Virus Attachments Blocked Yet Are Sometimes Still Delivered

Comments

7 comments

  • cPRex Jurassic Moderator

    Hey there!  I'm not able to provide direct support for custom filters here, but is there anything in the /var/log/exim-mainlog file that is unique about that mail delivery?  Does it just bypass the filter with no mention of it in the log?

    0
  • celiac101

    I searched the log and, for example, an email with a .7z banned attachment was accepted today.

    Event: success 
    Sender User: -remote-
    Sender Domain:  
    From Address: dejacevic@hertz.rs
    Sender:  
    Sent Time: Feb 12, 2024, 7:07:07 AM
    Sender Host: vps2.tehnoguma-zg.hr
    Sender IP: 185.62.75.78
    Authentication: localdelivery
    Spam Score:  
    Router: virtual_user
    Transport: dovecot_virtual_delivery
    Out Time: Feb 12, 2024, 7:07:07 AM
    ID: 1rZXu4-00038v-0G
    Delivery Host: localhost
    Delivery IP: 127.0.0.1
    Size: 931.12 KB
    Result: Accepted

    0
  • cPRex Jurassic Moderator

    That looks more like the data from the mail delivery report than the actual Exim log. This does look like the example we include at https://docs.cpanel.net/knowledge-base/email/how-to-customize-the-exim-system-filter-file/ besides the added "then" portion of the statement, so I would expect that to work.

    Can you post the output of the following command?

    grep 1rZXu4-00038v-0G /var/log/exim_mainlog
    0
  • celiac101

    Yes, I followed those directions to customize the Exim system filter file, and added new file extensions that were not in there, but needed to be.

    Here is the output of that command:

    # grep 1rZXu4-00038v-0G /var/log/exim_mainlog
    2024-02-12 07:07:29 1rZXu4-00038v-0G <= dejacevic@Hertz.rs H=vps2.tehnoguma-zg.hr [185.62.75.78]:44056 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=953471 id=20240212100720.3760CC430CDE7687@Hertz.rs T="Narud\305\276ba 24/012/020121" for scott @ removed . COM
    2024-02-12 07:07:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rZXu4-00038v-0G
    2024-02-12 07:07:29 1rZXu4-00038v-0G => scott <scott @ removed . COM> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <scott @ removed . COM> UJj4BTE0ymUKLgAARpFy3A Saved"
    2024-02-12 07:07:29 1rZXu4-00038v-0G Completed

    Note that each day there are attachments that still pass this filter. From today an email with a .rar extension attachment passed, and here is that log as well:

    grep 176.221.55.121 /var/log/exim_mainlog
    2024-02-12 23:06:18 SMTP connection from [176.221.55.121]:52624 (TCP/IP connection count = 2)
    2024-02-12 23:06:20 1rZmrz-000734-2a <= satis@drf.com.tr H=posta.criticalcase.com [176.221.55.121]:52624 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=882495 id=f1f41ab66ce7067df7b77239fbcce153@drf.com.tr T="Yan\304\261t: Sat\304\261nalma Sipari\305\237i" for scott @ removed . COM
    2024-02-12 23:06:20 SMTP connection from posta.criticalcase.com [176.221.55.121]:52624 closed by QUIT

    0
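The log lines above are the right evidence to work from: for each message ID, Exim's mainlog records arrival (`<=`), then delivery (`=>`), failure (`**`) or deferral (`==`), then `Completed`. The first message shows a normal arrival and a `dovecot_virtual_delivery` delivery; the second excerpt shows only the arrival line, so the grep by IP alone does not tell you what happened to it. The following script is an added example (mine, not from the thread, cPanel or Exim) that parses these records per message ID, restores the `\ooo` octal escapes Exim uses for non-ASCII subjects, and lists arrivals with no delivery record. The sample log is built from the lines posted in the thread; the redacted recipient is replaced with the constructed placeholder `scott@example.invalid`.

```python
"""Correlate Exim mainlog records per message ID (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed from the lines posted in the thread; recipient replaced with a placeholder.
# Only the arrival line of the second message is present, as in the thread.
SAMPLE_LOG = r"""
2024-02-12 07:07:29 1rZXu4-00038v-0G <= dejacevic@Hertz.rs H=vps2.tehnoguma-zg.hr [185.62.75.78]:44056 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=953471 id=20240212100720.3760CC430CDE7687@Hertz.rs T="Narud\305\276ba 24/012/020121" for scott@example.invalid
2024-02-12 07:07:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rZXu4-00038v-0G
2024-02-12 07:07:29 1rZXu4-00038v-0G => scott <scott@example.invalid> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <scott@example.invalid> UJj4BTE0ymUKLgAARpFy3A Saved"
2024-02-12 07:07:29 1rZXu4-00038v-0G Completed
2024-02-12 23:06:18 SMTP connection from [176.221.55.121]:52624 (TCP/IP connection count = 2)
2024-02-12 23:06:20 1rZmrz-000734-2a <= satis@drf.com.tr H=posta.criticalcase.com [176.221.55.121]:52624 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=882495 id=f1f41ab66ce7067df7b77239fbcce153@drf.com.tr T="Yan\304\261t: Sat\304\261nalma Sipari\305\237i" for scott@example.invalid
"""

ARRIVAL = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# Exim delivery flags: => delivered, -> extra address, ** failed/bounced, == deferred
DELIVERY = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) (?P<flag>=>|->|\*\*|==) (?P<rest>.*)$")
COMPLETED = re.compile(r"^\S+ \S+ (?P<id>\S+) Completed$")
# key=value tokens; quoted values (T="...", C="...") may contain spaces and escapes
KV = re.compile(r'(?<!\S)(?P<key>[A-Za-z]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')
HOST = re.compile(r"H=(?P<host>\S*) \[(?P<ip>[^\]]+)\]")
OCTAL = re.compile(r"\\([0-7]{3})")


def decode_exim_escapes(text: str) -> str:
    """Exim logs non-printable bytes as \\ooo octal escapes; rebuild the UTF-8 text."""
    as_bytes_chars = OCTAL.sub(lambda m: chr(int(m.group(1), 8)), text)
    return as_bytes_chars.encode("latin-1", errors="replace").decode("utf-8", errors="replace")


@dataclass
class MessageRecord:
    id: str
    received: str = ""
    sender: str = ""
    host: str = ""
    ip: str = ""
    size: int = 0
    subject: str = ""
    deliveries: list[tuple[str, str, str]] = field(default_factory=list)  # (flag, router, transport)
    completed: bool = False

    @property
    def status(self) -> str:
        flags = {flag for flag, _, _ in self.deliveries}
        if flags & {"=>", "->"}:
            return "delivered"
        if "**" in flags:
            return "failed"
        if "==" in flags:
            return "deferred"
        return "no delivery record"


def parse_mainlog(text: str) -> dict[str, MessageRecord]:
    """Group arrival, delivery and completion lines by Exim message ID."""
    records: dict[str, MessageRecord] = {}
    for line in text.strip().splitlines():
        if m := ARRIVAL.match(line):
            rec = records.setdefault(m["id"], MessageRecord(m["id"]))
            rec.received, rec.sender = m["ts"], m["sender"]
            kv = {k: v.strip('"') for k, v in KV.findall(m["rest"])}
            if h := HOST.search(m["rest"]):
                rec.host, rec.ip = h["host"], h["ip"]
            rec.size = int(kv.get("S", 0))
            rec.subject = decode_exim_escapes(kv.get("T", ""))
        elif m := DELIVERY.match(line):
            rec = records.setdefault(m["id"], MessageRecord(m["id"]))
            kv = {k: v.strip('"') for k, v in KV.findall(m["rest"])}
            rec.deliveries.append((m["flag"], kv.get("R", "?"), kv.get("T", "?")))
        elif (m := COMPLETED.match(line)) and m["id"] in records:
            records[m["id"]].completed = True
    return records


def unaccounted(records: dict[str, MessageRecord]) -> list[str]:
    """IDs that arrived but have no delivery, failure or deferral line in the excerpt."""
    return [r.id for r in records.values() if r.received and not r.deliveries]


def summarize(records: dict[str, MessageRecord]) -> list[str]:
    return [
        f"{r.id} from={r.sender} host={r.host} [{r.ip}] size={r.size} "
        f"subject={r.subject!r} status={r.status} completed={r.completed}"
        for r in records.values()
    ]


if __name__ == "__main__":
    for line in summarize(parse_mainlog(SAMPLE_LOG)):
        print(line)
```

Run it against `grep <message-id> /var/log/exim_mainlog` output rather than a grep by IP: the `=>` line names the router and transport that accepted the message, and an ID that arrived without any `=>`, `**` or `==` line needs a second look before concluding the filter was bypassed.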
  • cPRex Jurassic Moderator

    That's just odd, and wasn't what I was expecting to see.  Could you create a ticket so we can do some more direct testing?

    0
  • celiac101

I probably won't create a ticket, but was hoping for some advice about why this might be happening. I suspect you could reproduce this on any cPanel setup, but I could be wrong. I do badly need to upgrade my system to AlmaLinux but I doubt that this is the cause of my issue.

    0
  • cPRex Jurassic Moderator

    Sorry about the delay on this - I did some testing on my end and I couldn't reproduce the issue.  Trying to send an attachment that was in the block list was properly rejected on the system.  Since that is the case, we'd likely need to see a ticket to get more details on what may be happening in your environment.

    0
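The thread ends without establishing why the .7z and .rar messages got through. Two general Exim facts are worth checking against any extension-blocking system filter: a `$header_content-type:` condition refers only to the message's top-level header (an attachment's own Content-Type and Content-Disposition lines are body content, and `$message_body` is truncated to `message_body_visible` bytes, 500 by default), and a regex over raw header text only matches a filename that is written literally, not one carried as an RFC 2047 encoded word or an RFC 2231 `filename*=` parameter. The script below is an added example (mine, not the thread's, cPanel's or Exim's) that enumerates attachment names the MIME-aware way with Python's `email` package and compares the result with a raw-header regex in the style of an extension rule; the message and the shortened banned-extension list are constructed for the demo, and the regex is a simplified stand-in, not the cPanel rule. If the two lists disagree for messages that reached the mailbox, a MIME-aware scanner (ClamAV, for instance) is the dependable control rather than a longer extension regex.

```python
"""Attachment names: MIME-aware walk vs raw-header regex (added example)."""
import re
from email import message_from_bytes
from email.header import decode_header, make_header
from email.utils import collapse_rfc2231_value

BANNED_EXTENSIONS = {"7z", "rar", "exe", "scr"}  # constructed short list for the demo

# Constructed message: three attachments, each declaring its name a different way.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: scott@example.invalid
Subject: demo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

see attached
--b1
Content-Type: application/octet-stream; name="invoice.7z"
Content-Disposition: attachment; filename="invoice.7z"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="=?UTF-8?B?TmFydWTFvmJhLjd6?="
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=UTF-8''Sipari%C5%9F.rar
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def _decode_encoded_words(value: str) -> str:
    """Decode RFC 2047 encoded words (=?charset?B?...?=) if the parser left them in."""
    if "=?" in value:
        return str(make_header(decode_header(value)))
    return value


def attachment_names(raw: bytes) -> list[str]:
    """Walk every MIME part and return each declared attachment filename, decoded."""
    names: list[str] = []
    msg = message_from_bytes(raw)  # compat32 parser; get_filename() handles filename*= (RFC 2231)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:  # fall back to the Content-Type name= parameter
            param = part.get_param("name")
            name = collapse_rfc2231_value(param) if param else None
        if name:
            names.append(_decode_encoded_words(str(name)))
    return names


# Raw-header regex in the spirit of an extension rule: only literal names match.
RAW_NAME_RE = re.compile(
    rb'(?i)(?:file)?name="?(?P<fn>[^"\r\n;]*?\.(?:'
    + b"|".join(ext.encode() for ext in sorted(BANNED_EXTENSIONS))
    + rb"))\b"
)


def raw_header_hits(raw: bytes) -> list[str]:
    """Banned names a raw-text regex would see; deduplicated, in order of appearance."""
    seen: dict[str, None] = {}
    for m in RAW_NAME_RE.finditer(raw):
        seen.setdefault(m["fn"].decode("ascii", "replace"), None)
    return list(seen)


def banned(names: list[str]) -> list[str]:
    """Filter a decoded name list down to the banned extensions."""
    return [n for n in names if n.rsplit(".", 1)[-1].lower() in BANNED_EXTENSIONS]


if __name__ == "__main__":
    mime_view = attachment_names(SAMPLE_MESSAGE)
    print("MIME-aware:", banned(mime_view))
    print("raw regex: ", raw_header_hits(SAMPLE_MESSAGE))
```

The MIME-aware pass reports all three banned names; the raw regex reports only the literal `invoice.7z`. To test your own filter, feed it copies of messages that were delivered with a banned attachment and confirm which of the two views it reproduces.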