Re: sobig virus
Anders Andersson, IT
andersan at LTKALMAR.SE
Thu Aug 21 21:25:03 IST 2003
> -----Original Message-----
> From: Joe Stuart [mailto:jstuart at EDENPR.K12.MN.US]
> Sent: 21 August 2003 18:32
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: sobig virus
>
>
> >>> Antony at SOFT-SOLUTIONS.CO.UK 08/20/03 04:40PM >>>
> On Wednesday 20 August 2003 6:08 pm, Joe Stuart wrote:
>
> > I was wrong, it did not go through mailscanner. Uly told me that some
> > of the newer viruses are using lower mx records, so we did some
> > investigating and it turns out that the company that handles our
> > external dns had an old entry for a backup mailserver that should
> > not have been there that the virus was relaying through.
>
> So.... the virus went through an old mail relay with a
> higher MX value...
>
> Surely all that machine did was to forward the mail to the
> system with the lower MX value, where it got scanned and detected?
>
> Or am I missing something about your setup here?
>
> Antony.
>
> --
>
>
> In our setup we have a server running Sendmail, Mailscanner,
> SA and f-prot that has a MX value of 10. Mail is received on
> that server and then transported to a groupwise server that
> delivers it to the clients. The groupwise server was in the
> DNS with a MX value of 100 that I had no idea about. Since
> it appeared that mail was coming in without being scanned we
> went in and closed the groupwise server off to the outside
> world. Then the viruses stopped coming in. If there are any
> suggestions on how things could be set up better I'm open to ideas
Set up a second MS server with the same config.... Remove groupwise from MX
and make sure only the 2 MTAs can relay mail to and from groupwise. I hope
you got a FW between MS and groupwise?
Just my 2 cents
>
> Thanks
>
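
Added example, not part of the original thread: a small Python audit that lists every published MX host that is not one of the scanning gateways, which is the condition that let mail reach the GroupWise server unscanned. The zone data and all hostnames (`example.org`, `scan1`, `scan2`, `groupwise`) are constructed placeholders; in practice the input would be the output of an MX lookup against the external DNS.

```python
# Constructed sample: MX answer lines as a zone file or `dig` would show them.
SAMPLE_ZONE = """\
example.org.  3600 IN MX 10  scan1.example.org.
example.org.  3600 IN MX 100 groupwise.example.org. ; forgotten backup entry
example.org.  3600 IN A  192.0.2.10
"""


def parse_mx(zone_text):
    """Return sorted [(preference, host)] for every MX line in zone_text."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "MX" not in fields:
            continue
        i = fields.index("MX")
        if len(fields) < i + 3 or not fields[i + 1].isdigit():
            continue  # malformed MX line, skip it
        host = fields[i + 2].rstrip(".").lower()
        records.append((int(fields[i + 1]), host))
    return sorted(records)


def unscanned_mx(zone_text, scanning_gateways):
    """MX hosts that accept mail from the Internet but are not scanners.

    Any host returned here is a path around the scanner, whatever its
    preference value: senders are free to pick any published MX.
    """
    allowed = {h.rstrip(".").lower() for h in scanning_gateways}
    return [(p, h) for p, h in parse_mx(zone_text) if h not in allowed]


if __name__ == "__main__":
    for pref, host in unscanned_mx(SAMPLE_ZONE, ["scan1.example.org"]):
        print(f"MX {pref} {host} is published but is not a scanning gateway")
```

An empty result only covers the DNS side; the internal mail server still needs to refuse SMTP from anything except the scanning gateways.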