It seems that some viruses are slipping by my filters.
I don't understand how they could but they are.
I have Amavisd-new with McAfee on my Imgate box, and it seems to pick up
pretty much all viruses, but some do slip by.
The AV on Imail, which is also McAfee, picked up the virus just fine. The log
on Imail shows that the infected mail came from the Imgate box.
Here's the log from the Imail box.

01:28 11:27 SMTPD(005E0062) [10.25.1.6] connect 10.25.1.14 port 2232
01:28 11:27 SMTPD(005E0062) [10.25.1.14] EHLO mailgate.mydomain.com
01:28 11:27 SMTPD(005E0062) [10.25.1.14] MAIL FROM:<>
01:28 11:27 SMTPD(005E0062) [10.25.1.14] RCPT TO:<[EMAIL PROTECTED]>
01:28 11:27 SMTPD(005E0062) [10.25.1.14]
C:\IMail\spool\Df0f4005e006202e6.SMD 0
01:28 11:27 SMTP-(00000000) Info - Adding Queue file
C:\IMail\spool\Qf0f4005e006202e6.SMD
01:28 11:27 SMTP-(038441AA) processing C:\IMail\spool\Qf0f4005e006202e6.SMD
01:28 11:27 SMTP-(038441AA) finished C:\IMail\spool\Qf0f4005e006202e6.SMD
status=2

Here's the log that shows amavisd scanning the E-mail.

Jan 28 11:21:26 mailgate postfix/smtpd[41442]: 3C08C1EA:
client=webhost4sites.com[216.127.78.35]
Jan 28 11:21:26 mailgate postfix/cleanup[41533]: 3C08C1EA:
message-id=<[EMAIL PROTECTED]>
Jan 28 11:21:26 mailgate postfix/nqmgr[41032]: 3C08C1EA: from=<>,
size=32608, nrcpt=1 (queue active)
Jan 28 11:21:34 mailgate amavis[41559]: (41559-07) ESMTP::10026
/var/amavis/amavis-20040128T111554-41559: <> -> <[EMAIL PROTECTED]>
Received: SIZE=32608 from mailgate.mydomain.com ([127.0.0.1]) by localhost
(mailgate.mydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id
41559-07 for <[EMAIL PROTECTED]>; Wed, 28 Jan 2004 11:21:34 -0600 (CST)
Jan 28 11:21:35 mailgate amavis[41559]: (41559-07) Checking: <> ->
<[EMAIL PROTECTED]>

Jan 28 11:21:54 mailgate postfix/cleanup[41533]: C21A91F3:
message-id=<[EMAIL PROTECTED]>
Jan 28 11:21:54 mailgate amavis[41559]: (41559-07) Passed, <> ->
<[EMAIL PROTECTED]>, Message-ID:
<[EMAIL PROTECTED]>, Hits: 3.246
Jan 28 11:21:54 mailgate postfix/smtp[41573]: 3C08C1EA:
to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1], delay=30, status=sent
(250 2.6.0 Ok, id=41559-07, from MTA: 250 Ok: queued as C21A91F3)
Jan 28 11:21:54 mailgate postfix/nqmgr[41032]: 3C08C1EA: removed

Jan 28 11:21:54 mailgate postfix/smtpd[41519]: C21A91F3:
client=unknown[127.0.0.1]
Jan 28 11:21:54 mailgate postfix/cleanup[41533]: C21A91F3:
message-id=<[EMAIL PROTECTED]>
Jan 28 11:21:54 mailgate postfix/nqmgr[41032]: C21A91F3: from=<>,
size=33045, nrcpt=1 (queue active)
Jan 28 11:21:54 mailgate postfix/smtp[41573]: 3C08C1EA:
to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1], delay=30, status=sent
(250 2.6.0 Ok, id=41559-07, from MTA: 250 Ok: queued as C21A91F3)

Jan 28 11:21:54 mailgate amavis[41559]: (41559-07) spam_scan: hits=3.246
tests=LARGE_HEX,NO_DNS_FOR_FROM,NO_REAL_NAME,UPPERCASE_25_50
Jan 28 11:21:54 mailgate amavis[41559]: (41559-07) FWD via SMTP:
[127.0.0.1]:10025 <> -> <[EMAIL PROTECTED]>
Jan 28 11:21:54 mailgate amavis[41559]: (41559-07) Passed, <> ->
<[EMAIL PROTECTED]>, Message-ID:
<[EMAIL PROTECTED]>, Hits: 3.246
Jan 28 11:21:54 mailgate amavis[41559]: (41559-07) TIMING [total 19937 ms] -
SMTP EHLO: 3 (0%), SMTP pre-MAIL: 1 (0%), SMTP pre-DATA-flush: 6 (0%), SMTP
DATA: 195 (1%), body hash: 2 (0%), mime_decode: 72 (0%), AV-scan-1: 2315
(12%), SA msg read: 14 (0%), SA parse: 4 (0%), SA check: 17253 (87%),
fwd-connect: 17 (0%), fwd-mail-from: 1 (0%), fwd-rcpt-to: 5 (0%),
write-header: 7 (0%), fwd-data: 5 (0%), fwd-data-end: 20 (0%), fwd-rundown:
5 (0%), unlink-1-files: 12 (0%), rundown: 1 (0%)
Jan 28 11:21:54 mailgate postfix/smtp[41573]: 3C08C1EA:
to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1], delay=30, status=sent
(250 2.6.0 Ok, id=41559-07, from MTA: 250 Ok: queued as C21A91F3)

Jan 28 11:21:55 mailgate postfix/smtp[41575]: C21A91F3:
to=<[EMAIL PROTECTED]>, relay=10.25.1.6[10.25.1.6], delay=1, status=sent
(250 Message queued)
Jan 28 11:21:55 mailgate postfix/nqmgr[41032]: C21A91F3: removed

What could it be?
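
Added example (not part of the original post): a Python sketch that follows one message through the mailgate log above, linking the Postfix queue ID, the amavisd-new job ID, the re-injected queue ID and the final relay, so the filter's verdict and AV-scan timing can be read for the exact message the downstream server flagged. The sample lines are the post's own log entries, unwrapped and trimmed; the function name and result field names are assumptions.

```python
import re

# Constructed sample: the post's mailgate log lines, unwrapped and trimmed
# (addresses are the list archive's redaction placeholder).
LOG = """\
Jan 28 11:21:26 mailgate postfix/smtpd[41442]: 3C08C1EA: client=webhost4sites.com[216.127.78.35]
Jan 28 11:21:54 mailgate amavis[41559]: (41559-07) Passed, <> -> <[EMAIL PROTECTED]>, Hits: 3.246
Jan 28 11:21:54 mailgate amavis[41559]: (41559-07) TIMING [total 19937 ms] - mime_decode: 72 (0%), AV-scan-1: 2315 (12%), SA check: 17253 (87%)
Jan 28 11:21:54 mailgate postfix/smtp[41573]: 3C08C1EA: to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1], delay=30, status=sent (250 2.6.0 Ok, id=41559-07, from MTA: 250 Ok: queued as C21A91F3)
Jan 28 11:21:55 mailgate postfix/smtp[41575]: C21A91F3: to=<[EMAIL PROTECTED]>, relay=10.25.1.6[10.25.1.6], delay=1, status=sent (250 Message queued)
"""

CLIENT = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+)")
HANDOFF = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): .*id=([\d-]+), from MTA: .*queued as ([0-9A-F]+)")
DELIVER = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): .*relay=([^\[,]+)\[")
VERDICT = re.compile(r"amavis\[\d+\]: \(([\d-]+)\) (Passed)\b")  # only the verdict seen in the post
AVSCAN = re.compile(r"amavis\[\d+\]: \(([\d-]+)\) TIMING .*?AV-scan-\d+: (\d+)")

def trace(log):
    """Follow each message from the sending client, through amavisd, to the final relay."""
    clients, verdicts, av_ms, hops, relays = {}, {}, {}, {}, {}
    for line in log.splitlines():
        if m := CLIENT.search(line):
            clients[m[1]] = m[2]
        if m := VERDICT.search(line):
            verdicts[m[1]] = m[2]
        if m := AVSCAN.search(line):
            av_ms[m[1]] = int(m[2])
        if m := HANDOFF.search(line):      # Postfix -> amavisd -> re-injected queue ID
            hops[m[1]] = (m[2], m[3])
        elif m := DELIVER.search(line):    # any other delivery, e.g. to the internal server
            relays[m[1]] = m[2]
    return [{"client": clients.get(qid), "queue_in": qid, "amavis_id": job,
             "verdict": verdicts.get(job), "av_scan_ms": av_ms.get(job),
             "queue_out": out, "delivered_to": relays.get(out)}
            for qid, (job, out) in hops.items()]

if __name__ == "__main__":
    for record in trace(LOG):
        print(record)
```

A record whose `av_scan_ms` is `None` would mean no AV-scan step was logged for that job; a record with `verdict` of `Passed` and a scan time shows the scanner ran and reported the message clean.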



