Bug: Mail manager shows malware (antivirus engine error)

Hi there,


This is a new bug. The Mail Manager shows malware (antivirus engine error) for a normal newsletter mail.

In the daily Quarantine Report this mail is shown with reason "SPAM". If I release this mail via the embedded link, the mail arrives in the mail store destroyed for one account, and the UTM generates a mail with the hint that the mail was rescanned and a virus was found. For the second account I can't release the mail at all. If I release the mail from the Mail Manager, everything works as expected.


Regards,

mod

  • Hi mod and quasar!


    To help investigate this issue, please provide the following details:

     - Is Sandstorm turned on?

     - Are there any log lines starting with "Failure from cssd: ..." in /var/chroot-smtp/tmp/smtpd_debug.log?

     - If you are able to reproduce this issue, please check /var/log/fallback.log for any entries when this happens and paste them here

    Kind regards,

    Niriel

  • Hi Niriel,


    Sandstorm is turned on. No smtpd_debug.log file from that time is present. I can't reproduce this issue at the moment. The fallback.log doesn't show anything related to this issue.

    The related log lines from the smtp log:

    2016:02:12-16:45:39 asg-1 exim-in[8770]: 2016-02-12 16:45:39 SMTP connection from [91.192.42.212]:45512 (TCP/IP connection count = 1)
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 H=duounusduo.xi.ecm-cluster.com [91.192.42.212]:45512 Warning: localdomain.tld profile excludes SANDBOX scan
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 [91.192.42.212] F=<g-2668693670-2838-1300938333-1455288436371@bounce.borussia-newsletter.de> R=<klaus@localdomain.tld> Verifying recipient address in Active Directory
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 1aUFue-0004dQ-1A DKIM: d=borussia-newsletter.de s=ecm1 c=relaxed/relaxed a=rsa-sha256 t=1455288436 [verification succeeded]
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 1aUFue-0004dQ-1A ctasd reports 'Bulk' RefID:str=0001.0A0B0206.56BDF08B.0171,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 1aUFue-0004dQ-1A Greylisting: Successful greylist retry from 91.192.42.212 (original host was 91.192.42.214/32)
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 1aUFue-0004dQ-1A <= g-2668693670-2838-1300938333-1455288436371@bounce.borussia-newsletter.de H=duounusduo.xi.ecm-cluster.com [91.192.42.212]:45512 P=esmtp S=29170 id=wd0e0p.ikjt5s43713wj2t@borussia-newsletter.de
    2016:02:12-16:45:42 asg-1 smtpd[8718]: QMGR[8718]: 1aUFue-0004dQ-1A moved to work queue
    2016:02:12-16:45:46 asg-1 exim-in[17820]: 2016-02-12 16:45:46 SMTP connection from duounusduo.xi.ecm-cluster.com [91.192.42.212]:45512 lost
    2016:02:12-16:45:50 asg-1 smtpd[17857]: SCANNER[17857]: 1aUFuo-0004e1-GI <= g-2668693670-2838-1300938333-1455288436371@bounce.borussia-newsletter.de R=1aUFue-0004dQ-1A P=INPUT S=26979
    2016:02:12-16:45:51 asg-1 smtpd[17857]: SCANNER[17857]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="91.192.42.212" from="g-2668693670-2838-1300938333-1455288436371@bounce.borussia-newsletter.de" to="klaus@localdomain.tld" subject="Alle Infos: Der VfL zu Gast beim Hamburger SV." queueid="1aUFuo-0004e1-GI" size="26979" reason="as" extra=""
    2016:02:12-16:45:51 asg-1 smtpd[17857]: SCANNER[17857]: 1aUFue-0004dQ-1A => work R=SCANNER T=SCANNER
    2016:02:12-16:45:51 asg-1 smtpd[17857]: SCANNER[17857]: 1aUFue-0004dQ-1A Completed

    regards

    mod

  • Hi mod,

    This seems to be a simple case of spam mail according to the logs (ctasd identifies it as bulk mail), and it gets quarantined accordingly. When you try to release this mail, an AV scan is run to see if it also contains malware besides being spam. Did I get it right that the issue happens when you try to release it? If so, there should be corresponding log lines for the release (and rescan) as well.

    Niriel~

  • Hi Niriel,

    here are the release log lines:

    smtp log:

    2016:02:13-10:37:27 asg-1 smtpd[7052]: MASTER[7052]: (Re-)loading configuration from Confd
    2016:02:13-10:37:27 asg-1 smtpd[7052]: MASTER[7052]: Past 07:00:00, QR status one set to 'sent'
    2016:02:13-10:37:27 asg-1 smtpd[7052]: MASTER[7052]: QR two disabled, status two set to 'disabled'
    2016:02:13-10:37:27 asg-1 exim-in[8770]: 2016-02-13 10:37:27 pid 8770: SIGHUP received: re-exec daemon
    2016:02:13-10:37:27 asg-1 exim-in[8770]: 2016-02-13 10:37:27 exim 4.82_1-5b7a7c0-XX daemon started: pid=8770, no queue runs, listening for SMTP on port 25 (IPv4) port 587 (IPv4) and for SMTPS on port 465 (IPv4)
    2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: Action: scanning mail 1aUFuo-0004e1-GI after quarantine release request.
    2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: Action: replacing mail 1aUFuo-0004e1-GI back after scan because reason: av.
    2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: 1aUFuo-0004e1-GI Sending 'Quarantine release failed' notification to klaus@localdomain.tld
    2016:02:13-10:37:30 asg-1 exim-out[13439]: 2016-02-13 10:37:30 SMTP connection from MailerDaemon
    2016:02:13-10:37:30 asg-1 exim-out[13439]: 2016-02-13 10:37:30 1aUWdu-0003Ul-1p <= <> R=1aUFuo-0004e1-GI U=MailerDaemon P=local-bsmtp S=1256

    fallback.log:
    2016:02:13-10:37:30 asg-1 [daemon:info] cssd[5631]:  [ 0x9c94d40] saviscanner_scan (saviscanner.c:159) Failed to open /var/chroot-smtp/spool/work/.eml: No such file or directory

    regards
    mod

  • Hi mod,

    Thanks to the logs you provided, we managed to find out the cause of the error. The fix is already on the way. Thank you very much for the feedback!

    Niriel~
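The release sequence visible in the logs posted above (release request, rescan, "replacing mail ... back after scan because reason: av", the "Quarantine release failed" notification, and a cssd line at the same second that fails to open a spool path ending in "/.eml") can be correlated automatically rather than by eye. The following is an added example written for this page, not code from the thread or from the UTM. The log lines embedded in it are constructed after the ones posted above; the second queue ID (1aUFzz-0004f9-AB) is invented to show a release that goes through cleanly. The reading that a basename of just ".eml" means the message ID was empty in the spool path, and that the "av" verdict therefore coincides with a scanner error rather than a detection, is the example's own inference and not something the thread states.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple, Dict

# Constructed sample lines, modelled on the smtp log and fallback.log format posted in the thread.
# The 1aUFzz-0004f9-AB release is invented to show a release without a scanner error.
SMTP_LOG = """\
2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: Action: scanning mail 1aUFuo-0004e1-GI after quarantine release request.
2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: Action: replacing mail 1aUFuo-0004e1-GI back after scan because reason: av.
2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: 1aUFuo-0004e1-GI Sending 'Quarantine release failed' notification to klaus@localdomain.tld
2016:02:13-10:41:02 asg-1 smtpd[7052]: MASTER[7052]: Action: scanning mail 1aUFzz-0004f9-AB after quarantine release request.
"""

FALLBACK_LOG = """\
2016:02:13-10:37:30 asg-1 [daemon:info] cssd[5631]:  [ 0x9c94d40] saviscanner_scan (saviscanner.c:159) Failed to open /var/chroot-smtp/spool/work/.eml: No such file or directory
"""

# Every UTM log line starts with "YYYY:MM:DD-HH:MM:SS host ".
TS_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) ")
RELEASE_SCAN_RE = re.compile(r"Action: scanning mail (\S+) after quarantine release request")
REPLACE_RE = re.compile(r"Action: replacing mail (\S+) back after scan because reason: (\w+)")
NOTIFY_RE = re.compile(r"(\S+) Sending 'Quarantine release failed' notification to (\S+)")
# cssd lines carry no queue id, only the path it tried to scan and the OS error.
CSSD_OPEN_RE = re.compile(r"cssd\[\d+\]:.*Failed to open (\S+?): (.+)$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y:%m:%d-%H:%M:%S")


@dataclass
class Release:
    queue_id: str
    started: datetime
    reason: Optional[str] = None          # set when the mail is put back into quarantine
    notified: Optional[str] = None        # recipient of the "release failed" notification
    scanner_errors: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def failed(self) -> bool:
        return self.reason is not None


def correlate(smtp_log: str, fallback_log: str,
              window: timedelta = timedelta(seconds=5)) -> Dict[str, Release]:
    """Build one Release record per quarantine release attempt in the smtp log and
    attach cssd open failures from fallback.log that occur within `window` of it.
    The time window is an assumption of this example: the cssd line has no queue id."""
    releases: Dict[str, Release] = {}
    for line in smtp_log.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group(1))
        r = RELEASE_SCAN_RE.search(line)
        if r:
            releases[r.group(1)] = Release(r.group(1), ts)
            continue
        r = REPLACE_RE.search(line)
        if r and r.group(1) in releases:
            releases[r.group(1)].reason = r.group(2)
            continue
        r = NOTIFY_RE.search(line)
        if r and r.group(1) in releases:
            releases[r.group(1)].notified = r.group(2)

    for line in fallback_log.splitlines():
        m = TS_RE.match(line)
        e = CSSD_OPEN_RE.search(line)
        if not (m and e):
            continue
        ts = parse_ts(m.group(1))
        for rel in releases.values():
            if rel.failed and abs(ts - rel.started) <= window:
                rel.scanner_errors.append((e.group(1), e.group(2)))
    return releases


def diagnose(rel: Release) -> str:
    """Distinguish a real block from a rescan whose scanner never opened the message.
    A basename that is only '.eml' means the message id is missing from the spool path
    (this example's inference from the posted log, not a statement from the thread)."""
    if not rel.failed:
        return "released"
    for path, err in rel.scanner_errors:
        if path.rsplit("/", 1)[-1].startswith("."):
            return (f"av rescan failed: scanner tried to open '{path}' "
                    f"(empty spool filename, {err}); verdict '{rel.reason}' coincides with a scanner error")
    return f"blocked by {rel.reason}"


if __name__ == "__main__":
    for qid, rel in correlate(SMTP_LOG, FALLBACK_LOG).items():
        print(qid, rel.started.isoformat(), diagnose(rel))
```

Run against the real /var/log/smtp.log and /var/log/fallback.log the same way; the only thing to adjust is the correlation window, which is a guess that fits the posted lines (both at 10:37:30) and nothing else.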