Phil Chambers wrote:
> On Wed, 02 Jan 2008 18:04:54 -0600 Noel Jones <[EMAIL PROTECTED]> wrote:
>
>> Phil Chambers wrote:
>>> I have a strange situation which I can't explain.
>>>
>>> I have an Internet-facing front-end server using exim with ClamAV. I also have
>>> the Sanesecurity signatures installed. Delivery is achieved by relaying to an
>>> Exchange server which is behind the firewall.
>>>
>>> Some users have re-direction set up so that the Exchange server passes messages
>>> back to the front-end server for onward transmission. Note, this is
>>> re-direction, not forwarding, so the messages just have an extra Received: line
>>> added to the header.
>>>
>>> Several times per day I see messages to some of these users being rejected by
>>> ClamAV as they are being received back from the Exchange server for
>>> re-direction!
>>>
>>> That means that the messages have been cleared by ClamAV as they arrive from
>>> the Internet but are then rejected a few seconds later when returning! So far
>>> they have all been Sanesecurity signatures which have caused this.
>>>
>>> One thought is that Exchange could possibly be re-writing attachments, but that
>>> would mean that ClamAV is sensitive to the way in which attachments are
>>> encoded.
>>>
>>> Any ideas?
>>>
>>> Phil.
>>> ---------------------------------------
>>> Phil Chambers ([EMAIL PROTECTED])
>>> University of Exeter
>>
>> The simplest explanation is that the messages in question do not pass through
>> clamav the first time. Either they are somehow sent directly to the exchange
>> box or the original client is whitelisted on your frontend.
>>
>> Possibly capturing some of these for analysis would give more clues.
>>
>> Are you using amavisd-new by any chance? At any rate, details of your MTA and
>> clamav integration might help.
>>
>> --
>> Noel Jones
>
> I am using exim 4.62 with clamd 0.92, both compiled from source.
>
> All messages first go through an Exim MIME ACL (where I check a specific regex
> against each MIME part). They all then go through an Exim DATA ACL which is
> what calls clamd via a UNIX socket, using native Exim support for clamd. There
> is no way to by-pass this. I am not using amavisd-new.
>
> I can't see any way of capturing examples. I would need to compare copies of
> messages when they first arrive against those which are rejected when they are
> returned by Exchange. Since I can't predict which ones are going to be returned
> by Exchange I don't know which ones to capture on the way in. I would have to
> capture every message and that is just not feasible with our volume of
> messages.
>
> Phil.
> ---------------------------------------
> Phil Chambers ([EMAIL PROTECTED])
> University of Exeter
Is it possible the messages are being delivered directly to the Exchange server? Capturing/quarantining viruses detected as coming from the Exchange box may help, even if you don't have the original message. At the very least you could check the Received: headers to make sure it did pass through your Exim server the first time.

I'm not familiar with Exim and how it calls clamd, but I will point out that most of the Sanesecurity signatures expect to be presented with an entire email message, including headers. (The file scanned must be detected as an "email" type file to activate those signatures). The reason I mentioned amavisd-new is that it's possible to configure amavisd-new to decode the mail by itself and just present the parts for scanning - this causes signatures expecting an "email" type file to fail. It's possible you're having a similar issue, but again, I'm not familiar with the mechanics of Exim virus scanning.

The SPF suggestion is a dead-end.

HTH.

--
Noel Jones

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
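The two checks Noel suggests above, worked through as an added example (this is not code from the thread, from ClamAV or from Sanesecurity). It models the ndb signature target-type rule that makes mail-only signatures fire on a whole message but not on a decoded body part, and walks the Received: chain to see which server first accepted the message. The signature lines, the message, its hosts, ids and addresses are all constructed; `looks_like_mail` is a deliberately simplified stand-in for libclamav's file-type detection, and only ndb target types 0 and 4 with `*` or numeric offsets are handled.

```python
import email
import re
from email import policy

# Constructed ndb-style signature lines (illustrative only, NOT real
# Sanesecurity signatures).  The ClamAV .ndb format is
#   Name:TargetType:Offset:HexPattern
# with TargetType 0 = any file and 4 = mail file; "*" offset = anywhere.
# Pattern 1 is "PAYMENT REQUIRED", pattern 2 is "confirm your details".
SIGS = """\
Sanesecurity.Test.PhishBody:4:*:5041594d454e54205245515549524544
Test.Generic.Marker:0:*:636f6e6669726d20796f75722064657461696c73
"""

# Constructed message (hosts, ids and addresses are made up): it arrived
# from the Internet at the Exim front end, was relayed to Exchange, and was
# then re-directed back to the front end, so it carries three Received: lines.
RAW_MESSAGE = b"""\
Received: from exchange.example.com ([10.0.0.5])
    by frontend.example.net with esmtp (Exim 4.62) id 1ABC-0002-YY
    for other@example.net; Wed, 02 Jan 2008 18:05:03 +0000
Received: from frontend.example.net ([10.0.0.2])
    by exchange.example.com with SMTP; Wed, 02 Jan 2008 18:05:01 +0000
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by frontend.example.net with esmtp (Exim 4.62) id 1ABC-0001-XX
    for victim@example.net; Wed, 02 Jan 2008 18:04:58 +0000
From: "Bank" <alerts@example.org>
To: victim@example.net
Subject: Your account
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

PAYMENT REQUIRED: please confirm your details.
"""

HEADER_NAMES = rb"(Received|Return-Path|From|To|Subject|Date|Message-ID|MIME-Version|Content-Type):"


def parse_ndb(text):
    """Parse ndb lines into (name, target_type, offset, pattern_bytes)."""
    sigs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, target, offset, hexpat = line.split(":", 3)
        sigs.append((name, int(target), offset, bytes.fromhex(hexpat)))
    return sigs


def looks_like_mail(data):
    """Stand-in for libclamav's file-type detection (assumption: the real
    detection is more thorough).  A buffer counts as a mail file only if it
    starts with a recognisable RFC 822 header line."""
    first_line = data.lstrip(b"\r\n").split(b"\n", 1)[0]
    return re.match(HEADER_NAMES, first_line, re.I) is not None


def scan(data, sigs):
    """Return the names of signatures that hit, honouring the target type:
    mail-only (4) signatures are skipped when the buffer is not a mail file."""
    is_mail = looks_like_mail(data)
    hits = []
    for name, target, offset, pat in sigs:
        if target == 4 and not is_mail:
            continue          # the failure mode described in the thread
        if target not in (0, 4):
            continue          # other target types are not modelled here
        if offset == "*":
            found = pat in data
        else:
            off = int(offset)
            found = data[off:off + len(pat)] == pat
        if found:
            hits.append(name)
    return hits


def body_part(raw):
    """Decode the text/plain part the way a part-by-part scanner would hand
    it to clamd: the body alone, without any message headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_body(preferencelist=("plain",)).get_content().encode()


def received_hops(raw):
    """Return (from_host, by_host) for each Received: header, oldest first,
    so the first element shows which server accepted the message from the
    Internet."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", str(value), re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops[::-1]       # headers are prepended, so reverse for chronology


if __name__ == "__main__":
    sigs = parse_ndb(SIGS)
    print("whole message :", scan(RAW_MESSAGE, sigs))
    print("decoded body  :", scan(body_part(RAW_MESSAGE), sigs))
    for src, dst in received_hops(RAW_MESSAGE):
        print(f"hop: {src} -> {dst}")
```

Scanning the whole message trips both signatures; scanning only the decoded body trips just the target-0 one, even though the phishing phrase is present in both buffers, because the mail-only signature is never consulted for a buffer that is not typed as mail. The oldest hop shows `frontend.example.net` accepting the message from the Internet, which is the check Noel suggests for confirming that a rejected message really did pass through the Exim box the first time.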
