[Rspamd-Users] Clamav Rspamd not reject virus

Vsevolod Stakhov vsevolod at rspamd.com
Fri Jan 11 14:01:05 UTC 2019


On 11/01/2019 13:51, Emanuel Gonzalez wrote:
> Good morning everybody, I use Exim with Rspamd and ClamAV.
> 
> When sending an email with a virus, it is not automatically discarded by Rspamd.
> 
> 2019-01-11 10:45:51 #5552(normal) <020f61>; task; rspamd_task_write_log: id: <3ebd3b84-c6d7-8af1-a8ba-b217796cb9e3 at x.com>, qid: <1ghx88-0000e7-Nd>, ip: 200.58.109.74, from: <emanuel.gonzalez at x.com>, (default: T (reject): [0.87/nan] [IP_SCORE(-3.53){ip: (-9.39), ipnet: 200.58.109.0/24(-4.66), asn: 27823(-3.56), country: AR(-0.05);},MIME_BAD_EXTENSION(2.00){exe;},MIME_BAD_ATTACHMENT(1.60){exe;},HTML_SHORT_LINK_IMG_2(1.00){},R_SPF_ALLOW(-0.20){+ip4:200.58.96.0/20;},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},MIME_UNKNOWN(0.10){application/x-msdos-program;},ARC_NA(0.00){},ASN(0.00){asn:27823, ipnet:200.58.109.0/24, country:AR;},DMARC_NA(0.00){x.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},HAS_X_ANTIABUSE(0.00){},JUST_EICAR(0.00){Eicar-Test-Signature;},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;4:-;4:~;},MX_GOOD(0.00){cached: mx1.x.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_IN_DNSWL_NONE(0.00){74.109.58.200.list.dnswl.org : 127.0.5.0;},RCVD_TLS_ALL(0.00){},RCVD_VIA_SMTP_AUTH(0.00){},R_DKIM_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 9670, time: 831.345ms real, 10.011ms virtual, dns req: 43, digest: <88311d5681415f7345c8ecbdad01759b>, rcpts: <bid.bid at x.tk>, mime_rcpts: <bid.bid at x.tk>, forced: reject "clamav: virus found: "Eicar-Test-Signature""; score=nan (set by antivirus)

Why can't you see that it is clearly *NOT* an Rspamd issue? This log
line is absolutely clear about what's happening. Rspamd has the correct
action (reject); however, you don't have any rejection threshold, which
is, again, your issue and not Rspamd's default behaviour.

Why Exim doesn't understand the reject action: no idea; switch your MTA
to a more Rspamd-friendly one (e.g. Postfix). Exim integration with Rspamd
sucks and it seems I cannot do anything about it despite all my
efforts to interact with the Exim developers.

Why do you have `nan`: you have no reject threshold set.
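
The fields discussed in this reply can be pulled out of `rspamd_task_write_log` lines with a short script. This is an added example, not part of the original post or of Rspamd; the regexes are written against the line format quoted above, and the sample lines, their `qid` values and the function names are constructed for illustration.

```python
import math
import re

# Constructed sample lines in the shape of the quoted log line (symbols trimmed).
SAMPLE_LOG = [
    '2019-01-11 10:45:51 #5552(normal) <020f61>; task; rspamd_task_write_log: '
    'id: <a@example.test>, qid: <QID-FORCED>, (default: T (reject): [0.87/nan] '
    '[JUST_EICAR(0.00){Eicar-Test-Signature;}]), len: 9670, '
    'forced: reject "clamav: virus found: "Eicar-Test-Signature""; '
    'score=nan (set by antivirus)',
    '2019-01-11 10:46:02 #5552(normal) <0a1b2c>; task; rspamd_task_write_log: '
    'id: <b@example.test>, qid: <QID-CLEAN>, (default: F (no action): '
    '[1.20/15.00] [MIME_GOOD(-0.10){text/plain;}]), len: 812',
]
SUMMARY = re.compile(
    r"qid: <(?P<qid>[^>]*)>.*?\(default: [TF] \((?P<action>[^)]+)\): "
    r"\[(?P<score>[^/\]]+)/(?P<threshold>[^\]]+)\]")
FORCED = re.compile(
    r'forced: (?P<action>[\w ]+?) "(?P<reason>.*)"; '
    r"score=\S+ \(set by (?P<module>[^)]+)\)")

def parse_task(line):
    """Return the verdict fields of one task log line, or None if it is not one."""
    m = SUMMARY.search(line)
    if m is None:
        return None
    task = {"qid": m["qid"], "action": m["action"], "score": float(m["score"]),
            "threshold": float(m["threshold"]), "forced": None}
    f = FORCED.search(line)
    if f:
        task["forced"] = {k: f[k] for k in ("action", "reason", "module")}
    return task

def audit(lines):
    """List (qid, finding) pairs to follow up in the MTA log by queue id."""
    findings = []
    for line in lines:
        task = parse_task(line)
        if task is None:
            continue
        if math.isnan(task["threshold"]):  # "nan": no reject threshold is set
            findings.append((task["qid"], "no reject threshold configured"))
        if task["forced"] and task["forced"]["action"] == "reject":
            findings.append((task["qid"], "reject forced by " + task["forced"]["module"]))
    return findings

if __name__ == "__main__":
    for qid, finding in audit(SAMPLE_LOG):
        print(qid, finding)
```

Each reported `qid` is a message for which Rspamd returned reject, so the matching MTA log entry shows whether the message was actually refused or delivered.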


