MailScanner delivering blocked attachments?

Magnusson, Andrew Andrew.Magnusson at COCC.COM
Mon Jun 2 21:59:58 IST 2003


We've got two email gateways, both running MailScanner 4.20-3. This
afternoon we had a strange occurrence: an .exe (banned attachment) was
tagged by the outside gateway as banned, yet still delivered to the inside
gateway with the attachment intact. (See log snippets.) THEN, as this user
is apparently nonexistent, the bounce message, with attachment intact,
passed back through the internal gateway! This time, however, the attachment
was stripped.

Any idea why this might have happened? Never seen this before; all other
EXEs and other banned filetypes have been dropped with no problem.

External gateway ("1.1.1.2"):

Jun  2 15:58:30 external-smtp sendmail[29916]: h52JwT829916:
from=<xxx at yyy.com>, size=10272, class=0, nrcpts=1,
msgid=<4F043329520A7A4D997C792418D9E552010991CC at osgood.yyy.com>, proto=SMTP,
daemon=MTA, relay=mail.yyy.com [000.000.000.000]
Jun  2 15:58:30 external-smtp sendmail[29916]: h52JwT829916:
to=<aaa at bbb.com>, delay=00:00:01, mailer=esmtp, pri=40272, stat=queued
Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved entire message to
/var/spool/MailScanner/quarantine/20030602/h52JwT829916
Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved infected
"REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/h52JwT829916
Jun  2 15:59:33 external-smtp sendmail[29990]: h52JwT829916:
to=<aaa at bbb.com>, delay=00:01:04, xdelay=00:00:00, mailer=esmtp, pri=130272,
relay=[1.1.1.1] [1.1.1.1], dsn=2.0.0, stat=Sent (h52JxX5j021222 Message
accepted for delivery)

Internal gateway ("1.1.1.1"):

Jun  2 15:59:33 smtp sendmail[21222]: h52JxX5j021222: from=<xxx at yyy.com>,
size=1977, class=0, nrcpts=1,
msgid=<4F043329520A7A4D997C792418D9E552010991CC at osgood.yyy.com>,
proto=ESMTP, daemon=MTA, relay=external-smtp.cocci.com [1.1.1.2]
Jun  2 15:59:33 smtp sendmail[21222]: h52JxX5j021222: to=<aaa at bbb.com>,
delay=00:00:00, mailer=esmtp, pri=31029, stat=queued
Jun  2 15:59:35 smtp MailScanner[21082]: Saved entire message to
/var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
Jun  2 15:59:35 smtp MailScanner[21082]: Saved infected "REPAIR.EXE" to
/var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
Jun  2 16:00:52 smtp sendmail[21488]: h52JxX5j021222: to=<aaa at bbb.com>,
delay=00:01:19, xdelay=00:00:00, mailer=esmtp, pri=121029, relay=[2.2.2.2]
[2.2.2.2], dsn=2.0.0, stat=Sent (Ok)

Then, on the internal:

Jun  2 16:00:53 smtp sendmail[21520]: h52K0r5f021520: from=<>, size=2793,
class=0, nrcpts=1, msgid=<sedb74c7.041 at Mail.cocci.com>, proto=SMTP,
daemon=MTA, relay=[2.2.2.2]
Jun  2 16:00:53 smtp sendmail[21520]: h52K0r5f021520: to=<xxx at yyy.com>,
delay=00:00:00, mailer=relay, pri=30430, stat=queued
Jun  2 16:00:54 smtp MailScanner[20490]: Saved entire message to
/var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
Jun  2 16:00:54 smtp MailScanner[20490]: Saved infected "REPAIR.EXE" to
/var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
Jun  2 16:01:38 smtp sendmail[21721]: h52K0r5f021520: to=<xxx at yyy.com>,
delay=00:00:45, xdelay=00:00:00, mailer=relay, pri=120430, relay=[1.1.1.2]
[1.1.1.2], dsn=2.0.0, stat=Sent (h52K1c830645 Message accepted for delivery)

Andrew Magnusson
Internet Product Analyst
COCC
1-877-678-0444 extension 640
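One way to triage a report like this is to correlate the sendmail queue ids with MailScanner's "Saved infected" events and follow each message across the two hops, comparing the size each MTA logged on receipt. The script below is an added example, not part of the original post or of MailScanner; its input is the log lines quoted above, re-joined into one syslog line each (the archive wrapped them), and the field regexes are assumptions about the sendmail log format shown here rather than a general parser. `trace` follows the next-hop queue id that sendmail prints in its `stat=Sent (... Message accepted for delivery)` detail, and `find_passthrough` reports hops where an attachment was quarantined but the next hop still received a message no smaller than the one taken in, which is what an attachment passing through unchanged would look like.

```python
import re

# Constructed sample input: the twelve log lines quoted in the post,
# one syslog line each. Addresses keep the archive's " at " mangling.
SAMPLE_LOG = """\
Jun  2 15:58:30 external-smtp sendmail[29916]: h52JwT829916: from=<xxx at yyy.com>, size=10272, class=0, nrcpts=1, msgid=<4F043329520A7A4D997C792418D9E552010991CC at osgood.yyy.com>, proto=SMTP, daemon=MTA, relay=mail.yyy.com [000.000.000.000]
Jun  2 15:58:30 external-smtp sendmail[29916]: h52JwT829916: to=<aaa at bbb.com>, delay=00:00:01, mailer=esmtp, pri=40272, stat=queued
Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved entire message to /var/spool/MailScanner/quarantine/20030602/h52JwT829916
Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved infected "REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/h52JwT829916
Jun  2 15:59:33 external-smtp sendmail[29990]: h52JwT829916: to=<aaa at bbb.com>, delay=00:01:04, xdelay=00:00:00, mailer=esmtp, pri=130272, relay=[1.1.1.1] [1.1.1.1], dsn=2.0.0, stat=Sent (h52JxX5j021222 Message accepted for delivery)
Jun  2 15:59:33 smtp sendmail[21222]: h52JxX5j021222: from=<xxx at yyy.com>, size=1977, class=0, nrcpts=1, msgid=<4F043329520A7A4D997C792418D9E552010991CC at osgood.yyy.com>, proto=ESMTP, daemon=MTA, relay=external-smtp.cocci.com [1.1.1.2]
Jun  2 15:59:33 smtp sendmail[21222]: h52JxX5j021222: to=<aaa at bbb.com>, delay=00:00:00, mailer=esmtp, pri=31029, stat=queued
Jun  2 15:59:35 smtp MailScanner[21082]: Saved entire message to /var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
Jun  2 15:59:35 smtp MailScanner[21082]: Saved infected "REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
Jun  2 16:00:52 smtp sendmail[21488]: h52JxX5j021222: to=<aaa at bbb.com>, delay=00:01:19, xdelay=00:00:00, mailer=esmtp, pri=121029, relay=[2.2.2.2] [2.2.2.2], dsn=2.0.0, stat=Sent (Ok)
Jun  2 16:00:53 smtp sendmail[21520]: h52K0r5f021520: from=<>, size=2793, class=0, nrcpts=1, msgid=<sedb74c7.041 at Mail.cocci.com>, proto=SMTP, daemon=MTA, relay=[2.2.2.2]
Jun  2 16:00:53 smtp sendmail[21520]: h52K0r5f021520: to=<xxx at yyy.com>, delay=00:00:00, mailer=relay, pri=30430, stat=queued
Jun  2 16:00:54 smtp MailScanner[20490]: Saved entire message to /var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
Jun  2 16:00:54 smtp MailScanner[20490]: Saved infected "REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
Jun  2 16:01:38 smtp sendmail[21721]: h52K0r5f021520: to=<xxx at yyy.com>, delay=00:00:45, xdelay=00:00:00, mailer=relay, pri=120430, relay=[1.1.1.2] [1.1.1.2], dsn=2.0.0, stat=Sent (h52K1c830645 Message accepted for delivery)
"""

TS = r'(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)'
# Assumed shapes of the two line types seen in the post.
SENDMAIL_RE = re.compile(TS + r' (?P<host>\S+) sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$')
SAVED_RE = re.compile(TS + r' (?P<host>\S+) MailScanner\[\d+\]: '
                      r'Saved infected "(?P<name>[^"]+)" to \S*/(?P<qid>\w+)$')


def _new_record(host):
    return {'host': host, 'size': None, 'from': None, 'to': None,
            'stat': None, 'next_qid': None, 'quarantined': []}


def parse_log(text):
    """Return {queue_id: record}, merging sendmail and MailScanner lines."""
    records = {}
    for line in text.splitlines():
        m = SENDMAIL_RE.match(line)
        if m:
            rec = records.setdefault(m['qid'], _new_record(m['host']))
            rest = m['rest']
            f = re.search(r'from=<([^>]*)>', rest)
            if f:
                rec['from'] = f.group(1)
            s = re.search(r'size=(\d+)', rest)
            if s:
                rec['size'] = int(s.group(1))
            t = re.search(r'to=<([^>]*)>', rest)
            if t:
                rec['to'] = t.group(1)
            st = re.search(r'stat=(\w+)(?: \(([^)]*)\))?', rest)
            if st:
                rec['stat'] = st.group(1)  # last stat wins (queued -> Sent)
                # sendmail echoes the receiving MTA's queue id on success
                nh = re.match(r'^(\w+) Message accepted for delivery$', st.group(2) or '')
                if nh:
                    rec['next_qid'] = nh.group(1)
            continue
        m = SAVED_RE.match(line)
        if m:
            records.setdefault(m['qid'], _new_record(m['host']))['quarantined'].append(m['name'])
    return records


def trace(records, qid):
    """Follow a message across hops; returns [(host, qid, size), ...]."""
    chain, seen = [], set()
    while qid in records and qid not in seen:
        seen.add(qid)
        rec = records[qid]
        chain.append((rec['host'], qid, rec['size']))
        qid = rec['next_qid']
    return chain


def find_passthrough(records):
    """Hops that quarantined an attachment yet handed the next MTA a message
    no smaller than the one received: (qid, next_qid, size_in, size_next)."""
    findings = []
    for qid, rec in records.items():
        nxt = records.get(rec['next_qid'])
        if rec['quarantined'] and nxt and rec['size'] is not None and nxt['size'] is not None:
            if nxt['size'] >= rec['size']:
                findings.append((qid, rec['next_qid'], rec['size'], nxt['size']))
    return findings


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for qid, rec in recs.items():
        print(qid, rec['host'], 'size=%s' % rec['size'], 'stat=%s' % rec['stat'],
              'quarantined=%s' % rec['quarantined'])
    print('chain from first hop:', trace(recs, 'h52JwT829916'))
    print('pass-through findings:', find_passthrough(recs) or 'none')
```

Run against the quoted lines it prints the per-hop sizes (10272 on the external gateway, 1977 on the internal one for the same message-id) so the two can be compared directly; a flagged hop in `find_passthrough` is the case worth pulling the quarantined copies for.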





