MailScanner

MailScanner is an email virus scanner, vulnerability protector, and spam tagger. It supports the Postfix, Sendmail, Exim, Qmail, and ZMailer MTAs, and the Sophos, McAfee, F-Prot, F-Secure, CommandAV, InoculateIT, Inoculan, eTrust, Kaspersky, Nod32, AntiVir, BitDefender, RAV, Panda, DrWeb, ClamAV, and other anti-virus scanners.

MailScanner uses SpamAssassin for highly successful spam identification, and is designed to handle denial of service attacks. It will detect password-protected zip files and apply filename checking to their contents.

It is very easy to install, requires no changes at all to your sendmail.cf file, is designed to be lightweight, and won't grind your mail system to a halt with its load. It can be integrated into any email system, regardless of the software in use.

What is new in this release:

• Fixed taint errors which show up in new versions of Perl.
• Fixed another taint error. Errors in File.pm can't be found. :(
• Fixed error occurring when Antiword fails to parse the input file.
• Fixed bunch of mktemp bugs, thanks to Andrew Colin Kissa.
• Another taint bug in Quarantine.pm.
• Fixed disastrous domain expiry problem in update_bad_phishing_sites and update_bad_phishing_emails
• Updated location of Web Bug Replacement to new cdn site.

What is new in version 4.83.5:

• Fixed problem with Postfix and non-zero hash depth on "hold" queue.
• Fixed problems with spaces in virus names.
• Fixed logging of ClamAV updates (thanks for Peter Bonivart for this!).
• Fixed "Return-Path:" header so it doesn't contain any 8-bit characters which conflict with the new "RP_8BIT" rule in SpamAssassin.
• Fixed problems with permissions of zipfiles thanks to Rick Cooper and Curu Wong.

What is new in version 4.82.6:

• New Features and Improvements:
• 1 In filename.rules.conf and filetype.rules.conf files, as well as the previous "allow", "deny", "deny+delete", and email-address types of rule, there are now "rename" rules as well. If a filename or filetype matches a "rename" rule, the original attachment is left in the message but is renamed according to the "Rename Pattern" setting in MailScanner.conf. This allows for any prefixes or suffixes you may want to add to the attachment's filename. 2 Improved "rename" rules so you can now also specify "rename to new-text". If the rule matched an attachment's filename, the text matching the pattern for that rule will be replaced with the "new-text" string supplied. The "to" is optional, but makes it easier to read. 4 Rules files will be assumed in the MailScanner.conf if the filename now ends in ".Rules" as well as ".rules". 4 Allow deployments with the 'split mail per recipient' setup where mail is re-injected from 127.0.0.1 to still whitelist 127.0.0.1 for releasing of quarantined messages, while still scanning re-injected mail.
• Fixes:
• 1 AVG scanner command-line arguments typo fixed. 2 Fixed problem where HTML messages scanned for Phishing would be truncated at the start of the first tag if it was never closed properly. 3 Fixed bug stopping things like "$1" working in the replacement text of a "rename to" filename.rules.conf rule. 4 Fixed permissions of ClamAV temp files to use workperms instead of 0600. Thanks to Rick Cooper for this fix! 4 Fixed problem caused by invalid "Spam List" or "Spam Domain List" values appearing in the conf file. Thanks to Steve Freegard for this! 5 Fixed issue where messages quarantined for being a DoS attack did not have their headers quarantined correctly.

What is new in version 4.78.17:

• New Features and Improvements:
• Improved handling of Postfix messages with complex structures caused by some milters.
• In addition to the previous 'host:hostname.domain.com' method of providing a hostname in rulesets, you can now also specify host-nocheck:hostname.domain.com, which is the same thing but no anti-spoof checks are made. This is only useful if you have a 'PTR' record for providing the IP address of the hostname but no forward 'A' record for translating the IP address into a hostname. This is frequently the situation when using dynamic IP addresses.
• Swapped over virus-scanning and spam-scanning code completely, so all virus-scanning code is done before spam-scanning code. It won't virus-scan "Silent Viruses" which is pretty much all of them now, so it should work okay. This allows me to introduce...
• New feature to allow detection of "spam-viruses" which are items of spam that are reported by your virus scanner. You can set 2 new configuration options: Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report: Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/*
• The names of the "spam-viruses" found are those viruses reported by your virus scanners which match any of the strings given in "Virus Names Which Are Spam". These "spam-virus" names are added to the header set by "Spam-Virus Header". You can then write a SpamAssassin rule in spam.assassin.prefs.conf which gives a score for the presence or contents of this header. I supply an example rule which adds a score of 3 if the header exists. Feel free to re-write and extend that rule! It will not work unless you customise it. You could even write a "SpamAssassin Rule Action" to handle this rule specially!
• Improved installer for Fedora Core 11.
• Improved RPM installer so when it needs to, it only removes RPMs I installed.
• Added an "export HOSTNAME" to the init.d script. Should resolve some issues where using "$HOSTNAME" or "${HOSTNAME}" in MailScanner.conf did not work.
• Added support for "include path-to-conf-files" lines in MailScanner.conf. You can now put your site-specific customisations in separate files, to make upgrading of many servers a lot easier. You can nest "include" files, which means that an "include"d file can "include" other files. The "path-to-conf-files" can use the normal shell wildcard characters such as "*" so a valid line might be include /etc/MailScanner/config/*.conf to read all the *.conf files in that directory in turn. The *last* value read for each MailScanner.conf setting will be used.
• Added support for "include" lines in upgrade_MailScanner_conf. If you treat them as comments, the whole problem quietly disappears!
• Added /etc/MailScanner/conf.d directory to RPM and added a default include line in shipped MailScanner.conf. Put a README in the conf.d directory.
• Improved notes in conf.d/README file.
• Added "Quick.Peek" script to distribution to read configuration settings from shell scripts, which correctly handles included files.
• Fixes:
• Minor fix to phishing net for servers on port numbers that start with "80" but are not 80.
• Fixed issue of spam report not appearing in rare cases.
• Fixed problem of silent viruses not being quarantined when requested.
• Fixed issue where spam-viruses would be quarantined and found as silent. Renamed subroutine.
• Fixed installer for Perl-IO, Perl-DBI, Perl-DBD-SQLite, Perl-Filesys-Df, Perl-Net-DNS for Fedora 11.
• Fixed installer for Perl-Digest-SHA1 for Fedora 11.
• Fixed problem where "Scan Messages = no" was ignored.
• Fixed problem where multiply-infected files in the same archive may not always be removed correctly.
• Fixed issues with "include" files where they wouldn't be used for a few variables, and "%variable%" definitions in include files were ignored.
• Fixed problem where settings found in included conf files would be ignored sometimes when starting up.
• Rulesets used within Custom Functions should work again now.
• Fixed crash when "Expand TNEF = replace".
• Improved processing_messages_alert so it behaves better in the face of a ruleset defining "Notices To =".
• Fixed problem in Exim where duplicate headers could appear due to DeleteHeader not finding them correctly.
• Improved handling of Unicode and foreign character sets used in attachment filenames.

What is new in version 4.77.9:

• New Features and Improvements:
• Can now automatically unzip small zip files and other archives. This is very useful if you have some service automatically mailing you log files, which zips up the logfiles to save space. It will unpack them if there only a few of them, they are fairly small and they match a list of filename patterns. Unzip Maximum Files Per Archive = 4; Unzip Maximum File Size = 50k; Unzip Filenames = *.txt *.ini *.log *.csv; Unzip MimeType = text/plain
• Hourly cron job about messages being processed only sends a message if 'Send Notices = yes' is set in MailScanner.conf.
• "Read IP Address From Received Header" has been extended, so it will now take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to "yes" or a number, then the SMTP client IP address is taken from the "Received:" header. For example, setting it to 2 will cause the IP address to be taken from the 2nd Received: header. Users of BarricadeMX might want to set this to 2, to get the real SMTP client IP address from the 2nd Received: header, and not the 127.0.0.1 address that BarricadeMX put in the headers. Users of fetchmail might want to set this to 1 or 2 to skip over the 127.0.0.1 address which will be inserted by fetchmail.
• Set up Antiword to always return UTF-8 characters and use that in the attachment it creates.
• Removed co.dk from country.domains.conf as it's not an official 2nd level domain.
• Upgraded DBD-SQLite to 1.25 to avoid RedHat 4 build problems.
• Improved detection of some x86_64 systems.
• Corrected DBD-SQLite packaging error.
• Improved --lint checking of "Processing Attempts Database" and improved logging related to that database. Also improved documentation about the two SQLite databases in MailScanner.conf.
• Implemented a new type of line in rulesets. When you specify a "From:" rule, you can use a syntax like "host:hostname.domain.com" to use the SMTP client's hostname instead of the numerical IP address. This can also be partial hostnames or domain names, such as "host:domain.com" or include wildcards anywhere, such as "host:mail*.dom*ain.com", or even Perl regular expressions such as "host:/(de|dk)$/". This goes where the numerical IP address would go in the rule, after the "From:" and before the value to return. Note that these are slightly slower than using the IP address as they involve a DNS lookup (maximum of once per message), but that value should be in your DNS cache as other things will have already had to look it up anyway. They are described in more detail in the etc/rules/README and etc/rules/EXAMPLES files.
• Added spoofing protection to the "host:" name lookups. Forward and reverse DNS entries must now match.
• Fixes:
• Fixed problem where Unzip functions would not be found. Set default to off.
• Fixed issue with Postfix not scanning some messages in 4.77.3.
• Fixed issue with Postfix scanning too many messages in 4.77.4. :-)
• Fixed issue with extra character on the front of files created by antiword.
• Fixed UTF-8 character in Perl source code in Esets output parser.
• Fixed issue with encapsulating messages containing silent whole-message infections.