Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Hi,
we have the appliance 3.0.0.9 running.
And all works fine.
But we see some clean messages in the Quarantine; the mails are delivered and marked as no spam.
Is this a bug in the new Version 3.0.0.9?
The mails with clean mark are in
/var/spool/MailScanner/quarantine/20160322/
And the spam mails are in
/var/spool/MailScanner/quarantine/20160322/spam
Is this a new feature which does not work?
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
you'll need to provide some details if there is to be any chance of diagnosing your problem
is there any pattern to the messages that are quarantined?
how about the message headers? can you show us any message headers?
what about the log files? Do the log files show any information about the messages that were quarantined?
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Received on: 22/03/16 10:30:40
Received by:
Received from:
*********** [Add to Whitelist | Add to Blacklist]
Received Via:
IP Address Hostname Country RBL Spam Virus All
******* (GeoIP Lookup Failed) [ ] [ ] [ ] [ ]
ID: ************
Message Headers: X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received: from *(*)
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ******* (Postfix) with ESMTPS
for <@*****>; Tue, 22 Mar 2016 10:30:31 +0100 (CET)
X-MSFBL:
Received: from [] ([] helo=...)
by (envelope-from <>)
(ecelerity 3.6.8.47404 r(Core:3.6.8.0)) with ESMTP
id 34/B4-45586-F6F01F65; Tue, 22 Mar 2016 04:25:03 -0500
DKIM-Signature:
Date: Tue, 22 Mar 2016 04:25:03 -0500 (CDT)
From: <reply>
Reply-To: reply-to@
To: @*****
Message-ID: <*****@.....>
Subject: ..........
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_-65279481_2129536560.1458638703486"
X-Binding: bg-abd-171
X-MarketoID: 144-NCB-030:15752:5835:16012:0:5491:7:2502424
X-MktArchive: false
List-Unsubscribe: <mailto:..........@......>
X-Mailfrom: ...............@.....
X-MSYS-API: {"options":{"open_tracking":false,"click_tracking":false}}
X-MktMailDKIM: true
From:
@.... [Add to Whitelist | Add to Blacklist]
To: .....@...............
Subject: .............
Size: 89.2Kb
Anti-Virus/Dangerous Content Protection
Virus: N
Blocked File: N
Other Infection: N
SpamAssassin
Spam: N Action(s): deliver, header, "X-Spam-Status:No"
High Score Spam: N
SpamAssassin Spam: N
Listed in RBL: N
SPAM Whitelisted: N
SPAM Blacklisted: N
Spamassassin Autolearn: N
Spamassassin Score: 2.71
Spam Report:
Score Matching Rule Description
1.10 DCC_CHECK
0.10 DKIM_SIGNED
-0.10 DKIM_VALID
-0.10 DKIM_VALID_AU
0.00 HEADER_FROM_DIFFERENT_DOMAINS
0.00 HTML_FONT_LOW_CONTRAST
0.00 HTML_MESSAGE
0.00 KAM_FROM_MARKETINGBL_PCCC
1.00 KAM_MARKETINGBL_PCCC
0.00 MIME_HTML_MOSTLY
0.72 MPART_ALT_DIFF
-0.00 RCVD_IN_DNSWL_NONE
-0.01 RCVD_IN_MSPIKE_H4
-0.01 RCVD_IN_MSPIKE_WL
-0.00 SPF_HELO_PASS
-0.00 SPF_PASS
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
The mails which are clean are stored in
/var/spool/MailScanner/quarantine/DATE/
as folders..
And the Spam marked are stored in
/var/spool/MailScanner/quarantine/DATE/spam
there is another folder
/var/spool/MailScanner/quarantine/DATE/nonspam
after reconfigure with EFA-Configure
9 spam settings
1 non spam settings
Do you want to DISABLE storing non spam ? y
the nonspam is not filed but the non spams get in the folder
/var/spool/MailScanner/quarantine/DATE/
Some Logs tell me
Content Checks: Detected and have disarmed phishing tags in HTML message in
Last edited by CABIT on 22 Mar 2016 11:24, edited 1 time in total.
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Ok,
So if I follow you, if I turn off storing of non-spam, it is landing in quarantine anyway above the nonspam directory?
I'm running some tests now...
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Yes, that's it: they are stored as folders and in it is a file message
The folder is named like the Quarantine ID
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
So far, this isn't happening on my systems...I'll keep watching.
Also, what are the directory permissions on your DATE directories?
They should be rwxrwx--- (770)
Owner/group:
postfix:apache
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Is it possible that this occurs only for mails which are disarmed?
Because the normal mails aren't in the quarantine.
But in the log I see the content check messages
Detected and have disarmed phishing tags
Detected and have disarmed web bug
only these are stored after disabling store non spam
the permissions are correct like you said above.
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Let's find out
Crafting an email to be disarmed....
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Still unable to reproduce...
Can you share one of those emails (complete source with header) with me in a pastebin?
I would like to run it through my system.
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Sorry, that's not possible.
But here are some screenshots.
Content Checks: Detected and have disarmed phishing tags in HTML message in F369D12031B.A2B76
- Attachments
- quarantine.PNG (9.1 KiB)
- quarantine1.PNG (5.65 KiB)
Last edited by CABIT on 22 Mar 2016 13:44, edited 2 times in total.
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Since I cannot reproduce the issue, and you cannot share the contents of those files, I am afraid our options for troubleshooting here are limited...
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
How can we exchange the file?
I will try to find a non-critical mail.
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
I can set up an SCP connection for you. Would this work?
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Ok, I put a new envelope on the message and ran it through my system...
Mar 22 10:26:41 efa MailScanner[30319]: Content Checks: Detected and have disarmed phishing tags in HTML message in 6E08D1202D1.A0B41 from spammy@example.com
Mar 22 10:26:41 efa MailScanner[30319]: Requeue: 6E08D1202D1.A0B41 to 2152E1202D2
Mar 22 10:26:41 efa postfix/qmgr[30316]: 2152E1202D2: from=<spammy@example.com>, size=34096, nrcpt=1 (queue active)
Mar 22 10:26:41 efa MailScanner[30319]: Uninfected: Delivered 1 messages
/var/spool/MailScanner/quarantine still looks normal.
So, that means my 3.0.0.9 is somehow different from yours, and I suspect that MailScanner is having trouble cleaning up after itself on your system for some reason when it disarms phishing tags.
Are you using a system updated from 3.0.0.8, or are you using the downloadable 3.0.0.9 VMware or HyperV build?
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
We are using a system updated from 3.0.0.8 to 3.0.0.9.
We have set this up with 3.0.0.8 and upgraded when the new version was released.
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Ok. Let's compare some notes...
I am assuming MailScanner has not changed on your system. I am curious how your MailScanner config may differ from mine...
Code: Select all
grep "^[^#]" /etc/MailScanner/MailScanner.conf
Here's a dump of my /etc/MailScanner/MailScanner.conf for comparison (with sensitive parts removed):
http://pastebin.com/wq3SJpvw
Please review and let me know anything that might be different (and hopefully significant) to this problem.
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Also, let's check perl modules, as MailScanner uses them extensively...
Code: Select all
rpm -qa | grep perl
Here's mine:
http://pastebin.com/rxrxpEHg
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Also, make sure this isn't turned on in postfix:
enable_long_queue_ids
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
compared
Scan Messages = %rules-dir%/scan.messages.rules
Maximum Archive Depth = 2
Virus Scanners = esets clamd
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
Allow Password-Protected Archives = yes
Find Phishing Fraud = no
Also Find Numeric Phishing = no
Use Stricter Phishing Net = no
Highlight Phishing Fraud = no
Allow WebBugs = yes
Filename Rules = %rules-dir%/filename.rules
Filetype Rules = %rules-dir%/filetype.rules
Quarantine Infections = yes
Mail Header = X-%org-name%-MailScanner:
Spam Header = X-%org-name%-MailScanner-SpamCheck:
Spam Score Header = X-%org-name%-MailScanner-SpamScore:
Information Header = X-%org-name%-MailScanner-Information:
Envelope From Header = X-%org-name%-MailScanner-From:
Envelope To Header = X-%org-name%-MailScanner-To:
Envelope To Header = X-%org-name%-MailScanner-To:
ID Header = X-%org-name%-MailScanner-ID:
IP Protocol Version Header = # X-%org-name%-MailScanner-IP-Protocol:
Watermark Header = X-%org-name%-MailScanner-Watermark:
Non Spam Actions = deliver header "X-Spam-Status:No"
MCP Header = X-%org-name%-MailScanner-MCPCheck:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Perl modules which you have and my installation does not:
perl-Authen-SASL-2.13-3.el6.noarch
perl-Convert-ASN1-0.22-1.el6.noarch
perl-Curses-1.28-1.el6.rf.x86_64
perl-GSSAPI-0.26-6.el6.x86_64
perl-IO-Tty-1.08-4.el6.x86_64
perl-LDAP-0.40-1.el6.noarch
perl-POE-1.354-1.el6.noarch
perl-POE-Component-Client-LDAP-0.04-1.el6.rf.noarch
perl-POE-Test-Loops-1.035-1.el6.noarch
perl-TermReadKey-2.30-13.el6.x86_64
perl-Text-Iconv-1.7-6.el6.x86_64
perl-XML-Filter-BufferText-1.01-8.el6.noarch
perl-XML-SAX-Writer-0.50-8.el6.noarch
enable_long_queue_ids not in main.cf..
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Thanks! Working through these settings...
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Do you have this on, by chance?
When I turn this on, I get the exact problem you are having.
Code: Select all
# Do you want to store copies of messages which have been disarmed by
# having their HTML modified at all?
# This can also be the filename of a ruleset.
Quarantine Modified Body = yes
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Yes this is activated.
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Some Mails get listed under quarantine but are marked as clean 3.0.0.9
Disable it, then, and you should be good.
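Added example, not part of the original thread and not EFA or MailScanner code: a shell check for the cause found above. It reads the active `Quarantine Modified Body` value, pulls message IDs from the "disarmed" log lines, and labels each message folder that sits directly under a quarantine DATE directory. The function names and sample data are made up for illustration; taking the last active line of a repeated option is an assumption.

```shell
#!/bin/sh
# Added example; sample data below is constructed, function names are hypothetical.

# Print the active value of a MailScanner.conf option, ignoring commented lines.
# Name matching ignores case and spaces; the last active line wins (assumption).
conf_value() {  # conf_value <conf-file> <option name>
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0 || norm(substr($0, 1, eq - 1)) != norm(want)) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            found = val
        }
        END { if (found != "") print found }' "$1"
}

# Message IDs from "Content Checks: Detected and have disarmed ..." log lines.
disarmed_ids() {  # disarmed_ids <maillog>
    sed -n 's/.*Content Checks: Detected and have disarmed .* message in \([^ ]*\).*/\1/p' "$1" | sort -u
}

# Label every message folder directly under quarantine/DATE (spam/ and nonspam/ skipped).
explain_quarantine() {  # explain_quarantine <quarantine/DATE> <maillog>
    ids=$(disarmed_ids "$2")
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        id=$(basename "$d")
        case "$id" in spam|nonspam) continue ;; esac
        if printf '%s\n' "$ids" | grep -qxF -- "$id"; then
            echo "$id disarmed"
        else
            echo "$id unexplained"
        fi
    done
}

# Constructed sample: one disarmed message, one folder with no matching log line.
make_sample() {
    s=$(mktemp -d)
    q="$s/quarantine/20160322"
    mkdir -p "$q/spam" "$q/6E08D1202D1.A0B41" "$q/1111111111A.A1111"
    printf '%s\n' '# Quarantine Modified Body = no' 'Quarantine Modified Body = yes' > "$s/MailScanner.conf"
    echo 'Mar 22 10:26:41 efa MailScanner[30319]: Content Checks: Detected and have disarmed phishing tags in HTML message in 6E08D1202D1.A0B41 from spammy@example.com' > "$s/maillog"
    echo "$s"
}

sample=$(make_sample)
echo "Quarantine Modified Body = $(conf_value "$sample/MailScanner.conf" 'Quarantine Modified Body')"
explain_quarantine "$sample/quarantine/20160322" "$sample/maillog"
rm -rf "$sample"
```

On an appliance, point the functions at /etc/MailScanner/MailScanner.conf, a /var/spool/MailScanner/quarantine/DATE directory, and the mail log (its location is not given in the thread). Folders reported as "unexplained" are the ones that still need a cause.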