Mailscanner --lint Result / ClamD / Sophos

DeRaptor
Posts: 15
Joined: 25 Oct 2017 15:47

Mailscanner --lint Result / ClamD / Sophos

Post by DeRaptor » 19 Nov 2018 12:08

Aha, the site admin prefers weekly backups..... ;)
So back to my problem I posted last week.

For some (other) reason I checked the output of "MailScanner --lint" and was surprised that none of the installed virus scanners gives any feedback:

Code:

Checking version numbers...
Version number in MailScanner.conf (5.0.7) is correct.

Your envelope_sender_header in spamassassin.conf is correct.
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 18 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd sophos"
Found these virus scanners installed: clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Blocked Filename Detected (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
===========================================================================

If any of your virus scanners (clamavmodule,sophos,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
MailWatch: Closing down MailWatch SQL Blacklist

Meanwhile I updated EFA to version 3.0.2.6 + CLAMAV 0.100.2-1.el6 according to henk's post here.

Output of clamav-wrapper:

Code:

[root@MW24MailGate wrapper]# ./clamav-wrapper /usr /tmp
/tmp/.tmp_ZWQ0MDdkMzkxMDY3OTczMmM2OGI1MWRkZDI3MTU5NTU_webmin_goto_root: OK
/tmp/.tmp_MmNhNmI1ZmRjMGU0ZGE2NDgxODUwNDM2MzEzNGJjNTE_webmin_goto_root: OK
/tmp/ms-update-sa.1116033710: OK
/tmp/ms-update-sa.1110043919: OK
/tmp/ms-update-sa.1118042250: OK
/tmp/.tmp_ODY4YjEzNDA4NzAxYmFmYWI1ZmI4OGY0Zjg5NTc0YmY_webmin_goto_root: OK
/tmp/.tmp_YjFhZjViZjJlNjZmOWE0ZjM1MzY0MDA5OGNlOGYyYjk_webmin_goto_root: OK
/tmp/MailScanner.conf: OK
/tmp/.tmp_NmZhMzViZmJlNGY1ZjhmZTZkNGJiZTY2OGIzY2U5Y2M_webmin_goto_root: OK
/tmp/.tmp_OGU4MDFkNTMzNDY5Y2Y0OTM2YmIyZGU4ZWYwNTI0NjQ_webmin_goto_root: OK
/tmp/ms-update-sa.1107035934: OK
/tmp/.tmp_ODdiOTE4NmYzNDhhODliZWJhOWJlZDJjNGUwZDEzNDk_webmin_goto_root: OK
/tmp/.tmp_NmJkYzYxNWRkNDI0MDhhNzBmNzVkNTFlMTAzOWMxMzg_webmin_goto_root: OK
/tmp/ClamAV.update.log: OK
/tmp/sa_imageCerberusPLG.log: OK
/tmp/.tmp_OTZiODgzODJkZDRhZTcxZTRiMjE5ZGYzYjIyYjQxN2U_webmin_goto_root: OK
/tmp/.tmp_NDMwNTg0ZmE3N2RjNjAyNDU3YTE4ZGU4MjRmNzZkMTI_webmin_goto_root: OK
/tmp/ms-update-sa.1114041732: OK
/tmp/ms-update-sa.1108035701: OK
/tmp/.tmp_YzViMWVkNzE3YjU0NWUxOWIxYjk2ZjllM2NiMjJmYzA_webmin_goto_root: OK
/tmp/ms-update-sa.1119035508: OK
/tmp/ms-update-sa.1105041903: OK
/tmp/ms-update-sa.1109034219: OK
/tmp/EFA-Version: OK
/tmp/ms-update-sa.1115033737: OK
/tmp/ms-update-sa.1111033407: OK
/tmp/ms-update-sa.1112040448: OK
/tmp/ms-update-sa.1117051745: OK
/tmp/ms-update-sa.1106035438: OK
/tmp/.tmp_NGZhMTIwZTZlM2M2MGE1MzVlYTFmOTM3MTYyYmIxOTU_webmin_goto_root: OK
/tmp/ms-update-sa.1113041924: OK

----------- SCAN SUMMARY -----------
Known viruses: 6871038
Engine version: 0.100.2
Scanned directories: 1
Scanned files: 31
Infected files: 0
Data scanned: 0.63 MB
Data read: 0.22 MB (ratio 2.89:1)
Time: 20.641 sec (0 m 20 s)

Output of sophos-wrapper:

Code:

[root@MW24MailGate wrapper]# ./sophos-wrapper /usr /tmp
SAVScan virus detection utility
Version 5.47.0 [Linux/AMD64]
Virus data version 5.57, November 2018
Includes detection for 27176376 viruses, Trojans and worms
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.

System time 12:59:38, System date 19 November 2018

IDE directory is: /opt/sophos-av/lib/sav

Using IDE file fare-fyp.ide
.
.
.
Using IDE file blada-lb.ide

Quick Scanning


1 file scanned in 6 seconds.
No viruses were discovered.
End of Scan.

Both virus scanners are working, as shown here:

Image
Image

Should I be worried about that?

Best regards,
Frank

henk
Posts: 355
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Mailscanner --lint Result / ClamD / Sophos

Post by henk » 19 Nov 2018 23:26

I watched the 94 minutes episode of mission impossible VIII tonight. Miracles can happen :o

I noticed some differences in the MailScanner output. Did you modify filename rules?
Just compare the first part. No white or blacklists or even configuration files?
Filename Checks: Blocked Filename Detected (1 eicar.com)

My version:
Filename Checks: Windows/DOS Executable (1 eicar.com)

My test:

Code:

Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/01_MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1000 hostnames from the phishing whitelist
Read 21624 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
MailWatch: Starting up MailWatch SQL Blacklist
MailWatch: Read 18 blacklist entries
Config: calling custom init function MailWatchLogging
MailWatch: Started MailWatch SQL Logging child
Config: calling custom init function SQLWhitelist
MailWatch: Starting up MailWatch SQL Whitelist
MailWatch: Read 5 whitelist entries

Checking version numbers...
Version number in MailScanner.conf (5.0.7) is correct.

Your envelope_sender_header in spamassassin.conf is correct.
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd sophos"
Found these virus scanners installed: clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
>>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com
Virus Scanning: Sophos found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
Sophos said ">>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com"

If any of your virus scanners (clamavmodule,sophos,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
MailWatch: Closing down MailWatch SQL Blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
MailWatch: Closing down MailWatch SQL Whitelist
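
As an added illustration (my own example code, not MailScanner's and not from either poster), here is a small Python check that reads a saved "MailScanner --lint" transcript and reports which of the scanners named in "Virus Scanners = ..." never produced a "Virus Scanning: X found N infections" line. The two embedded transcripts are shortened copies of the scanner section of the outputs posted in this thread; the regexes are mine and only match the line formats visible here.

```python
import re

# Constructed inputs: the scanner section of the two transcripts posted in
# this thread (DeRaptor's with no scanner result, henk's with both results).
LINT_NO_RESULT = """\
MailScanner.conf says "Virus Scanners = clamd sophos"
Found these virus scanners installed: clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Blocked Filename Detected (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
===========================================================================
"""

LINT_OK = """\
MailScanner.conf says "Virus Scanners = clamd sophos"
Found these virus scanners installed: clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
>>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com
Virus Scanning: Sophos found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
"""

# Line formats as they appear in the --lint output above (assumed stable).
CONFIGURED_RE = re.compile(r'says "Virus Scanners = ([^"]+)"')
INSTALLED_RE = re.compile(r"^Found these virus scanners installed: (.+)$", re.M)
RESULT_RE = re.compile(r"^Virus Scanning: (\w+) found (\d+) infections$", re.M)
FILENAME_RE = re.compile(r"^Filename Checks: (.+?) \(", re.M)


def analyse_lint(text):
    """Compare the configured scanners with the per-scanner result lines."""
    configured = CONFIGURED_RE.search(text).group(1).split()
    installed = [s.strip() for s in INSTALLED_RE.search(text).group(1).split(",")]
    reported = {name.lower(): int(n) for name, n in RESULT_RE.findall(text)}
    fn = FILENAME_RE.search(text)
    return {
        "configured": configured,
        "not_installed": [s for s in configured if s not in installed],
        "silent": [s for s in configured if s not in reported],
        "detected": {s: reported[s] for s in configured if s in reported},
        "filename_check": fn.group(1) if fn else None,
    }


def verdict(text):
    """One-line summary, e.g. for a cron job that mails you when --lint regresses."""
    r = analyse_lint(text)
    if r["not_installed"]:
        return "scanner(s) configured but not found: " + ", ".join(r["not_installed"])
    if r["silent"]:
        return ("no EICAR result from: " + ", ".join(r["silent"])
                + " (filename check: %s)" % r["filename_check"])
    return "all scanners reported: " + ", ".join(
        "%s=%d" % kv for kv in sorted(r["detected"].items()))


if __name__ == "__main__":
    for label, text in (("DeRaptor", LINT_NO_RESULT), ("henk", LINT_OK)):
        print(label + ": " + verdict(text))
```

Run against the two transcripts it prints "no EICAR result from: clamd, sophos (filename check: Blocked Filename Detected)" for the first and "all scanners reported: clamd=1, sophos=1" for the second. The check deliberately keeps the filename-check verdict next to the scanner result, because that is the only visible difference between the two runs apart from the missing scanner lines.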

DeRaptor
Posts: 15
Joined: 25 Oct 2017 15:47

Re: Mailscanner --lint Result / ClamD / Sophos

Post by DeRaptor » 20 Nov 2018 09:58

Hi henk
I watched the 94 minutes episode of mission impossible VIII tonight. Miracles can happen :o
Don't use salt on the open wounds.... :lol: ...Netherlands in the Final Four :clap: - who would have thought it a few months ago ?

Anyway:
Did you modify filename rules?
Yes, I modified filename.rules.conf: the first section contains the filetypes that are allowed (only a few: rar, zip, jpg, dwg, pdf and so on); the remaining filetypes are all blocked (deny), no exception.
Just compare the first part. No white or blacklists or even configuration files?
Hmmm... :think: I didn't restart the machine after updating yesterday :doh: now blacklists/whitelist are accessible:

Code:

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1000 hostnames from the phishing whitelist
Read 21641 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
MailWatch: Starting up MailWatch SQL Blacklist
MailWatch: Read 0 blacklist entries
Config: calling custom init function MailWatchLogging
MailWatch: Started MailWatch SQL Logging child
Config: calling custom init function SQLWhitelist
MailWatch: Starting up MailWatch SQL Whitelist
MailWatch: Read 17 whitelist entries

Checking version numbers...
Version number in MailScanner.conf (5.0.7) is correct.

Your envelope_sender_header in spamassassin.conf is correct.
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 18 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd sophos"
Found these virus scanners installed: clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Blocked Filename Detected (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
===========================================================================

If any of your virus scanners (clamavmodule,sophos,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
MailWatch: Closing down MailWatch SQL Blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
MailWatch: Closing down MailWatch SQL Whitelist

I allowed \.com$ + .\exe$ in filename.rules.conf - same result as above.
I have no clue why MailScanner --lint fails - but clamd and sophos are working as expected.

Best regards,
Frank

henk
Posts: 355
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Mailscanner --lint Result / ClamD / Sophos

Post by henk » 20 Nov 2018 11:22

i didn't restart the machine after updating yesterday

A restart can be the final test ;) (Sounds a bit like Windows)
As I was reading your post viewtopic.php?t=2804

Why do you use greylisting when using fetchmail?
And do you whitelist / trust localhost?
You had a problem for using fetchmail on E.F.A. ( all mails are accepted via localhost (127.0.0.1) and whitelisted.)
MailScanner.conf:

Code:

# When working out from IP address the message was sent from,
# no or 0  ==> use the SMTP client address, ie. the address of the system
#              talking to the MailScanner server. This is the normal setting.
# yes or 1 ==> use the first IP address contained in the first "Received:"
#              header at the top of the email message's headers.
# Any number > 1 ==> use the first IP address contained in the n-th
#                    "Received:" header starting from the top of the email
#                    message's headers.
# Users of BarricadeMX should note that this setting will always be forced
# to 2, so it will always give you IP address of the system connecting to
# BarricadeMX.
#
# This is very useful when you are injecting mail into a MailScanner server
# using "fetchmail" as otherwise all mail will appear to be coming from the
# the IP address of the system running "fetchmail", and not the address the
# mail actually came from.
# You need to use this together with the "invisible" option in "fetchmail",
# so that "fetchmail" does not add its own "Received:" header to the start
# of the message.

Just take a look for some ideas at viewtopic.php?t=2545
Last edited by henk on 20 Nov 2018 12:07, edited 2 times in total.

DeRaptor
Posts: 15
Joined: 25 Oct 2017 15:47

Re: Mailscanner --lint Result / ClamD / Sophos

Post by DeRaptor » 20 Nov 2018 12:02

Why do you use greylisting when using fetchmail?
One day we will get a real mail server like Exchange and not the crap we use now - Tobit David.
Therefore I decided to use an e-mail filtering appliance like EFA :D in case we change the MX records for our domain to point to EFA.
Actually all postboxes are hosted by our provider and I get the POP3 postboxes via fetchmail.
That's why greylisting is running - when I change the configuration I won't forget that I have disabled greylisting.

All that can't be the reason why MailScanner --lint gives this output, can it? :(

henk
Posts: 355
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Mailscanner --lint Result / ClamD / Sophos

Post by henk » 20 Nov 2018 12:47

Actually all postboxes are hosted by our provider and i get the POP3 postboxes via fetchmail.
I use the same method for several providers and it works fine without Exchange.
All that can't be the reason why MailScanner --lint does this output,
Agree. The last option I can think of is your whitelist and/or Mail::SpamAssassin::Plugin::Shortcircuit(s).

Anybody else some ideas?

About greylisting (I know it's off topic, but I'd like to understand it):
As I do not use greylisting I still don't see the point of using it with fetchmail, since the sending mail server is your provider, hosting the mailboxes.

In my view it's the same when you use fetchmail and Postfix restrictions, for example unknown domains. By doing so fetchmail will leave the message from an unknown domain in the provider's mailbox, and the next time fetchmail runs the same message will be there again, and again and again..

So please explain what do I miss on this one.

DeRaptor
Posts: 15
Joined: 25 Oct 2017 15:47

Re: Mailscanner --lint Result / ClamD / Sophos

Post by DeRaptor » 21 Nov 2018 11:26

Henk,

I'm a bit lazy about disabling greylisting, you are right. :)
My configuration makes no sense: :roll:

pop3 -> fetchmail -> efa -> greylisting (5 mins for unknown) -> efa -> mailscanner -> smtp to Tobit David.

But: I'm a Linux amateur :shifty: - my configuration works and EFA does exactly what I want (apart from MailScanner --lint :whistle: )
By doing so fetchmail will leave the message from a unknown domain on the providers mailbox and the next time fetchmail runs, the same message wil be there again, and again and again..
Disagree ... fetchmail takes the mail, flushes the POP3 mailbox at the provider and takes the path I described above.
I use the following fetchmail example:

Code:

poll Providername proto pop3 user xxx@xxx.de password secret is xxx.xxx.de ssl smtphost EFAmachine.domain.local/25

If we get an Exchange, I have to point the MX record to the EFA machine and disable only the fetchmail daemon - that's it.

Another off-topic:

For 2 weeks we have been flooded with fake e-mails with attached Word documents containing trojans.
None of the virus scanners recognizes the OLE macros - I catch them in quarantine only with the SpamAssassin plugins RelayCountry and OLEMacro.
We use Clamav + Sophos on EFA, the File Servers have Kaspersky Endpoint Security.
Look here (only German): https://www.heise.de/security/meldung/T ... 19043.html
After 2 weeks I hoped to be safe, because clamd / Sophos and Kaspersky now recognise the trojans I caught in quarantine over the last 2 weeks, but today there is a new variant:

Image

Is it in the Netherlands too?

henk
Posts: 355
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Mailscanner --lint Result / ClamD / Sophos

Post by henk » 21 Nov 2018 15:18

I liked the idea someone uses the same fetchmail method with E.F.A. There is a long list of advantages and a short list disadvantages. :geek:

About the disagree: when running fetchmail, if Postfix rejects a message due to some restriction, the specific message is not flushed from the provider's mailbox. Feel free to test it and get prepared for a very busy E.F.A. server, fetching the same rejected mails on every fetchmail run.

Code:

Soft bounce mode. All permanent delivery errors cause messages to be left on the upstream server if the protocol supports that. This option is on by default to match historic fetchmail documentation, and will be changed to hard bounce mode in the next fetchmail release

Versus the risk of losing mail.

Code:

--nosoftbounce 	(since v6.3.10, Keyword: set no softbounce, since v6.3.10) 
Hard bounce mode. All permanent delivery errors cause messages to be deleted from the upstream server,
http://www.fetchmail.info/fetchmail-man.html#10

That's the reason I need to classify bad mail as spam and do something with it.
My .fetchmailrc for fmuser

Code:

set postmaster "some adminuser"
set bouncemail
set no spambounce
set properties ""
set no syslog

# ----- User defined fetchmail jobs -----
poll a mailserver blabla
        with proto POP3
        user "dirkjan@xxx.xx" there with password "Strongpasswordshere" is "localdirkjan" here
             sslproto "ssl23"
             ssl
        user "the next user" etc,etc

poll another mailserver blabla
      with proto POP3
        user "dirkjan@xxx.xy" there with password "Strongpasswordshere" is "localdirkjan" here
             sslproto "ssl23"
             ssl
        user "the next user" etc	

My cron:

Code:

Cron entry		
*/3 * * * * fetchmail --nokeep --invisible -v -a >> /var/log/fetchmail/fetchmail.log 2>&1	

The best thing would be to open a new post with the trojan story. There are many members on this forum with great skills. Maybe somebody has ideas how to solve this.

About the Word documents containing trojans. I've never seen such high spam scores. Can you show 1 detail screenshot of how this score is built? --RelayCountry?--

"They are written in good German": as reading/understanding German is easy, writing proper German is something different for the non-Germans.
I would follow the advice given: "Antivirus software currently does not protect sufficiently against this threat." And "The best protection is not to open any Office files that reach you via mail. And under no circumstances should you agree to enable the macros, no matter how plausible it seems."

As the Netherlands is a very small country, it's very difficult to find, even for the Dutch themselves. On top of that we have 17 million experts on a population of 17 million. Did I mention the Dutch language? We need to ask the Belgians how to write and speak proper Dutch.
Long story short, if they find us, I'll let you know :lol:
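
To make the soft-bounce point above concrete, here is a small Python model I added (not fetchmail code, and not either poster's configuration). It simulates repeated fetchmail polls against a constructed provider mailbox in the three situations discussed: the default soft-bounce mode where a message the local MTA permanently rejects stays upstream and is fetched again every run, the --nosoftbounce mode where that message is deleted upstream and therefore lost, and henk's approach of letting the MTA accept everything and classifying afterwards. The mailbox contents, the "unknown domain" rule and the helper names are all constructed for the illustration.

```python
# Constructed provider mailbox: (uid, sender domain). Only uid 2 comes from a
# domain that the local MTA is configured to reject.
MAILBOX = [
    ("1", "example.com"),
    ("2", "unknown.invalid"),
    ("3", "example.com"),
]
KNOWN_DOMAINS = {"example.com"}


def local_mta_accepts(sender_domain, reject_unknown=True):
    """Stand-in for a Postfix restriction that 5xx-rejects unknown domains.
    With reject_unknown=False the MTA accepts everything and leaves the
    classification to MailScanner/SpamAssassin afterwards (henk's approach)."""
    return (not reject_unknown) or sender_domain in KNOWN_DOMAINS


def fetch_run(mailbox, softbounce=True, reject_unknown=True):
    """One fetchmail poll over the upstream mailbox.

    Returns (uids delivered locally, uids lost, mailbox left upstream).
    softbounce=True models fetchmail's default: a permanent delivery error
    leaves the message on the server. softbounce=False models --nosoftbounce:
    the message is deleted upstream even though it was never delivered."""
    delivered, lost, remaining = [], [], []
    for uid, domain in mailbox:
        if local_mta_accepts(domain, reject_unknown):
            delivered.append(uid)            # accepted locally, deleted upstream
        elif softbounce:
            remaining.append((uid, domain))  # rejected, but kept upstream
        else:
            lost.append(uid)                 # rejected and deleted upstream
    return delivered, lost, remaining


def simulate(runs, softbounce=True, reject_unknown=True):
    """Run `runs` polls and count how often each uid is transferred."""
    mailbox = list(MAILBOX)
    fetched, delivered, lost = {}, [], []
    for _ in range(runs):
        for uid, _domain in mailbox:
            fetched[uid] = fetched.get(uid, 0) + 1
        got, gone, mailbox = fetch_run(mailbox, softbounce, reject_unknown)
        delivered += got
        lost += gone
    return {"fetched": fetched, "delivered": delivered, "lost": lost,
            "left_upstream": [uid for uid, _ in mailbox]}


if __name__ == "__main__":
    print("soft bounce, MTA rejects:  ", simulate(3))
    print("hard bounce, MTA rejects:  ", simulate(3, softbounce=False))
    print("soft bounce, MTA accepts:  ", simulate(3, reject_unknown=False))
```

Three polls are enough to see the pattern: in soft-bounce mode uid 2 is transferred three times and is still upstream afterwards (with a */3 cron like the one above that is 20 transfers an hour for every rejected message), in hard-bounce mode it is transferred once and then gone without ever being delivered, and with an accepting MTA every message is transferred exactly once and the filtering decision is made locally.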

DeRaptor
Posts: 15
Joined: 25 Oct 2017 15:47

Re: Mailscanner --lint Result / ClamD / Sophos

Post by DeRaptor » 30 Nov 2018 06:51

Sorry, I was ill the last days .... :shifty:
About the word documents containg trojans. I've never seen such high spam scores. Can you show 1 detail screenshot on how this score is build? --RelayCountry?--
My rules - I use all blacklists available in MailScanner (SPAMCOP/SPAMHAUS/SORBS/BARRACUDA) and iXhash (http://www.ixhash.net/) with default values and the plugin RelayCountryBad (https://wiki.apache.org/spamassassin/RelayCountryPlugin). RelayCountryBad adds 30 points to the score except for all countries from the EU (not all :lol:). We don't have customers outside of Germany, but distributors outside Germany.
score > 5 = {Spam?} in the message header -> message delivered to recipient
score > 10 = high score spam -> message goes into quarantine
RelayCountryBad = 30 points -> message goes into quarantine
OLEMacro = 200 points :lol: -> message goes into quarantine regardless of other rules like whitelist etc.
Mails with positive virus scans will be deleted.


OffTopic:
As the Netherlands is a very small country, it's very difficult to find, even for the Dutch themselves. On top of that we have 17 million experts on a population of 17 million. Did I mention the Dutch language? We need to ask the Belgians how to write and speak proper Dutch.
Long story short, if they find us, I'll let you know :lol:
:shock: oha, I thought the Netherlanders and Belgians are not friends, and the Dutch think of the Belgians as the little unloved brother.
