Unable to release some blocked messages

gosha
Posts: 12
Joined: 08 Feb 2017 09:12

Unable to release some blocked messages

Post by gosha »

Hi

Messages blocked as "bad content" can't be released. It seems they are not stored. Where can I find these settings? It would be great to notify the user about a message blocked by content and to store it. Please help.
danield@racmtg.com
Posts: 5
Joined: 10 Jan 2017 17:52

Re: Unable to release some blocked messages

Post by danield@racmtg.com »

I noticed this today as well. I went to the server and enabled the virus setting to actually deliver the cleaned message and it froze up my mailscanner queue. I have 230 unrecoverable/deliverable emails stuck in queue. Be careful with this setting!! Backup first or take a snapshot if on Hyper-V.
dwmp
Posts: 54
Joined: 05 Feb 2016 13:42

Re: Unable to release some blocked messages

Post by dwmp »

Hi,

I also have the problem, that I cannot release mails with status "Bad content". As far as I remember that was possible, since I activated the options "Quarantine Infections = yes" and "Quarantine Silent Viruses = yes"
When I release the mail in MailWatch, nothing happens, also there is no entry for this release in the overview (should be postmaster@... delivers mail to <recipient>...)

Also we would like to notify users about blocked mails with status "Bad content". Notifications for "normal" spam mails are sent to the users, but not for mails with status "Bad content".

I would really appreciate your help.

Thanks!

dwmp
volodya123
Posts: 6
Joined: 04 Mar 2017 20:43
Location: Moscow, Russia

Re: Unable to release some blocked messages

Post by volodya123 »

dwmp wrote: 12 Apr 2017 13:15 Hi,

I also have the problem, that I cannot release mails with status "Bad content". As far as I remember that was possible, since I activated the options "Quarantine Infections = yes" and "Quarantine Silent Viruses = yes"
...

I have the same problem, some messages were blocked for reason:

Code:

Report:	MailScanner: Attempt to hide real filename extension (.txt.sgn.enc)

and I can't release the messages, because they don't move to Quarantine

Code:

Spam Learn Results
069D9C0054.A34B2	release	Error: Message not found in quarantine
8424AC0054.A0EA8	release	Error: Message not found in quarantine
DF479C0054.A17C8	release	Error: Message not found in quarantine

How can I set these options to move blocked messages to Quarantine and have the ability to release some messages like this?

Thanks in advance!
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Unable to release some blocked messages

Post by shawniverson »

Bad Content is hard to handle, mainly because in MailScanner it is an all or nothing setting. It may be possible to use "rename" instead of "allow" or "deny" for certain rules.

I wonder if this setting would have an effect?

Code:

Keep Spam And MCP Archive Clean = no
stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

Re: Unable to release some blocked messages

Post by stusmith »

I've seen the same, but there was a setting I changed that made that happen. As for the blocked content, I discovered that Adobe Acrobat under Windows 10 does an unexpected thing in terms of naming PDF files that you Create PDF From Document. It uses the full old filename, such as word-document.docx in the name of the new file, resulting in word-document.docx.pdf.

I have been explaining to my users that they need to rename these files before sending them, but it seems this glitch is also affecting some automated systems; we get invoices from other companies that are blocked because of this bug. As a result, I've had to add

/etc/MailScanner/filename.rules.conf

Code:

allow	\.doc\.pdf	-	-
allow	\.docx\.pdf	-	-

I thought there was a setting Allow Domain Administrators to View Dangerous Content that would allow the release of blocked files, but you also have to make sure that the Bad Content rules use the Store instead of Delete Action. I'm drawing a blank on where those settings are right now, but I'll look.
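
Added example, not part of stusmith's post or of MailScanner's code: a small evaluator for rules in the filename.rules.conf layout shown in this thread, used to check how far an exception such as `allow \.docx\.pdf` reaches before it goes live. It assumes rules are tried top to bottom with the first match winning and that matching is case-insensitive; the rule set and attachment names are constructed.

```python
import re

# Constructed sample in the tab-separated layout shown in this thread:
# action, regex, log text, user report text. The last rule is a stand-in
# for whatever generic double-extension rule a site runs.
SAMPLE_RULES = "\n".join([
    "# site exceptions sit above the generic rule",
    "allow\t\\.docx\\.pdf\t-\t-",
    "deny\t\\.stop\\.me$\ttest extension\ttest extension",
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\t"
    "hidden extension\tAttempt to hide real filename extension",
])

# Constructed attachment names.
NAMES = ["word-document.docx.pdf", "notes.txt.sgn.enc",
         "somebody.stop.me", "word-document.docx.pdf.exe"]


def parse_rules(text):
    """Return (action, compiled regex, report text) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) < 4:
            raise ValueError(f"expected 4 tab-separated fields: {line!r}")
        action, pattern, _log, report = fields[:4]
        # Assumption: patterns are matched case-insensitively.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE), report))
    return rules


def decide(rules, filename):
    """Assumed semantics: rules are tried top to bottom, first match wins."""
    for action, regex, report in rules:
        if regex.search(filename):
            return action, report
    return "allow", None  # assumption: no matching rule means no block


def audit(rules, names=NAMES):
    return {name: decide(rules, name)[0] for name in names}


if __name__ == "__main__":
    posted = parse_rules(SAMPLE_RULES)
    anchored = parse_rules(SAMPLE_RULES.replace("\\.docx\\.pdf\t", "\\.docx\\.pdf$\t"))
    for name in NAMES:
        print(f"{name:28} posted={audit(posted)[name]:5} anchored={audit(anchored)[name]}")
```

Under these assumptions the unanchored exception also lets `word-document.docx.pdf.exe` through, while the `$`-anchored form leaves that name to the generic rule.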
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Unable to release some blocked messages

Post by pdwalker »

Good suggestion.
dwmp
Posts: 54
Joined: 05 Feb 2016 13:42

Re: Unable to release some blocked messages

Post by dwmp »

The case "Attempt to hide real filename extension" is only one example here. The main problem is, that mails with (probably) bad content are not moved to quarantine and thusly cannot be released. The settings "Quarantine Infections = yes" and "Quarantine Silent Viruses = yes" are ignored here.
So the question is, how can we release mails with bad content?
Thanks!
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Unable to release some blocked messages

Post by pdwalker »

Actually, that's a good question.

Short answer, I don't know.

Longer answer, I need to work that out myself. If I get some time in the coming week, I'll see if I can work it out.

(It's one of those things I've been putting off until I got around to it.)
dwmp
Posts: 54
Joined: 05 Feb 2016 13:42

Re: Unable to release some blocked messages

Post by dwmp »

Alright, thank you!
hossmann
Posts: 8
Joined: 21 Jun 2017 14:32

Re: Unable to release some blocked messages

Post by hossmann »

Hi,

Any updates in this case? Sorry, but I am looking for a solution.

Thanks.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Unable to release some blocked messages

Post by pdwalker »

No update. It's been a mad month.

I'm testing it now.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Unable to release some blocked messages

Post by pdwalker »

Ok, here was the test I did:

1/ added the following to /etc/MailScanner/filename.rules.conf and restarted mailscanner

Code:

# testing purposes only
deny    \.stop\.me    test extension    test extension that efa

2/ sent myself a message with a text file called "somebody.stop.me" attached
as expected, the message was blocked with a status of "bad contact", and my admin account received a message to my inbox notifying me of the blocked message to check

3/ next I went into "Search and Reports, Message Operations" and clicked on the checkbox in the "R" column (for release) and then hit the learn button.

The message was then successfully delivered to my inbox.

So, it does appear to work for blocked content, at least with the settings I have. If you notice, my "postmaster@*" account is whitelisted so the system won't reject the message
[Attachment: somebody.stop.me1.png]

I'll next have to test it with a "virus" infected message, and for a message stopped with the MCP.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Unable to release some blocked messages

Post by shawniverson »

Very good feedback, thanks pdwalker.

So you can release blocked content attached to messages?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Unable to release some blocked messages

Post by pdwalker »

In my case, yes. You can see the released message from postmaster in the above picture. It came through, attachment and all.

That reminds me, I need to finish the test cases.
mreinder
Posts: 9
Joined: 06 Sep 2016 09:06

Re: Unable to release some blocked messages

Post by mreinder »

UPDATE Found the problem why the message is not delivered.
Exchange and Domino check the message id, and the warning email has the same message id as the release email. Exchange and Domino refuse to send this email again. The release of normal spam mail is different because they get a spam message from efa instead of the original email.

Tried the same but it won't work for me.
It says released but I never receive the email.

See the below maillog part. Strange thing it says the mail is delivered?

Nov 22 15:32:26 efa postfix/smtp[25883]: DDE1E100054: to=<marxxxxxx@xxxxx.nl>, relay=10.1.1.48[10.1.1.48]:25, delay=2.3, delays=2.2/0/0.01/0.11, dsn=2.6.0, status=sent (250 2.6.0 <WC20171122142818.74001F@xxxxx.nl> [InternalId=841813590064, Hostname=Exchange.Paswerk.ad] 4443 bytes in 0.104, 41,643 KB/sec Queued mail for delivery)
Nov 22 15:32:26 efa postfix/qmgr[17541]: DDE1E100054: removed
[Attachment: 2017_11_22_15_32_37_MailWatch_for_MailScanner_Recent_Messages.png]
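
Added example, not part of mreinder's post: a check for the condition described in the update above, where the next hop answers `status=sent` twice for the same Message-ID and recipient and may silently discard the second copy as a duplicate. It relies on Postfix's cleanup daemon logging `message-id=` per queue ID; the log excerpt, queue IDs and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt (hosts, queue IDs and addresses are placeholders).
SAMPLE_LOG = """\
Nov 22 15:28:20 efa postfix/cleanup[2101]: AAA111000001: message-id=<orig-1@example.test>
Nov 22 15:28:21 efa postfix/smtp[2102]: AAA111000001: to=<user@example.test>, relay=10.0.0.5[10.0.0.5]:25, delay=0.4, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Nov 22 15:32:24 efa postfix/cleanup[2201]: BBB222000002: message-id=<orig-1@example.test>
Nov 22 15:32:26 efa postfix/smtp[2202]: BBB222000002: to=<user@example.test>, relay=10.0.0.5[10.0.0.5]:25, delay=2.3, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Nov 22 15:40:02 efa postfix/cleanup[2301]: CCC333000003: message-id=<other-2@example.test>
Nov 22 15:40:03 efa postfix/smtp[2302]: CCC333000003: to=<user@example.test>, relay=10.0.0.5[10.0.0.5]:25, delay=0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# cleanup records the Message-ID header once per queue ID.
MSGID = re.compile(r"postfix/cleanup\[\d+\]: (\w+): message-id=(<[^>]*>)")
# smtp records each delivery the next hop accepted.
SENT = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=(<[^>]*>),.*\bstatus=sent\b")


def repeated_deliveries(log_text):
    """Map (message-id, recipient) -> queue IDs, keeping only the pairs
    that the next hop accepted more than once."""
    msgid_of = {}
    accepted = defaultdict(list)
    for line in log_text.splitlines():
        m = MSGID.search(line)
        if m:
            msgid_of[m.group(1)] = m.group(2)
            continue
        m = SENT.search(line)
        if m and m.group(1) in msgid_of:
            accepted[(msgid_of[m.group(1)], m.group(2))].append(m.group(1))
    return {key: qids for key, qids in accepted.items() if len(qids) > 1}


if __name__ == "__main__":
    for (msgid, rcpt), qids in repeated_deliveries(SAMPLE_LOG).items():
        print(f"{msgid} accepted {len(qids)}x for {rcpt}: {', '.join(qids)}")
```

A hit means the gateway's `status=sent` is accurate and the missing copy has to be traced on the receiving mail server.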
EFAai
Posts: 12
Joined: 24 Aug 2017 04:00

Re: Unable to release some blocked messages

Post by EFAai »

pdwalker wrote: 30 Jun 2017 04:17 Ok, here was the test I did:

1/ added the following to /etc/MailScanner/filename.rules.conf and restarted mailscanner

Code:

# testing purposes only
deny    \.stop\.me    test extension    test extension that efa

2/ sent myself a message with a text file called "somebody.stop.me" attached
as expected, the message was blocked with a status of "bad contact", and my admin account received a message to my inbox notifying me of the blocked message to check

3/ next I went into "Search and Reports, Message Operations" and clicked on the checkbox in the "R" column (for release) and then hit the learn button.

The message was then successfully delivered to my inbox.

So, it does appear to work for blocked content, at least with the settings I have. If you notice, my "postmaster@*" account is whitelisted so the system won't reject the message

somebody.stop.me1.png


I'll next have to test it with a "virus" infected message, and for a message stopped with the MCP.
I'm trying to follow your method of releasing blocked content, but no matter what I try, I don't get the messages with blocked content in the list of Message Operations. My EFA appliance is on version 3.27. Do I need extra settings in the MailScanner.conf to achieve this?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Unable to release some blocked messages

Post by pdwalker »

Possibly.

What message shows up in your /etc/log/maillog when you try to release the message? Does anything show up inside your efa message listing after you release the message?
EFAai
Posts: 12
Joined: 24 Aug 2017 04:00

Re: Unable to release some blocked messages

Post by EFAai »

I'm unable to release the message, because it's not listed in the SEARCH AND REPORTS/Message Operations list. Furthermore, I can't release the message from RECENT MESSAGES, because there is no release option.

Is there a way to search for messages with Bad Content?
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Unable to release some blocked messages

Post by henk »

Releasing blocked Bad Content (MailScanner: Attempt to hide real filename extension (xxxxxxxx.docx.pdf))

As admin I can release these messages without any problem, without any additional /etc/MailScanner/filename.rules.conf
See spam actions
[Attachment: Message Listing.png]

My partial /etc/MailScanner/conf.d/01_MailScanner.conf

Code:

Virus Scanners = clamd sophos
Quarantine Infections = yes
#Sign Clean Messages = Yes
Deliver Cleaned Messages = yes
Notify Senders Of Blocked Filenames Or Filetypes = no
Notify Senders Of Other Blocked Content = no
Disarmed Modify Subject = start
Phishing Modify Subject = start
Send Notices = yes
Notices From = MailScanner
Spam List = SPAMHAUS SPAMCOP

Non Spam Actions = store deliver header "X-Spam-Status:No" custom(nonspam)
Spam Actions = store header "X-Spam-Status:Yes" custom(spam)
High Scoring Spam Actions = store

My partial /var/www/html/mailscanner/conf.php

Code:

// Hide High Spam and high mcp from regular users.
// Prevent regular users from seeing high spam and high mcp.
define('HIDE_HIGH_SPAM', false);

// Hide Non Spam from quarantine reports
define('HIDE_NON_SPAM', true);

// Hide Unknown Mail from quarantine reports
define('HIDE_UNKNOWN', true);

// Quarantine Auto Release
// Set true to allow auto release of quarantined items from quarantine report.
define('AUTO_RELEASE', false);

// Give Domain Admins ability to release dangerous content, like viruses
define('DOMAINADMIN_CAN_RELEASE_DANGEROUS_CONTENTS', false);
define('DOMAINADMIN_CAN_SEE_DANGEROUS_CONTENTS', false);
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
EFAai
Posts: 12
Joined: 24 Aug 2017 04:00

Re: Unable to release some blocked messages

Post by EFAai »

Hi Henk,

Thanks ever so much for your quick and spot-on reply. Your settings resulted, as expected, into the message with the blocked content in the list "Message Operations", and also with the option to be released.

Great work!
EFAai
Posts: 12
Joined: 24 Aug 2017 04:00

Re: Unable to release some blocked messages

Post by EFAai »

OK, I applauded a little too soon. On my testing environment, released mail is delivered to a Dovecot IMAP server without a problem. With my Exchange server the released message is never delivered to the user. I think it is related to the conclusion as described by mreinder.
mreinder wrote: 22 Nov 2017 14:36 UPDATE Found the problem why the message is not delivered.
Exchange and Domino check the message id, and the warning email has the same message id as the release email. Exchange and Domino refuse to send this email again. The release of normal spam mail is different because they get a spam message from efa instead of the original email.

Is there a solution or workaround?
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Unable to release some blocked messages

Post by henk »

EFAai, just found this topic: viewtopic.php?p=4308
MrBob
Posts: 7
Joined: 19 Apr 2018 18:54

Re: Unable to release some blocked messages

Post by MrBob »

I am running into this issue now. Would someone help me with how to release it, please? When I go to Message Operations and release that bad content email, I get "Message not found in quarantine". Thank you so much.
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Unable to release some blocked messages

Post by henk »

Hi Bob

Just look at MailScanner.conf as mentioned in the comments above, aka do you store the bad content mail or not (move to Quarantine).
Remember to restart mailscanner.

And read EFAai's comment as he did mention some additional issues when using Exchange.