On Wed, 02 Jan 2008 18:04:54 -0600 Noel Jones <[EMAIL PROTECTED]> wrote:
> Phil Chambers wrote:
> > I have a strange situation which I can't explain.
> >
> > I have an Internet-facing front-end server using exim with ClamAV. I also have
> > the Sanesecurity signatures installed. Delivery is achieved by relaying to an
> > Exchange server which is behind the firewall.
> >
> > Some users have re-direction set up so that the Exchange server passes messages
> > back to the front-end server for onward transmission. Note, this is
> > re-direction, not forwarding, so the messages just have an extra Received: line
> > added to the header.
> >
> > Several times per day I see messages to some of these users being rejected by
> > ClamAV as they are being received back from the Exchange server for
> > re-direction!
> >
> > That means that the messages have been cleared by ClamAV as they arrive from
> > the Internet but are then rejected a few seconds later when returning! So far
> > they have all been Sanesecurity signatures which have caused this.
> >
> > One thought is that Exchange could possibly be re-writing attachments, but that
> > would mean that ClamAV is sensitive to the way in which attachments are
> > encoded.
> >
> > Any ideas?
> >
> > Phil.
> > ---------------------------------------
> > Phil Chambers ([EMAIL PROTECTED])
> > University of Exeter
>
> The simplest explanation is that the messages in question do
> not pass through clamav the first time. Either they are
> somehow sent directly to the exchange box or the original
> client is whitelisted on your frontend.
>
> Possibly capturing some of these for analysis would give more
> clues.
>
> Are you using amavisd-new by any chance? At any rate, details
> of your MTA and clamav integration might help.
>
>
> --
> Noel Jones

I am using exim 4.62 with clamd 0.92, both compiled from source. All messages first go through an Exim MIME ACL (where I check a specific regex against each MIME part). They all then go through an Exim DATA ACL which is what calls clamd via a UNIX socket, using native Exim support for clamd. There is no way to by-pass this.

I am not using amavisd-new.

I can't see any way of capturing examples. I would need to compare copies of messages when they first arrive against those which are rejected when they are returned by Exchange. Since I can't predict which ones are going to be returned by Exchange I don't know which ones to capture on the way in. I would have to capture every message and that is just not feasible with our volume of messages.

Phil.
---------------------------------------
Phil Chambers ([EMAIL PROTECTED])
University of Exeter
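The setup Phil describes (Exim's native clamd support called from the DATA ACL over a UNIX socket) can be made to capture only the problematic copies rather than every inbound message. The following is an added example, not configuration from this thread or from either poster: on the leg coming back from the Exchange host it freezes a flagged message in the queue instead of rejecting it, and logs the Sanesecurity signature name together with the Message-ID so the earlier inbound log line for the same message can be found. The socket path `/var/run/clamav/clamd.sock` and the Exchange address `10.0.0.5` are assumptions.

```exim
# Added example, not the thread's configuration. Assumed values:
#   clamd socket at /var/run/clamav/clamd.sock
#   Exchange server at 10.0.0.5
av_scanner = clamd:/var/run/clamav/clamd.sock

begin acl

acl_check_data:

  # Leg 2: message returning from Exchange for re-direction. It has already
  # been scanned once on the way in, so instead of rejecting it outright,
  # freeze it in the queue (inspect later with exim -Mvh / exim -Mvb) and
  # log the signature plus Message-ID so the inbound "<= ... id=" line for
  # the same message can be located in mainlog.
  warn
    hosts       = 10.0.0.5
    malware     = *
    log_message = re-directed copy flagged by $malware_name \
                  id=$h_message-id: from $sender_host_address
    control     = freeze

  # Leg 1: anything not coming from Exchange (the Internet-facing path)
  # is rejected at DATA as before, with the Message-ID in the log so the
  # two passes can be correlated.
  deny
    !hosts      = 10.0.0.5
    malware     = *
    message     = This message contains malware ($malware_name)
    log_message = rejected by $malware_name id=$h_message-id:

  accept
```

With this in place, a frozen copy can be examined with `exim -Mvh <queue-id>` and `exim -Mvb <queue-id>` and compared against the inbound reception line that `exigrep` finds for the logged Message-ID; a difference in attachment encoding between the two would support the Exchange re-writing hypothesis, while a missing inbound line would support the explanation that the message never passed the scanner the first time. Frozen messages stay queued until thawed with `exim -Mt` or removed with `exim -Mrm`, so the scanner still blocks delivery in the meantime.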