Problems releasing an infected email from quarantine

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Problems releasing an infected email from quarantine

Post by ovizii »

Hi there,

I have read a couple of similar posts around here, but I think my problem is different. Recently, malwarepatrol seems to have started marking emails containing docs.google.com as viruses:

sigtool --find-sigs MBL_34101911
[malwarepatrol.ndb] MBL_34101911:0:*:68747470733a2f2f646f63732e676f6f676c652e636f6d

sigtool --find-sigs MBL_34101911 | sigtool --decode-sigs
VIRUS NAME: MBL_34101911
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://docs.google.com

So, what I usually do in these cases is edit MailScanner.conf and add the signature to the SpamVirus definition so it gets tagged with an extra SPAM score but not quarantined:

Virus Names Which Are Spam = MBL_34101911.UNOFFICIAL

This works fine, but unfortunately I am unable to release the email from quarantine. I go to the email's details within the EFA web interface, scroll down, check the box next to release, click on submit, and nothing happens. There is also nothing visible in the mail log when I press submit. YES, the email is inside the quarantine; I went in via SSH and used alpine to send it out as an attachment.

Screenshots:
https://monosnap.com/direct/nCjseJWgSMc ... jMTVM3WYBl
https://monosnap.com/direct/4tmGBhmZeXF ... h3jyKIrWue

Oh, I have another EFA instance where this works, but I cannot find the difference :-(
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Problems releasing an infected email from quarantine

Post by pdwalker »

This is what I do when that happens:
  • edit the /var/lib/clamav/my-whitelist.ign2 file
  • add in the signature MBL_34101911
  • run freshclam or restart clamd
  • resubmit the message
    /usr/sbin/sendmail.postfix -t < /var/spool/MailScanner/quarantine/<YYMMDD>/<MESSAGEID>/message
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Problems releasing an infected email from quarantine

Post by ovizii »

pdwalker wrote (28 Oct 2019 11:49):
  This is what I do when that happens:
  • resubmit the message
    /usr/sbin/sendmail.postfix -t < /var/spool/MailScanner/quarantine/<YYMMDD>/<MESSAGEID>/message
Thanks. I will try this tip to see if I can resubmit the email the next time this happens.
ItemsGmbH
Posts: 24
Joined: 20 Dec 2018 14:53

Re: Problems releasing an infected email from quarantine

Post by ItemsGmbH »

We use SSH (PuTTY) and an FTP program (WinSCP) for this.

Connect to the server with PuTTY and change into the message's quarantine directory (the 'message' entry inside it is the mail file itself, as in the sendmail command above, so the cd target is the message ID directory):
cd /var/spool/MailScanner/quarantine/<YYMMDD>/<MESSAGEID>

Copy the files you need to your home directory:

cp *.doc /home/username
chown username /home/username/*.doc

Open WinSCP, connect to the server, and copy the file to your computer.

It's the long way, but it works, and you can check the file for viruses with virustotal.com.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Problems releasing an infected email from quarantine

Post by ovizii »

Manually releasing isn't a problem. I installed alpine on EFA; that way I can send them out via email straight away, very easy. I was wondering why the "release" button in MailScanner wasn't working for me :-)
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Problems releasing an infected email from quarantine

Post by pdwalker »

Good question!

I confess I was too lazy to debug it when I found the command line work around.

Any takers?
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Problems releasing an infected email from quarantine

Post by ovizii »

I would be very interested. Just yesterday I noticed one of my clients had about 40 incoming emails blocked as VIRUS because malwarepatrol, as far as I remember, blocked emails from Alibaba because they contain links to the Alibaba CDN.
Now imagine having to search for 40 mails manually and copy/paste their paths to release them....
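A bulk version of pdwalker's whitelist-then-resubmit steps for the 40-message case described above, added here as an example and not code from the thread or from EFA/MailScanner. It assumes the quarantine, whitelist and sendmail paths quoted in the thread, that a quarantine day directory holds one subdirectory per message ID containing a 'message' file, and that re-injected mail is scanned again (so the whitelist entry must exist first); the variables can be overridden for testing.

```shell
#!/bin/sh
# Added example, not from the thread: bulk version of pdwalker's steps for the
# "40 quarantined mails" case. Paths are the ones quoted in the thread; the
# variables can be overridden (e.g. for testing). Assumption: re-injected mail
# is scanned again, so the ClamAV whitelist entry must exist before resubmitting.
QUARANTINE="${QUARANTINE:-/var/spool/MailScanner/quarantine}"
WHITELIST="${WHITELIST:-/var/lib/clamav/my-whitelist.ign2}"
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail.postfix}"

# has_whitelist SIGNAME: success if SIGNAME is an exact line in the .ign2 file
# (use the bare name, MBL_34101911, not the .UNOFFICIAL form from MailScanner.conf).
has_whitelist() {
    [ -r "$WHITELIST" ] && grep -qx "$1" "$WHITELIST"
}

# list_messages YYYYMMDD: print the path of each quarantined 'message' file for that day
list_messages() {
    day_dir="$QUARANTINE/$1"
    [ -d "$day_dir" ] || { echo "no quarantine dir: $day_dir" >&2; return 1; }
    for f in "$day_dir"/*/message; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# resubmit_day SIGNAME YYYYMMDD: refuse unless SIGNAME is whitelisted, then re-inject
# every message of that day with 'sendmail -t' and print each path that was accepted.
# Caveat: -t takes recipients from the To/Cc/Bcc headers, not the original envelope,
# so a Bcc-only or alias-delivered original may not reach the same mailbox.
resubmit_day() {
    sig=$1; day=$2
    has_whitelist "$sig" || { echo "refusing: $sig not in $WHITELIST" >&2; return 2; }
    [ -d "$QUARANTINE/$day" ] || return 1
    # word splitting is safe here: MailScanner message IDs contain no whitespace
    for m in $(list_messages "$day"); do
        "$SENDMAIL" -t < "$m" || { echo "failed: $m" >&2; return 1; }
        printf '%s\n' "$m"
    done
}
```

Run it as `resubmit_day MBL_34101911 20191028 | wc -l` to see how many messages were handed back to the MTA; the refusal path exits with status 2 before anything is re-injected.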
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Problems releasing an infected email from quarantine

Post by pdwalker »

I shall have to migrate to v4 and see if this is still a problem.