Re: [cobalt-users] Mailscanner not getting viruses all the time



At 19:21 11/02/2004, you wrote:
> >Hi
> >
> >I have a setup like this:
> >
> >
> >internet
> >    |
> >    |
> >    v
> >primary MX
> >[RaQ3 running Mailscanner/clamav/spamassassin]
> >    |
> >    |
> >    v
> >secondary MX
> >[another RaQ3]
> >
> >
> >Today one of the users told me that he gets a lot of (what I think) is
> >MyDoom/worm.SCO even though his mails are handled by this scanning
> >chain.
> >
> >I can see from the log that A LOT of worm.SCOs are hitting the mailboxes
> >handled this way, so I can't figure out how the virus mails get past
> >this setup?
> >
> >Has anyone experienced the same and maybe knows what could be wrong?

-snip-

The thread has mutated a little onto a discussion regarding general mail server setups so (after a good night's sleep) I will try and make some suggestions for tracking down how your user is getting virus infected mails still.

Briefly on the subject of mail servers though, my experience has been that spammers will target my backup MX servers directly to inject spam (Bruce raised this issue I believe) plus my primary mail servers will reject spammers through RBL checks only to then see the spammers switch to the next DNS listed MX servers, which then pass through to my main servers. I always check the full headers when I get spam to see how the spam has reached me so I can look into whether future instances can be blocked. In my case I found that my MX servers (run by another company) had not updated their RBL server list for some time so that's how the spams were getting through.

So how is your user getting virus emails?

1. Get a copy of the full headers from these mails. If you're using MailScanner then it should be adding lines in the header to show that the mail contents have been checked and what the outcome was. For example a mail just posted to Cobalt Users has this information:

X-yoursite-MailScanner-Information: Please contact the ISP for more information
X-yoursite-MailScanner: Found to be clean

A good example as it seems that person has installed MailScanner but not edited MailScanner.conf so the default settings are still there. My server also added the following to the same mail:

X-crossharbour-MailScanner-Information: Please report all abuse issues to [EDITED - GO AWAY SPAMMERS]
X-crossharbour-MailScanner: Found to be clean

So in both cases the mail has been scanned and was found to be clean. So get a few mails from your customer and check the headers. You should compare with a non-infected email and see whether it's been scanned then found to be clean.

2. Check whether your secondary server (I won't call it an MX server since that's causing some confusion) can accept mails directly from the Internet in some way. There's been discussion regarding that in this same thread. If you are using mailertable to push mails from the primary server to the secondary then consider whether your secondary server needs to have the SMTP port (25) open to the world. If it's not an outbound mail server and it should only accept mails from your virus/spam scanning server then there's no reason why you can't firewall off port 25.

3. Is it possible that your customer is using his mail client to check multiple accounts? I use Eudora which is configured to check multiple accounts under the personalities function. Maybe he/she is getting the virus through another service provider and doesn't realise.

If you can get the full headers though that will provide the answer.

Dan
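A small audit of the checks in points 1 and 2 above, added here as an example and not part of the original post: it reads a message's headers, looks for the X-*-MailScanner verdict line, and walks the Received chain to see whether the mail ever passed through the scanning host. The host names and the two sample header sets are constructed, modelled on the headers quoted in the post.

```python
import email
import re
from email import policy

# Constructed sample: scanned on the primary, relayed to the secondary, delivered.
SAMPLE_SCANNED = """\
Received: from secondary.example.net (secondary.example.net [192.0.2.20])
\tby mailbox.example.net with ESMTP id abc123
Received: from primary.example.net (primary.example.net [192.0.2.10])
\tby secondary.example.net with ESMTP id def456
X-yoursite-MailScanner-Information: Please contact the ISP for more information
X-yoursite-MailScanner: Found to be clean
From: user@example.org
Subject: test

body
"""

# Constructed sample: delivered straight to the secondary from the Internet,
# so it never saw MailScanner and carries no verdict header (point 2).
SAMPLE_UNSCANNED = """\
Received: from mail.example.org (mail.example.org [203.0.113.5])
\tby secondary.example.net with ESMTP id ghi789
From: user@example.org
Subject: test

body
"""

# MailScanner names the verdict header X-<yoursite>-MailScanner; the
# "-Information" variant is only a notice, so it is excluded by the anchor.
SCANNER_HEADER = re.compile(r"^X-[\w-]+-MailScanner$", re.IGNORECASE)
RECEIVED_FROM = re.compile(r"from\s+(\S+)", re.IGNORECASE)


def audit(raw, scanner_host):
    """Report whether a message carries a scanner verdict and which hosts relayed it."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdicts = [v for k, v in msg.items() if SCANNER_HEADER.match(k)]
    # Received headers are prepended by each hop, so the top one is the last
    # hop; reverse them to get the path in delivery order.
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.search(rcvd)
        if m:
            hops.append(m.group(1).lower())
    return {
        "scanned": bool(verdicts),
        "verdict": str(verdicts[0]) if verdicts else None,
        "via_scanner": scanner_host.lower() in hops,
        "path": hops,
    }
```

Run it over a few of the customer's infected mails next to a clean one: a mail with no verdict header whose path skips the scanning host is one that reached the secondary directly.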