Preventing '{Disarmed}' from being added to outgoing messages

[jman]

Hi, All,

MailScanner v5.3.3
ConfigServer MailScanner Script v5.02
MailScanner Front-Ind v9.07
ConfigServer Security & Firewall v14.08

Not sure exactly when this started, but certain outbound mails to them are being marked "Disarmed".

Have:

• whitelisted the sending IP in both /etc/csf.allow and /etc/csf.ignore

• Restarted CSF

• whitelisted the sending email address in /usr/mailscanner/etc/rules/spam.whitelist.rules

• Reloaded rulesets and restarted MailScanner

After sending a test email, "{Disarmed}" is still being added to the subject line.
(Sending and receiving domains are on the same VPS, so the message never actually left the host. It's definitely us adding the info.)

Here are some relevant Mailscanner headers in the test message (munged for identity as noted):
X-MailScanner-Information: Please contact <munged> for more information.
X-MailScanner-ID: <munged>
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam (whitelisted),
SpamAssassin (not cached, score=1.581, required 5, ALL_TRUSTED -1.00,
AWL 0.01, BAYES_50 0.80, HTML_MESSAGE 0.00,
HTML_OBFUSCATE_05_10 0.26, KAM_DMARC_QUARANTINE 1.50,
KAM_DMARC_STATUS 0.01, URIBL_BLOCKED 0.00)
X-MailScanner-From: <munged - (whitelisted address from above)>
X-Spam-Status: No

There is some html in the message in the form of a signature with an embedded base64 company logo, but as the sender and ip are whitelisted, not sure that's relevant.

What else can I do to prevent these valid outgoing messages from being marked as "{Disarmed}" ?

Thank you!
--
Carl

[jman]

After a little more digging, looks like what's causing the messages to be flagged is some telemetry being inserted into the message.

This is the latest QuickBooks Enterprise sending invoices via Thunderbird. QuickBooks is adding an <img> link to the Thunderbird email template which references a spacer.gif file hosted on AWS. There's an additional URL in the alt tag for the image containing some unique info.

Yuck. I don't have any control over what QuickBooks sends to Thunderbird, and don't know of a way to run a script in TB before sending (running sed to remove the offending link prior to hitting the SMTP server would be ideal).

It's not Exim's job to manipulate message bodies, so that route is out as well, and overriding the recipient address to a script on the server so it could do the work would be a huge pain.

So, until I figure out how to sanitize the messages, seems the best option is to force MailScanner not to flag them, which after following procedures from the initial post does not appear to work.

Any clues would be most appreciated. Thanks!

[Sarah]

Have a look at this knowledgebase article:

https://support.configserver.com/en/kno ... disable-it

[jman]

Thanks for the reply. I'd already done that, and as stated, it does not seem to work.

Added this to /usr/mailscanner/etc/rules/spam.whitelist.rules (actual address munged):

From: whitelistedaddress@domain.tld yes

Based on the other entries in the file, looks like it uses a space between From: and the address, and a tab between the address and yes.

Verified that the line
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
is present in /usr/mailscanner/etc/MailScanner.conf

Restarted mailscanner and Exim.

The "Disarmed" tag is still being added to the subject line on outbound messages from the whitelisted email address.

Please advise. Thanks!

[Sarah]

The spam.whitelist.rules file only affects scanning for spam, not for dangerous html, so it does not prevent mails from being tagged as disarmed. If you don't want to see the disarmed tag, you have to follow the instructions in the article I mentioned.