Virus mail slipped through under special
Raylund Lai
raylund.lai at KANKANWOO.COM
Tue Jul 12 07:07:46 IST 2005
Hi Drew,
I've implemented the advice but without luck. :(
I did the following:
1. edit /etc/mail/freebsd.mc
2. modified the line define(`confPRIVACY_FLAGS',
`authwarnings,noexpn,novrfy') --> define(`confPRIVACY_FLAGS',
`authwarnings,noexpn,novrfy,nobodyreturn')
3. then m4 /usr/src/contrib/sendmail/cf/m4/cf.m4 freebsd.mc > sendmail.cf
4. then /usr/local/etc/rc.d/mta.sh stop and start
I still receive the bounced mail and it slipped through. I don't know why
sendmail still bounces with the body/attachment with "nobodyreturn"
set. Am I doing something wrong?
Cheers
Raylund
Raylund Lai wrote:
> Hi Drew,
>
> Thanks for the good advice. :) I'll try this later. But I want to
> find out what is wrong in my configuration, as MailScanner should
> detect the virus no matter whether it's a bounced mail or not. I don't want a
> hidden hole in my server setting. ;)
>
> Cheers
> Raylund
>
> Drew Marshall wrote:
>
>> On Mon, July 11, 2005 9:33, Martin Hepworth said:
>>
>>> Raylund Lai wrote:
>>>
>>>> The condition is that:
>>>> 1. Virus mail sent to a non-existing account of ours but spoofed
>>>> from an existing account of ours, e.g. From: support at kankanwoo.com; To:
>>>> james at kankanwoo.com, where "support" is a valid account but not
>>>> "james".
>>>> 2. The virus mail was not sent to our gateway directly at the
>>>> time
>>>> of sending because: (i) our internet link was broken; or (ii) it
>>>> was deliberately sent to our backup MX.
>>>> 3. Our backup MX services received the virus mail and queued for
>>>> later delivery.
>>>> 4. The backup MX services delivered the virus mail to our gateway.
>>>> 5. Our gateway rejected the email by milter-ahead. :)
>>>> 6. The backup MX services received our "550 5.7.1 ..." message and
>>>> then sent out an "Undelivered Mail Return to Sender" mail. i.e. sent
>>>> this notification with the virus mail embedded to
>>>> support at kankanwoo.com
>>>> 7. Our gateway received this notification with embedded virus. But
>>>> MailScanner "found clean" and relayed to our mail server. :(
>>>> 8. The virus mail was luckily quarantined by our virus scanner
>>>> (McAfee) at the mail server.
>>
>> Have you got a rules set for not scanning 'support' e-mail? That would
>> cause this.
>>
>>> Raylund
>>>
>>> we see quite a bit of this kind of 'bounce' as well, but for me both
>>> ClamAV and Sophos still pick up the virus laden content as well.
>>> (Running FreeBSD 4.10 and MS 4.43).
>>>
>>
>>
>> The other thing to do is configure your MTA not to bounce mail with the
>> virus attached (which seems sensible, so as not to pass the virus on).
>> Instructions can be found here http://virbl.bit.nl/faq.php under 'My
>> mailserver is listed, but it is impossible that it is infected with a
>> virus.' (9th item down).
>>
>> Drew
>>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
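The thread above turns on whether the "nobodyreturn" privacy flag is actually in effect. Sendmail never reads the .mc file; it reads the compiled sendmail.cf, so the useful check after an edit is to compare the flags requested in the .mc source with the PrivacyOptions line in the sendmail.cf the daemon is started with. The script below is an added example written for this page, not code from the poster or from the MailScanner or sendmail projects. It parses both formats and reports whether the flag is requested, active, or "stale" (requested but absent from the compiled file). The default paths /etc/mail/freebsd.mc and /etc/mail/sendmail.cf and the two sample snippets are assumptions constructed for the example.

```python
import re
import sys

# Constructed sample of the confPRIVACY_FLAGS line from a freebsd.mc-style m4
# file (example input for this script, not the poster's actual file).
SAMPLE_MC = """\
VERSIONID(`constructed sample for the check below')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy,nobodyreturn')
"""

# Constructed sample of the corresponding option line in a generated sendmail.cf.
# Assumption for the example: this cf predates the .mc edit and so lacks the flag.
SAMPLE_CF_STALE = """\
# privacy flags
O PrivacyOptions=authwarnings,noexpn,novrfy
"""

# Constructed sample of a sendmail.cf regenerated after the .mc edit.
SAMPLE_CF_FRESH = "O PrivacyOptions=authwarnings,noexpn,novrfy,nobodyreturn\n"

# m4 quotes the value with an opening backtick and a closing single quote.
MC_RE = re.compile(r"define\(`confPRIVACY_FLAGS',\s*`([^']*)'\)")
# sendmail.cf spells the same option as "O PrivacyOptions=flag,flag,...".
CF_RE = re.compile(r"^O\s+PrivacyOptions\s*=\s*(\S+)", re.MULTILINE)


def _split_flags(value):
    """Turn 'a, b,c' into the set {'a', 'b', 'c'}, ignoring empty entries."""
    return {f.strip() for f in value.split(",") if f.strip()}


def privacy_flags_from_mc(text):
    """Flags requested in the .mc source; empty set if the define is absent."""
    m = MC_RE.search(text)
    return _split_flags(m.group(1)) if m else set()


def privacy_options_from_cf(text):
    """Flags in the compiled sendmail.cf; empty set if the option line is absent."""
    m = CF_RE.search(text)
    return _split_flags(m.group(1)) if m else set()


def check_flag(mc_text, cf_text, flag="nobodyreturn"):
    """Compare source and compiled config for one privacy flag.

    Returns a dict with 'requested' (flag present in the .mc), 'active'
    (flag present in the .cf) and 'stale' (requested but not active, i.e.
    the .cf the daemon runs with was not regenerated from, or copied over
    from, the edited .mc).
    """
    requested = flag in privacy_flags_from_mc(mc_text)
    active = flag in privacy_options_from_cf(cf_text)
    return {"requested": requested, "active": active, "stale": requested and not active}


def check_files(mc_path="/etc/mail/freebsd.mc", cf_path="/etc/mail/sendmail.cf",
                flag="nobodyreturn"):
    """Run check_flag over two files on disk (paths are assumed defaults)."""
    with open(mc_path, encoding="latin-1") as f:
        mc_text = f.read()
    with open(cf_path, encoding="latin-1") as f:
        cf_text = f.read()
    return check_flag(mc_text, cf_text, flag)


if __name__ == "__main__":
    # With two arguments, check real files; otherwise demonstrate on the samples.
    if len(sys.argv) == 3:
        result = check_files(sys.argv[1], sys.argv[2])
    else:
        result = check_flag(SAMPLE_MC, SAMPLE_CF_STALE)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Non-zero exit when the running config does not match the edited source.
    sys.exit(1 if result["stale"] else 0)
```

Run it as `python3 check_privacy.py /etc/mail/freebsd.mc /etc/mail/sendmail.cf` (file name assumed) after regenerating and installing sendmail.cf; a "stale: True" result means the daemon is still running with the old PrivacyOptions line. Note that confPRIVACY_FLAGS only governs bounces that this sendmail instance generates itself, so the check confirms the local setting, not what a bounce produced elsewhere (such as the backup MX in the sequence quoted above) will carry.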