ClamAV bouncing DKIM JMRP program email

Discussion in 'E-mail Discussion' started by TCC, Apr 3, 2015.

  1. TCC

    TCC Member

    Mar 27, 2015
    cPanel Access Level:
    Root Administrator
    ClamAV is identifying incoming email sent by Google to the abuse address on my VPS as dangerous.
    DKIM is set up and I've joined the JMRP program so the return from Google is expected.
    1Ydx7Y-0001or-R1 cancelled by system filter: This message has been rejected because it has\npotentially executable content "!*****.com\nThis form of attachment has been used by\nrecent viruses or other malware.\nIf you meant to send this file then please\npackage it up as a zip file and resend it.
    Of course it's bounced back to the noreply address at Google.
    The mailserver and IP from Google are a match so it appears legit. It may be that ClamAV is identifying it as potentially executable content due to the manner the .com is displayed in the report, or the bounce actually contains an executable. Is there any way to whitelist an IP or email account from ClamAV so I can verify if it's a dangerous attachment or if it's a false positive due to the nature of the report? I've chosen AFRF reporting. If it's an actual dangerous attachment, I'll ignore them in the future.

    When I first checked Mail Delivery Reports this morning, it showed this email as in process, now it isn't listed in the reports at all even though it's still in the logs.

  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator

    You can't whitelist a specific IP address or email account using any native options in WHM/cPanel, so you may want to temporarily disable ClamAV if you want to allow a specific message through to verify if it's an actual virus.

    Thank you.
  3. JonTheWong

    JonTheWong Active Member

    Oct 8, 2013
    Montreal, Quebec
    cPanel Access Level:
    Root Administrator
    I've been having the same problems for months. My quick fix was to disable /etc/cpanel_exim_system_filter
    in the Exim config editor, but that removes support for:

    Attachments: Filter messages with dangerous attachments
    Apache SpamAssassin™: Global Subject Rewrite [?]
    Prefixes the “X-Spam-Subject” header prefix (set below) onto the “Subject” header and omits the “X-Spam-Subject” header.
    Is included in cpanel_exim_system_filters

    Here is a snippet on how to find a workaround:

    Direct modifications to the /etc/cpanel_exim_system_filter file will be lost when the configuration is next rebuilt. To have modifications retained, please use one of the following options:
    1)     * Place each sysfilter block you wish to include in a unique file at:
            * Enable or disable the custom block in WHM using:
            Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]
    2)     * Create a custom sysfilter file in /etc/
            * Change the location of the sysfilter file in WHM using:
            Service Configuration => Exim Configuration Manager => Filters => System Filter File
    Based on that, the quick fix would be to remove the COM values in attachments include
    and then merge it all together into a custom filter and set that filter in WHM/EXIM config editor.

    The pro: Will allow the Google DMARC emails to be received and/or forwarded to your DMARC manager service.
    The con: Allows .com file attachments

    I'll have to find a better regex, or ask Google to stop sending the emails with the .com suffix.

    Another option that I've seen is:
    Disable Attachments: Filter messages with dangerous attachments in WHM/EXIM config manager.
    But that would remove all filtering of email attachments and not just .com files... so the devil is in the details.
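
The trade-off described in the last post (dropping `.com` from the attachment list versus keeping it) can be narrowed by testing only the final extension of the attachment name. The sketch below is an added example, not cPanel's filter and not Exim filter syntax: it is Python used to show the matching logic, and the extension list, the loose pattern, the sample filename and all function names are constructed for illustration. It assumes the rejection is triggered by `.com` appearing inside a DMARC-style report filename.

```python
import re
from email.message import EmailMessage

# Constructed subset of extensions an attachment filter might block.
BLOCKED_EXTS = {"bat", "cmd", "com", "exe", "pif", "scr"}

# Constructed stand-in for an over-broad rule: a blocked extension anywhere
# in the name, not only at the end.
LOOSE = re.compile(r"\.(?:%s)\b" % "|".join(sorted(BLOCKED_EXTS)), re.I)

# Constructed sample in the DMARC aggregate report naming style
# (receiver!policy-domain!begin!end.zip); domains are placeholders.
REPORT = "receiver.example!example.com!1427932800!1428019199.zip"


def final_ext(filename):
    """Last extension, lower-cased, ignoring trailing dots and spaces."""
    name = filename.strip().rstrip(". ")
    return name.rpartition(".")[2].lower() if "." in name else ""


def loose_hit(filename):
    return bool(LOOSE.search(filename))


def strict_hit(filename):
    return final_ext(filename) in BLOCKED_EXTS


def blocked_attachments(msg, check=strict_hit):
    """Filenames of attachments in a parsed message that `check` flags."""
    names = [part.get_filename() for part in msg.iter_attachments()]
    return [n for n in names if n and check(n)]


def build(filename):
    """Constructed test message carrying one attachment with this name."""
    msg = EmailMessage()
    msg["Subject"] = "Report domain: example.com"
    msg.set_content("constructed body")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for name in (REPORT, "invoice.com", "notes.pdf.com. "):
        print(f"{name!r}: loose={loose_hit(name)} strict={strict_hit(name)}")
```

The strict check still flags a real `.com` attachment, including a double extension or a name padded with trailing dots, so the attachment filter stays in place; it does not look inside the zip, which remains the virus scanner's job.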