Exim blocking DMARC reports from Gmail

Discussion in 'E-mail Discussions' started by zydu, Jun 10, 2016.

  1. zydu

    zydu Member

    Hi,

    I have set up DMARC records for some of the websites I host on my server.

    I have noticed that EXIM is blocking reports being sent from Gmail. The generated error message is:

    "
    postmaster@somedomain.com
    This message has been rejected because it has
    potentially executable content "google.com!somedomain.com
    This form of attachment has been used by
    recent viruses or other malware.
    If you meant to send this file then please
    package it up as a zip file and resend it."

    Attachment in the report sent from Gmail looks like this:

    google.com!somedomainname.com!1465344000!1465430399.zip

    Despite the attachment being sent as a zip file, the .com in the file name is triggering some filter. How can I prevent this from happening?

    I am running an up-to-date version of WHM/Exim.

    EDIT: I have noticed that other reports arrive without problems. The file format they use is:
    sendingdomain.com!somedomain.com!1465344000!1465430399!31565113.xml.zip

    EDIT: hotmail reports arrive without problems:
    hotmail.com!somedomain.com!1465470000!1465556400.zip

    Regards

    Mike
     
    #1 zydu, Jun 10, 2016
    Last edited: Jun 10, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. rpvw

    rpvw Well-Known Member

    @zydu
    I got exactly the same results as you did - DMARC reports from Hotmail etc. are delivered to my mail account without problems, but the reports from google.com are always filtered as having malware and blocked (and then, to aggravate the situation further, Exim tries to send a mail back to a no-reply Google address!)

    I have got round this temporarily, and somewhat unsatisfactorily, by changing my DMARC TXT record to send reports to an off-server email address (actually a Gmail account!), which works but is no definitive solution.

    I think that perhaps the cpanel_exim_system_filter file is being overly aggressive, or some other solution needs to be found to allow these dmarc reports to get through without having to compromise the mail system security.
     
  4. zydu

    zydu Member

    Thank you for your suggestions.

    I would prefer to solve it at the filter level, so I followed the 2nd link from cPanelMichael's reply and created a custom version of /etc/cpanel_exim_system_filter.

    I can see that the attachment from Gmail is triggering the following 2nd filter in that file:

    Code:
    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
    then
      fail text "This message has been rejected because it has\n\
                 potentially executable content $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it.2"
      seen finish
    endif
    
    If you look at the source of the message from Gmail, the reason is this line:
    Content-Type: application/zip;
    name="google.com!mydomain.com!1466208000!1466294399.zip"

    Reports from other providers contain similar attachments but their names are not in quotes:

    Content-Type: application/zip; name=hotmail.com!mydomain.com!1466089200!1466175600.zip

    Can somebody help modify the regular expression in the above code, so it would not trigger the filter for the DMARC report from Gmail containing the following header but still reject messages with suspicious attachments:
    Content-Type: application/zip;
    name="google.com!mydomain.com!1466208000!1466294399.zip"

    Regards

    Mike
     
    #4 zydu, Jun 19, 2016
    Last edited: Jun 19, 2016
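The match described in post #4, reproduced as an added example (not code from the thread or from cPanel): Python's `re` stands in for Exim's matcher to show why the unquoted-filename rule fires on the Gmail header, next to a hypothetical tightened pattern that only counts an extension at the end of the filename. The names `flagged`, `ORIGINAL` and `ANCHORED`, and every header other than the Gmail one, are constructed for illustration.

```python
import re

# Extension list copied from the filter rule quoted in post #4.
EXTS = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
        r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")

# The rule's regex as the matcher is assumed to see it: each "\\\\" in the
# filter file taken as one backslash after Exim's string processing. The
# lower-case "matches" condition is case-independent, hence re.I.
ORIGINAL = re.compile(r"(?:file)?name=(\S+\.(?:%s))" % EXTS, re.I)

# Hypothetical tightened variant (an assumption, not the CPANEL-7667 change):
# the extension only counts when it ends the filename, i.e. it is followed by
# an optional closing quote and then ';', whitespace or the end of the header.
ANCHORED = re.compile(r'(?:file)?name=(\S+\.(?:%s))"?(?=[;\s]|$)' % EXTS, re.I)


def flagged(pattern, content_type):
    """Return the text the rule would capture as $1, or None if it passes."""
    m = pattern.search(content_type)
    return m.group(1) if m else None


# Header value from post #4, then constructed headers that must stay blocked.
GMAIL_REPORT = ('application/zip; '
                'name="google.com!mydomain.com!1466208000!1466294399.zip"')
CONSTRUCTED = [
    'application/octet-stream; name="invoice.pdf.exe"',
    'application/octet-stream; name=setup.COM',
    'application/octet-stream; name=macro.vbs; charset=us-ascii',
]

if __name__ == "__main__":
    for header in [GMAIL_REPORT] + CONSTRUCTED:
        print(header)
        print("  original:", flagged(ORIGINAL, header))
        print("  anchored:", flagged(ANCHORED, header))
```

The original pattern captures `"google.com!mydomain.com`, the same fragment that appears in the rejection text in post #1, because `\S+` backtracks to the last listed extension anywhere inside the name. Any change to the real filter should be checked against held sample messages before it goes live.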
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @zydu,

    Would you mind opening a support ticket using the link in my signature so we can take a closer look at this issue? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  6. zydu

    zydu Member

    The ticket number is 7606933
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    To update, internal case CPANEL-7667 is open to address the following issue:

    I'll update this thread with more information on the status of this case as it becomes available.

    Thank you.
     
  8. kpmedia

    kpmedia Well-Known Member

    This has been a problem for at least 18 months now. I reported it, submitted tickets on it, and nothing ever happened. It's a cPanel/exim issue. Good to see that it may get resolved finally.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    To update, CPANEL-7667 is included with cPanel version 60 to address this issue. Here's a description of the resolution from the case:

    Thank you.
     