Mailing List Archive

Hi there,

On Mon, 7 Feb 2022, Marc wrote:

> Normally when a client connection is reject by my sendmail server,
> the client is notified of the Reject message and the client server
> is generating a NDR. This is listed in my log as [1] however when I
> send a virus it looks like sendmail is not reporting the reject back
> to the client server. How should I 'enable' this?

This isn't a ClamAV question, more one about Sendmail configuration
and MTA/client behaviour.

If I've understood what you've said you want, and your configuration,
it all seems OK. Both log snippets show a rejection in replies which
are made to the client.

They do not however show any NDR, they're just parts of the client/MTA
conversation which starts with "connect from" and can be terminated by
the MTA more or less at any point during what follows, right up to the
final '.' on a line on its own. If the MTA terminates with a 4xx code
or 5xx code the message[*] is considered rejected (respectively either
temporarily or permanently) and the client MAY take some optional text
attached to the reply by the MTA and use it in an NDR which it creates
for return to the originator of the mail. In this case the MTA does
not create the NDR, it's up to the client, i.e. the administrators at
the client end. If the rejection is temporary most clients wait for a
configurable while and then have another try, without informing the
sender that there's been a delay. They may send a notification after
a couple of hours, something like "you do not need to take any action,
this is just a warning of a delay" and if there's no luck sending the
message after two to five days they may send a final "I gave up" note.
But by no means all MTAs do that, again it's up to the administrators.
If the MTA actually accepts the message but later on finds that it's
undeliverable then according to the RFCs it must create an NDR itself
(but that doesn't appear to be the case in either of your examples).

If you're thinking about what are sometimes called 'bounce' messages,
where a message is received (and accepted) by an MTA and it promptly
replies to that message with one of its own saying that the message
has been dropped in the trash can, then please don't do that because
it will likely add to the problems caused by the original message.

Some of us might say it's safer to use more than one single indicator
to determine that a rejection is called for, but that's up to you.

[*] Simplified here - it could be a recipient, not the whole message,
which is rejected. There are lots of resources on the Web describing
mail client/MTA conversations in as much detail as anyone could want.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On 2/7/22 22:36, Marc wrote:
> however when I send a virus it looks like sendmail is not reporting the reject back to the client server.
> How should I 'enable' this?

Don't.
Viruses are usually sent with a spoofed sender address; you would only
annoy victims who didn't really send what you received.

bye
av.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

> On 2/7/22 22:36, Marc wrote:
> > however when I send a virus it looks like sendmail is not reporting the
> reject back to the client server.
> > How should I 'enable' this?
>
> Don't.
> Viruses are usually sent with a spoofed sender address; you would only
> annoy victims who didn't really send what you received.
>
> bye
> av.
>

There is a difference between rejecting the message and having the client server decide whether or not it creates a message to the sender. (which is what I want)

or

my server is generating a message to the sender (which is what I do not want)

So please explain, why should I not do this, and why I should care about a server that is delivering a spam message to mine?



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

> > Normally when a client connection is reject by my sendmail server,
> > the client is notified of the Reject message and the client server
> > is generating a NDR. This is listed in my log as [1] however when I
> > send a virus it looks like sendmail is not reporting the reject back
> > to the client server. How should I 'enable' this?
>
> This isn't a ClamAV question, more one about Sendmail configuration
> and MTA/client behaviour.

I am not sure about this, also because I have no knowledge of how the communication between the MTA and the milter is handled. I think it could be related to the way the reject is being done by the milter. I have a bit of experience with mailfromd and if I reject a message there the MTA processes it correctly but different from clamav-milter.

> If I've understood what you've said you want, and your configuration,
> it all seems OK. Both log snippets show a rejection in replies which
> are made to the client.
>
> They do not however show any NDR, they're just parts of the client/MTA
> conversation which starts with "connect from" and can be terminated by
> the MTA more or less at any point during what follows, right up to the
> final '.' on a line on its own. If the MTA terminates with a 4xx code
> or 5xx code the message[*] is considered rejected (respectively either
> temporarily or permanently) and the client MAY take some optional text
> attached to the reply by the MTA and use it in an NDR which it creates
> for return to the originator of the mail. In this case the MTA does
> not create the NDR, it's up to the client,

correct! I am only working with this setup.

> If the MTA actually accepts the message but later on finds that it's
> undeliverable then according to the RFCs it must create an NDR itself
> (but that doesn't appear to be the case in either of your examples).

correct! the frontend servers know what can be relayed.

> If you're thinking about what are sometimes called 'bounce' messages,
> where a message is received (and accepted) by an MTA and it promptly
> replies to that message with one of its own saying that the message
> has been dropped in the trash can, then please don't do that because
> it will likely add to the problems caused by the original message.

Indeed, I noticed somewhere in clamav or clamav-milter there was a '--bounce' option. And I was wondering if it really generates a message or it is facilitating the reject function.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On 07.02.22 21:36, Marc wrote:
>Normally when a client connection is reject by my sendmail server, the
> client is notified of the Reject message and the client server is
> generating a NDR. This is listed in my log as [1]

> however when I send a virus

what's the difference between "you" and a "client connection"?

> it looks like sendmail is not reporting the reject back to the
> client server. How should I 'enable' this?
>[1]
>xxxxx sendmail[3880]: 217LNkNB003880: ruleset=check_rcpt, arg1=<xxxx.xxxxxxxx@xxxxx.xxx>, relay=hosting.unibit.bg [194.141.8.30], reject=550 5.7.1 < xxxx.xxxxxxxx@xxxxx.xxx>... Relaying denied
>
>[2]
>Feb 7 22:24:18 xxxxx clamav-milter[27526]: Message from <aaaa@aaaaa.aa> to <xxxx.xxxxxxxx@xxxxx.xxx> infected by Eicar-Signature
>Feb 7 22:24:18 xxxxx sendmail[27607]: 217LOGRO027607: Milter insert (1): header: X-Virus-Scanned: clamav-milter 0.103.5 at xxxxx
>Feb 7 22:24:18 xxxxx sendmail[27607]: 217LOGRO027607: Milter insert (1): header: X-Virus-Status: Infected (Eicar-Signature)
>Feb 7 22:24:18 xxxxx sendmail[27607]: 217LOGRO027607: Milter: data, reject=554 5.7.1 Command rejected
>Feb 7 22:24:18 xxxxx sendmail[27607]: 217LOGRO027607: to=<xxxx.xxxxxxxx@xxxxx.xxx>, delay=00:00:00, pri=31328, stat=Command rejected

this looks like your sendmail DID reject mail from client.

btw. I set up my server to give information about virus rejection:

clamav-milter.conf:
...
RejectMsg Clamav detected %v

Jan 31 03:45:56 fantomas sm-mta[2056]: 20V2jeaN002056: Milter: data, reject=550 5.7.1 Clamav detected Sanesecurity.Malware.21241.ZipHeur.UNOFFICIAL
Jan 31 03:45:56 fantomas sm-mta[2056]: 20V2jeaN002056: to=<uhlar@fantomas.sk>, delay=00:00:08, pri=616456, stat=Clamav detected Sanesecurity.Malware.21241.ZipHeur.UNOFFICIAL


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On 2/8/22 09:40, Marc wrote:

> There is a difference between rejecting the message and having the client server decide whether or not it creates a message to the sender. (which is what I want)

Sorry, I find that unclear; please explain better.



> my server is generating a message to the sender (which is what I do not want)

Again, I apologize, but AFAICT you are contraddicting what you said
earlier or I cannot understand.



> So please explain, why should I not do this, and why I should care about a server that is delivering a spam message to mine?

You might not care about the server that sent a virus to you, but you
should care about the *apparent* sender, which has probably nothing to
do with this; so you should not bounce.

bye
av.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

>
> > So please explain, why should I not do this, and why I should care about
> a server that is delivering a spam message to mine?
>
> You might not care about the server that sent a virus to you, but you
> should care about the *apparent* sender, which has probably nothing to
> do with this; so you should not bounce.
>

That is the problem of the server that is contacting mine. They should not be relaying such crap to me anyway.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

> >Normally when a client connection is reject by my sendmail server, the
> > client is notified of the Reject message and the client server is
> > generating a NDR. This is listed in my log as [1]
>
> > however when I send a virus
>
> what's the difference between "you" and a "client connection"?

Not much I hope, both are delivering to the same server but from my message I have the logs and can see if I receive a bounce or not. Now I switched testing via a thunderbird client, I do have better reporting.

>
> this looks like your sendmail DID reject mail from client.
>

I think you are maybe right, however this is not being reported and it gets stuck in my delivering mail server. Which I do not get because if I put my own email address on the email blacklist, I am getting the delivery error reported from the same server.

This can not be related to that clamav reports 554 5.0.0 and my email blacklist reports 550 5.7.4?



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On 2/8/22 10:50, Marc wrote:

> That is the problem of the server that is contacting mine. They should not be relaying such crap to me anyway.

No, this is *your* problem.
If you start annoying people with inappropriate bounces, you'll get into
blacklists fast.

In any case, we are OT, so I'll stop here.

bye
av.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

> > That is the problem of the server that is contacting mine. They should
> not be relaying such crap to me anyway.
>
> No, this is *your* problem.
> If you start annoying people with inappropriate bounces, you'll get into
> blacklists fast.
>
> In any case, we are OT, so I'll stop here.
>

Try reading, then thinking and then replying. (I don't you were ever OT)

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

>
> >
> > this looks like your sendmail DID reject mail from client.
> >
>
> I think you are maybe right, however this is not being reported and it
> gets stuck in my delivering mail server. Which I do not get because if I
> put my own email address on the email blacklist, I am getting the delivery
> error reported from the same server.
>
> This can not be related to that clamav reports 554 5.0.0 and my email
> blacklist reports 550 5.7.4?
>
>

I think I am not getting the report, because the report contains still the attachment with the test virus, pfffff.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On Tuesday 08 February 2022, Marc wrote:

> I have a bit of experience with mailfromd and if I reject a message
> there the MTA processes it correctly but different from clamav-milter.

b.t.w. mailfromd can replace clamav-milter:

prog eom
do
if clamav(current_message(),clamd_port)
reject 554 5.7.0 "virus %clamav_virus_name detected by ClamAV - http://www.clamav.net"
fi
done

--
Regards, Sergey

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On Tuesday 08 February 2022, Andrea Venturoli via clamav-users wrote:

> > That is the problem of the server that is contacting mine.
> > They should not be relaying such crap to me anyway.
>
> No, this is *your* problem.

No. Marc is absolutely right. That is sender's server problem and
its server's administrator.

--
Regards, Sergey

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On 08.02.22 10:35, Marc wrote:
>> >Normally when a client connection is reject by my sendmail server, the
>> > client is notified of the Reject message and the client server is
>> > generating a NDR. This is listed in my log as [1]
>>
>> > however when I send a virus

>> what's the difference between "you" and a "client connection"?

>Not much I hope, both are delivering to the same server but from my message
> I have the logs and can see if I receive a bounce or not. Now I switched
> testing via a thunderbird client, I do have better reporting.

if by "you" you mean your mail client, then your mailserver rejects message
from your mail client. Your mail client should display error message when
sending mail, not create a bounce.

>> this looks like your sendmail DID reject mail from client.

>I think you are maybe right, however this is not being reported and it gets
> stuck in my delivering mail server.

so, you have two mail servers and the first sends message to another one
that rejects it?

> Which I do not get because if I put
> my own email address on the email blacklist, I am getting the delivery
> error reported from the same server.

Now it's extremely hard to understand what you are talking about when you
report your mail server to reject message from your mail server.

>This can not be related to that clamav reports 554 5.0.0 and my email
> blacklist reports 550 5.7.4?

putting your mail address on any list won't help, you just create another
confusion.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

But the reject may NOT be going to the server/service that sent the virus.

You received a bad email from hackeduser@example.com from server
mail.badisp.ru

However the mx record for example.com is mail.example.com, not the
sending server or ISP.

Now you have annoyed somebody that had nothing to do with the bad email
sent.  This is quite common with any bad email.

Lyle Giese

On 2/8/22 3:50 AM, Marc wrote:
>>> So please explain, why should I not do this, and why I should care about
>> a server that is delivering a spam message to mine?
>>
>> You might not care about the server that sent a virus to you, but you
>> should care about the *apparent* sender, which has probably nothing to
>> do with this; so you should not bounce.
>>
> That is the problem of the server that is contacting mine. They should not be relaying such crap to me anyway.
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

I just reread my message.  Reject is good behavior. Bouncing is not.  At
least in my opinion.  Replace reject below with bounce and you have my
correct opinion.

Sorry,

Lyle

On 2/8/22 9:49 AM, Lyle Giese via clamav-users wrote:
> But the reject may NOT be going to the server/service that sent the
> virus.
>
> You received a bad email from hackeduser@example.com from server
> mail.badisp.ru
>
> However the mx record for example.com is mail.example.com, not the
> sending server or ISP.
>
> Now you have annoyed somebody that had nothing to do with the bad
> email sent.  This is quite common with any bad email.
>
> Lyle Giese
>
> On 2/8/22 3:50 AM, Marc wrote:
>>>> So please explain, why should I not do this, and why I should care
>>>> about
>>> a server that is delivering a spam message to mine?
>>>
>>> You might not care about the server that sent a virus to you, but you
>>> should care about the *apparent* sender, which has probably nothing to
>>> do with this; so you should not bounce.
>>>
>> That is the problem of the server that is contacting mine. They
>> should not be relaying such crap to me anyway.
>>
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hi there,

On Tue, 8 Feb 2022, Marc wrote:

> ... the frontend servers know what can be relayed.

Hmm. Do you have multiple MTAs processing mail in some kind of chain?
Can you describe your setup more fully?

> ... I noticed somewhere in clamav or clamav-milter there was a
> '--bounce' option. And I was wondering if it really generates a
> message or it is facilitating the reject function.

AFAICT The current documentation Website mentions no '--bounce' option.
Please point us to the actual place in the specific document.

Terminology and implementation around 'bounce' messages can be a bit,
well, untidy. ClamAV has some code to deal with what it determines to
be 'bounce' messsages but that's internal.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

> >
> > >
> > > this looks like your sendmail DID reject mail from client.
> > >
> >
> > I think you are maybe right, however this is not being reported and it
> > gets stuck in my delivering mail server. Which I do not get because if I
> > put my own email address on the email blacklist, I am getting the
> delivery
> > error reported from the same server.
> >
> > This can not be related to that clamav reports 554 5.0.0 and my email
> > blacklist reports 550 5.7.4?
> >
> >
>
> I think I am not getting the report, because the report contains still the
> attachment with the test virus, pfffff.
>
>

I managed to receive the ndr message from my own server by this change in sendmail.mc, which removes the whole body and also thus the attachment.

define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,restrictqrun')dnl

to

define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,nobodyreturn,restrictqrun')dnl

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml