Virus mail slipped through under special condition
raylund.lai at KANKANWOO.COM
Mon Jul 11 03:59:34 IST 2005
I wonder if anybody has seen this scenario.
I've set up MailScanner as our gateway. Recently, I implemented
milter-ahead to minimize virus mail sent to non-existing accounts.
This works great as long as the virus mail is sent directly to our gateway.
We have a backup MX service from easyDNS. The function of this service is
that when our internet link is broken, their mail server will hold the
mail sent to us. The mail will be held for a week at most and they
will try to re-send it to our MX (gateway) every hour. This works
When the above two are combined together under a special condition,
MailScanner couldn't detect the virus mail. :(
The conditions are:
1. Virus mail is sent to a non-existing account of ours but spoofed
as from an existing account of ours. e.g. From: support at kankanwoo.com; To:
james at kankanwoo.com where "support" is a valid account but "james" is not.
2. The virus mail was not sent to our gateway directly at the time
of sending because: (i) our internet link was broken; or (ii) it was
deliberately sent to our backup MX.
3. Our backup MX service received the virus mail and queued it for
4. The backup MX service delivered the virus mail to our gateway.
5. Our gateway rejected the email via milter-ahead. :)
6. The backup MX service received our "550 5.7.1 ..." message and
then sent out an "Undelivered Mail Return to Sender" mail, i.e. it sent
this notification, with the virus mail embedded, to support at kankanwoo.com.
7. Our gateway received this notification with the embedded virus. But
MailScanner found it "clean" and relayed it to our mail server. :(
8. The virus mail was luckily quarantined by our virus scanner
(McAfee) at the mail server.
I must say that except for this special condition MailScanner works fine all
We're using these on the mail gateway:
Have I done something wrong? Or should I disable milter-ahead? Could
someone help me fix this or give some suggestions?
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
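The failure mode in steps 6 and 7 is structural: the backup MX's DSN is a multipart/report whose third part is the rejected mail, verbatim, as a message/rfc822 part, so the infected attachment sits one MIME level deeper than in a normal mail. The example below is added here and is not code from the original post, from MailScanner or from milter-ahead. It constructs such a bounce for the addresses in the post and shows that a scanner which only inspects the top-level parts reports it clean while a recursive walk finds the attachment. The backup MX hostname backupmx.example, the DSN wording, the filename document.exe and the byte string used as a stand-in virus signature are all constructed for the demo.

```python
"""Walk a DSN ("Undelivered Mail Returned to Sender") the way a mail scanner
must, so the rejected mail embedded in it as message/rfc822 is not missed.

Added example for this thread; not code from the original post or from
MailScanner/milter-ahead. Everything below is constructed for the demo: the
backup MX hostname backupmx.example, the DSN wording, the filename
document.exe and the byte string used as a stand-in virus signature."""

from email import policy
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.base import MIMEBase
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser
from typing import Iterable, List, Optional

# Constructed stand-in for an AV signature; a real scanner has its own.
SIGNATURE = b"X-DEMO-VIRUS-SIGNATURE-0001"


def build_virus_mail() -> Message:
    """The mail milter-ahead rejected: spoofed From a valid local account,
    addressed To a non-existent one, with an 'infected' attachment."""
    original = MIMEMultipart("mixed")
    original["From"] = "support@kankanwoo.com"
    original["To"] = "james@kankanwoo.com"
    original["Subject"] = "Your document"
    original.attach(MIMEText("Please see the attached file.\n"))
    attachment = MIMEApplication(b"MZ..." + SIGNATURE + b"...", "octet-stream")
    attachment.add_header("Content-Disposition", "attachment",
                          filename="document.exe")
    original.attach(attachment)
    return original


def build_bounce(rejected: Message) -> bytes:
    """The DSN the backup MX generates after the gateway's 550 5.7.1 reject.
    A DSN is sent with an empty envelope sender (MAIL FROM:<>) and is
    multipart/report; its third part is the rejected mail, verbatim."""
    dsn = MIMEMultipart("report", report_type="delivery-status")
    dsn["From"] = "MAILER-DAEMON@backupmx.example"
    dsn["To"] = rejected["From"]          # i.e. the spoofed support@ address
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn.attach(MIMEText(
        "This is the mail system at host backupmx.example.\n\n"
        "<james@kankanwoo.com>: host gateway.kankanwoo.com said:\n"
        "    550 5.7.1 <james@kankanwoo.com>: Recipient address rejected\n"))
    # message/delivery-status is a sequence of header-only blocks.
    status = MIMEBase("message", "delivery-status")
    per_message, per_recipient = Message(), Message()
    per_message["Reporting-MTA"] = "dns; backupmx.example"
    per_recipient["Final-Recipient"] = "rfc822; james@kankanwoo.com"
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = "5.7.1"
    status.attach(per_message)
    status.attach(per_recipient)
    dsn.attach(status)
    dsn.attach(MIMEMessage(rejected))     # the virus mail, embedded whole
    return dsn.as_bytes()


def parse_mail(raw: bytes):
    """Parse with the modern policy so parts support iter_parts()/walk()."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def top_level_parts(msg) -> Iterable:
    """Only the direct children of the message. For a DSN these are
    text/plain, message/delivery-status and message/rfc822; the infected
    file is one level deeper, so a scanner that stops here reports clean."""
    return msg.iter_parts() if msg.is_multipart() else [msg]


def scan(parts: Iterable) -> List[str]:
    """Match the signature against every leaf part; containers (multipart/*,
    message/rfc822, message/delivery-status) carry no bytes of their own."""
    hits = []
    for part in parts:
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if SIGNATURE in data:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


def embedded_original(msg) -> Optional[Message]:
    """Return the rejected mail carried inside a multipart/report DSN, so a
    gateway can recheck its recipient and attachments, or None."""
    if msg.get_content_type() != "multipart/report":
        return None
    for part in msg.iter_parts():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


if __name__ == "__main__":
    bounce = parse_mail(build_bounce(build_virus_mail()))
    print("top-level only:", scan(top_level_parts(bounce)))   # []
    print("recursive walk:", scan(bounce.walk()))             # ['document.exe']
    inner = embedded_original(bounce)
    print("embedded mail was addressed to:", inner["To"])     # james@kankanwoo.com
```

`Message.walk()` already descends into message/rfc822 parts, so the recursive scan is the standard library's default; the point is that any scanner, MIME filter or attachment rule that treats the bounce as a flat list of three parts never reaches document.exe. The same `embedded_original()` lookup gives a gateway the inner To: header, which is the very address it rejected a moment earlier, so the bounce can be recognised as backscatter from its own 550.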