-------------------------------------------
Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref---dot---com
http://www.prupref.com
Prudential Preferred Properties Chicago and Illinois NorthShore Real Estate Experts

On Sun, 16 May 2004 13:42 , Eric Becker <[EMAIL PROTECTED]> sent:

>>Well - in this case it was definitely from outside - and the proxy I
>>wrote and use passes all email, internal or external, through clam and
>>spam assassin and a bunch of custom rules... but thanks :-)
>
>Well depending on the virus, it may be sending emails from its own smtp
>engine and not touching your server that is scanning your emails. The
>virus doesn't care or bother to use any proxy that you may have set up.
>It just sends out emails on its own. We have qmail with qmail-scanner
>and clamav on a box sitting outside our network that scans all incoming
>mail and forwards it on to our groupwise server. I'm not sure how you're
>set up, i.e. if clamav is actually sitting on the mailserver that's
>storing your users' emails. If it is, then I would assume the email(s)
>should have been caught.
>
>We thought the same thing had happened. We started getting all kinds of
>viruses emailed to our users and the "from" field appeared to be from a
>known customer outside of our network. Turns out that a laptop user had
>gotten infected when he took the laptop home and was sending the virus
>out to our users from within our network when he vpn'd in. Just
>because the sender field is from an external email address, doesn't mean
>it didn't originate internally. Most return addresses on viruses are
>spoofed.
>
>If you haven't already done so, I would look at the headers of the
>emails with the virus. If you notice that the emails never touch the
>server with clamav, then obviously they were never scanned.

Eric - that is exactly what happened here. Since the virus has its own SMTP, it was just sending directly to the internal mail-server.

Since that is just the server, and never sends itself, I blocked all traffic except for the IP of the mail gateway - at least it takes out one piece of the equation if something does 'slip' through.
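
The header check Eric describes, as an added example that is not part of the original thread: it walks a message's `Received` chain and reports whether any hop was accepted by the scanning gateway and whether the first hop came from inside the network. The host name `gw.example.com`, the `10.0.0.0/8` internal range and both sample messages are constructed assumptions.

```python
import email
import ipaddress
import re

GATEWAY = "gw.example.com"                           # assumed scanning gateway
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]      # assumed LAN/VPN range

# "from <host> (... [<ip>]) by <host>" as written by common MTAs
HOP_RE = re.compile(
    r"from\s+(\S+)(?:.*?\[([0-9a-fA-F.:]+)\])?.*?\bby\s+(\S+)", re.S)

def hops(raw):
    """Return (from_host, from_ip, by_host) per hop, oldest hop first."""
    msg = email.message_from_string(raw)
    out = []
    # Each MTA prepends its Received line, so reverse for travel order.
    for value in reversed(msg.get_all("Received") or []):
        m = HOP_RE.search(value)
        if m:
            out.append((m.group(1), m.group(2), m.group(3).rstrip(";")))
    return out

def audit(raw, gateway=GATEWAY):
    chain = hops(raw)
    scanned = any(by.lower() == gateway for _, _, by in chain)
    internal = False
    if chain and chain[0][1]:
        try:
            ip = ipaddress.ip_address(chain[0][1])
            internal = any(ip in net for net in INTERNAL)
        except ValueError:
            pass                                     # bracket held no IP
    return {"scanned": scanned, "internal_origin": internal}

# Constructed sample: spoofed external From:, delivered straight to the store.
DIRECT = """\
Received: from laptop (unknown [10.8.0.23])
 by mail.example.com with SMTP; Sun, 16 May 2004 13:00:00 -0500
From: customer@partner.example
Subject: constructed sample

body
"""
# Constructed sample: normal path through the scanning gateway.
VIA_GW = """\
Received: from gw.example.com (gw.example.com [192.0.2.10])
 by mail.example.com with SMTP; Sun, 16 May 2004 13:01:00 -0500
Received: from mx.sender.example (mx.sender.example [198.51.100.7])
 by gw.example.com with SMTP; Sun, 16 May 2004 13:00:30 -0500
From: customer@partner.example

body
"""
```

Only the `Received` lines added by your own servers are trustworthy; anything below the first hop you control can be forged by the sender.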