MailScanner delivering blocked attachments?

rgrignon at INPHACT.COM rgrignon at INPHACT.COM
Wed Jun 4 14:40:12 IST 2003 

This happened to me as well. It was the "microsoft" virus. The .exe went
into the quarantine but was also delivered to the client.

I have upgraded since....

Rob

-----Original Message-----
From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
Sent: Monday, June 02, 2003 4:06 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: MailScanner delivering blocked attachments?


Has anyone else seen this happening?

At 21:59 02/06/2003, you wrote:
>We've got two email gateways, both running MailScanner 4.20-3. This
>afternoon we had a strange occurrence: an .exe (banned attachment) was
>tagged by the outside gateway as banned, yet still delivered to the inside
>gateway with the attachment intact. (See log snippets.) THEN, as this user
>is apparently nonexistent, the bounce message, with attachment intact,
>passed back through the internal gateway! This time, however, the
attachment
>was stripped.
>
>Any idea why this might have happened? Never seen this before; all other
>EXEs and other banned filetypes have been dropped with no problem.
>
>External gateway ("1.1.1.2"):
>
>Jun  2 15:58:30 external-smtp sendmail[29916]: h52JwT829916:
>from=<xxx at yyy.com>, size=10272, class=0, nrcpts=1,
>msgid=<4F043329520A7A4D997C792418D9E552010991CC at osgood.yyy.com>,
proto=SMTP,
>daemon=MTA, relay=mail.yyy.com [000.000.000.000]
>Jun  2 15:58:30 external-smtp sendmail[29916]: h52JwT829916:
>to=<aaa at bbb.com>, delay=00:00:01, mailer=esmtp, pri=40272, stat=queued
>Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved entire message to
>/var/spool/MailScanner/quarantine/20030602/h52JwT829916
>Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved infected
>"REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/h52JwT829916
>Jun  2 15:59:33 external-smtp sendmail[29990]: h52JwT829916:
>to=<aaa at bbb.com>, delay=00:01:04, xdelay=00:00:00, mailer=esmtp,
pri=130272,
>relay=[1.1.1.1] [1.1.1.1], dsn=2.0.0, stat=Sent (h52JxX5j021222 Message
>accepted for delivery)
>
>Internal gateway ("1.1.1.1"):
>
>Jun  2 15:59:33 smtp sendmail[21222]: h52JxX5j021222: from=<xxx at yyy.com>,
>size=1977, class=0, nrcpts=1,
>msgid=<4F043329520A7A4D997C792418D9E552010991CC at osgood.yyy.com>,
>proto=ESMTP, daemon=MTA, relay=external-smtp.cocci.com [1.1.1.2]
>Jun  2 15:59:33 smtp sendmail[21222]: h52JxX5j021222: to=<aaa at bbb.com>,
>delay=00:00:00, mailer=esmtp, pri=31029, stat=queued
>Jun  2 15:59:35 smtp MailScanner[21082]: Saved entire message to
>/var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
>Jun  2 15:59:35 smtp MailScanner[21082]: Saved infected "REPAIR.EXE" to
>/var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
>Jun  2 16:00:52 smtp sendmail[21488]: h52JxX5j021222: to=<aaa at bbb.com>,
>delay=00:01:19, xdelay=00:00:00, mailer=esmtp, pri=121029, relay=[2.2.2.2]
>[2.2.2.2], dsn=2.0.0, stat=Sent (Ok)
>
>Then, on the internal:
>
>Jun  2 16:00:53 smtp sendmail[21520]: h52K0r5f021520: from=<>, size=2793,
>class=0, nrcpts=1, msgid=<sedb74c7.041 at Mail.cocci.com>, proto=SMTP,
>daemon=MTA, relay=[2.2.2.2]
>Jun  2 16:00:53 smtp sendmail[21520]: h52K0r5f021520: to=<xxx at yyy.com>,
>delay=00:00:00, mailer=relay, pri=30430, stat=queued
>Jun  2 16:00:54 smtp MailScanner[20490]: Saved entire message to
>/var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
>Jun  2 16:00:54 smtp MailScanner[20490]: Saved infected "REPAIR.EXE" to
>/var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
>Jun  2 16:01:38 smtp sendmail[21721]: h52K0r5f021520: to=<xxx at yyy.com>,
>delay=00:00:45, xdelay=00:00:00, mailer=relay, pri=120430, relay=[1.1.1.2]
>[1.1.1.2], dsn=2.0.0, stat=Sent (h52K1c830645 Message accepted for
delivery)
>
>Andrew Magnusson
>Internet Product Analyst
>COCC
>1-877-678-0444 extension 640
>
>
>
>*** This message originates from COCC, Inc.
>
>If the reader of this message, regardless of the address or routing, is
>not an intended recipient, you are hereby notified that you have received
>this transmittal in error and any review; use, distribution, dissemination
>or copying is strictly prohibited.  If you have received this message in
>error, please delete this e-mail and all files transmitted with it from
>your system and immediately notify COCC, Inc. by sending reply e-mail to
>the sender of this message.
>
>Thank you. ***

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

--
This message has been scanned and is believed to be clean.

More information about the MailScanner mailing list