simscan

August 4, 2020, by Roberto Puzzanghera (50 comments)

Simscan is a simple program that enables the qmail smtpd service to reject viruses, spam, and block attachments during the SMTP conversation so the processing load on the email system is kept to a minimum.

Combined patch details

Version 1.4.1 is a fork of the original simscan by Inter7. The sources have been polished and modernized a bit and contain a number of bug fixes and patches, including almost all the patches by jms (the only missing one is the "debug" patch which we will apply below) and the bug fix by Gustavo Castro that I had in my previous bundle of patches. Therefore the new patch simply adds the following:

  • the jms "debug" patch, to improve the debugging of simscan in the qmail-smtpd log;
  • a bug fix by Bob Greco for the case where a received message with multiple 'local' recipients makes simscan execute spamc as a null user instead of as the user extracted from the first local recipient.

ripMIME

ripMIME's primary purpose is to extract attachments from MIME-encoded email packages. It is used by simscan and is a recommended package.

cd /usr/local/src
git clone https://github.com/inflex/ripMIME.git
cd ripMIME
chown -R root:root .
make
make install

Testing

  • man ripmime for more info

Pick an email file, here "message.eml", that has an attachment.

mkdir tmp
ripmime --debug --disable-qmail-bounce -i message.eml -d tmp > ripmime.log

The extracted attachments should be inside the tmp folder.

# ls -l tmp/ 
total 2352 
-rw------- 1 root root 2396801 Aug  2 16:10 attached_file.jpeg 
-rw-r--r-- 1 root root       0 Aug  2 16:10 textfile0 
-rw-r--r-- 1 root root       4 Aug  2 16:10 textfile1 
-rw-r--r-- 1 root root      25 Aug  2 16:10 textfile2

As you can see, ripMIME extracted a file attached_file.jpeg which is not group readable. This is not a problem for us, because we are going to run simscan as the clamav user. If instead you plan to run it as the simscan user and add clamav to the simscan group, you should patch ripMIME with this patch (you may have to apply it manually, as it targets v. 1.4.0.9, which doesn't compile anymore); otherwise clamav will not be allowed to read the attachments.

Installing simscan

Install as follows (we have to create the file configure.in on old compilers). Note that with v. 1.4.1 we have to explicitly tell the compiler where the clamav db is (--enable-clamavdb-path):

cd /usr/local/src
wget https://notes.sagredo.eu/files/qmail/tar/simscan-1.4.1.tar.gz
wget https://notes.sagredo.eu/files/qmail/patches/simscan/simscan-1.4.1_20200803.patch
tar xzf simscan-1.4.1.tar.gz
cd simscan-1.4.1
chown -R root:root .
patch < ../simscan-1.4.1_20200803.patch
cp configure.ac configure.in

./configure \
--enable-user=clamav \
--enable-clamav=y \
--enable-spam=y \
--enable-spam-passthru=y \
--enable-spam-hits=9.5 \
--enable-per-domain=y \
--enable-ripmime \
--enable-attach=y \
--enable-custom-smtp-reject=y \
--enable-spamc-user=y \
--enable-received=y \
--enable-clamavdb-path=/usr/local/share/clamav

make
make install-strip

Take a look at the README file for an explanation of all the configuration options. Concerning spam, I want to reject via SMTP the spam with a score greater than 9.5 and pass on to the user the spam below this score.

--enable-per-domain=y|n Turn on per domain based checking.
--enable-spam=y|n Turn on spam scanning. default no.
--enable-spam-passthru=y|n Pass spam email thru or reject. Default: disable (reject)
--enable-spam-hits=number Reject spam above this hit level. Default 10.0
--enable-custom-smtp-reject=y Turns custom smtp reject messages on and off.  When enabled simscan will place the virus name in the reject message if a virus is detected. Requires the qmail-queue-custom-error.patch. Enabling dropmsg disables this option (more info here).
--enable-spamc-user=y Mandatory option if you want to allow the spamassassin user preferences via SQL.
--enable-received=y Add a Received: line to the message, showing the scanners that were used and some stats (you have to patch simscan)

Now create the temporary dir and assign it proper permissions:

mkdir /var/qmail/simscan
chown clamav:clamav /var/qmail/simscan

qmail-queue-custom-error patch

As you know, the qmail-queue-custom-error patch (more info here) that we applied earlier enables simscan to return the appropriate message for each e-mail it refuses to deliver.

Please refer to this page to understand how SMTP rejection works with simscan. In short:

For virus rejection, the message contains the name of the virus, such as:

Your email was rejected because it contains the Worm.Bagle.AU virus

For spam rejection, the message is more generic, merely stating that the message was rejected because it was considered spam:

Your email is considered spam (53.5 spam-hits)

For attachment rejection, the message contains the name of the attachment:

Your email was rejected because it contains a bad attachment: trojan.exe

How to set up simscan to manage spam as well as possible

Let's assume that spamassassin is configured with a spam level of 5.0, so that hits above this score are labeled as spam.

Of course, sooner or later, spamassassin will label as junk an email that is important for a customer of yours, and we never want to reject such a message. On the other hand there will be a score level, say 9.5, above which we can fully trust spamassassin's response and let simscan reject those emails without storing them in the user's mailbox.

Therefore we will configure simscan/spamassassin in order to:

  • Reject the emails with a score > 9.5
  • Pass through the emails with a score between 5.0 and 9.5
  • Consider all the other emails, with a score below 5.0, as not spam

To accomplish this create a simcontrol like the following:

cat > /var/qmail/control/simcontrol << __EOF__
:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif
__EOF__

Remember to update simcontrol.cdb every time you modify simcontrol

# update simcontrol.cdb
/var/qmail/bin/simscanmk
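
A preflight check for two mistakes this setup is prone to: a simcontrol.cdb that was not rebuilt after editing simcontrol, and a work directory not owned by the scanning user. This is an added example, not part of simscan or of the original guide; the function name preflight and the /var/qmail/control/simcontrol.cdb location are assumptions.

```python
"""Added example: preflight checks for the simscan files set up on this page."""
import os
import stat


def preflight(workdir, simcontrol, simcontrol_cdb, scan_uid):
    """Return a list of findings; an empty list means every check passed.

    workdir         simscan work directory (/var/qmail/simscan on this page)
    simcontrol      rules source file
    simcontrol_cdb  compiled rules written by simscanmk (path is an assumption)
    scan_uid        numeric uid simscan runs as (the clamav user on this page)
    """
    findings = []

    # 1. The work directory must exist and belong to the scanning user,
    #    otherwise simscan cannot create its per-message directory.
    try:
        st = os.stat(workdir)
    except FileNotFoundError:
        findings.append(f"{workdir}: work directory does not exist")
    else:
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"{workdir}: not a directory")
        elif st.st_uid != scan_uid:
            findings.append(
                f"{workdir}: owned by uid {st.st_uid}, expected {scan_uid}")
        elif st.st_mode & stat.S_IWOTH:
            # Messages being scanned are unpacked here; other local users
            # should not be able to write into it.
            findings.append(f"{workdir}: world-writable")

    # 2. simscan reads the compiled cdb, not the text file, so an edit to
    #    simcontrol has no effect until simscanmk has been run again.
    try:
        src_mtime = os.stat(simcontrol).st_mtime_ns
    except FileNotFoundError:
        findings.append(f"{simcontrol}: rules file not found")
        return findings
    try:
        cdb_mtime = os.stat(simcontrol_cdb).st_mtime_ns
    except FileNotFoundError:
        findings.append(f"{simcontrol_cdb}: missing, run simscanmk")
    else:
        if cdb_mtime < src_mtime:
            findings.append(
                f"{simcontrol_cdb}: older than {simcontrol}, run simscanmk")
    return findings


if __name__ == "__main__":
    import pwd

    try:
        uid = pwd.getpwnam("clamav").pw_uid
    except KeyError:
        raise SystemExit("no clamav user on this host")
    problems = preflight("/var/qmail/simscan",
                         "/var/qmail/control/simcontrol",
                         "/var/qmail/control/simcontrol.cdb",  # assumed path
                         uid)
    for problem in problems:
        print("WARN:", problem)
    raise SystemExit(1 if problems else 0)
```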

Turning on scanning

echo ':allow,CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/simscan"' >> ~vpopmail/etc/tcp.smtp
qmailctl cdb

Now simscan/chkuser will close the SMTP conversation after 3 wrong recipients. You may want to add an instruction like CHKUSER_RCPTLIMIT="50" to limit the number of recipients per SMTP connection. To be honest, these are chkuser settings (not simscan ones).

Understanding the simcontrol file

You can setup rules for a specific user, a specific domain and a default rule as follows:

cat > /var/qmail/control/simcontrol << __EOF__
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif
__EOF__

  1. The first line sets clam on and spam off for postmaster@example.com and checks for viruses inside attached file .txt and .com names.
  2. The second line sets clam off and spam on for the example.com domain and disallows .mp3 files for the attachment scanner.
  3. The third line sets the default for the whole machine to enable clam, spam scanning, and sets the reject level for spam hits to 9.5.
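
The rule selection described in the list above, combined with the score bands from the spam section, modelled for a single recipient. This is an added example, not simscan's own code: it assumes the most specific key wins (full address, then domain, then the default rule) and that a missing spam_hits falls back to the build-time value; parse_simcontrol, effective_rule and decide are hypothetical names.

```python
"""Added example: model how a simcontrol rule set applies to one recipient."""

# Constructed sample: the three-rule simcontrol file shown on this page.
SIMCONTROL = """\
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif
"""

SA_TAG_LEVEL = 5.0     # spamassassin spam level assumed in the text
BUILD_SPAM_HITS = 9.5  # --enable-spam-hits value used at configure time


def parse_simcontrol(text):
    """Parse simcontrol text into {key: options}.

    The key is everything before the first ':' (an address, a domain, or the
    empty string for the default rule). Duplicate keys are rejected so an
    ambiguous file is caught before simscanmk runs (this example's choice).
    """
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, body = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: no ':' between key and options")
        key = key.lower()
        if key in rules:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        opts = {}
        for item in body.split(","):
            name, eq, value = item.partition("=")
            if not eq or not name:
                raise ValueError(f"line {lineno}: malformed option {item!r}")
            opts[name.strip()] = value.strip()
        rules[key] = {
            # Assumption: an option absent from the line is treated as off.
            "clam": opts.get("clam", "no") == "yes",
            "spam": opts.get("spam", "no") == "yes",
            # Assumption: no spam_hits on the line means the build-time value.
            "spam_hits": float(opts.get("spam_hits", BUILD_SPAM_HITS)),
            "attach": [e.lower() for e in opts.get("attach", "").split(":") if e],
        }
    return rules


def effective_rule(rules, recipient):
    """Pick the most specific rule: full address, then domain, then default."""
    addr = recipient.lower()
    domain = addr.rpartition("@")[2]
    for key in (addr, domain, ""):
        if key in rules:
            return key, rules[key]
    raise LookupError("no matching rule and no default rule")


def decide(rules, recipient, spam_score, attachments=()):
    """Return (verdict, detail) for one message addressed to one recipient."""
    key, rule = effective_rule(rules, recipient)
    for name in attachments:
        for ext in rule["attach"]:
            # Suffix match on the lower-cased name; endswith() is simply
            # False when the name is shorter than the extension.
            if name.lower().endswith(ext):
                return "reject-attachment", name
    if rule["spam"]:
        if spam_score > rule["spam_hits"]:
            return "reject-spam", f"{spam_score:.1f} > {rule['spam_hits']:.1f}"
        if spam_score >= SA_TAG_LEVEL:
            return "deliver-tagged", f"{spam_score:.1f}"
    return "deliver", f"rule {key!r}"


if __name__ == "__main__":
    parsed = parse_simcontrol(SIMCONTROL)
    for rcpt, score, files in [
        ("alice@other.org", 12.3, []),
        ("alice@other.org", 7.0, []),
        ("bob@example.com", 0.4, ["song.mp3"]),
        ("postmaster@example.com", 50.0, ["notes.txt.bak"]),
    ]:
        print(rcpt, score, files, "->", decide(parsed, rcpt, score, files))
```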

Configuring simscan with the DKIM patch

If you want to enable DKIM you have to modify the simscan configuration accordingly as explained in the DKIM page.

Updating simscan

The patch applied will add a line like this to the header:

Received: by simscan 1.4.0 ppid: 5613, pid: 5684, t: 0.7355s
          scanners: attach: 1.4.0 clamav: 0.98.4/m:55/d:19599 spam: 3.4.0

You have to update simscan's versions database if you want it to report the current versions of clamav and spamassassin:

# /var/qmail/bin/simscanmk -g
simscan versions cdb file built. /var/qmail/control/simversions.cdb

Since the update has to be done each time you refresh the virus database, you have to adjust your freshclam configuration as follows.

First of all let's download and install the program that will do the update:

wget --no-check-certificate https://qmail.jms1.net/simscan/update-simscan.c
gcc -s -o /usr/local/sbin/update-simscan update-simscan.c
chown root:clamav /usr/local/sbin/update-simscan
chmod 4110 /usr/local/sbin/update-simscan

Now modify the freshclam configuration file in order to run the update-simscan executable each time the database is changed. You have to edit the file /usr/local/etc/freshclam.conf and modify it in this way:

OnUpdateExecute /usr/local/sbin/update-simscan

/var/qmail/simscan on a ramdisk

On his simscan information page, John Simpson suggests mounting simscan's work directory on a ramdisk, in order to speed up loading files from the disk.

It is sufficient to mount that directory by adding this line to your /etc/fstab:

none /var/qmail/simscan tmpfs nodev,noexec,noatime,uid=1010,gid=1004,mode=2750 0 0

Be aware that you have to adjust the uid and gid to the actual clamav user and group numbers respectively.

Comments

Error: 451_mail_server_temporarily_rejected_mess

Hi

I started noticing an increase of this error.
Doing a little research, the error appears when clamav can access some file attached to emails.
Not a permission problem, it is a "name" problem.
For example:

Fri Oct 16 11:03:50 2020 -> /var/qmail/simscan/1602857030.173486.80905/Consulta PÃƒÆ’Ã†â€™Ãƒâ€ Ã¢â‚¬â„¢ÃƒÆ’Ã¢â‚¬Â ÃƒÂ¢Ã¢â€šÂ¬Ã¢â€˛Â¢ÃƒÆ’Ã†â€™ÃƒÂ¢Ã¢â€šÂ¬Ã…Â¡ÃƒÆ’Ã¢â‚¬Å¡Ãƒâ€šÃ‚Âºblica_edited.jpg: Can't access file ERROR

Obviously the file name has special chars, but this can't be a problem.
Could it be something related to ripmime, which is involved in the process?

Reply | Permalink

Error: 451_mail_server_temporarily_rejected_mess

did you try to debug ripmime in this way?

ripmime --debug --disable-qmail-bounce -i message.eml -d tmp > ripmime.log

Reply | Permalink

SimScan Vs Qmail Scanner

Hi Mr Robert,

I tried to install qmail scanner to replace SimScan, but I got "451 qq temporary problem (#4.3.0)" while trying to send a mail... Is the system flow designed here not compatible with qmail scanner?

thank you

Reply | Permalink

SimScan Vs Qmail Scanner

Hi, yes it is compatible with qmail scanner, I used it before switching to simscan

Reply | Permalink

SimScan Vs Qmail Scanner

Hi Mr Roberto,

After the qmail scanner installation, I tried to run "test_installation.sh" to test qmail scanner and the testing was successful... but when I tried to put it in tcp.smtp, it popped out "451 qq temporary problem (#4.3.0)". I tried to find out what the issue is in the qmail-queue.log file, but there are no error messages in there. I also checked the send and smtp log files, also no error messages.

below is the telnet result:

telnet 192.168.1.2 25
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
220 esmtt.com ESMTP
mail from:abc@mydomain.com
250 ok
rcpt to:kenny@mydomain.com
250 ok
data
354 go ahead
subject: testing
to: kenny@mydomain.com
from: abc@mydomain.com

testing 123
.
451 qq temporary problem (#4.3.0)
quit
221 mydomain.com
Connection closed by foreign host

thank you

Reply | Permalink

SimScan Vs Qmail Scanner

Unfortunately I'm not familiar with qmailscanner, as I switched to simscan about 10 years ago

PS be sure that your softlimit is high enough

Reply | Permalink

ripmime

I tried to compile ripmime, but it kept giving an error. Since I use Debian, it has this package available:

apt-get install ripmime

Reply | Permalink

Link to qmailwiki in your page.

Hi,

 I would like to inform you that qmailwiki.org seems to be not working anymore.

Being that lot of links ( in simscan at least ) point to that site, it becomes hard to follow instruction.

FYI.

Pierluigi

Reply | Permalink

Link to qmailwiki in your page.

Thank you. I linked the README file in place of the old qmailwiki

Reply | Permalink

Disabling simscan for outgoing emails

Hello,

Is there a way to disable simscan for outgoing emails? Because we send weekly newsletters with thousands of subscribers, and since simscan scans outgoing emails as well, the server load goes through the roof when we are sending these newsletters.

Any thoughts?

Cheers,

Gabriel.

Reply | Permalink

Disabling simscan for outgoing emails

I don't have simscan enabled for outgoing emails. It is sufficient that you don't export QMAILQUEUE="/var/qmail/bin/simscan" for outgoing emails, nor DKIMQUEUE=/var/qmail/bin/simscan if you are signing by means of qmail-smtpd

Reply | Permalink

Permissions for simscan

Make sure to create the simscan temp folder with the correct permissions, otherwise it won't work, giving the infamous "mail server temporarily rejected message (#4.3.0)"

mkdir /var/qmail/simscan

chown clamav:clamav /var/qmail/simscan

Also, make sure to follow all clamav installation steps before installing simscan.

Reply | Permalink

Permissions for simscan

thank you for all your corrections. Anyway following the order of this guide, simscan is supposed to be installed after clamav

Reply | Permalink

simscan+spamc not working when running under qmail, but works when testing,

Hi,

I'm trying to get the whole simscan/clamav/spamassassin stuff but I have this problem:

when I receive a mail from the net, the spamc report always clean ( from log )

2019-04-22 18:58:16.984370500 simscan: calling spamc
2019-04-22 18:58:16.984424500 simscan: calling /usr/bin/vendor_perl/spamc spamc -u XXXX@XXXXXXX.XX
2019-04-22 18:58:16.992705500 simscan:[5958]:CLEAN (0.00/0.00):6.6524s:Super aid super erection:212.124.180.14:MarvinAnderson@lrmmotors.it:XXXX@XXXXXXXX.XXX
2019-04-22 18:58:16.992954500 simscan: done, execing qmail-queue
2019-04-22 18:58:17.004802500 simscan: qmail-queue exited 0

If I test it with the command ( I've saved the mail with the SIMSCAN_DEBUG_FILES=2):

env QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=3 /var/qmail/bin/qmail-inject XXXX@XXXXXX.XX < /tmp/mailtest.txt

simscan: calling spamc
simscan: calling /usr/bin/vendor_perl/spamc spamc -u XXXXX@XXXXXX.XXX
simscan:[6046]:SPAM DROPPED (19.70/4.40):0.5449s:*****SPAM***** Super aid super erection:(null):root@XXX.XXXXXX.XX:XXX@XXXXXX.XX
simscan: check_spam detected spam refuse message

it works perfectly.

Do you have any idea where to search for the problem ?

Thanks

Reply | Permalink

simscan+spamc not working when running under qmail, but works when testing,

Do you have your spamassassin behind a firewall? A thing like this happened to me once, when I forgot to add the public IP to the spamd options...

what the spamd/spamc log say?

Reply | Permalink

simscan+spamc not working when running under qmail, but works when testing,

Roberto,

 no, the spamd/spamc are on the same machine.

It seems I have fixed the problem by increasing softlimit memory in the "run" script for qmail-smtpd.

It's rather strange as at first, with a lower limit I could see errors in logs, and increased a bit.

The error ( spamc: error while loading shared libraries: libcrypto.so.1.1: failed to map segment from shared object ) went away but still it behaves as described.

I've then, just for test, increased the softlimit again ( although no errors were shown in logs ) and everything started to work as expected.

Thanks, and thank for your website/blog. Very informative !!!!

Reply | Permalink

SMTP reject

Hi,

I had an email with a .mpp attachment that got rejected with the bounce error

@400000005c6caf6110c3bd8c qlogreceived: result=rejected code=554 reason=queuereject detail=Your_email_was_rejected_because_it_contains_a_bad_attachment:_r helo=mail-pl1-f178.google.com mailfrom=nic@abc.sg rcptto=nic@xyz.sg relay=no rcpthosts= size= authuser= authtype= encrypted= sslverified=no localip=198.*.*.1 localport=25 remoteip=209.85.214.178 remoteport=34374 remotehost= qp=12744 pid=12743
@400000005c6caf6110c5636c qmail-smtpd: message rejected (Your email was rejected because it contains a bad attachment: r): : nic@abc.sg from 209.85.214.178 to nic@xyz.sg helo mail-pl1-f178.google.com

No matter what file name I change the mpp file to, I keep getting the same error (Your email was rejected because it contains a bad attachment: r). But the file name is not "r" at all.

This is my simcontrol

:clam=yes,spam=yes,spam_hits=10.0,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif:.jar

Any idea?

Thanks

Reply | Permalink

SMTP reject

This bug was fixed in the latest patch (tx Pablo Murillo)

Reply | Permalink

SMTP reject

I get the previous patch from: http://gcastrop.blogspot.com/2011/02/problemas-con-adjuntos-en-simscan-con.html

I'm using it and works !!!

Reply | Permalink

SMTP reject

Thank you. I'll check it out

Reply | Permalink

SMTP reject

I found a patch for that error some time ago

It is a problem in simscan and the way it checks extensions

--- ./configure.orig 2007-10-29 09:14:25.000000000 -0500
+++ ./configure 2012-06-26 14:20:22.000000000 -0500
@@ -1694,11 +1736,15 @@
for(i=0;i<MaxAttach;++i) {
if ( DebugFlag > 2 ) fprintf(stderr, "simscan: checking attachment %s against %s\n", mydirent->d_name, bk_attachments[i] );
lowerit(mydirent->d_name);
+ if ( strlen(mydirent->d_name) >= strlen(bk_attachments[i]) ) {
if ( str_rstr(mydirent->d_name,bk_attachments[i]) == 0 ) {
strncpy(AttachName, mydirent->d_name, sizeof(AttachName)-1);
closedir(mydir);
return(1);
}
+ } else {
+ if ( DebugFlag > 2 ) fprintf(stderr, "simscan: attachment name '%s' (%d) is shorter than '%s' (%d). IGNORED\n", mydirent->d_name, strlen( mydirent->d_name ), bk_attachments[i], strlen( bk_attachments[i] ) );
+ }
}
}
closedir(mydir); 
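
Review bot: the debug fprintf added in the else branch prints both strlen() results with %d; strlen returns size_t, so use %zu (or cast to int) to avoid a format/argument mismatch on 64-bit builds. The file header also names ./configure.orig and ./configure although the hunk body is the C attachment loop, so as posted the patch is labelled for the wrong file and the header should name the source file that contains this loop.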

Reply | Permalink

SMTP reject

unfortunately no ideas

Reply | Permalink

Updated qmail-queue-custom-error.patch to work with netqmail-1.06

Hi
I updated the patch qmail-queue-custom-error.patch to work with netqmail-1.06

--- qmail.c 2018-12-07 16:47:31.950228000 -0300
+++ qmail.c 2018-12-07 17:12:46.186218000 -0300
@@ -23,22 +23,32 @@
{
int pim[2];
int pie[2];
+ int pierr[2];

setup_qqargs();

if (pipe(pim) == -1) return -1;
if (pipe(pie) == -1) { close(pim[0]); close(pim[1]); return -1; }
+ if (pipe(pierr) == -1) {
+ close(pim[0]); close(pim[1]);
+ close(pie[0]); close(pie[1]);
+ close(pierr[0]); close(pierr[1]);
+ return -1;
+ }

switch(qq->pid = vfork()) {
case -1:
+ close(pierr[0]); close(pierr[1]);
close(pim[0]); close(pim[1]);
close(pie[0]); close(pie[1]);
return -1;
case 0:
close(pim[1]);
close(pie[1]);
+ close(pierr[0]); /* we want to receive data */
if (fd_move(0,pim[0]) == -1) _exit(120);
if (fd_move(1,pie[0]) == -1) _exit(120);
+ if (fd_move(4,pierr[1]) == -1) _exit(120);
if (chdir(auto_qmail) == -1) _exit(61);
execv(*binqqargs,binqqargs);
_exit(120);
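
Review bot: in the new "if (pipe(pierr) == -1)" branch, the line "close(pierr[0]); close(pierr[1]);" runs on descriptors that were never opened, because pipe() has just failed and pierr is an uninitialised local, so it may close unrelated descriptors of the calling process. Drop that line and keep only the pim and pie closes. The comment on close(pierr[0]) in the child ("we want to receive data") also reads backwards: the child keeps the write end, which is moved to fd 4.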
@@ -46,6 +56,7 @@

qq->fdm = pim[1]; close(pim[0]);
qq->fde = pie[1]; close(pie[0]);
+ qq->fderr = pierr[0]; close(pierr[1]);
substdio_fdbuf(&qq->ss,write,qq->fdm,qq->buf,sizeof(qq->buf));
qq->flagerr = 0;
return 0;
@@ -93,10 +104,22 @@
{
int wstat;
int exitcode;
+ int match;
+ char ch;
+ static char errstr[256];
+ int len = 0;

qmail_put(qq,"",1);
if (!qq->flagerr) if (substdio_flush(&qq->ss) == -1) qq->flagerr = 1;
close(qq->fde);
+ substdio_fdbuf(&qq->ss,read,qq->fderr,qq->buf,sizeof(qq->buf));
+ while( substdio_bget(&qq->ss,&ch,1) && len < 255){
+ errstr[len]=ch;
+ len++;
+ }
+ if (len > 0) errstr[len]='\0'; /* add str-term */
+
+ close(qq->fderr);

if (wait_pid(&wstat,qq->pid) != qq->pid)
return "Zqq waitpid surprise (#4.3.0)";
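
Review bot: the read loop "while( substdio_bget(&qq->ss,&ch,1) && len < 255)" treats any non-zero return as a byte read; if substdio_bget reports a read error with a negative value, the loop keeps storing a stale ch until the buffer is full, so compare the result with > 0. errstr is static and is only terminated when len > 0, so text from a previous call can stay in the buffer; terminate it unconditionally with errstr[len] = '\0'. The new "int match;" is not used anywhere in the visible lines.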
@@ -129,6 +152,9 @@
case 81: return "Zqq internal bug (#4.3.0)";
case 120: return "Zunable to exec qq (#4.3.0)";
default:
+ if (exitcode == 82 && len > 2){
+ return errstr;
+ }
if ((exitcode >= 11) && (exitcode <= 40))
return "Dqq permanent problem (#5.3.0)";
return "Zqq temporary problem (#4.3.0)";
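
Review bot: "return errstr;" hands the bytes read from the child's fd 4 straight back to the caller, while every other return in this switch begins with a Z or D status letter. Check that errstr[0] is one of those letters and strip CR, LF and other control characters before returning it, and otherwise fall through to the generic "Zqq temporary problem (#4.3.0)"; the "len > 2" test alone does not guarantee a well-formed reply.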
--- qmail.h 1998-06-15 12:53:16.000000000 +0200
+++ ../../qmail-1.03/qmail.h 2004-05-26 14:48:23.000000000 +0200
@@ -8,6 +8,7 @@
unsigned long pid;
int fdm;
int fde;
+ int fderr;
substdio ss;
char buf[1024];
} ;

Reply | Permalink

Access denied on textfile2

Hi

I'm using FreeBSD 11.2
I installed simscan from ports, it didn't work, so I then installed simscan "manually" with the patch and with these options:

user = simscan
qmail directory = /var/qmail
work directory = /var/qmail/simscan
control directory = /var/qmail/control
qmail queue program = /var/qmail/bin/qmail-queue
clamdscan program = /usr/local/bin/clamdscan
clamav scan = ON
trophie scanning = OFF
attachement scan = ON
ripmime program = /usr/local/bin/ripmime
custom smtp reject = OFF
drop message = OFF
regex scanner = OFF
quarantine processing = OFF
domain based checking = OFF
add received header = ON
spam scanning = OFF
dspam scanning = OFF

I have:

-rws--x--x 1 simscan simscan /var/qmail/bin/simscan
-rwxr-xr-x 1 simscan simscan /var/qmail/bin/simscanmk

drwxr-s--- 2 simscan simscan simscan

Every time I test the smtp sending and email with or without attachment I get the next error on clamd.log

Access denied: /var/qmail/simscan/???????/textfile2

The directory's content is:

-rw-r----- 1 simscan simscan 52B addr.1543888712.202274.40537
-rw-r----- 1 simscan simscan 766B msg.1543888712.202274.40537
-rw-r----- 1 simscan simscan 0B textfile0
-rw-r----- 1 simscan simscan 23B textfile1
-rw------- 1 simscan simscan 23B textfile2

The problem is obvious, there is a missing permission on textfile2

I created a new jail, I installed all by hand, the same problem
I changed permission on /var/qmail/bin/simscan to:

-rws--x--x 1 simscan wheel /var/qmail/bin/simscan

The same problem

I added on qmail-smtpd/run for debug purpose :

umask 027
export SIMSCAN_DEBUG_FILES=1
export SIMSCAN_DEBUG=3

Any idea ?

Thanks in advance
Pablo Murillo

Reply | Permalink

Access denied on textfile2

everyone who decided to run simscan as the "simscan" user should add "clamav" user to the "simscan" group and then patch ripmime in order to make the extracted attachment group-readable, as now is also explained at the top of this page

Reply | Permalink

Access denied on textfile2

I would try to recompile it with --enable-user=clamav so that clamd has write permissions in the simscan directory...

Reply | Permalink

Access denied on textfile2

Changing the user solved the problem, but I think there is something wrong with ripmime, because, only the attached files to email are with the wrong permission

Thanks

Reply | Permalink

SPAM DROPPED (7.00/7.00):1.1858s:*****SPAM*****

Hello,

I have a problem with simscan with rejecting SPAM with less than 9.5 hits:

SPAM DROPPED (7.00/7.00):1.1858s:*****SPAM*****

In /var/qmail/control/simcontrol I have:

:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif

In /etc/mail/spamassassin/local.cf I put:

rewrite_header  subject *****SPAM*****

Do you know what could be wrong?

Thank you a lot.

Regards

Reply | Permalink

did you update simcontrol.cdb?

/var/qmail/bin/simscanmk

Reply | Permalink

Roberto,

 I forgot to do that. Problem is solved now.

Thank you,

Regards,

Al

Reply | Permalink

On simscan 1.4.1

Hi Roberto,

Yes you are right, simscan 1.4.1 is essentially the same as 1.4.0 from a functionality point of view

However it has some minor improvements:

  1. At line 781 in simscan.c it uses (char *)NULL, which suppresses some comp warnings
  2. Same for line 1785, where the val variable is initialized (suppresses comp warns)
  3. Uses the modern autoconf approach to Makefiles

Additionally to further suppress all comp warnings one should:

  1. Edit cdb/conf-cc and append  -fno-builtin-malloc to gcc options
  2. Edit line 1735@simscan.c and replace globally: %d --> %zu

As far as the abnormal behaviour of simscan with spamc is concerned I think the relevant simscan.c block of code is:

(in v1.4.1)

1313,1349

.........................................................................................

if ( MaxRcptTo==1 && i<MAX_SPAMC_ARGS-2 && strlen(spamuser) > 0){
    spamc_args[i++] = "-u";
    spamc_args[i++] = spamuser;
#ifdef ENABLE_SPAMC_USER
  /*  } else if ( MaxRcptTo==1 && i<MAX_SPAMC_ARGS-2 && strlen(spamuser) == 0) {  */
  } else if ( MaxRcptTo>0 && i<MAX_SPAMC_ARGS-2 && strlen(spamuser) == 0) {
    spamc_args[i++] = "-u";
    spamc_args[i++] = RcptTo[0];
#endif
  }
  spamc_args[i] = NULL;

  if ( DebugFlag > 0 ) {
    fprintf(stderr, "simscan:[%d]: calling %s ", getppid(), SPAMC);
    i=0;
    while(spamc_args[i] != NULL){
      fprintf(stderr, " %s", spamc_args[i]);
      ++i;
    }
    fprintf(stderr, "\n");
  }
  if ( pipe(pim) == 0 ) {
    /* fork spamc */
    switch(pid = vfork()) {
      case -1:
        close(pim[0]);
        close(pim[1]);
        close(spam_fd);
        return(-1);
      case 0:
        close(pim[0]);
        dup2(pim[1],1);
        close(pim[1]);
        execve(SPAMC, spamc_args, 0);
        _exit(-1);
    }

.................................................................................................

MaxRcptTo always takes value 1 except when the email has many recipients in the Cc or To fields. In such a case MaxRcptTo counts the recipients and has a positive value. So if we change the if condition

else if (MaxRcptTo==1 && i<MAX_SPAMC_ARGS-2 && strlen(spamuser) == 0)

to

else if (MaxRcptTo>0 && i<MAX_SPAMC_ARGS-2 && strlen(spamuser) == 0)

we get a more normal behavior.

I think it would be wise to ask the developers/maintainers of the current simscan version for a more formal and/or consistent amendment.

Ciao 

Bob

Reply | Permalink

Some thoughts...

Dear Rob

I think before anything else we should somehow unravel the logic of the simscan developer (or at least give it a shot, since he/she is unreachable).

The presence of the MaxRcptTo var in simscan.c indicates the fact that at smtpd level one expects, in general, more than one recipient.

This fact has two realisations according to the way various MTAs connect to our smtpd.

Some MTAs open only one tcp conn per email msg (sendmail?), others open one tcp conn per recipient (qmail).

See: http://grokbase.com/t/perl/qpsmtpd/055bt3byjj/opinion-regarding-multiple-recipients-per-connection

So counting recipients in the 'forward smtp buffer' via MaxRcptTo shows us that the developer is aware of all these.

So why does he/she then impose a condition with MaxRcptTo == 1, as if he/she expects only one connection per recipient?

One possible explanation is that he/she wants a somehow "pure" user pref policy, i.e.:
   one recipient   -- one local user (RcptTo[0]) -- reliable bayes entries in the SQL backend
   many recipients -- ?                          -- no entries
   (Actually, we might get entries for clamd user! So eventually our SQL db gets polluted. Is this simply a real bug?)

So if someone (like me) is willing to impose more flexible policies on his users (eg global blacklists per domain etc) he can patch the condition to  MaxRcptTo > 0.

I've tested the code and the MaxRcptTo > 0  seems a pretty harmless change that meets my needs without spoiling the simscan functionality.

Ciao
Bob

Reply | Permalink

It's a bug!

Dear Roberto

After all this is a bug!

It had been pointed out previously by Sossi Andrej (you might know him...)

See: http://simscan.inter7.narkive.com/OQQ5ulG8/simscan-not-send-rcpt-address-to-spamassassin

So feel free to add it to some of your patches for our convenience...

Thanks 

Bob

Reply | Permalink

Patch updated, thank you

Reply | Permalink

Your patch is working here.

Unfortunately I couldn't find any contact of the author of the current 1.4.1 version

Reply | Permalink

did you test your patch already?

Anyway, it's not clear to me why this happens only with gmail/hotmail...

Reply | Permalink

simscan 1.4.1

Roberto hi,

FYI there is a newer simscan 'bundle' 1.4.1 @ https://github.com/qmail/simscan

However, I've noticed a strange simscan behavior (for both vers). When I send emails from @gmail/hotmail with multiple 'local' recipients [To, Cc] to my new qmail-simscan server the spamc scan is executed as null user!!! [SIMSCAN_DEBUG=4] (The normal behaviour according to README is to extract the first local recipient.)

Any ideas?

Bob

Reply | Permalink

simscan 1.4.1

I had a better look to the 1.4.1 fork and noticed that actually it contains many bug fixes and most of the patches I am used to apply. A lot of garbage was cleaned as well so I decided to do the switch...

Reply | Permalink

Hi Bob,

I have the same strange behaviour when receiving from gmail with CC. Tests from other senders made simscan call spamc twice (once for the To address and again for the CC address). At the moment I have no idea... Let me know if you manage to solve it or find a patch.

According to the changelog, the new simscan seems not to add anything important, I'll wait for further development.

Reply | Permalink

Option necessary for centos distributions

Hi, for the centos distribution in my case I have to put this option in the configure: "--enable-spamc=/usr/bin/spamc".

I hope to be useful

Thanks a lot Roberto for this great manual. 

Reply | Permalink

changing of spam hit

Hi,

I have been using --enable-spam-hits=9.5 and I would like to lower it to 8.0. I recompiled simscan with --enable-spam-hits=8.0, make and make install-strip, and still it did not change.

Did I miss anything?

thanks, nic

Reply | Permalink

I think modifying and recompiling simcontrol should work

Reply | Permalink

Thanks Roberto.

I missed out the simcontrol.

Reply | Permalink

Simscan update (for gcc 4.1 and up)

It will not compile unless you add the following to the function in "simscanmk.c" wherever it is referenced:

In function ‘open’, inlined from ‘make_cdb’ at simscanmk.c:429:6: /usr/include/x86_64-linux-gnu/bits/fcntl2.h:50:4: error: call to ‘__open_missing_mode’ declared with attribute error: open with O_CREAT in second argument needs 3 arguments 

so it looks like:

if ( (fdout = open(CdbTmpFile, O_CREAT | O_TRUNC | O_WRONLY, 0644)) < 0) { 

so in this case on line 429, I added "0644" - add it wherever there's an "open_missing_mode"

Hope it helps someone.

Reply | Permalink

Thanks for your contribution, Wlad

Reply | Permalink

I wish there was an alternative to simscan 1.4.0 - compiling it requires an older version of gcc - which in this case prevents this from building without proper arguments (for security purposes).

Reply | Permalink

which gcc version? I can compile up to gcc-4.8.2 here

Reply | Permalink

bounce email

Rather than reply to an email stating why the message was blocked, can it just be dropped with no reply, as spammers will send a fake reply-to address and someone will be inundated with these messages?

Reply | Permalink

there are several options, depending on the delivery program you use. Look at this for details http://www.gossamer-threads.com/lists/qmail/users/133589

I use CHKUSER_WRONGRCPTLIMIT in conjunction with a fail2ban rule

Reply | Permalink

blocking attachment

Hello everyone, I have a question related to simscan: may I block all kinds of attachments in the mail? I need just this functionality, is that possible?

Reply | Permalink