2.11 15/Feb/2013
* Increased value of $MAX_NUM_HDRS to 256 due to some legit Lotus MTA generating emails with over 100 lines of "X-Notes-Item" headers. Ewwww...
* created new Q-S headers containing metadata learnt during the parsing phase - to pass to SpamAssassin. This would allow for creating SA rules to (say) score highly email containing zip files that contain .exe files - that claim to be from a PDF printer...
* altered contrib/qscan-spam-to-users.pl to look at "cur" dir too
* tweaked double-barrelled filename checks
* changed syslog calls as rsyslog works differently than older syslog servers
* cleaned up and sped up configure script
* Put in Digest::SHA and Digest::SHA1 check to ensure MHR module works. Thanks to Salvatore
* moved mhr to be in front of clam[d]scan due to its performance. Cleaned up some code too

2.10 16/Aug/2011
* ./configure now exits if you choose a "--lang" language that isn't supported
* Change Received: header used to show diagnostic detail to X-Qmail-Scanner-Diagnostics: - that will make SpamAssassin happier
* changed password-protected zip files to not bother unpacking them - just a waste of time
* Team Cymru Malware Hash Registry (MHR) support added. NOTE: even though this is a free, DNS-based AV service, it is free for non-commercial use ONLY. Please see their website for details

2.09 22/Sep/2010
* Added DLPmonitor feature. If you want to use clamAV or perlscanner to block the movement of intellectual property/etc (i.e. DLP), you can create rules that will enable Q-S to treat such files/data identically to viruses. However, it is common to want to *track* such events first (to get a feel for false-positives), so $DLPmonitor_REGEX enables you to define a regex of strings that cause Q-S to archive and log as "DLP:" - but otherwise treat as "Clear", non-quarantine events
* Added ${V_HEADER}-Remote-OS: header containing the OS of the SMTP client as discovered if you are using qmail-delay with p0f.
  Adding it as a header means SA can use the OS information for rule checks. Be aware that NAT gateways at either end can adversely affect the results p0f discovers, so this feature may not work well in your particular environment. This header by itself doesn't do much - you'll have to write SA rules to use this "meta data"
* Changed internal localization from "C" to "en_US" to work around a bug in latest reformime.
* small debugging changes. Thanks to Toni Mueller
* HBEDV change. New version has replaced "antivir" with "avscan". Thanks to Wolfgang Hamann for the patch

2.08 8/Sep/2009
* Changed "--sa-timeout" from 30 to 120 seconds. Should enable spamc to handle really large text emails without triggering a false SA "failure"

2.07 31/Aug/2009
* Support for AVAST! This will support avastlite - which interacts with the avastd daemon
* BEHAVIOUR CHANGE: enable sites to trigger tempfails if SpamAssassin fails to process a message. i.e. treat SA identically to antivirus on errors. This is ENABLED by default. Set "--sa-tempfail 0" if you want to revert to old method of continuing on errors - with the "?/?" score. To spell it out, "?/?" should NEVER happen again if you allow the new default
* BEHAVIOUR CHANGE: "--sa-faulttolerant yes" now the default. Set to "--sa-faulttolerant no" to revert to old behaviour
* stupid mistake with altering unzip'ped file perms - forgot daemonized scanners would need eXecute access to the dir - doh!
* mistake in perlscanner filesize detection fixed
* changed maildrop test and ensured all error exit codes are non-zero for the ./configure script. Thanks to David Sveningsson
* clamscan commandline options altered to support 0.95 (not that anyone should be using clamscan - clamdscan is vastly preferred).
* Support for the new esets_cli version of NOD32 - called "esets". Thanks to Salvatore

2.06 05/Mar/2009
* Brenda Bell picked up a buglet with how a BAD_MIME_CHECK was handling certain b0rked legitimate mail.
  Fixed
* Upgraded fprot support to version 6, "fprot" has been replaced with "fpscan" and "fpscand" (daemonized) modules. Thanks for the work by Salvatore, Matthias, Futhwo
* wording changes on some error messages
* added an exception to cover a sophie error condition
* forcibly "chmod -R 740 ." after unpacking zip files to ensure the files are readable by daemonized scanners like clamd, etc.

2.05 2/Jul/2008
* document that even though Qmail-Scanner will add a Message-ID header if there *isn't* already one, it will ensure this added header is not passed to SpamAssassin when it is called. This ensures SA can correctly interpret the lack of that header.
* Fix bug in above new code! Causing some message-ids to be skipped when passing to SA.

2.04 07/May/2008
* Regex bug fixed in message-id check.

2.03 25/Mar/2008
* Code cleanup and reorg. Thanks to Salvatore
* Updated nod32 support. Users of this MUST CHECK that they have configured /etc/nod32/nod32.cfg correctly. Thanks to Salvatore
* Updated support for qmail-queue-custom-error. Thanks to Futhwo for noticing the change
* Enhanced perlscanner to be able to policy-block attachments based on arbitrary sizes. e.g. "block zip attachments if less than 1024 Bytes"
* Fixed buglet in attachment filesize checks
* Workaround for Berkeley DB bug. Thanks to Manuel Mausz for the patch
* Updated clamdscan module to support more expected error conditions

2.02 30/Aug/2007
* It is strongly suggested that everyone enable PTR lookups within Qmail itself (i.e. the "-H" option in tcpserver). Q-S now uses TCPREMOTEHOST (if present) in the creation of Received: headers - as SpamAssassin now expects that.
* Support for generating SMTP permanent errors for quarantine events - including high-scoring SPAM ("--quarantine-reject 1"). This is disabled by default, but I intend to make this the default soon. Note that enabling this option WILL DISABLE ALL "OLD" Q-S NOTIFICATION CODE. i.e. no more "policy-violation found in..." emails.
* Extra loop around spamc put in place to allow Q-S to try up to three times to get SA to produce a result if "--sa-faulttolerant 1" set. For those of us who REALLY WANT SA to always return a score. This may worsen load problems - there may have been a reason spamd couldn't return a result the first time...
* A GREETDELAY implementation in contrib/qmail-delay. This allows you to delay accepting email connections based on such parameters as the remote IP address, as well as OPERATING-SYSTEM AND GEOGRAPHIC LOCATION
* Q-S now adds Message-ID if one isn't present to improve the trackability of emails through your systems. This used to be added as X-Qmail-Scanner-Message-ID
* Small buglet in where Q-S detects latest SA output in verbose_spamassassin
* Small update to F-prot. Thanks to dimaki
* Buglet in how policy blocking occurs if BAD_MIME_CHECKS=0 fixed. Thanks to Simone Lazzaris
* New Polish translation, and bugfix by Maciej Budzynski
* Allows configuration of SpamAssassin's "max size" limit - which tells SA not to scan messages larger than that size. Defaults to the SA standard 256000 Bytes - but allows you to make it higher if you wish (I use 700000)
* Support for latest Sophos savscan scanner. Recommend using sophie-3.06 which fully supports it (i.e. still use sophie)
* Updated qscan-spam-to-users.pl.
* Updated qs2mrtg to reflect SA quarantine events as "RBL" events instead of "virus" events
* Explicitly mention daemontools as being required

2.01 5/Apr/2006
* Changed setuidgid calls in ./configure as some people had PATHs that were not playing nicely.

2.00 20/Mar/2006
* cleanup: removed "virusdir" option
* Changed uudecode perm to 0640
* Updated nod32 - thanks to Max Kellermann
* Added 30sec timeout to calls to spamc. i.e. spamc will exit without knowing the score of a piece of mail if spamd takes more than 30sec to respond.
  This should cut down on silly amounts of time being spent dealing with DNS timeouts/etc, without making SA miss anything it would have caught before.
* Refer to logrotate script in contrib/ directory which can be used to perform "housekeeping" duties for Q-S

2.00rc1 23/Jan/2006
* Big version jump from 1.25 to 2.00 to reflect some of the changes that have taken place.
* NAME CHANGE. The spool directory into which Qmail-Scanner is installed is now /var/spool/qscan. This is to reflect (or force ;-) that you need to re-evaluate all your settings as some pretty fundamental changes have been made
* NAME CHANGE. quarantine-attachments.txt has been renamed quarantine-events.txt as it is used to quarantine more than just attachments, and the format of that file has been changed.
* NEW FEATURE. Quarantine directory is now separated into THREE subdirs: "spam", "viruses" and "policy". This is so sites can arrange different auto-delete jobs to control the size of these areas if they so wish. See below for more details
* NEW FEATURE. Starting to include concepts from Salvatore Toribio "st" patch to add spam quarantining features to Q-S. If you set "--sa-quarantine X" (where "X" is a positive number), then if SA tags a message as having a score higher than "required_hits" plus "X", that message will be quarantined into a new maildir "./spam/" and not delivered to the end-user (also no-one is notified). e.g. for "--sa-quarantine 5", a score of 10/5 would cause the message to be quarantined into maildir "./spam/" instead of being delivered. A message with a score of 7/5 would be tagged as SPAM and delivered as per older versions. Note that this is a serious step to take. It means a false match ends up with no-one being notified and the e-mail effectively "blackholes". You can use your old Q-S logs of previous "tagged-only" mail to go through to prove to yourself that the "sa-quarantine" value you are going to use won't result in lost e-mail.
  DISABLED by default
* To go along with the above new feature, the contrib dir contains "qscan-spam-to-users.pl". A cronjob script designed to move any high-scoring SPAM out of the "spam" quarantine dir into an IMAP maildir structure where the recipient of the SPAM gets their own mail subfolder. This gives a more filtered way for IS staff to deal with any false positives. You can log in via IMAP, go to a particular user's (sub)mail folder and see all the high-scoring SPAM sent to them - and forward any false matches. Hopefully this should never be needed as SpamAssassin scores over 10/5 should really never be wrong...
* NEW FEATURE. The "qmail-scanner-queue.pl -z" script has also been updated to auto-delete messages quarantined under the "quarantine/" maildirs when they are older than 14 days. This is to stop these maildirs growing insanely large! You are of course welcome and encouraged to do something about e-mail in these folders according to your own timescales if you wish. Simply have your own cronjob move it into some other area of diskspace - and then it's your problem to deal with :-)
* NEW FEATURE. A maximum size for scanning (--max-scan-size) can be set. This means if a message is greater than this size (in bytes), then Q-S won't run any AV or anti-Spam checks against it. Use with caution and note that I have hard-wired a minimum value of 10000000 (10M) to this variable to stop people making stupid mistakes. I am concerned that virus writers will just start making really large viruses to bypass systems with such options - so be careful!
* BIG CHANGE. Some features that were hard-wired into the main body of Q-S have been moved into quarantine-events.txt where they should have been all along. This makes it possible to change settings without reconfiguring the main body of qmail-scanner-queue.pl.
  You will need to rewrite any rules you had in place within the old quarantine-attachments.txt into the new format quarantine-events.txt. One of these changes allows you to block zero-length attachments at last ("any" length is now represented by "-1" instead of "0"). LET ME SAY THAT AGAIN!!! "0" NOW MEANS "0" - IT USED TO MEAN "ANY"!!!!
* BIG CHANGE in definition of times. Previously Q-S "started the clock" the moment it was invoked, and stopped it when it finished. Unfortunately that meant that if you were receiving a large e-mail over a slow link, your Q-S stats would show it took (let's say) *hours* to "process" the message - when in fact it took hours to *receive* the message, and 2 seconds to process. From now on the debug file (qmail-queue.log) will differentiate between the two, and the per-message syslog reports generated will contain a timestamp of how long the message took to process i.e. - ***once it had been delivered to disk***. This will make Q-S look faster than it did before - faster and more correct IMO. Thanks go to a ratty old hub for making me realise how bad the stats could look (I had some *8* hour deliveries... ;-)
* Changed setuid to 6755 - i.e. it's now setuid and setgid. Forcing all files to be group qscand will allow those who wish to do so to keep their AV daemons running as other accounts. They just need to ensure those daemons are members of the qscand group - and as such should be able to read the necessary files. e.g. clamd could run as "clamav", but as long as account "clamav" is a member of group "qscand", clamd is able to read the mail enough to scan it
* Changed regex-matching in quarantine-events.txt to be case-*insensitive* instead of case-sensitive. It was causing too much confusion.
* Added new monitor script to contrib dir - check_AV_daemons. This perl script can be used to monitor that your daemonized AV system (and SpamAssassin too!) is running correctly. "perldoc contrib/check_AV_daemons" for details
* Added extra alarm on writing to syslog to stop Qmail-Scanner hanging waiting for a broken syslog daemon to respond.
* Act like RELAYCLIENT is set if qmail-scanner called via pipe instead of SMTP. This makes it more consistent with other Qmail apps - e.g. a call to qmail-inject is equivalent to a local SMTP connection. All this does is disable calling SA. If you want SA to be called (maybe this is being called by a Web app), then just set QS_SPAMASSASSIN=1 in your environment. Note that I've also changed the documentation to refer to QS_SPAMASSASSIN=1 instead of QS_SPAMASSASSIN=on - think boolean.
* Added support for "greylisting"-style policy blocks. Instead of blocking and quarantining an email, you can configure a Perlscan rule to trigger a SMTP temporary failure. This is meant for emergency situations where your current AV is being hit by a Day-Zero using some attachment type you cannot afford to just blanket block. e.g. ZIP files. With the "greylisted" option, you can tell Q-S to exit with a temp failure whenever such mails show up - which will cause legitimate mail to simply requeue at the other end. Then when your AV is able to detect the virus, you can remove the rule, and all that legitimate mail that was being blocked should flow through again (assuming you don't have the rule in place for days of course!). Greylisted events show up in logging as "Perlscan:Greylisted". Note: this is NOT "recipient greylisting" - offers accepted for a better word...
* Localized the "$destring" at last. Can other languages that are supported please send in translations for the "destring_*" files?
* Added support for AVG Antivirus from GrisSoft. Thanks to Jaroslav Suchanek
* Change to the Kaspersky avp scanner to allow corrupt attachments through
* Added support for decoding encoded attachment filenames and Subject: headers by calling MIME::Base64.
  Now that's been done, you must reference "normalized" filenames or strings in quarantine-attachments.txt and Q-S will catch them even if they are encoded. Enabled by default, but as I'm not sure how many bad implementations of MIME encoding there are, it can be disabled. Disable via the "--normalize 0" ./configure option - and tell me if it starts blocking valid mail... I am also concerned about people running broken syslog servers, and how they handle 8bit chars showing up. Please keep an eye on this feature.
* Just noticed that Q-S spamassassin tagging was still reporting SA scores as "hits=xx" instead of SA's official "score=xx". Fixed
* Fix to McAfee scanner - well - kludge really. Thanks to Beni Schoedler for spotting it.
* If you use "--add-dscr-hdrs", this will only be set on e-mails that came from *non* relayed addresses. e.g. mail from the Internet to your site will have the headers added, but mail leaving your site won't. This should make it safer (from a privacy perspective) to enable
* Presence of DomainKeys signing added to report if "--log-crypto" enabled
* Now treat the presence of URLs in even text-only e-mails as enough reason to run AV modules. This will mean that quite a lot of extra text-only e-mail gets scanned - but is needed to thoroughly allow Phishing attacks to be caught (most [all?] are currently HTML and were scanned anyway - but they'll figure this out shortly...).
* Buglet in how the alert syslog records were written. They contained details of the actual virus e-mail (e.g. IP address) instead of more correctly reflecting they were locally generated.
* Added check to ensure clamdscan isn't just a link to clamscan - which some third-party Web sites recommend! Gah! If you want to run clamdscan - THEN SET UP THE DAEMON PROPERLY. Otherwise don't - and you'll get clamscan instead (at 100th the performance). Let me say it again: No-one running ClamAV should be using clamscan.
* Tiny change to configure to better discover if spamd is running in socket mode - thanks to Renato Botelho
* Changed uudecoding sequence to just use system() instead of pipes as an anonymous user reported an error on an unknown system that sounds like that OS has issues with perl pipes (which reminded me of the problem FreeBSD had in 1.24). The code change should only be cosmetic - but if it solves a problem - I'm all for it!

1.25 28/Jan/2005
* BUG: SA was removing X-Spam-Status headers when run in verbose mode - duh! Fixed
* Bug in double-barrelled check fixed.
* Typo in CHANGES from 1.24. It said SA is only called "for messages bigger than 250K" - when obviously that should be "for messages smaller than 250K".

1.24 18/Oct/2004
* Fixed a localization issue by using POSIX setlocale - thanks Piotr Paw~ow
* Bug in sub-vexira.pl fixed. Thanks to Shai
* Fixes buglet with Q-S not successfully removing old X-Spam-Status: headers when it adds its own. Now Q-S simply renames such headers - it gives a nice audit trail of previous SA checks (real or fake)
* Fixed a FreeBSD buglet to do with spamc not playing with pipes correctly for messages bigger than 250K. Q-S is now hard-wired to only call spamc for messages smaller than 250K. Hopefully that doesn't burn anyone (you can always edit the code...)
* Quarantine events now separate "Denial of Service" attacks (which can affect the server) from other AV/Policy events. DoS events don't get passed through AVs - they are blocked instantly. Currently this covers overlong attachment filenames and zip files that would have unpacked into more diskspace than allowed by the new "--max-zip-size" option. Note that DoS check only kicks in if you are using "--unzip 1" - if you are not, it's up to the AV you are using to do such checks.
* Crypto logging now has a "pecking order". An encrypted object is weighted higher than a signed object WRT logging (i.e. if an e-mail is both signed and encrypted, it's only reported as encrypted).
* Increased max size of syslog entry to 1024 chars - the RFC max limit of a UDP-based syslog record.
* non-existent options in clamdscan removed, and version checking updated to catch the newest release format change
* Added support for ESET NOD32 AV. Thanks to Maciej Soltysiak for the work
* Long standing buglet in configure script found when using the "--bindir" option. Thanks to Tomas Hoger for pointing it out
* configure script will now auto-detect if you are running spamd in the (faster) Unix socket mode, and will configure spamc accordingly. Not tested much as I think there may be bugs in SA WRT this?

1.23 03/Aug/2004
* The format of the "Received:" header inserted by Q-S has been changed to allow better interoperability with SpamAssassin's SPF checks
* "--log-details syslog" now set as default.
* New notification option: "precips". This will allow you to notify recipients that a message to them was blocked, but unlike "recips", will only trigger if it was blocked for "Policy" or Q-S internal reasons - i.e. wasn't tagged as a virus by an AV sub-system.
* Tiny change to sub-spamassassin.pl to add support for the altered format in upcoming SA 3.0
* Sanity check ownership of unpacked files. Too many people seem to have weird setups with bad permissions. This should help focus their minds a bit.
* X-Envelope-From: header banged in front of SA calls to allow extra checks.
* Changed some variable names to be more descriptive of what they do. Also renamed subroutine check_and_grab_uuencoding to check_and_grab_attachments for the same reason
* rewrote perlscan to search recursively for files via "find". This allows unzip to run without options any more (removing the "-o" option - which is a Good Thing), and will lend itself to future development
* "--redundant" enabled by default.
  It's all about stopping viruses, so we should always use whatever added features are available by default instead of making everyone work that out for themselves the hard way
* Changes to Kavscanner thanks to Nicola Percacci
* Jyri Hovila provided patches to F-Secure to enable support for the latest release
* Bitdefender exit status update to catch corrupt archive files
* Made change with setuid test to allow you to continue with a warning after it fails to find a working setuid perl installed
* Alex Pleiner has created a patch for vpopmail's roaming users feature that allows it to inter-operate with Qmail-Scanner. See the contrib/ directory for the patch (vpopmail-issues.eml)
* Added a few more regex for detecting Windows binaries
* Added support for BitDefender AV. This appears to be free for Linux...
* Cees Hek noticed a problem with deltatime - fixed
* timestamp accidentally dropped from mailstat.csv - fixed

1.22 10/Apr/2004
* Bug in uudecoding component fixed. Now will recognise a message as having uuencoded bits even if uudecode not installed. Note: if you expect Q-S to unpack certain things (instead of just detect them), make sure you have such unpackers installed... (e.g. unzip, uudecode).
* New logging feature: "--log-crypto". More for the Corporate environments. Simply notes in the log record if the message contained any form of digital signing or encryption (S/MIME, PGP and password protected ZIP files for now). Disabled by default as your site may have privacy issues in turning this on...
* reverted calling /usr/bin/suidperl back to the "official" way of doing suid perl: /usr/bin/perl
* Standardized date timestamps in logs. There was a mix of formats - not too nice to see...
* Fixed buglet where Q-S was replacing X-Spam-Level when it shouldn't be
* Removed RAV from list of supported AVs as Microsoft bought them out and they have ceased development.
* archive support was broken (fat-finger problem) - fixed.
* Bug in how Q-S policed boundaries has been relaxed, given some bizarre but valid behaviour by Eudora.
* Changed exit code check for sub-avp.
* The locale is forced to "C" (English) at the beginning of Q-S. That will standardize the output of localized apps (such as AVs) so that the string regexes will work more reliably. Note that this has nothing to do with the normal Q-S language support
* If you have set $spamc_subject (which allows you to put a string at the beginning of the Subject line when SPAM is found), then Q-S now checks to see if that string is already present so as not to double-add it.
* Added Danish locale - thanks to Max Andersen

1.21 11/Mar/2004
* "--fix-mime" now defaults to "2". This enables a bunch of extra MIME checks that have proven to be very useful. You can reset "--fix-mime 1" to regain older behaviour if you need to, but please let me know why it isn't working for you...
* $hostname is now dynamically set instead of being hardwired. This should make pushing out Q-S onto multiple boxes a bit easier.
* zipfiles are no longer deleted after unpacking to allow AV a better go at the original zip. These Bagle/password-protected zip files viruses mean deleting any information (such as a zip file you thought you didn't need any more) may be a bad thing...
* Due to those grotty new password-protected viruses showing up, Q-S now has the option of blocking password-protected zip files ("--block-password-protected"). It obviously has to use the system's "unzip" program - which has to support passwords. It can be used without having to fully turn on the "--unzip" option.
* The CR/NULL char check has historically caused grief for some sites. Even though I feel that people should fix the broken client that generates such messages, Q-S now allows you to configure it with a "--ignore-eol-checks" which will turn off those checks - but allows it to keep doing the other invalid MIME checks.
  I hope now that no-one will need to use "--fix-mime 0"
* In an attempt to prevent people getting concerned that Qmail-Scanner is letting through viruses - when it isn't, Q-S now treats any bounced e-mail that appears to contain MIME headers in the body as potentially containing an attachment. As such it will now allow the virus scanners to scan them. Previously Q-S would only scan them if the bounced e-mail was an attachment to the bounce - which obviously should be scanned. Some MTAs (such as raw Qmail) simply append the original message to bounces, which slips through Q-S as a "plain/text" message that doesn't need scanning. However, some other SMTP virus scanners scan them anyway, and people were becoming concerned that Q-S was "broken" because it wasn't detecting them - even though no known MUA could actually get infected off such a bounced message. Go figure! It's one of these cases of needing to "be seen to be doing the right thing" - even when there is really no need...
* More work on getting that suidperl check working correctly
* Big Change: Qmail-Scanner now defaults to only sending alerts to "psender,nmlvadm". i.e. only alert sender and admin when the e-mail isn't associated with a mailing-list, and the quarantining event is due to a policy block instead of an AV block. Note: if the string "virus" shows up in the first 20 chars of the description of the policy block within quarantine-attachments.txt, then that too is treated as a virus and no notification will be sent either. The outcome of this new default is that quarantined virus-infected e-mails won't send alerts to anyone, whereas e-mails quarantined due to other reasons (e.g. MIME fiddles or you chose the "--block-password-protected" zip file option) will cause alerts.
  The rationale behind defaulting to not notifying senders of viruses is that the vast majority of viruses now alter the envelope from header, so there is no point in notifying someone who didn't send the virus - that they have a virus!
* Pasi Kärkkäinen and Jyri Hovila sent in updates for fsecure
* Updated sub-avp.pl for Kaspersky kavscanner 5.0.1.0. I ASSUME THIS WILL BREAK OLD INSTALLS OF kavscanner! Please upgrade your scanner. Thanks to Erik Wasser for the update
* Changed reference to vpopmail bug to specifically say this is to do with "pop-before-smtp" functionality - the only part where vpopmail strips out/doesn't set the QMAILQUEUE variable
* Updated silent-viruses to skip notifying sender on my worm virus types
* Optimizing some of the regex used. Thanks to Doug Monroe
* Change references to quarantine maildir in alert e-mails to refer to the actual e-mail file itself. Otherwise you're having to get a maildir-capable MUA up and running, and then searching through the 1,000's of viruses you probably have for the actual message you're after. Thanks to Salvatore Toribio for the suggestion.
* Rewrote a few error msgs to be a bit more concise
* Bug in how SA decides to run in fast-vs-verbose mode discovered by Jonas Thomsen - fixed.
* Slovak locale translation added - thanks to Viktor Daniel
* Documentation changes
* Bug in how archiving was disabled in the configuration script fixed. Thanks to Alex Pleiner
* Renamed references to clamuko to clamdscan - clamuko is an inline virus scanner for filesystems!
* changed default max-space that clamscan can use to 100M
* added X-Spam-Level header. This header adds "+" chars - one for each point scored up to a max of 100. This is to allow less sophisticated mail filters (i.e. Outlook Rules Wizard ;-) to do more intelligent things such as "delete mail that has "X-Spam-Level: ++++++++++" - i.e. delete spam with a score over 10.
  Note that SA itself defaults to using a "*" char instead of "+", but that's a wildcard character, so I think we'd be better off with "+" [which is a regex char - but if you're the type of person using a filter that parses regex, then you're the type of person who'd know how to escape it too ;-)]

1.20 5/Nov/2003
* The IP address of the SMTP client is now added to the RC field in the Q-S logs. I have conceded the argument to Jesse Guardiani after having to track a virus that came in via a dialup user. The information is there in the other Qmail logs - but it does take a while to figure out, so now it's part of the Q-S logs. (e.g. "RC:0(1.2.3.4):" shows the SMTP client was 1.2.3.4 and that they are *not* a RELAYCLIENT address).
* tidied up the fsecure and fprot subroutines
* Nicolas Croiset pointed out the contrib/sub-avpdaemon.pl didn't have support for the new TMPDIR area. Fixed
* qs2mrtg.pl (and .cfg) added to contrib directory. This script reads syslog-only formatted Q-S log records and converts them into MRTG graphs of mail throughput, viruses and spam stats. Run it as a cronjob like:
      */5 * * * * /usr/bin/qs2mrtg.pl && /usr/bin/mrtg /var/www/html/mrtg/mrtg-qmail-scanner.cfg > /dev/null 2>&1

1.20rc4 7/Oct/2003
* Put back references to Vpopmail breaking Qmail-Scanner in the FAQ. There are just too many people having problems with Vpopmail for me to ignore.
* Have had enough of dealing with problems with find on different OSes. From now on all temp dirs (where email unpacking occurs) now occur under /var/spool/qmailscan/tmp. That way find can just run over that dir and can deal with dirs as well as files...
* Improved Fsecure version details to include the sub-engines it uses - gah!
* Made recreation of versioning information more resilient. Thanks to Mark Simon Powell
* Just a note that there has been a change in the logging format.
  Actually there hasn't - it's just that apparently no-one can read my mind to realise it follows a format :-) Basically the "Clear:RC:0:SA:1(11.5/5.0):" part of the logging follows the following format:
      "Name" : "Value"
  ...and are separated from each other by a colon ":" - sorta "colon separated values" :-) Hence above translates to "not quarantined", "SMTP client wasn't a relayclient", "was spam". The exception is "Clear" - which is always bunged onto the front of any message that was *NOT* quarantined - it probably should be "Clear:1" or something silly like that - but I just like to save the extra two chars ;-)
* bug found in re-org of AV ordering fixed.
* fixed bug in SA lowercasing of email addresses when passed to spamc.
* bug in new setuid perl checks stopping people from running the C-wrapper version. Added new configure option: "--skip-setuid-test"

1.20rc3 2/Sep/2003
* Major change: Qmail-Scanner now runs under its own separate account to give better privilege separation. Defaults to "qscand". Make sure you check that any daemonized versions of virus scanners run as the same account - otherwise they won't be able to scan within the /var/spool/qmailscan directory. Upgrade from previous releases by:
      disable SMTP (e.g. svc-stop /service/smtpd)
      chown -R qscand:qscand /var/spool/qmailscan
      edit (to make run as qscand) and restart any daemonized AVs
      run ./configure ..... --install
      re-enable SMTP (e.g. svc-start /service/smtpd)
  Note: this is only needed for upgrading from releases running under "qmailq". New site installs and future releases will be fine again
* Updated FAQ to mention Redhat9 issues with Qmail, and more information on how daemonized versions of AV programs should be run WRT Q-S
* made perlscanner run AFTER antivirus scanners. That way if an attachment contains a virus, it will be flagged as such, instead of relying on the generic attachment-blocking (i.e. Policy) to catch it.
* Changed SpamAssassin module to work with upcoming 2.60.
  Thanks to Doug Monroe
* Bug in the order that clamscan was found on your system stopped it from being run first like I claimed in RC1! Fixed
* Buglet in SA lowercasing of email addresses when passed to spamc.

1.20rc2 20/Aug/2003
* Bug in text/plain checking found. Pretty major really. I had checks to see if an attachment was found in the e-mail, but didn't check to see if @attachment_list actually had anything when the decision was made. Thanks to Alex Shipp for finding that.

1.20rc1 15/Aug/2003
* Changed defaults so that clamav scanners are listed as the first scanners. This means if you have clam + some commercial AV scanning all your emails, you'll be able to tell from the logs just how often the commercial AV is actually catching anything... It'd be great to see clamav catching everything :-)
* SpamAssassin now puts "?" chars in instead of "0" when it fails to get an answer from spamd: this is typically due to the msg being too big or spamd being down. It used to be that way, but someone didn't like it and I changed it to "0". Now of course that was a bad decision as that actually implies the email wasn't spam - not that an error occurred.
* FIX: the tempfail function has been renamed error_condition and now allows Qmail-Scanner to return permanent errors along with its current temp failures. This will allow filters such as qfilter to be used with Qmail-Scanner.
* Rav AV updated as they've changed the format again. This may break older releases of ravlin8 - but you don't need to run those now do you :-)
* BIG CHANGE: "--unzip" disabled by default now. This means Q-S now relies on the AV systems to unzip the files, and also means that if you block (say) .EXE files, they can now get in via putting them within a ZIP file. If you want the old behaviour, use "--unzip yes" again.
* Maciej Budzyski has provided new Polish translations.
* Removed references to broken installs of VPopmail causing problems.
  Apparently there has never been a problem with VPopmail - only mis-installation by some people (hey, don't shoot me - I'm only the messenger!).
* Better logging detail - so you can tell what is quarantining what.
* Logging now includes whether or not the email was from a RELAYCLIENT SMTP client ("RC" == 1 or 0). Useful for seeing if any of your users (i.e. RC(1)) are sending *out* viruses... (i.e. good to trigger alerts off)
* Update FSecure module to handle newer versions
* Updated configure to check setuid'ness better. Still not perfect...
* Buglet in message/partial definition in quarantine-attachments.txt fixed
* Buglet in how qmail-queue was found on systems with non-standard Qmail installs fixed. Thanks to Adrian Offerman
* Made a jump to 1.20 to demonstrate the added functionality.
* Changed some variable names to better reflect their function.
* Added "--batch" option to ease scripting - it stops configure asking for input. Thanks to Douglas Schilling Landgraf
* This release candidate has added some simple MIME parsing that captures quite a few viruses/trojans. Since it may also catch some valid mail in an unusual layout, it is not enabled by default. To test (and *please* do!!!), you need to set "--fix-mime 2". Please notify the list as to any problems, as the intention is to make these checks part of the standard configuration by 1.20 release...
* Dutch language support added by Martin Roest
* A hack added to try to make the syslog call work on broken Solaris perl installs.
* configure now uses "strings -a" so that it'll work on AIX. Should still work on other OSes...
* Q-S now skips virus-scanning messages that are either text/plain or non-MIME/uuencoded. This will speed things up a tad. Note that if configured for SpamAssassin, that will still be run - just the virus scanners are skipped. Again, due to the potential of missing messages that should have been treated as having attachments, you need to have used "--fix-mime 2" to enable.
* Fixed bug with the "-z" option not leaving the archives maildir tree alone. It was deleting old messages lying around in there...
* Made QS better at detecting old Sun "enriched" mail so that the new MIME detection code doesn't mis-label it.
* SpamAssassin now sets the spamc "username" field to the recipient address. This only happens if there is ONE recipient. If a spammer sends a spam to 20 local users in one SMTP session, then no user-specific SA rules will apply, but all the general SA rules still do of course. Note: As spamc must be passed the recipient address on the commandline, Q-S has to strip back the e-mail address to shell-friendly chars - this should be fine for 99.9% of your e-mail addresses, but may mean that the more odd addresses won't be able to access their user-specific SA options. The address is also lowercased before being passed to spamc. Note that all this has no effect on the recipient address of the e-mail - just the address used for "spamc -u ..."
* Made errors in reformime appear to debug file.
* Fixed BUG in SpamAssassin subroutine where the wrong SA score could be found. Thanks to Dallas Engelken
* Block messages with Windows executables that are *not* of MIME type application/* Never seen in the wild unless they are viruses. This may block some bogus mail that is otherwise valid, so you can only get this by setting "--fix-mime 2" when configuring.
* Explicitly block double-barrelled filenames which end in known Windows "executable" style extensions - such as "file.doc.pif". Again, only seen associated with viruses. This may block some bogus mail that is otherwise valid, so you must set "--fix-mime 2" when configuring to enable.
* Block messages with attachment filenames over 256 chars in size. There are buffer overflows in... (go on - guess!)... Outlook that exploit this issue. As most file systems don't support filenames over 256 chars anyway (e.g. NTFS and ext2), this shouldn't inconvenience anyone.
* Added support for the Central Command Vexira virus scanner
* NOTE: format of "--archive" option has been changed!!! All archiving goes to a maildir called "archive" now - whereas it used to allow you to change that dir name. Archiving now supports archiving only mail to or from a regex (as well as archiving everything). e.g. ./configure --archive "jason|harry" would make Qmail-Scanner only archive mail where the sender or recipient contained the string "jason" or "harry". NOTE: this is only matching on the envelope headers ("mail from", "rcpt to") - not arbitrary headers or body content.

1.16 3/Feb/2003
* Changes some occurrences of rename to link due to recent discussions on how OpenBSD handles PIDs...
* Buglet in detection code in configure fixed. Thanks to Ted Behling
* Added SoBig to the list of viruses that shouldn't generate an alert to the sender.
* Altered error messages when virus scanners crash to more pointedly suggest that people should check their memory sizing... Thanks to Rick Romero for the suggestion
* Now checks for comments within mail header names. Some viruses are shoving comments in them to make AV systems miss them...
* Documented problem with vpopmail not reading the tcpserver SMTP rules correctly.
* Updated RAV support. Newer versions now exit status 1 when no virus found - go figure!
* Put more sanity checks in the SA return values. Looks like people are running all sorts of broken SA installs out there...

1.15 30/Oct/2002
* Silent viruses configure option changed to default to "auto". Older version didn't have this, which means that those relying on looking at the previous install of Q-S to tell them what the configuration options were should re-run ./configure without the "--silent-viruses" option to reset their config correctly.
* Cleaned up configure a bit.
* made test_installation.sh to send spam message to test SpamAssassin if it's installed. Thanks to Michel Bouissou for these ideas
* Support for perl 5.8.0!
  A one-char alteration made it all work again. Thanks to Emerson Wu
* Added bugbear/tanatos to the exclude list along with klez.
* Workaround for SpamAssassin bug where it doesn't report a spammy message as spam when it marks it as such (i.e. SA 2.4X)
* Added important new entry into quarantine-attachments.txt. Everyone should seriously consider adding this to their own copy as it will stop a potentially nasty future exploit. This does mean your site will basically block all "message/partial" MIME types from now on, but I've never seen anyone use them "in the wild" anyway, so it should be low risk.
* Updated HBEDV to handle newer versions
* Changed AVP - Kaspersky regex to better match new engine. Thanks to Thorsten Spaeth.
* Comment in FAQ that sophie/trophie/other daemonized scanners should be run with larger than needed memory softlimits. Setting a higher limit reduces the likelihood that (say) an automated pattern file update at 2am (that pushes up the memory requirements) suddenly makes your Qmail-Scanner server start reporting out-of-memory errors! :-)
* Strip illegal_chars out of headers when generating alert messages.

1.14 14/Aug/2002
* Bug found in 1.13 SpamAssassin code that allows you to change the Subject line. Fixed thanks to Chris Hine
* Moved some of the alert text around so that the admin e-mail still contains a description of the quarantine event.

1.13 5-Jul-2002
* Big change to logging. Now a message to 20 recipients creates 20 log entries. This will dramatically improve the usefulness of the log entries (the size-limit issues of syslog almost disappear)
* Added new tracking header X-Qmail-Scanner-Message-ID. This is normally set to Message-ID - but is randomly generated if that header doesn't exist. It's used in the logging so as to provide an explicit linkage between different log entries from the same message. It is used internally, and is only added to actual messages that don't have a Message-ID header.
* Alerts now refer to the envelope "mail from" address instead of the address shown in the From: header. There are too many trojans out there screwing around with these things that it's just too confusing to try to be smart now.
* New feature! Envelope headers ("mail from" and "rcpt to") and the IP address of the SMTP client (TCPREMOTEIP) are now made available to the perlscanner module! You can now use Virus-MAILFROM, Virus-RCPTTO and Virus-TCPREMOTEIP to match on those headers. Note that they are uppercased - to separate them from standard mail headers - which are always lowercased.
* Strip out line breaks from SCANINFO - apparently some virus scanners have CR in their version ids...
* Changed all occurrences of "Illegal" to "Disallowed". Illegal seems a bit harsh...
* Quarantine alert messages now contain ALL headers. Will need to keep an eye on this when Q-S introduces body-scanning. You could get an infinite loop...
* More examples added to quarantine-attachments.txt. Everyone should read it to see if there's anything they want, as if you are just upgrading Q-S, your existing quarantine-attachments.txt file is NOT touched.
* ensure that regenerating the perlscanner DB fails if the TXT file is unreadable.
* Fixed bug in perlscanner that stopped you having header matches that contained the same regex.
* Changed sub-avp again (Kaspersky AVPLinux scanner) - sheesh!
* Information Leakage: some people have complained about how Q-S tells the sender and recips where the unpacked message was. Now the admin, sender and recips are sent separate messages, and only the admin address will receive such details. The rest will be told that their message contains a "XXX" virus - but no file path details.
* Added new feature to limit the damage done by trojans that change the From address to be someone other than the person actually sending the trojan.
  '--silent-viruses="klez,othernastyvirus"' would mean that *IF* a virus is detected, AND the string "klez" or "othernastyvirus" appears in the virus description given by the virus scanner, THEN the quarantine alert message is NOT sent to the supposed sender - as it won't actually have been them. This may help limit the confusion people are feeling these days with such anti-social (more anti-social?) viruses. Thanks to Greg Wildman for the implementation.
* Added new feature to "fast_spamassassin". If you change this to "fast_spamassassin='*****SPAM*****'", then the faster SA setting is still used, but the string "*****SPAM*****" is prepended to the Subject: line. Apparently users find the other methods of finding the SA tags too difficult :-) Note: the format is actually "fast_spamassassin=" - so you can have any single-word marker there that you want. Just make sure it looks obvious.
* Fixed bug where logging reports quarantine message being sent to recipients even when Q-S configured to not notify recips! (they weren't actually sent anything - but it was reported they did...)
* Changed documentation to reflect the fact that setting QMAILQUEUE within the tcpserver rules file is now the ONLY supported way of setting Qmail-Scanner. The other methods are too diverse to document correctly, so let's just stick to the one that works best.
* Document that DB_File has disappeared from Perl 5.6.1
* By default, SpamAssassin is only run on Email that comes from "non-local" SMTP clients. That is decided on the lack of the RELAYCLIENT environment variable (see Qmail docs). If that doesn't do what you want, you can also set "QS_SPAMASSASSIN=1" in your tcpserver rules file to force SA to be run.
* More explicit documentation that the SpamAssassin support DOES NOT QUARANTINE POTENTIAL SPAM!!!! There - I think that's pretty explicit :-) SpamAssassin has always been designed to "tag" messages as being spam, and to make the USER (not the Sys Admin!) decide what to do with it.
* Added support for CLAM AV. An Open Source (yup!) antivirus scanner that uses the Openantivirus.org ScannerDaemon pattern files.
* Fixed buglet in ravlin detection
* Updated kavscanner subroutine
* Fixed bug in configure script's generating of the CMDLINE
* Updated ./contrib/test_installation.sh to be a bit more descriptive
* Documented quarantine philosophy. Apparently I just expected you all to work it out for yourselves...
* Documented that SpamAssassin is only run on mail deemed not to be local via the standard Qmail RELAYCLIENT environment variable. i.e. if the SMTP client is classified as local, it won't be spam-scanned...
* fixed buglet in how redundant_scanning handled zipped attachments. Thanks to Brian Johnson.

1.12 6-May-2002
* cut-n-paste bug in quarantine-attachments.txt that would break new installs of Qmail-Scanner. Duh! - did that last year too!
* another bug in how the documentation says to run SpamAssassin.
* Added "-eec" to sweep to gain access to the "extended error codes".
* Documented some SpamAssassin issues.

1.11 26-Mar-2002
* Must be using maildrop-1.3.8 or later due to bug in previous releases.
* Added sub-sender-cache.pl to contrib. This was work done for element5.de - who wanted the ability to restrict Q-S to only send a limited number of alerts regarding quarantine events per sender. Using this option makes Q-S create a separate DB file where it tracks how many times an alert is sent to an Email address. It also saves the timestamp so that you can configure it to do things like "only send 5 alerts within a 7 day period to any individual Email address". The main use of this would be to limit the amount of "spamming" the AV admin receives when an individual infected PC is busily spamming everyone in its addressbook 1000 times over...
* By default the OS "unzip" program doesn't support "shrink" as a compression algorithm - and exits 81 - which means this sort of message would never get through Q-S.
  That shouldn't happen as there's nothing Q-S can do to fix that. So I have checked the unzip error codes, and now let some "broken" unzips be treated as OK - as there's nothing else Q-S can do to correct them... This will mean some zip files with viruses will get through Qmail-Scanner, so of course you will be then relying on your antivirus product to catch such things...
* Added NULL char to my (small) list of chars to treat as hostile. I wonder if I should reverse this and block everything that is not an acceptable char instead....
* Whoops! I see my references to "lone LF" are incorrect: "\r" is a CR not a LF! Duh! :-) Oh well, just a documentation typo.
* SpamAssassin v2 is supported. New feature in v2 allows Qmail-Scanner to *halve* the amount of traffic generated doing a SpamAssassin check! If you want to use the old-style support (which recreates the entire message with the SpamAssassin headers added), then ./configure with "verbose_spamassassin" as the scanner name instead of "fast_spamassassin". Note: I don't like the "verbose_spamassassin" method - so *please* try to move to the new method, as there's going to be more of that in the future with Body content-scanning/etc. If your users want to auto-move Emails in their mailer marked as Spam under the new method, you can match on:
    "Received: .* with qmail-scanner.*Clear:SA:1"
  or...
    "X-Spam-Status: Yes,"
* Allow the "Clear" message to now include "scoring" so that scanners such as SpamAssassin can still report what they found, even if a quarantine event didn't occur.
* It is now a requirement to have Sys::Syslog as all errors are reported by syslog. It makes sense.
* masses of changes in configure to actually check that programs and scanners called by Q-S actually work correctly before being used. Should cut down on run-time errors, but cause a flood of people saying "why does Q-S claim scanner XXX doesn't work on my system?"
  :-) I just can't win ;-)

1.10 22-Jan-2002
* Jumped from 1.03 to 1.10 to reflect internal changes
* Phase out referring to ulimit. That utility is OS-dependent and doesn't work consistently well. Everyone should use softlimit from daemontools instead.
* Added calling UID to Received header - and to debug logs.
* Renamed logging reference of "perlscanner" to "qmail-scanner". Why on earth did I ever do it that way in the first place?!?!?
* Added support for Command's AV scanner. Thanks to John Lombardo for doing the port.
* Added support for SpamAssassin.
* Changes to logging: Logging used to have a boolean to describe whether a message was quarantined or not. This has been changed to now be either "Clear" or the scanner responsible for that quarantine event plus the first 10 chars of the name of the quarantine event (e.g. "Clear:0"). This should mean you can now use either your syslog logs or the mailstats.cvs log to produce stats on ALL mail through your server as well as virus penetration events, etc (i.e. the quarantine.log file is now redundant).
* ALSO CHANGED THE ORDERING!!! This was to ensure details that were under user-control didn't cause details such as message size to be cut off when logging via syslog.
* Removed recording Date: header in logs - they're all timestamped anyway, so it's almost redundant.
* "./configure --scanners sweep,vscan", etc now supported. Default is like old system: "./configure --scanners auto" - which auto detects what supported scanners are installed on your system. This can now be overridden so that you can have 5 different scanners installed on your system, and yet only have Qmail-Scanner use one of them if you like.
* Added support for SpamAssassin! If you have a working installation of the SpamAssassin spamd installed, then Q-S will configure itself to pipe every message received through and resend the message as altered by SpamAssassin.
  This could seriously annoy your users as this is a site-wide installation of SpamAssassin - unlike its normal per-user install. See FAQ for details.
* Now will use syslog to report any temp errors directly if "--log-details syslog" set. This is so that such errors end up somewhere more noticeable than the standard Qmail multilog area (which no-one monitors!)
* Added support for Trophie - a GPLed daemonized version of Trends vscan. Please read the FAQ on how to install it so that it will correctly run with Q-S. Ensure you are comfortable with trophie before using it within Q-S. NO QUESTIONS ON Q-S MAILING-LISTS PLEASE!!!
* Extra comments about Sophie/Trophie added.
* "--fix-mime" option will now block as viral any message containing LF chars in the headers. This will stop Badtrans and the like. Only a very broken mailer should otherwise get hit by this. *Please* tell me if any non-bad mail is caught by this!!!
* Removed kill check for dead qmail-smtpd processes (the "Whoa!" error). There are some weird issues with it on some systems, and it isn't needed anyway. If qmail-smtpd dies, the parent PID of Q-S becomes "1" - so just check for that instead! This means the "--smtpd-check" option has been removed!!!
* Minor wording changes
* Minor issue with archive mode corrected
* Sanity check added to ./configure to help ensure up-to-date version of tnef is installed if it is installed at all.

1.03 4-Dec-2001
* Whoops! Forgot my tabs in the quarantine-attachments.txt file (darn X-Windows cut-n-paste!)
* New sub-svpdaemon.pl added to contrib directory. AVPdaemon is officially not supported by Q-S due to the company involved being unable to stick to a standard format...

1.02 3-Dec-2001
* Added "--smtpd-check" so that people can disable the qmail_smtpd_check subroutine that has been causing problems for *some* sites (the "Whoa!" errors). Defaults to "yes" - change to "no" to disable it.
  MAKE SURE YOU KNOW IT'S A PROBLEM BEFORE DISABLING THIS AS OTHERWISE YOU WILL GET DOUBLE-DELIVERY OF SOME MAIL DURING SOME ERROR CONDITIONS!!!
* Changed required maildrop release to 1.3.6 as there's a buglet in previous reformime releases WRT how they handle broken MIME messages.
* Added LANG support for Czech. Thanks to Pavel Lisy
* Added "--fix-mime" option. This will allow Q-S to attempt to "fix" broken MIME mail messages before passing the message to reformime for initial processing. Disabled by default, it should be safe to turn on, and if it is, will allow Q-S to trap some viruses which might have bypassed the system due to their "broken" nature. This feature will probably grow in the future...
* Added LANG support for Afrikaans. Thanks to Schalk Cronje
* Added support for Sophie - a GPLed daemonized version of Sophos sweep. Please read the FAQ on how to install it so that it will correctly run with Q-S. Ensure you are comfortable with sophie before using it within Q-S. NO QUESTIONS ON Q-S MAILING-LISTS PLEASE!!!
* Re-positioned the alarm statement
* Added support for F-Prot (thanks to "Charlie") - see http://www.theboenings.com/qmail-scanner/
* Added comments to contrib/qmail-scanner-queue.c to help those who need to use it
* Added LANG support for Portuguese. Thanks to Ricardo Oliveira

1.01 6-Sep-2001
* Privacy issue. The "--add-dscr-hdrs yes" option now doesn't include the "rcpt to" information for privacy reasons. If you must have that, configure as "--add-dscr-hdrs all" instead.
* The infamous "Whoa!" bug should have been nailed dead. The problem was with running a smtp daemon check on messages injected by qmail-inject - pretty stupid really...
* Added LANG support for Polish. Thanks to Maciej Gruszczyski
* Added LANG support for Swedish. Thanks to Thomas Berghemm

1.00 18-Aug-2001
* Due to the tonnes of problems people are reporting with AVPDaemon, I am moving it back into the contrib directory. Please Email Kaspersky about problems you have with AVP.
  If you can't get it working by itself, there's no way it'll "magically" work under Qmail-Scanner.
* documentation changes
* Added LANG support for French. Thanks to Cedric Fontaine!
* Added LANG support for Traditional Chinese. Thanks to tbsky!

1.00rc1 29-Jun-2001
* Jumped to Release Candidate for 1.00! I've gone through and rewritten Qmail-Scanner in strict mode to make it happier with the newer perl-5.6 installs, tested on RH 7.1
* For security reasons, all new releases of Qmail-Scanner should come with a GnuPG signature signed by myself: (Jason L. Haar) KEYID: 0xFE1D66D1 Find my public key via key servers or from the Qmail-Scanner homepage
* I've removed the ability of Q-S reporting all the attachment filenames. It used to report even the filenames of files extracted from attachments. As someone could easily send an Email with a zip file with 1,000's of files within, this obviously just becomes stupid. So now it will only report on the actual original Email attachments. Of course perlscanner and any anti-virus scanners still get to scan everything!
* Many cosmetic changes. Removed almost all references to "virus" and introduced "quarantine" instead, as that better illustrates how Qmail-Scanner is more than just an Anti-Virus package
* Better handling of multi-line headers

0.97
* Added more sanity checks for insane conditions. Q-S will now exit with a temp error if it finds itself running the scanner loop for more than 20 minutes. That will catch broken virus scanners that are spinning around on weird messages. It will also check that the qmail-smtpd process that spawned it is still operating before it reinjects into qmail-queue. Previously it would end up double-delivering under such conditions.
* Alerts to the "AV" admin can now be stopped if the offending Email is from a mailing-list. Use "--notify nmladm" instead of "--notify admin" to activate.
* Alerts to recipients are now limited to only local users. See "--local-domains" configure option. Set to "."
  for backwards compatibility. Be warned you could end up spamming mailing-lists with alerts if you do that (there's no way Q-S can detect a recipient address is a mailing-list - only senders).
* Bug fix with newer unzip programs. Well, more of a "change in interpretation" :-).
* Changed quite a few debug statements - hopefully they're more self-explanatory now.
* Try to workaround problem with password-protected zip files, without losing information about the files. NOTE: password-protected files show up in the logs, but aren't checked against the perlscanner database. This is a *FEATURE* - not a bug.
* Martin Lesser has helped add support for AVPDaemon. You must have a working install of it before Qmail-Scanner will even have a hope of working with it...
* Allow $headers array to do multi-line matching on To: and Cc: headers.
* Updated error messages for scanners.
* Added LANG support for Lithuanian. Thanks to Aidas Kasparas!
* Added LANG support for Turkish. Thanks to Deniz Akkus Kanca!
* Sophos SWEEP now called with "-f -sc" options. Too bad if it slows it down. It's needed to catch HTML viruses like KAKworm, and to scan inside dynamically compressed files.

0.96 26-Feb-2001
* Documentation changes
* BUG Fix. Fixed variable bug that could screw up extension matching in some circumstances.

0.95 24-Jan-2001
* Fixed buglet where uuencoded file attachments weren't correctly checked against internal perlscanner database.
* Added support for other OSes uudecode. Should work on more systems now.
* Added test_installation.sh to the contrib directory. This wee script will send two Email messages to "root" containing different variants of the EICAR test virus. The first will be picked by perlscanner, and the second by any commercial anti-virus package installed on your system. Simply running this after an Q-S install should prove that Q-S is installed correctly.
* Altered some of the headers produced to make Q-S even more "postmaster-like".
* Added LANG support for Spanish.
  Thanks to Francisco J. Montilla!
* Fixed some documentation errors
* Changed some of the environment variables used
* Made the generated Received: header RFC compliant
* New option ("--log-details") generates log entries of mail message details (frm/to/subject/attachments). Works well, but running in the syslog mode involves two extra exec calls - not for overloaded systems... Where possible, stick to the default logging to file mode.
* The Qmail RPMs referenced on www.qmail.org have a charming "feature" that breaks qmail-inject. Work-around put in place
* Yet another sanity check for uuencoded attachments with stupidly long filename extensions.

0.94 10-Nov-2000
* Fixes for new version of Sophos. They've changed its format which breaks under older releases of Qmail-Scanner
* more setuid changes to help reduce installation problems
* error condition check altered for McAfee
* Bug found in uudecoding section! Like old versions of reformime it wasn't checking for majorly long filenames and compensating, - now it does.

0.93 9-Oct-2000
* Allow sites to attempt to run Qmail-Scanner even if they don't have suidperl installed. Apparently there are some systems out there that support this - so who am I to stop them! :-)
* Added support for InocuLAN - thanks to Michael Lahr!
* Added LANG support for German - thanks to Michael Lahr!
* Documented the perlscanner module. Can't believe I didn't notice that before!
* Sigh - more documentation updates to fix.
* Altered configure to be more Unix-independent.
* Altered HBEDV subroutine
* Have inserted sanity check for auto-generated filenames. This check will STOP perlscanner from looking at their extensions as the filenames are autogenerated and should never match anyway.

0.92 23-Aug-2000
* Cosmetic documentation changes - that's the trouble with renaming a package...
* Altered qmail-scanner-queue.pl to detect whether or not an attachment filename was generated by reformime.
  Such files should never be matched by the perlscanner module as their filenames are randomly generated

0.91 22-Aug-2000
* Spelling mistake - gah! quaranteen instead of quarantine...
* Added support for Italian! Thanks to Luca Gibelli
* Support for non /var/qmail installed Qmail systems (like Debian). ./configure will now work out where qmail is installed. Thanks to Werner Fleck.

0.90 10-Aug-2000
* NAME CHANGE. Scan4Virus is no more - now Qmail-Scanner. This name better reflects the functionality of the product.
* Added support for tnef. This wondrous utility allows us to unpack M$ TNEF attachments back into their "true" form before we run the scanners over them. Pick up heaps more viruses than you used to this way!
* Added (poorly) documented calls to McAfee's uvscan that allows it to unpack zip files and better macro-virus support.

0.53 30-Jun-2000
* Removed support for metamail due to metamail not being able to handle some types of MIME attachments.
* Added support for F-Secure's fsav virus scanner. Thanks to Ian Scott for that.
* Updated documentation on altering the perms on suidperl.

0.52 7-Jun-2000
* missing command-line option to Trend scanner - makes a BIG difference! Looks like there's some differences in the way Trend's vscan exits depending on engine version - grrrrrr! Have had to remove exit status check....
* problem noticed by Kevin A. Hall regarding how the DB calls operate. Extra brackets fixed that!

0.51 23-May-2000
* cosmetic changes
* humungous mistake with metamail (again! - I really need separate systems to test this on!), hopefully fixed for sure this time.

0.50 12-May-2000
* Bit of a jump in versioning as I've added a major new feature in that the internal scanner now supports scanning Email headers!
* BUG FIX: METAMAIL_TMPDIR not defined - needed to make metamail save into the correct directory.
* BUG FIX: If $descriptive_headers was defined, the extra headers weren't added to "clean" Email.
* "antivirus-qmail-queue.pl -v" returns information regarding your system and scanning environment. Please include that output in any bug reports you make!
* Support for uudecoding! If your uudecode program is deemed "safe", any uuencoded attachments will be decoded before the scanner runs.
* Explicitly mention that QMAILQUEUE needs to be set in /etc/profile or the like if you want local shell users to have their mail scanned. [although as they are inherently not Windows users, you may want to save your system the effort and explicitly NOT do that! :-)]
* Set TMP and TMPDIR env vars to "help" virus scanners write their temp files into a protected area - don't want to worry about race conditions now do we!
* The "Love Letter" virus got me thinking. We really need to match on headers too. Here we knew the subject line of that virus was "ILOVEYOU" hours before we knew what the attachment filename was - let alone had any "official" antivirus update. The perlscanner can now match on any Email header as well as attachment filename. See quarantine-attachments.txt for details.
* BUG FIX: Bug in the way that the perlscan module handles wildcard attachments.
* New feature. perlscan now runs exactly as other scanner modules do. Zip files are unpacked before being scanned - but it can still match on zip files!
* Initial support for avp. Untested by me - but should be fine. Thanks to Tulipant Gergely.
* Redundant scanning. If $redundant_scanning is enabled, the scanners will scan original zip files and the original "raw" Email msg. Adds extra load, but allows specific virus scanners that support such advanced features to operate closer to their potential.

0.19 13-Mar-2000
* BUG FIX: qmail-smtpd can reject mail and so drops its connection to $QMAILQUEUE. Now check that envelope addresses exist before carrying on - gets rid of "Unable to queue message (28416)" errors.
* Tighter umask.
* Added archive support.
If $archiveit=1, processed mail is archived into maildir /var/spool/qmailqueue/archive instead of being deleted. BE VERY CAREFUL YOU DON'T RUN OUT OF DISKSPACE! * Added support for H+BEDV's antivir scanner. Details supplied by Johan Almqvist of luna.lu.se. * Changed a few variable names, and a small mis-calling of the macro checking under MacAfee's uvscanner. 0.18 24-Feb-2000 * Nasty bug in that I didn't have an explicit path to the find command - which screwed things up no end. 0.17 21-Feb-2000 * Wildcard support for perlscanner! e.g. can now exclude all *.MP3 files from entering your site :-) * Removed mention of explicit "find" cronjob to scan /var/spool/qmailqueue for files. Network outages (as well as killing local qmail processes!) can lead to files lying around under that tree. So "antivirus-qmail-queue.pl -z" now deletes any files older than 30 hours it finds there (excluding the "viruses/" tree) instead of just the "tmp/" ones. That should be called daily by cron instead * Minor wording changes. * Documented existance of mailing-list (duh!) 0.16 31-Jan-2000 * Possible security hole found! Due to my historic use of qmail-inject, I'd overlooked one nasty command-line call... Fixed now - no longer any SMTP-generated data allowed on the command-line... 0.15 25-Jan-2000 * Few documentation changes I forgot for 0.14. 0.14 24-Jan-2000 * MAJOR IMPROVEMENT. Now uses qmail-queue directly - no longer needs to invoke qmail-inject. Thanks to Russ Allbery's Qmail-Majordomo perl script for inspiration :-) * New built-in scanner! perlscan_scanner scans a DB file containing attachment filenames and sizes - a match means virus. This can be very useful when a new virus is discovered, details (including filenames and sizes) are released, and the antivirus vendors say it will be days/weeks before an official fix is released - this can tide you over... * Initial support for metamail for those who don't want to use reformime. 
I'd recommend reformime as it is more actively supported, is smaller and doesn't have the feature-set that metamail does - which should mean it's inherently more secure (no real evidence for that tho!). Anyway, look at $mimeunpacker if you would prefer to use metamail. * Support for Sophos's sweep virus scanner. * Removed X-Scan4Virus: headers. They were just a repeat of what was in the Received: header anyway, and if an Email went through two scan4virus servers, they'd be overwritten anyway. Save some writes and speed things up a bit :-) * Increased example ulimit for data segment size as I found that some virus scanners need more memory than others. * Moved several files back into default spool dir - keep the package all in one place. * Assorted little cleanups 0.13 15-Dec-1999 * Added Received: header that contains the scan4virus information regarding version numbers of scanners and pattern-files - that way if a message goes through several sites running scan4virus, all of their reports will show up in the headers. * Created a virus log function whereby every Email received with a virus is logged - so that reports can be generated (tab-delimited).
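
The perlscanner entries above (filename-and-size matching in 0.14, wildcards in 0.17, header matching in 0.50) describe one mechanism. The following Perl is an added example of that mechanism, not Qmail-Scanner's own code; the rule layout, rule values and sample message are constructed and do not reflect the format of quarantine-attachments.txt.

```perl
# Added example, not Qmail-Scanner code; rules and sample message are constructed.
use strict;
use warnings;
# Turn a shell-style wildcard into an anchored, case-insensitive regex.
# quotemeta first, so "." and "+" in a rule cannot act as regex operators.
sub wildcard_to_regex {
    my ($glob) = @_;
    my $re = quotemeta($glob);
    $re =~ s/\\\*/.*/g;    # escaped "*" -> any run of characters
    $re =~ s/\\\?/./g;     # escaped "?" -> exactly one character
    return qr/\A$re\z/is;
}

# [ filename wildcard, size in bytes (-1 = any size), description ]
my @file_rules = (
    [ '*.vbs',      -1,   'VBScript attachment' ],
    [ 'update.exe', 4096, 'known-bad name and size (constructed)' ],
);
# [ header name, wildcard for the header value, description ]
my @header_rules = (
    [ 'Subject', 'ILOVEYOU', 'Love Letter subject line' ],
);

sub scan_message {
    my ($headers, $attachments) = @_;   # hashref; arrayref of [name, size]
    my @hits;
    for my $rule (@header_rules) {
        my ($name, $glob, $desc) = @$rule;
        my $re = wildcard_to_regex($glob);
        for my $h (grep { lc($_) eq lc($name) } keys %$headers) {
            push @hits, "header $h: $desc" if $headers->{$h} =~ $re;
        }
    }
    for my $att (@$attachments) {
        my ($fname, $size) = @$att;
        for my $rule (@file_rules) {
            my ($glob, $want, $desc) = @$rule;
            next unless $fname =~ wildcard_to_regex($glob);
            next unless $want == -1 || $want == $size;
            push @hits, "attachment $fname: $desc";
        }
    }
    return @hits;
}

# Constructed sample: the subject matches, one attachment matches by wildcard.
my %hdr = ( 'subject' => 'ILOVEYOU', 'From' => 'someone@example.com' );
my @att = ( [ 'holiday-photos.TXT.vbs', 2048 ], [ 'notes.txt', 120 ] );
print "$_\n" for scan_message(\%hdr, \@att);
```

Anchoring the pattern with \A and \z matters for rules like update.exe: without it, a rule meant for one exact filename would also match any longer name that merely contains it.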