Phil Chambers wrote:
> I have a strange situation which I can't explain.
>
> I have an Internet-facing front-end server using exim with ClamAV. I also have
> the Sanesecurity signatures installed. Delivery is achieved by relaying to an
> Exchange server which is behind the firewall.
>
> Some users have re-direction set up so that the Exchange server passes messages
> back to the front-end server for onward transmission. Note, this is
> re-direction, not forwarding, so the messages just have an extra Received: line
> added to the header.
>
> Several times per day I see messages to some of these users being rejected by
> ClamAV as they are being received back from the Exchange server for
> re-direction!
>
> That means that the messages have been cleared by ClamAV as they arrive from
> the Internet but are then rejected a few seconds later when returning! So far
> they have all been Sanesecurity signatures which have caused this.
>
> One thought is that Exchange could possibly be re-writing attachments, but that
> would mean that ClamAV is sensitive to the way in which attachments are
> encoded.
>
> Any ideas?
>

It's possibly something along the lines of what we see occasionally with SPF verification. Since the email is forwarded on from the Exchange server, the email still appears to be from the original user, but it is now coming from your Exchange server. In the SPF case your email server isn't an authorized server for the originating domain, and so the email gets bounced due to an SPF violation.

Now if the Sanesecurity sigs do some verification which relates the sending domain with the server the email was sent from, this could be the problem you are seeing.

Stuart
