From: Steve F. <sm...@f2...> - 2004-11-12 18:52:29
Hi David,
Those are some hairy cows - you don't get ones like that here in the UK
(or if you do I haven't seen them).
Martin's given me a heads-up on this as I've not been around too much
lately (studying for my next round of exams next week...).
Anyway back to business....
I've never seen this happen before - especially as the detail page
correctly shows the message as a blocked file (meaning that MailScanner
reported this correctly).
If you could edit functions.php and around line 946 you should find the
following:
    case 'nameinfected':
        if($row[$f] == 'Y' || $row[$f] == 1) {
            $infected = true;
            array_push($status_array,'Bad Content');
        }
change it to:
case 'nameinfected':
+ debug("Seen nameinfected as: ".$row[$f]);
if($row[$f] == 'Y' || $row[$f] == 1) {
$infected = true;
array_push($status_array,'Bad Content');
}
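Review bot: the added debug() line prints $row[$f] by plain string concatenation, so a NULL and an empty string both show up as nothing after "as: " and a string '1' cannot be told apart from an integer 1. Passing var_export($row[$f], true) instead would put the exact value and type into the HTML comment, which is what this check is meant to establish.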
and set define(DEBUG,true) in conf.php then run a banned attachment
through it. Have a look at the HTML source in the browser and you
should see something like:
    <!-- DEBUG: Seen nameinfected as: 0 -->
    <tr class="whitelisted">
      <td>[<a href="detail.php?id=xxxxxx"> </a>]</td>
      <td>12/11/04 18:32:11</td>
      <td>xx...@xx...</td>
      <td>xx...@xx...</td>
      <td>BLAH BLAH BLAH</td>
      <td align="RIGHT">6.8Kb</td>
      <td align="RIGHT">0.00</td>
      <td>W/L</td>
    </tr>
I couldn't find any recent blocked attachments on my server - but the
code looks for a '1' in this field and I suspect that for some reason
this is different on your box. An off-the-top-of-my-head fix would be
to change the above code to:
    case 'nameinfected':
        if($row[$f] == 'Y' || $row[$f] > 0) {
            $infected = true;
            array_push($status_array,'Bad Content');
        }
Which would better mirror the SQL statement used on the message detail page.
Let me know how you get on.
Kind regards,
Steve.
David Hooton wrote:
> On Fri, 12 Nov 2004 09:30:37 +0000, Martin Hepworth
> <ma...@so...> wrote:
>
>>mooo :-)
>
>
> Yes, it's Friday can you tell?
>
>
>>I presume other blocked are showing fine, or is it all?
>
>
> Viruses are highlighted Red like normal, but blocked filenames are not
> highlighted and are shown clean. There is nothing else which I am
> seeing out of the ordinary right now.
>
>
>>for that message id what does the underlying data in the mysql database
>>look like, and also can you dig out the maillog file for that message,
>>anything from dbitrace.log would be good too.
>
>
> Logs:
> ============================================================
> Nov 12 14:20:50 mx1 sendmail[12201]: iAC3KhA12201:
> from=<da...@ho...>, size=75262, class=0, nrcpts=1,
> msgid=<200...@mx...>,
> proto=ESMTP, daemon=MTA, mech=LOGIN,
> relay=220-244-164-248-nsw-pppoe.tpgi.com.au [220.244.164.248]
> Nov 12 14:20:50 mx1 MailScanner[7465]: New Batch: Scanning 1 messages,
> 75830 bytes
> Nov 12 14:20:50 mx1 MailScanner[7465]: MCP Checks completed at 75830
> bytes per second
> Nov 12 14:20:50 mx1 MailScanner[7465]: Spam Checks: Starting
> Nov 12 14:20:50 mx1 MailScanner[7465]: Spam Checks completed at 75830
> bytes per second
> Nov 12 14:20:51 mx1 MailScanner[7465]: Virus and Content Scanning: Starting
> Nov 12 14:20:52 mx1 MailScanner[7465]: Filename Checks: Windows/DOS
> Executable (iAC3KhA12201 drtcp.exe)
> Nov 12 14:20:52 mx1 MailScanner[7465]: Filetype Checks: No executables
> (iAC3KhA12201 drtcp.exe)
> Nov 12 14:20:52 mx1 MailScanner[7465]: Other Checks: Found 2 problems
> Nov 12 14:20:52 mx1 MailScanner[7465]: Virus Scanning completed at
> 37915 bytes per second
> Nov 12 14:20:52 mx1 MailScanner[7465]: Sender Warnings: Delivered 1
> warnings to virus senders
> Nov 12 14:20:52 mx1 MailScanner[7465]: Virus Processing completed at
> 75830 bytes per second
> Nov 12 14:20:52 mx1 MailScanner[7465]: Disinfection completed at 75830
> bytes per second
> Nov 12 14:20:52 mx1 MailScanner[7465]: Batch completed at 37915 bytes
> per second (75830 / 2)
> Nov 12 14:20:52 mx1 sendmail[12217]: iAC3Kq712214:
> to=...@ho..., delay=00:00:00, xdelay=00:00:00, mailer=local,
> pri=30645, dsn=2.0.0, stat=Sent
> ============================================================
>
> MySQL DB doesn't look any different from the message detail screen dump.
>
>
>>I presume this is a clean installation of MS and you've not altered the
>>messages produced in any way???
>
>
> Yes it's a clean install I'm not aware of any tinkering to this
> particular install of MailWatch or MailScanner.
>
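The difference between the two comparisons discussed in this message, as an added example that is not part of the original e-mail or of MailWatch. The function names and the sample field values are constructed, and the values are strings on the assumption that the database driver returns column values as strings.

```php
<?php
// Added illustration, not MailWatch code. The field values below are
// constructed samples; they are strings on the assumption that the
// database driver hands column values back as strings.

// Comparison quoted from functions.php: 'Y' or exactly 1.
function flagged_equals_one($value)
{
    return $value == 'Y' || $value == 1;
}

// Comparison proposed in the message: 'Y' or any positive number.
function flagged_positive($value)
{
    return $value == 'Y' || $value > 0;
}

// Return the sample values on which the two comparisons disagree, i.e.
// rows the list view would show as clean under the first check only.
function disagreements(array $samples)
{
    $out = array();
    foreach ($samples as $label => $value) {
        if (flagged_equals_one($value) !== flagged_positive($value)) {
            $out[] = $label;
        }
    }
    return $out;
}

$samples = array(
    "'0'"  => '0',   // nothing reported
    "'1'"  => '1',   // one report
    "'2'"  => '2',   // constructed: a count above one
    "'Y'"  => 'Y',   // flag stored as a letter
    'NULL' => null,  // column never populated
);

foreach ($samples as $label => $value) {
    printf("%-5s equals-one=%-5s positive=%s\n",
        $label,
        var_export(flagged_equals_one($value), true),
        var_export(flagged_positive($value), true));
}

echo "Differ on: ", implode(', ', disagreements($samples)), "\n";
```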