Deliver Cleaned Messages and/or Files

SupportOU
Posts: 47
Joined: 12 Sep 2016 18:47

Deliver Cleaned Messages and/or Files

Post by SupportOU » 03 Nov 2017 15:19

Hi All,

Please see the example below. This inbound message is not delivered to the final recipient. I have no clue why.
I have this in mailscanner.conf:
Deliver Disinfected Files = yes
Still Deliver Silent Viruses = no
Deliver Cleaned Messages = yes

Anyone an idea?

Grtz,
Ronald


[root@sys-mailgw12 ~]# cat /var/log/maillog | grep 13CB2100054
Nov 3 13:30:59 sys-mailgw12 postfix/smtpd[27286]: 13CB2100054: client=smarthost-b.hosting2go.nl[83.137.198.202]
Nov 3 13:30:59 sys-mailgw12 postfix/cleanup[27777]: 13CB2100054: hold: header Received: from smarthost-b.hosting2go.nl (smarthost-b.hosting2go.nl [83.137.198.202])??(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))??(No client certificate requested)??by mailgw.officeu from smarthost-b.hosting2go.nl[83.137.198.202]; from=<w.stonner@local2global.nl> to=<Mattis@siebert-becker.nl> proto=ESMTP helo=<smarthost-b.hosting2go.nl>
Nov 3 13:30:59 sys-mailgw12 postfix/cleanup[27777]: 13CB2100054: message-id=<001301d3549f$93b59300$bb20b900$@local2global.nl>
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./13CB2100054.A28F0/Buro Bau Jaarrekening 2016.xls
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: Infected message 13CB2100054.A28F0 came from 83.137.198.202
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: <A> tag found in message 13CB2100054.A28F0 from w.stonner@local2global.nl
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: HTML Img tag found in message 13CB2100054.A28F0 from w.stonner@local2global.nl
Nov 3 13:31:10 sys-mailgw12 MailScanner[19353]: Saved entire message to /var/spool/MailScanner/quarantine/20171103/13CB2100054.A28F0
Nov 3 13:31:11 sys-mailgw12 MailScanner[19353]: Saved infected "Buro Bau Jaarrekening 2016.xls" to /var/spool/MailScanner/quarantine/20171103/13CB2100054.A28F0
Nov 3 13:31:11 sys-mailgw12 MailScanner[19353]: Logging message 13CB2100054.A28F0 to SQL
Nov 3 13:31:11 sys-mailgw12 MailScanner[19572]: 13CB2100054.A28F0: Logged to MailWatch SQL
[root@sys-mailgw12 ~]#
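As an added example (not part of this post, and not MailScanner or eFa code), here is a small Python triage script that correlates the log lines above by Postfix queue ID and states what happened to the message, which is the question the post asks. It assumes the standard Postfix smtpd/cleanup/smtp log formats and MailScanner's "Requeued message X to Y" line; the first sample is the excerpt quoted above with the long held header shortened, and the second sample, with hypothetical queue IDs, is constructed to show the contrast case where the cleaned message is re-injected under a new queue ID, so a grep on the original ID alone never shows the delivery.

```python
import re

# Constructed sample: the maillog excerpt quoted in the post (queue ID 13CB2100054),
# with the held Received: header shortened. Not output from a live system.
SAMPLE_LOG = """\
Nov 3 13:30:59 sys-mailgw12 postfix/smtpd[27286]: 13CB2100054: client=smarthost-b.hosting2go.nl[83.137.198.202]
Nov 3 13:30:59 sys-mailgw12 postfix/cleanup[27777]: 13CB2100054: hold: header Received: from smarthost-b.hosting2go.nl (smarthost-b.hosting2go.nl [83.137.198.202]) by mailgw.officeu from smarthost-b.hosting2go.nl[83.137.198.202]; from=<w.stonner@local2global.nl> to=<Mattis@siebert-becker.nl> proto=ESMTP helo=<smarthost-b.hosting2go.nl>
Nov 3 13:30:59 sys-mailgw12 postfix/cleanup[27777]: 13CB2100054: message-id=<001301d3549f$93b59300$bb20b900$@local2global.nl>
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./13CB2100054.A28F0/Buro Bau Jaarrekening 2016.xls
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: Infected message 13CB2100054.A28F0 came from 83.137.198.202
Nov 3 13:31:10 sys-mailgw12 MailScanner[19353]: Saved entire message to /var/spool/MailScanner/quarantine/20171103/13CB2100054.A28F0
Nov 3 13:31:11 sys-mailgw12 MailScanner[19353]: Saved infected "Buro Bau Jaarrekening 2016.xls" to /var/spool/MailScanner/quarantine/20171103/13CB2100054.A28F0
Nov 3 13:31:11 sys-mailgw12 MailScanner[19353]: Logging message 13CB2100054.A28F0 to SQL
"""

# Constructed contrast case (hypothetical queue IDs and hosts): same detection, but MailScanner
# re-injects the cleaned message under a NEW Postfix queue ID, and Postfix logs delivery there.
SAMPLE_LOG_DELIVERED = """\
Nov 3 14:00:00 sys-mailgw12 postfix/smtpd[28001]: AAAA1111AA: client=mx.example.invalid[192.0.2.10]
Nov 3 14:00:01 sys-mailgw12 MailScanner[19353]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./AAAA1111AA.C0FFEE/report.xls
Nov 3 14:00:02 sys-mailgw12 MailScanner[19353]: Saved entire message to /var/spool/MailScanner/quarantine/20171103/AAAA1111AA.C0FFEE
Nov 3 14:00:03 sys-mailgw12 MailScanner[19353]: Requeued message AAAA1111AA.C0FFEE to BBBB2222BB
Nov 3 14:00:04 sys-mailgw12 postfix/smtp[28002]: BBBB2222BB: to=<user@example.invalid>, relay=mail.example.invalid[192.0.2.20]:25, delay=1.2, status=sent (250 2.0.0 OK)
"""

TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")

# One (event name, pattern) per log line type we care about; first match wins per line.
EVENTS = [
    ("received", re.compile(r"postfix/smtpd\[\d+\]: \S+: client=(?P<client>\S+)")),
    ("held", re.compile(r"postfix/cleanup\[\d+\]: \S+: hold: .*from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")),
    ("infected", re.compile(r"Clamd::INFECTED:: (?P<sig>\S+) :: \./[^/\s]+/(?P<file>.+)$")),
    ("quarantined", re.compile(r"Saved entire message to (?P<path>\S+)")),
    ("infected_saved", re.compile(r'Saved infected "(?P<file>[^"]+)" to (?P<path>\S+)')),
    ("requeued", re.compile(r"Requeued message \S+ to (?P<newid>[0-9A-Fa-f]+)")),
    ("delivered", re.compile(r"postfix/(?:smtp|lmtp|local|virtual|pipe)\[\d+\]: \S+: to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")),
]


def verdict(report):
    """One-line conclusion an operator can act on."""
    if report["delivered"]:
        return "delivered"
    if len(report["queue_ids"]) > 1:
        return "requeued_no_delivery_logged"   # follow the later queue ID in a wider log window
    if report["signatures"] and report["quarantine"]:
        return "quarantined_not_requeued"      # decision not to deliver was taken inside MailScanner
    if report["signatures"]:
        return "detected_no_quarantine_or_delivery"
    return "no_verdict"


def triage(log_text, queue_id):
    """Correlate every log line for queue_id, following any queue ID MailScanner requeues it to."""
    report = {"queue_ids": [queue_id], "timeline": [], "client": None, "sender": None,
              "recipients": [], "signatures": [], "files": [], "quarantine": None, "delivered": []}
    lines = log_text.splitlines()
    seen = set()            # line indexes already consumed, so a requeue line is not re-read
    pending = [queue_id]
    while pending:
        qid = pending.pop(0)
        for idx, line in enumerate(lines):
            if idx in seen or qid not in line:
                continue
            seen.add(idx)
            ts = TIMESTAMP.match(line)
            stamp = ts.group("ts") if ts else "?"
            for name, pattern in EVENTS:
                m = pattern.search(line)
                if not m:
                    continue
                d = m.groupdict()
                report["timeline"].append((stamp, qid, name))
                if name == "received":
                    report["client"] = d["client"]
                elif name == "held":
                    report["sender"] = d["sender"]
                    report["recipients"].append(d["rcpt"])
                elif name == "infected":
                    report["signatures"].append(d["sig"])
                    report["files"].append(d["file"])
                elif name == "quarantined":
                    report["quarantine"] = d["path"]
                elif name == "requeued" and d["newid"] not in report["queue_ids"]:
                    report["queue_ids"].append(d["newid"])
                    pending.append(d["newid"])
                elif name == "delivered":
                    report["delivered"].append((d["rcpt"], d["status"]))
                break
    report["verdict"] = verdict(report)
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # real use: python triage.py /var/log/maillog 13CB2100054
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            r = triage(fh.read(), sys.argv[2])
    else:
        r = triage(SAMPLE_LOG, "13CB2100054")
    for stamp, qid, event in r["timeline"]:
        print(f"{stamp}  {qid}  {event}")
    print("verdict:", r["verdict"])
```

With no arguments the script runs over the embedded excerpt and reports quarantined_not_requeued: the message was quarantined and no requeue or delivery line follows, so the decision not to deliver was taken inside MailScanner rather than Postfix. That narrows the search to MailScanner's delivery settings, namely Deliver Cleaned Messages, Still Deliver Silent Viruses and the Silent Viruses list the latter refers to (check whether All-Viruses appears in it), rather than to the Postfix queue.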

budy
Posts: 74
Joined: 10 Sep 2017 07:33

Re: Deliver Cleaned Messages and/or Files

Post by budy » 03 Nov 2017 18:40

Hi Ronald,

Code:

Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./13CB2100054.A28F0/Buro Bau Jaarrekening 2016.xls
The above states that MailScanner has decided not to let that xls file pass. This is actually good practice, and sending any kind of MS active file via plain e-mail has never been a good idea. ;)

Cheers,
budy

SupportOU
Posts: 47
Joined: 12 Sep 2016 18:47

Re: Deliver Cleaned Messages and/or Files

Post by SupportOU » 03 Nov 2017 19:23

Hi,

Yea, I know. But some users do get the stripped message (original attachment replaced by a neat warning message with the messageID) and some don't. No clue why it's not always the same. Of course I want the cleaned message to be delivered always (with the replacement attachment).

So, any idea why this particular message gets blocked?

I tell all my customers to educate their customers/suppliers not to send Office documents with macros, but to no avail. Endless debates.

I was thinking about paid support for Malware Patrol to take the risk and have Office macros scanned and passed. Currently I am blocking all documents containing macros.

Any advice on these matters?

Thanks!

Ronald

shawniverson
Posts: 2899
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: Deliver Cleaned Messages and/or Files

Post by shawniverson » 12 Nov 2017 11:06

Your best bet is to make an exception in clamd for macros...at your own risk, of course :)

The settings in MailScanner still allow clam to strip the macros from the documents. Sometimes it can and sometimes it can't which is why you see intermittent results.

Code:

# sudo only elevates echo; the >> redirect runs in the calling shell and fails without write access to /var/lib/clamav
echo "Heuristics.OLE2.ContainsMacros" | sudo tee -a /var/lib/clamav/whitelist.ign2
sudo chown clam:clam /var/lib/clamav/whitelist.ign2
# clamd picks up the new .ign2 file on its next database reload
Version eFa 4.0.0 now available!
