1 (edited by Clouseau 2020-05-01 03:15:56)

Topic: EICAR email sent every 12 minutes and quarantined

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): iRedMail 1.0.0
- Deployed with iRedMail Easy or the downloadable installer? installer
- Linux/BSD distribution name and version:  Debian Stretch
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Yesterday we upgraded from Debian 8 to Debian 9. We had to apply that fix for iredadmin uwsgi that is written up in some other topic in the forum.

But we started to receive an EICAR test mail every 12 minutes. I have checked all crons, disabled Apache (I thought a fake sender was sending it over Roundcube) and still cannot find what is sending the EICAR test every 12 minutes. Weird. Here is the log:

Apr 30 21:05:15 hostname postfix/smtpd[36571]: 28D1E2DC269A: client=localhost[127.0.0.1]
Apr 30 21:05:15 hostname postfix/cleanup[36529]: 28D1E2DC269A: message-id=<VACXEPpAcJ_DcX@hostname.hostname.com>
Apr 30 21:05:15 hostname postfix/smtpd[36571]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 30 21:05:15 hostname postfix/qmgr[35386]: 28D1E2DC269A: from=<root@hostname.hostname.com>, size=1956, nrcpt=1 (queue active)
Apr 30 21:05:15 hostname amavis[26947]: (26947-09) Blocked INFECTED ({HEX}EICAR.TEST.3.UNOFFICIAL) {DiscardedOutbound,Quarantined}, LOCAL [127.0.0.1] <root@localhost> -> <root@localhost>, quarantine: C/virus-CXEPpAcJ_DcX, mail_id: CXEPpAcJ_DcX, Hits: -, size: 563, 311 ms
Apr 30 21:05:15 hostname postfix/cleanup[35672]: 3C55D2DC26C3: message-id=<VACXEPpAcJ_DcX@hostname.hostname.com>
Apr 30 21:05:15 hostname postfix/local[37066]: 28D1E2DC269A: to=<root@hostname.hostname.com>, relay=local, delay=0.19, delays=0.07/0.01/0/0.11, dsn=2.0.0, status=sent (forwarded as 3C55D2DC26C3)

Any clue?


2

Re: EICAR email sent every 12 minutes and quarantined

- Try searching for the text "VACXEPpAcJ_DcX" (the one used in the message-id) in all files on this server; it seems to be hard-coded.
- Please show us the full mail headers of this quarantined email.

3 (edited by Clouseau 2020-05-04 22:49:50)

Re: EICAR email sent every 12 minutes and quarantined

ZhangHuangbin wrote:

- Try searching for the text "VACXEPpAcJ_DcX" (the one used in the message-id) in all files on this server; it seems to be hard-coded.
- Please show us the full mail headers of this quarantined email.


"VACXEPpAcJ_DcX" changes in every mail.

A virus was found: {HEX}EICAR.TEST.3.UNOFFICIAL

Banned name: application/x-msdos-program,.dat
Bad header:
  Missing required header field: "Date"
Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 02308-14/gMCRRnYmV97f

First upstream SMTP client IP address: [127.0.0.1]

Return-Path: <root@localhost>
From: root@localhost
Subject: EICAR test
The message has been quarantined as: g/virus-gMCRRnYmV97f

The message WAS NOT relayed to:
<root@localhost>:
   250 2.7.0 Ok, discarded, id=02308-14 - INFECTED: {HEX}EICAR.TEST.3.UNOFFICIAL

Virus scanner output:
  p001: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND


header.hdr

Return-Path: <root@localhost>
Content-Type: multipart/mixed; boundary="----------=_1588595268-14799-0"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.508 (Entity 5.508)
From: root@localhost
To: root@localhost
Subject: EICAR test

4 (edited by Clouseau 2020-05-05 00:57:20)

Re: EICAR email sent every 12 minutes and quarantined

Found it. You can delete this topic as it is irrelevant. It was some old plugin for Zabbix to monitor amavisd, installed 10 years ago and forgotten by the maintainers. I don't know why it started sending emails after the upgrade to Stretch and not pre-Stretch. Could be the Perl libs got fixed again in Stretch :-D
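As an added example (not code from this thread, from iRedMail, or from the Zabbix plugin mentioned above): a small triage script that parses amavis "Blocked INFECTED" lines like the one in the first post, groups quarantined detections by sender, recipient and signature, and flags a group whose arrival gaps are nearly constant, which is what a scheduled self-test such as the 12-minute one here looks like, as opposed to an actual outbreak. The maillog in the block is constructed; the hostnames, mail IDs, inbound client and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Shape of the amavis "Blocked INFECTED" line as it appears in the thread's maillog.
AMAVIS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ amavis\[\d+\]: \(\S+\) "
    r"Blocked INFECTED \((?P<sig>[^)]+)\) \{[^}]*\}, \S+ \[(?P<ip>[^\]]+)\] "
    r"<(?P<from>[^>]*)> -> <(?P<to>[^>]*)>, quarantine: (?P<qfile>\S+),"
)

# Constructed sample maillog (not taken from the thread): four local EICAR self-tests
# exactly 12 minutes apart, one unrelated Postfix line, and one inbound detection.
SAMPLE_LOG = """\
Apr 30 21:05:15 mx amavis[26947]: (26947-09) Blocked INFECTED ({HEX}EICAR.TEST.3.UNOFFICIAL) {DiscardedOutbound,Quarantined}, LOCAL [127.0.0.1] <root@localhost> -> <root@localhost>, quarantine: C/virus-CXEPpAcJ_DcX, mail_id: CXEPpAcJ_DcX, Hits: -, size: 563, 311 ms
Apr 30 21:05:15 mx postfix/qmgr[35386]: 28D1E2DC269A: from=<root@mx.example.test>, size=1956, nrcpt=1 (queue active)
Apr 30 21:17:15 mx amavis[26947]: (26947-10) Blocked INFECTED ({HEX}EICAR.TEST.3.UNOFFICIAL) {DiscardedOutbound,Quarantined}, LOCAL [127.0.0.1] <root@localhost> -> <root@localhost>, quarantine: A/virus-AAAAAAAAAAAA, mail_id: AAAAAAAAAAAA, Hits: -, size: 563, 298 ms
Apr 30 21:29:15 mx amavis[26947]: (26947-11) Blocked INFECTED ({HEX}EICAR.TEST.3.UNOFFICIAL) {DiscardedOutbound,Quarantined}, LOCAL [127.0.0.1] <root@localhost> -> <root@localhost>, quarantine: B/virus-BBBBBBBBBBBB, mail_id: BBBBBBBBBBBB, Hits: -, size: 563, 305 ms
Apr 30 21:41:15 mx amavis[26947]: (26947-12) Blocked INFECTED ({HEX}EICAR.TEST.3.UNOFFICIAL) {DiscardedOutbound,Quarantined}, LOCAL [127.0.0.1] <root@localhost> -> <root@localhost>, quarantine: D/virus-DDDDDDDDDDDD, mail_id: DDDDDDDDDDDD, Hits: -, size: 563, 301 ms
Apr 30 22:03:40 mx amavis[26950]: (26950-02) Blocked INFECTED ({HEX}EICAR.TEST.3.UNOFFICIAL) {DiscardedInbound,Quarantined}, [203.0.113.7]:51234 [203.0.113.7] <sender@example.net> -> <user@example.test>, quarantine: E/virus-EEEEEEEEEEEE, mail_id: EEEEEEEEEEEE, Hits: -, size: 1210, 412 ms
"""

def parse_events(lines, year=2020):
    """Return (timestamp, sender, recipient, signature, quarantine file) per amavis line."""
    events = []
    for line in lines:
        m = AMAVIS_RE.search(line)
        if not m:
            continue  # Postfix and other daemons' lines are ignored
        # Syslog timestamps carry no year, so the caller supplies it (assumed 2020 here).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["from"], m["to"], m["sig"], m["qfile"]))
    return events

def cadence_report(events, tolerance_s=30):
    """Group by (sender, recipient, signature); flag groups with near-constant gaps."""
    groups = defaultdict(list)
    for ts, frm, to, sig, _ in events:
        groups[(frm, to, sig)].append(ts)
    report = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A tight spread of inter-arrival gaps points at cron/monitoring, not an outbreak.
        periodic = len(gaps) >= 2 and pstdev(gaps) <= tolerance_s
        report[key] = {"count": len(stamps), "periodic": periodic,
                       "interval_s": round(mean(gaps)) if gaps else None}
    return report
```

Run it over /var/log/mail.log (or whichever file Postfix and amavis log to on your host) instead of SAMPLE_LOG; a group reported as periodic with a 720 s interval is the self-test cadence from this thread, and its quarantine file names tell you which messages to inspect.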