Banking emails falling in rejectlog

All of a sudden, for the last week, I can see the Exim reject log showing my bank emails being rejected. They were never marked as spam, nor are they blocked (email, domain, IP). Nothing seems to be blocked. They are just getting rejected, with the full message header showing in the reject log. The rejection reason stated, though, is spoofed email, but I know for sure they are not spoofed because the bank recently switched its back end to a different provider. I am confused and worried, as I can find no way to either retrieve them or unblock/unreject them, even future-wise.

How do I get these emails back and not get rejected at all?

Also, the domain is already in my whitelist.

Message contains a virus (Heuristics.Phishing.Email.SpoofedDomain) and has been rejected

:thinking:

I don’t use ClamAV but you could remove that rule or create a whitelist in ClamAV:

You could also create a whitelist of sending domains (the domain that appears in the MAIL_FROM header) to not be scanned by ClamAV.

Create a file /etc/exim4/antivirus_whitelist with the list of domains you don’t want to scan:

example.com
example.net

Edit /etc/exim4/exim4/exim4.conf.template and modify this block:

.ifdef CLAMD
  warn    set acl_m0    = no

  warn    condition     = ${if exists {/etc/exim4/domains/$domain/antivirus}{yes}{no}}
          set acl_m0    = yes

  warn    condition     = ${if match_domain{$sender_address_domain}{/etc/exim4/antivirus_whitelist}{true}{false}}
          set acl_m0    = no
.endif

Once done restart Exim.

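To decide which domains belong in /etc/exim4/antivirus_whitelist, it helps to list the envelope senders of the rejected messages, since the ACL above matches on $sender_address_domain rather than on the From: header. The following is an added example, not part of the original posts; it assumes Exim's default log line layout (F=<envelope sender>, "rejected after DATA:"), and the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in Exim's default rejectlog layout (an assumption);
# these lines are illustrative and do not come from the thread.
SAMPLE_REJECTLOG = """\
2025-10-14 09:12:44 1v8AbC-0001Xy-2k H=mta1.mailer.example [192.0.2.10] F=<bounce-771@notify.mailer.example> rejected after DATA: Message contains a virus (Heuristics.Phishing.Email.SpoofedDomain) and has been rejected
Envelope-from: <bounce-771@notify.mailer.example>
F From: Example Bank <alerts@bank.example>
2025-10-15 10:02:03 1v8XyZ-0003Qq-9a H=mta2.mailer.example [192.0.2.11] F=<bounce-902@notify.mailer.example> rejected after DATA: Message contains a virus (Heuristics.Phishing.Email.SpoofedDomain) and has been rejected
2025-10-15 11:40:19 1v8Zzz-0004Aa-1b H=host.other.example [198.51.100.7] F=<promo@Other.Example> rejected after DATA: Message contains a virus (Win.Test.EICAR_HDB-1) and has been rejected
2025-10-16 08:00:00 H=spam.example [203.0.113.5] F=<x@spam.example> rejected RCPT <me@mydomain.example>: relay not permitted
"""

# Envelope sender (F=<...>) and ClamAV signature name from a DATA-time rejection.
REJECT_RE = re.compile(
    r"F=<(?P<sender>[^>]*)>.*rejected after DATA: "
    r"Message contains a virus \((?P<sig>[^)]+)\)"
)


def rejected_sender_domains(log_text, signature_prefix="Heuristics.Phishing."):
    """Count rejections per (envelope sender domain, signature).

    Only signatures starting with signature_prefix are counted, so real
    malware hits are not mixed in with the heuristic phishing verdicts.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or not m.group("sig").startswith(signature_prefix):
            continue  # dumped header lines, RCPT rejections, other signatures
        sender = m.group("sender")
        # F=<> is the null sender used by bounces; it has no domain to list.
        domain = sender.rpartition("@")[2].lower() if "@" in sender else "(null sender)"
        counts[(domain, m.group("sig"))] += 1
    return counts


if __name__ == "__main__":
    for (domain, sig), n in rejected_sender_domains(SAMPLE_REJECTLOG).most_common():
        print(f"{n:4d}  {domain}  {sig}")
```

The envelope sender is chosen by the connecting host, so a domain added to the whitelist exempts every message that claims that sender domain from ClamAV scanning.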

Exim configuration error in line 58 of /var/lib/exim4/config.autogenerated.tmp:
main option “condition” unknown
Invalid new configfile /var/lib/exim4/config.autogenerated.tmp, not installing
/var/lib/exim4/config.autogenerated.tmp to /var/lib/exim4/config.autogenerated

I kept getting this.

So, I tried the blog you stated.

I hit a snag there too, as I could not make head or tail of the X: or M: url format for the wdb format.

Download failed (3) WARNING: Thu Oct 16 20:13:01 2025 → Message: URL using bad/illegal format or missing URL
WARNING: Thu Oct 16 20:13:01 2025 → Can’t download whitelist.wdb from /etc/clamav/whitelist.wdb

Why could they not have given a proper example, instead of writing that? Or given an example along with that. But noooo.. :argh:

I even searched for examples on the web, but till now have not located any. I find myself growing old.

I can’t reproduce the error. Are you sure you’re using the right configuration in the right block? Also, double check that you’re not introducing any strange characters when copying and pasting.

Actually, I have the path as: /etc/exim4/exim4.conf.template


Also, this is the block:

.ifdef CLAMD
av_scanner = clamd: /run/clamav/clamd.ctl
.endif

Ahh, just saw line 186 is where I need to do it.

.ifdef CLAMD
  warn    set acl_m0    = no

  warn    condition     = ${if exists {/etc/exim4/domains/$domain/antivirus}{yes}{no}}
          set acl_m0    = yes
.endif

Restarted properly now.

I will keep a tab on this.