Dear Jason,
Thanks for the details. We have been using SpamAssassin + ClamAV with Qmail
Scanner. Please let us know the steps to configure the DLP monitor with
ClamAV and Qmail Scanner, and how we can monitor emails containing the
reserved words with this.
Thanks again.
On Thu, Jun 13, 2013 at 7:37 AM, <
qmail-scanner-general-requ...@lists.sourceforge.net> wrote:
> Today's Topics:
>
> 1. Unable to Block the attached emails (Kunal Soni)
> 2. Required Mail Filter for reserved words (Kunal Soni)
> 3. Re: Required Mail Filter for reserved words (Salvatore Toribio)
> 4. Re: Required Mail Filter for reserved words (Jason Haar)
> 5. Using qmail-scanner-queue.pl for injected mail (Jan Nekvapil)
> 6. Re: Using qmail-scanner-queue.pl for injected mail (Salvatore Toribio)
> 7. Re: Using qmail-scanner-queue.pl for injected mail (Jan Nekvapil)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 16 May 2013 11:10:58 +0530
> From: Kunal Soni <kunalso...@gmail.com>
> Subject: [Qmail-scanner-general] Unable to Block the attached emails
> To: qmail-scanner-general@lists.sourceforge.net
> Message-ID:
> <
> cao7m4vtzvatac5zzetti2zep_a3uoxzmr-pn23ctpm_xarr...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Dear Mailing list,
>
> We have been using Qmail Scanner 1.25 with SpamAssassin and ClamAV. For the
> past few days, we have been unable to block emails of the attached type from
> our mail server. Please help us to rectify this problem. The common content
> in these emails is GTRL or $, USD.
>
> Please find attached the same email for your reference.
>
>
>
> --
> Kunal Soni
> (9810019739)
>
> ------------------------------
>
> Message: 2
> Date: Tue, 28 May 2013 16:19:08 +0530
> From: Kunal Soni <kunalso...@gmail.com>
> Subject: [Qmail-scanner-general] Required Mail Filter for reserved
> words
> To: qmail-scanner-general@lists.sourceforge.net
> Message-ID:
> <
> cao7m4vsm600iyq4pq22e102e2z6teyytkxr5ftvn7tufznq...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi ST,
>
> We have been using Qmail, configured using qmail rocks.
>
> I have one more requirement...
>
> Is there any way emails with any reserved word in the mail body can be sent
> to postmaster?
>
> As a scenario, we need to monitor emails containing some reserved words
> like "resume", "resignation". If any email contains one of the above words,
> a copy will go to the email address configured in qmail-scanner.
>
> This is very important for our business needs.
>
> Thanks in advance.
>
> --
> Kunal Soni
> (9810019739)
>
> ------------------------------
>
> Message: 3
> Date: Tue, 28 May 2013 18:02:42 +0200
> From: Salvatore Toribio <tori...@pusc.it>
> Subject: Re: [Qmail-scanner-general] Required Mail Filter for reserved
> words
> To: Kunal Soni <kunalso...@gmail.com>,
> qmail-scanner-general@lists.sourceforge.net
> Message-ID: <a0624080fcdca84c44b6c@[10.10.82.254]>
> Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>
> Hi Kunal
>
> Sorry, no. The only thing qs could do for you is check for those words
> in the subject, by adding the rules to the file 'quarantine-events.txt'
> (in older versions it was a different file..) and rebuilding
> quarantine-events.db.
>
> Regards
>
> ST
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 29 May 2013 13:37:57 +1200
> From: Jason Haar <jason_h...@trimble.com>
> Subject: Re: [Qmail-scanner-general] Required Mail Filter for reserved
> words
> To: qmail-scanner-general@lists.sourceforge.net
> Message-ID: <51a55bf5.8020...@trimble.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 29/05/13 04:02, Salvatore Toribio wrote:
> > Hi Kunal
> >
> > Sorry, no.
>
> Not quite true :-).
>
> From the home page http://qmail-scanner.sf.net/
>
> If an organization is using clamav, Qmail-Scanner can be directly used
> for Data Loss Prevention (DLP). Localized clamav signature rules can be
> written that enable Qmail-Scanner to detect and block emails that clamav
> detects as "malware". A bit of a misuse perhaps - but clamav's built-in
> support for archival formats and understanding of document types makes
> it perfect in this role. If you want Qmail-Scanner to log but not block
> such DLP "hits" (perhaps because the false positive rates are too high
> to go with full block-mode), then Qmail-Scanner has a "dlp-monitor"
> option which tells it which regex of normally quarantinable events are
> in fact to be let past (i.e. without blocking). It will archive a copy
> of such messages, and the logging will reflect this was a "DLP:" event.
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 12 Jun 2013 14:05:30 +0100
> From: Jan Nekvapil <jan.nekva...@gmail.com>
> Subject: [Qmail-scanner-general] Using qmail-scanner-queue.pl for
> injected mail
> To: qmail-scanner-general@lists.sourceforge.net
> Message-ID:
> <CAK8z+3ysBGjEnm8uJWGtGsYZ=+Kvn=F0hBbumd1Te41_m+=
> z...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello guys,
> new qmail admin here building server for demanding client.
>
> I need to run additional scans also on mails from my users, but those
> are sent by qmail-inject, which is invoking the original qmail-queue.
> Simply linking qmail-queue to qmail-scanner-queue.pl doesn't work
> (even if it's compiled using pp), as it fails with qq temporary problem
> 4.3.3. (In qmail-scanner-queue.pl I changed the invoked qmail-queue to
> qmail-queue-orig to avoid looping.)
>
> I know I will have to check injected mail for looping too, because
> qmail-scanner is using it for reports.
>
> I am not afraid to touch qmail-inject.c a little, but I couldn't find
> the qmail-queue in there yet.
> (Also, I used qmailrocks.thibs.com to set up qmail on Debian 6 (still on
> a test server, so I can change to 7).)
>
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 12 Jun 2013 15:56:13 +0200
> From: Salvatore Toribio <tori...@pusc.it>
> Subject: Re: [Qmail-scanner-general] Using qmail-scanner-queue.pl for
> injected mail
> To: Jan Nekvapil <jan.nekva...@gmail.com>,
> qmail-scanner-general@lists.sourceforge.net
> Message-ID: <a0624080acdde2d478862@[10.10.82.254]>
> Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>
> Hi
>
> Maybe you can try doing it the same way as sqwebmail, sending the
> mails through a shell script that invokes qmail-inject, something like
> this:
>
> -----
> [root@fluffy-1 ~]# more /usr/sqwebmail/share/sqwebmail/sendit.sh
> #!/bin/sh
> #
> # sendit.sh for qmail-inject and qmail-scanner 20091221
> #
> #
>
> # $1 will contain the return (or bounce) address for this mailboxid, as
> # specified by auth.c
> #
> # $2 will contain the sqwebmail mailboxid of the sender (note that we're
> # executing under whatever id auth.c sets for this mailboxid). Furthermore,
> # $REMOTE_ADDR will contain the IP address where the client is coming from
> # (the rest of the CGI vars are available too).
> #
>
> QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
> export QMAILQUEUE
>
> # If you want to run spamassassin
> #QS_SPAMASSASSIN="on"
> #export QS_SPAMASSASSIN
>
> QMAILUSER="$1"
> export QMAILUSER
>
> exec /var/qmail/bin/qmail-inject -hf "$1"
> -----
>
> Probably you can ignore the variable QMAILUSER. It's a start...
>
> Regards
>
> ST
>
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 13 Jun 2013 04:07:15 +0200
> From: Jan Nekvapil <jan.nekva...@gmail.com>
> Subject: Re: [Qmail-scanner-general] Using qmail-scanner-queue.pl for
> injected mail
> To: Salvatore Toribio <tori...@pusc.it>
> Cc: qmail-scanner-general@lists.sourceforge.net
> Message-ID:
> <
> cak8z+3yba-xpqxb5opti9d6mzyg8nkmimr2+lb5g5+t8ojl...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> Thanks for the reply.
>
> I tried using this script, but qmail-inject just ignores the exported
> QMAILQUEUE and calls the default qmail-queue:
>
> -------
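> #!/bin/sh
> # Point qmail at Qmail-Scanner instead of the stock qmail-queue.
> QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
> export QMAILQUEUE
> # Hand over to the renamed original binary, passing the caller's arguments.
> exec /var/qmail/bin/qmail-inject-orig "$@"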
> -------
> /var/qmail/bin# ls -l *inject
> lrwxrwxrwx 1 root root 30 Jun 13 01:43 qmail-inject -> /var/qmail/bin/qmail-inject.sh
>
> If I try to wrap qmail-queue in a bash script I just get "unable to exec
> qq" - inject fails this way if execv($QMAILQUEUE,0) fails. I tried
> changing permissions but still get the same error.
>
> I am thinking of hardcoding /var/qmail/bin/qmail-scanner-queue.pl into
> qmail.c, where the path to the queue is declared (with the QMAILQUEUE patch
> it should first look for the env. var).
>
>
>
>
> ------------------------------
>
> _______________________________________________
> Qmail-scanner-general mailing list
> Qmail-scanner-general@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
>
>
> End of Qmail-scanner-general Digest, Vol 51, Issue 1
> ****************************************************
>
--
Kunal Soni
(9810019739)
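
The local-signature approach Jason describes in Message 4, as an added example (not Qmail-Scanner's or ClamAV's own code): a shell script that turns the reserved words from the thread into ClamAV extended signatures in the `Name:TargetType:Offset:HexSignature` format. The `DLP.Keyword` name prefix is an assumption; whatever regex is given to Qmail-Scanner's dlp-monitor option would have to match the names produced here.

```shell
#!/bin/sh
# Added example: build local ClamAV extended signatures (.ndb format) from a
# list of reserved words. The DLP.Keyword prefix is an assumed naming scheme.

# Common prefix, so a single regex (for example ^DLP\.) selects all of them.
SIG_PREFIX="DLP.Keyword"

# hex_of WORD -> WORD lowercased and hex-encoded (body signatures are hex).
hex_of() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | od -An -tx1 | tr -d ' \n'
}

# ndb_line WORD -> one signature: Name:TargetType:Offset:HexSignature
#   TargetType 7 = normalized ASCII text; ClamAV lowercases such data before
#                  matching, which is why the pattern is lowercased as well.
#                  Use 0 instead to match raw bytes in any file type.
#   Offset *     = match anywhere in the scanned data.
ndb_line() {
    word=$1
    # Restrict the signature name to a conservative character set.
    name=$(printf '%s' "$word" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9' '_')
    printf '%s.%s:7:*:%s\n' "$SIG_PREFIX" "$name" "$(hex_of "$word")"
}

# build_ndb WORD... -> the full signature list. Words shorter than four
# characters are skipped: very short patterns match far too much mail.
build_ndb() {
    for w in "$@"; do
        [ "${#w}" -ge 4 ] || continue
        ndb_line "$w"
    done
}

# Reserved words taken from the thread.
build_ndb resume resignation
```

Redirect the output to a `.ndb` file in ClamAV's database directory and reload the scanner; a match is then reported under the signature's name like any other detection.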