ClamAV bouncing DKIM JMRP program email
ClamAV is identifying incoming email sent by Google to the abuse address on my VPS as dangerous.
DKIM is set up and I've joined the JMRP program so the return from Google is expected.
Of course it's bounced back to the noreply address at Google. The mail server and IP from Google are a match, so it appears legit. It may be that ClamAV is identifying it as potentially executable content due to the manner in which the .com is displayed in the report, or the bounce actually contains an executable. Is there any way to whitelist an IP or email account from ClamAV so I can verify whether it's a dangerous attachment or a false positive due to the nature of the report? I've chosen AFRF reporting. If it's an actual dangerous attachment, I'll ignore them in the future. When I first checked Mail Delivery Reports this morning, it showed this email as in process; now it isn't listed in the reports at all even though it's still in the logs. TIA
1Ydx7Y-0001or-R1 cancelled by system filter: This message has been rejected because it has
potentially executable content "google.com!*****.com
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
Hello,

You can't whitelist a specific IP address or email account using any native options in WHM/cPanel, so you may want to temporarily disable ClamAV if you want to allow a specific message through to verify whether it's an actual virus.

Thank you.
I've been having the same problems for months. My quick fix was to disable /etc/cpanel_exim_system_filter in the Exim config editor, but that removes support for:

Attachments: Filter messages with dangerous attachments
Apache SpamAssassin: Global Subject Rewrite [?] Prefixes the "X-Spam-Subject" header prefix (set below) onto the "Subject" header and omits the "X-Spam-Subject" header.

/usr/local/cpanel/etc/exim/sysfilter/options/attachments is included in cpanel_exim_system_filters. Here is a snippet on how to find a workaround:

Direct modifications to the /etc/cpanel_exim_system_filter file will be lost when the configuration is next rebuilt. To have modifications retained, please use one of the following options:
1) * Place each sysfilter block you wish to include in a unique file at: /usr/local/cpanel/etc/exim/sysfilter/options/
   * Enable or disable the custom block in WHM using: Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]
2) * Create a custom sysfilter file in /etc/
   * Change the location of the sysfilter file in WHM using: Service Configuration => Exim Configuration Manager => Filters => System Filter File

Based on that, the quick fix would be to remove the COM values in the attachments include, then merge it all together into a custom filter and set that filter in the WHM Exim config editor.
The pro: will allow the Google DMARC emails to be received and/or forwarded to your DMARC manager service.
The con: allows .com file attachments. I'll have to find a better regex, or ask Google to stop sending the emails with the .com suffix.
Another option that I've seen is to disable "Attachments: Filter messages with dangerous attachments" in the WHM Exim config manager. But that would remove all filtering of email attachments and not just .com files... so the devil is in the details.
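The log line in the question shows why the report trips the attachment rule: the rejection text is the one from the widely copied Exim system-filter example, whose regex requires an opening quote but makes the closing quote optional, so `"[^"]+\.com` can stop at any `.com` inside the filename. A DMARC aggregate report is named `receiver!policy-domain!begin!end.zip` (RFC 7489), so `google.com!example.com!...zip` contains `.com` twice and the capture ends at the second one, exactly as the log shows (`"google.com!*****.com`). The script below is an added example, not code from the original thread or from cPanel; the loose pattern is modelled on the public Exim example and is assumed to resemble the cPanel attachments block, the header values are constructed, and the anchored pattern is the "better regex" the comment above is looking for: it still blocks a real `.com` or `.exe`, also catches the unquoted `name=setup.exe` form the loose pattern misses, and lets `setup.exe.zip` through, which is what the rejection text itself tells senders to do.

```python
import re

# Constructed sample Content-Type headers (not taken from the original post).
# DMARC aggregate report filename per RFC 7489: receiver!policy-domain!begin!end.zip
DMARC_REPORT = 'application/zip; name="google.com!example.com!1428278400!1428364799.zip"'
# A genuine DOS/Windows executable that the filter must keep blocking.
REAL_EXE = 'application/octet-stream; name="invoice.com"'
# Unquoted filename parameter: legal in MIME, common from some clients.
BARE_NAME = 'application/octet-stream; name=setup.exe'
# Executable inside a zip: the rejection text tells senders to do exactly this.
ZIPPED = 'application/zip; name="setup.exe.zip"'

# Extension list from the public Exim system-filter example.
EXTS = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk"
        r"|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[cfh]")

# Loose pattern, modelled on the Exim example (assumed similar to cPanel's block, not
# copied from it). The closing quote is optional, so the engine backtracks inside the
# quoted name until it finds ANY ".<ext>", not just the real extension at the end.
LOOSE = re.compile(r'(?:file)?name=("[^"]+\.(?:%s)"?)' % EXTS, re.IGNORECASE)

# Anchored pattern: the extension must be the last thing in the filename, i.e. it is
# followed by the closing quote (quoted form) or by ';' / end of header (unquoted form).
ANCHORED = re.compile(
    r'(?:file)?name=(?:"([^"]+\.(?:%s))"|([^\s;"]+\.(?:%s))(?=\s*(?:;|$)))' % (EXTS, EXTS),
    re.IGNORECASE,
)


def loose_match(header):
    """Return what the loose rule would report as 'potentially executable content'."""
    m = LOOSE.search(header)
    return m.group(1) if m else None


def anchored_match(header):
    """Return the offending filename under the anchored rule, or None if allowed."""
    m = ANCHORED.search(header)
    if not m:
        return None
    return m.group(1) or m.group(2)


if __name__ == "__main__":
    samples = [("DMARC report", DMARC_REPORT), ("real .com", REAL_EXE),
               ("unquoted .exe", BARE_NAME), ("zipped .exe", ZIPPED)]
    for label, hdr in samples:
        print(f"{label:14} loose={loose_match(hdr)!r:26} anchored={anchored_match(hdr)!r}")
```

Python's `re` and Exim's PCRE agree on everything this pattern uses (non-capturing groups, alternation, lookahead), but the pattern has to be transcribed into Exim's double-quoted string form with backslashes doubled before it goes into a custom sysfilter file under /usr/local/cpanel/etc/exim/sysfilter/options/. Test the resulting filter against a saved copy of the bounced message with `exim -bF <filterfile> < message.eml` before enabling it in WHM, and keep the original block disabled rather than edited so the next configuration rebuild does not overwrite the change.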