Issue with MailScanner not blocking incoming attachments that SHOULD be denied.
Jason Young
2013-11-13 23:35:33 UTC
Hi Everyone,

I am wondering if anyone would have any ideas as to why my mailscanners (I
have 4 in total) would not block / quarantine attachments like .exe etc. I
have been through all the configs and log files but I can't find anything
that points to a problem in my setup.

I am running MailScanner on CentOS 6. MailScanner is version 4.84.6 and
ClamAV is the Anti-Virus installed. Once the MailScanner works its magic on
the incoming emails they are then relayed internally to an Exchange Server.

I have not really changed much in the standard MailScanner.conf file. I
have verified:

Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf

And the 2 "default" Rules files exist and are standard out of the box.

They contain:

# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable
Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable
Executable DOS/Windows programs are dangerous in email

My testing has so far been to use an external mail server to send an
attached windows executable file (.exe) to an internal exchange account. I
have tried both using an outlook external client and also a native Linux
based web client with the same result (i.e. the exe file is delivered to the
exchange account).

The maillog contains the following entries when I send the test email in:

Nov 14 09:14:04 mailscanner postfix/smtpd[27736]: connect from
unknown[XXX.XXX.XXX.XXX]

Nov 14 09:14:05 mailscanner postfix/smtpd[27736]: B32DF300F7A:
client=unknown[XXX.XXX.XXX.XXX]

Nov 14 09:14:06 mailscanner postfix/cleanup[27980]: B32DF300F7A: hold:
header Received: from XXXXX.XXX (unknown [XXX.XXX.XXX.XXX])??by
mailscanner.XXXXX.XXX (Postfix) with SMTP id B32DF300F7A??for
<jyoung at XXXXX.XXX>; Thu, 14 Nov 2013 09:14:05 +100 from
unknown[XXX.XXX.XXX.XXX]; from=<jason at XXXXX.XXX> to=<jyoung at XXXXX.XXX>
proto=SMTP helo=<XXXXX.XXXXX.XXX>

Nov 14 09:14:06 mailscanner postfix/cleanup[27980]: B32DF300F7A:
message-id=<70df8fbcea6253ccee9a2a40329f09ce.squirrel at webmail.XXXXX.XXX>

Nov 14 09:14:08 mailscanner postfix/smtpd[27736]: disconnect from
unknown[XXX.XXX.XXX.XXX]

Nov 14 09:14:09 mailscanner MailScanner[27843]: New Batch: Found 1 messages
waiting

Nov 14 09:14:09 mailscanner MailScanner[27843]: New Batch: Scanning 1
messages, 151691 bytes

Nov 14 09:14:09 mailscanner MailScanner[27843]: Virus and Content Scanning:
Starting

Nov 14 09:14:10 mailscanner MailScanner[27843]: Requeue: B32DF300F7A.AE0C2
to CCE03300F7F

Nov 14 09:14:10 mailscanner MailScanner[27843]: Uninfected: Delivered 1
messages

Nov 14 09:14:10 mailscanner postfix/qmgr[16933]: CCE03300F7F:
from=<jason at XXXXX.XXX>, size=151040, nrcpt=1 (queue active)

Nov 14 09:14:10 mailscanner MailScanner[27843]: Deleted 1 messages from
processing-database

Nov 14 09:14:10 mailscanner MailScanner[27843]: Logging message
B32DF300F7A.AE0C2 to SQL

Nov 14 09:14:10 mailscanner MailScanner[20512]: B32DF300F7A.AE0C2: Logged to
MailWatch SQL

Nov 14 09:14:11 mailscanner postfix/smtp[27944]: CCE03300F7F:
to=<jyoung at XXXXX.XXX>, relay=10.10.10.12[10.10.10.12]:25, delay=5.9,
delays=5.1/0/0/0.78, dsn=2.6.0, status=sent (250 2.6.0
<70df8fbcea6253ccee9a2a40329f09ce.squirrel at webmail.XXXXX.XXX>
[InternalId=20096151978059] Queued mail for delivery)

Nov 14 09:14:11 mailscanner postfix/qmgr[16933]: CCE03300F7F: removed

And the email that arrives has the following header (extract):

Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"

X-Priority: 3 (Normal)

Importance: Normal

X-SXXXXXXXX-MailScanner-Information: Please contact the ISP for more
information

X-SXXXXXXXX-MailScanner-ID: D5DB6FF800A.AF88E

X-SXXXXXXXX-MailScanner: Found to be clean

X-SXXXXXXXX-MailScanner-From: jason at XXXXX.XXX

X-Spam-Status: No, No

X-RXXXXXXXX -MailScanner-Information: Please contact the ISP for more
information

X-RXXXXXXXX -MailScanner-ID: B32DF300F7A.AE0C2

X-RXXXXXXXX -MailScanner: Found to be clean

X-RXXXXXXXX -MailScanner-From: jason at XXXXX.XXX

Running MailScanner --lint gives the following output:

[root at mailscanner ~]# MailScanner --lint
Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 872 hostnames from the phishing whitelist
Read 6957 hostnames from the phishing blacklists
Config: calling custom init function MailWatchLogging
Started SQL Logging child

Checking version numbers...
Version number in MailScanner.conf (4.84.6) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (48)
MailScanner setting UID to (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 4 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging

Does anyone have any ideas or suggestions as to why the attached files
inbound are not being blocked? I am of course making the assumption that
.exe files should by default be blocked :-)

Regards

Jason Young
Mark Sapiro
2013-11-14 00:24:51 UTC
Post by Jason Young
My testing has so far been to use an external mail server to send an
attached windows executable file (.exe) to an internal exchange
account. I have tried both using an outlook external client and also a
native Linux based web client with the same result (i.e. the exe file is
delivered to the exchange account).
Is the file actually a DOS executable file, i.e., what does the CentOS
'file' command say it is?
Post by Jason Young
Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"
And what are the part headers for the attached file? I.e. does it have a
name and does the name end in .exe?
...
Post by Jason Young
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Here MailScanner recognizes a .com. Have you tried a .com in your testing?
--
Mark Sapiro <mark at msapiro.net>
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
Jason Young
2013-11-14 01:24:50 UTC
Hi Mark,

The file is a windows executable ... I have tried a .exe and now also a .com
file with the same result (mail is not blocked / quarantined).

I put the test files onto the centos box and ran the "file" & "file -i"
command over them

[root at mailscanner ~]# file test.exe
test.exe: PE32+ executable for MS Windows (console) Mono/.Net assembly
[root at mailscanner ~]# file test.com
test.com: PE32 executable for MS Windows (console) Intel 80386 32-bit
[root at mailscanner ~]# file -i test.com
test.com: application/octet-stream; charset=binary
[root at mailscanner ~]# file -i test.exe
test.exe: application/octet-stream; charset=binary

I had read on a forum somewhere that someone recommended changing the
MailScanner.conf file command to file -i .. But it does not seem to make any
difference.

There does not seem to be anything in the headers about a .exe or anything
about attachments. But outlook knows there is a .exe or .com attachment and
it blocks it with itself.

Regards

Jason Young
Mark Sapiro
2013-11-14 06:52:03 UTC
Post by Jason Young
The file is a windows executable ... I have tried a .exe and now also a .com
file wit hteh same result (mail is not blocked / quarantined).
I put the test files onto the centos box and ran the "file" & "file -i"
command over them
[root at mailscanner ~]# file test.exe
test.exe: PE32+ executable for MS Windows (console) Mono/.Net assembly
[root at mailscanner ~]# file test.com
test.com: PE32 executable for MS Windows (console) Intel 80386 32-bit
[root at mailscanner ~]# file -i test.com
test.com: application/octet-stream; charset=binary
[root at mailscanner ~]# file -i test.exe
test.exe: application/octet-stream; charset=binary
I had read on a forum somewhere that someone recommended changing the
MailScanner.conf file command to file -i .. But it does not seem to make any
difference.
It makes a difference in what is reported. I.e., file reports the files
as executable which matches 'deny executable' in filetype.rules.conf,
but file -i reports them as application/octet-stream which is not
mentioned in filetype.rules.conf and thus allowed.

man file says in part

-i, --mime
    Causes the file command to output mime type strings rather than
    the more traditional human readable ones. Thus it may say
    "text/plain; charset=us-ascii" rather than "ASCII text".
Post by Jason Young
There does not seem to be anything in the headers about a .exe or anything
about attachments. But outlook knows there is a .exe or .com attachment and
it blocks it with itself.
The original headers you posted contained
Post by Jason Young
Post by Jason Young
Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"
If you examine the raw message body of that message, you should see
things like

------=_20131114101356_40730
Content-Type: text/plain; charset="..."

(message 'body')

------=_20131114101356_40730
Content-Type: application/octet-stream; name="xxx.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="xxx.exe"

(base 64 encoded data)
------=_20131114101356_40730--

What do those Content-Type: and Content-Disposition: headers look like
for your attached file? (Sorry, I can't tell you how to view the raw
message in Outlook.)

If they do have the expected .exe or .com extension, then I don't know
what the problem might be.
--
Mark Sapiro <mark at msapiro.net>
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
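An added example (not MailScanner's own code) that re-creates the two checks Mark contrasts above: the filename rules applied to each MIME part's filename, and the filetype rules matched against the text that `file` prints, so the output of `file` (which says "executable") is denied while the output of `file -i` (a bare MIME type) is not. The rule tables and the multipart message are constructed for the example; the `file` lines in the test are the ones Jason posted.

```python
import email
import re
from email import policy

# Constructed rule tables in the shape of the stock rules files (first match wins).
FILENAME_RULES = [("deny", r"\.com$"), ("deny", r"\.exe$"), ("allow", r".*")]
# filetype.rules.conf patterns are matched against the description that `file` prints.
FILETYPE_RULES = [("deny", r"executable"), ("allow", r".*")]

def first_match(rules, text):
    """Action of the first rule whose pattern matches text (case-insensitive)."""
    for action, pattern in rules:
        if re.search(pattern, text, re.IGNORECASE):
            return action
    return "allow"

def check_filenames(raw_message):
    """Filename rules over every attachment part -> list of (filename, action).
    A part that carries no filename can only ever hit the catch-all allow."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, first_match(FILENAME_RULES, name)))
    return results

def check_filetype(file_output):
    """Filetype rules over one line of `file` (or `file -i`) output."""
    return first_match(FILETYPE_RULES, file_output.split(":", 1)[-1])

# Constructed message shaped like Mark's sketch; the payloads are placeholders, not programs.
RAW = """\
Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"

------=_20131114101356_40730
Content-Type: text/plain

message body

------=_20131114101356_40730
Content-Type: application/octet-stream; name="test.exe"
Content-Disposition: attachment; filename="test.exe"

placeholder
------=_20131114101356_40730
Content-Type: application/octet-stream

placeholder
------=_20131114101356_40730--
"""
```

Running `check_filenames(RAW)` denies the part named test.exe but allows the nameless second part, which is why the part headers matter; `check_filetype` denies the plain `file` description and allows the `file -i` one.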
Peter Bonivart
2013-11-14 08:12:57 UTC
Post by Jason Young
There does not seem to be anything in the headers about a .exe or anything
about attachments. But outlook knows there is a .exe or .com attachment and
it blocks it with itself.
Set this in MailScanner.conf:

Log Permitted Filenames = yes
Log Permitted Filetypes = yes

Also add archiving of the addresses you're sending to, then you can
check how the mail came in like Mark suggests.