Email with virus getting through

Martin Hepworth maxsec at gmail.com
Mon Oct 1 17:31:01 IST 2012


The double attachment check should have blocked this - never mind the
anti-virus products.

You sure you've not turned that off somehow in the filetypes rule?
http://www.mailscanner.info/files/filename.rules.conf

-- 
Martin Hepworth, CISSP
Oxford, UK


On 1 October 2012 15:43, Paul Welsh <paul at welshfamily.com> wrote:

> Hi all, I'm running MailScanner 4.84.5 with Clam and F-Prot on CentOS
> 6.3 with Exim 4.76 and an infected message is being delivered.  Here's
> the maillog extract.  I've changed the recipient domain to
> mydomain.com:
>
> Oct  1 10:34:00 mail MailScanner[15454]: Infected message 1TIcNu-0004Ww-Ny.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe came from
> Oct  1 10:34:01 mail MailScanner[15454]: Message 1TIcNu-0004Ww-Ny from
> 83.149.158.186 (truismsjb95 at paypal.com) to mydomain.com is not spam,
> SpamAssassin (score=2.798, required 6, autolearn=disabled,
> DKIM_ADSP_ALL 1.10, HTML_MESSAGE 0.00, RCVD_IN_XBL 0.72, SPF_SOFTFAIL
> 0.97, UNPARSEABLE_RELAY 0.00)
> Oct  1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message
> 1TIcNu-0004Ww-Ny from truismsjb95 at paypal.com to
> postmaster at mydomain.com with subject  Your friend added a new photo
> with you to the album
>
> As you can see, it's identified as Infected but still delivered.
>
> If I manually scan the message, I get this from f-prot:
> # /opt/f-prot/fpscan Y*.eml
> <snip>
> [Found possible security risk] <W32/Heuristic-200!Eldorado (not
> disinfectable)>         Your friend added a new photo with you to the
> album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> [Contains infected objects]     Your friend added a new photo with you to
> the album.eml
>
>
> I get this from clam:
> # clamscan Y*.eml
> Your friend added a new photo with you to the album.eml: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1314671
> Engine version: 0.97.6
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
>
> In MailScanner.conf I have these set but neither affect virus
> checking, apparently:
> Maximum Archive Depth = 0
> Find Archives By Content = no
>
> I also have:
> Virus Scanning = yes
> Virus Scanners = clamav f-prot-6
> Deliver Disinfected Files = no
> Silent Viruses = HTML-IFrame All-Viruses
> Still Deliver Silent Viruses = no
> Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
> Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
> Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
> Block Encrypted Messages = no
> Allow Password-Protected Archives = no
> Check Filenames In Password-Protected Archives = yes
> Dangerous Content Scanning = yes
> Allow Partial Messages = no
> Find Phishing Fraud = yes
> Also Find Numeric Phishing = yes
> Use Stricter Phishing Net = no
>
> Any ideas?
>
> For now, I have tried this.  Previously it was not set:
> Archives: Deny Filenames = \.exe$
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
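As an added illustration of the filename check Martin points at (my own example, not MailScanner's code): a small Python model of filename.rules.conf evaluation, first matching rule wins, applied to each member of the nested attachment chain from Paul's log. The rule lines are constructed in that file's tab-separated layout (action, regex, log text, user text); the double-extension and `\.exe$` patterns are my approximation of those checks, not the distribution's exact rules, and case-insensitive matching is assumed.

```python
import re

# Constructed rules in the tab-separated layout of filename.rules.conf
# (action, regex, log text, user text). The patterns approximate the
# stock double-extension and executable checks; they are not the real file.
RULE_LINES = [
    "# deny executables hidden behind a second extension, e.g. .pdf.exe",
    "\t".join(("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
               "Found possible filename hiding",
               "Attempt to hide the real filename extension")),
    "\t".join(("deny", r"\.exe$", "Executable", "No executables allowed")),
]

def parse_rules(lines):
    """Return a list of (action, compiled regex, log text, user text)."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        fields += [""] * (4 - len(fields))          # tolerate short lines
        action, regex, logtext, usertext = fields[:4]
        # Case-insensitive matching is an assumption of this model.
        rules.append((action.lower(), re.compile(regex, re.I), logtext, usertext))
    return rules

def check_filename(name, rules):
    """First matching rule wins; a name that matches no rule is allowed."""
    for action, rx, logtext, _user in rules:
        if rx.search(name):
            return action, logtext
    return "allow", ""

def check_attachment_chain(chain, rules):
    """Check every member of a nested path such as 'a.zip->b.pdf.exe'."""
    return [(part,) + check_filename(part, rules) for part in chain.split("->")]

def is_blocked(chain, rules):
    return any(action != "allow" for _, action, _ in check_attachment_chain(chain, rules))

if __name__ == "__main__":
    rules = parse_rules(RULE_LINES)
    chain = "FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe"
    for part, action, why in check_attachment_chain(chain, rules):
        print(f"{action:5s} {part}  {why}")
    # Martin's suspicion: with both deny rules commented out (only the
    # comment line remains), the same chain is allowed through.
    print("blocked:", is_blocked(chain, parse_rules(RULE_LINES[:1])))
```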