ZIP file attachment not recognized and therefore no file check performed

Martin Hepworth maxsec at gmail.com
Wed Oct 16 15:21:01 IST 2013


umm well the mailscanner version you are using is 4 years old. i know the
releases arent coming as fast and furious we  they used to but still..

blocking invalid recipients should be done up front anyway

I'd look at your rulesets in MailScanner to make sure you're not trusting
the Baracuda to some level and there for missing the checks. You should be
able to trace the messages causing problems in the mail logs .

Given you're already scanning with baracuda's and they still delivered the
malware how is their commercial offereing any better??

Martin


-- 
Martin Hepworth, CISSP
Oxford, UK


On 16 October 2013 14:30, Tony Larco <tlarco at polr.com> wrote:

>  I apologize if this has been answered in another thread.  I did spend
> quite some time poking through the archived mailing list articles, the
> MailScanner docs, and googling around, but we are just stumped and are
> hoping a MailScanner guru could enlighten us about this situation.
>
> First, we are running the following (from /usr/sbin/MailScanner -v) -
> This is SUSE Linux Enterprise Server 10 (x86_64)
> This is Perl version 5.008008 (5.8.8)****
> This is MailScanner version 4.78.17
> Using F-Prot for AV scanning
>
> High level overview - We use Barracuda's for our mail gateways that hand
> off to MailScanner before getting routed to the appropriate mail server for
> delivery.  This solution has worked great for years, but last week
> something strange happened that we cannot figure out.
>
> On Friday we started receiving emails that contained some kind of 0-day
> malware.  The Barracudas were blocking some of these email, but based on
> score and not on the emails containing a virus.  Later in the day Barracuda
> started recognizing the virus so the problem was mitigated at the mail
> gateway, but some did slip by the first line of defense and were passed to
> MailScanner.
>
> The attachment was a zipped up EXE file, but something was unique about
> these messages.  We block ZIP and EXE files to most of our users, but our
> MailScanner instance was not acknowledging these emails contained a ZIP
> file and therefore not doing the "Filename Check".  What is very
> interesting is when MailScanner delivered the email to an invalid recipient
> and it was bounced back to the sender, MailScanner detected the existence
> of a ZIP file and blocked it on the way out!  But not on the way in!  This
> is the heart of the issue... how can we determine why these messages were
> not interrogated while other (legit) zip files were being rejected at the
> same time?
>
> We observed these emails were encoded with windows-1251 encoding (
> http://en.wikipedia.org/wiki/Windows-1251) and the content type of the
> attachment was simply "Content Type ;"  Other than that, we did not see
> anything out of the ordinary with these emails.
>
> We tried to create a zip file of the same name as the malware and send it
> from gmail and the ZIP file was detected immediately by MailScanner, so we
> were not able to reproduce the problem strictly by name.  Now that F-prot
> is detecting this, its getting dropped for containing a virus, and we can
> really cannot test further in our production environment.  We took this
> into our lab, but we were not testing with the exact same version of
> MailScanner and we were not able to recreate the problem.  In our minds,
> whether MailScanner could detect the virus or not, it should have detected
> the ZIP and/or EXE and rejected it for this reason alone.
>
> Any information about this issue would be greatly appreciated.  Management
> is now questioning the usefulness of MailScanner versus some commercial
> offering, but I believe in FOSS.  Thank you in advance for taking the time
> to read this post!
>
> Regards,
>
> Tony
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131016/6e30d629/attachment.html 


More information about the MailScanner mailing list