Hi guys.
Currently EFA version 3.0.2.1
I have a situation where a VIRUS gets delivered.
I had a similar case in the past (I also opened a thread on the EFA FORUM in November 2016), and the solution then was to:
change Maximum Archive Depth to 3 in /etc/MailScanner/MailScanner.conf
SOURCE: viewtopic.php?f=13&t=2007&p=7617&hilit= ... ered#p7617
Now this has happened again, and I have double-checked EFA's MailScanner.conf to see whether that attribute was changed by any EFA upgrade, but it still remains 3, so this time something else must be wrong.
MAILLOG:
Clamd::INFECTED:: Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL :: ./D645D120A29.AF5F2/Parcel_Receipt_SKMBT_pdf.7z
MailScanner[34859]: Uninfected: Delivered 1 messages
The detailed maillog:
May 17 01:28:04 efa postfix/smtpd[38651]: connect from 20.123.26.186.static.intelnet.net.gt[186.26.123.20]
May 17 01:28:05 efa postfix/smtpd[38651]: warning: 20.123.26.186.static.intelnet.net.gt[186.26.123.20]: SASL LOGIN authentication failed: authentication failure
May 17 01:28:05 efa postfix/smtpd[38651]: disconnect from 20.123.26.186.static.intelnet.net.gt[186.26.123.20] helo=1 auth=0/1 quit=1 commands=2/3
May 17 01:28:11 efa postfix/anvil[27836]: statistics: max connection rate 1/60s for (smtp:201.86.94.105) at May 17 01:18:49
May 17 01:28:11 efa postfix/anvil[27836]: statistics: max connection count 1 for (smtp:201.86.94.105) at May 17 01:18:49
May 17 01:28:11 efa postfix/anvil[27836]: statistics: max cache size 3 at May 17 01:24:52
May 17 01:28:34 efa postfix/smtpd[38651]: connect from unknown[52.124.29.50]
May 17 01:28:34 efa postfix/smtpd[38651]: warning: unknown[52.124.29.50]: SASL LOGIN authentication failed: authentication failure
May 17 01:28:34 efa postfix/smtpd[38651]: disconnect from unknown[52.124.29.50] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 17 01:28:38 efa postfix/smtpd[38651]: connect from mail.tohoma.co.id[103.24.13.138]
May 17 01:28:39 efa postfix/smtpd[38651]: Anonymous TLS connection established from mail.tohoma.co.id[103.24.13.138]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 17 01:28:40 efa postfix/trivial-rewrite[39276]: warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual
May 17 01:28:40 efa postfix/cleanup[39277]: warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual
May 17 01:28:40 efa postfix/smtpd[38651]: D645D120A29: client=mail.tohoma.co.id[103.24.13.138]
May 17 01:28:41 efa postfix/cleanup[39277]: D645D120A29: hold: header Received: from mail.tohoma.co.id (mail.tohoma.co.id [103.24.13.138])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)??by efa-external-smt.public-domain.com ( from mail.tohoma.co.id[103.24.13.138]; from=<support@dhl.com> to=<custservice@our-public-domain.com> proto=ESMTP helo=<mail.tohoma.co.id>
May 17 01:28:41 efa postfix/cleanup[39277]: D645D120A29: message-id=<98c5190f35935666414d8f47c153cb9f@dhl.com>
May 17 01:28:42 efa postfix/smtpd[38651]: disconnect from mail.tohoma.co.id[103.24.13.138] ehlo=2 starttls=1 mail=1 rcpt=2 data=1 quit=1 commands=8
May 17 01:28:44 efa MailScanner[34859]: New Batch: Scanning 1 messages, 306852 bytes
May 17 01:28:44 efa MailScanner[34859]: Virus and Content Scanning: Starting
May 17 01:28:44 efa MailScanner[34859]: Clamd::INFECTED:: Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL :: ./D645D120A29.AF5F2/Parcel_Receipt_SKMBT_pdf.7z
May 17 01:28:44 efa MailScanner[34859]: Found spam based virus Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL in D645D120A29.AF5F2
May 17 01:28:44 efa MailScanner[34859]: HTML Img tag found in message D645D120A29.AF5F2 from support@dhl.com
May 17 01:28:44 efa MailScanner[34859]: Spam Checks: Starting
May 17 01:28:44 efa MailScanner[34859]: Expired 1 records from the SpamAssassin cache
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Whitelist refresh time reached
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Starting up MailWatch SQL Whitelist
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Read 35 whitelist entries
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Blacklist refresh time reached
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Starting up MailWatch SQL Blacklist
May 17 01:28:44 efa MailScanner[34859]: MailWatch: Read 1 blacklist entries
May 17 01:28:53 efa MailScanner[34859]: Requeue: D645D120A29.AF5F2 to 0C8B7120A2F
May 17 01:28:53 efa postfix/qmgr[2107]: 0C8B7120A2F: from=<support@dhl.com>, size=306049, nrcpt=2 (queue active)
May 17 01:28:53 efa MailScanner[34859]: Uninfected: Delivered 1 messages
May 17 01:28:53 efa MailScanner[34859]: Deleted 1 messages from processing-database
May 17 01:28:53 efa MailScanner[34859]: MailWatch: Logging message D645D120A29.AF5F2 to SQL
May 17 01:28:53 efa MailScanner[34863]: MailWatch: D645D120A29.AF5F2: Logged to MailWatch SQL
May 17 01:28:53 efa postfix/smtp[39291]: 0C8B7120A2F: to=<techsupport@our-public-domain.com>, relay=192.168.4.115[192.168.4.115]:25, delay=13, delays=13/0.03/0.09/0.18, dsn=2.6.0, status=sent (250 2.6.0 <98c5190f35935666414d8f47c153cb9f@dhl.com> [InternalId=56904021704740, Hostname=Internal-SMTP-server.domain.local] Queued mail for delivery)
May 17 01:28:53 efa postfix/smtp[39290]: 0C8B7120A2F: to=<custservice@our-public-domain.com>, relay=192.168.4.115[192.168.4.115]:25, delay=13, delays=13/0.02/0.07/0.21, dsn=2.6.0, status=sent (250 2.6.0 <98c5190f35935666414d8f47c153cb9f@dhl.com> [InternalId=56904021704739, Hostname=Internal-SMTP-server.domain.local] Queued mail for delivery)
May 17 01:28:53 efa postfix/qmgr[2107]: 0C8B7120A2F: removed
May 17 01:29:27 efa postfix/smtpd[38651]: connect from unknown[172.252.108.50]
May 17 01:29:29 efa postfix/smtpd[38651]: warning: unknown[172.252.108.50]: SASL LOGIN authentication failed: authentication failure
May 17 01:29:29 efa postfix/smtpd[38651]: disconnect from unknown[172.252.108.50] helo=1 auth=0/1 quit=1 commands=2/3
May 17 01:30:04 efa postfix/smtpd[38651]: warning: hostname dedic878.hidehost.net does not resolve to address 91.200.12.173: Name or service not known
May 17 01:30:04 efa postfix/smtpd[38651]: connect from unknown[91.200.12.173]
Please help and advise on how to solve this issue. With best regards.
Found viruses but uninfected delivered
Re: Found viruses but uninfected delivered
Changing
#Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
Virus Names Which Are Spam = HTML/* *Phish*
in /etc/MailScanner/MailScanner.conf
and:
service postfix restart
service mailscanner restart
did the trick.
Can someone else confirm this please?
With best regards
Re: Found viruses but uninfected delivered
So this setting identifies messages detected as spam by the virus scanners and treats them as spam rather than as actual harmful viruses?
Re: Found viruses but uninfected delivered
define "harmless"
- shawniverson
Re: Found viruses but uninfected delivered
The Hitchhiker's Guide to the Galaxy has Earth defined as "Mostly Harmless".
Re: Found viruses but uninfected delivered
I'm having problems with this.
In Mailscanner.conf I've the following setting:
Virus Names Which Are Spam = Clamd*SecuriteInfo.com.Spam* Clamd*Porcupine.Junk* Sane*UNOFFICIAL HTML/* *Phish*
and yet I keep getting emails saying:
Mailscanner reports it as a virus under the status column: Virus (Porcupine.Junk.41966.UNOFFICIAL) Virus detected
blah blah blah
Report: Clamd: msg-11701-1.html was infected: Porcupine.Junk.41966.UNOFFICIAL
What am I doing wrong? I want these AV-detected spam messages to be treated as spam, and not viruses. Otherwise I just get inundated with false "virus detected" messages.
Any advice or suggestions would be greatly appreciated.
- shawniverson
Re: Found viruses but uninfected delivered
I think the Clamd prefix in your detection string may be throwing it off. It is not really part of the "virus" string.
Virus Names Which Are Spam = Clamd*SecuriteInfo.com.Spam* Porcupine.Junk*UNOFFICIAL Sane*UNOFFICIAL HTML/* *Phish*
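As an added example (not code from EFA or MailScanner, and a simplified model of how the "Virus Names Which Are Spam" globs are matched; assumptions: the value is space-separated globs, "*" is the only wildcard, and each glob must cover the whole virus name, case-insensitively), this Python shows why the Clamd-prefixed pattern above never matches Porcupine.Junk, and also why the original post's Sanesecurity hit matched Sane*UNOFFICIAL and was therefore handled as spam (and delivered) rather than as a virus:

```python
import re

# Constructed sample detections (virus names as the scanner reports them).
SANE_HIT = "Sanesecurity.Foxhole.7z_pdf.UNOFFICIAL"   # from the original post
PORCUPINE_HIT = "Porcupine.Junk.41966.UNOFFICIAL"     # from the later post
REAL_VIRUS = "Win.Trojan.Agent-12345"                 # constructed, not spam-like

# The two settings quoted in this thread: the one that missed Porcupine.Junk,
# and the corrected one with the "Clamd" prefix dropped.
OLD_SETTING = "Clamd*SecuriteInfo.com.Spam* Clamd*Porcupine.Junk* Sane*UNOFFICIAL HTML/* *Phish*"
NEW_SETTING = "Clamd*SecuriteInfo.com.Spam* Porcupine.Junk*UNOFFICIAL Sane*UNOFFICIAL HTML/* *Phish*"


def compile_spam_globs(setting):
    """Turn the space-separated setting value into anchored, case-insensitive
    regexes. Assumption: '*' is the only wildcard and a glob must cover the
    whole virus name; this models MailScanner closely enough for tuning."""
    return [re.compile("^" + ".*".join(re.escape(p) for p in g.split("*")) + "$",
                       re.IGNORECASE) for g in setting.split()]


def is_spam_virus(virus_name, setting):
    """True if any glob matches, i.e. MailScanner would log 'Found spam based
    virus' and hand the message to the spam actions (which may deliver it)
    instead of the virus actions."""
    return any(rx.match(virus_name) for rx in compile_spam_globs(setting))


def virus_name_from_report(report):
    """Extract the bare virus name from a clamd report line. The scanner tag
    ('Clamd::INFECTED::' or 'Clamd: ... was infected:') is not part of the
    name, which is why a glob beginning with 'Clamd*' can never match it."""
    m = (re.search(r"INFECTED::\s*(\S+)", report)
         or re.search(r"was infected:\s*(\S+)", report))
    return m.group(1) if m else report.strip()


def classify(report, setting):
    """Return 'spam' or 'virus' for one report line under the given setting."""
    return "spam" if is_spam_virus(virus_name_from_report(report), setting) else "virus"


if __name__ == "__main__":
    reports = (
        "Clamd::INFECTED:: %s :: ./D645D120A29.AF5F2/Parcel_Receipt_SKMBT_pdf.7z" % SANE_HIT,
        "Clamd: msg-11701-1.html was infected: " + PORCUPINE_HIT,
    )
    for r in reports:
        print(virus_name_from_report(r), "old:", classify(r, OLD_SETTING),
              "new:", classify(r, NEW_SETTING))
```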
Re: Found viruses but uninfected delivered
I thought it was. I've turned it off now, so we'll see if the problem goes away.
Thanks for the pointer.