Virus mail slipped through under special

Raylund Lai raylund.lai at KANKANWOO.COM
Tue Jul 12 18:54:08 IST 2005

Hi Drew,

Yes, you're right.  It's not my MTA.  I did some testing and found out 
that milter-ahead terminated the connection right after the RCPT TO 
negotiation if the mail account doesn't exist; no data is received by my 

I was also testing MailScanner in debug mode and feeding the virus email 
manually (via telnet).  MailScanner let the virus mail through and the 
console returned a MailScanner error:

----- begin MailScanner output -----
mxgw# /usr/local/etc/rc.d/ start
Starting MailScanner...
In Debugging mode, not forking...
SA bayes lock is /root/.spamassassin/bayes.lock
Bayes lock is at /root/.spamassassin/bayes.lock
format error: can't find EOCD signature
 at /usr/local/libexec/MailScanner/MailScanner line 598
Stopping now as you are debugging me.
----- end MailScanner output -----

I tried to send the virus mail as an eml file attachment out to my 
hotmail account, but my mail server virusscan quarantined it.  I also 
tried to send it directly to the mail gateway and my hotmail did receive 
it without problem.  That is, MailScanner didn't intercept it as virus 
mail.  The error message is the same as above.

At least I've narrowed down the problem now.  Do you still want me to 
send it to you (as an eml attachment)?  Or does Julian want it too?

btw, I've switched my gateway to a new box running the latest FreeBSD 5.4 
and MailScanner 4.43.8.  I'm using the old box for testing now.


Drew Marshall wrote:

>On Tue, July 12, 2005 7:07, Raylund Lai said:
>>Hi Drew,
>>I've implemented the advice but without luck. :(
>>I still receive the bounced mail and it slipped through.  I don't know why
>>sendmail still bounces with the body/attachment with the "nobodyreturn"
>>set.  Am I doing something wrong?
>Looking at your previous message to Martin, you are doing nothing wrong
>but this line is the clue:
>This is the Postfix program at host
>It's not your MTA that's giving the bounce with the virus attached (but
>what you have done is not wasted, so don't worry!).
>So that then brings the problem back to MailScanner. What have you got set
>in your %rules-dir%? And also against virus scanning options in
>MailScanner.conf? Just to discount anything with MailScanner generally,
>feel free to forward me a copy of the bounce notice (Off list obviously!)
>and I'll check it gets picked up.
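
The "can't find EOCD signature" message in the debug output above refers to the zip format's end-of-central-directory record. The following is an added example, not code from MailScanner or from anyone in this thread, of a gateway-side check that fails closed on such an attachment instead of passing it; it assumes the failing message carried a zip without that record, which the thread does not confirm, and all function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory (EOCD) record
LOCAL_SIG = b"PK\x03\x04"  # local file header, first bytes of a normal zip
EOCD_MIN = 22              # fixed EOCD size; a comment of up to 65535 bytes may follow


def find_eocd(data: bytes) -> int:
    """Return the offset of a plausible EOCD record, or -1 if there is none."""
    start = max(0, len(data) - (EOCD_MIN + 0xFFFF))
    pos = data.rfind(EOCD_SIG, start)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            if pos + EOCD_MIN + comment_len <= len(data):
                return pos
        pos = data.rfind(EOCD_SIG, start, pos)
    return -1


def triage_attachment(data: bytes) -> str:
    """Return 'not-zip', 'scan' or 'quarantine'; anything unparseable fails closed."""
    if not data.startswith(LOCAL_SIG):
        return "not-zip"
    if find_eocd(data) == -1:
        return "quarantine"  # zip header present but contents cannot be listed
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.infolist()
    except (zipfile.BadZipFile, NotImplementedError, ValueError):
        return "quarantine"
    return "scan"


def make_sample() -> bytes:
    """Constructed sample: a one-file stored zip with a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("note.txt", date_time=(2005, 7, 12, 18, 54, 8))
        zf.writestr(info, b"constructed sample, not from the thread")
    return buf.getvalue()


if __name__ == "__main__":
    good = make_sample()
    print(triage_attachment(good))        # complete archive
    print(triage_attachment(good[:-22]))  # EOCD cut off
```
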
