Found viruses but uninfected delivered

bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Found viruses but uninfected delivered

Post by bostjanc »

Hi guys.

Currently EFA version 3.0.2.1

I have a situation where a VIRUS gets delivered.
I had a similar case in the past (I also opened a thread about it on the EFA FORUM in November 2016), and the solution then was to:
change Maximum Archive Depth to 3 in /etc/MailScanner/MailScanner.conf
SOURCE: viewtopic.php?f=13&t=2007&p=7617&hilit= ... ered#p7617

Now this has happened again, and I have double-checked EFA's MailScanner.conf to see if that attribute was perhaps changed by any EFA upgrade, but it is still 3, so this time something else must be wrong.

MAILLOG:
Clamd::INFECTED:: Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL :: ./D645D120A29.AF5F2/Parcel_Receipt_SKMBT_pdf.7z
MailScanner[34859]: Uninfected: Delivered 1 messages

The detailed maillog:
May 17 01:28:04 efa postfix/smtpd[38651]: connect from 20.123.26.186.static.intelnet.net.gt[186.26.123.20]
May 17 01:28:05 efa postfix/smtpd[38651]: warning: 20.123.26.186.static.intelnet.net.gt[186.26.123.20]: SASL LOGIN authentication failed: authentication failure
May 17 01:28:05 efa postfix/smtpd[38651]: disconnect from 20.123.26.186.static.intelnet.net.gt[186.26.123.20] helo=1 auth=0/1 quit=1 commands=2/3
May 17 01:28:11 efa postfix/anvil[27836]: statistics: max connection rate 1/60s for (smtp:201.86.94.105) at May 17 01:18:49
May 17 01:28:11 efa postfix/anvil[27836]: statistics: max connection count 1 for (smtp:201.86.94.105) at May 17 01:18:49
May 17 01:28:11 efa postfix/anvil[27836]: statistics: max cache size 3 at May 17 01:24:52
May 17 01:28:34 efa postfix/smtpd[38651]: connect from unknown[52.124.29.50]
May 17 01:28:34 efa postfix/smtpd[38651]: warning: unknown[52.124.29.50]: SASL LOGIN authentication failed: authentication failure
May 17 01:28:34 efa postfix/smtpd[38651]: disconnect from unknown[52.124.29.50] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 17 01:28:38 efa postfix/smtpd[38651]: connect from mail.tohoma.co.id[103.24.13.138]
May 17 01:28:39 efa postfix/smtpd[38651]: Anonymous TLS connection established from mail.tohoma.co.id[103.24.13.138]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 17 01:28:40 efa postfix/trivial-rewrite[39276]: warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual
May 17 01:28:40 efa postfix/cleanup[39277]: warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual
May 17 01:28:40 efa postfix/smtpd[38651]: D645D120A29: client=mail.tohoma.co.id[103.24.13.138]
May 17 01:28:41 efa postfix/cleanup[39277]: D645D120A29: hold: header Received: from mail.tohoma.co.id (mail.tohoma.co.id [103.24.13.138])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits
))??(No client certificate requested)??by efa-external-smt.public-domain.com ( from mail.tohoma.co.id[103.24.13.138]; from=<support@dhl.com> to=<custservice@our-public-domain.com> proto=ESMTP helo=<mail.tohoma.co.id>
May 17 01:28:41 efa postfix/cleanup[39277]: D645D120A29: message-id=<98c5190f35935666414d8f47c153cb9f@dhl.com>
May 17 01:28:42 efa postfix/smtpd[38651]: disconnect from mail.tohoma.co.id[103.24.13.138] ehlo=2 starttls=1 mail=1 rcpt=2 data=1 quit=1 commands=8
May 17 01:28:44 efa MailScanner[34859]: New Batch: Scanning 1 messages, 306852 bytes
May 17 01:28:44 efa MailScanner[34859]: Virus and Content Scanning: Starting
May 17 01:28:44 efa MailScanner[34859]: Clamd::INFECTED:: Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL :: ./D645D120A29.AF5F2/Parcel_Receipt_SKMBT_pdf.7z
May 17 01:28:44 efa MailScanner[34859]: Found spam based virus Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL in D645D120A29.AF5F2
May 17 01:28:44 efa MailScanner[34859]: HTML Img tag found in message D645D120A29.AF5F2 from support@dhl.com
May 17 01:28:44 efa MailScanner[34859]: Spam Checks: Starting
May 17 01:28:44 efa MailScanner[34859]: Expired 1 records from the SpamAssassin cache
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Whitelist refresh time reached
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Starting up MailWatch SQL Whitelist
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Read 35 whitelist entries
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Blacklist refresh time reached
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Starting up MailWatch SQL Blacklist
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Read 1 blacklist entries
May 17 01:28:53 efa MailScanner[34859]: Requeue: D645D120A29.AF5F2 to 0C8B7120A2F
May 17 01:28:53 efa postfix/qmgr[2107]: 0C8B7120A2F: from=<support@dhl.com>, size=306049, nrcpt=2 (queue active)
May 17 01:28:53 efa MailScanner[34859]: Uninfected: Delivered 1 messages
May 17 01:28:53 efa MailScanner[34859]: Deleted 1 messages from processing-database
May 17 01:28:53 efa MailScanner[34859]: MailWatch: Logging message D645D120A29.AF5F2 to SQL
May 17 01:28:53 efa MailScanner[34863]: MailWatch: D645D120A29.AF5F2: Logged to MailWatch SQL
May 17 01:28:53 efa postfix/smtp[39291]: 0C8B7120A2F: to=<techsupport@our-public-domain.com>, relay=192.168.4.115[192.168.4.115]:25, delay=13, delays=13/0.03/0.09/0.18, dsn=2.6.0, status=sent (250 2.6.0 <98c5190f35935666414d8f47c153cb9f@dhl.com> [InternalId=56904021704740, Hostname=Internal-SMTP-server.domain.local] Queued mail for delivery)
May 17 01:28:53 efa postfix/smtp[39290]: 0C8B7120A2F: to=<custservice@our-public-domain.com>, relay=192.168.4.115[192.168.4.115]:25, delay=13, delays=13/0.02/0.07/0.21, dsn=2.6.0, status=sent (250 2.6.0 <98c5190f35935666414d8f47c153cb9f@dhl.com> [InternalId=56904021704739, Hostname=Internal-SMTP-server.domain.local] Queued mail for delivery)
May 17 01:28:53 efa postfix/qmgr[2107]: 0C8B7120A2F: removed
May 17 01:29:27 efa postfix/smtpd[38651]: connect from unknown[172.252.108.50]
May 17 01:29:29 efa postfix/smtpd[38651]: warning: unknown[172.252.108.50]: SASL LOGIN authentication failed: authentication failure
May 17 01:29:29 efa postfix/smtpd[38651]: disconnect from unknown[172.252.108.50] helo=1 auth=0/1 quit=1 commands=2/3
May 17 01:30:04 efa postfix/smtpd[38651]: warning: hostname dedic878.hidehost.net does not resolve to address 91.200.12.173: Name or service not known
May 17 01:30:04 efa postfix/smtpd[38651]: connect from unknown[91.200.12.173]

Please help and advise on how to solve this issue. With best regards,
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: Found viruses but uninfected delivered

Post by bostjanc »

Changing

#Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
Virus Names Which Are Spam = HTML/* *Phish*

In /etc/MailScanner/MailScanner.conf

and:
service postfix restart
service mailscanner restart

did the trick.

Can someone else confirm this please?
With best regards
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Found viruses but uninfected delivered

Post by pdwalker »

So this setting identifies messages detected as spam by the virus scanners and treats them as spam rather than as actual harmful viruses?
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: Found viruses but uninfected delivered

Post by bostjanc »

define "harmless" ;)
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Found viruses but uninfected delivered

Post by shawniverson »

The Hitchhikers Guide to the Galaxy has Earth defined as "Mostly Harmless" :lol:
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: Found viruses but uninfected delivered

Post by bostjanc »

lol
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Found viruses but uninfected delivered

Post by pdwalker »

I'm having problems with this.

In MailScanner.conf I have the following setting:
Virus Names Which Are Spam = Clamd*SecuriteInfo.com.Spam* Clamd*Porcupine.Junk* Sane*UNOFFICIAL HTML/* *Phish*
and yet I keep getting emails saying
Virus detected
blah blah blah
Report: Clamd: msg-11701-1.html was infected: Porcupine.Junk.41966.UNOFFICIAL
MailScanner reports it as a virus under the status column: Virus (Porcupine.Junk.41966.UNOFFICIAL)

What am I doing wrong? I want these AV detected spam messages to be treated as spam, and not viruses. Otherwise I just get inundated with false "virus detected" messages.

Any advice or suggestions would be greatly appreciated.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Found viruses but uninfected delivered

Post by shawniverson »

I think the Clamd prefix in your detection string may be throwing it off. It is not really part of the "virus" string.

Virus Names Which Are Spam = Clamd*SecuriteInfo.com.Spam* Porcupine.Junk*UNOFFICIAL Sane*UNOFFICIAL HTML/* *Phish*
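To make the behaviour discussed in this thread concrete (bostjanc's fix of dropping Sane*UNOFFICIAL so Sanesecurity hits become real viruses, and pdwalker's Clamd* patterns that never match), here is an added Python model of how a "Virus Names Which Are Spam" value is applied to a detection. It is not MailScanner's own code and was not posted by anyone in the thread. It assumes, as shawniverson's reply suggests, that the patterns are matched against the bare signature name without the "Clamd" scanner tag, that "*" is the only wildcard, that every other character is literal, and that the whole name must match; those four points are assumptions, not verified against MailScanner's source. The two log lines it parses are copied from the posts above.

```python
import re

# Copied from the posts in this thread (not constructed): the two forms in
# which the MailScanner log reports a clamd detection.
LOG_LINES = [
    "May 17 01:28:44 efa MailScanner[34859]: Clamd::INFECTED:: "
    "Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL :: "
    "./D645D120A29.AF5F2/Parcel_Receipt_SKMBT_pdf.7z",
    "Report: Clamd: msg-11701-1.html was infected: Porcupine.Junk.41966.UNOFFICIAL",
]

# The config values quoted in the thread.
EFA_DEFAULT = "Sane*UNOFFICIAL HTML/* *Phish*"
BOSTJANC_AFTER = "HTML/* *Phish*"
PDWALKER_BROKEN = ("Clamd*SecuriteInfo.com.Spam* Clamd*Porcupine.Junk* "
                   "Sane*UNOFFICIAL HTML/* *Phish*")
PDWALKER_FIXED = ("Clamd*SecuriteInfo.com.Spam* Porcupine.Junk*UNOFFICIAL "
                  "Sane*UNOFFICIAL HTML/* *Phish*")

# "Clamd::INFECTED:: <name> :: <path>" and "Clamd: <file> was infected: <name>"
_CLAMD_INFECTED = re.compile(r"Clamd::INFECTED::\s*(?P<name>\S+)\s*::")
_CLAMD_REPORT = re.compile(r"Clamd:\s+\S+ was infected:\s*(?P<name>\S+)")


def detection_name(line):
    """Return the bare signature name from either clamd log form, or None.

    The leading 'Clamd' is the scanner tag that MailScanner prepends when it
    logs; the signature name is only what follows it."""
    for rx in (_CLAMD_INFECTED, _CLAMD_REPORT):
        m = rx.search(line)
        if m:
            return m.group("name")
    return None


def compile_patterns(setting):
    """Turn a space-separated 'Virus Names Which Are Spam' value into
    anchored regexes.  Assumption: '*' is the only wildcard, everything else
    is literal, and the whole name must match (case-sensitively)."""
    compiled = []
    for glob in setting.split():
        rx = "^" + re.escape(glob).replace(r"\*", ".*") + "$"
        compiled.append((glob, re.compile(rx)))
    return compiled


def matching_pattern(name, setting):
    """First pattern in `setting` that matches `name`, else None."""
    for glob, rx in compile_patterns(setting):
        if rx.match(name):
            return glob
    return None


def classify(line, setting):
    """('spam' | 'virus' | 'clean', signature name, matching pattern).

    A detection whose name matches one of the patterns is handled as spam
    (the 'Found spam based virus' path in the log above); any other detection
    is handled as a virus."""
    name = detection_name(line)
    if name is None:
        return ("clean", None, None)
    glob = matching_pattern(name, setting)
    return ("spam" if glob else "virus", name, glob)


if __name__ == "__main__":
    for label, setting in [("EFA default", EFA_DEFAULT),
                           ("bostjanc after fix", BOSTJANC_AFTER),
                           ("pdwalker broken", PDWALKER_BROKEN),
                           ("pdwalker fixed", PDWALKER_FIXED)]:
        print(label)
        for line in LOG_LINES:
            verdict, name, glob = classify(line, setting)
            print("  %-7s %-40s matched by: %s" % (verdict, name, glob))
```

Running it shows the two situations side by side: with the EFA default, Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL is matched by Sane*UNOFFICIAL and so goes down the spam path, which is the "Found spam based virus ... Uninfected: Delivered" sequence in the first post; with that pattern removed it becomes a virus. Clamd*Porcupine.Junk* never matches a name that does not itself begin with "Clamd", whereas Porcupine.Junk*UNOFFICIAL does. The same check applies to any other pattern you carry a scanner tag into.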
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Found viruses but uninfected delivered

Post by pdwalker »

I thought it was. I've turned it off now, so we'll see if the problem goes away.

Thanks for the pointer.