EFA stops banned content but sends out an Email Virus warning?

Posted: 17 Feb 2017 09:29
by ovizii
Just wondering why EFA didn't send out the proper bad content warning but chose to send out a virus warning?
The email in question contained an .exe file:

MailScanner: Executable DOS/Windows programs are dangerous in email (BORDER_ASC.exe) No programs allowed (BORDER_ASC.exe)
The email sent had this subject:
Warning: E-mail viruses detected
which shows that the wrong report was used.

The reports are all configured correctly inside MailScanner.conf:

# Set where to find the messages that are delivered to the sender, when they
# sent an email containing either an error, banned content, a banned filename
# or a virus infection.
# These can also be the filenames of rulesets.
Sender Content Report      = %report-dir%/sender.content.report.txt
Sender Error Report        = %report-dir%/sender.error.report.txt
Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
Sender Virus Report        = %report-dir%/sender.virus.report.txt
Sender Size Report         = %report-dir%/sender.size.report.txt

Re: EFA stops banned content but sends out an Email Virus warning?

Posted: 17 Feb 2017 23:23
by shawniverson
Odd...

Do you have the maillog when this happened...I would be most curious about MailScanner's actions...

Re: EFA stops banned content but sends out an Email Virus warning?

Posted: 18 Feb 2017 07:23
by ovizii
Here it is, does that help?

cat /var/log/maillog | grep C948E1007B7

Feb 17 08:38:26 efa postfix/smtpd[20944]: C948E1007B7: client=mail1.bemta3.messagelabs.com[195.245.230.162]
Feb 17 08:38:26 efa postfix/cleanup[21225]: C948E1007B7: hold: header Received: from mail1.bemta3.messagelabs.com (mail1.bemta3.messagelabs.com [195.245.230.162])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)? from mail1.bemta3.messagelabs.com[195.245.230.162]; from=<sender> to=<recipient> proto=ESMTP helo=<mail1.bemta3.messagelabs.com>
Feb 17 08:38:26 efa postfix/cleanup[21225]: C948E1007B7: message-id=<69FF33B77DD96746A1BA6A2393106AEE0104D9C747@VOEXM29W.internal.senderdomain>
Feb 17 08:38:28 efa opendkim[28832]: C948E1007B7: mail1.bemta3.messagelabs.com [195.245.230.162] not internal
Feb 17 08:38:28 efa opendkim[28832]: C948E1007B7: not authenticated
Feb 17 08:38:33 efa MailScanner[5500]: Filename Checks: Windows/DOS Executable (C948E1007B7.A120F BORDER_HCM_TO_ASC.exe)
Feb 17 08:38:33 efa MailScanner[5500]: Filetype Checks: No executables (C948E1007B7.A120F BORDER_HCM_TO_ASC.exe)
Feb 17 08:38:38 efa MailScanner[5500]: <A> tag found in message C948E1007B7.A120F from sender
Feb 17 08:38:38 efa MailScanner[5500]: HTML Img tag found in message C948E1007B7.A120F from sender
Feb 17 08:38:38 efa MailScanner[5500]: Saved entire message to /var/spool/MailScanner/quarantine/20170217/C948E1007B7.A120F
Feb 17 08:38:38 efa MailScanner[5500]: Saved infected "BORDER_HCM_TO_ASC.exe" to /var/spool/MailScanner/quarantine/20170217/C948E1007B7.A120F
Feb 17 08:38:46 efa MailScanner[5500]: Logging message C948E1007B7.A120F to SQL
Feb 17 08:38:46 efa MailScanner[5503]: C948E1007B7.A120F: Logged to MailWatch SQL

Re: EFA stops banned content but sends out an Email Virus warning?

Posted: 18 Feb 2017 13:34
by shawniverson
Yes, MailScanner is treating the banned filetype as a virus somehow....

Looking at the MailScanner code, virus reports take precedence over file reports, or default to virus reports if no suitable report was found. So, I am going to set up a test environment and see if I can debug this on my end.

Something fishy here, because SweepOther.pm is setting the nametypes flag correctly.....

Re: EFA stops banned content but sends out an Email Virus warning?

Posted: 18 Feb 2017 16:24
by ovizii
Thanks for looking into it!

Re: EFA stops banned content but sends out an Email Virus warning?

Posted: 18 Feb 2017 19:02
by shawniverson
Okay, this is what I get:

Subject: Warning: E-mail viruses detected

Our e-mail content detector has just been triggered by a message you sent:
To: name@example.org
Subject: test2
Date: Sat Feb 18 18:58:16 2017

One or more of the attachments (New Text Document.exe.doc) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: Report: MailScanner: Attempt to hide real filename extension (New
Text Document.exe.doc)


So, it is working correctly, except for the subject line, which should say something different. I am going to isolate the MailScanner code and possibly produce a PR to address this issue.

Re: EFA stops banned content but sends out an Email Virus warning?

Posted: 18 Feb 2017 22:59
by shawniverson
Mystery solved. Not a code problem.

Look in /etc/MailScanner/reports/en/sender.filename.report.txt

From: "$postmastername" <$localpostmaster>
To: $from
Subject: Warning: E-mail viruses detected
X-%org-name%-MailScanner: generated

Our e-mail content detector has just been triggered by a message you sent:
  To: $to
  Subject: $subject
  Date: $date

One or more of the attachments ($filename) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: $report

--
%org-long-name%
%web-site%

The fix is to simply modify this report to more accurately state what you want.
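A small check for the misconfiguration found in this thread, added here as an example and not part of the original posts or of MailScanner itself: it reads the "Sender ... Report" keys from a MailScanner.conf excerpt, pulls the Subject: header out of each template, and flags any non-virus report whose Subject still claims a virus was detected. The conf lines and template contents are constructed inline, and %report-dir% is assumed to expand to /etc/MailScanner/reports/en as in the last post.

```python
import re

# Constructed sample mirroring the thread's MailScanner.conf excerpt.
SAMPLE_CONF = """
Sender Content Report      = %report-dir%/sender.content.report.txt
Sender Error Report        = %report-dir%/sender.error.report.txt
Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
Sender Virus Report        = %report-dir%/sender.virus.report.txt
Sender Size Report         = %report-dir%/sender.size.report.txt
"""
REPORT_DIR = "/etc/MailScanner/reports/en"  # assumed value of %report-dir%

# Constructed template contents keyed by path (stand-ins for reading the files).
# The filename template reproduces the mis-set Subject line from the thread.
SAMPLE_TEMPLATES = {
    f"{REPORT_DIR}/sender.content.report.txt":
        "From: postmaster\nSubject: Warning: E-mail content detected\n\nbody\n",
    f"{REPORT_DIR}/sender.filename.report.txt":
        "From: postmaster\nSubject: Warning: E-mail viruses detected\n\nbody\n",
    f"{REPORT_DIR}/sender.virus.report.txt":
        "From: postmaster\nSubject: Warning: E-mail viruses detected\n\nbody\n",
}


def parse_sender_reports(conf_text, report_dir=REPORT_DIR):
    """Map each 'Sender <Kind> Report' key to its expanded template path."""
    reports = {}
    for line in conf_text.splitlines():
        m = re.match(r"^\s*Sender (.+?) Report\s*=\s*(\S+)", line)
        if m:
            reports[m.group(1)] = m.group(2).replace("%report-dir%", report_dir)
    return reports


def template_subject(template_text):
    """Return the Subject: value from the header block, which ends at the first blank line."""
    for line in template_text.splitlines():
        if not line.strip():
            break
        if line.lower().startswith("subject:"):
            return line.split(":", 1)[1].strip()
    return None


def find_mismatched_subjects(conf_text, templates):
    """List (kind, subject) for non-virus reports whose Subject announces a virus."""
    bad = []
    for kind, path in parse_sender_reports(conf_text).items():
        subject = template_subject(templates.get(path, "")) or ""
        if kind != "Virus" and "virus" in subject.lower():
            bad.append((kind, subject))
    return bad
```

Running find_mismatched_subjects(SAMPLE_CONF, SAMPLE_TEMPLATES) against the constructed data flags only the Bad Filename report; on a live box, replace SAMPLE_TEMPLATES with the contents of the real files under %report-dir%.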