Legit Email Marked as Bad Content/Infected
Was wondering if someone could help me figure out why when I send an email using webmail (squirrel mail) to someone I know with a pdf attachment and cc it to my own email address the email isn't delivered. It gets flagged in mailscanner/mailwatch as bad content/infected and I have to release it as ham in order for me to see it. When I send it using thunderbird however it gets sent just fine. Is there a setting that I cannot seem to locate in the config regarding imap that stops this from happening? I tried disabling the Dangerous Content scanning feature under mailscanner performance but that didn't do it. I also tried whitelisting my email address but that didn't work either. It also seems to take a while to process before it delivers and flags it as bad content/infected as I see it in the Pending Queue for about 5-10 minutes. Doing a search here for imap shows a lot of different issues but none similar to mine.
Re: Legit Email Marked as Bad Content/Infected
Okay after some more research it seems that I have to allow pdf files in the filename.rules file. I used config explorer to do this but when I tried to add the allow \.pdf$ -- to the file and click save it doesn't work. Because explorer won't allow me to use the tab key (it just takes me to the save and cancel buttons when I type the tab key) I tried to copy and paste a rule from above and make the edit to it. I am guessing that I must use the tab key to separate the text. Does anyone know why explorer won't allow the use of the tab key and if there is a way to allow it?
I even tried to download the file and make changes to it using notepad++ where I can use the tab key and then uploading it through the config server explorer via binary but that didn't work either.
Re: Legit Email Marked as Bad Content/Infected
Alright something is definitely amiss as even ssh into root hasn't worked. Am I doing this wrong? This time I was able to use the tab key.
Here were my steps: login to root; pico /usr/mailscanner/etc/filename.rules.conf then added
allow \.pdf$ - -
into the following place:
# These are known to be mostly harmless.
allow \.jpg$ - -
allow \.gif$ - -
# .url is arguably dangerous, but I can't just ban it...
allow \.url$ - -
allow \.vcf$ - -
allow \.txt$ - -
allow \.zip$ - -
allow \.t?gz$ - -
allow \.bz2$ - -
allow \.Z$ - -
allow \.rpm$ - -
allow \.sai$ - -
allow \.cab$ - -
allow \.pdf$ - -
I restarted mailscanner and see this in my logs: Process did not exit cleanly, returned 255 with signal 0. Then I emailed a pdf file from my squirrelmail account to an email address on my server and it was flagged as bad content/infected by mailscanner in mailwatch. Not sure what to do now as I should be able to use webmail instead of thunderbird or outlook to send pdf files.
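Added example (not part of the thread, and not MailScanner or ConfigServer code): a small Python check for the tab-separator question raised in the posts above. It assumes the layout described in the stock file's header comments (four TAB-separated fields: action, regex, log text, report text) and top-to-bottom, first-match-wins evaluation; the sample rules are constructed.

```python
import re

# Assumption (stock file's header comments): each rule is four TAB-separated
# fields: action, regex, log text, user report text.
ACTIONS = {"allow", "deny", "deny+delete", "rename"}

def parse_rules(text):
    """Return (rules, problems). rules: (lineno, action, compiled regex)."""
    rules, problems = [], []
    for lineno, line in enumerate(text.split("\n"), 1):
        if line.endswith("\r"):  # file saved with Windows line endings
            problems.append((lineno, "carriage return at end of line"))
            line = line[:-1]
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = re.split(r"\t+", line.strip())
        if len(fields) != 4:  # typical when spaces were typed instead of tabs
            problems.append(
                (lineno, f"expected 4 TAB-separated fields, found {len(fields)}"))
            continue
        action, pattern = fields[0], fields[1]
        if action.split(" ")[0] not in ACTIONS and "@" not in action:
            problems.append((lineno, f"unknown action {action!r}"))
            continue
        try:
            # Assumption: matching is case-insensitive. Python's regex dialect
            # stands in for Perl's, which is enough for simple patterns.
            rules.append((lineno, action, re.compile(pattern, re.IGNORECASE)))
        except re.error as exc:
            problems.append((lineno, f"bad regex: {exc}"))
    return rules, problems

def first_match(rules, filename):
    """Walk the rules top to bottom; the first regex that matches decides."""
    for lineno, action, rx in rules:
        if rx.search(filename):
            return lineno, action
    return None

# Constructed sample: line 3 uses spaces, line 5 ends with a carriage return.
SAMPLE = "\n".join([
    "# These are known to be mostly harmless.",
    "allow\t\\.jpg$\t-\t-",
    "allow \\.pdf$ - -",
    "deny\t\\.exe$\tExecutable\tNo executables",
    "allow\t\\.pdf$\t-\t-\r",
])

if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE)
    print(problems, first_match(rules, "report.pdf"))
```

Running it against a copy of the real rules file (read with `open(path, newline="").read()` so line endings are preserved) shows which lines would not parse and which rule decides a given attachment name.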
Re: Legit Email Marked as Bad Content/Infected
You haven't mentioned whether you have definitely determined the *exact* reason that the attachment is being rejected. You need to search both the filename and filetype rules for the exact text of the reason given in MailWatch for blocking the attachment.
FYI whitelisting in the MSFE only works for spam, not viruses/dangerous attachments. If you want to never block attachments you send, you need to "whitelist" your email or domain in a specific way. See this FAQ:
http://www.configserver.com/techfaq/index.php?faqid=13
Re: Legit Email Marked as Bad Content/Infected
Sarah, thanks for replying to my post. The reason I haven't determined the exact reason is I'm unable to figure that out. It seems that pdf files crash mailscanner when sent from webmail as per this log:
Making attempt 4 at processing message 1VqCJn-0006aM-Du: 1 Time(s)
Cannot find Socket (/tmp/clamd) Exiting!: 1 Time(s)
Making attempt 5 at processing message 1VqC27-0006OB-DT: 1 Time(s)
Making attempt 4 at processing message 1VqAPx-00056E-3X: 1 Time(s)
Quarantined message 1VqCJn-0006aM-Du as it caused MailScanner to crash several times: 1 Time(s)
Making attempt 6 at processing message 1VqAPx-00056E-3X: 1 Time(s)
Quarantined message 1VqC27-0006OB-DT as it caused MailScanner to crash several times: 1 Time(s)
Making attempt 3 at processing message 1VqAPx-00056E-3X: 1 Time(s)
skipping message 1Vq9si-0004fL-VU as it has been attempted too many times: 1 Time(s)
Making attempt 2 at processing message 1VqCJn-0006aM-Du: 1 Time(s)
Making attempt 3 at processing message 1Vq9si-0004fL-VU: 1 Time(s)
Making attempt 5 at processing message 1VqCJn-0006aM-Du: 1 Time(s)
Making attempt 6 at processing message 1VqC27-0006OB-DT: 1 Time(s)
Making attempt 2 at processing message 1VqAPx-00056E-3X: 1 Time(s)
Quarantined message 1Vq9si-0004fL-VU as it caused MailScanner to crash several times: 1 Time(s)
Not sure if this is related or a separate issue but I also see this in my logs when I restart mailscanner:
/var/log/messages:
Dec 9 14:41:48 vanisle1 MailScanner: Process did not exit cleanly, returned 2 with signal 0
Dec 9 14:45:10 vanisle1 MailScanner: Process did not exit cleanly, returned 2 with signal 0
Dec 9 14:48:25 vanisle1 MailScanner: Process did not exit cleanly, returned 255 with signal 0
Dec 9 14:50:32 vanisle1 MailScanner: Process did not exit cleanly, returned 255 with signal 0
Dec 9 14:53:27 vanisle1 MailScanner: MailScanner setting GID to mail (12)
Dec 9 14:53:27 vanisle1 MailScanner: MailScanner setting UID to mailnull (47)
There isn't any match in the filename.rules.conf or filetype.rules.conf for the "Report: MailScanner: Message attempted to kill MailScanner". I did create the new files named archives.filename.special.rules.conf and filename.special.rules.conf with allow \.pdf$ - - in both and added FromOrTo: mydomain /usr/mailscanner/etc/filename.special.rules.conf to the /rules/filename.rules.rules file. I will try sending the email again and check mailwatch in the morning to see if that makes a difference.
I will keep digging but I was hoping that someone else was experiencing this besides myself and might be able to shed some light on it.
Re: Legit Email Marked as Bad Content/Infected
OK, that indicates a completely different type of problem than I was expecting. Are you running the latest version of MailScanner? We used to see a problem similar to this fairly frequently but it should be fixed now. I am a bit flummoxed as to why it should be happening only when you send mail via webmail. Is this with *any* webmail program or a particular one?
Re: Legit Email Marked as Bad Content/Infected
Also, does it happen only with this particular file or with other pdf files? And have you tested it with any other kinds of file attachments?
Re: Legit Email Marked as Bad Content/Infected
Hi Sarah, thanks for replying. I only have squirrelmail set up on my server as the webmail of choice.
I've narrowed it down to one domain that is having the issues. I've tried sending different pdf files (lrge and sm) from other domain email addresses on the server to themselves and the files get through no problem. It seems the only time an issue occurs is when the pdf files get sent to this domain or by sending the pdf files to itself. I can however send pdf files from this domain to other domain email addresses with no problem. Sorry if it sounds a little confusing. I haven't tried it with any other file attachments yet, but will try some word docs now.
My version of mailscanner is:
MailScanner - v4.84.5 installed
ConfigServer MailScanner Script - v2.89 installed and up to date
Update: The same issues occur with word and excel files.
Re: Legit Email Marked as Bad Content/Infected
Okay well I've confirmed it is a mailscanner problem by disabling mailscanner and resending the messages. They went through without a hitch. Not sure what mailscanner has against this domain and squirrelmail, but it definitely crashes when mail with pdf, doc and xls attachments is sent or received. Mailscanner works fine with all other domains and squirrelmail on the server sending and receiving pdf, doc, and xls attachments. Mailscanner also works fine when I use horde mail or roundcube mail with this domain sending and receiving the same attachments, which is why I opened a ticket with cPanel figuring it was a squirrelmail issue, but they are the ones who asked me to disable mailscanner and try again. They then told me it was a mailscanner problem and they couldn't provide support. Any more ideas on how to resolve this?
Re: Legit Email Marked as Bad Content/Infected
If you log a ticket we can have a look.