Hi Eric,

Yes, I can see the logs like you showed for those emails I tested with zip attachments that were rejected by the server.
But for the spam mail with zip attachments, the log shows the email being accepted as usual.

Teruo

-----Original Message-----
From: Eric Broch [mailto:[email protected]]
Sent: Friday, October 7, 2016 11:33 AM
To: [email protected]
Subject: Re: [qmailtoaster] Reject email with zip attachment

Hi Teruo,

Look in /var/log/maillog and /var/log/qmail/smtp/current. These are log entries for the same email in each log.

smtp log:

@4000000057f714642592a124 simscan:[4586]:ATTACH:0.2014s:xxx.zip:65.125.253.154:[email protected]:[email protected]
@4000000057f7146425abbaec qmail-smtpd: qq hard reject (Your email was rejected because it contains a bad attachment: xxx.zip): MAILFROM:<[email protected]> RCPTTO:[email protected]

maillog:

Oct 6 21:19:54 myserver spamdyke[4585]: DENIED_OTHER from: [email protected] to: [email protected] origin_ip: 1.2.4.5 origin_rdns: mail.yyy.com auth: (unknown) encryption: TLS reason: 554_Your_email_was_rejected_because_it_contains_a_bad_attachment:_xxx.zip

Eric

On 10/6/2016 8:41 PM, Kan Teruo wrote:
> Hi Eric,
>
> I tested by using other email accounts like yahoo, gmail and other
> domains from the same server.
> All emails with zip attachments to xxx.com were rejected by the
> qmailtoaster server.
>
> So I wonder how some of the spam mail with zip attachments could be
> delivered to xxx.com?
> Is it possible to trace the process from the logs?
>
> Thanks for your time.
> Teruo
>
> -----Original Message-----
> From: Eric Broch [mailto:[email protected]]
> Sent: Friday, October 7, 2016 10:28 AM
> To: [email protected]
> Subject: Re: [qmailtoaster] Reject email with zip attachment
>
> Syntactically, I don't see any issues in your simcontrol file. The second
> (default) line is most likely what is allowing .zip files through though.
> Are you receiving zip files for xxx.com?
>
> On 10/6/2016 7:35 PM, Kan Teruo wrote:
>> Hi Eric,
>>
>> Since only some of the domains want to reject email with zip
>> attachments, I keep the default setting in the last line.
>>
>> xxx.com:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif:.zip:.rar
>>
>> :clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif
>>
>>
>> The first line started with
>> "xxx.com:clam=yes,spam=yes..................." is the domain which
>> doesn't want to receive email with zip and rar attachments.
>> The last line started with ":clam=yes,spam=yes......................."
>> is the default setting for the rest of the domains.
>>
>> Is there anything wrong in my simcontrol file?
>>
>> Thanks,
>> Alex
>>
>>
>> -----Original Message-----
>> From: Eric [mailto:[email protected]]
>> Sent: Thursday, October 6, 2016 10:18 PM
>> To: [email protected]
>> Subject: Re: [qmailtoaster] Reject email with zip attachment
>>
>> Hi Teruo,
>>
>> A) Here's my tcp.smtp file:
>>
>> 1) Entry for localhost relay:
>> 127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private",RBLSMTPD="",NOP0FCHECK="1"
>>
>> 2) Entry for all others:
>> :allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",DKSIGN="/var/qmail/control/domainkeys/%/private",NOP0FCHECK="1"
>>
>> B) It looks like in your simcontrol file that default processing
>> (line beginning with ':') allows .zip files through.
>>
>> Change
>>
>> :clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif
>>
>> to
>>
>> :clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif:.zip
>>
>> Eric
>>
>>
>> On 10/5/2016 7:55 PM, Kan Teruo wrote:
>>> Hi Eric,
>>>
>>> Thanks for your reply.
>>> Please refer to below:
>>>
>>> /var/qmail/control/simcontrol
>>> ==============================================
>>> xxx.com:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif:.zip:.rar
>>> :clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif
>>>
>>> /etc/tcprules.d/tcp.smtp
>>> ==============================================
>>> :allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"
>>>
>>> By the way, you said you set up mail coming from 127.0.0.1 not to use
>>> simscan.
>>> May I know how to do it?
>>>
>>> Thanks for your time and help.
>>>
>>> Teruo
>>>
>>>
>>> -----Original Message-----
>>> From: Eric [mailto:[email protected]]
>>> Sent: Wednesday, October 5, 2016 10:18 PM
>>> To: [email protected]
>>> Subject: Re: [qmailtoaster] Reject email with zip attachment
>>>
>>> Hi Teruo,
>>>
>>> 1) Can you dump the /var/qmail/control/simcontrol file for us and send
>>> it to the list, and /etc/tcprules.d/tcp.smtp?
>>>
>>> 2) In simcontrol the ':' should only be between (a separator for)
>>> file types.
>>>
>>> So if you wanted to stop .zip attachments only it would be like this
>>>
>>> attach=.zip
>>>
>>> not
>>>
>>> attach=:.zip
>>>
>>> for multiple file types
>>>
>>> attach=.typ1:.typ2:.typ3:.typ4
>>> etc...
>>>
>>> 3) Check /etc/tcprules.d/tcp.smtp
>>>
>>> In this file it is determined when simscan
>>> (QMAILQUEUE="/var/qmail/bin/simscan") is used. On my setups, for mail
>>> coming from 127.0.0.1 (localhost) simscan is not used, so zip
>>> attachments would be allowed through.
>>>
>>> Eric
>>>
>>> On 10/5/2016 4:18 AM, Kan Teruo wrote:
>>>> Hi All,
>>>>
>>>> I had added attach=:.zip in the simcontrol and ran the command
>>>> "qmailctl cdb".
>>>>
>>>> It seems to work fine to reject all email with zip attachments. (At
>>>> least I tested by using different email accounts like gmail and
>>>> yahoo.)
>>>>
>>>> But I found that sometimes spam mail with zip attachments is still
>>>> delivered into users' mailboxes.
>>>>
>>>> I tried to check the log but couldn't find any idea why the spam
>>>> mail with zip attachments can be delivered to users' mailboxes.
>>>>
>>>> Thanks!
>>>>
>>>> Teruo
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
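
Added example (not part of the thread and not simscan's own code): a small Python model of the simcontrol file posted above, showing which line applies to a given recipient and whether a .zip attachment would be rejected. It assumes simscan looks up the full recipient address, then the domain, then the default (empty-key) line, and that attach= entries match as case-insensitive filename suffixes; the recipient addresses are constructed.

```python
# Added example: model of simcontrol rule selection (not simscan's own code).
# Assumed: lookup order is full address, then domain, then the default
# (empty-key) line; attach= entries match as case-insensitive name suffixes.

SIMCONTROL = """\
xxx.com:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif:.zip:.rar
:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif
"""  # the two lines posted in the thread


def parse_simcontrol(text):
    """Return ({key: options}, [lint warnings]) for a simcontrol file."""
    rules, warnings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        key, _, opts = line.partition(":")  # key is empty on the default line
        parsed = dict(o.split("=", 1) for o in opts.split(",") if "=" in o)
        exts = parsed.get("attach", "")
        if exts.startswith(":") or exts.endswith(":") or "::" in exts:
            warnings.append(f"line {n}: stray ':' in attach={exts}")
        parsed["attach"] = [e.lower() for e in exts.split(":") if e]
        rules[key.lower()] = parsed
    return rules, warnings


def effective_rule(rules, recipient):
    """Select the rule for one recipient: address, then domain, then default."""
    rcpt = recipient.lower()
    for key in (rcpt, rcpt.rpartition("@")[2], ""):
        if key in rules:
            return key, rules[key]
    return None, {"attach": []}


def is_blocked(rules, recipient, filename):
    """True if the recipient's effective rule lists the file's suffix."""
    _, rule = effective_rule(rules, recipient)
    return any(filename.lower().endswith(ext) for ext in rule["attach"])


if __name__ == "__main__":
    rules, warnings = parse_simcontrol(SIMCONTROL)
    for rcpt in ("user@xxx.com", "user@other.example"):  # constructed addresses
        key, _ = effective_rule(rules, rcpt)
        verdict = "rejected" if is_blocked(rules, rcpt, "invoice.zip") else "accepted"
        print(f"{rcpt}: rule {key or '(default)'!r} -> invoice.zip {verdict}")
    print(parse_simcontrol("xxx.com:clam=yes,attach=:.zip\n")[1])
```

With the posted file, only recipients at xxx.com get the .zip rule; every other domain falls through to the default line, which is the line Eric suggests changing in (B).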
