Issue with MailScanner not blocking incoming attachments that SHOULD be denied.
Jason Young
jyoung71 at gmail.com
Wed Nov 13 23:35:33 GMT 2013
Hi Everyone,
I am wondering if anyone would have any ideas as to why my MailScanners (I
have 4 in total) would not block / quarantine attachments like .exe etc. I
have been through all the configs and log files but I can't find anything
that points to a problem in my setup.
I am running MailScanner on CentOS 6. MailScanner is version 4.84.6 and
ClamAV is the anti-virus installed. Once MailScanner works its magic on
the incoming emails they are then relayed internally to an Exchange server.
I have not really changed much in the standard MailScanner.conf file. I
have verified:
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
And the 2 "default" Rules files exist and are standard out of the box.
They contain :
# These 2 added by popular demand - Very often used by viruses
deny	\.com$	Windows/DOS Executable	Executable DOS/Windows programs are dangerous in email
deny	\.exe$	Windows/DOS Executable	Executable DOS/Windows programs are dangerous in email
My testing has so far been to use an external mail server to send an
attached windows executable file (.exe) to an internal exchange account. I
have tried both using an outlook external client and also a native Linux
based web client with the same result (i.e. the exe file is delivered to the
exchange account).
The maillog contains the following entries when I send the test email in:
Nov 14 09:14:04 mailscanner postfix/smtpd[27736]: connect from unknown[XXX.XXX.XXX.XXX]
Nov 14 09:14:05 mailscanner postfix/smtpd[27736]: B32DF300F7A: client=unknown[XXX.XXX.XXX.XXX]
Nov 14 09:14:06 mailscanner postfix/cleanup[27980]: B32DF300F7A: hold: header Received: from XXXXX.XXX (unknown [XXX.XXX.XXX.XXX])??by mailscanner.XXXXX.XXX (Postfix) with SMTP id B32DF300F7A??for <jyoung at XXXXX.XXX>; Thu, 14 Nov 2013 09:14:05 +100 from unknown[XXX.XXX.XXX.XXX]; from=<jason at XXXXX.XXX> to=<jyoung at XXXXX.XXX> proto=SMTP helo=<XXXXX.XXXXX.XXX>
Nov 14 09:14:06 mailscanner postfix/cleanup[27980]: B32DF300F7A: message-id=<70df8fbcea6253ccee9a2a40329f09ce.squirrel at webmail.XXXXX.XXX>
Nov 14 09:14:08 mailscanner postfix/smtpd[27736]: disconnect from unknown[XXX.XXX.XXX.XXX]
Nov 14 09:14:09 mailscanner MailScanner[27843]: New Batch: Found 1 messages waiting
Nov 14 09:14:09 mailscanner MailScanner[27843]: New Batch: Scanning 1 messages, 151691 bytes
Nov 14 09:14:09 mailscanner MailScanner[27843]: Virus and Content Scanning: Starting
Nov 14 09:14:10 mailscanner MailScanner[27843]: Requeue: B32DF300F7A.AE0C2 to CCE03300F7F
Nov 14 09:14:10 mailscanner MailScanner[27843]: Uninfected: Delivered 1 messages
Nov 14 09:14:10 mailscanner postfix/qmgr[16933]: CCE03300F7F: from=<jason at XXXXX.XXX>, size=151040, nrcpt=1 (queue active)
Nov 14 09:14:10 mailscanner MailScanner[27843]: Deleted 1 messages from processing-database
Nov 14 09:14:10 mailscanner MailScanner[27843]: Logging message B32DF300F7A.AE0C2 to SQL
Nov 14 09:14:10 mailscanner MailScanner[20512]: B32DF300F7A.AE0C2: Logged to MailWatch SQL
Nov 14 09:14:11 mailscanner postfix/smtp[27944]: CCE03300F7F: to=<jyoung at XXXXX.XXX>, relay=10.10.10.12[10.10.10.12]:25, delay=5.9, delays=5.1/0/0/0.78, dsn=2.6.0, status=sent (250 2.6.0 <70df8fbcea6253ccee9a2a40329f09ce.squirrel at webmail.XXXXX.XXX> [InternalId=20096151978059] Queued mail for delivery)
Nov 14 09:14:11 mailscanner postfix/qmgr[16933]: CCE03300F7F: removed
And the email that arrives has the following header (extract):
Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"
X-Priority: 3 (Normal)
Importance: Normal
X-SXXXXXXXX-MailScanner-Information: Please contact the ISP for more information
X-SXXXXXXXX-MailScanner-ID: D5DB6FF800A.AF88E
X-SXXXXXXXX-MailScanner: Found to be clean
X-SXXXXXXXX-MailScanner-From: jason at XXXXX.XXX
X-Spam-Status: No, No
X-RXXXXXXXX-MailScanner-Information: Please contact the ISP for more information
X-RXXXXXXXX-MailScanner-ID: B32DF300F7A.AE0C2
X-RXXXXXXXX-MailScanner: Found to be clean
X-RXXXXXXXX-MailScanner-From: jason at XXXXX.XXX
Running MailScanner -lint gives the following output :
[root at mailscanner ~]# MailScanner --lint
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 872 hostnames from the phishing whitelist
Read 6957 hostnames from the phishing blacklists
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Checking version numbers...
Version number in MailScanner.conf (4.84.6) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (48)
MailScanner setting UID to (89)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 4 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging
Does anyone have any ideas or suggestions as to why the attached files
inbound are not being blocked? I am of course making the assumption that
.exe files should by default be blocked :)
Regards
Jason Young
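The following is an added example, not part of the post above and not code from the MailScanner project. It models the kind of filename-rule evaluation the post relies on (tab-separated action/regex/log-text/user-text lines, evaluated top to bottom with the first match winning, matched case-insensitively against each attachment name) and runs it over a constructed rules fragment and a constructed two-attachment MIME message. The tab-separated layout, first-match semantics, case-insensitive matching and "no match means allow" behaviour are assumptions of this model, as is the choice to report a space-separated rule line as malformed rather than guessing at its fields; the addresses and attachment names are hypothetical.

```python
# Added example, not from the post or from the MailScanner project: a small
# model of how filename.rules.conf-style rules get applied to attachment
# names, so a rules file and a test message can be checked offline.
#
# Assumptions made by this model (not verified against MailScanner's code):
#  - rule fields are tab-separated: action, regex, log text, user report
#  - rules are evaluated top to bottom and the first match wins
#  - the regex is matched case-insensitively against the attachment name
#  - a name that matches no rule is allowed
#  - a rule line whose fields are not tab-separated is reported as malformed
import email
import re
from email import policy

# Constructed rules fragment, modelled on the two stock lines quoted in the
# post plus three lines added here. Fields are separated by TAB characters;
# the ".scr" line is deliberately space-separated to show the malformed case.
RULES_TEXT = (
    "# These 2 added by popular demand - Very often used by viruses\n"
    "deny\t\\.com$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email\n"
    "deny\t\\.exe$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email\n"
    "allow\t\\.pdf$\t-\t-\n"
    "deny \\.scr$ Windows Screensaver Screensavers are dangerous in email\n"
    "allow\t.*\t-\t-\n"
)

# Constructed test message with two attachments (hypothetical addresses).
SAMPLE_MESSAGE = """\
From: jason@example.test
To: jyoung@example.test
Subject: attachment test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_b1"

------=_b1
Content-Type: text/plain; charset=us-ascii

see attached
------=_b1
Content-Type: application/octet-stream; name="Report.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Report.EXE"

TVqQAAMAAAAEAAAA//8AAA==
------=_b1
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"

JVBERi0xLjQK
------=_b1--
"""


def parse_rules(text):
    """Parse rules text into (rules, problems).

    rules    - list of (action, compiled_regex, log_text, user_text)
    problems - list of (line_number, description) for lines that were skipped
    """
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            problems.append((lineno, "fields are not tab-separated: %r" % line))
            continue
        action = fields[0].strip().lower()
        if action not in ("allow", "deny"):
            problems.append((lineno, "unsupported action %r" % action))
            continue
        try:
            regex = re.compile(fields[1].strip(), re.IGNORECASE)
        except re.error as exc:
            problems.append((lineno, "bad regex %r: %s" % (fields[1], exc)))
            continue
        log_text = fields[2].strip() if len(fields) > 2 else "-"
        user_text = fields[3].strip() if len(fields) > 3 else "-"
        rules.append((action, regex, log_text, user_text))
    return rules, problems


def check_name(name, rules):
    """Return (action, log_text) for the first rule whose regex matches name."""
    for action, regex, log_text, _user_text in rules:
        if regex.search(name):
            return action, log_text
    return "allow", "no rule matched (default allow in this model)"


def attachment_names(raw_message):
    """Collect attachment names: Content-Disposition filename, else Content-Type name."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def check_message(raw_message, rules):
    """Map each attachment name in the message to its (action, log_text) verdict."""
    return {name: check_name(name, rules) for name in attachment_names(raw_message)}


if __name__ == "__main__":
    rules, problems = parse_rules(RULES_TEXT)
    for lineno, desc in problems:
        print("rules line %d: %s" % (lineno, desc))
    for name, (action, log_text) in check_message(SAMPLE_MESSAGE, rules).items():
        print("%-12s %-5s %s" % (name, action, log_text))
```

Run as-is, the script reports the space-separated ".scr" line as malformed, denies "Report.EXE" under the Windows/DOS Executable rule and allows "notes.pdf". Two things the model does not cover but a practitioner checking a real installation would: the filename checks and the file(1)-based Filetype Rules only run when Dangerous Content Scanning is enabled for the rule set that matches the message, so that setting is worth confirming alongside the rules files, and the attachment name MailScanner sees is whatever the MIME headers carry, so a test message should be inspected for whether the filename is in Content-Disposition, Content-Type, or both.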