<div dir="ltr"><div><div><div>umm well the mailscanner version you are using is 4 years old. i know the releases arent coming as fast and furious we they used to but still..<br><br></div>blocking invalid recipients should be done up front anyway<br>
<br></div>I'd look at your rulesets in MailScanner to make sure you're not trusting the Baracuda to some level and there for missing the checks. You should be able to trace the messages causing problems in the mail logs .<br>
<br></div>Given you're already scanning with baracuda's and they still delivered the malware how is their commercial offereing any better??<br><div><br>Martin<br><br></div></div><div class="gmail_extra"><br clear="all">
<div>-- <br>Martin Hepworth, CISSP<br>Oxford, UK</div>
<br><br><div class="gmail_quote">On 16 October 2013 14:30, Tony Larco <span dir="ltr"><<a href="mailto:tlarco@polr.com" target="_blank">tlarco@polr.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I apologize if this has been answered in another thread. I did
spend quite some time poking through the archived mailing list
articles, the MailScanner docs, and googling around, but we are just
stumped and are hoping a MailScanner guru could enlighten us about
this situation.<br>
<br>
First, we are running the following (from /usr/sbin/MailScanner -v)
- <br>
This is SUSE Linux Enterprise Server 10 (x86_64)<br>
This is Perl version 5.008008 (5.8.8)<u></u><u></u><br>
This is MailScanner version 4.78.17<br>
Using F-Prot for AV scanning<br>
<br>
High level overview - We use Barracuda's for our mail gateways that
hand off to MailScanner before getting routed to the appropriate
mail server for delivery. This solution has worked great for years,
but last week something strange happened that we cannot figure out.<br>
<br>
On Friday we started receiving emails that contained some kind of
0-day malware. The Barracudas were blocking some of these email,
but based on score and not on the emails containing a virus. Later
in the day Barracuda started recognizing the virus so the problem
was mitigated at the mail gateway, but some did slip by the first
line of defense and were passed to MailScanner. <br>
<br>
The attachment was a zipped up EXE file, but something was unique
about these messages. We block ZIP and EXE files to most of our
users, but our MailScanner instance was not acknowledging these
emails contained a ZIP file and therefore not doing the "Filename
Check". What is very interesting is when MailScanner delivered the
email to an invalid recipient and it was bounced back to the sender,
MailScanner detected the existence of a ZIP file and blocked it on
the way out! But not on the way in! This is the heart of the
issue... how can we determine why these messages were not
interrogated while other (legit) zip files were being rejected at
the same time?<br>
<br>
We observed these emails were encoded with windows-1251 encoding
(<a href="http://en.wikipedia.org/wiki/Windows-1251" target="_blank">http://en.wikipedia.org/wiki/Windows-1251</a>) and the content type of
the attachment was simply "Content Type ;" Other than that, we did
not see anything out of the ordinary with these emails. <br>
<br>
We tried to create a zip file of the same name as the malware and
send it from gmail and the ZIP file was detected immediately by
MailScanner, so we were not able to reproduce the problem strictly
by name. Now that F-prot is detecting this, its getting dropped for
containing a virus, and we can really cannot test further in our
production environment. We took this into our lab, but we were not
testing with the exact same version of MailScanner and we were not
able to recreate the problem. In our minds, whether MailScanner
could detect the virus or not, it should have detected the ZIP
and/or EXE and rejected it for this reason alone. <br>
<br>
Any information about this issue would be greatly appreciated.
Management is now questioning the usefulness of MailScanner versus
some commercial offering, but I believe in FOSS. Thank you in
advance for taking the time to read this post!<br>
<br>
Regards, <br>
<br>
Tony <br>
<br>
<br>
<br>
<br>
</div>
<br>--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
<br></blockquote></div><br></div>