Found viruses but uninfected delivered
Posted: 17 May 2017 08:44
Hi guys.
Currently EFA version 3.0.2.1
I have a situation where a VIRUS gets delivered.
I had a similar case in the past (I also opened a thread about it on the EFA FORUM, in November 2016), and the solution then was to:
change Maximum Archive Depth to 3 in /etc/MailScanner/MailScanner.conf
SOURCE: viewtopic.php?f=13&t=2007&p=7617&hilit= ... ered#p7617
Now this has happened again. I have double-checked EFA's MailScanner.conf in case that attribute was changed by any EFA upgrade, but it still remains at 3, so this time something else must be wrong.
MAILLOG:
Clamd::INFECTED:: Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL :: ./D645D120A29.AF5F2/Parcel_Receipt_SKMBT_pdf.7z
MailScanner[34859]: Uninfected: Delivered 1 messages
The detailed maillog:
May 17 01:28:04 efa postfix/smtpd[38651]: connect from 20.123.26.186.static.intelnet.net.gt[186.26.123.20]
May 17 01:28:05 efa postfix/smtpd[38651]: warning: 20.123.26.186.static.intelnet.net.gt[186.26.123.20]: SASL LOGIN authentication failed: authentication failure
May 17 01:28:05 efa postfix/smtpd[38651]: disconnect from 20.123.26.186.static.intelnet.net.gt[186.26.123.20] helo=1 auth=0/1 quit=1 commands=2/3
May 17 01:28:11 efa postfix/anvil[27836]: statistics: max connection rate 1/60s for (smtp:201.86.94.105) at May 17 01:18:49
May 17 01:28:11 efa postfix/anvil[27836]: statistics: max connection count 1 for (smtp:201.86.94.105) at May 17 01:18:49
May 17 01:28:11 efa postfix/anvil[27836]: statistics: max cache size 3 at May 17 01:24:52
May 17 01:28:34 efa postfix/smtpd[38651]: connect from unknown[52.124.29.50]
May 17 01:28:34 efa postfix/smtpd[38651]: warning: unknown[52.124.29.50]: SASL LOGIN authentication failed: authentication failure
May 17 01:28:34 efa postfix/smtpd[38651]: disconnect from unknown[52.124.29.50] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 17 01:28:38 efa postfix/smtpd[38651]: connect from mail.tohoma.co.id[103.24.13.138]
May 17 01:28:39 efa postfix/smtpd[38651]: Anonymous TLS connection established from mail.tohoma.co.id[103.24.13.138]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 17 01:28:40 efa postfix/trivial-rewrite[39276]: warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual
May 17 01:28:40 efa postfix/cleanup[39277]: warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual
May 17 01:28:40 efa postfix/smtpd[38651]: D645D120A29: client=mail.tohoma.co.id[103.24.13.138]
May 17 01:28:41 efa postfix/cleanup[39277]: D645D120A29: hold: header Received: from mail.tohoma.co.id (mail.tohoma.co.id [103.24.13.138])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)??by efa-external-smt.public-domain.com ( from mail.tohoma.co.id[103.24.13.138]; from=<support@dhl.com> to=<custservice@our-public-domain.com> proto=ESMTP helo=<mail.tohoma.co.id>
May 17 01:28:41 efa postfix/cleanup[39277]: D645D120A29: message-id=<98c5190f35935666414d8f47c153cb9f@dhl.com>
May 17 01:28:42 efa postfix/smtpd[38651]: disconnect from mail.tohoma.co.id[103.24.13.138] ehlo=2 starttls=1 mail=1 rcpt=2 data=1 quit=1 commands=8
May 17 01:28:44 efa MailScanner[34859]: New Batch: Scanning 1 messages, 306852 bytes
May 17 01:28:44 efa MailScanner[34859]: Virus and Content Scanning: Starting
May 17 01:28:44 efa MailScanner[34859]: Clamd::INFECTED:: Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL :: ./D645D120A29.AF5F2/Parcel_Receipt_SKMBT_pdf.7z
May 17 01:28:44 efa MailScanner[34859]: Found spam based virus Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL in D645D120A29.AF5F2
May 17 01:28:44 efa MailScanner[34859]: HTML Img tag found in message D645D120A29.AF5F2 from support@dhl.com
May 17 01:28:44 efa MailScanner[34859]: Spam Checks: Starting
May 17 01:28:44 efa MailScanner[34859]: Expired 1 records from the SpamAssassin cache
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Whitelist refresh time reached
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Starting up MailWatch SQL Whitelist
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Read 35 whitelist entries
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Blacklist refresh time reached
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Starting up MailWatch SQL Blacklist
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Read 1 blacklist entries
May 17 01:28:53 efa MailScanner[34859]: Requeue: D645D120A29.AF5F2 to 0C8B7120A2F
May 17 01:28:53 efa postfix/qmgr[2107]: 0C8B7120A2F: from=<support@dhl.com>, size=306049, nrcpt=2 (queue active)
May 17 01:28:53 efa MailScanner[34859]: Uninfected: Delivered 1 messages
May 17 01:28:53 efa MailScanner[34859]: Deleted 1 messages from processing-database
May 17 01:28:53 efa MailScanner[34859]: MailWatch: Logging message D645D120A29.AF5F2 to SQL
May 17 01:28:53 efa MailScanner[34863]: MailWatch: D645D120A29.AF5F2: Logged to MailWatch SQL
May 17 01:28:53 efa postfix/smtp[39291]: 0C8B7120A2F: to=<techsupport@our-public-domain.com>, relay=192.168.4.115[192.168.4.115]:25, delay=13, delays=13/0.03/0.09/0.18, dsn=2.6.0, status=sent (250 2.6.0 <98c5190f35935666414d8f47c153cb9f@dhl.com> [InternalId=56904021704740, Hostname=Internal-SMTP-server.domain.local] Queued mail for delivery)
May 17 01:28:53 efa postfix/smtp[39290]: 0C8B7120A2F: to=<custservice@our-public-domain.com>, relay=192.168.4.115[192.168.4.115]:25, delay=13, delays=13/0.02/0.07/0.21, dsn=2.6.0, status=sent (250 2.6.0 <98c5190f35935666414d8f47c153cb9f@dhl.com> [InternalId=56904021704739, Hostname=Internal-SMTP-server.domain.local] Queued mail for delivery)
May 17 01:28:53 efa postfix/qmgr[2107]: 0C8B7120A2F: removed
May 17 01:29:27 efa postfix/smtpd[38651]: connect from unknown[172.252.108.50]
May 17 01:29:29 efa postfix/smtpd[38651]: warning: unknown[172.252.108.50]: SASL LOGIN authentication failed: authentication failure
May 17 01:29:29 efa postfix/smtpd[38651]: disconnect from unknown[172.252.108.50] helo=1 auth=0/1 quit=1 commands=2/3
May 17 01:30:04 efa postfix/smtpd[38651]: warning: hostname dedic878.hidehost.net does not resolve to address 91.200.12.173: Name or service not known
May 17 01:30:04 efa postfix/smtpd[38651]: connect from unknown[91.200.12.173]
Please help and advise how to solve this issue. With best regards.
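Added example, not part of the original post: MailScanner logs "Found spam based virus" when a detection name matches the `Virus Names Which Are Spam` pattern in MailScanner.conf (the default covers `Sane*` and `*UNOFFICIAL`), so the hit is passed to the spam checks rather than treated as an infection, which is why the batch is still reported "Uninfected". The script below correlates the three log lines involved (the spam-virus hit, the MailScanner-to-Postfix requeue, and Postfix's status=sent) to list messages that carried a spam-signature hit and were still delivered; the sample lines are a reduced copy of the maillog quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: a reduced copy of the maillog lines quoted in the post.
SAMPLE_LOG = """\
May 17 01:28:44 efa MailScanner[34859]: Clamd::INFECTED:: Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL :: ./D645D120A29.AF5F2/Parcel_Receipt_SKMBT_pdf.7z
May 17 01:28:44 efa MailScanner[34859]: Found spam based virus Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL in D645D120A29.AF5F2
May 17 01:28:53 efa MailScanner[34859]: Requeue: D645D120A29.AF5F2 to 0C8B7120A2F
May 17 01:28:53 efa MailScanner[34859]: Uninfected: Delivered 1 messages
May 17 01:28:53 efa postfix/smtp[39291]: 0C8B7120A2F: to=<techsupport@our-public-domain.com>, relay=192.168.4.115[192.168.4.115]:25, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
May 17 01:28:53 efa postfix/smtp[39290]: 0C8B7120A2F: to=<custservice@our-public-domain.com>, relay=192.168.4.115[192.168.4.115]:25, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
"""

# "Found spam based virus <name> in <MailScanner id>"
SPAM_VIRUS_RE = re.compile(r"MailScanner\[\d+\]: Found spam based virus (\S+) in (\S+)")
# "Requeue: <MailScanner id> to <Postfix queue id>" links the two id spaces
REQUEUE_RE = re.compile(r"MailScanner\[\d+\]: Requeue: (\S+) to (\S+)")
# Postfix delivery record for the requeued message
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: (\S+): to=<([^>]+)>.*status=sent")


def find_spam_virus_deliveries(log_text):
    """Return {mailscanner_id: (signature_name, [recipients])} for messages
    that ClamAV hit with a spam-signature name and Postfix still reported sent."""
    flagged = {}               # MailScanner id -> signature name
    requeued = {}              # Postfix queue id -> MailScanner id
    sent = defaultdict(list)   # Postfix queue id -> recipients with status=sent
    for line in log_text.splitlines():
        if m := SPAM_VIRUS_RE.search(line):
            flagged[m.group(2)] = m.group(1)
        elif m := REQUEUE_RE.search(line):
            requeued[m.group(2)] = m.group(1)
        elif m := SENT_RE.search(line):
            sent[m.group(1)].append(m.group(2))
    result = {}
    for queue_id, ms_id in requeued.items():
        if ms_id in flagged and sent.get(queue_id):
            result[ms_id] = (flagged[ms_id], sorted(sent[queue_id]))
    return result


if __name__ == "__main__":
    for ms_id, (name, rcpts) in find_spam_virus_deliveries(SAMPLE_LOG).items():
        print(f"{ms_id}: {name} delivered to {', '.join(rcpts)}")
```

Run it against the real maillog with `find_spam_virus_deliveries(open("/var/log/maillog").read())` to see which spam-signature hits reached a mailbox instead of quarantine.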