[Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Pascal Dreissen
Hi,

When there is a virus detected, is the SMTP connection with the sending
host dropped?
I am asking this because I got repeating viruses this morning from the
same hosts. So it seems they are trying to send it again.

Also hosts which are running legitimate mail servers (test server sendmail /
kerio / domino / qmail etc.)

Also I am seeing this in the logging, which looks like the connection
isn't dropped at all and times out!

Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Received-RBL: pass
Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] ClamAV: scanning WL=1:0 NP=1:0 LOCAL=1:
Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] ClamAV: scanning done FOUND Eicar-Test-Signature
Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] virus detected 'Eicar-Test-Signature'
Jan-13-07 09:20:23 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Connection idle for 120 secs - timeout



-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user


Re: [Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Patrick Neill

Similar symptoms here. An E-mail with an Eicar signature has been bouncing
back and forth for four days.



Pascal Dreissen wrote:
>
> Hi,
>
> When there is a virus detected, is the SMTP connection with the sending
> host dropped?
> I am asking this because I got repeating viruses this morning from the
> same hosts. So it seems they are trying to send it again.
>
> Also hosts which are running legitimate mail servers (test server sendmail /
> kerio / domino / qmail etc.)
>
> Also I am seeing this in the logging, which looks like the connection
> isn't dropped at all and times out!
>
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Received-RBL: pass
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] ClamAV: scanning WL=1:0 NP=1:0 LOCAL=1:
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] ClamAV: scanning done FOUND Eicar-Test-Signature
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] virus detected 'Eicar-Test-Signature'
> Jan-13-07 09:20:23 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Connection idle for 120 secs - timeout
 
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Virus-detected-smtp-connection---tf2970796.html#a8312991
Sent from the assp-user mailing list archive at Nabble.com.




Re: [Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Fritz Borgstedt
Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
assp-user@lists.sourceforge.net writes:
> When there is a virus detected, is the SMTP connection with the
> sending host dropped?

They got the SMTP error defined in viruserror.

> I am asking this because I got repeating viruses this morning from
> the same hosts. So it seems they are trying to send it again.

?




Re: [Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Fritz Borgstedt


> Similar symptoms here. An E-mail with an Eicar signature has been
> bouncing back and forth for four days.

ASSP does not bounce. ASSP returns the error you define. So what do you
think ASSP should do to prevent the virus from coming again?

Should ASSP drop the connection without a proper error message? Does
that prevent resending?




Re: [Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Patrick Neill

Matti, I just tried that and set the message to 554. The error message still
doesn't make it back to the sender's Inbox. My test messages are sent from my
'home' ISP smarthost to ASSP at work. I know that my 'home' ISP also filters
e-mail for viruses. Could it be that my sending 'home' ISP is not letting
failed virus mails back into the inbox? I think that is something that
someone should test who has full control over both the sending and receiving
mailserver.



Matti Haack wrote:
>
> Maybe you should better send Error 554 (Transaction failed)
> instead of 500 (Command not recognized 'command')
>
> Matti
>
> --
> Matti Haack - Hit Haack IT Service Gmbh
> Poltlbauer Weg 4, D-94036 Passau
> +49 851 50477-22 Fax: +49 851 50477-29
> http://www.haack-it.de
 
 


Re: [Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Matti Haack
You are right - there is something wrong with the handling,
because the session is not closed after a virus is
found.
The error message is not sent to the server.

You can easily test this if you disable your desktop
email/virus scanner, create a text file and put the EICAR test
string into it:
[EMAIL PROTECTED](P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
and save it as eicar.com
Now mail yourself the string directly to your assp server.
You will get a timeout, no 5xx error.


Jan-13-07 14:12:52 217.95.53.232  authenticated
Jan-13-07 14:12:52 217.95.53.232 [EMAIL PROTECTED] to: [EMAIL PROTECTED] recipient accepted: [EMAIL PROTECTED]
Jan-13-07 14:12:52 217.95.53.232 [EMAIL PROTECTED] to: [EMAIL PROTECTED] virus detected 'Eicar-Test-Signature'
Jan-13-07 14:13:56 217.95.53.232 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Connection idle for 60 secs - timeout
Jan-13-07 14:13:56 217.95.53.232 [EMAIL PROTECTED] to: [EMAIL PROTECTED] is disconnected

The corresponding TheBat! log:
 13.01.2007, 14:12:50: SEND  - Sende Nachricht(en) - 1 Nachrichten in der Warteschlange
 13.01.2007, 14:12:51: SEND  - verbunden mit dem SMTP-Server
 13.01.2007, 14:12:52: SEND  - authentifizieren (Software CRAM-MD5)...
 13.01.2007, 14:12:52: SEND  - Sende Nachricht an [EMAIL PROTECTED]
!13.01.2007, 14:13:55: SEND  - Nachricht wurde nicht versandt. Server Antwort - Connection timeout, try later
!13.01.2007, 14:13:55: FETCH - Verbindung zum Host verloren (die letzten gesendeten Kommandos waren: DATA, RSET)
 13.01.2007, 14:13:55: SEND  - Verbindung beendet - 0 Nachrichten versandt
 13.01.2007, 14:13:55: SEND  - Einige Nachrichten wurden nicht versendet - prüfen Sie die Logdatei nach Informationen


Matti

-- 
Matti Haack - Hit Haack IT Service Gmbh
Poltlbauer Weg 4, D-94036 Passau
+49 851 50477-22 Fax: +49 851 50477-29
http://www.haack-it.de
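
Added example, not part of the original thread and not ASSP code: a small Python check for the pattern in the logs above, where a `virus detected` entry is followed by a `Connection idle ... timeout` instead of a prompt close. A sending MTA that gets a timeout rather than a 5xx reply keeps the message queued and retries, so the sketch also counts detections per host. The sample lines are constructed; the IPs, the addresses and the exact address layout are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Timestamp, client IP, remainder of an ASSP-style log line (layout assumed from the thread).
LINE = re.compile(r"^(\w{3}-\d{1,2}-\d{2} \d{2}:\d{2}:\d{2}) (\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")
VIRUS = re.compile(r"virus detected '([^']+)'")
IDLE = re.compile(r"Connection idle for (\d+) secs - timeout")

# Constructed sample: placeholder addresses and documentation-range IPs.
SAMPLE_LOG = """\
Jan-13-07 14:12:52 192.0.2.10 <a@example.org> to: b@example.net recipient accepted: b@example.net
Jan-13-07 14:12:52 192.0.2.10 <a@example.org> to: b@example.net virus detected 'Eicar-Test-Signature'
Jan-13-07 14:13:56 192.0.2.10 <a@example.org> to: b@example.net Connection idle for 60 secs - timeout
Jan-13-07 14:13:56 192.0.2.10 <a@example.org> to: b@example.net is disconnected
Jan-13-07 14:20:01 198.51.100.7 <c@example.org> to: b@example.net virus detected 'Eicar-Test-Signature'
Jan-13-07 14:20:01 198.51.100.7 <c@example.org> to: b@example.net is disconnected
Jan-13-07 14:43:10 192.0.2.10 <a@example.org> to: b@example.net virus detected 'Eicar-Test-Signature'
Jan-13-07 14:45:10 192.0.2.10 <a@example.org> to: b@example.net Connection idle for 120 secs - timeout
""".splitlines()


def events(lines):
    """Yield (timestamp, ip, text) for every line that matches the layout."""
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S"), m.group(2), m.group(3)


def stalled_virus_sessions(lines):
    """Virus hits whose session ended in an idle timeout instead of a prompt close."""
    pending, findings = {}, []          # pending: ip -> (detection time, signature)
    for ts, ip, text in events(lines):
        hit, idle = VIRUS.search(text), IDLE.search(text)
        if hit:
            pending[ip] = (ts, hit.group(1))
        elif idle and ip in pending:
            seen, sig = pending.pop(ip)
            findings.append({"ip": ip, "signature": sig,
                             "idle_limit": int(idle.group(1)),
                             "stalled_secs": int((ts - seen).total_seconds())})
        elif "disconnected" in text:
            pending.pop(ip, None)       # session closed without stalling
    return findings


def detections_per_host(lines):
    """Count virus detections per client IP; repeats from one host suggest retries."""
    return Counter(ip for _, ip, text in events(lines) if VIRUS.search(text))


if __name__ == "__main__":
    for finding in stalled_virus_sessions(SAMPLE_LOG):
        print(finding)
    print(detections_per_host(SAMPLE_LOG))
```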




Re: [Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Patrick Neill

A small detail in the recent releases: the reason for a failed HELO is no
longer shown in the log files.
It would be nice to have this back.


Pascal Dreissen wrote:
>
> Hi,
>
> When there is a virus detected, is the SMTP connection with the sending
> host dropped?
> I am asking this because I got repeating viruses this morning from the
> same hosts. So it seems they are trying to send it again.
>
> Also hosts which are running legitimate mail servers (test server sendmail /
> kerio / domino / qmail etc.)
>
> Also I am seeing this in the logging, which looks like the connection
> isn't dropped at all and times out!
>
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Received-RBL: pass
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] ClamAV: scanning WL=1:0 NP=1:0 LOCAL=1:
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] ClamAV: scanning done FOUND Eicar-Test-Signature
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] virus detected 'Eicar-Test-Signature'
> Jan-13-07 09:20:23 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Connection idle for 120 secs - timeout
 
 
 


[Assp-user] ASSP returns the error you define (was: Virus detected smtp connection)

2007-01-13 Thread Micheal Espinola Jr
Fritz Borgstedt wrote:
> ASSP does not bounce. ASSP returns the error you define.

Speaking of this; would it be possible to again have the ability to
customize the SPF message?  I think the most administrative overhead I
get from ASSP is from people not reading or understanding the SPF
response code.  I would really appreciate being able to customize that
message - preferably being able to add instructions for the sender to
contact their own email support, and not me!

Thanks for considering this.  I can certainly live with it if it's too
much of a hassle.  I'm only thinking of how I could make ASSP more
hands-off with less administrative support requirements.

Thanks!


Re: [Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Micheal Espinola Jr
Matti Haack wrote:
> Maybe you should better send Error 554 (Transaction failed)
> instead of 500 (Command not recognized 'command')

I use:
~~~

550 5.7.7 [BLOCK REASON] Mail appears infected with '$infection'. Clean
and resend. This attempt has been logged.


Because (http://www.asspsmtp.org/wiki/SMTP_Error_Codes):
~~~

550 - Requested action not taken: mailbox unavailable

/e.g., mailbox not found, no access, or command rejected for policy
reasons/


5.x.x - Permanent Failure
A failure which is not likely to be resolved by resending the
message in the current form. Some change to the message or the
destination must be made for successful delivery.


x.7.7 - Message integrity failure

A transport system otherwise authorized to validate a message was
unable to do so because the message was corrupted or altered. This
may be useful as a permanent, transient persistent, or successful
delivery code.








Re: [Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Fritz Borgstedt


> a small detail in the recent releases: the reason for a failed helo
> is no longer shown in the log files
> it would be nice to have this back

?




Re: [Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Patrick Neill

Previously the log entry for a failed Helo used to be as follows:

Jan-7-07 19:48:23 PB: 201.1.121.97 score: 0+25 = 25 reason:201.1.121.97:ValidHelo-Check
Jan-7-07 19:48:23 201.1.121.97 [EMAIL PROTECTED] Validate Sender: Invalid HELO Format '201.1.121.97'
Jan-7-07 19:48:32 PB: 24.61.137.244 score: 0+25 = 25 reason:24.61.137.244:ValidHelo-Check
Jan-7-07 19:48:32 24.61.137.244 [EMAIL PROTECTED] Validate Sender: Invalid HELO Format '24.61.137.244'
Jan-7-07 19:50:06 PB: 69.139.240.188 score: 0+25 = 25 reason:69.139.240.188:ValidHelo-Check
Jan-7-07 19:50:06 69.139.240.188 [EMAIL PROTECTED] Validate Sender: Invalid HELO Format '69.139.240.188'
Jan-7-07 19:50:19 PB: 89.32.34.231 score: 0+25 = 25 reason:89.32.34.231:ValidHelo-Check
Jan-7-07 19:50:19 89.32.34.231 [EMAIL PROTECTED] Validate Sender: Invalid HELO Format '89.32.34.231'


Now I see only:


Jan-13-07 17:41:38 PB: 82.3.70.247 score: 0+25 = 25 reason:82.3.70.247:InvalidHelo-Check
Jan-13-07 17:41:38 PB: 82.3.70.247 score: 25+25 = 50 reason:82.3.70.247:InvalidHELO
Jan-13-07 17:44:53 PB: 88.229.251.138 score: 0+25 = 25 reason:88.229.251.138:ValidHelo-Check
Jan-13-07 17:44:53 PB: 88.229.251.138 score: 25+25 = 50 reason:88.229.251.138:InvalidHELO
Jan-13-07 17:45:02 PB: 88.229.251.138 score: 50+25 = 75 reason:88.229.251.138:ValidHelo-Check
Jan-13-07 17:45:02 PB: 88.229.251.138 score: 75+25 = 100 reason:88.229.251.138:InvalidHELO


I am missing the line telling me the (usually faked) sender and Invalid Helo
Format.




Fritz Borgstedt wrote:
>
>> a small detail in the recent releases: the reason for a failed helo
>> is no longer shown in the log files
>> it would be nice to have this back
>
> ?
 
 


Re: [Assp-user] Virus detected smtp connection ?

2007-01-13 Thread Fritz Borgstedt

> I am missing the line telling me the (usually faked) sender and
> Invalid Helo Format.

Your logging is turned off for sender validation, turn it on.

