Virus mail slipped through under special
raylund.lai at KANKANWOO.COM
Mon Jul 11 19:45:36 IST 2005
Thanks for the good advice. :) I'll try this later. But I want to find
out what is wrong in my configuration, as MailScanner should detect the
virus no matter whether it's a bounced mail or not. I don't want a hidden
hole in my server setting. ;)
Drew Marshall wrote:
>On Mon, July 11, 2005 9:33, Martin Hepworth said:
>>Raylund Lai wrote:
>>>The condition is that:
>>>1. Virus mail sent to a non-existing account of ours but spoofed
>>>from an existing account of ours, e.g. From: support at kankanwoo.com; To:
>>>james at kankanwoo.com where "support" is a valid account but not "james".
>>>2. The virus mail was not sent to our gateway directly at the time
>>>of sending because: (i) our internet link was broken; or (ii) it
>>>was deliberately sent to our backup MX.
>>>3. Our backup MX services received the virus mail and queued for
>>>4. The backup MX services delivered the virus mail to our gateway.
>>>5. Our gateway rejected the email by milter-ahead. :)
>>>6. The backup MX services received our "550 5.7.1 ..." message and
>>>then sent out an "Undelivered Mail Return to Sender" mail. i.e. sent
>>>this notification with the virus mail embedded to support at kankanwoo.com
>>>7. Our gateway received this notification with embedded virus. But
>>>MailScanner "found clean" and relayed to our mail server. :(
>>>8. The virus mail was luckily quarantined by our virus scanner
>>>(McAfee) at the mail server.
>Have you got a rules set for not scanning 'support' e-mail? That would
>>We see quite a bit of this kind of 'bounce' as well, but for me both
>>ClamAV and Sophos still pick up the virus-laden content as well.
>>(Running FreeBSD 4.10 and MS 4.43).
>The other thing to do is configure your MTA not to bounce mail with the
>virus attached (which seems sensible, so as not to pass the virus on).
>Instructions can be found here http://virbl.bit.nl/faq.php under 'My
>mailserver is listed, but it is impossible that it is infected with a
>virus.' (9th item down).
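
For checking what a bounce like the one in step 6 actually carries, the following is an added example (not part of the original thread, and not MailScanner code). It builds a constructed, simplified bounce with harmless content and made-up addresses, then lists attachments together with how many `message/rfc822` wrappers enclose them; all function names are hypothetical.

```python
import email
from email import policy
from email.message import EmailMessage

def build_sample_bounce() -> bytes:
    """Constructed sample: original mail with an attachment, wrapped in a bounce."""
    inner = EmailMessage()
    inner["From"], inner["To"] = "support@example.com", "james@example.com"
    inner["Subject"] = "hello"
    inner.set_content("see attachment")
    inner.add_attachment(b"harmless placeholder", maintype="application",
                         subtype="octet-stream", filename="document.pif")
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@backup-mx.example"
    bounce["To"] = "support@example.com"
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("<james@example.com>: 550 5.7.1 ...")
    bounce.add_attachment(inner)  # stored as a message/rfc822 part
    return bounce.as_bytes()

def top_level_filenames(raw: bytes):
    """Filenames visible when only the outer message's direct parts are inspected."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]

def attachments_with_nesting(raw: bytes):
    """Return (filename, content_type, depth) for every named leaf part.
    depth counts the message/rfc822 wrappers around the part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []

    def visit(part, depth):
        if part.get_content_type() == "message/rfc822":
            for embedded in part.get_payload():  # one-element list: the inner mail
                visit(embedded, depth + 1)
        elif part.is_multipart():
            for sub in part.iter_parts():
                visit(sub, depth)
        elif part.get_filename():
            found.append((part.get_filename(), part.get_content_type(), depth))

    visit(msg, 0)
    return found

if __name__ == "__main__":
    raw = build_sample_bounce()
    print("top level only:", top_level_filenames(raw))
    print("with nesting  :", attachments_with_nesting(raw))
```

Run against a saved copy of a real bounce from the gateway's quarantine or queue, a depth of 1 or more shows that the attachment sits inside the embedded original message rather than on the notification itself.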