  • License: Freeware
  • Last update: 5 years ago
  • Total downloads: 107
  • Price: Free
  • Operating system: Linux
  • Publisher: Jason Haar

Qmail-Scanner Publisher's description

Qmail-Scanner is an add-on that enables a Qmail email server to scan gatewayed email for certain characteristics (i.e. a content scanner). It is typically used for its anti-virus and anti-spam protection functions, in which case it is used in conjunction with external scanners. It also enables a site (at a server/site level) to create "Policy blocks": i.e. react to email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments).


  • Supports almost all commercial (Unix) virus scanners as well as the ever-popular Open Source ClamAV scanner.
  • Can call more than one virus scanner for each mail message.
  • Has its own internal scanner that can be used for Policy enforcement, or to quarantine viruses that your AV currently cannot detect.
  • The internal scanner can also be used to quarantine email based on attachment types, or email with certain email headers... Need to stop *.mp3 files or "Subject: ILOVEYOU" email getting onto and off your LAN - can do! :-)
  • The internal scanner can trigger a "greylist" action instead of a quarantine. This is designed for emergency situations where your current AV and static Policy blocks are not appropriate, e.g. a new ZIP-based virus comes out with random filenames. Your AV cannot detect it, and you can't globally block ZIP files without hurting valid users. A "greylist" action will cause Qmail-Scanner to exit with an SMTP temporary failure instead of delivering the message. Valid emails will simply be requeued and can flow through later once your AV can detect the virus and you decide to remove the greylist policy.
  • Internal engine scans for poorly formatted messages that are known to be used by trojans/viruses to infect clients. As such, this is independent of any virus scanner, and can successfully operate against future viruses/trojans. Such messages are quarantined immediately. Known to block such major viruses as Klez and Aliz, and as a side effect, stops a fair amount of spam too! Format checks include:
      • broken MIME continuation headers
      • use of comments within standard headers (e.g. "Content-T(xxxxxx)ype:" is *identical* to "Content-Type:" according to the RFCs - but some viruses use this as it circumvents some anti-virus scanners). Valid use of this is never seen in the wild - so it's blocked
      • repeated occurrences of MIME headers make Q-S rename the latter ones to nullify them
      • MIME boundaries over 250 chars are blocked
      • differing definitions of a particular attachment filename cause it to be blocked
      • double-defining the same MIME boundary is blocked
      • certain MIME types containing Windows executable extensions are specifically blocked (e.g. an "audio/wav" of filename "wav.exe" could only be a virus)
      • broken headers within a MIME attachment are blocked
      • Windows executable attachments that aren't marked as being of MIME type "application/....." are blocked (e.g. renaming notepad.exe to notepad.gif and sending it as a GIF attachment would be quarantined, as Qmail-Scanner would realise it's an executable pretending to be something else)
      • attachment filenames over 256 chars are blocked
      • some double-barreled filenames are blocked (e.g. file.gif.exe). It tries not to block common mistake variants
      • CLSID file extensions are blocked
      • Password-protected zip files can be blocked if you wish. This would stop any future viruses stuffed inside password-protected zip files from getting through, but of course would also stop any legitimate usage. Turned off by default, but perhaps useful to turn on during a new outbreak, and turned off again once an AV update occurs that can catch it.
  • Defaults to always running any AV you may have over messages first, then runs the internal scanner (Policy/perlscan) checks. This means if you block ".PIF" files due to them normally containing viruses, then any .PIF files that do contain a virus known to your AV system will be flagged as "viruses", and any that were missed (perhaps they were a Day-Zero virus) are then tagged as being blocked by "policy". This differentiation is then used by the alerting system. It defaults to not notifying the sender that a virus has been found, but can still notify them when it was a "policy" block.
  • Quarantines emails it finds to contravene the above sub-systems. Viruses are quarantined into a maildir named "viruses/", policy-blocks into "policy/" and (potentially) high-rated SPAM into "spam/".
  • Email that is quarantined can be configured to trigger one of two different forms of notification:
      • defaults to generating a localizable (i.e. language support) email alert notifying the sender and/or recipient why their message was quarantined
      • an SMTP reject error message (5XX) if desired. This is disabled by default. Needs the Qmail Custom Error patch if you want nicer SMTP error descriptions
  • Can integrate with SpamAssassin to provide comprehensive anti-spam tagging for an entire site. Typical uses also include using Qmail-Scanner as a "front end" for Enterprise mail servers such as Notes and Exchange. Qmail-Scanner does all the dirty work - (hopefully) leaving nothing but clean mail for the backend :-)
  • Auto-detects email from "postmaster"-style and mailing-list addresses - and doesn't send virus alert reports to them (i.e. attempts to act more like a responsible net citizen).
  • Due to the fact that over 99.9% of all email-borne viruses are now sent using forged sender information, Q-S defaults to NOT alerting the sender that a message has been quarantined, unless it was due to a Policy/Perlscan block. This can be turned back to the "old" style by using "--notify sender" instead of the newer default of "--notify psender" (i.e. only notify sender for policy blocks).
  • Knows of the viruses which forge the From headers - so that the virus appears to come from some poor innocent. Qmail-Scanner will not send alerts to the sender for those types of viruses. As the default is to not notify anyway, this only really takes effect if you are using the "--notify sender" option.
  • Each message is tagged via a new Received: header with a virus report showing whether it is clean or not and virus scanner version numbers/etc.
  • [disabled by default] Messages classified as "serious SPAM" by the "--sa-quarantine" option (basically having a really high SA score) will be quarantined off into a "maildir" mail folder (./spam/). This separation into its own maildir allows sites to come up with their own methods of handling false positives. However...
      • the "-z" cleanup option will delete messages in the quarantine subfolders older than 14 days - to ensure it doesn't grow too large. If you want to keep them longer, simply script something to move them out daily to another directory/maildir. There is a logrotate script in the contrib directory to automate this (for those systems that can use it - like Redhat/CentOS)
  • Can optionally add a descriptive header: X-Qmail-Scanner to every email that passes through the system to allow users to see that a scanner has run over their messages.
  • Messages caught by Qmail-Scanner generate an email message (currently supports English, Italian, Afrikaans, Polish, Swedish, Czech, German, Spanish, Turkish, Lithuanian, French, Portuguese, Dutch and Chinese messages) to a configurable combination of the sender, recipients and a "quarantine-admin" address explaining why their message was blocked.
  • Can archive some or all processed email (that wasn't quarantined) into an archive maildir. Useful when debugging email-based apps, for backup purposes, and for audit policy reasons. Currently the mail envelope headers (the "rcpt to:" and "mail from:" headers) are appended to the bottom of each message. This option supports being called with a regular expression, in which case only envelope headers that match the expression are archived (e.g. can archive "(support|sales)@domain.name" instead of all email).
  • If an organization is using clamav, Qmail-Scanner can be directly used for Data Loss Prevention (DLP). Localized clamav signature rules can be written that enable Qmail-Scanner to detect and block emails that clamav detects as "malware". A bit of a misuse perhaps - but clamav's built-in support for archival formats and understanding of document types makes it perfect in this role. If you want Qmail-Scanner to log but not block such DLP "hits" (perhaps because the false positive rates are too high to go with full block-mode), then Qmail-Scanner has a "dlp-monitor" option which tells it which regex of normally quarantinable events are in fact to be let past (i.e. without blocking). It will archive a copy of such messages, and the logging will reflect this was a "DLP:" event.
  • Reports via syslog or to a file a one-line description of each processed message, giving extensive information such as subject line, attachment filenames, sizes, etc.
  • Redundant scanning. Not only does it unpack each message before running the scanners over it, it can also scan the original "raw" email message as well as the unpacked components (i.e. if you think a particular scanner has better internal MIME parsing than Qmail-Scanner).
  • Reporting: in the contrib directory there's qs2mrtg.pl, a Perl script for monitoring your syslog files for qmail-scanner records. It then graphs how Qmail-Scanner is processing your emails. It creates different graphs for incoming vs outgoing email, as well as the flow of spam and viruses.
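
To make the format checks listed above concrete, here is a Python sketch of six of them (header-name comments, boundary length, filename length, filename mismatch, CLSID and executable extensions). It is an example added here, not Qmail-Scanner's own Perl code; the extension list, the double-extension rule and the finding names are assumptions chosen for illustration.

```python
import email
import re
from email.utils import collapse_rfc2231_value

# Assumed extension list for illustration; Qmail-Scanner's real list is not on this page.
EXEC_EXT = {"exe", "com", "pif", "scr", "bat", "vbs"}
CLSID_EXT = re.compile(r"\.\{[0-9A-Fa-f-]{36}\}$")

def _param(part, name, header):
    value = part.get_param(name, header=header)
    return collapse_rfc2231_value(value) if value else None

def check_message(raw):
    """Return sorted policy findings for one raw message (str)."""
    findings = set()
    for part in email.message_from_string(raw).walk():
        # Comment inside a header name, e.g. "Content-T(xxxxxx)ype:".
        if any("(" in key for key in part.keys()):
            findings.add("comment-in-header-name")
        if len(part.get_boundary() or "") > 250:
            findings.add("boundary-too-long")
        # The filename can be declared in two places; they must agree.
        names = {n for n in (_param(part, "name", "content-type"),
                             _param(part, "filename", "content-disposition")) if n}
        if len(names) > 1:
            findings.add("filename-mismatch")
        for name in names:
            pieces = name.lower().split(".")
            if len(name) > 256:
                findings.add("filename-too-long")
            if CLSID_EXT.search(name):
                findings.add("clsid-extension")
            if len(pieces) > 1 and pieces[-1] in EXEC_EXT:
                if len(pieces) > 2:  # e.g. file.gif.exe
                    findings.add("double-extension-executable")
                if part.get_content_maintype() != "application":
                    findings.add("executable-ext-non-application-type")
    return sorted(findings)

# Constructed sample message: two attachments that trip four of the checks.
SAMPLE = "\n".join([
    "MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", 'Content-Type: audio/wav; name="wav.exe"',
    'Content-Disposition: attachment; filename="song.wav"', "", "data",
    "--b1", "Content-T(xxxxxx)ype: text/plain",
    'Content-Disposition: attachment; filename="file.gif.exe"', "", "data",
    "--b1--", "",
])

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A real gateway would quarantine on any non-empty result; the checks that depend on attachment content (executables renamed to .gif, password-protected zips) need the decoded payload and are outside this sketch.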

What's New in This Release:

· Some minor bugs were fixed.
· New features include DLP support and Team Cymru Malware Hash Registry support.

System Requirements:

· Netqmail 1.05 (or qmail-1.03 with patches)
· Create a separate account under which to run Qmail-Scanner: defaults to username and groupname "qscand". For extra security, create it with a normal home directory (e.g. "/home/qscand"), but with a "fake" shell (e.g. "/bin/false") - as it's never logged into directly.
· reformime from Maildrop 1.3.8+
· Perl 5.005_03+
· Perl module Time::HiRes
· Perl module DB_File (most distributions come with it pre-installed, although the latest Perl doesn't)
· Perl module Sys::Syslog (most distributions come with it pre-installed)
· Perl module MIME::Base64 (most distributions come with it pre-installed)
· Optional: Mark Simpson's TNEF unpacker. Can decode those annoying MS-TNEF MIME attachments that Microsoft mail servers just love to use. If you don't have this, there are several classes of email that Qmail-Scanner basically won't be able to extract attachments in. However, your AV might very well be able to handle them
· Optional: uudecode (part of sharutils on Redhat-style systems)
· Optional: unzip
Program Release Status: Minor Update
Program Install Support: Install and Uninstall
