Virus mail slipped through under special condition

Raylund Lai raylund.lai at KANKANWOO.COM
Mon Jul 11 03:59:34 IST 2005



Hi,

I wonder if anybody has seen this scenario.

I've set up MailScanner as our gateway.  Recently, I implemented 
milter-ahead to minimize virus mail sent to non-existing accounts.  
This works great as long as the virus mail is sent directly to our gateway.

We have a backup MX service from easyDNS.  The function of this service is 
that when our internet link is broken, their mail server will hold the 
mail sent to us.  The mail will be held for a week at most, and they 
will try to re-send it to our MX (gateway) every hour.  This works 
great too.

When the above two are combined together with a special condition, 
MailScanner couldn't detect the virus mail. :(

The condition is that:
1. Virus mail is sent to a non-existing account of ours but spoofed 
from an existing account of ours, e.g. From: support at kankanwoo.com; To: 
james at kankanwoo.com, where "support" is a valid account but "james" is not.
2. The virus mail was not sent to our gateway directly at the time 
of sending because: (i) our internet link was broken; or (ii) it was 
deliberately sent to our backup MX.
3. Our backup MX service received the virus mail and queued it for 
later delivery.
4. The backup MX service delivered the virus mail to our gateway.
5. Our gateway rejected the email via milter-ahead. :)
6. The backup MX service received our "550 5.7.1 ..." message and 
then sent out an "Undelivered Mail Return to Sender" mail, i.e. it sent 
this notification with the virus mail embedded to support at kankanwoo.com.
7. Our gateway received this notification with the embedded virus.  But 
MailScanner "found clean" and relayed it to our mail server. :(
8. The virus mail was luckily quarantined by our virus scanner 
(McAfee) at the mail server.

I must say that except for this special condition, MailScanner works fine all 
the time.

We're using these on the mail gateway:
FreeBSD 5.3
MailScanner 4.42.9_1
p5-Mail-SpamAssassin-3.0.4
clamav-0.86.1
p5-Mail-ClamAV-0.12
bdc-7.0.1 (BitDefender)
f-prot-4.5.4

Have I done something wrong? Or should I disable milter-ahead? Could 
someone help me fix this or give some suggestions?

Cheers
Raylund

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
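The mail flow in steps 1 to 8 above is easy to reproduce on a workstation with Python's standard `email` package, which makes it clear why the bounce is the dangerous object: the backup MX wraps the rejected message, attachment and all, in a delivery status notification (a `message/rfc822` part) addressed to the spoofed, valid sender. A scanner that only looks at the notification's top-level attachments sees a harmless "message/rfc822" part; a scanner that descends into nested messages finds the original attachment. This is an added example and not code from the original post, from MailScanner, or from milter-ahead; the two kankanwoo.com addresses are those quoted in the post, while the `MAILER-DAEMON@backup-mx.example` sender, the `document.exe` filename, the payload bytes and the blocked-extension list are constructed for the demonstration.

```python
"""Why a bounce (DSN) can carry a rejected message's attachment past a scanner
that does not recurse into message/rfc822 parts.

Added example; not from the original post or from MailScanner.  Addresses are
the ones quoted in the post; sender host, filenames and payload are constructed.
"""
import email
from email.message import EmailMessage
from email.policy import default

# Constructed stand-in for a malicious attachment body (not a real sample).
FAKE_PAYLOAD = b"MZ-CONSTRUCTED-TEST-PAYLOAD-NOT-A-REAL-BINARY"
# Illustrative filename policy; a real gateway would use its own rules/AV.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif")


def build_original_mail() -> EmailMessage:
    """Step 1: spoofed valid sender, non-existent recipient, executable attached."""
    msg = EmailMessage(policy=default)
    msg["From"] = "support@kankanwoo.com"   # valid account, spoofed as sender
    msg["To"] = "james@kankanwoo.com"       # account that does not exist
    msg["Subject"] = "Your document"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(FAKE_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="document.exe")
    return msg


def build_bounce(original: EmailMessage) -> bytes:
    """Steps 5-6: the gateway answers 550, so the backup MX wraps the rejected
    message in a DSN addressed to the (spoofed) sender.  Returned as wire bytes,
    which is what the gateway receives in step 7."""
    dsn = EmailMessage(policy=default)
    dsn["From"] = "MAILER-DAEMON@backup-mx.example"   # assumed backup-MX address
    dsn["To"] = str(original["From"])                  # bounce goes to 'support'
    dsn["Subject"] = "Undelivered Mail Return to Sender"  # wording as in the post
    dsn.set_content(
        "This is the mail system at host backup-mx.example.\n\n"
        "<james@kankanwoo.com>: host gateway said: 550 5.7.1 ...\n"
    )
    # Attaching a Message object yields a message/rfc822 part holding the
    # complete original, including its attachment.
    dsn.add_attachment(original)
    return dsn.as_bytes()


def top_level_attachment_names(raw: bytes) -> list:
    """Scanner that inspects only the DSN's direct attachments (misses the payload)."""
    msg = email.message_from_bytes(raw, policy=default)
    return [part.get_filename() or part.get_content_type()
            for part in msg.iter_attachments()]


def all_attachment_names(raw: bytes) -> list:
    """Scanner that walks every leaf part, descending through message/rfc822."""
    msg = email.message_from_bytes(raw, policy=default)
    names = []
    for part in msg.walk():
        if part.is_multipart():        # containers, including message/rfc822
            continue
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def blocked_names(names) -> list:
    """Apply the illustrative filename policy to a list of attachment names."""
    return [n for n in names if n.lower().endswith(BLOCKED_EXTENSIONS)]


def verdict(names) -> str:
    hits = blocked_names(names)
    return "clean" if not hits else "blocked: " + ", ".join(hits)


if __name__ == "__main__":
    raw_bounce = build_bounce(build_original_mail())
    print("top-level only :", top_level_attachment_names(raw_bounce),
          "->", verdict(top_level_attachment_names(raw_bounce)))
    print("recursive walk :", all_attachment_names(raw_bounce),
          "->", verdict(all_attachment_names(raw_bounce)))
```

Run it and the top-level view reports only a "message/rfc822" part and a "clean" verdict, while the recursive walk reports `document.exe` and blocks it. The point for a gateway is that a DSN from a backup MX (or from any other relay) must be scanned as deeply as the message it wraps, and that the recipient of such a bounce is whatever address the original spoofed, which is exactly why it lands on a valid local user.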



More information about the MailScanner mailing list