Virus mail slipped through under special

Drew Marshall drew at THEMARSHALLS.CO.UK
Mon Jul 11 10:21:13 IST 2005



On Mon, July 11, 2005 9:33, Martin Hepworth said:
> Raylund Lai wrote:
>> The condition is that:
>> 1.    Virus mail was sent to a non-existing account of ours but spoofed
>> from an existing account of ours.  e.g. From: support at kankanwoo.com; To:
>> james at kankanwoo.com where "support" is a valid account but not "james".
>> 2.    The virus mail was not sent to our gateway directly at the time
>> of sending because: (i) our internet link was broken; or (ii) it was
>> deliberately sent to our backup MX.
>> 3.    Our backup MX service received the virus mail and queued it for
>> later delivery.
>> 4.    The backup MX service delivered the virus mail to our gateway.
>> 5.    Our gateway rejected the email by milter-ahead. :)
>> 6.    The backup MX service received our "550 5.7.1 ..." message and
>> then sent out an "Undelivered Mail Return to Sender" mail, i.e. it sent
>> this notification, with the virus mail embedded, to support at kankanwoo.com
>> 7.    Our gateway received this notification with the embedded virus.  But
>> MailScanner "found clean" and relayed it to our mail server. :(
>> 8.    The virus mail was luckily quarantined by our virus scanner
>> (McAfee) at the mail server.
>>

Have you got a rule set for not scanning 'support' e-mail? That would
cause this.

> Raylund
>
> we see quite a bit of this kind of 'bounce' as well, but for me both
> ClamAV and Sophos still pick up the virus laden content as well.
> (Running FreeBSD 4.10 and MS 4.43).

The other thing to do is configure your MTA not to bounce mail with the
virus attached (which seems sensible, so as not to pass the virus on).
Instructions can be found here http://virbl.bit.nl/faq.php under 'My
mailserver is listed, but it is impossible that it is infected with a
virus.' (9th item down).

Drew


-- 
In line with our policy, this message has 
been scanned for viruses and dangerous 
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy
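Steps 6 and 7 of the scenario quoted above are the interesting part from a scanning point of view: the backup MX wraps the rejected message, executable attachment and all, inside a bounce as a message/rfc822 part, so a scanner that only looks at the bounce's own top-level parts sees nothing but a text explanation and an "attached message". The following Python example is added here and is not code from the thread, from MailScanner or from any of the products named; it constructs such a bounce in-line (the attachment is inert placeholder text, not a virus, and the backup MX host name is a placeholder) and compares a shallow scan of the immediate parts with a recursive walk that descends into embedded messages. The extension blocklist is a stand-in for a real scanner's checks.

```python
"""Added example (not from the list post): why a DSN that embeds the original
message as message/rfc822 can carry an attachment past a scanner that only
inspects top-level parts, and how a recursive walk catches it.

The bounce below is constructed for this example. The addresses come from
the quoted thread; backup-mx.example is a placeholder; the base64 payload
decodes to the text INERT-PLACEHOLDER, not to anything executable.
"""
import os
from email import policy
from email.parser import BytesParser

# Assumption: a tiny blocklist of attachment extensions, standing in for the
# far richer checks a real virus scanner or MailScanner filename rule applies.
SUSPICIOUS_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".zip"}

# Constructed bounce: multipart/report wrapping the rejected original.
# (A real DSN also carries a message/delivery-status part; omitted for brevity.)
BOUNCE = b"""\
From: MAILER-DAEMON@backup-mx.example
To: support@kankanwoo.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="outer"

--outer
Content-Type: text/plain; charset=us-ascii

This is the mail system at host backup-mx.example.
<james@kankanwoo.com>: host gateway.kankanwoo.com said: 550 5.7.1 ...

--outer
Content-Type: message/rfc822

From: support@kankanwoo.com
To: james@kankanwoo.com
Subject: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain; charset=us-ascii

See attached.

--inner
Content-Type: application/octet-stream; name="document.exe"
Content-Disposition: attachment; filename="document.exe"
Content-Transfer-Encoding: base64

SU5FUlQtUExBQ0VIT0xERVI=

--inner--

--outer--
"""


def parse(raw):
    """Parse raw bytes into an EmailMessage tree (policy.default)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def is_suspicious(filename):
    """Blocklist check on the attachment's extension (case-insensitive)."""
    return os.path.splitext(filename.lower())[1] in SUSPICIOUS_EXT


def attachment_names(parts):
    """Collect filenames of every part in the iterable that carries one."""
    return [part.get_filename() for part in parts if part.get_filename()]


def shallow_scan(msg):
    """Look only at the bounce's immediate children, as a naive scanner would."""
    return [n for n in attachment_names(msg.iter_parts()) if is_suspicious(n)]


def deep_scan(msg):
    """walk() recurses into every part, including the payload of message/rfc822."""
    return [n for n in attachment_names(msg.walk()) if is_suspicious(n)]


def scan_bounce(raw):
    """Return what each scanning strategy flags for the given raw message."""
    msg = parse(raw)
    return {"shallow": shallow_scan(msg), "deep": deep_scan(msg)}


def embedded_original(raw):
    """Return the message embedded in the first message/rfc822 part, if any."""
    for part in parse(raw).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


if __name__ == "__main__":
    result = scan_bounce(BOUNCE)
    print("shallow scan flagged:", result["shallow"])   # []
    print("deep scan flagged:   ", result["deep"])      # ['document.exe']
    inner = embedded_original(BOUNCE)
    print("embedded original: From", inner["From"], "To", inner["To"])
```

The shallow pass returns nothing because neither the text explanation nor the message/rfc822 wrapper has a filename of its own; only the recursive walk reaches the `document.exe` part two levels down. The same walk also exposes the embedded message's spoofed `From:` and non-existent `To:`, which is the information you would want in a rule that treats bounces addressed to local users for mail they never sent with suspicion.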

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!



More information about the MailScanner mailing list