Suspicious Email with Infected Attachment Not Detected by ClamAV

vusald

Member
Apr 16, 2023
Today, our sales team received an email from office@alde.az via a distribution group they are part of. While the message wasn’t addressed to me personally, it did reach our shared mailbox. The concerning part is that the email contained an attachment which, after inspection, turned out to be malicious. Unfortunately, ClamAV did not detect any threats in the file. To double-check, I uploaded the attachment to VirusTotal, and a significant number of antivirus engines flagged it as a virus.
My questions are:
  • Why was this email accepted and delivered to our inbox?
  • Why did ClamAV fail to detect the threat?
  • What is the best way to fight against this kind of mail?

Has anyone experienced something similar or can offer insight into this behavior?

Below is detailed information on my ClamAV configuration:

Code:
root@mail:~# apt show clamav
Package: clamav
Version: 1.0.7+dfsg-1~deb12u1
Priority: optional
Section: utils
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Installed-Size: 30.1 MB
Depends: clamav-freshclam (>= 1.0.7+dfsg) | clamav-data, libc6 (>= 2.34), libclamav11 (>= 1.0.7), libcurl4 (>= 7.16.2), libgcc-s1 (>= 4.2), libjson-c5 (>= 0.15), libssl3 (>= 3.0.0), zlib1g (>= 1:1.2.3.3)
Recommends: clamav-base
Suggests: libclamunrar, clamav-docs
Homepage: https://www.clamav.net/
Tag: implemented-in::c, interface::commandline, role::program,
 scope::utility, security::antivirus, use::scanning, works-with::file,
 works-with::mail
Download-Size: 5,775 kB
APT-Manual-Installed: yes
APT-Sources: http://ftp.debian.org/debian bookworm/main amd64 Packages
Description: anti-virus utility for Unix - command-line interface
 Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
 this software is the integration with mail servers (attachment
 scanning). The package provides a flexible and scalable
 multi-threaded daemon in the clamav-daemon package, a command-line
 scanner in the clamav package, and a tool for automatic updating via
 the Internet in the clamav-freshclam package. The programs are based
 on libclamav, which can be used by other software.
 .
 This package contains the command line interface. Features:
  - built-in support for various archive formats, including Zip, Tar,
    Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others;
  - built-in support for almost all mail file formats;
  - built-in support for ELF executables and Portable Executable files
    compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and
    obfuscated with SUE, Y0da Cryptor and others;
  - built-in support for popular document formats including Microsoft
    Office and Mac Office files, HTML, RTF and PDF.
 .
 For scanning to work, a virus database is needed. There are two options
 for getting it:
  - clamav-freshclam: updates the database from Internet. This is
    recommended with Internet access.
  - clamav-data: for users without Internet access. The package is
    not updated once installed. The clamav-getfiles package allows
    creating custom packages from an Internet-connected computer.

This is the ClamAV version

Code:
root@mail:~# clamscan --version
ClamAV 1.0.7/27608/Mon Apr 14 12:34:28 2025


SCAN RESULTS (which disappointed me)


Code:
root@mail:~# clamscan /tmp/Yenilənmiş\ Satınalma\ Sifarişi.rar
Loading:    18s, ETA:   0s [========================>]    8.71M/8.71M sigs
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks

/tmp/Yenilənmiş Satınalma Sifarişi.rar: OK

----------- SCAN SUMMARY -----------
Known viruses: 8706304
Engine version: 1.0.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.54 MB
Data read: 0.51 MB (ratio 1.06:1)
Time: 23.531 sec (0 m 23 s)
Start Date: 2025:04:15 12:17:14
End Date:   2025:04:15 12:17:37
root@mail:~#

Mail Log

Code:
2025-04-15T11:08:43.710294+04:00 mail postfix/smtpd[62366]: connect from mail.interteach.kz[139.177.177.192]
2025-04-15T11:08:44.148314+04:00 mail postfix/smtpd[62366]: Anonymous TLS connection established from mail.interteach.kz[139.177.177.192]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256
2025-04-15T11:08:45.031284+04:00 mail postfix/smtpd[62366]: 0785990123B: client=mail.interteach.kz[139.177.177.192]
2025-04-15T11:08:45.534091+04:00 mail postfix/cleanup[62372]: 0785990123B: message-id=<41291b795ad9689fc9b3ca4285a8c902@alde.az>
2025-04-15T11:08:47.100714+04:00 mail postfix/qmgr[787]: 0785990123B: from=<office@alde.az>, size=733005, nrcpt=2 (queue active)
2025-04-15T11:08:47.101478+04:00 mail postfix/smtpd[62366]: disconnect from mail.interteach.kz[139.177.177.192] ehlo=2 starttls=1 mail=1 rcpt=2 data=1 quit=1 commands=8
2025-04-15T11:08:47.217655+04:00 mail pmg-smtp-filter[62082]: 90124667FE05FF23E40: new mail message-id=<41291b795ad9689fc9b3ca4285a8c902@alde.az>#012
2025-04-15T11:08:53.208615+04:00 mail pmg-smtp-filter[62082]: 90124667FE05FF23E40: SA score=1/5 time=5.796 bayes=undefined autolearn=disabled hits=DMARC_MISSING(0.1),KAM_DMARC_STATUS(0.01),SPF_HELO_PASS(-0.001),SPF_SOFTFAIL(0.972)
2025-04-15T11:08:53.211918+04:00 mail postfix/smtpd[62379]: connect from localhost.localdomain[127.0.0.1]
2025-04-15T11:08:53.213695+04:00 mail postfix/smtpd[62379]: 3419B90124E: client=localhost.localdomain[127.0.0.1], orig_client=mail.interteach.kz[139.177.177.192]
2025-04-15T11:08:53.218976+04:00 mail postfix/cleanup[62372]: 3419B90124E: message-id=<41291b795ad9689fc9b3ca4285a8c902@alde.az>
2025-04-15T11:08:53.284076+04:00 mail postfix/qmgr[787]: 3419B90124E: from=<office@alde.az>, size=733500, nrcpt=2 (queue active)
2025-04-15T11:08:53.284279+04:00 mail postfix/smtpd[62379]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=2 data=1 commands=6
2025-04-15T11:08:53.284493+04:00 mail pmg-smtp-filter[62082]: 90124667FE05FF23E40: accept mail to <info@mydomain.tld> (3419B90124E) (rule: default-accept)
2025-04-15T11:08:53.284675+04:00 mail pmg-smtp-filter[62082]: 90124667FE05FF23E40: accept mail to <sales@mydomain.tld> (3419B90124E) (rule: default-accept)
2025-04-15T11:08:53.289668+04:00 mail pmg-smtp-filter[62082]: 90124667FE05FF23E40: processing time: 6.093 seconds (5.796, 0.186, 0)
2025-04-15T11:08:53.290508+04:00 mail postfix/lmtp[62374]: 0785990123B: to=<info@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=9, delays=2.8/0/0.05/6.1, dsn=2.5.0, status=sent (250 2.5.0 OK (90124667FE05FF23E40))
2025-04-15T11:08:53.296846+04:00 mail postfix/smtp[62343]: Untrusted TLS connection established to 10.22.10.26[10.22.10.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-04-15T11:08:53.333593+04:00 mail postfix/lmtp[62374]: 0785990123B: to=<sales@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=9, delays=2.8/0/0.05/6.2, dsn=2.5.0, status=sent (250 2.5.0 OK (90124667FE05FF23E40))
2025-04-15T11:08:53.334504+04:00 mail postfix/qmgr[787]: 0785990123B: removed
2025-04-15T11:08:53.465649+04:00 mail postfix/smtp[62343]: 3419B90124E: to=<info@mydomain.tld>, relay=10.22.10.26[10.22.10.26]:25, delay=0.25, delays=0.07/0/0.02/0.16, dsn=2.6.0, status=sent (250 2.6.0 <41291b795ad9689fc9b3ca4285a8c902@alde.az> [InternalId=76149770158090, Hostname=EXCH01.exchange.local] 734855 bytes in 0.135, 5306.648 KB/sec Queued mail for delivery)
2025-04-15T11:08:53.465900+04:00 mail postfix/smtp[62343]: 3419B90124E: to=<sales@mydomain.tld>, relay=10.22.10.26[10.22.10.26]:25, delay=0.25, delays=0.07/0/0.02/0.16, dsn=2.6.0, status=sent (250 2.6.0 <41291b795ad9689fc9b3ca4285a8c902@alde.az> [InternalId=76149770158090, Hostname=EXCH01.exchange.local] 734855 bytes in 0.135, 5306.648 KB/sec Queued mail for delivery)
2025-04-15T11:08:53.466296+04:00 mail postfix/qmgr[787]: 3419B90124E: removed


Mail headers

Code:
Received: from EXCH01.exchange.local (10.22.10.26) by EXCH01.exchange.local
 (10.22.10.26) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.10 via Mailbox
 Transport; Tue, 15 Apr 2025 11:08:54 +0400
Received: from EXCH01.exchange.local (10.22.10.26) by EXCH01.exchange.local
 (10.22.10.26) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.10; Tue, 15 Apr
 2025 11:08:52 +0400
Received: from mail.mydomain.tld (10.22.11.4) by EXCH01.exchange.local
 (10.22.10.26) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.10 via Frontend
 Transport; Tue, 15 Apr 2025 11:08:52 +0400
Received: from mail.mydomain.tld (localhost.localdomain [127.0.0.1])
    by mail.mydomain.tld (Proxmox) with ESMTP id 3419B90124E;
    Tue, 15 Apr 2025 11:08:53 +0400 (+04)
Received-SPF: softfail (alde.az ... _spf.yandex.ru: Sender is not authorized by default to use 'office@alde.az' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mail.mydomain.tld; identity=mailfrom; envelope-from="office@alde.az"; helo=mail.interteach.kz; client-ip=139.177.177.192
Received: from mail.interteach.kz (mail.interteach.kz [139.177.177.192])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256)
    (No client certificate requested)
    by mail.mydomain.tld (Proxmox) with ESMTPS id 0785990123B;
    Tue, 15 Apr 2025 11:08:44 +0400 (+04)
Received: from webmail.interteach.kz (localhost [IPv6:::1])
    by mail.interteach.kz (Postfix) with ESMTPSA id 426192290;
    Tue, 15 Apr 2025 12:08:14 +0500 (+05)
Authentication-Results: interteach.org;
        spf=pass (sender IP is ::1) smtp.mailfrom=office@alde.az smtp.helo=webmail.interteach.kz
Received-SPF: pass (interteach.org: connection is authenticated)
X-Virus-Scanned: amavisd-new at example.com
MIME-Version: 1.0
Date: Tue, 15 Apr 2025 08:08:14 +0100
From: Fuad Taghizada <office@alde.az>
To: undisclosed-recipients:;
Subject: =?UTF-8?Q?Yenil=C9=99nmi=C5=9F_Sat=C4=B1nalma_Sifari=C5=9Fi?=
User-Agent: Roundcube Webmail/1.4.15
Message-ID: <41291b795ad9689fc9b3ca4285a8c902@alde.az>
X-Sender: office@alde.az
Content-Type: multipart/mixed; boundary="=_15c3c3d76caaff4a2ecef0f82fe7504d"
X-PPP-Message-ID: <174470089961.21376.16789952818579529179@interteach.org>
X-PPP-Vhost: interteach.kz
X-SPAM-LEVEL: Spam detection results:  1
    DMARC_MISSING             0.1 Missing DMARC policy
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    SPF_SOFTFAIL            0.972 SPF: sender does not match SPF record (softfail)
Return-Path: office@alde.az
X-MS-Exchange-Organization-Network-Message-Id: 5ea842fc-2ff7-4eea-8395-08dd7bec6106
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: EXCH01.exchange.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5610877
X-MS-Exchange-Processed-By-BccFoldering: 15.02.1748.010
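As an added illustration (this is not code from the thread, from PMG or from ClamAV), the following Python parses the pmg-smtp-filter lines quoted in the mail log above and answers the first question from what the log itself records: the SpamAssassin score reached only 1 of the 5 points needed, the hits were sender-authentication rules (SPF softfail, missing DMARC) rather than content rules, the attachment scan returned OK, and the message was therefore delivered by the default-accept rule. The AUTH_HITS set and the function names are my own; the rule names in it are the ones visible in the log.

```python
import re

# pmg-smtp-filter lines copied from the mail log quoted in this thread.
LOG_LINES = [
    "2025-04-15T11:08:47.217655+04:00 mail pmg-smtp-filter[62082]: 90124667FE05FF23E40: new mail message-id=<41291b795ad9689fc9b3ca4285a8c902@alde.az>#012",
    "2025-04-15T11:08:53.208615+04:00 mail pmg-smtp-filter[62082]: 90124667FE05FF23E40: SA score=1/5 time=5.796 bayes=undefined autolearn=disabled hits=DMARC_MISSING(0.1),KAM_DMARC_STATUS(0.01),SPF_HELO_PASS(-0.001),SPF_SOFTFAIL(0.972)",
    "2025-04-15T11:08:53.284493+04:00 mail pmg-smtp-filter[62082]: 90124667FE05FF23E40: accept mail to <info@mydomain.tld> (3419B90124E) (rule: default-accept)",
    "2025-04-15T11:08:53.284675+04:00 mail pmg-smtp-filter[62082]: 90124667FE05FF23E40: accept mail to <sales@mydomain.tld> (3419B90124E) (rule: default-accept)",
]

SA_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<id>\w+): SA score=(?P<score>-?[\d.]+)/(?P<threshold>[\d.]+) .*?hits=(?P<hits>\S+)"
)
ACCEPT_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<id>\w+): accept mail to <(?P<rcpt>[^>]+)> \(\w+\) \(rule: (?P<rule>[^)]+)\)"
)
HIT_RE = re.compile(r"([A-Z0-9_]+)\(([-\d.]+)\)")

# SpamAssassin rule names (as seen in the log) that describe a sender-authentication
# problem rather than spammy content. Assumption: this set is mine, not a PMG list.
AUTH_HITS = {"SPF_SOFTFAIL", "SPF_FAIL", "DMARC_MISSING", "KAM_DMARC_STATUS"}


def summarize(lines):
    """Per PMG filter id: SA score and threshold, individual rule hits, the recipients
    the mail was accepted for and the PMG rule that accepted it."""
    msgs = {}
    for line in lines:
        m = SA_RE.search(line)
        if m:
            entry = msgs.setdefault(m["id"], {"recipients": [], "rule": None})
            entry["score"] = float(m["score"])
            entry["threshold"] = float(m["threshold"])
            entry["hits"] = {name: float(v) for name, v in HIT_RE.findall(m["hits"])}
            continue
        m = ACCEPT_RE.search(line)
        if m:
            entry = msgs.setdefault(m["id"], {"recipients": [], "rule": None})
            entry["recipients"].append(m["rcpt"])
            entry["rule"] = m["rule"]
    for entry in msgs.values():
        hits = entry.get("hits", {})
        entry["auth_problems"] = sorted(h for h in hits if h in AUTH_HITS)
        entry["below_threshold"] = entry.get("score", 0.0) < entry.get("threshold", 5.0)
    return msgs


def explain(entry):
    """Human-readable reason for the delivery decision recorded in the log."""
    auth = ", ".join(entry["auth_problems"]) or "none"
    return (
        f"score {entry['score']:g}/{entry['threshold']:g} "
        f"({'below' if entry['below_threshold'] else 'at or above'} threshold); "
        f"authentication-related hits: {auth}; "
        f"accepted for {len(entry['recipients'])} recipient(s) by rule '{entry['rule']}'"
    )


if __name__ == "__main__":
    for mid, entry in summarize(LOG_LINES).items():
        print(mid, "->", explain(entry))
```

The practical reading: the SPF softfail and the missing DMARC record together add less than 1.2 points, so no aggregate score would have stopped this message; a decision has to come from a rule that looks at the attachment type or at the authentication result directly, not from the spam score.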
 
ClamAV is a useless thing, and I would rely on it only as a last resort.
I took a different approach:

1 - Added RAR archive support to PMG.
2 - Enhanced the Dangerous Content filter
Match Filename: .*\.(vbs|pif|lnk|shs|shb|001|ace|arj|bat|bz|bz2|bzip2|cmd|com|cpl|exe|gz|gzip|hta|img|inf|iso|jar|lzh|r00|r18|scf|scr|tar|tbz|tbz2|tgz|xz|z|uu|txz|ps1|r13|uue)

Archive Filter

[screenshot: pmg2025-04-22 231131.jpg]


But this won’t help against *.bat and *.cmd files in the archive, since PMG doesn’t have an archive filter for them.
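An added example, not code from the thread and not part of PMG: a small Python scanner that applies the Match Filename blocklist above to attachment names and, for zip archives, to the names of the members inside, which is the gap the post describes. RAR listing goes through the third-party `rarfile` package (an assumption: it needs an unrar backend on the host), and an archive that cannot be listed is reported rather than silently passed. The sample message, the archive contents and all function names are constructed for the demonstration.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extension blocklist taken from the Match Filename regex above (trailing empty
# alternative dropped), anchored to the end of the name so "report.pdf" does not match.
DANGEROUS_EXT = re.compile(
    r"\.(vbs|pif|lnk|shs|shb|001|ace|arj|bat|bz|bz2|bzip2|cmd|com|cpl|exe|gz|gzip|hta|img|"
    r"inf|iso|jar|lzh|r00|r18|scf|scr|tar|tbz|tbz2|tgz|xz|z|uu|txz|ps1|r13|uue)$",
    re.IGNORECASE,
)


def archive_members(name, data):
    """Member names of a zip or rar archive; None if it cannot be opened or listed.
    Assumption: rar support relies on the third-party 'rarfile' package."""
    lower = name.lower()
    try:
        if lower.endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return zf.namelist()
        if lower.endswith(".rar"):
            import rarfile  # not in the standard library; ImportError lands in the except
            with rarfile.RarFile(io.BytesIO(data)) as rf:
                return rf.namelist()
    except Exception:
        return None
    return []


def scan_message(raw):
    """Return findings as (attachment name, member name or None, reason)."""
    findings = []
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if DANGEROUS_EXT.search(name):
            findings.append((name, None, "blocked extension"))
            continue
        if not name.lower().endswith((".zip", ".rar")):
            continue
        members = archive_members(name, part.get_content())
        if members is None:
            # Fail closed: an archive that cannot be inspected is itself a finding.
            findings.append((name, None, "archive could not be inspected"))
            continue
        for member in members:
            if DANGEROUS_EXT.search(member):
                findings.append((name, member, "blocked extension inside archive"))
    return findings


def build_sample():
    """Constructed test message: a zip holding a harmless .bat next to a .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Satinalma Sifarisi.pdf.bat", "echo constructed sample\r\n")
        zf.writestr("readme.txt", "plain text\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "sales@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Satinalma Sifarisi.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

Run from a content filter or a quarantine hook, a non-empty result is the signal that a mail needs holding; note that the blocklist is checked against the full member path, so a script nested in a subdirectory of the archive is still caught.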
 
We've taken a new approach by purchasing UTM subscriptions for both FortiSandbox Cloud and Antivirus protection on our FortiGate device.
Every file attached to incoming emails is now automatically scanned. This is clearly reflected in the log reviews, confirming that all attachments are being thoroughly checked.


date=2025-04-23 time=11:42:22 eventtime=1745394142517061000 tz="+0400" logid="0201009238" type="utm" subtype="virus" eventtype="analytics" level="information" vd="root" srcip=106.75.67.105 dstip=10.22.11.4 srcport=10858 dstport=25 action="monitored" service="SMTP" fsaverdict="clean" analyticscksum="4d0889fd87f32754f3b62901f1cacec15227e20d440d9943a83d00855b6ba26d" dtype="fortisandbox"

date=2025-04-23 time=11:37:28 eventtime=1745393848628498440 tz="+0400" logid="0201009233" type="utm" subtype="virus" eventtype="analytics" level="information" vd="root" policyid=233 poluuid="74e90850-a334-51ed-58c5-da2f0c8f2ee4" policytype="policy" msg="File submitted to Sandbox." action="analytics" service="SMTP" sessionid=129387730 srcip=106.75.67.105 dstip=10.22.11.4 srcport=10858 dstport=25 srccountry="China" dstcountry="Reserved" srcintf="wan1" srcintfrole="wan" dstintf="DMZ" dstintfrole="dmz" srcuuid="d9598ba2-1f5a-51ec-30e4-0560dc4980e1" dstuuid="844fd05e-a333-51ed-9fdf-b172863867a3" proto=6 direction="outgoing" filetype="html" profile="SMTP" from="allison@edm.iqboard.net" to="first.last@domain.tld" sender="allison@edm.iqboard.net" recipient="first.last@domain.tld" subject="Super-easy_Lecture_Capture_for_Recording_or_Live_Interaction" attachment="no" analyticscksum="4d0889fd87f32754f3b62901f1cacec15227e20d440d9943a83d00855b6ba26d" analyticssubmit="true"
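As an added check (not code from the thread or from Fortinet), the following Python parses the FortiGate key=value log format shown above and joins each sandbox submission line to its verdict line by analyticscksum, so that a submission that never received a verdict shows up as pending instead of being assumed clean. The two real lines are the ones quoted in the post (which, as the log records, concern an HTML body with attachment="no"); the third line and its checksum are constructed placeholders to show the pending case.

```python
import re

# First two lines copied from the FortiGate log above; the third is constructed
# (placeholder checksum, no matching verdict line) to exercise the pending case.
FGT_LINES = [
    'date=2025-04-23 time=11:42:22 eventtime=1745394142517061000 tz="+0400" logid="0201009238" type="utm" subtype="virus" eventtype="analytics" level="information" vd="root" srcip=106.75.67.105 dstip=10.22.11.4 srcport=10858 dstport=25 action="monitored" service="SMTP" fsaverdict="clean" analyticscksum="4d0889fd87f32754f3b62901f1cacec15227e20d440d9943a83d00855b6ba26d" dtype="fortisandbox"',
    'date=2025-04-23 time=11:37:28 eventtime=1745393848628498440 tz="+0400" logid="0201009233" type="utm" subtype="virus" eventtype="analytics" level="information" vd="root" policyid=233 poluuid="74e90850-a334-51ed-58c5-da2f0c8f2ee4" policytype="policy" msg="File submitted to Sandbox." action="analytics" service="SMTP" sessionid=129387730 srcip=106.75.67.105 dstip=10.22.11.4 srcport=10858 dstport=25 srccountry="China" dstcountry="Reserved" srcintf="wan1" srcintfrole="wan" dstintf="DMZ" dstintfrole="dmz" srcuuid="d9598ba2-1f5a-51ec-30e4-0560dc4980e1" dstuuid="844fd05e-a333-51ed-9fdf-b172863867a3" proto=6 direction="outgoing" filetype="html" profile="SMTP" from="allison@edm.iqboard.net" to="first.last@domain.tld" sender="allison@edm.iqboard.net" recipient="first.last@domain.tld" subject="Super-easy_Lecture_Capture_for_Recording_or_Live_Interaction" attachment="no" analyticscksum="4d0889fd87f32754f3b62901f1cacec15227e20d440d9943a83d00855b6ba26d" analyticssubmit="true"',
    'date=2025-04-23 time=11:50:00 eventtime=0 tz="+0400" logid="0201009233" type="utm" subtype="virus" eventtype="analytics" level="information" msg="File submitted to Sandbox." action="analytics" service="SMTP" from="constructed@example.invalid" to="sales@example.invalid" filetype="rar" attachment="yes" analyticscksum="CONSTRUCTED_PLACEHOLDER_CKSUM" analyticssubmit="true"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Turn one FortiGate log line into a dict."""
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return rec


def correlate(lines):
    """Map each sandbox submission (by analyticscksum) to its verdict, or 'pending'."""
    submissions, verdicts = {}, {}
    for rec in map(parse_kv, lines):
        cksum = rec.get("analyticscksum")
        if not cksum:
            continue
        if "fsaverdict" in rec:
            verdicts[cksum] = rec["fsaverdict"]
        elif rec.get("analyticssubmit") == "true":
            submissions[cksum] = {
                "from": rec.get("from"),
                "to": rec.get("to"),
                "filetype": rec.get("filetype"),
                "attachment": rec.get("attachment"),
            }
    for cksum, info in submissions.items():
        info["verdict"] = verdicts.get(cksum, "pending")
    return submissions


def pending(lines):
    """Checksums submitted to the sandbox that have no verdict line yet."""
    return sorted(c for c, info in correlate(lines).items() if info["verdict"] == "pending")


if __name__ == "__main__":
    for cksum, info in correlate(FGT_LINES).items():
        print(cksum[:16], info)
    print("pending:", pending(FGT_LINES))
```

The join matters because the submission and the verdict arrive as separate events minutes apart; counting only "File submitted to Sandbox." lines shows that files are being sent, while the pending list shows which ones are still waiting for an answer.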