Endian Bugtracker
ID: 0002710
Project: Endian Firewall
Category: Proxy SMTP
View Status: public
Date Submitted: 2010-02-22 18:55
Last Update: 2011-03-11 09:43
Reporter: baldy
Assigned To: (unassigned)
Priority: normal
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 2.3
Target Version: future
Fixed in Version: (none)
Summary: 0002710: Viruses in archive not removed.
Description: Amavis/Clamav does not remove viruses in zip files.

Also referred to as FedEx / UPS spam, these messages should be removed by amavisd, but they aren't.

Headers show it is detected, but still passed to spam quarantine instead of virus quarantine.

This also happened in EFW 2.2.

Regards,

Klaas-Jan
Additional Information: Headers of the message.

Received: from mail.baldy.nl (192.168.200.1) by remote.baldy.nl
 (192.168.200.4) with Microsoft SMTP Server id 8.1.393.1; Mon, 22 Feb 2010
 16:53:26 +0100
Received: from localhost (localhost.localhost [127.0.0.1]) by mail.baldy.nl
 (Postfix) with ESMTP id 7D3C7C5A83 for <spam@nospam_baldy.nl>; Mon, 22 Feb 2010
 16:53:26 +0100 (CET)
X-Envelope-From: <Eric@nospam_goll.nl>
X-Envelope-To: <klaas-jan@nospam_baldy.nl>
X-Envelope-To-Blocked: <klaas-jan@nospam_baldy.nl>
X-Quarantine-ID: <lnVslTNOYLhL>
X-Amavis-Alert: BANNED, message contains .exe,.exe-ms,Facebook_password
    _3921.exe
Received: from mail.baldy.nl ([127.0.0.1]) by localhost (mail.baldy.nl
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lnVslTNOYLhL for
 <klaas-jan@nospam_baldy.nl>; Mon, 22 Feb 2010 16:53:22 +0100 (CET)
Received: from CPSMTPM-EML108.kpnxchange.com (Cpsmtpm-eml108.kpnxchange.com
 [195.121.3.12]) by mail.baldy.nl (Postfix) with ESMTP id EF754C5A82 for
 <klaas-jan@nospam_baldy.nl>; Mon, 22 Feb 2010 16:53:21 +0100 (CET)
Received: from goll.nl ([62.131.54.34]) by CPSMTPM-EML108.kpnxchange.com with
 Microsoft SMTPSVC(7.0.6001.18000); Mon, 22 Feb 2010 16:53:20 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
Subject: FW: Facebook Password Reset Confirmation! Customer Message.
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----_=_NextPart_001_01CAB3D6.B78AE7AC"
Date: Mon, 22 Feb 2010 16:50:11 +0100
Message-ID: <7542CEA85DEA5F40B140AC566325DF5607B480@goll-srv01.goll.local>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Facebook Password Reset Confirmation! Customer Message.
Thread-Index: Acqz1UBbXjn++6sbRZmaUEQiD2ABNAAAWiAA
From: Eric - Goll Financieel Advies <Eric@nospam_goll.nl>
To: "Klaas-Jan van der Borden" <klaas-jan@nospam_baldy.nl>
X-OriginalArrivalTime: 22 Feb 2010 15:53:20.0790 (UTC) FILETIME=[283CE360:01CAB3D7]
Return-Path: <>
X-MS-Exchange-Organization-Antispam-Report: IPOnAllowList
X-MS-Exchange-Organization-SCL: -1
Tags: No tags attached.
Attached Files:
Facebook_password _3921.zip (32,024 bytes) 2010-03-08 15:35
UPS_invoice_Nr19373.zip (47,150 bytes) 2010-03-08 15:37

-  Notes
(0003960)
baldy (reporter)
2010-03-05 22:58

If needed I can add the zip file containing the virus for testing purposes.

Regards,

Klaas-Jan
(0003966)
peter-endian (administrator)
2010-03-08 12:57

yes please, that could help
(0003967)
peter-endian (administrator)
2010-03-08 12:58

Could you try to disable the spam filter by increasing the spam level greatly and then repass that mail, in order to understand if it would be recognized as a virus if not as spam?
Probably this is only a problem with the order of precedence of the tests.
(0003970)
baldy (reporter)
2010-03-08 15:35

Peter,

Looks like you are correct.

After increasing the spam level to 100, the message is passed to the quarantine destination (in this case a mail-enabled public folder).

What I also found is that virus notifications are not sent to the virus admin.

The virus-infected message was sent from spam@externaldomain to klaas-jan@mydomain, with quarantine info@mydomain and virus admin kvdb@mydomain.

The only mailbox it was delivered to was info, the quarantine destination.

Regards,

Klaas-Jan

Received: from mail.baldy.nl (192.168.200.1) by remote.baldy.nl
 (192.168.200.4) with Microsoft SMTP Server (TLS) id 8.1.393.1; Mon, 8 Mar
 2010 15:29:50 +0100
Received: from localhost (localhost.localhost [127.0.0.1]) by mail.baldy.nl
 (Postfix) with ESMTP id EDCFAC5A83 for <info@nospam_baldy.nl>; Mon, 8 Mar 2010
 15:29:49 +0100 (CET)
X-Envelope-From: <Spam@nospam_goll.nl>
X-Envelope-To: <klaas-jan@nospam_baldy.nl>
X-Envelope-To-Blocked: <klaas-jan@nospam_baldy.nl>
X-Quarantine-ID: <lnCNZRj3zqmD>
X-Amavis-Alert: INFECTED, message contains virus: Trojan.Zbot-7440
X-Amavis-Alert: BANNED, message contains .exe,.exe-ms,Facebook_password
    _3921.exe
Received: from mail.baldy.nl ([127.0.0.1]) by localhost (mail.baldy.nl
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lnCNZRj3zqmD for
 <klaas-jan@baldy.nl>; Mon, 8 Mar 2010 15:29:49 +0100 (CET)
Received: from CPSMTPM-EML102.kpnxchange.com (cpsmtpm-eml102.kpnxchange.com
 [195.121.3.6]) by mail.baldy.nl (Postfix) with ESMTP id 8933DC5A82 for
 <klaas-jan@nospam_baldy.nl>; Mon, 8 Mar 2010 15:29:43 +0100 (CET)
Received: from goll.nl ([62.131.54.34]) by CPSMTPM-EML102.kpnxchange.com with
 Microsoft SMTPSVC(7.0.6001.18000); Mon, 8 Mar 2010 15:29:42 +0100
Content-Class: urn:content-classes:message
Subject: FW: Facebook Password Reset Confirmation! Customer Message.
Date: Mon, 8 Mar 2010 15:26:00 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----_=_NextPart_001_01CABECB.4F3EA6E8"
Message-ID: <7542CEA85DEA5F40B140AC566325DF5607E87F@goll-srv01.goll.local>
X-MS-Has-Attach: yes
X-MimeOLE: Produced By Microsoft Exchange V6.5
X-MS-TNEF-Correlator:
Thread-Topic: Facebook Password Reset Confirmation! Customer Message.
Thread-Index: Acqz1UBbXjn++6sbRZmaUEQiD2ABNAAAWiAAAryeYpAAAIkaqg==
References: <C8E4B6BD7957AA4DAA36BB8C6B509632AE2E56893E@BALDY-SBS01.BaldyIT.local>
From: Spam Mailbox <Spam@nospam_goll.nl>
To: <klaas-jan@nospam_baldy.nl>
X-OriginalArrivalTime: 08 Mar 2010 14:29:42.0917 (UTC) FILETIME=[CB22BB50:01CABECB]
Return-Path: <>
X-MS-Exchange-Organization-Antispam-Report: IPOnAllowList
X-MS-Exchange-Organization-SCL: -1
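An added example (not part of the ticket or of Endian's code) that audits quarantined headers for exactly the mismatch described in notes 0003967 and 0003970: it unfolds the X-Amavis-Alert headers, applies the virus before banned before spam precedence that peter-endian suspects is being skipped, and flags a message whose strongest verdict was INFECTED but that only reached the spam quarantine. The sample headers are constructed from the second header block above; the quarantine and virus-admin addresses are the reporter's placeholder domain.

```python
import email
from email import policy

# Constructed sample modelled on the second header block quoted in the ticket
# (obfuscated addresses kept as they appear there). Note the folded X-Amavis-Alert line.
SAMPLE_HEADERS = (
    "X-Envelope-From: <Spam@nospam_goll.nl>\n"
    "X-Envelope-To: <klaas-jan@nospam_baldy.nl>\n"
    "X-Envelope-To-Blocked: <klaas-jan@nospam_baldy.nl>\n"
    "X-Quarantine-ID: <lnCNZRj3zqmD>\n"
    "X-Amavis-Alert: INFECTED, message contains virus: Trojan.Zbot-7440\n"
    "X-Amavis-Alert: BANNED, message contains .exe,.exe-ms,Facebook_password\n"
    "    _3921.exe\n"
    "Subject: FW: Facebook Password Reset Confirmation! Customer Message.\n"
    "\n"
)

# Order in which a message that trips several checks should be classified:
# a virus hit outranks a banned attachment, which outranks a spam score.
PRECEDENCE = ("INFECTED", "BANNED", "SPAM")


def amavis_alerts(raw_headers):
    """Return (kind, detail) pairs for every X-Amavis-Alert header, folded lines unfolded."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    alerts = []
    for value in msg.get_all("X-Amavis-Alert", []):
        kind, _, detail = str(value).partition(",")
        alerts.append((kind.strip().upper(), " ".join(detail.split())))
    return alerts


def expected_verdict(alerts):
    """Highest-precedence alert present, or CLEAN when amavis flagged nothing."""
    kinds = {kind for kind, _ in alerts}
    return next((k for k in PRECEDENCE if k in kinds), "CLEAN")


def audit(raw_headers, delivered_to, spam_quarantine, virus_admin):
    """Flag a quarantined message whose delivery does not match its strongest verdict.

    delivered_to: set of addresses the quarantined copy and notifications actually reached.
    """
    verdict = expected_verdict(amavis_alerts(raw_headers))
    findings = []
    if verdict == "INFECTED" and virus_admin not in delivered_to:
        findings.append("virus admin %s not notified of INFECTED message" % virus_admin)
    if verdict in ("INFECTED", "BANNED") and delivered_to == {spam_quarantine}:
        findings.append("%s message went only to the spam quarantine" % verdict)
    return verdict, findings


if __name__ == "__main__":
    # The reporter's setup: spam quarantine info@, virus admin kvdb@ (placeholder domain)
    print(audit(SAMPLE_HEADERS, {"info@mydomain"}, "info@mydomain", "kvdb@mydomain"))
```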
(0003971)
baldy (reporter)
2010-03-08 15:38

Please note that attached files are infected, but as long as you do not open them and run the packed exe there is no problem.

Regards,

Klaas-Jan
(0003986)
baldy (reporter)
2010-03-08 18:38

Also found that the virus is not removed when sending it outbound through the GREEN smtp proxy.

This test was done with the same settings that allowed the RED smtp proxy to remove it when sending it inbound.
(0005932)
baldy (reporter)
2011-03-11 09:43

Hi all,

When will this be fixed?

The issue has been open for over a year now and is still present in 2.4.1.

Regards,

Baldy

- Issue History
Date Modified Username Field Change
2010-02-22 18:55 baldy New Issue
2010-03-05 15:07 peter-endian Status new => acknowledged
2010-03-05 22:58 baldy Note Added: 0003960
2010-03-08 12:57 peter-endian Note Added: 0003966
2010-03-08 12:58 peter-endian Note Added: 0003967
2010-03-08 15:35 baldy Note Added: 0003970
2010-03-08 15:35 baldy File Added: Facebook_password _3921.zip
2010-03-08 15:37 baldy File Added: UPS_invoice_Nr19373.zip
2010-03-08 15:38 baldy Note Added: 0003971
2010-03-08 18:38 baldy Note Added: 0003986
2010-06-07 15:46 peter-endian Target Version => future
2011-03-11 09:43 baldy Note Added: 0005932