the double attachment check should have blocked this - never mind the anti-virus products<br><br>you sure you've not turned that off somehow in the filetypes rule?<br><a href="http://www.mailscanner.info/files/filename.rules.conf">http://www.mailscanner.info/files/filename.rules.conf</a><br>
<br clear="all">-- <br>Martin Hepworth, CISSP<br>Oxford, UK<br>
<br><br><div class="gmail_quote">On 1 October 2012 15:43, Paul Welsh <span dir="ltr"><<a href="mailto:paul@welshfamily.com" target="_blank">paul@welshfamily.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all I'm running MailScanner 4.84.5 with Clam and F-Prot on CentOS<br>
6.3 with Exim 4.76 and an infected message is being delivered. Here's<br>
the maillog extract. I've changed the recipient domain to<br>
<a href="http://mydomain.com" target="_blank">mydomain.com</a>:<br>
<br>
Oct 1 10:34:00 mail MailScanner[15454]: Infected message<br>
1TIcNu-0004Ww-Ny.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe<br>
came from<br>
Oct 1 10:34:01 mail MailScanner[15454]: Message 1TIcNu-0004Ww-Ny from<br>
83.149.158.186 (<a href="mailto:truismsjb95@paypal.com">truismsjb95@paypal.com</a>) to <a href="http://mydomain.com" target="_blank">mydomain.com</a> is not spam,<br>
SpamAssassin (score=2.798, required 6, autolearn=disabled,<br>
DKIM_ADSP_ALL 1.10, HTML_MESSAGE 0.00, RCVD_IN_XBL 0.72, SPF_SOFTFAIL<br>
0.97, UNPARSEABLE_RELAY 0.00)<br>
Oct 1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message<br>
1TIcNu-0004Ww-Ny from <a href="mailto:truismsjb95@paypal.com">truismsjb95@paypal.com</a> to<br>
<a href="mailto:postmaster@mydomain.com">postmaster@mydomain.com</a> with subject Your friend added a new photo<br>
with you to the album<br>
<br>
As you can see, it's identified as Infected but still delivered.<br>
<br>
If I manually scan the message, I get this from f-prot:<br>
# /opt/f-prot/fpscan Y*.eml<br>
<snip><br>
[Found possible security risk] <W32/Heuristic-200!Eldorado (not<br>
disinfectable)> Your friend added a new photo with you to the<br>
album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe<br>
[Contains infected objects] Your friend added a new photo with you to<br>
the album.eml<br>
<br>
<br>
I get this from clam:<br>
# clamscan Y*.eml<br>
Your friend added a new photo with you to the album.eml: OK<br>
<br>
----------- SCAN SUMMARY -----------<br>
Known viruses: 1314671<br>
Engine version: 0.97.6<br>
Scanned directories: 0<br>
Scanned files: 1<br>
Infected files: 0<br>
<br>
In MailScanner.conf I have these set but neither affect virus<br>
checking, apparently:<br>
Maximum Archive Depth = 0<br>
Find Archives By Content = no<br>
<br>
I also have:<br>
Virus Scanning = yes<br>
Virus Scanners = clamav f-prot-6<br>
Deliver Disinfected Files = no<br>
Silent Viruses = HTML-IFrame All-Viruses<br>
Still Deliver Silent Viruses = no<br>
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar<br>
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:<br>
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*<br>
Block Encrypted Messages = no<br>
Allow Password-Protected Archives = no<br>
Check Filenames In Password-Protected Archives = yes<br>
Dangerous Content Scanning = yes<br>
Allow Partial Messages = no<br>
Find Phishing Fraud = yes<br>
Also Find Numeric Phishing = yes<br>
Use Stricter Phishing Net = no<br>
<br>
Any ideas?<br>
<br>
For now, I have tried this. Previously it was not set:<br>
Archives: Deny Filenames = \.exe$<br>
<span class="HOEnZb"><font color="#888888">--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
</font></span></blockquote></div><br>