Virus mail slipped through under special condition

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Mon Jul 11 09:33:55 IST 2005


Raylund Lai wrote:
> Hi,
> 
> I wonder if anybody has seen this scenario.
> 
> I've set up MailScanner as our gateway.  Recently, I implemented 
> milter-ahead to minimize virus mail sent to non-existing accounts.  
> This works great as long as the virus mail is sent directly to our gateway.
> 
> We have a backup MX service from easyDNS.  The function of this service is 
> that when our internet link is broken, their mail server will hold the 
> mail sent to us.  The mail will be held for a week at most and 
> they will try to re-send it to our MX (gateway) every hour.  This works 
> great too.
> 
> When the above two are combined together with a special condition, 
> MailScanner couldn't detect the virus mail. :(
> 
> The condition is that:
> 1.    Virus mail is sent to a non-existing account of ours but spoofed 
> from an existing account of ours.  e.g. From: support at kankanwoo.com; To: 
> james at kankanwoo.com where "support" is a valid account but not "james".
> 2.    The virus mail was not sent to our gateway directly at the time 
> of sending because: (i) our internet link was broken; or (ii) it was 
> deliberately sent to our backup MX.
> 3.    Our backup MX service received the virus mail and queued it for 
> later delivery.
> 4.    The backup MX service delivered the virus mail to our gateway.
> 5.    Our gateway rejected the email by milter-ahead. :)
> 6.    The backup MX service received our "550 5.7.1 ..." message and 
> then sent out an "Undelivered Mail Return to Sender" mail, i.e. it sent 
> this notification with the virus mail embedded to support at kankanwoo.com
> 7.    Our gateway received this notification with the embedded virus.  But 
> MailScanner "found clean" and relayed it to our mail server. :(
> 8.    The virus mail was luckily quarantined by our virus scanner 
> (McAfee) at the mail server.
> 
> I must say that except for this special condition MailScanner works fine all 
> the time.
> 
> We're using these on the mail gateway:
> FreeBSD 5.3
> MailScanner 4.42.9_1
> p5-Mail-SpamAssassin-3.0.4
> clamav-0.86.1
> p5-Mail-ClamAV-0.12
> bdc-7.0.1 (BitDefender)
> f-prot-4.5.4
> 
> Have I done something wrong? Or should I disable milter-ahead? Could 
> someone help me fix this or give some suggestions?
> 
> Cheers
> Raylund
> 
Raylund,

We see quite a bit of this kind of 'bounce' as well, but for me both 
ClamAV and Sophos still pick up the virus-laden content. 
(Running FreeBSD 4.10 and MS 4.43.)

Can you do a MailScanner -v and send the output back to the list...



--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
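One way to see what a bounce like the one in step 7 actually carries, as an added example that is not from this thread, MailScanner or milter-ahead: it builds a constructed DSN that wraps a rejected original message (with a harmless placeholder attachment) and walks every MIME level, descending into message/rfc822 containers, so that an attachment riding inside the embedded original is listed rather than missed. It assumes only Python's standard `email` library; the addresses are the ones from the thread and the attachment bytes are a constructed placeholder.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample_bounce() -> bytes:
    """Constructed sample: a bounce wrapping a rejected original message.
    The original carries a harmless placeholder attachment named like an
    executable; nothing here is a real payload."""
    original = EmailMessage()
    original["From"] = "support@kankanwoo.com"   # spoofed valid sender (thread)
    original["To"] = "james@kankanwoo.com"       # non-existing recipient (thread)
    original["Subject"] = "constructed sample"
    original.set_content("see attachment")
    original.add_attachment(b"PLACEHOLDER-NOT-A-REAL-PAYLOAD",
                            maintype="application", subtype="octet-stream",
                            filename="photo.scr")

    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@backup-mx.example"   # hypothetical backup MX
    bounce["To"] = "support@kankanwoo.com"
    bounce["Subject"] = "Undelivered Mail Return to Sender"
    bounce.set_content("550 5.7.1 ... (constructed DSN text)")
    # Attaching a Message object yields a message/rfc822 part, which is how a
    # DSN embeds the rejected original. Real DSNs use multipart/report as the
    # outer container; the stdlib produces multipart/mixed, which walks the same.
    bounce.add_attachment(original)
    return bounce.as_bytes()


def find_attachments(msg, path=()):
    """Recursively collect attachments from a parsed message.

    Descends into both multipart/* and message/rfc822 containers (bounces,
    forwards). Returns (filename, content_type, container_path) tuples; the
    path records the chain of containers, so a reviewer can see that a part
    was found inside an embedded message rather than at the top level."""
    found = []
    ctype = msg.get_content_type()
    if msg.is_multipart():           # True for multipart/* and message/rfc822
        for part in msg.get_payload():
            found.extend(find_attachments(part, path + (ctype,)))
    elif msg.get_filename() or msg.get_content_disposition() == "attachment":
        found.append((msg.get_filename(), ctype, path))
    return found


def scan_sample():
    """Parse the constructed bounce and list everything attached at any depth."""
    parsed = message_from_bytes(build_sample_bounce(), policy=policy.default)
    return find_attachments(parsed)


if __name__ == "__main__":
    for name, ctype, path in scan_sample():
        print(f"{name} ({ctype}) found under {' > '.join(path)}")
```

The only attachment reported is the one inside the embedded original, with `message/rfc822` in its container path; a scanner that does not descend into that container sees a text-only bounce.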

