EFA stops banned content but sends out an Email Virus warning?

[ovizii]

Just wondering why EFA didn't send out the proper bad content warning but chose to send out a virus warning?
The email in questions contained an .exe file:

Code: Select all

MailScanner: Executable DOS/Windows programs are dangerous in email (BORDER_ASC.exe) No programs allowed (BORDER_ASC.exe)

The email sent had this subject:

Warning: E-mail viruses detected

which shows that the wrong report was used.

The reports are all configured correctly inside MailScanner.conf:

Code: Select all

# Set where to find the messages that are delivered to the sender, when they
# sent an email containing either an error, banned content, a banned filename
# or a virus infection.
# These can also be the filenames of rulesets.
Sender Content Report      = %report-dir%/sender.content.report.txt
Sender Error Report        = %report-dir%/sender.error.report.txt
Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
Sender Virus Report        = %report-dir%/sender.virus.report.txt
Sender Size Report         = %report-dir%/sender.size.report.txt

[shawniverson]

Odd...

Do you have the maillog when this happened...I would be most curious about MailScanner's actions...

[ovizii]

Here it is does that help?

cat /var/log/maillog | grep C948E1007B7

Code: Select all

Feb 17 08:38:26 efa postfix/smtpd[20944]: C948E1007B7: client=mail1.bemta3.messagelabs.com[195.245.230.162]
Feb 17 08:38:26 efa postfix/cleanup[21225]: C948E1007B7: hold: header Received: from mail1.bemta3.messagelabs.com (mail1.bemta3.messagelabs.com [195.245.230.162])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)? from mail1.bemta3.messagelabs.com[195.245.230.162]; from=<sender> to=<recipient> proto=ESMTP helo=<mail1.bemta3.messagelabs.com>
Feb 17 08:38:26 efa postfix/cleanup[21225]: C948E1007B7: message-id=<69FF33B77DD96746A1BA6A2393106AEE0104D9C747@VOEXM29W.internal.senderdomain>
Feb 17 08:38:28 efa opendkim[28832]: C948E1007B7: mail1.bemta3.messagelabs.com [195.245.230.162] not internal
Feb 17 08:38:28 efa opendkim[28832]: C948E1007B7: not authenticated
Feb 17 08:38:33 efa MailScanner[5500]: Filename Checks: Windows/DOS Executable (C948E1007B7.A120F BORDER_HCM_TO_ASC.exe)
Feb 17 08:38:33 efa MailScanner[5500]: Filetype Checks: No executables (C948E1007B7.A120F BORDER_HCM_TO_ASC.exe)
Feb 17 08:38:38 efa MailScanner[5500]: <A> tag found in message C948E1007B7.A120F from sender
Feb 17 08:38:38 efa MailScanner[5500]: HTML Img tag found in message C948E1007B7.A120F from sender
Feb 17 08:38:38 efa MailScanner[5500]: Saved entire message to /var/spool/MailScanner/quarantine/20170217/C948E1007B7.A120F
Feb 17 08:38:38 efa MailScanner[5500]: Saved infected "BORDER_HCM_TO_ASC.exe" to /var/spool/MailScanner/quarantine/20170217/C948E1007B7.A120F
Feb 17 08:38:46 efa MailScanner[5500]: Logging message C948E1007B7.A120F to SQL
Feb 17 08:38:46 efa MailScanner[5503]: C948E1007B7.A120F: Logged to MailWatch SQL

[shawniverson]

Yes, MailScanner is treating the banned filetype as a virus somehow....

Looking at the MailScanner code, virus reports take precedence over file reports, or default to virus reports if no suitable report was found. So, I am going to set up a test environment and see if I can debug this on my end.

Something fishy here, because SweepOther.pm is setting the nametypes flag correctly.....

[ovizii]

Thanks for looking into it!

[shawniverson]

Okay, this is what I get:

Subject: Warning: E-mail viruses detected

Our e-mail content detector has just been triggered by a message you sent:
To: name@example.org
Subject: test2
Date: Sat Feb 18 18:58:16 2017

One or more of the attachments (New Text Document.exe.doc) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: Report: MailScanner: Attempt to hide real filename extension (New
Text Document.exe.doc)


So, it is working correctly, except for the subject line, which should say something different. I am going to isolate the MailScanner code and possibly produce a PR to address this issue.

[shawniverson]

Mystery solved. Not a code problem.

Look in /etc/MailScanner/reports/en/sender.filename.report.txt

Code: Select all

From: "$postmastername" <$localpostmaster>
To: $from
Subject: Warning: E-mail viruses detected
X-%org-name%-MailScanner: generated

Our e-mail content detector has just been triggered by a message you sent:
  To: $to
  Subject: $subject
  Date: $date

One or more of the attachments ($filename) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: $report

--
%org-long-name%
%web-site%

This fix is to simply modify this report to more accurately state what you want.