[Avcheck] infected is sick?

Len Conrad LConrad@Go2France.com
Wed, 28 Nov 2001 08:08:19 -0600


> > I send a snowwhite hybris to the AV box's ip address.
> >
> > 1. jstaiman@snipmail.net gets nothing.
>
>Administrator alert sent first.

Ok, ok, I figured this "problem" out. I had set the infected admin address to 
one value, and my client then set it to another value; I didn't know he had 
changed it.  Fixed. infected is sending to the correct admin addy.

> > 2. I, sender, get the message + full virus back (on my mail gateway,
> > body_checks blocks the msg because it finds .exe attachment)
>
>How did you send the affected message then?

I made a Eudora personality with SMTP outbound server of ip of my client's 
avcheck machine.

>   It seems not via your
>gateway, or else body_checks should have blocked the original message.

yep, that's why I made the direct-to-avcheck-ip Eudora personality

>1. Check how the message was sent.  Find the jstaiman@snipmail.net
>address in the logs at that time (from address should be empty) and
>trace the message down.  Maybe the same cause as in 2.  And see below.

here, I just sent another snowwhite hybris, postfix log:

Nov 28 08:34:36 virusgate1 postfix/smtpd[14575]: connect from 
unknown[66.64.14.18]
Nov 28 08:34:36 virusgate1 postfix/smtpd[14575]: 7CC5A53501: 
client=unknown[66.64.14.18]
Nov 28 08:34:37 virusgate1 postfix/cleanup[14577]: 7CC5A53501: 
message-id=<5.1.0.14.0.20011128073336.047471b8@wheresmymailserver.com>
Nov 28 08:34:38 virusgate1 postfix/qmgr[13906]: 7CC5A53501: 
from=<lconrad@go2france.com>, size=32912, nrcpt=1 (queue active)
Nov 28 08:34:38 virusgate1 avcheck: infected: from=lconrad@go2france.com, 
to=joel@staiman.net, msg=infected: I-Worm.Hybris.b
Nov 28 08:34:38 virusgate1 postfix/smtpd[14595]: connect from 
localhost.snip.net[127.0.0.1]
Nov 28 08:34:38 virusgate1 postfix/smtpd[14595]: 9E36653504: 
client=localhost.snip.net[127.0.0.1]
Nov 28 08:34:38 virusgate1 postfix/cleanup[14577]: 9E36653504: 
message-id=<20011128133438.9E36653504@virusgate1.snip.net>
Nov 28 08:34:38 virusgate1 postfix/smtpd[14575]: disconnect from 
unknown[66.64.14.18]
Nov 28 08:34:38 virusgate1 postfix/qmgr[13906]: 9E36653504: from=<>, 
size=35369, nrcpt=1 (queue active)
Nov 28 08:34:38 virusgate1 postfix/smtpd[14595]: disconnect from 
localhost.snip.net[127.0.0.1]
Nov 28 08:34:38 virusgate1 postfix/smtpd[14595]: connect from 
localhost.snip.net[127.0.0.1]
Nov 28 08:34:38 virusgate1 postfix/smtpd[14595]: AD41753505: 
client=localhost.snip.net[127.0.0.1]
Nov 28 08:34:38 virusgate1 postfix/cleanup[14577]: AD41753505: 
message-id=<20011128133438.AD41753505@virusgate1.snip.net>
Nov 28 08:34:38 virusgate1 postfix/qmgr[13906]: AD41753505: from=<>, 
size=2546, nrcpt=1 (queue active)
Nov 28 08:34:38 virusgate1 postfix/smtpd[14595]: disconnect from 
localhost.snip.net[127.0.0.1]
Nov 28 08:34:38 virusgate1 postfix/pipe[14579]: 7CC5A53501: 
to=<joel@staiman.net>, relay=avcheck, delay=2, status=sent 
(virusgate1.snip.net)
Nov 28 08:34:38 virusgate1 postfix/smtp[14606]: AD41753505: 
to=<joel@staiman.net>, relay=209.204.64.13[209.204.64.13], delay=0, 
status=sent (250 Message queued)

above, joel@staiman.net is both envelope recipient and "infected" admin 
addy, that's why two msgs to him.

Nov 28 08:36:07 virusgate1 postfix/smtp[14598]: 9E36653504: 
to=<lconrad@go2france.com>, relay=mgw1.meiway.com[212.73.210.75], delay=89, 
status=bounced (host mgw1.meiway.com[212.73.210.75] said: 552 Error: 
content rejected)

The last line is my gateway rejecting the virus msg fully sent back to 
sender, me.

>2. This is a problem with all configurations/antivirus/whatever.
>When more than one mail server is involved you should ensure that the
>second one will not check messages sent by the first.  Note that usually
>the return path to the sender comes the same way as the original message
>was sent.

you can see in log above the envelope sender is me, directly from my eudora

>What you demonstrated can happen only if you sent the original message
>from a different place where there is no virus scanner running,

there is no SMTP av scanner on my Thinkpad+Eudora

>Here we have two mail servers, let's say A and B, both running a
>virus checker.

no, I have his avcheck+kav ip receiving directly from my Thinkpad.

We will put this box into production as soon as "infected" stops sending 
the entire infected msg back to envelope sender.

thanks
Len
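A way to spot this behaviour in the gateway's own logs, as an added example that is not part of the original post or of avcheck: it correlates the avcheck "infected" line with the null-sender messages Postfix queues afterwards and flags any that go back to the infected message's envelope sender at a size no smaller than the original, which is the signature of the full virus being returned rather than a short notification. The sample log is constructed, modelled on the excerpt above with the wrapped lines joined.

```python
import re

# Constructed sample modelled on the Postfix/avcheck excerpt in the post above
# (queue ids and addresses copied from it, lines unwrapped); not a live capture.
SAMPLE_LOG = """\
Nov 28 08:34:38 virusgate1 postfix/qmgr[13906]: 7CC5A53501: from=<lconrad@go2france.com>, size=32912, nrcpt=1 (queue active)
Nov 28 08:34:38 virusgate1 avcheck: infected: from=lconrad@go2france.com, to=joel@staiman.net, msg=infected: I-Worm.Hybris.b
Nov 28 08:34:38 virusgate1 postfix/qmgr[13906]: 9E36653504: from=<>, size=35369, nrcpt=1 (queue active)
Nov 28 08:34:38 virusgate1 postfix/qmgr[13906]: AD41753505: from=<>, size=2546, nrcpt=1 (queue active)
Nov 28 08:34:38 virusgate1 postfix/pipe[14579]: 7CC5A53501: to=<joel@staiman.net>, relay=avcheck, delay=2, status=sent (virusgate1.snip.net)
Nov 28 08:34:38 virusgate1 postfix/smtp[14606]: AD41753505: to=<joel@staiman.net>, relay=209.204.64.13[209.204.64.13], delay=0, status=sent (250 Message queued)
Nov 28 08:36:07 virusgate1 postfix/smtp[14598]: 9E36653504: to=<lconrad@go2france.com>, relay=mgw1.meiway.com[212.73.210.75], delay=89, status=bounced (host mgw1.meiway.com[212.73.210.75] said: 552 Error: content rejected)
"""

# qmgr gives queue id, envelope sender and size; smtp/pipe/local give the recipient;
# the avcheck line names the envelope sender of the infected message.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)")
DELIV_RE = re.compile(r"postfix/(?:smtp|pipe|local)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>")
AVCHECK_RE = re.compile(r"avcheck: infected: from=(?P<sender>\S+), to=(?P<rcpt>\S+), msg=")


def find_infected_returns(log_text):
    """Return [(null_sender_qid, original_qid, size)] for each null-sender message the
    gateway queued back to the envelope sender of an infected message that is at least
    as large as the original, i.e. a copy that plausibly carries the virus back out."""
    queued, rcpts, infected_senders = {}, {}, set()
    for line in log_text.splitlines():
        if m := QMGR_RE.search(line):
            queued[m["qid"]] = (m["sender"].lower(), int(m["size"]))
        elif m := DELIV_RE.search(line):
            rcpts.setdefault(m["qid"], set()).add(m["rcpt"].lower())
        elif m := AVCHECK_RE.search(line):
            infected_senders.add(m["sender"].lower())
    findings = []
    for orig_qid, (sender, orig_size) in queued.items():
        if sender not in infected_senders:
            continue  # not an infected inbound message
        for qid, (null_sender, size) in queued.items():
            # Null sender + delivered to the original sender + not smaller than the
            # original: a full return of the infected message, not a short notice.
            if null_sender == "" and sender in rcpts.get(qid, ()) and size >= orig_size:
                findings.append((qid, orig_qid, size))
    return findings


if __name__ == "__main__":
    for qid, orig, size in find_infected_returns(SAMPLE_LOG):
        print(f"{qid}: {size} bytes returned to envelope sender of {orig}")
```

On the sample this reports only 9E36653504 (35369 bytes back to the sender of 7CC5A53501); the 2546-byte admin notification AD41753505 is not flagged.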