Szerző: Patrick Starrenburg Dátum: Címzett: exim-users Tárgy: [Exim] Re: Blocking fake virus generated "bounces" not caught by Exiscan
"Tom Kistner" <tom@???> wrote in message
news:3EC54286.9010907@???... >
> It should scan and block them, if everything is set up correctly. The
> headers look genuine, and even the host is genuine AOL. Are you sure
> there are viruses in there? If yes, can you send me a sample message? I
> could then test things here.
(?? I did two other replies to your and Guiliano's messages but they didn't
seem to be posted? Anyway...)
Yes it is correct that the messages are look to be coming from valid AOL
hosts
(mail relays). The email address in my first post was not mine but one of
our
users. His machine has been throughly gone over - no viruses. He is getting
30+
of these emails per day. They definitely look like viruses, most likely
worm_fizza.a,
the attachments (which are getting past Exiscan) are getting caught by next
defence line, anti-virus software which is deleting them...
---------
Source mailbox: ""
Destination mailbox(es): "xxxx@???"
Policy: Replaced with text
Attachment file name: Alexan62.pif - application/octet-stream
Action: Attachment Removal
---------
...they don't get to next step - virus scanning, but they obviously are
viruses.
But to get back to first point - the emails look like bounces and/or are
bounces...
--------- Exim log
2003-05-16 17:04:45 19GglD-00072c-9i <= <> H=omr-d03.mx.aol.com
[205.188.159.1] P=esmtp S=223993
id=200305161504.LAD11517@???
2003-05-16 17:04:45 19GglD-00072c-9i => XXXX@??? R=benq_domains
T=remote_smtp H=XXXX[XXXX]
2003-05-16 17:04:45 19GglD-00072c-9i Completed
---------
Tom you saying that even bounces (no from address, "<>") should have
attachments
scanned and rejected by Exiscan if file is on Exiscan block list?
*If* Exiscan doesn't scan bounces how can we force emails with empty from
addresses (bounces) to be processed by Exim/Exiscan. Can we check what is
being
done by Exiscan (tracing?). We can try to capture a live email if you want,
we just
need to make sure it doesn't get into users mailbox.