ClamAV bouncing DKIM JMRP program email


Mar 27, 2015
cPanel Access Level
Root Administrator
ClamAV is identifying incoming email sent by Google to the abuse address on my vps as dangerous.
DKIM is set up and I've joined the JMRP program so the return from Google is expected.
1Ydx7Y-0001or-R1 cancelled by system filter: This message has been rejected because it has\npotentially executable content "!*****.com\nThis form of attachment has been used by\nrecent viruses or other malware.\nIf you meant to send this file then please\npackage it up as a zip file and resend it.
Of course it's bounced back to the noreply address at Google.
The mail server and IP from Google are a match, so it appears legit. It may be that ClamAV is identifying it as potentially executable content due to the manner the .com is displayed in the report, or the bounce actually contains an executable. Is there any way to whitelist an IP or email account from ClamAV so I can verify if it's a dangerous attachment or if it's a false positive due to the nature of the report? I've chosen AFRF reporting. If it's an actual dangerous attachment, I'll ignore them in the future.

When I first checked Mail Delivery Reports this morning, it showed this email as in process, now it isn't listed in the reports at all even though it's still in the logs.



Staff member
Apr 11, 2011

You can't whitelist a specific IP address or email account using any native options in WHM/cPanel, so you may want to temporarily disable ClamAV if you want to allow a specific message through to verify if it's an actual virus.

Thank you.


Active Member
Oct 8, 2013
Montreal, Quebec
cPanel Access Level
Root Administrator
I've been having the same problems for months. My quick fix was to disable /etc/cpanel_exim_system_filter in the Exim config editor, but that removes support for:

Attachments: Filter messages with dangerous attachments

Apache SpamAssassin™: Global Subject Rewrite
Prefixes the “X-Spam-Subject” header prefix (set below) onto the “Subject” header and omits the “X-Spam-Subject” header.
Is included in cpanel_exim_system_filters

Here is a snippet on how to find a workaround:

Direct modifications to the /etc/cpanel_exim_system_filter file will be lost when the configuration is next rebuilt. To have modifications retained, please use one of the following options:

1)     * Place each sysfilter block you wish to include in a unique file at:
        * Enable or disable the custom block in WHM using:
        Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]

2)     * Create a custom sysfilter file in /etc/
        * Change the location of the sysfilter file in WHM using:
        Service Configuration => Exim Configuration Manager => Filters => System Filter File

Based on that, the quick fix would be to remove the COM values in the attachments include
and then merge it all together into a custom filter and set that filter in WHM/EXIM config editor.

The pro: Will allow the Google DMARC emails to be received and/or forwarded to your DMARC manager service.
The con: Allows .com file attachments

I'll have to find a better regex, or ask Google to stop sending the emails with the .com suffix.

Another option that I've seen is:
Disable Attachments: Filter messages with dangerous attachments in WHM/EXIM config manager.
But that would remove all filtering of email attachments and not just .com files... so the devil is in the details.
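
An added example, not part of any post above and not cPanel's filter code: it shows why an extension check that is not anchored to the end of the filename trips on a report attachment whose name contains ".com", and how an end-anchored check still blocks real .com files. Both regexes, the short extension list and the sample headers are assumptions constructed for illustration.

```python
import re

# Assumption: a short stand-in for the filter's extension list (the real list is longer).
BLOCKED_EXT = r"(?:bat|cmd|com|exe|pif|scr)"

# Assumed loose check: a blocked extension anywhere inside the name is enough.
LOOSE = re.compile(r'name="?([^";]*\.' + BLOCKED_EXT + r')', re.I)

# Tightened check: the blocked extension must be the final extension, i.e.
# followed only by an optional closing quote and then ';' or end of header.
STRICT = re.compile(r'name="?([^";]*\.' + BLOCKED_EXT + r')"?\s*(?:;|$)', re.I)


def blocked_name(header_value, pattern):
    """Return the filename portion that triggers the pattern, or None."""
    m = pattern.search(header_value)
    return m.group(1) if m else None


# Constructed sample headers. The first uses the RFC 7489 aggregate report
# naming scheme: receiver!policy-domain!begin!end.zip
SAMPLES = {
    "dmarc_report": 'attachment; filename="google.com!example.com!1427328000!1427414399.zip"',
    "dos_executable": 'attachment; filename="invoice.com"',
    "double_ext": "attachment; filename=scan.pdf.EXE; size=20480",
    "plain_zip": 'attachment; filename="photos.zip"',
}


def compare(samples=SAMPLES):
    """Map each sample to (loose_hit, strict_hit)."""
    return {k: (blocked_name(v, LOOSE), blocked_name(v, STRICT)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:15} loose={loose!r:28} strict={strict!r}")
```

The end-of-name anchoring would still have to be translated into the custom filter file's own syntax and tested there before replacing the stock attachment check.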