MailScanner blocking ClamAV emails

Antony Stone Antony.Stone at mailscanner.open.source.it
Sat Mar 25 16:00:56 UTC 2017


On Saturday 25 March 2017 at 16:50:34, Walt Thiessen wrote:

> What exactly should we whitelist? My admins claim that the only thing
> you can whitelist in ClamAV is a signature, and they say there are no
> signatures in the log entries to whitelist.

I would suggest you want to whitelist emails from 127.0.0.1.

After all, your objective is to scan & filter "inbound" emails and "outbound" 
emails, and I'd say that emails from 127.0.0.1 on the email host itself don't 
count as either.


Antony.

> On 3/25/2017 7:46 AM, Jerry Benton wrote:
> > Sane Security: http://sanesecurity.com/usage/signatures/
> > 
> > Did you add those rules to freshclam.conf ?
> > 
> > Regardless, you need to whitelist at the clam level, not MailScanner.
> > 
> > -
> > Jerry Benton
> > www.mailborder.com <http://www.mailborder.com>
> > +1 - 844-436-6245
> > 
> >> On Mar 25, 2017, at 7:45 AM, Walt Thiessen <wt at dld2000.com
> >> <mailto:wt at dld2000.com>> wrote:
> >> 
> >> I'm not sure what a Sane rule is.
> >> 
> >> On 3/25/2017 7:40 AM, Jerry Benton wrote:
> >>> Whitelisting in MailScanner. Whitelisting is for spam checks. You
> >>> will need to whitelist in clamav. It looks like a Sane rule is
> >>> catching it?
> >>> 
> >>> -
> >>> Jerry Benton
> >>> www.mailborder.com <http://www.mailborder.com/>
> >>> +1 - 844-436-6245
> >>> 
> >>>> On Mar 25, 2017, at 7:38 AM, Walt Thiessen <wt at dld2000.com
> >>>> <mailto:wt at dld2000.com>> wrote:
> >>>> 
> >>>> I have MailScanner set to check all inbound and outbound email
> >>>> using ClamAV.
> >>>> 
> >>>> I have ClamAV set up to send me an email each day informing me of
> >>>> any possible infections.
> >>>> 
> >>>> For about a week or two now, this email has failed to arrive.
> >>>> 
> >>>> My admins found the problem. ClamAV is apparently blocking itself
> >>>> via MailScanner.
> >>>> 
> >>>> From the maillog:
> >>>> 
> >>>> [root at server ~]# grep 1cqtVW-0002rF-UX /var/log/maillog
> >>>> Mar 22 23:33:50 server MailScanner: Filename Checks: Allowing
> >>>> 1cqtVW-0002rF-UX clamav-2017-03-22.log (no rule matched)
> >>>> Mar 22 23:33:51 server MailScanner: Filetype Checks: Allowing
> >>>> 1cqtVW-0002rF-UX clamav-2017-03-22.log
> >>>> Mar 22 23:33:51 server MailScanner: Clamd::INFECTED::
> >>>> YARA.r57shell_php_php.UNOFFICIAL ::
> >>>> ./1cqtVW-0002rF-UX/clamav-2017-03-22.log
> >>>> Mar 22 23:33:51 server MailScanner: Infected message
> >>>> 1cqtVW-0002rF-UX came from 127.0.0.1
> >>>> Mar 22 23:33:51 server MailScanner: 1cqtVW-0002rF-UX: Received for
> >>>> MailControl Database
> >>>> Mar 22 23:33:51 server MailScanner: 1cqtVW-0002rF-UX: MailControl
> >>>> cannot insert row:
> >>>> %%C7RPN1O2FYP5LGSYVTBFOC2X10OGEDRXXIPRGRGJJJI5KDWFI8S
> >>>> 
> >>>> We tried whitelisting root at server or 127.0.0.1, but it didn't help.
> >>>> 
> >>>> Any ideas?
> >>>> 
> >>>> Walt

-- 
Perfection in design is achieved not when there is nothing left to add, but 
rather when there is nothing left to take away.

 - Antoine de Saint-Exupery

                                                   Please reply to the list;
                                                         please *don't* CC me.
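
Added example, not part of the original message or of MailScanner: a short Python script that reads MailScanner maillog lines like those quoted above and lists the ClamAV signature name and attachment for every detection on a message that came from the mail host itself. The function name, the second log entry and the assumption that each log entry sits on one line (unwrapped) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first message mirrors the excerpt quoted in the thread
# (lines unwrapped); the second message is made up to show a non-local sender.
SAMPLE_LOG = """\
Mar 22 23:33:50 server MailScanner: Filename Checks: Allowing 1cqtVW-0002rF-UX clamav-2017-03-22.log (no rule matched)
Mar 22 23:33:51 server MailScanner: Clamd::INFECTED:: YARA.r57shell_php_php.UNOFFICIAL :: ./1cqtVW-0002rF-UX/clamav-2017-03-22.log
Mar 22 23:33:51 server MailScanner: Infected message 1cqtVW-0002rF-UX came from 127.0.0.1
Mar 22 23:34:10 server MailScanner: Clamd::INFECTED:: Example.Test.Sig :: ./1cqtZZ-0000aa-AB/invoice.doc
Mar 22 23:34:10 server MailScanner: Infected message 1cqtZZ-0000aa-AB came from 192.0.2.10
"""

# "Clamd::INFECTED:: <signature> :: ./<message id>/<file name>"
INFECTED = re.compile(
    r"MailScanner: Clamd::INFECTED::\s*(?P<sig>\S+)\s*::\s*\./(?P<id>[^/\s]+)/(?P<file>\S+)"
)
# "Infected message <message id> came from <client IP>"
SOURCE = re.compile(r"MailScanner: Infected message (?P<id>\S+) came from (?P<ip>\S+)")


def local_detections(log_text, local_ips=("127.0.0.1", "::1")):
    """Return one record per ClamAV hit on a message submitted from local_ips."""
    hits = defaultdict(list)  # message id -> [(signature, file name)]
    source = {}               # message id -> client IP
    for line in log_text.splitlines():
        m = INFECTED.search(line)
        if m:
            sig = m.group("sig")
            # clamd appends .UNOFFICIAL to names from third-party databases
            if sig.endswith(".UNOFFICIAL"):
                sig = sig[: -len(".UNOFFICIAL")]
            hits[m.group("id")].append((sig, m.group("file")))
            continue
        m = SOURCE.search(line)
        if m:
            source[m.group("id")] = m.group("ip")
    return [
        {"id": mid, "signature": sig, "file": fname}
        for mid, found in hits.items()
        if source.get(mid) in local_ips
        for sig, fname in found
    ]


if __name__ == "__main__":
    for d in local_detections(SAMPLE_LOG):
        print(f"{d['id']}: {d['signature']} matched {d['file']}")
```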

