Mailscanner doesn't mark virus infected message (inline warning)

[TLINDEN]

Our Mailscanner doesn't mark infected mails sometimes with the inline warning, although it's enabled.

Logs say:

Sep 19 10:41:09 s4mailscan2 clamd[83862]: /localdisk/MailScanner/tmp/80613/57CD545C5307.A95B8/nKonkretisierun-1.doc: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND
Sep 19 10:41:09 s4mailscan2 clamd[83862]: /localdisk/MailScanner/tmp/80613/57CD545C5307.A95B8/z22oleObject1.bin: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND
Sep 19 10:41:09 s4mailscan2 MailScanner[80613]: Clamd::INFECTED:: PUA.Pdf.Trojan.EmbeddedJavaScript-1 :: ./57CD545C5307.A95B8/Konkretisierun-1.doc
Sep 19 10:41:09 s4mailscan2 MailScanner[80613]: Clamd::INFECTED:: PUA.Pdf.Trojan.EmbeddedJavaScript-1 :: ./57CD545C5307.A95B8/22oleObject1.bin
Sep 19 10:41:09 s4mailscan2 MailScanner[80613]: Infected message 57CD545C5307.A95B8 came from *.*.*.*
Sep 19 10:41:09 s4mailscan2 MailScanner[80613]: Saved entire message to /var/spool/postfix/MailScanner/quarantine/20180919/57CD545C5307.A95B8
Sep 19 10:41:09 s4mailscan2 MailScanner[80613]: Saved infected "Konkretisierun-1.doc" to /var/spool/postfix/MailScanner/quarantine/20180919/57CD545C5307.A95B8
Sep 19 10:41:09 s4mailscan2 MailScanner[80613]: Saved infected "22oleObject1.bin" to /var/spool/postfix/MailScanner/quarantine/20180919/57CD545C5307.A95B8
Sep 19 10:41:09 s4mailscan2 MailScanner[80613]: Message 57CD545C5307.A95B8 from *.*.*.* (foo@bar) to bar is not spam, SpamAssassin (nicht zwischen gespeichert, Wertung=0, benoetigt 6, autolearn=disabled)
Sep 19 10:41:09 s4mailscan2 MailScanner[80613]: Requeue: 57CD545C5307.A95B8 to 0A96A45F7289

The message is a correct multipart/mime message with one text/html and one text/plain part:

--=_mixed 002FB483C125830D_=
Content-Type: multipart/alternative; boundary="=_alternative 002FB483C125830D_="

--=_alternative 002FB483C125830D_=
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"

text body

--=_alternative 002FB483C125830D_=
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="ISO-8859-1"

html body

The attachment in question has been quarantined and replaced in the mail to the receipient with the txt warning file. However, the inline message in the body is missing.

This only happens in some cases, most of the time, messages are being marked inline as configured.

How is your inline warning rule enabled? Are you using a ruleset or not?
Do you have silent viruses enabled? Do you have spam viruses enabled?

Please share relevant parts of your configuration so we can dig deeper.

[TLINDEN]

Mark Infected Messages = yes
Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt
Inline HTML Warning = %report-dir%/inline.warning.html
Inline Text Warning = %report-dir%/inline.warning.txt
Silent Viruses = 
Still Deliver Silent Viruses = yes
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*

Do you have spam viruses enabled?

Which setting would that be exactly?

Virus Names Which Are Spam, which you have included :)

Okay, so based on this config and what you have shared, the inline messages should have been prepended.

Next step will be to do some debugging. I will walk you through that after reviewing the source code we need to trace so we can collect some additional logs.

@TLINDEN which version of MailScanner are you using?

[TLINDEN]

MailScanner-5.0.3_1 on FreeBSD with perl5-5.26.2.

[TLINDEN]

One more thing, this is what can be seen in the mail headers of the delivered email:

X-MailScanner-SpamCheck: not spam,
	SpamAssassin (nicht zwischen gespeichert, Wertung=0, benoetigt 6,
	autolearn=disabled)
X-MailScanner: Found to be infected
X-MailScanner-ID: 57CD545C5307.A95B8

@TLINDEN Would it be possible for you to send me a message source sample that is affected? No need for the attached files, just the message structure. This might be easier to troubleshoot with a sample. You can email shawniverson@efa-project.org

Unable to reproduce so far, still working on this to identify problem...

Closing due to inability to reproduce.

[TLINDEN]

Great. You forgot to ask me if I already had turned the computer off and on again.

Now I have to figure out how to feed a message into Mailscanner manually, dissect your code, add or uncomment print statements myself and fix the Bug myself.

@TLINDEN I sense a hint of sarcasm and distaste.

Since I'm such a nice guy and don't read into such things, I'll reopen this issue.

Now, based on the sample you sent me and the settings you provided, I fed it through mailscanner and it produced an inline signature. I did it three times just to make sure, and sure enough an inline signature each time.