2.11 15/Feb/2013
* Increased value of $MAX_NUM_HDRS to 256 due to some legit Lotus
MTA generating emails with over 100 lines of "X-Notes-Item"
headers. Ewwww...
* created new Q-S headers containing metadata learnt during the
parsing phase - to pass to SpamAssassin. This would allow for
creating SA rules to (say) score highly email containing zip
files that contain .exe files - that claim to be from a PDF
printer...
* altered contrib/qscan-spam-to-users.pl to look at "cur" dir too
* tweaked double-barrelled filename checks
* changed syslog calls as rsyslog works differently than older
syslog servers
* cleaned up and speed up configure script
* Put in Digest::SHA and Digest::SHA1 check to ensure MHR module works.
Thanks to Salvatore
* moved mhr to be in front of clam[d]scan due to its performance. Cleaned
up some code too
2.10 16/Aug/2011
* ./configure now exits if you choose a "--lang" language
that isn't supported
* Change Received: header used to show diagnostic detail
to X-Qmail-Scanner-Diagnostics: - that will make SpamAssassin
happier
* changed password-protected zip files to not bother
unpacking them - just a waste of time
* Team Cymru Malware Hash Registry (MHR) support added.
NOTE: even though this is a free, DNS-based AV service, it
is free for non-commercial use ONLY. Please see their website
for details
2.09 22/Sep/2010
* Added DLPmonitor feature. If you want to use clamAV or perlscanner
to block the movement of intellectual property/etc (i.e DLP),
you can create rules that will enable Q-S to treat such files/data
identically to viruses. However, it is common to want to *track*
such events first (to get a feel for false-positives), so
$DLPmonitor_REGEX enables you to define a regex of strings
that cause Q-S to archive and log as "DLP:" - but otherwise
treat as "Clear", non-quarantine events
* Added ${V_HEADER}-Remote-OS: header contain OS of SMTP client
as discovered if you are using qmail-delay with p0f. Adding it
as a header means SA can use the OS information for rule checks.
Be aware that NAT gateways at either end can adversely affect
the results p0f discovers, so this feature may not work well
in your particular environment. This header by itself doesn't
do much - you'll have to write SA rules to use this "meta data"
* Changed internal localization from "C" to "en_US" to workaround
bug in latest reformime.
* small debugging changes. Thanks to Toni Mueller
* HBEDV change. New version has replaced "antivir" with "avscan".
Thanks to Wolfgang Hamann for the patch
2.08 8/Sep/2009
* Changed "--sa-timeout" from 30 to 120 seconds. Should enable
spamc to handle really large text emails without triggering
a false SA "failure"
2.07 31/Aug/2009
* Support for AVAST! This will support avastlite - which interacts
with the avastd daemon
* BEHAVIOUR CHANGE: enable sites to trigger tempfails if SpamAssassin
fails to process a message. ie treat SA identically to antivirus
on errors. This is ENABLED by default. Set "--sa-tempfail 0"
if you want to revert to old method of continuing
on errors - with the "?/?" score. To spell it out, "?/?" should
NEVER happen again if you allow the new default
* BEHAVIOUR CHANGE: "--sa-faulttolerant yes" now the default. Set
to "--sa-faulttolerant no" to revert to old behaviour
* stupid mistake with altering unzip'ped file perms - forgot daemonized
scanners would need eXecute access to the dir - doh!
* mistake in perlscanner filesize detection fixed
* changed maildrop test and ensured all error exit codes are non-zero
for the ./configure script. Thanks to David Sveningsson
* clamscan commandline options altered to support 0.95 (not that anyone
should be using clamscan - clamdscan is vastly preferred).
* Support for the new esets_cli version of NOD32 - called "esets".
Thanks to Salvatore
2.06 05/Mar/2009
* Brenda Bell picked up a buglet with how a BAD_MIME_CHECK was
handling certain b0rked legitimate mail. Fixed
* Upgraded fprot support to version 6, "fprot" has been replaced
with "fpscan" and "fpscand" (daemonized)
modules. Thanks for the work by Salvatore, Matthias, Futhwo
* wording changes on some error messages
* added an exception to cover a sophie error condition
* forcibly "chmod -R 740 ." after unpacking zip files to ensure the
files are readable by daemonized scanners like clamd, etc.
2.05 2/Jul/2008
* document that even though Qmail-Scanner will add a Message-ID header
if there *isn't* already one, it will ensure this added header is
not passed to SpamAssassin when it is called. This ensures SA can
correctly interpret the lack of that header.
* Fix bug in above new code! Causing some message-ids to be skipped
when passing to SA.
2.04 07/May/2008
* Regex bug fixed in message-id check.
2.03 25/Mar/2008
* Code cleanup and reorg. Thanks to Salvatore
* Updated nod32 support. Users of this MUST CHECK that they have
configured /etc/nod32/nod32.cfg correctly. Thanks to Salvatore
* Updated support for qmail-queue-custom-error. Thanks to Futhwo
for noticing the change
* Enhanced perlscanner to be able to policy-block attachments based
on arbitrary sizes. e.g. "block zip attachments if less than 1024 Bytes"
* Fixed buglet in attachment filesize checks
* Workaround for Berkeley DB bug. Thanks to Manuel Mausz for the patch
* Updated clamdscan module to support more expected error
conditions
2.02 30/Aug/2007
* It is strongly suggested that everyone enable PTR lookups within
Qmail itself (i.e. the "-H" option in tcpserver). Q-S now uses
TCPREMOTEHOST (if present) in the creation of
Received: headers - as SpamAssassin now expects that.
* Support for generating SMTP permanent errors for quarantine events
- including high-scoring SPAM ("--quarantine-reject 1").
This is disabled by default, but I intend to make this the default
soon. Note that enabling this option WILL DISABLE ALL "OLD" Q-S
NOTIFICATION CODE. i.e. no more "policy-violation found in..."
emails.
* Extra loop around spamc put in place to allow Q-S to try
up to three times to get SA to produce a result if
"--sa-faulttolerant 1" set. For thoses of us who REALLY WANT
SA to always return a score. This may worsen load problems - there
may have been a reason spamd couldn't return a result the first
time...
* A GREETDELAY implementation in contrib/qmail-delay. This allows you
to delay accepting email connections based on such parameters as
the remote IP address, as well as OPERATING-SYSTEM AND
GEOGRAPHIC LOCATION
* Q-S now adds Message-ID if one isn't present to improve
the trackability of emails through your systems. This used to
be added as X-Qmail-Scanner-Message-ID
* Small buglet in where Q-S detects latest SA output in
verbose_spamassassin
* Small update to F-prot. Thanks to dimaki
* Buglet in how policy blocking occurs if BAD_MIME_CHECKS=0 fixed.
Thanks to Simone Lazzaris
* New Polish translation, and bugfix by Maciej Budzynski
* Allows configuration of SpamAssassin's "max size" limit - which
tells SA not to scan messages larger than that size. Defaults to
the SA standard 256000 Bytes - but allows you to make it higher
if you wish (I use 700000)
* Support for latest Sophos savscan scanner. Recommend using
sophie-3.06 which fully supports it (i.e still use sophie)
* Updated qscan-spam-to-users.pl.
* Updated qs2mrtg to reflect SA quarantine events as "RBL"
events instead of "virus" events
* Explicitly mention daemontools as being required
2.01 5/Apr/2006
* Changed setuidgid calls in ./configure as some people had PATHs that
were not playing nicely.
2.00 20/Mar/2006
* cleanup: removed "virusdir" option
* Changed uudecode perm to 0640
* Updated nod32 - thanks to Max Kellermann
* Added 30sec timeout to calls to spamc. i.e. spamc will exit without
knowing the score of a piece of mail if spamd takes more than 30sec
to respond. This should cut down on silly amounts of time being spent
dealing with DNS timeouts/etc, without making SA miss anything it
would have caught before.
* Refer to logrotate script in contrib/ directory which can be used to
perform "housekeeping" duties for Q-S
2.00rc1 23/Jan/2006
* Big version jump from 1.25 to 2.00 to reflect some of the changes
that have take place.
* NAME CHANGE.
The spool directory into which Qmail-Scanner is installed is now
/var/spool/qscan. This is to reflect (or force ;-) that you need
to re-evaluate all your settings as some pretty fundamental changes
have been made
* NAME CHANGE.
quarantine-attachments.txt has been renamed quarantine-events.txt as
it is used to quarantine more than just attachments, and the format
of that file has been changed.
* NEW FEATURE.
Quarantine directory is now separated into THREE subdirs: "spam",
"viruses" and "policy". This is so sites can arrange different auto-delete
jobs to control the size of these areas if they so wish. See below
for more details
* NEW FEATURE.
Starting to include concepts from Salvatore Toribio
"st" patch to add spam quarantining features to Q-S. If you
set "--sa-quarantine X" (where "X" is a positive number), then
if SA tags a message as having a score higher than "required_hits"
plus "X", that message will be quarantined into a new
maildir "./spam/" and not delivered to the end-user (also
no-one is notified). e.g. for "--sa-quarantine 5", a score of
10/5 would cause the message to be quarantined into maildir
"./spam/" instead of being delivered. A message with a score
of 7/5 would be tagged as SPAM and delivered as per older versions. Note
that this is a serious step to take. It means a false match ends up
with no-one being notified and the e-mail effectively
"blackholes". You can use your old Q-S logs of previous
"tagged-only" mail to go through to prove to yourself that the
"sa-quarantine" value you are going to use won't result in
lost e-mail. DISABLED by default
* To go along with the above new feature, the contrib dir contains
"qscan-spam-to-users.pl". A cronjob script designed to move any
high-scoring SPAM out of the "spam" quarantine dir into an
IMAP maildir structure where the recipient of the SPAM gets
their own mail subfolder. This gives a more filtered
way for IS staff to deal with any false positives. You can
log in via IMAP, go to a particular users (sub)mail folder and
see all the high-scoring SPAM sent to them - and forward
any false matches. Hopefully this should never be needed
as SpamAssassin scores over 10/5 should really never be
wrong...
* NEW FEATURE
The "qmail-scanner-queue.pl -z" script has also been updated to
auto-delete messages quarantined under the "quarantine/" maildirs
when they are older than 14 days. This is
to stop these maildirs growing insanely large! You are of course
welcome and encouraged to do something about e-mail in these
folders according to your own timescales if you wish. Simply
have your own cronjob move it into some other area of diskspace
- and then it's your problem to deal with :-)
* NEW FEATURE
A maximum size for scanning (--max-scan-size) can be set. This means
if a message is greater than this size (in bytes), then Q-S won't
run any AV or anti-Spam checks against it. Use with caution and
note that I have hard-wired a minimum value of 10000000 (10M) to
this variable to stop people making stupid mistakes. I am concerned that
virus writers will just start making really large viruses to bypass
systems with such options - so be careful!
* BIG CHANGE
Some features that were hard-wired into the main body of Q-S have
been moved into quarantine-events.txt where they should have been
all along. This makes it possible to change settings without
reconfiguring the main body of qmail-scanner-queue.pl. You will need
to rewrite any rules you had in place within the old
quarantine-attachments.txt into the new format quarantine-events.txt
One of these changes allows you to block zero-length attachments at last
("any" length is now represented by "-1" instead of "0"). LET ME SAY THAT
AGAIN!!! "0" NOW MEANS "0" - IT USED TO MEAN "ANY"!!!!
* BIG CHANGE in definition of times. Previously Q-S "started
the clock" the moment it was invoked, and stopped it when it
finished. Unfortunately that meant that if you were receiving
a large e-mail over a slow link, your Q-S stats would show it
took (let's say) *hours* to "process" the message - when in
fact it took hours to *receive* the message, and 2 seconds to
process. From now on the debug file (qmail-queue.log) will
differentiate between the two, and the per-message syslog reports
generated will contain a timestamp of how long the message took to
process i.e. - ***once it had been delivered to disk*** This will
make Q-S look faster than it did before - faster and more
correct IMO. Thanks go to a ratty old hub for making me realise how bad
the stats could look (I had some *8* hour deliveries... ;-)
* Changed setuid to 6755 - ie it's now setuid and setgid. Forcing all files to
be group qscand will allow those who wish to do so to keep their AV daemons
running as other accounts. They just need to ensure those daemons are members
of the qscand group - and as such should be able to read the necessary files.
e.g. clamd could run as "clamav", but as long as account "clamav" is a member
of group "qscand", clamd is able to read the mail enough to scan it
* Changed regex-matching in quarantine-events.txt to be case-*insensitive*
instead of case-sensitive. It was causing too much confusion.
* Added new monitor script to contrib dir - check_AV_daemons.
This perl script can be used to monitor that your daemonized
AV system (and SpamAssassin too!) is running correctly.
"perldoc contrib/check_AV_daemons" for details
* Added extra alarm on writing to syslog to stop Qmail-Scanner hanging waiting for a broken
syslog daemon to respond.
* Act like RELAYCLIENT is set if qmail-scanner called via pipe instead of SMTP. This makes it more
consistant with other Qmail apps - e.g a call to qmail-inject is equivalent to a local SMTP
connection. All this does is disable calling SA. If you want SA to be called (maybe this is
being called by a Web app), then just set QS_SPAMASSASSIN=1 in your environment. Note that I've
also changed the documentation to refer to QS_SPAMASSASSIN=1 instead of QS_SPAMASSASSIN=on
- think boolean.
* Added support for "greylisting"-style policy blocks. Instead of blocking and quarantining
an email, you can configure a Perlscan rule to trigger a SMTP temporary failure. This is
meant for emergency situaions where your current AV is being hit by a Day-Zero using some
attachment type you cannot afford to just blanket block. e.g. ZIP files. With the "greylisted"
option, you can tell Q-S to exit with a temp failure whenever such mails show up - which will
cause legitimate mail to simply requeue at the other end. Then when your AV is able to detect
the virus, you can remove the rule, and all that legitimate mail that was being blocked should
flow through again (assuming you don't have the rule in place for days of course!). Greylisted
events show up in logging as "Perlscan:Greylisted". Note: this is NOT "recipient greylisting"
- offers accepted for a better word...
* Localized the "$destring" at last. Can other languages that are supported
please send in translations for the "destring_*" files?
* Added support for AVG Antivirus from GrisSoft. Thanks to Jaroslav Suchanek
* Change to the Kaspersky avp scanner to allow corrupt attachments through
* Added support for decoding encoded attachment filenames and Subject: headers
by calling MIME::Base64. Now that's been done, you must reference "normalized"
filenames or strings in quarantine-attachments.txt and Q-S will catch them
even if they are encoded. Enabled by default, but as I'm not sure
how many bad implementations of MIME encoding there are, it can be disabled. Disable
via the "--normalize 0" ./configure option - and tell me if it starts blocking
valid mail... I am also concerned about people running broken syslog servers, and
how they handle 8bit chars showing up. Please keep an eye on this feature.
* Just noticed that Q-S spamassassin tagging was still reporting
SA scores as "hits=xx" instead of SA's official "score=xx". Fixed
* Fix to MacAfee scanner - well - kludge really. Thanks to
Beni Schoedler for spotting it.
* If you use "--add-dscr-hdrs", this will only be set on e-mails
that came from *non* relayed addresses. e.g mail from the Internet
to your site will have the headers added, but mail leaving your site
won't. This should make it safer (from a privacy perspective) to
enable
* Presence of DomainKeys signing added to report if "--log-crypto" enabled
* Now treat the presense of URLs in even text-only e-mails as enough
reason to run AV modules. This will mean that quite a lot of extra
text-only e-mail gets scanned - but is needed to thoroughly allow
Phishing attacks to be caught (most [all?] are currently HTML and
were scanned anyway - but they'll figure this out shortly...).
* Buglet in how the alert syslog records were written. They contained
details of the actual virus e-mail (e.g. IP address) instead
of more correctly reflecting they were locally generated.
* Added check to ensure clamdscan isn't just a link to clamscan
- which some third-party Web sites recommend! Gah! If you want
to run clamdscan - THEN SET UP THE DAEMON PROPERLY. Otherwise
don't - and you'll get clamscan instead (at 100th the performance)
Let me say it again: No-one running ClamAV should be using clamscan.
* Tiny change to configure to better discover if spamd is running
in socket mode - thanks to Renato Botelho
* Changed uudecoding sequence to just use system() instead of pipes as an anonymous
user reported an error on an unknown system that sounds like that OS has issues
with perl pipes (which reminded me of the problem FreeBSD had in 1.24). The code
change should only be cosmetic - but if it solves a problem - I'm all for it!
1.25 28/Jan/2005
* BUG: SA was removing X-Spam-Status headers when run in verbose mode - duh! Fixed
* Bug in double-barrelled check fixed.
* Typo in CHANGES from 1.24. It said SA is only called "for messages bigger than 250K"
- when obviously that should be "for messages smaller than 250K".
1.24 18/Oct/2004
* Fixed a localization issue by using POSIX setlocale - thanks Piotr Paw~ow
* Bug in sub-vexira.pl fixed. Thanks to Shai
* Fixes buglet with Q-S not successfully removing old X-Spam-Status: headers when it adds
its own. Now Q-S simply renames such headers - it gives a nice audit trail of previous
SA checks (real or fake)
* Fixed a FreeBSD buglet to do with spamc not playing with pipes correctly for messages
bigger than 250K. Q-S is now hard-wired to only call spamc for messages smaller than 250K.
Hopefully that doesn't burn anyone (you can always edit the code...)
* Quarantine events now separates "Denial of Service" attacks (which can affect the server)
from other AV/Policy events. DoS events don't get passed through AVs - they are blocked
instantly. Currently this covers overlong attachment filenames and zip files that would
have unpacked into more diskspace than allowed by the new "--max-zip-size" option. Note
that DoS check only kicks in if you are using "--unzip 1" - if you are not, it's up to
the AV you are using to do such checks.
* Crypto logging now has a "pecking order". An encrypted object is weighted higher than
a signed object WRT logging (i.e. if an e-mail is both signed and encrypted, it's only
reported as encrypted).
* Increased max size of syslog entry to 1024 chars - the RFC max limit
of a UDP-based syslog record.
* non-existant options in clamdscan removed, and version checking updated to catch
the newest release format change
* Added support for ESET NOD32 AV. Thanks to Maciej Soltysiak for the work
* Long standing buglet in configure script found when using the "--bindir" option.
Thanks to Tomas Hoger for pointing it out
* configure script will now auto-detect if you are running spamd in the (faster)
Unix socket mode, and will configure spamc accordingly. Not tested much as I think there may
be bugs in SA WRT this?
1.23 03/Aug/2004
* The format of the "Received:" header inserted by Q-S has been changed to
allow better interoperability with SpamAssassin's SPF checks
* "--log-details syslog" now set as default.
* New notification option: "precips". This will allow you to notify recipients
that a message to them was blocked, but unlike "recips", will only trigger
if it was blocked for "Policy" or Q-s internal reasons - i.e. wasn't tagged
as a virus by an AV sub-system.
* Tiny change to sub-spamassassin.pl to add support for the altered format
in upcoming SA 3.0
* Sanity check ownership of unpacked files. Too many people seem to have
weird setups with bad permissions. This should help focus their minds
a bit.
* X-Envelope-From: header banged in front of SA calls to allow extra checks.
* Changed some variable names to be more descriptive of what they do. Also
renamed subroutine check_and_grab_uuencoding to check_and_grab_attachments
for the same reason
* rewrote perlscan to search recursively for files via "find". This allows
unzip to run without options any more (removing the "-o" option - which
is a Good Thing), and will lend itself to future development
* "--redundant" enabled by default. It's all about stopping viruses, so we
should always use whatever added features are available by default instead
of making everyone work that out for themselves the hard way
* Changes to Kavscanner thanks to Nicola Percacci
* Jyri Hovila provided patches to F-Secure to enable support for the
latest release
* Bitdefender exit status update to catch corrupt archive files
* Made change with setuid test to allow you to continue with
a warning after it fails to find a working setuid perl installed
* Alex Pleiner has created a patch for vpopmail's roaming users feature
that allows it to inter-operate with Qmail-Scanner. See the contrib/
directory for the patch (vpopmail-issues.eml)
* Added a few more regex for detecting Windows binaries
* Added support for BitDefender AV. This appears to be free
for Linux...
* Cees Hek noticed a problem with deltatime - fixed
* timestamp accidentally dropped from mailstat.csv - fixed
1.22 10/Apr/2004
* Bug in uudecoding component fixed. Now will recognise a message
as having uuencoded bits even if uudecode not installed.
Note: if you expect Q-S to unpack certain things (instead of
just detect them), make sure you have such unpackers
installed... (e.g. unzip, uudecode).
* New logging feature: "--log-crypto". More for the Corporate
environments. Simply notes in the log record if the message contained
any form of digital signing or encryption (S/MIME, PGP and password
protected ZIP files for now). Disabled by default as your site may
have privacy issues in turning this on...
* reverted calling /usr/bin/suidperl back to the "official" way of doing
suid perl: /usr/bin/perl
* Standardized date timestamps in logs. There was a mix of formats - not
too nice to see...
* Fixed buglet where Q-S was replacing X-Spam-Level when it shouldn't be
* Removed RAV from list of supported AVs as Microsoft bought them out an
they have ceased development.
* archive support was broken (fat-finger problem) - fixed.
* Bug in how Q-S policed boundaries has been relaxed, given some bizarre
but valid behaviour by Eudora.
* Changed exit code check for sub-avp.
* The locale is forced to "C" (English) at the beginning of Q-S. That
will standardize the output of localized apps (such as AVs) so that
the string regexes will work more reliably. Note that this has
nothing to do with the normal Q-S language support
* If you have set $spamc_subject (which allows you to put a string at the
beginning of the Subject line when SPAM is found), then Q-S now checks
to see if that string is already present so as not to double-add it.
* Added Danish locale - thanks to Max Andersen
1.21 11/Mar/2004
* "--fix-mime" now defaults to "2". This enables a bunch of extra MIME checks that have proven to
be very useful. You can reset "--fix-mime 1" to regain older behaviour if you need to, but please
let me know why it isn't working for you...
* $hostname is now dynamically set instead of being hardwired. This should make pushing out
Q-S onto multiple boxes a bit easier.
* zipfiles are no longer deleted after unpacking to allow AV a better go at the original zip.
These Bagle/password-protected zip files viruses mean deleting any information (such as a zip
file you thought you didn't need any more) may be a bad thing...
* Due to those grotty new password-protected viruses showing up, Q-S now has the option of
blocking password-protected zip files ("--block-password-protected"). It obviously has
to use the systems "unzip" program - which has to support passwords. It can be used without
having to fully turn on the "--unzip" option.
* The CR/NULL char check has historically caused grief for some sites. Even though I feel that
people should fix the broken client that generates such messages, Q-S now allows you to configure
it with a "--ignore-eol-checks" which will turn off those checks - but allows it to keep doing
the other invalid MIME checks. I hope now that no-one will need to use "--fix-mime 0"
* In an attempt to prevent people getting concerned that Qmail-Scanner is letting through
viruses - when it isn't, Q-S now treats any bounced e-mail that appears to contain MIME
headers in the body as potentially containing an attachment. As such it will now
allow the virus scanners to scan them. Previously Q-S
would only scan them if the bounced e-mail was an attachment to the bounce - which obviously
should be scanned. Some MTAs (such as raw Qmail) simply append the original message to bounces, which
slips through Q-S as a "plain/text" message that doesn't need scanning. However, some other SMTP
virus scanners scan them anyway, and people were becoming concerned that Q-S was "broken" because it
wasn't detecting them - even though no known MUA could actually get infected off such a bounced message.
Go figure! It's one of these cases of needing to "be seen to be doing the right thing" - even when there
is really no need...
* More work on getting that suidperl check working correctly
* Big Change: Qmail-Scanner now defaults to only sending alerts to "psender,nmlvadm". i.e. only
alert sender and admin when the e-mail isn't assosiated with a mailing-list, and the quarantining
event is due to a policy block instead of an AV block. Note: if the string "virus" shows up in the first
20 chars of the description of the policy block within quarantine-attachments.txt, then that too is treated
as a virus and no notification will be sent either. The outcome of this new default is that quarantined
virus-infected e-mails won't send alerts to anyone, whereas e-mails quarantined due to other reasons
(e.g. MIME fiddles or you chose the "--block-password-protected" zip file option) will cause alerts.
The rationale behind defaulting to not notifying senders of viruses is that the vast majority of viruses
now alter the envelope from header, so there is no point in notifying someone who didn't send the
virus - that they have a virus!
* Pasi Kärkkäinen and Jyri Hovila sent in updates for fsecure
* Updated sub-avp.pl for Kaspersky kavscanner 5.0.1.0. I ASSUME THIS WILL BREAK OLD INSTALLS OF
kavscanner! Please upgrade your scanner. Thanks to Erik Wasser for the update
* Changed reference to vpopmail bug to specifically say this is to do with "pop-before-smtp"
functionality - the only part where vpopmail strips out/doesn't set the QMAILQUEUE variable
* Updated silent-viruses to skip notifying sender on my worm virus types
* Optimizing some of the regex used. Thanks to Doug Monroe
* Change references to quarantine maildir in alert e-mails to refer to the actual e-mail
file itself. Otherwise you're having to get a maildir-capable MUA up and running, and then
searching through the 1,000's of viruses you probably have for the actual message you're
after. Thanks to Salvatore Toribio for the suggestion.
* Rewrote a few error msgs to be a bit more concise
* Bug in how SA decides to run in fast-vs-verbose mode discovered by Jonas Thomsen - fixed.
* Slovak locale translation added - thanks to Viktor Daniel
* Documentation changes
* Bug in how archiving was disabled in the configuration script fixed. Thanks to Alex Pleiner
* Renamed references to clamuko to clamdscan - clamuko is an inline virus scanner for filesystems!
* changed default max-space that clamscan can use to 100M
* added X-Spam-Level header. This header adds "+" chars - one for each point scored up to a max of 100.
This is to allow less sophisticated mail filters (i.e. Outlook Rules Wizard ;-) to do more intelligent
things such as "delete mail that has "X-Spam-Level: ++++++++++" - i.e. delete spam with a score over 10.
Note that SA itself defaults to using a "*" char instead of "+", but that's a wildcard character, so I
think we'd be better off with "+" [which is a regex char - but if you're the type of person using a filter
that parses regex, then you're the type of person who'd know how to escape it too ;-)]
1.20 5/Nov/2003
* The IP address of the SMTP client is now added to the RC field in the Q-S logs. I have conceded
the arguement to Jesse Guardiani after having to track a virus that came in via a dialup user.
The information is there in the other Qmail logs - but it does take a while to figure out, so now
it's part of the Q-S logs. (e.g. "RC:0(1.2.3.4):" shows the SMTP client was 1.2.3.4 and that they are
*not* a RELAYCLIENT address).
* tidied up the fsecure and fprot subroutines
* Nicolas Croiset pointed out the contrib/sub-avpdaemon.pl didn't have support
for the new TMPDIR area. Fixed
* qs2mrtg.pl (and .cfg) added to contrib directory. This script reads syslog-only formatted
Q-S log records and converts them into MRTG graphs mail throughput,viruses and
spam stats. Run it as a cronjob like:
*/5 * * * * /usr/bin/qs2mrtg.pl && /usr/bin/mrtg /var/www/html/mrtg/mrtg-qmail-scanner.cfg > /dev/null 2>&1
1.20rc4 7/Oct/2003
* Put back references to Vpopmail breaking Qmail-Scanner in the FAQ. There are
just too many people having problems with Vpopmail for me to ignore.
* Have had enough of dealing with problems with find on different OSes. From
now on all temp dirs (where email unpacking occurs) now occurs under
/var/spool/qmailscan/tmp. That way find can just run over that dir and
can deal with dirs as well as files...
* Improved Fsecure version details to include the sub-engines it uses - gah!
* Made recreation of versioning information more resilient. Thanks to
Mark Simon Powell
* Just a note that there has been a change in the logging format. Actually there hasn't
- it's just that apparently no-one can read my mind to realise it follows a format :-)
Basically the "Clear:RC:0:SA:1(11.5/5.0):" part of the logging follows the following format:
"Name" : "Value"
...and are separated from each other by a colon ":" - sorta "colon separated values" :-)
Hence above translates to "not quarantined", "SMTP client wasn't a relayclient", "was spam".
The exception is "Clear" - which is always bunged onto the front of any message that was
*NOT* quarantined - it probably should be "Clear:1" or something silly like that - but I
just like to save the extra two chars ;-)
* bug found in re-org of AV ordering fixed.
* fixed bug in SA lowercasing of email addresses when passed to spamc.
* bug in new setuid perl checks stopping people from running the
C-wrapper version. Added new configure option: "--skip-setuid-test"
1.20rc3 2/Sep/2003
* Major change: Qmail-Scanner now runs under it's own separate account
to give better priviledge separation. Defaults to "qscand". Make sure
you check that any daemonized versions of virus scanners run as the
same account - otherwise they won't be able to scan within the
/var/spool/qmailscan directory. Upgrade from previous releases by:
disable SMTP (e.g. svc-stop /service/smtpd)
chown -R qscand:qscand /var/spool/qmailscan
edit (to make run as qscand) and restart any daemonized AVs
run ./configure ..... --install
re-enable SMTP (e.g. svc-start /service/smtpd)
Note: this is only needed for upgrading from releases running under
"qmailq". New site installs and future releases will be fine again
* Updated FAQ to mention Redhat9 issues with Qmail, and more information
on how daemonized versions of AV programs should be run WRT Q-S
* made perlscanner run AFTER antivirus scanners. That way if an attachment contains
a virus, it will be flagged as such, instead of relying on the generic attachment-blocking
(i.e. Policy) to catch it.
* Changed SpamAssassin module to work with upcoming 2.60. Thanks to Doug Monroe
* Bug in the order that clamscan was found on your system stopped it from being run first
like I claimed in RC1! Fixed
* Buglet in SA lowercasing of email addresses when passed to spamc.
1.20rc2 20/Aug/2003
* Bug in text/plain checking found. Pretty major really. I had checks to see if
an attachment was found in the e-mail, but didn't check to see if
@attachment_list actually had anything when the decision was made. Thanks to Alex
Shipp for finding that.
1.20rc1 15/Aug/2003
* Changed defaults so that clamav scanners are listed as the first
scanners. This means if you have clam + some commercial AV scanning
all your emails, you'll be able to tell from the logs just how
often the commercial AV is actually catching anything... It'd be
great to see clamav catching everything :-)
* SpamAssassin now puts "?" chars in instead of "0" when it fails
to get an answer from spamd: this is typically due to the msg being
too big or spamd being down. It used to be that way, but someone didn't
like it and I changed it to "0". Now of course that was a bad decision as
that actually implies the email wasn't spam - not that an error occured.
* FIX: the tempfail function has been renamed error_condition and now
allows Qmail-Scanner to return permanent errors along with it's
current temp failures. This will allow filters such a qfilter to
be used with Qmail-Scanner.
* Rav AV updated as they've changed the format again. This may break
older releases of ravlin8 - but you don't need to run those now do
you :-)
* BIG CHANGE: "--unzip" disabled by default now. This means Q-S now
relies on the AV systems to unzip the files, and also means that
if you block (say) .EXE files, they can now get in via putting them
within a ZIP file. If you want the old behaviour, use "--unzip yes"
again.
* Maciej Budzyski has provided new Polish translations.
* Removed references to broken installs of VPopmail causing problems.
Apparently there has never been a problem with VPopmail - only
mis-installation by some people (hey, don't shoot me - I'm only the
messenger!).
* Better logging detail - so you can tell what is quarantining what.
* Logging now includes whether or not the email was from a RELAYCLIENT
SMTP client ("RC" == 1 or 0). Useful for seeing if any of your users
(i.e. RC(1)) are sending *out* viruses... (i.e. good to trigger alerts off)
* Update FSecure module to handle newer versions
* Updated configure to check setuid'ness better. Still not perfect...
* Buglet in message/partial definition in quarantine-attachments.txt
fixed
* Buglet in how qmail-queue was found on systems with non-standard
Qmail installs fixed. Thanks to Adrian Offerman
* Made a jump to 1.20 to demonstrate the added functionality.
* Changed some variable names to better reflect their function.
* Added "--batch" option to ease scripting - it stops configure asking for
input. Thanks to Douglas Schilling Landgraf
* This release candidate has added some simple MIME parsing that captures
quite a few viruses/trojans. Since it may also catch some valid mail in an
unusual layout, it is not enabled by default. To test (and *please* do!!!),
you need to set "--fix-mime 2". Please notify the list as to any problems,
as the intention is to make these checks part of the standard configuration
by 1.20 release...
* Dutch language support added by Martin Roest
* A hack added to try to make the syslog call work on broken Solaris perl
installs.
* configure now uses "strings -a" so that it'll work on AIX. Should
still work on other OSes...
* Q-S now skips virus-scanning messages that are either text/plain
or non-MIME/uuencoded. This will speed things up a tad. Note that if
configured for SpamAssassin, that will still be run - just the virus scanners
are skipped. Again, due to the potential of missing messages that should have
been treated as having attachments, you need to have used "--fix-mime 2" to
enable.
* Fixed bug with the "-z" option not leaving the archives maildir
tree alone. It was deleting old messages lying around in there...
* Made QS better at detecting old Sun "enriched" mail so that the
new MIME detection code doesn't mis-label it.
* SpamAssassin now sets the spamc "username" field to the recipient address.
This only happens if there is ONE recipient. If a spammer sends a spam to
20 local users in one SMTP session, then no user-specific SA rules will
apply, but all the general SA rules still do of course. Note: As spamc
must be passed the recipient address on the commandline, Q-S has to strip
back the e-mail address to shell-friendly chars - this should be fine for
99.9% of your e-mail addresses, but may mean that the more odd addresses won't
be able to access their user-specific SA options. The address is also lowercased
before being passed to spamc. Note that all this has no effect on the recipient
address of the e-mail - just the address used for "spamc -u ..."
* Made errors in reformime appear to debug file.
* Fixed BUG in SpamAssassin subroutine where the wrong SA score could be found.
Thanks to Dallas Engelken
* Block messages with Windows executables that are *not* of MIME type application/*
Never seen in the wild unless they are viruses. This may block some bogus mail
that is otherwise valid, so you can only get this by setting "--fix-mime 2"
when configuring.
* Explicitly block double-barrelled filenames which end in known Windows "executable"
stype extensions - such as "file.doc.pif". Again, only
seen assosiated with viruses. This may block some bogus mail
that is otherwise valid, so you must set "--fix-mime 2" when configuring to enable.
* Block messages with attachment filenames over 256 chars in size. There are buffer
overflows in... (go on - guess!)... Outlook that exploit this issue. As most file
systems don't support filenames over 256 chars anyway (e.g. NTFS and ext2), this
shouldn't inconvenience anyone.
* Added support for the Central Command Vexira virus scanner
* NOTE: format of "--archive" option has been changed!!! All archiving goes to a
maildir called "archive" now - whereas it used to allow you to change that dir
name.
Archiving now supports archiving only mail to or from a regex (as well as
archiving everything). e.g.
./configure --archive "jason|harry"
would make Qmail-Scanner only archive mail where the sender or recipient
contained the string "jason" or "harry". NOTE: this is only matching on the
envelope headers ("mail from", "rcpt to") - not arbitrary headers or body
content.
1.16 3/Feb/2003
* Changes some occurances of rename to link due to recent
discussions on how OpenBSD handles PIDs...
* Buglet in detection code in configure fixed. Thanks to Ted Behling
* Added SoBig to the list of viruses that shouldn't generate an alert
to the sender.
* Altered error messages when virus scanners crash to more pointedly
suggest that people should check their memory sizing... Thanks
to Rick Romero for the suggestion
* Now checks for comments within mail header names. Some viruses
are shoving comments in them to make AV systems miss them...
* Documented problem with vpopmail not reading the tcpserver SMTP
rules correctly.
* Updated RAV support. Newer versions now exit status 1 when no
virus found - go figure!
* Put more sanity checks in the SA return values. Looks like people
are running all sorts of broken SA installs out there...
1.15 30/Oct/2002
* Silent viruses configure option changed to default to "auto".
Older version didn't have this, which means that those relying
on looking at the previous install of Q-S to tell them what the
configuration options were should re-run ./configure without
the "--silent-viruses" option to reset their config correctly.
* Cleaned up configure a bit.
* made test_installation.sh to send spam message to test SpamAssassin
if it's installed. Thanks to Michel Bouissou for these ideas
* Support for perl 5.8.0! A one-char alteration made it all work
again. Thanks to Emerson Wu
* Added bugbear/tanatos to the exclude list along with klez.
* Workaround for SpamAssassin bug where it doesn't report a spammy
message as spam when it marks it as such (i.e. SA 2.4X)
* Added important new entry into quaratine-attachments.txt. Everyone
should seriously consider adding this to their own copy as it will
stop a potentially nasty future exploit. This does mean your site
will basically block all "message/partial" MIME types from now on,
but I've never seen anyone use them "in the wild" anyway, so it
should be low risk.
* Updated HBDEV to handle newer versions
* Changed AVP - Kaspersky regex to better match new engine. Thanks to
Thorsten Spaeth.
* Comment in FAQ that sophie/trophie/other daemonized scanners should
be run with larger than needed memory softlimits. Setting a
higher limit reduces the likelyhood that (say) an
automated pattern file update at 2am (that pushes up the memory
requirements) suddenly make your Qmail-Scanner server
start reporting out-of-memory errors! :-)
* Strip illegal_chars out of headers when generating alert messages.
1.14 14/Aug/2002
* Bug found in 1.13 SpamAssassin code that allows you to change the
Subject line. Fixed thanks to Chris Hine
* Moved some of the alert text around so that the admin e-mail still
contains a description of the quarantine event.
1.13 5-Jul-2002
* Big change to logging. Now a message to 20 recipients creates 20
log entries. This will dramatically improve the usefulness of the
log entries (the size-limit issues of syslog almost disappear)
* Added new tracking header X-Qmail-Scanner-Message-ID. This is
normally set to Message-ID - but is randomly generated if that
header doesn't exist. It's used in the logging so as to provide
an explicit linkage between different log entries from the same
message. It is used internally, and is only added to actual messages
that don't have a Message-ID header.
* Alerts now refer to the envelope "mail from" address instead of the
address shown in the From: header. There are too many trojans
out there screwing around with these things that it's just too
confusing to try to be smart now.
* New feature! Envelope headers ("mail from" and "rcpt to") and the
IP address of the SMTP client (TCPREMOTEIP) are now
made available to the perlscanner module! You can now use
Virus-MAILFROM,Virus-RCPTTO and Virus-TCPREMOTEIP to match on
those headers. Note that they are uppercased - to separate them
from standard mail headers - which are always lowercased.
* Strip out line breaks from SCANINFO - apparently some virus scanners
have CR in their version ids...
* Changed all occurances of "Illegal" to "Disallowed". Illegal seems
a bit harsh...
* Quarantine alert messages now contain ALL headers.
Will need to keep an eye on this when Q-S introduces
body-scanning. You could get an infinite loop...
* More examples added to quaratine-attachments.txt. Everyone should
read it to see if there's anything they want, as if you are just
upgrading Q-S, your existing quarantine-attachments.txt file is
NOT touched.
* ensure that regenerating the perlscanner DB fails if the TXT
file is unreadable.
* Fixed bug in perlscanner that stopped you having header matches that
contained the same regex.
* Changed sub-avp again (Kaspersky AVPLinux scanner) - sheesh!
* Information Leakage: some people have complained about how Q-S
tells the sender and recips where the unpacked message was. Now
the admin, sender and recips are sent separate messages, and only
the admin address will receive such details. The rest will be told
that their message contains a "XXX" virus - but no file path details.
* Added new feature to limit the damage done by trojans that change
the From address to be someone other than the person actually sending
the trojan. '--silent-viruses="klez,othernastyvirus"' would mean
that *IF* a virus is detected, AND the string "klez" or
"othernastyvirus" appears in the virus description given by the
virus scanner, THEN the quarantine alert message is NOT sent to the
supposed sender - as it won't actually have been them. This
may help limit the confusion people are feeling these days
with such anti-social (more anti-social?) viruses
Thanks to Greg Wildman for the implementation.
* Added new feature to "fast_spamassassin". If you change this to
"fast_spamassassin='*****SPAM*****'", then the faster SA setting
is still used, but the string "*****SPAM*****" is prepended
to the Subject: line. Apparently users find the other methods
of finding the SA tags too difficult :-)
Note: the format is actually "fast_spamassassin=<string>" - so you
can have any single-word marker there that you want. Just make sure
it looks obvious.
* Fixed bug where logging reports quarantine message being sent to
recipients even when Q-S configured to not notify recips! (they
weren't actually sent anything - but it was reported they did...)
* Changed documentation to reflect the fact that setting QMAILQUEUE
within the tcpserver rules file is now the ONLY supported way of
setting Qmail-Scanner. The other methods are too diverse to document
correctly, so let's just stick to the one that works best.
* Document that DB_File has disappeared from Perl 5.6.1
* By default, SpamAssassin is only run on Email that comes from
"non-local" SMTP clients. That is decided on the lack of the
RELAYCLIENT environment variable (see Qmail docs). If that doesn't
do what you want, you can also set
"QS_SPAMASSASSIN=1" in your tcpserver rules file to
force SA to be run.
* More explicit documentation that the SpamAssassin support DOES NOT
QUARANTINE POTENTIAL SPAM!!!! There - I think that's pretty
explicit :-) SpamAssassin has always been designed to "tag" messages
as being spam, and to make the USER (not the Sys Admin!) decide what to
do with it.
* Added support for CLAM AV. An Open Source (yup!) antivirus scanner that
uses the Openantivirus.org ScannerDaemon pattern files.
* Fixed buglet in ravlin detection
* Updated kavscanner subroutine
* Fixed bug in configure script's generating of the CMDLINE
* Updated ./contrib/test_installation.sh to be a bit more descriptive
* Documented quarantine philosphy. Apparently I just expected you all to
work it out for yourselves...
* Documented that SpamAssassin is only run on mail deemed not to be local
via the standard Qmail RELAYCLIENT environment variable. i.e. if
to SMTP client is classified as local, it won't be spam-scanned...
* fixed buglet in how redundant_scanning handled zipped attachments.
Thanks to Brian Johnson.
1.12 6-May-2002
* cut-n-paste bug in quarantine-attachments.txt that would break
new installs of Qmail-Scanner. Duh! - did that last year too!
* another bug in how the documentation says to run SpamAssassin.
* Added "-eec" to sweep to gain access to the "extended error codes".
* Documented some SpamAssassin issues.
1.11 26-Mar-2002
* Must be using maildrop-1.3.8 or later due to bug in previous
releases.
* Added sub-sender-cache.pl to contrib. This was work done for
element5.de - who wanted the ability to restrict Q-S to only
send a limited number of alerts regarding quarantine events
per sender. Using this option makes Q-S create a separate
DB file where it tracks how many times an alert is sent to
an Email address. It also saves the timestamp so that you can
configure it to do things like "only send 5 alerts within a
7 day period to any individual Email address". The main use of
this would be to limit the amount of "spamming" the AV admin
receives when an individual infected PC is busily spamming
everyone in its addressbook 1000 times over...
* By default the OS "unzip" program doesn't support "shrink"
as a compression algorithm - and exits 81 - which means this sort
of message would never get through Q-S. That shouldn't happen as
there's nothing Q-S can do to fix that. So I have checked the unzip
error codes, and now let some "broken" unzips be treated as OK - as
there's nothing else Q-S can do to correct them... This will mean
some zip files with viruses will get through Qmail-Scanner, so of
course you will be then relying on your antivirus product to catch
such things...
* Added NULL char to my (small) list of chars to treat
as hostile. I wonder if I should reverse this and block
everything that is not an acceptable char instead....
* Whoops! I see my references to "lone LF" is incorrect: "\r"
is a CR not a LF! Duh! :-) Oh well, just a documentation typo.
* SpamAssassin v2 is supported. New feature in v2 allows
Qmail-Scanner to *halve* the amount of traffic generated doing a
SpamAssassin check! If you want to use the old-style support
(which recreates the entire message with the SpamAssassin headers
added), then ./configure with "verbose_spamassassin" as the
scanner name instead of "fast_spamassassin". Note: I don't like the
"verbose_spamassasin" method - so *please* try to move to the new
method, as there's going to be more of that in the future with
Body content-scanning/etc. If your users want to auto-move
Emails in their mailer marked as Spam under the new method,
you can match on:
"Received: .* with qmail-scanner.*Clear:SA:1"
or...
"X-Spam-Status: Yes,"
* Allow the "Clear" message to now include "scoring" so that scanners
such as SpamAssassin can still report what they found, even if a
quarantine event didn't occur.
* It is now a requirement to have Sys::Syslog as all errrors are
reported by syslog. It makes sense.
* masses of changes in configure to actually check that programs
and scanners called by Q-S actually work correctly before being
used. Should cut down on run-time errors, but cause a flood of
people saying "why does Q-S claim scanner XXX doesn't work on my
system?" :-) I just can't win ;-)
1.10 22-Jan-2002
* Jumped from 1.03 to 1.10 to reflect internal changes
* Phase out referring to ulimit. That utils is OS-dependent and
doesn't work consistently well. Everyone should use softlimit from
daemontools instead.
* Added calling UID to Received header - and to debug logs.
* Renamed logging reference of "perlscanner" to "qmail-scanner". Why
on earth did I ever do it that way in the first place?!?!?
* Added support for Command's AV scanner. Thanks to John Lombardo
for doing the port.
* Added support for SpamAssassin.
* Changes to logging: Logging used to have a boolean to describe
whether a message was quarantined or not.
This has been changed to now be either "Clear" or the scanner
responsible for that quarantine event plus the
first 10 chars of the name of the quarantine event (e.g. "Clear:0").
This should mean you can now use either your syslog logs or the
mailstats.cvs log to produce stats on ALL mail through your server
as well as virus penetration events, etc (i.e. the quarantine.log
file is now redundant).
* ALSO CHANGED THE ORDERING!!! This was to ensure details that were
under user-control didn't cause details such as message size to be
cut off when logging via syslog.
* Removed recording Date: header in logs - they're all timestamped
anyway, so it's almost redundant.
* "./configure --scanners sweep,vscan", etc now supported. Default
is like old system: "./configure --scanners auto" - which auto
detects what supported scanners are installed on your system.
This can now be overridden so that you can have 5 different
scanners installed on your system, and yet only have Qmail-Scanner
use one of them if you like.
* Added support for SpamAssassin! If you have a working installation
of the SpamAssassin spamd installed, then Q-S will configure itself
to pipe every message received through and resend the message
as altered by SpamAssassin. This could seriously annoy your users
as this is a site-wide installation of SpamAssassin - unlike it's
normal per-user install. See FAQ for details.
* Now will use syslog to report any temp errors directly if
"--log-details syslog" set. This is so that such errors end
up somewhere more noticable than the standard Qmail multilog
area (which no-one monitors!)
* Added support for Trophie - a GPLed daemonized version of Trends
vscan. Please read the FAQ on how to install it so that it will
correctly run with Q-S. Ensure you are comfortable with trophie
before using it within Q-S. NO QUESTIONS ON Q-S MAILING-LISTS
PLEASE!!!
* Extra comments about Sophie/Trophie added.
* "--fix-mime" option will now block as viral any message containing
LF chars in the headers. This will stop Badtrans and the like. Only
a very broken mailer should otherwise get hit by this.
*Please* tell me if any non-bad mail is caught by this!!!
* Removed kill check for dead qmail-smtpd processes (the "Whoa!" error).
There are some weird issues with it on some systems, and it isn't
needed anyway. If qmail-smtpd dies, the parent PID of Q-S becomes
"1" - so just check for that instead! This means the "--smtpd-check"
option has been removed!!!
* Minor wording changes
* Minor issue with archive mode corrected
* Sanity check added to ./configure to help ensure up-to-date
version of tnef is installed if it is installed at all.
1.03 4-Dec-2001
* Whoops! Forgot my tabs in the quarantine-attachments.txt file
(darn X-Windows cut-n-paste!)
* New sub-svpdaemon.pl added to contrib directory. AVPdaemon is
officially not supported by Q-S due to the company involved
being unable to stick to a standard format...
1.02 3-Dec-2001
* Added "--smtpd-check" so that people can disable the
qmail_smtpd_check subroutine that has been causing problems
for *some* sites (the "Whoa!" errors). Defaults to "yes"
- change to "no" to disable it. MAKE SURE YOU KNOW IT'S A
PROBLEM BEFORE DISABLING THIS AS OTHERWISE YOU WILL GET
DOUBLE-DELIVERY OF SOME MAIL DURING SOME ERROR CONDITIONS!!!
* Changed required maildrop release to 1.3.6 as there's a buglet
in previous reformime releases WRT how they handle broken
MIME messages.
* Added LANG support for Czech. Thanks to Pavel Lisy
* Added "--fix-mime" option. This will allow Q-S to attempt to
"fix" broken MIME mail messages before passing the message
to reformime for initial processing. Disabled by default, it
should be safe to turn on, and if it is, will allow Q-S to
trap some viruses which might have bypassed the system due to
their "broken" nature. This feature will probably grow in the
future...
* Added LANG support for Afrikaans. Thanks to Schalk Cronje
* Added support for Sophie - a GPLed daemonized version of Sophos
sweep. Please read the FAQ on how to install it so that it will
correctly run with Q-S. Ensure you are comfortable with sophie
before using it within Q-S. NO QUESTIONS ON Q-S MAILING-LISTS
PLEASE!!!
* Re-positioned the alarm statement
* Added support for F-Prot (thanks to "Charlie") - see
http://www.theboenings.com/qmail-scanner/
* Added comments to contrib/qmail-scanner-queue.c to help those
who need to use it
* Added LANG support for Portuguese. Thanks to Ricardo Oliveira
1.01 6-Sep-2001
* Privacy issue. the "--add-dscr-hdrs yes" option now doesn't include
the "rcpt to" information for privacy reasons. If you must have that,
configure as "--add-dscr-hdrs all" instead.
* The infamous "Whoa!" bug should have been nailed dead. The problem
was with running a smtp daemon check on messages injected by
qmail-inject - pretty stupid really...
* Added LANG support for Polish. Thanks to Maciej Gruszczyski
* Added LANG support for Swedish. Thanks to Thomas Berghemm
1.00 18-Aug-2001
* Due to the tonnes of problems people are reporting with AVPDaemon,
I am moving it back into the contrib directory. Please Email Kaspersky
about problems you have with AVP. If you can't get it working by itself,
there's no way it'll "magically" work under Qmail-Scanner.
* documentation changes
* Added LANG support for French. Thanks to Cedric Fontaine!
* Added LANG support for Traditional Chinese. Thanks to tbsky!
1.00rc1 29-Jun-2001
* Jumped to Release Candidate for 1.00! I've gone through
and rewritten Qmail-Scanner in strict mode to make it
happier with the newer perl-5.6 installs, tested on RH 7.1
* For security reasons, all new releases of Qmail-Scanner should come
with a GnuPG signature signed by myself:
(Jason L. Haar <jhaar@users.sourceforge.net>)
KEYID: 0xFE1D66D1
Find my public key via key servers or from the Qmail-Scanner homepage
* I've removed the ability of Q-S reporting all the attachment
filenames. It used to report even the filenames of files extracted
from attachments. As someone could easily send an Email with a zip
file with 1,000's of files within, this obviously just becomes
stupid. So now it will only report on the actual original
Email attachments. Of course perlscanner and any anti-virus
scanners still get to scan everything!
* Many cosmetic changes. Removed almost all references to "virus"
and introduced "quarantine" instead, as that better illustrates
how Qmail-Scanner is more than just an Anti-Virus package
* Better handling of multi-line headers
0.97 <unreleased>
* Added more sanity checks for insane conditions. Q-S will now
exit with a temp error if it finds itself running the scanner
loop for more than 20 minutes. That will catch broken virus
scanners that are spinning around on wierd messages. It will
also check that the qmail-smtpd process that spawned it is
still operating before it reinjects into qmail-queue. Previously
it would end up double-delivering under such conditions.
* Alerts to the "AV" admin can now be stopped if the offending
Email is from a mailing-list. Use "--notify nmladm" instead of
"--notify admin" to activate.
* Alerts to recipients are now limited to only local users. See
"--local-domains" configure option. Set to "." for backwards
compatibility. Be warned you could end up spamming mailing-lists
with alerts if you do that (there's no way Q-S can detect a
recipient address is a mailing-list - only senders).
* Bug fix with newer unzip programs. Well, more of a
"change in interpretation" :-).
* Changed quite a few debug statements - hopefully they're more
self-explanatory now.
* Try to workaround problem with password-protected zip files, without
losing information about the files. NOTE: password-protected files
show up in the logs, but aren't checked against the perlscanner
database. This is a *FEATURE* - not a bug.
* Martin Lesser has helped add support for AVPDaemon. You must have a
working install of it before Qmail-Scanner will even have a hope
of working with it...
* Allow $headers array to do multi-line matching on To: and Cc:
headers.
* Updated error messages for scanners.
* Added LANG support for Lithuanian. Thanks to Aidas Kasparas!
* Added LANG support for Turkish. Thanks to Deniz Akkus Kanca!
* Sophos SWEEP now called with "-f -sc" options. Too bad if it slows
it down. It's needed to catch HTML viruses like KAKworm, and to
scan inside dynamically compressed files.
0.96 26-Feb-2001
* Documentation changes
* BUG Fix. Fixed variable bug that could screw up extension matching
in some circumstances.
0.95 24-Jan-2001
* Fixed buglet where uuencoded file attachments weren't correctly
check against internal perlscanner database.
* Added support for other OSes uudecode. Should work on more
systems now.
* Added test_installation.sh to the contrib directory. This wee
script will send two Email messages to "root" contain different
variants of the EICAR test virus. The first will be picked by
perlscanner, and the second by any commercial anti-virus package
installed on your system. Simply running this after an Q-S
install should prove that Q-S is installed correctly.
* Altered some of the headers produced to make Q-S even more
"postmaster-like".
* Added LANG support for Spanish. Thanks to Francisco J. Montilla!
* Fixed some documentation errors
* Changed some of the environment variables used
* Made the generated Received: header RFC compliant
* New option ("--log-details") generate log entries of mail
message details (frm/to/subject/attachments). Works well,
but running in the syslog mode involves two extra exec
calls - not for overloaded systems... Where possible, stick
to the default logging to file mode.
* The Qmail RPMs referenced on www.qmail.org have a charming
"feature" that breaks qmail-inject. Work-around put in place
* Yet another sanity check for uuencoded attachments with
stupidly long filename extensions.
0.94 10-Nov-2000
* Fixes for new version of Sophos. They've changed it's format
which breaks under older releases of Qmail-Scanner
* more setuid changes to help reduce installation problems
* error condition check altered for MacAfee
* Bug found in uudecoding section! Like old versions of reformime
it wasn't checking for majorly long filenames and compensating,
- now it does.
0.93 9-Oct-2000
* Allow sites to attempt to run Qmail-Scanner even if they
don't have suidperl installed. Apparently there are some
systems out there that support this - so who am I to stop
them! :-)
* Added support for InocuLAN - thanks to Michael Lahr!
* Added LANG support for German - thanks to Michael Lahr!
* Documented the perlscanner module. Can't believe I didn't
notice that before!
* Sigh - more documentation updates to fix.
* Altered configure to be more Unix-independent.
* Altered HBEDV subroutine
* Have inserted sanity check for auto-generated filenames.
This check will STOP perlscanner from looking at their
extensions as the filenames are autogenerated and should
never match anyway.
0.92 23-Aug-2000
* Cosmetic documentation changes - that's the trouble with
renaming a package...
* Altered qmail-scanner-queue.pl to detect whether or not an
attachment filename was generated by reformime. Such files
should never be matched by the perlscanner module as their
filenames are randomly generated
0.91 22-Aug-2000
* Spelling mistake - gah! quaranteen instead of quarantine...
* Added support for Italian! Thanks to Luca Gibelli
* Support for non /var/qmail installed Qmail systems (like Debian).
./configure will now work out where qmail is installed. Thanks
to Werner Fleck.
0.90 10-Aug-2000
* NAME CHANGE. Scan4Virus is no more - now Qmail-Scanner. This name
better reflects the functionality of the product.
* Added support for tnef. This wonderous utility allows us to unpack
M$ TNEF attachments back into their "true" form before we run
the scanners over them. Pick up heaps more viruses than you used
to this way!
* Added (poorly) documented calls to MacAfee's uvscan that allows it
to unpack zip files and better macro-virus support.
0.53 30-Jun-2000
* Removed support for metamail due to metamail not been able to handle
some types of MIME attachments.
* Added support for F-Secure's fsav virus scanner. Thanks to Ian Scott
for that.
* Updated documentation on altering the perms on suidperl.
0.52 7-Jun-2000
* missing command-line option to Trend scanner - makes a BIG difference!
Looks like there's some differences in the way Trend's vscan exits
depending on engine version - grrrrrr! Have had to remove exit status
check....
* problem noticed by Kevin A. Hall regarding how the DB calls operate.
Extra brackets fixed that!
0.51 23-May-2000
* cosmetic changes
* humungous mistake with metamail (again! - I really need separate
systems to test this on!), hopefully fixed for sure this time.
0.50 12-May-2000
* Bit of a jump in versioning as I've added a major new feature in that
the internal scanner now supports scanning Email headers!
* BUG FIX: METAMAIL_TMPDIR not defined - needed to make metamail
save into the correct directory.
* BUG FIX: If $descriptive_headers was defined, the extra headers
weren't added to "clean" Email.
* "antivirus-qmail-queue.pl -v" returns information regarding your
system and scanning environment. Please include that output in any
bug reports you make!
* Support for uudecoding! If your uudecode program is deemed "safe",
any uuencoded attachments will be decoded before the scanner runs.
* Explicitly mention that QMAILQUEUE needs to be set in /etc/profile
or the like if you want local shell users to have their mail scanned.
[although as they are inherently not Windows users, you may want to
save your system the effort and explicitly NOT do that! :-)]
* Set TMP and TMPDIR env vars to "help" virus scanners write their
temp files into a protected area - don't want to worry about
race conditions now do we!
* The "Love Letter" virus got me thinking. We really need to match
on headers too. Here we knew the subject line of that virus
was "ILOVEYOU" hours before we knew what the attachment
filename was - let alone had any "official" antivirus
update. The perlscanner can now match on any Email header as
well as attachment filename. See quarantine-attachments.txt for
details.
* BUG FIX: Bug in the way that the perlscan module handles wildcard
attachments.
* New feature. perlscan now runs exactly as other scanner modules do.
Zip files are unpacked before being scanned - but it can still match
on zip files!
* Initial support for avp. Untested by me - but should be fine. Thanks
to Tulipant Gergely.
* Redundant scanning. If $redundant_scanning is enabled, the scanners
will scan original zip files and the original "raw" Email msg. Adds
extra load, but allows specific virus scanners that supports such
advanced features to operate closer to their potential.
0.19 13-Mar-2000
* BUG FIX: qmail-smtpd can reject mail and so drops its connection
to $QMAILQUEUE. Now check that envelope addresses exist before
carrying on - gets rid of "Unable to queue message (28416)" errors.
* Tighter umask.
* Added archive support. If $archiveit=1, processed mail is
archived into maildir /var/spool/qmailqueue/archive instead of
being deleted. BE VERY CAREFUL YOU DON'T RUN OUT OF DISKSPACE!
* Added support for H+BEDV's antivir scanner. Details supplied by
Johan Almqvist of luna.lu.se.
* Changed a few variable names, and a small mis-calling of the macro
checking under MacAfee's uvscanner.
0.18 24-Feb-2000
* Nasty bug in that I didn't have an explicit path to the find command
- which screwed things up no end.
0.17 21-Feb-2000
* Wildcard support for perlscanner! e.g. can now exclude
all *.MP3 files from entering your site :-)
* Removed mention of explicit "find" cronjob to scan
/var/spool/qmailqueue for files. Network
outages (as well as killing local qmail processes!) can lead
to files lying around under that tree. So
"antivirus-qmail-queue.pl -z" now deletes any files older than
30 hours it finds there (excluding the "viruses/" tree) instead
of just the "tmp/" ones. That should be called daily by cron instead
* Minor wording changes.
* Documented existance of mailing-list (duh!)
0.16 31-Jan-2000
* Possible security hole found! Due to my historic use of
qmail-inject, I'd overlooked one nasty command-line
call... Fixed now - no longer any SMTP-generated data allowed
on the command-line...
0.15 25-Jan-2000
* Few documentation changes I forgot for 0.14.
0.14 24-Jan-2000
* MAJOR IMPROVEMENT. Now uses qmail-queue directly - no longer
needs to invoke qmail-inject. Thanks to Russ Allbery's
Qmail-Majordomo perl script for inspiration :-)
* New built-in scanner! perlscan_scanner scans a DB file containing
attachment filenames and sizes - a match means virus. This can be very
useful when a new virus is discovered, details (including
filenames and sizes) are released, and the antivirus vendors
say it will be days/weeks before an official fix is released -
this can tide you over...
* Initial support for metamail for those who don't want to use
reformime. I'd recommend reformime as it is more actively
supported, is smaller and doesn't have the feature-set that
metamail does - which should mean it's inherently more secure
(no real evidence for that tho!). Anyway, look at $mimeunpacker
if you would prefer to use metamail.
* Support for Sophos's sweep virus scanner.
* Removed X-Scan4Virus: headers. They were just a repeat of what was
in the Received: header anyway, and if an Email went through two
scan4virus servers, they'd be overwritten anyway. Save some writes
and speed things up a bit :-)
* Increased example ulimit for data segment size as I found that
some virus scanners need more memory than others.
* Moved several files back into default spool dir - keep the package
all in one place.
* Assorted little cleanups
0.13 15-Dec-1999
* Added Received: header that contains the scan4virus information
regarding version numbers of scanners and pattern-files - that
way if a message goes through several sites running scan4virus,
all of their reports will show up in the headers.
* Created a virus log function whereby every Email received with a virus
is logged - so that reports can be generated (tab-delimited).