December 14, 2016, Roberto Puzzanghera, 22 comments
Simscan is a simple program that enables the qmail smtpd service to reject viruses, spam, and block attachments during the SMTP conversation so the processing load on the email system is kept to a minimum.
ripMIME
ripMIME's primary purpose is to extract attachments out of MIME encoded email packages. It is used by simscan. It is a recommended package.
cd /usr/local/src
wget http://www.pldaniels.com/ripmime/ripmime-1.4.0.10.tar.gz
tar xzf ripmime-1.4.0.10.tar.gz
cd ripmime-1.4.0.10
chown -R root.root .
make
make install
For more information about the applied patch, see the J. Simpson site linked above. The applied patch includes a bug fix by Bob Greco (more info here).
cd /usr/local/src
# the URL contains '&', so it must be quoted or the shell would background the command
wget -O simscan-1.4.0.tar.gz "http://downloads.sourceforge.net/project/simscan/simscan/simscan-1.4.0/simscan-1.4.0.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fsimscan%2F&ts=1287839373&use_mirror=ovh"
wget http://notes.sagredo.eu/files/qmail/patches/simscan-1.4.0.patch
tar xzf simscan-1.4.0.tar.gz
cd simscan-1.4.0
chown -R root.root .
patch < ../simscan-1.4.0.patch
./configure \
  --enable-user=clamav \
  --enable-clamav=y \
  --enable-spam=y \
  --enable-spam-passthru=y \
  --enable-spam-hits=9.5 \
  --enable-per-domain=y \
  --enable-ripmime \
  --enable-attach=y \
  --enable-custom-smtp-reject=y \
  --enable-spamc-user=y \
  --enable-received=y
make
make install-strip
Take a look at the README file for an explanation of all the configuration options. Concerning spam, I want to reject via SMTP the spam with a score greater than 9.5 and pass to the user the spam below this score.
--enable-per-domain=y|n Turn on per domain based checking.
--enable-spam=y|n Turn on spam scanning. default no.
--enable-spam-passthru=y|n Pass spam email thru or reject. Default: disable (reject)
--enable-spam-hits=number Reject spam above this hit level. Default 10.0
--enable-custom-smtp-reject=y Turns custom smtp reject messages on and off. When enabled simscan will place the virus name in the reject message if a virus is detected. Requires the qmail-queue-custom-error.patch. Enabling dropmsg disables this option (more info here http://www.qmailwiki.org/index.php/Simscan/README#How_SMTP_rejection_works).
--enable-spamc-user=y Mandatory option if you want to allow the spamassassin user preferences via SQL.
--enable-received=y Add a Received: line to the message, showing the scanners that were run and some stats (you have to patch simscan)
As you know, the qmail-queue-custom-error.patch (more info here) that we applied before enables Simscan to return the appropriate message for each e-mail it refuses to deliver.
Please refer to this page (http://www.qmailwiki.org/index.php/Simscan/README#How_SMTP_rejection_works) to understand how the SMTP rejection works with simscan. That guide briefly reminds us that:
For virus rejection, the message contains the name of the virus, such as:
Your email was rejected because it contains the Worm.Bagle.AU virus
For spam rejection, the message is more generic, merely stating that the message was rejected because it was considered spam:
Your email is considered spam (53.5 spam-hits)
For attachment rejection, the message contains the name of the attachment:
Your email was rejected because it contains a bad attachment: trojan.exe
Let's assume that spamassassin is configured with a spam level of 5.0, so that hits above this score are labeled as spam.
Of course, sooner or later, spamassassin will label as junk an important email for a customer of yours, and we never want to reject such a message. On the other hand there will be a score level, say 9.5, above which we can absolutely trust spamassassin's response and let simscan reject those emails without storing them in the user's mailbox.
Therefore we will configure simscan/spamassassin so that messages scoring above 5.0 are labeled as spam but still delivered to the user, while messages scoring above 9.5 are rejected during the SMTP conversation. To accomplish this, create a simcontrol like the following:
cat > /var/qmail/control/simcontrol << __EOF__
:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif
__EOF__
Remember to update simcontrol.cdb every time you modify simcontrol:
# update simcontrol.cdb
/var/qmail/bin/simscanmk
echo ':allow,CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/simscan"' >> ~vpopmail/etc/tcp.smtp
qmailctl cdb
Now simscan/chkuser will close the SMTP session after 3 wrong recipients. You may want to add a setting like CHKUSER_RCPTLIMIT="50" to limit the number of recipients per SMTP connection. To be honest, these are chkuser settings (not simscan).
You can setup rules for a specific user, a specific domain and a default rule as follows:
cat > /var/qmail/control/simcontrol << __EOF__
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif
__EOF__
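To see how the three rules above combine with the rejection messages quoted earlier, here is an added example (my own code, not part of simscan or of this page) that parses a simcontrol file, resolves the rule for a recipient and decides whether a message would be rejected. It assumes the lookup order full address, then domain, then the ":" default, and that the checks run in the order attachments, virus, spam; the clamav verdict and the spamassassin score are passed in as parameters, and the sample simcontrol text is constructed from the page's example.

```python
import os

# Constructed sample simcontrol: the same three rules as the page's example
# (per-user rule, per-domain rule, and the ':' default rule).
SIMCONTROL = """\
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif
"""

# Threshold used when a rule says spam=yes but omits spam_hits; 9.5 is the
# --enable-spam-hits value from the configure line (assumption: the
# configure-time value applies when the rule does not override it).
DEFAULT_SPAM_HITS = 9.5


def parse_simcontrol(text):
    """Parse simcontrol lines into {key: options}; key '' is the default rule."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, opts = line.partition(":")        # first ':' separates key from options
        rule = {}
        for opt in filter(None, opts.split(",")):
            name, _, value = opt.partition("=")
            if name == "attach":                  # colon-separated extension list
                rule[name] = [e.lower() for e in value.split(":") if e]
            elif name == "spam_hits":
                rule[name] = float(value)
            else:                                 # clam=yes/no, spam=yes/no, ...
                rule[name] = value.lower() == "yes"
        rules[key.lower()] = rule
    return rules


def resolve(rules, rcpt):
    """Most specific rule wins: full address, then domain, then the '' default."""
    rcpt = rcpt.lower()
    domain = rcpt.partition("@")[2]
    for key in (rcpt, domain, ""):
        if key in rules:
            return rules[key]
    return {}


def decide(rules, rcpt, spam_score, attachments=(), virus=None):
    """Return (accepted, smtp_message) for one message under the resolved rule.

    `attachments` are the file names ripMIME would extract, `virus` the name
    clamav would report (None if clean), `spam_score` the spamassassin hits.
    """
    rule = resolve(rules, rcpt)
    blocked = rule.get("attach", [])
    for name in attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext and ext in blocked:
            return False, f"Your email was rejected because it contains a bad attachment: {name}"
    if rule.get("clam") and virus:
        return False, f"Your email was rejected because it contains the {virus} virus"
    # spam below the threshold is delivered (spam-passthru), above it rejected
    if rule.get("spam") and spam_score > rule.get("spam_hits", DEFAULT_SPAM_HITS):
        return False, f"Your email is considered spam ({spam_score:.1f} spam-hits)"
    return True, "accepted"


if __name__ == "__main__":
    rules = parse_simcontrol(SIMCONTROL)
    for rcpt, score, files in [("bob@other.org", 12.0, ["notes.pdf"]),
                               ("bob@other.org", 7.0, []),
                               ("alice@example.com", 4.0, ["song.mp3"])]:
        print(rcpt, decide(rules, rcpt, score, files))
```

Note that the per-user rule for postmaster disables the spam check entirely, so a 53.5-hit message to postmaster is still accepted unless it carries a blocked attachment, which is exactly the kind of exception the per-user syntax is meant for.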
If you want to enable DKIM you have to modify the simscan configuration accordingly as explained in the DKIM page.
The applied patch adds a line like this to the header:
Received: by simscan 1.4.0 ppid: 5613, pid: 5684, t: 0.7355s scanners: attach: 1.4.0 clamav: 0.98.4/m:55/d:19599 spam: 3.4.0
You have to update simscan's database if you want to get the current versions of clamav and spamassassin:
# /var/qmail/bin/simscanmk -g
simscan versions cdb file built. /var/qmail/control/simversions.cdb
Since the update has to be done each time you refresh the virus database, you have to adjust your freshclam configuration as follows.
First of all let's download and install the program that will do the update:
wget --no-check-certificate https://qmail.jms1.net/simscan/update-simscan.c
gcc -s -o /usr/local/sbin/update-simscan update-simscan.c
chown root:clamav /usr/local/sbin/update-simscan
chmod 4110 /usr/local/sbin/update-simscan
Now modify the freshclam configuration file in order to run the update-simscan executable each time the database is changed. You have to edit the file /usr/local/etc/freshclam.conf and modify it in this way:
OnUpdateExecute /usr/local/sbin/update-simscan
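A quick way to verify that the OnUpdateExecute hook really keeps simversions.cdb in sync is to read back the Received: line simscan stamps on a delivered message and compare the daily database version it reports with the one freshclam installed. The following parser is an added example (my own code, not from simscan or this page); the sample header is the one shown above, and `daily_on_disk` is assumed to be obtained separately, for instance from `sigtool --info` on the current daily.cvd/daily.cld.

```python
import re

# Constructed sample: the Received: line shown on the page, as simscan 1.4.0
# with the --enable-received patch writes it.
SAMPLE_RECEIVED = ("Received: by simscan 1.4.0 ppid: 5613, pid: 5684, t: 0.7355s "
                   "scanners: attach: 1.4.0 clamav: 0.98.4/m:55/d:19599 spam: 3.4.0")

HEADER_RE = re.compile(
    r"^Received:\s+by simscan (?P<simscan>\S+) ppid: (?P<ppid>\d+), pid: (?P<pid>\d+), "
    r"t: (?P<t>\d+(?:\.\d+)?)s scanners: (?P<scanners>.+)$")
SCANNER_RE = re.compile(r"(\w+): (\S+)")          # "attach: 1.4.0", "spam: 3.4.0", ...
CLAMAV_RE = re.compile(r"^(?P<version>[^/]+)/m:(?P<main>\d+)/d:(?P<daily>\d+)$")


def parse_simscan_received(line):
    """Parse a simscan Received: header into a dict, or return None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    info = {
        "simscan": m["simscan"],
        "ppid": int(m["ppid"]),
        "pid": int(m["pid"]),
        "seconds": float(m["t"]),
        "scanners": {},
    }
    for name, value in SCANNER_RE.findall(m["scanners"]):
        if name == "clamav":
            # engine version / main.cvd version / daily.cvd version
            c = CLAMAV_RE.match(value)
            info["scanners"]["clamav"] = (
                {"version": c["version"], "main": int(c["main"]), "daily": int(c["daily"])}
                if c else {"version": value})
        else:
            info["scanners"][name] = value
    return info


def clamav_db_is_stale(info, daily_on_disk):
    """True when the daily db version in the header lags the one freshclam installed
    (daily_on_disk), i.e. simversions.cdb was not rebuilt after the last update."""
    clamav = info.get("scanners", {}).get("clamav", {})
    return clamav.get("daily", 0) < daily_on_disk


if __name__ == "__main__":
    parsed = parse_simscan_received(SAMPLE_RECEIVED)
    print(parsed)
    print("stale:", clamav_db_is_stale(parsed, 19599))
```

Run it against the header of a message received after a freshclam update: if `clamav_db_is_stale` returns True for the database version that is actually on disk, update-simscan was not executed (check the file's owner, the setuid bit set by `chmod 4110`, and the freshclam log).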
/var/qmail/simscan on a ramdisk
On his simscan information page, John Simpson suggests mounting simscan's work directory on a ramdisk, in order to speed up loading files from disk.
It is sufficient to mount that directory with a line like this in your /etc/fstab:
none /var/qmail/simscan tmpfs nodev,noexec,noatime,uid=1010,gid=1004,mode=2750 0 0
Once mounted, mount(8) shows it as:
none on /var/qmail/simscan type tmpfs (nodev,noexec,noatime,uid=1010,gid=1004,mode=2750)
Be aware that you have to adjust the uid and gid to the actual clamav user and group numbers respectively.
Comments
SPAM DROPPED (7.00/7.00):1.1858s:*****SPAM*****
Al March 27, 2017 03:23
Hello,
I have a problem with simscan with rejecting SPAM with less than 9.5 hits:
In /var/qmail/control/simcontrol I have:
In /etc/mail/spamassassin/local.cf I put:
Do you know what could be wrong?
Thank you a lot.
Regards
did you update simcontrol.cdb
roberto puzzanghera March 27, 2017 15:03
did you update simcontrol.cdb?
Al March 28, 2017 16:05
Roberto,
I forgot to do that. Problem is solved now.
Thank you,
Regards,
Al
On simscan 1.4.1
Bob Greco December 9, 2016 12:02
Hi Roberto,
Yes, you are right, simscan 1.4.1 is essentially the same as 1.4.0 from a functionality point of view.
However it has some minor improvements:
Additionally to further suppress all comp warnings one should:
As far as the abnormal behaviour of simscan with spamc is concerned, I think the relevant simscan.c block of code is:
MaxRcptTo always takes value 1 except when the email has many recipients in the Cc or To fields. In such a case MaxRcptTo counts the recipients and has a positive value. So if we change the if condition
to
we get a more normal behavior.
I think it would be wise to ask the developers/maintainers of the current simscan version for a more formal and/or consistent amendment.
Ciao
Bob
Some thoughts...
Bob Greco December 12, 2016 14:32
Dear Rob
I think before anything else we should somehow unravel the logic of the simscan developer (or at least give it a shot, since he/she is unreachable).
The presence of the MaxRcptTo var in simscan.c indicates the fact that at smtpd level one expects, in general, more than one recipient. This fact has two realisations according to the way various MTAs connect to our smtpd. Some MTAs open only one tcp conn per email msg (sendmail?), others open one tcp conn per recipient (qmail).
See: http://grokbase.com/t/perl/qpsmtpd/055bt3byjj/opinion-regarding-multiple-recipients-per-connection
So counting recipients in the 'forward smtp buffer' via MaxRcptTo shows us that the developer is aware of all these. So why then impose a condition with MaxRcptTo == 1 as if he/she expects only one connection per recipient?
One possible explanation is that he/she wants a somehow "pure" user pref policy, ie
one recipient -- one local user (RcptTo[0]) -- reliable bayes entries in the SQL backend
many recipients -- ? -- no entries
(Actually, we might get entries for the clamd user! So eventually our SQL db gets polluted. Is this simply a real bug?)
So if someone (like me) is willing to impose more flexible policies on his users (eg global blacklists per domain etc) he can patch the condition to MaxRcptTo > 0.
I've tested the code and the MaxRcptTo > 0 seems a pretty harmless change that meets my needs without spoiling the simscan functionality.
Ciao
Bob
It's a bug!
Bob Greco December 13, 2016 23:37
Dear Roberto
After all this is a bug!
It had been pointed out previously by Sossi Andrej (you might know him...)
See: http://simscan.inter7.narkive.com/OQQ5ulG8/simscan-not-send-rcpt-address-to-spamassassin
So feel free to add it to some of your patches for our convenience...
Thanks
Bob
roberto puzzanghera December 14, 2016 18:36
Patch updated, thank you
roberto puzzanghera December 10, 2016 14:49
Your patch is working here.
Unfortunately I couldn't find any contact for the author of the current 1.4.1 version
did you test your patch
roberto puzzanghera December 9, 2016 15:48
did you test your patch already?
Anyway, it's not clear to me why this happens only with gmail/hotmail...
simscan 1.4.1
Bob Greco December 9, 2016 01:26
Roberto hi,
FYI there is a newer simscan 'bundle' 1.4.1 @ https://github.com/qmail/simscan
However, I've noticed a strange simscan behavior (for both vers). When I send emails from @gmail/hotmail with multiple 'local' recipients [To, Cc] to my new qmail-simscan server the spamc scan is executed as null user!!! [SIMSCAN_DEBUG=4] (The normal behaviour according to README is to extract the first local recipient.)
Any ideas?
Bob
roberto puzzanghera December 9, 2016 10:55
Hi Bob,
I have the same strange behaviour when receiving from gmail with CC. Tests from other senders made simscan call spamc twice (one for the To address and another for the CC address). At the moment I have no idea... Let me know if you manage to solve it or find a patch.
According to the changelog, the new simscan seems not to add anything important, I'll wait for further development.
Option necessary for centos distributions
Sergi October 5, 2016 16:19
Hi, for the centos distribution in my case I have to put this option in the configure: "--enable-spamc=/usr/bin/spamc".
I hope to be useful
Thanks a lot Roberto for this great manual.
changing of spam hit
nic March 8, 2016 21:12
Hi,
I have been using --enable-spam-hits=9.5 and I would like to lower it to 8.0. I recompiled simscan with --enable-spam-hits=8.0, make and make install-strip, but still it did not change.
Did I miss anything?
thanks, nic
I think modifying and
roberto puzzanghera March 8, 2016 21:56
I think modifying and recompiling simcontrol should work
nic March 8, 2016 22:09
Thanks Roberto.
I missed out the simcontrol.
Simscan update (for gcc 4.1 and up)
Wlad January 10, 2016 21:39
It will not compile unless you add the following to the function in "simscanmk.c" where ever it is referenced:
In function ‘open’, inlined from ‘make_cdb’ at simscanmk.c:429:6: /usr/include/x86_64-linux-gnu/bits/fcntl2.h:50:4: error: call to ‘__open_missing_mode’ declared with attribute error: open with O_CREAT in second argument needs 3 arguments
so it looks like:
if ( (fdout = open(CdbTmpFile, O_CREAT | O_TRUNC | O_WRONLY, 0644)) < 0) {
so in this case on line 429, I added "0644" - add it wherever there's an "open_missing_mode"
Hope it helps someone.
Thanks for your contribution,
roberto puzzanghera January 10, 2016 21:50
Thanks for your contribution, Wlad
I wish there was an
Wlad January 10, 2016 21:18
I wish there was an alternative to simscan 1.4.0 - compiling it requires an older version of gcc - which in this case prevents this from building without proper arguments (for security purposes).
which gcc version?
roberto puzzanghera January 10, 2016 21:48
which gcc version? I can compile up to gcc-4.8.2 here
bounce email
Terry Antonio April 30, 2015 02:52
Rather than replying to an email stating why the message was blocked, can it just be dropped with no reply? Spammers will send a fake reply-to address and someone will be inundated with these messages.
there are several options
roberto puzzanghera May 1, 2015 09:43
there are several options, depending on the delivery program you use. Look at this for details http://www.gossamer-threads.com/lists/qmail/users/133589
I use CHKUSER_WRONGRCPTLIMIT in conjunction with a fail2ban rule
blocking attachment
abdou September 30, 2014 13:17
hello everyone, I have a question related to simscan, may I block all kinds of attachment in the mail? I need just this functionality, is that possible?