
Return receipts being quarantined?

Hello all, I wanted to get some feedback if anyone is having this issue, but a lot of our users have been having their return receipts quarantined.  I checked the logs and they are being quarantined as suspect attachments.  We are running PureMessage 5.5.6 on our edge servers and handing off to Exchange.

Thanks



  • Hey mrdky,

    You are definitely hitting that rule.  Now the question is why ;)

    Do you have a graphic or is there some kind of HTML version of the email with the out-of-office reply?

    The pmx_suspect_attachment test checks the following two lists:

    /opt/pmx/etc/suspect-attachment-names
    /opt/pmx/etc/suspect-attachment-types

    It would be best to review the names/types in these files and confirm if the reply contains any of them.

    There is however another way this test will trigger.

    If you do a man pmx-policy, and look at the pmx_suspect_attachment test:

    Note: Because this test also returns true whenever PureMessage is unable to scan a message, you should use the "pmx_cantscan" test within "pmx_suspect_attachment" to specify how unscannable messages are handled.


    Here is an example using your policy:

    # attr NAME=Quarantine mail containing suspicious attachments

    if pmx_suspect_attachment :tft {
        if pmx_cantscan {
            pmx_mark "pmx_reason" "Unscannable Suspect Attachment";
        }
        else {
            pmx_quarantine "suspect";
            pmx_mark1 "external_inbound_suspect_attachment";
            pmx_notify :recipients :file "/opt/pmx/etc/templates/en/virus.d/suspect.tmpl";
            stop;
        }
    }

    This policy will pass the message and mark the log.  You may want to quarantine or do some other action depending on your company's policies.  Please test this ;)
       
       
    It's also good to read the pmx_cantscan to see other tests it could trigger on:

    pmx_cantscan
    Syntax:

    pmx_cantscan

    Description: Returns true if a message could not be scanned. Must be called after "pmx_attachment_name", "pmx_attachment_true_filetype", "pmx_attachment_type", "pmx_credit_card", "pmx_phrase", or "pmx_suspect_attachment" to be effective.



    Can you locate the file in the quarantine via command line?

    The quarantine on a local edge box is located in the following directory:

    /opt/pmx/var/qdir/cur/[0-9]/...

    If you need help locating the file, please let me know.

    Once the file is located, you can copy a version to the /tmp directory and run a command on it to see how PMX sees the different parts of the message (as the pmx user):

    $ pmx-policy inject --verbose /tmp/ID --relay=external --dry-run

    This will output something similar to this for the pmx_suspect_attachment test:

    POLICY TEST: pmx_suspect_attachment
    pmx_suspect_attachment (part 1): extensions: .txt
    pmx_suspect_attachment (part 1): mime types:
    set_savi_cantscan_errors: start
    set_savi_cantscan_errors: count=0
    pmx_suspect_attachment (part 1.1): extensions: .txt
    pmx_suspect_attachment (part 1.1): mime types:
    set_savi_cantscan_errors: start
    set_savi_cantscan_errors: count=0
    pmx_suspect_attachment (part 1.2): extensions: .htm, .html, .xht, .xhtml
    pmx_suspect_attachment (part 1.2): mime types: text/html
    set_savi_cantscan_errors: start
    set_savi_cantscan_errors: count=0


    This should help you to narrow down what the issue with the out-of-office reply may be.

    Cheers,

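To follow the advice in the reply above (confirm whether a quarantined receipt actually contains one of the listed names or types), here is an added Python example that is not part of this thread or of PureMessage: it walks a constructed return-receipt MIME message and reports every part that matches constructed sample name/type lists. It assumes the list files hold one entry per line with '#' comments and glob-style name patterns, which may differ from PureMessage's real format, and it checks declared file names and MIME types only, not true file type or scan failures.

```python
import fnmatch
import email
from email import policy

# Constructed sample lists standing in for /opt/pmx/etc/suspect-attachment-names
# and /opt/pmx/etc/suspect-attachment-types (assumed format: one entry per line).
SUSPECT_NAMES = "# constructed sample\n*.exe\n*.scr\n*.html\n"
SUSPECT_TYPES = "# constructed sample\napplication/x-msdownload\n"

# Constructed sample return receipt (MDN): multipart/report with a human-readable
# part, the disposition-notification part, and an HTML rendering with a file name.
SAMPLE_MDN = """\
Subject: Read: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/report; report-type=disposition-notification; boundary="B1"

--B1
Content-Type: text/plain

Your message was read.
--B1
Content-Type: message/disposition-notification

Final-Recipient: rfc822;user@example.com
Disposition: manual-action/MDN-sent-manually; displayed
--B1
Content-Type: text/html
Content-Disposition: inline; filename="receipt.html"

<html><body>Your message was read.</body></html>
--B1--
"""

def load_list(text):
    """Parse a list file: drop blanks and '#' comments, lower-case for matching."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def check_message(raw, names_text, types_text):
    """Return (part_index, content_type, filename, reason) for each MIME part whose
    declared type is listed or whose file name matches a listed pattern."""
    names, types = load_list(names_text), load_list(types_text)
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for idx, part in enumerate(msg.walk(), start=1):
        ctype = part.get_content_type().lower()
        fname = (part.get_filename() or "").lower()
        if ctype in types:
            hits.append((idx, ctype, fname, "type"))
        elif fname and any(fnmatch.fnmatch(fname, pat) for pat in names):
            hits.append((idx, ctype, fname, "name"))
    return hits
```

Run it against a copy of the quarantined message and your real list files to see which part the name/type lists would catch; if nothing matches, the pmx_cantscan path is the next thing to rule out.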