MailScanner blocking ClamAV emails
Walt Thiessen
wt at dld2000.com
Sat Mar 25 15:50:34 UTC 2017
What exactly should we whitelist? My admins claim that the only thing
you can whitelist in ClamAV is a signature, and they say there are no
signatures in the log entries to whitelist.
On 3/25/2017 7:46 AM, Jerry Benton wrote:
> Sane Security: http://sanesecurity.com/usage/signatures/
>
> Did you add those rules to freshclam.conf ?
>
> Regardless, you need to whitelist at the clam level, not MailScanner.
>
> -
> Jerry Benton
> www.mailborder.com <http://www.mailborder.com>
> +1 - 844-436-6245
>
>
>
>> On Mar 25, 2017, at 7:45 AM, Walt Thiessen <wt at dld2000.com
>> <mailto:wt at dld2000.com>> wrote:
>>
>> I'm not sure what a Sane rule is.
>>
>>
>> On 3/25/2017 7:40 AM, Jerry Benton wrote:
>>> Whitelisting in MailScanner. Whitelisting is for spam checks. You
>>> will need to whitelist in clamav. It looks like a Sane rule is
>>> catching it?
>>>
>>> -
>>> Jerry Benton
>>> www.mailborder.com <http://www.mailborder.com/>
>>> +1 - 844-436-6245
>>>
>>>
>>>
>>>> On Mar 25, 2017, at 7:38 AM, Walt Thiessen <wt at dld2000.com
>>>> <mailto:wt at dld2000.com>> wrote:
>>>>
>>>> I have MailScanner set to check all inbound and outbound email
>>>> using ClamAV.
>>>>
>>>> I have ClamAV set up to send me an email each day informing me of
>>>> any possible infections.
>>>>
>>>> For about a week or two now, this email has failed to arrive.
>>>>
>>>> My admins found the problem. ClamAV is apparently blocking itself
>>>> via MailScanner.
>>>>
>>>> From the maillog:
>>>>
>>>> [root at server ~]# grep 1cqtVW-0002rF-UX /var/log/maillog
>>>> Mar 22 23:33:50 server MailScanner: Filename Checks: Allowing
>>>> 1cqtVW-0002rF-UX clamav-2017-03-22.log (no rule matched)
>>>> Mar 22 23:33:51 server MailScanner: Filetype Checks: Allowing
>>>> 1cqtVW-0002rF-UX clamav-2017-03-22.log
>>>> Mar 22 23:33:51 server MailScanner: Clamd::INFECTED::
>>>> YARA.r57shell_php_php.UNOFFICIAL ::
>>>> ./1cqtVW-0002rF-UX/clamav-2017-03-22.log
>>>> Mar 22 23:33:51 server MailScanner: Infected message
>>>> 1cqtVW-0002rF-UX came from 127.0.0.1
>>>> Mar 22 23:33:51 server MailScanner: 1cqtVW-0002rF-UX: Received for
>>>> MailControl Database
>>>> Mar 22 23:33:51 server MailScanner: 1cqtVW-0002rF-UX: MailControl
>>>> cannot insert row:
>>>> %%C7RPN1O2FYP5LGSYVTBFOC2X10OGEDRXXIPRGRGJJJI5KDWFI8S
>>>>
>>>> We tried whitelisting root at server or 127.0.0.1, but it didn't help.
>>>>
>>>> Any ideas?
>>>>
>>>> Walt
>>>>
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> <mailto:mailscanner at lists.mailscanner.info>
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
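The maillog excerpt quoted in this thread, parsed as an added example (not code from any poster or from the MailScanner or ClamAV projects): it extracts the signature name from each `Clamd::INFECTED::` entry and flags messages where a locally submitted ClamAV report was itself the file that matched. Assumptions: log entries are unwrapped to one line each, the daily report attachment is named `clamav-YYYY-MM-DD.log`, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the maillog entries quoted in the thread, unwrapped to one line each.
SAMPLE_MAILLOG = """\
Mar 22 23:33:50 server MailScanner: Filename Checks: Allowing 1cqtVW-0002rF-UX clamav-2017-03-22.log (no rule matched)
Mar 22 23:33:51 server MailScanner: Filetype Checks: Allowing 1cqtVW-0002rF-UX clamav-2017-03-22.log
Mar 22 23:33:51 server MailScanner: Clamd::INFECTED:: YARA.r57shell_php_php.UNOFFICIAL :: ./1cqtVW-0002rF-UX/clamav-2017-03-22.log
Mar 22 23:33:51 server MailScanner: Infected message 1cqtVW-0002rF-UX came from 127.0.0.1
"""

# Layout: "Clamd::INFECTED:: <signature> :: ./<message-id>/<file>"
HIT = re.compile(r"Clamd::INFECTED::\s*(?P<sig>\S+)\s*::\s*\./(?P<msg>[^/\s]+)/(?P<file>\S+)")
SRC = re.compile(r"Infected message (?P<msg>\S+) came from (?P<ip>\S+)")
# Assumption: the daily report attachment is always named clamav-YYYY-MM-DD.log.
REPORT = re.compile(r"clamav-\d{4}-\d{2}-\d{2}\.log$")
SUFFIX = ".UNOFFICIAL"  # appended by ClamAV to names from third-party databases

def clamd_hits(log_text):
    """Return {message_id: {"hits": [(signature, file)], "source": ip}}."""
    msgs = defaultdict(lambda: {"hits": [], "source": None})
    for line in log_text.splitlines():
        m = HIT.search(line)
        if m:
            sig = m["sig"]
            if sig.endswith(SUFFIX):
                sig = sig[:-len(SUFFIX)]  # bare rule name
            msgs[m["msg"]]["hits"].append((sig, m["file"]))
            continue
        m = SRC.search(line)
        if m:
            msgs[m["msg"]]["source"] = m["ip"]
    return dict(msgs)

def self_scan_hits(log_text):
    """Hits where a locally submitted scan report was itself flagged."""
    out = []
    for msg_id, info in clamd_hits(log_text).items():
        local = info["source"] in ("127.0.0.1", "::1")
        for sig, fname in info["hits"]:
            if local and REPORT.search(fname):
                out.append((msg_id, sig, fname))
    return out

if __name__ == "__main__":
    for msg_id, sig, fname in self_scan_hits(SAMPLE_MAILLOG):
        print(f"{msg_id}: {fname} matched {sig}")
```

On the sample above this reports message `1cqtVW-0002rF-UX`, file `clamav-2017-03-22.log`, rule name `YARA.r57shell_php_php`.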