Virus mail slipped through under special

Raylund Lai raylund.lai at KANKANWOO.COM
Mon Jul 11 19:45:36 IST 2005


Hi Drew,

Thanks for the good advice. :)  I'll try this later.  But I want to find 
out what is wrong in my configuration, as MailScanner should detect the 
virus no matter whether it's a bounced mail or not.  I don't want a hidden 
hole in my server settings. ;)


Drew Marshall wrote:

>On Mon, July 11, 2005 9:33, Martin Hepworth said:
>>Raylund Lai wrote:
>>>The condition is that:
>>>1.    Virus mail was sent to a non-existing account of ours but spoofed
>>>from an existing account of ours.  e.g. From: support at; To:
>>>james at where "support" is a valid account but not "james".
>>>2.    The virus mail was not sent to our gateway directly at the time
>>>of sending because: (i) our internet link was broken; or (ii) it
>>>was deliberately sent to our backup MX.
>>>3.    Our backup MX services received the virus mail and queued it for
>>>later delivery.
>>>4.    The backup MX services delivered the virus mail to our gateway.
>>>5.    Our gateway rejected the email by milter-ahead. :)
>>>6.    The backup MX services received our "550 5.7.1 ..." message and
>>>then sent out an "Undelivered Mail Return to Sender" mail.  i.e. sent
>>>this notification with the virus mail embedded to support at
>>>7.    Our gateway received this notification with embedded virus.  But
>>>MailScanner "found clean" and relayed to our mail server. :(
>>>8.    The virus mail was luckily quarantined by our virus scanner
>>>(McAfee) at the mail server.
>Have you got a rules set for not scanning 'support' e-mail? That would
>cause this.
>>We see quite a bit of this kind of 'bounce' as well, but for me both
>>ClamAV and Sophos still pick up the virus-laden content as well.
>>(Running FreeBSD 4.10 and MS 4.43).
>The other thing to do is configure your MTA not to bounce mail with the
>virus attached (which seems sensible, so as not to pass the virus on).
>Instructions can be found here under 'My
>mailserver is listed, but it is impossible that it is infected with a
>virus.' (9th item down).
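
The notification in step 6 carries the original mail as a nested message, so a content check has to descend into it to see the attachment. The following is an added example, not code from this thread or from MailScanner, and it does not diagnose the poster's configuration; the addresses, file name, payload bytes and function names are constructed for illustration.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed, harmless bytes standing in for the infected attachment.
PAYLOAD = b"constructed harmless bytes standing in for the infected file"

def build_sample_bounce() -> bytes:
    """Constructed stand-in for the step 6 notification (not real mail)."""
    original = EmailMessage()
    original["From"] = "support@example.com"   # spoofed but valid account
    original["To"] = "james@example.com"       # non-existent recipient
    original["Subject"] = "constructed sample"
    original.set_content("see attachment")
    original.add_attachment(PAYLOAD, maintype="application",
                            subtype="octet-stream", filename="document.zip")
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@backup-mx.example.net"
    bounce["To"] = "support@example.com"
    bounce["Subject"] = "Undelivered Mail Return to Sender"
    bounce.set_content("Delivery failed: 550 5.7.1 ...")
    bounce.add_attachment(original)  # stored as a message/rfc822 part
    return bounce.as_bytes()

def attachments_by_depth(raw: bytes):
    """Return (depth, filename, sha256) per attachment.

    depth counts how many message/rfc822 wrappers enclose the attachment:
    0 = attached to the mail itself, 1 = inside an embedded mail, and so on.
    """
    found = []

    def visit(part, depth):
        if part.get_content_type() == "message/rfc822":
            for inner in part.get_payload():      # the embedded message
                visit(inner, depth + 1)
        elif part.is_multipart():
            for sub in part.iter_parts():
                visit(sub, depth)
        elif part.get_filename():
            data = part.get_payload(decode=True) or b""
            found.append((depth, part.get_filename(),
                          hashlib.sha256(data).hexdigest()))

    visit(email.message_from_bytes(raw, policy=policy.default), 0)
    return found

if __name__ == "__main__":
    for depth, name, digest in attachments_by_depth(build_sample_bounce()):
        print(f"depth={depth} file={name} sha256={digest}")
```

An attachment reported at depth 1 or more is only reachable by unpacking the embedded message; feeding a real bounce from the quarantine through this shows exactly which parts a scanner needs to reach.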
