then >@@ -40,7 +41,7 @@ > > SUPPORTED_SCANNERS="clamscan,clamdscan,sweep,sophie,vscan,trophie,uvscan,csav,antivir,kavscanner,AvpLinux,kavdaemon,AvpDaemonClient,fsav,fprot,inocucmd,vexira,bitdefender,nod32,verbose_spamassassin,fast_spamassassin" > >-SILENT_VIRUSES='klez,bugbear,hybris,yaha,braid,nimda,tanatos,sobig,winevar,palyh,fizzer,gibe,cailont,lovelorn,swen,dumaru,sober,hawawi,holar-i,mimail,poffer,bagle,worm.galil,mydoom,worm.sco,tanx,novarg,\@mm' >+SILENT_VIRUSES="klez,bugbear,hybris,yaha,braid,nimda,tanatos,sobig,winevar,palyh,fizzer,gibe,cailont,lovelorn,swen,dumaru,sober,hawawi,hawaii,holar-i,mimail,poffer,bagle,worm.galil,mydoom,worm.sco,tanx,novarg,\@mm,cissy,cissi,qizy,bugler,dloade,netsky,spam" > > PWD=${PWD:-`pwd`} > TMPDIR=${TMPDIR:-/tmp} >@@ -82,7 +83,11 @@ > REDUNDANT="yes" > FIX_MIME="2" > DISABLE_EOL_CHECK="0" >-DEBUG_LEVEL="1" >+DEBUG_LEVEL="0" >+QMS_LOG="1" >+QMS_MONITOR="no" >+QMS_MON_ACCOUNTS="" >+QMS_MON_DESTINATIONS="" > FORCE_UNZIP="0" > QUARANTINE_PASSWORD_PROTECTED="0" > DESCRIPTIVE_HEADERS="0" 
>@@ -98,197 +103,407 @@ > SKIP_SETUID_TEST="" > MAX_ZIP_SIZE="1000000000" > >+# st patch options >+QS_GROUP="" >+MINI_DEBUG="1" >+ADMIN_FROMNAME="System Anti-Virus Administrator" >+DESCR_HEADERS_TEXT="X-Qmail-Scanner" >+SCANNERS_P_D="0" >+VIRUS_DELETE="0" >+SA_DELTA="0" >+SA_SUBJECT="" >+SA_FORWARD_IN="" >+SA_FORWARD="" >+SA_FWD_VERBOSE="0" >+SA_QUARANTINE="0" >+SA_DELETE="0" >+SA_REJECT="0" >+SA_ALT="0" >+SA_DEBUG="0" >+SA_HDR_REPORT="0" >+SPAMD_SOCKET="" >+ >+VIRUS_TO_DELETE="mydoom|worm.sco|novarg|tanx|bagle|netsky|somefool|roca|agobot|dumaru|sober|lovgate|klez|rox|(PIF|SCR|CPL|COM) files|zafi|mabutu" >+ > while [ -n "$1" ] > do > case $1 in > --qs-user) if [ "$2" != "" ] ; then shift ; fi ; QS_USER="$1" ;; > --spooldir) if [ "$2" != "" ] ; then shift ; fi ; AS_QQ="$1" ;; >- --qmaildir) if [ "$2" != "" ]; then shift ; fi ; QMAILDIR="$1" ;; >- --bindir) if [ "$2" != "" ] ; then shift ; fi ; BINDIR="$1" ;; >- --user|--admin) if [ "$2" != "" ] ; then shift ; fi ; USERNAME="$1" ;; >- --domain) if [ "$2" != "" ] ; then shift ; fi ; MAILDOMAIN="$1" ;; >- --notify) if [ "$2" != "" ]; then shift ; fi ; NOTIFY_ADDRESSES="$1" ;; >- --batch) DONOTCONFIRM="1" ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; fi ;; >- --silent-viruses) if [ "$2" != "" ]; then shift ; fi ; FIND_SILENT_VIRUSES="$1" ;; >- --local-domains) if [ "$2" != "" ]; then shift ; fi ; LOCAL_DOMAINS_ARRAY="$1" ;; >- --lang) if [ "$2" != "" ]; then shift ; fi ; QSLANG="$1" ;; >- --debug) if [ "$2" != "" ] ; then shift ; fi ; DEBUG_LEVEL="$1" ;; >- --unzip) if [ "$2" != "" ] ; then shift ; fi ; FORCE_UNZIP="$1" ;; >- --max-zip-size) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" -a "`echo $2|egrep '^[0-9]+$'`" != "" ] ; then shift ; fi ; MAX_ZIP_SIZE="$1" ;; >- --block-password-protected) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; if [ "`echo $1|egrep -i '^0|^no'`" != "" ]; then QUARANTINE_PASSWORD_PROTECTED="0" ; else if [ "`echo $1|egrep -i '^1|^yes'`" != "" ]; then 
QUARANTINE_PASSWORD_PROTECTED="1" ; else QUARANTINE_PASSWORD_PROTECTED="1" ; fi ; fi ; fi ;; >- --add-dscr-hdrs) if [ "$2" != "" ] ; then shift ; fi ; DESCRIPTIVE_HEADERS="$1" ;; >- --scanners) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; fi ; FIND_SCANNERS="$1" ;; >- --skip-text-msgs) if [ "$2" != "" ] ; then shift ; fi ; SKIP_TEXT_MSGS="$1" ;; >+ --qmaildir) if [ "$2" != "" ]; then shift ; fi ; QMAILDIR="$1" ;; >+ --bindir) if [ "$2" != "" ] ; then shift ; fi ; BINDIR="$1" ;; >+ --user|--admin) if [ "$2" != "" ] ; then shift ; fi ; USERNAME="$1" ;; >+ --domain) if [ "$2" != "" ] ; then shift ; fi ; MAILDOMAIN="$1" ;; >+ --notify) if [ "$2" != "" ]; then shift ; fi ; NOTIFY_ADDRESSES="$1" ;; >+ --batch) DONOTCONFIRM="1" ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; fi ;; >+ --silent-viruses) if [ "$2" != "" ]; then shift ; fi ; FIND_SILENT_VIRUSES="$1" ;; >+ --local-domains) if [ "$2" != "" ]; then shift ; fi ; LOCAL_DOMAINS_ARRAY="$1" ;; >+ --lang) if [ "$2" != "" ]; then shift ; fi ; QSLANG="$1" ;; >+ --debug) if [ "$2" != "" ] ; then shift ; fi ; DEBUG_LEVEL="$1" ;; >+ --qms-log) if [ "$2" != "" ] ; then shift ; fi ; QMS_LOG="$1" ;; >+ --qms-monitor) if [ "$2" != "" ] ; then shift ; fi ; QMS_MONITOR="$1" ;; >+ --qms-monitor-accts) if [ "$2" != "" ] ; then shift ; fi ; QMS_MON_ACCOUNTS="$1" ;; >+ --qms-monitor-dests) if [ "$2" != "" ] ; then shift ; fi ; QMS_MON_DESTINATIONS="$1" ;; >+ --unzip) if [ "$2" != "" ] ; then shift ; fi ; FORCE_UNZIP="$1" ;; >+ --max-zip-size) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" -a "`echo $2|egrep '^[0-9]+$'`" != "" ] ; then shift ; fi ; MAX_ZIP_SIZE="$1" ;; >+ --block-password-protected) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; if [ "`echo $1|egrep -i '^0|^no'`" != "" ]; then QUARANTINE_PASSWORD_PROTECTED="0" ; else if [ "`echo $1|egrep -i '^1|^yes'`" != "" ]; then QUARANTINE_PASSWORD_PROTECTED="1" ; else QUARANTINE_PASSWORD_PROTECTED="1" ; fi ; fi ; fi ;; >+ 
--add-dscr-hdrs) if [ "$2" != "" ] ; then shift ; fi ; DESCRIPTIVE_HEADERS="$1" ;; >+ --scanners) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; fi ; FIND_SCANNERS="$1" ;; >+ --skip-text-msgs) if [ "$2" != "" ] ; then shift ; fi ; SKIP_TEXT_MSGS="$1" ;; > --archive) ARCHIVEIT="1" ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; if [ "`echo $1|egrep -i '^0|^no'`" != "" ]; then ARCHIVEIT="0" ; else if [ "`echo $1|egrep -i '^1|^yes'`" != "" ]; then ARCHIVEIT="1" ; else ARCHIVEIT="$1" ; fi ; fi ; fi ;; >- --redundant) REDUNDANT="no" ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; REDUNDANT="$1" ; fi ;; >+ --redundant) REDUNDANT="no" ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; REDUNDANT="$1" ; fi ;; > --log-details) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; LOG_DETAILS="$1" ; fi ;; >- --log-crypto) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; LOG_CRYPTO="$1" ; fi ;; >+ --log-crypto) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; LOG_CRYPTO="$1" ; fi ;; > --fix-mime) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; if [ "`echo $1|egrep -i '^0|^no'`" != "" ]; then FIX_MIME="0" ; fi ; if [ "`echo $1|egrep -i '^[1-9]+$'`" != "" ]; then FIX_MIME="$1" ; fi ; fi ;; >- --ignore-eol-check) DISABLE_EOL_CHECK=0 ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; if [ "`echo $1|egrep -i '^1|^yes'`" != "" ]; then DISABLE_EOL_CHECK=1 ; fi ; fi ;; >- --no-QQ-check) MANUAL_INSTALL="1";; >- --skip-setuid-test) SKIP_SETUID_TEST=1 ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; if [ "`echo $1|egrep -i '^1|^yes'`" != "" ]; then SKIP_SETUID_TEST="1" ; fi ; if [ "`echo $1|egrep -i '^[1-9]+$'`" != "" ]; then SKIP_SETUID_TEST="$1" ; fi ; if [ "`echo $1|egrep -i '^0|^no'`" != "" ]; then SKIP_SETUID_TEST="0" ; fi ; fi ;; >- --qmail-queue-binary) if [ "$2" != "" ] ; then shift ; fi ; QMAILQUEUE_BIN="$1" ;; >+ --ignore-eol-check) 
DISABLE_EOL_CHECK=0 ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; if [ "`echo $1|egrep -i '^1|^yes'`" != "" ]; then DISABLE_EOL_CHECK=1 ; fi ; fi ;; >+ --no-QQ-check) MANUAL_INSTALL="1";; >+ --skip-setuid-test) SKIP_SETUID_TEST=1 ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; if [ "`echo $1|egrep -i '^1|^yes'`" != "" ]; then SKIP_SETUID_TEST="1" ; fi ; if [ "`echo $1|egrep -i '^[1-9]+$'`" != "" ]; then SKIP_SETUID_TEST="$1" ; fi ; if [ "`echo $1|egrep -i '^0|^no'`" != "" ]; then SKIP_SETUID_TEST="0" ; fi ; fi ;; >+ --qmail-queue-binary) if [ "$2" != "" ] ; then shift ; fi ; QMAILQUEUE_BIN="$1" ;; > --mime-unpacker) if [ "$2" != "" ] ; then shift ; fi ; MIME_UNPACKER="$1" ;; >- --install) INSTALLIT="1" ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; fi ;; >+ --install) INSTALLIT="1" ; if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; fi ;; >+ --qs-group) if [ "$2" != "" ] ; then shift ; fi ; QS_GROUP="$1" ;; >+ --admin-fromname) if [ "$2" != "" ] ; then shift ; fi ; ADMIN_FROMNAME="$1" ;; >+ --minidebug) if [ "$2" != "" -a "`echo $2|grep '\-'`" = "" ] ; then shift ; fi ; MINI_DEBUG="$1" ;; >+ --dscr-hdrs-text) if [ "$2" != "" ] ; then shift ; fi ; DESCR_HEADERS_TEXT="$1" ;; >+ --scanners-per-domain) if [ "$2" != "" ] ; then shift ; fi ; SCANNERS_P_D="$1" ;; >+ --scanner-per-domain) if [ "$2" != "" ] ; then shift ; fi ; SCANNERS_P_D="$1" ;; >+ --virus-to-delete) if [ "$2" != "" ] ; then shift ; fi ; VIRUS_DELETE="$1" ;; >+ --sa-delta) if [ "$2" != "" ] ; then shift ; fi ; SA_DELTA="$1" ;; >+ --sa-subject) if [ "$2" != "" ] ; then shift ; fi ; SA_SUBJECT="$1" ;; >+ --sa-forward) if [ "$2" != "" ] ; then shift ; fi ; SA_FORWARD_IN="$1" ;; >+ --sa-fwd-verbose) if [ "$2" != "" ] ; then shift ; fi ; SA_FWD_VERBOSE="$1" ;; >+ --sa-quarantine) if [ "$2" != "" ] ; then shift ; fi ; SA_QUARANTINE="$1" ;; >+ --sa-delete) if [ "$2" != "" ] ; then shift ; fi ; SA_DELETE="$1" ;; >+ --sa-reject) if [ "$2" != "" ] ; 
then shift ; fi ; SA_REJECT="$1" ;; >+ --sa-alt) if [ "$2" != "" ] ; then shift ; fi ; SA_ALT="$1" ;; >+ --sa-debug) if [ "$2" != "" ] ; then shift ; fi ; SA_DEBUG="$1" ;; >+ --sa-report) if [ "$2" != "" ] ; then shift ; fi ; SA_HDR_REPORT="$1" ;; >+ --sa-socket) if [ "$2" != "" ] ; then shift ; fi ; SPAMD_SOCKET="$1" ;; > *) cat <<EOF >&2 > >+ Invalid option: $1 [ --help is a valid option ;-) ] >+ > valid options: >- --qs-user <username> User that Qmail-Scanner runs as (default: $QS_USER) >- --qmaildir <top of qmail> defaults to $QMAILDIR/ >- --spooldir <spooldir> defaults to $AS_QQ/ >- --bindir <installdir> where to install qmail-scanner-queue.pl >- Defaults to /var/qmail/bin/ >- --admin <username> user to Email alerts to (default: $USERNAME) >- --domain <domain name> "user"@"domain" makes up Email address >- to Email alerts to. >+ >+ --qs-user <username> (default: qscand) >+ User that Qmail-Scanner runs as >+ >+ --qs-group <usergroup> (default: same as qs-user) >+ Group of the user that Qmail-Scanner runs as >+ >+ --qmaildir <top of qmail> (defaults to /var/qmail) >+ >+ --spooldir <spooldir> (defaults to /var/spool/qmailscan) >+ >+ --bindir <installdir> (defaults to /var/qmail/bin) >+ Where to install qmail-scanner-queue.pl >+ >+ --admin <username> (default: $USERNAME) >+ User to Email alerts to >+ >+ --domain <domain name> >+ "user"@"domain" makes up Email address to Email alerts to >+ >+ --admin-fromname <"From Name"> (default: "System Anti-Virus Administrator") >+ From line information used when making reports, the input >+ must be quoted. i.e. --admin-fromname "Antivirus Admin" >+ >+ --local-domains "one.domain,two.domain" >+ Defaults to the value of the "--domain" setting. >+ Comma-separated list (no spaces!) of domains that are >+ classified as "local". This is needed to ensure alerts >+ are only sent to local users and not remote when >+ '--notify "recips"' is chosen. This will drastically >+ reduce the chance of alerts being sent to mailing-lists. 
>+ > --scanners <list of installed content scanners> >- Defaults to "auto" - will use >- whatever scanners are found on system. >- Use this option to override "auto" - set >- to one or more of the following: >- >-auto,none,$SUPPORTED_SCANNERS >- >- Note the special-case "none". This >- will disable all but the internal >- perlscanner module. >- >- --skip-text-msgs [yes|no] Defaults to "yes" - Q-S will skip >- running any anti-virus scanners on >- any messages it works out are text-only. >- i.e. don't have any attachments. >- Set to "no" if you want them to be scanned >- anyway. >- >- --notify "none|sender|recips|precips|admin|nmladm|nmlvadm|all" Defaults to "$NOTIFY_ADDRESSES". >- Comma-separated list (no spaces!) >- of addresses to which alerts should >- be sent to. "nmladm" means only >- notify admin for "user infections", >- i.e. non-mailing-list mail. >- "nmlvadm" is the same as nmladm - except >- that it also doesn't notify for viral e-mails. >- i.e. just "policy" quarantines get e-mails. This allows you to >- still notify people when an e-mail is blocked due to >- a policy decision (such as blocking password-protected >- zip files), but a message tagged as viral by an AV system >- will *not* trigger notification. >- Similarly, "psender"/"precips" means notify the sender/recips only >- if their e-mail was blocked for policy reasons. i.e. if an AV system >- found a virus, then don't notify the sender/recip as the address was >- probably forged. >- --local-domains "one.domain,two.domain" Defaults to the >- value of the "--domain" setting. >- Comma-separated list (no spaces!) >- of domains that are classified as >- "local". This is needed to ensure >- alerts are only sent to local users >- and not remote when '--notify "*recips"' >- is chosen. This will dramatically >- reduce the chance of alerts being >- sent to mailing-lists. >- --silent-viruses "virus1,virus2" Defaults to "auto". 
>- This option allows you to tell >- Qmail-Scanner *not* to notify >- senders when it quarantines one >- of these viruses. Viruses such >- as Klez alter the sender address >- so that it has no relation to the >- actual sender - so there's no point >- in responding to Klez messages - it >- just confuses people. The admin and >- recips will still be notified as set >- by "--notify". >- Use this option to override "auto". >- By default this is set to: >- $SILENT_VIRUSES >- --lang "$LANGUAGES" >- Defaults to $QSLANG. >- --archive [yes|no|regex] Defaults to "no". Whether to archive mail after >- it as been processed. If "yes", all copies of >- processed mail will be moved into the maildir >- "$AS_QQ/$ARCHIVEDIR/". Any other string besides >- "yes" and "no" will be treated as a REGEX. Only mail >- from or to an address that contains that regex will >- be archived. e.g. "jhaar|harry" or "\@our.domain". >- Be careful with this option, a badly written regex >- will cause Qmail-Scanner to crash. >- --redundant [yes|no] Defaults to "yes". Whether or not to let the scanners >- also scan any zip files and the original "raw" Email >- file. >- --log-details [yes|syslog|no] Whether or not to log to mailstats.csv/via >- syslog the attachment structure of every Email >- message. Logs to "syslog" by default. >- --log-crypto [yes|no] Defaults to "no". Whether or not to log the presence >- of cryptographic (both signing and encrypting) >- technologies in the "log-details". Q-S can flag >- PGP, S/MIME and password-protected zip files. This >- is informational logging only. >- --fix-mime [yes|no|num] Defaults to "yes". Whether or not to attempt to >- "fix" broken MIME messages before doing anything >- else. Should be safe, but *may* break some >- strange, old mailers (none known yet). If you see blocks >- occurring due to this setting, try "--fix-mime 1" first >- before "--fix-mime no". >- --ignore-eol-check [yes|no] Defaults to "no". 
Making this "yes" stops Qmail-Scanner >- from treating "\r" or "\0" chars in the headers of >- MIME mail messages as being suspicious enough to quarantine >- mail over. Some sites receive so much broken e-mail that this >- option has been created so that they can still receive such >- messages without having to be as drastic as to "--fix-mime no" >- - which disables all sorts of other good stuff. Use only if you >- have to. >- >- --add-dscr-hdrs [yes|no|all] Defaults to "no". This adds the now old-fashion >- X-Qmail-Scanner headers to the message. "all" adds >- the "rcpt to" headers too - this is a privacy hole. >- --debug [yes|no] Whether or not debugging is turned on. On (yes) >- by default. Can be also set to a number. Numbers >- over 100 cause Q-S to not cleanup working files >- - thus allowing for offline debugging... >- --unzip [yes|no] Whether or not to forcibly unzip all zip files. Off >- by default as most AV's do unzip'ping themselves. >- --max-zip-size [number] Defaults to 1 Gbytes. >- This setting allows you to control the maximum size you >- are willing to allow zip file attachments to unpack to. >- This is to enable you to limit DoS attacks against your >- Qmail-Scanner installation (someone could send you a small zip >- file that unpacks to Gbytes of useless files - filling your harddisk). >- Set to whatever value you think is appropriate for your system. The >- default value of 1Gb is set so large so as not to assume anything about >- your system - YOU WILL NEED TO SET THIS VALUE IN ORDER TO GAIN ANY >- PROTECTION. Something like "100000000" (100 Mb) might be appropriate. >- --block-password-protected [yes|no] Defaults to "no". Setting this to "yes" allows >- you to quarantine any incoming zip files that are password >- protected. This is primarily to stop viruses such as Bagle which >- arrive within a password-protected zip file. 
>- --batch Do not confirm configure information (mainly for scripting) >- --install Create directory paths, install perl script, >- and change ownerships to match. >- --mime-unpacker "reformime" Defaults to reformime. >+ Defaults to "auto" - will use whatever scanners are found >+ on system. >+ Use this option to override "auto" - set to one or more >+ of the following: >+ >+ [auto|none|$SUPPORTED_SCANNERS] >+ >+ Note the special-case "none". This will disable all but >+ the internal perlscanner module. >+ >+ --skip-text-msgs [yes|no] (defaults to "yes") >+ Q-S will skip running any anti-virus scanner on any messages >+ it works out are text-only. i.e. don't have any attachments. >+ Set to "no" if you want them to be scanned anyway. >+ >+ --notify [none|sender|recips|precips|admin|nmladm|nmlvadm|all] (defaults to "$NOTIFY_ADDRESSES") >+ Comma-separated list (no spaces!) of addresses to which >+ alerts should be sent to. "nmladm" means only notify >+ admin for "user infections", >+ i.e. non-mailing-list mail. >+ "nmlvadm" is the same as nmladm - except that it also doesn't >+ notify for viral e-mails. >+ i.e. just "policy" quarantines get e-mails. >+ This allows you to still notify people when an e-mail is >+ blocked due to a policy decision (such as blocking >+ password-protected zip files), but a message tagged as viral >+ by an AV system will *not* trigger notification. >+ Similarly, "psender"/"precips" means notify the >+ sender/recips only if their e-mail was blocked for policy >+ reasons. i.e. if an AV system found a virus, then don't >+ notify the sender/recip as the address was probably forged. >+ >+ --local-domains "one.domain,two.domain" >+ Defaults to the value of the "--domain" setting. >+ Comma-separated list (no spaces!) of domains that are >+ classified as "local". This is needed to ensure alerts >+ are only sent to local users and not remote when >+ '--notify "*recips"' is chosen. 
This will drastically >+ reduce the chance of alerts being sent to mailing-lists. >+ >+ --silent-viruses "virus1,virus2" (defaults to "auto") >+ This option allows you to tell Qmail-Scanner *not* to >+ notify senders when it quarantines one of these viruses. >+ Viruses such as Klez alter the sender address so that it >+ has no relation to the actual sender - so there's no point >+ in responding to Klez messages - it just confuses people. >+ The admin and recips will still be notified as set >+ by "--notify". Use this option to override "auto". >+ By default this is set to: >+ "$SILENT_VIRUSES" >+ >+ --lang <lang> (defaults to "$QSLANG") >+ "$LANGUAGES" >+ >+ --archive [yes|no|regex] (defaults to "no") >+ Whether to archive mail after it as been processed. >+ If "yes", all copies of processed mail will be moved into >+ the maildir "$AS_QQ/$ARCHIVEDIR/". >+ Any other string besides "yes" and "no" will be treated >+ as a REGEX. Only mail from or to an address that contains >+ that regex will be archived. e.g. "jhaar|harry" or >+ "\@our.domain". >+ Be careful with this option, a badly written regex >+ will cause Qmail-Scanner to crash. >+ >+ --redundant [yes|no] (defaults to "yes") >+ Whether or not to let the scanners also scan any zip files >+ and the original "raw" Email file. >+ >+ --unzip [yes|no] (defaults to "no" - off) >+ Whether or not to forcibly unzip all zip files. >+ Off by default as most AV's do unzip'ping themselves. >+ >+ --max-zip-size [number-bytes] (defaults to 1 Gbytes) >+ This setting allows you to control the maximum size you >+ are willing to allow zip file attachments to unpack to. >+ This is to enable you to limit DoS attacks against your >+ Qmail-Scanner installation (someone could send you a small >+ zip file that unpacks to Gbytes of useless files - filling >+ your harddisk). Set to whatever value you think is >+ appropriate for your system. 
The default value of 1Gb is >+ set so large so as not to assume anything about your >+ system - YOU WILL NEED TO SET THIS VALUE IN ORDER TO GAIN >+ ANY PROTECTION. >+ Something like "100000000" (100 Mb) might be appropriate. >+ >+ --block-password-protected [yes|no] (defaults to "no") >+ Setting this to "yes" allows you to quarantine any >+ incoming zip files that are password protected. >+ This is primarily to stop viruses such as Bagle which >+ arrive within a password-protected zip file. >+ >+ --log-crypto [yes|no] (defaults to "no") >+ Whether or not to log the presence >+ of cryptographic (both signing and encrypting) >+ technologies in the "log-details". Q-S can flag >+ PGP, S/MIME and password-protected zip files. This >+ is informational logging only. >+ >+ --fix-mime [yes|no|num] (defaults to "2") >+ Whether or not to attempt to "fix" broken MIME messages >+ before doing anything else. Should be safe, but *may* break >+ some strange, old mailers (none known yet). If you see >+ blocks occurring due to this setting, try "--fix-mime 1" >+ first before "--fix-mime no". >+ Defaults to "2" enables a bunch of extra MIME checks that >+ have proven to be very useful. >+ >+ --ignore-eol-check [yes|no] (defaults to "no") >+ Making this "yes" stops Qmail-Scanner >+ from treating "\r" or "\0" chars in the headers of >+ MIME mail messages as being suspicious enough to quarantine >+ mail over. Some sites receive so much broken e-mail that this >+ option has been created so that they can still receive such >+ messages without having to be as drastic as to "--fix-mime no" >+ which disables all sorts of other good stuff. >+ Use only if you have to. >+ >+ --add-dscr-hdrs [yes|no|all] (defaults to "no") >+ This adds the now old-fashion X-Qmail-Scanner headers to >+ the message. "all" adds the "rcpt to" headers too - this is >+ a privacy hole. >+ >+ --dscr-hdrs-text <"Descrip-Headers-Text"> (defaults to "X-Qmail-Scanner") >+ Input must be quoted. >+ i.e. 
--dscr-hdrs-text "X-Antivirus-MYDOMAIN" >+ >+ --log-details [yes|syslog|no] (defaults to "syslog") >+ Whether or not to log to mailstats.csv/via syslog the >+ attachment structure of every Email message. >+ >+ --debug [yes|no] (defaults to "no" - off) >+ Whether or not debugging is turned on. Can be also set to >+ a number. Numbers over 100 cause Q-S to not cleanup working >+ files. Thus allowing for offline debugging... >+ >+ --minidebug [yes|no|1|2] (default: 1) >+ Logs only important information, mail headers, blocks, >+ errors and elapsed time. If set to 2, it will log the >+ parent pid (ppid) and the message size. >+ >+ >+ --qms-log [yes|no] (default: yes) >+ Whether or not event logging is turned on. On (yes) >+ by default. Useful for qmail-scanner statistics. >+ >+ --qms-monitor [yes|no] (default: no) >+ Whether or not qms-monitor Account Monitoring is turned on. >+ >+ --qms-monitor-accts ["acct1@domain2.com,acct2@domain3.com"] >+ List of email accounts to be monitored. >+ >+ --qms-monitor-dests ["monitor.domain.com/acct1.domain2/Maildir/new, >+ monitor.domain.com/acct2.domain3/Maildir/new"] >+ List of destination paths for monitored email messages. >+ Note 1: locations here will be saved underneath >+ .../qmailscan/qms-monitor; a cron job can later >+ copy from that location to an alternate email >+ domain used for account monitoring. >+ Note 2: each entry in this array corresponds to the email >+ address in the same location of the >+ qms-monitor-accts list above - i.e., >+ qms-monitor-accts[2] msgs get stored at >+ qms-monitor-dests[2] - thus, ORDER DOES MATTER. >+ Note 3: DO NOT include a leading "/" on these paths - >+ they will typically be entries that ultimately >+ belong in /home/vpopmail/domains - i.e., starting >+ with the domain name. >+ >+ --batch >+ Do not confirm configure information (mainly for scripting) >+ >+ --install >+ Create directory paths, install perl script, and >+ change ownerships to match. 
>+ >+ --mime-unpacker "reformime" (defaults to reformime) >+ >+ >+ --scanners-per-domain [yes|no] (defaults to "no") >+ Enable or disable the domain-wise mode, each user/domain >+ will have a customized @scanner_array. If the user/domain >+ haven't a custom @scanner_array, qmail-scanner will fall >+ to the @scanners_default array. >+ >+ --virus-to-delete [yes|no] (defaults to "no") >+ Enable this option if you want to delete some viruses >+ (i.e. mydoom) without notifying anyone. If you don't enable >+ it now, you can later edit qmail-scanner-queue.pl and add >+ the virus you want to the list virus_to_delete. >+ >+ --sa-delta [num] (default: 0) >+ If $spamc_subject is defined, and fast_spamassassin mode is >+ selected, a tag will be added to the subject indicating how >+ the message is to be considered as spam, in this way: >+ LOW: required_hits < score < required_hits + sa_delta >+ MEDIUM: required_hits + sa_delta < score < required_hits + 2 * sa_delta >+ HIGH: required_hits + 2 * sa_delta < score >+ Be aware, sa_max+2*sa_delta must be lower than sa_quarantine. >+ 'required_hits' is the value set in the SpamAssassin >+ configuration file. >+ >+ --sa-subject <"some text"> (defaults to nothing) >+ This is an alternative way to set the tag that qmail-scanner >+ add to subject of spam mails, to some text. >+ Spamassassin must be working in *fast_spamassassin* mode >+ Be sure that is better to tag the subject, of spam messages, >+ through qmail-scanner than with the rewrite_subject >+ of SpamAssassin. >+ The input must be quoted i.e. "SPAM *** ". >+ >+ --sa-forward <username@domain> (defaults to nothing) >+ User to redirect spam mails 'being quarantined' for >+ admin purposes... >+ The message is forwarded almost unmodified so you can >+ use 'sa-learn' with them. >+ If you prefer that the message includes the spam headers >+ enable the next option. >+ (i.e. 
--sa-forward antispam@mydomain.com) >+ >+ --sa-fwd-verbose [yes|no] (default: no) >+ Whether to add the X-Spam headers to the forwarded message. >+ >+ --sa-quarantine [num] (default: 0) >+ Spam messages with a score higher than >+ (required_hits + sa_quarantine) should be quarantined. >+ Only relevant if SpamAssassin is used. >+ Score of 0 means deliver all messages. >+ >+ --sa-delete [num] (default: 0) >+ Spam messages with a score higher than >+ (required_hits + sa_delete) should be deleted. >+ Only relevant if SpamAssassin is used. >+ Score of 0 means deliver all messages. >+ >+ --sa-reject [yes|no] (default: no) >+ If you enable sa-reject and sa-delete is properly set, >+ messages with a score higher than sa-delete will be rejected >+ before the smtp session is closed. Otherwise they are just >+ dropped silently. (1/0) >+ >+ --sa-alt [yes|no] (default: no) >+ Use the alternative subroutine for spamassassin, it runs in >+ *fast_spamassassin* mode and doesn't pass the '-u' option >+ to spamc. (1/0) >+ >+ --sa-debug [yes|no] (default: no) >+ If sa-alt is enabled an you enable this option, you will >+ have a beautiful log with the tests and the scores of >+ spamassassin in the file qmail-queue.log (1/0) >+ >+ --sa-report [yes|no] (default: no) >+ If sa-alt and sa-debug are enabled you can add >+ the X-Spam-Report header to the messages enabling >+ this option. >+ >+ --sa-socket <path to spamd socket> (defaults to nothing) >+ Actually the configure script can automatically discover >+ if spamd is running in unix-socket mode, but, >+ if for some reasson the socket couldn't be >+ found properly you can set the path with this option. >+ i.e. --sa-socket /var/run/spamd > > **************** > Rarely Used > **************** > >- --no-QQ-check Do not check that the QMAILQUEUE patch is installed. >- This explicitly disables any "--install" reference >- as that is NOT POSSIBLE with a manual install. >- Use ONLY IF YOU MUST. The QMAILQUEUE patch is REALLY >- a GOOD THING!!!! 
>- >- --skip-setuid-test don't test for setuid perl. Only of use for those wanting >- to run the C-wrapper version. >- >- --qmail-queue-binary Set this to the FULL PATH to the Qmail qmail-queue >- binary. This is only EVER set when doing a manual >- install. >+ --no-QQ-check >+ Do not check that the QMAILQUEUE patch is installed. >+ This explicitly disables any "--install" reference >+ as that is NOT POSSIBLE with a manual install. >+ Use ONLY IF YOU MUST. The QMAILQUEUE patch is REALLY >+ a GOOD THING!!!! >+ >+ --skip-setuid-test >+ don't test for setuid perl. Only of use for those wanting >+ to run the C-wrapper version. >+ >+ --qmail-queue-binary >+ Set this to the FULL PATH to the Qmail qmail-queue >+ binary. This is only EVER set when doing a manual install. > > > This script must be run as root so it can detect problems with setuid > perl scripts! > >-invalid option: $1 >+invalid option: $1 [ --help is a valid option ;-) ] > > See above for the valid options 
> >@@ -298,23 +513,36 @@ > shift > done > >-DD="`id $QS_USER 2>/dev/null`" >+if [ "$QS_GROUP" = "" ]; then QS_GROUP=$QS_USER ; fi > >-if [ "$?" -ne 0 -o "$DD" = "" ]; then >- cat<<EOF >+UU=`grep "^$QS_USER" /etc/passwd | sed -e "s/^\$QS_USER:.*$/\$QS_USER/"` >+GG=`grep "^$QS_GROUP" /etc/group | sed -e "s/^\$QS_GROUP:.*$/\$QS_GROUP/"` >+ >+if [ "$UU" = "" -o "$GG" = "" ]; then >+echo " >+###################################################### >+Fatal Error: Qmail-Scanner must be installed and run as >+a separate account. > >-Fatal Error: Qmail-Scanner must be installed and run as a separate >-account. >+" >+ if [ "$GG" = "" ]; then >+echo "group '$QS_GROUP' doesn't exist, please create it. e.g. > >-Please create the username and group "$QS_USER" before continuing. >+groupadd $QS_GROUP > >-e.g. >+" >+ fi > >-groupadd $QS_USER >-useradd -c "Qmail-Scanner Account" -g $QS_USER -s /bin/false $QS_USER >+ if [ "$UU" = "" ]; then >+echo "user '$QS_USER' doesn't exist, please create it. e.g. > >-EOF >- exit 1 >+useradd -c \"Qmail-Scanner Account\" -g $QS_GROUP -d $AS_QQ -s /bin/false $QS_USER >+" >+ fi >+ >+echo "###################################################### >+" >+exit 1 > fi > > #Reset these Qmail vars again so that any changes made during configure time >@@ -330,12 +558,12 @@ > if [ "$FIND_SILENT_VIRUSES" != "" ]; then > FIND_SILENT_VIRUSES="`echo $FIND_SILENT_VIRUSES|sed -e 's/\"//g' -e 's/ //g'`" > if [ "$FIND_SILENT_VIRUSES" != "" ]; then >- VLA="" >- for virus in `echo $FIND_SILENT_VIRUSES|sed 's/,/ /g'` >- do >- VLA="$VLA,'$virus'" >- done >- FIND_SILENT_VIRUSES_ARRAY="`echo $VLA|sed 's/^,//g'`" >+ VLA="" >+ for virus in `echo $FIND_SILENT_VIRUSES|sed 's/,/ /g'` >+ do >+ VLA="$VLA,'$virus'" >+ done >+ FIND_SILENT_VIRUSES_ARRAY="`echo $VLA|sed 's/^,//g'`" > fi > fi 
> >@@ -413,11 +641,12 @@ > exit > fi > fi >+echo -n "Searching ." > PATH="$PATH:$QMAILDIR/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/etc/iscan:/usr/local/uvscan:/usr/lib/AntiVir:/usr/lib/uvscan:/usr/local/av:/opt/AV:/opt/AVP:/usr/local/f-prot:/usr/local/rav8/bin:/usr/lib/Vexira:/opt/bdc:/opt/kav/bin:/usr/local/nod32" export PATH > > if [ "$MIME_UNPACKER" != "" ]; then >- if [ "`echo $MIME_UNPACKER |egrep -v '^(reformime|ripmime)$'`" != "" ]; then >- cat<<EOF >+ if [ "`echo $MIME_UNPACKER |egrep -v '^(reformime|ripmime)$'`" != "" ]; then >+ cat<<EOF > > > ************************* >@@ -431,10 +660,10 @@ > > ************************** > EOF >- exit >- fi >+ exit >+ fi > else >- MIME_UNPACKER="reformime" >+ MIME_UNPACKER="reformime" > fi > > NOTIFY_ADDRESSES="`echo $NOTIFY_ADDRESSES|sed -e 's/\"//g' -e 's/ //g'`" >@@ -446,8 +675,8 @@ > if [ "$NOTIFY_ADDRESSES" ]; then > for addr in `echo $NOTIFY_ADDRESSES|sed 's/,/ /g'` > do >- if [ "`echo $addr|egrep -v '^(admin|nmladm|nmlvadm|none|sender|psender|recips|precips|all)$'`" != "" ]; then >- cat<<EOF >+ if [ "`echo $addr|egrep -v '^(admin|nmladm|nmlvadm|none|sender|psender|recips|precips|all)$'`" != "" ]; then >+ cat<<EOF > > > ************************* >@@ -468,13 +697,13 @@ > > ************************** > EOF >- exit >- fi >+ exit >+ fi > done > fi > > >- >+echo -n "." > #Check out command line > > SCANNERS=`echo $FIND_SCANNERS|sed -e 's/^_ //' -e 's/ _$//'` >@@ -489,7 +718,7 @@ > DD="`mktemp -d 1234.XXXXXX 2>&1`" > if [ "`ls 1234.* 2>/dev/null`" != "" ]; then > if test -d "$DD" ; then >- TMP_DIR="`mktemp -d /tmp/mkt_qs.XXXXXX`" >+ TMP_DIR="`mktemp -d /tmp/mkt_qs.XXXXXX`" > fi > fi > if [ "$TMP_DIR" = "" ]; then 
>@@ -506,418 +735,463 @@ > #Let's create a test EICAR virus to ensure > #the installed virus scanners are working > echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > $TMP_DIR/eicar.com >-chown $QS_USER:$QS_USER $TMP_DIR/eicar.com >+chown $QS_USER:$QS_GROUP $TMP_DIR/eicar.com > chmod 644 $TMP_DIR/eicar.com > > > for dir in `echo $PATH|sed 's/:/ /g'` > do >+ echo -n "." > if test -x $dir/perl > then >- PERLRELEASE_DETAILS=${PERLRELEASE_DETAILS:-`$dir/perl -V 2>&1|grep perl5 |head -1`} >- if [ "$?" = "0" ]; then >- PERL5="${PERL5:-$dir/perl}" >- fi >+ PERLRELEASE_DETAILS=${PERLRELEASE_DETAILS:-`$dir/perl -V 2>&1|grep perl5 |head -1`} >+ if [ "$?" = "0" ]; then >+ PERL5="${PERL5:-$dir/perl}" >+ fi > fi > if test -x $dir/suidperl > then >- SUIDPERL="${SUIDPERL:-$dir/suidperl}" >+ SUIDPERL="${SUIDPERL:-$dir/suidperl}" > fi > if test -x $dir/rm ; then RM_BINARY="${RM_BINARY:-$dir/rm}" ; fi > if test -x $dir/grep ; then GREP_BINARY="${GREP_BINARY:-$dir/grep}" ; fi > if test -x $dir/hostname > then >- HOST="${HOST:-`$dir/hostname`}" >+ HOST="${HOST:-`$dir/hostname`}" > fi > if test -x $dir/uname > then >- UNAME="${UNAME:-`$dir/uname -n`}" >+ UNAME="${UNAME:-`$dir/uname -n`}" > fi > > if test -x $dir/qmail-inject > then >- QMAILINJECT_BIN="${QMAILINJECT_BIN:-$dir/qmail-inject}" >+ QMAILINJECT_BIN="${QMAILINJECT_BIN:-$dir/qmail-inject}" > fi > > if test -x $dir/qmail-queue > then >- QMAILQUEUE_BIN="${QMAILQUEUE_BIN:-$dir/qmail-queue}" >+ QMAILQUEUE_BIN="${QMAILQUEUE_BIN:-$dir/qmail-queue}" > fi > > if test -x $dir/qmail-smtpd > then >- QMAILSMTPD="${QMAILSMTPD:-$dir/qmail-smtpd}" >+ QMAILSMTPD="${QMAILSMTPD:-$dir/qmail-smtpd}" > fi > > if test -x $dir/setuidgid > then >- SETUIDGID="${SETUIDGID:-$dir/setuidgid}" >+ SETUIDGID="${SETUIDGID:-$dir/setuidgid}" > fi > if test -x $dir/strings > then >- STRINGS="${STRINGS:-$dir/strings}" >+ STRINGS="${STRINGS:-$dir/strings}" > fi > > if [ "$MIME_UNPACKER" = "reformime" ]; then > if test -x $dir/reformime > 
then >- UNMIME_BINARY="${UNMIME_BINARY:-$dir/reformime}" >+ UNMIME_BINARY="${UNMIME_BINARY:-$dir/reformime}" > DD=`reformime -s1.2 -xTEST- < ./contrib/reformime-test.eml` >- if [ "`grep hello TEST-hello.txt`" = "" ]; then >- echo "** FATAL ERROR ***" >- echo "" >- echo "$UNMIME_BINARY contains bugs. Please upgrade to a release" >- echo "that post-dates Mar 22 2002 (e.g. 1.3.8)" >- echo "" >- rm -f TEST-hello.txt >- exit 1 >- fi >- rm -f TEST-hello.txt >+ if [ "`grep hello TEST-hello.txt`" = "" ]; then >+ echo "** FATAL ERROR ***" >+ echo "" >+ echo "$UNMIME_BINARY contains bugs. Please upgrade to a release" >+ echo "that post-dates Mar 22 2002 (e.g. 1.3.8)" >+ echo "" >+ rm -f TEST-hello.txt >+ exit 1 >+ fi >+ rm -f TEST-hello.txt > fi > if test -x $dir/maildrop > then >- MAILDROP_BINARY="${MAILDROP_BINARY:-$dir/maildrop}" >+ MAILDROP_BINARY="${MAILDROP_BINARY:-$dir/maildrop}" > fi > #Note that TNEF is only defined if using reformime as > #ripmime does TNEF support internally > if test -x $dir/tnef > then >- TNEF_BINARY="${TNEF_BINARY:-$dir/tnef}" >- #There's a LOCALE bug in uudecode - workaround... >- if [ "`$TNEF_BINARY --help 2>&1|grep number-backups`" = "" ]; then >- TNEF_BINARY="" >- cat<<EOF >+ TNEF_BINARY="${TNEF_BINARY:-$dir/tnef}" >+ #There's a LOCALE bug in uudecode - workaround... >+ if [ "`$TNEF_BINARY --help 2>&1|grep number-backups`" = "" ]; then >+ TNEF_BINARY="" >+ cat<<EOF > > Old tnef binary found on your system! > > Please upgrade ASAP to a version supporting the "--number-backups" option. > > EOF >- exit 1 >- fi >+ exit 1 >+ fi > fi > fi > if [ "$MIME_UNPACKER" = "ripmime" ]; then > if test -x $dir/ripmime > then >- UNMIME_BINARY="${UNMIME_BINARY:-$dir/ripmime}" >+ UNMIME_BINARY="${UNMIME_BINARY:-$dir/ripmime}" > DD=`ripmime -i - < ./contrib/reformime-test.eml` >- if [ "`grep hello hello.txt`" = "" ]; then >- echo "** FATAL ERROR ***" >- echo "" >- echo "$UNMIME_BINARY contains bugs. Please upgrade to a newer release." 
>- echo "" >- rm -f hello.txt textfile* >- exit 1 >- fi >- rm -f hello.txt textfile* >+ if [ "`grep hello hello.txt`" = "" ]; then >+ echo "** FATAL ERROR ***" >+ echo "" >+ echo "$UNMIME_BINARY contains bugs. Please upgrade to a newer release." >+ echo "" >+ rm -f hello.txt textfile* >+ exit 1 >+ fi >+ rm -f hello.txt textfile* > fi > fi > if test -x $dir/unzip > then >- UNZIP_BINARY="${UNZIP_BINARY:-$dir/unzip}" >- #Now check for password support >- UNZIP_PASSWD="xx${RANDOM}$$xx" >- DD=`unzip -Ptest -t contrib/test_password.zip 2>&1|egrep 'testing:.*OK'` >- if [ "$DD" != "" ]; then >- UNZIP_OPTIONS="-P$UNZIP_PASSWD" >- else >- UNZIP_OPTIONS="" >- fi >- #Now check we can get filesizes out >- EE=`unzip -Ptest -lv contrib/test_password.zip 2>&1|egrep '80688.*test/ls'` >- if [ "$EE" = "" ]; then >- echo "**FATAL ERROR ***" >- echo "" >- echo "$UNZIP_BINARY doesn't support the \"-lv\" option to view file details" >- echo "" >- echo "Please upgrade to another version of unzip" >- echo "" >- exit 1 >- fi >+ UNZIP_BINARY="${UNZIP_BINARY:-$dir/unzip}" >+ #Now check for password support >+ UNZIP_PASSWD="xx${RANDOM}$$xx" >+ DD=`unzip -Ptest -t contrib/test_password.zip 2>&1|egrep 'testing:.*OK'` >+ if [ "$DD" != "" ]; then >+ UNZIP_OPTIONS="-P$UNZIP_PASSWD" >+ else >+ UNZIP_OPTIONS="" >+ fi >+ #Now check we can get filesizes out >+ EE=`unzip -Ptest -lv contrib/test_password.zip 2>&1|egrep '80688.*test/ls'` >+ if [ "$EE" = "" ]; then >+ echo "**FATAL ERROR ***" >+ echo "" >+ echo "$UNZIP_BINARY doesn't support the \"-lv\" option to view file details" >+ echo "" >+ echo "Please upgrade to another version of unzip" >+ echo "" >+ exit 1 >+ fi > fi > > if test -x $dir/uvscan > then >- if [ "`echo $FIND_SCANNERS|grep ' uvscan '`" != "" -a "$UVSCAN" = "" ]; then >- if [ "`$dir/uvscan -r --secure --fam --unzip --macro-heuristics -v $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- UVSCAN="${UVSCAN:-$dir/uvscan}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`echo 
$FIND_SCANNERS|grep ' uvscan '`" != "" -a "$UVSCAN" = "" ]; then >+ if [ "`$dir/uvscan -r --secure --fam --unzip --macro-heuristics -v $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ UVSCAN="${UVSCAN:-$dir/uvscan}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > uvscan" >- fi >- fi >+ fi >+ fi > fi > if test -x $dir/csav > then >- if [ "`echo $FIND_SCANNERS|grep ' csav '`" != "" -a "$CSAV" = "" ]; then >- if [ "`$dir/csav -list -nomem -packed -archive -noboot $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- CSAV="${CSAV:-$dir/csav}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`echo $FIND_SCANNERS|grep ' csav '`" != "" -a "$CSAV" = "" ]; then >+ if [ "`$dir/csav -list -nomem -packed -archive -noboot $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ CSAV="${CSAV:-$dir/csav}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > csav" >- fi >- fi >+ fi >+ fi > fi > if [ "`echo $FIND_SCANNERS|grep ' sophie '`" != "" -a "$SOPHIE" = "" ]; then > if test -x $dir/sophie > then >- SOCKET="`$dir/sophie -d -f README 2>&1|grep 'Socket path'|awk '{print $NF}'|sed 's/\"//g'`" >- if [ "$SOCKET" != "" ]; then >- DD= >- if [ "`perl ./contrib/test-sophie.pl -s $SOCKET -f $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- SOPHIE="${SOPHIE:-$dir/sophie}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ SOCKET="`$dir/sophie -d -f README 2>&1|grep 'Socket path'|awk '{print $NF}'|sed 's/\"//g'`" >+ if [ "$SOCKET" != "" ]; then >+ DD= >+ if [ "`perl ./contrib/test-sophie.pl -s $SOCKET -f $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ SOPHIE="${SOPHIE:-$dir/sophie}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > sophie" >- SSOCKET="$SOCKET" >- else >- echo " >-Something like sophie for Sophos detected - but is not correctly installed or operational. >+ SSOCKET="$SOCKET" >+ else >+ echo " >+Something like sophie for Sophos detected - but is not correctly installed or >+operational. 
> Please read Q-S FAQ if you want it - especially check that sophie daemon > can read files owned by $QS_USER (i.e. run it as $QS_USER). > ". >- fi >- fi >+ fi >+ fi > fi > fi > if [ "`echo $FIND_SCANNERS|egrep ' (sophie|sweep) '`" != "" ]; then > if test -x $dir/sweep > then >- if [ "`$dir/sweep -h 2>&1|grep LAM`" = "" -a "$SWEEP" = "" ]; then >- if [ "`$dir/sweep -f -eec -all -sc -nc -ss -nb -archive $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- SWEEP="${SWEEP:-$dir/sweep}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`$dir/sweep -h 2>&1|grep LAM`" = "" -a "$SWEEP" = "" ]; then >+ if [ "`$dir/sweep -f -eec -all -sc -nc -ss -nb -archive $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ SWEEP="${SWEEP:-$dir/sweep}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > sweep" >- fi >- if [ "$SAV_IDE" = "" ]; then >- if [ ! -f "/etc/sav.conf" ]; then >- if [ -d "/usr/local/sophos" ]; then >- SAV_IDE="/usr/local/sophos" >- fi >- if [ -d "/usr/local/sav" ]; then >- SAV_IDE="/usr/local/sav" >- fi >- else >- SAV_IDE_CONF="1" >- fi >- fi >- fi >+ fi >+ if [ "$SAV_IDE" = "" ]; then >+ if [ ! 
-f "/etc/sav.conf" ]; then >+ if [ -d "/usr/local/sophos" ]; then >+ SAV_IDE="/usr/local/sophos" >+ fi >+ if [ -d "/usr/local/sav" ]; then >+ SAV_IDE="/usr/local/sav" >+ fi >+ else >+ SAV_IDE_CONF="1" >+ fi >+ fi >+ fi > fi > fi > if [ "`echo $FIND_SCANNERS|grep ' trophie '`" != "" -a "$TROPHIE" = "" ]; then > if test -x $dir/trophie > then >- SOCKET="`$dir/trophie -d -f README 2>&1|grep 'Socket path'|awk '{print $NF}'|sed 's/\"//g'`" >- if [ "$SOCKET" != "" ]; then >- if [ "`perl ./contrib/test-trophie.pl -s $SOCKET -f $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- TROPHIE="${TROPHIE:-$dir/trophie}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ SOCKET="`$dir/trophie -d -f README 2>&1|grep 'Socket path'|awk '{print $NF}'|sed 's/\"//g'`" >+ if [ "$SOCKET" != "" ]; then >+ if [ "`perl ./contrib/test-trophie.pl -s $SOCKET -f $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ TROPHIE="${TROPHIE:-$dir/trophie}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > trophie" >- TSOCKET="$SOCKET" >- else >- echo " >-Something like trophie for Trend detected - but is not correctly installed or operational. >+ TSOCKET="$SOCKET" >+ else >+ echo " >+Something like trophie for Trend detected - but not correctly installed >+or operational. > Please read Q-S FAQ if you want it - especially check that trophie daemon > can read files owned by $QS_USER (i.e. run it as $QS_USER). > ". 
>- fi >- fi >+ fi >+ fi > fi > fi > if [ "`echo $FIND_SCANNERS|egrep ' (vscan|trophie) '`" != "" -a "$ISCAN" = "" ]; then > if test -x $dir/vscan > then >- if [ "`$dir/vscan -p/etc/iscan/ -za -a -u -nl -v $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`$dir/vscan -p/etc/iscan/ -za -a -u -nl -v $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > vscan" >- ISCAN="${ISCAN:-$dir/vscan}" >- fi >+ ISCAN="${ISCAN:-$dir/vscan}" >+ fi > fi > fi > if [ "`echo $FIND_SCANNERS|grep ' antivir '`" != "" -a "$HBEDV" = "" ]; then > if test -x $dir/antivir > then >- if [ "`$dir/antivir -allfiles -s -tmp. -z -v $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- HBEDV="${HBEDV:-$dir/antivir}" >- HBEDV_OPTIONS="-allfiles -s -tmp. -z -v" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`$dir/antivir -allfiles -s -tmp. -z -v $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ HBEDV="${HBEDV:-$dir/antivir}" >+ HBEDV_OPTIONS="-allfiles -s -tmp. -z -v" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > antivir" >- elif [ "`$dir/antivir -allfiles -s -tmp. -v $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- HBEDV="${HBEDV:-$dir/antivir}" >- HBEDV_OPTIONS="-allfiles -s -tmp. -v" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ elif [ "`$dir/antivir -allfiles -s -tmp. -v $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ HBEDV="${HBEDV:-$dir/antivir}" >+ HBEDV_OPTIONS="-allfiles -s -tmp. 
-v" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > antivir" >- fi >+ fi > fi > fi > if test -x $dir/kavscanner > then >- if [ "`echo $FIND_SCANNERS|grep ' kavscanner '`" != "" -a "$AVPSCAN" = "" ]; then >- if [ "`$dir/kavscanner $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- AVPSCAN="${AVPSCAN:-$dir/kavscanner}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`echo $FIND_SCANNERS|grep ' kavscanner '`" != "" -a "$AVPSCAN" = "" ]; then >+ if [ "`$dir/kavscanner $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ AVPSCAN="${AVPSCAN:-$dir/kavscanner}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > kavscanner" >- fi >- fi >+ fi >+ fi > else > if test -x $dir/AvpLinux >- then >- if [ "`echo $FIND_SCANNERS|grep ' AvpLinux '`" != "" -a "$AVPSCAN" = "" ]; then >- if [ "`$dir/AvpLinux -Y $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- AVPSCAN="${AVPSCAN:-$dir/AvpLinux}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ then >+ if [ "`echo $FIND_SCANNERS|grep ' AvpLinux '`" != "" -a "$AVPSCAN" = "" ]; then >+ if [ "`$dir/AvpLinux -Y $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ AVPSCAN="${AVPSCAN:-$dir/AvpLinux}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > AvpLinux" >- fi >- fi >- fi >+ fi >+ fi >+ fi > fi > if test -x $dir/kavdaemon > then > if [ "`echo $FIND_SCANNERS|grep ' kavdaemon '`" != "" -a "$AVPDAEMON" = "" ]; then >- if test -f "sub-avpdaemon.pl" >- then >- if [ "`$dir/kavdaemon $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- AVPSCAN="" >- AVPDAEMON="${AVDAEMON:-$dir/kavdaemon}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if test -f "sub-avpdaemon.pl" >+ then >+ if [ "`$dir/kavdaemon $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ AVPSCAN="" >+ AVPDAEMON="${AVDAEMON:-$dir/kavdaemon}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > kavdaemon" >- fi >- fi >+ fi >+ fi > fi > else > if test -x $dir/AvpDaemonClient > then >- if [ "`echo $FIND_SCANNERS|grep ' AvpDaemonClient '`" != "" -a "$AVPDAEMON" = "" ]; then >- if test -f 
"sub-avpdaemon.pl" >- then >- if [ "`$dir/AvpDaemonClient $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- AVPSCAN="" >- AVPDAEMON="${AVDAEMON:-$dir/AvpDaemonClient}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`echo $FIND_SCANNERS|grep ' AvpDaemonClient '`" != "" -a "$AVPDAEMON" = "" ]; then >+ if test -f "sub-avpdaemon.pl" >+ then >+ if [ "`$dir/AvpDaemonClient $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ AVPSCAN="" >+ AVPDAEMON="${AVDAEMON:-$dir/AvpDaemonClient}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > AvpDaemonClient" >- fi >- fi >- fi >+ fi >+ fi >+ fi > fi > fi > if test -x $dir/fsav > then > if [ "`echo $FIND_SCANNERS|grep ' fsav '`" != "" -a "$FSECURE" = "" ]; then >- if [ "`$dir/fsav --list --archive --auto --dumb $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- FSECURE="${FSECURE:-$dir/fsav}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`$dir/fsav --list --archive --auto --dumb $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ FSECURE="${FSECURE:-$dir/fsav}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > fsav" >- fi >- fi >+ fi >+ fi > fi > if test -x $dir/f-prot > then > if [ "`echo $FIND_SCANNERS|grep ' fprot '`" != "" -a "$FPROT" = "" ]; then >- if [ "`$dir/f-prot -ai -archive -dumb -list $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- FPROT="${FPROT:-$dir/f-prot}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`$dir/f-prot -ai -archive -dumb -list $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ FPROT="${FPROT:-$dir/f-prot}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > fprot" >- fi >- fi >+ fi >+ fi > fi > if test -x $dir/bdc > then > if [ "`echo $FIND_SCANNERS|grep ' bitdefender '`" != "" -a "$BITDEFENDER" = "" ]; then >- if [ "`$dir/bdc --all --alev=10 --flev=10 --arc --mail $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- BITDEFENDER="${BITDEFENDER:-$dir/bdc}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`$dir/bdc --all --alev=10 --flev=10 --arc --mail $TMP_DIR 2>&1|egrep 
-i 'virus|test'`" != "" ]; then >+ BITDEFENDER="${BITDEFENDER:-$dir/bdc}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > bdc" >- fi >- fi >+ fi >+ fi > fi > if test -x $dir/nod32cli > then >- if [ "`echo $FIND_SCANNERS|grep ' nod32 '`" != "" ]; then >- if [ "`$dir/nod32cli -r -p 8448 $TMP_DIR 2>&1|egrep -i 'infected'`" != "" ]; then >- NOD32="${NOD32:-$dir/nod32cli}" >- UPDNOD="${NOD32:-$dir/nod32upd}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`echo $FIND_SCANNERS|grep ' nod32 '`" != "" ]; then >+ if [ "`$dir/nod32cli -r -p 8448 $TMP_DIR 2>&1|egrep -i 'infected'`" != "" ]; then >+ NOD32="${NOD32:-$dir/nod32cli}" >+ UPDNOD="${NOD32:-$dir/nod32upd}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > nod32" >- fi >- fi >- fi >+ fi >+ fi >+ fi > if test -x $dir/inocucmd > then > if [ "`echo $FIND_SCANNERS|grep ' inocucmd '`" != "" -a "$INOCUCMD" = "" ]; then >- if [ "`$dir/inocucmd -SEC -NEX $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- INOCUCMD="${INOCUCMD:-$dir/inocucmd}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`$dir/inocucmd -SEC -NEX $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ INOCUCMD="${INOCUCMD:-$dir/inocucmd}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > inocucmd" >- fi >- fi >+ fi >+ fi > fi > # if test -x $dir/ravav > # then >-# if [ "`echo $FIND_SCANNERS|grep ' ravlin '`" != "" ]; then >-# if [ "`$dir/ravav --mail --archive --heuristics=on --all $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >-# RAVLIN="${RAVLIN:-$dir/ravav}" >-# INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+# if [ "`echo $FIND_SCANNERS|grep ' ravlin '`" != "" ]; then >+# if [ "`$dir/ravav --mail --archive --heuristics=on --all $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+# RAVLIN="${RAVLIN:-$dir/ravav}" >+# INSTALLED_SCANNERS="$INSTALLED_SCANNERS > #ravlin" >-# fi >-# fi >+# fi >+# fi > # fi > if test -x $dir/vexira > then >- if [ "`echo $FIND_SCANNERS|grep ' vexira '`" != "" -a "$VEXIRA" = "" ]; then >- if [ "`$dir/vexira --allfiles -s -z -nolnk 
-noboot -nombr -nodef -r1 $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- VEXIRA="${VEXIRA:-$dir/vexira}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`echo $FIND_SCANNERS|grep ' vexira '`" != "" -a "$VEXIRA" = "" ]; then >+ if [ "`$dir/vexira --allfiles -s -z -nolnk -noboot -nombr -nodef -r1 $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ VEXIRA="${VEXIRA:-$dir/vexira}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > vexira" >- fi >- fi >+ fi >+ fi > fi > if [ "`echo $FIND_SCANNERS|grep ' clamdscan '`" != "" -a "$CLAMDSCAN" = "" ]; then > if test -x $dir/clamdscan > then >- DD="`$dir/clamdscan -v $TMP_DIR 2>&1`|egrep -i 'virus|test'" >- if [ "$DD" != "" ]; then >- CLAMDSCAN="${CLAMDSCAN:-$dir/clamdscan}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ DD="`$dir/clamdscan -v $TMP_DIR 2>&1`|egrep -i 'virus|test'" >+ if [ "$DD" != "" ]; then >+ CLAMDSCAN="${CLAMDSCAN:-$dir/clamdscan}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > clamdscan" >- else >- echo " >+ else >+ echo " > Something like clamdscan for ClamAV detected - but not correctly installed. > Please read Q-S FAQ if you want it - especially check that clamd daemon > can read files owned by $QS_USER (i.e. make it run as $QS_USER). > ". 
>- fi >+ fi > fi > fi > if test -x $dir/clamscan > then >- if [ "`echo $FIND_SCANNERS|grep ' clamscan '`" != "" -a "$CLAMSCAN" = "" ]; then >- if [ "`$dir/clamscan -v $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >- CLAMSCAN="${CLAMSCAN:-$dir/clamscan}" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ if [ "`echo $FIND_SCANNERS|grep ' clamscan '`" != "" -a "$CLAMSCAN" = "" ]; then >+ if [ "`$dir/clamscan -v $TMP_DIR 2>&1|egrep -i 'virus|test'`" != "" ]; then >+ CLAMSCAN="${CLAMSCAN:-$dir/clamscan}" >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > clamscan" >- fi >- fi >+ fi >+ fi > fi > if [ "`echo $FIND_SCANNERS|grep spamassassin`" != "" -a "$SPAMASSASSIN_BINARY" = "" ]; then >- if test -x $dir/spamassassin >- then >- SPAMASSASSIN_BINARY="${SPAMASSASSIN_BINARY:-$dir/spamassassin}" >- fi >- if [ "$SPAMASSASSIN_BINARY" != "" -a -x "$dir/spamc" -a "$SPAMC_BINARY" = "" ] >- then >- #Test it out >- if [ "`$dir/spamc -h 2>&1|grep 'spamd'`" != "" ] ;then >- SPAMC_BINARY="${SPAMC_BINARY:-$dir/spamc}" >- >- #Test to see if spamc is calling Unix sockets instead of TCP >- SPAMD_SOCKET=`ps -ef 2>/dev/null|egrep 'spamd.*socket'|grep -v grep|sed -e 's/^.*socketpath=//'|awk '{print $1}'` >- if [ "$SPAMD_SOCKET" = "" ]; then >- SPAMD_SOCKET=`ps aux 2>/dev/null|egrep 'spamd.*socket'|grep -v grep|sed -e 's/^.*socketpath=//'|awk '{print $1}'` >- fi >- if [ "$SPAMD_SOCKET" != "" -a -S "$SPAMD_SOCKET" ]; then >- SPAMC_BINARY="$SPAMC_BINARY -U $SPAMD_SOCKET" >- fi >- DD="`$SPAMC_BINARY < ./contrib/spamc-nice.eml`" >- if [ "`echo $DD|grep '^From '`" != "" ]; then >- cat<<EOF >+ if test -x $dir/spamassassin >+ then >+ SPAMASSASSIN_BINARY="${SPAMASSASSIN_BINARY:-$dir/spamassassin}" >+ fi >+ >+ if [ "$SPAMASSASSIN_BINARY" != "" -a -x "$dir/spamc" -a "$SPAMC_BINARY" = "" ] >+ then >+ #Test it out >+ if [ "`$dir/spamc -h 2>&1|grep 'spamd'`" != "" ] ;then >+ SPAMC_BINARY="${SPAMC_BINARY:-$dir/spamc}" >+ >+ # st: are we using spamd in unix-socket mode? 
>+ if [ "$SPAMD_SOCKET" != "" ] ;then >+ if [ ! -S "$SPAMD_SOCKET" ] ;then >+ cat<<EOF >+ >+ Spamd socket not found in $SPAMD_SOCKET >+ >+ Are you really using spamd daemon with the '--socketpath' option? >+ Check it or allow the configure script to look for >+ it, just omiting the configure option --sa-socket ... >+ >+EOF >+ exit >+ fi >+ #SPAMC_BINARY="$SPAMC_BINARY -U $SPAMD_SOCKET" >+ SA_SKT=" -U $SPAMD_SOCKET" >+ else >+ >+ #Test to see if spamc is calling Unix sockets instead of TCP >+ SPAMD_SOCKET=`ps -ef 2>/dev/null|egrep 'spamd.*socketpath'|grep -v grep|sed -e 's/^.*socketpath=//'|awk '{print $1}'` >+ if [ "$SPAMD_SOCKET" = "" ]; then >+ SPAMD_SOCKET=`ps aux 2>/dev/null|egrep 'spamd.*socketpath'|grep -v grep|sed -e 's/^.*socketpath=//'|awk '{print $1}'` >+ fi >+ >+ # st: in my RH7.3 servers this works... >+ if [ "$SPAMD_SOCKET" = "" ]; then >+ SPAMD_SOCKET=`ps ax -w 2>/dev/null|egrep 'spamd.*socketpath'|grep -v grep|sed -e 's/^.*socketpath=//'|awk '{print $1}'` >+ fi >+ >+ if [ "$SPAMD_SOCKET" != "" ]; then >+ if [ -S "$SPAMD_SOCKET" ]; then >+ #SPAMC_BINARY="$SPAMC_BINARY -U $SPAMD_SOCKET" >+ SA_SKT=" -U $SPAMD_SOCKET" >+ else >+ cat<<EOF >+ >+ Oops... Spamd socket not found in $SPAMD_SOCKET >+ >+ It seems that you're running spamd in unix-socket mode, but the >+ configure script couldn't find the socket properly. >+ Try to set it manually using the configure option --sa-socket ... >+ >+EOF >+ exit >+ fi >+ fi >+ >+ fi >+ >+ DD="`$SPAMC_BINARY $SA_SKT < ./contrib/spamc-nice.eml`" >+ if [ "`echo $DD|grep '^From '`" != "" ]; then >+ cat<<EOF > > SpamAssassin's spamd daemon is incorrectly installed. You need to run it as: 
> >@@ -927,73 +1201,77 @@ > > EOF > exit >- fi >- DD="`$SPAMC_BINARY $SA_HN < ./contrib/spamc-nice.eml`" >- if [ "$?" != "0" -o "`echo $DD|grep 'X-Spam-Status: No'`" = "" ]; then >- echo " >-Something like spamc for SpamAssassin detected - but not correctly installed >-(didn't include a \"X-Spam-Status\" line in output). >-Please read Q-S FAQ if you want it - especially check that spamd daemon >+ fi >+ DD="`$SPAMC_BINARY $SA_HN $SA_SKT < ./contrib/spamc-nice.eml`" >+ if [ "$?" != "0" -o "`echo $DD|grep 'X-Spam-Status: No'`" = "" ]; then >+ echo " >+Something like spamc for SpamAssassin detected - but not correctly installed >+(didn't include a \"X-Spam-Status\" line in output). >+Please read Q-S FAQ if you want it - especially check that spamd daemon > is running. Ignoring... > " >- SPAMC_BINARY='' >- else >- DD="`$SPAMC_BINARY $SA_HN < ./contrib/spamc-nasty.eml`" >- if [ "$?" != "0" -o "`echo $DD|grep 'X-Spam-Status: Yes'`" = "" ]; then >- echo " >-Something like spamc for SpamAssassin detected - but not correctly installed >+ SPAMC_BINARY='' >+ else >+ DD="`$SPAMC_BINARY $SA_HN $SA_SKT < ./contrib/spamc-nasty.eml`" >+ if [ "$?" != "0" -o "`echo $DD|grep 'X-Spam-Status: Yes'`" = "" ]; then >+ echo " >+Something like spamc for SpamAssassin detected - but not correctly installed > (didn't include a \"X-Spam-Status: Yes\" line in output) - ignoring... 
> " >- SPAMC_BINARY='' >- else >- DD="`$SPAMC_BINARY $SA_HN -c < ./contrib/spamc-nasty.eml`" >- if [ "`echo $DD|tail -1|grep /`" != "" ]; then >- SPAMASSASSIN_VERSION="fast_spamassassin" >- fi >- fi >- fi >- if [ "$SPAMC_BINARY" != "" ]; then >- if [ "`echo $FIND_SCANNERS|grep ' fast_spamassassin'`" != "" ]; then >- if [ "$SPAMASSASSIN_VERSION" != "fast_spamassassin" ]; then >- cat<<EOF >- Fatal: You have asked for the "fast" v2.1 SpamAssassin support, however >+ SPAMC_BINARY='' >+ else >+ DD="`$SPAMC_BINARY $SA_HN $SA_SKT -c < ./contrib/spamc-nasty.eml`" >+ if [ "`echo $DD|tail -1|grep /`" != "" ]; then >+ SPAMASSASSIN_VERSION="fast_spamassassin" >+ SA_THRESHOLD=`echo $DD|tail -1|sed -e 's/\(.*\)\/\(.*\)/\2/'` >+ fi >+ fi >+ fi >+ if [ "$SPAMC_BINARY" != "" ]; then >+ if [ "`echo $FIND_SCANNERS|grep ' fast_spamassassin'`" != "" ]; then >+ if [ "$SPAMASSASSIN_VERSION" != "fast_spamassassin" ]; then >+ cat<<EOF >+Fatal: You have asked for the "fast" v2.1 SpamAssassin support, however > your system is NOT correctly configured for it. > > Either upgrade and try again, or reconfigure for the older "verbose" > SpamAssassin support. > > EOF >- exit >- fi >- SPAMC_OPTIONS="$SA_HN -c " >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ exit >+ fi >+ SPAMC_OPTIONS="$SA_HN -c " >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > fast_spamassassin" >- #See if they want fast_spamassassin to alter the >- #Subject: line too... >- SPAMC_SUBJECT="`echo $FIND_SCANNERS|grep ' fast_spamassassin='|sed -e 's/^.*fast_spamassassin=//g' -e 's/ .*$//g'`" >- else >- SPAMASSASSIN_VERSION="verbose_spamassassin" >- SPAMC_OPTIONS="$SA_HN -f" >- INSTALLED_SCANNERS="$INSTALLED_SCANNERS >+ #See if they want fast_spamassassin to alter the >+ #Subject: line too... 
>+ SPAMC_SUBJECT="`echo $FIND_SCANNERS|grep ' fast_spamassassin='|sed -e 's/^.*fast_spamassassin=//g' -e 's/ .*$//g'`" >+ if [ "$SPAMC_SUBJECT" = "" ]; then SPAMC_SUBJECT=$SA_SUBJECT ; fi >+ else >+ SPAMASSASSIN_VERSION="verbose_spamassassin" >+ # st: I don't think that '-f' is still supported... >+ #SPAMC_OPTIONS="$SA_HN -f" >+ SPAMC_OPTIONS="$SA_HN " >+ INSTALLED_SCANNERS="$INSTALLED_SCANNERS > verbose_spamassassin" >- fi >- else >- SPAMC_BINARY='' >- fi >- fi >- fi >+ fi >+ else >+ SPAMC_BINARY='' >+ fi >+ fi >+ fi > fi > if test -x $dir/find > then >- FIND="${FIND:-$dir/find}" >+ FIND="${FIND:-$dir/find}" > fi > if test -x $dir/egrep > then >- GREP="${GREP:-$dir/grep}" >+ GREP="${GREP:-$dir/grep}" > fi > if test -x $dir/uudecode > then >- UUDECODE_BINARY="${UUDECODE_BINARY:-$dir/uudecode}" >+ UUDECODE_BINARY="${UUDECODE_BINARY:-$dir/uudecode}" > fi > done 
> >@@ -1005,18 +1283,13 @@ > > MAILDOMAIN=${MAILDOMAIN:-$FQDN} > LOCAL_DOMAINS_ARRAY=${LOCAL_DOMAINS_ARRAY:-$MAILDOMAIN} >-CMDLINE="$0 --spooldir $AS_QQ --qmaildir $QMAILDIR --bindir $BINDIR --qmail-queue-binary $QMAILQUEUE_BIN --admin $USERNAME --domain $MAILDOMAIN --notify $NOTIFY_ADDRESSES --local-domains $LOCAL_DOMAINS_ARRAY --silent-viruses $SILENT_VIRUSES --lang $QSLANG --debug $DEBUG_LEVEL --unzip $FORCE_UNZIP --block-password-protected $QUARANTINE_PASSWORD_PROTECTED --add-dscr-hdrs $DESCRIPTIVE_HEADERS --archive $ARCHIVEIT --redundant $REDUNDANT --log-details $LOG_DETAILS --log-crypto $LOG_CRYPTO --fix-mime $FIX_MIME --ignore-eol-check $DISABLE_EOL_CHECK --scanners \"$SCANNERS\"" > >+#CMDLINE="$0 --qs-user $QS_USER --qs-group $QS_GROUP --spooldir $AS_QQ --qmaildir $QMAILDIR --bindir $BINDIR --qmail-queue-binary $QMAILQUEUE_BIN --admin $USERNAME --domain $MAILDOMAIN --admin-fromname \"$ADMIN_FROMNAME\" --notify $NOTIFY_ADDRESSES --local-domains $LOCAL_DOMAINS_ARRAY --silent-viruses $SILENT_VIRUSES --block-password-protected $QUARANTINE_PASSWORD_PROTECTED --lang $QSLANG --debug $DEBUG_LEVEL --minidebug $MINI_DEBUG --unzip $FORCE_UNZIP --add-dscr-hdrs $DESCRIPTIVE_HEADERS --dscr-hdrs-text \"$DESCR_HEADERS_TEXT\" --archive $ARCHIVEIT --scanners-per-domain $SCANNERS_P_D --redundant $REDUNDANT --log-details $LOG_DETAILS --log-crypto $LOG_CRYPTO --fix-mime $FIX_MIME --ignore-eol-check $DISABLE_EOL_CHECK --virus-to-delete $VIRUS_DELETE --sa-delta $SA_DELTA --sa-subject \"$SPAMC_SUBJECT\" --sa-quarantine $SA_QUARANTINE --sa-delete $SA_DELETE --sa-reject $SA_REJECT --sa-alt $SA_ALT --sa-debug $SA_DEBUG --sa-report $SA_HDR_REPORT --scanners \"$SCANNERS\"" > >-if [ "$MANUAL_INSTALL" = "1" ]; then >- CMDLINE="$CMDLINE --no-QQ-check $MANUAL_INSTALL" >-fi >-if [ "$INSTALLIT" = "1" ]; then >- CMDLINE="$CMDLINE --install $INSTALLIT" >-fi >+CMDLINE="$0 --qs-user $QS_USER --qs-group $QS_GROUP --spooldir $AS_QQ --qmaildir $QMAILDIR --bindir $BINDIR --qmail-queue-binary 
$QMAILQUEUE_BIN --admin $USERNAME --domain $MAILDOMAIN --admin-fromname \"$ADMIN_FROMNAME\" --notify $NOTIFY_ADDRESSES --local-domains $LOCAL_DOMAINS_ARRAY --silent-viruses $SILENT_VIRUSES --block-password-protected $QUARANTINE_PASSWORD_PROTECTED --lang $QSLANG --debug $DEBUG_LEVEL --minidebug $MINI_DEBUG --unzip $FORCE_UNZIP --add-dscr-hdrs $DESCRIPTIVE_HEADERS --dscr-hdrs-text \"$DESCR_HEADERS_TEXT\" --archive $ARCHIVEIT --scanners-per-domain $SCANNERS_P_D --redundant $REDUNDANT --log-details $LOG_DETAILS --log-crypto $LOG_CRYPTO --fix-mime $FIX_MIME --ignore-eol-check $DISABLE_EOL_CHECK --virus-to-delete $VIRUS_DELETE" > > #echo "configure called as: $CMDLINE" >- >+echo -n "." > > INSTALLED_SCANNERS="`echo \"$INSTALLED_SCANNERS\"|sort|uniq`" > INSTALLED_SCANNERS=`echo $INSTALLED_SCANNERS` >@@ -1163,23 +1436,23 @@ > DD=`$UUDECODE_BINARY $UUDECODE_PIPE test-uudecode.uue > test-uudecode.tst` > if [ "$?" = "0" ] ; then > if [ -f test-uudecode.tst -a ! -f $testfile ]; then >- #uudecode is good! >- echo " >+ #uudecode is good! >+ echo " > > $UUDECODE_BINARY works as expected on system... > > " > else >- UUDECODE_BINARY='' >- echo " >+ UUDECODE_BINARY='' >+ echo " > > broken uudecoder on your system - cannot use uudecode component > > " > fi > else >- UUDECODE_BINARY='' >- echo " >+ UUDECODE_BINARY='' >+ echo " > > broken uudecoder on your system - cannot use uudecode component > >@@ -1193,8 +1466,6 @@ > > #Carry on... > >- >- > if [ "`echo $LOCAL_DOMAINS_ARRAY|grep $MAILDOMAIN`" = "" ]; then > LOCAL_DOMAINS_ARRAY="$MAILDOMAIN,$LOCAL_DOMAINS_ARRAY" > fi 
>@@ -1206,11 +1477,45 @@ > LDA="" > for dom in `echo $LOCAL_DOMAINS_ARRAY|sed 's/,/ /g'` > do >- LDA="$LDA,'$dom'" >+ LDA="$LDA,'$dom'" > done > LOCAL_DOMAINS_ARRAY="`echo $LDA|sed 's/^,//g'`" > fi > >+ >+## qms-monitor >+if [ "`echo $QMS_MONITOR|egrep -i '^no|^0'`" != "" ]; then >+ QMS_MONITOR="0" >+ echo "qms-monitor = no" >+else >+ QMS_MONITOR="1" >+ echo "qms-monitor = yes" >+ >+ # clean up the lists a bit >+ QMS_MON_ACCOUNTS="`echo $QMS_MON_ACCOUNTS|sed -e 's/\"//g' -e 's/ //g'`" >+ if [ "$QMS_MON_ACCOUNTS" ]; then >+ LDA="" >+ for dom in `echo $QMS_MON_ACCOUNTS|sed 's/,/ /g'` >+ do >+ dom="`echo $dom|sed -e 's/@/qms_at_sign/g'`" >+ LDA="$LDA,'$dom'" >+ done >+ QMS_MON_ACCOUNTS="`echo $LDA|sed 's/^,//g'`" >+ fi >+ >+ QMS_MON_DESTINATIONS="`echo $QMS_MON_DESTINATIONS|sed -e 's/\"//g' -e 's/ //g'`" >+ if [ "$QMS_MON_DESTINATIONS" ]; then >+ LDA="" >+ for dom in `echo $QMS_MON_DESTINATIONS|sed 's/,/ /g'` >+ do >+ LDA="$LDA,'$dom'" >+ done >+ QMS_MON_DESTINATIONS="`echo $LDA|sed 's/^,//g'`" >+ fi >+ >+fi >+ >+ > if [ "$MIME_UNPACKER" = "reformime" ]; then > if [ "$UNMIME_BINARY" = "" ] > then >@@ -1258,7 +1563,10 @@ > fi > > echo " >+============================================================== > The following binaries and scanners were found on your system: >+============================================================== >+ > " > if [ "$UNMIME_BINARY" != "" ] > then >@@ -1269,7 +1577,7 @@ > then > echo "uudecode=$UUDECODE_BINARY" > fi >-if [ "$FORCE_UNZIP" = "1" -a "$UNZIP_BINARY" != "" ] >+if [ "$FORCE_UNZIP" = "1" -a "$UNZIP_BINARY" != "" ] > then > echo "unzip=$UNZIP_BINARY" > echo "max-zip-size=$MAX_ZIP_SIZE" >@@ -1309,8 +1617,8 @@ > echo "uvscan=$UVSCAN" > SCANNER_ARRAY="$SCANNER_ARRAY,\"uvscan_scanner\"" > fi >-if [ "$NOD32" != "" ]; then >- echo "nod32=$NOD32" >+if [ "$NOD32" != "" ]; then >+ echo "nod32=$NOD32" > SCANNER_ARRAY="$SCANNER_ARRAY,\"nod32_scanner\"" > fi > if [ "$SWEEP" != "" -a "$SOPHIE" = "" ]; then 
>@@ -1373,11 +1681,11 @@ > > if [ "$SPAMC_BINARY" != "" ]; then > if [ "$SPAMASSASSIN_VERSION" = "fast_spamassassin" ]; then >- echo "fast_spamassassin=$SPAMC_BINARY" >- SCANNER_ARRAY="$SCANNER_ARRAY,\"fast_spamassassin\"" >+ echo "fast_spamassassin=$SPAMC_BINARY" >+ SCANNER_ARRAY="$SCANNER_ARRAY,\"fast_spamassassin\"" > else >- echo "verbose_spamassassin=$SPAMC_BINARY" >- SCANNER_ARRAY="$SCANNER_ARRAY,\"verbose_spamassassin\"" >+ echo "verbose_spamassassin=$SPAMC_BINARY" >+ SCANNER_ARRAY="$SCANNER_ARRAY,\"verbose_spamassassin\"" > fi > fi > >@@ -1385,18 +1693,32 @@ > > SCANNER_ARRAY=`echo $SCANNER_ARRAY|sed 's/^,//g'` > >+# If spamassassin is not found set SA_QUARANTINE and SA_DELETE back to 0 >+if [ "`echo $SCANNER_ARRAY|grep -v 'spamassassin'`" != "" ]; then >+ SA_DELTA="0" >+ SPAMC_SUBJECT="" >+ SA_FORWARD_IN="" >+ SA_FORWARD="" >+ SA_QUARANTINE="0" >+ SA_DELETE="0" >+ SA_REJECT="0" >+ SA_ALT="0" >+ SA_DEBUG="0" >+ SA_HDR_REPORT="0" >+fi >+ > echo "" > echo "Qmail-Scanner details." > echo "" > > if [ "`echo $LOG_DETAILS|egrep -i 'yes|^1|^y|on|true|syslog'`" != "" ]; then > if [ "`echo $LOG_DETAILS|egrep -i '^1|yes|^y|on|true'`" != "" ]; then >- LOG_DETAILS="mailstats.csv" >+ LOG_DETAILS="mailstats.csv" > else >- LOG_DETAILS="syslog" >+ LOG_DETAILS="syslog" > DD=`$PERL5 -e 'use Sys::Syslog;' 2>&1` > if [ "$?" != "0" ]; then >- cat<<EOF >+ cat<<EOF > > ************************** > >@@ -1409,7 +1731,7 @@ > ************************** > > EOF >- exit >+ exit > fi > fi > else >@@ -1432,6 +1754,14 @@ > fi > fi > >+if [ "`echo $QMS_LOG|egrep -i '^no|^0'`" != "" ]; then >+ QMS_LOG="0" >+ echo "qms-log=no" >+else >+ QMS_LOG="1" >+ echo "qms-log=yes" >+fi >+ > if [ "$LOG_DETAILS" != "" ]; then > echo "log-details=$LOG_DETAILS" > fi 
>@@ -1453,6 +1783,9 @@ > if [ "$REDUNDANT" != "" ]; then > echo "redundant-scanning=$REDUNDANT" > fi >+if [ "$QUARANTINE_PASSWORD_PROTECTED" != "" ]; then >+ echo "block-password-protected=$QUARANTINE_PASSWORD_PROTECTED" >+fi > if [ "$ARCHIVEIT" != "0" ]; then > if [ "$ARCHIVEIT" = "1" ]; then > ASTRING="everything" 
>@@ -1461,10 +1794,153 @@ > fi > echo "archiving $ASTRING into $AS_QQ/$ARCHIVEDIR/" > fi >+ > echo "virus-admin=$USERNAME@$MAILDOMAIN" > echo "local-domains=$LOCAL_DOMAINS_ARRAY" > echo "silent-viruses=$FIND_SILENT_VIRUSES_ARRAY" > echo "scanners=$SCANNER_ARRAY" >+echo >+echo "-------------------------------------" >+echo "st: configuration options for 1.25st" >+echo "-------------------------------------" >+echo "admin-fromname='$ADMIN_FROMNAME'" >+if [ "`echo $MINI_DEBUG|egrep -i '^1|^yes|^y|^on|^true'`" != "" ]; then >+ MINI_DEBUG="1" >+elif [ "`echo $MINI_DEBUG|egrep -i '^[2-9]+$'`" != "" ]; then >+ MINI_DEBUG="$MINI_DEBUG" >+else >+ MINI_DEBUG="0" >+fi >+if [ "$MINI_DEBUG" != "" ]; then >+ echo "minidebug=$MINI_DEBUG" >+fi >+if [ "`echo $SCANNERS_P_D|egrep -i '^no|^0'`" != "" ]; then >+ SCANNERS_P_D="0" >+else >+ if [ "`echo $SCANNERS_P_D|egrep -i '^1|^yes|^y|^on|^true'`" != "" ]; then >+ SCANNERS_P_D="1" >+ fi >+fi >+if [ "$SCANNERS_P_D" != "" ]; then >+ echo "scanners-per-domain=$SCANNERS_P_D" >+fi >+if [ "`echo $VIRUS_DELETE|egrep -i '^no|^0'`" != "" ]; then >+ VIRUS_DELETE="0" >+ VIRUS_TO_DELETE="" >+else >+ if [ "`echo $VIRUS_DELETE|egrep -i '1|yes|^y|on|true'`" != "" ]; then >+ VIRUS_DELETE="1" >+ fi >+fi >+if [ "$VIRUS_DELETE" != "0" ]; then >+ echo "virus-to-delete=$VIRUS_DELETE" >+fi >+if [ "$DESCRIPTIVE_HEADERS" != "" ]; then >+ echo "dscr-hdrs-text='$DESCR_HEADERS_TEXT'" >+fi >+if [ "$SPAMC_BINARY" != "" ]; then >+ if [ "`echo $SA_REJECT|egrep -i '^no|^0'`" != "" ]; then >+ SA_REJECT="0" >+ else >+ if [ "`echo $SA_REJECT|egrep -i '1|yes|^y|on|true'`" != "" ]; then >+ SA_REJECT="1" >+ fi >+ fi >+ if [ "`echo $SA_ALT|egrep -i '^no|^0'`" != "" ]; then >+ SA_ALT="0" >+ else >+ if [ "`echo $SA_ALT|egrep -i '1|yes|^y|on|true'`" != "" ]; then >+ SA_ALT="1" >+ fi >+ fi >+ if [ "`echo $SA_DEBUG|egrep -i '^no|^0'`" != "" ]; then >+ SA_DEBUG="0" >+ else >+ if [ "`echo $SA_DEBUG|egrep -i '1|yes|^y|on|true'`" != "" ]; then >+ SA_DEBUG="1" >+ fi >+ fi >+ if [ 
"`echo $SA_HDR_REPORT|egrep -i '^no|^0'`" != "" ]; then >+ SA_HDR_REPORT="0" >+ else >+ if [ "`echo $SA_HDR_REPORT|egrep -i '1|yes|^y|on|true'`" != "" ]; then >+ SA_HDR_REPORT="1" >+ fi >+ fi >+ if [ "`echo $SA_FWD_VERBOSE|egrep -i '^no|^0'`" != "" ]; then >+ SA_FWD_VERBOSE="0" >+ else >+ if [ "`echo $SA_FWD_VERBOSE|egrep -i '1|yes|^y|on|true'`" != "" ]; then >+ SA_FWD_VERBOSE="1" >+ fi >+ fi >+ echo >+ if [ "$SPAMD_SOCKET" != "" ] ; then >+ echo "sa-socket =$SPAMD_SOCKET" >+ CMDLINE="$CMDLINE --sa-socket $SPAMD_SOCKET" >+ fi >+ if [ "$SA_FORWARD_IN" != "" ] ;then >+ # st: Add a '\' to the sa_forward mail address >+ if [ "`echo $SA_FORWARD_IN | grep @ `" = "" ]; then >+ SA_FORWARD_IN="$SA_FORWARD_IN@$MAILDOMAIN" >+ fi >+ SA_FORWARD=`echo "$SA_FORWARD_IN" | awk -F @ '{print $1 "\\\@" $2}'` >+ CMDLINE="$CMDLINE --sa-forward $SA_FORWARD" >+ echo "sa-forward=\"$SA_FORWARD_IN\" (Is it a valid address?)" >+ if [ "$SA_FWD_VERBOSE" != "0" ] ; then >+ echo "sa-fwd-verbose=$SA_FWD_VERBOSE (X-Spam headers will be added in the forwarded mail)" >+ else >+ echo "sa-fwd-verbose=$SA_FWD_VERBOSE (X-Spam headers won't be added in the forwarded mail)" >+ fi >+ CMDLINE="$CMDLINE --sa-fwd-verbose $SA_FWD_VERBOSE" >+ fi >+ if [ "$SPAMASSASSIN_VERSION" != "verbose_spamassassin" -a "$SPAMC_SUBJECT" != "" ] ;then >+ echo "sa-subject=\"$SPAMC_SUBJECT\"" >+ CMDLINE="$CMDLINE --sa-subject \"$SPAMC_SUBJECT\"" >+ fi >+ echo >+ echo "sa-delta =$SA_DELTA" >+ echo "sa-alt =$SA_ALT" >+ echo "sa-debug =$SA_DEBUG (only valid if sa-alt is enabled)" >+ echo "sa-report =$SA_HDR_REPORT (only valid if sa-alt and sa-debug are enabled)" >+ echo >+ echo "Spamassasin Required_Hits=$SA_THRESHOLD" >+ if [ "$SA_QUARANTINE" != "0" ]; then >+ SA_CONTROL="$SA_QUARANTINE $SA_DELETE" >+ if [ "$SA_DELETE" != "0" -a "`echo $SA_CONTROL | awk '{if ($1 > $2) print 1}'`" ] ; then >+ echo >+ echo "########################################################################" >+ echo "WARNING: sa-quarantine ($SA_QUARANTINE) is 
higher than" >+ echo " sa-delete ($SA_DELETE), resetting sa-delete and sa-reject to 0." >+ echo " You can fix this later editing qmail-scanner-queue.pl and" >+ echo " setting the appropriated values. No mail will be" >+ echo " deleted or rejected" >+ echo "########################################################################" >+ echo >+ SA_DELETE="0" >+ SA_REJECT="0" >+ fi >+ SA_QTINE=`echo "$SA_QUARANTINE $SA_THRESHOLD" | awk '{print $1+$2}'` >+ echo "sa-quarantine=$SA_QUARANTINE (messages over $SA_QTINE hits will be quarantined)" >+ else >+ echo "sa-quarantine=0 (no mail will be quarantined)" >+ fi >+ if [ "$SA_DELETE" != "0" ]; then >+ SA_DLT=`echo "$SA_DELETE $SA_THRESHOLD" | awk '{print $1+$2}'` >+ if [ "$SA_REJECT" != "0" ]; then >+ echo "sa-delete =$SA_DELETE (messages over $SA_DLT hits will be rejected)" >+ else >+ echo "sa-delete =$SA_DELETE (messages over $SA_DLT hits will be deleted)" >+ fi >+ else >+ echo "sa-delete =0 (no mail will be deleted/rejected)" >+ fi >+ echo "sa-reject =$SA_REJECT" >+ echo "-------------------------------------------------------------------------" >+ CMDLINE="$CMDLINE --sa-delta $SA_DELTA --sa-alt $SA_ALT --sa-debug $SA_DEBUG --sa-report $SA_HDR_REPORT --sa-quarantine $SA_QUARANTINE --sa-delete $SA_DELETE --sa-reject $SA_REJECT" >+fi >+ >+CMDLINE="$CMDLINE --scanners \"$SCANNERS\"" > > SCANNER_ARRAY="`echo $SCANNER_ARRAY|sed -e 's/fast_spamassassin/spamassassin/g' -e 's/verbose_spamassassin/spamassassin/g'`" > cat<<EOF >@@ -1472,6 +1948,14 @@ > If that looks correct, I will now generate qmail-scanner-queue.pl > for your system... > EOF >+ >+if [ "$MANUAL_INSTALL" = "1" ]; then >+ CMDLINE="$CMDLINE --no-QQ-check $MANUAL_INSTALL" >+fi >+if [ "$INSTALLIT" = "1" ]; then >+ CMDLINE="$CMDLINE --install $INSTALLIT" >+fi >+ > if [ "$DONOTCONFIRM" != "1" ]; then > cat<<EOF > Continue? ([Y]/N) 
>@@ -1538,7 +2022,7 @@ > DD=`$SETUIDGID $QS_USER $PERL5 ./.perl-test.pl 2>&1` > QS_UID=`echo "$DD"|grep ^uid=|sed 's/^uid=//g'|egrep '^[0-9]+$'` > #Now setuid it and see if the output changes >- chown $QS_USER:$QS_USER .perl-test.pl >+ chown $QS_USER:$QS_GROUP .perl-test.pl > chmod 4755 .perl-test.pl > DD=`$SETUIDGID qmailq ./.perl-test.pl 2>&1` > QS_SUID=`echo "$DD"|grep ^uid=|sed 's/^uid=//g'|egrep '^[0-9]+$'` >@@ -1581,6 +2065,10 @@ > s?HOST_RELEASE?$HOST_RELEASE?g; > s?HOST_HARDWARE?$HOST_HARDWARE?g; > s?DEBUG_LEVEL?$DEBUG_LEVEL?g; >+s?QMS_LOG?$QMS_LOG?g; >+s?QMS_MONITOR?$QMS_MONITOR?g; >+s?QMS_MON_ACCOUNTS?$QMS_MON_ACCOUNTS?g; >+s?QMS_MON_DESTINATIONS?$QMS_MON_DESTINATIONS?g; > s?DESCRIPTIVE_HEADERS?$DESCRIPTIVE_HEADERS?g; > s?CMDLINE?$CMDLINE?g; > s?PERL5?$PERL5?g; 
>@@ -1656,9 +2144,26 @@ > s?LOCALE_sender_explanation?$LOCALE_sender_explanation?g; > s?LOCALE_sender_msg_description?$LOCALE_sender_msg_description?g; > s?LOCALE_sender_other_content?$LOCALE_sender_other_content?g; >-s?SCANNER_ARRAY?$SCANNER_ARRAY?g;" qmail-scanner-queue.template > qmail-scanner-queue.pl-1 >-perl -pe 's/%%/\$/g' qmail-scanner-queue.pl-1 > qmail-scanner-queue.pl >+s?SCANNER_ARRAY?$SCANNER_ARRAY?g; >+s?MINI_DEBUG?$MINI_DEBUG?g; >+s?DESCR_HEADERS_TEXT?$DESCR_HEADERS_TEXT?g; >+s?ADMIN_FROMNAME?$ADMIN_FROMNAME?g; >+s?SCANNERS_P_D?$SCANNERS_P_D?g; >+s?VIRUS_TO_DELETE?$VIRUS_TO_DELETE?g; >+s?SA_DELTA?$SA_DELTA?g; >+s?SA_FORWARD?$SA_FORWARD?g; >+s?SA_FWD_VERBOSE?$SA_FWD_VERBOSE?g; >+s?SA_QUARANTINE?$SA_QUARANTINE?g; >+s?SA_DELETE?$SA_DELETE?g; >+s?SA_REJECT?$SA_REJECT?g; >+s?SA_ALT?$SA_ALT?g; >+s?SA_DEBUG?$SA_DEBUG?g; >+s?SA_HDR_REPORT?$SA_HDR_REPORT?g; >+s?SPAMD_SOCKET?$SPAMD_SOCKET?g;" qmail-scanner-queue.template > qmail-scanner-queue.pl-1 >+perl -pe 's/%%/\$/g' qmail-scanner-queue.pl-1 > qmail-scanner-queue.pl-2 > rm -f qmail-scanner-queue.pl-1 >+perl -pe 's/qms_at_sign/@/g' qmail-scanner-queue.pl-2 > qmail-scanner-queue.pl >+rm -f qmail-scanner-queue.pl-2 > > cat sub-attachments.pl >> qmail-scanner-queue.pl > >@@ -1672,7 +2177,7 @@ > (cat<<EOF > > ############################### >-# >+## > ## END of standard subroutines > ## Virus-scanner specific subroutines automatically added below by setup.sh > ## 
>@@ -1681,33 +2186,36 @@ > EOF > ) >> qmail-scanner-queue.pl > >+# st: Add some subroutines >+cat sub-patch-st.pl >> qmail-scanner-queue.pl >+ > for scanner in `echo $SCANNER_ARRAY|sed -e 's/\"//g' -e 's/,/ /g' -e's/_scanner//g'` > do > if [ "$scanner" = "sophie" ]; then >- sed "s?SSOCKET?$SSOCKET?" sub-sophie.template > sub-sophie.pl >+ sed "s?SSOCKET?$SSOCKET?" sub-sophie.template > sub-sophie.pl > fi > if [ "$scanner" = "trophie" ]; then >- sed "s?TSOCKET?$TSOCKET?" sub-trophie.template > sub-trophie.pl >+ sed "s?TSOCKET?$TSOCKET?" sub-trophie.template > sub-trophie.pl > fi > if [ "$scanner" = "sweep" ]; then >- #Special case for Sweep >- if [ "$SAV_IDE" != "" -o "$SAV_IDE_CONF" = "1" ]; then >- sed "s?SOPHOS_SAV_IDE?$SAV_IDE?" sub-sweep.template > sub-sweep.pl >- else >- echo "You have Sophos installed, but SAV_IDE is not defined!" >- echo "" >- echo "Bad install of Sophos, exiting...." >- exit 1 >- fi >+ #Special case for Sweep >+ if [ "$SAV_IDE" != "" -o "$SAV_IDE_CONF" = "1" ]; then >+ sed "s?SOPHOS_SAV_IDE?$SAV_IDE?" sub-sweep.template > sub-sweep.pl >+ else >+ echo "You have Sophos installed, but SAV_IDE is not defined!" >+ echo "" >+ echo "Bad install of Sophos, exiting...." >+ exit 1 >+ fi > fi > if test -f "sub-$scanner.pl" > then >- cat sub-$scanner.pl >> qmail-scanner-queue.pl >+ cat sub-$scanner.pl >> qmail-scanner-queue.pl > else >- echo "" >- echo "** scanner subroutine for $scanner not found **" >- echo "** disabled as not officially supported. ** " >- echo "" >+ echo "" >+ echo "** scanner subroutine for $scanner not found **" >+ echo "** disabled as not officially supported. ** " >+ echo "" > fi > done 
> >@@ -1729,12 +2237,12 @@ > fi > mv -f $BINDIR/qmail-scanner-queue.pl $BINDIR/qmail-scanner-queue.pl.old 2>/dev/null > cp -f qmail-scanner-queue.pl $BINDIR/qmail-scanner-queue.pl >- chown $QS_USER:$QS_USER $BINDIR/qmail-scanner-queue.pl >+ chown $QS_USER:$QS_GROUP $BINDIR/qmail-scanner-queue.pl > chmod 4755 $BINDIR/qmail-scanner-queue.pl > if [ -f "$BINDIR/antivirus-qmail-queue.pl" -a ! -L "$BINDIR/antivirus-qmail-queue.pl" ]; then >- mv -f $BINDIR/antivirus-qmail-queue.pl $BINDIR/antivirus-qmail-queue.pl.old >- ln -s $BINDIR/qmail-scanner-queue.pl $BINDIR/antivirus-qmail-queue.pl >- cat<<EOF >+ mv -f $BINDIR/antivirus-qmail-queue.pl $BINDIR/antivirus-qmail-queue.pl.old >+ ln -s $BINDIR/qmail-scanner-queue.pl $BINDIR/antivirus-qmail-queue.pl >+ cat<<EOF > > ** REMEMBER to alter your Qmail startup scripts to call > $BINDIR/qmail-scanner-queue.pl instead of >@@ -1744,15 +2252,15 @@ > fi > mkdir $AS_QQ 2>/dev/null > if [ -f "$AS_QQ/quaranteen.log" ]; then >- mv -f $AS_QQ/quaranteen.log $AS_QQ/quarantine.log 2>/dev/null >- rm -f $AS_QQ/viruses.log >- ln -s $AS_QQ/quarantine.log $AS_QQ/viruses.log >+ mv -f $AS_QQ/quaranteen.log $AS_QQ/quarantine.log 2>/dev/null >+ rm -f $AS_QQ/viruses.log >+ ln -s $AS_QQ/quarantine.log $AS_QQ/viruses.log > fi > mv -f $AS_QQ/quaranteen $AS_QQ/quarantine 2>/dev/null > mv -f $AS_QQ/quaranteen-attachments.txt $AS_QQ/quarantine-attachments.txt 2>/dev/null > mv -f $AS_QQ/quaranteen-attachments.db $AS_QQ/quarantine-attachments.db 2>/dev/null > if [ -d "$AS_QQ/viruses/cur" -a -d "$AS_QQ/viruses" -a ! -L "$AS_QQ/viruses" -a ! -f "$AS_QQ/quarantine" ] ; then >- mv -f $AS_QQ/viruses $AS_QQ/quarantine >+ mv -f $AS_QQ/viruses $AS_QQ/quarantine > fi > rm -f $AS_QQ/viruses 2>/dev/null > ln -s $AS_QQ/quarantine $AS_QQ/viruses 
>@@ -1765,37 +2273,43 @@ > mkdir $AS_QQ/working/cur 2>/dev/null > mkdir $AS_QQ/working/tmp 2>/dev/null > if [ -f "$AS_QQ/viruses.log" -a ! -L "$AS_QQ/viruses.log" ]; then >- mv -f $AS_QQ/viruses.log $AS_QQ/quarantine.log 2>/dev/null >+ mv -f $AS_QQ/viruses.log $AS_QQ/quarantine.log 2>/dev/null > fi > if [ -L "$AS_QQ/viruses.log" ]; then >- rm -f $AS_QQ/viruses.log >+ rm -f $AS_QQ/viruses.log > fi > touch $AS_QQ/quarantine.log > ln -s $AS_QQ/quarantine.log $AS_QQ/viruses.log > if [ "$ARCHIVEIT" != "0" ]; then >- mkdir $AS_QQ/$ARCHIVEDIR 2>/dev/null >- mkdir $AS_QQ/$ARCHIVEDIR/cur 2>/dev/null >- mkdir $AS_QQ/$ARCHIVEDIR/tmp 2>/dev/null >- mkdir $AS_QQ/$ARCHIVEDIR/new 2>/dev/null >+ mkdir $AS_QQ/$ARCHIVEDIR 2>/dev/null >+ mkdir $AS_QQ/$ARCHIVEDIR/cur 2>/dev/null >+ mkdir $AS_QQ/$ARCHIVEDIR/tmp 2>/dev/null >+ mkdir $AS_QQ/$ARCHIVEDIR/new 2>/dev/null > fi > > if [ "$LOG_DETAILS" = "mailstats.csv" ]; then >- if [ ! -f "$AS_QQ/$LOG_DETAILS" ]; then >- echo "#Virus_Found Process_Time From Recipients Subject Message-ID Msg_Size Date Attachment_Filenames" > $AS_QQ/$LOG_DETAILS >- chown $QS_USER:$QS_USER $AS_QQ/$LOG_DETAILS >- fi >+ if [ ! -f "$AS_QQ/$LOG_DETAILS" ]; then >+ echo "#Virus_Found Process_Time From Recipients Subject Message-ID Msg_Size Date Attachment_Filenames" > $AS_QQ/$LOG_DETAILS >+ chown $QS_USER:$QS_GROUP $AS_QQ/$LOG_DETAILS >+ fi > fi > > if [ ! -f "$AS_QQ/quarantine-attachments.txt" ] ; then > cp quarantine-attachments.txt $AS_QQ/ > fi >- chown -R $QS_USER:$QS_USER $AS_QQ/ >+ if [ ! -f "$AS_QQ/scanners_per_domain.txt" ] ; then >+ cp scanners_per_domain.txt $AS_QQ/ >+ fi >+ if [ ! -f "$AS_QQ/log-report.sh" ] ; then >+ cp log-report.sh $AS_QQ/ >+ fi >+ chown -R $QS_USER:$QS_GROUP $AS_QQ/ > $BINDIR/qmail-scanner-queue.pl -g > if [ "$?" != "0" ]; then >- cat<<EOF >+ cat<<EOF > > >- ******* FATAL ERROR ******* >+ ******* FATAL ERROR ******* > > > Whoa! Newly installed version of qmail-scanner-queue.pl exits with 
>@@ -1806,14 +2320,14 @@ > See ./qmail-scanner-queue.pl (current dir) for the errors refered to by > perl above... > >- **************************** >+ **************************** > > > EOF > if [ -f "$BINDIR/qmail-scanner-queue.pl.old" ]; then >- mv -f $BINDIR/qmail-scanner-queue.pl.old $BINDIR/qmail-scanner-queue.pl >- fi >- exit >+ mv -f $BINDIR/qmail-scanner-queue.pl.old $BINDIR/qmail-scanner-queue.pl >+ fi >+ exit > fi > if [ -x "$BINDIR/qmail-scanner-queue.pl" ]; then $BINDIR/qmail-scanner-queue.pl -z ; fi > cat<<EOF >@@ -1827,6 +2341,10 @@ > "$BINDIR/qmail-scanner-queue.pl -r" should return some well-known virus > definitions to show that the internal perlscanner component is working. > >+If you're upgrading, remember that your previous quarantine-attachments.txt file >+has not been changed, maybe it's a good idea to have a look at the file >+coming with this distribution. >+ > That's it! > > EOF >@@ -1882,6 +2400,17 @@ > > rm -rf $TMP_DIR > >+if [ "$SCANNERS_P_D" = "1" ]; then >+ cat<<EOF >+ >+You have enabled 'scanners-per-domain' remember to edit the file >+"$AS_QQ/scanners_per_domain.txt" and build the database with the command >+$BINDIR/qmail-scanner-queue.pl -p, other-wise qmail-scanner will fall >+to the '@scanners_installed' installed. >+EOF >+ >+fi >+ > cat<<EOF > > >diff -Naur qmail-scanner-1.25-DISTRO/configure-options.html qmail-scanner-1.25-st-qms-20050219/configure-options.html >--- qmail-scanner-1.25-DISTRO/configure-options.html 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/configure-options.html 2005-02-19 07:08:54.000000000 -0600 
>@@ -0,0 +1,364 @@ >+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"> >+<HTML> >+<head> >+ <TITLE>Qmail-Scanner (st-qms patch) configure options</TITLE> >+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> >+ <script language="JavaScript" src="aab.js" type="text/JavaScript"> >+ </script> >+</head> >+ >+<BODY BGCOLOR="#FFFFFF"> >+<H1>Qmail-Scanner-1.25-st-qms (st-qms patch) ./configure options</H1> >+ >+<p>The following shows what options the Qmail-Scanner-1.25-st-qms >+installation supports: </p> >+ >+<P><center> >+ >+<table border="0" cellpadding="5" width="80%" bgcolor="#CCCCCC"> >+<TR><TD ALIGN="left"><PRE> >+ ./configure --help >+ >+valid options: >+ >+ --qs-user <username> (default: qscand) >+ User that Qmail-Scanner runs as >+ >+</PRE></TD></TR> >+<TR BGCOLOR="#EEEEEE"><TD ALIGN="left"><PRE> >+ --qs-group <usergroup> (default: same as qs-user) >+ Group of the user that Qmail-Scanner runs as >+ >+</PRE></TD></TR> >+<TR><TD ALIGN="left"><PRE> >+ --qmaildir <top of qmail> (defaults to /var/qmail/) >+ >+ --spooldir <spooldir> (defaults to /var/spool/qmailscan/) >+ >+ --bindir <installdir> (defaults to /var/qmail/bin/) >+ Where to install qmail-scanner-queue.pl >+ >+ --admin <username> (default: root) >+ User to Email alerts to >+ >+ --domain <domain name> >+ "user"@"domain" makes up Email address to Email alerts to >+ >+</PRE></TD></TR> >+<TR BGCOLOR="#EEEEEE"><TD ALIGN="left"><PRE> >+ --admin-fromname <"From Name"> (default: " System Anti-Virus Administrator ") >+ From line information used when making reports, the input >+ must be quoted. i.e. --admin-fromname "Antivirus Admin" >+ >+</PRE></TD></TR> >+<TR><TD ALIGN="left"><PRE> >+ --local-domains "one.domain,two.domain" >+ Defaults to the value of the "--domain" setting. >+ Comma-separated list (no spaces!) of domains that are >+ classified as "local". This is needed to ensure alerts >+ are only sent to local users and not remote when >+ '--notify "recips"' is chosen. 
This will drastically >+ reduce the chance of alerts being sent to mailing-lists. >+ >+ --scanners <list of installed content scanners> >+ Defaults to "auto" - will use whatever scanners are found >+ on system. >+ Use this option to override "auto" - set to one or more >+ of the following: >+ >+ [auto|none|clamscan,clamdscan,sweep,sophie,vscan,trophie, >+ uvscan,csav,antivir,kavscanner,AvpLinux,kavdaemon, >+ AvpDaemonClient,fsav,fprot,inocucmd,vexira,bitdefender, >+ verbose_spamassassin,fast_spamassassin] >+ >+ Note the special-case "none". This will disable all but >+ the internal perlscanner module. >+ >+ --skip-text-msgs [yes|no] (defaults to "yes") >+ Q-S will skip running any anti-virus scanner on any messages >+ it works out are text-only. i.e. don't have any attachments. >+ Set to "no" if you want them to be scanned anyway. >+ >+ --notify [none|sender|recips|precips|admin|nmladm|nmlvadm|all] (defaults to "psender,nmlvadm") >+ Comma-separated list (no spaces!) of addresses to which >+ alerts should be sent to. "nmladm" means only notify >+ admin for "user infections", >+ i.e. non-mailing-list mail. >+ "nmlvadm" is the same as nmladm - except that it also doesn't >+ notify for viral e-mails. >+ i.e. just "policy" quarantines get e-mails. >+ This allows you to still notify people when an e-mail is >+ blocked due to a policy decision (such as blocking >+ password-protected zip files), but a message tagged as viral >+ by an AV system will *not* trigger notification. >+ Similarly, "psender" means notify the sender only if their >+ e-mail was blocked for policy reasons. >+ i.e. if an AV system found a virus, then don't notify the >+ sender as the address was probably forged. >+ >+ --silent-viruses "virus1,virus2" (defaults to "auto") >+ This option allows you to tell Qmail-Scanner *not* to >+ notify senders when it quarantines one of these viruses. 
>+ Viruses such as Klez alter the sender address so that it >+ has no relation to the actual sender - so there's no point >+ in responding to Klez messages - it just confuses people. >+ The admin and recips will still be notified as set >+ by "--notify". Use this option to override "auto". >+ By default this is set to: >+ "klez,bugbear,hybris,yaha,braid,nimda,tanatos,sobig,winevar, >+ palyh,fizzer,gibe,cailont,lovelorn,swen,dumaru,sober,hawawi, >+ hawaii,holar-i,mimail,poffer,bagle,worm.galil,mydoom,worm.sco, >+ tanx,novarg,\@mm,cissy,cissi,qizy,bugler,dloade,netsky,spam" >+ >+ --lang <lang> (defaults to en_GB) >+ "af_ZA cs_CZ de_DE en_GB enlt_LT enlt_LT_short en_PL es_ES >+ fr_FR it_IT ja_JP.EUC nl_NL no_NO pl_PL pt_BR pt_PT sv_SE >+ tr_TR tr_TR_ascii tw_BIG5" >+ >+ --archive [yes|no|regex] (defaults to "no") >+ Whether to archive mail after it as been processed. >+ If "yes", all copies of processed mail will be moved into >+ the maildir "/var/spool/qmailscan/archives/". >+ Any other string besides "yes" and "no" will be treated >+ as a REGEX. Only mail from or to an address that contains >+ that regex will be archived. e.g. "jhaar|harry" or >+ "\@our.domain". >+ Be careful with this option, a badly written regex >+ will cause Qmail-Scanner to crash. >+ >+ --redundant [yes|no] (defaults to "yes") >+ Whether or not to let the scanners also scan any zip files >+ and the original "raw" Email file. >+ >+ --unzip [yes|no] (defaults to "no" - off) >+ Whether or not to forcibly unzip all zip files. >+ Off by default as most AV's do unzip'ping themselves. >+ >+ --max-zip-size [number-bytes] (defaults to 1 Gbytes) >+ This setting allows you to control the maximum size you >+ are willing to allow zip file attachments to unpack to. >+ This is to enable you to limit DoS attacks against your >+ Qmail-Scanner installation (someone could send you a small >+ zip file that unpacks to Gbytes of useless files - filling >+ your harddisk). 
Set to whatever value you think is >+ appropriate for your system. The default value of 1Gb is >+ set so large so as not to assume anything about your >+ system - YOU WILL NEED TO SET THIS VALUE IN ORDER TO GAIN >+ ANY PROTECTION. >+ Something like "100000000" (100 Mb) might be appropriate. >+ >+ --block-password-protected [yes|no] (defaults to "no") >+ Setting this to "yes" allows you to quarantine any >+ incoming zip files that are password protected. >+ This is primarily to stop viruses such as Bagle which >+ arrive within a password-protected zip file. >+ >+ --fix-mime [yes|no|num] (defaults to "2") >+ Whether or not to attempt to "fix" broken MIME messages >+ before doing anything else. Should be safe, but *may* break >+ some strange, old mailers (none known yet). >+ Defaults to "2" enables a bunch of extra MIME checks that >+ have proven to be very useful. >+ >+ --ignore-eol-check [yes|no] (defaults to "no") >+ Making this "yes" stops Qmail-Scanner >+ from treating "\r" or "\0" chars in the headers of >+ MIME mail messages as being suspicious enough to quarantine >+ mail over. Some sites receive so much broken e-mail that this >+ option has been created so that they can still receive such >+ messages without having to be as drastic as to "--fix-mime no" >+ which disables all sorts of other good stuff. >+ Use only if you have to. >+ >+ --add-dscr-hdrs [yes|no|all] (defaults to "no") >+ This adds the now old-fashion X-Qmail-Scanner headers to the >+ message. "all" adds the "rcpt to" headers too - this is a >+ privacy hole. >+ >+</PRE></TD></TR> >+<TR BGCOLOR="#EEEEEE"><TD ALIGN="left"><PRE> >+ --dscr-hdrs-text <"Descrip-Headers-Text"> (defaults to "X-Qmail-Scanner") >+ Input must be quoted. >+ i.e. --dscr-hdrs-text "X-Antivirus-MYDOMAIN" >+ >+</PRE></TD></TR> >+<TR><TD ALIGN="left"><PRE> >+ --log-details [yes|syslog|no] (defaults to "syslog") >+ Whether or not to log to mailstats.csv/via syslog the >+ attachment structure of every Email message. 
>+ >+ --debug [yes|no] (defaults to "no" - off) >+ Whether or not debugging is turned on. Can be also set to >+ a number. Numbers over 100 cause Q-S to not cleanup working >+ files. Thus allowing for offline debugging... >+ >+ --qms-log [yes|no] (defaults to "yes" - on) >+ Whether or not event logging is turned on. On (yes) >+ by default. Useful for qmail-scanner statistics. >+ >+</PRE></TD></TR> >+<TR BGCOLOR="#EEEEEE"><TD ALIGN="left"><PRE> >+ --minidebug [yes|no|1|2] (default: 1) >+ Logs only important information, mail headers, blocks, >+ errors and elapsed time. If set to 2, it will log the >+ parent pid (ppid) and the message size. >+ >+</PRE></TD></TR> >+<TR><TD ALIGN="left"><PRE> >+ >+ --batch >+ Do not confirm configure information (mainly for scripting) >+ >+ --install >+ Create directory paths, install perl script, and >+ change ownerships to match. >+ >+ --mime-unpacker "reformime" (defaults to reformime) >+ >+</PRE></TD></TR> >+<TR BGCOLOR="#EEEEEE"><TD ALIGN="left"><PRE> >+ --scanners-per-domain [yes|no] (defaults to "no") >+ Enable or disable the domain-wise mode, each user/domain >+ will have a customized @scanner_array. If the user/domain >+ haven't a custom @scanner_array, qmail-scanner will fall >+ to the @scanners_default array. >+ >+ --virus-to-delete [yes|no] (defaults to "no") >+ Enable this option if you want to delete some viruses >+ (i.e. mydoom) without notifying anyone. If you don't enable >+ it now, you can later edit qmail-scanner-queue.pl and add >+ the virus you want to the list virus_to_delete. 
>+ >+ --sa-delta [num] (default: 0) >+ If $spamc_subject is defined, and fast_spamassassin mode is >+ selected, a tag will be added to the subject indicating how >+ the message is to be considered as spam, in this way: >+ LOW: required_hits < score < required_hits + sa_delta >+ MEDIUM: required_hits + sa_delta < score < required_hits + 2 * sa_delta >+ HIGH: required_hits + 2 * sa_delta < score >+ Be aware, sa_max+2*sa_delta must be lower than sa_quarantine. >+ 'required_hits' is the value set in the SpamAssassin >+ configuration file. >+ >+ --sa-subject <"some text"> (defaults to nothing) >+ This is an alternative way to set the tag that qmail-scanner >+ add to subject of spam mails, to some text. >+ Spamassassin must be working in *fast_spamassassin* mode >+ Be sure that is better to tag the subject, of spam messages, >+ through qmail-scanner than with the rewrite_subject >+ of SpamAssassin. >+ The input must be quoted i.e. "SPAM *** ". >+ >+ --sa-forward <username@domain> (default: nothing) >+ User to redirect spam mails 'being quarantined' for >+ admin purposes... >+ The message is forwarded almost unmodified so you can >+ use 'sa-learn' with it. >+ If you prefer that the message includes the spam headers >+ enable the next option. >+ (i.e. --sa-forward antispam@mydomain.com) >+ >+ --sa-fwd-verbose [yes|no] (default: no) >+ Whether to add the X-Spam headers to the forwarded message. >+ >+ --sa-quarantine [num] (default: 0) >+ Spam messages with a score higher than >+ (required_hits + sa_quarantine) should be quarantined. >+ Only relevant if SpamAssassin is used. >+ Score of 0 means deliver all messages. >+ >+ --sa-delete [num] (default: 0) >+ Spam messages with a score higher than >+ (required_hits + sa_delete) should be deleted. >+ Only relevant if SpamAssassin is used. >+ Score of 0 means deliver all messages. 
>+ >+ --sa-reject [yes|no] (default: no) >+ If you enable sa-reject and sa-delete is properly set, >+ messages with a score higher than sa-delete will be rejected >+ before the smtp session is closed. Otherwise they are just >+ dropped silently. (1/0) >+ >+ --sa-alt [yes|no] (default: no) >+ Use the alternative subroutine for spamassassin, it runs in >+ *fast_spamassassin* mode and doesn't pass the '-u' option >+ to spamc. (1/0) >+ >+ --sa-debug [yes|no] (default: no) >+ If sa-alt is enabled an you enable this option, you will >+ have a beautiful log with the tests and the scores of >+ spamassassin in the file qmail-queue.log (1/0) >+ >+ --sa-report [yes|no] (default: no) >+ If sa-alt and sa-debug are enabled you can add >+ the X-Spam-Report header to the messages enabling >+ this option. >+ >+ --sa-socket <path to spamd socket> (defaults to nothing) >+ Actually the configure script can automatically discover >+ if spamd is running in unix-socket mode, but, >+ if for some reasson the socket couldn't be >+ found properly you can set the path with this option. >+ i.e. --sa-socket /var/run/spamd >+ >+ --qms-monitor - [yes|no] enable qms-monitor Account Monitoring >+ --qms-monitor-accts - list of email accounts to be monitored, separated by >+ commas >+ Example: "acct1@dom2.com,acct2@dom1.com" >+ --qms-monitor-dests - list of destination paths for monitored email messages >+ Note 1: locations here will be saved underneath >+ .../qmailscan/qms-monitor; a cron job can later >+ copy from that location to an alternate email >+ domain used for account monitoring. >+ Note 2: each entry in this array corresponds to the >+ email address in the same location of the >+ qms-monitor-accts list above - i.e., >+ qms-monitor-accts[2] msgs get stored at >+ qms-monitor-dests[2] - thus, ORDER DOES MATTER >+ Note 3: DO NOT include a leading "/" on these paths - >+ they will typically be entries that ultimately >+ belong in /home/vpopmail/domains - so start with >+ the domain name. 
>+ Example: "mon.dom2.com/acct1/Maildir/new,mon.dom1.com/acct2/Maildir/new" >+ >+</PRE></TD></TR> >+<TR><TD ALIGN="left"><PRE> >+ **************** >+ Rarely Used >+ **************** >+ >+ --no-QQ-check >+ Do not check that the QMAILQUEUE patch is installed. >+ This explicitly disables any "--install" reference >+ as that is NOT POSSIBLE with a manual install. >+ Use ONLY IF YOU MUST. The QMAILQUEUE patch is REALLY >+ a GOOD THING!!!! >+ >+ --skip-setuid-test >+ don't test for setuid perl. Only of use for those wanting >+ to run the C-wrapper version. >+ >+ --qmail-queue-binary >+ Set this to the FULL PATH to the Qmail qmail-queue >+ binary. This is only EVER set when doing a manual install. >+ >+ >+This script must be run as root so it can detect problems with setuid >+perl scripts! >+ >+</PRE></TD></TR> >+</TABLE><p></p> >+</center> >+<hr> >+<center><a href="READMEpatched.html">Back</a></center> >+Salvatore Toribio<br> >+<script language="JavaScript" type="text/JavaScript"> >+<!-- // Anti-spam address builder >+ mailaddr ('toribio', 'pusc', 'it') >+// --> >+</script> >+<br> >+20050207 >+<p> >+</body> >+</html> >diff -Naur qmail-scanner-1.25-DISTRO/configure-options.php qmail-scanner-1.25-st-qms-20050219/configure-options.php >--- qmail-scanner-1.25-DISTRO/configure-options.php 2004-10-17 20:50:31.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/configure-options.php 1969-12-31 18:00:00.000000000 -0600 
>@@ -1,185 +0,0 @@ >-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"> >-<HTML> >-<HEAD> >- <TITLE>Qmail-Scanner ./configure options</TITLE> >-</HEAD> >-<BODY BGCOLOR="#FFFFFF"> >- <H1>Qmail-Scanner ./configure options</H1> >- >-<P> >- >- >-The following shows what options the Qmail-Scanner >-installation supports: </P> >- >-<P> >- >-<center> >- >-<table border="1" cellpadding="5" width="80%" bgcolor="#CCCCCC"> >-<TR><TD align=left><PRE> >-./configure --help >-Building Qmail-Scanner 1.21... >- >-valid options: >- --qs-user <username> User that Qmail-Scanner runs as (default: qscand) >- --qmaildir <top of qmail> defaults to /var/qmail/ >- --spooldir <spooldir> defaults to /var/spool/qmailscan/ >- --bindir <installdir> where to install qmail-scanner-queue.pl >- Defaults to /var/qmail/bin/ >- --admin <username> user to Email alerts to (default: root) >- --domain <domain name> "user"@"domain" makes up Email address >- to Email alerts to. >- --scanners <list of installed content scanners> >- Defaults to "auto" - will use >- whatever scanners are found on system. >- Use this option to override "auto" - set >- to one or more of the following: >- >-auto,none,clamscan,clamdscan,sweep,sophie,vscan,trophie,uvscan,csav,antivir,kavscanner,AvpLinux,kavdaemon,AvpDaemonClient,fsav,fprot,inocucmd,ravlin,vexira,verbose_spamassassin,fast_spamassassin >- >- Note the special-case "none". This >- will disable all but the internal >- perlscanner module. >- >- --skip-text-msgs [yes|no] Defaults to "yes" - Q-S will skip >- running any anti-virus scanners on >- any messages it works out are text-only. >- i.e. don't have any attachments. >- Set to "no" if you want them to be scanned >- anyway. >- >- --notify "none|sender|recips|precips|admin|nmladm|nmlvadm|all" Defaults to "psender,nmlvadm". >- Comma-separated list (no spaces!) >- of addresses to which alerts should >- be sent to. "nmladm" means only >- notify admin for "user infections", >- i.e. non-mailing-list mail. 
>- "nmlvadm" is the same as nmladm - except >- that it also doesn't notify for viral e-mails. >- i.e. just "policy" quarantines get e-mails. This allows you to >- still notify people when an e-mail is blocked due to >- a policy decision (such as blocking password-protected >- zip files), but a message tagged as viral by an AV system >- will *not* trigger notification. >- Similarly, "psender"/"precips" means notify the sender/recips only >- if their e-mail was blocked for policy reasons. i.e. if an AV system >- found a virus, then don't notify the sender/recip as the address was >- probably forged. >- --local-domains "one.domain,two.domain" Defaults to the >- value of the "--domain" setting. >- Comma-separated list (no spaces!) >- of domains that are classified as >- "local". This is needed to ensure >- alerts are only sent to local users >- and not remote when '--notify "recips"' >- is chosen. This will drastically >- reduce the chance of alerts being >- sent to mailing-lists. >- --silent-viruses "virus1,virus2" Defaults to "auto". >- This option allows you to tell >- Qmail-Scanner *not* to notify >- senders when it quarantines one >- of these viruses. Viruses such >- as Klez alter the sender address >- so that it has no relation to the >- actual sender - so there's no point >- in responding to Klez messages - it >- just confuses people. The admin and >- recips will still be notified as set >- by "--notify". >- Use this option to override "auto". >- By default this is set to: >- klez,bugbear,hybris,yaha,braid,nimda,tanatos,sobig,winevar,palyh,fizzer,gibe,cailont,lovelorn,swen,dumaru,sober,hawawi,holar-i,mimail,poffer,bagle,worm.galil,mydoom,worm.sco,tanx,novarg,@mm >- --lang "af_ZA cs_CZ de_DE en_GB enlt_LT enlt_LT_short en_PL es_ES fr_FR it_IT ja_JP.EUC nl_NL no_NO pl_PL pt_BR pt_PT sk_SK sv_SE tr_TR tr_TR_ascii tw_BIG5" >- Defaults to en_GB. >- --archive [yes|no|regex] Defaults to "no". Whether to archive mail after >- it as been processed. 
If "yes", all copies of >- processed mail will be moved into the maildir >- "/var/spool/qmailscan/archives/". Any other string besides >- "yes" and "no" will be treated as a REGEX. Only mail >- from or to an address that contains that regex will >- be archived. e.g. "jhaar|harry" or "\@our.domain". >- Be careful with this option, a badly written regex >- will cause Qmail-Scanner to crash. >- --redundant [yes|no] Defaults to "yes". Whether or not to let the scanners >- also scan any zip files and the original "raw" Email >- file. >- --log-details [yes|syslog|no] Whether or not to log to mailstats.csv/via >- syslog the attachment structure of every Email >- message. Logs to "syslog" by default. >- --log-crypto [yes|no] Defaults to "no". Whether or not to log the presence >- of cryptographic (both signing and encrypting) >- technologies in the "log-details". Q-S can flag >- PGP, S/MIME and password-protected zip files. This >- is informational logging only. >- --fix-mime [yes|no|num] Defaults to "yes" (2). Whether or not to attempt to >- "fix" broken MIME messages before doing anything >- else. Should be safe, but *may* break some >- strange, old mailers (none known yet). If you see blocks >- occurring due to this setting, try "--fix-mime 1" first >- before "--fix-mime no". >- --ignore-eol-check [yes|no] Defaults to "no". Making this "yes" stops Qmail-Scanner >- from treating "\r" or "\0" chars in the headers of >- MIME mail messages as being suspicious enough to quarantine >- mail over. Some sites receive so much broken e-mail that this >- option has been created so that they can still receive such >- messages without having to be as drastic as to "--fix-mime no" >- - which disables all sorts of other good stuff. Use only if you >- have to. >- >- --add-dscr-hdrs [yes|no|all] Defaults to "no". This adds the now old-fashion >- X-Qmail-Scanner headers to the message. "all" adds >- the "rcpt to" headers too - this is a privacy hole. 
>- --debug [yes|no] Whether or not debugging is turned on. On (yes) >- by default. Can be also set to a number. Numbers >- over 100 cause Q-S to not cleanup working files >- - thus allowing for offline debugging... >- --unzip [yes|no] Whether or not to forcibly unzip all zip files. Off >- by default as most AV's do unzip'ping themselves. >- --max-zip-size [number] Defaults to 1 Gbytes. >- This setting allows you to control the maximum size you >- are willing to allow zip file attachments to unpack to. >- This is to enable you to limit DoS attacks against your >- Qmail-Scanner installation (someone could send you a small zip >- file that unpacks to Gbytes of useless files - filling your harddisk). >- Set to whatever value you think is appropriate for your system. The >- default value of 1Gb is set so large so as not to assume anything about >- your system - YOU WILL NEED TO SET THIS VALUE IN ORDER TO GAIN ANY >- PROTECTION. >- --block-password-protected [yes|no] Defaults to "no". Setting this to "yes" allows >- you to quarantine any incoming zip files that are password >- protected. This is primarily to stop viruses such as Bagle which >- arrive within a password-protected zip file. >- --batch Do not confirm configure information (mainly for scripting) >- --install Create directory paths, install perl script, >- and change ownerships to match. >- --mime-unpacker "reformime" Defaults to reformime. >- >- **************** >- Rarely Used >- **************** >- >- --no-QQ-check Do not check that the QMAILQUEUE patch is installed. >- This explicitly disables any "--install" reference >- as that is NOT POSSIBLE with a manual install. >- Use ONLY IF YOU MUST. The QMAILQUEUE patch is REALLY >- a GOOD THING!!!! >- >- --skip-setuid-test don't test for setuid perl. Only of use for those wanting >- to run the C-wrapper version. >- >- --qmail-queue-binary Set this to the FULL PATH to the Qmail qmail-queue >- binary. This is only EVER set when doing a manual >- install. 
>- >- >-This script must be run as root so it can detect problems with setuid >-perl scripts! >- >- >-</PRE></TD></TR> </TABLE> </P> >- >-<p><font size="-3"><b>Last Updated:</b> <?php echo date ("l dS of F Y h:i:s A",filemtime($_SERVER[SCRIPT_FILENAME])). " GMT"; ?></font> >-<P> >-</BODY> </HTML> >diff -Naur qmail-scanner-1.25-DISTRO/configure-options.txt qmail-scanner-1.25-st-qms-20050219/configure-options.txt >--- qmail-scanner-1.25-DISTRO/configure-options.txt 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/configure-options.txt 2005-02-19 07:13:53.000000000 -0600 
>@@ -0,0 +1,312 @@ >+ Qmail-Scanner-1.25-st-qms (st-qms patch) ./configure options >+ >+The following shows what options the Qmail-Scanner-1.25-st-qms (st-qms patch) >+installation supports: >+ >+ ./configure --help >+ >+valid options: >+ >+ --qs-user <username> (default: qscand) >+ User that Qmail-Scanner runs as >+ >+ --qs-group <usergroup> (default: same as qs-user) >+ Group of the user that Qmail-Scanner runs as >+ >+ --qmaildir <top of qmail> (defaults to /var/qmail) >+ >+ --spooldir <spooldir> (defaults to /var/spool/qmailscan) >+ >+ --bindir <installdir> (defaults to /var/qmail/bin) >+ Where to install qmail-scanner-queue.pl >+ >+ --admin <username> (default: root) >+ User to Email alerts to >+ >+ --domain <domain name> >+ "user"@"domain" makes up Email address to Email alerts to >+ >+ --admin-fromname <"From Name"> (default: "System Anti-Virus Administrator") >+ From line information used when making reports, the input >+ must be quoted. i.e. --admin-fromname "Antivirus Admin" >+ >+ --local-domains "one.domain,two.domain" >+ Defaults to the value of the "--domain" setting. >+ Comma-separated list (no spaces!) of domains that are >+ classified as "local". This is needed to ensure alerts >+ are only sent to local users and not remote when >+ '--notify "recips"' is chosen. This will drastically >+ reduce the chance of alerts being sent to mailing-lists. >+ >+ --scanners <list of installed content scanners> >+ Defaults to "auto" - will use whatever scanners are found >+ on system. >+ Use this option to override "auto" - set to one or more >+ of the following: >+ >+ [auto|none|clamscan,clamdscan,sweep,sophie,vscan,trophie, >+ uvscan,csav,antivir,kavscanner,AvpLinux,kavdaemon, >+ AvpDaemonClient,fsav,fprot,inocucmd,vexira,bitdefender, >+ verbose_spamassassin,fast_spamassassin] >+ >+ Note the special-case "none". This will disable all but >+ the internal perlscanner module. 
>+ >+ --skip-text-msgs [yes|no] (defaults to "yes") >+ Q-S will skip running any anti-virus scanner on any messages >+ it works out are text-only. i.e. don't have any attachments. >+ Set to "no" if you want them to be scanned anyway. >+ >+ --notify [none|sender|recips|precips|admin|nmladm|nmlvadm|all] >+ (defaults to "psender,nmlvadm") >+ Comma-separated list (no spaces!) of addresses to which >+ alerts should be sent to. "nmladm" means only notify >+ admin for "user infections", >+ i.e. non-mailing-list mail. >+ "nmlvadm" is the same as nmladm - except that it also doesn't >+ notify for viral e-mails. >+ i.e. just "policy" quarantines get e-mails. >+ This allows you to still notify people when an e-mail is >+ blocked due to a policy decision (such as blocking >+ password-protected zip files), but a message tagged as viral >+ by an AV system will *not* trigger notification. >+ Similarly, "psender" means notify the sender only if their >+ e-mail was blocked for policy reasons. >+ i.e. if an AV system found a virus, then don't notify the >+ sender as the address was probably forged. >+ >+ --silent-viruses "virus1,virus2" (defaults to "auto") >+ This option allows you to tell Qmail-Scanner *not* to >+ notify senders when it quarantines one of these viruses. >+ Viruses such as Klez alter the sender address so that it >+ has no relation to the actual sender - so there's no point >+ in responding to Klez messages - it just confuses people. >+ The admin and recips will still be notified as set >+ by "--notify". Use this option to override "auto". 
>+ By default this is set to: >+ "klez,bugbear,hybris,yaha,braid,nimda,tanatos,sobig,winevar, >+ palyh,fizzer,gibe,cailont,lovelorn,swen,dumaru,sober,hawawi, >+ hawaii,holar-i,mimail,poffer,bagle,worm.galil,mydoom,worm.sco, >+ tanx,novarg,\@mm,cissy,cissi,qizy,bugler,dloade,netsky,spam" >+ >+ >+ --lang <lang> (defaults to en_GB) >+ "af_ZA cs_CZ de_DE en_GB enlt_LT enlt_LT_short en_PL es_ES >+ fr_FR it_IT ja_JP.EUC nl_NL no_NO pl_PL pt_BR pt_PT sv_SE >+ tr_TR tr_TR_ascii tw_BIG5" >+ >+ --archive [yes|no|regex] (defaults to "no") >+ Whether to archive mail after it as been processed. >+ If "yes", all copies of processed mail will be moved into >+ the maildir "$AS_QQ/$ARCHIVEDIR/". >+ Any other string besides "yes" and "no" will be treated >+ as a REGEX. Only mail from or to an address that contains >+ that regex will be archived. e.g. "jhaar|harry" or >+ "\@our.domain". >+ Be careful with this option, a badly written regex >+ will cause Qmail-Scanner to crash. >+ >+ --redundant [yes|no] (defaults to "yes") >+ Whether or not to let the scanners also scan any zip files >+ and the original "raw" Email file. >+ >+ --unzip [yes|no] (defaults to "no" - off) >+ Whether or not to forcibly unzip all zip files. >+ Off by default as most AV's do unzip'ping themselves. >+ >+ --max-zip-size [number-bytes] (defaults to 1 Gbytes) >+ This setting allows you to control the maximum size you >+ are willing to allow zip file attachments to unpack to. >+ This is to enable you to limit DoS attacks against your >+ Qmail-Scanner installation (someone could send you a small >+ zip file that unpacks to Gbytes of useless files - filling >+ your harddisk). Set to whatever value you think is >+ appropriate for your system. The default value of 1Gb is >+ set so large so as not to assume anything about your >+ system - YOU WILL NEED TO SET THIS VALUE IN ORDER TO GAIN >+ ANY PROTECTION. >+ Something like "100000000" (100 Mb) might be appropriate. 
>+ >+ --block-password-protected [yes|no] (defaults to "no") >+ Setting this to "yes" allows you to quarantine any >+ incoming zip files that are password protected. >+ This is primarily to stop viruses such as Bagle which >+ arrive within a password-protected zip file. >+ >+ --fix-mime [yes|no|num] (defaults to "2") >+ Whether or not to attempt to "fix" broken MIME messages >+ before doing anything else. Should be safe, but *may* break >+ some strange, old mailers (none known yet). >+ Defaults to "2" enables a bunch of extra MIME checks that >+ have proven to be very useful. >+ >+ --ignore-eol-check [yes|no] (defaults to "no") >+ Making this "yes" stops Qmail-Scanner >+ from treating "\r" or "\0" chars in the headers of >+ MIME mail messages as being suspicious enough to quarantine >+ mail over. Some sites receive so much broken e-mail that this >+ option has been created so that they can still receive such >+ messages without having to be as drastic as to "--fix-mime no" >+ which disables all sorts of other good stuff. >+ Use only if you have to. >+ >+ --add-dscr-hdrs [yes|no|all] (defaults to "no") >+ This adds the now old-fashion X-Qmail-Scanner headers to >+ the message. "all" adds the "rcpt to" headers too - this is >+ a privacy hole. >+ >+ --dscr-hdrs-text <"Descrip-Headers-Text"> (defaults to "X-Qmail-Scanner") >+ Input must be quoted. >+ i.e. --dscr-hdrs-text "X-Antivirus-MYDOMAIN" >+ >+ --log-details [yes|syslog|no] (defaults to "syslog") >+ Whether or not to log to mailstats.csv/via syslog the >+ attachment structure of every Email message. >+ >+ --debug [yes|no] (defaults to "no" - off) >+ Whether or not debugging is turned on. Can be also set to >+ a number. Numbers over 100 cause Q-S to not cleanup working >+ files. Thus allowing for offline debugging... >+ >+ --minidebug [yes|no|1|2] (default: 1) >+ Logs only important information, mail headers, blocks, >+ errors and elapsed time. 
If set to 2, it will log the >+ parent pid (ppid) and the message size. >+ >+ --qms-log [yes|no] (defaults to "yes" - on) >+ Whether or not event logging is turned on. On (yes) >+ by default. Useful for qmail-scanner statistics. >+ >+ --batch >+ Do not confirm configure information (mainly for scripting) >+ >+ --install >+ Create directory paths, install perl script, and >+ change ownerships to match. >+ >+ --mime-unpacker "reformime" (defaults to reformime) >+ >+ >+ --scanners-per-domain [yes|no] (defaults to "no") >+ Enable or disable the domain-wise mode, each user/domain >+ will have a customized @scanner_array. If the user/domain >+ haven't a custom @scanner_array, qmail-scanner will fall >+ to the @scanners_default array. >+ >+ --virus-to-delete [yes|no] (defaults to "no") >+ Enable this option if you want to delete some viruses >+ (i.e. mydoom) without notifying anyone. If you don't enable >+ it now, you can later edit qmail-scanner-queue.pl and add >+ the virus you want to the list virus_to_delete. >+ >+ --sa-delta [num] (default: 0) >+ If $spamc_subject is defined, and fast_spamassassin mode is >+ selected, a tag will be added to the subject indicating how >+ the message is to be considered as spam, in this way: >+ LOW: required_hits < score < required_hits + sa_delta >+ MEDIUM: required_hits + sa_delta < score < required_hits + 2 * sa_delta >+ HIGH: required_hits + 2 * sa_delta < score >+ Be aware, sa_max+2*sa_delta must be lower than sa_quarantine. >+ 'required_hits' is the value set in the SpamAssassin >+ configuration file. >+ >+ --sa-subject <"some text"> (defaults to nothing) >+ This is an alternative way to set the tag that qmail-scanner >+ add to subject of spam mails, to some text. >+ Spamassassin must be working in *fast_spamassassin* mode >+ Be sure that is better to tag the subject, of spam messages, >+ through qmail-scanner than with the rewrite_subject >+ of SpamAssassin. >+ The input must be quoted i.e. "SPAM *** ". 
>+ >+ --sa-forward <username@domain> (defaults to nothing) >+ User to redirect spam mails 'being quarantined' for >+ admin purposes... >+ The message is forwarded almost unmodified so you can >+ use 'sa-learn' with it. >+ If you prefer that the message includes the spam headers >+ enable the next option. >+ (i.e. --sa-forward antispam@mydomain.com) >+ >+ --sa-fwd-verbose [yes|no] (default: no) >+ Whether to add the X-Spam headers to the forwarded message. >+ >+ --sa-quarantine [num] (default: 0) >+ Spam messages with a score higher than >+ (required_hits + sa_quarantine) should be quarantined. >+ Only relevant if SpamAssassin is used. >+ Score of 0 means deliver all messages. >+ >+ --sa-delete [num] (default: 0) >+ Spam messages with a score higher than >+ (required_hits + sa_delete) should be deleted. >+ Only relevant if SpamAssassin is used. >+ Score of 0 means deliver all messages. >+ >+ --sa-reject [yes|no] (default: no) >+ If you enable sa-reject and sa-delete is properly set, >+ messages with a score higher than sa-delete will be rejected >+ before the smtp session is closed. Otherwise they are just >+ dropped silently. (1/0) >+ >+ --sa-alt [yes|no] (default: no) >+ Use the alternative subroutine for spamassassin, it runs in >+ *fast_spamassassin* mode and doesn't pass the '-u' option >+ to spamc. (1/0) >+ >+ --sa-debug [yes|no] (default: no) >+ If sa-alt is enabled an you enable this option, you will >+ have a beautiful log with the tests and the scores of >+ spamassassin in the file qmail-queue.log (1/0) >+ >+ --sa-report [yes|no] (default: no) >+ If sa-alt and sa-debug are enabled you can add >+ the X-Spam-Report header to the messages enabling >+ this option. >+ >+ --sa-socket <path to spamd socket> (defaults to nothing) >+ Actually the configure script can automatically discover >+ if spamd is running in unix-socket mode, but, >+ if for some reasson the socket couldn't be >+ found properly you can set the path with this option. >+ i.e. 
--sa-socket /var/run/spamd >+ >+ --qms-monitor - [yes|no] enable qms-monitor Account Monitoring >+ --qms-monitor-accts - list of email accounts to be monitored, separated by >+ commas >+ Example: "acct1@dom2.com,acct2@dom1.com" >+ --qms-monitor-dests - list of destination paths for monitored email messages >+ Note 1: locations here will be saved underneath >+ .../qmailscan/qms-monitor; a cron job can later >+ copy from that location to an alternate email >+ domain used for account monitoring. >+ Note 2: each entry in this array corresponds to the >+ email address in the same location of the >+ qms-monitor-accts list above - i.e., >+ qms-monitor-accts[2] msgs get stored at >+ qms-monitor-dests[2] - thus, ORDER DOES MATTER >+ Note 3: DO NOT include a leading "/" on these paths - >+ they will typically be entries that ultimately >+ belong in /home/vpopmail/domains - so start with >+ the domain name. >+ Example: "mon.dom2.com/acct1/Maildir/new,mon.dom1.com/acct2/Maildir/new" >+ >+ **************** >+ Rarely Used >+ **************** >+ >+ --no-QQ-check >+ Do not check that the QMAILQUEUE patch is installed. >+ This explicitly disables any "--install" reference >+ as that is NOT POSSIBLE with a manual install. >+ Use ONLY IF YOU MUST. The QMAILQUEUE patch is REALLY >+ a GOOD THING!!!! >+ >+ --skip-setuid-test >+ don't test for setuid perl. Only of use for those wanting >+ to run the C-wrapper version. >+ >+ --qmail-queue-binary >+ Set this to the FULL PATH to the Qmail qmail-queue >+ binary. This is only EVER set when doing a manual install. >+ >diff -Naur qmail-scanner-1.25-DISTRO/contrib/sub-avpdaemon.pl qmail-scanner-1.25-st-qms-20050219/contrib/sub-avpdaemon.pl >--- qmail-scanner-1.25-DISTRO/contrib/sub-avpdaemon.pl 2003-10-19 15:43:44.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/contrib/sub-avpdaemon.pl 2005-02-19 06:45:29.000000000 -0600 
>@@ -12,18 +12,21 @@ > if ($DD =~ /(.*)[Ii]nfected: (.*)\n/) { > $quarantine_description=$2; > &debug("At least one virus was found! ($quarantine_description)"); >+ &minidebug("avp: there be a virus! ($quarantine_description)"); > $quarantine_event++; > $description .= "\n---avpdaemon results ---\n$DD"; > } > elsif ($DD =~ /(.*)[Ss]uspicion: (.*)\n/) { > $quarantine_description=$2; > &debug("There may be a virus! ($quarantine_description)"); >+ &minidebug("avp: there be a virus! ($quarantine_description)"); > $quarantine_event++; > $description .= "\n---avpdaemon results ---\n$DD"; > } > elsif ($DD =~ /(.*)[Cc]orrupted:(.*)[^0]+(.*)\n/) { > $quarantine_description=$2; > &debug("Corrupted file in attachment ($quarantine_description)"); >+ &minidebug("avp: corrupted file in attachment ($quarantine_description)"); > $quarantine_event++; > $description .= "\n---avpdaemon results ---\n$DD"; > } else { >@@ -35,4 +38,5 @@ > $stop_avpdaemon_time=[gettimeofday]; > $avpdaemon_time = tv_interval ($start_avpdaemon_time, $stop_avpdaemon_time); > &debug("avp: finished scan of dir \"$ENV{'TMPDIR'}\" in $avpdaemon_time secs"); >+ &minidebug("avp: finished scan in $avpdaemon_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/index.php qmail-scanner-1.25-st-qms-20050219/index.php >--- qmail-scanner-1.25-DISTRO/index.php 2005-01-27 16:33:51.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/index.php 1969-12-31 18:00:00.000000000 -0600 
>@@ -1,456 +0,0 @@ >-<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> >-<html> >-<head> >- <meta name="MSSmartTagsPreventParsing" content="TRUE" /> >- <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> >- <meta name="keywords" content="unknown virii,activex, av, avp, cai, clamscan, content scanner, e-mail, email, enterprise, filtering, f-prot, fsecure, inoculan, internet, intranet, java, javascript, linux, macafee, commandcom, misuse anti-virus, network, perl, qmail, qmail-queue qmail-scanner, scan, scan, scan4virus, scanning, scanning, script, security, SMTP, sophie, sophos, spam, spam assassin, spamassassin, trend, trophie, unix, virus, worms"> >- <meta date="<?php echo date ("l dS of F Y h:i:s A",filemtime($SCRIPT_FILENAME)); ?>"> >- <title>Qmail-Scanner - An Content Scanner for Qmail</title> >-</head> >-<body bgcolor="#FFFFFF"> >- <font size="-3"><b>Last Updated:</b> <?php echo date ("l dS of F Y h:i:s A",filemtime($_SERVER["SCRIPT_FILENAME"])). " GMT"; ?></font> >- >-<div align="right"><A href="http://sourceforge.net"> <IMG src="http://sourceforge.net/sflogo.php?group_id=6116" width="88" height="31" border="0" alt="SourceForge Logo"></A></div> >- >- >-<div align="left"><a href="http://qmail-scanner.sourceforge.net/" align="left">URL: http://qmail-scanner.sourceforge.net/</a></div> >-<center> >-<h1> >-<a href="http://qmail-scanner.sourceforge.net/" align="center">Qmail-Scanner: >-Content Scanner for Qmail</a></h1></center> >- >-<P> >- >- <i><font size="2">Copyright 2000/2004 Jason Haar. This software is distributed >-under the terms of the GNU General Public License. See <a href="COPYING">COPYING</a> for additional information.</font> >- </i> >- >- >- >-<P> >- >-<h2>Description</h2> <b>Qmail-Scanner</b> is an add-on that enables a Qmail e-mail server to scan all gateway-ed >-e-mail for certain characteristics (i.e. a content scanner). 
It is typically used for its >-anti-virus protection functions, in which case it is used in >-conjunction with external virus scanners. but also enables a site (at a server/site level) to >-react to e-mail that contains specific strings >-in particular headers, or particular attachment filenames or types >-(e.g. *.VBS attachments). It also can be used as an archiving tool for >-auditing or backup purposes. Qmail-Scanner is integrated into the >-mail server at a lower level than some other Unix-based virus >-scanners, resulting in better performance. It is capable of scanning >-not only locally sent/received e-mail, but also e-mail that crosses the >-server in a relay capacity. >- >-<h2> >-Features</h2> >- >-<ul> >-<li> >-Uses almost any external Unix command-line virus scanner.</li> >- >-<li> >-Can call more than one virus scanner for each mail message</li> >- >-<li> >-Has its own internal scanner that can be used to >-pick up virii for which scanner updates are not yet available</li> >- >-<li> >-The internal scanner can also be used to block e-mail based on attachment types, >-or e-mail with certain e-mail headers... Need to stop *.mp3 files or "<b>Subject:</b> >-ILOVEYOU" e-mail getting onto and off your LAN - can do! :-)</li> >- <li>Internal engine scans for poorly formatted messages that are known to be used by trojans/virii to infect clients. As such, this is <em>independent of any virus scanner, and can successfully operate against future virii/trojans</em>. Such messages are quarantined immediately. Known to block such major virii as Klez and Aliz, and as a side effect, stops a fair amount of spam too! Format checks include: >- <ul> >- <li>broken MIME continuation headers</li> >- <li>use of comments within standard headers (e.g. "Content-T(xxxxxx)ype:" is *identical* to "Content-Type:" according to the RFCs - but some virii use this as it circumvents some anti-virus scanners). 
Valid use of this is never seen in the wild - so it's blocked</li> >- <li>repeated occurrences of MIME headers makes Q-S rename the latter ones to nullify them</li> >- <li>MIME boundaries over 250 chars are blocked</li> >- <li>differing definitions of a particular attachment filename causes it to be blocked </li> >- <li>double-defining the same MIME boundary is blocked</li> >- <li>certain MIME types containing windows executable extensions are specifically blocked (e.g. an "audio/wav" of filename "xxx.exe" could only be a virus)</li> >- <li>broken headers within a MIME attachment are blocked</li> >- <li>windows executable attachments that aren't marked as being of MIME type "application/....." are blocked.</li> >- <li>attachment filenames over 256 chars are blocked</li> >- <li><em>some</em>double-barrelled filenames are blocked (e.g. file.gif.exe)</li> >- <li>CLSID file extensions are blocked</li> >- <li>Password-protected zip files can be blocked if you wish ("--block-password-protected yes"). This would stop any future viruses stuffed inside password-protected zip files from getting through, but of course would also stop any legitimate usage. Turned off by default, but perhaps useful to turn on during a new outbreak, and turned off again once an AV update occurs that can catch it.</li> >- <li>defaults to always running any AV you may have over messages first, then runs the internal scanner (perlscan) checks. This means if you block ".PIF" files due to them normally containing viruses, then any .PIF files that do contain a virus known to your AV system will be flagged as such, and any that were missed (perhaps they were a Day-Zero virus) are then tagged as being blocked. This differentiation is then used by the alerting system. 
It defaults to not notifying the sender that a virus has been found, but will still notify them of attachments been blocked (see below for more detail).</li> >- <li></li> >- </ul> >- >-</li> >- <li>Can integrate with SpamAssassin to provide comprehensive anti-spam tagging for an entire site - no more running spamc from procmail/whatever!</li> >-<li> >-Auto-detects e-mail from "postmaster"-style and mailing-list >-addresses - and doesn't send virus reports to them (i.e. attempts to act >-more like a responsible net citizen)</li> >- <li>Knows of the virii which forge the From headers - so that the virus appears to come from some poor innocent. Qmail-Scanner will not send alerts to the sender for those types of virii.</li> >- <li>Due to the fact that over 99% of all e-mail-borne viruses are now sent using forged sender information, Q-S now defaults to NOT alerting the sender that a message has been quarantined, unless it was due to a Policy/Perlscan block. This can be turned back to the "old" style by using "--notify sender" instead of the newer default of "--notify psender"</li> >-<li> >-Each message is tagged via a new <b>Received:</b> header >-with a virus report showing whether it is clean or not and virus scanner >-version numbers/etc</li> >- >-<li> >-Messages with virii are moved into a "maildir" mail folder >-for later perusal by the appropriate staff</li> >- >-<li> >-Can optionally add a descriptive header: <b>X-Qmail-Scanner</b> >-to every e-mail that passes through the system to allow users to see that >-a scanner has run over their messages</li> >- >-<li> >-Messages caught by Qmail-Scanner generate an e-mail message (currently >- supports English, Italian, Afrikaans, Polish, Swedish, Czech, German, Spanish, Turkish, >- Lithuanian, French, Portuguese, Dutch and Chinese messages) to a configurable combination of the sender, recipients and a "quarantine-admin" address explaining why their message was rejected >-</Li> >-<li> >-Can archive all processed e-mail 
into an archive maildir. >-Useful when debugging e-mail-based apps, for backup purposes and for audit >-policy reasons. Currently the mail envelope headers (the "rcpt to:" and "mail from:" headers) are appended to the bottom of each message.</li> >-<li>Can report via syslog or to a file, a one-line description of each processed message, giving information such as subject line, attachment filenames, sizes, etc.</li> >-<li> >-Redundant scanning. Not only does it unpack each message >-before running the scanners over it, it can also scan the original e-mail >-message as well as the unpacked messages (if you think a particular scanner >-can do a better job than <i>Qmail-scanner</i>'s internal systems allow.)</li> >- <li>Reporting: in the contrib directory there's qs2mrtg.pl. A perl script for monitoring your syslog files for qmail-scanner records. It then graphs how Qmail-Scanner is processing your e-mails. It creates different graphs for incoming vs outgoing e-mail, as well as the flow of spam and viruses.</li> >-</ul> >- >-<h2> >-Download</h2> >-The latest release is 1.25 <a href="http://prdownloads.sourceforge.net/qmail-scanner/qmail-scanner-1.25.tgz?download">(via http)</a>, >-and is kindly housed by <a href="http://sourceforge.net/">SourceForge</a>. GnuPG signature of <a href="http://prdownloads.sourceforge.net/qmail-scanner/qmail-scanner-1.25.tgz.asc?download">qmail-scanner-1.25.tgz.asc</a> is also available. Of course, you'll be needing my <a href="http://qmail-scanner.sourceforge.net/jhaar@users.sourceforge.net.gpg">GPG Public Key</a> to verify that. >-<h2> >-Requirements</h2> >- >-<ul> >-<li> >-Qmail 1.03 (<font size="-2">there's a <a href="http://untroubled.org/qmail+patches/">patched src RPM</a> for Linux users available that contains the QMAILQUEUE patch amongst other things - just "rpm --rebuild" as root to build your own i386.rpm. NOTE: I cannot vouch for it - I do not use it. 
Please ensure you know how it works before installing Qmail-Scanner.</font>)</li> >- <li>Create a separate account under which to run Qmail-Scanner: defaults to username and groupname "<b>qscand</b>". For extra security, create it with a normal home directory (e.g. "/home/qscand"), but with a "fake" shell (e.g. "/bin/false") - as it's never logged into directly.</li> >-<li> >-<b>reformime</b> from <a href="http://download.sourceforge.net/courier/">Maildrop >-1.3.8+</a></li> >- >-<li> >- Perl 5.005_03+ </li> >- >-<li> >-Perl module <a href="http://search.cpan.org/search?module=Time::HiRes">Time::HiRes</a></li> >-<li> >-Perl module <a href="http://search.cpan.org/search?module=DB_File">DB_File</a> (most distributions come with it pre-installed, although the latest Perl doesn't)</li> >- <li>Perl module <a href="http://search.cpan.org/search?module=Sys::Syslog">Sys::Syslog</a> (most distributions come with it pre-installed)</li> >-<li><b>Barely Optional:</b> Mark Simpson's <a href="http://sourceforge.net/projects/tnef/">TNEF unpacker</a>. Can decode those annoying MS-TNEF MIME attachments that Microsoft mail servers just <em>love</em> to use. If you don't have this, there are several classes of e-mail that you basically won't be able to detect virii in.</li> >-</ul> >- >-<h3> >-Patches</h3> >-Bruce Guenter's <a href="http://www.qmail.org/qmailqueue-patch">QMAILQUEUE</a> >-patch is required to enable Qmail to call a different qmail-queue program >-than the one compiled in by default. <i>Qmail-scanner</i>'s >-<b>qmail-scanner-queue.pl</b> >-perl script is used instead of Qmail's >-<b>qmail-queue</b> binary. After >-<b>qmail-scanner-queue.pl</b> >-has run, it calls the original <b>qmail-queue</b> binary to resubmit the >-message back into the system. >-<ul> >-<li> >-<b>Note 1:</b> Bruce Guenter also provides a <a href="http://untroubled.org/qmail+patches/">patched qmail-1.03 RPM</a> for Linux systems that contains the above patch plus a bunch of other bits and pieces. 
Linux users may find it easier to use that. As mentioned above, please ensure you have Qmail working before installing Qmail-Scanner. On the Qmail-Scanner mailing-lists, we are seeing too many cases of users having "problems" - which end up being Qmail configuration/understanding issues...</li> >-</ul> >- >-<h3> >-Supported Virus Scanners</h3> >-The following virus scanners are known to work with qmail-scanner. >-Other Unix-based scanners should be simple to add support for. >-<ul> >-<li> >-<a href="http://www.antivirus.com/">Trend's InterScan VirusWall Virus scanner</a></li> >- >-<li> >-<a href="http://www.sophos.com/">Sophos's "sweep" virus scanner</a></li> >- >-<li> >-<a href="http://www.hbedv.com/">H+BEDV's antivir scanner</a></li> >- >-<li> >-<a href="http://www.kaspersky.com/">Kaspersky's AVPLinux scanner</a></li> >- >-<li> >-<a href="http://www.nai.com/">MacAfee's (NAI's) virus scanner</a></li> >- <li><a href="http://www.commandsoftware.com">Command's virus scanner</a></li> >-<li> >-<a href="http://f-secure.com/">F-Secure Anti-Virus scanner</a></li> >- <li><a href="http://www.f-prot.com/f-prot/products/fplin.html">F-Prot Anti-Virus scanner</a></li> >-<li> >-<a href="http://www.cai.com/">InocuLAN Anti-Virus scanner</a></li> >- <!--li><a href="http://www.rav.ro/">RAV Anti-Virus</a></li--> >- <li><a href="http://www.bitdefender.com/bd/site/products.php?p_id=16">BitDefender Linux Edition</a></li> >- <li><a href="http://www.centralcommand.com/">Central Command's Vexira anti-virus scanner</a></li> >- <li><a href="http://www.clamav.net/">Clam Anti-Virus</a> - an Open Source anti-virus scanner</li> >- <li><a href="http://www.nod32.com/">ESET NOD32 Anti-Virus scanner</a></li> >- >-<li><a href="http://www.vanja.com/tools/">Sophie: Daemon front-end to Sophos Sweep</a> (see <a href="FAQ.php">FAQ</a> for details)</li> >-<li><a href="http://www.vanja.com/tools/">Trophie: Daemon front-end to Trend iscan</a> (see <a href="FAQ.php">FAQ</a> for details)</li> >- <li><a 
href="http://spamassassin.org/">Spam Assassin Daemon</a> (see <a href="FAQ.php">FAQ</a> for details)</li> >-</ul> >- >-<h2>CHANGES</h2> >-<P> There is a separate <a href="CHANGES">page</a> listing changes that have been made between releases </p> >- >-<h2> >-TODO</h2> >-<p> There is a separate <a href="TODO.php">TODO</a> page.</p> >- >-<h2> >-FAQ</h2> >-<p> There is a separate <a href="FAQ.php">FAQ</a> page.</p> >- >-<h2> >-Performance/Resource Usage</h2> >- >-Adding content/virus scanning to an e-mail server <i>will</i> >-considerably add to the resource usage of that server. As this >-"wrapper" is written in perl instead of low-level C, quite a lot of >-memory and file opens/stats occurs just to get it going. Adding to >-this the actual scanners memory and CPU usage and it becomes quite >-complicated (certainly the debugging info shows that the scanner >-harness spends more time running the external scanners than it does >-doing things itself [that is to be expected as they do quite a lot of >-thinking...]). <p>As a "rule of thumb" I'd suggest you look at how >-many simultaneous SMTP sessions you are willing your box to have going >-at any one point in time. Each SMTP session can invoke up to 'n' >-different virus scanners (although they run one after the other - not >-simultaneously) and I'd estimate that leads to around 5-6Mb of memory >-usage per SMTP session. Thus if your dedicated SMTP host has 256Mb >-RAM + 256Mb swap - that should mean you can handle - well heaps ;-) >-The scanners cause the CPU to be thrashed while they're running, so >-I'm making sure for our site that our Qmail server will only accept up >-to 30 incoming SMTP sessions at any one time - that way I know the box >-will handle it. As this leads to an increased memory usage, don't >-forget Qmail's memory limits will need to be increased to deal with it (set >-via ulimit or softlimit calls with Qmail system startup scripts). 
>-<p>One thing you should test for is what happens if connectivity >-between this server and another local SMTP server is down for any >-length of time (due to failure/power outage). When the link is >-restored, can your server handle the other trying to dump 1,000's of >-e-mail msgs onto it at once? You need to use softlimit and tcpserver's >-limit options to ensure your box doesn't get killed. Note that this >-resource issue isn't caused by Qmail-Scanner. >-The same thing will happen with a pure, untouched Qmail (or any other) >-system - it will just happen sooner... >-<p>After that scare-mongering I should say that I have tested >-Qmail-Scanner under ridiculously low resource conditions - and it reacts as >-it should - so at worst your system should start deferring e-mail. Thankfully >-DJB's layering of programs is such that this is easy to accomplish :-) >-<h2> >-Installation</h2> >- >-<ul> >- <li><b>IMPORTANT:</b> Ensure all anti-virus scanners and/or SpamAssassin are installed and operational before attempting to install Qmail-Scanner. Ensure these products are usable by non-root accounts (some people have had problems with permissions on some AV scanners in the past)</li> >-<li> >-Unpack <i>Qmail-Scanner</i> and run <b>./configure --help</b>. >-This will show you what >-<a href="configure-options.php">options</a> >-are available to you.</li> >- >-<li> >-Run <b>./configure ...</b> [with your options], it will autodetect >-what software is installed on your system, and will generate a script specific >-to your system. 
If you don't see any errors reported, then the build is (probably) successful.</li> >- >-<li> >-Run <b>./configure</b> again, this time include "<i>--install</i>" along with the options you chose, this will do the same as the previous line, but will also create the directory structure >-required, and install <b>qmail-scanner-queue.pl</b></li> >- >-<li> >-If you want to manually install it, see the <a href="manual-install.php">Manual >-Installation</a> page.</li> >-<li> >-Before going any further, you can test the installation by running <b>./contrib/test_installation.sh</b>. This will send four e-mails: one normal, two "infected" with the EICAR test virus, and one obvious SPAM - to "root". Obviously <i>Qmail-Scanner</i> should let one through,catch the viruses, and tag the SPAM as "spammy" (if SpamAssassin is installed of course!). As Qmail-Scanner now defaults to not notifying anyone when a virus is caught, you may have to depend on the logs (e.g. syslog if you used "--log-details=syslog") to see what Qmail-Scanner did.</li> >- >-</ul> >-At this stage qmail-smtpd will need to be "told" that Qmail knows to use <b>qmail-scanner-queue.pl</b> >- instead of <b>qmail-queue</b>. This is done via the tcpserver control files for smtp. Look to see where tcpserver for qmail-smtpd gets its rules from - it's the file after the "-x" option (well, that's the CDB version actually - find the text file yourself! ;-). 
Edit that file and tell qmail-smtpd which IP address ranges (corresponds to SMTP client IP addresses) you want Qmail-Scanner to be invoked on - typically all of them.<p> >- <pre> >-#/etc/tcpserver/smtp.rules >-# >-# No Qmail-Scanner at all for mail from 127.0.0.1 >-127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue" >-# Use Qmail-Scanner without SpamAssassin on any mail from the local network >-# [it triggers SpamAssassin via the presence of the RELAYCLIENT var] >-10.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" >-# >-# Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world >-:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" >-</pre></p> >- >-<P> >-The above example means from now on all SMTP mail will be scanned, but >-with different characteristics. Mail from the LAN (10. network) will >-be scanned by the supported virus scanners, whereas mail from the >-Internet will be scanned for virii AND tagged by SpamAssassin. This >-finer control allows you a lot of versatility, e.g. virus scanning >-only performed on mail coming from your Exchange server, and not from your Unix servers. >- >-<P> >- >-<table> >-<tr> >-<td BGCOLOR="#F5DEB3">You <em>must</em> increase the amount of memory your system allows qmail-smtpd >-to run with, as it it now running the entire perl interpreter PLUS >-virus scanners. Typical installs of Qmail have system rc/startup >-scripts (e.g. <b>/etc/rc.d/init.d/qmail</b> or <b>/service/smtp/run</b>) that limit the amount of RAM qmail-smtpd can use via ulimit or >-softlimit. You must increase that to around 5-11Mb (totally dependent on your OS and choice of anti-virus scanner). If you don't >-qmail-smtpd will crash with a "qq" error on the receipt of the very >-first message... The actual amount is dependent on the OS in question as well as the virus scanners being used, so be prepared to experiment a little. 
Whatever you do, <em>don't</em> just set it to something stupid like 100M "just to be sure". The whole point about limiting RAM usage is so that "unusual" mail messages (e.g. from spammers or hackers) can't cause your system to become unusable by making it run out of RAM.</td> >-</tr> >-</table> >- >- >-<p>To scan all mail sent by local shell users, the <b>QMAILQUEUE</b> >-will also need to be defined within <b>/etc/profile</b> or the like so >-that when they send mail, it will be affected as well. >-<table> >-<tr> >-<td BGCOLOR="#F5DEB3">Although as they are obviously Unix users, >-you may want to save your system the effort and explicitly NOT do that! >- :-)<p>Also, think twice before running Qmail-Scanner in front of any mailing-list servers. Do you really think it's a good idea to have 10,000 messages banging away at your anti-virus system at the same time? Either put your mailing-list servers beyond the reach of your Qmail-Scanner servers, or put the mailing-list on the Qmail-Scanner servers themselves - that way each message is only scanned once and the load issues disappear.</p></td> >-</tr> >-</table> >- >-<p>If "<i>$DEBUG=1</i>" (the default) is set within <b>qmail-scanner-queue.pl</b>, then every transaction >-will be logged to >-<b>/var/spool/qmailscan/qmail-queue.log</b> - so you'll >-see how it goes. Regardless of debugging, errors (and attachment info if >-enabled) should also be recorded in the qmail logs (probably via <i>syslog</i>) >-- just look for entries containing the string "<b>X-Qmail-Scanner</b>". >-<p>Any SMTP sessions that are dropped (due to network outages/etc) >-may lead to files lying around in <b>/var/spool/qmailscan </b>. Running >-<b>/var/qmail/bin/qmail-scanner-queue.pl -z</b> at least once daily will >-ensure such files are deleted when they're >-over 30 hours old - make a cronjob to do that. Also realize that <b>/var/spool/qmailscan/qmail-queue.log</b> will grow without bounds. 
At some stage turn debugging off (<i>$DEBUG=0</i>) and delete the logfile. Personally, I like the logfile, so I run a cronjob that just does "mv -f qmail-queue.log qmail-queue.log.1" at 3am every morning. That way logs don't grow without bound, but you still end up with the logs from the past two days. The file can be safely deleted at any time if it becomes a disk-hog, but unless "<i>$DEBUG=0</i>" is set, it'll just get re-created the next time a message comes through. >-<P> >- >-Qmail-Scanner contains an internal scanner which allows you to reject e-mail >-based on attachment filenames and/or e-mail headers. Read the <a href="perlscanner.php">minimal document</a> on it for details. >- >-<P> >-<h2> >-Philosophy behind Quarantining...</h2> >-When Qmail-Scanner decided to quarantine a message, it moves >-it into a local mail folder (maildir format) - by default >-<b>/var/spool/qmailscan/quarantine/</b>. >-This means the message can be read in its pure "adulterated" state (e.g. still containing virii) by maildir >-clients like <a href="http://www.mutt.org/">mutt</a> - or via IMAP (if >-maildir format supported - you'll have to work that out for yourself). >-At worse you can just read it with an editor - it's just a MIME file... >-<p>If you want a good IMAP server that supports maildir natively >-- try <a href="http://www.inter7.com/courierimap/">Courier-IMAP</a>. >-<p>I made the decision to write it into maildir format for >-performance and reliability reasons - and it expressly makes it difficult >-for any Windows admin to click on it with their vulnerable Windows mailer >-and read it :-) Qmail actually comes with a program called /var/qmail/bin/maildir2mbox >-which can do just that... (you could run it from cron to automatically >-suck all the new mail messages from <b>/var/spool/qmailscan/quarantine/new/</b> >-into a mbox.) >-<p> >- >- Also note that Qmail-Scanner <em>only</em> quarantines. It >- doesn't drop or "clean" messages. 
Cleaning a message is >- complicated and is becoming less of an issue. Personally I feel >- that if someone sends a virus-laden message through >- Qmail-Scanner, then it should be blocked - not cleaned. Why >- should Qmail-Scanner "fix" someone else's problem? People need to >- take responsibility for their own problems. They get an alert >- telling them they're infected, so they will need to disinfect >- their system before attempting to send mail through your site >- again. Virus scanners that "clean" just make these people think >- they don't have to worry about their problem - someone else is >- fixing it. </p> >- >-<p> >-Qmail-Scanner also doesn't distinguish between >- "blocking" attachments (via the perlscanner module) and >- virii. i.e. if a zip file contains a MP3 file, and you are >- blocking MP3s - then the message will be quarantined. Some >- people think that Qmail-Scanner should only block files if they >- are "direct" attachments - not contained within archive >- attachments. Again, if you have a policy saying "no MP3" - then >- it should apply no matter how it's sent... </p> >- >-<p>Finally, I am finding >- the majority of virii are now trojans - which means that there >- is no actual human-generated message to allow through >- anyway. There is nothing more annoying than being behind some >- other vendors anti-virus scanner when 1,000 copies of the latest >- virus comes through. Receiving 1,000 copies of a "cleaned" >- trojan is only marginally better than receiving the trojan! (in >- fact it's worse for Unix users like me! ;-) In fact, but the >- 10'th copy, all the users receiving mail are now paranoid to >- open <em>any</em> mail as they don't feel secure about what's >- going on. The better response is that the ORIGINATOR receive >- 1,000 alerts telling them they're infected - maybe they'll do >- something about it. 
>-</p> >- >-<p>Also this event is logged in <b>/var/spool/qmailscan/quarantine.log</b> >-in a tab-delimited format (for post-processing). A good script is needed >-to convert this file into some nice graphs for management :-). See <a >- href="http://sourceforge.net/projects/qss/">QSS</a> for an example of one way of generating stats. >- >-<P> >-If Qmail-Scanner was configured with the "--log-details" option, then a >-one-line summary of every message processed is recorded either in mailstats.csv or via syslog. e.g: >-<P> >- <font size="-2"><pre> >-Aug 14 16:22:41 srvname qmail-scanner[30802]: Clear:RC:1(1.2.3.4): 0.030769 11569 root@x.y jdoe@y.z More_Power! <20020814042234.27902.qmail@x.y> 1029298961.30804-0.srvname:10649 >-Aug 14 16:23:17 srvname qmail-scanner[30820]: Clear:RC:0(1.2.3.4): 0.033618 2021 root@x.y jdoe@y.z Cron_<root@x.y>_run-parts_/etc/cron.daily <20020814042243.28092.qmail@x.y> 1029298997.30822-0.srvname:895 >- >-</pre></font> >- >- <p> >-The format is as follows: >-</p> >- <ul> >- <li>[standard syslog stuff]</li> >- <li>qmail-scanner[PID]</li> >- <li>message status: "Clear" or description of quarantine event >- <ul> >- <li>SpamAssassin is recorded as "SA:1" when SA tags the message as Spam, and "SA:0" otherwise</li> >- <li>The "RC:" bit refers to whether or not the e-mail came from a RELAYCLIENT or not: i.e. "1" says the message was from a "local" SMTP client and "0" means it was from an Internet one. The IP address of the SMTP client is then shown in brackets (127.0.0.1 if the message was generated locally). There are extremely useful if (say) you want to trigger a page if a local SMTP client <em>sends</em> a virus...</li> >- <li>If you have "--log-crypto" enabled, "CR:XXX will appear in the log record of any message that uses PGP, S/MIME or contains a password-protected ZIP file (e.g. CR:PGP(encrypted)). Options are: >- <ul> >- <li>PGP(signed) or PGP(encrypted) for digitally signed or encrypted PGP/MIME e-mails. 
There is also "old-signed"/etc to cover the "older" method of doing PGP</li> >- <li>SMIME(signed) or SMIME(encrypted) for digitally signed or encrypted S/MIME e-mails</li> >- <li>CR:ZIP(encrypted) for password-protected ZIP files</li> >- </ul> >- </li> >- </ul> >- </li> >- <li>time taken (sec) to process the message</li> >- <li>"raw" size of message</li> >- <li>sender (i.e. "mail from")</li> >- <li>recipient (i.e. "rcpt to")</li> >- <li>Subject: header</li> >- <li>Message-ID: header</li> >- <li>space-delimited listing of attachment filenames plus their individual sizes appended to the filename</li> >- </ul> >- >- <p><b>Note:</b> fields are space-delimited when syslog used (with spaces within fields replaced by underscores), and tab-delimited in mailstats.cvs format >-</p> >-<h2> >-Support</h2> >-This software is released under the GPL as found in the <a href="COPYING">COPYING</a> >-file enclosed. >-<p>This package is housed on <a href="http://sourceforge.net/project/?group_id=6116">SourceForge</a>. >-<p> >-Any questions, suggestions, etc to the mailing-list set up to discuss this, subscribe via <a href="http://lists.sourceforge.net/mailman/listinfo/qmail-scanner-general">http://lists.sourceforge.net/mailman/listinfo/qmail-scanner-general</a> , >-or subscribe to the announcements-only list via <a href="http://lists.sourceforge.net/mailman/listinfo/qmail-scanner-announce">http://lists.sourceforge.net/mailman/listinfo/qmail-scanner-announce</a>. >-</p> >-<p><font size="-3"><b>Last Updated:</b> <?php echo date ("l dS of F Y h:i:s A",filemtime($_SERVER[SCRIPT_FILENAME])). " GMT"; ?></font> >-<P> >-</body> >-</html> >diff -Naur qmail-scanner-1.25-DISTRO/log-report.sh qmail-scanner-1.25-st-qms-20050219/log-report.sh >--- qmail-scanner-1.25-DISTRO/log-report.sh 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/log-report.sh 2005-02-19 06:29:13.000000000 -0600 
>@@ -0,0 +1,43 @@ >+#/bin/sh >+# >+# This is a very simple script to report a quick statistic from the >+# qmail-queue.log or qmail-queue.log.x.gz, it needs to be improved... >+# >+# Salvatore Toribio >+# 20041101 >+# >+ >+if [ ! $1 ]; then >+ echo " >+ Usage: $0 <qmail-queue.log> >+ >+ It is possible to analize compress files i.e.: qmail-queue.log.1.gz >+ >+" >+ exit 1 >+fi >+ >+if [ ! -f "$1" ]; then >+ echo " >+ File: '$1' doesn't exist, exit. >+" >+ exit >+fi >+ >+FF="`file $1 | grep 'gzip compressed data'`" >+ >+echo >+ >+if [ ! "$FF" ]; then >+ # It is not a compress file >+ grep 'here be a virus' $1 | sed -e "s/.*(\(.*\))$/\1/" | sort | uniq -c | sort -gr >+ echo >+ grep 'SA: yup, this smells ' $1 | sed -e "s/.* hits.* - \(.*\) message...$/\1/" | sort | uniq -c | sort -gr >+else >+ # It is a compress file >+ zcat $1 | grep 'here be a virus' | sed -e "s/.*(\(.*\))$/\1/" | sort | uniq -c | sort -gr >+ echo >+ zcat $1 | grep 'SA: yup, this smells ' | sed -e "s/.* hits.* - \(.*\) message...$/\1/" | sort | uniq -c | sort -gr >+fi >+ >+echo >diff -Naur qmail-scanner-1.25-DISTRO/qmail-scanner-queue.template qmail-scanner-1.25-st-qms-20050219/qmail-scanner-queue.template >--- qmail-scanner-1.25-DISTRO/qmail-scanner-queue.template 2005-01-27 16:51:58.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/qmail-scanner-queue.template 2005-02-19 07:46:36.000000000 -0600 
>@@ -1,10 +1,29 @@ > #!SUIDPERL -T > # > # File: qmail-scanner-queue.pl >-# Version: 1.25 >+# Version: 1.25 - st - patch - 20050207 > # > # Author: Jason L. Haar <jhaar@users.sourceforge.net> > # >+# Patched by: Salvatore Toribio <toribio@pusc.it> >+# >+# Patched for Event Logging by: Mark S. Teel <mteel@users.sourceforge.net> >+# Version: 1.22 - patched: st-qms - 20040530 >+# >+# Patched for Account Monitoring by Mark S. Teel <mteel@users.sourceforge.net> >+# Version: 1.22 - patched: st-qms-monitor - 20040919 >+# >+# Patched for Version 1.24 and merge of qms-monitor functions >+# by Mark S. Teel <mteel@users.sourceforge.net> >+# Version: 1.24 - patched: st-qms - 20041102 >+# >+# Patched for Version 1.25 >+# by Mark S. Teel <mteel@users.sourceforge.net> >+# Version: 1.25 - patched: st-qms - 20050219 >+# >+# See the file READMEpatched for information about the patch >+# This version deletes/rejects spam based in Chris Hine's patch for v1.16 >+# > # This file was auto-generated by: > # > # CMDLINE >@@ -71,7 +90,7 @@ > > use strict 'vars', 'subs'; > >-#Set locale to "C" (English). That way any string checks on forked apps >+#Set locale to "C" (English). That way any string checks on forked apps > #will tend to be in English - simplifying/standardizing regex matches > my $orig_locale=$ENV{'LC_ALL'}; > $ENV{'LC_ALL'}= $ENV{'LANG'} = $ENV{'LANGUAGE'} = 'C'; 
>@@ -80,20 +99,20 @@ > use Sys::Syslog qw(:DEFAULT setlogsock); > setlogsock('unix'); > >-my $VERSION="1.25"; >+my $VERSION="1.25-st-qms"; > >-#Mail header to add to each scanned message to report stuff in... >-#Default is to not generate them ($descriptive_hdrs = 0) - as that >-#info is also in the Received: headers... >+# Mail header to add to each scanned message to report stuff in... >+# Default is to not generate them ($descriptive_hdrs = 0) - as that >+# info is also in the Received: headers... > my $descriptive_hdrs=DESCRIPTIVE_HEADERS; >-my $V_HEADER="X-Qmail-Scanner"; >+my $V_HEADER="DESCR_HEADERS_TEXT"; > my($qsmsgid); > $qsmsgid=tolower("$V_HEADER-message-id"); > > >-#From: line information used when making reports >+# From: line information used when making reports > my $V_FROM='USERNAME@MAILDOMAIN'; >-my $V_FROMNAME='System Anti-Virus Administrator'; >+my $V_FROMNAME="ADMIN_FROMNAME"; > > # Address carbon-copied on any virus reports > my $QUARANTINE_CC='USERNAME@MAILDOMAIN'; 
>@@ -102,12 +121,53 @@ > #deciding whether or not to send recipient alerts to > my @local_domains_array=(LOCAL_DOMAINS_ARRAY); > >+# qms: save local domains list string >+my $local_domains_string="LOCAL_DOMAINS_ARRAY"; >+ >+ >+######## qms-monitor: selective account monitoring/archiving >+### >+### Description: >+### 1) qms-monitor will archive ALL email msgs SENT OR RECEIVED for >+### any email address listed below >+### 2) Messages are archived to $qms_monitor_home - they can be left >+### there for manual examination, or a cron script can be run periodically >+### to move them into a "monitor" email domain so that the mail can be >+### partitioned into individual monitor domain accounts and read with >+### any email client >+######## >+ >+my $qms_monitor_enabled='QMS_MONITOR'; >+ >+### qms_monitor_array: add email addresses of local domains to be monitored >+my @qms_monitor_array=(QMS_MON_ACCOUNTS); >+ >+### qms_monitor_dest_array: add destination for email message copies >+# Note 1: locations here will be saved underneath $qms_monitor_home; >+# a cron job can later copy from that location to an alternate >+# email domain used for account monitoring. >+# Note 2: each entry in this array corresponds to the email address in the >+# same location of the @qms_monitor_array above - i.e., >+# @qms_monitor_array[2] msgs get stored at >+# @qms_monitor_dest_array[2] - thus, ORDER DOES MATTER. >+# Note 3: DO NOT include a leading "/" on these paths - they will typically >+# be entries that ultimately belong in /home/vpopmail/domains - >+# i.e., starting with the domain name. >+### >+my @qms_monitor_dest_array=(QMS_MON_DESTINATIONS); >+ >+######## qms-monitor BLOCK END >+ >+ > # Array of virus that we don't want to inform the sender of. 
> my @silent_viruses_array=(SILENT_VIRUSES_ARRAY); > >- >-#Array of virus scanners used must point to subroutines >-my @scanner_array=(SCANNER_ARRAY); >+# st: Virus that will be deleted without notifying anyone, >+# you can add other viruses in the form "virus1|virus2|virus3". >+# Most of the viruses in the 'silent_viruses_array' could be >+# added to this list safely. >+# i.e. "mydoom|worm.sco|novarg|tanx|bagle|netsky|somefool|roca|agobot|dumaru|sober|lovgate|klez|rox|zafi|PIF files|SCR files" >+my $virus_to_delete="VIRUS_TO_DELETE"; > > #Addresses that should be alerted of any quarantined Email > my $NOTIFY_ADDRS='NOTIFY_ADDRESSES'; >@@ -137,7 +197,6 @@ > #What maildir folder to store quarantine in > my $vmaildir='quarantine'; > >- > #What maildir folder to archive received Email in instead of deleting > my $archiveit='ARCHIVEIT'; > my $archivedir='ARCHIVEDIR'; >@@ -148,6 +207,9 @@ > #Name of file where quarantine reports go (for long-term storage) > my $quarantinelog="quarantine.log"; > >+# qms: Name of file where usable logs for analysis are written >+my $eventlog="qms-events.log"; >+ > #Generate nice random filename > my ($sysname, $hostname, $release, $version, $machine) = uname(); > #my $hostname='FQDN'; #could get via call I suppose... 
>@@ -165,6 +227,111 @@ > #turn this on > my $log_crypto="LOG_CRYPTO"; > >+# qms-monitor - the root for temporary storage >+my $qms_monitor_home = "$scandir/qms-monitor"; >+ >+# st: If $spamc_subject is defined and fast_spamassassin mode is selected, >+# a tag will be added to the subject indicating how the message is to >+# be considered as spam, in this way: >+# LOW: required_hits < score < required_hits + sa_delta >+# MEDIUM: required_hits + sa_delta < score < required_hits + 2 * sa_delta >+# HIGH: required_hits + 2 * sa_delta < score >+# Be aware, 2*sa_delta must be lower than sa_quarantine. >+# 'required_hits' is the value set in the SpamAssassin configuration file. >+my $sa_delta='SA_DELTA'; >+ >+# st: Spam messages with a score higher than >+# (required_hits + sa_quarantine) should be quarantined. >+# Only relevant if SpamAssassin is used. >+# Score of 0 means deliver all messages. Defaults to 0. >+my $sa_quarantine='SA_QUARANTINE'; >+ >+# st: Some people wants to quarantine spam in a different >+# maildir folder than viruses, maybe to run sa-learn. >+# The default is: >+# my $smaildir="$vmaildir"; >+# But you can change it i.e. my $smaildir="spamdir"; >+my $smaildir="$vmaildir"; >+ >+# st: address to send a copy of the mails 'quarantined' >+# as spam for admin puropose (I thought), almost unmodifyed. >+# Enable $sa_fwd_verbose if you want the X-Spam headers in >+# the forwarded message. >+my $sa_forward='SA_FORWARD'; >+my $sa_fwd_verbose='SA_FWD_VERBOSE'; >+ >+# st: Spam messages with a score higher than >+# (required_hits + sa_delete) should be deleted (or rejected). >+# Only relevant if SpamAssassin is used. Score of 0 >+# means deliver all messages. Defaults to 0. >+# If sa-quarantine is set, sa-delete must be greater. >+my $sa_delete='SA_DELETE'; >+ >+# st: If you enable sa-reject and sa-delete is properly set, >+# messages with a score higher than (required_hits + sa_delete) >+# will be rejected before the smtp session is closed. 
>+# Otherwise they are just dropped silently. (1/0) >+my $sa_reject='SA_REJECT'; >+ >+# st: Use the alternative subroutine for spamassassin, it runs >+# ALWAYS in *fast_spamassassin* mode and doesn't pass the '-u' option >+# to spamc. So if you want to run in *verbose_spamassasin* mode or you >+# want to use the sql per user preferences for spamassassin, you have >+# to disable this option and run the standard spamassassin routine. >+# It also allows to log the spamassassin report. (1/0) >+my $sa_alt='SA_ALT'; >+ >+# st: If sa_alt is enabled an you enable this option, you will >+# have a beautiful log with the tests and the scores of >+# spamassassin in the file qmail-queue.log, and you >+# can add the X-Spam-Report header enabling the >+# option below. (1/0) >+my $sa_debug='SA_DEBUG'; >+ >+# st: If sa_alt and sa_debug are enabled, *qmail-scanner* will >+# add the X-Spam-Report header to the messages if you >+# enable this option. (1/0) >+my $sa_hdr_report='SA_HDR_REPORT'; >+ >+# st: Enable this option to do not pass to spamassassin messages >+# from MAILER-DAEMON, see READMEpatched for details. (1/0) >+my $SA_SKIP_MD='0'; >+ >+############################################## >+# st: SCANNERS PER DOMAIN >+############################################## >+ >+# st: Enable or diasable scanner per domain (1/0) >+my $scanners_pd='SCANNERS_P_D'; >+ >+# Array of virus scanners used must point to subroutines >+my @scanner_array=(); >+ >+# st: @scanners_installed is the array with all scanners installed >+# in the computer, if you disable $scanners_pd qmail-scanner will fall to >+# this array. Don't modify it unless you really know what you do. >+my @scanners_installed=(SCANNER_ARRAY,"perlscan_scanner"); >+ >+# st: @scanners_default if $scanners_pd is enabled qmail-scanner will >+# use this array for the users/domains that don't have a custom >+# scanner_array set in the $scanners_per_domain.txt file. >+# You can set it to "none" to skip all the scanners, even perlscan. 
>+# If you want to skip the scanners only for a particular user/domain >+# set his scanners list to "none" in the $scanners_per_domain.txt file. >+my @scanners_default=(SCANNER_ARRAY,"perlscan_scanner"); >+ >+# st: DB file (without extension) where per domain/user scanners >+# are saved, edit $scanners_per_domain.txt and run >+# "qmail-scanner-queue.pl -p" to generate $scanners_per_domain.db >+my $scanners_per_domain="$scandir/scanners_per_domain"; >+ >+my $domain_returnpath=''; >+my $domain_one_recip=''; >+my $sa_rcpt='0'; >+my (%found_event); >+ >+############################################## >+ > #Full path to file in which virus-scanner versioning info is kept > my $versionfile="$scandir/qmail-scanner-queue-version.txt"; > >@@ -216,10 +383,22 @@ > my $clamscan_options="-r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=100000"; > my $clamdscan_binary='CLAMDSCAN'; > my $clamdscan_options="--no-summary"; >+ >+# st: I have returned to my own way to set the SPAMD_SOCKET (1.25st) > my $spamc_binary='SPAMC_BINARY'; >+ >+# st: fast_spamassassin options=" -c " / verbose_spamassassion options=" " >+# remember that the routine sa_alt ignores these options. > my $spamc_options='SPAMC_OPTIONS'; >-my $spamc_subject='SPAMC_SUBJECT'; >+my $spamc_subject="SPAMC_SUBJECT"; # st: if fast_spamassassin mode is selected > my $spamassassin_binary='SPAMASSASSIN_BINARY'; >+ >+# st: If somebody is using spamassassin with unix socket... >+# from version 1.24 the socket is included directly in $spamc_binary above >+# for compatibility with the official version >+my $spamd_socket='SPAMD_SOCKET'; >+$spamc_binary.=" -U $spamd_socket" if ($spamd_socket ne ""); >+ > my ($sa_comment,$sa_level); > my $sa_symbol='+'; > my ($tag_score)=""; 
>@@ -267,6 +446,14 @@ > #Want debugging? Enable this and read $scandir/qmail-queue.log > my $DEBUG='DEBUG_LEVEL'; > >+# st: Minimal debug only works if $DEBUG=0 >+# If set to 2, the parent pid is written to the logs, and also >+# the message size >+my $MINIDEBUG='MINI_DEBUG'; >+ >+# qms: Want meaningful event logs? Enable this and read $scandir/qms-events.log >+my $EVENTLOG='QMS_LOG'; >+ > my @uufile_list = (); > my @attachment_list = (); > my @zipfile_list = (); >@@ -275,13 +462,13 @@ > use Time::HiRes qw( usleep ualarm gettimeofday tv_interval ); > use POSIX; > >-use vars qw/ $opt_v $opt_h $opt_g $opt_r $opt_z/; >+use vars qw/ $opt_v $opt_h $opt_g $opt_r $opt_z $opt_p $opt_d $opt_s/; > > use Getopt::Std; > > #my ($opt_v,$opt_h,$opt_g,$opt_r,$opt_z); > >-getopts('vhgrz'); >+getopts('vhgrzpds'); > > my ($start_time,$last_time); > $start_time = $last_time = [gettimeofday]; >@@ -299,14 +486,27 @@ > -z - gather virus scanner/DAT versions > and cleanup old temp files > -g - generate perlscanner database >- -r - read from perlscanner database\n"; >+ -r - read from perlscanner database >+ >+ -p - generate scanner per domain database >+ -d - display scanner per domain database >+ -s - sort the text file $scanners_per_domain.txt >+ (not yet implemented)\n\n"; > exit; > } > > > if ( $opt_g || $opt_r) { > &generate_quarantine_db; >- exit 0; >+ exit 0; >+} elsif ($opt_p) { >+ &generate_spd; >+ exit 0; >+} elsif ($opt_d) { >+ &read_spd; >+ exit 0; >+} elsif ($opt_s) { >+ print " \nOption not yet implemented\n\n"; > } > > if ( $opt_v ) { 
>@@ -342,19 +542,64 @@ > #Get current timestamp for logs > my ($sec,$min,$hour,$mday,$mon,$year,$nowtime); > ($sec,$min,$hour,$mday,$mon,$year) = localtime(time); >-#my $nowtime = sprintf "%02d/%02d/%02d %02d:%02d:%02d", $mday, $mon+1, $year+1900, $hour, $min, $sec; >-#my $nowtime = strftime("%a, %d %b %Y %H:%M:%S %Z", localtime(time)); > my ($smtp_sender,$remote_smtp_ip,$real_uid,$effective_uid); > > $real_uid=$<; > $effective_uid=$>; > >-if ($DEBUG ) { >+# st: I will need the process number, and other variables, later >+my $nprocess=$$; >+my $nppid=getppid; >+if ($nppid == 1) { >+ # The parent pid is dead, maybe a message with BLFs >+ warn "$V_HEADER-$VERSION: Process $nprocess closed, parent process died\n" if ($MINIDEBUG < 3); >+ warn "$nprocess QS-$VERSION: Process $nprocess closed, parent process died\n" if ($MINIDEBUG >= 3); >+ exit 111; >+} >+$nprocess.="/$nppid" if ($MINIDEBUG >= 2); >+my $sa_report=''; >+my ($sa_hits,$required_hits)=('0','0'); >+# st: Flag to delete message >+my $del_message='0'; >+ >+if ($DEBUG || $MINIDEBUG ) { > open(LOG,">>$scandir/$debuglog"); > select(LOG);$|=1; >- &debug("+++ starting debugging for process $$ by uid=$real_uid"); >+ &debug("+++ starting debugging for process $$ (ppid=$nppid) by uid=$real_uid"); >+ &minidebug("+++ starting debugging for process $$ (ppid=$nppid) by uid=$real_uid"); > } > >+# qms: open the event log if enabled >+if ($EVENTLOG ) { >+ open(ELOG,">>$scandir/$eventlog"); >+ select(ELOG);$|=1; >+ my $starttime = strftime("%F %H:%M:%S", localtime(time)); >+ &eventlog("------ START MSG $starttime ------"); >+} >+ >+# st: if sa_alt or sa_debug are '0', sa_hdr_report must be 0 >+$sa_hdr_report='0' if ( !$sa_alt || !$sa_debug ); >+ >+# st: if the variable SA_ONLYDELETE_HOST is set in the tcpserver >+# don't reject messages coming from those IPs, just delete them >+# You should set this variable for your secondary mail server. 
>+if (defined($ENV{'SA_ONLYDELETE_HOST'}) || defined($ENV{'SA_WHITELIST'})) { >+ $sa_reject="0"; >+ &debug("WL: The server is a SA_ONLYDELETE_HOST, don't reject"); >+ &minidebug("WL: The server is a SA_ONLYDELETE_HOST, don't reject"); >+} >+ >+# st: if the variable BMC_WHITELIST is set in the tcpserver >+# don't search for 'bad mime characters' in the headers of messages >+# coming from those IPs. >+# It would be hard to mantain this whitelist... >+if (defined($ENV{'BMC_WHITELIST'})) { >+ $BAD_MIME_CHECKS='0'; >+ &debug("WL: The server is in the BMC_WHITELIST, don't check BMC"); >+ &minidebug("WL: The server is in the BMC_WHITELIST, don't check BMC"); >+} >+ >+ > &debug("setting UID to EUID so subprocesses can access files generated by this script"); > $< = $>; # set real to effective uid > #$( = $); # set real to effective gid >@@ -365,22 +610,27 @@ > exit 0; > } > >- > &scanner_info; > >- > if ($ENV{'TCPREMOTEIP'}) { > $smtp_sender="via SMTP from $ENV{'TCPREMOTEIP'}"; > $remote_smtp_ip=$ENV{'TCPREMOTEIP'}; >+ # st: do not reject mails from localhost useful for fetchmail >+ $sa_reject="0" if ($remote_smtp_ip eq "127.0.0.1"); > $tag_score.="RC:1($remote_smtp_ip):" if (defined($ENV{'RELAYCLIENT'})); > &debug("incoming SMTP connection from $smtp_sender"); > #system("/usr/bin/printenv > /tmp/qmail-scanner.env"); >+ &eventlog("CONNECT-SMTP:$ENV{'TCPREMOTEIP'}"); > } else { > $smtp_sender="via local process $$"; > $remote_smtp_ip='127.0.0.1'; > $tag_score.="RC:1($remote_smtp_ip):"; #Always would be relayed >+ # st: do not reject mails from localhost useful for fetchmail >+ $sa_reject="0"; > &debug("incoming pipe connection from $smtp_sender"); >+ &eventlog("CONNECT-PIPE:$$"); > } >+ > $tag_score.="RC:0($remote_smtp_ip):" if ($tag_score !~ /RC:1/); > > my (%headers ); 
>@@ -398,6 +648,11 @@ > > &working_copy; > >+ # st: working_copy is quite heavy, let see the elapsed time from start >+ &minidebug("w_c: message size $msg_size bytes") if ($MINIDEBUG >= 2); >+ my $elapsed_1=tv_interval ($start_time, [gettimeofday]); >+ &minidebug("w_c: elapsed time from start $elapsed_1 secs"); >+ > #Now alarm this area so that hung networks/virus scanners don't cause > #double-delivery... > >@@ -416,6 +671,18 @@ > #This SMTP session is incomplete until we see dem envelope headers! > &grab_envelope_hdrs; > &debug("from=$headers{'from'},subj=$headers{'subject'}, $qsmsgid=$headers{$qsmsgid} $smtp_sender"); >+ &minidebug("from='$headers{'from'}', subj='$headers{'subject'}', $smtp_sender"); >+ &eventlog("HEADER:$headers{'from'}:$headers{'to'}:$headers{'subject'}"); >+ >+ ##### st: variables for scanners per domain >+ $returnpath=tolower($returnpath); >+ $domain_returnpath=$returnpath; >+ $domain_returnpath=~ s/^(.*)\@(.*)$/$2/; >+ # >+ $one_recip=tolower($one_recip); >+ $domain_one_recip=$one_recip; >+ $domain_one_recip=~ s/^(.*)\@(.*)$/$2/ if ($one_recip); >+ ###### > > #Add envelope details to headers array so that they can be matched within > #perlscanner. 
>@@ -430,24 +697,39 @@ > #Hmm, doesn't look nice, but it feels better to make this a separate check for some reason > if ($skip_text_msgs && ($indicates_attachments < 2) && !@uufile_list && !@attachment_list) { > &debug("This is a PLAIN text message (because it's either not mime, or is text/plain), skip virus scanners - but not SA"); >+ &minidebug("This is a PLAIN text message, skip virus scanners - but not SA"); >+ &eventlog("TYPE:PLAIN"); > $plain_text_msg=1; > } >+ else { >+ &eventlog("TYPE:MIXED"); >+ } >+ } >+ else { >+ &eventlog("TYPE:MIXED"); > } > >- #Now, start the scanners! >- #if (!$quarantine_event) { >- &init_scanners; >- #} >- if ($quarantine_event) { >- &debug("unsetting TCPREMOTEIP env var"); >- delete $ENV{'TCPREMOTEIP'}; >- #Reset locale back to original >- $ENV{'LC_ALL'}=$orig_locale; >- &email_quarantine_report; >+############################################## >+# st: SCANNERS PER DOMAIN >+############################################## >+ >+ $quarantine_event_tmp=$quarantine_event; >+ >+ if ($scanners_pd && ( ! -f "$scanners_per_domain.db")) { >+ &debug("s_p_d: $scanners_per_domain.db doesn't exist falling to installed scanners"); >+ &minidebug("s_p_d: $scanners_per_domain.db doesn't exist falling to installed scanners"); >+ $scanners_pd='0'; >+ } >+ >+ if ($scanners_pd) { >+ &scanners_p_d; > } else { >- &qmail_parent_check; >- &qmail_requeue($env_returnpath,$env_recips,"$scandir/$wmaildir/new/$file_id"); >+ @scanner_array=@scanners_installed; >+ &start_scanners($env_returnpath,$env_recips,"$scandir/$wmaildir/new/$file_id"); > } >+ >+############################################## >+ > alarm 0; > }; 
> >@@ -478,10 +760,10 @@ > } > &cleanup; > >-($sec,$min,$hour,$mday,$mon,$year) = localtime(time); >-#$nowtime = sprintf "%02d/%02d/%02d %02d:%02d:%02d", $mday, $mon+1, $year+1900, $hour, $min, $sec; >- >-&debug("all finished. Total of ",tv_interval ($start_time, [gettimeofday])," secs"); >+# st: write to the log the end of the process >+&close_log; >+&eventlog("SCANTIME:",tv_interval ($start_time, [gettimeofday]),""); >+&eventlog("------ STOP MSG ---------------------------"); > exit 0; > > ############################################################################ 
>@@ -510,16 +792,106 @@ > } > #$nowtime = sprintf "%02d/%02d/%02d %02d:%02d:%02d", $mday, $mon+1, $year+1900, $hour, $min, $sec; > &debug("error_condition: $V_HEADER-$VERSION: $string"); >- close(LOG); >+ &minidebug("error_condition: $V_HEADER-$VERSION: $string"); >+ &eventlog("ERROR:$V_HEADER-$VERSION:$string"); >+ close(ELOG); > &cleanup; >+ &close_log; > exit $errcode; > } > > sub debug { > my $dnowtime = strftime("%a, %d %b %Y %H:%M:%S %Z", localtime(time)); >- print LOG "$dnowtime:$$: ",@_,"\n" if ($DEBUG); >+ print LOG "$dnowtime:$nprocess: ",@_,"\n" if ($DEBUG); >+} >+ >+# qms: log events to the file >+sub eventlog { >+ my $enowtime = sprintf "%10d", time; >+ print ELOG "$enowtime:$$:",@_,"\n" if ($EVENTLOG); >+} >+ >+ >+######## qms-monitor BLOCK BEGIN >+# qms-monitor: Entry point called prior to requeueing the msg >+sub qms_monitor >+{ >+ my($msg) = @_; >+ my($acct) = ''; >+ my($aindex) = '0'; >+ >+ foreach $acct (@qms_monitor_array) >+ { >+ # check the sender address first >+ if ($returnpath =~ /$acct/i) >+ { >+ &qms_monitor_save($acct,$msg,"@qms_monitor_dest_array[$aindex]"); >+ $aindex += 1; >+ next; >+ } >+ >+ if ($recips =~ /$acct/i) >+ { >+ &qms_monitor_save($acct,$msg,"@qms_monitor_dest_array[$aindex]"); >+ } >+ >+ $aindex += 1; >+ } > } > >+# qms-monitor: save the msg to our archive location >+sub qms_monitor_save >+{ >+ my($qmsacct,$src,$dest) = @_; >+ my($finaldest) = "$qms_monitor_home/$dest"; >+ my($fname) = &qms_monitor_get_filename($qmsacct); >+ >+ if (!open(INMSG, "<$src")) >+ { >+ &eventlog("--- qms_monitor_save: unable to open src $src"); >+ &debug ("qms_monitor_save: unable to open src $src\n"); >+ return; >+ } >+ >+ if (! 
-d "$finaldest") >+ { >+ if (system("mkdir -p $finaldest")) >+ { >+ &eventlog("--- qms_monitor_save: unable to mkdir $finaldest"); >+ &debug ("qms_monitor_save: unable to mkdir $finaldest"); >+ return; >+ } >+ } >+ >+ >+ if (!open(OUTMSG, ">$finaldest/$fname")) >+ { >+ &eventlog("--- qms_monitor_save: unable to open dest $finaldest/$fname"); >+ &debug ("qms_monitor_save: unable to open dest $finaldest/$fname\n"); >+ return; >+ } >+ >+ while (<INMSG>) >+ { >+ print OUTMSG; >+ } >+ >+ close(OUTMSG); >+ close(INMSG); >+} >+ >+# qms-monitor: Generate meaninful file names >+sub qms_monitor_get_filename >+{ >+ my($aname) = @_; >+ my($stime) = strftime("%F_%H:%M:%S", localtime(time)); >+ >+ return "$aname" . "_" . "$hostname" . "_" . "$stime" . "_" . $$; >+} >+ >+######## qms-monitor BLOCK END >+ >+ > sub working_copy { > my ($hdr,$last_hdr,$value,$num_of_headers,$last_header,$last_value,$attachment_filename); > select(STDIN); $|=1; 
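Review bot: qms_monitor_save runs a shell command built from a variable, system("mkdir -p $finaldest"), and then uses two-argument open, open(OUTMSG, ">$finaldest/$fname"). Both $finaldest and $fname are assembled from $qms_monitor_home, the destination array and the matched account string, so a shell metacharacter or an open-mode character in any of those settings is interpreted instead of being treated as part of a path. Use File::Path's mkpath (or list-form system) and three-argument open. In qms_monitor, /$acct/i treats the configured address as an unanchored regex: "." matches any character, and an entry such as bob@example.com (a constructed example) also matches jimbob@example.com, so mail for other accounts can be archived; \Q$acct\E with anchoring, or a lowercased string comparison, restricts the copy to the intended account. "@qms_monitor_dest_array[$aindex]" is an array slice and should be $qms_monitor_dest_array[$aindex]. Finally, debug now prints $nprocess while eventlog prints $$, so the two logs can only be correlated if those are the same value.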
>@@ -541,155 +913,167 @@ > $HEADERS .= $_; > #Catch any naughty illegal header chars here > if ($BAD_MIME_CHECKS && !$IGNORE_EOL_CHECK && /\r|\0/) { >- $illegal_mime=1; >- &debug("w_c: found CRL/NULL in header - invalid if this is a MIME message"); >+ $illegal_mime=1; >+ &debug("w_c: found CRL/NULL in header - invalid if this is a MIME message"); >+ &minidebug("w_c: found CRL/NULL in header - invalid if this is a MIME message"); >+ &eventlog("QMSWC:BAD_HDR_CHARS"); > } > #Put headers into array > if (/^\s+(.*)$/ && $last_hdr) { >- #Hmmm, a continuation... >- $headers{$last_hdr} .= $1 if (!$illegal_mime); >+ #Hmmm, a continuation... >+ $headers{$last_hdr} .= $1 if (!$illegal_mime); > } elsif (/^([^\s]+)/) { >- #This means it's not a continuation header >- if (!$quarantine_event && $BAD_MIME_CHECKS && ($headers{'mime-version'} ne "") && !/^([^\s]+):(.*)$/) { >- #Wow - a header (not header+value) that goes onto another line - not likely! >- $illegal_mime=1; >- $destring='problem'; >- $quarantine_description="Disallowed breakage found in header name - potential virus"; >- $quarantine_event="Policy:Bad_MIME_Break"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- &debug("w_c: disallowed breakage found in header name ($_) - potential virus"); >- #next; >- } else { >- /^([^\s]+):(.*)$/; >- $hdr=$1; >- $last_hdr=tolower($hdr); >- $value=$2; >- $value =~ s/^\s//; >- if (!$quarantine_event && $BAD_MIME_CHECKS && $hdr =~ /^[^X].*\(/i) { >- #Wow - a comment *inside* a standard header name. Only viruses are known to do that >- #Should we test for [^0-9a-z\_\-\=\+] instead? 
>- $illegal_mime=1; >- $destring='problem'; >- $quarantine_description='Disallowed MIME comment found in header name - potential virus'; >- $quarantine_event="Policy:Bad_MIME_Comment"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- &debug("w_c: $quarantine_description"); >- } >- $num_of_headers++; >- } >- #Don't let this array grow without bounds... >- if ($num_of_headers < $MAX_NUM_HDRS) { >- if ($hdr =~ /^to|cc/i && $headers{tolower($hdr)}) { >- #Special-case the To: and Cc: headers. >- #Broken mailers generate messages with multiple >- #instances of these, so merge them into one... >- $headers{tolower($hdr)} .= ",$value"; >- } elsif ($hdr =~ /^(from|x-mail|User-Agent|Organi|Received|Message-ID|Subject)/i && $headers{tolower($hdr)}) { >- #Make sure any multiples of these headers are remembered, so that >- #perlscanner checks can see all instances - just wrap em up >- #into one long line >- $headers{tolower($hdr)} .= " $value"; >- } elsif (!$quarantine_event && $BAD_MIME_CHECKS > 1 && (($headers{'mime-version'} ne "" && tolower($hdr) eq "mime-version") || ($headers{'content-type'} ne "" && tolower($hdr) eq "content-type") || ($headers{'content-transfer-encoding'} ne "" && tolower($hdr) eq "content-transfer-encoding") || ($headers{'content-disposition'} ne "" && tolower($hdr) eq "content-disposition"))) { >- #Why would a legit message have important MIME headers defined >1 time? It could imply someone is trying to sneak >- #something past SMTP scanners... >- #To much parsing needs to be done to do this correctly - stuff 'em - break the sucker ;-/ >- &debug("Duplicate MIME headers found [$hdr] - renaming"); >- print TMPFILE "$V_HEADER-$VERSION: renamed duplicate MIME headers\n"; >- $_="$V_HEADER-Renamed-$_"; >- } else { >- #All other headers: the last occurance wins! 
>- $headers{tolower($hdr)}=$value; >- } >- } >+ #This means it's not a continuation header >+ if (!$quarantine_event && $BAD_MIME_CHECKS && ($headers{'mime-version'} ne "") && !/^([^\s]+):(.*)$/) { >+ #Wow - a header (not header+value) that goes onto another line - not likely! >+ $illegal_mime=1; >+ $destring='problem'; >+ $quarantine_description="Disallowed breakage found in header name - potential virus"; >+ $quarantine_event="Policy:Bad_MIME_Break"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >+ &debug("w_c: disallowed breakage found in header name ($_) - potential virus"); >+ &minidebug("w_c: disallowed breakage found in header name ($_) - potential virus"); >+ &eventlog("QMSWC:BAD_HDR_BREAKAGE"); >+ #next; >+ } else { >+ /^([^\s]+):(.*)$/; >+ $hdr=$1; >+ $last_hdr=tolower($hdr); >+ $value=$2; >+ $value =~ s/^\s//; >+ if (!$quarantine_event && $BAD_MIME_CHECKS && $hdr =~ /^[^X].*\(/i) { >+ #Wow - a comment *inside* a standard header name. Only viruses are known to do that >+ #Should we test for [^0-9a-z\_\-\=\+] instead? >+ $illegal_mime=1; >+ $destring='problem'; >+ $quarantine_description='Disallowed MIME comment found in header name - potential virus'; >+ $quarantine_event="Policy:Bad_MIME_Comment"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >+ &debug("w_c: $quarantine_description"); >+ &minidebug("w_c: $quarantine_description"); >+ &eventlog("QMSWC:BAD_HDR_MIME"); >+ } >+ $num_of_headers++; >+ } >+ #Don't let this array grow without bounds... >+ if ($num_of_headers < $MAX_NUM_HDRS) { >+ if ($hdr =~ /^to|cc/i && $headers{tolower($hdr)}) { >+ #Special-case the To: and Cc: headers. >+ #Broken mailers generate messages with multiple >+ #instances of these, so merge them into one... 
>+ $headers{tolower($hdr)} .= ",$value"; >+ } elsif ($hdr =~ /^(from|x-mail|User-Agent|Organi|Received|Message-ID|Subject)/i && $headers{tolower($hdr)}) { >+ #Make sure any multiples of these headers are remembered, so that >+ #perlscanner checks can see all instances - just wrap em up >+ #into one long line >+ $headers{tolower($hdr)} .= " $value"; >+ } elsif (!$quarantine_event && $BAD_MIME_CHECKS > 1 && (($headers{'mime-version'} ne "" && tolower($hdr) eq "mime-version") || ($headers{'content-type'} ne "" && tolower($hdr) eq "content-type") || ($headers{'content-transfer-encoding'} ne "" && tolower($hdr) eq "content-transfer-encoding") || ($headers{'content-disposition'} ne "" && tolower($hdr) eq "content-disposition"))) { >+ #Why would a legit message have important MIME headers defined >1 time? It could imply someone is trying to sneak >+ #something past SMTP scanners... >+ #To much parsing needs to be done to do this correctly - stuff 'em - break the sucker ;-/ >+ &debug("Duplicate MIME headers found [$hdr] - renaming"); >+ print TMPFILE "$V_HEADER-$VERSION: renamed duplicate MIME headers\n"; >+ $_="$V_HEADER-Renamed-$_"; >+ } else { >+ #All other headers: the last occurance wins! >+ $headers{tolower($hdr)}=$value; >+ } >+ } > } > if (/^(\r|\r\n|\n)$/) { >- #headers have finished >- $still_headers=0; >- #Try to workaround those nasty broken viruses that produce Content-Type without MIME-Version >- #to get around virus scanners >- if ($headers{'mime-version'} eq "") { >- #Make sure it's a MIME-style Content-type, Sun used to use Content-type for other purposes... >- if ($BAD_MIME_CHECKS && $headers{'content-type'} =~ /\//) { >- print TMPFILE "$V_HEADER-$VERSION: added fake MIME-Version header\nMIME-Version: 1.0\n"; >- $headers{'mime-version'}="1.0"; >- &debug("w_c: added fake MIME-Version header"); >- } >- } elsif ($BAD_MIME_CHECKS > 1 && $headers{'content-type'} eq "") { >- #OK, now do the same for Content-Type. 
RFCs state "if no Content-Type present, then it's text/plain" >- #However, Outlook chooses to read the entire message and "figures out" it's mixed/multipart, etc. >- #This'll break that - as it should. >- #I wonder if I shouldn't just block these instead, the only ones I've seen are either viruses or spam... >- print TMPFILE "$V_HEADER-$VERSION: added fake Content-Type header\nContent-Type: text/plain\n"; >- $headers{'content-type'}="text/plain"; >- &debug("w_c: added fake Content-Type header"); >- } >- if ( $headers{'content-type'} =~ /\// ) { >- if ( $headers{'content-type'} =~ /^(\s+|)([^\/\s\(]+)(\s+|)\/(\s+|)([^\/\s\(\;]+)/ ) { >- $content_type{$attachment_counter}="$2/$5"; >- &debug("w_c: primary Content-Type of $content_type{$attachment_counter} found"); >- if ($log_crypto) { >- if ($content_type{$attachment_counter} =~ /multipart\/signed/i) { >- $CRYPTO_TYPE="CR:SMIME(signed)" if ($CRYPTO_TYPE eq "" && $headers{'content-type'} =~ /protocol=\"application\/(x\-|)pkcs/i); >- $CRYPTO_TYPE="CR:PGP(signed)" if ($CRYPTO_TYPE eq "" && $headers{'content-type'} =~ /protocol=\"application\/(x\-|)pgp/i); >- &debug("found MIME-based crypto ($CRYPTO_TYPE)"); >- } elsif ($content_type{$attachment_counter} =~ /multipart\/encrypted/i) { >- $CRYPTO_TYPE="CR:PGP(encrypted)" if ($headers{'content-type'} =~ /protocol=\"application\/(x\-|)pgp/i); >- &debug("found MIME-based crypto ($CRYPTO_TYPE)"); >- }elsif ($content_type{$attachment_counter} =~ /application\/(x\-|)pkcs7/i) { >- $CRYPTO_TYPE="CR:SMIME(encrypted)" if ($headers{'content-type'} =~ /application\/(x\-|)pkcs7/i); >- &debug("found MIME-based crypto ($CRYPTO_TYPE)"); >- } >- } >- } else { >- $destring="problem"; >- $illegal_mime=1; >- $quarantine_description="Disallowed MIME Content-Type found - potential virus"; >- $quarantine_event="Policy:Bad_MIME_Type"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >- } >- #if ( $headers{'content-type'} =~ 
/boundary(\s*)=(|\s+|\s*\")([^\"\;]+)($|\;|\")/i) { >- if ( $headers{'content-type'} =~ /boundary(\s*)=(|\s+|\s*\")([^\s\"\;]+)($|\;|\")/i) { >- $BOUNDARY{$attachment_counter}=$3; >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && ($BOUNDARY{$attachment_counter} =~ /\"|\;/ || $BOUNDARY{$attachment_counter} eq "")) { >- &debug("w_c: RFC2046 says boundaries ($BOUNDARY{$attachment_counter}) can't contain such chars [see bcharsnospace]"); >- #$destring="problem"; >- #$illegal_mime=1; >- #$quarantine_description="Disallowed MIME boundary found - potential virus"; >- #$quarantine_event="Policy:Bad_MIME_Boundary"; >- #$description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >- #Strip off stuff after semicolon, and escape any odd chars >- $BOUNDARY{$attachment_counter} =~ s/(\"|\;).*$//g; >- #$BOUNDARY{$attachment_counter} =~ s/([^a-z0-9=\_])/\\\1/gi; >- $BOUNDARY{$attachment_counter} =~ s/(\W)/\\$1/g; >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && length($BOUNDARY{$attachment_counter}) > 250) { >- #RFC2046 says boundarys are 0-70 chars >- $destring="problem"; >- $illegal_mime=1; >- $quarantine_description="Disallowed MIME boundary length found (".length($BOUNDARY{$attachment_counter}).") - potential virus"; >- $quarantine_event="Policy:Bad_MIME_Length"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >- $BOUNDARY_REGEX=$BOUNDARY{$attachment_counter}; >- &debug("w_c: found a top-level boundary definition of $BOUNDARY{$attachment_counter}"); >- } >- if ( $headers{'content-type'} =~ /name(|\s+)=(|\s+|\s*\")([^\s\"].*)/i) { >- $ATTACHMENT=$3; >- $attachment_counter++; >- #Strip off stuff after semicolon >- $ATTACHMENT =~ s/(\"|\;).*$//g; >- &debug("w_c: found a top-level file attachment definition of $ATTACHMENT"); >- push(@attachment_list, $ATTACHMENT); >- } >- if ($headers{'message-id'} eq "" && !$headers{$qsmsgid}) { >- $headers{$qsmsgid}="<".time . 
__LINE__ . $$ . "\@$hostname>"; >- print TMPFILE "$V_HEADER-Message-ID: $headers{$qsmsgid}\n"; >- } else { >- if (!$headers{$qsmsgid}) { >- $headers{$qsmsgid}=$headers{'message-id'}; >- } >- } >+ #headers have finished >+ $still_headers=0; >+ #Try to workaround those nasty broken viruses that produce Content-Type without MIME-Version >+ #to get around virus scanners >+ if ($headers{'mime-version'} eq "") { >+ #Make sure it's a MIME-style Content-type, Sun used to use Content-type for other purposes... >+ if ($BAD_MIME_CHECKS && $headers{'content-type'} =~ /\//) { >+ print TMPFILE "$V_HEADER-$VERSION: added fake MIME-Version header\nMIME-Version: 1.0\n"; >+ $headers{'mime-version'}="1.0"; >+ &debug("w_c: added fake MIME-Version header"); >+ } >+ } elsif ($BAD_MIME_CHECKS > 1 && $headers{'content-type'} eq "") { >+ #OK, now do the same for Content-Type. RFCs state "if no Content-Type present, then it's text/plain" >+ #However, Outlook chooses to read the entire message and "figures out" it's mixed/multipart, etc. >+ #This'll break that - as it should. >+ #I wonder if I shouldn't just block these instead, the only ones I've seen are either viruses or spam... 
>+ print TMPFILE "$V_HEADER-$VERSION: added fake Content-Type header\nContent-Type: text/plain\n"; >+ $headers{'content-type'}="text/plain"; >+ &debug("w_c: added fake Content-Type header"); >+ } >+ if ( $headers{'content-type'} =~ /\// ) { >+ if ( $headers{'content-type'} =~ /^(\s+|)([^\/\s\(]+)(\s+|)\/(\s+|)([^\/\s\(\;]+)/ ) { >+ $content_type{$attachment_counter}="$2/$5"; >+ &debug("w_c: primary Content-Type of $content_type{$attachment_counter} found"); >+ if ($log_crypto) { >+ if ($content_type{$attachment_counter} =~ /multipart\/signed/i) { >+ $CRYPTO_TYPE="CR:SMIME(signed)" if ($CRYPTO_TYPE eq "" && $headers{'content-type'} =~ /protocol=\"application\/(x\-|)pkcs/i); >+ $CRYPTO_TYPE="CR:PGP(signed)" if ($CRYPTO_TYPE eq "" && $headers{'content-type'} =~ /protocol=\"application\/(x\-|)pgp/i); >+ &debug("found MIME-based crypto ($CRYPTO_TYPE)"); >+ &minidebug("found MIME-based crypto ($CRYPTO_TYPE)"); >+ } elsif ($content_type{$attachment_counter} =~ /multipart\/encrypted/i) { >+ $CRYPTO_TYPE="CR:PGP(encrypted)" if ($headers{'content-type'} =~ /protocol=\"application\/(x\-|)pgp/i); >+ &debug("found MIME-based crypto ($CRYPTO_TYPE)"); >+ &minidebug("found MIME-based crypto ($CRYPTO_TYPE)"); >+ } elsif ($content_type{$attachment_counter} =~ /application\/(x\-|)pkcs7/i) { >+ $CRYPTO_TYPE="CR:SMIME(encrypted)" if ($headers{'content-type'} =~ /application\/(x\-|)pkcs7/i); >+ &debug("found MIME-based crypto ($CRYPTO_TYPE)"); >+ &minidebug("found MIME-based crypto ($CRYPTO_TYPE)"); >+ } >+ } >+ } else { >+ $destring="problem"; >+ $illegal_mime=1; >+ $quarantine_description="Disallowed MIME Content-Type found - potential virus"; >+ $quarantine_event="Policy:Bad_MIME_Type"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >+ &eventlog("QMSWC:BAD_MIME_CONTENT"); >+ } >+ } >+ #if ( $headers{'content-type'} =~ /boundary(\s*)=(|\s+|\s*\")([^\"\;]+)($|\;|\")/i) { >+ if ( $headers{'content-type'} =~ 
/boundary(\s*)=(|\s+|\s*\")([^\s\"\;]+)($|\;|\")/i) { >+ $BOUNDARY{$attachment_counter}=$3; >+ if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && ($BOUNDARY{$attachment_counter} =~ /\"|\;/ || $BOUNDARY{$attachment_counter} eq "")) { >+ &debug("w_c: RFC2046 says boundaries ($BOUNDARY{$attachment_counter}) can't contain such chars [see bcharsnospace]"); >+ #$destring="problem"; >+ #$illegal_mime=1; >+ #$quarantine_description="Disallowed MIME boundary found - potential virus"; >+ #$quarantine_event="Policy:Bad_MIME_Boundary"; >+ #$description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >+ &eventlog("QMSWC:BAD_MIME_BOUNDARY"); >+ } >+ #Strip off stuff after semicolon, and escape any odd chars >+ $BOUNDARY{$attachment_counter} =~ s/(\"|\;).*$//g; >+ #$BOUNDARY{$attachment_counter} =~ s/([^a-z0-9=\_])/\\\1/gi; >+ $BOUNDARY{$attachment_counter} =~ s/(\W)/\\$1/g; >+ if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && length($BOUNDARY{$attachment_counter}) > 250) { >+ #RFC2046 says boundarys are 0-70 chars >+ $destring="problem"; >+ $illegal_mime=1; >+ $quarantine_description="Disallowed MIME boundary length found (".length($BOUNDARY{$attachment_counter}).") - potential virus"; >+ $quarantine_event="Policy:Bad_MIME_Length"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >+ &eventlog("QMSWC:BAD_MIME_BOUNDARY"); >+ } >+ $BOUNDARY_REGEX=$BOUNDARY{$attachment_counter}; >+ &debug("w_c: found a top-level boundary definition of $BOUNDARY{$attachment_counter}"); >+ } >+ if ( $headers{'content-type'} =~ /name(|\s+)=(|\s+|\s*\")([^\s\"].*)/i) { >+ $ATTACHMENT=$3; >+ $attachment_counter++; >+ #Strip off stuff after semicolon >+ $ATTACHMENT =~ s/(\"|\;).*$//g; >+ &debug("w_c: found a top-level file attachment definition of $ATTACHMENT"); >+ push(@attachment_list, $ATTACHMENT); >+ } >+ if ($headers{'message-id'} eq "" && !$headers{$qsmsgid}) { >+ $headers{$qsmsgid}="<".time . __LINE__ . 
$$ . "\@$hostname>"; >+ print TMPFILE "$V_HEADER-Message-ID: $headers{$qsmsgid}\n"; >+ } else { >+ if (!$headers{$qsmsgid}) { >+ $headers{$qsmsgid}=$headers{'message-id'}; >+ } >+ } > } > } > if (/^(\r|\r\n|\n)$/) { 
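Review bot: In the top-level boundary check, &eventlog("QMSWC:BAD_MIME_BOUNDARY") is added to the branch whose quarantine assignments are all commented out, so the event log reports a bad boundary for a message that is not quarantined and whose $quarantine_event stays empty. The same tag is then reused a few lines later for the length check, which sets Policy:Bad_MIME_Length. Either drop the event from the non-blocking branch or give it its own tag, and use a separate tag for the length case, so the event log matches the policy outcome. Most of the remaining -/+ pairs in this hunk appear to differ only in indentation; sending the re-indent as a separate change would leave the added &minidebug and &eventlog lines reviewable on their own.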
>@@ -697,97 +1081,105 @@ > #&debug("w_c: last attachment header: $attachment_header:$attachment_value"); > $attach_hdrs{tolower($attachment_header)}=$attachment_value; > if ($still_attachment ne "") { >- $still_attachment=''; >- $begin_content=$attach_hdrs{'content-transfer-encoding'}; >+ $still_attachment=''; >+ $begin_content=$attach_hdrs{'content-transfer-encoding'}; > } else { >- $begin_content=''; >+ $begin_content=''; > } > $attachment_header=$attachment_value=''; > #Let's see what the last MIME attachment contained > if ($cd_attachment_filename ne "" && $ct_attachment_filename ne "" && $ct_attachment_filename ne $cd_attachment_filename) { >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1) { >- &debug("w_c: Disallowed MIME filename manipulation - potential virus"); >- $illegal_mime=1; >- $destring="problem"; >- $quarantine_description='Disallowed MIME filename manipulation - potential virus'; >- $quarantine_event="Policy:Bad_MIME_Manipulation"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message attachment: \"$ct_attachment_filename\" != \"$cd_attachment_filename\""; >- } >+ if (!$quarantine_event && $BAD_MIME_CHECKS > 1) { >+ &debug("w_c: Disallowed MIME filename manipulation - potential virus"); >+ &minidebug("w_c: Disallowed MIME filename manipulation - potential virus"); >+ &eventlog("QMSWC:BAD_MIME_FILENAME"); >+ $illegal_mime=1; >+ $destring="problem"; >+ $quarantine_description='Disallowed MIME filename manipulation - potential virus'; >+ $quarantine_event="Policy:Bad_MIME_Manipulation"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message attachment: \"$ct_attachment_filename\" != \"$cd_attachment_filename\""; >+ } > } > #$ct_attachment_filename=$cd_attachment_filename=''; > if ($attach_hdrs{'content-type'} =~ /name(|\s+)=(|\s+|\s*\")([^\s\"].*)/i && $ATTACHMENT eq "") { >- $ATTACHMENT=$3; >- #Strip off stuff after semicolon >- $ATTACHMENT =~ 
s/(\"|\;).*$//g; >- $ATTACHMENT=tolower($ATTACHMENT); >- if (!grep(/^\Q$ATTACHMENT\E$/,@attachment_list)) { >- &debug("found C-T attachment filename $ATTACHMENT"); >- push(@attachment_list, $ATTACHMENT); >- } >- $ct_attachment_filename=$ATTACHMENT; >- $ATTACHMENT=''; >- #&debug("w_c: found a Content-Type attachment filename of \"$ct_attachment_filename\""); >+ $ATTACHMENT=$3; >+ #Strip off stuff after semicolon >+ $ATTACHMENT =~ s/(\"|\;).*$//g; >+ $ATTACHMENT=tolower($ATTACHMENT); >+ if (!grep(/^\Q$ATTACHMENT\E$/,@attachment_list)) { >+ &debug("found C-T attachment filename $ATTACHMENT"); >+ push(@attachment_list, $ATTACHMENT); >+ } >+ $ct_attachment_filename=$ATTACHMENT; >+ $ATTACHMENT=''; >+ #&debug("w_c: found a Content-Type attachment filename of \"$ct_attachment_filename\""); > } > if ($attach_hdrs{'content-disposition'} =~ /name(|\s+)=(|\s+|\s*\")([^\s\"].*)/i && $ATTACHMENT eq "") { >- $ATTACHMENT=$3; >- #Strip off stuff after semicolon >- $ATTACHMENT =~ s/(\"|\;).*$//g; >- $ATTACHMENT=tolower($ATTACHMENT); >- if (!grep(/^\Q$ATTACHMENT\E$/,@attachment_list)) { >- push(@attachment_list, $ATTACHMENT); >- &debug("found C-D attachment filename $ATTACHMENT"); >- } >- $cd_attachment_filename=$ATTACHMENT; >- $ATTACHMENT=''; >- #&debug("w_c: found a Content-Disposition attachment filename of \"$cd_attachment_filename\""); >+ $ATTACHMENT=$3; >+ #Strip off stuff after semicolon >+ $ATTACHMENT =~ s/(\"|\;).*$//g; >+ $ATTACHMENT=tolower($ATTACHMENT); >+ if (!grep(/^\Q$ATTACHMENT\E$/,@attachment_list)) { >+ push(@attachment_list, $ATTACHMENT); >+ &debug("found C-D attachment filename $ATTACHMENT"); >+ } >+ $cd_attachment_filename=$ATTACHMENT; >+ $ATTACHMENT=''; >+ #&debug("w_c: found a Content-Disposition attachment filename of \"$cd_attachment_filename\""); > } > if ($attach_hdrs{'content-type'} =~ /boundary(|\s+)=(|\s+|\s*\")([^\s\"].*)/i) { >- $BOUNDARY{$attachment_counter}=$3; >- #Strip off delimiters around boundary >- $BOUNDARY{$attachment_counter} =~ 
s/(\"|\;).*$//g; >- $BOUNDARY{$attachment_counter} =~ s/(\W)/\\$1/g; >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && length($BOUNDARY{$attachment_counter}) > 250) { >- #RFC2046 says boundarys are 0-70 chars >- $destring="problem"; >- $illegal_mime=1; >- $quarantine_description="Disallowed MIME boundary length found (".length($BOUNDARY{$attachment_counter}).") - potential virus"; >- $quarantine_event="Policy:Bad_MIME_Boundary"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >- if ( !$quarantine_event && $BAD_MIME_CHECKS > 1 && $BOUNDARY{$attachment_counter} =~ /^($BOUNDARY_REGEX)$/i) { >- &debug("w_c: hmm, a new boundary defintion that has already being set. Sounds like a trojan"); >+ $BOUNDARY{$attachment_counter}=$3; >+ #Strip off delimiters around boundary >+ $BOUNDARY{$attachment_counter} =~ s/(\"|\;).*$//g; >+ $BOUNDARY{$attachment_counter} =~ s/(\W)/\\$1/g; >+ if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && length($BOUNDARY{$attachment_counter}) > 250) { >+ #RFC2046 says boundarys are 0-70 chars >+ $destring="problem"; >+ $illegal_mime=1; >+ $quarantine_description="Disallowed MIME boundary length found (".length($BOUNDARY{$attachment_counter}).") - potential virus"; >+ $quarantine_event="Policy:Bad_MIME_Boundary"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >+ &eventlog("QMSWC:BAD_MIME_BOUNDARY"); >+ } >+ if ( !$quarantine_event && $BAD_MIME_CHECKS > 1 && $BOUNDARY{$attachment_counter} =~ /^($BOUNDARY_REGEX)$/i) { >+ &debug("w_c: hmm, a new boundary defintion that has already being set. Sounds like a trojan"); >+ &minidebug("w_c: hmm, a new boundary defintion that has already being set. 
Sounds like a trojan"); > &debug("w_c: broken attachment MIME details - block it!"); >+ &minidebug("w_c: broken attachment MIME details - block it!"); > $illegal_mime=1; >- $destring="problem"; >+ $destring="problem"; > $quarantine_description='Disallowed MIME boundary found in attachment - potential virus'; >- $quarantine_event="Policy:Bad_MIME_Boundary"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >+ $quarantine_event="Policy:Bad_MIME_Boundary"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >+ &eventlog("QMSWC:BAD_MIME_BOUNDARY"); >+ } >+ if ($BOUNDARY_REGEX ne "") { >+ $BOUNDARY_REGEX.="|".$BOUNDARY{$attachment_counter}; >+ } else { >+ $BOUNDARY_REGEX=$BOUNDARY{$attachment_counter}; > } >- if ($BOUNDARY_REGEX ne "") { >- $BOUNDARY_REGEX.="|".$BOUNDARY{$attachment_counter}; >- } else { >- $BOUNDARY_REGEX=$BOUNDARY{$attachment_counter}; >- } >- #&debug("w_c: BOUNDARY_REGEX=$BOUNDARY_REGEX"); >+ #&debug("w_c: BOUNDARY_REGEX=$BOUNDARY_REGEX"); > } > if ($attach_hdrs{'content-type'} =~ /\//) { >- $attachment_filename=''; >- $attachment_filename=$cd_attachment_filename ne "" ? 
$cd_attachment_filename : $ct_attachment_filename; >- #&debug("w_c: just parsed attachment $attach_hdrs{'content-type'}: filename=$attachment_filename"); >- if ( $attach_hdrs{'content-type'} =~ /^(\s+|)([^\/\s\(]+)(\s+|)\/(\s+|)([^\/\s\(\;]+)/ ) { >- $content_type{$attachment_counter}="$2/$5"; >- &debug("w_c: attachment $attachment_counter: Content-Type of $content_type{$attachment_counter} found"); >- if ($attachment_filename =~ /\.(scr|pif|vbs|exe)$/i && $content_type{$attachment_counter} !~ /^(message|text|application)/i) { >- $quarantine_description="Disallowed file ($attachment_filename) assosiated with unrelated MIME type ($content_type{$attachment_counter}) - potential virus"; >- &debug("w_c: $quarantine_description"); >- $illegal_mime=1; >- $destring='problem'; >- $quarantine_event="Policy:Forged_Attachment"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in attachment $attachment_filename"; >- } >- } >- $attach_hdrs{'content-type'}=''; >- $ct_attachment_filename=$cd_attachment_filename=''; >+ $attachment_filename=''; >+ $attachment_filename=$cd_attachment_filename ne "" ? 
$cd_attachment_filename : $ct_attachment_filename; >+ #&debug("w_c: just parsed attachment $attach_hdrs{'content-type'}: filename=$attachment_filename"); >+ if ( $attach_hdrs{'content-type'} =~ /^(\s+|)([^\/\s\(]+)(\s+|)\/(\s+|)([^\/\s\(\;]+)/ ) { >+ $content_type{$attachment_counter}="$2/$5"; >+ &debug("w_c: attachment $attachment_counter: Content-Type of $content_type{$attachment_counter} found"); >+ if ($attachment_filename =~ /\.(scr|pif|vbs|exe)$/i && $content_type{$attachment_counter} !~ /^(message|text|application)/i) { >+ $quarantine_description="Disallowed file ($attachment_filename) assosiated with unrelated MIME type ($content_type{$attachment_counter}) - potential virus"; >+ &debug("w_c: $quarantine_description"); >+ &minidebug("w_c: $quarantine_description"); >+ &eventlog("QMSWC:BAD_MIME_ASSOCIATION"); >+ $illegal_mime=1; >+ $destring='problem'; >+ $quarantine_event="Policy:Forged_Attachment"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in attachment $attachment_filename"; >+ } >+ } >+ $attach_hdrs{'content-type'}=''; >+ $ct_attachment_filename=$cd_attachment_filename=''; > } > } else { > #&debug("line=$_"); 
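Review bot: The new &minidebug("w_c: $quarantine_description") in the Forged_Attachment branch writes $attachment_filename and the parsed Content-Type, both taken from the message's MIME headers, into a second log with no filtering beyond the quote/semicolon strip and tolower applied earlier. Replace non-printable characters on a copy of the string before logging it, so a crafted header cannot corrupt or imitate log lines. Separately, QMSWC:BAD_MIME_BOUNDARY is emitted in this hunk for both the over-length boundary and the already-defined boundary case; distinct tags would let a log consumer tell the two apart.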
>@@ -796,36 +1188,38 @@ > if ($still_attachment ne "") { > #&debug("w_c: check those attachment headers ($_)"); > if (/^([^\s]+):(|\s+)(.*)$/) { >- $last_header=$attachment_header; >- $last_value=$attachment_value; >- $attachment_header=$1; >- $attachment_value=$3; >- $attachment_value =~ s/^\s+//; >- if ($last_header) { >- #&debug("w_c: $last_header:$last_value"); >- $attach_hdrs{tolower($last_header)}=$last_value; >- } >- #&debug("w_c: beginning of $attachment_header, value=$attachment_value"); >+ $last_header=$attachment_header; >+ $last_value=$attachment_value; >+ $attachment_header=$1; >+ $attachment_value=$3; >+ $attachment_value =~ s/^\s+//; >+ if ($last_header) { >+ #&debug("w_c: $last_header:$last_value"); >+ $attach_hdrs{tolower($last_header)}=$last_value; >+ } >+ #&debug("w_c: beginning of $attachment_header, value=$attachment_value"); > } elsif (/^\s(.+)/) { >- #&debug("w_c: line :$_: reached"); >- $attachment_value.=$1; >+ #&debug("w_c: line :$_: reached"); >+ $attachment_value.=$1; > } elsif (/^(\r|\r\n|\n|\s+)$/) { >- #Yeah - I should block spaces, but too many valid lists send out such junk... >- $still_attachment=''; >+ #Yeah - I should block spaces, but too many valid lists send out such junk... >+ $still_attachment=''; > } else { >- #This will catch headers that are *correctly* broken over two lines. >- #No known mailer does that, but virus writers do, so we block it. >- #Note that a lot of mailing-lists (and AV systems...) 
shove their trailers >- #on the bottom of messages irrespective of whether they are MIME or not - so >- #we must allow such "hacks" to slip through >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && ($BOUNDARY_REGEX ne "" && $still_attachment !~ /^\-\-($BOUNDARY_REGEX)\-\-$/) ) { >- &debug("w_c: broken attachment MIME details (still_attachment=$still_attachment, but BOUNDARY_REGEX=\"$BOUNDARY_REGEX\")- block it!"); >- $illegal_mime=1; >- $destring="problem"; >- $quarantine_description='Disallowed content found in MIME attachment - potential virus'; >- $quarantine_event="Policy:Bad_MIME_Header"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >+ #This will catch headers that are *correctly* broken over two lines. >+ #No known mailer does that, but virus writers do, so we block it. >+ #Note that a lot of mailing-lists (and AV systems...) shove their trailers >+ #on the bottom of messages irrespective of whether they are MIME or not - so >+ #we must allow such "hacks" to slip through >+ if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && ($BOUNDARY_REGEX ne "" && $still_attachment !~ /^\-\-($BOUNDARY_REGEX)\-\-$/) ) { >+ &debug("w_c: broken attachment MIME details (still_attachment=$still_attachment, but BOUNDARY_REGEX=\"$BOUNDARY_REGEX\")- block it!"); >+ &minidebug("w_c: broken attachment MIME details (still_attachment=$still_attachment, but BOUNDARY_REGEX=\"$BOUNDARY_REGEX\")- block it!"); >+ $illegal_mime=1; >+ $destring="problem"; >+ $quarantine_description='Disallowed content found in MIME attachment - potential virus'; >+ $quarantine_event="Policy:Bad_MIME_Header"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >+ &eventlog("QMSWC:BAD_MIME_CONTENT"); >+ } > } > } > if ($begin_content =~ /base64/i && !/^\s/) { 
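Review bot: The event added to the final else branch is tagged QMSWC:BAD_MIME_CONTENT while the branch sets $quarantine_event to Policy:Bad_MIME_Header, and the same tag is used elsewhere in the patch for Policy:Bad_MIME_Type. A tag that mirrors the policy name, for instance QMSWC:BAD_MIME_HEADER (the name is only a suggestion), would keep event-log counts aligned with the quarantine reason. The added &minidebug line also interpolates $still_attachment and $BOUNDARY_REGEX, both derived from message content, so control characters should be stripped from them before they are written to the log.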
>@@ -833,41 +1227,45 @@ > $begin_content=''; > #Only looking for base64 encoded as both QP and binary appear to arrive corrupted under Outlook > if ($_ =~ /^TV(qq|qQ|r1|pQ|pA|py|rm|rh|oF|oI|rQ|o8|ou|oA)/) { >- &debug("w_c: base64 looks like a Windows executable, filename=$attachment_filename,type=$content_type{$attachment_counter}"); >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && $content_type{$attachment_counter} !~ /^application/i) { >- #As far as I'm aware, a Windows/DOS executable should always be of type "application/<something>" >- $illegal_mime=1; >- $destring="problem"; >- $quarantine_description="Disallowed executable attachment associated with \"$content_type{$attachment_counter}\" MIME type - potential virus"; >- $quarantine_event="Policy:Forged_Attachment"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in attachment \"$attachment_filename\""; >- &debug("w_c: $quarantine_description"); >- } >+ &debug("w_c: base64 looks like a Windows executable, filename=$attachment_filename,type=$content_type{$attachment_counter}"); >+ if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && $content_type{$attachment_counter} !~ /^application/i) { >+ #As far as I'm aware, a Windows/DOS executable should always be of type "application/<something>" >+ $illegal_mime=1; >+ $destring="problem"; >+ $quarantine_description="Disallowed executable attachment associated with \"$content_type{$attachment_counter}\" MIME type - potential virus"; >+ $quarantine_event="Policy:Forged_Attachment"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in attachment \"$attachment_filename\""; >+ &debug("w_c: $quarantine_description"); >+ &minidebug("w_c: $quarantine_description"); >+ &eventlog("QMSWC:BAD_MIME_WINBLOWS"); >+ } > } > if ($_ =~ /^(UEsDB[AB]|UEswMFBL)/) { >- &debug("w_c: base64 looks like a zip file, filename=$attachment_filename,type=$content_type{$attachment_counter}"); >- if 
(!$quarantine_event && $BAD_MIME_CHECKS > 2 && $attachment_filename !~ /\.zip$/i) { >- #This is a zip file, and yet the filename doesn't end in .zip - should quarantine it! >- $illegal_mime=1; >- $destring="problem"; >- $quarantine_description="Disallowed zip attachment when not assosiated with a .zip filename - potential virus"; >- $quarantine_event="Policy:Forged_Attachment"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in attachment \"$attachment_filename\""; >- &debug("w_c: $quarantine_description"); >- } >+ &debug("w_c: base64 looks like a zip file, filename=$attachment_filename,type=$content_type{$attachment_counter}"); >+ if (!$quarantine_event && $BAD_MIME_CHECKS > 2 && $attachment_filename !~ /\.zip$/i) { >+ #This is a zip file, and yet the filename doesn't end in .zip - should quarantine it! >+ $illegal_mime=1; >+ $destring="problem"; >+ $quarantine_description="Disallowed zip attachment when not assosiated with a .zip filename - potential virus"; >+ $quarantine_event="Policy:Forged_Attachment"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in attachment \"$attachment_filename\""; >+ &debug("w_c: $quarantine_description"); >+ &minidebug("w_c: $quarantine_description"); >+ &eventlog("QMSWC:BAD_MIME_ZIP"); >+ } > } > } > if ($BOUNDARY_REGEX ne "" && /^\-\-($BOUNDARY_REGEX)/) { > $still_attachment=$_; > chomp($still_attachment); > if (/^\-\-($BOUNDARY_REGEX)\-\-.$/) { >- &debug("w_c: found end of attachment boundary, BOUNDARY_REGEX was \"$BOUNDARY_REGEX\"..."); >- my ($delete_bb)=$1; >- $delete_bb =~ s/(\W)/\\$1/g; >- $BOUNDARY_REGEX =~ s/\Q$delete_bb\E//; >- $BOUNDARY_REGEX =~ s/\|\|//; >- $BOUNDARY_REGEX =~ s/(^\||\|$)//; >- &debug("w_c: now that \"$delete_bb\" has been removed, it's \"$BOUNDARY_REGEX\"..."); >+ &debug("w_c: found end of attachment boundary, BOUNDARY_REGEX was \"$BOUNDARY_REGEX\"..."); >+ my ($delete_bb)=$1; >+ $delete_bb =~ s/(\W)/\\$1/g; >+ 
$BOUNDARY_REGEX =~ s/\Q$delete_bb\E//; >+ $BOUNDARY_REGEX =~ s/\|\|//; >+ $BOUNDARY_REGEX =~ s/(^\||\|$)//; >+ &debug("w_c: now that \"$delete_bb\" has been removed, it's \"$BOUNDARY_REGEX\"..."); > } > $attachment_counter++; > #&debug("w_c: found :$BOUNDARY_REGEX: - must be attachment section $attachment_counter"); >@@ -876,6 +1274,7 @@ > $CRYPTO_TYPE="CR:PGP(old-signed)" if ($CRYPTO_TYPE eq "" && /^\-\-\-\-\-BEGIN PGP SIGNATURE\-\-\-\-\-/); > $CRYPTO_TYPE="CR:PGP(old-encrypted)" if (/^\-\-\-\-\-BEGIN PGP MESSAGE\-\-\-\-\-/); > &debug("found old PGP crypto ($CRYPTO_TYPE)") if ($CRYPTO_TYPE ne ""); >+ &minidebug("found old PGP crypto ($CRYPTO_TYPE)") if ($CRYPTO_TYPE ne ""); > } > &check_and_grab_attachments; > print TMPFILE ; >@@ -929,10 +1328,17 @@ > #qmail-smtpd must be officially dropping the incoming message for > #some (valid) reason (including the other end dropping the connection). > &debug("g_e_h: no sender and no recips."); >+ &eventlog("SMTP-DROP"); >+ &minidebug("g_e_h: no sender and no recips, from $smtp_sender. Dropping."); >+ warn "$$ QS-$VERSION: no sender and no recips, from $smtp_sender\n" if ($MINIDEBUG >= 3); >+ warn "$V_HEADER-$VERSION: no sender and no recips, from $smtp_sender\n" if ($MINIDEBUG == 2); > &cleanup; >+ &close_log; > exit; > } > &debug("g_e_h: return-path is \"$returnpath\", recips is \"$recips\""); >+ &minidebug("return-path='$returnpath', recips='$recips'"); >+ &eventlog("ENV-HEADER:$local_domains_string:$returnpath:$recips"); > } 
> > >@@ -963,17 +1369,17 @@ > $save_filename =~ /^(.*)$/; $save_filename=$1; > ($new_filename=$save_filename) =~ s/([^a-z0-9\.\-\_\+\=\~]+)//gi; > if ($save_filename ne $new_filename) { >- $new_filename =~ /(\.[^\.]+)$/; >- $new_filename=&uniq_id."$new_filename"; >- rename($save_filename,$new_filename); >- &debug("d_m: ren $save_filename to $new_filename"); >- $save_filename=$new_filename; >+ $new_filename =~ /(\.[^\.]+)$/; >+ $new_filename=&uniq_id."$new_filename"; >+ rename($save_filename,$new_filename); >+ &debug("d_m: ren $save_filename to $new_filename"); >+ $save_filename=$new_filename; > } > #Who cares if it is or isn't tnef, just scan it! > if ($tnef_binary) { >- $MAYBETNEF=`$tnef_binary --number-backups -d $ENV{'TMPDIR'}/ -f $ENV{'TMPDIR'}/$save_filename 2>&1`; >- $tnef_status=$?; >- &debug("d_m: is $ENV{'TMPDIR'}/$save_filename is a TNEF file?: $tnef_status [",&deltatime,"]"); >+ $MAYBETNEF=`$tnef_binary --number-backups -d $ENV{'TMPDIR'}/ -f $ENV{'TMPDIR'}/$save_filename 2>&1`; >+ $tnef_status=$?; >+ &debug("d_m: is $ENV{'TMPDIR'}/$save_filename is a TNEF file?: $tnef_status [",&deltatime,"]"); > } > } > } >@@ -992,14 +1398,14 @@ > $save_filename =~ /^(.*)$/; $save_filename=$1; > ($new_filename=$save_filename) =~ s/([^a-z0-9\.\-\_\+\=\~]+)//gi; > if ($save_filename ne $new_filename) { >- $new_filename =~ /(\.[^\.]+)$/; >- $new_filename=&uniq_id."$new_filename"; >- rename($save_filename,$new_filename); >- &debug("d_m: ren $save_filename to $new_filename"); >- $save_filename=$new_filename; >+ $new_filename =~ /(\.[^\.]+)$/; >+ $new_filename=&uniq_id."$new_filename"; >+ rename($save_filename,$new_filename); >+ &debug("d_m: ren $save_filename to $new_filename"); >+ $save_filename=$new_filename; > } > if ( $save_filename =~ /\.(zip|exe)$/i) { >- &unzip_file($save_filename); >+ &unzip_file($save_filename); > } > } > } 
>@@ -1029,15 +1435,20 @@ > #due to some Policy: this way you get the definitive answer as to what is > #a virus... > >- &scanloop; #JLH if (!$quarantine_event); >- >- #Only run perlscanner if no reason to quarantine found so far >- &perlscan_scanner if (!$quarantine_event); >+ &scanloop if (!$quarantine_DOS); #JLH if (!$quarantine_event); > > chdir("$scandir"); > >+ # st: mark the viruses we don't want to quarantine, but delete them >+ if (($virus_to_delete ne "") && ($quarantine_description=~/($virus_to_delete)/i)) { >+ $del_message='1'; >+ &debug("v_t_d: Virus ($quarantine_description), dropping"); >+ &minidebug("v_t_d: Virus ($quarantine_description), dropping"); >+ } >+ > my($decon_time)=tv_interval ($start_init_scanners_time, [gettimeofday]); > &debug("ini_sc: scanning message took $decon_time seconds"); >+ &minidebug("ini_sc: finished scan of \"$ENV{'TMPDIR'}\"..."); > } > > >@@ -1062,6 +1473,7 @@ > $quarantine_description="Disallowed characters found in MIME headers" if (!$quarantine_description); > $quarantine_event="Policy:Bad_MIME"; > $description .= "\n---perlscanner results ---\n$destring '$quarantine_description'\n found in message"; >+ &eventlog("PERLSCAN:BAD_MIME_HEADER"); > } > #check out headers against DB... 
> >@@ -1075,12 +1487,14 @@ > $type =~ s/^Virus-//g; > &debug("p_s: checking for objects containing $type: $var"); > if ($headers{$type} =~ /^$var$/) { >- $quarantine_description="$desc"; >- ($quarantine_event=$quarantine_description) =~ s/\s/_/g; >- $quarantine_event="Perlscan:".substr($quarantine_event,0,$QE_LEN); >- $quarantine_event=~s/_$//g; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >- &debug("p_s: something to block! ($quarantine_description)"); >+ $quarantine_description="$desc"; >+ ($quarantine_event=$quarantine_description) =~ s/\s/_/g; >+ $quarantine_event="Perlscan:".substr($quarantine_event,0,$QE_LEN); >+ $quarantine_event=~s/_$//g; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >+ &debug("p_s: something to block! ($quarantine_description)"); >+ &minidebug("p_s: something to block! ($quarantine_description)"); >+ &eventlog("PERLSCAN:BAD_HDR_DB"); > } > } else { > &debug("p_s: type is a size!"); >@@ -1097,7 +1511,8 @@ > close(DIR); > > if ($#allfiles > $MAX_NUM_UNPACKED_FILES) { >- &debug("w_c: more than MAX_NUM_UNPACKED_FILES files found - quarantine"); >+ &debug("w_c: more than $MAX_NUM_UNPACKED_FILES files found - quarantine"); >+ &minidebug("w_c: more than $MAX_NUM_UNPACKED_FILES files found - quarantine"); > $illegal_mime=1; > $destring='problem'; > $quarantine_description="Too many file components found (".$#allfiles.") - potential DoS"; >@@ -1127,6 +1542,8 @@ > > if (!$quarantine_event && length($file) > 256 && $BAD_MIME_CHECKS > 1 ) { > &debug("w_c: majorly long attachment filename found - block it"); >+ &minidebug("w_c: majorly long attachment filename found - block it"); >+ &eventlog("PERLSCAN:BAD_ATTACH_LENGTH"); > $illegal_mime=1; > $destring='problem'; > $quarantine_description="Disallowed attachment file length found (".length($file).") - potential virus"; 
>@@ -1142,26 +1559,29 @@ > #The VALID_WINDOWS_EXTENSIONS is based on double-barrel virii caught in a years worth of Qmail-Scanner > #logs (gotta love those logs!). Notice that I expressly allow "file.exe.exe" through - as the double-extension > #doesn't hide anything [just implies a user made a mistake] >- > if (!$quarantine_event && ($file =~ /(^.*)\.($VALID_WINDOWS_EXTENSIONS)\s*\.($SNEAKY_WINDOWS_EXTENSIONS)$/i) && $file !~ /(\.[a-z0-9]{3})\1|\.pp.\.pp.$/i) { >- $quarantine_description="Disallowed double-barrelled attachment filename ($file) - potential virus"; >- &debug("w_c: $quarantine_description"); >- $illegal_mime=1; >- $destring='problem'; >- $quarantine_event="Policy:Win_Ext"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >- $file_desc .= "$file:$msg_size\t" if ($file_desc !~ /\Q$file\E:$size\t/); >- return; >+ $quarantine_description="Disallowed double-barrelled attachment filename ($file) - potential virus"; >+ &debug("w_c: $quarantine_description"); >+ &minidebug("w_c: $quarantine_description"); >+ &eventlog("QMSWC:BAD_ATTACH_FILENAME"); >+ $illegal_mime=1; >+ $destring='problem'; >+ $quarantine_event="Policy:Win_Ext"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >+ $file_desc .= "$file:$msg_size\t" if ($file_desc !~ /\Q$file\E:$size\t/); >+ return; > } > if (!$quarantine_event && $file =~ /\{[0-9a-f]{8}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{12}\}$/i) { >- $quarantine_description="Disallowed CLSID file extensions ($file) - potential virus"; >- &debug("w_c: $quarantine_description"); >- $illegal_mime=1; >- $destring='problem'; >- $quarantine_event="Policy:Win_CLSID"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >- $file_desc .= "$file:$msg_size\t" if ($file_desc !~ /\Q$file\E:$size\t/); >- return; >+ 
$quarantine_description="Disallowed CLSID file extensions ($file) - potential virus"; >+ &debug("w_c: $quarantine_description"); >+ &minidebug("w_c: $quarantine_description"); >+ &eventlog("QMSWC:BAD_ATTACH_FILENAME"); >+ $illegal_mime=1; >+ $destring='problem'; >+ $quarantine_event="Policy:Win_CLSID"; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >+ $file_desc .= "$file:$msg_size\t" if ($file_desc !~ /\Q$file\E:$size\t/); >+ return; > } > } > if ($file =~ /(^.*)(\.[^\.]+)\.?$/) { 
>@@ -1186,28 +1606,35 @@ > &debug("p_s: compare $lfile (size $size) against perlscanner database") if (!$ps_skipfile); > if ( ($array{$lfile} || $array{$extension}) && !$ps_skipfile ) { > if ($array{$lfile}) { >- ($fsize,$quarantine_description) = split(/\t/,$array{$lfile},2); >+ ($fsize,$quarantine_description) = split(/\t/,$array{$lfile},2); > } else { >- $destring="Disallowed attachment type"; >- ($fsize,$quarantine_description) = split(/\t/,$array{$extension},2); >+ $destring="Disallowed attachment type"; >+ ($fsize,$quarantine_description) = split(/\t/,$array{$extension},2); > } > $attachment_list.="$file:$size,"; > if (!$quarantine_event && $size eq $fsize || $fsize =~ /^(\-|\*|any|0)$/i ) { >- &debug("p_s: Quarantine $file! ($quarantine_description)"); >- ($quarantine_event=$quarantine_description) =~ s/\s/_/g; >- $quarantine_event="Perlscan:".substr($quarantine_event,0,$QE_LEN); >- $quarantine_event=~s/_$//g; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >- $section=$apptype=$save_filename=$filename=""; >-# return; >+ &debug("p_s: Quarantine $file! ($quarantine_description)"); >+ &minidebug("p_s: Quarantine $file! ($quarantine_description)"); >+ &eventlog("PERLSCAN:BAD_ATTACHMENT_TYPE"); >+ ($quarantine_event=$quarantine_description) =~ s/\s/_/g; >+ $quarantine_event="Perlscan:".substr($quarantine_event,0,$QE_LEN); >+ $quarantine_event=~s/_$//g; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >+ $section=$apptype=$save_filename=$filename=""; >+# return; > } > } > } >+ # st: cosmetic, if the messages is spam don't call it a virus. 
>+ if ($quarantine_description =~ /spam/i) { >+ $destring="Problem"; >+ } > untie %array; > chdir("$scandir/"); > my($stop_perlscan_time)=[gettimeofday]; > $perlscan_time = tv_interval ($start_perlscan_time, $stop_perlscan_time); > &debug("p_s: finished scan of dir \"$ENV{'TMPDIR'}\" in $perlscan_time secs"); >+ &minidebug("p_s: finished scan in $perlscan_time secs"); > } 
> > >@@ -1215,39 +1642,68 @@ > &debug("scanloop: starting scan of directory \"$ENV{'TMPDIR'}\"..."); > > my ($scanner); >- >- #If it has already been blocked as a Policy DoS attack - don't >- #run AVs over it! You might - well - DoS you system... >- if (!$quarantine_DOS) { >- #Remember any policy blocks that have already occurred, but reset >- #$quarantine_event so that if a virus is found, that "wins" >- $quarantine_event_tmp=$quarantine_event; >- $quarantine_event='0'; >- foreach $scanner (@scanner_array) { >- #Any scanner errors caused by broken zip files/etc will be ignored >- # - not sure how that should be handled... >- &debug("scanloop: scanner=$scanner,plain_text_msg=$plain_text_msg"); >- >- #Just run virus scanners over mail that isn't plain text >- if ($plain_text_msg) { >- #If it's plain text - just run anti-spam checks >- &{$scanner} if ($scanner =~ /spam/i); >- }else { >- &{$scanner}; >- } >- if ($quarantine_event) { >- #If one scanner finds a virus - why run the rest over it? >- last; >+ >+ #Remember any policy blocks that have already occurred, but reset >+ #$quarantine_event so that if a virus is found, that "wins". st: done above. >+ #$quarantine_event_tmp=$quarantine_event; >+ $quarantine_event='0'; >+ >+ foreach $scanner (@scanner_array) { >+ # st: if this recipient has spamassassin in his array we will add the X-Spam headers. >+ $sa_rcpt='1' if ( $scanner =~ /spam/ ); >+ >+ # st: s_p_d, if we have multiples recipients (a lot) run each scanner just once... 
>+ if (exists $found_event{$scanner}) { >+ ($destring,$quarantine_event,$quarantine_description,$description)=split(/\t/,$found_event{$scanner}); >+ $scanner =~ s/^(.*)_scanner$/$1/; >+ $scanner =~ s/^perlscan$/p_s/; >+ $scanner =~ s/^spamassassin$/SA/; >+ if ($quarantine_description ne "") { >+ &debug("$scanner: $destring found $quarantine_description"); >+ &minidebug("$scanner: $destring found $quarantine_description"); >+ last; >+ } else { >+ &debug("$scanner: already checked and clear, skip"); >+ &minidebug("$scanner: already checked and clear, skip"); >+ next; > } > } >- if (!$quarantine_event) { >+ #Any scanner errors caused by broken zip files/etc will be ignored >+ # - not sure how that should be handled... >+ &debug("scanloop: scanner=$scanner,plain_text_msg=$plain_text_msg"); >+ >+ # st: call spamassassin_alt if sa_alt is enabled >+ $scanner = "spamassassin_alt" if ( $scanner =~ /spam/i && $sa_alt eq "1" ); >+ >+ # st: I am not sure if this is correct >+ if ($scanner =~ /perl/i) { > $quarantine_event=$quarantine_event_tmp; >+ } >+ >+ #Just run virus scanners over mail that isn't plain text >+ if ($plain_text_msg) { >+ #If it's plain text - just run anti-spam checks and perl_scanner >+ &{$scanner} if ($scanner =~ /spam|perl/i); > } else { >- #Make sure this is set correctly >- $destring="virus"; >+ &{$scanner}; > } >- &debug("scanloop: finished scan of \"$ENV{'TMPDIR'}\"..."); >- } >+ $scanner = "spamassassin" if ($scanner eq "spamassassin_alt"); >+ if ($quarantine_event) { >+ #Make sure this is set correctly >+ $destring="virus" if ($quarantine_event !~ /spam/i && $scanner !~ /perl/i ); >+ $found_event{$scanner}="$destring\t$quarantine_event\t$quarantine_description\t$description"; >+ #If one scanner finds a virus - why run the rest over it? 
>+ last; >+ } >+ $found_event{$scanner}="\t\t\t"; >+ } >+# if (!$quarantine_event) { >+# $quarantine_event=$quarantine_event_tmp; >+# } else { >+# #Make sure this is set correctly >+# $destring="virus" if ($quarantine_event !~ /spam/i); >+# } >+ &debug("scanloop: finished scan of \"$ENV{'TMPDIR'}\"..."); > } > > sub qmail_requeue { 
>@@ -1292,41 +1748,44 @@ > $findate = POSIX::strftime( "%d %b ",$sec,$min,$hour,$mday,$mon,$year); > $findate .= sprintf "%02d %02d:%02d:%02d -0000", $year+1900, $hour, $min, $sec; > print QMQ "Received: from $remote_smtp_ip by $hostname (envelope-from <$returnpath>, uid $real_uid) with qmail-scanner-$VERSION \n"; >- print QMQ " ($SCANINFO \n Clear:$tag_score. \n"; >- print QMQ " Processed in $elapsed_time secs); $findate\n"; >- print QMQ "X-Spam-Status: $sa_comment\n" if ($sa_comment ne ""); >- print QMQ "X-Spam-Level: $sa_level\n" if ($sa_comment ne "" && $sa_level ne ""); >- if ( $descriptive_hdrs ) { >- print QMQ "${V_HEADER}-Mail-From: $returnpath via $hostname\n"; >- print QMQ "${V_HEADER}-Rcpt-To: $recips\n" if ($descriptive_hdrs eq "2"); >- print QMQ "$V_HEADER: $VERSION (Clear:$tag_score. Processed in $elapsed_time secs)\n"; >+ if ($scanner_array[0] ne "none") { >+ print QMQ " ($SCANINFO \n Clear:$tag_score. \n"; >+ print QMQ " Processed in $elapsed_time secs); $findate\n"; >+ print QMQ "X-Spam-Status: $sa_comment\n" if ($sa_comment ne "" && $sa_rcpt); >+ print QMQ "X-Spam-Level: $sa_level\n" if ($sa_comment ne "" && $sa_level ne "" && $sa_rcpt); >+ print QMQ "X-Spam-Report: SA TESTS\n$sa_report\n" if ($sa_comment ne "" && $sa_rcpt && $sa_report && $sa_hdr_report); >+ if ( $descriptive_hdrs ) { >+ print QMQ "${V_HEADER}-Mail-From: $returnpath via $hostname\n"; >+ print QMQ "${V_HEADER}-Rcpt-To: $recips\n" if ($descriptive_hdrs eq "2"); >+ print QMQ "$V_HEADER: $VERSION (Clear:$tag_score. Processed in $elapsed_time secs Process $nprocess)\n"; >+ } > } > my $still_headers=1; > my $seen_env=0; > while (<STDIN>) { > #Fiddle with headers IFF using fast_spamassassin > if ($still_headers && $spamc_options =~ / \-c /) { >- #if (!$seen_env && /^X\-Envelope\-From:/) { >- #$seen_env=1; >- #just skip the next line (X-Envelope-To:) >- #<STDIN>; >- #next; >- #} >- #break any X-Spam-Status/Level IFF we've set a SA value ourselves. 
Easier than removing - and it leaves >- #them around for diagnosis... >- s/^(X-Spam-Status|X-Spam-Flag):/${V_HEADER}-MOVED-$1:/ if ($sa_comment ne "" && /^(X-Spam-Status|X-Spam-Flag):/i); >- s/^(X-Spam-Level):/${V_HEADER}-MOVED-$1:/ if ($sa_level ne "" && /^X-Spam-Level:/i); >- if ($sa_comment =~ /^yes/i && $spamc_subject ne "" && !/^Subject: \Q$spamc_subject\E/i && /^(Subject):(\s?)([^\n]+)\n/i ) { >- $altered_subject="$1: $spamc_subject $3"; >- if ($altered_subject !~ /^: \Q$spamc_subject\E/) { >- &debug("altering subject line to $altered_subject"); >- print QMQ "$altered_subject\n"; >- next; >- } >- } >- $still_headers=0 if (/^(\r|\r\n|\n)$/); >+ #if (!$seen_env && /^X\-Envelope\-From:/) { >+ #$seen_env=1; >+ #just skip the next line (X-Envelope-To:) >+ #<STDIN>; >+ #next; >+ #} >+ #break any X-Spam-Status/Level IFF we've set a SA value ourselves. Easier than removing - and it leaves >+ #them around for diagnosis... >+ s/^(X-Spam-Status|X-Spam-Flag):/${V_HEADER}-MOVED-$1:/ if ($sa_comment ne "" && /^(X-Spam-Status|X-Spam-Flag):/i); >+ s/^(X-Spam-Level):/${V_HEADER}-MOVED-$1:/ if ($sa_level ne "" && /^X-Spam-Level:/i); >+ if ($sa_comment =~ /^yes/i && $spamc_subject ne "" && !/^Subject: \Q$spamc_subject\E/i && /^(Subject):(\s?)([^\n]+)\n/i && $sa_rcpt) { >+ $altered_subject="$1: $spamc_subject $3"; >+ if ($altered_subject !~ /^: \Q$spamc_subject\E/) { >+ &debug("altering subject line to $altered_subject"); >+ print QMQ "$altered_subject\n"; >+ next; >+ } >+ } >+ $still_headers=0 if (/^(\r|\r\n|\n)$/); > #Insert Subject: line if e-mail dosn't contain one but must be tagged >- print QMQ "Subject: $spamc_subject\n" if ((!$still_headers) && ($sa_comment =~ /^yes/i) && (!$altered_subject) && $spamc_subject ne "" ); >+ print QMQ "Subject: $spamc_subject\n" if ((!$still_headers) && ($sa_comment =~ /^yes/i) && (!$altered_subject) && $spamc_subject ne "" && $sa_rcpt); > > } > print QMQ; 
>@@ -1372,6 +1831,7 @@ > #&debug("v_v_t_r: does $virus_type contain $virus?"); > if ($virus_type =~ /$virus/i) { > &debug("v_v_t_r: $virus_type contain $virus - so don't notify the sender"); >+ &minidebug("v_v_t_r: Description contain \"$virus\" - so don't notify the sender"); > return 0; > } > } >@@ -1406,8 +1866,8 @@ > foreach $dom (@local_domains_array) { > #&debug("i_u_e: does $recips contain $dom?"); > if ($recips =~ /$dom$/i) { >- #&debug("i_u_e: yes it does!"); >- $is_local++; >+ #&debug("i_u_e: yes it does!"); >+ $is_local++; > } > } > } else { 
>@@ -1430,14 +1890,29 @@ > > sub email_quarantine_report { > my($start_email_time)=[gettimeofday]; >+ # st: quarantine spam in a different maildir folder if $smaildir is set. >+ if ( $smaildir ne $vmaildir && $quarantine_description =~/spam/i ) { >+ if (! -d "$scandir/$smaildir") { >+ mkdir("$scandir/$smaildir",0750) || &error_condition("cannot create $scandir/$smaildir - $!"); >+ mkdir("$scandir/$smaildir/new",0750) || &error_condition("cannot create $scandir/$smaildir/new - $!"); >+ mkdir("$scandir/$smaildir/cur",0750) || &error_condition("cannot create $scandir/$smaildir/cur - $!"); >+ mkdir("$scandir/$smaildir/tmp",0750) || &error_condition("cannot create $scandir/$smaildir/tmp - $!"); >+ } >+ $vmaildir=$smaildir; >+ } >+ # st: if we have multiple recipient quarantine the file once >+ return if ( -f "$scandir/$vmaildir/new/$file_id"); > &debug("e_v_r: quarantine msg to $scandir/$vmaildir/new/$file_id"); > link("$scandir/$wmaildir/new/$file_id","$scandir/$vmaildir/new/$file_id")||&error_condition("cannot link $scandir/$wmaildir/new/$file_id into $scandir/$vmaildir/new/ - $!"); > open(QTINE,">>$scandir/$vmaildir/new/$file_id"); > print QTINE "\n*** Qmail-Scanner Quarantine Envelope Details Begin ***\n"; > print QTINE "${V_HEADER}-Mail-From: \"$returnpath\" via $hostname\n"; > print QTINE "${V_HEADER}-Rcpt-To: \"$recips\"\n"; >- print QTINE "$V_HEADER: $VERSION ($SCANINFO $destring Found. Processed in ",tv_interval($start_time,[gettimeofday])," secs)\n"; >+ print QTINE "$V_HEADER: $VERSION ($SCANINFO $destring Found. Processed in ",tv_interval($start_time,[gettimeofday])," secs) process $nprocess \n"; > print QTINE "Quarantine-Description: $quarantine_description\n"; >+ if (($quarantine_description =~ /spam/i) && $sa_report) { >+ print QTINE "SA_REPORT hits = $sa_hits/$required_hits\n$sa_report\n"; >+ } > print QTINE "*** Qmail-Scanner Envelope Details End ***\n"; > close QTINE; > &email_sender("sender") if (&valid_virus_to_report($quarantine_description)); 
>@@ -1467,7 +1942,7 @@ > &debug("cleanup: $rm_binary -rf $ENV{'TMPDIR'}/ $scandir/$wmaildir/new/$file_id") ; > } else { > # check if $archivedir exists >- if (!-d "$scandir/$archivedir") { >+ if (! -d "$scandir/$archivedir") { > mkdir("$scandir/$archivedir",0700) || &error_condition("cannot create $scandir/$archivedir - $!"); > mkdir("$scandir/$archivedir/new",0700) || &error_condition("cannot create $scandir/$archivedir/new - $!"); > mkdir("$scandir/$archivedir/cur",0700) || &error_condition("cannot create $scandir/$archivedir/cur - $!"); >@@ -1475,6 +1950,7 @@ > } > if ( -f "$scandir/$wmaildir/new/$file_id" ) { > &debug("cleanup: archiving into $scandir/$archivedir/new/"); >+ &minidebug("cleanup: archiving into $scandir/$archivedir/new/"); > rename("$scandir/$wmaildir/new/$file_id","$scandir/$archivedir/new/$file_id"); > #This will do for now. Not pretty - but very cheap! > #We need to append this information, otherwise how do you know who this message >@@ -1485,6 +1961,9 @@ > print ARCHIVE "${V_HEADER}-Mail-From: \"$returnpath\" via $hostname\n"; > print ARCHIVE "${V_HEADER}-Rcpt-To: \"$recips\"\n"; > print ARCHIVE "$V_HEADER: $VERSION ($SCANINFO Clear:$tag_score. Processed in ",tv_interval($start_time,[gettimeofday])," secs)\n"; >+ if (($quarantine_description =~ /spam/i) && $sa_report) { >+ print ARCHIVE "SA_REPORT hits = $sa_hits/$required_hits\n$sa_report\n"; >+ } > print ARCHIVE "*** Qmail-Scanner Envelope Details End ***\n"; > close ARCHIVE; > } 
>@@ -1501,53 +1980,54 @@ > > chdir($scandir); > &debug("s_q: re-create the quarantine version file"); >- foreach $scanner (@scanner_array) { >+ &minidebug("s_q: re-create the quarantine version file"); >+ foreach $scanner (@scanners_installed) { > $scanner =~ s/_scanner//; > &debug("s_q: detecting version of $scanner"); > if ($scanner eq "uvscan") { > open(UV,"$uvscan_binary --version|")||die "failed to call $uvscan_binary --version - $!"; > while (<UV>) { >- chomp; >- if (/^Scan engine (v[0-9\.]+) /) { >- $SCANINFO .="uvscan: $1/"; >- } elsif (/^Virus data file (v[0-9\.]+) /) { >- $SCANINFO .= "$1. "; >- } >+ chomp; >+ if (/^Scan engine (v[0-9\.]+) /) { >+ $SCANINFO .="uvscan: $1/"; >+ } elsif (/^Virus data file (v[0-9\.]+) /) { >+ $SCANINFO .= "$1. "; >+ } > } > close(UV); > } elsif ($scanner eq "csav") { > open(CS,"$csav_binary -virno|")||die "failed to call $csav_binary -virno - $!"; > while (<CS>) { >- chomp; >- if (/Command Software AntiVirus for Linux (version [0-9\.]+)/) { >- $SCANINFO .="csav: $1/"; >- } elsif (/^CSA[V]: (.*)/) { >- $SCANINFO .= "$1/"; >- } >+ chomp; >+ if (/Command Software AntiVirus for Linux (version [0-9\.]+)/) { >+ $SCANINFO .="csav: $1/"; >+ } elsif (/^CSA[V]: (.*)/) { >+ $SCANINFO .= "$1/"; >+ } > } > close(CS); > } elsif ($scanner eq "trophie" ) { > open(IS,"$trophie_binary -v 2>&1|")||die "failed to call $trophie_binary -v - $!"; > while (<IS>) { >- chomp; >- if (/VSAPI version (.*)/) { >- $SCANINFO .= "trophie: $1/"; >- } elsif (/Pattern version ([0-9]+) \(pattern number ([0-9]+)\)/) { >- $SCANINFO .= "$1/$2. "; >- } >+ chomp; >+ if (/VSAPI version (.*)/) { >+ $SCANINFO .= "trophie: $1/"; >+ } elsif (/Pattern version ([0-9]+) \(pattern number ([0-9]+)\)/) { >+ $SCANINFO .= "$1/$2. 
"; >+ } > } > close(IS); > } elsif ($scanner eq "iscan") { > open(IS,"$iscan_binary -v|")||die "failed to call $iscan_binary -v - $!"; > while (<IS>) { >- chomp; >- if (/Virus Scanner (v[0-9\.]+), VSAPI (v[0-9\.\-]+)/) { >- $SCANINFO .="iscan: $1/$2/"; >- } elsif (/Pattern version ([0-9\.]+)/) { >- $SCANINFO .= "$1/"; >- } elsif (/Pattern number ([0-9\.]+)/) { >- $SCANINFO .= "$1. "; >- } >+ chomp; >+ if (/Virus Scanner (v[0-9\.]+), VSAPI (v[0-9\.\-]+)/) { >+ $SCANINFO .="iscan: $1/$2/"; >+ } elsif (/Pattern version ([0-9\.]+)/) { >+ $SCANINFO .= "$1/"; >+ } elsif (/Pattern number ([0-9\.]+)/) { >+ $SCANINFO .= "$1. "; >+ } > } > close(IS); > } elsif ($scanner eq "fsecure") { 
>@@ -1563,150 +2043,151 @@ > } elsif (/sign2.def version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { > $SCANINFO .= "$1. "; > } elsif (/F-PROT database version (.*)$/) { >- $SCANINFO .= "fprot($1)/"; >- } elsif (/AVP FPI Engine database version (.*)$/) { >- $SCANINFO .= "avp($1). "; >- } elsif (/Libra database version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >- $SCANINFO .= "libra database $1/"; >- } elsif (/Orion database version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >- $SCANINFO .= "orion database $1/"; >- } elsif (/AVP FPI Engine database version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >- $SCANINFO .= "avp fpi database $1. "; >- } >+ $SCANINFO .= "fprot($1)/"; >+ # Patch for version F-Secure 4.52 by Jyri >+ } elsif (/AVP FPI Engine database version (.*)$/) { >+ $SCANINFO .= "avp($1). "; >+ } elsif (/Libra database version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >+ $SCANINFO .= "libra database $1 / "; >+ } elsif (/Orion database version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >+ $SCANINFO .= "orion database $1 / "; >+ } elsif (/AVP FPI Engine database version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >+ $SCANINFO .= "avp fpi database $1. "; >+ } > } > close(FS); > $SCANINFO .= ". " if ($SCANINFO !~ /\. $/); > } elsif ($scanner eq "fprot") { > open(FP,"$fprot_binary \?|")||die "failed to call $fprot_binary --version - $!"; > while (<FP>) { >- chomp; >- if (/(F-PROT|Program version:) ([0-9\.]+)/) { >- $SCANINFO .="f-prot: $2/"; >- } elsif (/Engine version: ([0-9\.]+)/) { >- $SCANINFO .= "$1"; >- } >+ chomp; >+ if (/(F-PROT|Program version:) ([0-9\.]+)/) { >+ $SCANINFO .="f-prot: $2/"; >+ } elsif (/Engine version: ([0-9\.]+)/) { >+ $SCANINFO .= "$1"; >+ } > } > $SCANINFO .= ". "; > close(FP); > } elsif ($scanner eq "hbedv") { > open(IS,"$hbedv_binary --version 2>&1 |")||die "failed to call $hbedv_binary --version - $!"; > while (<IS>) { >- chomp; >- if (/engine version:\s+([0-9\.]+)/) { >- $SCANINFO .= "hbedv: $1"; >- } elsif (/vdf version:\s+([0-9\.]+)/) { >- $SCANINFO .= "/$1. 
"; >- } >+ chomp; >+ if (/engine version:\s+([0-9\.]+)/) { >+ $SCANINFO .= "hbedv: $1"; >+ } elsif (/vdf version:\s+([0-9\.]+)/) { >+ $SCANINFO .= "/$1. "; >+ } > } > close(IS); > } elsif ($scanner eq "avp") { > open(AVP,"$avp_binary -Y -VL 2>&1 |")||die "failed to call $avp_binary -Y -VL - $!"; > while (<AVP>) { >- chomp; >- if (/Version (([0-9\.]+)\s+build ([0-9\.]+)|([0-9\.]+))/) { >- if ($2) { >- $SCANINFO .= "avp: $1/$2. "; >- } else { >- $SCANINFO .= "avp: $1. "; >- } >- } >+ chomp; >+ if (/Version (([0-9\.]+)\s+build ([0-9\.]+)|([0-9\.]+))/) { >+ if ($2) { >+ $SCANINFO .= "avp: $1/$2. "; >+ } else { >+ $SCANINFO .= "avp: $1. "; >+ } >+ } > } > close(AVP); > } elsif ($scanner eq "ravlin") { > open(RAV,"$ravlin_binary --version 2>&1 |")||die "failed to call $ravlin_binary --version - $!"; > while (<RAV>) { >- chomp; >- if (/^Version: ([0-9\.]+)\./) { >- $SCANINFO .= "ravlin: $1. "; >- } >+ chomp; >+ if (/^Version: ([0-9\.]+)\./) { >+ $SCANINFO .= "ravlin: $1. "; >+ } > } > close(RAV); > } elsif ($scanner eq "vexira") { > open(VEX,"$vexira_binary --version 2>&1 |")||die "failed to call $vexira_binary --version - $!"; > while (<VEX>) { >- chomp; >- if (/^engine version:\s+([0-9\.]+)/) { >- $SCANINFO .= "vexira: $1. "; >- } >+ chomp; >+ if (/^engine version:\s+([0-9\.]+)/) { >+ $SCANINFO .= "vexira: $1. "; >+ } > } > close(RAV); > } elsif ($scanner eq "bitdefender") { > open(BITDEF,"$bitdefender_binary --info 2>&1 |")||die "failed to call $bitdefender_binary --info - $!"; > while(<BITDEF>) { >- chomp; >- if (/^BDC\/Linux\-Console (.*) \(build ([^\)]+)\)/){ >- $SCANINFO .= "bitdefender: $1/$2"; >- } >- if (/^Engine signatures:\s+([0-9]+)/) { >- $SCANINFO .= "/$1. "; >- } >+ chomp; >+ if (/^BDC\/Linux\-Console (.*) \(build ([^\)]+)\)/){ >+ $SCANINFO .= "bitdefender: $1/$2"; >+ } >+ if (/^Engine signatures:\s+([0-9]+)/) { >+ $SCANINFO .= "/$1. 
"; >+ } > } > close(BITDEF); > } elsif ($scanner eq "nod32") { > open(NOD,"$nod32upd_binary /help 2>&1 |")||die "failed to call $nod32upd_binary /help - $!"; > while(<NOD>) { >- chomp; >- if (/^Version.* (.*)/){ >- $SCANINFO .= "nod32: $1"; >- } >+ chomp; >+ if (/^Version.* (.*)/){ >+ $SCANINFO .= "nod32: $1"; >+ } > } > close(NOD); > } elsif ($scanner eq "sophie") { > open(SOP,"$sophie_binary -v 2>&1|")||die "failed to call $sophie_binary -v - $!"; > while (<SOP>) { >- chomp; >- if (/Sophos engine version (.*)$/) { >- $sweep_eng=$1; >- } elsif (/Sophos IDE version ([0-9\.]+)/) { >- $sweep_product=$1; >- } elsif (/Sophie version\s+:\s+([0-9\.]+)/) { >- $sophie_eng=$1; >- } >+ chomp; >+ if (/Sophos engine version (.*)$/) { >+ $sweep_eng=$1; >+ } elsif (/Sophos IDE version ([0-9\.]+)/) { >+ $sweep_product=$1; >+ } elsif (/Sophie version\s+:\s+([0-9\.]+)/) { >+ $sophie_eng=$1; >+ } > } > $SCANINFO .= "sophie: $sophie_eng/$sweep_eng/$sweep_product. "; > close(SOP); > } elsif ($scanner eq "sweep") { > open(SOP,"$sweep_binary -v|")||die "failed to call $sweep_binary -v - $!"; > while (<SOP>) { >- chomp; >- if (/Engine version\s+:\s+(.*)$/) { >- $sweep_eng=$1; >- } elsif (/Product version\s+:\s+(.*)$/) { >- $sweep_product=$1; >- } >+ chomp; >+ if (/Engine version\s+:\s+(.*)$/) { >+ $sweep_eng=$1; >+ } elsif (/Product version\s+:\s+(.*)$/) { >+ $sweep_product=$1; >+ } > } > $SCANINFO .= "sweep: $sweep_eng/$sweep_product. "; > close(SOP); > } elsif ($scanner eq "inocucmd") { > open(IOP,"$inocucmd_binary -HEL|")||die "failed to call $inocucmd_binary -HEL - $!"; > while (<IOP>) { >- chomp; >- if (/Engine version:\s+(.*) ([0-9\/]+)$/) { >- $inocucmd_eng=$1; >- } elsif (/Data version:\s+(.*) ([0-9\/]+)$/) { >- $inocucmd_product=$1; >- } >+ chomp; >+ if (/Engine version:\s+(.*) ([0-9\/]+)$/) { >+ $inocucmd_eng=$1; >+ } elsif (/Data version:\s+(.*) ([0-9\/]+)$/) { >+ $inocucmd_product=$1; >+ } > } > $SCANINFO .= "inocucmd: $inocucmd_eng/$inocucmd_product. 
"; > close(IOP); > } elsif ($scanner eq "clamscan") { > open(CLAMS,"$clamscan_binary --stdout -V|")||die "failed to call $clamscan_binary --stdout -V - $!"; > while (<CLAMS>) { >- chomp; >- if (/ersion ([0-9\.\-a-z]+)/i) { >- $SCANINFO .="clamscan: $1. "; >- } >+ chomp; >+ if (/ersion ([0-9\.\-a-z]+)/i) { >+ $SCANINFO .="clamscan: $1. "; >+ } > } > close(CLAMS); > } elsif ($scanner eq "clamdscan") { > open(CLAMS,"$clamdscan_binary --version 2>&1|")||die "failed to call $clamdscan_binary --version - $!"; > while (<CLAMS>) { >- chomp; >- if (/ersion ([0-9\.\-a-z]+)/i) { >- $SCANINFO .="clamdscan: $1. "; >- } elsif (/^ClamAV ([^\/]+)\/([^\/]+)\//) { >- $SCANINFO .="clamdscan: $1/$2. "; >- } >+ chomp; >+ if (/ersion ([0-9\.\-a-z]+)/i) { >+ $SCANINFO .="clamdscan: $1. "; >+ } elsif (/^ClamAV ([^\/]+)\/([^\/]+)\//) { >+ $SCANINFO .="clamdscan: $1/$2. "; >+ } > } > close(CLAMS); > } elsif ($scanner eq "spamassassin") { >@@ -1714,13 +2195,15 @@ > open(SPAS,"$spamassassin_binary -V |")||die "failed to call $spamassassin_binary -V - $!"; > $spamassassin_eng="2.x"; > while (<SPAS>) { >- chomp; >- if (/^SpamAssassin version (.*)$/i) { >- $spamassassin_eng=$1; >- } >+ chomp; >+ if (/^SpamAssassin version (.*)$/i) { >+ $spamassassin_eng=$1; >+ } > } > close(SPAS); > $SCANINFO .= "spamassassin: $spamassassin_eng. "; >+ } elsif ($scanner eq "perlscan") { >+ $SCANINFO .="perlscan: $VERSION. "; > } else { > #Catch-all for other ones > $SCANINFO .= "$scanner: ???. "; >@@ -1733,6 +2216,7 @@ > rename("$versionfile.tmp","$versionfile"); > > &debug("s_q: cleaning up files older than 2 days via $find_binary $scandir/tmp -mtime +2 -exec $rm_binary -rf {} \;"); >+ &minidebug("s_q: cleaning up files older than 2 days via $find_binary $scandir/tmp -mtime +2 -exec $rm_binary -rf {} \;"); > my ($OLDFILES)=`$find_binary $scandir/tmp -mtime +2 -exec $rm_binary -rf {} \\; 2>/dev/null`; > } 
> >@@ -1776,31 +2260,31 @@ > $count++; > ($match,$type,$descr)=split(/\t+/,$_,3); > if ( $match eq "" || ($type !~ /^[0-9]+$/ && $type !~ /^Virus-[0-9a-z\_\-]+:$/i) ) { >- print "ERROR: incorrect format on line \"$line\"\n"; >- &error_condition("ERROR: incorrect format on line \"$line\""); >+ print "ERROR: incorrect format on line \"$line\"\n"; >+ &error_condition("ERROR: incorrect format on line \"$line\""); > } else { >- #Strip off any regex endings >- if ($type =~ /^[0-9]+$/) { >- #this is a filename/attachment >- if ( $match =~ /^\.dat$/i ) { >- >- print "ERROR: on line \"$line\".\nCannot block all .dat files. Will block too many normal messages.\n"; >- &error_condition("ERROR: on line \"$line\".\nCannot block all .dat files. Will block too many normal messages."); >- next; >- } >- $match = tolower($match); >- } else { >- #this is for header matches >- $match =~ s/^\^|\$$//g; >- #Now make unique >- $match = "$line:$match"; >- $type =~ s/:$//; >- $type =~ /^Virus\-(.*)/; >- if ($1 !~ /^(MAILFROM|RCPTTO|TCPREMOTEIP)$/) { >- $type="Virus-".tolower($1); >- } >- } >- $array{"$match"}="$type\t$descr"; >+ #Strip off any regex endings >+ if ($type =~ /^[0-9]+$/) { >+ #this is a filename/attachment >+ if ( $match =~ /^\.dat$/i ) { >+ >+ print "ERROR: on line \"$line\".\nCannot block all .dat files. Will block too many normal messages.\n"; >+ &error_condition("ERROR: on line \"$line\".\nCannot block all .dat files. Will block too many normal messages."); >+ next; >+ } >+ $match = tolower($match); >+ } else { >+ #this is for header matches >+ $match =~ s/^\^|\$$//g; >+ #Now make unique >+ $match = "$line:$match"; >+ $type =~ s/:$//; >+ $type =~ /^Virus\-(.*)/; >+ if ($1 !~ /^(MAILFROM|RCPTTO|TCPREMOTEIP)$/) { >+ $type="Virus-".tolower($1); >+ } >+ } >+ $array{"$match"}="$type\t$descr"; > } > } > close(TXT); 
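Review bot: In the scanner-version hunk that ends just before `@@ -1714,13 +2195,15 @@`, the vexira branch opens its pipe as `VEX` (`open(VEX,"$vexira_binary --version 2>&1 |")`) but the unchanged context line after the loop is `close(RAV);`, so the `VEX` pipe is only ever closed implicitly. Since this block is being re-indented anyway, change that line to `close(VEX);` in the same patch.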
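Review bot: In `@@ -1776,31 +2260,31 @@`, the header-match branch runs `$type =~ /^Virus\-(.*)/;` without checking that it matched and then uses `$1`, while the format check at the top of the hunk accepts the prefix case-insensitively (`/^Virus-[0-9a-z\_\-]+:$/i`). An entry written as `virus-...:` passes validation, fails this case-sensitive match, and leaves `$1` holding whatever an earlier successful match captured. Add `/i` and make the use of `$1` conditional on the match, for example `if ($type =~ /^Virus\-(.*)/i) { ... }`. As shown, the removed and added lines are otherwise identical, so the hunk is whitespace-only and would be easier to review as a separate re-indent patch.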
>@@ -1815,22 +2299,22 @@ > $count++; > ($type,$descrip)=split(/\t/,$array{$entry},2); > if ( $type =~ /^([0-9]+|Any)/) { >- if ($type eq "0") { >- $type="Any"; >- } elsif ($size =~ /^[0-9]+$/) { >- $type="$type bytes"; >- } >- print "File: \t$entry\n\t\t\tSize: $type\n\t\t\tDescription: $descrip\n\n"; >+ if ($type eq "0") { >+ $type="Any"; >+ } elsif ($size =~ /^[0-9]+$/) { >+ $type="$type bytes"; >+ } >+ print "File: \t$entry\n\t\t\tSize: $type\n\t\t\tDescription: $descrip\n\n"; > } > if ($type =~ /^Virus-(.*)$/i) { >- $type=$1; >- #Strip off numeric uid... >- $entry =~ s/^[0-9]+://; >- if ($type =~ /^(MAILFROM|RCPTTO|TCPREMOTEIP)$/) { >- print "Envelope Header: \t$type\n\t\t\tContent: ^$entry\$\n\t\t\tDescription: $descrip\n\n"; >- } else { >- print "Email Header: \t$type\n\t\t\tContent: ^$entry\$\n\t\t\tDescription: $descrip\n\n"; >- } >+ $type=$1; >+ #Strip off numeric uid... >+ $entry =~ s/^[0-9]+://; >+ if ($type =~ /^(MAILFROM|RCPTTO|TCPREMOTEIP)$/) { >+ print "Envelope Header: \t$type\n\t\t\tContent: ^$entry\$\n\t\t\tDescription: $descrip\n\n"; >+ } else { >+ print "Email Header: \t$type\n\t\t\tContent: ^$entry\$\n\t\t\tDescription: $descrip\n\n"; >+ } > } > } > untie %array; >@@ -1853,7 +2337,7 @@ > Perl: PERLRELEASE_DETAILS > > Scanners: perlscanner"; >- foreach $scanner (@scanner_array) { >+ foreach $scanner (@scanners_installed) { > print ", $scanner"; > } 
> >@@ -1879,25 +2363,26 @@ > $addr_type='psender' if ($NOTIFY_ADDRS =~ /psender/); > if ($addr_type eq "sender") { > if (!&is_unreplyable_email('sender') && ¬ify_addr('sender')) { >- &debug("e_s: sending quarantine report via: $qmailinject to sender address ($returnpath)"); >- print SM "To: $returnpath\n"; >- $tmpsndrs = "$returnpath"; >+ &debug("e_s: sending quarantine report via: $qmailinject to sender address ($returnpath)"); >+ print SM "To: $returnpath\n"; >+ $tmpsndrs = "$returnpath"; > } else { >- &debug("e_s: don't notify sender"); >+ &debug("e_s: don't notify sender"); > } >- }elsif ($addr_type eq "psender") { >+ } elsif ($addr_type eq "psender") { > if (!&is_unreplyable_email('sender') && ¬ify_addr('sender') && ($quarantine_event =~ /^(policy|perlscan)/i && $quarantine_event !~ /virus/i)) { >- &debug("e_s: sending policy quarantine report via: $qmailinject to psender address ($returnpath)"); >- print SM "To: $returnpath\n"; >- $tmpsndrs = "$returnpath"; >+ &debug("e_s: sending policy quarantine report via: $qmailinject to psender address ($returnpath)"); >+ &minidebug("e_s: sending policy quarantine report via: $qmailinject to psender address ($returnpath)"); >+ print SM "To: $returnpath\n"; >+ $tmpsndrs = "$returnpath"; > } else { >- &debug("e_s: don't notify psender"); >+ &debug("e_s: don't notify psender"); > } > } else { > return; > } > } else { >- if (¬ify_addr('admin') || (¬ify_addr('nmladm') && !&is_unreplyable_email('sender')) || (¬ify_addr('nmlvadm') && ($quarantine_event =~ /^(policy|perlscan)/i && $quarantine_event !~ /virus/i) && !&is_unreplyable_email('sender'))) { >+ if ( ¬ify_addr('admin') || ( ¬ify_addr('nmladm') && (!&is_unreplyable_email('sender') || defined($ENV{'RELAYCLIENT'})) ) || ( ¬ify_addr('nmlvadm') && (($quarantine_event =~ /^(policy|perlscan)/i && $quarantine_event !~ /virus/i && !&is_unreplyable_email('sender')) || defined($ENV{'RELAYCLIENT'})) ) ) { > &debug("e_s: sending $polstring quarantine report via: $qmailinject to 
admin address ($QUARANTINE_CC)"); > print SM "To: $QUARANTINE_CC\n"; > $tmpsndrs .= "$QUARANTINE_CC"; >@@ -1907,7 +2392,11 @@ > } > $tmpsubj="$destring LOCALE_sender_subject \"$headers{'subject'}\""; > $tmpsubj =~ s/(\r|\0|\n)/ /g; >- print SM "Subject: $tmpsubj\n"; >+ if (defined($ENV{'RELAYCLIENT'})) { >+ print SM "Subject: LOCAL USER - $tmpsubj\n"; >+ } else { >+ print SM "Subject: $tmpsubj\n"; >+ } > print SM "Message-ID: <".&uniq_id."\@$hostname>\n"; > print SM "X-Tnz-Problem-Type: 40\n"; > print SM "Auto-Submitted: auto-replied\n"; >@@ -1932,6 +2421,9 @@ > print SM "LOCALE_attention: $returnpath\n"; > } > print SM "\nLOCALE_sender_explanation\n"; >+ if (($addr_type !~ /sender/) && ($quarantine_description =~ /spam/i) && $sa_report) { >+ print SM "\nSA_REPORT hits = $sa_hits/$required_hits\n$sa_report\n\n"; >+ } > if ($destring eq "virus") { > print SM "\nLOCALE_sender_virus_content\n"; > } else { >@@ -1942,7 +2434,7 @@ > print SM "MAILFROM: $headers{'MAILFROM'}\n"; > print SM "$HEADERS\n"; > print SM "---\n"; >- if ($addr_type ne "sender" ) { >+ if ($addr_type !~ /sender/) { > print SM "\nLOCALE_sender_quarantine\n"; > } > close(SM); >@@ -2035,6 +2527,7 @@ > } else { > if ($MAYBEZIP =~ /skipping:.*password/) { > &debug ("u_f: it is a password-protected zip file"); >+ &minidebug ("u_f: it is a password-protected zip file"); > $passwd_protected_zip++; > $CRYPTO_TYPE="CR:ZIP(encrypted)"; > } else { 
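Review bot: In `@@ -1815,22 +2299,22 @@`, the size branch tests `$size` (`} elsif ($size =~ /^[0-9]+$/) {`) although the value split out of the DB entry a few lines earlier is `$type`, and nothing in the hunk assigns `$size`. As written, the `"$type bytes"` label is applied only if an unrelated `$size` happens to be numeric; the test should very likely be on `$type`. The line is carried over unchanged apart from indentation, so either fix it here or add a comment saying why `$size` is intended.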
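Review bot: In `@@ -1879,25 +2363,26 @@`, the rewritten admin-notification condition puts three notify modes and two separate uses of `defined($ENV{'RELAYCLIENT'})` on one line, and for `nmlvadm` the RELAYCLIENT alternative sits outside the `policy|perlscan` and `!~ /virus/i` tests, so a virus event from a relay client now notifies the admin as well. If that is the intent (the CHANGELOG says blocked mail from a local user is notified to the admin even with `nmladm` or `nmlvadm`), state it in a comment above the `if`, and evaluate the RELAYCLIENT and unreplyable-sender checks once into named variables so each mode's rule can be read on its own line. The `&minidebug` call is also added only to the `psender` branch, not to the `sender` branch beside it.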
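Review bot: In `@@ -1907,7 +2392,11 @@`, the added `print SM "Subject: LOCAL USER - $tmpsubj\n";` hard-codes an English prefix in front of a subject that is built from the `LOCALE_sender_subject` placeholder. Use a `LOCALE_` placeholder for the prefix as well so localized installs get a consistent subject line; the CHANGELOG already notes that this string needs localizing.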
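Review bot: In `@@ -1942,7 +2434,7 @@`, `$addr_type !~ /sender/` is an unanchored substring test, so any later address type whose name merely contains `sender` would also suppress the `LOCALE_sender_quarantine` text. The only values tested in `@@ -1879,25 +2363,26 @@` are `sender` and `psender`; anchor the pattern, for example `$addr_type !~ /^p?sender$/`, and use the same form in the `SA_REPORT` condition added in `@@ -1932,6 +2421,9 @@`.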
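Review bot: In `@@ -2035,6 +2527,7 @@`, the added `&minidebug ("u_f: it is a password-protected zip file");` repeats the string literal of the `&debug` call directly above it, as do the other `&minidebug` additions in this patch (`@@ -1733,6 +2216,7 @@`, `@@ -1879,25 +2363,26 @@`, `@@ -2122,9 +2619,11 @@`). Two copies of every message will drift apart over time; a small wrapper that takes the message once and passes it to both loggers would keep them in step.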
>@@ -2044,67 +2537,71 @@ > #Quarantine it! > $quarantine_description="Disallowed password-protected zip files ($zipfile) - potential virus"; > &debug("u_f: $quarantine_description"); >+ &minidebug("u_f: $quarantine_description"); >+ &eventlog("UNZIP:PASSWORD_PROTECTED"); > $destring='problem'; > $quarantine_event="Policy:Passwd_ZIP"; > $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$zipfile"; > } else { > if ($force_unzip) { >- &debug ("u_f: check size of contents before exploding to disk"); >- my $CHECK_ZIP_SIZE=`$unzip_binary $unzip_options -lv $ENV{'TMPDIR'}/$zipfile 2>&1`; >- open(ZIPPED,"$unzip_binary $unzip_options -lv $ENV{'TMPDIR'}/$zipfile 2>&1|")||&error_condition("u_f: cannot open $ENV{'TMPDIR'}/$zipfile - $!"); >- my $zip_file_size=0; >- while (<ZIPPED>) { >- $zip_file_size=$1 if (/^\s+([0-9]+)\s+/); >- } >- close ZIPPED ; >- &debug("u_f: this zip file unpacks to $zip_file_size bytes of content"); >- if ($max_zip_size > 0 && $max_zip_size < $zip_file_size) { >- $quarantine_description="Disallowed zip file ($zipfile) - content exceeds maximum allowed size"; >- &debug("u_f: $quarantine_description"); >- $destring='problem'; >- $quarantine_event="Policy:Oversized_ZIP"; >- $quarantine_DOS=$quarantine_event; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$zipfile"; >- } >- &debug("u_f: run $unzip_binary $unzip_options $ENV{'TMPDIR'}/$zipfile 2>&1"); >- open(ZIPPED,"$unzip_binary $unzip_options $ENV{'TMPDIR'}/$zipfile 2>&1|")||&error_condition("u_f: cannot open $ENV{'TMPDIR'}/$zipfile - $!"); >- while (<ZIPPED>) { >- if (/^\s+\w+:\s+(.*)$/) { >- ($ztmp=$1)=~s/^.*\///g; >- #Grrr, I don't know if this'll be exploited, but I have to remove the whitespace... 
>- #$ztmp=~s/\s+$//g; >- #if ($ztmp ne "" && !grep(/^${ztmp}$/,@zipfile_list)) { >- #&debug("u_f: adding file \"$ztmp\" to list of zipped files"); >- #push(@zipfile_list, $ztmp); >- #} >- } >- if (/^\s+skipping:\s(.*)\s+(shrink|encrypted|incorrect password)/) { >- $passwd_protected_zip++ if (!/^\s+skipping:\s(.*)\s+shrink/); >- #grab these protected filenames for reports anyway. >- $zfile = $1; >- $zfile =~ s/^.*\///g; >- $zfile =~ s/(^\s+|\s+$)//g; >- #$file_desc .= "$zfile:$zsize\t"; >- } >- } >- close(ZIPPED); >- $zip_status=($? >> 8); >- if ($zip_status > 0 && ($zip_status !~ /^(1|2|3|51|81|82)$/ && !$passwd_protected_zip)) { >- &error_condition("u_f: cannot close unzip (error code: $zip_status,$passwd_protected_zip) - $!"); >- } >+ &debug ("u_f: check size of contents before exploding to disk"); >+ my $CHECK_ZIP_SIZE=`$unzip_binary $unzip_options -lv $ENV{'TMPDIR'}/$zipfile 2>&1`; >+ open(ZIPPED,"$unzip_binary $unzip_options -lv $ENV{'TMPDIR'}/$zipfile 2>&1|")||&error_condition("u_f: cannot open $ENV{'TMPDIR'}/$zipfile - $!"); >+ my $zip_file_size=0; >+ while (<ZIPPED>) { >+ $zip_file_size=$1 if (/^\s+([0-9]+)\s+/); >+ } >+ close ZIPPED ; >+ &debug("u_f: this zip file unpacks to $zip_file_size bytes of content"); >+ if ($max_zip_size > 0 && $max_zip_size < $zip_file_size) { >+ $quarantine_description="Disallowed zip file ($zipfile) - content exceeds maximum allowed size"; >+ &debug("u_f: $quarantine_description"); >+ &minidebug("u_f: $quarantine_description"); >+ $destring='problem'; >+ $quarantine_event="Policy:Oversized_ZIP"; >+ $quarantine_DOS=$quarantine_event; >+ $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$zipfile"; >+ return; # st: Maybe a return here is a good idea or maybe not >+ } >+ &debug("u_f: run $unzip_binary $unzip_options $ENV{'TMPDIR'}/$zipfile 2>&1"); >+ open(ZIPPED,"$unzip_binary $unzip_options $ENV{'TMPDIR'}/$zipfile 2>&1|")||&error_condition("u_f: cannot open 
$ENV{'TMPDIR'}/$zipfile - $!"); >+ while (<ZIPPED>) { >+ if (/^\s+\w+:\s+(.*)$/) { >+ ($ztmp=$1)=~s/^.*\///g; >+ #Grrr, I don't know if this'll be exploited, but I have to remove the whitespace... >+ #$ztmp=~s/\s+$//g; >+ #if ($ztmp ne "" && !grep(/^${ztmp}$/,@zipfile_list)) { >+ #&debug("u_f: adding file \"$ztmp\" to list of zipped files"); >+ #push(@zipfile_list, $ztmp); >+ #} >+ } >+ if (/^\s+skipping:\s(.*)\s+(shrink|encrypted|incorrect password)/) { >+ $passwd_protected_zip++ if (!/^\s+skipping:\s(.*)\s+shrink/); >+ #grab these protected filenames for reports anyway. >+ $zfile = $1; >+ $zfile =~ s/^.*\///g; >+ $zfile =~ s/(^\s+|\s+$)//g; >+ #$file_desc .= "$zfile:$zsize\t"; >+ } >+ } >+ close(ZIPPED); >+ $zip_status=($? >> 8); >+ if ($zip_status > 0 && ($zip_status !~ /^(1|2|3|51|81|82)$/ && !$passwd_protected_zip)) { >+ &error_condition("u_f: cannot close unzip (error code: $zip_status,$passwd_protected_zip) - $!"); >+ } > } > } > #Only delete original zip file if it happily unpacked. > if ( $zip_status eq 0 && -f "$ENV{'TMPDIR'}/$zipfile") { >- #system $rm_binary,"-f","$ENV{'TMPDIR'}/$zipfile"; >- &debug("u_f: $zip_status, and successfully unzipped"); >- #It may have been deleted, but you still want to see if >- #it matches the perlscanner DB... >- #$zipfile=tolower($zipfile); >- #push(@zipfile_list, $zipfile) if (!grep(/^$zipfile$/,@zipfile_list)); >- my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$zsize,$atime,$mtime,$ctime,$blksize,$blocks); >- ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$zsize,$atime,$mtime,$ctime,$blksize,$blocks) = stat("$zipfile"); >- $file_desc .= "$zipfile:$zsize\t"; >+ #system $rm_binary,"-f","$ENV{'TMPDIR'}/$zipfile"; >+ &debug("u_f: $zip_status, and successfully unzipped"); >+ #It may have been deleted, but you still want to see if >+ #it matches the perlscanner DB... 
>+ #$zipfile=tolower($zipfile); >+ #push(@zipfile_list, $zipfile) if (!grep(/^$zipfile$/,@zipfile_list)); >+ my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$zsize,$atime,$mtime,$ctime,$blksize,$blocks); >+ ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$zsize,$atime,$mtime,$ctime,$blksize,$blocks) = stat("$zipfile"); >+ $file_desc .= "$zipfile:$zsize\t"; > } > } > } >@@ -2122,9 +2619,11 @@ > #&debug("q_s_c: PPID=$ppid"); > if ($ppid == 1) { > &debug("q_s_c: Whoa! parent process is dead! (ppid=$ppid) Better die too..."); >- close(LOG); >+ &minidebug("q_s_c: Whoa! parent process is dead! (ppid=$ppid) Better die too..."); > &cleanup; >+ &close_log; > #Exit with temp error anyway - just to be real anal... > exit 111; > } > } >+ >diff -Naur qmail-scanner-1.25-DISTRO/qmail-scanner-queue.template.orig qmail-scanner-1.25-st-qms-20050219/qmail-scanner-queue.template.orig >--- qmail-scanner-1.25-DISTRO/qmail-scanner-queue.template.orig 2004-12-08 17:12:01.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/qmail-scanner-queue.template.orig 1969-12-31 18:00:00.000000000 -0600 
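Review bot: In `@@ -2044,67 +2537,71 @@`, the added `return; # st: Maybe a return here is a good idea or maybe not` leaves the decision open in the code. Returning is the safer choice: in the removed version the oversized-archive branch sets `Policy:Oversized_ZIP` and then still falls through to `$unzip_binary $unzip_options $ENV{'TMPDIR'}/$zipfile`, unpacking the content the size check has just rejected. Replace the comment with the reason for the early return and confirm that the caller acts on `$quarantine_event` when this sub returns early. In the same hunk the `-lv` listing is run twice (once into `$CHECK_ZIP_SIZE`, which is not read in the lines shown, and once through `open(ZIPPED,...)`), and both commands interpolate `$zipfile` into a shell string; drop the unused backtick call and pass the file name as a separate argument (a forking open followed by `exec` with a list) so the name is never parsed by the shell.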
>@@ -1,2122 +0,0 @@ >-#!SUIDPERL -T >-# >-# File: qmail-scanner-queue.pl >-# Version: 1.24 >-# >-# Author: Jason L. Haar <jhaar@users.sourceforge.net> >-# >-# This file was auto-generated by: >-# >-# CMDLINE >-# >-# Description: This is a replacement/add-on for Qmail 1.0.3's qmail-queue. >-# It can call several blocking programs - such as virus scanners - on every >-# SMTP-received Email message, checking for viruses and blocked filenames, >-# only allowing the message to continue if it passes the tests. >-# >-# Copyright (C) 1999,2000,2001 the people mentioned above >-# >-# This program is free software; you can redistribute it and/or modify >-# it under the terms of the GNU General Public License as published by >-# the Free Software Foundation; either version 1, or (at your option) >-# any later version. See <URL:http://www.gnu.org/copyleft/gpl.html> >-# for a copy. >-# >-# This program is distributed in the hope that it will be useful, >-# but WITHOUT ANY WARRANTY; without even the implied warranty of >-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >-# GNU General Public License for more details. >-# >-# The software is provided as is. Please bear in mind that we have >-# done this in my spare time. While it is as accurate as we could >-# make it there is a reasonable chance that there are mistakes >-# somewhere in here. If you email me and tell me about them, I will >-# be happy to fix them but I can't take responsibility for your system. >-# Basically use this at your own risk. 
>-# >-##################################################################### >- >-##################################################################### >-## >-## Required Packages >-## >-## Qmail-1.03 >-## Perl 5.005_03+ >-## Maildrop-0.73 >-## Bruce Guenter's QMAILQUEUE patch <URL:http://www.qmail.org/qmailqueue-patch> >-## Perl module Time::HiRes and DB_File >-## >-## >-## So-far tested Virus scanners: >-## Trend's Virus scanner for Linux >-## MacAfee's (NAI's) virus scanner for Linux >-## Sophos's virus scanner for Linux >-## H+BEDV's antivir scanner for Linux >-## F-Secure's fsav scanner for Linux >-## P-Prot for Linux >-## Sophie (daemonized Sophos scanner) >-## Trophie (daemonized Trend scanner) >-## ...and more - see README for full list >-## >-##################################################################### >- >-##################################################################### >-## >-## Site-specific config >-## >-##################################################################### >- >- >-delete @ENV{qw(IFS CDPATH ENV BASH_ENV QMAILMFTFILE QMAILINJECT)}; >- >-use strict 'vars', 'subs'; >- >-#Set locale to "C" (English). That way any string checks on forked apps >-#will tend to be in English - simplifying/standardizing regex matches >-my $orig_locale=$ENV{'LC_ALL'}; >-$ENV{'LC_ALL'}= $ENV{'LANG'} = $ENV{'LANGUAGE'} = 'C'; >-POSIX::setlocale(&POSIX::LC_ALL,'C'); >- >-use Sys::Syslog qw(:DEFAULT setlogsock); >-setlogsock('unix'); >- >-my $VERSION="1.24"; >- >-#Mail header to add to each scanned message to report stuff in... >-#Default is to not generate them ($descriptive_hdrs = 0) - as that >-#info is also in the Received: headers... 
>-my $descriptive_hdrs=DESCRIPTIVE_HEADERS; >-my $V_HEADER="X-Qmail-Scanner"; >-my($qsmsgid); >-$qsmsgid=tolower("$V_HEADER-message-id"); >- >- >-#From: line information used when making reports >-my $V_FROM='USERNAME@MAILDOMAIN'; >-my $V_FROMNAME='System Anti-Virus Administrator'; >- >-# Address carbon-copied on any virus reports >-my $QUARANTINE_CC='USERNAME@MAILDOMAIN'; >- >-#Array of local domains that are checked against for >-#deciding whether or not to send recipient alerts to >-my @local_domains_array=(LOCAL_DOMAINS_ARRAY); >- >-# Array of virus that we don't want to inform the sender of. >-my @silent_viruses_array=(SILENT_VIRUSES_ARRAY); >- >- >-#Array of virus scanners used must point to subroutines >-my @scanner_array=(SCANNER_ARRAY); >- >-#Addresses that should be alerted of any quarantined Email >-my $NOTIFY_ADDRS='NOTIFY_ADDRESSES'; >- >-#Try to fix bad MIME messages before passing to MIME unpacker >-my $BAD_MIME_CHECKS='FIX_MIME'; >- >-#Block password protected zip files >-my $BLOCK_PASSWORD_PROTECTED_ARCHIVES='QUARANTINE_PASSWORD_PROTECTED'; >- >-#Disable just the EOL char check instead of all of BAD_MIME_CHECKS >-my $IGNORE_EOL_CHECK='DISABLE_EOL_CHECK'; >- >-# The full path to qmail programs we'll need. >-my $qmailinject = 'QMAILINJECT_BIN'; >-my $qmailqueue = 'QMAILQUEUE_BIN'; >- >-# What directory to use for storing temporary files. 
>-my $scandir = 'AS_QQ'; >- >-#What maildir folder to store working files in >-my $wmaildir='working'; >- >-#What maildir folder to store failed messages in (for cronjob scan) >-my $fmaildir='failed'; >- >-#What maildir folder to store quarantine in >-my $vmaildir='quarantine'; >- >- >-#What maildir folder to archive received Email in instead of deleting >-my $archiveit='ARCHIVEIT'; >-my $archivedir='ARCHIVEDIR'; >- >-#Name of file in $scandir where debugging output goes >-my $debuglog="qmail-queue.log"; >- >-#Name of file where quarantine reports go (for long-term storage) >-my $quarantinelog="quarantine.log"; >- >-#Generate nice random filename >-my ($sysname, $hostname, $release, $version, $machine) = uname(); >-#my $hostname='FQDN'; #could get via call I suppose... >- >-#If you trust the virus scanners handling of mbox format itself >-#you may want to let it have a go at the "raw" message, and original >-#zip files if present >-my $redundant_scanning='REDUNDANT'; >- >-#If you want to log via file/syslog information of all Email >-# that passes through your system (from/to/subj/size/attachments) >-my $log_details="LOG_DETAILS"; >- >-#If you'd like Q-S to report which messages are PGP or S/MIME, >-#turn this on >-my $log_crypto="LOG_CRYPTO"; >- >-#Full path to file in which virus-scanner versioning info is kept >-my $versionfile="$scandir/qmail-scanner-queue-version.txt"; >- >-#DB file (without extension) where bad filenames are kept. >-# You edit $db_filename.txt, and "qmail-scanner-queue.pl -g" generates $db_filename.db >-my $db_filename="$scandir/quarantine-attachments"; >- >-my $MAX_NUM_UNPACKED_FILES=10000; #10,000 is stupidly high. 
This rule exists but is never >- #expected to trigger normally >- >-#What locale is used on this system >-#$sys_locale="LOCALE"; >- >-#Full paths to binaries used within this script follow - small performance >-#improvement :-) >- >- >-my $mimeunpacker_binary='MIMEUNPACKER'; >-my $unzip_binary='UNZIP_BINARY'; >-my $unzip_options='UNZIP_OPTIONS'; >-my $max_zip_size='MAX_ZIP_SIZE'; >-my $tnef_binary='TNEF_BINARY'; >-my $rm_binary='RM_BINARY'; >-my $grep_binary='GREP_BINARY'; >-my $find_binary='FIND'; >-my $uudecode_binary='UUDECODE_BINARY'; >-my $uudecode_pipe='UUDECODE_PIPE'; >- >- >-my $uvscan_binary='UVSCAN'; >-my $csav_binary='CSAV'; >-my $nod32_binary='NOD32'; >-my $nod32upd_binary='UPDNOD'; >-my $sweep_binary='SWEEP'; >-my $sophie_binary='SOPHIE'; >-my $trophie_binary='TROPHIE'; >-my $iscan_binary='ISCAN'; >-my $hbedv_binary='HBEDV'; >-my $hbedv_options='HBEDV_OPTIONS'; >-my $avp_binary='AVPSCAN'; >-my $avpdaemon_binary='AVPDAEMON'; >-my $fprot_binary='FPROT'; >-my $fsecure_binary='FSECURE'; >-my $inocucmd_binary='INOCUCMD'; >-my $ravlin_binary='RAVLIN'; >-my $vexira_binary='VEXIRA'; >-my $bitdefender_binary='BITDEFENDER'; >-my $clamscan_binary='CLAMSCAN'; >-my $clamscan_options="-r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=100000"; >-my $clamdscan_binary='CLAMDSCAN'; >-my $clamdscan_options="--no-summary"; >-my $spamc_binary='SPAMC_BINARY'; >-my $spamc_options='SPAMC_OPTIONS'; >-my $spamc_subject='SPAMC_SUBJECT'; >-my $spamassassin_binary='SPAMASSASSIN_BINARY'; >-my ($sa_comment,$sa_level); >-my $sa_symbol='+'; >-my ($tag_score)=""; >-my $SNEAKY_WINDOWS_EXTENSIONS="exe|com|pps|w[pm][szd]|vcf|nws|cmd|bat|pif|sc[rt]|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|cil|cpl"; >-my $VALID_WINDOWS_EXTENSIONS="sav|htm|html|pst|ost|txt|gif|jpeg|mpeg|jpg|png|mny|wav|tif|$SNEAKY_WINDOWS_EXTENSIONS"; >- >-$ENV{'PATH'}='/bin:/usr/bin'; >- >-my $SCANINFO=''; >- 
>-my $MAX_FILE_LENGTH=100; >-my $MAX_NUM_HDRS=140; >-my $QE_LEN=20; >- >-#Maximum amount of time we allow Q-S to run before returning >-# a temp failure. This is so remote SMTP servers don't get confused >-# over whether or not they have delivered to a SMTP server >-# that's refused to say "OK" for over an hour... >-# We'll default to 20 minutes. If the scanner loop takes more than 20 >-# minutes to scan the message, then something *must* be wrong with the >-# scanner. >-my $MAXTIME=20*60; >- >-#Finally, are you sure your virus scanners can unpack zip files? >-#McAfee's doesn't! >-my $force_unzip=FORCE_UNZIP; >- >-#Descriptive string to use in generated Email >-my $destring="virus"; >- >-##################################################################### >-## >-## End of site-specific settings >-## >-##################################################################### >- >- >- >-#Want debugging? Enable this and read $scandir/qmail-queue.log >-my $DEBUG='DEBUG_LEVEL'; >- >-my @uufile_list = (); >-my @attachment_list = (); >-my @zipfile_list = (); >- >-#Want microsec times for debugging >-use Time::HiRes qw( usleep ualarm gettimeofday tv_interval ); >-use POSIX; >- >-use vars qw/ $opt_v $opt_h $opt_g $opt_r $opt_z/; >- >-use Getopt::Std; >- >-#my ($opt_v,$opt_h,$opt_g,$opt_r,$opt_z); >- >-getopts('vhgrz'); >- >-my ($start_time,$last_time); >-$start_time = $last_time = [gettimeofday]; >- >-(my $prog=$0) =~ s/^.*\///g; >- >-if ( $opt_h ) { >- print " >- >-$prog >- >- -h - This help >- -v - show details about this install. >- Please include in any bug reports. >- -z - gather virus scanner/DAT versions >- and cleanup old temp files >- -g - generate perlscanner database >- -r - read from perlscanner database\n"; >- exit; >-} >- >- >-if ( $opt_g || $opt_r) { >- &generate_quarantine_db; >- exit 0; >-} >- >-if ( $opt_v ) { >- &show_version; >- exit 0; >-} >- >-chdir($scandir); >-umask(0077); >- >-if (! 
-d "$scandir/tmp") { >- mkdir("$scandir/tmp",0700) || &error_condition("cannot create $scandir/tmp - $!"); >-} >- >-my ($quarantine_event,$quarantine_event_tmp,$quarantine_DOS)=0; >- >-my $file_id = &uniq_id(); >- >-#For security reasons, tighten the follow vars... >-$ENV{'SHELL'} = '/bin/sh' if exists $ENV{SHELL}; >-$ENV{'TMP'} = $ENV{'TMPDIR'} = "$scandir/tmp/$file_id"; >-#$ENV{'QMAILSUSER'} = $ENV{'QMAILSHOST'} = ''; >- >- >- >-if ($mimeunpacker_binary =~ /reformime/) { >- $mimeunpacker_binary .= " -x$ENV{'TMPDIR'}/"; >-} elsif ($mimeunpacker_binary =~ /ripmime/) { >- $mimeunpacker_binary .= " --unique_names -i - -d $ENV{'TMPDIR'}/"; >-} >- >- >-#Get current timestamp for logs >-my ($sec,$min,$hour,$mday,$mon,$year,$nowtime); >-($sec,$min,$hour,$mday,$mon,$year) = localtime(time); >-#my $nowtime = sprintf "%02d/%02d/%02d %02d:%02d:%02d", $mday, $mon+1, $year+1900, $hour, $min, $sec; >-#my $nowtime = strftime("%a, %d %b %Y %H:%M:%S %Z", localtime(time)); >-my ($smtp_sender,$remote_smtp_ip,$real_uid,$effective_uid); >- >-$real_uid=$<; >-$effective_uid=$>; >- >-if ($DEBUG ) { >- open(LOG,">>$scandir/$debuglog"); >- select(LOG);$|=1; >- &debug("+++ starting debugging for process $$ by uid=$real_uid"); >-} >- >-&debug("setting UID to EUID so subprocesses can access files generated by this script"); >-$< = $>; # set real to effective uid >-#$( = $); # set real to effective gid >- >-&debug("program name is $prog, version $VERSION"); >-if ($opt_z) { >- &scan_queue; >- exit 0; >-} >- >- >-&scanner_info; >- >- >-if ($ENV{'TCPREMOTEIP'}) { >- $smtp_sender="via SMTP from $ENV{'TCPREMOTEIP'}"; >- $remote_smtp_ip=$ENV{'TCPREMOTEIP'}; >- $tag_score.="RC:1($remote_smtp_ip):" if (defined($ENV{'RELAYCLIENT'})); >- &debug("incoming SMTP connection from $smtp_sender"); >- #system("/usr/bin/printenv > /tmp/qmail-scanner.env"); >-} else { >- $smtp_sender="via local process $$"; >- $remote_smtp_ip='127.0.0.1'; >- $tag_score.="RC:1($remote_smtp_ip):"; #Always would be relayed >- 
&debug("incoming pipe connection from $smtp_sender"); >-} >-$tag_score.="RC:0($remote_smtp_ip):" if ($tag_score !~ /RC:1/); >- >-my (%headers ); >-my ($CRYPTO_TYPE,$altered_subject, $HEADERS, $env_returnpath, $returnpath); >-my ($ATTACHMENT, %BOUNDARY,$BOUNDARY_REGEX,$attachment_header,$attachment_value,%attach_hdrs,%content_type); >-my ($ct_attachment_filename,$cd_attachment_filename); >-my ($env_recips, $recips, $trecips, $recip, $one_recip); >-my ($alarm_status,$elapsed_time,$msg_size,$file_desc); >-my ($description,$quarantine_description,$illegal_mime); >-my $skip_text_msgs=SKIP_TEXT_MSGS; >-my $plain_text_msg=0; >-my $indicates_attachments=0; >-my $xstatus=0; >-my $attachment_counter=0; >- >-&working_copy; >- >-#Now alarm this area so that hung networks/virus scanners don't cause >-#double-delivery... >- >-eval { >- $SIG{ALRM} = sub { die "Maximum time exceeded. Something cannot handle this message." }; >- alarm $MAXTIME; >- >- &deconstruct_msg; #JLH if (!$quarantine_event); >- >- >- #Now unset env var QMAILQUEUE so any further Email's sent don't >- #go through the Qmail-Scanner again >- &debug("unsetting QMAILQUEUE env var"); >- delete $ENV{'QMAILQUEUE'}; >- >- #This SMTP session is incomplete until we see dem envelope headers! >- &grab_envelope_hdrs; >- &debug("from=$headers{'from'},subj=$headers{'subject'}, $qsmsgid=$headers{$qsmsgid} $smtp_sender"); >- >- #Add envelope details to headers array so that they can be matched within >- #perlscanner. >- #Note how they're uppercase cf the message headers which are all forced >- #lowercased. This is to ensure no-one can override them... 
>- >- $headers{'MAILFROM'}=$returnpath; >- $headers{'RCPTTO'}=$recips; >- $headers{'TCPREMOTEIP'}=$remote_smtp_ip; >- >- if ( ($BAD_MIME_CHECKS > 1 && $headers{'mime-version'} eq "") || ($headers{'mime-version'} ne "" && $headers{'content-type'} =~ /^text\/plain/i)) { >- #Hmm, doesn't look nice, but it feels better to make this a separate check for some reason >- if ($skip_text_msgs && ($indicates_attachments < 2) && !@uufile_list && !@attachment_list) { >- &debug("This is a PLAIN text message (because it's either not mime, or is text/plain), skip virus scanners - but not SA"); >- $plain_text_msg=1; >- } >- } >- >- #Now, start the scanners! >- #if (!$quarantine_event) { >- &init_scanners; >- #} >- if ($quarantine_event) { >- &debug("unsetting TCPREMOTEIP env var"); >- delete $ENV{'TCPREMOTEIP'}; >- #Reset locale back to original >- $ENV{'LC_ALL'}=$orig_locale; >- &email_quarantine_report; >- } else { >- &qmail_parent_check; >- &qmail_requeue($env_returnpath,$env_recips,"$scandir/$wmaildir/new/$file_id"); >- } >- alarm 0; >-}; >- >-$alarm_status=$@; >-if ($alarm_status and $alarm_status ne "" ) { >- if ($alarm_status eq "Maximum time exceeded. Something cannot handle this message.") { >- &error_condition("ALARM: taking longer than $MAXTIME secs. Requeuing..."); >- } else { >- &error_condition("Requeuing: $alarm_status"); >- } >-} >- >- >-#Msg has been delivered now, so don't want hangs in this part >-#to affect delivery >- >-if ($log_details) { >- $tag_score .= "$CRYPTO_TYPE:" if ($log_crypto && $CRYPTO_TYPE ne ""); >- $tag_score=":$tag_score" if ($tag_score ne ""); >- if ($trecips =~ /\0T/) { >- for $recip (split(/\0T/,$trecips)) { >- &log_msg("qmail-scanner",($quarantine_event ne "0" ? "$quarantine_event$tag_score" : "Clear$tag_score"),$elapsed_time,$msg_size,$returnpath,$recip,$headers{'subject'},$headers{$qsmsgid},$file_desc) if ($recip ne ""); >- } >- } else { >- #Only one recip >- &log_msg("qmail-scanner",($quarantine_event ne "0" ? 
"$quarantine_event$tag_score" : "Clear$tag_score"),$elapsed_time,$msg_size,$returnpath,$recips,$headers{'subject'},$headers{$qsmsgid},$file_desc); >- } >-} >-&cleanup; >- >-($sec,$min,$hour,$mday,$mon,$year) = localtime(time); >-#$nowtime = sprintf "%02d/%02d/%02d %02d:%02d:%02d", $mday, $mon+1, $year+1900, $hour, $min, $sec; >- >-&debug("all finished. Total of ",tv_interval ($start_time, [gettimeofday])," secs"); >-exit 0; >- >-############################################################################ >-# Error handling >-############################################################################ >- >-#Generate uniq identifiers >-sub uniq_id { >- return "$hostname" . time . __LINE__ . $$; >-} >- >- >-# Fail with the given message and a temporary failure code. >-sub error_condition { >- my ($string,$errcode)=@_; >- $errcode=111 if (!$errcode); >- eval { >- syslog('mail|err',"$V_HEADER-$VERSION:[$file_id] $string"); >- }; >- if ($@) { >- setlogsock('inet'); >- syslog('mail|err',"$V_HEADER-$VERSION:[$file_id] $string"); >- } >- if ($log_details ne "syslog") { >- warn "$V_HEADER-$VERSION:[$file_id] $string\n"; >- } >- #$nowtime = sprintf "%02d/%02d/%02d %02d:%02d:%02d", $mday, $mon+1, $year+1900, $hour, $min, $sec; >- &debug("error_condition: $V_HEADER-$VERSION: $string"); >- close(LOG); >- &cleanup; >- exit $errcode; >-} >- >-sub debug { >- my $dnowtime = strftime("%a, %d %b %Y %H:%M:%S %Z", localtime(time)); >- print LOG "$dnowtime:$$: ",@_,"\n" if ($DEBUG); >-} >- >-sub working_copy { >- my ($hdr,$last_hdr,$value,$num_of_headers,$last_header,$last_value,$attachment_filename); >- select(STDIN); $|=1; >- >- &debug("w_c: mkdir $ENV{'TMPDIR'}"); >- mkdir("$ENV{'TMPDIR'}",0700)||&error_condition("$ENV{'TMPDIR'} exists - try again later..."); >- chdir("$ENV{'TMPDIR'}")||&error_condition("cannot chdir to $ENV{'TMPDIR'}/"); >- if (-f "$scandir/$wmaildir/tmp/$file_id" || -f "$scandir/$wmaildir/new/$file_id") { >- &error_condition("$file_id exists, try again later"); >- } 
>- &debug("w_c: start dumping incoming msg into $scandir/$wmaildir/tmp/$file_id [",&deltatime,"]"); >- open(TMPFILE,">$scandir/$wmaildir/tmp/$file_id")||&error_condition("cannot write to $scandir/$wmaildir/tmp/$file_id - $!"); >- >- my $still_headers=1; >- my $begin_content=''; >- my $still_attachment=''; >- while (<STDIN>) { >- if ($still_headers) { >- $HEADERS .= $_; >- #Catch any naughty illegal header chars here >- if ($BAD_MIME_CHECKS && !$IGNORE_EOL_CHECK && /\r|\0/) { >- $illegal_mime=1; >- &debug("w_c: found CRL/NULL in header - invalid if this is a MIME message"); >- } >- #Put headers into array >- if (/^\s+(.*)$/ && $last_hdr) { >- #Hmmm, a continuation... >- $headers{$last_hdr} .= $1 if (!$illegal_mime); >- } elsif (/^([^\s]+)/) { >- #This means it's not a continuation header >- if (!$quarantine_event && $BAD_MIME_CHECKS && ($headers{'mime-version'} ne "") && !/^([^\s]+):(.*)$/) { >- #Wow - a header (not header+value) that goes onto another line - not likely! >- $illegal_mime=1; >- $destring='problem'; >- $quarantine_description="Disallowed breakage found in header name - potential virus"; >- $quarantine_event="Policy:Bad_MIME_Break"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- &debug("w_c: disallowed breakage found in header name ($_) - potential virus"); >- #next; >- } else { >- /^([^\s]+):(.*)$/; >- $hdr=$1; >- $last_hdr=tolower($hdr); >- $value=$2; >- $value =~ s/^\s//; >- if (!$quarantine_event && $BAD_MIME_CHECKS && $hdr =~ /^[^X].*\(/i) { >- #Wow - a comment *inside* a standard header name. Only viruses are known to do that >- #Should we test for [^0-9a-z\_\-\=\+] instead? 
>- $illegal_mime=1; >- $destring='problem'; >- $quarantine_description='Disallowed MIME comment found in header name - potential virus'; >- $quarantine_event="Policy:Bad_MIME_Comment"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- &debug("w_c: $quarantine_description"); >- } >- $num_of_headers++; >- } >- #Don't let this array grow without bounds... >- if ($num_of_headers < $MAX_NUM_HDRS) { >- if ($hdr =~ /^to|cc/i && $headers{tolower($hdr)}) { >- #Special-case the To: and Cc: headers. >- #Broken mailers generate messages with multiple >- #instances of these, so merge them into one... >- $headers{tolower($hdr)} .= ",$value"; >- } elsif ($hdr =~ /^(from|x-mail|User-Agent|Organi|Received|Message-ID|Subject)/i && $headers{tolower($hdr)}) { >- #Make sure any multiples of these headers are remembered, so that >- #perlscanner checks can see all instances - just wrap em up >- #into one long line >- $headers{tolower($hdr)} .= " $value"; >- } elsif (!$quarantine_event && $BAD_MIME_CHECKS > 1 && (($headers{'mime-version'} ne "" && tolower($hdr) eq "mime-version") || ($headers{'content-type'} ne "" && tolower($hdr) eq "content-type") || ($headers{'content-transfer-encoding'} ne "" && tolower($hdr) eq "content-transfer-encoding") || ($headers{'content-disposition'} ne "" && tolower($hdr) eq "content-disposition"))) { >- #Why would a legit message have important MIME headers defined >1 time? It could imply someone is trying to sneak >- #something past SMTP scanners... >- #To much parsing needs to be done to do this correctly - stuff 'em - break the sucker ;-/ >- &debug("Duplicate MIME headers found [$hdr] - renaming"); >- print TMPFILE "$V_HEADER-$VERSION: renamed duplicate MIME headers\n"; >- $_="$V_HEADER-Renamed-$_"; >- } else { >- #All other headers: the last occurance wins! 
>- $headers{tolower($hdr)}=$value; >- } >- } >- } >- if (/^(\r|\r\n|\n)$/) { >- #headers have finished >- $still_headers=0; >- #Try to workaround those nasty broken viruses that produce Content-Type without MIME-Version >- #to get around virus scanners >- if ($headers{'mime-version'} eq "") { >- #Make sure it's a MIME-style Content-type, Sun used to use Content-type for other purposes... >- if ($BAD_MIME_CHECKS && $headers{'content-type'} =~ /\//) { >- print TMPFILE "$V_HEADER-$VERSION: added fake MIME-Version header\nMIME-Version: 1.0\n"; >- $headers{'mime-version'}="1.0"; >- &debug("w_c: added fake MIME-Version header"); >- } >- } elsif ($BAD_MIME_CHECKS > 1 && $headers{'content-type'} eq "") { >- #OK, now do the same for Content-Type. RFCs state "if no Content-Type present, then it's text/plain" >- #However, Outlook chooses to read the entire message and "figures out" it's mixed/multipart, etc. >- #This'll break that - as it should. >- #I wonder if I shouldn't just block these instead, the only ones I've seen are either viruses or spam... 
>- print TMPFILE "$V_HEADER-$VERSION: added fake Content-Type header\nContent-Type: text/plain\n"; >- $headers{'content-type'}="text/plain"; >- &debug("w_c: added fake Content-Type header"); >- } >- if ( $headers{'content-type'} =~ /\// ) { >- if ( $headers{'content-type'} =~ /^(\s+|)([^\/\s\(]+)(\s+|)\/(\s+|)([^\/\s\(\;]+)/ ) { >- $content_type{$attachment_counter}="$2/$5"; >- &debug("w_c: primary Content-Type of $content_type{$attachment_counter} found"); >- if ($log_crypto) { >- if ($content_type{$attachment_counter} =~ /multipart\/signed/i) { >- $CRYPTO_TYPE="CR:SMIME(signed)" if ($CRYPTO_TYPE eq "" && $headers{'content-type'} =~ /protocol=\"application\/(x\-|)pkcs/i); >- $CRYPTO_TYPE="CR:PGP(signed)" if ($CRYPTO_TYPE eq "" && $headers{'content-type'} =~ /protocol=\"application\/(x\-|)pgp/i); >- &debug("found MIME-based crypto ($CRYPTO_TYPE)"); >- } elsif ($content_type{$attachment_counter} =~ /multipart\/encrypted/i) { >- $CRYPTO_TYPE="CR:PGP(encrypted)" if ($headers{'content-type'} =~ /protocol=\"application\/(x\-|)pgp/i); >- &debug("found MIME-based crypto ($CRYPTO_TYPE)"); >- }elsif ($content_type{$attachment_counter} =~ /application\/(x\-|)pkcs7/i) { >- $CRYPTO_TYPE="CR:SMIME(encrypted)" if ($headers{'content-type'} =~ /application\/(x\-|)pkcs7/i); >- &debug("found MIME-based crypto ($CRYPTO_TYPE)"); >- } >- } >- } else { >- $destring="problem"; >- $illegal_mime=1; >- $quarantine_description="Disallowed MIME Content-Type found - potential virus"; >- $quarantine_event="Policy:Bad_MIME_Type"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >- } >- #if ( $headers{'content-type'} =~ /boundary(\s*)=(|\s+|\s*\")([^\"\;]+)($|\;|\")/i) { >- if ( $headers{'content-type'} =~ /boundary(\s*)=(|\s+|\s*\")([^\s\"\;]+)($|\;|\")/i) { >- $BOUNDARY{$attachment_counter}=$3; >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && ($BOUNDARY{$attachment_counter} =~ /\"|\;/ || $BOUNDARY{$attachment_counter} eq "")) { >- 
&debug("w_c: RFC2046 says boundaries ($BOUNDARY{$attachment_counter}) can't contain such chars [see bcharsnospace]"); >- #$destring="problem"; >- #$illegal_mime=1; >- #$quarantine_description="Disallowed MIME boundary found - potential virus"; >- #$quarantine_event="Policy:Bad_MIME_Boundary"; >- #$description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >- #Strip off stuff after semicolon, and escape any odd chars >- $BOUNDARY{$attachment_counter} =~ s/(\"|\;).*$//g; >- #$BOUNDARY{$attachment_counter} =~ s/([^a-z0-9=\_])/\\\1/gi; >- $BOUNDARY{$attachment_counter} =~ s/(\W)/\\$1/g; >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && length($BOUNDARY{$attachment_counter}) > 250) { >- #RFC2046 says boundarys are 0-70 chars >- $destring="problem"; >- $illegal_mime=1; >- $quarantine_description="Disallowed MIME boundary length found (".length($BOUNDARY{$attachment_counter}).") - potential virus"; >- $quarantine_event="Policy:Bad_MIME_Length"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >- $BOUNDARY_REGEX=$BOUNDARY{$attachment_counter}; >- &debug("w_c: found a top-level boundary definition of $BOUNDARY{$attachment_counter}"); >- } >- if ( $headers{'content-type'} =~ /name(|\s+)=(|\s+|\s*\")([^\s\"].*)/i) { >- $ATTACHMENT=$3; >- $attachment_counter++; >- #Strip off stuff after semicolon >- $ATTACHMENT =~ s/(\"|\;).*$//g; >- &debug("w_c: found a top-level file attachment definition of $ATTACHMENT"); >- push(@attachment_list, $ATTACHMENT); >- } >- if ($headers{'message-id'} eq "" && !$headers{$qsmsgid}) { >- $headers{$qsmsgid}="<".time . __LINE__ . $$ . 
"\@$hostname>"; >- print TMPFILE "$V_HEADER-Message-ID: $headers{$qsmsgid}\n"; >- } else { >- if (!$headers{$qsmsgid}) { >- $headers{$qsmsgid}=$headers{'message-id'}; >- } >- } >- } >- } >- if (/^(\r|\r\n|\n)$/) { >- #&debug("w_c: attachment num=$attachment_counter"); >- #&debug("w_c: last attachment header: $attachment_header:$attachment_value"); >- $attach_hdrs{tolower($attachment_header)}=$attachment_value; >- if ($still_attachment ne "") { >- $still_attachment=''; >- $begin_content=$attach_hdrs{'content-transfer-encoding'}; >- } else { >- $begin_content=''; >- } >- $attachment_header=$attachment_value=''; >- #Let's see what the last MIME attachment contained >- if ($cd_attachment_filename ne "" && $ct_attachment_filename ne "" && $ct_attachment_filename ne $cd_attachment_filename) { >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1) { >- &debug("w_c: Disallowed MIME filename manipulation - potential virus"); >- $illegal_mime=1; >- $destring="problem"; >- $quarantine_description='Disallowed MIME filename manipulation - potential virus'; >- $quarantine_event="Policy:Bad_MIME_Manipulation"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message attachment: \"$ct_attachment_filename\" != \"$cd_attachment_filename\""; >- } >- } >- #$ct_attachment_filename=$cd_attachment_filename=''; >- if ($attach_hdrs{'content-type'} =~ /name(|\s+)=(|\s+|\s*\")([^\s\"].*)/i && $ATTACHMENT eq "") { >- $ATTACHMENT=$3; >- #Strip off stuff after semicolon >- $ATTACHMENT =~ s/(\"|\;).*$//g; >- $ATTACHMENT=tolower($ATTACHMENT); >- if (!grep(/^\Q$ATTACHMENT\E$/,@attachment_list)) { >- &debug("found C-T attachment filename $ATTACHMENT"); >- push(@attachment_list, $ATTACHMENT); >- } >- $ct_attachment_filename=$ATTACHMENT; >- $ATTACHMENT=''; >- #&debug("w_c: found a Content-Type attachment filename of \"$ct_attachment_filename\""); >- } >- if ($attach_hdrs{'content-disposition'} =~ /name(|\s+)=(|\s+|\s*\")([^\s\"].*)/i && $ATTACHMENT eq "") { 
>- $ATTACHMENT=$3; >- #Strip off stuff after semicolon >- $ATTACHMENT =~ s/(\"|\;).*$//g; >- $ATTACHMENT=tolower($ATTACHMENT); >- if (!grep(/^\Q$ATTACHMENT\E$/,@attachment_list)) { >- push(@attachment_list, $ATTACHMENT); >- &debug("found C-D attachment filename $ATTACHMENT"); >- } >- $cd_attachment_filename=$ATTACHMENT; >- $ATTACHMENT=''; >- #&debug("w_c: found a Content-Disposition attachment filename of \"$cd_attachment_filename\""); >- } >- if ($attach_hdrs{'content-type'} =~ /boundary(|\s+)=(|\s+|\s*\")([^\s\"].*)/i) { >- $BOUNDARY{$attachment_counter}=$3; >- #Strip off delimiters around boundary >- $BOUNDARY{$attachment_counter} =~ s/(\"|\;).*$//g; >- $BOUNDARY{$attachment_counter} =~ s/(\W)/\\$1/g; >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && length($BOUNDARY{$attachment_counter}) > 250) { >- #RFC2046 says boundarys are 0-70 chars >- $destring="problem"; >- $illegal_mime=1; >- $quarantine_description="Disallowed MIME boundary length found (".length($BOUNDARY{$attachment_counter}).") - potential virus"; >- $quarantine_event="Policy:Bad_MIME_Boundary"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >- if ( !$quarantine_event && $BAD_MIME_CHECKS > 1 && $BOUNDARY{$attachment_counter} =~ /^($BOUNDARY_REGEX)$/i) { >- &debug("w_c: hmm, a new boundary defintion that has already being set. 
Sounds like a trojan"); >- &debug("w_c: broken attachment MIME details - block it!"); >- $illegal_mime=1; >- $destring="problem"; >- $quarantine_description='Disallowed MIME boundary found in attachment - potential virus'; >- $quarantine_event="Policy:Bad_MIME_Boundary"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >- if ($BOUNDARY_REGEX ne "") { >- $BOUNDARY_REGEX.="|".$BOUNDARY{$attachment_counter}; >- } else { >- $BOUNDARY_REGEX=$BOUNDARY{$attachment_counter}; >- } >- #&debug("w_c: BOUNDARY_REGEX=$BOUNDARY_REGEX"); >- } >- if ($attach_hdrs{'content-type'} =~ /\//) { >- $attachment_filename=''; >- $attachment_filename=$cd_attachment_filename ne "" ? $cd_attachment_filename : $ct_attachment_filename; >- #&debug("w_c: just parsed attachment $attach_hdrs{'content-type'}: filename=$attachment_filename"); >- if ( $attach_hdrs{'content-type'} =~ /^(\s+|)([^\/\s\(]+)(\s+|)\/(\s+|)([^\/\s\(\;]+)/ ) { >- $content_type{$attachment_counter}="$2/$5"; >- &debug("w_c: attachment $attachment_counter: Content-Type of $content_type{$attachment_counter} found"); >- if ($attachment_filename =~ /\.(scr|pif|vbs|exe)$/i && $content_type{$attachment_counter} !~ /^(message|text|application)/i) { >- $quarantine_description="Disallowed file ($attachment_filename) assosiated with unrelated MIME type ($content_type{$attachment_counter}) - potential virus"; >- &debug("w_c: $quarantine_description"); >- $illegal_mime=1; >- $destring='problem'; >- $quarantine_event="Policy:Forged_Attachment"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in attachment $attachment_filename"; >- } >- } >- $attach_hdrs{'content-type'}=''; >- $ct_attachment_filename=$cd_attachment_filename=''; >- } >- } else { >- #&debug("line=$_"); >- } >- >- if ($still_attachment ne "") { >- #&debug("w_c: check those attachment headers ($_)"); >- if (/^([^\s]+):(|\s+)(.*)$/) { >- $last_header=$attachment_header; >- 
$last_value=$attachment_value; >- $attachment_header=$1; >- $attachment_value=$3; >- $attachment_value =~ s/^\s+//; >- if ($last_header) { >- #&debug("w_c: $last_header:$last_value"); >- $attach_hdrs{tolower($last_header)}=$last_value; >- } >- #&debug("w_c: beginning of $attachment_header, value=$attachment_value"); >- } elsif (/^\s(.+)/) { >- #&debug("w_c: line :$_: reached"); >- $attachment_value.=$1; >- } elsif (/^(\r|\r\n|\n|\s+)$/) { >- #Yeah - I should block spaces, but too many valid lists send out such junk... >- $still_attachment=''; >- } else { >- #This will catch headers that are *correctly* broken over two lines. >- #No known mailer does that, but virus writers do, so we block it. >- #Note that a lot of mailing-lists (and AV systems...) shove their trailers >- #on the bottom of messages irrespective of whether they are MIME or not - so >- #we must allow such "hacks" to slip through >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && ($BOUNDARY_REGEX ne "" && $still_attachment !~ /^\-\-($BOUNDARY_REGEX)\-\-$/) ) { >- &debug("w_c: broken attachment MIME details (still_attachment=$still_attachment, but BOUNDARY_REGEX=\"$BOUNDARY_REGEX\")- block it!"); >- $illegal_mime=1; >- $destring="problem"; >- $quarantine_description='Disallowed content found in MIME attachment - potential virus'; >- $quarantine_event="Policy:Bad_MIME_Header"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in message"; >- } >- } >- } >- if ($begin_content =~ /base64/i && !/^\s/) { >- #&debug("w_c: begin=\"$begin_content\",line=$_"); >- $begin_content=''; >- #Only looking for base64 encoded as both QP and binary appear to arrive corrupted under Outlook >- if ($_ =~ /^TV(qq|qQ|r1|pQ|pA|py|rm|rh|oF|oI|rQ|o8|ou|oA)/) { >- &debug("w_c: base64 looks like a Windows executable, filename=$attachment_filename,type=$content_type{$attachment_counter}"); >- if (!$quarantine_event && $BAD_MIME_CHECKS > 1 && $content_type{$attachment_counter} !~ 
/^application/i) { >- #As far as I'm aware, a Windows/DOS executable should always be of type "application/<something>" >- $illegal_mime=1; >- $destring="problem"; >- $quarantine_description="Disallowed executable attachment associated with \"$content_type{$attachment_counter}\" MIME type - potential virus"; >- $quarantine_event="Policy:Forged_Attachment"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in attachment \"$attachment_filename\""; >- &debug("w_c: $quarantine_description"); >- } >- } >- if ($_ =~ /^(UEsDB[AB]|UEswMFBL)/) { >- &debug("w_c: base64 looks like a zip file, filename=$attachment_filename,type=$content_type{$attachment_counter}"); >- if (!$quarantine_event && $BAD_MIME_CHECKS > 2 && $attachment_filename !~ /\.zip$/i) { >- #This is a zip file, and yet the filename doesn't end in .zip - should quarantine it! >- $illegal_mime=1; >- $destring="problem"; >- $quarantine_description="Disallowed zip attachment when not assosiated with a .zip filename - potential virus"; >- $quarantine_event="Policy:Forged_Attachment"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in attachment \"$attachment_filename\""; >- &debug("w_c: $quarantine_description"); >- } >- } >- } >- if ($BOUNDARY_REGEX ne "" && /^\-\-($BOUNDARY_REGEX)/) { >- $still_attachment=$_; >- chomp($still_attachment); >- if (/^\-\-($BOUNDARY_REGEX)\-\-.$/) { >- &debug("w_c: found end of attachment boundary, BOUNDARY_REGEX was \"$BOUNDARY_REGEX\"..."); >- my ($delete_bb)=$1; >- $delete_bb =~ s/(\W)/\\$1/g; >- $BOUNDARY_REGEX =~ s/\Q$delete_bb\E//; >- $BOUNDARY_REGEX =~ s/\|\|//; >- $BOUNDARY_REGEX =~ s/(^\||\|$)//; >- &debug("w_c: now that \"$delete_bb\" has been removed, it's \"$BOUNDARY_REGEX\"..."); >- } >- $attachment_counter++; >- #&debug("w_c: found :$BOUNDARY_REGEX: - must be attachment section $attachment_counter"); >- } >- if ($log_crypto) { >- $CRYPTO_TYPE="CR:PGP(old-signed)" if ($CRYPTO_TYPE eq "" 
&& /^\-\-\-\-\-BEGIN PGP SIGNATURE\-\-\-\-\-/); >- $CRYPTO_TYPE="CR:PGP(old-encrypted)" if (/^\-\-\-\-\-BEGIN PGP MESSAGE\-\-\-\-\-/); >- &debug("found old PGP crypto ($CRYPTO_TYPE)") if ($CRYPTO_TYPE ne ""); >- } >- &check_and_grab_attachments; >- print TMPFILE ; >- } >- close(TMPFILE)||&error_condition("cannot close $scandir/$wmaildir/tmp/$file_id - $!"); >- >- #Set the tag_score after the file as been read >- #$tag_score .= "$CRYPTO_TYPE:" if ($log_crypto && $CRYPTO_TYPE ne ""); >- $HEADERS =~ s/\r|\0//g; >- >- &debug("w_c: rename new msg from $scandir/$wmaildir/tmp/$file_id to $scandir/$wmaildir/new/$file_id [",&deltatime,"]"); >- #Not atomic but who cares about the overhead - this is the only app using this area... >- link("$scandir/$wmaildir/tmp/$file_id","$scandir/$wmaildir/new/$file_id")||&error_condition("cannot link $scandir/$wmaildir/tmp/$file_id into $scandir/$wmaildir/new/$file_id - $!"); >- unlink("$scandir/$wmaildir/tmp/$file_id")||&error_condition("cannot delete $scandir/$wmaildir/tmp/$file_id - $!"); >- my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$atime,$mtime,$ctime,$blksize,$blocks); >- ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$msg_size,$atime,$mtime,$ctime,$blksize,$blocks) = stat("$scandir/$wmaildir/new/$file_id"); >- if (!$headers{'date'}) { >- my (@day, @mon); >- $day[0]='Sun';$day[1]='Mon';$day[2]='Tue';$day[3]='Wed';$day[4]='Thu';$day[5]='Fri';$day[6]='Sat'; >- $mon[0]='Jan';$mon[1]='Feb';$mon[2]='Mar';$mon[3]='Apr';$mon[4]='May';$mon[5]='Jun';$mon[6]='Jul';$mon[7]='Aug';$mon[8]='Sep';$mon[9]='Oct';$mon[10]='Nov';$mon[11]='Dec'; >- my ($tm_sec,$tm_min,$tm_hour,$tm_mday,$tm_mon,$tm_year,$tm_wday,$tm_yday,$tm_isdst); >- ($tm_sec,$tm_min,$tm_hour,$tm_mday,$tm_mon,$tm_year,$tm_wday,$tm_yday,$tm_isdst)=localtime; >- $tm_year += 1900; >- $headers{'date'}=$day[$tm_wday].", $tm_mday ".$mon[$tm_mon]." 
$tm_year $tm_hour:$tm_min:$tm_sec"; >- } >-} >- >-sub grab_envelope_hdrs { >- select(STDOUT); $|=1; >- >- open(SOUT,"<&1")||&error_condition("cannot dup fd 0 - $!"); >- while (<SOUT>) { >- ($env_returnpath,$env_recips) = split(/\0/,$_,2); >- if ( ($returnpath=$env_returnpath) =~ s/^F(.*)$// ) { >- $returnpath=$1; >- ($recips=$env_recips) =~ s/^T//; >- $recips =~ /^(.*)\0+$/; >- $recips=$1; >- $recips =~ s/\0+$//g; >- #Keep a note of the NULL-separated addresses >- $trecips=$recips; >- $one_recip=$trecips if ($trecips !~ /\0T/); >- $recips =~ s/\0T/\,/g; >- } >- #only meant to be one line! >- last; >- } >- close(SOUT)||&error_condition("cannot close fd 1 - $!"); >- if ( ($env_returnpath eq "" && $env_recips eq "") || ($returnpath eq "" && $recips eq "") ) { >- #At the very least this is supposed to be $env_returnpath='F' - so >- #qmail-smtpd must be officially dropping the incoming message for >- #some (valid) reason (including the other end dropping the connection). >- &debug("g_e_h: no sender and no recips."); >- &cleanup; >- exit; >- } >- &debug("g_e_h: return-path is \"$returnpath\", recips is \"$recips\""); >-} >- >- >-sub deconstruct_msg { >- my ($start_decon_time) = [gettimeofday]; >- my $save_filename =''; >- my ($new_filename,$MAYBETNEF,$tnef_status); >- >- &debug("d_m: starting $mimeunpacker_binary <$scandir/$wmaildir/new/$file_id [",&deltatime,"]"); >- open(MIME,"$mimeunpacker_binary <$scandir/$wmaildir/new/$file_id 2>&1|")||&error_condition("cannot call $mimeunpacker_binary - $!"); >- while (<MIME>) { >- next if (/exists/); >- &error_condition("d_m: output spotted from $mimeunpacker_binary ($_) - that shouldn't happen!"); >- } >- close(MIME)||&error_condition("cannot close $mimeunpacker_binary - $!"); >- my $unpacker=''; >- >- opendir(DIR,"$ENV{'TMPDIR'}/")||&error_condition("cannot open dir $ENV{'TMPDIR'}/ - $!"); >- my @all_unpacked_files = grep(!/^\.+$/, readdir(DIR)); >- closedir(DIR); >- &debug("d_m: finished $mimeunpacker_binary [",&deltatime,"]"); 
>- #If you have the tnef app, you'll be able to scan broken M$ attachments >- >- if ( $tnef_binary ) { >- &debug("d_m: Checking all attachments to see if they're MS-TNEF"); >- foreach $save_filename (@all_unpacked_files) { >- #Clean up $save_filename so as to keep taint happy >- $save_filename =~ /^(.*)$/; $save_filename=$1; >- ($new_filename=$save_filename) =~ s/([^a-z0-9\.\-\_\+\=\~]+)//gi; >- if ($save_filename ne $new_filename) { >- $new_filename =~ /(\.[^\.]+)$/; >- $new_filename=&uniq_id."$new_filename"; >- rename($save_filename,$new_filename); >- &debug("d_m: ren $save_filename to $new_filename"); >- $save_filename=$new_filename; >- } >- #Who cares if it is or isn't tnef, just scan it! >- if ($tnef_binary) { >- $MAYBETNEF=`$tnef_binary --number-backups -d $ENV{'TMPDIR'}/ -f $ENV{'TMPDIR'}/$save_filename 2>&1`; >- $tnef_status=$?; >- &debug("d_m: is $ENV{'TMPDIR'}/$save_filename is a TNEF file?: $tnef_status [",&deltatime,"]"); >- } >- } >- } >- >- #If you're happy with your scanners zip file handling, you can >- #skip this whole section. 
>- >- if ($force_unzip || $BLOCK_PASSWORD_PROTECTED_ARCHIVES || $log_crypto) { >- &debug("d_m: Check for zip files..."); >- #Re-initialize directory listing >- opendir(DIR,"$ENV{'TMPDIR'}/")||&error_condition("cannot open dir $ENV{'TMPDIR'}/ - $!"); >- @all_unpacked_files = grep(!/^\.+$/, readdir(DIR)); >- closedir(DIR); >- foreach $save_filename (@all_unpacked_files) { >- #Clean up $save_filename so as to keep taint happy >- $save_filename =~ /^(.*)$/; $save_filename=$1; >- ($new_filename=$save_filename) =~ s/([^a-z0-9\.\-\_\+\=\~]+)//gi; >- if ($save_filename ne $new_filename) { >- $new_filename =~ /(\.[^\.]+)$/; >- $new_filename=&uniq_id."$new_filename"; >- rename($save_filename,$new_filename); >- &debug("d_m: ren $save_filename to $new_filename"); >- $save_filename=$new_filename; >- } >- if ( $save_filename =~ /\.(zip|exe)$/i) { >- &unzip_file($save_filename); >- } >- } >- } >- if (!$redundant_scanning) { >- if (-f "$ENV{'TMPDIR'}/$save_filename") { >- system $rm_binary,"-f","$ENV{'TMPDIR'}/$save_filename"; >- } >- } >- my($decon_time)=tv_interval ($start_decon_time, [gettimeofday]); >- &debug("d_m: unpacking message took $decon_time seconds"); >-} >- >-sub init_scanners { >- my($start_init_scanners_time)=[gettimeofday]; >- &debug("ini_sc: start scanning"); >- chdir("$ENV{'TMPDIR'}/"); >- >- #Delete original zip'ped attachment as there's no point >- #in the other scanners double-scanning it - unless $redundant scanning >- #is set.... >- if ($redundant_scanning) { >- link("$scandir/$wmaildir/new/$file_id","$ENV{'TMPDIR'}/orig-$file_id"); >- } >- &debug("ini_sc: recursively scan the directory $ENV{'TMPDIR'}/"); >- >- #Run AV scanners - even if the message is already going to be quarantined >- #due to some Policy: this way you get the definitive answer as to what is >- #a virus... 
>- >- &scanloop; #JLH if (!$quarantine_event); >- >- #Only run perlscanner if no reason to quarantine found so far >- &perlscan_scanner if (!$quarantine_event); >- >- chdir("$scandir"); >- >- my($decon_time)=tv_interval ($start_init_scanners_time, [gettimeofday]); >- &debug("ini_sc: scanning message took $decon_time seconds"); >-} >- >- >-sub perlscan_scanner { >- #This is most efficient if called from within deconstruct_msg >- >- my($start_perlscan_time)=[gettimeofday]; >- my (%array,$var,$lfile,$filename,$section,$apptype,$save_filename); >- my ($type,$desc,$file,$filepath); >- my ($ps_skipfile,$extension); >- my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks,$fsize); >- my ($attachment_list,$perlscan_time); >- &debug("p_s: starting scan of directory \"$ENV{'TMPDIR'}\"..."); >- >- use DB_File; >- >- >- tie (%array, 'DB_File', "$db_filename.db", O_RDONLY, 0600) || &error_condition("cannot open $db_filename.db - $!"); >- >- if (!$quarantine_event && $illegal_mime && $headers{'mime-version'} && $BAD_MIME_CHECKS) { >- $destring="problem"; >- $quarantine_description="Disallowed characters found in MIME headers" if (!$quarantine_description); >- $quarantine_event="Policy:Bad_MIME"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description'\n found in message"; >- } >- #check out headers against DB... >- >- foreach $var (sort keys(%array)) { >- ($type,$desc)=split(/\t/,$array{$var},2); >- &debug("p_s: '$var' = '$type' = '$desc'"); >- if ($type !~ /^[0-9]+$/) { >- &debug("p_s: type is a header!"); >- #Strip off numeric uid... 
>- $var =~ s/^[0-9]+://; >- $type =~ s/^Virus-//g; >- &debug("p_s: checking for objects containing $type: $var"); >- if ($headers{$type} =~ /^$var$/) { >- $quarantine_description="$desc"; >- ($quarantine_event=$quarantine_description) =~ s/\s/_/g; >- $quarantine_event="Perlscan:".substr($quarantine_event,0,$QE_LEN); >- $quarantine_event=~s/_$//g; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >- &debug("p_s: something to block! ($quarantine_description)"); >- } >- } else { >- &debug("p_s: type is a size!"); >- } >- } >- >- #opendir(DIR,"$ENV{'TMPDIR'}/")||&error_condition("cannot open dir $ENV{'TMPDIR'}/ - $!"); >- #@allfiles = grep(!/^\.+$/, readdir(DIR)); >- #closedir(DIR); >- open(DIR,"$find_binary $ENV{'TMPDIR'}/ -type f |")||&error_condition("cannot open dir $ENV{'TMPDIR'}/ - $!"); >- #append any ORIGINAL uuencoded filenames to this directory array >- #so that perlscanner can match on uuencoded filenames >- my @allfiles=<DIR>; >- close(DIR); >- >- if ($#allfiles > $MAX_NUM_UNPACKED_FILES) { >- &debug("w_c: more than MAX_NUM_UNPACKED_FILES files found - quarantine"); >- $illegal_mime=1; >- $destring='problem'; >- $quarantine_description="Too many file components found (".$#allfiles.") - potential DoS"; >- $quarantine_event="Policy:Many_Files"; >- $quarantine_DOS=$quarantine_event; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >- $file_desc .= "too_many:$msg_size\t" if ($file_desc !~ /\Q$file\E:$size\t/); >- return; >- } >- foreach $filepath (@allfiles,@uufile_list,@zipfile_list,@attachment_list) { >- chomp($filepath); >- ($file=$filepath)=~s/^.*\///g; >- #skip files that reformime/ripmime generates. >- #This will potentially allow baddies to smuggle files through >- #by using filenames like this... 
Nothing can be done about that:-( >- #Reformime generates filenames of the form: >- # 967067231.24320-X.host.name (where X is a number) >- #Ripmime generates filenames of the form: >- # textfileX (where X is a number) >- if ($file =~ /^[0-9]+\.[0-9]+\-[0-9]+\.$hostname|^(orig\-|)$file_id|^textfile[0-9]+/) { >- &debug("p_s: skipping auto-generated file $file"); >- $ps_skipfile=1; >- } else { >- &debug("p_s: checking $file against perlscanner database..."); >- $ps_skipfile=0; >- } >- >- if (!$quarantine_event && length($file) > 256 && $BAD_MIME_CHECKS > 1 ) { >- &debug("w_c: majorly long attachment filename found - block it"); >- $illegal_mime=1; >- $destring='problem'; >- $quarantine_description="Disallowed attachment file length found (".length($file).") - potential virus"; >- $quarantine_event="Policy:Attach_Length"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >- $file_desc .= "$file:$msg_size\t" if ($file_desc !~ /\Q$file\E:$size\t/); >- return; >- } >- >- #Do the patently obvious filename security checks here >- if ( $BAD_MIME_CHECKS > 1) { >- #Not as thorough as I'd like - but I got too many false positives doing it more generically... :-( >- #The VALID_WINDOWS_EXTENSIONS is based on double-barrel virii caught in a years worth of Qmail-Scanner >- #logs (gotta love those logs!). 
Notice that I expressly allow "file.exe.exe" through - as the double-extension >- #doesn't hide anything [just implies a user made a mistake] >- if (!$quarantine_event && ($file =~ /(^.*)\.($VALID_WINDOWS_EXTENSIONS)\.($SNEAKY_WINDOWS_EXTENSIONS)$/i) && $file !~ /((\.[a-z0-9]{3})\1|\.pp.\.pp.)$/i) { >- $quarantine_description="Disallowed double-barrelled attachment filename ($file) - potential virus"; >- &debug("w_c: $quarantine_description"); >- $illegal_mime=1; >- $destring='problem'; >- $quarantine_event="Policy:Win_Ext"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >- $file_desc .= "$file:$msg_size\t" if ($file_desc !~ /\Q$file\E:$size\t/); >- return; >- } >- if (!$quarantine_event && $file =~ /\{[0-9a-f]{8}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{12}\}$/i) { >- $quarantine_description="Disallowed CLSID file extensions ($file) - potential virus"; >- &debug("w_c: $quarantine_description"); >- $illegal_mime=1; >- $destring='problem'; >- $quarantine_event="Policy:Win_CLSID"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >- $file_desc .= "$file:$msg_size\t" if ($file_desc !~ /\Q$file\E:$size\t/); >- return; >- } >- } >- if ($file =~ /(^.*)(\.[^\.]+)\.?$/) { >- $extension=tolower($2); >- } else { >- $extension=""; >- } >- $lfile = tolower($file); >- &debug("p_s: file $file is lowercased to $lfile and has extension $extension") if (!$ps_skipfile); >- #Stat'ing attachment names from @attachment_list will fail on filenames that reformime rewrites >- #that's OK, as they'll still be picked up via their new filename >- ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks) = stat("$filepath"); >- #As you stat virtual files as well as real ones, you can't do this check against virtual files... 
>- if ($effective_uid ne "" && $uid ne "" && $uid != $effective_uid) { >- $DEBUG=101; >- &error_condition("owner of unpacked file \"$filepath\" (uid=$uid) doesn't match UID of Qmail-Scanner (uid=$effective_uid) - can't expect this to work. Fix whatever is creating files with uid=$uid"); >- } >- if ($ino && $file_desc !~ /\Q$file\E:$size\t/) { >- #Sanity check so that the virtual attachments don't get double-counted >- $file_desc .= "$file:$size\t"; >- } >- &debug("p_s: compare $lfile (size $size) against perlscanner database") if (!$ps_skipfile); >- if ( ($array{$lfile} || $array{$extension}) && !$ps_skipfile ) { >- if ($array{$lfile}) { >- ($fsize,$quarantine_description) = split(/\t/,$array{$lfile},2); >- } else { >- $destring="Disallowed attachment type"; >- ($fsize,$quarantine_description) = split(/\t/,$array{$extension},2); >- } >- $attachment_list.="$file:$size,"; >- if (!$quarantine_event && $size eq $fsize || $fsize =~ /^(\-|\*|any|0)$/i ) { >- &debug("p_s: Quarantine $file! ($quarantine_description)"); >- ($quarantine_event=$quarantine_description) =~ s/\s/_/g; >- $quarantine_event="Perlscan:".substr($quarantine_event,0,$QE_LEN); >- $quarantine_event=~s/_$//g; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$file"; >- $section=$apptype=$save_filename=$filename=""; >-# return; >- } >- } >- } >- untie %array; >- chdir("$scandir/"); >- my($stop_perlscan_time)=[gettimeofday]; >- $perlscan_time = tv_interval ($start_perlscan_time, $stop_perlscan_time); >- &debug("p_s: finished scan of dir \"$ENV{'TMPDIR'}\" in $perlscan_time secs"); >-} >- >- >-sub scanloop { >- &debug("scanloop: starting scan of directory \"$ENV{'TMPDIR'}\"..."); >- >- my ($scanner); >- >- #If it has already been blocked as a Policy DoS attack - don't >- #run AVs over it! You might - well - DoS you system... 
>- if (!$quarantine_DOS) { >- #Remember any policy blocks that have already occurred, but reset >- #$quarantine_event so that if a virus is found, that "wins" >- $quarantine_event_tmp=$quarantine_event; >- $quarantine_event='0'; >- foreach $scanner (@scanner_array) { >- #Any scanner errors caused by broken zip files/etc will be ignored >- # - not sure how that should be handled... >- &debug("scanloop: scanner=$scanner,plain_text_msg=$plain_text_msg"); >- >- #Just run virus scanners over mail that isn't plain text >- if ($plain_text_msg) { >- #If it's plain text - just run anti-spam checks >- &{$scanner} if ($scanner =~ /spam/i); >- }else { >- &{$scanner}; >- } >- if ($quarantine_event) { >- #If one scanner finds a virus - why run the rest over it? >- last; >- } >- } >- if (!$quarantine_event) { >- $quarantine_event=$quarantine_event_tmp; >- } else { >- #Make sure this is set correctly >- $destring="virus"; >- } >- &debug("scanloop: finished scan of \"$ENV{'TMPDIR'}\"..."); >- } >-} >- >-sub qmail_requeue { >- my($sender,$env_recips,$msg)=@_; >- my ($temp,$findate); >- >- &debug("q_r: fork off child into $qmailqueue..."); >- >- #($recips=$env_recips) =~ s/^T//; >- #$recips =~ s/\0T/\,/g; >- #$recips =~ /^(.*)\0+$/; >- #$recips = $1; >- #$recips =~ s/\0+$//g; >- >- # Create a pipe through which to send the envelope addresses. >- pipe (EOUT, EIN) or &error_condition("Unable to create a pipe. - $!"); >- select(EOUT);$|=1; >- select(EIN);$|=1; >- # Fork qmail-queue. The qmail-queue child will then open fd 0 as >- # $message and fd 1 as the reading end of the envelope pipe and exec >- # qmail-queue. The parent will read in the addresses and pass them >- # through the pipe and then check the exit status. >- >- $elapsed_time = tv_interval ($start_time, [gettimeofday]); >- local $SIG{PIPE} = 'IGNORE'; >- my $pid = fork; >- >- if (not defined $pid) { >- &error_condition ("Unable to fork. (#4.3.0) - $!"); >- } elsif ($pid == 0) { >- # In child. Mutilate our file handles. 
>- close EIN; >- >- open(STDIN,"<$msg")|| &error_condition ("Unable to reopen fd 0. (#4.3.0) - $!"); >- >- open (STDOUT, "<&EOUT") || &error_condition ("Unable to reopen fd 1. (#4.3.0) - $!"); >- select(STDIN);$|=1; >- &debug("q_r: xstatus=$xstatus"); >- open (QMQ, "|$qmailqueue")|| &error_condition ("Unable to open pipe to $qmailqueue [$xstatus] (#4.3.0) - $!"); >- ($sec,$min,$hour,$mday,$mon,$year) = gmtime(time); >- $elapsed_time = tv_interval ($start_time, [gettimeofday]); >- $findate = POSIX::strftime( "%d %b ",$sec,$min,$hour,$mday,$mon,$year); >- $findate .= sprintf "%02d %02d:%02d:%02d -0000", $year+1900, $hour, $min, $sec; >- print QMQ "Received: from $remote_smtp_ip by $hostname (envelope-from <$returnpath>, uid $real_uid) with qmail-scanner-$VERSION \n"; >- print QMQ " ($SCANINFO \n Clear:$tag_score. \n"; >- print QMQ " Processed in $elapsed_time secs); $findate\n"; >- print QMQ "X-Spam-Status: $sa_comment\n" if ($sa_comment ne ""); >- print QMQ "X-Spam-Level: $sa_level\n" if ($sa_comment ne "" && $sa_level ne ""); >- if ( $descriptive_hdrs ) { >- print QMQ "${V_HEADER}-Mail-From: $returnpath via $hostname\n"; >- print QMQ "${V_HEADER}-Rcpt-To: $recips\n" if ($descriptive_hdrs eq "2"); >- print QMQ "$V_HEADER: $VERSION (Clear:$tag_score. Processed in $elapsed_time secs)\n"; >- } >- my $still_headers=1; >- my $seen_env=0; >- while (<STDIN>) { >- if ($still_headers) { >- #if (!$seen_env && /^X\-Envelope\-From:/) { >- #$seen_env=1; >- #just skip the next line (X-Envelope-To:) >- #<STDIN>; >- #next; >- #} >- #break any X-Spam-Status/Level IFF we've set a SA value ourselves. Easier than removing - and it leaves >- #them around for diagnosis... 
>- s/^(X-Spam-Status|X-Spam-Flag):/${V_HEADER}-MOVED-$1:/ if ($sa_comment ne "" && /^(X-Spam-Status|X-Spam-Flag):/i); >- s/^(X-Spam-Level):/${V_HEADER}-MOVED-$1:/ if ($sa_level ne "" && /^X-Spam-Level:/i); >- if ($sa_comment =~ /^yes/i && $spamc_subject ne "" && !/^Subject: \Q$spamc_subject\E/i && /^(Subject):(\s?)([^\n]+)\n/i ) { >- $altered_subject="$1: $spamc_subject $3"; >- if ($altered_subject !~ /^: \Q$spamc_subject\E/) { >- &debug("altering subject line to $altered_subject"); >- print QMQ "$altered_subject\n"; >- next; >- } >- } >- $still_headers=0 if (/^(\r|\r\n|\n)$/); >- #Insert Subject: line if e-mail dosn't contain one but must be tagged >- print QMQ "Subject: $spamc_subject\n" if ((!$still_headers) && ($sa_comment =~ /^yes/i) && (!$altered_subject) && $spamc_subject ne "" ); >- >- } >- print QMQ; >- } >- close(QMQ); #||&error_condition("Unable to close pipe to $qmailqueue (#4.3.0) - $!"); >- $xstatus = ( $? >> 8 ); >- if ( $xstatus > 10 && $xstatus < 41 ) { >- &error_condition("mail server permanently rejected message. (#5.3.0) - $!",$xstatus); >- } elsif ($xstatus > 0) { >- &error_condition("Unable to open pipe to $qmailqueue [$xstatus] (#4.3.0) - $!",$xstatus); >- } >- #This child is finished - exit >- exit; >- } else { >- # In parent. >- close EOUT; >- >- # Feed the envelope addresses to qmail-queue. >- print EIN "$sender\0$env_recips"; >- close EIN || &error_condition ("Write error to envelope pipe. (#4.3.0) - $!"); >-} >- >- # We should now have queued the message. Let's find out the exit status >- # of qmail-queue. >- waitpid ($pid, 0); >- $xstatus =($? >> 8); >- if ( $xstatus > 10 && $xstatus < 41 ) { >- &error_condition("mail server permanently rejected message. 
(#5.3.0) - $!",$xstatus); >- } elsif ($xstatus > 0) { >- &error_condition("Unable to close pipe to $qmailqueue [$xstatus] (#4.3.0) - $!",$xstatus); >- } >-} >- >- >-sub valid_virus_to_report { >- my ($virus_type)=@_; >- my ($virus)=''; >- # This subroutine is used to determine if the virus found during the scan >- # is reportable. i.e. do we want to send a message to this user or not as is >- # the case with the KLEZ virus. >- #&debug("v_v_t_r: called with $virus_type"); >- foreach $virus (@silent_viruses_array) { >- #&debug("v_v_t_r: does $virus_type contain $virus?"); >- if ($virus_type =~ /$virus/i) { >- &debug("v_v_t_r: $virus_type contain $virus - so don't notify the sender"); >- return 0; >- } >- } >- return 1; >-} >- >-sub automated_msg { >- if ($headers{'x-loop'} || $headers{'auto-submitted'} !~ /^(|no)$/i || $headers{'x-listname'} || $headers{'x-listmember'} || $headers{'mailing-list'} || $headers{'x-mailing-list'} || $headers{'precedence'} =~ /^(bulk|list|junk)$/i || $returnpath =~ /^$|^\#\@\[\]$|anonymous|nobody|daemon|request|bounce|mailer|postm|owner|list|words|majordom|experts|\-(return|error)/i) { >- return 1; >- } else { >- return 0; >- } >-} >- >-sub bounce_msg { >- if ($returnpath =~ /^$|^\#\@\[\]$|(daemon|bounce|mailer|postm)/i) { >- return 1; >- } else { >- return 0; >- } >-} >- >-sub is_unreplyable_email { >- my ($addr_type)=@_; >- my ($dom,$is_local)=''; >- #This subroutine is used to see if the sender of this message >- #was a mailing-list/postmaster/etc, or the recipient is a local user. >- #If it is we don't want to send a reply. 
>- #&debug("i_u_e: called with $addr_type"); >- >- if ($addr_type eq "recips") { >- foreach $dom (@local_domains_array) { >- #&debug("i_u_e: does $recips contain $dom?"); >- if ($recips =~ /$dom$/i) { >- #&debug("i_u_e: yes it does!"); >- $is_local++; >- } >- } >- } else { >- $is_local="99"; >- if (&automated_msg ) { >- #&debug("i_u_e: $addr_type is a mailing-list"); >- return 1; >- } >- } >- # >- #Only reply if it is a local address >- if (!$is_local) { >- #&debug("i_u_e: is_local=$is_local"); >- return 1; >- } else { >- #&debug("i_u_e: is_local=$is_local"); >- return 0; >- } >-} >- >-sub email_quarantine_report { >- my($start_email_time)=[gettimeofday]; >- &debug("e_v_r: quarantine msg to $scandir/$vmaildir/new/$file_id"); >- link("$scandir/$wmaildir/new/$file_id","$scandir/$vmaildir/new/$file_id")||&error_condition("cannot link $scandir/$wmaildir/new/$file_id into $scandir/$vmaildir/new/ - $!"); >- open(QTINE,">>$scandir/$vmaildir/new/$file_id"); >- print QTINE "\n*** Qmail-Scanner Quarantine Envelope Details Begin ***\n"; >- print QTINE "${V_HEADER}-Mail-From: \"$returnpath\" via $hostname\n"; >- print QTINE "${V_HEADER}-Rcpt-To: \"$recips\"\n"; >- print QTINE "$V_HEADER: $VERSION ($SCANINFO $destring Found. Processed in ",tv_interval($start_time,[gettimeofday])," secs)\n"; >- print QTINE "Quarantine-Description: $quarantine_description\n"; >- print QTINE "*** Qmail-Scanner Envelope Details End ***\n"; >- close QTINE; >- &email_sender("sender") if (&valid_virus_to_report($quarantine_description)); >- &email_sender("admin"); >- if ($trecips =~ /\0T/) { >- for $recip (split(/\0T/,$trecips)) { >- &email_recips($recip); >- } >- } else { >- &email_recips($recips); >- } >- &write_quarantine_report; >- $elapsed_time = tv_interval ($start_time, [gettimeofday]); >- &debug("e_v_r: email_quarantine_report took ".tv_interval ($start_email_time, [gettimeofday])." 
seconds to execute"); >-} >- >-sub cleanup { >- closelog(); >- chdir("$scandir/"); >- if ($archiveit !~ /^(1|yes)$/i) { >- #This will only archive mail where the sender or recipient matches the regex that is $archiveit >- if ($headers{'MAILFROM'} !~ /$archiveit/i && $headers{'RCPTTO'} !~ /$archiveit/i) { >- $archiveit=0; >- } >- } >- if (!$archiveit) { >- &debug("cleanup: $rm_binary -rf $ENV{'TMPDIR'}/ $scandir/$wmaildir/new/$file_id") ; >- } else { >- # check if $archivedir exists >- if (!-d "$scandir/$archivedir") { >- mkdir("$scandir/$archivedir",0700) || &error_condition("cannot create $scandir/$archivedir - $!"); >- mkdir("$scandir/$archivedir/new",0700) || &error_condition("cannot create $scandir/$archivedir/new - $!"); >- mkdir("$scandir/$archivedir/cur",0700) || &error_condition("cannot create $scandir/$archivedir/cur - $!"); >- mkdir("$scandir/$archivedir/tmp",0700) || &error_condition("cannot create $scandir/$archivedir/tmp - $!"); >- } >- if ( -f "$scandir/$wmaildir/new/$file_id" ) { >- &debug("cleanup: archiving into $scandir/$archivedir/new/"); >- rename("$scandir/$wmaildir/new/$file_id","$scandir/$archivedir/new/$file_id"); >- #This will do for now. Not pretty - but very cheap! >- #We need to append this information, otherwise how do you know who this message >- #was from or to? >- # >- open(ARCHIVE,">>$scandir/$archivedir/new/$file_id"); >- print ARCHIVE "\n*** Qmail-Scanner Envelope Details Begin ***\n"; >- print ARCHIVE "${V_HEADER}-Mail-From: \"$returnpath\" via $hostname\n"; >- print ARCHIVE "${V_HEADER}-Rcpt-To: \"$recips\"\n"; >- print ARCHIVE "$V_HEADER: $VERSION ($SCANINFO Clear:$tag_score. 
Processed in ",tv_interval($start_time,[gettimeofday])," secs)\n"; >- print ARCHIVE "*** Qmail-Scanner Envelope Details End ***\n"; >- close ARCHIVE; >- } >- } >- system("$rm_binary -rf $ENV{'TMPDIR'}/ $scandir/$wmaildir/new/$file_id") if ($DEBUG < 100 && $file_id ne ""); >- >-} >- >- >-sub scan_queue { >- my ($scanner,$SCANINFO,$files,$sweep_eng,$sweep_product,$sophie_eng,$dir); >- my $start_scan_time =time; >- my ($inocucmd_eng,$inocucmd_product,$spamassassin_eng); >- >- chdir($scandir); >- &debug("s_q: re-create the quarantine version file"); >- foreach $scanner (@scanner_array) { >- $scanner =~ s/_scanner//; >- &debug("s_q: detecting version of $scanner"); >- if ($scanner eq "uvscan") { >- open(UV,"$uvscan_binary --version|")||die "failed to call $uvscan_binary --version - $!"; >- while (<UV>) { >- chomp; >- if (/^Scan engine (v[0-9\.]+) /) { >- $SCANINFO .="uvscan: $1/"; >- } elsif (/^Virus data file (v[0-9\.]+) /) { >- $SCANINFO .= "$1. "; >- } >- } >- close(UV); >- } elsif ($scanner eq "csav") { >- open(CS,"$csav_binary -virno|")||die "failed to call $csav_binary -virno - $!"; >- while (<CS>) { >- chomp; >- if (/Command Software AntiVirus for Linux (version [0-9\.]+)/) { >- $SCANINFO .="csav: $1/"; >- } elsif (/^CSA[V]: (.*)/) { >- $SCANINFO .= "$1/"; >- } >- } >- close(CS); >- } elsif ($scanner eq "trophie" ) { >- open(IS,"$trophie_binary -v 2>&1|")||die "failed to call $trophie_binary -v - $!"; >- while (<IS>) { >- chomp; >- if (/VSAPI version (.*)/) { >- $SCANINFO .= "trophie: $1/"; >- } elsif (/Pattern version ([0-9]+) \(pattern number ([0-9]+)\)/) { >- $SCANINFO .= "$1/$2. 
"; >- } >- } >- close(IS); >- } elsif ($scanner eq "iscan") { >- open(IS,"$iscan_binary -v|")||die "failed to call $iscan_binary -v - $!"; >- while (<IS>) { >- chomp; >- if (/Virus Scanner (v[0-9\.]+), VSAPI (v[0-9\.\-]+)/) { >- $SCANINFO .="iscan: $1/$2/"; >- } elsif (/Pattern version ([0-9\.]+)/) { >- $SCANINFO .= "$1/"; >- } elsif (/Pattern number ([0-9\.]+)/) { >- $SCANINFO .= "$1. "; >- } >- } >- close(IS); >- } elsif ($scanner eq "fsecure") { >- open(FS,"$fsecure_binary --version|")||die "failed to call $fsecure_binary --version - $!"; >- while (<FS>) { >- chomp; >- if (/^F-Secure.*(Release|version)\s+([0-9\.]+)\s+build\s+([0-9]+)/i) { >- $SCANINFO .="fsecure: $2/$3/"; >- } elsif (/sign.def version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >- $SCANINFO .= "$1/"; >- } elsif (/fsmacro.def version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >- $SCANINFO .= "$1/"; >- } elsif (/sign2.def version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >- $SCANINFO .= "$1. "; >- } elsif (/F-PROT database version (.*)$/) { >- $SCANINFO .= "fprot($1)/"; >- } elsif (/AVP FPI Engine database version (.*)$/) { >- $SCANINFO .= "avp($1). "; >- } elsif (/Libra database version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >- $SCANINFO .= "libra database $1/"; >- } elsif (/Orion database version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >- $SCANINFO .= "orion database $1/"; >- } elsif (/AVP FPI Engine database version ([0-9\.]+-[0-9\.]+-[0-9\.]+)/) { >- $SCANINFO .= "avp fpi database $1. "; >- } >- } >- close(FS); >- $SCANINFO .= ". " if ($SCANINFO !~ /\. $/); >- } elsif ($scanner eq "fprot") { >- open(FP,"$fprot_binary \?|")||die "failed to call $fprot_binary --version - $!"; >- while (<FP>) { >- chomp; >- if (/(F-PROT|Program version:) ([0-9\.]+)/) { >- $SCANINFO .="f-prot: $2/"; >- } elsif (/Engine version: ([0-9\.]+)/) { >- $SCANINFO .= "$1"; >- } >- } >- $SCANINFO .= ". 
"; >- close(FP); >- } elsif ($scanner eq "hbedv") { >- open(IS,"$hbedv_binary --version 2>&1 |")||die "failed to call $hbedv_binary --version - $!"; >- while (<IS>) { >- chomp; >- if (/engine version:\s+([0-9\.]+)/) { >- $SCANINFO .= "hbedv: $1"; >- } elsif (/vdf version:\s+([0-9\.]+)/) { >- $SCANINFO .= "/$1. "; >- } >- } >- close(IS); >- } elsif ($scanner eq "avp") { >- open(AVP,"$avp_binary -Y -VL 2>&1 |")||die "failed to call $avp_binary -Y -VL - $!"; >- while (<AVP>) { >- chomp; >- if (/Version (([0-9\.]+)\s+build ([0-9\.]+)|([0-9\.]+))/) { >- if ($2) { >- $SCANINFO .= "avp: $1/$2. "; >- } else { >- $SCANINFO .= "avp: $1. "; >- } >- } >- } >- close(AVP); >- } elsif ($scanner eq "ravlin") { >- open(RAV,"$ravlin_binary --version 2>&1 |")||die "failed to call $ravlin_binary --version - $!"; >- while (<RAV>) { >- chomp; >- if (/^Version: ([0-9\.]+)\./) { >- $SCANINFO .= "ravlin: $1. "; >- } >- } >- close(RAV); >- } elsif ($scanner eq "vexira") { >- open(VEX,"$vexira_binary --version 2>&1 |")||die "failed to call $vexira_binary --version - $!"; >- while (<VEX>) { >- chomp; >- if (/^engine version:\s+([0-9\.]+)/) { >- $SCANINFO .= "vexira: $1. "; >- } >- } >- close(RAV); >- } elsif ($scanner eq "bitdefender") { >- open(BITDEF,"$bitdefender_binary --info 2>&1 |")||die "failed to call $bitdefender_binary --info - $!"; >- while(<BITDEF>) { >- chomp; >- if (/^BDC\/Linux\-Console (.*) \(build ([^\)]+)\)/){ >- $SCANINFO .= "bitdefender: $1/$2"; >- } >- if (/^Engine signatures:\s+([0-9]+)/) { >- $SCANINFO .= "/$1. 
"; >- } >- } >- close(BITDEF); >- } elsif ($scanner eq "nod32") { >- open(NOD,"$nod32upd_binary /help 2>&1 |")||die "failed to call $nod32upd_binary /help - $!"; >- while(<NOD>) { >- chomp; >- if (/^Version.* (.*)/){ >- $SCANINFO .= "nod32: $1"; >- } >- } >- close(NOD); >- } elsif ($scanner eq "sophie") { >- open(SOP,"$sophie_binary -v 2>&1|")||die "failed to call $sophie_binary -v - $!"; >- while (<SOP>) { >- chomp; >- if (/Sophos engine version (.*)$/) { >- $sweep_eng=$1; >- } elsif (/Sophos IDE version ([0-9\.]+)/) { >- $sweep_product=$1; >- } elsif (/Sophie version\s+:\s+([0-9\.]+)/) { >- $sophie_eng=$1; >- } >- } >- $SCANINFO .= "sophie: $sophie_eng/$sweep_eng/$sweep_product. "; >- close(SOP); >- } elsif ($scanner eq "sweep") { >- open(SOP,"$sweep_binary -v|")||die "failed to call $sweep_binary -v - $!"; >- while (<SOP>) { >- chomp; >- if (/Engine version\s+:\s+(.*)$/) { >- $sweep_eng=$1; >- } elsif (/Product version\s+:\s+(.*)$/) { >- $sweep_product=$1; >- } >- } >- $SCANINFO .= "sweep: $sweep_eng/$sweep_product. "; >- close(SOP); >- } elsif ($scanner eq "inocucmd") { >- open(IOP,"$inocucmd_binary -HEL|")||die "failed to call $inocucmd_binary -HEL - $!"; >- while (<IOP>) { >- chomp; >- if (/Engine version:\s+(.*) ([0-9\/]+)$/) { >- $inocucmd_eng=$1; >- } elsif (/Data version:\s+(.*) ([0-9\/]+)$/) { >- $inocucmd_product=$1; >- } >- } >- $SCANINFO .= "inocucmd: $inocucmd_eng/$inocucmd_product. "; >- close(IOP); >- } elsif ($scanner eq "clamscan") { >- open(CLAMS,"$clamscan_binary --stdout -V|")||die "failed to call $clamscan_binary --stdout -V - $!"; >- while (<CLAMS>) { >- chomp; >- if (/ersion ([0-9\.\-a-z]+)/i) { >- $SCANINFO .="clamscan: $1. "; >- } >- } >- close(CLAMS); >- } elsif ($scanner eq "clamdscan") { >- open(CLAMS,"$clamdscan_binary --version 2>&1|")||die "failed to call $clamdscan_binary --version - $!"; >- while (<CLAMS>) { >- chomp; >- if (/ersion ([0-9\.\-a-z]+)/i) { >- $SCANINFO .="clamdscan: $1. 
"; >- } elsif (/^ClamAV ([^\/]+)\/([^\/]+)\//) { >- $SCANINFO .="clamdscan: $1/$2. "; >- } >- } >- close(CLAMS); >- } elsif ($scanner eq "spamassassin") { >- #X-Spam-Checker-Version: SpamAssassin 2.01 >- open(SPAS,"$spamassassin_binary -V |")||die "failed to call $spamassassin_binary -V - $!"; >- $spamassassin_eng="2.x"; >- while (<SPAS>) { >- chomp; >- if (/^SpamAssassin version (.*)$/i) { >- $spamassassin_eng=$1; >- } >- } >- close(SPAS); >- $SCANINFO .= "spamassassin: $spamassassin_eng. "; >- } else { >- #Catch-all for other ones >- $SCANINFO .= "$scanner: ???. "; >- } >- } >- $SCANINFO =~ s/ \. / /g; >- open(VER,">$versionfile.tmp")||die "cannot write to $versionfile.tmp - $!"; >- print VER $SCANINFO; >- close(VER); >- rename("$versionfile.tmp","$versionfile"); >- >- &debug("s_q: cleaning up files older than 2 days via $find_binary $scandir/tmp -mtime +2 -exec $rm_binary -rf {} \;"); >- my ($OLDFILES)=`$find_binary $scandir/tmp -mtime +2 -exec $rm_binary -rf {} \\; 2>/dev/null`; >-} >- >-sub write_quarantine_report { >- my ($temp,$desc,$report,$subj); >- $subj=$headers{'subject'}; >- $subj =~ s/\t/ /g; >- $desc=$quarantine_description; >- $desc =~ s/\n\t/ /g; >- $nowtime = strftime("%a, %d %b %Y %H:%M:%S %Z", localtime(time)); >- $report = "$nowtime\t$returnpath\t$recips\t$subj\t$desc\t$SCANINFO\n"; >- open(QUARANTINELOG,">>$scandir/$quarantinelog"); >- print QUARANTINELOG $report; >- close QUARANTINELOG; >- &debug("w_v_r: writing quarantine log report of: $report"); >-} >- >-sub scanner_info { >- open(SC,"<$versionfile")||&error_condition("cannot open $versionfile - did you initialise the system by running \"$prog -z\"? 
- $!"); >- $SCANINFO = <SC>; >- $SCANINFO =~ s/\n|\r|\0/ /g; >- close(SC); >-} >- >-sub generate_quarantine_db { >- use DB_File; >- use vars qw( %h); >- my ($line,%array,$count,$match,$type,$descr,$entry,$descrip,$size); >- if ($opt_g) { >- print "perlscanner: generate new DB file from $db_filename.txt\n"; >- unlink("$db_filename.db.tmp"); >- tie (%array, 'DB_File', "$db_filename.db.tmp", O_CREAT|O_RDWR, 0640, $DB_HASH ) || &error_condition("cannot open for write $db_filename.db.tmp - $!"); >- >- open(TXT,"<$db_filename.txt")||&error_condition("cannot read $db_filename.txt - $!"); >- >- #Remeber: all filenames are lowercased, but headers aren't... >- while (<TXT>) { >- $line++; >- next if (/^\#|^\s+$/); #ignore lines starting with hashes >- chomp; >- $count++; >- ($match,$type,$descr)=split(/\t+/,$_,3); >- if ( $match eq "" || ($type !~ /^[0-9]+$/ && $type !~ /^Virus-[0-9a-z\_\-]+:$/i) ) { >- print "ERROR: incorrect format on line \"$line\"\n"; >- &error_condition("ERROR: incorrect format on line \"$line\""); >- } else { >- #Strip off any regex endings >- if ($type =~ /^[0-9]+$/) { >- #this is a filename/attachment >- if ( $match =~ /^\.dat$/i ) { >- >- print "ERROR: on line \"$line\".\nCannot block all .dat files. Will block too many normal messages.\n"; >- &error_condition("ERROR: on line \"$line\".\nCannot block all .dat files. 
Will block too many normal messages."); >- next; >- } >- $match = tolower($match); >- } else { >- #this is for header matches >- $match =~ s/^\^|\$$//g; >- #Now make unique >- $match = "$line:$match"; >- $type =~ s/:$//; >- $type =~ /^Virus\-(.*)/; >- if ($1 !~ /^(MAILFROM|RCPTTO|TCPREMOTEIP)$/) { >- $type="Virus-".tolower($1); >- } >- } >- $array{"$match"}="$type\t$descr"; >- } >- } >- close(TXT); >-# $array->sync; >- untie %array ; >- rename("$db_filename.db.tmp","$db_filename.db"); >- print "perlscanner: total of $count entries.\n"; >- } else { >- print "perlscanner: reading from $db_filename.db\n"; >- tie (%array, 'DB_File', "$db_filename.db", O_RDONLY, 0600) || &error_condition("cannot open $db_filename.db - $!"); >- foreach $entry (keys %array) { >- $count++; >- ($type,$descrip)=split(/\t/,$array{$entry},2); >- if ( $type =~ /^([0-9]+|Any)/) { >- if ($type eq "0") { >- $type="Any"; >- } elsif ($size =~ /^[0-9]+$/) { >- $type="$type bytes"; >- } >- print "File: \t$entry\n\t\t\tSize: $type\n\t\t\tDescription: $descrip\n\n"; >- } >- if ($type =~ /^Virus-(.*)$/i) { >- $type=$1; >- #Strip off numeric uid... >- $entry =~ s/^[0-9]+://; >- if ($type =~ /^(MAILFROM|RCPTTO|TCPREMOTEIP)$/) { >- print "Envelope Header: \t$type\n\t\t\tContent: ^$entry\$\n\t\t\tDescription: $descrip\n\n"; >- } else { >- print "Email Header: \t$type\n\t\t\tContent: ^$entry\$\n\t\t\tDescription: $descrip\n\n"; >- } >- } >- } >- untie %array; >- print "perlscanner: total of $count entries found.\n"; >- } >-} >- >- >- >- >-sub show_version { >- my ($scanner); >- &scanner_info; >- print " >- >-$prog >- >-Version: $VERSION >- >-Perl: PERLRELEASE_DETAILS >- >-Scanners: perlscanner"; >- foreach $scanner (@scanner_array) { >- print ", $scanner"; >- } >- >- print "\n\nScanner versioning: $SCANINFO\n"; >- print " >-Operating System: HOST_OS, HOST_RELEASE >-Hardware: HOST_HARDWARE"; >- print "\n\n\n"; >-} >- >- >-sub email_sender { >- #Don't e-mail bounced mail messages/etc! 
>- return if (&is_unreplyable_email('sender')); >- my($addr_type)=@_; >- my ($HDR,$hdr,$tmpsndrs,$tmpsubj,$polstring)=''; >- my ($tmpmsgid)= &uniq_id() . "-" . $V_FROM; >- $polstring='policy' if (¬ify_addr('nmlvadm')); >- >- open(SM,"|$qmailinject -h -f ''")||&error_condition("cannot open $qmailinject for sending quarantine report - $!"); >- print SM "From: \"$V_FROMNAME\" <$V_FROM>\n"; >- if ($addr_type =~ /sender/) { >- $addr_type='psender' if ($NOTIFY_ADDRS =~ /psender/); >- if ($addr_type eq "sender") { >- if (!&is_unreplyable_email('sender') && ¬ify_addr('sender')) { >- &debug("e_s: sending quarantine report via: $qmailinject to sender address ($returnpath)"); >- print SM "To: $returnpath\n"; >- $tmpsndrs = "$returnpath"; >- } else { >- &debug("e_s: don't notify sender"); >- } >- }elsif ($addr_type eq "psender") { >- if (!&is_unreplyable_email('sender') && ¬ify_addr('sender') && ($quarantine_event =~ /^(policy|perlscan)/i && $quarantine_event !~ /virus/i)) { >- &debug("e_s: sending policy quarantine report via: $qmailinject to psender address ($returnpath)"); >- print SM "To: $returnpath\n"; >- $tmpsndrs = "$returnpath"; >- } else { >- &debug("e_s: don't notify psender"); >- } >- } else { >- return; >- } >- } else { >- if (¬ify_addr('admin') || (¬ify_addr('nmladm') && !&is_unreplyable_email('sender')) || (¬ify_addr('nmlvadm') && ($quarantine_event =~ /^(policy|perlscan)/i && $quarantine_event !~ /virus/i) && !&is_unreplyable_email('sender'))) { >- &debug("e_s: sending $polstring quarantine report via: $qmailinject to admin address ($QUARANTINE_CC)"); >- print SM "To: $QUARANTINE_CC\n"; >- $tmpsndrs .= "$QUARANTINE_CC"; >- } else { >- &debug("e_s: don't notify admin"); >- } >- } >- $tmpsubj="$destring LOCALE_sender_subject \"$headers{'subject'}\""; >- $tmpsubj =~ s/(\r|\0|\n)/ /g; >- print SM "Subject: $tmpsubj\n"; >- print SM "Message-ID: <".&uniq_id."\@$hostname>\n"; >- print SM "X-Tnz-Problem-Type: 40\n"; >- print SM "Auto-Submitted: auto-replied\n"; >- if 
($headers{'message-id'} ne "") { >- print SM "In-Reply-To: ",$headers{'message-id'},"\n"; >- print SM "References: ",$headers{'message-id'},"\n"; >- } >- print SM "MIME-Version: 1.0\n"; >- print SM "Content-type: text/plain\n"; >- if ( $descriptive_hdrs ) { >- print SM "${V_HEADER}-Mail-From: $returnpath via $hostname\n"; >- print SM "${V_HEADER}-Rcpt-To: $recips\n" if ($descriptive_hdrs eq "2"); >- print SM "$V_HEADER: $VERSION ($SCANINFO $destring Found. \n"; >- print SM " Processed in ",tv_interval($start_time,[gettimeofday])," secs)\n"; >- } >- print SM "\n"; >- if (&is_unreplyable_email('sender')) { >- print SM "LOCALE_attention: $V_FROMNAME.\n"; >- print SM "LOCALE_sender_automated_mail_note\n"; >- print SM "\n---------------------------------------\n\n"; >- } else { >- print SM "LOCALE_attention: $returnpath\n"; >- } >- print SM "\nLOCALE_sender_explanation\n"; >- if ($destring eq "virus") { >- print SM "\nLOCALE_sender_virus_content\n"; >- } else { >- print SM "\nLOCALE_sender_other_content\n"; >- } >- print SM "\nLOCALE_sender_msg_description\n\n"; >- print SM "---\n"; >- print SM "MAILFROM: $headers{'MAILFROM'}\n"; >- print SM "$HEADERS\n"; >- print SM "---\n"; >- if ($addr_type ne "sender" ) { >- print SM "\nLOCALE_sender_quarantine\n"; >- } >- close(SM); >- if ($log_details) { >- &log_msg("qmail-scanner","Clear:$tag_score",$elapsed_time,1100,$V_FROM,$tmpsndrs,$tmpsubj,$tmpmsgid,"quarantine-event.txt:1000"); >- } >-} >- >-sub email_recips { >- my($recip)=@_; >- return if ($recip eq ""); >- #Don't notify precips if this is NOT a "Policy block" >- if (¬ify_addr('precips')) { >- return if ($quarantine_event !~ /^(policy|perlscan)/i); >- } else { >- #From now on precips is the same as recips >- $NOTIFY_ADDRS=~s/precips/recips/; >- } >- return if (!¬ify_addr('recips')); >- my($HDR,$hdr,$tmprecips,$tmpsubj)=''; >- my($tmpmsgid)= &uniq_id() . "-" . 
$V_FROM; >- >- open(SM,"|$qmailinject -h -f ''")||&error_condition("cannot open $qmailinject for sending quarantine report - $!"); >- print SM "From: \"$V_FROMNAME\" <$V_FROM>\n"; >- if (!&is_unreplyable_email('recips')) { >- &debug("e_r: sending quarantine report via: $qmailinject to recip address ($recip)"); >- print SM "To: $recip\n"; >- } >- $tmpsubj= "$destring LOCALE_recips_subject \"$headers{'subject'}\""; >- $tmpsubj =~ s/(\r|\0|\n)/ /g; >- print SM "Subject: $tmpsubj\n"; >- print SM "Message-ID: <".&uniq_id."\@$hostname>\n"; >- print SM "X-Tnz-Problem-Type: 40\n"; >- if ($headers{'message-id'} ne "") { >- print SM "In-Reply-To: ",$headers{'message-id'},"\n"; >- print SM "References: ",$headers{'message-id'},"\n"; >- } >- print SM "Auto-Submitted: auto-replied\n"; >- print SM "MIME-Version: 1.0\n"; >- print SM "Content-type: text/plain\n"; >- if ( $descriptive_hdrs ) { >- print SM "${V_HEADER}-Mail-From: $returnpath via $hostname\n"; >- print SM "${V_HEADER}-Rcpt-To: $recip\n" if ($descriptive_hdrs eq "2"); >- print SM "$V_HEADER: $VERSION ($SCANINFO $destring Found. 
\n"; >- print SM " Processed in ",tv_interval($start_time,[gettimeofday])," secs)\n"; >- } >- print SM "\n"; >- print SM "LOCALE_attention: $recip\n"; >- if (!&is_unreplyable_email('recips')) { >- if (¬ify_addr('sender')) { >- print SM "LOCALE_recips_not_automated_mail_note\n"; >- } >- } else { >- print SM "LOCALE_recips_automated_mail_note\n"; >- } >- print SM "\nLOCALE_recips_explanation\n"; >- print SM "\nLOCALE_recips_msg_description\n\n"; >- print SM "---\n"; >- print SM "MAILFROM: $headers{'MAILFROM'}\n"; >- print SM "$HEADERS\n"; >- print SM "---\n"; >- #print SM "\nLxOCALE_recips_quarantine\n"; >- close(SM); >- if ($log_details) { >- &log_msg("qmail-scanner","Clear:$tag_score",$elapsed_time,1100,$V_FROM,$recip,$tmpsubj,$tmpmsgid,"quarantine-event.txt:1000"); >- } >-} >- >-sub notify_addr { >- my($addr_type)=@_; >- #&debug("n_a: notify_addr (set to $NOTIFY_ADDRS) called with $addr_type"); >- if (($NOTIFY_ADDRS =~ /$addr_type/ || $NOTIFY_ADDRS =~ /all/) && ($NOTIFY_ADDRS !~ /none/)) { >- return 1; >- } else { >- return 0; >- } >-} >- >-sub unzip_file { >- my($zipfile)=@_; >- my ($MAYBEZIP,$ztmp,$zfile,$zline,$zsize,$zip_status,$passwd_protected_zip); >- >- &debug("u_f: potential zip archive file found ($zipfile)."); >- &debug ("u_f: it is possibly a zip file, run unzip $unzip_options -t $ENV{'TMPDIR'}/$zipfile"); >- $MAYBEZIP=`$unzip_binary $unzip_options -t $ENV{'TMPDIR'}/$zipfile 2>&1`; >- $zip_status=($? >> 8); >- >- if ( ($zip_status > 0) && ($zip_status !~ /^(1|2|3|51|81|82)$/) && ($MAYBEZIP !~ /skipping: /) ) { >- &debug("u_f: not a recognisable zip file ($MAYBEZIP)"); >- } else { >- if ($MAYBEZIP =~ /skipping:.*password/) { >- &debug ("u_f: it is a password-protected zip file"); >- $passwd_protected_zip++; >- $CRYPTO_TYPE="CR:ZIP(encrypted)"; >- } else { >- &debug ("u_f: it is a zip file - unpack it!"); >- } >- if ($BLOCK_PASSWORD_PROTECTED_ARCHIVES && $passwd_protected_zip) { >- #Quarantine it! 
>- $quarantine_description="Disallowed password-protected zip files ($zipfile) - potential virus"; >- &debug("u_f: $quarantine_description"); >- $destring='problem'; >- $quarantine_event="Policy:Passwd_ZIP"; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$zipfile"; >- } else { >- if ($force_unzip) { >- &debug ("u_f: check size of contents before exploding to disk"); >- my $CHECK_ZIP_SIZE=`$unzip_binary $unzip_options -lv $ENV{'TMPDIR'}/$zipfile 2>&1`; >- open(ZIPPED,"$unzip_binary $unzip_options -lv $ENV{'TMPDIR'}/$zipfile 2>&1|")||&error_condition("u_f: cannot open $ENV{'TMPDIR'}/$zipfile - $!"); >- my $zip_file_size=0; >- while (<ZIPPED>) { >- $zip_file_size=$1 if (/^\s+([0-9]+)\s+/); >- } >- close ZIPPED ; >- &debug("u_f: this zip file unpacks to $zip_file_size bytes of content"); >- if ($max_zip_size > 0 && $max_zip_size < $zip_file_size) { >- $quarantine_description="Disallowed zip file ($zipfile) - content exceeds maximum allowed size"; >- &debug("u_f: $quarantine_description"); >- $destring='problem'; >- $quarantine_event="Policy:Oversized_ZIP"; >- $quarantine_DOS=$quarantine_event; >- $description .= "\n---perlscanner results ---\n$destring '$quarantine_description' found in file $ENV{'TMPDIR'}/$zipfile"; >- } >- &debug("u_f: run $unzip_binary $unzip_options $ENV{'TMPDIR'}/$zipfile 2>&1"); >- open(ZIPPED,"$unzip_binary $unzip_options $ENV{'TMPDIR'}/$zipfile 2>&1|")||&error_condition("u_f: cannot open $ENV{'TMPDIR'}/$zipfile - $!"); >- while (<ZIPPED>) { >- if (/^\s+\w+:\s+(.*)$/) { >- ($ztmp=$1)=~s/^.*\///g; >- #Grrr, I don't know if this'll be exploited, but I have to remove the whitespace... 
>- #$ztmp=~s/\s+$//g; >- #if ($ztmp ne "" && !grep(/^${ztmp}$/,@zipfile_list)) { >- #&debug("u_f: adding file \"$ztmp\" to list of zipped files"); >- #push(@zipfile_list, $ztmp); >- #} >- } >- if (/^\s+skipping:\s(.*)\s+(shrink|encrypted|incorrect password)/) { >- $passwd_protected_zip++ if (!/^\s+skipping:\s(.*)\s+shrink/); >- #grab these protected filenames for reports anyway. >- $zfile = $1; >- $zfile =~ s/^.*\///g; >- $zfile =~ s/(^\s+|\s+$)//g; >- #$file_desc .= "$zfile:$zsize\t"; >- } >- } >- close(ZIPPED); >- $zip_status=($? >> 8); >- if ($zip_status > 0 && ($zip_status !~ /^(1|2|3|51|81|82)$/ && !$passwd_protected_zip)) { >- &error_condition("u_f: cannot close unzip (error code: $zip_status,$passwd_protected_zip) - $!"); >- } >- } >- } >- #Only delete original zip file if it happily unpacked. >- if ( $zip_status eq 0 && -f "$ENV{'TMPDIR'}/$zipfile") { >- #system $rm_binary,"-f","$ENV{'TMPDIR'}/$zipfile"; >- &debug("u_f: $zip_status, and successfully unzipped"); >- #It may have been deleted, but you still want to see if >- #it matches the perlscanner DB... >- #$zipfile=tolower($zipfile); >- #push(@zipfile_list, $zipfile) if (!grep(/^$zipfile$/,@zipfile_list)); >- my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$zsize,$atime,$mtime,$ctime,$blksize,$blocks); >- ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$zsize,$atime,$mtime,$ctime,$blksize,$blocks) = stat("$zipfile"); >- $file_desc .= "$zipfile:$zsize\t"; >- } >- } >-} >- >-sub deltatime { >- my ($delta,$current_time); >- $current_time = [gettimeofday]; >- $delta = tv_interval ($last_time, $current_time); >- $last_time=$current_time; >- return $delta; >-} >- >-sub qmail_parent_check { >- my $ppid=getppid; >- #&debug("q_s_c: PPID=$ppid"); >- if ($ppid == 1) { >- &debug("q_s_c: Whoa! parent process is dead! (ppid=$ppid) Better die too..."); >- close(LOG); >- &cleanup; >- #Exit with temp error anyway - just to be real anal... 
>- exit 111; >- } >-} >diff -Naur qmail-scanner-1.25-DISTRO/qms-analog-types.txt qmail-scanner-1.25-st-qms-20050219/qms-analog-types.txt >--- qmail-scanner-1.25-DISTRO/qms-analog-types.txt 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/qms-analog-types.txt 2004-09-20 21:37:36.000000000 -0500 
>@@ -0,0 +1,64 @@ >+qms-analog log files are of the general form: >+<time (secs since epoch)>:processID:LOGTYPE:<type-specific parms>... >+ >+ >+LOGTYPES and associated parameters are listed below: >+ >+*Info* >+----------------------------------------------------------------- >+ >+-* - remark line >+CONNECT-SMTP:<IP ADRS> - SMTP connect from IP >+CONNECT-PIPE:$$ - SMTP connect from process $$ >+HEADER:<from adrs>:<to adrs>:subject - SMTP header contents >+ENV-HEADER:<returnpath>:<recips> - envelope hdr contents >+TYPE:PLAIN - message has no mime type or text/plain >+TYPE:MIXED - message has non-text/plain mime type >+SCANTIME:<time> - total time in qmail-scanner >+SPAM-RESULT:<score>:<thresh>:<delete> - spamassassin score for msg >+ >+ERROR:<VERSION>:<string> - error condition >+SMTP-DROP - qmail dropping msg >+ >+ >+*Flagged Msgs* >+----------------------------------------------------------------- >+ >+QMSWC: - QMS working copy detection >+ BAD_HDR_CHARS - bad chars in hdr >+ BAD_HDR_BREAKAGE - breakage in header name >+ BAD_HDR_MIME - Disallowed mime content in hdr name >+ BAD_MIME_CONTENT - Disallowed mime content type >+ BAD_MIME_FILENAME - Disallowed MIME filename manipulation >+ BAD_MIME_BOUNDARY - broken attachment MIME details >+ BAD_MIME_ASSOCIATION - Disallowed file associated with unrelated MIME type >+ BAD_MIME_WINBLOWS - Disallowed executable attachment (windows) >+ BAD_ATTACH_FILENAME - Disallowed attachment filename MIME type >+ BAD_MIME_ZIP - Disallowed zip attachment when not assoc with a .zip >+ >+PERLSCAN: - PerlScan detection >+ BAD_MIME_HEADER - Disallowed characters found in MIME headers >+ BAD_HDR_DB - hdr type in disallowed db >+ BAD_ATTACH_LENGTH - majorly long attachment filename found >+ BAD_ATTACHMENT_TYPE - Disallowed attachment type >+ >+UNZIP:PASSWORD_PROTECTED - zip file is password protected >+ >+CLAMAV:<quarantine_description> - clamAV found a virus >+AVPAV:<quarantine_description> - AVPLinux AV found a virus 
>+CSAV:<quarantine_description> - Command scanner AV found a virus >+FPROTAV:<quarantine_description> - F-prot scanner AV found a virus >+FSECUREAV:<quarantine_description> - Fsecure AV found a virus >+HBEDVAV:<quarantine_description> - H+BEDV scanner AV found a virus >+INNOCAV:<quarantine_description> - Innoculan AV found a virus >+ISCANAV:<quarantine_description> - Iscan AV found a virus >+RAVLINAV:<quarantine_description> - Ravlin AV found a virus >+UVSCANAV:<quarantine_description> - McAfee AV found a virus >+VEXIRAV:<quarantine_description> - Vexira AV found a virus >+ >+ >+SPAM-DETECT: - spamassassin spam detected >+ DELETE - score > thresh + delete >+ MARK - thresh < score < thresh + delete >+ QUARANTINE - thresh + quarantine < score < thresh + delete >+ REJECT - SMTP reject sent to sender >\ No newline at end of file >diff -Naur qmail-scanner-1.25-DISTRO/qms-config qmail-scanner-1.25-st-qms-20050219/qms-config >--- qmail-scanner-1.25-DISTRO/qms-config 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/qms-config 2004-11-08 08:18:35.000000000 -0600 
>@@ -0,0 +1,81 @@ >+#!/bin/sh >+ >+## File: qms-config >+## >+## Purpose: Provide a file to save personal qmail-scanner configuration >+## options. This file should be edited for your server and >+## saved somewhere so that it survives qmail-scanner and >+## qms-analog upgrades. >+## >+ >+# Was the "install" option given? >+if [ "$1" != "install" ]; then >+ INSTALL= >+else >+ INSTALL="--install" >+fi >+ >+## Definition of Options >+## >+## domain - your primary email domain, where your postmaster >+## account is located >+## admin - your postmaster username, normally "postmaster" >+## local-domains - list all of your local email domains for this qmail >+## server, separated by commas >+## add-dscr-hdrs - enable descriptive email headers >+## dscr-hdrs-text - "Header" for the header >+## ignore-eol-check - ignore end of line characters in email headers >+## sa-quarantine - enable/disable quarantining email identified as spam >+## sa-delete - enable/disable deleting email identified as spam; >+## if 0, deletion is disabled; if positive, the value >+## over "required_hits" to start deletion >+## sa-reject - enable/disable rejection of emails identified as spam >+## sa-subject - spam-identifying test to be prepended to the subject >+## header >+## sa-alt - use alternative "fast" Spamassassin processing >+## provided in the "st" patch >+## sa-debug - turn on default qmail-scanner debugging; very verbose >+## and annoying >+## notify - comma-separated list parties to notify when a virus >+## is quarantined; see the qmail-scanner docs for more >+## details >+## redundant - enable/disable allowing the scanners to scan any zip >+## files and the original "raw" email file >+## qms-monitor - [yes|no] enable qms-monitor Account Monitoring >+## qms-monitor-accts - list of email accounts to be monitored, separated by >+## commas >+## Example: "acct1@dom2.com,acct2@dom1.com" >+## qms-monitor-dests - list of destination paths for monitored email messages >+## Note 1: locations 
here will be saved underneath >+## .../qmailscan/qms-monitor; a cron job can later >+## copy from that location to an alternate email >+## domain used for account monitoring. >+## Note 2: each entry in this array corresponds to the >+## email address in the same location of the >+## qms-monitor-accts list above - i.e., >+## qms-monitor-accts[2] msgs get stored at >+## qms-monitor-dests[2] - thus, ORDER DOES MATTER >+## Note 3: DO NOT include a leading "/" on these paths - >+## they will typically be entries that ultimately >+## belong in /home/vpopmail/domains - so start with >+## the domain name. >+## Example: "mon.dom2.com/acct1/Maildir/new,mon.dom1.com/acct2/Maildir/new" >+## >+ >+./configure --domain yourdomain.com \ >+ --admin postmaster \ >+ --local-domains "yourdomain.com,yourotherdomain.com" \ >+ --add-dscr-hdrs yes \ >+ --dscr-hdrs-text "X-Antivirus-MYDOMAIN" \ >+ --ignore-eol-check yes \ >+ --sa-quarantine 0 \ >+ --sa-delete 0 \ >+ --sa-reject no \ >+ --sa-subject ":SPAM:" \ >+ --sa-alt yes \ >+ --sa-debug no \ >+ --notify admin \ >+ --redundant yes \ >+ --qms-monitor no \ >+ "$INSTALL" >+ >diff -Naur qmail-scanner-1.25-DISTRO/qms-config-cwrapper qmail-scanner-1.25-st-qms-20050219/qms-config-cwrapper >--- qmail-scanner-1.25-DISTRO/qms-config-cwrapper 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/qms-config-cwrapper 2004-11-08 08:18:49.000000000 -0600 
>@@ -0,0 +1,82 @@ >+#!/bin/sh >+ >+## File: qms-config-cwrapper >+## >+## Purpose: Provide a file to save personal qmail-scanner configuration >+## options. This file should be edited for your server and >+## saved somewhere so that it survives qmail-scanner and >+## qms-analog upgrades. >+## >+ >+# Was the "install" option given? >+if [ "$1" != "install" ]; then >+ INSTALL= >+else >+ INSTALL="--install" >+fi >+ >+## Definition of Options >+## >+## domain - your primary email domain, where your postmaster >+## account is located >+## admin - your postmaster username, normally "postmaster" >+## local-domains - list all of your local email domains for this qmail >+## server, separated by commas >+## add-dscr-hdrs - enable descriptive email headers >+## dscr-hdrs-text - "Header" for the header >+## ignore-eol-check - ignore end of line characters in email headers >+## sa-quarantine - enable/disable quarantining email identified as spam >+## sa-delete - enable/disable deleting email identified as spam; >+## if 0, deletion is disabled; if positive, the value >+## over "required_hits" to start deletion >+## sa-reject - enable/disable rejection of emails identified as spam >+## sa-subject - spam-identifying test to be prepended to the subject >+## header >+## sa-alt - use alternative "fast" Spamassassin processing >+## provided in the "st" patch >+## sa-debug - turn on default qmail-scanner debugging; very verbose >+## and annoying >+## notify - comma-separated list parties to notify when a virus >+## is quarantined; see the qmail-scanner docs for more >+## details >+## redundant - enable/disable allowing the scanners to scan any zip >+## files and the original "raw" email file >+## qms-monitor - [yes|no] enable qms-monitor Account Monitoring >+## qms-monitor-accts - list of email accounts to be monitored, separated by >+## commas >+## Example: "acct1@dom2.com,acct2@dom1.com" >+## qms-monitor-dests - list of destination paths for monitored email messages >+## Note 1: 
locations here will be saved underneath >+## .../qmailscan/qms-monitor; a cron job can later >+## copy from that location to an alternate email >+## domain used for account monitoring. >+## Note 2: each entry in this array corresponds to the >+## email address in the same location of the >+## qms-monitor-accts list above - i.e., >+## qms-monitor-accts[2] msgs get stored at >+## qms-monitor-dests[2] - thus, ORDER DOES MATTER >+## Note 3: DO NOT include a leading "/" on these paths - >+## they will typically be entries that ultimately >+## belong in /home/vpopmail/domains - so start with >+## the domain name. >+## Example: "mon.dom2.com/acct1/Maildir/new,mon.dom1.com/acct2/Maildir/new" >+## >+ >+./configure --domain yourdomain.com \ >+ --admin postmaster \ >+ --local-domains "yourdomain.com,yourotherdomain.com" \ >+ --add-dscr-hdrs yes \ >+ --dscr-hdrs-text "X-Antivirus-MYDOMAIN" \ >+ --ignore-eol-check yes \ >+ --sa-quarantine 0 \ >+ --sa-delete 0 \ >+ --sa-reject no \ >+ --sa-subject ":SPAM:" \ >+ --sa-alt yes \ >+ --sa-debug no \ >+ --notify admin \ >+ --redundant yes \ >+ --skip-setuid-test \ >+ --qms-monitor no \ >+ "$INSTALL" >+ >diff -Naur qmail-scanner-1.25-DISTRO/qms-config-monitor qmail-scanner-1.25-st-qms-20050219/qms-config-monitor >--- qmail-scanner-1.25-DISTRO/qms-config-monitor 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/qms-config-monitor 2004-10-30 11:15:20.000000000 -0500 
>@@ -0,0 +1,85 @@ >+#!/bin/sh >+ >+## File: qms-config-monitor >+## >+## Purpose: Provide a file to save personal qmail-scanner configuration >+## options. This file should be edited for your server and >+## saved somewhere so that it survives qmail-scanner and >+## qms-analog upgrades. >+## >+## Note: This is a special version to enable qms-monitor >+## >+ >+# Was the "install" option given? >+if [ "$1" != "install" ]; then >+ INSTALL= >+else >+ INSTALL="--install" >+fi >+ >+## Definition of Options >+## >+## domain - your primary email domain, where your postmaster >+## account is located >+## admin - your postmaster username, normally "postmaster" >+## local-domains - list all of your local email domains for this qmail >+## server, separated by commas >+## add-dscr-hdrs - enable descriptive email headers >+## dscr-hdrs-text - "Header" for the header >+## ignore-eol-check - ignore end of line characters in email headers >+## sa-quarantine - enable/disable quarantining email identified as spam >+## sa-delete - enable/disable deleting email identified as spam; >+## if 0, deletion is disabled; if positive, the value >+## over "required_hits" to start deletion >+## sa-reject - enable/disable rejection of emails identified as spam >+## sa-subject - spam-identifying test to be prepended to the subject >+## header >+## sa-alt - use alternative "fast" Spamassassin processing >+## provided in the "st" patch >+## sa-debug - turn on default qmail-scanner debugging; very verbose >+## and annoying >+## notify - comma-separated list parties to notify when a virus >+## is quarantined; see the qmail-scanner docs for more >+## details >+## redundant - enable/disable allowing the scanners to scan any zip >+## files and the original "raw" email file >+## qms-monitor - [yes|no] enable qms-monitor Account Monitoring >+## qms-monitor-accts - list of email accounts to be monitored, separated by >+## commas >+## Example: "acct1@dom2.com,acct2@dom1.com" >+## qms-monitor-dests - list of 
destination paths for monitored email messages >+## Note 1: locations here will be saved underneath >+## .../qmailscan/qms-monitor; a cron job can later >+## copy from that location to an alternate email >+## domain used for account monitoring. >+## Note 2: each entry in this array corresponds to the >+## email address in the same location of the >+## qms-monitor-accts list above - i.e., >+## qms-monitor-accts[2] msgs get stored at >+## qms-monitor-dests[2] - thus, ORDER DOES MATTER >+## Note 3: DO NOT include a leading "/" on these paths - >+## they will typically be entries that ultimately >+## belong in /home/vpopmail/domains - so start with >+## the domain name. >+## Example: "mon.dom2.com/acct1/Maildir/new,mon.dom1.com/acct2/Maildir/new" >+## >+ >+./configure --domain yourdomain.com \ >+ --admin postmaster \ >+ --local-domains "yourdomain.com,yourotherdomain.com" \ >+ --add-dscr-hdrs yes \ >+ --dscr-hdrs-text "X-Antivirus-MYDOMAIN" \ >+ --ignore-eol-check yes \ >+ --sa-quarantine 0 \ >+ --sa-delete 0 \ >+ --sa-reject no \ >+ --sa-subject ":SPAM:" \ >+ --sa-alt yes \ >+ --sa-debug no \ >+ --notify admin \ >+ --redundant yes \ >+ --qms-monitor yes \ >+ --qms-monitor-accts "acct1@dom2.com,acct2@dom1.com" \ >+ --qms-monitor-dests "monitor.dom2.com/acct1/Maildir/new,monitor.dom1.com/acct2/Maildir/new" \ >+ "$INSTALL" >+ >diff -Naur qmail-scanner-1.25-DISTRO/qms-config-monitor-cwrapper qmail-scanner-1.25-st-qms-20050219/qms-config-monitor-cwrapper >--- qmail-scanner-1.25-DISTRO/qms-config-monitor-cwrapper 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/qms-config-monitor-cwrapper 2004-10-30 11:17:49.000000000 -0500 
>@@ -0,0 +1,86 @@ >+#!/bin/sh >+ >+## File: qms-config-monitor-cwrapper >+## >+## Purpose: Provide a file to save personal qmail-scanner configuration >+## options. This file should be edited for your server and >+## saved somewhere so that it survives qmail-scanner and >+## qms-analog upgrades. >+## >+## Note: This is a special version to enable qms-monitor with the >+## C-wrapper >+## >+ >+# Was the "install" option given? >+if [ "$1" != "install" ]; then >+ INSTALL= >+else >+ INSTALL="--install" >+fi >+ >+## Definition of Options >+## >+## domain - your primary email domain, where your postmaster >+## account is located >+## admin - your postmaster username, normally "postmaster" >+## local-domains - list all of your local email domains for this qmail >+## server, separated by commas >+## add-dscr-hdrs - enable descriptive email headers >+## dscr-hdrs-text - "Header" for the header >+## ignore-eol-check - ignore end of line characters in email headers >+## sa-quarantine - enable/disable quarantining email identified as spam >+## sa-delete - enable/disable deleting email identified as spam; >+## if 0, deletion is disabled; if positive, the value >+## over "required_hits" to start deletion >+## sa-reject - enable/disable rejection of emails identified as spam >+## sa-subject - spam-identifying test to be prepended to the subject >+## header >+## sa-alt - use alternative "fast" Spamassassin processing >+## provided in the "st" patch >+## sa-debug - turn on default qmail-scanner debugging; very verbose >+## and annoying >+## notify - comma-separated list parties to notify when a virus >+## is quarantined; see the qmail-scanner docs for more >+## details >+## redundant - enable/disable allowing the scanners to scan any zip >+## files and the original "raw" email file >+## qms-monitor - [yes|no] enable qms-monitor Account Monitoring >+## qms-monitor-accts - list of email accounts to be monitored, separated by >+## commas >+## Example: "acct1@dom2.com,acct2@dom1.com" 
>+## qms-monitor-dests - list of destination paths for monitored email messages >+## Note 1: locations here will be saved underneath >+## .../qmailscan/qms-monitor; a cron job can later >+## copy from that location to an alternate email >+## domain used for account monitoring. >+## Note 2: each entry in this array corresponds to the >+## email address in the same location of the >+## qms-monitor-accts list above - i.e., >+## qms-monitor-accts[2] msgs get stored at >+## qms-monitor-dests[2] - thus, ORDER DOES MATTER >+## Note 3: DO NOT include a leading "/" on these paths - >+## they will typically be entries that ultimately >+## belong in /home/vpopmail/domains - so start with >+## the domain name. >+## Example: "mon.dom2.com/acct1/Maildir/new,mon.dom1.com/acct2/Maildir/new" >+## >+ >+./configure --domain yourdomain.com \ >+ --admin postmaster \ >+ --local-domains "yourdomain.com,yourotherdomain.com" \ >+ --add-dscr-hdrs yes \ >+ --dscr-hdrs-text "X-Antivirus-MYDOMAIN" \ >+ --ignore-eol-check yes \ >+ --sa-quarantine 0 \ >+ --sa-delete 0 \ >+ --sa-reject no \ >+ --sa-subject ":SPAM:" \ >+ --sa-alt yes \ >+ --sa-debug no \ >+ --notify admin \ >+ --redundant yes \ >+ --skip-setuid-test \ >+ --qms-monitor yes \ >+ --qms-monitor-accts "acct1@dom2.com,acct2@dom1.com" \ >+ --qms-monitor-dests "monitor.dom2.com/acct1/Maildir/new,monitor.dom1.com/acct2/Maildir/new" \ >+ "$INSTALL" >diff -Naur qmail-scanner-1.25-DISTRO/qms-monitor-move.sh qmail-scanner-1.25-st-qms-20050219/qms-monitor-move.sh >--- qmail-scanner-1.25-DISTRO/qms-monitor-move.sh 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/qms-monitor-move.sh 2004-10-30 11:20:28.000000000 -0500 
>@@ -0,0 +1,21 @@ >+#!/bin/sh >+ >+## example cron script to move qms-monitor messages to their final destination >+## >+## must be run from the root cron table! >+## >+## cron entry: 0-59/5 * * * * /var/qmail/bin/qms-monitor-move.sh >/dev/null >+## will run the script every 5 minutes, moving emails to the appropriate >+## monitor email domains, where they can be read as normal email >+## >+## Just run crontab -e (as root) and add the line above. >+## >+ >+# change ownership so we can retrieve via vpopmail >+chown -R vpopmail:vchkpw /var/spool/qmailscan/qms-monitor/* >+ >+# copy from the temp location to vpopmail home >+cp -R -p /var/spool/qmailscan/qms-monitor/* /home/vpopmail/domains >+ >+# delete the temp copies >+rm -rf /var/spool/qmailscan/qms-monitor/* >diff -Naur qmail-scanner-1.25-DISTRO/quarantine-attachments.html qmail-scanner-1.25-st-qms-20050219/quarantine-attachments.html >--- qmail-scanner-1.25-DISTRO/quarantine-attachments.html 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/quarantine-attachments.html 2005-02-19 07:28:13.000000000 -0600 
>@@ -0,0 +1,227 @@ >+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> >+<html> >+<head> >+<title>quarantine-attachments 20050207</title> >+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> >+<script language="JavaScript" src="aab.js" type="text/JavaScript"> >+</script> >+</head> >+ >+<body bgcolor="#FFFFFF"><pre> >+ >+# Sample of well-known viruses that perlscan_scanner can use >+# >+# This is case-insensitive, and TAB-delimited. >+# >+# ****** >+# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after >+# this file is modified >+# ****** >+# >+# Format: three columns >+# >+# filename<TAB>size (in bytes)<TAB>Description of virus/whatever >+# >+# OR: >+# >+# string<TAB>Header<TAB>Description of virus/whatever >+# >+# [this one allows you to match on (e.g.) Subject line. >+# >+# NOTE 1: This is the crudest "virus scanning" you can do - we are >+# arbitrarily deciding that particular filenames of certain sizes contain >+# viruses - when they may not. However this can be useful for the times >+# when a new virus is discovered and your scanner cannot detect it (yet). >+# >+# NOTE 2: This is only good for picking up stand-alone viruses like the >+# following. Macro viruses are impossible to detect with this method as >+# they infect users docs. >+# >+# NOTE 3: Wildcards are supported. This system can also be used to deny >+# Email containing "bad" extensions (e.g. .exe, .mp3, etc). No other >+# wildcard type is supported. Be very careful with this feature. With >+# wildcards, the size field is ignored (i.e. any size matches). >+# >+# .exe 0 Executable attachment too large >+# >+# That would ban .EXE files from your site (but would >+# still allow .zip files... >+# >+# .mp3 0 MP3 attachments disallowed >+# >+# ...would stop any Email containing MP3 attachments passing. >+# >+# NOTE 4: No you can't use this to ban any file (i.e. 
*.*) that's over >+# a certain size - you should >+# "echo 10000000 > /var/qmail/control/databytes" >+# to set the maximum SMTP message size to 10Mb. >+# >+# NOTE 5: The second option allows you to match on header. This would allow >+# you to block Email viruses when you don't know anything else other than >+# there's a wierd Subject line (or From line, or X-Spanska: header, ...). >+# Note that it's a case-sensitive, REGEX string, and the system will >+# automatically surround it with ^ and $ before matching. i.e. if you >+# want wildcards, explicitly put them in... >+# >+# The string _must_be_ "Virus-" followed by the header you wish to match >+# on - followed by a colon (:). >+# >+# e.g. >+# >+# Pickles.*Breakfast Virus-Subject: Fake Example Pickles virus >+# >+# will match "Subject: Pickles for Breakfast" - and >+# not "Subject: Pickles - where did you go?" >+# >+# >+# NOTE 6: Similar to the headers option, you can match on the mail ENVELOPE >+# headers - i.e. "MAIL FROM:" and "RCPT TO:". These are identical to >+# Virus-<header>, except that the header names are MAILFROM and RCPTTO only. >+# >+# e.g. >+# >+# bogus@address.here Virus-MAILFROM: Bad mail envelope not allowed here! >+# >+# NOTE 7: Another "faked" header - "Virus-TCPREMOTEIP" can be used to match >+# actions against the IP address of the SMTP client. >+# >+ >+EICAR.COM 69 EICAR Test Virus >+Happy99.exe 10000 Happy99 Trojan >+zipped_files.exe 120495 W32/ExploreZip.worm.pak virus >+ILOVEYOU Virus-Subject: Love Letter Virus/Trojan >+message/partial.* Virus-Content-Type: Message/partial MIME attachments blocked by policy >+ >+#The following matches Date: headers that are over 100 chars in length >+#these are impossible in the wild >+.{100,} Virus-Date: MIME Header Buffer Overflow >+.{100,} Virus-Mime-Version: MIME Header Buffer Overflow >+.{100,} Virus-Resent-Date: MIME Header Buffer Overflow >+# >+#Let's stop that nasty BadTrans virus from uploading your keystrokes... 
>+ZVDOHYIK@yahoo.com|udtzqccc@yahoo.com|DTCELACB@yahoo.com|I1MCH2TH@yahoo.com|WPADJQ12@yahoo.com|smr@eurosport.com|bgnd2@canada.com|muwripa@fairesuivre.com|eccles@ballsy.net|S_Mentis@mail-x-change.com|YJPFJTGZ@excite.com|JGQZCD@excite.com|XHZJ3@excite.com|OZUNYLRL@excite.com|tsnlqd@excite.com|cxkawog@krovatka.net|ssdn@myrealbox.com Virus-To: BadTrans Trojan exploit! >+ >+# >+# These are examples of prudent defaults to set for most sites. >+# Commented out by default (you may uncomment all of them) >+# st: nobody must send a file like these... >+.pif 0 PIF files not allowed per Company security policy >+.scr 0 SCR files not allowed per Company security policy >+.hta 0 HTA files not allowed per Company security policy >+.cpl 0 CPL files not allowed per Company security policy >+.vbs 0 VBS files not allowed per Company security policy >+# >+#.lnk 0 LNK files not allowed per Company security policy >+#.wsh 0 WSH files not allowed per Company security policy >+# >+# st: also these may be blocked >+#.bat 0 COMMAND.COM batch file not allowed per Company security policy >+#.com 0 COM files not allowed per Company security policy >+# >+#.exe 0 EXE files not allowed per Company security policy >+ >+# st: Blocking Sobig and don't notify sender... 
>+movie0045.pif 0 Sobig.F >+wicked_scr.scr 0 Sobig.F >+application.pif 0 Sobig.F >+document_9446.pif 0 Sobig.F >+details.pif 0 Sobig.F >+your_details.pif 0 Sobig.F >+thank_you.pif 0 Sobig.F >+document_all.pif 0 Sobig.F >+your_document.pif 0 Sobig.F >+ >+# Block also the mails from broken SoBig >+.*That movie Virus-Subject: Sobig.F >+.*Your details Virus-Subject: Sobig.F >+.*My details Virus-Subject: Sobig.F >+.*Wicked screensaver Virus-Subject: Sobig.F >+.*Your application Virus-Subject: Sobig.F >+ >+.*duma.gov.ru Virus-MAILFROM: Virus Dumaru >+ >+.*our private photo.* Virus-Subject: Virus Mimail >+don't be late.* Virus-Subject: Virus Mimail >+.*YOUR PAYPAL.* Virus-Subject: Virus Mimail >+wendy.zip 0 Virus Mimail >+ >+application/hta.* Virus-Content-Type: MS03-032 exploit? >+ >+MyProfile.zip 0 Virus Troj/Tofger-A >+ >+.*eCard from Secret Admirer Virus-Subject: Virus W32/Poffer-A >+ >+.*viagra.* Virus-Subject: Spam Viagra >+.*Viagra.* Virus-Subject: Spam Viagra >+.*VIAGRA.* Virus-Subject: Spam Viagra >+.*via-gra.* Virus-Subject: Spam Viagra >+.*v1agra.* Virus-Subject: Spam Viagra >+.*viagara.* Virus-Subject: Spam Viagra >+.*v.i.a.g.r.a.* Virus-Subject: Spam Viagra >+.*V.i.a.g.r.a.* Virus-Subject: Spam Viagra >+.*V.I.A.G.R.A.* Virus-Subject: Spam Viagra >+.*V.1.@.G.R.A.* Virus-Subject: Spam Viagra >+ >+DateiList.pif 0 Virus W32/Sober-B >+Daten-Text.pif 0 Virus W32/Sober-B >+Server.com 0 Virus W32/Sober-B >+www.gwbush-new-wars.com 0 Virus W32/Sober-B >+www.hcket-user-pcs.com 0 Virus W32/Sober-B >+allfiles.cmd 0 Virus W32/Sober-B >+yourlist.pif 0 Virus W32/Sober-B >+ >+.*baath@iraq.com.* Virus-From: Virus W32/Bugler-A >+.*osama@fbi.gov.* Virus-From: Virus W32/Bugler-B >+.*president@white.gov.* Virus-From: Virus W32/Bugler-B >+.*fool@first.gov.* Virus-From: Virus W32/Bugler-B >+.*Free Porn.* Virus-Subject: W32/Bugler-B >+ >+cissi@yahoo.com Virus-From: Virus W32/Cissi-A >+ >+# Bagle >+Attach.zip 12420 Virus Bagle >+AttachedDocument.zip 0 Virus Bagle >+AttachedFile.zip 0 
Virus Bagle >+Document.zip 0 Virus Bagle >+Info.zip 0 Virus Bagle >+Information.zip 12420 Virus Bagle >+Letter.zip 0 Virus Bagle >+Message.zip 0 Virus Bagle >+MoreInfo.zip 0 Virus Bagle >+Msg.zip 0 Virus Bagle >+MsgInfo.zip 0 Virus Bagle >+Readme.zip 12422 Virus Bagle >+Text.zip 0 Virus Bagle >+TextDocument.zip 0 Virus Bagle >+TextFile.zip 12416 Virus Bagle >+ >+.*mail account security warning.* Virus-Subject: Virus Bagle >+.*otify about using the e-mail account.* Virus-Subject: Virus Bagle >+.*arning about your e-mail account.* Virus-Subject: Virus Bagle >+.*mportant notify about your e-mail account.* Virus-Subject: Virus Bagle >+.*mail account utilization warning.* Virus-Subject: Virus Bagle >+.*otify about your e-mail account utilization.* Virus-Subject: Virus Bagle >+.*mail account disabling warning.* Virus-Subject: Virus Bagle >+ >+# ****** >+# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after >+# this file is modified >+# ****** >+# >+# EOF >+</pre> >+<hr> >+<center><a href="quarantine-attachments.txt">Download quarantine-attachments.txt</a></center> >+<hr> >+<center><a href="READMEpatched.html">Back</a></center> >+Salvatore Toribio<br> >+<script language="JavaScript" type="text/JavaScript"> >+<!-- // Anti-spam address builder >+ mailaddr ('toribio', 'pusc', 'it') >+// --> >+</script> >+<br>20050207 >+<p> >+</body> >+</html> >+ >diff -Naur qmail-scanner-1.25-DISTRO/quarantine-attachments.txt qmail-scanner-1.25-st-qms-20050219/quarantine-attachments.txt >--- qmail-scanner-1.25-DISTRO/quarantine-attachments.txt 2004-07-18 17:48:10.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/quarantine-attachments.txt 2005-02-19 06:29:13.000000000 -0600 
>@@ -79,7 +79,8 @@ > Happy99.exe 10000 Happy99 Trojan > zipped_files.exe 120495 W32/ExploreZip.worm.pak virus > ILOVEYOU Virus-Subject: Love Letter Virus/Trojan >-message/partial.* Virus-Content-Type: Message/partial MIME attachments blocked by policy >+message/partial.* Virus-Content-Type: Message/partial MIME attachments blocked by policy >+ > #The following matches Date: headers that are over 100 chars in length > #these are impossible in the wild > .{100,} Virus-Date: MIME Header Buffer Overflow 
>@@ -91,14 +92,105 @@ > > # > # These are examples of prudent defaults to set for most sites. >-# Commented out by default >-#.vbs 0 VBS files not allowed per Company security policy >+# Commented out by default (you may uncomment all of them) >+# st: nobody must send a file like these... >+.pif 0 PIF files not allowed per Company security policy >+.scr 0 SCR files not allowed per Company security policy >+.hta 0 HTA files not allowed per Company security policy >+.cpl 0 CPL files not allowed per Company security policy >+.vbs 0 VBS files not allowed per Company security policy >+# > #.lnk 0 LNK files not allowed per Company security policy >-#.scr 0 SCR files not allowed per Company security policy > #.wsh 0 WSH files not allowed per Company security policy >-#.hta 0 HTA files not allowed per Company security policy >-#.pif 0 PIF files not allowed per Company security policy >-#.cpl 0 CPL files not allowed per Company security policy >+# >+# st: also these may be blocked >+#.bat 0 COMMAND.COM batch file not allowed per Company security policy >+#.com 0 COM files not allowed per Company security policy >+# >+#.exe 0 EXE files not allowed per Company security policy >+ >+# st: Blocking Sobig and don't notify sender... 
>+movie0045.pif 0 Sobig.F >+wicked_scr.scr 0 Sobig.F >+application.pif 0 Sobig.F >+document_9446.pif 0 Sobig.F >+details.pif 0 Sobig.F >+your_details.pif 0 Sobig.F >+thank_you.pif 0 Sobig.F >+document_all.pif 0 Sobig.F >+your_document.pif 0 Sobig.F >+ >+# Block also the mails from broken SoBig >+.*That movie Virus-Subject: Sobig.F >+.*Your details Virus-Subject: Sobig.F >+.*My details Virus-Subject: Sobig.F >+.*Wicked screensaver Virus-Subject: Sobig.F >+.*Your application Virus-Subject: Sobig.F >+ >+.*duma.gov.ru Virus-MAILFROM: Virus Dumaru >+ >+.*our private photo.* Virus-Subject: Virus Mimail >+don't be late.* Virus-Subject: Virus Mimail >+.*YOUR PAYPAL.* Virus-Subject: Virus Mimail >+wendy.zip 0 Virus Mimail >+ >+application/hta.* Virus-Content-Type: MS03-032 exploit? >+ >+MyProfile.zip 0 Virus Troj/Tofger-A >+ >+.*eCard from Secret Admirer Virus-Subject: Virus W32/Poffer-A >+ >+.*viagra.* Virus-Subject: Spam Viagra >+.*Viagra.* Virus-Subject: Spam Viagra >+.*VIAGRA.* Virus-Subject: Spam Viagra >+.*via-gra.* Virus-Subject: Spam Viagra >+.*v1agra.* Virus-Subject: Spam Viagra >+.*viagara.* Virus-Subject: Spam Viagra >+.*v.i.a.g.r.a.* Virus-Subject: Spam Viagra >+.*V.i.a.g.r.a.* Virus-Subject: Spam Viagra >+.*V.I.A.G.R.A.* Virus-Subject: Spam Viagra >+.*V.1.@.G.R.A.* Virus-Subject: Spam Viagra >+ >+DateiList.pif 0 Virus W32/Sober-B >+Daten-Text.pif 0 Virus W32/Sober-B >+Server.com 0 Virus W32/Sober-B >+www.gwbush-new-wars.com 0 Virus W32/Sober-B >+www.hcket-user-pcs.com 0 Virus W32/Sober-B >+allfiles.cmd 0 Virus W32/Sober-B >+yourlist.pif 0 Virus W32/Sober-B >+ >+.*baath@iraq.com.* Virus-From: Virus W32/Bugler-A >+.*osama@fbi.gov.* Virus-From: Virus W32/Bugler-B >+.*president@white.gov.* Virus-From: Virus W32/Bugler-B >+.*fool@first.gov.* Virus-From: Virus W32/Bugler-B >+.*Free Porn.* Virus-Subject: W32/Bugler-B >+ >+cissi@yahoo.com Virus-From: Virus W32/Cissi-A >+ >+# Bagle >+Attach.zip 12420 Virus Bagle >+AttachedDocument.zip 0 Virus Bagle >+AttachedFile.zip 0 
Virus Bagle >+Document.zip 0 Virus Bagle >+Info.zip 0 Virus Bagle >+Information.zip 12420 Virus Bagle >+Letter.zip 0 Virus Bagle >+Message.zip 0 Virus Bagle >+MoreInfo.zip 0 Virus Bagle >+Msg.zip 0 Virus Bagle >+MsgInfo.zip 0 Virus Bagle >+Readme.zip 12422 Virus Bagle >+Text.zip 0 Virus Bagle >+TextDocument.zip 0 Virus Bagle >+TextFile.zip 12416 Virus Bagle >+ >+.*mail account security warning.* Virus-Subject: Virus Bagle >+.*otify about using the e-mail account.* Virus-Subject: Virus Bagle >+.*arning about your e-mail account.* Virus-Subject: Virus Bagle >+.*mportant notify about your e-mail account.* Virus-Subject: Virus Bagle >+.*mail account utilization warning.* Virus-Subject: Virus Bagle >+.*otify about your e-mail account utilization.* Virus-Subject: Virus Bagle >+.*mail account disabling warning.* Virus-Subject: Virus Bagle > > # ****** > # REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after >diff -Naur qmail-scanner-1.25-DISTRO/READMEpatched.html qmail-scanner-1.25-st-qms-20050219/READMEpatched.html >--- qmail-scanner-1.25-DISTRO/READMEpatched.html 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/READMEpatched.html 2005-02-19 07:30:19.000000000 -0600 
>@@ -0,0 +1,607 @@ >+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> >+<HTML> >+<HEAD> >+ <TITLE>Qmail-Scanner-1.25st (st patch)</TITLE> >+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> >+ <meta name="description" content="Qmail-Scanner patched st is an add-on for Qmail, that >+ connects antivirus and antispam tools with a mailserver, >+ this patched version deletes/rejects/quarantines spam."> >+ <meta name="keywords" content="qmail,qmail-scanner,antivirus,linux,antispam,spamassasin, >+ delete spam,deleting spam,reject spam,mailhub, mailhub antispam, >+ mailhub antivirus,spamassassin configuration,bayes"> >+<script language="JavaScript" src="aab.js" type="text/JavaScript"> >+</script> >+</HEAD> >+ >+<BODY BGCOLOR="#FFFFFF"> >+Last Updated 20050207 >+<hr> >+<CENTER> >+ <H1>Qmail-Scanner-1.25st (st patch)</H1> >+</CENTER> >+<p><p> >+ >+<hr> >+<DL> >+ <DT>1. <A HREF="#n.1">Introduction</A> >+ </DT> >+ <DT>2. <A HREF="#n.2">Download</A> >+ (See <a href="CHANGELOGpatched.html">CHANGELOGpatched</a> file) >+ </DT> >+ <DT>3. <A HREF="#n.3">To apply the patch</A> >+ </DT> >+ <DT>4. 
<A HREF="#n.4">Antispam options</A> >+ (All the <A HREF="configure-options.html">configuration options</A>) >+ <DD><DL> >+ <DT>a) <A HREF="#n.4.a">--sa-quarantine [num]</A> >+ (<a href="requeue.html">how to requeue</a> a quarantined message) >+ <DD><DL> >+ <DT>a.1) <A HREF="#n.4.a.1">--sa-forward <user@domain></A> >+ </DT> >+ <DT>a.2) <A HREF="#n.4.a.2">--sa-fwd-verbose [yes|no]</A> >+ </DT> >+ <DT>a.3) <A HREF="#n.4.a.3">$smaildir</A> >+ </DT> >+ </DL></DD> >+ </DT> >+ <DT>b) <A HREF="#n.4.b">--sa-delete [num]</A> >+ </DT> >+ <DT>c) <A HREF="#n.4.c">--sa-reject [yes|no]</A> >+ (<a href="testingreject.html">examples</a> of the logs) >+ </DT> >+ <DT>d) <A HREF="#n.4.d">--sa-delta [num]</A> >+ </DT> >+ <DT>e) <A HREF="#n.4.e">--sa-subject <"some text"></A> >+ </DT> >+ <DT>f) <A HREF="#n.4.f">--sa-alt [yes|no]</A> >+ <DD><DL> >+ <DT>f.1) <A HREF="#n.4.f.1">--sa-debug [yes|no]</A> >+ (SpamAssassin <a href="sa-alt.html#spamd">configuration</a> sample) >+ </DT> >+ <DT>f.2) <A HREF="#n.4.f.2">--sa-report [yes|no]</A> >+ </DT> >+ </DL></DD> >+ </DT> >+ <DT>g) <A HREF="#n.4.g">SA_SKIP_MD</A> >+ </DT> >+ <DT>h) <A HREF="#n.4.h">--sa-socket <path to spamd socket></A> >+ (<a href="sa-alt.html#test"><em>unix-socket</em></a> performance tests) >+ </DT> >+ </DL></DD> >+ </DT> >+ <DT>5. <A HREF="#n.5">Miscellaneous options</A> >+ <DD><DL> >+ <DT>a) <A HREF="#n.5.a">--qs-group <usergroup></A> >+ </DT> >+ <DT>b) <A HREF="#n.5.b">--minidebug [yes|no|1|2]</A> >+ </DT> >+ <DT>c) <A HREF="#n.5.c">BMC_WHITELIST="on"</A> >+ </DT> >+ <DT>d) <A HREF="#n.5.d">--virus-to-delete [yes|no]</A> >+ </DT> >+ <DT>e) <A HREF="#n.5.e">--scanners-per-domain [yes|no]</A> >+ (file <a href="scanners_per_domain.html">scanners_per_domain.txt</a>) >+ </DT> >+ </DL></DD> >+ </DT> >+ <DT>6. 
<A HREF="#n.6">Cosmetic options</A> >+ <DD><DL> >+ <DT>a) <A HREF="#n.6.a">--admin-fromname <"From Name"></A> >+ </DT> >+ <DT>b) <A HREF="#n.6.b">--dscr-hdrs-text <"Descrip-Headers-Text"></A> >+ </DT> >+ <DT>c) <A HREF="#n.6.c">log-report.sh</A> >+ </DT> >+ </DL></DD> >+ </DT> >+ <DT>7. <A HREF="#n.7">Examples</A> >+ </DT> >+ >+</DL> >+ >+<hr> >+<A NAME="n.1"></A> >+<H2>1. Introduction</H2> >+<P>This is a patched version (ergo unofficial) of <A HREF="http://qmail-scanner.sourceforge.net/"> >+ qmail-scanner-1.25</A>, that adds some options focused in deal with spam and >+ others features. >+<P><B>Qmail-Scanner</B> (by <em>Jason Haar</em>) is an excellent add-on for <A HREF="http://cr.yp.to/qmail.html">Qmail</A>, >+ that enables a Qmail server to scan all gateway-ed email searching for virus >+ and/or Spam. For detailed instructions on how to install and run <em>qmail-scanner</em> >+ visit the home page at <A HREF="http://qmail-scanner.sourceforge.net/"> http://qmail-scanner.sourceforge.net/</A>, >+ in this page you will only find explanations of the options added by this patch. >+<P>I started running qmail-scanner in april 2002, mainly to stop viruses >+ arriving to my users by mail, but since march 2003 the volume of spam mail had >+ increased enormously and my users clamed to block all those messages. So I modified >+ the code of <em>qmail-scanner</em> with the patch from Chris Hine to block (quarantine) >+ spam, based in the score of <A HREF="http://www.spamassassin.org/">SpamAssassin</A>, >+ most of my users don't know how to filter messages tagged as spam. And later >+ I added some other little functionalities. >+<A NAME="n.2"></A> >+<H2>2. 
Download</H2> >+<P>It's possible to download the patch >+ (<A HREF="http://xoomer.virgilio.it/j.toribio/qmail-scanner/download/q-s-1.25st-20050207.patch.gz">q-s-1.25st-20050207.patch.gz</A>) >+ and apply it yourself, or download a complete distribution >+ (<A HREF="http://xoomer.virgilio.it/j.toribio/qmail-scanner/download/q-s-1.25st-20050207.tgz">q-s-1.25st-20050207.tgz</A>) >+ already patched. >+<P>See the file <a href="CHANGELOGpatched.html">CHANGELOGpatched</a> to know what is >+ new in this version. >+<A NAME="n.3"></A> >+<H2>3. To apply the patch</H2> >+<P>(Skip this step if you have downloaded the distribution already patched) >+<P>Untar the file "qmail-scanner-1.25.tgz", cd to the parent directory >+ of the directory "qmail-scanner-1.25" and copy the patch there and >+ gunzip it. (Ok... just do this..) >+<P> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ tar xzf qmail-scanner-1.25.tgz -C /var/tmp/ >+ cp q-s-1.25st-20050207.patch.gz /var/tmp/ >+ cd /var/tmp >+ gunzip q-s-1.25st-20050207.patch.gz >+</PRE></TD> >+ </TR> >+</TABLE> >+<P>Apply the patch >+<P> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ patch -p0 < q-s-1.25st-20050207.patch >+</PRE></TD> >+ </TR> >+</TABLE> >+<P> >+<A NAME="n.4"></A> >+<H2>4. 
Antispam options</H2> >+<P>You can read in this separate page all the <A HREF="configure-options.html">configuration-options</A> of this patched version.<BR> >+ (For detailed instructions on how to install and run <em>qmail-scanner</em> >+ visit the home page at <A HREF="http://qmail-scanner.sourceforge.net/"> http://qmail-scanner.sourceforge.net/</A>, >+ in this page you will only find information about the specific options of the >+ patch) </P> >+<center> >+ <table width="80%" border="0" bgcolor="#99FF66"> >+ <tr> >+ <td><p><strong>Tip:</strong> Once you have configured and installed <em>qmail-scanner</em>, >+ you don't need to reconfigure again to change most of the parameters, >+ just edit the file <em>/var/qmail/bin/qmail-scanner-queue.pl</em> and >+ change the variables in the first part of the file. You will only have >+ to reconfigure if you add a new scanner, or, >+ obviously, if there is a new version of <em>qmail-scanner</em>... </td> >+ </tr> >+ </table> >+</center> >+<P> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ ./configure ...your options... --sa-quarantine [num] --sa-delete [num] --sa-reject [yes|no] >+</PRE></TD> >+ </TR> >+</TABLE> >+<P> >+<A NAME="n.4.a"></A> >+<H3>a) --sa-quarantine [num] (default 0, no message will >+ be quarantined)</H3> >+<p><b>NEW:</b> Now <em>sa-quarantine</em> is a relative value to the SpamAssassin >+ <em>required_hits</em>. >+<p>You can set a score in /etc/mail/spamassasin/local.cf (for example 6.5) and >+ <A HREF="http://www.spamassassin.org/">SpamAssassin</A> will tag <em>as spam</em> all >+ messages over this score, messages that exceed the <em>"required_hits</em> + <em>sa-quarantine"</em> >+ are quarantined.</p> >+<p>Basically what it does is extend the spam checking, so that if a message exceeds >+ a certain configurable spam threshold, the message >+ is quarantined as though it had a virus. 
Obviously this is only relevant if >+ <em>SpamAssassin</em> is detected.</p> >+<p>I check every day the subject of the quarantine messages and I have never seen >+ a false positive over 8 points until 24th december 2003, I got three in one day, >+ two with a score of 8.1 and one with 8.4. And very democratic, one in <em>english</em>, >+ one in <em>italian</em> and one in <em>spanish</em>. Really some people writes >+ down all sort of silly things in <em>Christmas Greetings</em> and <em>SpamAssassin</em> >+ was confused. So, better be ready (<a href="requeue.html">how to requeue</a> >+ a quarantined message to the recipient)</p> >+<p>The string '<em>spam</em>' have been added to the "<em>@silent_viruses_array</em>", >+ so no notify will be sent to the sender, as usually is a faked sender. If you >+ don't want this option, edit <em>qmail-scanner-queue.pl</em> and remove '<em>spam</em>' >+ from the array.</p> >+<blockquote> >+ <A NAME="n.4.a.1"></A> >+ <H3>a.1) --sa-forward <user@domain> (defaults to nothing)</H3> >+ User to redirect spam mails <em>'being quarantined'</em> for admin purposes...<br> >+ The mails are redirected <em>almost unmodified</em> to the address set in this option, >+ (an Ip.Guy suggestion) so you can use <em>sa-lern</em> with them. <br> >+ (i.e. --sa-forward antispam@mydomain.com ).<p> >+ <A NAME="n.4.a.2"></A> >+ <H3>a.2) --sa-fwd-verbose [yes|no] (default: no)</H3> >+ Whether to add the X-Spam headers to the forwarded message. Obviously <em>sa-forward</em> >+ must be defined. >+ <A NAME="n.4.a.3"></A> >+ <H3>a.3) $smaildir</H3> >+ Some people wants to quarantine spam in a different <em>maildir folder</em> than viruses, >+ maybe to run <em>sa-learn</em>.<br> >+ The default is: <em>my $smaildir="$vmaildir";</em> You can change it to whatever you want >+ editing <em>qmail-scanner-queue.pl</em>. i.e. 
<em>my $smaildir="spamdir";</em><p> >+ >+</blockquote> >+<A NAME="n.4.b"></A> >+<H3>b) --sa-delete [num] (default 0, no message will be >+ deleted)</H3> >+<p><b>NEW:</b> Now <em>sa-delete</em> is a relative value to the SpamAssassin >+ <em>required_hits</em>. >+<p>Similar at <em>sa-quarantine</em> but the messages will be deleted. >+ Messages that exceed the <em>"required_hits</em> + <em>sa-delete"</em> >+ will be deleted.</p> >+<p>If <em>sa-quarantine</em> is set, <em>sa-delete</em> must be greater.</p> >+<p>It is possible to use both, <em>sa-quarantine</em> and <em>sa-delete</em>. >+ For example you can set "<em>required-hits</em>" of spamassassin to >+ 6.5, <em>sa-quarantine</em> to 2.1 and <em>sa-delete</em> to 4.2. Mails with >+ a score over 6.5 will be tagged as spam, over 8.6 will be quarantined and over >+ 10.7 will be deleted (these are my actual settings, but you have to choose your >+ by your experience).</p> >+<p>No notify mail will be sent, neither to the admin.</p> >+<p>Now with <em>sa-quarantine</em> and <em>sa-delete</em> as relative values >+ you will be able to do a <em>pseudo per user configuration</em> (never tested). >+ The user can set his own <em>required_hits</em> settings, then the admin (you) sets >+ <em>sa-quarantine</em> and <em>sa-delete</em>, so the user could know at what score >+ over his <em>required_hits</em> the mails are quarantined or deleted.<br> >+ See <a href="http://qmail-scanner.sourceforge.net/FAQ.php#cs">FAQ n.19</a> >+ in the official page for details. >+<A NAME="n.4.c"></A> >+<H3>c) --sa-reject [yes|no] (default no)</H3> >+<p>If you enable <em>sa-reject</em> and <em>sa-delete</em> is properly set, messages >+ with a score higher than <em>sa-delete</em> will be rejected before the smtp >+ session is closed. Otherwise they are just dropped silently. 
Messages from the >+ <em>LOCALHOST</em> are never rejected.</p> >+<p>Be aware that there is no bandwidth saving, but at least the remote smtp server >+ will have to deal with the rejected messages instead of your server.</p> >+<p>The remote smtp server will receive a <em>"554 mail server permanently >+ rejected message (#5.3.0)"</em> code. If you want to customize the messages >+ to the remote server (and the remote user, if there is one) you can edit the >+ source of qmail-1.03 and modify the file <em>qmail.c</em>, it is a short file. >+ Just search for the line </p> >+ >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ case 31: return "Dmail server permanently rejected message (#5.3.0)"; >+</PRE></TD> >+ </TR> >+</TABLE> >+ >+<p> and change it to what ever you want, for example (Don't remove the first D): >+</p> >+ >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ case 31: return "DWe have reasons to believe this mail is SPAM (#5.7.1)"; >+</PRE></TD> >+ </TR> >+</TABLE> >+ >+<p>and then recompile <em>qmail</em> (<em>make clean ; make setup check ; strip /var/qmail/bin/*</em>).</p> >+<p><em>qmail-smtpd</em> receives an exitcode 31 from <em>qmail-scanner</em>, but you can use >+ one of the exitcodes that you see in the file <em>qmail.c</em>. Be cautious...</p> >+<p>You can see some <a href="testingreject.html">examples</a> of the logs in the mail >+ server and the message that is sent to the remote user (if he is real...) when >+ a mail is rejected.</p> >+<p>Stefano Pasquini has pointed me to a little odd situation, he is using this >+ feature and his server is rejecting several mails from his secondary server, >+ which is running by another ISP, this is really no good. 
To avoid this embarrassing >+ situation you can add a rule in the <em>tcp.smtp</em> file with the enviroment >+ variable <em>SA_ONLYDELETE_HOST</em>, if this variable is defined, spam mails >+ coming through your secondary server will be deleted instead of rejected.</p> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ your.secondary.server.ip:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl",SA_ONLYDELETE_HOST="on" >+</PRE></TD> >+ </TR> >+</TABLE> >+<p>Don't forget to rebuild the <em>tcp.smtp.cdb</em> database.<p> >+<center><TABLE BORDER="0" BGCOLOR="#FFFF66" WIDTH="90%"> >+ <TR> >+ <TD> NOTE: <em>FETCHMAIL</em> users might want to check the messages that >+ are injected to 127.0.0.1 against <em>SpamAssassin</em>, to do that add >+ this line to the <em>tcp.smtp</em> database: >+ <PRE> >+127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl",QS_SPAMASSASSIN="on" >+</PRE> >+ There is no need to define the variable SA_ONLYDELETE_HOST, as mails from >+ the <em>LOCALHOST</em> are never rejected. 
</TD> >+ </TR> >+</TABLE></center> >+<p> >+<A NAME="n.4.d"></A> >+<H3>d) --sa-delta [num] (default 0, no tag will be added >+ to spamc_subject)</H3> >+<p>If you enabled this feature (only works in FAST_SPAMASSASSIN mode) and set <em>$spamc_subject</em> to some text, your >+ users will recieve an indication (HIGH, MEDIUM, LOW) about the score spamassassin >+ gives to the message, in the subject.</p> >+<p>If the message has reach a score minor than <em>required_hits</em> (<em>sa_max</em>) >+ plus <em>sa_delta</em>, the messages will be tagged as LOW, in other words the >+ subject will be somethig like this "SPAM *** LOW", assuming that <em>$spamc_subject</em>="SPAM >+ *** ".</p> >+<p>A score betwin <em>sa_max+sa_delta</em> and <em>sa_max+2*sa_delta</em> will >+ be tagged as MEDIUM, and if the score is higher than <em>sa_max+2*sa_delta</em> >+ as HIGH.</p> >+<p>Be aware that <em>sa_max+2*sa_delta</em> must be lower than <em>sa-quarantine</em>, >+ otherwise it won't never catch any message.</p> >+<p>You can edit <em>qmail-scanner-queue.pl</em> and change this in the <em>sub >+ spamassassin</em> to whatever you want.</p> >+<p> >+<A NAME="n.4.e"></A> >+<H3>e) --sa-subject <"some text"> (default >+ to nothing)</H3> >+<p>This is an <em>alternative</em> way to set <em>$spamc_subject</em> to some >+ text, for example "SPAM *** ". Be sure that is better to tag the subject, >+ of spam messages (only works in FAST_SPAMASSASSIN mode), through <em>qmail-scanner</em> than with the <em>rewrite_subject</em> >+ of <em>SpamAssassin</em>.The input must be quoted. </p> >+<p> >+<A NAME="n.4.f"></A> >+<H3>f) --sa-alt [yes|no] (default no)</H3> >+<p>This is an <em>alternative</em> subroutine to call <em>SpamAssassin</em>. 
It >+ ALWAYS works in <em>FAST_SPAMASSASSIN</em> mode, and it would be a little bit >+ faster because it doesn't create a <em>tmp_file</em> and neither pass the '<em>-u</em>' >+ option to <em>spamc</em> (but you will find the code commented inside >+ <em>qmail-scanner-queue.pl</em> in the routine <em>sub spamassassin_alt</em>, >+ uncomment it if you need <em>spamassassin sql per user</em> settings).</p> >+<p>When I said above ALWAYS I mean ALWAYS, <em>sa-alt</em> sets the <em>spamc_options</em> by >+ itself so if you want to run in <em>VERBOSE_SPAMASSASSIN</em> mode or you >+ want to use the <em>'sql per user preferences'</em> for spamassassin, you have >+ to disable this option and run the <em>'standard spamassassin'</em> routine. >+<center> >+ <table width="80%" border="0" bgcolor="#99FF66"> >+ <tr> >+ <td><p><strong>FAST_SPAMASSASSIN vs. VERBOSE_SPAMASSASSIN:</strong> There are >+ a lot of people confusing these two ways of using <em>spamassassin</em>.<br> >+ If you work in FAST mode the message IS NOT modified by <em>spamassassin</em>, >+ so all the options set in <em>local.cf</em> to modify the message are ignored >+ (rewrite_subject, add-header...). But you can still modify the subject setting >+ the <em>sa-subject</em> in <em>qmail-scanner</em> and also the <em>X-Spam-Report</em>, >+ see below.<br> >+ See the <a href="http://qmail-scanner.sourceforge.net/FAQ.php#cs">FAQ 15, 16 and 19</a> for more info. >+ </td> >+ </tr> >+ </table> >+</center> >+<p>This option should be used with the following two options.</p> >+<blockquote> >+ <A NAME="n.4.f.1"></A> >+ <H3>f.1) --sa-debug [yes|no] (default no)</H3> >+ If <em>sa-alt</em> is enabled and you enable this option, you will have a log >+ of the tests and scores from <em>SpamAssassin</em> in <em>qmail-queue.log</em>. 
>+ And these score and tests will be also added to the notifies sent to the <em>admin</em>.<br> >+ I was looking for a way to control how <em>SpamAssassin</em> was working, and >+ this is the reason for that I wrote the alternative subroutine to connect to >+ <em>SpamAssassin</em>.<br> >+ If you enable <em>add-dscr-hdrs</em> you will get the <em>process number</em> and then you >+ can do a <em>grep</em> by the process number in <em>qmail-queue.log</em> and debug what happened >+ with a message.<br> >+ Don't worry, you don't need to reconfigure <em>qmail-scanner</em> to switch >+ from one subroutine to the other, just edit <em>qmail-scanner-queue.pl</em> >+ and disable/enable <em>sa-alt</em> (sa_alt).<br> >+ Want to see the <a href="sa-alt.html#spamd">configuration of <em>SpamAssassin</em></a> >+ and a <a href="sa-alt.html#logs">sample</a> of the logs?<p> >+ <A NAME="n.4.f.2"></A> >+ <H3>f.2) --sa-report [yes|no] (default no)</H3> >+ If <em>sa-alt</em> and <em>sa-debug</em> are enabled >+ the <em>X-Spam-Report</em> header will be added to the messages enabling this option.<br> >+ Notice that you are still running in <em>FAST_SPAMASSASSIN</em> mode...<p> >+</blockquote> >+ >+<A NAME="n.4.g"></A> >+<H3>g) SA_SKIP_MD ( SA skip MAILER-DAEMON )</H3> >+<p>This is not a configuration option (yet another option for Stefano Pasquini), >+ this is a switch inside the code that you can enable or disable when you need >+ it. Set to something different from <em>zero</em> to enable it.</p> >+<p>Supposing that a spammer drops in the net several tens of thousands mails with >+ a random from address like <em>abxtyicj@yourdomain.com</em>, and then in a few >+ minutes your mail server will receive something like 3.800 messages from MAILER-DAEMON >+ because some user from some server is unknown.. Well, you have to deal with >+ all those messages quickly but <em>SpamAssassin</em> spends some seconds for >+ each message, so your server will be on his knees. 
In this case you can edit >+ <em>qmail-scanner-queue.pl</em> and set <em>SA_SKIP_MD</em> to '1', <em>qmail-scanner</em> >+ will skip <em>SpamAssassin</em> for messages 'From: MAILER-DAEMON' and empty >+ Return-Path, but the antivirus scanners will always check the messages.</p> >+<p>I don't think that is a good idea to have it always enabled.</p> >+<p> >+<A NAME="n.4.h"></A> >+<H3>h) --sa-socket <path to spamd socket> (defaults to nothing)</H3> >+<p>Actually the configure script can automatically discover >+ if <em>spamd</em> is running in <em>unix-socket</em> mode, but, >+ if for some reasson the socket couldn't be >+ found properly you can set the path with this option. >+ (i.e. --sa-socket /var/run/spamd).</p> >+<p>From my test over ten thousand mails, <em>spamd</em> is 7,8% faster running with >+ <a href="sa-alt.html#test"><em>unix-socket</em></a>.</p> >+<p> >+<A NAME="n.5"></A> >+<h2>5. Miscellaneous options</h2> >+<A NAME="n.5.a"></A> >+<H3>a) --qs-group <usergroup> (default: same as qs-user)</H3> >+<p>Group of the user that <em>Qmail-Scanner</em> runs as. This option allows you >+ to install qmail-scanner-1.25 over an old installation (1.1x) where the user >+ was "<em>qmailq</em>" and the group "<em>qmail</em>". This >+ will decrease the security level, but <em>qmail</em> itself is already heavily >+ compartmented. (This option is only used during the install process).</p> >+<A NAME="n.5.b"></A> >+<H3>b) --minidebug [yes|no|1|2] (default: yes)</H3> >+<p>This option only logs important information to <em>qmail-queue.log</em>, >+ that give me a sense that how >+ it is going up. If set to 2, it will log the >+ parent pid (ppid) and the message size.</p> >+<p>If you enable <em>debug</em>, minidebug is automatically disabled.</p> >+ >+<A NAME="n.5.c"></A> >+<H3>c) BMC_WHITELIST="on"</H3> >+ >+<p>Set this enviroment variable in <em>tcp.smtp</em> to disable <em>BAD_MIME_CHECKS</em> >+ for some servers. 
It's a little bit hard to mantain...</p> >+ >+<A NAME="n.5.d"></A> >+<H3>d) --virus-to-delete [yes|no] (defaults to "no")</H3> >+<p>Enable this option if you want to delete some viruses >+ (i.e. mydoom) without notifying anyone. If you don't enable >+ it now, you can later edit <em>qmail-scanner-queue.pl</em> and add >+ the virus you want to the list virus_to_delete.</p> >+ >+<A NAME="n.5.e"></A> >+<H3>e) --scanners-per-domain [yes|no] (defaults to "no")</H3> >+<p>Enable or disable the domain-wise mode, each user/domain >+ will have a customized @scanner_array. If the user/domain >+ haven't a custom @scanner_array, qmail-scanner will fall >+ to the @scanners_default array.</p> >+<p>You have to edit the file 'scanners_per_domain.txt' and configure there your >+ domains, you will find some instructions inside the file. >+ <a href="scanners_per_domain.html">More info...</a></p> >+<p><p> >+ >+<A NAME="n.6"></A> >+<h2>6. Cosmetic options</h2> >+ >+<A NAME="n.6.a"></A> >+<H3>a) --admin-fromname <"From Name"> (default: >+ "System Anti-Virus Administrator")</H3> >+<p>As its name says, this option sets the from name for the emails reports sent >+ by <em>qmail-scanner</em>, I was annoyed of edit and change it on every new >+ installation. 
The input must be quoted.</p> >+<A NAME="n.6.b"></A> >+<h3>b) --dscr-hdrs-text <"Descrip-Headers-Text"> (defaults: >+ "X-Qmail-Scanner")</h3> >+<p>Well, the same as previous...</p> >+<A NAME="n.6.c"></A> >+<h3>c) log-report.sh</h3> >+<p>This script is installed in the <em>qmailscan</em> directory and does a >+quick statistic from the <em>qmail-queue.log</em> files, you can send a >+mail after rotating the logs....</p> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ ./log-report.sh qmail-queue.log.1.gz >+ >+ 2841 W32/Netsky-P >+ 430 W32/Mabutu-A >+ 218 W32/MyDoom-O >+ 142 W32/Netsky-Q >+ 70 W32/MyDoom-A >+ 57 W32/MyDoom-H >+ 36 W32/Netsky-N >+ 12 W32/MyDoom-N >+ 11 W32/Mydoom-T >+ 11 W32/MyDoom-S >+ 4 W32/MyDoom-AG >+ 3 W32/Zafi-B >+ 2 W32/NetskyP-Dam >+ 2 W32/Mydoom-F >+ 2 W32/Lovgate-V >+ 2 W32/Flcss >+ 1 W32/Torvil-A >+ 1 W32/Parite-B >+ 1 W32/Netsky-C >+ 1 W32/Bagle-AU >+ >+ >+ 11173 rejecting >+ 596 tagging >+ </PRE></TD> >+ </TR> >+</TABLE> >+ >+<A NAME="n.7"></A> >+<h2>7. Examples</h2> >+<P>This will be an example of installing over a previous 1.1x installation, obviously >+ the mailbox "antivirus@mydomain.com" should exist... The <em>required_hits</em> >+ in the file <em>/etc/mail/spamassassin/local.cf</em> is '6.5'. If you're upgrading >+ from 1.1x, don't try the manual installation, lets the configure script do its >+ job. 
>+<P> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ ./configure --qs-user qmailq \ >+ --qs-group qmail \ >+ --domain mydomain.com \ >+ --admin antivirus \ >+ --admin-fromname "Antivirus MYDOMAIN" \ >+ --add-dscr-hdrs yes \ >+ --dscr-hdrs-text "X-Antivirus-MYDOMAIN" \ >+ --ignore-eol-check yes \ >+ --redundant yes \ >+ --max-zip-size 50000000 \ >+ --virus-to-delete yes \ >+ --block-password-protected yes \ >+ --sa-quarantine 2.1 \ >+ --sa-delete 4.2 \ >+ --sa-reject yes \ >+ --sa-subject "SPAM *** " \ >+ --sa-delta 0.5 \ >+ --sa-alt yes \ >+ --sa-debug yes \ >+ --sa-report yes \ >+ --sa-socket /var/run/spamd [ --install ] >+ </PRE></TD> >+ </TR> >+</TABLE> >+<P>For an <em>standard</em> installation (new or upgrade) with the user <em>qscand</em>, (first create the user) >+and then the options below would be enough: >+<P> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+groupadd qscand >+useradd -c "Qmail-Scanner Account" -g qscand -d /var/spool/qmailscan -s /bin/false qscand >+ </PRE></TD> >+ </TR> >+</TABLE> >+<P> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ ./configure --domain mydomain.com \ >+ --admin antivirus \ >+ --admin-fromname "Antivirus MYDOMAIN" \ >+ --add-dscr-hdrs yes \ >+ --dscr-hdrs-text "X-Antivirus-MYDOMAIN" \ >+ --ignore-eol-check yes \ >+ --redundant yes \ >+ --max-zip-size 50000000 \ >+ --virus-to-delete yes \ >+ --block-password-protected yes \ >+ --sa-quarantine 2.1 \ >+ --sa-delete 4.2 \ >+ --sa-reject yes \ >+ --sa-subject "SPAM *** " \ >+ --sa-delta 0.5 \ >+ --sa-alt yes \ >+ --sa-debug yes \ >+ --sa-report yes \ >+ --sa-socket /var/run/spamd [ --install ] >+ </PRE></TD> >+ </TR> >+</TABLE> >+<P> >+<HR> >+<P>I hope these options will be useful for you as they are for me. 
There isn't a >+ specific mailing-list for this version, you can reach the official >+ <a href="http://lists.sourceforge.net/mailman/listinfo/qmail-scanner-general"> >+ qmail-scanner-general</a> mailing-list, you will find a lot of good stuff there. >+<P>Thanks to Jason for this very very good tool. >+<P>Thanks to Chris for the spamassasin quarantine patch, all my users are very >+ happy since the patch was installed blocking tons of spam. >+<P>Salvatore Toribio<BR> >+ <SCRIPT LANGUAGE=JavaScript> >+<!-- // Anti-spam address builder >+ mailaddr ('toribio', 'pusc', 'it') >+// --> >+</SCRIPT> >+ <BR> >+ 20050207 >+<HR> >+<P>No warranty, expressed or implied, etc, etc, etc... >+<!-- >+<img src="http://usi.pusc.it/img/t20050207.gif" border="0" WIDTH="1" HEIGHT="1"> >+--> >+</BODY> >+</HTML> >diff -Naur qmail-scanner-1.25-DISTRO/READMEpatched.txt qmail-scanner-1.25-st-qms-20050219/READMEpatched.txt >--- qmail-scanner-1.25-DISTRO/READMEpatched.txt 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/READMEpatched.txt 2005-02-19 07:31:08.000000000 -0600 
>@@ -0,0 +1,369 @@ >+Last Updated 20050207 >+------------------------------------------------------------------------ >+ >+ Qmail-Scanner-1.25st (st patch) >+ >+ >+------------------------------------------------------------------------ >+ >+1. Introduction >+2. Download (See CHANGELOGpatched file) >+3. To apply the patch >+4. Antispam options (All the configuration options) >+ >+a) --sa-quarantine [num] (how to requeue a quarantined message) >+ >+a.1) --sa-forward <user@domain> >+a.2) --sa-fwd-verbose [yes|no] >+a.3) $smaildir >+ >+b) --sa-delete [num] >+c) --sa-reject [yes|no] (examples of the logs) >+d) --sa-delta [num] >+e) --sa-subject <"some text"> >+f) --sa-alt [yes|no] >+ >+f.1) --sa-debug [yes|no] (SpamAssassin configuration sample) >+f.2) --sa-report [yes|no] >+ >+g) SA_SKIP_MD >+h) --sa-socket <path to spamd socket> (unix-socket performance tests) >+ >+5. Miscellaneous options >+ >+a) --qs-group <usergroup> >+b) --minidebug [yes|no|1|2] >+c) BMC_WHITELIST="on" >+d) --virus-to-delete [yes|no] >+e) --scanners-per-domain [yes|no] (file scanners_per_domain.txt) >+ >+6. Cosmetic options >+ >+a) --admin-fromname <"From Name"> >+b) --dscr-hdrs-text <"Descrip-Headers-Text"> >+c) log-report.sh >+ >+7. Examples >+ >+------------------------------------------------------------------------ >+ >+1. Introduction >+ >+This is a patched version (ergo unofficial) of qmail-scanner-1.25, that adds some options focused in deal with spam and others features. >+ >+Qmail-Scanner (by Jason Haar) is an excellent add-on for Qmail, that enables a Qmail server to scan all gateway-ed email searching for virus and/or Spam. For detailed instructions on how to install and run qmail-scanner visit the home page at http://qmail-scanner.sourceforge.net/, in this page you will only find explanations of the options added by this patch. 
>+ >+I started running qmail-scanner in april 2002, mainly to stop viruses arriving to my users by mail, but since march 2003 the volume of spam mail had increased enormously and my users clamed to block all those messages. So I modified the code of qmail-scanner with the patch from Chris Hine to block (quarantine) spam, based in the score of SpamAssassin, most of my users don't know how to filter messages tagged as spam. And later I added some other little functionalities. >+ >+2. Download >+ >+It's possible to download the patch (q-s-1.25st-20050207.patch.gz) and apply it yourself, or download a complete distribution (q-s-1.25st-20050207.tgz) already patched. >+ >+See the file CHANGELOGpatched to know what is new in this version. >+ >+3. To apply the patch >+ >+(Skip this step if you have downloaded the distribution already patched) >+ >+Untar the file "qmail-scanner-1.25.tgz", cd to the parent directory of the directory "qmail-scanner-1.25" and copy the patch there and gunzip it. (Ok... just do this..) >+ >+ >+ tar xzf qmail-scanner-1.25.tgz -C /var/tmp/ >+ cp q-s-1.25st-20050207.patch.gz /var/tmp/ >+ cd /var/tmp >+ gunzip q-s-1.25st-20050207.patch.gz >+ >+Apply the patch >+ >+ >+ patch -p0 < q-s-1.25st-20050207.patch >+ >+ >+4. Antispam options >+ >+You can read in this separate page all the configuration-options of this patched version. >+(For detailed instructions on how to install and run qmail-scanner visit the home page at http://qmail-scanner.sourceforge.net/, in this page you will only find information about the specific options of the patch) >+Tip: Once you have configured and installed qmail-scanner, you don't need to reconfigure again to change most of the parameters, just edit the file /var/qmail/bin/qmail-scanner-queue.pl and change the variables in the first part of the file. You will only have to reconfigure if you add a new scanner, or, obviously, if there is a new version of qmail-scanner... >+ >+ >+ ./configure ...your options... 
--sa-quarantine [num] --sa-delete [num] --sa-reject [yes|no] >+ >+ >+a) --sa-quarantine [num] (default 0, no message will be quarantined) >+ >+NEW: Now sa-quarantine is a relative value to the SpamAssassin required_hits. >+ >+You can set a score in /etc/mail/spamassasin/local.cf (for example 6.5) and SpamAssassin will tag as spam all messages over this score, messages that exceed the "required_hits + sa-quarantine" are quarantined. >+ >+Basically what it does is extend the spam checking, so that if a message exceeds a certain configurable spam threshold, the message is quarantined as though it had a virus. Obviously this is only relevant if SpamAssassin is detected. >+ >+I check every day the subject of the quarantine messages and I have never seen a false positive over 8 points until 24th december 2003, I got three in one day, two with a score of 8.1 and one with 8.4. And very democratic, one in english, one in italian and one in spanish. Really some people writes down all sort of silly things in Christmas Greetings and SpamAssassin was confused. So, better be ready (how to requeue a quarantined message to the recipient) >+ >+The string 'spam' have been added to the "@silent_viruses_array", so no notify will be sent to the sender, as usually is a faked sender. If you don't want this option, edit qmail-scanner-queue.pl and remove 'spam' from the array. >+ >+ >+a.1) --sa-forward <user@domain> (defaults to nothing) >+User to redirect spam mails 'being quarantined' for admin purposes... >+The mails are redirected almost unmodified to the address set in this option, (an Ip.Guy suggestion) so you can use sa-lern with them. >+(i.e. --sa-forward antispam@mydomain.com ). >+ >+ >+a.2) --sa-fwd-verbose [yes|no] (default: no) >+Whether to add the X-Spam headers to the forwarded message. Obviously sa-forward must be defined. >+ >+a.3) $smaildir >+Some people wants to quarantine spam in a different maildir folder than viruses, maybe to run sa-learn. 
>+The default is: my $smaildir="$vmaildir"; You can change it to whatever you want editing qmail-scanner-queue.pl. i.e. my $smaildir="spamdir"; >+ >+ >+ >+b) --sa-delete [num] (default 0, no message will be deleted) >+ >+NEW: Now sa-delete is a relative value to the SpamAssassin required_hits. >+ >+Similar at sa-quarantine but the messages will be deleted. Messages that exceed the "required_hits + sa-delete" will be deleted. >+ >+If sa-quarantine is set, sa-delete must be greater. >+ >+It is possible to use both, sa-quarantine and sa-delete. For example you can set "required-hits" of spamassassin to 6.5, sa-quarantine to 2.1 and sa-delete to 4.2. Mails with a score over 6.5 will be tagged as spam, over 8.6 will be quarantined and over 10.7 will be deleted (these are my actual settings, but you have to choose your by your experience). >+ >+No notify mail will be sent, neither to the admin. >+ >+Now with sa-quarantine and sa-delete as relative values you will be able to do a pseudo per user configuration (never tested). The user can set his own required_hits settings, then the admin (you) sets sa-quarantine and sa-delete, so the user could know at what score over his required_hits the mails are quarantined or deleted. >+See FAQ n.19 in the official page for details. >+ >+c) --sa-reject [yes|no] (default no) >+ >+If you enable sa-reject and sa-delete is properly set, messages with a score higher than sa-delete will be rejected before the smtp session is closed. Otherwise they are just dropped silently. Messages from the LOCALHOST are never rejected. >+ >+Be aware that there is no bandwidth saving, but at least the remote smtp server will have to deal with the rejected messages instead of your server. >+ >+The remote smtp server will receive a "554 mail server permanently rejected message (#5.3.0)" code. 
If you want to customize the messages to the remote server (and the remote user, if there is one) you can edit the source of qmail-1.03 and modify the file qmail.c, it is a short file. Just search for the line >+ >+ case 31: return "Dmail server permanently rejected message (#5.3.0)"; >+ >+and change it to what ever you want, for example (Don't remove the first D): >+ >+ case 31: return "DWe have reasons to believe this mail is SPAM (#5.7.1)"; >+ >+and then recompile qmail (make clean ; make setup check ; strip /var/qmail/bin/*). >+ >+qmail-smtpd receives an exitcode 31 from qmail-scanner, but you can use one of the exitcodes that you see in the file qmail.c. Be cautious... >+ >+You can see some examples of the logs in the mail server and the message that is sent to the remote user (if he is real...) when a mail is rejected. >+ >+Stefano Pasquini has pointed me to a little odd situation, he is using this feature and his server is rejecting several mails from his secondary server, which is running by another ISP, this is really no good. To avoid this embarrassing situation you can add a rule in the tcp.smtp file with the enviroment variable SA_ONLYDELETE_HOST, if this variable is defined, spam mails coming through your secondary server will be deleted instead of rejected. >+ >+ your.secondary.server.ip:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl",SA_ONLYDELETE_HOST="on" >+ >+Don't forget to rebuild the tcp.smtp.cdb database. >+ >+NOTE: FETCHMAIL users might want to check the messages that are injected to 127.0.0.1 against SpamAssassin, to do that add this line to the tcp.smtp database: >+ >+ >+127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl",QS_SPAMASSASSIN="on" >+ >+There is no need to define the variable SA_ONLYDELETE_HOST, as mails from the LOCALHOST are never rejected. 
>+ >+ >+d) --sa-delta [num] (default 0, no tag will be added to spamc_subject) >+ >+If you enabled this feature (only works in FAST_SPAMASSASSIN mode) and set $spamc_subject to some text, your users will recieve an indication (HIGH, MEDIUM, LOW) about the score spamassassin gives to the message, in the subject. >+ >+If the message has reach a score minor than required_hits (sa_max) plus sa_delta, the messages will be tagged as LOW, in other words the subject will be somethig like this "SPAM *** LOW", assuming that $spamc_subject="SPAM *** ". >+ >+A score betwin sa_max+sa_delta and sa_max+2*sa_delta will be tagged as MEDIUM, and if the score is higher than sa_max+2*sa_delta as HIGH. >+ >+Be aware that sa_max+2*sa_delta must be lower than sa-quarantine, otherwise it won't never catch any message. >+ >+You can edit qmail-scanner-queue.pl and change this in the sub spamassassin to whatever you want. >+ >+ >+e) --sa-subject <"some text"> (default to nothing) >+ >+This is an alternative way to set $spamc_subject to some text, for example "SPAM *** ". Be sure that is better to tag the subject, of spam messages (only works in FAST_SPAMASSASSIN mode), through qmail-scanner than with the rewrite_subject of SpamAssassin.The input must be quoted. >+ >+ >+f) --sa-alt [yes|no] (default no) >+ >+This is an alternative subroutine to call SpamAssassin. It ALWAYS works in FAST_SPAMASSASSIN mode, and it would be a little bit faster because it doesn't create a tmp_file and neither pass the '-u' option to spamc (but you will find the code commented inside qmail-scanner-queue.pl in the routine sub spamassassin_alt, uncomment it if you need spamassassin sql per user settings). >+ >+When I said above ALWAYS I mean ALWAYS, sa-alt sets the spamc_options by itself so if you want to run in VERBOSE_SPAMASSASSIN mode or you want to use the 'sql per user preferences' for spamassassin, you have to disable this option and run the 'standard spamassassin' routine. >+FAST_SPAMASSASSIN vs. 
VERBOSE_SPAMASSASSIN: There are a lot of people confusing these two ways of using spamassassin. >+If you work in FAST mode the message IS NOT modified by spamassassin, so all the options set in local.cf to modify the message are ignored (rewrite_subject, add-header...). But you can still modify the subject setting the sa-subject in qmail-scanner and also the X-Spam-Report, see below. >+See the FAQ 15, 16 and 19 for more info. >+ >+This option should be used with the following two options. >+ >+ >+f.1) --sa-debug [yes|no] (default no) >+If sa-alt is enabled and you enable this option, you will have a log of the tests and scores from SpamAssassin in qmail-queue.log. And these score and tests will be also added to the notifies sent to the admin. >+I was looking for a way to control how SpamAssassin was working, and this is the reason for that I wrote the alternative subroutine to connect to SpamAssassin. >+If you enable add-dscr-hdrs you will get the process number and then you can do a grep by the process number in qmail-queue.log and debug what happened with a message. >+Don't worry, you don't need to reconfigure qmail-scanner to switch from one subroutine to the other, just edit qmail-scanner-queue.pl and disable/enable sa-alt (sa_alt). >+Want to see the configuration of SpamAssassin and a sample of the logs? >+ >+ >+f.2) --sa-report [yes|no] (default no) >+If sa-alt and sa-debug are enabled the X-Spam-Report header will be added to the messages enabling this option. >+Notice that you are still running in FAST_SPAMASSASSIN mode... >+ >+ >+ >+g) SA_SKIP_MD ( SA skip MAILER-DAEMON ) >+ >+This is not a configuration option (yet another option for Stefano Pasquini), this is a switch inside the code that you can enable or disable when you need it. Set to something different from zero to enable it. 
>+ >+Supposing that a spammer drops in the net several tens of thousands mails with a random from address like abxtyicj@yourdomain.com, and then in a few minutes your mail server will receive something like 3.800 messages from MAILER-DAEMON because some user from some server is unknown.. Well, you have to deal with all those messages quickly but SpamAssassin spends some seconds for each message, so your server will be on his knees. In this case you can edit qmail-scanner-queue.pl and set SA_SKIP_MD to '1', qmail-scanner will skip SpamAssassin for messages 'From: MAILER-DAEMON' and empty Return-Path, but the antivirus scanners will always check the messages. >+ >+I don't think that is a good idea to have it always enabled. >+ >+ >+h) --sa-socket <path to spamd socket> (defaults to nothing) >+ >+Actually the configure script can automatically discover if spamd is running in unix-socket mode, but, if for some reasson the socket couldn't be found properly you can set the path with this option. (i.e. --sa-socket /var/run/spamd). >+ >+From my test over ten thousand mails, spamd is 7,8% faster running with unix-socket. >+ >+ >+5. Miscellaneous options >+ >+a) --qs-group <usergroup> (default: same as qs-user) >+ >+Group of the user that Qmail-Scanner runs as. This option allows you to install qmail-scanner-1.25 over an old installation (1.1x) where the user was "qmailq" and the group "qmail". This will decrease the security level, but qmail itself is already heavily compartmented. (This option is only used during the install process). >+ >+b) --minidebug [yes|no|1|2] (default: yes) >+ >+This option only logs important information to qmail-queue.log, that give me a sense that how it is going up. If set to 2, it will log the parent pid (ppid) and the message size. >+ >+If you enable debug, minidebug is automatically disabled. >+ >+c) BMC_WHITELIST="on" >+ >+Set this enviroment variable in tcp.smtp to disable BAD_MIME_CHECKS for some servers. 
It's a little bit hard to mantain... >+ >+d) --virus-to-delete [yes|no] (defaults to "no") >+ >+Enable this option if you want to delete some viruses (i.e. mydoom) without notifying anyone. If you don't enable it now, you can later edit qmail-scanner-queue.pl and add the virus you want to the list virus_to_delete. >+ >+e) --scanners-per-domain [yes|no] (defaults to "no") >+ >+Enable or disable the domain-wise mode, each user/domain will have a customized @scanner_array. If the user/domain haven't a custom @scanner_array, qmail-scanner will fall to the @scanners_default array. >+ >+You have to edit the file 'scanners_per_domain.txt' and configure there your domains, you will find some instructions inside the file. More info... >+ >+ >+ >+6. Cosmetic options >+ >+a) --admin-fromname <"From Name"> (default: "System Anti-Virus Administrator") >+ >+As its name says, this option sets the from name for the emails reports sent by qmail-scanner, I was annoyed of edit and change it on every new installation. The input must be quoted. >+ >+b) --dscr-hdrs-text <"Descrip-Headers-Text"> (defaults: "X-Qmail-Scanner") >+ >+Well, the same as previous... >+ >+c) log-report.sh >+ >+This script is installed in the qmailscan directory and does a quick statistic from the qmail-queue.log files, you can send a mail after rotating the logs.... >+ >+ ./log-report.sh qmail-queue.log.1.gz >+ >+ 2841 W32/Netsky-P >+ 430 W32/Mabutu-A >+ 218 W32/MyDoom-O >+ 142 W32/Netsky-Q >+ 70 W32/MyDoom-A >+ 57 W32/MyDoom-H >+ 36 W32/Netsky-N >+ 12 W32/MyDoom-N >+ 11 W32/Mydoom-T >+ 11 W32/MyDoom-S >+ 4 W32/MyDoom-AG >+ 3 W32/Zafi-B >+ 2 W32/NetskyP-Dam >+ 2 W32/Mydoom-F >+ 2 W32/Lovgate-V >+ 2 W32/Flcss >+ 1 W32/Torvil-A >+ 1 W32/Parite-B >+ 1 W32/Netsky-C >+ 1 W32/Bagle-AU >+ >+ >+ 11173 rejecting >+ 596 tagging >+ >+ >+7. Examples >+ >+This will be an example of installing over a previous 1.1x installation, obviously the mailbox "antivirus@mydomain.com" should exist... 
The required_hits in the file /etc/mail/spamassassin/local.cf is '6.5'. If you're upgrading from 1.1x, don't try the manual installation, lets the configure script do its job. >+ >+ >+ ./configure --qs-user qmailq \ >+ --qs-group qmail \ >+ --domain mydomain.com \ >+ --admin antivirus \ >+ --admin-fromname "Antivirus MYDOMAIN" \ >+ --add-dscr-hdrs yes \ >+ --dscr-hdrs-text "X-Antivirus-MYDOMAIN" \ >+ --ignore-eol-check yes \ >+ --redundant yes \ >+ --max-zip-size 50000000 \ >+ --virus-to-delete yes \ >+ --block-password-protected yes \ >+ --sa-quarantine 2.1 \ >+ --sa-delete 4.2 \ >+ --sa-reject yes \ >+ --sa-subject "SPAM *** " \ >+ --sa-delta 0.5 \ >+ --sa-alt yes \ >+ --sa-debug yes \ >+ --sa-report yes \ >+ --sa-socket /var/run/spamd [ --install ] >+ >+ >+For an standard installation (new or upgrade) with the user qscand, (first create the user) and then the options below would be enough: >+ >+ >+groupadd qscand >+useradd -c "Qmail-Scanner Account" -g qscand -d /var/spool/qmailscan -s /bin/false qscand >+ >+ >+ >+ ./configure --domain mydomain.com \ >+ --admin antivirus \ >+ --admin-fromname "Antivirus MYDOMAIN" \ >+ --add-dscr-hdrs yes \ >+ --dscr-hdrs-text "X-Antivirus-MYDOMAIN" \ >+ --ignore-eol-check yes \ >+ --redundant yes \ >+ --max-zip-size 50000000 \ >+ --virus-to-delete yes \ >+ --block-password-protected yes \ >+ --sa-quarantine 2.1 \ >+ --sa-delete 4.2 \ >+ --sa-reject yes \ >+ --sa-subject "SPAM *** " \ >+ --sa-delta 0.5 \ >+ --sa-alt yes \ >+ --sa-debug yes \ >+ --sa-report yes \ >+ --sa-socket /var/run/spamd [ --install ] >+ >+ >+------------------------------------------------------------------------ >+ >+I hope these options will be useful for you as they are for me. There isn't a specific mailing-list for this version, you can reach the official qmail-scanner-general mailing-list, you will find a lot of good stuff there. >+ >+Thanks to Jason for this very very good tool. 
>+ >+Thanks to Chris for the spamassasin quarantine patch, all my users are very happy since the patch was installed blocking tons of spam. >+ >+Salvatore Toribio >+toribio@pusc.it >+20050207 >+------------------------------------------------------------------------ >+ >+No warranty, expressed or implied, etc, etc, etc... >\ No newline at end of file >diff -Naur qmail-scanner-1.25-DISTRO/README-qms-analog qmail-scanner-1.25-st-qms-20050219/README-qms-analog >--- qmail-scanner-1.25-DISTRO/README-qms-analog 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/README-qms-analog 2004-11-06 11:07:21.000000000 -0600 
>@@ -0,0 +1,275 @@ >+qms-analog: Qmail-Scanner Log File Analyzer >+------------------------------------------- >+ >+Version: 0.4.0, 11/02/2004 >+ >+ >+Distribution Files >+------------------ >+ >+COPYING - The GPL Version 2 License file >+Makefile - builds the qms-analog utility >+qmail-scanner-1.24-st-qms-20041102.patch >+ - patch file for clean qmail-scanner-1.24 >+ distro which contains the qms event logger >+ and the popular "st" patch >+qms-analog-types.txt - defines the event log types provided >+ by the patch >+qms-config - qmail-scanner config script for qms-analog >+qms-config-cwrapper - qmail-scanner config script for qms-analog >+ used when perl doesn't have setuid support >+qms-config-monitor - qmail-scanner config script for qms-analog >+ and qms-monitor >+qms-config-monitor-cwrapper - qmail-scanner config script for qms-analog >+ and qms-monitor used when perl doesn't have >+ setuid support >+README - this file >+RELEASE-NOTES - version change log >+src/ - source directory for qms-analog >+ >+ >+ >+What You Get >+------------ >+ >+/var/qmail/bin/qms-analog >+ The utility which takes /var/spool/qmailscan/qms-events.log >+ records as input from stdin and generates statistics on stdout. >+ >+/var/qmail/bin/qmail-scanner-queue.pl >+ The patched version which generates nice logs in >+ /var/spool/qmailscan/qms-events.log and optionally provides account >+ monitoring if qms-monitor is enabled >+ >+ >+ >+!!!!!!!! ATTENTION: READ THIS FIRST !!!!!!!! >+-------------------------------------------- >+qms-analog requires a patch be applied to your qmail-scanner-1.24 >+distribution in order to generate a new, more legible log file. The >+patch file includes the popular "st" patch which adds useful >+capabilities to qmail-scanner. >+ >+The following are minimum requirements for qms-analog to work: >+1) qmail-scanner version 1.24 (unpatched, clean distro) >+2) ClamAV or other qmail-scanner supported AV software. 
>+3) Spamassassin >+ >+If you don't have these, and are unwilling to upgrade or install >+them, DO NOT USE qms-analog. I cannot be responsible for what might >+happen. >+ >+Disclaimer: >+----------- >+Generally speaking, it is a quite simple matter to upgrade versions >+of qms-analog. Patch a clean distro of qmail-scanner-1.24, configure >+it, modify qmail-scanner-queue.pl if using the C wrapper instead of >+setuid, then build and install qms-analog. I have done this time and >+time again with no adverse effects on my Qmail installation or any >+of the ancillary utilities that were installed in the QmailRocks >+procedure. Having said that, as with all open-source software, no >+guarantee is expressed or implied in any way, and I am not responsible >+for mistakes or abnormalities in your particular installation. >+ >+ >+If you meet these requirements, let's get started... >+ >+ >+ >+Note Concerning Where This Fits In the QmailRocks Procedure >+----------------------------------------------------------- >+ >+qms-analog is now part of the QmailRocks procedure. See >+http://qmailrocks.org for details. >+ >+ >+ >+A. Patching the qmail-scanner-1.24 Distribution >+----------------------------------------------- >+ >+1) Obtain the unpatched source distribution qmail-scanner-1.24.tgz. >+ >+2) Extract it to the location of your choice. >+ >+3) Make a backup copy of the qmail-scanner-1.24 directory before >+ patching it: >+ cp -R qmail-scanner-1.24 qmail-scanner-1.24-orig >+ >+4) Copy qmail-scanner-1.24-st-qms-20041102.patch from the qms-analog >+ distro to the qmail-scanner-1.24 directory where the tarball was >+ extracted. 
>+ cp qmail-scanner-1.24-st-qms-20041102.patch <path_qm-scanner-1.24> >+ >+5) Change directory to the qmail-scanner-1.24 distribution: >+ cd <path_qm-scanner-1.24> >+ >+6) Patch qmail-scanner-1.24: >+ patch -p1 < qmail-scanner-1.24-st-qms-20041102.patch >+ >+7) Configure qmail-scanner-1.24: >+ >+ To configure qms-monitor support: CONFFILE = qms-config-monitor >+ To disable qms-monitor support: CONFFILE = qms-config >+ >+ Substitute the appropriate config file name above for the place holder >+ CONFFILE in the following directions. >+ >+ >+ a) Edit CONFFILE to insert your domain name, postmaster account name, >+ and local domain list. Also modify other settings of interest including >+ qms-monitor accounts, etc. >+ >+ b) Execute: >+ ./CONFFILE >+ >+ c) if the test configure looks good, install it: >+ ./CONFFILE install >+ >+ Proceed to step 8. >+ >+ d) if the script complains about setuid, execute: >+ ./CONFFILE-cwrapper >+ >+ e) if that works, execute: >+ ./CONFFILE-cwrapper install >+ to install it and follow the "C Wrapper" instructions >+ >+ >+ This sets up qmail-scanner in a qms-analog friendly way. >+ >+ Note: I changed debug to default to disabled in the patch. You can add >+ "--debug=1" as an option to configure to enable it. It gets very >+ large and is of no real use anyway to users. The st --minidebug >+ together with --sa_alt and --sa_debug produce much better debug >+ output anyway. >+ >+8) After successful configuration , if you are using the C-wrapper instead >+ of perl's setuid, follow the directions in the >+ qmail-scanner-1.24/contrib/qmail-scanner-queue.c file - to modify the >+ permissions of qmail-scanner-queue.pl and the perl tag at the top of >+ that file (delete the "-T"). 
>+ >+9) Copy the qmailstats script from the qms-analog distro directory to >+ /var/qmail/bin: >+ cp <qms-analog directory>/qmailstats /var/qmail/bin >+ chmod 0755 /var/qmail/bin/qmailstats >+ >+10) The following log files will need to be rotated or otherwise monitored >+ so they do not grow too large: >+ >+ /var/spool/qmailscan/qmail-queue.log >+ /var/spool/qmailscan/qms-events.log >+ >+ >+ >+B. Building qms-analog and installing it with a new qmailstats script >+--------------------------------------------------------------------- >+ >+1) Become root >+ >+2) cd to the qms-analog directory (wherever you extracted it) >+ >+3) make all >+ >+ >+ >+C. Testing >+---------- >+ >+1) Allow several logs to accumulate in /var/spool/qmailscan/qms-events.log. >+ >+2) Execute: >+ cat /var/spool/qmailscan/qms-events.log | /var/qmail/bin/qms-analog 0 >+ >+ This should dump the qms-analog results to stdout (the shell you ran it >+ from). >+ >+3) If that looks good, execute: >+ /var/qmail/bin/qmailstats >+ >+ This should generate the nightly email to the postmaster including the >+ qms-analog stats at the bottom. >+ >+4) If those two tests pass, you are done! >+ >+ >+ >+D. Using qms-analog >+------------------- >+ >+1) qms-analog reads the log records from stdin. Thus you can pipe the >+ output of "cat /var/spool/qmailscan/qms-events.log" into qms-analog. >+ >+2) qms-analog writes its results to stdout. This can be redirected to >+ a file or viewed on the controlling console. >+ >+3) qms-analog requires the hours-of-history argument which specifies the >+ number of hours of historical stats to compile. >+ You can also pass a second argument, sort-key. This specifies the order >+ of the account based statistics. 
>+ >+ usage: qms-analog hours-of-history <sort-key> >+ >+ hours-of-history (0 - n) hours of history to collect >+ 0 => all records >+ sort-key (optional) sort key for account statistics >+ msgbw (default) msg bandwidth - successful msgs >+ alpha alphanumeric by account name >+ virus number of viruses received >+ saavg Spamassassin avg score >+ sadet Spamassassin msgs detected >+ >+ Some examples: >+ "qms-analog 24" - use only records within the last 24 hours, >+ sort by msg bandwidth >+ "qms-analog 168" - use only records within the last 7 days, >+ sort by msg bandwidth >+ "qms-analog 0" - use all records, sort by msg bandwidth >+ "qms-analog 0 alpha" - use all records, sort alphabetically >+ "qms-analog 0 saavg" - use all records, sort by Spam average score >+ >+4) Although qms-analog is installed as part of the "qmailstats" script, >+ it could easily be invoked from a custom script which could be run >+ from a shell at any time, or as part of the cron daemon's tasks. See >+ "qmailstats" for example usage. 
>+ >+5) Notes on Statistical Output >+ The headings for the account statistics are described below: >+ >+ MsgRx - messages successfully received (not virus, not deleted or >+ quarantined spam) >+ MsgTx - messages successfully transmitted (not virus) >+ %Total - what percent of total successful messages for the mail server >+ (MsgRx + MsgTx) comprises >+ ScanTime - total time in secs that qmail-scanner took to process the >+ messages >+ VirusRx - messages received that were intercepted as containing a virus >+ VirusTx - messages transmited that were intercepted as containing a virus >+ SA-AVG - average Spamassassin score for all messages for this account >+ run through Spamassassin >+ SA-MRK - number of messages for this account marked and delivered by >+ qmail-scanner based on the Spamassassin score >+ SA-DEL - number of messages for this account deleted by qmail-scanner >+ based on the Spamassassin score >+ SA-REJ - number of messages for this account rejected by qmail-scanner >+ based on the Spamassassin score >+ SA-QUA - number of messages for this account quarantined by qmail-scanner >+ based on the Spamassassin score >+ >+ >+E. Notes >+-------- >+ >+If you have any problems, first re-read the directions and make sure you did >+everything as prescribed, and if you are still having a problem, just restore >+the original qmail-scanner-1.24 distribution (we backed it up, right?) and >+configure it as normal. Also, please report problems or suggestions to the >+Sourceforge mailing list or to the appropriate Sourceforge forum at: >+http://sourceforge.net/projects/qms-analog/ >+ >+I try to be very responsive. >+ >+ >+Mark Teel >+mteel@users.sourceforge.net >+ >diff -Naur qmail-scanner-1.25-DISTRO/README-qms-monitor qmail-scanner-1.25-st-qms-20050219/README-qms-monitor >--- qmail-scanner-1.25-DISTRO/README-qms-monitor 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/README-qms-monitor 2004-10-30 11:32:13.000000000 -0500 
>@@ -0,0 +1,146 @@ >+qms-monitor: Local Account Email Activity Monitoring for qmail-scanner >+---------------------------------------------------------------------- >+ >+ >+What Is It? >+----------- >+ >+A patch to the qmail-scanner distro which provides per account email >+monitoring, incoming and outgoing. For accounts specified in the >+qmail-scanner configure script, there will be a corresponding destination >+specified for the monitor copies of all email into or out of that account. >+The destination is a path that will be placed under >+/var/spool/qmailscan/qms-monitor. A cron script is provided to periodically >+move messages from this location to alternate vpopmail account locations, >+if you want to use a normal email client to retrieve and manage the monitored >+mail in unique monitor accounts/domains, or to one unique account/domain. >+Otherwise it will collect in that location until you archive it or delete it. >+ >+ >+ >+Purpose: >+-------- >+ >+Provide a mechanism to specify email addresses and corresponding archive >+locations for local accounts so that ALL incoming and outgoing SMTP mail from >+those accounts is archived for later review. >+ >+ >+ >+Setup (all done as root): >+------------------------- >+ >+1) Edit the qms-monitor-config (or qms-monitor-config-cwrapper) script: >+ >+ NOTE: Before you can accurately set up destinations for your monitored >+ email, you must decide on a monitor strategy (see #6 below). 
>+ >+ Pay particular attention to the following in the script: >+ >+ domain - your primary email domain, where your postmaster >+ account is located >+ admin - your postmaster username, normally "postmaster" >+ local-domains - list all of your local email domains for this qmail >+ server, separated by commas >+ qms-monitor - [yes|no] enable qms-monitor Account Monitoring >+ qms-monitor-accts - list of email accounts to be monitored, separated by >+ commas >+ Example: "acct1@dom2.com,acct2@dom1.com" >+ qms-monitor-dests - list of destination paths for monitored email messages >+ Note 1: locations here will be saved underneath >+ .../qmailscan/qms-monitor; a cron job can later >+ copy from that location to an alternate email >+ domain used for account monitoring. >+ Note 2: each entry in this array corresponds to the >+ email address in the same location of the >+ qms-monitor-accts list above - i.e., >+ qms-monitor-accts[2] msgs get stored at >+ qms-monitor-dests[2] - thus, ORDER DOES MATTER >+ Note 3: DO NOT include a leading "/" on these paths - >+ they will typically be entries that ultimately >+ belong in /home/vpopmail/domains - so start with >+ the domain name. >+ Example: "mon.dom2.com/acct1/Maildir/new,mon.dom1.com/acct2/Maildir/new" >+ >+ The example destination paths in the config scripts provided indicate the >+ proper paths for vpopmail Maildir accounts >+ (<domain>/<account name>/Maildir/new). The account name here should be the >+ monitor account and the domain can be the monitor domain if you are using >+ one, otherwise the existing domain you will create the monitor accounts in. 
>+ >+2) Configure qmail-scanner: >+ >+ For use with setuid: >+ ./qms-config-monitor >+ >+ For use with the qmail-scanner-queue C-wrapper and no setuid: >+ ./qms-config-monitor-cwrapper >+ >+3) If that does not produce errors, install the new perl script: >+ >+ For use with setuid: >+ ./qms-config-monitor install >+ >+ For use with the qmail-scanner-queue C-wrapper and no setuid: >+ ./qms-config-monitor-cwrapper install >+ >+4) Setup version and database (and C-wrapper): >+ >+ For use with setuid: >+ setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z >+ setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g >+ >+ For use with the qmail-scanner-queue C-wrapper and no setuid: >+ (Unset the setuid bit on /var/qmail/bin/qmail-scanner-queue.pl) >+ chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl >+ >+ (Remove the "-T" from the perl signature in >+ /var/qmail/bin/qmail-scanner-queue.pl (first line of the file)) >+ vi /var/qmail/bin/qmail-scanner-queue.pl >+ >+ /var/qmail/bin/qmail-scanner-queue -z >+ /var/qmail/bin/qmail-scanner-queue -g >+ >+ >+***************************************************************************** >+That's it to start archiving all incoming and outgoing email for the accounts >+specified in the config script. But if you want to be able to read/manage the >+email with any email client, a cron job and associated script are required as >+well as the creation of a new email domain(s) and/or accounts to >+store/retrieve/manage the monitored mail. Those optional instructions follow... >+***************************************************************************** >+ >+5) Create Monitor Email Domain(s) and/or Account(s): >+ >+ I suggest adopting a convention like creating a shadow domain for every >+ real email domain, for example if you have domain domain.com, your >+ shadow domain could be monitor.domain.com, if you can control or add >+ domains to your DNS server of record. 
If not, you can just shadow at >+ the account level in your existing domain(s). In this case, if the account >+ of interest is shady@domain.com, you could create an account called >+ monitor.shady@domain.com, and monitor the account from that account. >+ These are just suggestions, bottom line is that you decide on a strategy >+ BEFORE setting up the monitoring domains and/or accounts. If you adopt >+ the convention of providing the destinations in the qms-config-monitor >+ script as starting with the email domain name (no leading '/'), then >+ the cron script below will work right out of the box if your vpopmail >+ is located in /home/vpopmail, otherwise some simple editing of the >+ script is required to get email placed into the proper monitor locations. >+ >+ I will leave it to the QMR guide to describe how new domains and >+ accounts are created... >+ >+6) Copy the cron script to /var/qmail/bin: >+ >+ cp ./qms-monitor-move.sh /var/qmail/bin >+ chmod 700 /var/qmail/bin/qms-monitor-move.sh >+ >+7) Add an entry to the root's cron table so this script will be run (and >+ the monitored mail moved to the proper vpopmail location: >+ >+ crontab -e >+ >+ (Add a line such as: >+ 0-59/5 * * * * /var/qmail/bin/qms-monitor-move.sh >/dev/null >+ to the root's cron table. Save it and it will start running every >+ 5 minutes.) >diff -Naur qmail-scanner-1.25-DISTRO/requeue.html qmail-scanner-1.25-st-qms-20050219/requeue.html >--- qmail-scanner-1.25-DISTRO/requeue.html 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/requeue.html 2005-02-19 06:29:13.000000000 -0600 
>@@ -0,0 +1,42 @@ >+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> >+<html> >+<head> >+<title>qmail-inject</title> >+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> >+ <script language="JavaScript" src="aab.js" type="text/JavaScript"> >+ </script> >+</head> >+ >+<body bgcolor="#FFFFFF"> >+<h2 align="center">How to requeue a quarantined message to the recipient </h2> >+<p> </p> >+<p>I've used this command to send spam messages to my test server during the develop >+ of this options, but it will also be useful if you need to resend a quarantined >+ message to the recipient</p> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ /var/qmail/bin/qmail-inject user@mydomain.com < name_of_the_file >+</PRE></TD> >+ </TR> >+</TABLE> >+<p>The <em>return-path</em> of the resent message will be the user who runs this >+ command, unless you give as first argument: >+<pre><strong> -f</strong><em>remote_user@remote-domain.com</em></pre> >+The order is mandatory. See <em>man qmail-inject</em> for more details.<p></p> >+<p>As <em>qmail-inject</em> is not in your path it is a good idea to make an alias >+ of it.</p> >+<hr> >+<center><a href="READMEpatched.html">Back</a></center> >+Salvatore Toribio<br> >+<script language="JavaScript" type="text/JavaScript"> >+<!-- // Anti-spam address builder >+ mailaddr ('toribio', 'pusc', 'it') >+// --> >+</script> >+<br> >+20031218 >+<p> >+</body> >+</html> >+ >diff -Naur qmail-scanner-1.25-DISTRO/sa-alt.html qmail-scanner-1.25-st-qms-20050219/sa-alt.html >--- qmail-scanner-1.25-DISTRO/sa-alt.html 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/sa-alt.html 2005-02-19 07:33:30.000000000 -0600 
>@@ -0,0 +1,177 @@ >+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> >+<html> >+<head> >+<title>SpamAssassin_alt</title> >+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> >+ <script language="JavaScript" src="aab.js" type="text/JavaScript"> >+ </script> >+</head> >+ >+<body bgcolor="#FFFFFF"> >+<a name="spamd"></a> >+<p>WARNNING: This is not a HOW-TO, this is a HOW-I-DID, so you should do in your >+ own way, using or not the information in this page.</p> >+<hr> >+<h2>1) Spamd configuration</h2> >+<p><em>Spamd</em> is started with the <em>RedHat</em> style script that comes >+ with the <em>SpamAssassin</em> distribution with the following options:</p> >+<P> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ OPTIONS="-d -x -m 5 --max-conn-per-child=5 --socketpath=/var/spool/spamd/spamd -u spamd"</PRE></TD> >+ </TR> >+</TABLE> >+<p>Qmail <em>max smtp incoming connections</em> is set to 20, so I configure the <em>spamd</em> >+children to 25.</p> >+<p>I run <em>spamd</em> in <em>unix-socket</em> mode since from my test over ten thousand mails, >+<em>spamd</em> is 7,8% faster running with <a href="#test"><em>unix-socket</em></a>.</p> >+ >+<p>The user <em>spamd</em> was created in this way:</p> >+<P> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ mkdir /var/spool/spamd >+ groupadd spamd >+ useradd -g spamd -d /var/spool/spamd spamd >+ chown spamd:spamd /var/spool/spamd >+</PRE></TD> >+ </TR> >+</TABLE> >+<p>/etc/mail/spamassassin/local.cf</p> >+<p> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ # This is the right place to customize your installation of SpamAssassin. >+ # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be >+ # tweaked. >+ # >+ ########################################################################### >+ # >+ # Some settings are same as default, but I like to see them... 
>+ >+ required_hits 6.5 >+ dns_available yes >+ >+ # Site-wide files >+ use_bayes 1 >+ bayes_path /var/spool/spamd/bayes >+ bayes_file_mode 0666 >+ bayes_min_ham_num 150 >+ bayes_min_spam_num 150 >+ >+ bayes_auto_learn 1 >+ bayes_auto_learn_threshold_nonspam -0.5 >+ bayes_auto_learn_threshold_spam 11.2 >+ >+ auto_whitelist_path /var/spool/spamd/whitelist >+ auto_whitelist_file_mode 0666 >+ >+ # DCC >+ use_dcc 1 >+ dcc_path /usr/bin/dccproc >+ >+ # My score >+ score NO_DNS_FOR_FROM 2.550 >+ >+ # I trust my bayes database so I modified the score >+ # Don't do this until you have a good database >+ >+ score BAYES_00 0 0 -1.901 -2.1 >+ score BAYES_05 0 0 -0.8 -0.37 >+ score BAYES_20 0 0 -0.6 -0.3 >+ score BAYES_40 0 0 -0.4 -0.2 >+ score BAYES_50 0 0 0.8 0.8 >+ score BAYES_60 0 0 3.1 3.1 >+ score BAYES_80 0 0 3.9 3.9 >+ score BAYES_95 0 0 5.4 5.4 >+ score BAYES_99 0 0 6.2 6.2 >+ >+ score DCC_CHECK 0 1.806 0 3.5 >+ >+ >+ </PRE></TD> >+ </TR> >+</TABLE> >+<p> <a name="logs" id="logs"></a> >+<h2>2) Sample of qmail-queue.log </h2> >+<p> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+Fri, 04 Feb 2005 12:55:32 CET:19447: +++ starting debugging for process 19447 (ppid=19445) by uid=81 >+Fri, 04 Feb 2005 12:55:32 CET:19447: w_c: message size 1256 bytes >+Fri, 04 Feb 2005 12:55:32 CET:19447: w_c: elapsed time from start 0.514413 secs >+Fri, 04 Feb 2005 12:55:32 CET:19447: return-path='marty_horn@wetworks.com.sg', >+ recips='user-1@domain.com,user-2@domain.com' >+Fri, 04 Feb 2005 12:55:32 CET:19447: from='"Marty Horn" <marty_horn@wetworks.com.sg>', >+ subj='New product! 
Cialis soft tabs.', >+ via SMTP from 219.241.47.201 >+Fri, 04 Feb 2005 12:55:32 CET:19447: s_p_d: we have multiple recipient, checking each of them >+Fri, 04 Feb 2005 12:55:32 CET:19447: s_p_d: recipient 'user-1@domain.com', >+ scanners 'sophie_scanner,spamassassin,perlscan_scanner' >+Fri, 04 Feb 2005 12:55:32 CET:19447: sophie: finished scan in 0.023313 secs >+Fri, 04 Feb 2005 12:55:34 CET:19447: SA: REPORT hits = 23.7/6.5 >+ 1.3 SUBJECT_DRUG_GAP_C Subject contains a gappy version of 'cialis' >+ 6.2 BAYES_99 BODY: Bayesian spam probability is 99 to 100% >+ [score: 1.0000] >+ 3.5 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) >+ 0.1 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP >+ [219.241.47.201 listed in combined.njabl.org] >+ 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address >+ [219.241.47.201 listed in dnsbl.sorbs.net] >+ 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist >+ [URIs: gfdgfppp.com] >+ 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist >+ [URIs: gfdgfppp.com] >+ 4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist >+ [URIs: gfdgfppp.com] >+ 0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist >+ [URIs: gfdgfppp.com] >+ 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist >+ [URIs: gfdgfppp.com] >+ 0.2 DRUGS_ERECTILE Refers to an erectile drug >+Fri, 04 Feb 2005 12:55:34 CET:19447: SA: yup, this smells like SPAM - hits=23.7 - rejecting message... >+Fri, 04 Feb 2005 12:55:34 CET:19447: SA: finished scan in 1.623569 secs - hits=23.7 >+Fri, 04 Feb 2005 12:55:34 CET:19447: r_e: QS-1.25st: We have reasons to believe this mail is SPAM >+Fri, 04 Feb 2005 12:55:34 CET:19447: ------ Process 19447/19445 finished. Total of 2.179352 secs >+ </PRE></TD> >+ </TR> >+</TABLE> >+<p> <a name="test" id="test"></a> >+<h2>3) Spamassassin: tcp-server vs. 
unix-socket</h2> >+<p>Test done in a dedicated mailhub:<br> >+HW: Pentium IV 2,4 Ghz, ram 1 Gb, HardDisk SCSI (Adaptec 29160).<br> >+SW: RedHat 7.3, kernel 2.4.26, perl 5.6.1, spamassassin 3.0.2.</p> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ Spamassassin TCP-SERVER mode >+ >+ Average: 2.0614 >+ Median: 1.1995 >+ Std_dev: 3.2359 >+ >+ Spamassassin UNIX-SOCKET mode (faster 7,8%) >+ >+ Average: 1.9124 >+ Median: 1.0033 >+ Std_dev: 2.7514 >+ </PRE></TD> >+ </TR> >+</TABLE> >+<p><hr> >+<center><a href="READMEpatched.html">Back</a></center> >+Salvatore Toribio<br> >+<script language="JavaScript" type="text/JavaScript"> >+<!-- // Anti-spam address builder >+ mailaddr ('toribio', 'pusc', 'it') >+// --> >+</script> >+<br> >+20050204 >+<p> >+</body> >+</html> >diff -Naur qmail-scanner-1.25-DISTRO/scanners_per_domain.html qmail-scanner-1.25-st-qms-20050219/scanners_per_domain.html >--- qmail-scanner-1.25-DISTRO/scanners_per_domain.html 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/scanners_per_domain.html 2005-02-19 07:33:45.000000000 -0600 
>@@ -0,0 +1,169 @@ >+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> >+<html> >+<head> >+<title>Scanners per domain</title> >+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> >+ <script language="JavaScript" src="aab.js" type="text/JavaScript"> >+ </script> >+</head> >+ >+<body bgcolor="#FFFFFF"> >+<h1 align="center">Scanners per domain</h1> >+ >+<p>This feature allows selecting which scanners (and in what order) they are >+ to be run for a domain or even for a user. >+ This is a useful feature in a commercial environment, >+ where the user must pay to have his messages scanned for virus and/or spam. >+ If you are using this feature in a commercial environment or if you just find this >+ software useful, you could consider <a href="#paypal">donating</a> me some money >+ (something between 10 and 100 US $) to my PayPal account using >+ <a href="#paypal">the button at the bottom of this page...</a> (of course, this patch will always >+ be free software). I will be very happy with that and I will send you a email >+ when ever a new version is released.<br> >+ This feature doesn't slows down <em>qmail-scanner</em>.</p> >+ >+<p>When <em>qmail-scanner</em> is being installed the <em>@scanner_array</em> (the array >+ that contains the scanners that will be run) is left empty, and there are two new arrays:</p> >+<blockquote><em>@scanners_installed</em> is the array with all installed scanners >+ in the computer, if you disable <em>$scanners_pd</em> then <em>qmail-scanner</em> will fall to >+ this array. 
Don't modify it unless you really know what you do.<p> >+ >+ <em>@scanners_default</em> if <em>$scanners_pd</em> is enabled <em>qmail-scanner</em> will >+ use this array for the users/domains that don't have a custom >+ scanner_array set in the <em>$scanners_per_domain.txt</em> file.<br> >+ After the installation, you can edit <em>qmail-scanner-queue.pl</em> and set it to <em>none</em> >+ to skip all the scanners, even perlscan, or to whatever you want and is >+ present in <em>@scanners_installed</em>.<br> >+ If you want to skip the scanners only for a particular user/domain >+ set his scanners list to <em>none</em> in the <em>$scanners_per_domain.txt</em> file.<p> >+</blockquote> >+ >+<h2><em>scanners_per_domain.txt</em></h2> >+<p>The user/domain configurations are stored in the file <em>scanners_per_domain.txt</em>, >+ the syntax of this file is:<p> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ domain.com:scanner1,scanner2,scanner3 >+ user1@domain.com:scanner1,scanner2 >+ user2@domain.com:none >+ # >+ domain2.com:none >+ user3@domain2.com:scanner1,scanner2,scanner3 >+ </PRE></TD> >+ </TR> >+</TABLE> >+<p>Lines starting with a '#' or 'space' will be ignored. For the users you have to write >+ the full mail address.</p> >+<p>It is possible to write '<em>sophie</em>' or '<em>sophie_scanner</em>', '<em>clamdscan</em>' or '<em>clamdscan_scanner</em>'...</p> >+<p>You can write '<em>ps</em>' or '<em>perlscanner</em>' instead of '<em>perlscan_scanner</em>' and >+ '<em>sa</em>' instead of '<em>spamassassin</em>'. 
But you must *not* write in this file <em>fast_spamassassin</em> >+ or <em>verbose_spamassassin</em>, >+ that is set in the variable <em>spamc_options</em> (or <em>sa_alt</em>) in the >+ file <em>qmail-scanner-queue.pl</em>.</p> >+<p>Run '<em>/var/qmail/bin/qmail-scanner-queue.pl -p</em>' to generate the db after this file is modified.</p> >+ >+<p>Run '<em>/var/qmail/bin/qmail-scanner-queue.pl -h</em>' to see all the flags.</p> >+ >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ # /var/qmail/bin/qmail-scanner-queue.pl -h >+ >+ >+ qmail-scanner-queue.pl >+ >+ -h - This help >+ -v - show details about this install. >+ Please include in any bug reports. >+ -z - gather virus scanner/DAT versions >+ and cleanup old temp files >+ -g - generate perlscanner database >+ -r - read from perlscanner and >+ >+ -p - generate scanner per domain database >+ -d - display scanner per domain database >+ -s - sort the text file /var/spool/qmailscan/scanners_per_domain.txt >+ (not yet implemented) >+ >+ </PRE></TD> >+ </TR> >+</TABLE> >+ >+<h2>How it works</h2> >+<p>The first thing you must understand is that when there are multiple recipients <em>qmail-scanner</em> >+ will check the message for <em>each</em> recipient (but each scanner runs only once). >+The match is done is this order:</p> >+<blockquote>1) If the variable RELAYCLIENT is set, <em>qmail-scanner</em> tries to match >+ the <em>return-path</em> first and then the <em>domain-return-path</em> against the database. 
>+ If there is a match the <em>@scanner_array</em> is set for this <em>message</em>.<p> >+ 2) If there is not a match or if the RELAYCLIENT is not set, starts the match for >+ <em>each</em> recipient, first the <em>rcpt-to</em> and then the <em>rcpt-to-domain</em>.<p> >+ 3) If there is *not* a match (for the <em>actual</em> recipient) <em>qmail-scanner</em> sets >+ for this recipient the <em>@scanner_array</em> to the <em>@scanners_default</em> array >+ (that could be set to <em>none</em> or not) and runs the scanners.<p> >+ 4) If there is a match the <em>@scanner_array</em> is set to the read value from the <em>scanners_per_domain.txt</em> >+ and then the scanners are run.<p> >+ 5) If there are more recipients return to the third step. >+</blockquote> >+<p>When the <em>@scanner_array</em> is set to <em>none</em> only a <em>recieved header</em> will be added >+ to the message. But if you have a messages with multiple recipients the <em>tag_score</em> >+ will be added to each recipent that has at least one scanner in his <em>@scanner_array</em>, so you >+ will find the <em>spamassassin score</em> in the headers even when the user doesn't have >+ <em>spamassassin</em> in his own array, but the <em>X-Spam-Status</em> is only added for >+ the users that really has <em>spamassassin</em> in their own array.</p> >+<p>The scanners are run only <em>once</em> for a message, if there are multiple recipient (a lot of) >+ <em>qmail-scanner</em> won't slow down running <em>spamassassin</em> many times. 
The results of the >+ scanners are stored in a <em>hash</em> from where be readed for the following recipients of the >+ message.</p> >+ >+<h2>Example</h2> >+<TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ From -> /var/qmail/bin/qmail-scanner-queue.pl >+ >+ my @scanners_installed=("clamdscan_scanner","sophie_scanner","spamassassin","perlscan_scanner"); >+ my @scanners_default=("perlscan_scanner"); >+ >+ >+ From -> /var/spool/qmailscan/scanners_per_domain.txt >+ >+ domain.com:sophie,clamdscan,sa,ps >+ tizio@domain.com:sa,ps >+ caio@domain.com:clamdscan,sa,ps >+ sempronio@domain.com:none >+ # >+ otherdomain.com:none >+ jsmith@otherdomain.com:sophie,sa,ps >+ jdoe@otherdomain.com:sa,ps >+ </PRE></TD> >+ </TR> >+</TABLE> >+ >+<p>Che fatica...</p> >+<a name="paypal"></a><hr> >+<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> >+<TABLE> >+<TR><TD VALIGN="center"> >+<input type="hidden" name="cmd" value="_s-xclick">To make a donation through Paypal click on this button >+</TD><TD VALIGN="center"> >+<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but21.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!"> >+<input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----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-----END PKCS7----- >+"></TD></TR> >+</TABLE> >+</form> >+<hr> >+<center><a href="READMEpatched.html">Back</a></center> >+Salvatore Toribio<br> >+<script language="JavaScript" type="text/JavaScript"> >+<!-- // Anti-spam address builder >+ mailaddr ('toribio', 'pusc', 'it') >+// --> >+</script> >+<br> >+20040809 >+<p> >+</body> >+</html> >+ >diff -Naur qmail-scanner-1.25-DISTRO/scanners_per_domain.txt qmail-scanner-1.25-st-qms-20050219/scanners_per_domain.txt >--- qmail-scanner-1.25-DISTRO/scanners_per_domain.txt 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/scanners_per_domain.txt 2005-02-19 06:29:13.000000000 -0600 
>@@ -0,0 +1,43 @@ >+##################################################################### >+# File: scanners_per_domain.txt >+# >+# This file contains the scanners that will be run >+# for "each" user/domain that match the db, if there isn't a >+# match qmail-scanner will fall to the @scanners_default array, >+# this array could be set to @scanners_default=('none') if by default >+# you don't want to run any scanner (see below) >+# >+# The scanners will be run in the "same order" as you write them >+# >+# Format user@domain.com:scanner1,scanner2 >+# user2@domain.com:none >+# domain.com:scanner1,scanner2,scanner3 >+# domain2.com:none >+# user3@domain2.com:scanner1,scanner2,scanner3 >+# >+# The full address will be checked first >+# >+# It is possible to write 'sophie' or 'sophie_scanner', >+# 'clamdscan' or 'clamdscan_scanner'... >+# >+# You can write 'ps' or 'perlscanner' instead of 'perlscan_scanner' and >+# 'sa' instead of 'spamassassin' >+# >+# You must not write in this file fast_spamassassin or verbose_spamassassin, >+# that is set in the variable spamc_options (or sa_alt) in the >+# file qmail-scanner-queue.pl >+# >+# Setting the scanners to 'none' qmail-scanner will just unpack the message >+# and then send it to qmail-queue >+# >+# Lines starting with a '#' or 'space' will be ignored >+# >+# Run '/var/qmail/bin/qmail-scanner-queue.pl -p' to generate the db >+# >+# Run '/var/qmail/bin/qmail-scanner-queue.pl -d' to display the db >+# >+# Run '/var/qmail/bin/qmail-scanner-queue.pl -s' to rebuild this >+# file in alphabetic order, the original file will be renamed >+# >+##################################################################### >+# >diff -Naur qmail-scanner-1.25-DISTRO/sss qmail-scanner-1.25-st-qms-20050219/sss >--- qmail-scanner-1.25-DISTRO/sss 2004-10-19 22:00:43.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sss 1969-12-31 18:00:00.000000000 -0600 
>@@ -1,95 +0,0 @@ >-sub spamassassin { >- #Only run SA if mail is from a "remote" SMTP client, or QS_SPAMASSASSIN >- #is defined via tcpserver... >- if (defined($ENV{'RELAYCLIENT'}) && !defined($ENV{'QS_SPAMASSASSIN'})) { >- &debug("spamassassin: don't scan as RELAYCLIENT implies this was sent by a local user"); >- return; >- } >- #SpamAssassin client scanner >- my ($spamassassin_found,$spamassassin_status); >- my ($start_spamassassin_time)=[gettimeofday]; >- my ($sa_tag,$DD,$stop_spamassassin_time,$spamassassin_time,$cmdline_recip,$sa_fast); >- my ($sa_status)=0; >- my ($sa_score)=0; my ($sa_max)=0; >- >- if ($msg_size > 250000) { >- &debug("spamassassin: message too big - skip it"); >- $sa_score=$sa_max="?"; >- $tag_score .= "SA:0($sa_score/$sa_max):"; >- $sa_comment = "No, hits=$sa_score required=$sa_max" if ($sa_fast); >- return; >- } >- >- #Cleanup $one_recip so it's usable from the commandline... >- #any char that isn't supported to changed into an '_' >- ($cmdline_recip=$one_recip)=~s/[^0-9a-z\.\_\-\=\+\@]/_/gi; >- $cmdline_recip=~/^([0-9a-z\.\_\-\=\+\@]+)$/i; >- $cmdline_recip=tolower($1); >- >- $sa_fast=1 if ($spamc_options =~ /\-c /); >- $spamc_options="$spamc_options -u \"$cmdline_recip\"" if ($cmdline_recip ne ""); >- &debug("SA: run $spamc_binary $spamc_options < $scandir/$wmaildir/new/$file_id"); >- open(SIN,"<$scandir/$wmaildir/new/$file_id")||&error_condition("cannot open $scandir/$wmaildir/new/$file_id - $!"); >- open(SOUT,"|$spamc_binary $spamc_options > $scandir/$wmaildir/new/$file_id.spamc")||&error_condition("cannot open for write $scandir/$wmaildir/new/$file_id.spamc - $!"); >- >- print SOUT "X-Envelope-From: $headers{'MAILFROM'}\n"; >- while (<SIN>) { >- print SOUT; >- } >- close(SIN)||&error_condition("cannot close $scandir/$wmaildir/new/$file_id - $!"); >- close SOUT; >- $spamassassin_status=($? 
>> 8); >- $sa_status=$spamassassin_status if ($sa_fast); >- open(SA,"<$scandir/$wmaildir/new/$file_id.spamc")||&error_condition("cannot open for read $scandir/$wmaildir/new/$file_id.spamc - $!"); >- while (<SA>) { >- if ($sa_fast) { >- chomp; >- ($sa_score,$sa_max)=split(/\//,$_,2); >- $sa_tag++; >- last; >- } else { >- #X-Spam-Status: No, hits=2.8 required=5.0 >- if (/^X-Spam-Status: (Yes|No), (hits|score)=(-?[\d\.]*) required=([\d\.]*)/) { >- $sa_tag++; >- $sa_status=1 if ($1 eq "Yes"); >- $sa_score=$3;$sa_max=$4; >- } >- } >- } >- close SA ; >- >- $sa_score='?' if (!$sa_score); >- $sa_max='?' if (!$sa_max); >- >- if (!$sa_fast && -s "$scandir/$wmaildir/new/$file_id.spamc" && $spamassassin_status == 0) { >- &debug("SA: overwriting $scandir/$wmaildir/new/$file_id with $scandir/$wmaildir/new/$file_id.spamc"); >- rename ("$scandir/$wmaildir/new/$file_id.spamc","$scandir/$wmaildir/new/$file_id"); >- } else { >- unlink("$scandir/$wmaildir/new/$file_id.spamc"); >- } >- if ($sa_max > $sa_score || ($sa_score == 0)) { >- $tag_score .= "SA:0($sa_score/$sa_max):"; >- $sa_comment = "No, hits=$sa_score required=$sa_max" if ($sa_fast); >- } else { >- $tag_score .= "SA:1($sa_score/$sa_max):"; >- $sa_comment = "Yes, hits=$sa_score required=$sa_max" if ($sa_fast); >- &debug("SA: yup, this smells like SPAM"); >- } >- if ($sa_score > 0) { >- $sa_score=int($sa_score); >- #Keep it RFC compliant >- $sa_score=100 if ($sa_score > 100); >- my $si=0; >- if ($sa_fast) { >- while ($si < $sa_score) { >- $si++; >- $sa_level .= $sa_symbol; >- } >- } >- } >- $stop_spamassassin_time=[gettimeofday]; >- $spamassassin_time = tv_interval ($start_spamassassin_time, $stop_spamassassin_time); >- &debug("spamassassin: finished scan of dir \"$ENV{'TMPDIR'}\" in $spamassassin_time secs"); >-} >- >- >diff -Naur qmail-scanner-1.25-DISTRO/sub-attachments.pl qmail-scanner-1.25-st-qms-20050219/sub-attachments.pl >--- qmail-scanner-1.25-DISTRO/sub-attachments.pl 2004-08-02 21:37:04.000000000 -0500 >+++ 
qmail-scanner-1.25-st-qms-20050219/sub-attachments.pl 2005-02-19 06:29:13.000000000 -0600 >@@ -10,15 +10,18 @@ > if (/^\-\-\- Below this line is a copy of the message/) { > $indicates_attachments += 2; > &debug("c_a_g: found hidden MIME attachment") if ($indicates_attachments == 2); >+ &minidebug("c_a_g: found hidden MIME attachment") if ($indicates_attachments == 2); > } > #This finds BinHex attachments > if (/^\(This file must be converted with BinHex/) { > $indicates_attachments += 2; > &debug("c_a_g: found hidden BinHex attachment") if ($indicates_attachments == 2); >+ &minidebug("c_a_g: found hidden BinHex attachment") if ($indicates_attachments == 2); > } > my ($begin,$perms,$uufile,$uuextension,$uulength,$uuencoded_attachments,$begin_content); > if (/^(begin) ([0-9][0-9][0-9]) (.*)\n$/) { > &debug("Ooohhhh, a uuencoded attachment!"); >+ &minidebug("Ooohhhh, a uuencoded attachment!"); > #Better reset this message back to potentially having attachments > $plain_text_msg=0; > $uuencoded_attachments++; >@@ -35,6 +38,7 @@ > #Ensure the filelength isn't too large! > if ( $uulength > $MAX_FILE_LENGTH) { > &debug("uudecode output: gah! filename is > $MAX_FILE_LENGTH (actually $uulength), chopping..."); >+ &minidebug("uudecode output: gah! filename is > $MAX_FILE_LENGTH (actually $uulength), chopping..."); > $uufile=substr($uufile,0,$MAX_FILE_LENGTH).".".$uuextension; > } > return if (!$uudecode_binary); >diff -Naur qmail-scanner-1.25-DISTRO/sub-avp.pl qmail-scanner-1.25-st-qms-20050219/sub-avp.pl >--- qmail-scanner-1.25-DISTRO/sub-avp.pl 2004-04-19 23:20:01.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-avp.pl 2005-02-19 07:34:47.000000000 -0600 >@@ -1,3 +1,4 @@ >+ > sub avp_scanner { > #Kaspersky AVPLinux scanner > &debug("kasp: starting scan of directory \"$ENV{'TMPDIR'}\"..."); 
>@@ -26,6 +27,8 @@ > $quarantine_description=$3; > } > &debug("There be a $destring! ($quarantine_description)"); >+ &minidebug("kasp: there be a virus! ($quarantine_description)"); >+ &eventlog("AVPAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="AVP:".substr($quarantine_event,0,$QE_LEN); > } else { >@@ -39,4 +42,5 @@ > &debug("Deleting enviroment \$TEMP"); > delete $ENV{'TEMP'}; > &debug("kasp: finished scan of dir \"$ENV{'TMPDIR'}\" in $avp_time secs"); >+ &minidebug("kasp: finished scan in $avp_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-bitdefender.pl qmail-scanner-1.25-st-qms-20050219/sub-bitdefender.pl >--- qmail-scanner-1.25-DISTRO/sub-bitdefender.pl 2004-06-02 18:13:40.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-bitdefender.pl 2005-02-19 06:29:13.000000000 -0600 >@@ -1,3 +1,4 @@ >+ > sub bitdefender_scanner { > #BitDefender Linux scanner > &debug("bitdefender: starting scan of directory \"$ENV{'TMPDIR'}\"..."); >@@ -20,6 +21,7 @@ > $quarantine_description=$3; > $quarantine_description=~s/^\s+//g; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("bitdefender: there be a virus! ($quarantine_description)"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="BITDEFENDER:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---bitdefender results ---\n$DD"; 
>@@ -35,4 +37,5 @@ > $stop_bitdefender_time=[gettimeofday]; > $bitdefender_time = tv_interval ($start_bitdefender_time, $stop_bitdefender_time); > &debug("bitdefender: finished scan of dir \"$ENV{'TMPDIR'}\" in $bitdefender_time secs"); >+ &minidebug("bitdefender: finished scan in $bitdefender_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-clamdscan.pl qmail-scanner-1.25-st-qms-20050219/sub-clamdscan.pl >--- qmail-scanner-1.25-DISTRO/sub-clamdscan.pl 2004-10-17 20:40:36.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-clamdscan.pl 2005-02-19 07:34:57.000000000 -0600 >@@ -1,3 +1,4 @@ >+ > sub clamdscan_scanner { > #Clamdscan scanner > &debug("clamdscan: starting scan of directory \"$ENV{'TMPDIR'}\"..."); >@@ -19,6 +20,8 @@ > if ($eclamdscan_status == 1 && $DD =~ /\:\s(.*)\sFOUND$/m) { > $quarantine_description=$+; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("clamdscan: there be a virus! ($quarantine_description)"); >+ &eventlog("CLAMAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="CLAMDSCAN:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---clamdscan results ---\n$DD"; >@@ -32,6 +35,8 @@ > if ($DD =~ /Recursion limit exceeded/) { > $quarantine_description="Resource attack - $1"; > &debug("clamdscan: $quarantine_description"); >+ &minidebug("clamdscan: $quarantine_description"); >+ &eventlog("CLAMAV:$quarantine_description"); > $quarantine_event="CLAMDSCAN:Resource_attack"; > $description .= "\n---clamdscan results ---\n$DD"; > } elsif ($clamdscan_status > 0) { 
>@@ -48,4 +53,5 @@ > $stop_clamdscan_time=[gettimeofday]; > $clamdscan_time = tv_interval ($start_clamdscan_time, $stop_clamdscan_time); > &debug("clamdscan: finished scan of dir \"$ENV{'TMPDIR'}\" in $clamdscan_time secs"); >+ &minidebug("clamdscan: finished scan in $clamdscan_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-clamscan.pl qmail-scanner-1.25-st-qms-20050219/sub-clamscan.pl >--- qmail-scanner-1.25-DISTRO/sub-clamscan.pl 2004-04-19 23:04:15.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-clamscan.pl 2005-02-19 07:35:06.000000000 -0600 >@@ -19,6 +19,8 @@ > if ($eclamscan_status == 1 && $DD =~ /\:\s(.*)\sFOUND$/m) { > $quarantine_description=$+; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("clamscan: there be a virus! ($quarantine_description)"); >+ &eventlog("CLAMAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="CLAMSCAN:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---clamscan results ---\n$DD"; >@@ -30,6 +32,8 @@ > if ($DD =~ /Recursion limit exceeded/) { > $quarantine_description="Resource attack - $1"; > &debug("clamscan: $quarantine_description"); >+ &minidebug("clamscan: $quarantine_description"); >+ &eventlog("CLAMAV:$quarantine_description"); > $quarantine_event="CLAMSCAN:Resource_attack"; > $description .= "\n---clamscan results ---\n$DD"; > } elsif ($clamscan_status > 0) { >@@ -41,4 +45,5 @@ > $stop_clamscan_time=[gettimeofday]; > $clamscan_time = tv_interval ($start_clamscan_time, $stop_clamscan_time); > &debug("clamscan: finished scan of dir \"$ENV{'TMPDIR'}\" in $clamscan_time secs"); >+ &minidebug("clamscan: finished scan in $clamscan_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-csav.pl qmail-scanner-1.25-st-qms-20050219/sub-csav.pl >--- qmail-scanner-1.25-DISTRO/sub-csav.pl 2004-04-19 22:59:50.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-csav.pl 2005-02-19 07:35:15.000000000 -0600 
>@@ -17,6 +17,8 @@ > if ($DD =~ / Infection: (.*)/) { > $quarantine_description=$1; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("csav_scanner: there be a virus! ($quarantine_description)"); >+ &eventlog("CSAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="CSAV:".substr($quarantine_event,0,$QE_LEN); > } >@@ -24,4 +26,5 @@ > $stop_csav_time=[gettimeofday]; > $csav_time = tv_interval ($start_csav_time, $stop_csav_time); > &debug("csav_scanner: finished scan of dir \"$ENV{'TMPDIR'}\" in $csav_time secs"); >+ &minidebug("csav_scanner: finished scan in $csav_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-fprot.pl qmail-scanner-1.25-st-qms-20050219/sub-fprot.pl >--- qmail-scanner-1.25-DISTRO/sub-fprot.pl 2004-04-19 23:05:02.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-fprot.pl 2005-02-19 07:35:23.000000000 -0600 >@@ -20,6 +20,8 @@ > $quarantine_description=$+; > $quarantine_description=~s/^\s+//g; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("fprot: there be a virus! ($quarantine_description)"); >+ &eventlog("FPROTAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="FPROT:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---fprot results ---\n$DD"; >@@ -36,4 +38,5 @@ > $stop_fprot_time=[gettimeofday]; > $fprot_time = tv_interval ($start_fprot_time, $stop_fprot_time); > &debug("fprot: finished scan of dir \"$ENV{'TMPDIR'}\" in $fprot_time secs"); >+ &minidebug("fprot: finished scan in $fprot_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-fsecure.pl qmail-scanner-1.25-st-qms-20050219/sub-fsecure.pl >--- qmail-scanner-1.25-DISTRO/sub-fsecure.pl 2004-04-19 23:24:41.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-fsecure.pl 2005-02-19 07:36:04.000000000 -0600 
>@@ -23,6 +23,8 @@ > } > $quarantine_description=~s/^\s+//g; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("fsecure: there be a virus! ($quarantine_description)"); >+ &eventlog("FSECUREAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="FSEC:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---fsecure results ---\n$DD"; >@@ -40,4 +42,5 @@ > $stop_fsecure_time=[gettimeofday]; > $fsecure_time = tv_interval ($start_fsecure_time, $stop_fsecure_time); > &debug("fsecure: finished scan of dir \"$ENV{'TMPDIR'}\" in $fsecure_time secs"); >+ &minidebug("fsecure: finished scan in $fsecure_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-hbedv.pl qmail-scanner-1.25-st-qms-20050219/sub-hbedv.pl >--- qmail-scanner-1.25-DISTRO/sub-hbedv.pl 2004-04-19 22:57:07.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-hbedv.pl 2005-02-19 07:36:12.000000000 -0600 >@@ -16,6 +16,8 @@ > if ($DD =~ /^\s+ALERT:\s+\[([^\]]+)/m || $DD =~ /(VIRUS.*)$/m) { > $quarantine_description=$1; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("hbedv: there be a virus! ($quarantine_description)"); >+ &eventlog("HBEDVAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="HBEDV:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---hbedv results ---\n$DD"; >@@ -33,5 +35,6 @@ > $stop_hbedv_time=[gettimeofday]; > $hbedv_time = tv_interval ($start_hbedv_time, $stop_hbedv_time); > &debug("hbedv: finished scan of dir \"$ENV{'TMPDIR'}\" in $hbedv_time secs"); >+ &minidebug("hbedv: finished scan in $hbedv_time secs"); > } > >diff -Naur qmail-scanner-1.25-DISTRO/sub-inocucmd.pl qmail-scanner-1.25-st-qms-20050219/sub-inocucmd.pl >--- qmail-scanner-1.25-DISTRO/sub-inocucmd.pl 2004-04-19 23:21:50.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-inocucmd.pl 2005-02-19 07:36:18.000000000 -0600 
>@@ -14,6 +14,8 @@ > if ( $einocucmd_status == 100 && $DD =~ /.*infected\sby\svirus\s(.*)\s/m ) { > $quarantine_description=$1; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("inocucmd: there be a virus! ($quarantine_description)"); >+ &eventlog("INNOCAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="INOC:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n$DD\n"; >@@ -25,6 +27,7 @@ > $stop_inocucmd_time=[gettimeofday]; > $inocucmd_time = tv_interval ($start_inocucmd_time, $stop_inocucmd_time); > &debug("inocucmd: finished scan of dir \"$ENV{'TMPDIR'}\" in $inocucmd_time secs"); >+ &minidebug("inocucmd: finished scan in $inocucmd_time secs"); > } > > >diff -Naur qmail-scanner-1.25-DISTRO/sub-iscan.pl qmail-scanner-1.25-st-qms-20050219/sub-iscan.pl >--- qmail-scanner-1.25-DISTRO/sub-iscan.pl 2004-04-19 23:22:11.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-iscan.pl 2005-02-19 07:36:25.000000000 -0600 >@@ -15,6 +15,8 @@ > if ( $DD =~ /\*\*\*\s+Found(.*) in file/m ) { > $quarantine_description=$1; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("iscan: there be a virus! ($quarantine_description)"); >+ &eventlog("ISCANAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="ISCAN:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---iscan results ---\n$DD"; >@@ -25,4 +27,5 @@ > $stop_iscan_time=[gettimeofday]; > $iscan_time = tv_interval ($start_iscan_time, $stop_iscan_time); > &debug("iscan: finished scan of dir \"$ENV{'TMPDIR'}\" in $iscan_time secs"); >+ &minidebug("iscan: finished scan in $iscan_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-nod32.pl qmail-scanner-1.25-st-qms-20050219/sub-nod32.pl >--- qmail-scanner-1.25-DISTRO/sub-nod32.pl 2004-08-10 16:56:28.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-nod32.pl 2005-02-19 06:29:13.000000000 -0600 
>@@ -14,6 +14,7 @@ > if ($DD =~ /infected(.*)$/m) { > $quarantine_description=$1; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("nod32: there be a virus! ($quarantine_description)"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="nod32:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---nod32 results ---\n$DD"; >@@ -26,4 +27,5 @@ > $stop_nod32_time=[gettimeofday]; > $nod32_time = tv_interval ($start_nod32_time, $stop_nod32_time); > &debug("nod32: finished scan of dir \"$ENV{'TMPDIR'}\" in $nod32_time secs"); >+ &minidebug("nod32: finished scan in $nod32_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-patch-st.pl qmail-scanner-1.25-st-qms-20050219/sub-patch-st.pl >--- qmail-scanner-1.25-DISTRO/sub-patch-st.pl 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/sub-patch-st.pl 2005-02-19 07:37:27.000000000 -0600 
>@@ -0,0 +1,256 @@ >+ >+################################################# >+# Subroutines added by ST >+################################################# >+ >+sub minidebug { >+ my $dnowtime = strftime("%a, %d %b %Y %H:%M:%S %Z", localtime(time)); >+ print LOG "$dnowtime:$nprocess: ",@_,"\n" if ($MINIDEBUG && !$DEBUG); >+} >+ >+sub close_log { >+ ($sec,$min,$hour,$mday,$mon,$year) = localtime(time); >+ >+ &debug("--- all finished. Total of ",tv_interval ($start_time, [gettimeofday])," secs"); >+ &minidebug("------ Process $nprocess finished. Total of ",tv_interval ($start_time, [gettimeofday])," secs"); >+ close(LOG); >+} >+ >+sub reject_email { >+ my ($exit_string,$exit_code)=@_; >+ $exit_code=111 if (!$exit_code); >+ >+ # st: tell qmail-smtpd why the message is rejected, >+ # so it can be written to the qmail-smtpd log >+ warn "$V_HEADER-$VERSION: $exit_string\n" if ($MINIDEBUG <= 2); >+ warn "$nppid QS-$VERSION: $exit_string\n" if ($MINIDEBUG > 2); >+ >+ &debug("r_e: $V_HEADER-$VERSION: $exit_string"); >+ &minidebug("r_e: $V_HEADER-$VERSION: $exit_string") if ($MINIDEBUG <= 2); >+ &minidebug("r_e: QS-$VERSION: $exit_string") if ($MINIDEBUG > 2); >+ >+ &cleanup; >+ >+ &close_log; >+ exit $exit_code; >+} >+ >+############################################## >+# st: SCANNERS PER DOMAIN routines >+############################################## >+ >+sub start_scanners { >+ my($e_sender,$f_recips,$msg)=@_; >+ $sa_rcpt='0'; >+ >+ # Now, start the scanners! 
>+ &init_scanners if ($scanner_array[0] ne "none"); >+ >+ # st: if the message is marked to delete skip the mailing routines >+ if (!$del_message) { >+ if ($quarantine_event && ($scanner_array[0] ne "none")) { >+ &debug("unsetting TCPREMOTEIP env var"); >+ delete $ENV{'TCPREMOTEIP'}; >+ #Reset locale back to original >+ $ENV{'LC_ALL'}=$orig_locale; >+ if ($sa_forward ne "" && $quarantine_event =~/spam/i && $description !~/potential virus/i) { >+ if ($sa_fwd_verbose) { >+ $sa_hdr_report='1' if ($sa_alt && $sa_debug && $sa_report); >+ &qmail_parent_check; >+ &qmail_requeue($e_sender,"T$sa_forward\0\0",$msg); >+ } else { >+ open (SF,"$qmailinject -f$returnpath $sa_forward < $msg|")||&error_condition("cannot run $qmailinject -f$returnpath $sa_forward < $msg - $!"); >+ close SF ; >+ } >+ # st: forward the messages just once.. >+ $sa_rcpt='0'; >+ $sa_forward=''; >+ } >+ &email_quarantine_report; >+ } else { >+ # qms-monitor invocation >+ if ($qms_monitor_enabled) >+ { >+ &qms_monitor("$scandir/$wmaildir/new/$file_id"); >+ } >+ &qmail_parent_check; >+ &qmail_requeue($e_sender,$f_recips,$msg); >+ } >+ } >+} >+ >+sub scanners_p_d { >+ my (%domain_scanners,@scanners_rcpt_array,%seen,$scanners_array); >+ >+ &debug("s_p_d: reading from $scanners_per_domain.db"); >+ tie (%domain_scanners,'DB_File',"$scanners_per_domain.db",O_RDONLY, 0600, $DB_HASH) || &error_condition("cannot open $scanners_per_domain.db - $!"); >+ >+ # Check if we have a match within the database >+ # Check order: >+ # 1) return-path >+ # 2) domain-return-path >+ # 3) for each recipient: recipient, domain-recipient >+ if ((exists $domain_scanners{$returnpath}) && (defined($ENV{'RELAYCLIENT'}))) { >+ @scanner_array=split(/,/,$domain_scanners{"$returnpath"}); >+ &debug("s_p_d: return-path '$returnpath', scanners '$domain_scanners{$returnpath}'"); >+ &minidebug("s_p_d: return-path '$returnpath', scanners '$domain_scanners{$returnpath}'"); >+ } >+ elsif ((exists $domain_scanners{$domain_returnpath}) && 
(defined($ENV{'RELAYCLIENT'}))) { >+ @scanner_array=split(/,/,$domain_scanners{$domain_returnpath}); >+ &debug("s_p_d: domain-return-path match '$domain_returnpath', scanners '$domain_scanners{$domain_returnpath}'"); >+ &minidebug("s_p_d: domain-return-path match '$domain_returnpath', scanners '$domain_scanners{$domain_returnpath}'"); >+ } >+ elsif ($one_recip && (exists $domain_scanners{$one_recip})) { >+ @scanner_array=split(/,/,$domain_scanners{$one_recip}); >+ &debug("s_p_d: rcpt '$one_recip', scanners '$domain_scanners{$one_recip}'"); >+ &minidebug("s_p_d: rcpt '$one_recip', scanners '$domain_scanners{$one_recip}'"); >+ } >+ elsif ($one_recip && (exists $domain_scanners{$domain_one_recip})) { >+ @scanner_array=split(/,/,$domain_scanners{$domain_one_recip}); >+ &debug("s_p_d: domain_rcpt '$domain_one_recip', scanners '$domain_scanners{$domain_one_recip}'"); >+ &minidebug("s_p_d: domain_rcpt '$domain_one_recip', scanners '$domain_scanners{$domain_one_recip}'"); >+ } >+ elsif (!$one_recip) { >+ &debug("s_p_d: we have multiple recipient, checking each of them"); >+ &minidebug("s_p_d: we have multiple recipient, checking each of them"); >+ my @mrecips=split(',',$recips); >+ my $mrcpt=''; >+ my $domain_mrcpt=''; >+ my %m_rcpt; >+ foreach $mrcpt(@mrecips) { >+ $mrcpt=tolower($mrcpt); >+ $domain_mrcpt=$mrcpt; >+ $domain_mrcpt=~ s/^(.*)\@(.*)$/$2/; >+ if (exists $domain_scanners{$mrcpt}) { >+ @scanner_array=split(/,/,$domain_scanners{$mrcpt}); >+ } >+ elsif (exists $domain_scanners{$domain_mrcpt}) { >+ @scanner_array=split(/,/,$domain_scanners{$domain_mrcpt}); >+ } else { >+ @scanner_array=@scanners_default; >+ } >+ @scanner_array=&check_scanners(@scanner_array); >+ $m_rcpt{$mrcpt}=join(',',@scanner_array); >+ } >+ untie %domain_scanners; >+ while( ($one_recip,$scanners_array)=each %m_rcpt) { >+ &debug("s_p_d: recipient '$one_recip', scanners '$scanners_array'"); >+ &minidebug("s_p_d: recipient '$one_recip', scanners '$scanners_array'"); >+ 
@scanner_array=split(',',$scanners_array); >+ &start_scanners($env_returnpath,"T$one_recip\0\0","$scandir/$wmaildir/new/$file_id"); >+ # st: maybe I had to change this if I will ever do sa per user config... >+ last if ($del_message); >+ } >+ return; >+ } else { >+ @scanner_array=@scanners_default; >+ &debug("s_p_d: no match, falling to the scanners_default"); >+ &minidebug("s_p_d: no match, falling to the scanners_default"); >+ } >+ # if no multiples recipients >+ untie %domain_scanners; >+ @scanner_array=&check_scanners(@scanner_array); >+ &start_scanners($env_returnpath,$env_recips,"$scandir/$wmaildir/new/$file_id"); >+} >+ >+sub generate_spd { >+ my ($line,$count,%domain_scanners,$match_rcpt,$scanners_rcpt,@scanners_rcpt_array,%seen); >+ >+ print "\n Generating $scanners_per_domain.db\n\n"; >+ >+ unlink ("$scanners_per_domain.db.tmp"); >+ tie (%domain_scanners,'DB_File',"$scanners_per_domain.db.tmp",O_CREAT|O_RDWR,0640,$DB_HASH) || &error_condition("cannot open for write $scanners_per_domain.db.tmp - $!"); >+ #tie (%domain_scanners,'DB_File',"$scanners_per_domain.db.tmp",O_CREAT|O_RDWR,0640,$DB_BTREE) || &error_condition("cannot open for write $scanners_per_domain.db.tmp - $!"); >+ >+ open(SPD, "<$scanners_per_domain.txt") ||&error_condition("cannot read $scanners_per_domain.txt - $!");; >+ >+ while (<SPD>) { >+ $line++; >+ next if (/^\#|^\s.*$/); # Ignore lines starting with # or spaces >+ next if (!(/:/)); # Ignore lines doesn't contain a ':' >+ if (/\;|\!/) { >+ print "d_w: line $line contains an invalid char, SKIP\n"; >+ next; >+ } >+ chomp; >+ s/\s|\t//g; >+ ($match_rcpt,$scanners_rcpt)=split(/:/,$_); >+ $match_rcpt=tolower("$match_rcpt"); >+ $scanners_rcpt=tolower("$scanners_rcpt"); >+ >+ if (exists $domain_scanners{$match_rcpt}) { >+ print " d_w: duplicated value '$match_rcpt' at line $line, SKIP \n"; >+ next; >+ } >+ >+ >+ # Let check if the scanner are really installed, >+ # change 'sa' and 'ps' for the correct name, and >+ # add _scanner to the AVs 
scanners >+ >+ @scanners_rcpt_array=split(/,/,$scanners_rcpt); >+ foreach (@scanners_rcpt_array) { >+ s/^sa$/spamassassin/; >+ s/^ps$/perlscan/; >+ s/^perlscanner$/perlscan/; >+ s/^(.*)$/$1_scanner/ if((!/spamassassin/) && (!/_scanner/) && (!/^none$/)); >+ } >+ >+ # Check if the scanners are installed >+ @scanners_rcpt_array=&check_scanners(@scanners_rcpt_array); >+ >+ $scanners_rcpt = join(',',@scanners_rcpt_array); >+ >+ # Check if at least we have one valid scanner >+ >+ if (@scanners_rcpt_array==0) { >+ print " d_w: There are no valid scanner for address '$match_rcpt' at line $line, SKIP\n"; >+ next; >+ } >+ $count++; >+ # print " address: $match_rcpt / scanner: $scanners_rcpt\n"; >+ $domain_scanners{$match_rcpt}=$scanners_rcpt; >+ } >+ close(SPD); >+ untie %domain_scanners; >+ rename( "$scanners_per_domain.db.tmp", "$scanners_per_domain.db" ); >+ print "\n Read $line lines, got $count entries\n\n"; >+} >+ >+ >+sub read_spd { >+ my ($count,%domain_scanners,$match_rcpt,$scanners_rcpt); >+ $count=0; >+ >+ print "\n Reading from $scanners_per_domain.db\n\n"; >+ #tie (%domain_scanners,'DB_File',"$scanners_per_domain.db",O_RDONLY, 0600, $DB_BTREE) || &error_condition("cannot open for write $scanners_per_domain.db - $!");; >+ tie (%domain_scanners,'DB_File',"$scanners_per_domain.db",O_RDONLY, 0600, $DB_HASH) || &error_condition("cannot open for write $scanners_per_domain.db - $!");; >+ >+ foreach(sort keys %domain_scanners) { >+ print " $_ : $domain_scanners{$_}\n"; >+ $count++; >+ } >+ >+ untie %domain_scanners; >+ print "\n d_w: total of $count entries found\n\n"; >+} >+ >+ >+sub check_scanners { >+ # Check against the installed scanners >+ my @scanners_to_check=@_; >+ return @scanners_to_check if ($scanners_to_check[0] eq "none"); >+ my %seen=(); >+ foreach (@scanners_installed) { >+ $seen{$_}=1; >+ } >+ >+ @scanners_to_check=grep($seen{$_},@scanners_to_check); >+ return @scanners_to_check; >+} >+ >+ >+################################################# >+# END of 
subroutines added by ST >+################################################# >+ >diff -Naur qmail-scanner-1.25-DISTRO/sub-ravlin.pl qmail-scanner-1.25-st-qms-20050219/sub-ravlin.pl >--- qmail-scanner-1.25-DISTRO/sub-ravlin.pl 2003-09-28 19:17:22.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-ravlin.pl 2005-02-19 07:37:49.000000000 -0600 >@@ -21,18 +21,23 @@ > if ($DD =~ ?$scandir.* Infected: (.*)$?m) { > $quarantine_description=$1; > &debug("ravlin_scanner: There be a virus! ($quarantine_description)"); >+ &minidebug("ravlin_scanner: There be a virus! ($quarantine_description)"); >+ &eventlog("RAVLINAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="RAV:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---ravlin results ---\n$DD"; > } else { > &debug("ravlin_scanner: Whoops! Found a virus - but no description!"); >+ &minidebug("ravlin_scanner: Whoops! Found a virus - but no description!"); > &error_condition("unknown Ravlin scanner virus found but not described - exit status $ravlin_status"); > } > } else { > &debug("ravlin_scanner: Whoops! Something went wrong - requeue"); >+ &minidebug("ravlin_scanner: Whoops! Something went wrong - requeue"); > &error_condition("corrupt or unknown Ravlin scanner error or memory/resource/perms problem - exit status $ravlin_status"); > } > $stop_ravlin_time=[gettimeofday]; > $ravlin_time = tv_interval ($start_ravlin_time, $stop_ravlin_time); > &debug("ravlin_scanner: finished scan of dir \"$ENV{'TMPDIR'}\" in $ravlin_time secs"); >+ &minidebug("ravlin_scanner: finished scan in $ravlin_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-sophie.template qmail-scanner-1.25-st-qms-20050219/sub-sophie.template >--- qmail-scanner-1.25-DISTRO/sub-sophie.template 2004-05-03 20:21:31.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-sophie.template 2005-02-19 06:29:13.000000000 -0600 
>@@ -1,3 +1,4 @@ >+ > sub sophie_scanner { > #Sophie scanner modification > use IO::Socket; >@@ -13,6 +14,7 @@ > > if(!(socket(\*ssock, AF_UNIX, SOCK_STREAM, 0))) { > &debug("Couldn\'t create sophie socket SSOCKET \($!\)\n"); >+ &minidebug("Couldn\'t create sophie socket SSOCKET \($!\)\n"); > &error_condition("Couldn\'t create sophie socket SSOCKET \($!\)\n"); > } > >@@ -21,6 +23,7 @@ > sleep(5); > if(!(connect(\*ssock, pack_sockaddr_un "SSOCKET"))) { > &debug("Couldn\'t connect\(\) to the sophie socket SSOCKET \($!\)\n"); >+ &minidebug("Couldn\'t connect\(\) to the sophie socket SSOCKET \($!\)\n"); > &error_condition("Couldn\'t connect\(\) to the sophie socket SSOCKET \($!\)\n"); > } > } >@@ -41,6 +44,7 @@ > } > > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("sophie: there be a virus! ($quarantine_description)"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="SOPHIE:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---sophie results ---\n"; >@@ -54,4 +58,5 @@ > $stop_sophie_time=[gettimeofday]; > $sophie_time = tv_interval ($start_sophie_time, $stop_sophie_time); > &debug("sophie: finished scan of dir \"$ENV{'TMPDIR'}\" in $sophie_time secs"); >+ &minidebug("sophie: finished scan in $sophie_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-spamassassin.pl qmail-scanner-1.25-st-qms-20050219/sub-spamassassin.pl >--- qmail-scanner-1.25-DISTRO/sub-spamassassin.pl 2004-10-18 19:58:17.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-spamassassin.pl 2005-02-19 07:41:34.000000000 -0600 
>@@ -1,22 +1,33 @@ >+ > sub spamassassin { > #Only run SA if mail is from a "remote" SMTP client, or QS_SPAMASSASSIN > #is defined via tcpserver... > if (defined($ENV{'RELAYCLIENT'}) && !defined($ENV{'QS_SPAMASSASSIN'})) { > &debug("spamassassin: don't scan as RELAYCLIENT implies this was sent by a local user"); >+ &minidebug("SA: don't scan as RELAYCLIENT implies this was sent by a local user"); >+ return; >+ } >+ if ( $SA_SKIP_MD ne "0" && $returnpath eq "" && $headers{'from'} =~ /mailer-daemon|postmaster|bounce/i ) { >+ &debug("SA: skipping message from MAILER-DAEMON"); >+ &minidebug("SA: skipping message from MAILER-DAEMON"); > return; > } >+ > #SpamAssassin client scanner >- my ($spamassassin_found,$spamassassin_status); >+ #my ($spamassassin_found,$spamassassin_status); >+ my ($spamassassin_status); > my ($start_spamassassin_time)=[gettimeofday]; >- my ($sa_tag,$DD,$stop_spamassassin_time,$spamassassin_time,$cmdline_recip,$sa_fast); >+ my ($sa_tag,$DD,$cmdline_recip,$sa_fast,$sa_score); > my ($sa_status)=0; >- my ($sa_score)=0; my ($sa_max)=0; >+ ($sa_score,$required_hits)=('0','0'); >+ ($sa_comment,$sa_level)=('',''); > > if ($msg_size > 250000) { > &debug("spamassassin: message too big - skip it"); >- $sa_score=$sa_max="?"; >- $tag_score .= "SA:0($sa_score/$sa_max):"; >- $sa_comment = "No, hits=$sa_score required=$sa_max" if ($sa_fast); >+ &minidebug("SA: message too big ($msg_size) - skip it"); >+ $sa_score=$required_hits="?"; >+ $tag_score .= "SA:0($sa_score/$required_hits):"; >+ $sa_comment = "No, hits=$sa_score required=$required_hits"; > return; > } 
> >@@ -44,22 +55,22 @@ > while (<SA>) { > if ($sa_fast) { > chomp; >- ($sa_score,$sa_max)=split(/\//,$_,2); >+ ($sa_score,$required_hits)=split(/\//,$_,2); > $sa_tag++; > last; > } else { > #X-Spam-Status: No, hits=2.8 required=5.0 > if (/^X-Spam-Status: (Yes|No), (hits|score)=(-?[\d\.]*) required=([\d\.]*)/) { >- $sa_tag++; >- $sa_status=1 if ($1 eq "Yes"); >- $sa_score=$3;$sa_max=$4; >+ $sa_tag++; >+ $sa_status=1 if ($1 eq "Yes"); >+ $sa_score=$3;$required_hits=$4; > } > } > } > close SA ; > > $sa_score='?' if (!$sa_score); >- $sa_max='?' if (!$sa_max); >+ $required_hits='?' if (!$required_hits); > > if (!$sa_fast && -s "$scandir/$wmaildir/new/$file_id.spamc" && $spamassassin_status == 0) { > &debug("SA: overwriting $scandir/$wmaildir/new/$file_id with $scandir/$wmaildir/new/$file_id.spamc"); 
>@@ -67,29 +78,207 @@ > } else { > unlink("$scandir/$wmaildir/new/$file_id.spamc"); > } >- if ($sa_max > $sa_score || ($sa_score == 0)) { >- $tag_score .= "SA:0($sa_score/$sa_max):"; >- $sa_comment = "No, hits=$sa_score required=$sa_max" if ($sa_fast); >+ >+ # st: new routine to avoid duplicate code, so a shorter code... >+ &check_sa_score($sa_score,$sa_fast,$start_spamassassin_time); >+} >+ >+################################################# >+# Spamassassin subroutine added by ST >+################################################# >+ >+sub spamassassin_alt { >+ # st: Alternative routine for spamassassin, lighter and can logs the report... >+ >+ #Only run SA if mail is from a "remote" SMTP client, or QS_SPAMASSASSIN >+ #is defined via tcpserver... >+ if (defined($ENV{'RELAYCLIENT'}) && !defined($ENV{'QS_SPAMASSASSIN'})) { >+ &debug("spamassassin: don't scan as RELAYCLIENT implies this was sent by a local user"); >+ &minidebug("SA: don't scan as RELAYCLIENT implies this was sent by a local user"); >+ return; >+ } >+ if ( $SA_SKIP_MD ne "0" && $returnpath eq "" && $headers{'from'} =~ /mailer-daemon|postmaster|bounce/i ) { >+ &debug("SA: skipping message from MAILER-DAEMON"); >+ &minidebug("SA: skipping message from MAILER-DAEMON"); >+ return; >+ } >+ >+ #SpamAssassin client scanner >+ my ($start_spamassassin_time)=[gettimeofday]; >+ my ($sa_tag,$spamassassin_status,$sa_score); >+ my ($sa_status)=0; >+ ($sa_score,$required_hits)=('0','0'); >+ ($sa_comment,$sa_level)=('',''); >+ $sa_report=''; >+ my $sa_fast=1; >+ >+ if ($msg_size > 250000) { >+ &debug("spamassassin: message too big - skip it"); >+ &minidebug("SA: message too big - skip it"); >+ $sa_score=$required_hits="?"; >+ $tag_score .= "SA:0($sa_score/$required_hits):"; >+ $sa_comment = "No, hits=$sa_score required=$required_hits"; >+ return; >+ } >+ >+ if ( $sa_debug eq "1" ) { >+ $spamc_options=" -R "; >+ } else { >+ $spamc_options=" -c "; >+ } >+ >+ ######################################################### >+ 
# st: uncomment these lines if you need to use >+ # 'spamassassin sql per user' settings. >+ # >+ #my ($cmdline_recip); >+ #($cmdline_recip=$one_recip)=~s/[^0-9a-z\.\_\-\=\+\@]/_/gi; >+ #$cmdline_recip=~/^([0-9a-z\.\_\-\=\+\@]+)$/i; >+ #$cmdline_recip=tolower($1); >+ #$spamc_options="$spamc_options -u \"$cmdline_recip\"" if ($cmdline_recip ne ""); >+ ######################################################### >+ >+ open(SA,"$spamc_binary $spamc_options < $scandir/$wmaildir/new/$file_id|")||&error_condition("cannot run $spamc_binary < $scandir/$wmaildir/new/$file_id - $!"); >+ while (<SA>) { >+ if (!$sa_tag) { >+ chomp; >+ ($sa_score,$required_hits)=split(/\//,$_,2); >+ # Clean some invalid returns from SA v.2.5x >+ $required_hits =~ s/\r//g; >+ chomp $required_hits; >+ $sa_tag=1; >+ next; >+ } >+ if ( $sa_tag<2 ) { >+ $sa_tag=2 if (/^---- ---------------------- --------------------------------------------------$/); >+ next; >+ } >+ #if ( /^(\s|-)\d(\.|\d)\d\s[A-Z].*$/ || /^\s(\s|-)\d\d\s[A-Z].*$/ ) { >+ $sa_report .= " $_" if ( !/^$/ || !/^\s$/ ); >+ #} >+ } >+ >+ # Clean some invalid returns from SA v.2.5x >+ $sa_report =~ s/\r/\n/g; >+ chomp $sa_report; >+ $sa_report = '' if ($sa_report =~ /\n\n/ ); >+ >+ $spamassassin_status=($? >> 8); >+ $sa_status=$spamassassin_status if ($spamc_options =~ /\s\-c/); >+ >+ close SA ; >+ >+ $sa_score='?' if (!$sa_score); >+ $required_hits='?' if (!$required_hits); >+ >+ &debug("SA: REPORT hits = $sa_score/$required_hits\n$sa_report") if ( $sa_debug && $sa_report ); >+ &minidebug("SA: REPORT hits = $sa_score/$required_hits\n$sa_report") if ( $sa_debug && $sa_report ); >+ &eventlog("- - -:SCORE:REQ:QRTN:DEL:REJ"); >+ &eventlog("SPAM-RESULT:$sa_score:$required_hits:$sa_quarantine:$sa_delete:$sa_reject"); >+ >+ # st: new routine to avoid duplicate code, so a shorter code... 
>+ &check_sa_score($sa_score,$sa_fast,$start_spamassassin_time); >+} >+ >+sub check_sa_score { >+ my ($sa_score,$sa_fast,$start_spamassassin_time)=@_ ; >+ my ($stop_spamassassin_time,$spamassassin_time); >+ >+ if ($required_hits > $sa_score || ($sa_score == 0) || ($sa_score eq "\?")) { >+ $tag_score .= "SA:0($sa_score/$required_hits):"; >+ $sa_comment = "No, hits=$sa_score required=$required_hits"; > } else { >- $tag_score .= "SA:1($sa_score/$sa_max):"; >- $sa_comment = "Yes, hits=$sa_score required=$sa_max" if ($sa_fast); >- &debug("SA: yup, this smells like SPAM"); >- } >+ $tag_score .= "SA:1($sa_score/$required_hits):"; >+ $sa_comment = "Yes, hits=$sa_score required=$required_hits" if ($sa_fast); >+ >+ # If sa_quarantine/sa_delete are set, then compare them to the current score and >+ # quarantine/delete it if necessary, >+ # otherwise tag the message as spam. >+ >+ # Control the values of sa_delete and sa_quarantine >+ if ($sa_delete && ($sa_quarantine>$sa_delete)) { >+ &debug("SA: WARNING, sa_delete is lower than sa_quarantine, spam could be quarantined, but not deleted"); >+ &minidebug("SA: WARNING, sa_delete is lower than sa_quarantine, spam could be quarantined, but not deleted"); >+ &eventlog("---- WARN: sa_delete < sa_quarantine => setting sa_delete = 0"); >+ $sa_delete='0'; >+ } >+ >+ if ( $sa_delete && (($sa_delete+$required_hits)<$sa_score)) { >+ if ( $sa_reject) { >+ &debug("SA: yup, this smells like SPAM - hits=$sa_score - rejecting message..."); >+ &minidebug("SA: yup, this smells like SPAM - hits=$sa_score - rejecting message..."); >+ &eventlog("SPAM-DETECT:REJECT"); >+ $stop_spamassassin_time=[gettimeofday]; >+ $spamassassin_time = tv_interval ($start_spamassassin_time, $stop_spamassassin_time); >+ &debug("SA: finished scan of dir \"$ENV{'TMPDIR'}\" in $spamassassin_time secs"); >+ &minidebug("SA: finished scan in $spamassassin_time secs - hits=$sa_score"); >+ &reject_email("We have reasons to believe this mail is SPAM",31); >+ } else { >+ # st: 
mark the message to delete it >+ $del_message='1'; >+ # st: maybe these three lines are useful for those who wants the 'log_details'... >+ # But if the message is rejected nothing remains >+ $destring="problem"; >+ $quarantine_description="SPAM exceeds \"delete\" threshold - hits=$sa_score/$required_hits"; >+ $quarantine_event="SA:SPAM-DELETE"; >+ &debug("SA: yup, this smells like SPAM - hits=$sa_score - deleting message..."); >+ &minidebug("SA: yup, this smells like SPAM - hits=$sa_score - deleting message..."); >+ &eventlog("SPAM-DETECT:DELETE"); >+ $description .= "\n---spamassassin results ---\n$destring '$quarantine_description'\n found in message $ENV{'TMPDIR'}"; >+ } >+ } else { >+ if ( $sa_quarantine && (($sa_quarantine+$required_hits)<$sa_score)) { >+ $destring="problem"; >+ $quarantine_description="SPAM exceeds \"quarantine\" threshold - hits=$sa_score/$required_hits"; >+ $quarantine_event="SA:SPAM-QUARANTINE"; >+ &debug("SA: yup, this smells like SPAM - hits=$sa_score - quarantining message..."); >+ &minidebug("SA: yup, this smells like SPAM - hits=$sa_score - quarantining message..."); >+ &eventlog("SPAM-DETECT:QUARANTINE"); >+ $description .= "\n---spamassassin results ---\n$destring '$quarantine_description'\n found in message $ENV{'TMPDIR'}"; >+ } else { >+ >+ #st: if $spamc_subjec and $sa_delta are set, add in the subject the spam-level >+ if ($spamc_subject ne "" && $sa_delta) { >+ if ($sa_score < ($required_hits+$sa_delta)) { >+ $spamc_subject .= " LOW * "; >+ } elsif ($sa_score > ($required_hits+(2 * $sa_delta))) { >+ $spamc_subject .= " HIGH * "; >+ } else { >+ $spamc_subject .= " MEDIUM * "; >+ } >+ } >+ &debug("SA: yup, this smells like SPAM - hits=$sa_score - tagging message..."); >+ &minidebug("SA: yup, this smells like SPAM - hits=$sa_score - tagging message..."); >+ &eventlog("SPAM-DETECT:MARK"); >+ } >+ } >+ } >+ >+ $sa_hits=$sa_score; > if ($sa_score > 0) { > $sa_score=int($sa_score); > #Keep it RFC compliant > $sa_score=100 if 
($sa_score > 100); > my $si=0; >- if ($sa_fast) { >+ if ($sa_fast || $sa_alt) { > while ($si < $sa_score) { >- $si++; >- $sa_level .= $sa_symbol; >+ $si++; >+ $sa_level .= $sa_symbol; > } > } > } >+ > $stop_spamassassin_time=[gettimeofday]; > $spamassassin_time = tv_interval ($start_spamassassin_time, $stop_spamassassin_time); >- &debug("spamassassin: finished scan of dir \"$ENV{'TMPDIR'}\" in $spamassassin_time secs"); >+ >+ &debug("SA: required_hits $required_hits / sa_quarantine +$sa_quarantine / sa_delete +$sa_delete") if ($sa_quarantine || $sa_delete); >+ &minidebug("SA: required_hits $required_hits / sa_quarantine +$sa_quarantine / sa_delete +$sa_delete") if ($sa_quarantine || $sa_delete); >+ >+ &debug("SA: finished scan of dir \"$ENV{'TMPDIR'}\" in $spamassassin_time secs"); >+ &minidebug("SA: finished scan in $spamassassin_time secs - hits=$sa_hits"); > } > >+################################################# >+# END of Spamassassin subroutines added by ST >+################################################# > >diff -Naur qmail-scanner-1.25-DISTRO/sub-sweep.template qmail-scanner-1.25-st-qms-20050219/sub-sweep.template >--- qmail-scanner-1.25-DISTRO/sub-sweep.template 2004-04-19 22:55:13.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-sweep.template 2005-02-19 06:29:13.000000000 -0600 >@@ -21,6 +21,7 @@ > $quarantine_description=$2; > } > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("sweep: there be a virus! ($quarantine_description)"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="SWEEP:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---sweep results ---\n$DD"; 
>@@ -38,4 +39,5 @@ > $stop_sweep_time=[gettimeofday]; > $sweep_time = tv_interval ($start_sweep_time, $stop_sweep_time); > &debug("sweep: finished scan of dir \"$ENV{'TMPDIR'}\" in $sweep_time secs"); >+ &minidebug("sweep: finished scan in $sweep_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-trophie.template qmail-scanner-1.25-st-qms-20050219/sub-trophie.template >--- qmail-scanner-1.25-DISTRO/sub-trophie.template 2004-05-03 20:22:15.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-trophie.template 2005-02-19 06:29:13.000000000 -0600 >@@ -10,6 +10,7 @@ > > if(!(socket(\*tsock, AF_UNIX, SOCK_STREAM, 0))) { > &debug("Couldn\'t create trophie socket TSOCKET \($!\)\n"); >+ &minidebug("Couldn\'t create trophie socket TSOCKET \($!\)\n"); > &error_condition("Couldn\'t create trophie socket TSOCKET \($!\)\n"); > } > >@@ -18,6 +19,7 @@ > sleep(5); > if(!(connect(\*tsock, pack_sockaddr_un "TSOCKET"))) { > &debug("Couldn\'t connect\(\) to the trophie socket TSOCKET \($!\)\n"); >+ &minidebug("Couldn\'t connect\(\) to the trophie socket TSOCKET \($!\)\n"); > &error_condition("Couldn\'t connect\(\) to the trophie socket TSOCKET \($!\)\n"); > } > } >@@ -38,6 +40,7 @@ > } > > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("trophie: there be a virus! ($quarantine_description)"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="TROPHIE:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---trophie results ---\n"; 
>@@ -51,4 +54,5 @@ > $stop_trophie_time=[gettimeofday]; > $trophie_time = tv_interval ($start_trophie_time, $stop_trophie_time); > &debug("trophie: finished scan of dir \"$ENV{'TMPDIR'}\" in $trophie_time secs"); >+ &minidebug("trophie: finished scan in $trophie_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-uvscan.pl qmail-scanner-1.25-st-qms-20050219/sub-uvscan.pl >--- qmail-scanner-1.25-DISTRO/sub-uvscan.pl 2004-04-19 22:53:49.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-uvscan.pl 2005-02-19 07:41:44.000000000 -0600 >@@ -15,6 +15,8 @@ > if ($DD =~ /^\s+Found(.*)$/m) { > $quarantine_description=$1; > &debug("There be a virus! ($quarantine_description)"); >+ &minidebug("uvscan: there be a virus! ($quarantine_description)"); >+ &eventlog("UVSCANAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="UVSCAN:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---uvscan results ---\n$DD"; >@@ -30,4 +32,5 @@ > $stop_uvscan_time=[gettimeofday]; > $uvscan_time = tv_interval ($start_uvscan_time, $stop_uvscan_time); > &debug("uvscan: finished scan of dir \"$ENV{'TMPDIR'}\" in $uvscan_time secs"); >+ &minidebug("uvscan: finished scan in $uvscan_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/sub-vexira.pl qmail-scanner-1.25-st-qms-20050219/sub-vexira.pl >--- qmail-scanner-1.25-DISTRO/sub-vexira.pl 2004-09-26 19:15:48.000000000 -0500 >+++ qmail-scanner-1.25-st-qms-20050219/sub-vexira.pl 2005-02-19 07:41:53.000000000 -0600 >@@ -17,6 +17,8 @@ > if ($DD =~ /^\s+ALERT: \[([^\]]+)\]/m) { > $quarantine_description=$1; > &debug("vexira_scanner: There be a virus! ($quarantine_description)"); >+ &minidebug("vexira_scanner: there be a virus! ($quarantine_description)"); >+ &eventlog("VEXIRAV:$quarantine_description"); > ($quarantine_event=$quarantine_description)=~s/\s/_/g; > $quarantine_event="VEX:".substr($quarantine_event,0,$QE_LEN); > $description .= "\n---vexira results ---\n$DD"; 
>@@ -29,6 +31,7 @@ > if ($DD =~ /WARNING: archive not completely scanned: (contents exceed \d+ (levels of recursion|bytes))/) { > $quarantine_description="Resource attack - $1"; > &debug("vexira_scanner: $quarantine_description"); >+ &eventlog("VEXIRAV:$quarantine_description"); > $quarantine_event="VEX:Resource_attack"; > $description .= "\n---vexira results ---\n$DD"; > } elsif ($vexira_status > 0) { >@@ -39,4 +42,5 @@ > $stop_vexira_time=[gettimeofday]; > $vexira_time = tv_interval ($start_vexira_time, $stop_vexira_time); > &debug("vexira_scanner: finished scan of dir \"$ENV{'TMPDIR'}\" in $vexira_time secs"); >+ &minidebug("vexira_scanner: finished scan in $vexira_time secs"); > } >diff -Naur qmail-scanner-1.25-DISTRO/testingreject.html qmail-scanner-1.25-st-qms-20050219/testingreject.html >--- qmail-scanner-1.25-DISTRO/testingreject.html 1969-12-31 18:00:00.000000000 -0600 >+++ qmail-scanner-1.25-st-qms-20050219/testingreject.html 2005-02-19 06:29:13.000000000 -0600 
>@@ -0,0 +1,206 @@ >+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> >+<html> >+<head> >+<title>Testing Rejecting Spam</title> >+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> >+ <script language="JavaScript" src="aab.js" type="text/JavaScript"> >+ </script> >+</head> >+ >+<body bgcolor="#FFFFFF"> >+<h1 align="center"> Testing "Rejecting spam mail"</h1> >+ >+<h2>1. Without modifying the source of qmail.c </h2> >+ >+<p>I've sent a spam message from <em>remote_server</em> (1.1.1.1) running <em>qmail</em> >+ to <em>my_server</em> (2.2.2.2) running <em>qmail</em> with <em>qmail-scanner-1.20st</em>, >+ This is what I see in the logs:</p> >+<p><TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ [root@remote_server root]# /var/qmail/bin/qmail-inject -ftoribio@tin.it tori@myserver.it < mess2 >+ >+ [root@remote_server root]# tail -f /var/log/qmail/current >+ 2003-12-07 16:37:12 new msg 81932 >+ 2003-12-07 16:37:12 info msg 81932: bytes 2811 from <toribio@tin.it> qp 27067 uid 0 >+ 2003-12-07 16:37:12 starting delivery 6425: msg 81932 to remote tori@myserver.it >+ 2003-12-07 16:37:12 status: local 0/10 remote 1/20 >+ 2003-12-07 16:37:13 delivery 6425: failure: 2.2.2.2_failed_after_I_sent_the_message./ >+ Remote_host_said:_554_mail_server_permanently_rejected_message_(#5.3.0)/ >+ 2003-12-07 16:37:13 status: local 0/10 remote 0/20 >+ 2003-12-07 16:37:13 bounce msg 81932 qp 27069 >+ 2003-12-07 16:37:13 end msg 81932 >+ >+ 2003-12-07 16:37:13 new msg 81934 >+ 2003-12-07 16:37:13 info msg 81934: bytes 3400 from <> qp 27069 uid 85 >+ 2003-12-07 16:37:13 starting delivery 6426: msg 81934 to remote toribio@tin.it >+ 2003-12-07 16:37:13 status: local 0/10 remote 1/20 >+ 2003-12-07 16:37:13 delivery 6426: success: 62.211.72.32_accepted_message./ >+ Remote_host_said:_250_<3FD30FD100073E63>_Mail_accepted/ >+ 2003-12-07 16:37:13 status: local 0/10 remote 0/20 >+ 2003-12-07 16:37:13 end msg 81934 >+ >+ ............... 
>+ >+ [root@my_server root]# tail -f /var/log/qmail/smtpd/current >+ 2003-12-07 16:37:12 tcpserver: status: 1/10 >+ 2003-12-07 16:37:12 tcpserver: pid 31143 from 1.1.1.1 >+ 2003-12-07 16:37:13 tcpserver: ok 31143 0:2.2.2.2:25 remote_server.it:1.1.1.1::37797 >+ 2003-12-07 16:37:13 X-Antivirus-PUSC-1.20: We have reasons to believe this mail is SPAM >+ 2003-12-07 16:37:13 tcpserver: end 31143 status 0 >+ 2003-12-07 16:37:13 tcpserver: status: 0/10 >+ ............... >+ >+ [root@myserver root]# tail -f /var/spool/qmailscan/qmail-queue.log >+ 07/12/2003 16:37:13:31144: +++ starting debugging for process 31144 by uid=81 >+ 07/12/2003 16:37:13:31144: w_c: elapsed time from start 0.005233 secs >+ 07/12/2003 16:37:13:31144: return-path='toribio@tin.it', recips='tori@myserver.it' >+ 07/12/2003 16:37:13:31144: from='"Ollie Hammer" <312olprcx@qwest.com>', >+ subj='Re:Secrets Of Real Estate Investing pxqicbyu mf', via SMTP from 1.1.1.1 >+ 07/12/2003 16:37:13:31144: p_s: finished scan in 0.006952 secs >+ 07/12/2003 16:37:13:31144: sophie: finished scan in 0.026474 secs >+ 07/12/2003 16:37:13:31144: SA: yup, this smells like SPAM - rejecting message... >+ 07/12/2003 16:37:13:31144: r_e: X-Antivirus-PUSC-1.20: We have reasons to believe this mail is SPAM >+ 07/12/2003 16:37:13:31144: ------ all finished. Total of 0.280166 secs >+ </PRE></TD> >+ </TR> >+</TABLE> >+ >+<p>The remote user (if he is real) will receive this bounce:</p> >+<p><TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ Date: 7 Dec 2003 15:37:13 -0000 >+ 
From: MAILER-DAEMON@remote_server.it >+ To: toribio@tin.it >+ Subject: failure notice >+ >+ Hi. This is the qmail-send program at remote_server.it. >+ I'm afraid I wasn't able to deliver your message to the following addresses. >+ This is a permanent error; I've given up. Sorry it didn't work out. >+ >+ <tori@myserver.it>: >+ 2.2.2.2 failed after I sent the message. >+ Remote host said: 554 mail server permanently rejected message (#5.3.0) >+ (...... skip......) >+ </PRE></TD> >+ </TR> >+</TABLE> >+ >+<p> </p> >+<h2>2. After modifying the source of qmail.c</h2> >+<p><TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ [root@remote_server root]# /var/qmail/bin/qmail-inject -ftoribio@tin.it tori@myserver.it < mess2 >+ >+ [root@remote_server root]# tail -f /var/log/qmail/current >+ 2003-12-07 17:42:11 new msg 81932 >+ 2003-12-07 17:42:11 info msg 81932: bytes 2811 from <toribio@tin.it> qp 27337 uid 0 >+ 2003-12-07 17:42:11 starting delivery 16: msg 81932 to remote tori@myserver.it >+ 2003-12-07 17:42:11 status: local 0/10 remote 1/20 >+ 2003-12-07 17:42:12 delivery 16: failure: 2.2.2.2_failed_after_I_sent_the_message./ >+ Remote_host_said:_554_We_have_reasons_to_believe_this_mail_is_SPAM_(#5.7.1)/ >+ 2003-12-07 17:42:12 status: local 0/10 remote 0/20 >+ 2003-12-07 17:42:12 bounce msg 81932 qp 27339 >+ 2003-12-07 17:42:12 end msg 81932 >+ >+ 2003-12-07 17:42:12 new msg 81934 >+ 2003-12-07 17:42:12 info msg 81934: bytes 3404 from <> qp 27339 uid 85 >+ 2003-12-07 17:42:12 starting delivery 17: msg 81934 to remote toribio@tin.it >+ 2003-12-07 17:42:12 status: local 0/10 remote 1/20 >+ 2003-12-07 17:42:13 delivery 17: success: 62.211.72.32_accepted_message./ >+ Remote_host_said:_250_<3FD0DD3E005B3510>_Mail_accepted/ >+ 2003-12-07 17:42:13 status: local 0/10 remote 0/20 >+ 2003-12-07 17:42:13 end msg 81934 >+ >+ ............... 
>+ >+ [root@my_server root]# tail -f /var/log/qmail/smtpd/current >+ 2003-12-07 17:42:12.477504500 tcpserver: status: 1/10 >+ 2003-12-07 17:42:12.477632500 tcpserver: pid 1005 from 1.1.1.1 >+ 2003-12-07 17:42:12.479646500 tcpserver: ok 1005 0:2.2.2.2:25 remote_server.it:1.1.1.1::51193 >+ 2003-12-07 17:42:13.540254500 X-Antivirus-PUSC-1.20: We have reasons to believe this mail is SPAM >+ 2003-12-07 17:42:13.595452500 tcpserver: end 1005 status 0 >+ 2003-12-07 17:42:13.595458500 tcpserver: status: 0/10 >+ ............... >+ >+ [root@myserver root]# tail -f /var/spool/qmailscan/qmail-queue.log >+ 07/12/2003 17:42:13:1006: +++ starting debugging for process 1006 by uid=81 >+ 07/12/2003 17:42:13:1006: w_c: elapsed time from start 0.005277 secs >+ 07/12/2003 17:42:13:1006: return-path='toribio@tin.it', recips='tori@myserver.it' >+ 07/12/2003 17:42:13:1006: from='"Ollie Hammer" <312olprcx@qwest.com>', >+ subj='Re:Secrets Of Real Estate Investing pxqicbyu mf', via SMTP from 1.1.1.1 >+ 07/12/2003 17:42:13:1006: p_s: finished scan in 0.006884 secs >+ 07/12/2003 17:42:13:1006: sophie: finished scan in 0.026429 secs >+ 07/12/2003 17:42:13:1006: SA: yup, this smells like SPAM - hits=9.3 - rejecting message... >+ 07/12/2003 17:42:13:1006: r_e: X-Antivirus-PUSC-1.20: We have reasons to believe this mail is SPAM >+ 07/12/2003 17:42:13:1006: ------ all finished. Total of 0.284837 secs >+ </PRE></TD> >+ </TR> >+</TABLE> >+ >+<p>The remote user (if he is real) will receive this bounce:</p> >+<p><TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ Date: 7 Dec 2003 16:42:12 -0000 >+ 
From: MAILER-DAEMON@remote_server.it >+ To: toribio@tin.it >+ Subject: failure notice >+ >+ Hi. This is the qmail-send program at remote_server.it. >+ I'm afraid I wasn't able to deliver your message to the following addresses. >+ This is a permanent error; I've given up. Sorry it didn't work out. >+ >+ <tori@myserver.it>: >+ 2.2.2.2 failed after I sent the message. >+ Remote host said: 554 We have reasons to believe this mail is SPAM (#5.7.1) >+ (...... skip......) >+ </PRE></TD> >+ </TR> >+</TABLE> >+ >+<p>This is a very nice bounce messages from SIMS (a good old mail server for Macintosh)</p> >+<p><TABLE BORDER="0" BGCOLOR="#EEEEEE" WIDTH="100%"> >+ <TR> >+ <TD><PRE> >+ Subject: Undeliverable mail: Re:Secrets Of Real Estate Inves >+ From: MAILER-DAEMON@remote_server2.it >+ To: 312olprcx@qwest.com >+ Date: Mon, 08 Dec 2003 17:48:51 +0100 >+ Message-Id: <AUTOS.0000066148-66149@remote_server2.it> >+ X-Mailer: Stalker Internet Mail Server 1.8b8js >+ MIME-Version: 1.0 >+ Content-Type: multipart/report; report-type=delivery-status; >+ boundary="_=receipt=_=66149=_" >+ >+ --_=receipt=_=66149=_ >+ Content-Type: text/plain >+ >+ Failed to deliver your message to tori@myserver.it: >+ SMTP: The letter body is rejected by host >+ Host '2.2.2.2' says: >+ 554 We have reasons to believe this mail is SPAM (#5.7.1) >+ (...... skip......) >+ </PRE></TD> >+ </TR> >+</TABLE> >+<p> </p> >+<hr> >+<p>NOTE: I've had noticed that a <em>qmail</em> server always close the connection >+ when it receives a 5xx code, but other servers keep the connection open for >+ 10-15 seconds. </p> >+<hr> >+<center><a href="READMEpatched.html">Back</a></center> >+Salvatore Toribio<br> >+<script language="JavaScript" type="text/JavaScript"> >+<!-- // Anti-spam address builder >+ mailaddr ('toribio', 'pusc', 'it') >+// --> >+</script> >+<br> >+20031218 >+<p> >+</body> >+</html>
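Review bot: In the vexira hunk at @@ -29,6 +31,7 @@, the added &eventlog("VEXIRAV:$quarantine_description"); call uses the prefix VEXIRAV: while the next line sets $quarantine_event="VEX:Resource_attack", so one detection is recorded under two different tags. If the event log is meant to be parsed by a reporting tool, use one prefix for both or add a comment explaining the difference. The interpolated text is limited to what the regex captures in $1 (contents exceed \d+ (levels of recursion|bytes)), so no free-form scanner output reaches the log on this path; keep it that way if the match is ever widened.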
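Review bot: In the vexira hunk at @@ -39,4 +42,5 @@, the added &minidebug("vexira_scanner: finished scan in $vexira_time secs"); repeats the &debug(...) message on the line above it with only the directory name dropped. If both levels can be active and write to the same log, the timing is recorded twice per message; consider building the string once and emitting it at one level, or note in a comment that the two calls go to different destinations.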
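Review bot: In the new file testingreject.html, the sample logs are only partly anonymised: the two servers are replaced by 1.1.1.1 and 2.2.2.2, but 62.211.72.32, the Message-Id values and the sender addresses are left as captured, and the placeholder host is spelled my_server in some prompts and myserver in others. Pick one placeholder scheme and apply it to every address and host in the excerpts. Section 2 is headed "After modifying the source of qmail.c" but never says which change is being tested; a one-line pointer to where the patch documents that modification would let a reader reproduce the second run. On the markup side, each <p><TABLE ...> nests a table inside a paragraph and the last <p> before </body> is never closed, and "I've had noticed" in the NOTE should read "I've noticed".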