Virus mail slipped through under special

Raylund Lai raylund.lai at KANKANWOO.COM
Mon Jul 11 19:45:36 IST 2005



Hi Drew,

Thanks for the good advice. :)  I'll try this later.  But I want to find 
out what is wrong in my configuration, as MailScanner should detect the 
virus no matter whether it's a bounced mail or not.  I don't want a hidden 
hole in my server setting. ;)

Cheers
Raylund

Drew Marshall wrote:

>On Mon, July 11, 2005 9:33, Martin Hepworth said:
>
>>Raylund Lai wrote:
>>
>>>The condition is that:
>>>1.    Virus mail sent to a non-existent account of ours but spoofed
>>>from an existing account of ours.  e.g. From: support at kankanwoo.com; To:
>>>james at kankanwoo.com where "support" is a valid account but not "james".
>>>2.    The virus mail was not sent to our gateway directly at the time
>>>of sending because: (i) our internet link was broken; or (ii) it was
>>>deliberately sent to our backup MX.
>>>3.    Our backup MX services received the virus mail and queued it for
>>>later delivery.
>>>4.    The backup MX services delivered the virus mail to our gateway.
>>>5.    Our gateway rejected the email by milter-ahead. :)
>>>6.    The backup MX services received our "550 5.7.1 ..." message and
>>>then sent out an "Undelivered Mail Return to Sender" mail, i.e. sent
>>>this notification with the virus mail embedded to support at kankanwoo.com
>>>7.    Our gateway received this notification with the embedded virus.  But
>>>MailScanner "found clean" and relayed it to our mail server. :(
>>>8.    The virus mail was luckily quarantined by our virus scanner
>>>(McAfee) at the mail server.
>
>Have you got a ruleset for not scanning 'support' e-mail? That would
>cause this.
>
>>Raylund
>>
>>we see quite a bit of this kind of 'bounce' as well, but for me both
>>ClamAV and Sophos still pick up the virus-laden content as well.
>>(Running FreeBSD 4.10 and MS 4.43).
>
>The other thing to do is configure your MTA not to bounce mail with the
>virus attached (which seems sensible, so as not to pass the virus on).
>Instructions can be found here http://virbl.bit.nl/faq.php under 'My
>mailserver is listed, but it is impossible that it is infected with a
>virus.' (9th item down).
>
>Drew

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
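The bounce path in steps 6 and 7 of the quoted thread can be reproduced on a test bench. The following is an added example, not code from the thread or from the MailScanner project: it builds an "Undelivered Mail Returned to Sender" report whose message/rfc822 part carries an original message with the EICAR test file attached, then scans it twice, once looking only at the outer message's own parts (the way a naive attachment check behaves) and once recursing into the embedded message (the way a gateway scanner must). The addresses, the backup MX hostname and the attachment name are made up; EICAR is the standard harmless anti-virus test pattern, so the generated message can be fed through a real gateway safely.

```python
"""Build a DSN that embeds an 'infected' original message and show why a
scanner has to recurse into message/rfc822 parts.

Added example for the MailScanner list thread on bounced virus mail; not
the project's own code. Addresses, hostnames and the attachment name are
constructed for illustration. EICAR is the standard AV test pattern.
"""
import email
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Standard EICAR test string (harmless, but flagged by every AV engine).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_infected_original() -> MIMEMultipart:
    """Step 1 of the thread: spoofed valid sender, non-existent recipient,
    and a 'virus' attachment (constructed example addresses)."""
    msg = MIMEMultipart()
    msg["From"] = "support@example.com"   # valid account, spoofed as sender
    msg["To"] = "james@example.com"       # non-existent account
    msg["Subject"] = "Your document"
    msg.attach(MIMEText("See attached.\n"))
    att = MIMEApplication(EICAR.encode("ascii"), "octet-stream")
    att.add_header("Content-Disposition", "attachment", filename="document.com")
    msg.attach(att)
    return msg


def build_bounce(original: MIMEMultipart) -> bytes:
    """Steps 6-7: the backup MX's non-delivery report. It is a
    multipart/report whose last part is the complete original message,
    so the attachment now sits one level deeper than a scanner that only
    inspects the outer message's parts would look."""
    dsn = MIMEMultipart("report", report_type="delivery-status")
    dsn["From"] = "MAILER-DAEMON@backupmx.example.net"   # constructed host
    dsn["To"] = original["From"]          # bounce goes to the spoofed sender
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn.attach(MIMEText(
        "This is the mail system at host backupmx.example.net.\n"
        "<james@example.com>: host gateway said: 550 5.7.1 recipient rejected\n"))
    dsn.attach(MIMEMessage(original))     # message/rfc822 with the original
    return dsn.as_bytes()


def find_test_signatures(raw: bytes, recurse: bool):
    """Return (depth, filename) for every leaf part carrying the EICAR
    pattern. recurse=False mimics a scanner that stops at message/rfc822
    boundaries; recurse=True descends into the embedded message."""
    msg = email.message_from_bytes(raw)
    hits = []

    def visit(part, depth):
        if part.get_content_type() == "message/rfc822":
            if not recurse:
                return                    # the 'hole': embedded mail ignored
            for inner in part.get_payload():   # payload is a list of Message
                visit(inner, depth + 1)
            return
        if part.is_multipart():
            for sub in part.get_payload():
                visit(sub, depth)
            return
        body = part.get_payload(decode=True) or b""
        if EICAR.encode("ascii") in body:
            hits.append((depth, part.get_filename()))

    visit(msg, 0)
    return hits


if __name__ == "__main__":
    raw = build_bounce(build_infected_original())
    print("outer parts only:", find_test_signatures(raw, recurse=False))
    print("recursive       :", find_test_signatures(raw, recurse=True))
```

Running the script shows an empty result for the non-recursive pass and a hit at depth 1 for the recursive one. The practical check is to inject the bytes from `build_bounce()` into the gateway from a trusted host (for example by piping them to `sendmail -t`, assuming such a host is available) and confirm the gateway quarantines the message. Note also that the bounce is addressed to the spoofed sender, so a ruleset that exempts that address from virus scanning, as Drew asks about, would skip the message no matter how deep the scanner looks.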
