[clamav-users] whitelist with clamav-milter

Ted Hatfield ted at io-tx.com
Wed Sep 26 19:29:25 UTC 2018


Jerry,

A quick google search comes up with this information from 2009.

> Whitelisting is NOT based on the mail header fields (To:, From:) but on
> the "MAIL FROM" and "RCPT TO" SMTP commands.

Is the "MAIL FROM" perhaps not the same as the From address?

Look at the full headers of the message for the "envelope-from" address 
and see if it matches.

I run clamav-milter on a FreeBSD 11.2-stable machine and your 
configuration looks good to me.

Ted Hatfield
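
The envelope-versus-header mismatch described above, as an added example that is not from this thread or from ClamAV's own code. It assumes clamav-milter's whitelist format as I read the Whitelist option's documentation (one entry per line, optional From:/To: prefix, treated as a regex against MAIL FROM / RCPT TO); the message, addresses and whitelist files are constructed.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not from the thread): header From: is the brand address,
# while the envelope sender (MAIL FROM, recorded at final delivery as
# Return-Path) is a bounce address on another host.
RAW_MESSAGE = b"""\
Return-Path: <bounce-8841@bounce.e.puritan.com>
Delivered-To: jerry@example.net
From: Puritan's Pride <puritanspride@e.puritan.com>
To: jerry@example.net
Subject: Weekly offers

(body omitted)
"""

# Constructed whitelist files in clamav-milter's format: one entry per line,
# optional From:/To: prefix (default To:), checked against SMTP MAIL FROM /
# RCPT TO. Treating entries as regexes is my reading of the Whitelist
# option's documentation, not something this page states.
WHITELIST_HEADER_STYLE = "From:puritanspride@e.puritan.com\n"
WHITELIST_ENVELOPE_STYLE = "From:@bounce\\.e\\.puritan\\.com$\n"

def parse_whitelist(text):
    """Return (direction, compiled regex) pairs; blank and # lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, sep, pattern = line.partition(":")
        if not sep or direction not in ("From", "To"):
            direction, pattern = "To", line
        entries.append((direction, re.compile(pattern, re.IGNORECASE)))
    return entries

def envelope_vs_header(raw):
    """Recover (MAIL FROM, RCPT TO, header From) from a delivered message."""
    msg = email.message_from_bytes(raw)
    mail_from = parseaddr(msg.get("Return-Path", ""))[1]   # envelope sender
    rcpt_to = parseaddr(msg.get("Delivered-To", ""))[1]    # envelope recipient
    header_from = parseaddr(msg.get("From", ""))[1]        # what the MUA shows
    return mail_from, rcpt_to, header_from

def is_whitelisted(entries, mail_from, rcpt_to):
    """Milter rule: From: entries see MAIL FROM, To: entries see RCPT TO."""
    return any(rx.search(mail_from if d == "From" else rcpt_to) for d, rx in entries)
```

The header-style entry never matches because the milter never sees the From: header; note also that the archive renders "@" as " at ", so the real file needs the literal "@".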



On Wed, 26 Sep 2018, Jerry wrote:

> I am running clamav version 0.100.1 on a FreeBSD 11.2 / amd64 machine. I
> also have the clamav-milter installed. My problem is that even though I am
> trying to whitelist some addresses, they get marked as Spam.
>
> This is an example of one such address: Puritan's Pride <puritanspride at e.puritan.com>
>
> I entered this into the white list file: From:puritanspride at e.puritan.com
>
> I then restarted the milter. Unfortunately, the email is still marked as
> Spam. I thought that clamav-milter would simply ignore the file.
>
> X-Virus-Status: Infected (SecuriteInfo.com.Spam-4701.UNOFFICIAL)
> X-Virus-Scanned: clamav-milter 0.100.1 at scorpio.seibercom.net
>
> This is the output from "clamconf"
>
> Checking configuration files in /usr/local/etc
>
> Config file: clamd.conf
> -----------------------
> BlockMax disabled
> PreludeEnable disabled
> PreludeAnalyzerName disabled
> LogFile = "/var/log/clamav/clamd.log"
> LogFileUnlock disabled
> LogFileMaxSize = "1048576"
> LogTime disabled
> LogClean disabled
> LogSyslog disabled
> LogFacility = "LOG_LOCAL6"
> LogVerbose disabled
> LogRotate = "yes"
> ExtendedDetectionInfo disabled
> PidFile = "/var/run/clamav/clamd.pid"
> TemporaryDirectory disabled
> DatabaseDirectory = "/var/db/clamav"
> OfficialDatabaseOnly disabled
> LocalSocket = "/var/run/clamav/clamd.sock"
> LocalSocketGroup disabled
> LocalSocketMode disabled
> FixStaleSocket = "yes"
> TCPSocket disabled
> TCPAddr disabled
> MaxConnectionQueueLength = "200"
> StreamMaxLength = "26214400"
> StreamMinPort = "1024"
> StreamMaxPort = "2048"
> MaxThreads = "10"
> ReadTimeout = "120"
> CommandReadTimeout = "5"
> SendBufTimeout = "500"
> MaxQueue = "100"
> IdleTimeout = "30"
> ExcludePath disabled
> MaxDirectoryRecursion = "15"
> FollowDirectorySymlinks disabled
> FollowFileSymlinks disabled
> CrossFilesystems = "yes"
> SelfCheck = "600"
> DisableCache disabled
> VirusEvent disabled
> ExitOnOOM disabled
> AllowAllMatchScan = "yes"
> Foreground disabled
> Debug disabled
> LeaveTemporaryFiles disabled
> User = "clamav"
> Bytecode = "yes"
> BytecodeSecurity = "TrustSigned"
> BytecodeTimeout = "5000"
> BytecodeUnsigned disabled
> BytecodeMode = "Auto"
> DetectPUA disabled
> ExcludePUA disabled
> IncludePUA disabled
> AlgorithmicDetection = "yes"
> ScanPE = "yes"
> ScanELF = "yes"
> DetectBrokenExecutables disabled
> ScanMail = "yes"
> ScanPartialMessages disabled
> PhishingSignatures = "yes"
> PhishingScanURLs = "yes"
> PhishingAlwaysBlockCloak disabled
> PhishingAlwaysBlockSSLMismatch disabled
> PartitionIntersection disabled
> HeuristicScanPrecedence disabled
> StructuredDataDetection disabled
> StructuredMinCreditCardCount = "3"
> StructuredMinSSNCount = "3"
> StructuredSSNFormatNormal = "yes"
> StructuredSSNFormatStripped disabled
> ScanHTML = "yes"
> ScanOLE2 = "yes"
> OLE2BlockMacros disabled
> ScanPDF = "yes"
> ScanSWF = "yes"
> ScanXMLDOCS = "yes"
> ScanHWP3 = "yes"
> ScanArchive = "yes"
> ArchiveBlockEncrypted disabled
> ForceToDisk disabled
> MaxScanSize = "104857600"
> MaxFileSize = "26214400"
> MaxRecursion = "16"
> MaxFiles = "10000"
> MaxEmbeddedPE = "10485760"
> MaxHTMLNormalize = "10485760"
> MaxHTMLNoTags = "2097152"
> MaxScriptNormalize = "5242880"
> MaxZipTypeRcg = "1048576"
> MaxPartitions = "50"
> MaxIconsPE = "100"
> MaxRecHWP3 = "16"
> PCREMatchLimit = "100000"
> PCRERecMatchLimit = "5000"
> PCREMaxFileSize = "26214400"
> ScanOnAccess disabled
> OnAccessMountPath disabled
> OnAccessIncludePath disabled
> OnAccessExcludePath disabled
> OnAccessExcludeRootUID disabled
> OnAccessExcludeUID disabled
> OnAccessMaxFileSize = "5242880"
> OnAccessDisableDDD disabled
> OnAccessPrevention disabled
> OnAccessExtraScanning disabled
> DevACOnly disabled
> DevACDepth disabled
> DevPerformance disabled
> DevLiblog disabled
> DisableCertCheck disabled
>
> Config file: freshclam.conf
> ---------------------------
> LogFileMaxSize = "2097152"
> LogTime disabled
> LogSyslog disabled
> LogFacility = "LOG_LOCAL6"
> LogVerbose disabled
> LogRotate = "yes"
> PidFile = "/var/run/clamav/freshclam.pid"
> DatabaseDirectory = "/var/db/clamav"
> Foreground disabled
> Debug disabled
> UpdateLogFile = "/var/log/clamav/freshclam.log"
> DatabaseOwner = "clamav"
> Checks = "24"
> DNSDatabaseInfo = "current.cvd.clamav.net"
> DatabaseMirror = "db.US.clamav.net", "database.clamav.net"
> PrivateMirror disabled
> MaxAttempts = "3"
> ScriptedUpdates = "yes"
> TestDatabases = "yes"
> CompressLocalDatabase disabled
> ExtraDatabase disabled
> DatabaseCustomURL disabled
> HTTPProxyServer disabled
> HTTPProxyPort disabled
> HTTPProxyUsername disabled
> HTTPProxyPassword disabled
> HTTPUserAgent disabled
> NotifyClamd = "/usr/local/etc/clamd.conf"
> OnUpdateExecute disabled
> OnErrorExecute disabled
> OnOutdatedExecute disabled
> LocalIPAddress disabled
> ConnectTimeout = "30"
> ReceiveTimeout = "30"
> SafeBrowsing = "yes"
> Bytecode = "yes"
>
> Config file: clamav-milter.conf
> -------------------------------
> LogFile = "/var/log/clamav/clamav-milter.log"
> LogFileUnlock disabled
> LogFileMaxSize = "2097152"
> LogTime = "yes"
> LogSyslog disabled
> LogFacility = "LOG_LOCAL6"
> LogVerbose disabled
> LogRotate = "yes"
> PidFile = "/var/run/clamav/clamav-milter.pid"
> TemporaryDirectory disabled
> FixStaleSocket = "yes"
> MaxThreads = "10"
> ReadTimeout = "120"
> Foreground disabled
> User = "clamav"
> MaxFileSize = "26214400"
> ClamdSocket = "unix:/var/run/clamav/clamd.sock"
> MilterSocket = "/var/run/clamav/clmilter.sock"
> MilterSocketGroup disabled
> MilterSocketMode disabled
> LocalNet = "192.168.0.101/32", "192.168.0.192/32"
> OnClean = "Accept"
> OnInfected = "Accept"
> OnFail = "Defer"
> RejectMsg disabled
> AddHeader = "Add"
> ReportHostname disabled
> VirusAction disabled
> Chroot disabled
> Whitelist = "/usr/local/etc/whitelisted_addresses.txt"
> SkipAuthenticated = "file:/usr/local/etc/clamav_exclusions.txt"
> LogInfected = "basic"
> LogClean disabled
> SupportMultipleRecipients = "yes"
>
> Software settings
> -----------------
> Version: 0.100.1
> Optional features supported: MEMPOOL IPv6 BIGSTACK AUTOIT_EA06 BZIP2 LIBXML2 PCRE JSON RAR
>
> Database information
> --------------------
> Database directory: /var/db/clamav
> [3rd Party] EK_Zeus.yar: 28 sigs
> [3rd Party] foxhole_mail.cdb: 23 sigs
> [3rd Party] securiteinfopdf.hdb: 3367 sigs
> [3rd Party] foxhole_generic.cdb: 211 sigs
> [3rd Party] EK_Crimepack.yar: 49 sigs
> [3rd Party] CVE-2010-1297.yar: 15 sigs
> [3rd Party] spearl.ndb: 150 sigs
> [3rd Party] foxhole_all.cdb: 145 sigs
> [3rd Party] spamimg.hdb: 184 sigs
> daily.cld: version 24983, sigs: 2100133, built on Tue Sep 25 22:39:15 2018
> [3rd Party] spear.ndb: 15009 sigs
> [3rd Party] spamattach.hdb: 14 sigs
> [3rd Party] winnow.attachments.hdb: 182 sigs
> [3rd Party] Maldoc_Hidden_PE_file.yar: 23 sigs
> [3rd Party] malware.expert.hdb: 388 sigs
> [3rd Party] winnow.complex.patterns.ldb: 3 sigs
> [3rd Party] porcupine.ndb: 4012 sigs
> [3rd Party] winnow_phish_complete.ndb: 9320 sigs
> [3rd Party] phishtank.ndb: 27161 sigs
> [3rd Party] scam.ndb: 12501 sigs
> [3rd Party] EK_ZeroAcces.yar: 211 sigs
> [3rd Party] foxhole_js.ndb: 4 sigs
> [3rd Party] securiteinfohtml.hdb: 54089 sigs
> [3rd Party] MiscreantPunch099-INFO-Low.ldb: 21 sigs
> [3rd Party] jurlbl.ndb: 17854 sigs
> [3rd Party] lott.ndb: 2335 sigs
> [3rd Party] rfxn.hdb: 12674 sigs
> [3rd Party] EK_Fragus.yar: 210 sigs
> main.cvd: version 58, sigs: 4566249, built on Wed Jun  7 17:38:10 2017
> [3rd Party] winnow_spam_complete.ndb: 931 sigs
> [3rd Party] phish.ndb: 27425 sigs
> [3rd Party] winnow_malware_links.ndb: 4623 sigs
> [3rd Party] CVE-2013-0074.yar: 17 sigs
> [3rd Party] sanesecurity.ftm: 170 sigs
> [3rd Party] securiteinfoold.hdb: 2213713 sigs
> [3rd Party] jurlbla.ndb: 1682 sigs
> [3rd Party] CVE-2010-0887.yar: 21 sigs
> [3rd Party] foxhole_filename.cdb: 1971 sigs
> [3rd Party] EK_Blackhole.yar: 453 sigs
> [3rd Party] EK_Phoenix.yar: 483 sigs
> [3rd Party] spam_marketing.ndb: 23032 sigs
> [3rd Party] securiteinfoandroid.hdb: 99086 sigs
> [3rd Party] bofhland_malware_attach.hdb: 1835 sigs
> [3rd Party] Sanesecurity_spam.yara: 46 sigs
> [3rd Party] winnow_extended_malware_links.ndb: 1 sig
> bytecode.cvd: version 327, sigs: 91, built on Wed Aug  8 20:43:48 2018
> [3rd Party] winnow_malware.hdb: 293 sigs
> [3rd Party] CVE-2015-5119.yar: 22 sigs
> [3rd Party] malwarepatrol.ndb: 0 sig
> [3rd Party] EK_BleedingLife.yar: 112 sigs
> [3rd Party] foxhole_js.cdb: 48 sigs
> [3rd Party] malware.expert.ndb: 855 sigs
> [3rd Party] winnow_extended_malware.hdb: 245 sigs
> [3rd Party] spam.ldb: 2 sigs
> [3rd Party] porcupine.hsb: 873 sigs
> [3rd Party] maldoc_somerules.yar: 283 sigs
> [3rd Party] securiteinfo.hdb: 1377783 sigs
> [3rd Party] rfxn.ndb: 2034 sigs
> [3rd Party] foxhole_all.ndb: 101 sigs
> [3rd Party] EK_Eleonore.yar: 165 sigs
> [3rd Party] scamnailer.ndb: 50995 sigs
> [3rd Party] shelter.ldb: 15 sigs
> [3rd Party] blurl.ndb: 108974 sigs
> [3rd Party] CVE-2013-0422.yar: 21 sigs
> [3rd Party] javascript.ndb: 44092 sigs
> [3rd Party] securiteinfoascii.hdb: 98180 sigs
> [3rd Party] rogue.hdb: 6761 sigs
> [3rd Party] malwarehash.hsb: 771 sigs
> [3rd Party] malware.expert.ldb: 142 sigs
> [3rd Party] MiscreantPunch099-Low.ldb: 1208 sigs
> [3rd Party] EK_Angler.yar: 283 sigs
> [3rd Party] Javascript_exploit_and_obfuscation.yar: 59 sigs
> safebrowsing.cld: version 47916, sigs: 2840247, built on Wed Sep 26 00:56:14 2018
> [3rd Party] bofhland_cracked_URL.ndb: 24 sigs
> [3rd Party] Sanesecurity_sigtest.yara: 54 sigs
> [3rd Party] badmacro.ndb: 501 sigs
> [3rd Party] bofhland_phishing_URL.ndb: 186 sigs
> [3rd Party] winnow_bad_cw.hdb: 1 sig
> [3rd Party] bofhland_malware_URL.ndb: 60 sigs
> [3rd Party] CVE-2010-0805.yar: 14 sigs
> [3rd Party] hackingteam.hsb: 435 sigs
> [3rd Party] EK_Sakura.yar: 62 sigs
> [3rd Party] crypto.yar: 1 sig
> [3rd Party] malware.expert.fp: 42 sigs
> [3rd Party] EK_Zerox88.yar: 55 sigs
> Total number of signatures: 13738144
>
> Platform information
> --------------------
> uname: FreeBSD 11.2-RELEASE-p3 FreeBSD 11.2-RELEASE-p3 #0: Thu Sep  6 07:14:16 UTC 2018     roo amd64
> OS: freebsd11.2, ARCH: amd64, CPU: amd64
> zlib version: 1.2.11 (1.2.11), compile flags: a9
> platform id: 0x03235c5c0800000000040201
>
> Build information
> -----------------
> Clang: 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565) (4.2.1)
> CPPFLAGS: -I/usr/local/include
> CFLAGS: -O2 -pipe -march=core2  -fstack-protector -fno-strict-aliasing   -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
> CXXFLAGS: -O2 -pipe -march=core2 -fstack-protector -fno-strict-aliasing
> LDFLAGS: -lthr -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector
> Configure: '--libdir=/usr/local/lib' '--with-dbdir=/var/db/clamav' '--with-zlib=/usr' '--disable-clamuko' '--disable-clamav' '--enable-bigstack' '--enable-readdir_r' '--enable-gethostbyname_r' '--disable-dependency-tracking' '--disable-zlib-vcheck' '--enable-clamdtop' '--enable-xml' '--disable-experimental' '--without-iconv' '--enable-ipv6' '--with-libjson' '--enable-milter' '--with-pcre' '--disable-check' '--enable-unrar' '--with-sendmail=/usr/sbin/sendmail' '--prefix=/usr/local' '--localstatedir=/var' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.2' 'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe -march=core2  -fstack-protector -fno-strict-aliasing ' 'LDFLAGS= -lthr -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector ' 'LIBS=' 'CPPFLAGS=-I/usr/local/include' 'CPP=cpp'
> sizeof(void*) = 8
> Engine flevel: 92, dconf: 92
>
> If someone could tell me what I am doing incorrectly, I would appreciate it.
>
> -- 
> Jerry
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
>
