MailScanner delivering blocked attachments?

rgrignon at INPHACT.COM rgrignon at INPHACT.COM
Wed Jun 4 16:32:47 IST 2003


Thanks Julian,

I'm running redhat9.0

I installed the recent version through RPM.

I did notice quite a few packages were upgraded when I applied the new
version.

Thanks again,

Rob

-----Original Message-----
From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
Sent: Wednesday, June 04, 2003 10:20 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: MailScanner delivering blocked attachments?


No. You don't want the most recent MIME-tools packages, they are buggy as
hell. You want to stick with 5.411 but check to make sure your system has
the 4 security patches applied. What version of what OS are you running? If
you used the RPM distribution of MailScanner then all these patches should
have been applied automatically. If you are running a non-RPM system then
you will have installed MIME-tools by hand and should have applied the
patches yourself, as described in the MailScanner documentation.

At 15:24 04/06/2003, you wrote:
>Would this be accomplished by making sure I have the most current
>MIME::Tools package?
>
>Thanks,
>
>Rob
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
>Sent: Wednesday, June 04, 2003 9:04 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: MailScanner delivering blocked attachments?
>
>
>Check that you have all 4 security patches applied to your MIME-tools
>installation. It's one of these that fixed this problem (a very long time
>ago). You may have all the patches on 1 scanner and not on the other one.
>
>At 14:40 04/06/2003, you wrote:
> >This happened to me as well. It was the "microsoft" virus. The .exe went
> >into the quarantine but was also delivered to the client.
> >
> >I have upgraded since....
> >
> >Rob
> >
> >-----Original Message-----
> >From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> >Sent: Monday, June 02, 2003 4:06 PM
> >To: MAILSCANNER at JISCMAIL.AC.UK
> >Subject: Re: MailScanner delivering blocked attachments?
> >
> >
> >Has anyone else seen this happening?
> >
> >At 21:59 02/06/2003, you wrote:
> > >We've got two email gateways, both running MailScanner 4.20-3. This
> > >afternoon we had a strange occurrence: an .exe (banned attachment) was
> > >tagged by the outside gateway as banned, yet still delivered to the inside
> > >gateway with the attachment intact. (See log snippets.) THEN, as this user
> > >is apparently nonexistent, the bounce message, with attachment intact,
> > >passed back through the internal gateway! This time, however, the attachment
> > >was stripped.
> > >
> > >Any idea why this might have happened? Never seen this before; all other
> > >EXEs and other banned filetypes have been dropped with no problem.
> > >
> > >External gateway ("1.1.1.2"):
> > >
> > >Jun  2 15:58:30 external-smtp sendmail[29916]: h52JwT829916:
> > >from=<xxx at yyy.com>, size=10272, class=0, nrcpts=1,
> > >msgid=<4F043329520A7A4D997C792418D9E552010991CC at osgood.yyy.com>,
> > >proto=SMTP, daemon=MTA, relay=mail.yyy.com [000.000.000.000]
> > >Jun  2 15:58:30 external-smtp sendmail[29916]: h52JwT829916:
> > >to=<aaa at bbb.com>, delay=00:00:01, mailer=esmtp, pri=40272, stat=queued
> > >Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved entire message to
> > >/var/spool/MailScanner/quarantine/20030602/h52JwT829916
> > >Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved infected
> > >"REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/h52JwT829916
> > >Jun  2 15:59:33 external-smtp sendmail[29990]: h52JwT829916:
> > >to=<aaa at bbb.com>, delay=00:01:04, xdelay=00:00:00, mailer=esmtp, pri=130272,
> > >relay=[1.1.1.1] [1.1.1.1], dsn=2.0.0, stat=Sent (h52JxX5j021222 Message
> > >accepted for delivery)
> > >
> > >Internal gateway ("1.1.1.1"):
> > >
> > >Jun  2 15:59:33 smtp sendmail[21222]: h52JxX5j021222: from=<xxx at yyy.com>,
> > >size=1977, class=0, nrcpts=1,
> > >msgid=<4F043329520A7A4D997C792418D9E552010991CC at osgood.yyy.com>,
> > >proto=ESMTP, daemon=MTA, relay=external-smtp.cocci.com [1.1.1.2]
> > >Jun  2 15:59:33 smtp sendmail[21222]: h52JxX5j021222: to=<aaa at bbb.com>,
> > >delay=00:00:00, mailer=esmtp, pri=31029, stat=queued
> > >Jun  2 15:59:35 smtp MailScanner[21082]: Saved entire message to
> > >/var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
> > >Jun  2 15:59:35 smtp MailScanner[21082]: Saved infected "REPAIR.EXE" to
> > >/var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
> > >Jun  2 16:00:52 smtp sendmail[21488]: h52JxX5j021222: to=<aaa at bbb.com>,
> > >delay=00:01:19, xdelay=00:00:00, mailer=esmtp, pri=121029, relay=[2.2.2.2]
> > >[2.2.2.2], dsn=2.0.0, stat=Sent (Ok)
> > >
> > >Then, on the internal:
> > >
> > >Jun  2 16:00:53 smtp sendmail[21520]: h52K0r5f021520: from=<>, size=2793,
> > >class=0, nrcpts=1, msgid=<sedb74c7.041 at Mail.cocci.com>, proto=SMTP,
> > >daemon=MTA, relay=[2.2.2.2]
> > >Jun  2 16:00:53 smtp sendmail[21520]: h52K0r5f021520: to=<xxx at yyy.com>,
> > >delay=00:00:00, mailer=relay, pri=30430, stat=queued
> > >Jun  2 16:00:54 smtp MailScanner[20490]: Saved entire message to
> > >/var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
> > >Jun  2 16:00:54 smtp MailScanner[20490]: Saved infected "REPAIR.EXE" to
> > >/var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
> > >Jun  2 16:01:38 smtp sendmail[21721]: h52K0r5f021520: to=<xxx at yyy.com>,
> > >delay=00:00:45, xdelay=00:00:00, mailer=relay, pri=120430, relay=[1.1.1.2]
> > >[1.1.1.2], dsn=2.0.0, stat=Sent (h52K1c830645 Message accepted for delivery)
> > >
> > >Andrew Magnusson
> > >Internet Product Analyst
> > >COCC
> > >1-877-678-0444 extension 640
> > >
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >Professional Support Services at www.MailScanner.biz
> >MailScanner thanks transtec Computers for their support
> >
> >--
> >This message has been scanned and is believed to be clean.
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>--
>This message has been scanned and is believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

--
This message has been scanned and is believed to be clean.
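
One way to check for the symptom reported in this thread, as an added example that is not part of the original messages or of MailScanner: correlate sendmail and MailScanner syslog entries from both gateways by queue ID, and flag a file that is quarantined again under the next hop's queue ID (the pattern the original poster read as the attachment surviving). The function name `find_leaks` and the verdict labels are this example's own; the log entries are the ones quoted in the thread.

```python
import re

# Log entries from the excerpt quoted in this thread, re-joined onto one line
# each (addresses appear as the list archive obfuscated them).
SAMPLE_LOG = """\
Jun  2 15:58:33 external-smtp MailScanner[18247]: Saved infected "REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/h52JwT829916
Jun  2 15:59:33 external-smtp sendmail[29990]: h52JwT829916: to=<aaa at bbb.com>, delay=00:01:04, xdelay=00:00:00, mailer=esmtp, pri=130272, relay=[1.1.1.1] [1.1.1.1], dsn=2.0.0, stat=Sent (h52JxX5j021222 Message accepted for delivery)
Jun  2 15:59:35 smtp MailScanner[21082]: Saved infected "REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/h52JxX5j021222
Jun  2 16:00:52 smtp sendmail[21488]: h52JxX5j021222: to=<aaa at bbb.com>, delay=00:01:19, xdelay=00:00:00, mailer=esmtp, pri=121029, relay=[2.2.2.2] [2.2.2.2], dsn=2.0.0, stat=Sent (Ok)
Jun  2 16:00:54 smtp MailScanner[20490]: Saved infected "REPAIR.EXE" to /var/spool/MailScanner/quarantine/20030602/h52K0r5f021520
Jun  2 16:01:38 smtp sendmail[21721]: h52K0r5f021520: to=<xxx at yyy.com>, delay=00:00:45, xdelay=00:00:00, mailer=relay, pri=120430, relay=[1.1.1.2] [1.1.1.2], dsn=2.0.0, stat=Sent (h52K1c830645 Message accepted for delivery)
"""

QUARANTINE = re.compile(
    r'^\w{3}\s+\d+ [\d:]+ (\S+) MailScanner\[\d+\]: '
    r'Saved infected "([^"]+)" to \S*/(\w+)\s*$')
DELIVERY = re.compile(
    r'^\w{3}\s+\d+ [\d:]+ (\S+) sendmail\[\d+\]: (\w+): '
    r'to=.*stat=Sent \((.*)\)\s*$')
NEXT_QID = re.compile(r'^(\w+) Message accepted for delivery$')


def find_leaks(log_text):
    """Classify each quarantined file that was relayed (assumes merged gateway logs)."""
    quarantined = {}   # queue id -> (host, set of quarantined filenames)
    next_hop = {}      # queue id -> downstream queue id, or None if not reported
    for line in log_text.splitlines():
        if m := QUARANTINE.match(line):
            host, name, qid = m.groups()
            quarantined.setdefault(qid, (host, set()))[1].add(name)
        elif m := DELIVERY.match(line):
            _, qid, reply = m.groups()
            hop = NEXT_QID.match(reply)
            next_hop[qid] = hop.group(1) if hop else None
    findings = []
    for qid, (host, names) in quarantined.items():
        if qid not in next_hop:
            continue                      # never relayed: nothing to check
        downstream = next_hop[qid]
        for name in sorted(names):
            if downstream is None:
                verdict = "unverified"    # receiver did not report a queue id
            elif name in quarantined.get(downstream, (None, set()))[1]:
                verdict = "leaked"        # same file quarantined again downstream
            else:
                verdict = "not_seen_downstream"
            findings.append((host, qid, name, verdict))
    return findings
```

A `not_seen_downstream` verdict only means something when the receiving gateway's logs are part of the input; in the sample, the external gateway's entries for `h52K1c830645` are not in the excerpt.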


