Installing and configuring simscan

Hi,

thanks for nice work. I'm using simscan with below config:

./configure \
--enable-user=clamav \
--enable-clamav=y \
--enable-attach=y \
--enable-spam=y \
--enable-dropmsg=y \
--enable-quarantinedir=/var/qmail/quarantine \
--enable-per-domain=y \
--enable-ripmime \
--enable-spamc-user=y \
--enable-received=y \
--enable-clamavdb-path=/usr/local/share/clamav

The drawback of this configuration is, all spam mail are dropped in the /var/qmail/quarantine/. Later I use a bash restore script to restore the mail to users. This is an example, not actual script:

for file in /home/vpopmail/domains/xyz.com/postmaster/Maildir/.Restore/cur/*;
do 
  /usr/bin/cat $file |/var/qmail/bin/qmail-inject && /usr/bin/rm $file; 
done

I can collect sender's address and match recipient's address from /var/qmail/control/*rcpthosts so no mail outside our domain is restored. But we get huge mail where recipient's addresses are in BCC. In that case, I need to get recipient's address from log file and manually use those dropped mail to restore to the users. It's very painful. If I fail to restore it, the user will miss the important mail. Due to company policy, I'm unable to tag spam mail and deliver to them (Because users are not aware of spam tagging. They click links or open files though spam tagging is enabled. All training attemptd failed several times, so company decided to drop all spam/virus mail and restore it later manually.

In the current situation, I'm thinking about to add a header (for example: X-REQ-BY-COMP: ) where all recipient's email addresses will be added under that header in the main mail and dropped to /var/qmail/quarantine/. While restoring mail, I'll collect email from that header, remove the header and deliver it to users. As a server admin, I think, doing so will not break the email BCC compliance set by intertionally. I can already see all BCC address from log file. To ease my daily work, I'm planning to do it. But I'm unable to find where to start. I'm requesting you to guide me where and if possible how to implement it in my server.

Your help is highly apprecieated.

BR

honestly I have no advice other than to scold and punish your employees properly :-), otherwise you need to crack simscan after diving into the code, which is absolutely time-consuming

Hi,

Thanks for reply. I'd be the most happies man in the world if I could punish the users by reinstalling OS and other staff themselves. But, at the end the pain returns to IT department. If spam tagging and delivering is enabled, everyday at least 5 or 6 PC/Laptop comes to IT department for reinstalling & reconfiguring everything. I tried every possible options, but failed. At last I'm planning to use this solution (I know about BCC address compliance and I'll follow it strictly).

If I use a qmail-queue wrapper between simscan and qmail-queue, will it work? I'm lost and you are the only qmail guru right now in the world, I hope I can find light from you.

Thanks

I never thought of myself as a guru, much less in the qmail field.

I think no, as at the stage before simscan (a qmail-spp plugin could have been the best option) the message hasn't been tagged as spam yet.

If you want to get in touch with real qmail gurus, drop a message to the DJB m/l

Hi,

After analyzing your code, I've found a configuration which is not present. With below configuration I'm dropping messages to /var/qmail/quarantine, but present simscan does not drop Virus messages here. It simply deletes the Virus mail and stops further processing. My configurations are below:

./configure \
--enable-user=clamav \
--enable-clamav=y \
--enable-attach=y \
--enable-spam=y \
--enable-dropmsg=y \
--enable-quarantinedir=/var/qmail/quarantine \
--enable-per-domain=y \
--enable-ripmime \
--enable-spamc-user=y \
--enable-received=y \
--enable-clamavdb-path=/usr/local/share/clamav \
--enable-clamdscan=/usr/local/bin/clamdscan

Below is the code which exists:

if ( FoundVirus == 1 ) {

#ifdef ENABLE_DROPMSG
log_message("VIRUS DROPPED", VirusName, 0);
/* Drop the message, returning success to sender. */
exit_clean(EXIT_0);

I have changed it to following:

if ( FoundVirus == 1 ) {

#ifdef ENABLE_DROPMSG
log_message("VIRUS DROPPED", VirusName, 0);

#ifdef QUARANTINEDIR 
quarantine_msg(message_name); 
#endif 

/* Drop the message, returning success to sender. */
exit_clean(EXIT_0);

Now Virus mail are dropping to /var/qmail/quarantine/ directory. I think it's a very important code for multi domain drop message environment because Clam AV's "Heuristic Alerts" has a tendency to drop password protected files (pdf, zip, doc) to tag as virus. If Clam AV tags as virus, the mail is gone permanently.

BR

Thank you. I'll add it to the next release

Hi

thanks for reply. But there's another problem. See an email header below:
X-Spam-Flag: No
X-Spam-Score: -473.3
X-Spam-Required: 3.0

Here spam score is -.473.3 (because manually set very low score for testing purpose on spamassassin) which should be delivered to inbox, but the mail did not delivered. It dropped to /var/qmail/quarantine/. That means Clam AV scan report has higher priority than spamassassin. Once Clam AV reports a mail as Virus, the mail never deliveres no matter what spamassassin score is. This is a problem specially when user white lists domain or email address and expects every mail to be received from that domain. Which logic can be applied to overcome this situation?

Why do you think that this is a wrong logic? You have quarantine activated so why you want messages with viri delivered? The message is delivered only if both spamassassin and clamav returned a positive response. This is because you turned on both on simscan config. And simscan has nothing to do with sieve filters, which are applied afterwards at delivery time.

How about this?

if (FoundVirus == 1) {
#ifdef ENABLE_SPAM
float current_required_hits;

if (PerDomainHits == 1) {
current_required_hits = PDHits;
} else {
current_required_hits = SAReqHits;
}


if (SpamHits >= current_required_hits) {
#ifdef ENABLE_DROPMSG
log_message("VIRUS DROPPED", VirusName, 0);
#ifdef QUARANTINEDIR
quarantine_msg(message_name);
#endif
/* Drop the message, returning success to sender. */
exit_clean(EXIT_0);
#else // Original behavior if ENABLE_DROPMSG is not defined
log_message("VIRUS", VirusName, 0);
#ifdef ENABLE_CUSTOM_SMTP_REJECT
snprintf(RejectMsg,sizeof(RejectMsg),
"DYour email was rejected because it contains the %s virus",
VirusName );
write(4,RejectMsg, strlen(RejectMsg));
exit_clean(EXIT_MSG);
#else
exit_clean(EXIT_500);
#endif
#endif
} else {
log_message("VIRUS_DETECTED_DELIVERED", VirusName, 0);
}
#else
#ifdef ENABLE_DROPMSG
log_message("VIRUS DROPPED", VirusName, 0);
#ifdef QUARANTINEDIR
quarantine_msg(message_name);
#endif
/* Drop the message, returning success to sender. */
exit_clean(EXIT_0);
#else
log_message("VIRUS", VirusName, 0);
#ifdef ENABLE_CUSTOM_SMTP_REJECT
snprintf(RejectMsg,sizeof(RejectMsg),
"DYour email was rejected because it contains the %s virus",
VirusName );
write(4,RejectMsg, strlen(RejectMsg));
exit_clean(EXIT_MSG);
#else
exit_clean(EXIT_500);
#endif
#endif
#endif
}

your opinion matters.

thank you.

BR

Sure. Here are the comments:

if (FoundVirus == 1) {
#ifdef ENABLE_SPAM // New logic for SpamAssassin score check
float current_required_hits;

// Determine the effective required SpamAssassin hits/score
// Ensure 'PerDomainHits', 'PDHits', and 'SAReqHits' are defined and accessible elsewhere in your code
if (PerDomainHits == 1) {
current_required_hits = PDHits;
} else {
current_required_hits = SAReqHits;
}

// If ClamAV identifies a virus AND SpamAssassin score >= required_hits
if (SpamHits >= current_required_hits) {
#ifdef ENABLE_DROPMSG
log_message("VIRUS DROPPED", VirusName, 0);
#ifdef QUARANTINEDIR // This block assumes you've added quarantine_msg previously
quarantine_msg(message_name);
#endif
/* Drop the message, returning success to sender. */
exit_clean(EXIT_0);
#else // Original behavior if ENABLE_DROPMSG is not defined
log_message("VIRUS", VirusName, 0);
#ifdef ENABLE_CUSTOM_SMTP_REJECT
snprintf(RejectMsg,sizeof(RejectMsg),
"DYour email was rejected because it contains the %s virus",
VirusName );
write(4,RejectMsg, strlen(RejectMsg));
exit_clean(EXIT_MSG);
#else
exit_clean(EXIT_500);
#endif
#endif
} else {
// If ClamAV identifies a virus AND SpamAssassin score < required_hits
// The mail should be normally delivered.
// No action needed here to drop or quarantine; execution will continue.
// Optional: You might want to log this scenario
log_message("VIRUS_DETECTED_DELIVERED", VirusName, 0);
}
#else // If ENABLE_SPAM is NOT defined, fall back to the original virus handling logic
#ifdef ENABLE_DROPMSG
log_message("VIRUS DROPPED", VirusName, 0);
#ifdef QUARANTINEDIR
quarantine_msg(message_name);
#endif
/* Drop the message, returning success to sender. */
exit_clean(EXIT_0);
#else
log_message("VIRUS", VirusName, 0);
#ifdef ENABLE_CUSTOM_SMTP_REJECT
snprintf(RejectMsg,sizeof(RejectMsg),
"DYour email was rejected because it contains the %s virus",
VirusName );
write(4,RejectMsg, strlen(RejectMsg));
exit_clean(EXIT_MSG);
#else
exit_clean(EXIT_500);
#endif
#endif
#endif
}


Hope it will help

Thanks.

BR.

The code is hardly readable. Can you please summarize a bit what you are changing and use code indentation?

Hi,

Thank you for replying me. As per your suggestion, I'll try to build a spp plugin taking help from AI. I'm not a programmer, so I know, I'll fail. If I fail, then I'll have to forget qmail and migrate to other solution. Please wish me luck and if you could help me to build the plugin, that would be highly apprecieated. I hope, to keep another qmail user alive, you'll guide me.

Thanks.

Hello and thanks for your great work.

 I've noticed that if "enable-per-domain" is not activated then the size-limit patch is not activated too.

Not a big deal, as thanks to the "catch-all" rule you can workaround this, but is worth noting and eventually show this in documentation.

I was, in fact, configured with enable-per-domain=n as I was not differentiating simscan behavior for the domains I receive mails for, but message greater than 250K always was bypassing simscan.

In the simscan code I've seen that only with the option (per-domain)  enabled the simcontrol get readed, at least for the size_limit parameter..

Pierluigi

Ciao Pierluigi,

you are right. I'm not differentiating per domain either, but compiling with --enable-per-domain=y and not specifing any domain in simcontrol as follows

:clam=yes,spam=yes,spam_hits=9.0,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif,size_limit=10000000

That should do the trick

Hi Roberto, 

Even I was facing the same issue I checked but the size_limit=10000000 in the simcontrol file was not having any effect files greated than 512K were getting bypassed. Then after a bit of digging I had the following workaround

Create /etc/mail/spamassassin/spamc.conf and add  (-s FileSize) below is a example of 1 MB you can configure this limit to suit your setup . I have tried with 1 MB , 2MB and 5MB and it works like a charm

-s 1000000

Reload spamdctl. And now it passes all mails upto 1MB to simscan. Tested this on myserver serving 5 domains and is working fine . 

Below is the log line .

Before configuring the -s parameter ( Default Setting as per the guide)

May 20 17:33:28 mail spamc[1726036]: skipped message, greater than max message size (512000 bytes)

After configuring the -s 1000000

Jun 4 10:09:57 mail spamc[1690992]: skipped message, greater than max message size (1000000 bytes)

After Raising the limit to 2 MB ( -s 2048000 )

May 21 00:48:29 mail spamc[1829150]: skipped message, greater than max message size (2048000 bytes)

Cheers

HI Roberto , 

I guess we have shifted the path for tcp.smtp and tcp.submission to /var/qmail/control.  Can you please modife the section above 

Turning on scanning

Change

echo ':allow,CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/simscan"' >> ~vpopmail/etc/tcp.smtp

To 

echo ':allow,CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/simscan"' >> /var/qmail/control/tcp.smtp

Cheers and Regards

Thank you. Corrected

Hi,

Thanks for keeping qmail alive. simscan-1.4.3 still does not scan file greather than 512000 bytes. I've followed whole procedure that you've described. /var/qmail/control/simsizelimit set to 10000000 as per your suggestion ( echo 10000000 > /var/qmail/control/simsizelimit ). 

journalctl -b -f command shows "skipped message, greater than max message size (512000 bytes)"

Is there anything I'm missing.

OS: Debian bookworm

Thanks

BR.

Hi,

I'm not sure that this log message is from simscan. Can you show the entire qmail-smtpd log line? In addition, what qmail are you using? Do you have any other patch that is filtering the msg size?

Hi,

Thanks for reply. The message generated by spamc. Below is the whole message:

Jul 13 15:06:39 antispam.mydomain.com spamc[2573601]: skipped message, greater than max message size (512000 bytes)

My qmail is running as per your instruction from A to Z no otehr patch are applied. there is no such log on /var/log/qmail/smtpd/current or /var/log/spamassassin/spamd.log

I'm getting this log while I run following command:

journalctl -b -f

Thanks

BR

I'll check it out tomorrow. Anyway, if you are following my instructions, simscan will log in qmail-smtpd log when the size limit is exceeded

Hi,

Thanks for reply. My server is running according to your instructions. All spam messages are sent to querentine insted of bounce back. I'm getting below type of logs on smtpd of simscan:

2024-07-14 11:15:48.459856121 simscan:[3331936]:CLEAN (-191.20/5.00/5.00):4.1441s:Dyeing Status:209.85.210.47:planning7@yourdomain:sujanmia@mydomain.com
2024-07-14 11:15:59.458718411 simscan:[3332769]:SPAM DROPPED (24.40/5.00/5.00):3.3198s:*****SPAM***** Blood screening report:103.63.234.101:blood@quantummethod.org.bd:ripon@mydomain.com
2024-07-14 11:15:59.458753127 simscan:[3332769]: Putting the message in quarantine: /var/qmail/quarantine/msg.1720934156.138996.3332799
2024-07-14 11:15:59.459123471 simscan:[3332769]: Message recorded in quarantine successful
2024-07-14 11:16:04.458407684 simscan:[3332947]:SPAM DROPPED (87.40/5.00/5.00):3.5029s:*****SPAM***** RE_ Sacoor Brothers MAH3143 R2 Style Pre Final Booking //JFK // SS24 // OUTLET SWEATERS:118.179.92.24:abir@jfkfashionbd.com:akik.mahmud@mydomain.com
2024-07-14 11:16:04.458450125 simscan:[3332947]: Putting the message in quarantine: /var/qmail/quarantine/msg.1720934160.955580.3332962
2024-07-14 11:16:04.458875702 simscan:[3332947]: Message recorded in quarantine successful
2024-07-14 11:12:10.905890596 simscan:[3323407]:CLEAN (0.00/0.00/0.00):0.0481s:Re_ WEB240391098/Re_ Manual booking for "AXL & CO"//Shipper_:52.101.65.138:inzamul.haque@yourdoman.com:abc@mydomain.com
2024-07-14 11:12:12.624084538 simscan:[3321687]:CLEAN (0.00/0.00/0.00):0.0372s:Re_ Carton poly booking of style- 2200306924.:44.202.169.32:bj@fardingroup.com:sakib.islam@mydomain.com
2024-07-14 11:12:30.104466291 simscan:[3323969]:CLEAN (-298.50/5.00/5.00):3.3525s:RE_ RENAISSANCE BARIND LTD _ OVERDUE EXP:124.109.104.76:prvs=9187fdb7e=mostafa.karim@yourdomain.com

BR.

None of the above log lines by simscan show a size limit skip. This is the exact  log line that you'll have in case of a size limit exceeded by simscan, with no need to enable simscan's debug:

2024-07-14 10:39:49.989994500 simscan: big file (931698 bytes); size limit is 80 bytes; skipping SpamAssassin

After a quick google search, I found out that the error message "skipped message, greater than max message size" is triggered by spamassassin itself (not simscan) when the variable SA_MAX_MAIL_SIZE is set. Can you do

grep -r SA_MAX_MAIL_SIZE /etc/mail/spamassassin

man spamc says

-s max_size, --max-size=max_size
Set the maximum message size which will be sent to spamd -- any bigger than this threshold and the message will be returned unprocessed (default: 500 KB). If spamc gets handed a message bigger than this, it won't be passed to spamd. The maximum message size is 256 MB.

The size is specified in bytes, as a positive integer greater than 0. For example, -s 500000.

tar xzf simscan-$[SIMSCAN_VER}.tar.gz should be {

Thank you. Corrected

echo "none /var/qmail/simscan tmpfs nodev,noexec,noatime,uid=$CLAMAV_UID,gid=CLAMAV_GID,mode=2750 0 0" >> /etc/fstab

I'd like to use simscan, but I like qmail-scanner's built in perlscan to quickly dump emails. I also like the reports. Any suggestions?

Hi, I dropped qmail-scanner ages ago and I'm not familiar with it anymore, sorry

Hi, 

i would like to ask you for help if you see it sensible, scanning order is first  spamc then clamd, but i manage it to reorder, so clamd scan message first /lighter on resources, than its pass to spamc . I manage to just move block od code above spam definition in simscan.c .

however, i would like to use this logic - if clamd detect virus, stop processing, return code, close it. because its not nececesary go for spamc check, its already detected by clamd as virus /with 3rd party db , even spams are detected by clamd/ , but its above my coding skills. 

this i done/manage somehow years ago, but its lost in server migration somewhere ;)   

main reason is to have it lighter on resources

thnx a lot

Hi, I had a quick look. It's not a task to be accomplished with a few touches to the code. So it would be very time expensive...

thank you Roberto for effort, I understand ,no problem. 

thnx a lot

miki

I'll have a look. Thanks for the comment

Hi

I started noticing the increase of this error
Making a little research that the error appear when clamav can access some file attached to emails
Not a permission problem, is a "name" problem
For example:

Fri Oct 16 11:03:50 2020 -> /var/qmail/simscan/1602857030.173486.80905/Consulta Pública_edited.jpg: Can't access file ERROR

Obviously the file name have special chars, but this can't be a problem
Could be something related with ripmime that's involved in the process ?

did you try to debug ripmime in this way?

ripmime --debug --disable-qmail-bounce -i message.eml -d tmp > ripmime.log

Hi Mr Robert,

i tried to install qmail scanner to replace Sim Scan, but i got 451 qq temporary problem (#4.3.0) while try to send a mail... is it the system designed flow here not compatible to work with qmail scanner?

thank you

Hi, yes it is compatible with qmail scanner, I used it before switchimg to simscan

Hi Mr Roberto,

after qmail scanner installation, i tried to run the "test_installation.sh" to test qmail scanner and the testing was successful... but when i tried to put it to tcp.smtp .. it pop out "451 qq temporary problem (#4.3.0)", i tried to find out what is the issue in qmail-queue.log file, but no error messages inside there. i also checked send and smtp log files, also no error messages.

below is the telnet result:

telnet 192.168.1.2 25
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
220 esmtt.com ESMTP
mail from:abc@mydomain.com
250 ok
rcpt to:kenny@mydomain.com
250 ok
data
354 go ahead
subject: testing
to: kenny@mydomain.com
from: abc@mydomain.com

testing 123
.
451 qq temporary problem (#4.3.0)
quit
221 mydomain.com
Connection closed by foreign host

thank you

Unfortunately I'm not familiar with qmailscanner, as I switched to simscan about 10 years ago

PS be sure that your softlimit is high enough

I tried to compile ripmime, but it kept giving an error. Since I use Debian, it has this package available:

apt-get install ripmime

Hi,

 I would like to inform you that qmailwiki.org seems to be not working anymore.

Being that lot of links ( in simscan at least ) point to that site, it becomes hard to follow instruction.

FYI.

Pierluigi

Thank you. I linked the README file in place of the old qmailwiki

Hello,

Is there a way to disable simscan for outgoing emails? Because we send weekly newsletters with thousands of subscribers, and since simscan scans outgoing emails as well, the server load goes through the roof when we are sending these newsletters.

Any thoughts?

Cheers,

Gabriel.

I don't have simscan enabled for outgoing emails. It is sufficient that you don't export QMAILQUEUE="/var/qmail/bin/simscan" for outgoing emails, nor DKIMQUEUE=/var/qmail/bin/simscan if you are signing by means of qmail-smtpd

Make sure to create the simscan temp folder with the correct permissions, otherwise it won't work, giving the infamous "mail server temporarily rejected message (#4.3.0)"

mkdir /var/qmail/simscan

chown clamav:clamav /var/qmail/simscan

Also, make sure to follow all clamav installation steps before installing simscan.

thank you for all your corrections. Anyway following the order of this guide, simscan is supposed to be installed after clamav

Hi,

I'm trying to get the whole simscan/clamav/spamassassin stuff but I have this problem:

when I receive a mail from the net, the spamc report always clean ( from log )

2019-04-22 18:58:16.984370500 simscan: calling spamc
2019-04-22 18:58:16.984424500 simscan: calling /usr/bin/vendor_perl/spamc spamc -u XXXX@XXXXXXX.XX
2019-04-22 18:58:16.992705500 simscan:[5958]:CLEAN (0.00/0.00):6.6524s:Super aid super erection:212.124.180.14:MarvinAnderson@lrmmotors.it:XXXX@XXXXXXXX.XXX
2019-04-22 18:58:16.992954500 simscan: done, execing qmail-queue
2019-04-22 18:58:17.004802500 simscan: qmail-queue exited 0

If I test it with the command ( I've saved the mail with the SIMSCAN_DEBUG_FILES=2):

env QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=3 /var/qmail/bin/qmail-inject XXXX@XXXXXX.XX < /tmp/mailtest.txt

simscan: calling spamc
simscan: calling /usr/bin/vendor_perl/spamc spamc -u XXXXX@XXXXXX.XXX
simscan:[6046]:SPAM DROPPED (19.70/4.40):0.5449s:*****SPAM***** Super aid super erection:(null):root@XXX.XXXXXX.XX:XXX@XXXXXX.XX
simscan: check_spam detected spam refuse message

it works perfectly.

Do you have any idea where to search for the problem ?

Thanks

Do you have your spamassassin behind a firewall? A thing like this happened to me once, when I forgot to add the public IP to the spamd options...

what the spamd/spamc log say?

Roberto,

 no, the spamd/spamc are on the same machine.

It seems I have fixed the problem by increasing softlimit memory in the "run" script for qmail-smtpd.

It's rather strange as at first, with a lower limit I could see errors in logs, and increased a bit.

The error ( spamc: error while loading shared libraries: libcrypto.so.1.1: failed to map segment from shared object ) went away but stil it behaves as described.

I've then, just for test, increased the softlimit again ( although no errors were shown in logs ) and everything started to work as expected.

Thanks, and thank for your website/blog. Very informative !!!!

Hi Roberto,

I have the same error in smtp log.
Do you know how to fix it?

Thanks!
Joao

Do you have spamassassin and clamav working and running?

Hi Roberto,

I found an error in my /service/qmail-smtpd/run.
The problem was fixed.

Thanks
Joao

It would be interesting for those facing the same issue to know what you have found exactly...

Hi Roberto,

I don't now exacly what fixed this problem, because I've tried a lot of things like recompile simscam, clamav and netqmail (with your patch) and try to copy /usr/lib64/libcrypto.so* to /usr/local/lib64/.

I'll reinstall step by step in a fresh machine. If I had the same error, I'll back here with the solution.

Thank you very much

Joao

Hi Roberto,

I've found what I did to fix the problem.
My file /service/qmail-smtpd/run had this line:

exec /usr/local/bin/softlimit -m 8000000

I've changed to:

exec /usr/local/bin/softlimit -m 64000000

Thanks
Joao

Hi,

I had an email with a .mpp attachment got rejected with the bounce error

@400000005c6caf6110c3bd8c qlogreceived: result=rejected code=554 reason=queuereject detail=Your_email_was_rejected_because_it_contains_a_bad_attachment:_r helo=mail-pl1-f178.google.com mailfrom=nic@abc.sg rcptto=nic@xyz.sg relay=no rcpthosts= size= authuser= authtype= encrypted= sslverified=no localip=198.*.*.1 localport=25 remoteip=209.85.214.178 remoteport=34374 remotehost= qp=12744 pid=12743
@400000005c6caf6110c5636c qmail-smtpd: message rejected (Your email was rejected because it contains a bad attachment: r): : nic@abc.sg from 209.85.214.178 to nic@xyz.sg helo mail-pl1-f178.google.com

No matter what file name i change to the mpp file, i keep getting the same error (Your email was rejected because it contains a bad attachment: r). But the file name is not "r" at all.

This is my simcontrol

:clam=yes,spam=yes,spam_hits=10.0,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif:.jar

Any idea?

Thanks

This bug was fixed in the latest patch (tx Pablo Murillo)

I get the previous patch from: http://gcastrop.blogspot.com/2011/02/problemas-con-adjuntos-en-simscan-con.html

I'm using it and works !!!

Thank you. I'll check it out

I found a patch about that error some time ago

Is a problem on simscan and the way it check extension

--- ./configure.orig 2007-10-29 09:14:25.000000000 -0500
+++ ./configure 2012-06-26 14:20:22.000000000 -0500
@@ -1694,11 +1736,15 @@
 for(i=0;i<MaxAttach;++i) {
 if ( DebugFlag > 2 ) fprintf(stderr, "simscan: checking attachment %s against %s\n", mydirent->d_name, bk_attachments[i] ); 
 lowerit(mydirent->d_name); 
+ if ( strlen(mydirent->d_name) >= strlen(bk_attachments[i]) ) {
 if ( str_rstr(mydirent->d_name,bk_attachments[i]) == 0 ) {
 strncpy(AttachName, mydirent->d_name, sizeof(AttachName)-1); 
 closedir(mydir);
 return(1);
 }
+ } else {
+ if ( DebugFlag > 2 ) fprintf(stderr, "simscan: attachment name '%s' (%d) is shorter than '%s' (%d). IGNORED\n", mydirent->d_name, strlen( mydirent->d_name ), bk_attachments[i], strlen( bk_attachments[i] ) );
+ }
 }
 }
 closedir(mydir); 

unfortunately no ideas

Hi
I updated the patch qmail-queue-custom-error.patch to work with netqmail-1.06

--- qmail.c 2018-12-07 16:47:31.950228000 -0300
+++ qmail.c 2018-12-07 17:12:46.186218000 -0300
@@ -23,22 +23,32 @@
 {
 int pim[2];
 int pie[2];
+ int pierr[2];

setup_qqargs();

if (pipe(pim) == -1) return -1;
 if (pipe(pie) == -1) { close(pim[0]); close(pim[1]); return -1; }
+ if (pipe(pierr) == -1) {
+ close(pim[0]); close(pim[1]);
+ close(pie[0]); close(pie[1]);
+ close(pierr[0]); close(pierr[1]);
+ return -1;
+ }

switch(qq->pid = vfork()) {
 case -1:
+ close(pierr[0]); close(pierr[1]);
 close(pim[0]); close(pim[1]);
 close(pie[0]); close(pie[1]);
 return -1;
 case 0:
 close(pim[1]);
 close(pie[1]);
+ close(pierr[0]); /* we want to receive data */
 if (fd_move(0,pim[0]) == -1) _exit(120);
 if (fd_move(1,pie[0]) == -1) _exit(120);
+ if (fd_move(4,pierr[1]) == -1) _exit(120);
 if (chdir(auto_qmail) == -1) _exit(61);
 execv(*binqqargs,binqqargs);
 _exit(120);
@@ -46,6 +56,7 @@

qq->fdm = pim[1]; close(pim[0]);
 qq->fde = pie[1]; close(pie[0]);
+ qq->fderr = pierr[0]; close(pierr[1]);
 substdio_fdbuf(&qq->ss,write,qq->fdm,qq->buf,sizeof(qq->buf));
 qq->flagerr = 0;
 return 0;
@@ -93,10 +104,22 @@
 {
 int wstat;
 int exitcode;
+ int match;
+ char ch;
+ static char errstr[256];
+ int len = 0;

qmail_put(qq,"",1);
 if (!qq->flagerr) if (substdio_flush(&qq->ss) == -1) qq->flagerr = 1;
 close(qq->fde);
+ substdio_fdbuf(&qq->ss,read,qq->fderr,qq->buf,sizeof(qq->buf));
+ while( substdio_bget(&qq->ss,&ch,1) && len < 255){
+ errstr[len]=ch;
+ len++;
+ }
+ if (len > 0) errstr[len]='\0'; /* add str-term */
+
+ close(qq->fderr);

if (wait_pid(&wstat,qq->pid) != qq->pid)
 return "Zqq waitpid surprise (#4.3.0)";
@@ -129,6 +152,9 @@
 case 81: return "Zqq internal bug (#4.3.0)";
 case 120: return "Zunable to exec qq (#4.3.0)";
 default:
+ if (exitcode == 82 && len > 2){
+ return errstr;
+ }
 if ((exitcode >= 11) && (exitcode <= 40))
 return "Dqq permanent problem (#5.3.0)";
 return "Zqq temporary problem (#4.3.0)";
--- qmail.h 1998-06-15 12:53:16.000000000 +0200
+++ ../../qmail-1.03/qmail.h 2004-05-26 14:48:23.000000000 +0200
@@ -8,6 +8,7 @@
 unsigned long pid;
 int fdm;
 int fde;
+ int fderr;
 substdio ss;
 char buf[1024];
 } ;

Hi

I´m using FreeBSD 11.2
I installed simscan from ports, don't worked, so, I installed then simscan "manually" with the patch and with this options:

user = simscan
qmail directory = /var/qmail
work directory = /var/qmail/simscan
control directory = /var/qmail/control
qmail queue program = /var/qmail/bin/qmail-queue
clamdscan program = /usr/local/bin/clamdscan
clamav scan = ON
trophie scanning = OFF
attachement scan = ON
ripmime program = /usr/local/bin/ripmime
custom smtp reject = OFF
drop message = OFF
regex scanner = OFF
quarantine processing = OFF
domain based checking = OFF
add received header = ON
spam scanning = OFF
dspam scanning = OFF

I have:

-rws--x--x 1 simscan simscan /var/qmail/bin/simscan
-rwxr-xr-x 1 simscan simscan /var/qmail/bin/simscanmk

drwxr-s--- 2 simscan simscan simscan

Every time I test the smtp sending and email with or without attachment I get the next error on clamd.log

Access denied: /var/qmail/simscan/???????/textfile2

The directory's content is:

-rw-r----- 1 simscan simscan 52B addr.1543888712.202274.40537
-rw-r----- 1 simscan simscan 766B msg.1543888712.202274.40537
-rw-r----- 1 simscan simscan 0B textfile0
-rw-r----- 1 simscan simscan 23B textfile1
-rw------- 1 simscan simscan 23B textfile2

The problem is obvius, there is a missing permission on textfile2

I created a new jail, I installed all by hand, the same problem
I changed permission on /var/qmail/bin/simscan to:

-rws--x--x 1 simscan wheel /var/qmail/bin/simscan

The same problem

I added on qmail-smtpd/run for debug purpose :

umask 027
export SIMSCAN_DEBUG_FILES=1
export SIMSCAN_DEBUG=3

Any idea ?

Thanks in advance
Pablo Murillo

everyone who decided to run simscan as the "simscan" user should add "clamav" user to the "simscan" group and then patch ripmime in order to make the extracted attachment group-readable, as now is also explained at the top of this page

I would try to recompile it with --enable-user=clamav so that clamd has write permissions in the simscan directory...

Changing the user solved the problem, but I think there is something wrong with ripmime, because, only the attached files to email are with the wrong permission

Thanks

Hello,

I have a problem with simscan with rejecting SPAM with less than 9.5 hits:

SPAM DROPPED (7.00/7.00):1.1858s:*****SPAM*****

In /var/qmail/control/simcontrol I have:

:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif

In /etc/mail/spamassassin/local.cf I put:

rewrite_header  subject *****SPAM*****

Do you know what could be wrong. 

Thank you a lot.

Regards

did you update simcontrol.cdb?

/var/qmail/bin/simscanmk

Roberto,

 I forgot to do that. Problem is solved now.

Thank you,

Regards,

Al

Hi Roberto,

Yes you are right simscan 1.4.1 is essentially the same as 1.4.0 from functionality POfView

However it has some minor improvements:

1. At line 781 in simscan.c uses  (char *)NULL whitch suppresses some comp warnings
2. Same for line 1785 where val variable initialized (suppresses comp warns)
3. Uses the modern autoconf approach to Makefiles

Additionally to further suppress all comp warnings one should:

1. Edit cdb/conf-cc and append  -fno-builtin-malloc to gcc options
2. Edit line 1735@simscan.c and replace globally: %d --> %zu

As far as the abnormal behaviour of simscan with spamc is concerned I think the relevant  simscan.c block of code is:

(in v1.4.1)

1313,1349

.........................................................................................

if ( MaxRcptTo==1 && i 0){
    spamc_args[i++] = "-u";
    spamc_args[i++] = spamuser;
#ifdef ENABLE_SPAMC_USER
  /*  } else if ( MaxRcptTo==1 && i0 && i 0 ) {
    fprintf(stderr, "simscan:[%d]: calling %s ", getppid(), SPAMC);
    i=0;
    while(spamc_args[i] != NULL){
      fprintf(stderr, " %s", spamc_args[i]);
      ++i;
    }
    fprintf(stderr, "\n");
  }
  if ( pipe(pim) == 0 ) {
    /* fork spamc */
    switch(pid = vfork()) {
      case -1:
        close(pim[0]);
        close(pim[1]);
        close(spam_fd);
        return(-1);
      case 0:
        close(pim[0]);
        dup2(pim[1],1);
        close(pim[1]);
        execve(SPAMC, spamc_args, 0);
        _exit(-1);
    }

.................................................................................................

MaxRcptTo always takes value 1 except when email has many recepients @ Cc or To Fields. In such a case MaxRcptTo counts the recepients

and has a positive value. So if we change the if condition

else if (MaxRcptTo==1 && i

to

else if (MaxRcptTo>0 && i

we get a more normal behavior.

I think it would be wise to ask the developers/mainteners of the current  simscan ver for a more formal and/or consistent amendment.

Ciao 

Bob

Dear Rob

I think before anything else we should somehow unravel the logic of the simscan developer (or at least give it a shot, since he/she is unreachable).

The presence of MaxRcptTo var in simscan.c indicates the fact that at smtpd level one expects, in general, more than one recipients.

This fact has two realisations according to the way various MTAs connect to our smtpd.

Some MTAs open only one tcp conn per email msg (sendmail?), others open one tcp conn per recipient (qmail).

See: http://grokbase.com/t/perl/qpsmtpd/055bt3byjj/opinion-regarding-multiple-recipients-per-connection

So counting recipients in the 'forward smtp buffer' via MaxRcptTo shows us that the developer is aware of all these.

So why then imposes a condition with MaxRcptTo == 1 as if he/she expects only one connection per recipient?

One possible explanation is that he/she wants a somehow "pure" user pref policy ie
   one recipient      --   one local user (RcptTo[0]) --  reliable bayes entries in the SQL backend
   many recipients --                  ?                        --  no entries
                                                                              (Actually, we might get entries for clamd user!
                                                                               So eventually our SQL db gets polluted.
                                                                               Is this simply a real bug?)

So if someone (like me) is willing to impose more flexible policies on his users (eg global blacklists per domain etc) he can patch the condition to  MaxRcptTo > 0.

I've tested the code and the MaxRcptTo > 0  seems a pretty harmless change that meets my needs without spoiling the simscan functionality.

Ciao
Bob

Dear Roberto

After all this is a bug!

It had been pointed out previously by Sossi Andrej (you might know him...)

See: http://simscan.inter7.narkive.com/OQQ5ulG8/simscan-not-send-rcpt-address-to-spamassassin

So feel free to add it to some of your patches for our convenience...

Thanks 

Bob

Patch updated, thank you

Your patch is working here.

Unfortunately I coudn't find any contact of the author of the current 1.4.1 version

did you test your patch already?

Anyway, it's not clear to me why this happens only with gmail/hotmail...

Roberto hi,

FYI there is a newer simscan 'bumdle' 1.4.1 @ https://github.com/qmail/simscan

However, I've noticed a strange simscan behavior (for both vers). When I send emails from @gmail/hotmail with multiple 'local' recepients [To, Cc] to my new qmail-simscan server the spamc scan is executed as null user!!! [SIMSCAN_DEBUG=4](The normal behaviour accordind to README is to extract the first local recepient.)

Any ideas?

Bob

I had a better look to the 1.4.1 fork and noticed that actually it contains many bug fixes and most of the patches I am used to apply. A lot of garbage was cleaned as well so I decided to do the switch...

Hi Bob,

I have the same strange behaviour when receiving from gmail with CC. Test from other senders made simscan call spamc twice (one for the To address and another for the CC address). At the moment I have no idea... Let me know if youe manage to solve or find a patch.

According to the changelog, the new simscan seems not to add anything important, I'll wait for further development.

Hi, for centos distribution in my case i have to put this option in the configure "--enable-spamc=/usr/bin/spamc".

I hope to be useful

Thanks a lot Roberto for this great manual. 

Hi,

I have been using --enable-spam-hits=9.5 and i would like to lower to 8.0. I had recompile simscan with --enable-spam-hits=8.0, make and make install-strip , still it did not change.

Did i missed out anything?

thanks, nic

I think modifing and  recompiling simcontrol should work

Thanks Roberto.

I missed out the simcontol.

It will not compile unless you add the following to the function in "simscanmk.c" where ever it is referenced:

In function ‘open’, inlined from ‘make_cdb’ at simscanmk.c:429:6: /usr/include/x86_64-linux-gnu/bits/fcntl2.h:50:4: error: call to ‘__open_missing_mode’ declared with attribute error: open with O_CREAT in second argument needs 3 arguments 

so it looks like:

if ( (fdout = open(CdbTmpFile, O_CREAT | O_TRUNC | O_WRONLY, 0644)) < 0) { 

so in this case on line 429, I added "0644" - add it where ever it there's a "open_missing_mode"

Hope it helps someone.

Thanks for your contribution, Wlad

I wish there was an alternative to simscan 1.4.0 - compiling it requires an older version of gcc - which in this case prevents this from building without proper arguments (for security purposes).

which gcc version? I can compile up to gcc-4.8.2 here

Rather then reply to an email stating why the message was blocked can it just be dropped with no reply as spammers will send a fake repy to address and someone will be inundated with these messages.

there are several options, depending on the delivery program you use. Look at this for details http://www.gossamer-threads.com/lists/qmail/users/133589

I use CHKUSER_WRONGRCPTLIMIT in conjunction with a fail2ban rule

hello everyone , I have a question related to simscan, may I block all kind of attachment in the mail ? I need just this functionnality, is that possible ?