Disable spamd / clamav rule for outgoing spamcheck

[MichaelLoungeIT]

Hi there,

I have the following problem.
A client tries to send an html mail and it fails with this error message:

SMTP Fehler: [550] This message contains a virus or other harmful content
(example.com.Spam-3504.UNOFFICIAL)

I tried to whitelist this entry:
example.com
in clamav to /var/lib/clamav/whitelist.ign2

didnt help.
Then I tried to add to whitelist the domain in /etc/mail/spamassassin/local.cf
-> also no success

last try I created a /etc/skiprbldomains file with the domain added in there..
restartet all services.. still no success ;(

I have no further ideas.
How can I make sure, that my client can send out the html mail and surpasses somehow the outgoing check or atleast whitelists that special case.. but i cannot find out how.

 

[cPanelLauren]

Hi @MichaelLoungeIT


If you're trying to whitelist the user (you can't do the domain) you'd do it in the clamd.conf located at /usr/local/cpanel/3rdparty/etc/clamd.conf.

You'd change the option/s as follows:

# With this option you can whitelist the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan.  Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no

# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan.  Thus, setting
# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
# Default: disabled
#OnAccessExcludeUID -1

If you're trying to whitelist a signature that's the portioin you'd do in the whitelist.ign

You'd want to run clamscan against the file:

/usr/local/cpanel/3rdparty/bin/clamscan -i /users/file.ext

Which should return the specific signature

Then add the signature found to the whitelist you created

Once it's added restart clamd:

/scripts/restartsrv_clamd

Then run

/usr/local/cpanel/3rdparty/bin/clamscan -i /users/file.ext

against the file again

Thanks!

 

[MichaelLoungeIT]

the problem is.. It is an email, that somebody tries to send. So there is no File i can run against clam to get a correct signature.
All i have, is that error message thrown by webmail when trying to send the email.

 

[Infopro]

Wouldn't it be easier to try and figure out what's in that email that's being flagged as "virus or other harmful content"? Even if you get it to send from your server, other servers are most likely going to block it as well.

 

[sneader]

For anyone that is using this thread as a guide for how to whitelist a false-positive ClamAV rule that is blocking incoming file attachment emails, the CORRECT directory to put your whitelist rule is in:

/usr/local/cpanel/3rdparty/share/clamav/

The original post says /var/lib/clamav/, and many online references also mention this directory, but in the cPanel environment, it will not work to put the whitelist.ign2 file there.

- Scott