virus passed through mailscanner driven mcafee!
Sandor Dobos
dobos_s at IBCNET.HU
Thu Mar 7 10:34:23 GMT 2002
(mailscanner version 3.04-1)
Hi!
Maybe you know about this, but I think there is an error in parsing McAfee
output.
The symptom was that I got a message from a webshield running on win that
there is an Exploit-MIME.gen infected email.
But that PC got the email from a linux mail-relay, running mailscanner with
mcafee 4188!
And the email reaching the webshield has an X-Mailscanner: found to be clean
header!
I sent the infected mail as an attachment back through the relay, but this
time I get the virus warning.
How could this happen?
I ran uvscan on sendmail's queue file; it said there is that virus, but
after the "Found...." line there was another
saying "Please send a copy to..."
I ran uvscan on MailScanner's incoming directory, where the
unpacked attachments were, and nothing was found!
So what to do?
Dobos Sandor
IBCnet Hungary Ltd.
From: Julian Field <jkf at ECS.SOTON.AC.UK>
Sent by: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
2002.02.26 11:34
Please respond to MailScanner mailing list
To: MAILSCANNER at JISCMAIL.AC.UK
cc:
Subject: Re: [OT] Sendmail - Was Re: Re: Filtering
At 10:27 26/02/2002, you wrote:
>Is it possible to include these checks in a .mc file instead of the .cf file?
Yes, that's where I put the code below. Just put in a line saying
LOCAL_RULESETS
and then follow it with the example I have given.
>I hate having to add these things after using m4 on my .mc file !
I never touch the cf file, only the mc.
>----- Original Message -----
>From: "Julian Field"
>Sent: Tuesday, February 26, 2002 8:45 AM
>Subject: Re: Filtering
>
>
> > And subject lines can be easily filtered in sendmail too.
> > For example:
> >
> > HSubject: $>Check_Subject
> >
> > D{MelissaPat}Important Message From
> > D{MelissaMsg}This message may contain the Melissa virus.
> > D{PrettyPat}C:\\CoolProgs\\Pretty Park.exe
> > D{PrettyMsg}This message may contain the Pretty Park virus.
> >
> > SCheck_Subject
> > R${MelissaPat} $*	$#error $@ 5.7.1 $: ${MelissaMsg}
> > RRe: ${MelissaPat} $*	$#error $@ 5.7.1 $: ${MelissaMsg}
> > R${PrettyPat} $*	$#error $@ 5.7.1 $: ${PrettyMsg}
> >
> > At 19:55 25/02/2002, you wrote:
> > >sender addresses can be filtered using sendmail's access.db feature..
> > >
> > >Youn Gonzales
> > >System Administrator
> > >Comptia A+, Network+, INET+,
> > >Cisco CCNA/CCDA Certified Technician
> > >Microsoft Certified Professional
> > >
> > >
> > >----- Original Message -----
> > >From: "Henry C. Chorlian" <chorlian at CBR.MED.HARVARD.EDU>
> > >To: <MAILSCANNER at JISCMAIL.AC.UK>
> > >Sent: Monday, February 25, 2002 2:00 PM
> > >Subject: Filtering
> > >
> > >
> > > > Is there a way to filter out sender addresses or certain
> > > > annoying subject headers?
> > > >
> > > > Any suggestions greatly appreciated.
> > > >
> > > > Thanks,
> > > >
> > > > Henry
> > > >
> > > > ------------------------------------------
> > > > Henry C. Chorlian
> > > > Director of Information Systems
> > > > Center for Blood Research
> > > > 800 Huntington Avenue
> > > > Boston, MA 02115-6303
> > > >
> > > > Harvard Medical School Affiliate
> > > > chorlian at cbr.med.harvard.edu
> > > > Voice: (617) 278-3425
> > > > Fax: (617) 278-3493
> >
> > --
> > Julian Field Teaching Systems Manager
> > jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817 University of Southampton
> > Southampton SO17 1BJ
> >
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ