Newsletters being blocked by ORF/ClamAV - ORF Forums

Newsletters being blocked by ORF/ClamAV RSS Back to forum

1

I'm having an issue with newsletters being blocked by ORF/ClamAV. I recently installed the ClamAV external agent for ORF which is working great but it is blocking almost every newsletter coming in. An example is from Home Depot. See ORF log:
-------------------------------------------------------------------------------
Version: 4.4 REGISTERED
Log Mode: Verbose
Server: domain.local
Source: SMTPSVC-1
Time: 8/5/2010 7:16:11 AM
Class: Blacklist
Severity: Information
Actions: Tag Subject + Tag Header + Redirect Email
Filtering Point: On Arrival
HELO/EHLO Domain: (not available)
Related IP Address: 207.67.38.32
Message ID: (not available)
Email Subject: FREE Shipping on Select Air Conditioners $249 and Up
Sender:
Recipient(s):
*
Message:
Email blacklisted. Agent "ClamAV for Windows" hit (exit code 1, comment "Virus, spam, scam or encrypted content"). Agent output: "C:\orf_temp_emails\sce-34A7FB330ACFA3B039290FF5C16A75B1.eml: INetMsg.SpamDomain-2w.memberlandingpages_com.UNOFFICIAL FOUND".
--------------------------------------------------------------------------------------
As you can see, I'm only tagging the subject and header and redirecting the email to a place that i look through daily to see what's getting blocked. There are many other newsletters but this was the first example I saw. In the Home Depot email it says "Please add to your address book or safe list". The log shows it comes from something else, which is expected. Each Sender address is different. How do I get these newsletters to go through without getting tagged? Multiple of these messages come in for different recipients.

Thanks for any suggestions/help!

by Aaron 9 years ago
2

@Aaron: According to the log snippet, this email was blocked by one the 3rd party antispam/phishing/scam signatures of ClamAV (Sanesecurity). The quality of these signatures are questionable in many cases. As the ClamAV External Agent runs on whitelisted emails by default, whitelisting in ORF will not help.

Instead, you should either whitelist the domain "homedepot.com" in ClamAV by adding it to the local.ign2 file, or disable the signature in your ClamAV configuration to avoid further false positives.

You might also want to report the false positive to Bill Landry (http://www.sanesecurity.co.uk/fps.htm)

by Krisztian Fekete (Vamsoft) 9 years ago
(in reply to this post)

3

@Krisztian Fekete (Vamsoft): Thanks. I see what's going on but I am not sure about the 'local.ign2' file. I don't see it for ClamAV. There is a 'sigwhitelist.ign2' file but it seems to have the signatures that are valid in it. Would I need to create the 'local.ign2' file and add things as I need to?
If I wanted to disable the signature, could you tell me how to do that or point me to some documentation? I'm trying to get in touch with Bill Landry to see what he can tell me to do alos.
Thanks again!

by Aaron 9 years ago
(in reply to this post)

4

@Aaron: I found the following in the signatures documentation of ClamAV (http://www.clamav.net/doc/latest/signatures.pdf):

"To whitelist a specific signature from the database you just add its name into a
local file called local.ign2 stored inside the database directory. You can addition-
ally follow the signature name with the MD5 of the entire database entry for this
signature, eg:

Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c

In such a case, the signature will no longer be whitelisted when its entry in the
database gets modified (eg. the signature gets updated to avoid false alerts)."

Unfortunately, I have tried this only once a long time ago, so I cannot remember the details on how this should be done exactly, and I do not have ClamAV installed on my home computer currently :(

by Krisztian Fekete (Vamsoft) 9 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2