Hi there!

I've noted that Trend's Interscan Viruswall has a horrendous "feature" in its 
WinNT/2K implementation, that is not present in *UX implementations.

In most installations Interscan listens on port 25 (SMTP), receives the message, 
scans it, and then re-sends it to the "real" SMTP daemon (listening on another port), 
preserving the SMTP header present in the message.
But, since it doesn't include a new line in the SMTP header with the sender's IP, and 
doesn't write any extra log including it (it just logs virus occurrences), the final 
message header will not contain the real sender's IP!!

In other words, if you want to trace-back the origin of a message, you cannot use the 
message header to discover the sender's IP.

I've consulted Trend's support about that, and they told me that it's a "product 
feature", *not* a bug.
Well... If it is a "product feature", why is it only present in the Win32 
implementations, and not in *UX?

Example:

===============================================================================================
Microsoft Mail Internet Headers Version 2.0
Received: from smtp.domain1.com ([172.0.0.1]) by internal.domain1.com with Microsoft 
SMTPSVC(5.0.2195.4905);
         Thu, 23 May 2002 20:02:08 -0300
Received: from smtp.domain1.com ([172.0.0.1]) by smtp.domain1.com with Microsoft 
SMTPSVC(5.0.2195.2966);
         Thu, 23 May 2002 20:02:08 -0300
Subject: Test
===============================================================================================

In this header you see that the message was received by smtp.domain1.com from 
itself... it was registered by the SMTP daemon when it received the Interscan 
(installed on the same machine) "re-transmission". It's ok, but, where is the original 
sender's IP???

I've tested it on an Interscan Viruswall 3.52 build 1375, but I think that it's present 
on all Win32 versions.

While Trend is a so-called security company, I'm afraid about other hidden "features" 
in its products.



Pedro Quintanilha
Information Security
Editora Abril s/a
[EMAIL PROTECTED]
+55-11-3037-4297
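
A triage check for the symptom described in this message, as an added example that is not part of the original post: it parses the Received chain and reports whether any hop records a peer outside the receiving infrastructure. The function names, the regex (written for the Microsoft SMTPSVC line format shown above) and the second sample with `mail.example.net` are assumptions constructed for illustration; a "from" host that also appears as a "by" host is treated as own infrastructure, which is a heuristic.

```python
import re
from email import message_from_string

# Constructed sample 1: the two Received lines quoted in the post.
SAMPLE_POST = """\
Received: from smtp.domain1.com ([172.0.0.1]) by internal.domain1.com with Microsoft SMTPSVC(5.0.2195.4905);
         Thu, 23 May 2002 20:02:08 -0300
Received: from smtp.domain1.com ([172.0.0.1]) by smtp.domain1.com with Microsoft SMTPSVC(5.0.2195.2966);
         Thu, 23 May 2002 20:02:08 -0300
Subject: Test

body
"""

# Constructed sample 2: the same relay, but the first hop recorded the real peer.
SAMPLE_WITH_ORIGIN = """\
Received: from smtp.domain1.com ([172.0.0.1]) by internal.domain1.com with Microsoft SMTPSVC(5.0.2195.4905);
         Thu, 23 May 2002 20:02:08 -0300
Received: from mail.example.net ([192.0.2.10]) by smtp.domain1.com with ESMTP;
         Thu, 23 May 2002 20:02:07 -0300
Subject: Test

body
"""

# "from <helo-name> ([<peer-ip>]) by <receiving-host>"
HOP = re.compile(r"from\s+(\S+)\s+\(\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)", re.I)

def parse_hops(raw):
    """Return the Received hops top-down (newest first) as dicts."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append({"from": m.group(1).lower(), "ip": m.group(2),
                         "by": m.group(3).lower()})
    return hops

def external_origin(raw):
    """IP of the earliest hop whose peer is not one of our own hosts, else None."""
    hops = parse_hops(raw)
    own_hosts = {h["by"] for h in hops}  # hosts that stamped a Received line
    external = [h for h in hops if h["from"] not in own_hosts]
    # Received lines are prepended, so the last match is the earliest hop.
    return external[-1]["ip"] if external else None
```

A `None` result on mail that arrived from outside means trace-back has to rely on the gateway's own connection logs, since the header chain starts at the internal re-transmission.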
