Virus mail slipped through under special condition
Raylund Lai
raylund.lai at KANKANWOO.COM
Mon Jul 11 19:37:55 IST 2005
Hi Martin,
Sure, I'm posting my MailScanner -v output here now. For completeness, I'm
also posting the virus message (with the virus part stripped ;)). I also have
a rule not to scan local senders. At first, I thought MailScanner should
detect the virus no matter whether it's a bounced mail or not. But it
seems that my configuration is not doing so. I've tested my setup with
embedded mail containing a virus and MailScanner found it without problem.
Only under this particular condition does my configuration let the
virus mail through. I'm out of clues on this issue now. Hope someone
can help.
Cheers
Raylund
----- begin MailScanner -v -----
Running on
FreeBSD mxgw.kankanwoo.com 5.3-RELEASE FreeBSD 5.3-RELEASE #1: Sat Apr
16 15:11:56 EDT 2005
root at mxgw.kankanwoo.com:/usr/obj/usr/src/sys/KANKANWOO i386
This is Perl version 5.008006 (5.8.6)
This is MailScanner version 4.42.9
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
1.03 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.73 File::Basename
2.08 File::Copy
2.01 FileHandle
1.06 File::Path
0.16 File::Temp
1.29 HTML::Entities
3.45 HTML::Parser
2.30 HTML::TokeParser
1.21 IO
1.10 IO::File
1.123 IO::Pipe
1.66 Mail::Header
3.05 MIME::Base64
5.417 MIME::Decoder
5.417 MIME::Decoder::UU
5.417 MIME::Head
5.417 MIME::Parser
3.03 MIME::QuotedPrint
5.417 MIME::Tools
0.10 Net::CIDR
1.08 POSIX
1.77 Socket
0.05 Sys::Syslog
1.02 Time::localtime
Optional module versions are:
1.810 DB_File
1.10 Digest
1.01 Digest::HMAC
2.33 Digest::MD5
2.10 Digest::SHA1
0.44 Inline
0.12 Mail::ClamAV
3.000004 Mail::SpamAssassin
1.997 Mail::SPF::Query
0.15 Net::CIDR::Lite
0.52 Net::DNS
missing Net::LDAP
1.94 Parse::RecDescent
missing SAVI
1.4 Sys::Hostname::Long
2.42 Test::Harness
0.6 Test::Simple
1.95 Text::Balanced
1.35 URI
----- end MailScanner -v -----
----- begin mail -----
Return-Path: <> Sun Jul 10 21:56:27 2005
Received: from UnknownHost [192.168.0.252] by mercury with SMTP;
Sun, 10 Jul 2005 21:56:27 -0400
Received: from maryjane.easydns.com (smtp.easydns.com [205.210.42.52])
by mxgw.kankanwoo.com (8.13.1/8.13.1) with ESMTP id j6B1u9h9017459
for <support at kankanwoo.com>; Sun, 10 Jul 2005 21:56:09 -0400 (EDT)
Received: by maryjane.easydns.com (Postfix)
id AD462511C0; Sun, 10 Jul 2005 21:56:07 -0400 (EDT)
Date: Sun, 10 Jul 2005 21:56:07 -0400 (EDT)
From: MAILER-DAEMON at mxgw.kankanwoo.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: support at kankanwoo.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="D84D35120F.1121046967/maryjane.easydns.com"
Message-Id: <20050711015607.AD462511C0 at maryjane.easydns.com>
X-KanKanWoo-MailScanner-Information: This message has been scanned for
viruses/spam. Please contact postmaster at kankanwoo.com if you have
questions about this scanning.
X-KanKanWoo-MailScanner: Found to be clean
X-KanKanWoo-MailScanner-SpamCheck: not spam, SpamAssassin (score=-1.348,
required 5, BAYES_20 -1.95, FROM_NO_LOWER 0.38, HTML_20_30 0.23,
HTML_MESSAGE 0.00, SPF_HELO_PASS -0.00)
X-KanKanWoo-MailScanner-From:
This is a MIME-encapsulated message.
--D84D35120F.1121046967/maryjane.easydns.com
Content-Description: Notification
Content-Type: text/plain
This is the Postfix program at host maryjane.easydns.com.
I'm sorry to have to inform you that your message could not be
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The Postfix program
<james at kankanwoo.com>: host mail.kankanwoo.com[216.138.195.111] said:
550 5.7.1
<james at kankanwoo.com>... server [192.168.0.11] for <james at kankanwoo.com>
rejected address saying "<james at kankanwoo.com> No such user here"
(in reply
to RCPT TO command)
--D84D35120F.1121046967/maryjane.easydns.com
Content-Description: Delivery report
Content-Type: message/delivery-status
Reporting-MTA: dns; maryjane.easydns.com
X-Postfix-Queue-ID: D84D35120F
X-Postfix-Sender: rfc822; support at kankanwoo.com
Arrival-Date: Sun, 10 Jul 2005 21:55:41 -0400 (EDT)
Final-Recipient: rfc822; james at kankanwoo.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mail.kankanwoo.com[216.138.195.111]
said: 550
5.7.1 <james at kankanwoo.com>... server [192.168.0.11] for
<james at kankanwoo.com> rejected address saying "<james at kankanwoo.com> No
such user here" (in reply to RCPT TO command)
--D84D35120F.1121046967/maryjane.easydns.com
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from kankanwoo.com (unknown [211.75.194.240])
by maryjane.easydns.com (Postfix) with ESMTP id D84D35120F
for <james at kankanwoo.com>; Sun, 10 Jul 2005 21:55:41 -0400 (EDT)
From: support at kankanwoo.com
To: james at kankanwoo.com
Subject: Your password has been successfully updated
Date: Mon, 11 Jul 2005 09:55:49 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0009_1AA443A3.29DBB61D"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20050711015541.D84D35120F at maryjane.easydns.com>
This is a multi-part message in MIME format.
------=_NextPart_000_0009_1AA443A3.29DBB61D
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
<html>
<body>
<BR><STRONG>Dear user james, </STRONG><BR>
<BR>You have successfully updated the password of your Kankanwoo
account.<BR>
<BR>If you did not authorize this change or if you need assistance with
your account, please contact Kankanwoo customer service at:
support at kankanwoo.com<BR>
<BR>Thank you for using Kankanwoo!
<BR>The Kankanwoo Support Team <BR>
<BR><BR><BR><BR><BR>
<BR>+++ Attachment: No Virus (Clean)
<BR>+++ Kankanwoo Antivirus - www.kankanwoo.com
</body>
</html>
------=_NextPart_000_0009_1AA443A3.29DBB61D
Content-Type: application/octet-stream;
name="updated-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="updated-password.zip"
[Here is where the virus data was]
------=_NextPart_000_0009_1AA443A3.29DBB61D--
--D84D35120F.1121046967/maryjane.easydns.com--
----- end mail -----
----- begin rules -----
# Set "Virus Scanning =
/usr/local/etc/MailScanner/rules/virus.scanning.rules".
#
From: 127.0.0.1 no
FromOrTo: default yes
----- end rules -----
Martin Hepworth wrote:
> Raylund Lai wrote:
>
>> Hi,
>>
>> I wonder if anybody has seen this scenario.
>>
>> I've set up MailScanner as our gateway. Recently, I implemented
>> milter-ahead to minimize virus mail sent to non-existing accounts.
>> This works great as long as the virus mail is sent directly to our gateway.
>>
>> We have a backup MX service from easyDNS. The function of this service
>> is that when our internet link is broken, their mail server will hold
>> the mail sent to us. The mail will be held for a week at most
>> and they will try to re-send it to our MX (gateway) every hour. This
>> works great too.
>>
>> When the above two are combined together with a special condition,
>> MailScanner couldn't detect the virus mail. :(
>>
>> The condition is that:
>> 1. Virus mail sent to a non-existing account of ours but spoofed
>> from an existing account of ours, e.g. From: support at kankanwoo.com;
>> To: james at kankanwoo.com, where "support" is a valid account but not
>> "james".
>> 2. The virus mail was not sent to our gateway directly at the
>> time of sending because: (i) our internet link was broken; or (ii) it
>> was deliberately sent to our backup MX.
>> 3. Our backup MX service received the virus mail and queued it for
>> later delivery.
>> 4. The backup MX service delivered the virus mail to our gateway.
>> 5. Our gateway rejected the email via milter-ahead. :)
>> 6. The backup MX service received our "550 5.7.1 ..." message and
>> then sent out an "Undelivered Mail Returned to Sender" mail, i.e. sent
>> this notification with the virus mail embedded to support at kankanwoo.com
>> 7. Our gateway received this notification with the embedded virus.
>> But MailScanner "found clean" and relayed it to our mail server. :(
>> 8. The virus mail was luckily quarantined by our virus scanner
>> (McAfee) at the mail server.
>>
>> I must say that except for this special condition MailScanner works fine
>> all the time.
>>
>> We're using these on the mail gateway:
>> FreeBSD 5.3
>> MailScanner 4.42.9_1
>> p5-Mail-SpamAssassin-3.0.4
>> clamav-0.86.1
>> p5-Mail-ClamAV-0.12
>> bdc-7.0.1 (BitDefender)
>> f-prot-4.5.4
>>
>> Have I done something wrong? Or should I disable milter-ahead? Could
>> someone help me fix this or give some suggestions?
>>
>> Cheers
>> Raylund
>>
> Raylund
>
> we see quite a bit of this kind of 'bounce' as well, but for me both
> ClamAV and Sophos still pick up the virus-laden content as well.
> (Running FreeBSD 4.10 and MS 4.43).
>
> Can you do a MailScanner -v and send the output back to the list...
>
>
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
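An added example, not code from the thread or from MailScanner: a small Python walker that takes a multipart/report DSN shaped exactly like the easyDNS bounce posted above (notification, delivery-status, then the original message as message/rfc822 carrying the ZIP) and lists every attachment however deeply it is nested, alongside the DSN fields a gateway operator would want for triage. The sample message is constructed here from the quoted headers; the obfuscated "at" addresses are written as "@" and the attachment body is an empty ZIP (a bare end-of-central-directory record) standing in for the stripped virus payload. It only uses the standard library.

```python
import base64
import email
import zipfile
from email import policy
from io import BytesIO

# Empty ZIP archive (EOCD record only) as a harmless stand-in for the payload.
EMPTY_ZIP_B64 = base64.b64encode(b"PK\x05\x06" + b"\x00" * 18).decode()

# Constructed sample reproducing the MIME layout of the bounce quoted in the post;
# not the actual bytes from the list archive.
SAMPLE_DSN = """\
Return-Path: <>
Received: from maryjane.easydns.com (smtp.easydns.com [205.210.42.52])
 by mxgw.kankanwoo.com (8.13.1/8.13.1) with ESMTP id j6B1u9h9017459
 for <support@kankanwoo.com>; Sun, 10 Jul 2005 21:56:09 -0400 (EDT)
From: MAILER-DAEMON@mxgw.kankanwoo.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: support@kankanwoo.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="D84D35120F.1121046967/maryjane.easydns.com"

This is a MIME-encapsulated message.

--D84D35120F.1121046967/maryjane.easydns.com
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host maryjane.easydns.com.

--D84D35120F.1121046967/maryjane.easydns.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; maryjane.easydns.com
X-Postfix-Queue-ID: D84D35120F

Final-Recipient: rfc822; james@kankanwoo.com
Action: failed
Status: 5.0.0

--D84D35120F.1121046967/maryjane.easydns.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

From: support@kankanwoo.com
To: james@kankanwoo.com
Subject: Your password has been successfully updated
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0009_1AA443A3.29DBB61D"

This is a multi-part message in MIME format.

------=_NextPart_000_0009_1AA443A3.29DBB61D
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<html><body>Dear user james, your password was updated.</body></html>

------=_NextPart_000_0009_1AA443A3.29DBB61D
Content-Type: application/octet-stream; name="updated-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="updated-password.zip"

{zip_b64}

------=_NextPart_000_0009_1AA443A3.29DBB61D--

--D84D35120F.1121046967/maryjane.easydns.com--
""".format(zip_b64=EMPTY_ZIP_B64)

# Extensions treated as executable content regardless of the declared MIME type.
RISKY_EXTENSIONS = {".zip", ".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def walk_leaves(part, path=(), inside_rfc822=False):
    """Yield (path, leaf_part, inside_rfc822) for every leaf MIME part, descending
    through multipart/*, message/rfc822 and message/delivery-status containers."""
    if part.is_multipart():
        nested = inside_rfc822 or part.get_content_type() == "message/rfc822"
        for idx, child in enumerate(part.get_payload(), start=1):
            yield from walk_leaves(child, path + (idx,), nested)
    else:
        yield path, part, inside_rfc822


def find_attachments(raw):
    """Return every named attachment in the message, however deeply it is nested."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for path, part, nested in walk_leaves(msg):
        filename = part.get_filename()
        if not filename:
            continue
        data = part.get_payload(decode=True) or b""
        ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
        members = None  # member names if the blob really is a ZIP archive
        if data.startswith(b"PK"):
            try:
                members = zipfile.ZipFile(BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                members = None
        found.append({
            "path": "/".join(str(i) for i in path),
            "filename": filename,
            "content_type": part.get_content_type(),
            "nested_in_rfc822": nested,
            "risky": ext in RISKY_EXTENSIONS,
            "zip_members": members,
            "size": len(data),
        })
    return found


def bounce_summary(raw):
    """Collect the DSN fields and the embedded original's envelope for triage."""
    msg = email.message_from_string(raw, policy=policy.default)
    info = {"envelope_sender": str(msg.get("Return-Path", "")).strip()}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            for block in part.get_payload():  # one header block per recipient
                for name, value in block.items():
                    info[name.lower()] = str(value).strip()
        elif ctype == "message/rfc822":
            original = part.get_payload()[0]
            info["original_from"] = str(original["From"])
            info["original_to"] = str(original["To"])
    return info


if __name__ == "__main__":
    for att in find_attachments(SAMPLE_DSN):
        print(att)
    print(bounce_summary(SAMPLE_DSN))
```

Run against the sample, the ZIP is reported at path 3/1/2 with nested_in_rfc822 set, two container levels below the message the gateway actually accepted, whose envelope sender is the null address and whose connecting client is the backup MX. Any scanning exemption decided on that outer envelope or client skips the nested part along with everything else, which is the property worth checking in a virus.scanning.rules ruleset; whether the From: 127.0.0.1 rule actually matched this null-sender bounce is not settled in the thread.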