Help. When an email is found on a blacklist, is the email checked for viruses?

Steen, Glenn Glenn.Steen at AP1.SE
Fri Dec 3 18:45:25 GMT 2004



If I understand things correctly any message that is actually delivered somewhere (regardless of the _spam_ actions etc) will be passed through the virus scanner(s).

Get him/her to return a copy of it to you, then run your virus scanner on it... Does it detect it? (You might have to dig up how the wrapper script is actually called :).

Another piece of advice: get another AV program too. I use both clamav (http://www.clamav.net) and bitdefender (http://www.bitdefender.com), which are free for linux (bitdef. might need "beta" code maturity, and is reputed to be unstable.... I've never seen that though), and McAfee (since we pay some handsome sum of money for a license that includes a linux command line anyway :)... At least get clam.

-- Glenn

-----Original Message-----
From:   MailScanner mailing list on behalf of Joe Young
Sent:   fr 2004-12-03 19:22
To:     MAILSCANNER at JISCMAIL.AC.UK
Cc:	
Subject:        Help. When an email is found on a blacklist, is the email checked for viruses?
        Quick question. When the email comes into Mailscanner, does
Mailscanner check viruses then check the blacklists? Or does Mailscanner
check blacklists then for viruses? If an email is found in the blacklist does
the email get scanned for viruses? Are there config settings that I need to
look at?

        My reason for asking is one of my clients reports that he found a
virus that passed through our filtering server. He reports that
W32.Mydoom.M@mm succeeded in passing our filter server. The filtering
server is running

        sendmail                ver.    8.11.6
        Mailscanner     ver.    4.28.6
        F-PROT   Prog ver.      4.4.7
                        Engine ver. 3.14.13

        VIRUS SIGNATURE FILES
        SIGN.DEF created 30 November 2004
        SIGN2.DEF created 30 November 2004
        MACRO.DEF created 29 November 2004

I verified that W32.Mydoom.M@mm was in the virus definitions and that his
email indeed went through the filter server.  Here is the raw email...


X-Symantec-TimeoutProtection: 0
X-Symantec-TimeoutProtection: 1
Received: from coelacanth.sterling.net [199.108.228.124] by
sterling-imail.sterlink.net with ESMTP
  (SMTPD32-8.13) id AF21202B00B2; Thu, 02 Dec 2004 16:11:13 -0800
Received: from cooneyllc.com ([64.95.72.33])
 by coelacanth.sterling.net (8.11.6/8.11.6) with ESMTP id iB30B6S30760
 for <pcooney at cooneyllc.com>; Thu, 2 Dec 2004 16:11:06 -0800
Message-Id: <200412030011.iB30B6S30760 at coelacanth.sterling.net>
From: "Mail Administrator" <MAILER-DAEMON at cooneyllc.com>
To: pcooney at cooneyllc.com
Subject: [SPAM]: Returned mail: see transcript for details
Date: Thu, 2 Dec 2004 19:11:05 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0003_67BF40E3.78DFFDA3"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: spam, SBL+XBL
X-MailScanner-From: mailer-daemon at cooneyllc.com
X-RCPT-TO: <pcooney at cooneyllc.com>
Status: R
X-UIDL: 323874575

This is a multi-part message in MIME format.

------=_NextPart_000_0003_67BF40E3.78DFFDA3
Content-Type: text/plain;
 charset=us-ascii
Content-Transfer-Encoding: 7bit

The original message was included as attachment


------=_NextPart_000_0003_67BF40E3.78DFFDA3
Content-Type: plain/text;
 name="Norton AntiVirus Deleted-1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="Norton AntiVirus Deleted-1.txt"

Tm9ydG9uIEFudGlWaXJ1cyByZW1vdmVkIHRoZSBhdHRhY2htZW50OiBwY29vbmV5QGNvb25l
eWxsYy5jb20uemlwLg0KVGhlIFczMi5NeWRvb20uTUBtbSB0aHJlYXQgd2FzIGRldGVjdGVk
IGluIHRoZSBhdHRhY2htZW50Lg==

------=_NextPart_000_0003_67BF40E3.78DFFDA3--






----- Original Message -----
From: "Mail Administrator" <MAILER-DAEMON at cooneyllc.com>
To: <pcooney at cooneyllc.com>
Sent: Thursday, December 02, 2004 4:11 PM
Subject: [SPAM]: Returned mail: see transcript for details


> The original message was included as attachment
>
>




Support - Joe Young
(503) 968-8908 x223
Sterling Internet Solutions, Inc.
support at sterling.net
www.sterling.net

For network status and outage information, please see:
http://www.sterling.net/support/network_status.cfm

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
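
An added example, not part of the thread: one way to triage a "virus got through the filter" report like this one is to decode every MIME part of the delivered message and compare what the parts actually contain with the scanner verdict header. The message text is an abridged copy of the raw email quoted above; `triage` and its field names are made up for this sketch.

```python
import email
from email import policy
# Abridged copy of the raw message quoted in the post (most headers trimmed).
RAW = """\
Subject: [SPAM]: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0003_67BF40E3.78DFFDA3"
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: spam, SBL+XBL

------=_NextPart_000_0003_67BF40E3.78DFFDA3
Content-Type: text/plain;
 charset=us-ascii
Content-Transfer-Encoding: 7bit

The original message was included as attachment
------=_NextPart_000_0003_67BF40E3.78DFFDA3
Content-Type: plain/text;
 name="Norton AntiVirus Deleted-1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="Norton AntiVirus Deleted-1.txt"

Tm9ydG9uIEFudGlWaXJ1cyByZW1vdmVkIHRoZSBhdHRhY2htZW50OiBwY29vbmV5QGNvb25l
eWxsYy5jb20uemlwLg0KVGhlIFczMi5NeWRvb20uTUBtbSB0aHJlYXQgd2FzIGRldGVjdGVk
IGluIHRoZSBhdHRhY2htZW50Lg==
------=_NextPart_000_0003_67BF40E3.78DFFDA3--
"""

def triage(raw):
    """Return the scanner verdict header and the decoded content of each leaf part."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"scanner_verdict": str(msg.get("X-MailScanner", "")), "parts": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        report["parts"].append({
            "filename": part.get_filename() or "",
            "declared_type": part.get_content_type(),
            "is_zip": data.startswith(b"PK\x03\x04"),  # ZIP local file header magic
            "is_pe": data.startswith(b"MZ"),           # DOS/PE executable magic
            "text": data.decode("latin-1"),
        })
    return report

if __name__ == "__main__":
    print(triage(RAW))
```

On the quoted message the only attachment decodes to a plain-text notice from Norton AntiVirus saying the .zip attachment was removed; no part carries archive or executable content.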
