MailScanner delivering blocked attachments?

rgrignon at INPHACT.COM
Wed Jun 4 15:24:43 IST 2003


Would this be accomplished by making sure I have the most current
MIME::Tools package?

Thanks,

Rob

-----Original Message-----
From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
Sent: Wednesday, June 04, 2003 9:04 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: MailScanner delivering blocked attachments?


Check that you have all 4 security patches applied to your MIME-tools
installation. It's one of these that fixed this problem (a very long time
ago). You may have all the patches on 1 scanner and not on the other one.

At 14:40 04/06/2003, you wrote:
>This happened to me as well. It was the "microsoft" virus. The .exe went
>into the quarantine but was also delivered to the client.
>
>I have upgraded since....
>
>Rob
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
>Sent: Monday, June 02, 2003 4:06 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: MailScanner delivering blocked attachments?
>
>
>Has anyone else seen this happening?
>
>At 21:59 02/06/2003, you wrote:
> >We've got two email gateways, both running MailScanner 4.20-3. This
> >afternoon we had a strange occurrence: an .exe (banned attachment) was
> >tagged by the outside gateway as banned, yet still delivered to the inside
> >gateway with the attachment intact. (See log snippets.) THEN, as this user
> >is apparently nonexistent, the bounce message, with attachment intact,
> >passed back through the internal gateway! This time, however, the attachment
> >was stripped.
> >
> >Any idea why this might have happened? Never seen this before; all other
> >EXEs and other banned filetypes have been dropped with no problem.
> >
> >External gateway ("1.1.1.2"):
> >
> >Jun  2 15:58:30 external-smtp sendmail[29916]: h52JwT829916:
> >from=<xxx at yyy.com>, size=10272, class=0, nrcpts=1,
> >msgid=<4F043329520A7A4D997C792418D9E552010991CC at osgood.yyy.com>, proto=SMTP,
> >daemon=MTA, relay=mail.yyy.com [000.000.000.000]
> >Jun  2 15:58:30 external-smtp sendmail[29916]: h52JwT829916:
> >to=<aaa at bbb.com>, delay=00:00:01, mailer=esmtp, pri=40272, stat=queued
> >Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved entire message to
> >/var/spool/MailScanner/quarantine/20030602/h52JwT829916
> >Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved infected
> >"REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/h52JwT829916
> >Jun  2 15:59:33 external-smtp sendmail[29990]: h52JwT829916:
> >to=<aaa at bbb.com>, delay=00:01:04, xdelay=00:00:00, mailer=esmtp, pri=130272,
> >relay=[1.1.1.1] [1.1.1.1], dsn=2.0.0, stat=Sent (h52JxX5j021222 Message
> >accepted for delivery)
> >
> >Internal gateway ("1.1.1.1"):
> >
> >Jun  2 15:59:33 smtp sendmail[21222]: h52JxX5j021222: from=<xxx at yyy.com>,
> >size=1977, class=0, nrcpts=1,
> >msgid=<4F043329520A7A4D997C792418D9E552010991CC at osgood.yyy.com>,
> >proto=ESMTP, daemon=MTA, relay=external-smtp.cocci.com [1.1.1.2]
> >Jun  2 15:59:33 smtp sendmail[21222]: h52JxX5j021222: to=<aaa at bbb.com>,
> >delay=00:00:00, mailer=esmtp, pri=31029, stat=queued
> >Jun  2 15:59:35 smtp MailScanner[21082]: Saved entire message to
> >/var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
> >Jun  2 15:59:35 smtp MailScanner[21082]: Saved infected "REPAIR.EXE" to
> >/var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
> >Jun  2 16:00:52 smtp sendmail[21488]: h52JxX5j021222: to=<aaa at bbb.com>,
> >delay=00:01:19, xdelay=00:00:00, mailer=esmtp, pri=121029, relay=[2.2.2.2]
> >[2.2.2.2], dsn=2.0.0, stat=Sent (Ok)
> >
> >Then, on the internal:
> >
> >Jun  2 16:00:53 smtp sendmail[21520]: h52K0r5f021520: from=<>, size=2793,
> >class=0, nrcpts=1, msgid=<sedb74c7.041 at Mail.cocci.com>, proto=SMTP,
> >daemon=MTA, relay=[2.2.2.2]
> >Jun  2 16:00:53 smtp sendmail[21520]: h52K0r5f021520: to=<xxx at yyy.com>,
> >delay=00:00:00, mailer=relay, pri=30430, stat=queued
> >Jun  2 16:00:54 smtp MailScanner[20490]: Saved entire message to
> >/var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
> >Jun  2 16:00:54 smtp MailScanner[20490]: Saved infected "REPAIR.EXE" to
> >/var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
> >Jun  2 16:01:38 smtp sendmail[21721]: h52K0r5f021520: to=<xxx at yyy.com>,
> >delay=00:00:45, xdelay=00:00:00, mailer=relay, pri=120430, relay=[1.1.1.2]
> >[1.1.1.2], dsn=2.0.0, stat=Sent (h52K1c830645 Message accepted for delivery)
> >
> >Andrew Magnusson
> >Internet Product Analyst
> >COCC
> >1-877-678-0444 extension 640
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>
>--
>This message has been scanned and is believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

--
This message has been scanned and is believed to be clean.
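
The symptom in the quoted logs (the same Message-ID producing a `Saved infected "REPAIR.EXE"` entry on both the external and the internal gateway) can be checked for automatically. The following is an added example, not part of the original thread or of MailScanner; the hostnames, queue IDs, addresses and Message-IDs in the sample are constructed, modeled on the syslog format quoted above.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the sendmail/MailScanner syslog lines in the thread.
SAMPLE_LOG = """\
Jun  2 15:58:30 gw-outer sendmail[101]: qidOUT1: from=<sender@example.com>, size=10272, class=0, nrcpts=1, msgid=<msg-a@example.com>, proto=SMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
Jun  2 15:58:33 gw-outer MailScanner[201]: Saved infected "REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/qidOUT1
Jun  2 15:59:33 gw-inner sendmail[102]: qidIN1: from=<sender@example.com>, size=1977, class=0, nrcpts=1, msgid=<msg-a@example.com>, proto=ESMTP, daemon=MTA, relay=gw-outer [192.0.2.2]
Jun  2 15:59:35 gw-inner MailScanner[202]: Saved infected "REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/qidIN1
Jun  2 16:10:00 gw-outer sendmail[103]: qidOUT2: from=<other@example.com>, size=5000, class=0, nrcpts=1, msgid=<msg-b@example.com>, proto=SMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
Jun  2 16:10:02 gw-outer MailScanner[203]: Saved infected "SETUP.EXE" to /var/spool/MailScanner/quarantine/20030602/qidOUT2
Jun  2 16:11:00 gw-inner sendmail[104]: qidIN2: from=<other@example.com>, size=900, class=0, nrcpts=1, msgid=<msg-b@example.com>, proto=ESMTP, daemon=MTA, relay=gw-outer [192.0.2.2]
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s(?P<prog>\w+)\[\d+\]:\s(?P<rest>.*)$")
MSGID = re.compile(r"^(?P<qid>\w+): from=.*?msgid=<(?P<msgid>[^>]+)>")
SAVED = re.compile(r'^Saved infected "(?P<name>[^"]+)" to \S+/(?P<qid>\w+)$')


def find_repeat_quarantines(log_text):
    """Return {(message_id, filename): [hosts]} for attachments quarantined on
    more than one gateway, i.e. an upstream hop relayed the attachment intact."""
    msgid_of = {}  # (host, queue id) -> Message-ID, from sendmail "from=" lines
    saved = []     # (host, queue id, filename), from MailScanner quarantine lines
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        host, prog, rest = m["host"], m["prog"], m["rest"]
        if prog == "sendmail":
            f = MSGID.match(rest)
            if f:
                msgid_of[(host, f["qid"])] = f["msgid"]
        elif prog == "MailScanner":
            s = SAVED.match(rest)
            if s:
                saved.append((host, s["qid"], s["name"]))
    hosts_by_item = defaultdict(list)
    for host, qid, name in saved:
        msgid = msgid_of.get((host, qid))
        if msgid and host not in hosts_by_item[(msgid, name)]:
            hosts_by_item[(msgid, name)].append(host)
    return {k: v for k, v in hosts_by_item.items() if len(v) > 1}


if __name__ == "__main__":
    print(find_repeat_quarantines(SAMPLE_LOG))
```

A bounce is logged with a new Message-ID, as in the third log excerpt above, so this check does not tie it back to the original message.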


