Damian Menscher wrote:

On Wed, 11 Aug 2004, Arthur Kerpician wrote:



Still, about 4-5 times a day, NAV detects [EMAIL PROTECTED] I repeat,
NAV/Exchange server is behind my RH Linux/ClamAV machine which is
supposed to do all filtering (AV/Spam) until it passes the mails to the
Exchange. I saved a copy of the worm detected by NAV and submitted to
COSS which detects it as SomeFool.P. Furthermore, I resent the worm
copy from a different location back to the ClamAV server which, this
time, detects it! Same thing happens with SomeFool.Q. These 2 worms are
the reason for keeping NAV as backup scanner...



I bet if you check the headers of a message that made it "past" your ClamAV machine, you'll find it never actually went through that machine. Probably some virus is sending directly to your Exchange server. This might be because it's coming from an infected machine within your network, or maybe because the Exchange server is a backup MX for your ClamAV server. Either way, checking the headers to see where the specific message went would be a good starting point.

Damian Menscher


As I said, here are the headers of an infected mail:

<BEGIN HEADERS>----------------------------------------------------------------------------------------------

Microsoft Mail Internet Headers Version 2.0
Received: from backup.ccina.ro ([193.41.216.99]) by main-server.ccina.ro with Microsoft SMTPSVC(5.0.2195.6713); Wed, 11 Aug 2004 17:51:46 +0300
Received: (qmail 22270 invoked by uid 513); 11 Aug 2004 14:53:00 -0000
Received: from by backup.ccina.ro by uid 505 with qmail-scanner-1.22 (clamdscan: 0.75.1. spamassassin: 2.60. Clear:RC:0(193.231.236.7):SA:1(10.3/8.0):. Processed in 28.77455 secs); 11 Aug 2004 14:53:00 -0000
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Received: from localhost [127.0.0.1] by backup.ccina.ro with SpamAssassin (2.60 1.212-2003-09-23-exp); Wed, 11 Aug 2004 17:53:00 +0300
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [SPAM] failure notice
Date: 20 Jun 2004 20:54:23 -0000
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on backup.ccina.ro
X-Spam-Level: **********
X-Spam-Status: Yes, hits=10.3 required=8.0 tests=BAYES_99,DATE_IN_PAST_96_XX,LARGE_HEX,NO_REAL_NAME,UPPERCASE_25_50,VIRUS_WARNING_EXE1 autolearn=no version=2.60
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------=_411A32CC.A0CB2A31"
Return-Path:
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 11 Aug 2004 14:51:46.0547 (UTC) FILETIME=[B9736430:01C47FB2]


------------=_411A32CC.A0CB2A31
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

------------=_411A32CC.A0CB2A31
Content-Type: text/plain;
  x-spam-type=original;
  name="Quarantined Attachment.txt"
Content-Description: Quarantined Attachment Report
Content-Disposition: attachment;
  filename="Quarantined Attachment.txt"
Content-Transfer-Encoding: 7bit


------------=_411A32CC.A0CB2A31--
<END HEADERS>-----------------------------------------------------------------------------------------------------



backup.ccina.ro is the Linux/ClamAV machine. Generally, ClamAV stops this kind of message...
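
The header check suggested earlier in the thread, run over the Received lines quoted above, as an added example that is not part of the original messages. The `trace` function, its regular expressions and the `BYPASSED` sample (with documentation addresses) are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed samples. SCANNED reuses the Received lines quoted in the message
# above; BYPASSED is a made-up direct delivery using documentation addresses.
SCANNED = (
    "Received: from backup.ccina.ro ([193.41.216.99]) by main-server.ccina.ro"
    " with Microsoft SMTPSVC(5.0.2195.6713); Wed, 11 Aug 2004 17:51:46 +0300\n"
    "Received: (qmail 22270 invoked by uid 513); 11 Aug 2004 14:53:00 -0000\n"
    "Received: from by backup.ccina.ro by uid 505 with qmail-scanner-1.22"
    " (clamdscan: 0.75.1. spamassassin: 2.60."
    " Clear:RC:0(193.231.236.7):SA:1(10.3/8.0):. Processed in 28.77455 secs);"
    " 11 Aug 2004 14:53:00 -0000\n"
    "Subject: [SPAM] failure notice\n\nbody\n"
)
BYPASSED = (
    "Received: from host.example ([192.0.2.10]) by main-server.ccina.ro"
    " with Microsoft SMTPSVC(5.0.2195.6713); Wed, 11 Aug 2004 17:51:46 +0300\n"
    "Subject: test\n\nbody\n"
)

# "by <hostname>" clause; requiring a dot skips qmail's "invoked by uid NNN".
BY_HOST = re.compile(r"\bby\s+([\w-]+(?:\.[\w-]+)+)")
# qmail-scanner stamp: scanner version, status word, client IP, optional SA score.
SCAN = re.compile(
    r"qmail-scanner-(?P<qs>[\d.]+) \(clamdscan: (?P<clam>[\d.]*\d)\..*?"
    r"(?P<status>[^\s:]+):RC:\d\((?P<client>[\d.]+)\)"
    r"(?::SA:\d\((?P<score>[\d.]+)/(?P<need>[\d.]+)\))?"
)

def trace(raw, scanner_host):
    """Summarise which hosts handled a message and what qmail-scanner logged."""
    received = message_from_string(raw).get_all("Received", [])
    # Each hop prepends its header, so reverse to get oldest-first order.
    hops = [m.group(1) for h in reversed(received) if (m := BY_HOST.search(h))]
    scan = next((m.groupdict() for h in received if (m := SCAN.search(h))), None)
    return {"hops": hops, "via_scanner": scanner_host in hops, "scan": scan}

if __name__ == "__main__":
    for name, raw in (("scanned", SCANNED), ("bypassed", BYPASSED)):
        print(name, trace(raw, "backup.ccina.ro"))
```

Only Received lines written by hosts you operate can be relied on; anything below them in the header block is supplied by the sender.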


