Bug: Mail manager shows malware (antivirus engine error)

Hi there,


this is a new bug. Mail manager shows malware (antivirus engine error) for a normal newsletter mail.

In the daily Quarantine Report this mail is shown with reason "SPAM". If I release this mail via the embedded link, the mail arrives in the mail store for one account in a destroyed state and the UTM generates a mail with the hint that the mail was rescanned and a virus was found. For the second account I can't release the mail at all. If I release the mail from the mail manager, everything works as expected.


Regards,

mod

  • Hi mod and quasar!


    To help investigate this issue, please provide the following details:

     - Is Sandstorm turned on?

     - Are there any log lines starting with "Failure from cssd: ..." in /var/chroot-smtp/tmp/smtpd_debug.log?

     - If you are able to reproduce this issue, please check /var/log/fallback.log for any entries when this happens and paste them here

    Kind regards,

    Niriel

  • Hi Niriel,


    Sandstorm is turned on. No smtpd_debug.log file from this time is present. I can't reproduce this issue at the moment. The fallback.log doesn't show anything that is related to this issue.

    The related log lines from the smtp log:

    2016:02:12-16:45:39 asg-1 exim-in[8770]: 2016-02-12 16:45:39 SMTP connection from [91.192.42.212]:45512 (TCP/IP connection count = 1)
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 H=duounusduo.xi.ecm-cluster.com [91.192.42.212]:45512 Warning: localdomain.tld profile excludes SANDBOX scan
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 [91.192.42.212] F=<g-2668693670-2838-1300938333-1455288436371@bounce.borussia-newsletter.de> R=<klaus@localdomain.tld> Verifying recipient address in Active Directory
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 1aUFue-0004dQ-1A DKIM: d=borussia-newsletter.de s=ecm1 c=relaxed/relaxed a=rsa-sha256 t=1455288436 [verification succeeded]
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 1aUFue-0004dQ-1A ctasd reports 'Bulk' RefID:str=0001.0A0B0206.56BDF08B.0171,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 1aUFue-0004dQ-1A Greylisting: Successful greylist retry from 91.192.42.212 (original host was 91.192.42.214/32)
    2016:02:12-16:45:40 asg-1 exim-in[17820]: 2016-02-12 16:45:40 1aUFue-0004dQ-1A <= g-2668693670-2838-1300938333-1455288436371@bounce.borussia-newsletter.de H=duounusduo.xi.ecm-cluster.com [91.192.42.212]:45512 P=esmtp S=29170 id=wd0e0p.ikjt5s43713wj2t@borussia-newsletter.de
    2016:02:12-16:45:42 asg-1 smtpd[8718]: QMGR[8718]: 1aUFue-0004dQ-1A moved to work queue
    2016:02:12-16:45:46 asg-1 exim-in[17820]: 2016-02-12 16:45:46 SMTP connection from duounusduo.xi.ecm-cluster.com [91.192.42.212]:45512 lost
    2016:02:12-16:45:50 asg-1 smtpd[17857]: SCANNER[17857]: 1aUFuo-0004e1-GI <= g-2668693670-2838-1300938333-1455288436371@bounce.borussia-newsletter.de R=1aUFue-0004dQ-1A P=INPUT S=26979
    2016:02:12-16:45:51 asg-1 smtpd[17857]: SCANNER[17857]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="91.192.42.212" from="g-2668693670-2838-1300938333-1455288436371@bounce.borussia-newsletter.de" to="klaus@localdomain.tld" subject="Alle Infos: Der VfL zu Gast beim Hamburger SV." queueid="1aUFuo-0004e1-GI" size="26979" reason="as" extra=""
    2016:02:12-16:45:51 asg-1 smtpd[17857]: SCANNER[17857]: 1aUFue-0004dQ-1A => work R=SCANNER T=SCANNER
    2016:02:12-16:45:51 asg-1 smtpd[17857]: SCANNER[17857]: 1aUFue-0004dQ-1A Completed

    regards

    mod

  • Hi mod,

    This seems to be a simple case of spam mail according to the logs (ctasd identifies it as bulk mail) and it gets quarantined accordingly. When you try to release this mail, an AV scan will be run to see if it also contains malware besides being spam. Did I get it right that the issue happens when you try to release it? If so, then there should be corresponding log lines for the release (and rescan) as well.

    Niriel~

  • Hi Niriel,

    here are the release log lines:

    smtp log:

    2016:02:13-10:37:27 asg-1 smtpd[7052]: MASTER[7052]: (Re-)loading configuration from Confd
    2016:02:13-10:37:27 asg-1 smtpd[7052]: MASTER[7052]: Past 07:00:00, QR status one set to 'sent'
    2016:02:13-10:37:27 asg-1 smtpd[7052]: MASTER[7052]: QR two disabled, status two set to 'disabled'
    2016:02:13-10:37:27 asg-1 exim-in[8770]: 2016-02-13 10:37:27 pid 8770: SIGHUP received: re-exec daemon
    2016:02:13-10:37:27 asg-1 exim-in[8770]: 2016-02-13 10:37:27 exim 4.82_1-5b7a7c0-XX daemon started: pid=8770, no queue runs, listening for SMTP on port 25 (IPv4) port 587 (IPv4) and for SMTPS on port 465 (IPv4)
    2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: Action: scanning mail 1aUFuo-0004e1-GI after quarantine release request.
    2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: Action: replacing mail 1aUFuo-0004e1-GI back after scan because reason: av.
    2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: 1aUFuo-0004e1-GI Sending 'Quarantine release failed' notification to klaus@localdomain.tld
    2016:02:13-10:37:30 asg-1 exim-out[13439]: 2016-02-13 10:37:30 SMTP connection from MailerDaemon
    2016:02:13-10:37:30 asg-1 exim-out[13439]: 2016-02-13 10:37:30 1aUWdu-0003Ul-1p <= <> R=1aUFuo-0004e1-GI U=MailerDaemon P=local-bsmtp S=1256

    fallback.log:
    2016:02:13-10:37:30 asg-1 [daemon:info] cssd[5631]:  [ 0x9c94d40] saviscanner_scan (saviscanner.c:159) Failed to open /var/chroot-smtp/spool/work/.eml: No such file or directory

    regards
    mod
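An added triage check (not from the thread or from Sophos) that correlates the "reason: av" push-back in the smtp log with the cssd "Failed to open" entry in fallback.log, so an empty-basename path like ".eml" is labelled as a scanner error rather than a real detection; the embedded sample lines are the ones quoted above, and the 5-second window and function names are this example's assumptions.

```python
import os
import re
from datetime import datetime

# Sample input: the smtp-log and fallback.log lines quoted in this thread.
SMTP_LOG = """\
2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: Action: scanning mail 1aUFuo-0004e1-GI after quarantine release request.
2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: Action: replacing mail 1aUFuo-0004e1-GI back after scan because reason: av.
2016:02:13-10:37:30 asg-1 smtpd[7052]: MASTER[7052]: 1aUFuo-0004e1-GI Sending 'Quarantine release failed' notification to klaus@localdomain.tld
"""
FALLBACK_LOG = """\
2016:02:13-10:37:30 asg-1 [daemon:info] cssd[5631]:  [ 0x9c94d40] saviscanner_scan (saviscanner.c:159) Failed to open /var/chroot-smtp/spool/work/.eml: No such file or directory
"""

TS_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) ")
RELEASE_AV_RE = re.compile(r"replacing mail (\S+) back after scan because reason: av")
OPEN_FAIL_RE = re.compile(r"saviscanner_scan .*Failed to open (\S+?): (.*)$")


def parse_ts(line):
    """UTM log lines start with YYYY:MM:DD-HH:MM:SS; return it as a datetime."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S") if m else None


def av_release_failures(smtp_log):
    """Yield (timestamp, queue_id) for quarantine releases pushed back with reason 'av'."""
    for line in smtp_log.splitlines():
        m = RELEASE_AV_RE.search(line)
        if m:
            yield parse_ts(line), m.group(1)


def scanner_open_errors(fallback_log):
    """Yield (timestamp, path) for cssd open failures.
    A basename of just '.eml' means the scanner was handed an empty queue id."""
    for line in fallback_log.splitlines():
        m = OPEN_FAIL_RE.search(line)
        if m:
            yield parse_ts(line), m.group(1)


def classify_releases(smtp_log, fallback_log, window_s=5):
    """Map each av-rejected queue id to ('engine-error', [paths]) when cssd could not
    open the message file within window_s seconds, else ('av-detection', [])."""
    errors = list(scanner_open_errors(fallback_log))
    results = {}
    for ts, qid in av_release_failures(smtp_log):
        near = [p for ets, p in errors if abs((ets - ts).total_seconds()) <= window_s]
        empty_id = [p for p in near if os.path.basename(p) == ".eml"]
        results[qid] = ("engine-error", empty_id or near) if near else ("av-detection", [])
    return results
```

Run against the thread's lines this yields 'engine-error' for 1aUFuo-0004e1-GI, which matches the "Quarantine release failed" notification the user received instead of a malware verdict.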
