ZIP file attachment not recognized and therefore no file check performed

Wed Oct 16 14:30:37 IST 2013

I apologize if this has been answered in another thread.  I did spend
quite some time poking through the archived mailing list articles, the
MailScanner docs, and googling around, but we are just stumped and are
hoping a MailScanner guru could enlighten us about this situation.

First, we are running the following (from /usr/sbin/MailScanner -v) -
This is SUSE Linux Enterprise Server 10 (x86_64)
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.78.17
Using F-Prot for AV scanning

High level overview - We use Barracuda's for our mail gateways that hand
off to MailScanner before getting routed to the appropriate mail server
for delivery.  This solution has worked great for years, but last week
something strange happened that we cannot figure out.

On Friday we started receiving emails that contained some kind of 0-day
malware.  The Barracudas were blocking some of these email, but based on
score and not on the emails containing a virus.  Later in the day
Barracuda started recognizing the virus so the problem was mitigated at
the mail gateway, but some did slip by the first line of defense and
were passed to MailScanner. 

The attachment was a zipped up EXE file, but something was unique about
these messages.  We block ZIP and EXE files to most of our users, but
our MailScanner instance was not acknowledging these emails contained a
ZIP file and therefore not doing the "Filename Check".  What is very
interesting is when MailScanner delivered the email to an invalid
recipient and it was bounced back to the sender, MailScanner detected
the existence of a ZIP file and blocked it on the way out!  But not on
the way in!  This is the heart of the issue... how can we determine why
these messages were not interrogated while other (legit) zip files were
being rejected at the same time?

We observed these emails were encoded with windows-1251 encoding
(http://en.wikipedia.org/wiki/Windows-1251) and the content type of the
attachment was simply "Content Type ;"  Other than that, we did not see
anything out of the ordinary with these emails. 

We tried to create a zip file of the same name as the malware and send
it from gmail and the ZIP file was detected immediately by MailScanner,
so we were not able to reproduce the problem strictly by name.  Now that
F-prot is detecting this, its getting dropped for containing a virus,
and we can really cannot test further in our production environment.  We
took this into our lab, but we were not testing with the exact same
version of MailScanner and we were not able to recreate the problem.  In
our minds, whether MailScanner could detect the virus or not, it should
have detected the ZIP and/or EXE and rejected it for this reason alone. 

Any information about this issue would be greatly appreciated. 
Management is now questioning the usefulness of MailScanner versus some
commercial offering, but I believe in FOSS.  Thank you in advance for
taking the time to read this post!

Regards,

Tony      

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131016/3bfe2168/attachment.html 