Problems releasing an infected email from quarantine

Posted: 10 Sep 2019 21:12
by ovizii
Hi there,

I have read a couple of similar posts around here, but I think my problem is different. Recently, malwarepatrol apparently seems to have started marking email containing docs.google.com as viruses:

sigtool --find-sigs MBL_34101911
[malwarepatrol.ndb] MBL_34101911:0:*:68747470733a2f2f646f63732e676f6f676c652e636f6d

sigtool --find-sigs MBL_34101911 | sigtool --decode-sigs
VIRUS NAME: MBL_34101911
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://docs.google.com

So, what I usually do in these cases is edit MailScanner.conf and add the signature to the SpamVirus definition so it gets tagged with extra SPAM score but not quarantined:

Virus Names Which Are Spam = MBL_34101911.UNOFFICIAL

This works fine, but unfortunately I am unable to release the email from quarantine. I go to the email's details within the EFA web interface, scroll down, check the box next to release, click on submit, and nothing happens. Also nothing visible in the mail log while I press submit. YES, the email is inside the quarantine; I went in via SSH and used alpine to send it out as an attachment.

Screenshots:
https://monosnap.com/direct/nCjseJWgSMc ... jMTVM3WYBl
https://monosnap.com/direct/4tmGBhmZeXF ... h3jyKIrWue

Oh, I have another EFA instance where this works, but I cannot find the difference :-(

Re: Problems releasing an infected email from quarantine

Posted: 28 Oct 2019 11:49
by pdwalker
This is what I do when that happens:
  • edit the /var/lib/clamav/my-whitelist.ign2 file
  • add in the signature MBL_34101911
  • run freshclam or restart clamd
  • resubmit the message
    /usr/sbin/sendmail.postfix -t < /var/spool/MailScanner/quarantine/<YYMMDD>/<MESSAGEID>/message

Re: Problems releasing an infected email from quarantine

Posted: 28 Oct 2019 13:42
by ovizii
pdwalker wrote:
28 Oct 2019 11:49
This is what I do when that happens:
  • resubmit the message
    /usr/sbin/sendmail.postfix -t < /var/spool/MailScanner/quarantine/<YYMMDD>/<MESSAGEID>/message
Thanks. I will try this tip to see if I can resubmit the email the next time this happens.

Re: Problems releasing an infected email from quarantine

Posted: 31 Oct 2019 12:58
by ItemsGmbH
We use SSH (PuTTY) and an FTP program (WinSCP) for this.

Connect to the server with PuTTY:

    # change into the message's quarantine directory (the "message" entry inside it is the mail file itself)
    cd /var/spool/MailScanner/quarantine/<YYMMDD>/<MESSAGEID>

Copy the files you need to your home directory:

    # copy the quarantined attachments out and make them owned by your own user
    cp *.doc /home/username
    chown username /home/username/*.doc

Open WinSCP and connect to the server.
Copy the file to your computer.

It's the long way, but it works, and you can check the file for viruses with virustotal.com.

Re: Problems releasing an infected email from quarantine

Posted: 31 Oct 2019 13:03
by ovizii
Manually releasing isn't a problem. I installed alpine on EFA; that way I can send them out via email straight away, very easy. I was wondering why the "release" button in MailScanner wasn't working for me :-)

Re: Problems releasing an infected email from quarantine

Posted: 05 Nov 2019 09:09
by pdwalker
Good question!

I confess I was too lazy to debug it when I found the command line work around.

Any takers?

Re: Problems releasing an infected email from quarantine

Posted: 05 Nov 2019 09:13
by ovizii
I would be very interested. Just yesterday I noticed one of my clients had about 40 incoming emails blocked as VIRUS because malwarepatrol, as far as I remember, blocked emails from Alibaba because they contain links to the Alibaba CDN.
Now imagine having to search for 40 mails manually and copy/paste their paths to release them....
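An added example (not from anyone in this thread) that scripts pdwalker's whitelist-and-resubmit steps and the 40-message case above. It assumes ClamAV's .ign2 format of one signature name per line and the MailScanner quarantine layout quoted above (/var/spool/MailScanner/quarantine/YYMMDD/MESSAGEID/message); both paths are parameters so it can be tried on a scratch directory first, and it only prints the sendmail commands unless the dry-run flag is cleared.

```shell
#!/bin/sh
# Hypothetical helper script (not from the thread). Defaults follow the paths
# given in the posts; both are overridable so it can be tried on a scratch dir.
# Caveat: an .ign2 entry silences that signature for every scan on the host.

# Add one signature name to a ClamAV .ign2 file (one name per line), skipping
# duplicates. ClamAV only picks it up after freshclam runs or clamd reloads.
whitelist_sig() {
  ign2="$1"; sig="$2"
  touch "$ign2" || return 1
  grep -qxF "$sig" "$ign2" && return 0
  printf '%s\n' "$sig" >> "$ign2"
}

# Print every quarantined message file for one day:
# QDIR/YYMMDD/<MESSAGEID>/message
list_quarantined() {
  qdir="$1"; day="$2"
  for msg in "$qdir/$day"/*/message; do
    [ -f "$msg" ] && printf '%s\n' "$msg"
  done
  return 0
}

# Resubmit each message with sendmail -t (recipients taken from its headers).
# With DRY=1 (the default) only print what would run.
resubmit_all() {
  qdir="$1"; day="$2"; dry="${3:-1}"
  list_quarantined "$qdir" "$day" | while IFS= read -r msg; do
    if [ "$dry" = 1 ]; then
      printf 'would run: /usr/sbin/sendmail.postfix -t < %s\n' "$msg"
    else
      /usr/sbin/sendmail.postfix -t < "$msg"
    fi
  done
}

# Demo on a constructed quarantine tree (run as: sh script.sh demo).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/q/190910/abc123" "$tmp/q/190910/def456"
  printf 'To: user@example.com\n\nhello\n' > "$tmp/q/190910/abc123/message"
  printf 'To: user@example.com\n\nhello\n' > "$tmp/q/190910/def456/message"
  whitelist_sig "$tmp/my-whitelist.ign2" MBL_34101911
  cat "$tmp/my-whitelist.ign2"
  resubmit_all "$tmp/q" 190910 1
  rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Pass 0 as the third argument of resubmit_all only once the dry-run listing shows exactly the messages you expect; the real quarantine directory is the one quoted in the posts above.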

Re: Problems releasing an infected email from quarantine

Posted: 13 Nov 2019 06:51
by pdwalker
I shall have to migrate to v4 and see if this is still a problem.