Phil Chambers wrote:
> I have a strange situation which I can't explain.
> 
> I have an Internet-facing front-end server using exim with ClamAV.  I also
> have the Sanesecurity signatures installed. Delivery is achieved by relaying
> to an Exchange server which is behind the firewall.
> 
> Some users have re-direction set up so that the Exchange server passes
> messages back to the front-end server for onward transmission. Note, this is
> re-direction, not forwarding, so the messages just have an extra Received:
> line added to the header.
> 
> Several times per day I see messages to some of these users being rejected by 
> ClamAV as they are being received back from the Exchange server for 
> re-direction!
> 
> That means that the messages have been cleared by ClamAV as they arrive from 
> the Internet but are then rejected a few seconds later when returning! So far 
> they have all been Sanesecurity signatures which have caused this.
> 
> One thought is that Exchange could possibly be re-writing attachments, but
> that would mean that ClamAV is sensitive to the way in which attachments are
> encoded.
> 
> Any ideas?
> 
> Phil.
> ---------------------------------------
> Phil Chambers ([EMAIL PROTECTED])
> University of Exeter

The simplest explanation is that the messages in question do 
not pass through clamav the first time.  Either they are 
somehow sent directly to the exchange box or the original 
client is whitelisted on your frontend.

Possibly capturing some of these for analysis would give more 
clues.

Are you using amavisd-new by any chance?  At any rate, details 
of your MTA and clamav integration might help.


-- 
Noel Jones
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
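
One way to analyse captured copies and test the re-encoding hypothesis from the original question, as an added example that is not code from either poster: it compares each MIME part of the copy first received with the copy returning from Exchange, hashing the body both as sent and after decoding. The function names `leaf_parts`, `compare_copies` and `build_sample`, and the sample messages, are constructed for illustration.

```python
import base64
import hashlib
from email import message_from_bytes

def leaf_parts(raw):
    """(content type, sha256 of body as sent, sha256 of decoded body) per leaf MIME part."""
    parts = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        wire = part.get_payload(decode=False).encode("ascii", "surrogateescape")
        body = part.get_payload(decode=True) or b""
        parts.append((part.get_content_type(),
                      hashlib.sha256(wire).hexdigest(),
                      hashlib.sha256(body).hexdigest()))
    return parts

def compare_copies(first, second):
    """Classify each part of the returning copy against the copy first received."""
    a, b = leaf_parts(first), leaf_parts(second)
    if len(a) != len(b):
        return ["structure-changed"]
    verdicts = []
    for (ctype, wire1, body1), (_, wire2, body2) in zip(a, b):
        if body1 != body2:
            verdicts.append(f"{ctype}: modified")      # content itself differs
        elif wire1 != wire2:
            verdicts.append(f"{ctype}: re-encoded")    # same bytes, different encoding
        else:
            verdicts.append(f"{ctype}: identical")
    return verdicts

def build_sample(width, blob=bytes(range(256)) * 2, relayed=False):
    """Constructed test message; `width` is the base64 line length."""
    b64 = base64.b64encode(blob).decode()
    lines = "\r\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    extra = "Received: from exchange.example (constructed)\r\n" if relayed else ""
    return (extra + "From: a@example.org\r\nTo: b@example.org\r\n"
            "MIME-Version: 1.0\r\n"
            'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
            "--b1\r\nContent-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n"
            + lines + "\r\n--b1--\r\n").encode("ascii")

if __name__ == "__main__":
    inbound = build_sample(76)                  # as first received
    returning = build_sample(60, relayed=True)  # same attachment, re-wrapped
    for verdict in compare_copies(inbound, returning):
        print(verdict)
```

On real captures, pass the raw bytes of the two saved copies of the same message to `compare_copies`.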