Re: [Assp-user] Virus detected smtp connection ?
Nope, tried that also; viruses keep bouncing and repeating. This morning I had more than 100 messages about virus detected, did not have this behaviour before!

Micheal Espinola Jr wrote:
> Matti Haack wrote:
>> Maybe you should better send Error 554 (Transaction failed)
>> instead of 500 (Command not recognized 'command')
>
> I use:
> ~~~
> 550 5.7.7 [BLOCK REASON] Mail appears infected with '$infection'. Clean and resend. This attempt has been logged.
>
> Because (http://www.asspsmtp.org/wiki/SMTP_Error_Codes):
> ~~~
> 550 - Requested action not taken: mailbox unavailable
> /e.g., mailbox not found, no access, or command rejected for policy reasons/
>
> 5.x.x - Permanent Failure
> A failure which is not likely to be resolved by resending the message in the current form. Some change to the message or the destination must be made for successful delivery.
>
> x.7.7 - Message integrity failure
> A transport system otherwise authorized to validate a message was unable to do so because the message was corrupted or altered. This may be useful as a permanent, transient persistent, or successful delivery code.
Re: [Assp-user] Virus detected smtp connection ?
Similar symptoms here. An E-mail with an Eicar signature has been bouncing back and forth for four days.

Pascal Dreissen wrote:
> Hi,
>
> When there is a virus detected is the smtp connection with the sending host dropped?
>
> I am asking this because I got repeating viruses this morning from the same hosts. So it seems they are trying to send it again. Also hosts which are running legitimate mailservers (test server sendmail / kerio / domino / qmail etc..)
>
> Also I am seeing this in the logging which looks like the connection isn't dropped at all and times out!
>
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Received-RBL: pass
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] ClamAV: scanning WL=1:0 NP=1:0 LOCAL=1:
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] ClamAV: scanning done FOUND Eicar-Test-Signature
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] virus detected 'Eicar-Test-Signature'
> Jan-13-07 09:20:23 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Connection idle for 120 secs - timeout
Re: [Assp-user] Virus detected smtp connection ?
Questions and Answers for users of ASSP Anti-Spam SMTP Proxy assp-user@lists.sourceforge.net writes:
> When there is a virus detected is the smtp connection with the sending host dropped?

They got the SMTP error defined in viruserror.

> I am asking this because I got repeating viruses this morning from the same hosts. So it seems they are trying to send it again.

?
Re: [Assp-user] Virus detected smtp connection ?
> Similar symptoms here. An E-mail with an Eicar signature has been bouncing back and forth for four days.

ASSP does not bounce. ASSP returns the error you define. So what do you think ASSP should do to prevent the virus from coming again? Should ASSP drop the connection without a proper error message? Does that prevent resending?
Re: [Assp-user] Virus detected smtp connection ?
Matti,

I just tried that and set the message to 554. The error message still doesn't make it back to the sender's inbox. My test messages are sent from my 'home' ISP smarthost to ASSP at work. I know that my 'home' ISP also filters e-mail for viruses. Could it be that my sending 'home' ISP is not letting failed virus mails back into the inbox? I think that is something that someone should test who has full control over both the sending and receiving mailserver.

Matti Haack wrote:
> Maybe you should better send Error 554 (Transaction failed)
> instead of 500 (Command not recognized 'command')
>
> Matti
>
> --
> Matti Haack - Hit Haack IT Service Gmbh
> Poltlbauer Weg 4, D-94036 Passau
> +49 851 50477-22 Fax: +49 851 50477-29
> http://www.haack-it.de
Re: [Assp-user] Virus detected smtp connection ?
You are right - there is something wrong with the handling, because the session is not closed after a virus is found. The error message is not sent to the server.

You can easily test this if you disable your desktop email/virus scanner, create a text file and put the EICAR test string into it:

[EMAIL PROTECTED](P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

and save it as eicar.com

Now mail yourself the string directly to your ASSP server. You will get a timeout, no 5xx error.

Jan-13-07 14:12:52 217.95.53.232 authenticated
Jan-13-07 14:12:52 217.95.53.232 [EMAIL PROTECTED] to: [EMAIL PROTECTED] recipient accepted: [EMAIL PROTECTED]
Jan-13-07 14:12:52 217.95.53.232 [EMAIL PROTECTED] to: [EMAIL PROTECTED] virus detected 'Eicar-Test-Signature'
Jan-13-07 14:13:56 217.95.53.232 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Connection idle for 60 secs - timeout
Jan-13-07 14:13:56 217.95.53.232 [EMAIL PROTECTED] to: [EMAIL PROTECTED] is disconnected

The corresponding TheBat! log:

13.01.2007, 14:12:50: SEND - Sende Nachricht(en) - 1 Nachrichten in der Warteschlange
13.01.2007, 14:12:51: SEND - verbunden mit dem SMTP-Server
13.01.2007, 14:12:52: SEND - authentifizieren (Software CRAM-MD5)...
13.01.2007, 14:12:52: SEND - Sende Nachricht an [EMAIL PROTECTED]
!13.01.2007, 14:13:55: SEND - Nachricht wurde nicht versandt. Server Antwort - Connection timeout, try later
!13.01.2007, 14:13:55: FETCH - Verbindung zum Host verloren (die letzten gesendeten Kommandos waren: DATA, RSET)
13.01.2007, 14:13:55: SEND - Verbindung beendet - 0 Nachrichten versandt
13.01.2007, 14:13:55: SEND - Einige Nachrichten wurden nicht versendet - prüfen Sie die Logdatei nach Informationen

Matti

--
Matti Haack - Hit Haack IT Service Gmbh
Poltlbauer Weg 4, D-94036 Passau
+49 851 50477-22 Fax: +49 851 50477-29
http://www.haack-it.de
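A check for the symptom shown in the logs above, a 'virus detected' line followed by an idle timeout for the same client, written as an added example that is not part of the original posts or of ASSP. The log lines are constructed on the pattern of those quoted in the thread (documentation IPs, placeholder addresses), and treating an "is disconnected" line as a prompt close is an assumption.

```python
import re
from datetime import datetime

# Constructed sample modelled on the ASSP log lines quoted in this thread;
# IPs are documentation addresses and the mail addresses are placeholders.
SAMPLE_LOG = """\
Jan-13-07 14:12:52 192.0.2.10 <a@example.org> to: <b@example.net> recipient accepted: <b@example.net>
Jan-13-07 14:12:52 192.0.2.10 <a@example.org> to: <b@example.net> virus detected 'Eicar-Test-Signature'
Jan-13-07 14:13:56 192.0.2.10 <a@example.org> to: <b@example.net> Connection idle for 60 secs - timeout
Jan-13-07 14:20:01 198.51.100.7 <c@example.org> to: <b@example.net> virus detected 'Eicar-Test-Signature'
Jan-13-07 14:20:02 198.51.100.7 <c@example.org> to: <b@example.net> is disconnected
"""

# timestamp, client IP, rest of the line
LINE = re.compile(r"^(\w{3}-\d{1,2}-\d{2} \d{2}:\d{2}:\d{2}) (\d{1,3}(?:\.\d{1,3}){3}) (.*)$")
VIRUS = re.compile(r"virus detected '([^']+)'")
IDLE = re.compile(r"Connection idle for (\d+) secs - timeout")

def find_hung_virus_sessions(log_text):
    """Return (ip, signature, seconds_open) for each session that hit a virus
    and then ended by idle timeout instead of being closed promptly."""
    pending = {}  # ip -> (time of detection, signature)
    hung = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. "PB:" scoring lines, where no IP follows the timestamp
        when = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S")
        ip, rest = m.group(2), m.group(3)
        v = VIRUS.search(rest)
        if v:
            pending[ip] = (when, v.group(1))
        elif ip in pending and IDLE.search(rest):
            seen, sig = pending.pop(ip)
            hung.append((ip, sig, int((when - seen).total_seconds())))
        elif ip in pending and "disconnected" in rest:
            pending.pop(ip)  # assumption: closed without waiting for the idle timer
    return hung

if __name__ == "__main__":
    for ip, sig, secs in find_hung_virus_sessions(SAMPLE_LOG):
        print(f"{ip}: '{sig}' detected, session left open {secs}s until idle timeout")
```
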
Re: [Assp-user] Virus detected smtp connection ?
A small detail in the recent releases: the reason for a failed HELO is no longer shown in the log files.
It would be nice to have this back.

Pascal Dreissen wrote:
> Hi,
>
> When there is a virus detected is the smtp connection with the sending host dropped?
>
> I am asking this because I got repeating viruses this morning from the same hosts. So it seems they are trying to send it again. Also hosts which are running legitimate mailservers (test server sendmail / kerio / domino / qmail etc..)
>
> Also I am seeing this in the logging which looks like the connection isn't dropped at all and times out!
>
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Received-RBL: pass
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] ClamAV: scanning WL=1:0 NP=1:0 LOCAL=1:
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] ClamAV: scanning done FOUND Eicar-Test-Signature
> Jan-13-07 09:18:18 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] virus detected 'Eicar-Test-Signature'
> Jan-13-07 09:20:23 38.96.163.30 [EMAIL PROTECTED] to: [EMAIL PROTECTED] Connection idle for 120 secs - timeout
Re: [Assp-user] Virus detected smtp connection ?
Matti Haack wrote:
> Maybe you should better send Error 554 (Transaction failed)
> instead of 500 (Command not recognized 'command')

I use:
~~~
550 5.7.7 [BLOCK REASON] Mail appears infected with '$infection'. Clean and resend. This attempt has been logged.

Because (http://www.asspsmtp.org/wiki/SMTP_Error_Codes):
~~~
550 - Requested action not taken: mailbox unavailable
/e.g., mailbox not found, no access, or command rejected for policy reasons/

5.x.x - Permanent Failure
A failure which is not likely to be resolved by resending the message in the current form. Some change to the message or the destination must be made for successful delivery.

x.7.7 - Message integrity failure
A transport system otherwise authorized to validate a message was unable to do so because the message was corrupted or altered. This may be useful as a permanent, transient persistent, or successful delivery code.
Re: [Assp-user] Virus detected smtp connection ?
> A small detail in the recent releases: the reason for a failed HELO is no longer shown in the log files.
> It would be nice to have this back.

?
Re: [Assp-user] Virus detected smtp connection ?
Previously the log entry for a failed HELO used to be as follows:

Jan-7-07 19:48:23 PB: 201.1.121.97 score: 0+25 = 25 reason:201.1.121.97:ValidHelo-Check
Jan-7-07 19:48:23 201.1.121.97 [EMAIL PROTECTED] Validate Sender: Invalid HELO Format '201.1.121.97'
Jan-7-07 19:48:32 PB: 24.61.137.244 score: 0+25 = 25 reason:24.61.137.244:ValidHelo-Check
Jan-7-07 19:48:32 24.61.137.244 [EMAIL PROTECTED] Validate Sender: Invalid HELO Format '24.61.137.244'
Jan-7-07 19:50:06 PB: 69.139.240.188 score: 0+25 = 25 reason:69.139.240.188:ValidHelo-Check
Jan-7-07 19:50:06 69.139.240.188 [EMAIL PROTECTED] Validate Sender: Invalid HELO Format '69.139.240.188'
Jan-7-07 19:50:19 PB: 89.32.34.231 score: 0+25 = 25 reason:89.32.34.231:ValidHelo-Check
Jan-7-07 19:50:19 89.32.34.231 [EMAIL PROTECTED] Validate Sender: Invalid HELO Format '89.32.34.231'

Now I see only:

Jan-13-07 17:41:38 PB: 82.3.70.247 score: 0+25 = 25 reason:82.3.70.247:InvalidHelo-Check
Jan-13-07 17:41:38 PB: 82.3.70.247 score: 25+25 = 50 reason:82.3.70.247:InvalidHELO
Jan-13-07 17:44:53 PB: 88.229.251.138 score: 0+25 = 25 reason:88.229.251.138:ValidHelo-Check
Jan-13-07 17:44:53 PB: 88.229.251.138 score: 25+25 = 50 reason:88.229.251.138:InvalidHELO
Jan-13-07 17:45:02 PB: 88.229.251.138 score: 50+25 = 75 reason:88.229.251.138:ValidHelo-Check
Jan-13-07 17:45:02 PB: 88.229.251.138 score: 75+25 = 100 reason:88.229.251.138:InvalidHELO

I am missing the line telling me the (usually faked) sender and Invalid Helo Format.

Fritz Borgstedt wrote:
>> A small detail in the recent releases: the reason for a failed HELO is no longer shown in the log files.
>> It would be nice to have this back.
>
> ?
Re: [Assp-user] Virus detected smtp connection ?
> I am missing the line telling me the (usually faked) sender and Invalid Helo Format.

Your logging is turned off for sender validation, turn it on.