Damian Menscher wrote:
On Wed, 11 Aug 2004, Arthur Kerpician wrote:
Still, about 4-5 times a day, NAV detects [EMAIL PROTECTED] I repeat,
NAV/Exchange server is behind my RH Linux/ClamAV machine which is
supposed to do all filtering (AV/Spam) until it passes the mails to the
Exchange. I saved a copy of the worm detected by NAV and submited to
COSS which detects it as SomeFool.P. Further more, I resent the worm
copy from a different location back to the ClamAV server which, this
time, detects it! Same thing happens with SomeFool.Q. These 2 worms are
the reason for keeping NAV as backup scanner...
I bet if you check the headers of a message that made it "past" your
ClamAV machine, you'll find it never actually went through that machine.
Probably some virus is sending directly to your Exchange server. This
might be because it's coming from an infected machine within your
network, or maybe because the exchange server is a backup MX for your
clamav server. Either way, checking the headers to see where the
specific message went would be a good starting point.
Damian Menscher
I set the Exchange server to allow SMTP connection only from the Linux
machine. I am absolutely sure about that (telnet 193.41.216.98 25).
Headers show that it went through the Linux/ClamAV server. I'm sorry I
deleted all the infected messages but I'll copy the headers from the
next one (should be there in 1-2 hours) and send it to the list.
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
