
Return receipts being quarantined?

Hello all, I wanted to get some feedback on whether anyone else is having this issue: a lot of our users have been having their return receipts quarantined. I checked the logs and they are being quarantined as suspect attachments. We are running PureMessage 5.5.6 on our edge servers and handing off to Exchange.

Thanks



  • Hi mrdky, do you check for pmx_spam_hit :contains ["BOUNCE"] in policy.siv? BTW, 5.5.6 is the minimum supported version of PureMessage Unix. Cheers
  • Hey mrdky,

    Could you post the message_log output for one of these types of messages?  It would be easier for us to help you troubleshoot if we see which rules these are hitting on.

    Here is an example entry from the message log located at /opt/pmx/var/log/message_log:

    2009-12-30T11:49:37 q=4B3BAED1_10419_61_4 f=<10fi@duvall.cc> t=<test747@science.cutter.red.sophos> Size=17923 pmx_reason=Spam g=test747@science.cutter.red.sophos|science b=ok h=URI_CLASS_ABS_DOMAIN h=CANPHARM_4PILLS h=CANPHARM_CN_IMGTBL_NOMSGID h=CANPHARM_PATTERN_CN h=CANPHARM_FROM_PATTERN h=CANPHARM_CN_TLD_HREF h=CANPHARM_PATTERN h=CTYPE_JUST_HTML h=CN_TLD h=CN_TLD_HREF_URI h=TO_IN_SUBJECT h=HTML_70_90 h=FROM_SAME_AS_TO h=MSGID_ADDED_BY_MTA h=BODY_SIZE_2000_2999 h=BODY_SIZE_5000_LESS h=__URI_CLASS_ANY s=?q?Personal_75%_OFF_to_rm4dd@striker.ottawa.on.ca._Pfizer. pmx_action=quarantine,Spam,science,test747@science.cutter.red.sophos,test747@science.cutter.red.sophos vs p=1.000 fur=127.0.0.1 r=localhost tm=0.76 a=d/eom

    Once we look at the h= statements, we can determine which rule is triggering so heavily that it quarantines the message.

    Thanks!


  • Hi markJD, it's actually not tripping h statements. It is getting flagged by one of our siv rules. Here are the message log rule hits. I also attached a piece of our siv. My theory is it could be getting flagged by Sophos true file type detection?

    2010-01-04T12:52:34 q=4B4238F2_12377_381_1 f=<someone@somedomain.com> t=<mrky@mydomain.com> external pmx_action=quarantine,-,-,mrky@mydomain.com,mrky@mydomain.com external_inbound_suspect_attachment vs fur=74.47.47.32 Size=7362 r=somebox.somedomain.com tm=0.15 a=d/eom

    # attr NAME=Quarantine mail containing suspicious attachments
    if pmx_suspect_attachment :tft {
        pmx_quarantine "suspect";
        pmx_mark1 "external_inbound_suspect_attachment";
        pmx_notify :recipients :file "/opt/pmx/etc/templates/en/virus.d/suspect.tmpl";
        stop;
    }

    Thanks for the help

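    The two message_log lines in this thread differ in exactly the way that matters for troubleshooting: the first carries a string of h= antispam rule hits, the second has none and instead carries the bare mark set by pmx_mark1 in policy.siv. The following parser is an added example, not PureMessage code or anything posted in the thread; it splits a message_log line into key=value fields, h= hits and bare marks, and reports which of the two mechanisms produced a quarantine. The sample lines are constructed from the ones posted above, with domains and the client IP replaced by documentation values and the spam rule hits abbreviated.

```python
from dataclasses import dataclass, field

# Constructed sample input modelled on the two message_log lines posted in this
# thread (domains and IPs replaced, spam rule hits abbreviated).
SAMPLE_LOG = """\
2009-12-30T11:49:37 q=4B3BAED1_10419_61_4 f=<10fi@example.com> t=<test747@example.net> Size=17923 pmx_reason=Spam h=URI_CLASS_ABS_DOMAIN h=CTYPE_JUST_HTML h=FROM_SAME_AS_TO pmx_action=quarantine,Spam,science,test747@example.net,test747@example.net vs p=1.000 fur=127.0.0.1 r=localhost tm=0.76 a=d/eom
2010-01-04T12:52:34 q=4B4238F2_12377_381_1 f=<someone@example.com> t=<mrky@example.org> external pmx_action=quarantine,-,-,mrky@example.org,mrky@example.org external_inbound_suspect_attachment vs fur=203.0.113.7 Size=7362 r=somebox.example.com tm=0.15 a=d/eom
"""

# Bare tokens PureMessage emits itself; any other bare token is taken as a policy mark.
BUILTIN_FLAGS = {"vs", "external", "internal"}


@dataclass
class LogEntry:
    timestamp: str
    fields: dict = field(default_factory=dict)     # key=value tokens (q, f, t, pmx_action, ...)
    rule_hits: list = field(default_factory=list)  # every h=RULE token, in order
    marks: list = field(default_factory=list)      # bare tokens, e.g. pmx_mark1 values


def parse_message_log_line(line: str) -> LogEntry:
    """Split one message_log line into fields, antispam rule hits and marks."""
    tokens = line.split()
    entry = LogEntry(timestamp=tokens[0])
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            entry.marks.append(tok)
        elif key == "h":
            entry.rule_hits.append(value)
        else:
            entry.fields[key] = value
    return entry


def quarantine_cause(entry: LogEntry) -> str:
    """Say whether a quarantine came from antispam h= hits or from a policy.siv rule."""
    action = entry.fields.get("pmx_action", "")
    if not action.startswith("quarantine"):
        return "not quarantined"
    if entry.rule_hits:
        return f"antispam rules ({len(entry.rule_hits)} h= hits)"
    policy_marks = [m for m in entry.marks if m not in BUILTIN_FLAGS]
    if policy_marks:
        return "policy rule mark: " + ", ".join(policy_marks)
    return "quarantined, but no rule hits or marks logged"


def summarize(log_text: str) -> list:
    """Return (queue id, cause) for every non-empty line of a message_log excerpt."""
    entries = (parse_message_log_line(l) for l in log_text.splitlines() if l.strip())
    return [(e.fields.get("q", "?"), quarantine_cause(e)) for e in entries]
```

    Run summarize() over a grep of message_log for pmx_action=quarantine to see at a glance which quarantines SophosLabs rules can be asked about and which are your own policy rules.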
  • Hey mrdky,

    You are definitely hitting that rule.  Now the question is why ;)

    Do you have a graphic or is there some kind of HTML version of the email with the out-of-office reply?

    The pmx_suspect_attachment test checks the following two lists:

    /opt/pmx/etc/suspect-attachment-names
    /opt/pmx/etc/suspect-attachment-types

    It would be best to review the names/types in these files and confirm if the reply contains any of them.

    There is however another way this test will trigger.

    If you do a man pmx-policy, and look at the pmx_suspect_attachment test:

    Note: Because this test also returns true whenever PureMessage is unable to scan a message, you should use the "pmx_cantscan" test within "pmx_suspect_attachment" to specify how unscannable messages are handled.


    Here is an example using your policy:

    # attr NAME=Quarantine mail containing suspicious attachments
    if pmx_suspect_attachment :tft {
        if pmx_cantscan {
            pmx_mark "pmx_reason" "Unscannable Suspect Attachment";
        }
        else {
            pmx_quarantine "suspect";
            pmx_mark1 "external_inbound_suspect_attachment";
            pmx_notify :recipients :file "/opt/pmx/etc/templates/en/virus.d/suspect.tmpl";
            stop;
        }
    }

    This policy will pass the message and mark the log.  You may want to quarantine or do some other action depending on your company's policies.  Please test this ;)
       
       
    It's also good to read the pmx_cantscan documentation to see the other tests it can trigger on:

    pmx_cantscan
    Syntax:

    pmx_cantscan

    Description: Returns true if a message could not be scanned. Must be called after "pmx_attachment_name", "pmx_attachment_true_filetype", "pmx_attachment_type", "pmx_credit_card", "pmx_phrase", or "pmx_suspect_attachment" to be effective.



    Can you locate the file in the quarantine via command line?

    The quarantine on a local edge box is located in the following directory:

    /opt/pmx/var/qdir/cur/[0-9]/...

    If you need help locating the file, please let me know.

    Once the file is located, you can copy a version to the /tmp directory and run a command on it to see how PMX sees the different parts of the message (as the pmx user):

    $ pmx-policy inject --verbose /tmp/ID --relay=external --dry-run

    This will output something similar to this for the pmx_suspect_attachment test:

    POLICY TEST: pmx_suspect_attachment
    pmx_suspect_attachment (part 1): extensions: .txt
    pmx_suspect_attachment (part 1): mime types:
    set_savi_cantscan_errors: start
    set_savi_cantscan_errors: count=0
    pmx_suspect_attachment (part 1.1): extensions: .txt
    pmx_suspect_attachment (part 1.1): mime types:
    set_savi_cantscan_errors: start
    set_savi_cantscan_errors: count=0
    pmx_suspect_attachment (part 1.2): extensions: .htm, .html, .xht, .xhtml
    pmx_suspect_attachment (part 1.2): mime types: text/html
    set_savi_cantscan_errors: start
    set_savi_cantscan_errors: count=0


    This should help you to narrow down what the issue with the out-of-office reply may be.

    Cheers,

  • I have noticed that all of ours quarantine. It is still in pretty much an out-of-the-box default state. None of the users have raised an issue, so I honestly have not looked at it, other than to know that it is happening.

  • The best thing to do is open a case with support, providing them with a sample of a quarantined message. Support can help you identify what rules are hitting on your particular samples, and advise you on the steps you can take to prevent these false positives. Depending on your mail architecture (i.e. downstream MTAs), you may hit different types of rules, so it would be best to address this on a case-by-case basis.

    If you'd like to post the rule hits from one of the messages, I can attempt to advise you, but engaging the Gateway support team would be the most prudent course of action. If there is a large volume of these types of complaints, SophosLabs will be advised and the antispam rules will be adjusted accordingly.

  • Hi MarkJD,

    Just had some time to go over this issue again today and called Sophos support. They narrowed it down to not allowing .email in suspect-attachment-names. They also recommended not removing this, because this is basically an email within an email that can contain links and other malicious stuff. My question is: are emails within emails not scanned if we remove this file type from suspect-attachment-names?

    Thanks

  • Not seeing your policy, and assuming there is a pmx_virus in both the internal and external section, those emails will be scanned under the pmx_virus test.

    pmx_virus - AV test on all parts of the email.

    pmx_suspect_attachment - Meant to be a way for administrators to control particular filetypes within their organization.

  • Confirmed, this is how our policy looks. We are still deciding if we are going to remove it from suspect-attachment-names. Thanks for the help MarkJD.
