Testing it
You should now have a system which can scan mail for viruses and spam. Using the setup from before, send an email to yourself. When it arrives, look at the full headers (not just the From/To/Subject your mail client shows) and make sure they include the X-...-MailScanner headers that MailScanner adds to every message it has processed.
Now send an email containing the string:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
It should be delivered, but with {Spam?} added to the subject. This test string is known as GTUBE (Generic Test for Unsolicited Bulk Email); SpamAssassin has a dedicated rule for it with a score far above any sensible threshold, so it is flagged no matter what the rest of the message looks like, and most other spam checkers recognise it too.
Now try sending a message including the string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
This shouldn't be delivered. EICAR is the standard anti-virus test file: it is not a virus, just a 68-byte pattern that every virus scanner is expected to detect. Send it as an attachment rather than pasting it into the body, because the pattern must be the very start of the file for scanners to recognise it. If your own desktop anti-virus refuses to let you save or send the attachment, that is that scanner doing its job at your end, not a problem with MailScanner.
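To drive the same three tests from a script rather than a mail client, here is an added example (not part of the original tutorial) that builds the GTUBE message, builds the EICAR message as an attachment, hands each to the local Postfix on port 25, and pulls the MailScanner headers out of a delivered copy. It assumes MailScanner's default header template, X-%org-name%-MailScanner... with org-name "yoursite"; if you changed %org-name% in MailScanner.conf the prefix differs, which is why the check only looks for MailScanner in the header name. The delivered-message sample at the bottom is constructed, not a real capture.

```python
"""Send the GTUBE and EICAR test messages and check what comes back.

Added example, not part of the original tutorial.  Assumes MailScanner's
default header template (X-%org-name%-MailScanner..., org-name "yoursite")."""
import smtplib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Public, harmless test patterns (the same ones quoted above).
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_gtube_message(sender: str, rcpt: str) -> EmailMessage:
    """Spam test: GTUBE anywhere in the body is enough for SpamAssassin."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "GTUBE test"
    msg.set_content("Spam filter test.\n" + GTUBE + "\n")
    return msg


def build_eicar_message(sender: str, rcpt: str) -> EmailMessage:
    """Virus test: EICAR as its own attachment.  The pattern has to be the
    very start of the file, so it must not share a part with body text."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "EICAR test"
    msg.set_content("Virus scanner test; the attachment is the EICAR pattern.\n")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def send(msg: EmailMessage, host: str = "localhost", port: int = 25) -> None:
    """Hand the message to the local Postfix, the path real mail takes."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


def mailscanner_headers(raw: bytes) -> dict:
    """Return the X-*-MailScanner* headers of a delivered message; an
    empty dict means the message never went through the scanner."""
    parsed = message_from_bytes(raw, policy=default)
    return {name: str(value) for name, value in parsed.items()
            if name.lower().startswith("x-") and "mailscanner" in name.lower()}


def was_tagged_spam(raw: bytes) -> bool:
    """True when the spam-check header (whatever the org-name prefix) says spam."""
    for name, value in mailscanner_headers(raw).items():
        if name.lower().endswith("-spamcheck") and value.lower().startswith("spam"):
            return True
    return False


# Constructed sample of a delivered GTUBE message, not a real capture.
SAMPLE_DELIVERED = b"""\
Received: from localhost (localhost [127.0.0.1])
X-yoursite-MailScanner: Found to be clean
X-yoursite-MailScanner-SpamCheck: spam, SpamAssassin (score=1000.0, required 6, GTUBE 1000.00)
Subject: {Spam?} GTUBE test
From: me@example.com
To: me@example.com

Spam filter test.
"""

if __name__ == "__main__":
    send(build_gtube_message("me@example.com", "me@example.com"))
    send(build_eicar_message("me@example.com", "me@example.com"))
```

Run it on the mail server itself so the messages enter Postfix the same way the outside world's do; then save the delivered copies and feed their raw bytes to mailscanner_headers and was_tagged_spam.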
You can check whether all this has worked by looking at the file /var/log/maillog. It's a plain text file, and if you look through it you'll find lines like:
Jun 4 00:14:02 tconwl9 postfix/smtpd[69875]: connect from unknown[65.199.194.153]
Jun 4 00:14:16 tconwl9 postfix/smtpd[69875]: 3BA5F2093: client=unknown[65.199.194.153]
Jun 4 00:14:24 tconwl9 postfix/cleanup[69876]: 3BA5F2093: message-id=<20040603231412.3BA5F2093@tconwl9.cnwl.ac.uk>
Jun 4 00:15:17 tconwl9 postfix/smtpd[69875]: disconnect from unknown[65.199.194.153]
Jun 4 00:15:17 tconwl9 postfix/qmgr[12866]: 3BA5F2093: from=<fxsjj@iname.com>, size=31680, nrcpt=1 (queue active)
Jun 4 00:15:17 tconwl9 postfix/qmgr[12866]: 3BA5F2093: to=<international.admin@cnwl.ac.uk>, relay=none, delay=65, status=deferred (delivery temporarily suspended: deferred transport)
Jun 4 00:15:19 tconwl9 MailScanner[64484]: New Batch: Scanning 1 messages, 31958 bytes
Jun 4 00:15:19 tconwl9 MailScanner[64484]: Spam Checks: Starting
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Message 3BA5F2093 from 65.199.194.153 (fxsjj@iname.com) to cnwl.ac.uk is spam, SpamAssassin (score=17.181, required 6, BAYES_99 5.40, MIME_MISSING_BOUNDARY 1.84, MISSING_MIMEOLE 1.59, MSGID_FROM_MTA_SHORT 3.03, NO_REAL_NAME 0.16, PRIORITY_NO_NAME 1.21, RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK 1.05, X_MSMAIL_PRIORITY_HIGH 0.50, X_PRIORITY_HIGH 1.30)
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Spam Checks: Found 1 spam messages
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Spam Actions: message 3BA5F2093 actions are deliver
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Virus and Content Scanning: Starting
Jun 4 00:15:25 tconwl9 MailScanner[64484]: /3BA5F2093/Notice.zip Found the W32/Netsky.z@MM!zip virus !!!
Jun 4 00:15:25 tconwl9 MailScanner[64484]: /3BA5F2093/Notice.txt .exe Found the W32/Netsky.z@MM virus !!!
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Virus Scanning: McAfee found 2 infections
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Infected message 3BA5F2093 came from 65.199.194.153
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Virus Scanning: Found 2 viruses
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Filename Checks: Windows/DOS Executable (3BA5F2093 Notice.txt .exe)
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Other Checks: Found 1 problems
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Saved infected "Notice.txt .exe" to /var/spool/MailScanner/quarantine/20040604/3BA5F2093
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Saved infected "Notice.zip" to /var/spool/MailScanner/quarantine/20040604/3BA5F2093
This shows that a computer at IP address 65.199.194.153 has delivered a message for international.admin@cnwl.ac.uk, apparently from fxsjj@iname.com. Postfix has accepted and queued it, but because incoming mail is routed to the deferred transport it is held rather than delivered (status=deferred). MailScanner checks the queue at regular intervals and this time has found just one message waiting. It runs the spam check and decides the message is spam: the score of 17.181 is nearly three times the threshold of 6, and the individual rule hits listed after it add up to that score, so you can see exactly which tests contributed.
MailScanner is configured to tag spam but still deliver it (Spam Actions: ... actions are deliver), so it goes on to the virus scan. The message carries a zip attachment, Notice.zip, which the scanner recognises as W32/Netsky; MailScanner unpacks it and finds the payload inside, an executable named "Notice.txt .exe". Note the spaces padded in before .exe so that a casual glance reads it as a text file; the separate filename check flags this as a Windows/DOS Executable regardless of whether the virus scanner knows the signature. MailScanner is configured not to deliver infected email, so it saves the offending attachments under the quarantine directory (one subdirectory per day, then per queue ID) and the message is not delivered.
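Reading verdicts out of the log by eye gets tedious once more than one message is in flight, so here is an added example (not from the original tutorial) that correlates the Postfix and MailScanner lines by queue ID and checks that the SpamAssassin score is the sum of the listed rule hits. The patterns match the wording of the log excerpt above, which is also used, trimmed, as the sample input; other MailScanner or Postfix versions may word their lines differently, and the queue-ID shape is an assumption.

```python
"""Correlate Postfix and MailScanner lines in /var/log/maillog by queue ID.

Added example, not part of the original tutorial.  The patterns match the
wording of the log excerpt above; the queue-ID shape is an assumption."""
import re
from collections import defaultdict

# Lines taken from the log excerpt above (trimmed), used as sample input.
SAMPLE_LOG = """\
Jun 4 00:15:17 tconwl9 postfix/qmgr[12866]: 3BA5F2093: from=<fxsjj@iname.com>, size=31680, nrcpt=1 (queue active)
Jun 4 00:15:17 tconwl9 postfix/qmgr[12866]: 3BA5F2093: to=<international.admin@cnwl.ac.uk>, relay=none, delay=65, status=deferred (delivery temporarily suspended: deferred transport)
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Message 3BA5F2093 from 65.199.194.153 (fxsjj@iname.com) to cnwl.ac.uk is spam, SpamAssassin (score=17.181, required 6, BAYES_99 5.40, MIME_MISSING_BOUNDARY 1.84, MISSING_MIMEOLE 1.59, MSGID_FROM_MTA_SHORT 3.03, NO_REAL_NAME 0.16, PRIORITY_NO_NAME 1.21, RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK 1.05, X_MSMAIL_PRIORITY_HIGH 0.50, X_PRIORITY_HIGH 1.30)
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Spam Actions: message 3BA5F2093 actions are deliver
Jun 4 00:15:25 tconwl9 MailScanner[64484]: /3BA5F2093/Notice.zip Found the W32/Netsky.z@MM!zip virus !!!
Jun 4 00:15:25 tconwl9 MailScanner[64484]: /3BA5F2093/Notice.txt .exe Found the W32/Netsky.z@MM virus !!!
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Filename Checks: Windows/DOS Executable (3BA5F2093 Notice.txt .exe)
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Saved infected "Notice.txt .exe" to /var/spool/MailScanner/quarantine/20040604/3BA5F2093
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Saved infected "Notice.zip" to /var/spool/MailScanner/quarantine/20040604/3BA5F2093
"""

QID = r"(?P<qid>[0-9A-Za-z]{6,})"   # assumption: Postfix queue IDs are alphanumeric
PATTERNS = {
    "from":     re.compile(rf"postfix/qmgr\[\d+\]: {QID}: from=<(?P<v>[^>]*)>"),
    "to":       re.compile(rf"postfix/qmgr\[\d+\]: {QID}: to=<(?P<v>[^>]*)>"),
    "spam":     re.compile(rf"MailScanner\[\d+\]: Message {QID} from (?P<ip>\S+) \(.*?\) to \S+ is (?P<v>spam|not spam)"),
    "action":   re.compile(rf"Spam Actions: message {QID} actions are (?P<v>.+)$"),
    "virus":    re.compile(rf"MailScanner\[\d+\]: /{QID}/(?P<file>.+?) Found the (?P<v>\S+) virus"),
    "filename": re.compile(rf"Filename Checks: (?P<v>.+?) \({QID} (?P<file>.+)\)$"),
    "quar":     re.compile(rf'Saved infected "(?P<file>[^"]+)" to (?P<v>\S+/{QID})$'),
}
SCORE = re.compile(r"\(score=(?P<score>-?[\d.]+), required (?P<req>[\d.]+)(?P<rules>.*)\)")
RULE = re.compile(r"([A-Z][A-Z0-9_]*) (-?[\d.]+)")   # "BAYES_99 5.40" pairs


def parse_maillog(text: str) -> dict:
    """Return {queue_id: record} with sender, recipient, spam verdict and
    rule hits, viruses found, filename-check hits and quarantine paths."""
    msgs = defaultdict(lambda: {"viruses": [], "quarantined": [], "rules": {}})
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            rec = msgs[m["qid"]]
            if kind == "spam":
                rec["spam"] = m["v"] == "spam"
                rec["client_ip"] = m["ip"]
                s = SCORE.search(line)
                if s:   # only present when SpamAssassin actually ran
                    rec["score"] = float(s["score"])
                    rec["required"] = float(s["req"])
                    rec["rules"] = {n: float(v) for n, v in RULE.findall(s["rules"])}
            elif kind == "virus":
                rec["viruses"].append((m["file"], m["v"]))
            elif kind == "quar":
                rec["quarantined"].append((m["file"], m["v"]))
            elif kind == "filename":
                rec["filename"] = (m["v"], m["file"])
            else:
                rec[kind] = m["v"]
    return dict(msgs)


def rule_total(rec: dict) -> float:
    """SpamAssassin's score is the sum of the listed rule scores; comparing
    the two is a quick check that the whole log line was parsed."""
    return round(sum(rec["rules"].values()), 3)


def verdict(rec: dict) -> str:
    """Summarise the way MailScanner acts: an infection is never delivered,
    spam is handled according to the configured Spam Actions."""
    if rec["viruses"] or rec["quarantined"]:
        return "quarantined: " + ", ".join(f"{f} [{v}]" for f, v in rec["viruses"])
    if rec.get("spam"):
        return f"spam ({rec['score']} vs required {rec['required']}), action {rec.get('action', '?')}"
    return "clean"


if __name__ == "__main__":
    for qid, rec in parse_maillog(SAMPLE_LOG).items():
        print(qid, rec.get("from"), "->", rec.get("to"), "|", verdict(rec))
```

Point it at the real file with parse_maillog(open("/var/log/maillog").read()) once your GTUBE and EICAR tests have gone through; the GTUBE message should come back as spam with the GTUBE rule dominating its score, and the EICAR message as quarantined.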
