
ClamAV bouncing DKIM JMRP program email

Discussion in 'E-mail Discussions' started by TCC, Apr 3, 2015.

  1. TCC

    TCC Member

    Joined:
    Mar 27, 2015
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    ClamAV is identifying incoming email sent by Google to the abuse address on my vps as dangerous.
    DKIM is set up and I've joined the JMRP program so the return from Google is expected.
    Code:
    1Ydx7Y-0001or-R1 cancelled by system filter: This message has been rejected because it has
    potentially executable content "google.com!*****.com
    This form of attachment has been used by
    recent viruses or other malware.
    If you meant to send this file then please
    package it up as a zip file and resend it.
    
    Of course it's bounced back to the noreply address at Google.
    The mail server and IP from Google are a match, so it appears legit. It may be that ClamAV is identifying it as potentially executable content due to the manner in which the .com is displayed in the report, or the bounce actually contains an executable. Is there any way to whitelist an IP or email account from ClamAV so I can verify if it's a dangerous attachment or a false positive due to the nature of the report? I've chosen afrf reporting. If it's an actual dangerous attachment, I'll ignore them in the future.

    When I first checked Mail Delivery Reports this morning, it showed this email as in process, now it isn't listed in the reports at all even though it's still in the logs.

    TIA
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    650
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    You can't whitelist a specific IP address or email account using any native options in WHM/cPanel, so you may want to temporarily disable ClamAV if you want to allow a specific message through to verify if it's an actual virus.

    Thank you.
     
  3. JonTheWong

    JonTheWong Active Member

    Joined:
    Oct 8, 2013
    Messages:
    38
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Montreal, Quebec
    cPanel Access Level:
    Root Administrator
    I've been having the same problems for months; my quick fix was to disable /etc/cpanel_exim_system_filter in the Exim config editor, but that removes support for:

    Code:
    Attachments: Filter messages with dangerous attachments
    
    Apache SpamAssassin™: Global Subject Rewrite [?]
    Prefixes the “X-Spam-Subject” header prefix (set below) onto the “Subject” header and omits the “X-Spam-Subject” header .
    /usr/local/cpanel/etc/exim/sysfilter/options/attachments
    is included in cpanel_exim_system_filters


    Here is a snippet on how to find a workaround:

    Code:
    Direct modifications to the /etc/cpanel_exim_system_filter file will be lost when the configuration is next rebuilt. To have modifications retained, please use one of the following options:
    
    1)     * Place each sysfilter block you wish to include in a unique file at:
             /usr/local/cpanel/etc/exim/sysfilter/options/
            * Enable or disable the custom block in WHM using:
            Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]
    
    2)     * Create a custom sysfilter file in /etc/
            * Change the location of the sysfilter file in WHM using:
            Service Configuration => Exim Configuration Manager => Filters => System Filter File
    
    Based on that, the quick fix would be to remove the COM values in the attachments include,
    and then merge it all together into a custom filter and set that filter in the WHM/Exim config editor.

    The pro: will allow the Google DMARC emails to be received and/or forwarded to your DMARC manager service.
    The con: allows .com file attachments.

    I'll have to find a better regex, or ask google to stop sending the emails with the .com suffix.

    Another option that I've seen is:
    Disable "Attachments: Filter messages with dangerous attachments" in the WHM/Exim config manager.
    But that would remove all filtering of email attachments and not just .com files... so the devil is in the details.
     
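As an added example (not code from this thread, from cPanel or from Exim), the Python sketch below shows why a suffix-only attachment rule trips on the report name quoted in the log line, and how a narrower exemption behaves. The regexes, the example.com stand-in for the masked domain, and the assumption that the name follows the DMARC receiver!domain naming convention are mine, not the page's.

```python
import re
from dataclasses import dataclass

# Illustrative suffix-only rule in the spirit of a "dangerous attachments"
# system filter (an assumption; not cPanel's actual sysfilter regex).
DANGEROUS_EXT = re.compile(r"\.(com|exe|bat|scr|pif)$", re.IGNORECASE)

# DMARC aggregate reports are named receiver!policy-domain!begin!end.ext
# (RFC 7489 section 7.2.1.1); the "!"-joined domain names are the tell-tale.
# Assumption: the name quoted in the log line follows the same receiver!domain shape.
REPORT_NAME = re.compile(
    r"^[a-z0-9.-]+![a-z0-9.-]+(![0-9]+![0-9]+)?(\.(xml|zip|gz))?$", re.IGNORECASE)

# Declared MIME types used by aggregate (zip/xml) and afrf failure reports.
REPORT_TYPES = {"application/zip", "application/gzip", "application/xml",
                "text/xml", "message/feedback-report"}


@dataclass
class Attachment:
    filename: str
    content_type: str


def naive_verdict(att: Attachment) -> str:
    """Suffix-only rule: any name ending in an executable extension is rejected."""
    return "reject" if DANGEROUS_EXT.search(att.filename) else "accept"


def refined_verdict(att: Attachment) -> str:
    """Same rule, but a report-shaped name with a report MIME type is let through.
    Name and MIME type are both sender-controlled, so this only narrows the
    exemption; the trust signal is the DKIM/SPF-aligned sender, checked elsewhere."""
    if not DANGEROUS_EXT.search(att.filename):
        return "accept"
    if REPORT_NAME.match(att.filename) and att.content_type.lower() in REPORT_TYPES:
        return "accept-report"
    return "reject"


# Constructed samples; example.com stands in for the masked domain in the log line.
SAMPLES = [
    Attachment("google.com!example.com", "message/feedback-report"),   # the false positive
    Attachment("setup.com", "application/octet-stream"),               # a real .com executable
    Attachment("google.com!example.com", "application/x-msdownload"),  # report name, exe type
    Attachment("report.pdf", "application/pdf"),                       # harmless either way
]


def compare(samples=SAMPLES):
    """Return (filename, naive verdict, refined verdict) for each sample."""
    return [(a.filename, naive_verdict(a), refined_verdict(a)) for a in samples]
```

Running `compare()` shows the report name rejected by the naive rule but accepted as a report by the refined one, while a real `setup.com` is rejected by both.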