Eric Becker wrote:
Well - thanks again - nice of all you nice people to respond - but I did very much verify that what got through came from outside - my proxy logs every attempt to send email, the from IP address, all the helo/etc protocol - and two events of this thing did get through clamav. No big deal - I don't expect anything to be 100% effective - it's why clamav is on the email gateway and symantec is on the individual PC's - I'm kind of a belt and suspenders type of engineer :-) At some point I'll integrate my proxy with the other linux/unix capable virus catchers and the proxy will do several layers of defense all by itself - but for the moment it's just one layer.

> Well - in this case it was definitely from outside - and the
> proxy I wrote and use passes all email, internal or external,
> through clam and
> spam assassin and a bunch of custom rules... but thanks :-)
Well, depending on the virus, it may be sending emails from its own smtp engine and not touching your server that is scanning your emails. The virus doesn't care or bother to use any proxy that you may have set up. It just sends out emails on its own. We have qmail with qmail-scanner and clamav on a box sitting outside our network that scans all incoming mail and forwards it on to our groupwise server. I'm not sure how you're set up, i.e. if clamav is actually sitting on the mailserver that's storing your users' emails. If it is, then I would assume the email(s) should have been caught.

We thought the same thing had happened. We started getting all kinds of viruses emailed to our users and the "from" field appeared to be from a known customer outside of our network. Turns out that a laptop user had gotten infected when he took the laptop home and was sending the virus out to our users from within our network when he vpn'd in. Just because the sender field is from an external email address doesn't mean it didn't originate internally. Most return addresses on viruses are spoofed.

If you haven't already done so, I would look at the headers of the emails with the virus. If you notice that the emails never touch the server with clamav, then obviously they were never scanned.
------------------------------------------------------- This SF.Net email is sponsored by: SourceForge.net Broadband Sign-up now for SourceForge Broadband and get the fastest 6.0/768 connection for only $19.95/mo for the first 3 months! http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click _______________________________________________ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
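The header check suggested above, as an added Python example that is not from anyone in the thread: it walks the Received chain of a message, reports whether the mail ever passed through the host running clamav, and whether the originating hop came from an internal address (such as a VPN pool). The scanner hostname, the internal address ranges and the two sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Assumptions (not from the thread): the clamav host and the internal nets, VPN pool included.
SCANNER_HOST = "scan.example.com"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
_FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(raw):
    """Received headers as dicts, oldest hop first (each MTA prepends its own)."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())  # unfold and squeeze whitespace
        frm, by = _FROM_RE.match(text), _BY_RE.search(text)
        ip = _IP_RE.search(frm.group(0)) if frm else None
        hops.append({"from_host": frm.group(1) if frm else None,
                     "from_ip": ip.group(1) if ip else None,
                     "by": by.group(1).lower() if by else None})
    return list(reversed(hops))

def is_internal(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:  # no address recorded, or a malformed one
        return False

def triage(raw):
    """Did the mail pass through the clamav host, and where did it enter? Trust
    only hops written by your own MTAs; a sender can forge everything below."""
    hops = parse_received(raw)
    origin_ip = hops[0]["from_ip"] if hops else None
    return {"scanned_by_gateway": any(h["by"] == SCANNER_HOST for h in hops),
            "origin_ip": origin_ip, "origin_internal": is_internal(origin_ip)}

# Constructed samples; both carry a spoofed external From:, as the thread describes.
MSG_VIA_GATEWAY = """\
Received: from scan.example.com (scan.example.com [192.168.1.5])
    by groupwise.internal.example with ESMTP; Mon, 1 Mar 2004 09:00:02 -0500
Received: from mail.customer.example (mail.customer.example [203.0.113.5])
    by scan.example.com with ESMTP; Mon, 1 Mar 2004 09:00:01 -0500
From: sales@customer.example
"""
MSG_FROM_VPN_LAPTOP = """\
Received: from laptop-jdoe (unknown [10.8.0.23])
    by groupwise.internal.example with ESMTP; Mon, 1 Mar 2004 09:05:00 -0500
From: sales@customer.example
"""
```

Run `triage()` over the quarantined messages: a result with `scanned_by_gateway` false and `origin_internal` true is the infected-laptop case from the thread, not a scanner miss.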
ClamAV here is .70 production, rules are freshclam'd every 4 hours etc. Nothing else has managed to pass through the system in months - it was almost a complete surprise that two events occurred - in the space of ~5 minutes - after all this time.
I do want to thank everyone who has/is working on ClamAV - it is a great tool!