How to whitelist an e-mail address from being filtered by amavis?

mailserver
v7

(Daniele Nosella) #1

Amavis continues to put a message in quarantine, even though I whitelisted it from the Web GUI (e-mail/filter/rules by e-mail address).

Any idea how to whitelist the sender for amavis too?

Here is the log from /var/log/maillog:

Jul 10 11:50:40 mail amavis[1500]: (01500-03) ESMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20170710T101046-01500-tX_2DJWu: xxx@gmail.com -> <xxx@xxx.com SIZE=15980 Received: from mail.xxx.com ([127.0.0.1]) by localhost (mail.xxx.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for xxx@xxx.com; Mon, 10 Jul 2017 11:50:40 +0200 (CEST)
Jul 10 11:50:40 mail amavis[1500]: (01500-03) Checking: zTmXEZPcDO6q [209.85.128.174] xxx@gmail.com -> xxx@xxx.com
Jul 10 11:50:40 mail amavis[1500]: (01500-03) header_edits_for_quar: xxx@gmail.com -> xxx@xxx.com, No, score=x tag=-1000 tag2=5 kill=18 tests=[] autolearn=unavailable
Jul 10 11:50:40 mail amavis[1500]: (01500-03) skip local delivery(3): xxx@gmail.com ->
Jul 10 11:50:40 mail amavis[1500]: (01500-03) Blocked INFECTED (PhishTank.Phishing.5018864.UNOFFICIAL) {RejectedInbound,Quarantined}, [209.85.128.174]:34356 [91.253.72.245] xxx@gmail.com -> xxx@xxx.com, Message-ID: 67F484FF-FE1D-43AD-A5DE-C972424EF969@gmail.com, mail_id: zTmXEZPcDO6q, Hits: -, size: 16185, 110 ms
Jul 10 11:50:40 mail postfix/smtpd[2435]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=01500-03 - INFECTED: PhishTank.Phishing.5018864.UNOFFICIAL; from=xxx@gmail.com to=xxx@xxx.com proto=ESMTP helo=<mail-wr0-f174.google.com>


(Davide Principi) #2

The message is not spam, it is infected by a virus. It seems the black/whitelists work for spam messages only.


(Filippo Carletti) #3

You could whitelist that virus signature:

echo "PhishTank.Phishing.5018864" >> /var/lib/clamav/mywhitelist.ign2

Then restart clamd.
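
An added example, not part of the original thread: a shell sketch that pulls the blocking signature names out of maillog lines like the one in post #1, so they can be reviewed before any is written to the .ign2 file from post #3. The function names `blocked_signatures`, `ign2_add` and `sample_log` are hypothetical, the sample lines are constructed, and the character check on names is a conservative assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read maillog lines on stdin and print "count name" for each signature that
# amavis reported in a "Blocked INFECTED (...)" line. The log shows the name
# with a ".UNOFFICIAL" suffix; the .ign2 entry in post #3 is the name without
# it, so the suffix is stripped here.
blocked_signatures() {
    # tr splits the parenthesised list in case several names are reported.
    sed -n 's/.*amavis\[[0-9]*]: ([^)]*) Blocked INFECTED (\([^)]*\)).*/\1/p' |
        tr ',' '\n' |
        sed 's/^ *//; s/\.UNOFFICIAL$//' |
        sort | uniq -c | awk '{print $1, $2}'
}

# Append one signature name to an .ign2 file unless it is already listed.
# Returns 0 if added, 1 if already present, 2 if the name is rejected.
ign2_add() {
    sig=$1
    file=$2
    case $sig in
        # Assumption: accept only letters, digits, dot, underscore, hyphen.
        ''|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    if [ -f "$file" ] && grep -qxF -- "$sig" "$file"; then
        return 1
    fi
    printf '%s\n' "$sig" >> "$file"
}

# Constructed sample lines modelled on the log in post #1.
sample_log() {
cat <<'EOF'
Jul 10 11:50:40 mail amavis[1500]: (01500-03) Blocked INFECTED (PhishTank.Phishing.5018864.UNOFFICIAL) {RejectedInbound,Quarantined}, [192.0.2.1]:34356 a@example.com -> b@example.org, mail_id: AAAA, Hits: -, size: 16185, 110 ms
Jul 10 12:02:11 mail amavis[1500]: (01500-07) Blocked INFECTED (PhishTank.Phishing.5018864.UNOFFICIAL) {RejectedInbound,Quarantined}, [192.0.2.1]:34400 a@example.com -> c@example.org, mail_id: BBBB, Hits: -, size: 16001, 98 ms
Jul 10 12:05:00 mail amavis[1500]: (01500-08) Passed CLEAN {RelayedInbound}, [192.0.2.9]:4000 d@example.com -> b@example.org, mail_id: CCCC
EOF
}

sample_log | blocked_signatures   # prints: 2 PhishTank.Phishing.5018864
```

On a real server, feed `/var/log/maillog` to `blocked_signatures`, decode each candidate with `sigtool` as in post #7, and only then pass it to `ign2_add` with the path from post #3. An ignored signature stops matching for all mail, not just the whitelisted sender.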


(Daniele Nosella) #4

I was suspecting that. It seems I temporarily solved the issue by completely deactivating the antivirus in the e-mail server.

It’s interesting because the e-mail is just a Google Calendar notification, automatically sent by Google Calendar at the creation of an event.
Probably PhishTank has to update/correct its database.

If I find the time I’ll try to report the issue to them.


(Daniele Nosella) #5

Thank you, I’ll try very soon… A lot better than completely turning off the antivirus module :sweat_smile:


(Daniele Nosella) #6

Just tried and tested: solved!

Thank you


(Filippo Carletti) #7

Thanks for the feedback.
For the record, here’s the sig:

# sigtool -f PhishTank.Phishing.5018864 | sigtool --decode-sig
VIRUS NAME: PhishTank.Phishing.5018864
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
{STRING_ALTERNATIVE:.|/}goo.gl/7KCT5Y