
Re: [cobalt-users] Mailscanner not getting viruses all the time



At 17:25 11/02/2004, you wrote:
Hi

I have a setup like this:


internet
   |
   |
   v
primary MX
[RaQ3 running Mailscanner/clamav/spamassassin]
   |
   |
   v
secondary MX
[another RaQ3]


Today one of the users told me that he gets a lot of (what I think) is
MyDoom/worm.SCO even though his mails are handled by this scanning
chain.

I can see from the log that A LOT of worm.SCO's hitting the mailboxes
handled this way, so I can't figure out how the virus mails get past
this setup?

Has anyone experienced the same or maybe knows what could be wrong?

How does the Internet know to deliver mail to the primary MX server? By what mechanism does the primary MX forward the mails onto secondary MX? Are you using RBLs at all as part of your primary MX server Sendmail config or through the MailScanner config?

For example, if the Internet delivers your customer domain email with primary MX set as the primary MX record in DNS and the secondary MX as a backup server, then it would be possible for the primary MX to reject the mail connection based on an RBL check but the sending server doesn't give up. It then tries to deliver to the next priority MX server listed by DNS. In your example this would mean the secondary MX, then I presume it would miss out the virus checks.

I would also check whether your customer is really getting the virus mails or rather just the warning messages generated by MailScanner.

Dan
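
The check suggested in the reply above, as an added example that is not part of the original post: list the published MX hosts that accept mail without scanning, and use a delivered message's Received headers to tell whether it entered through one of them. The host names, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed host names and messages; nothing here comes from the thread.
MX_RECORDS = [(10, "mx1.example.com"), (20, "mx2.example.com")]  # (preference, host)
SCANNING_HOSTS = {"mx1.example.com"}  # hosts that run the virus scanner

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def norm(host):
    return host.lower().rstrip(".")

def unscanned_mx(mx_records, scanning_hosts):
    """Published MX hosts that accept mail from the internet without scanning it."""
    return [norm(h) for _pref, h in sorted(mx_records) if norm(h) not in scanning_hosts]

def entry_host(raw_message, our_hosts):
    """Our host that first accepted the message from outside, or None.

    Each hop prepends its Received header, so walk from the top while the
    "by" host is ours; anything below that run was supplied by the sender.
    """
    entry = None
    for header in message_from_string(raw_message).get_all("Received", []):
        m = BY_RE.search(header)
        if not m or norm(m.group(1)) not in our_hosts:
            break
        entry = norm(m.group(1))
    return entry

def bypassed_scanner(raw_message, mx_records, scanning_hosts):
    """True if the message entered through an MX that does not scan."""
    entry = entry_host(raw_message, {norm(h) for _p, h in mx_records})
    return entry is not None and entry not in scanning_hosts

SCANNED = (
    "Received: from mx1.example.com (mx1.example.com [192.0.2.10])\n"
    " by mx2.example.com with ESMTP; Wed, 11 Feb 2004 17:01:05 +0000\n"
    "Received: from sender.invalid (unknown [198.51.100.7])\n"
    " by mx1.example.com with SMTP; Wed, 11 Feb 2004 17:01:00 +0000\n"
    "Subject: constructed sample\n\nbody\n"
)
BYPASSED = (
    "Received: from sender.invalid (unknown [198.51.100.7])\n"
    " by mx2.example.com with SMTP; Wed, 11 Feb 2004 17:02:00 +0000\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    print("MX hosts without scanning:", unscanned_mx(MX_RECORDS, SCANNING_HOSTS))
    for name, raw in (("SCANNED", SCANNED), ("BYPASSED", BYPASSED)):
        print(name, "bypassed scanner:", bypassed_scanner(raw, MX_RECORDS, SCANNING_HOSTS))
```

A sender can prepend a forged Received header naming one of your hosts, so treat a "scanned" result as a hint and confirm it against the scanner's own log for that message.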