hmm.
Sounds interesting,
I wasn't running any AV as I saw no reason to run since IMGate was rejecting
all Windows executables just fine. But I'll definitely think about getting
something like clamav - amavisd-new combination to work after hearing this.
Thanks Len.
Serhan.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Len Conrad
Sent: Wednesday, May 28, 2003 2:13 PM
To: [EMAIL PROTECTED]
Subject: [IMGate] Re: .pif virus got thru?




>Today I detected a .pif virus in a user's mailbox.
>It somehow tricked IMGate

this occurs due to funny, weird stuff that gets past postfix, and is exactly
why postfix should not be your only AV defense, although it works very well
as first line of defense

>, but I'm unable to find the real reason for it.

after the msg is received and de-MIMEd or whatever by the MUA, it's very
hard to do the forensics.

>Here are the logs,
>
>May 28 08:44:04 mail3 postfix/smtp[29468]: 90F7D17B9: [EMAIL PROTECTED],
>relay=216.133.67.7[216.133.67.7], delay=1
>, status=sent (250 Message queued)
>
>PS: Check out the message size (114663 bytes).
>PS 2: The sender seems in the header as [EMAIL PROTECTED] however,
>in the logs, it seems it's coming from [EMAIL PROTECTED] Which one is
>forged?

could be both.  if you were running SAV, then perhaps 4784lawa would have
been refused by gte's mx and postfix would have refused the msg.

Len



