[Avcheck] Scan only incoming msg

Michael Tokarev mjt@tls.msk.ru
Sun, 13 Jan 2002 22:37:39 +0300


RaBL wrote:
> 
>   From outside to inside: (OK)
> -----------------------------
> Jan 13 20:44:23 underworld postfix/smtpd[4924]: connect from
> mail2.centrum.cz[195.47.108.142]
> Jan 13 20:44:23 underworld postfix/smtpd[4924]: EB94643ED0:
> client=mail2.centrum.cz[195.47.108.142]
> Jan 13 20:44:24 underworld postfix/cleanup[4925]: EB94643ED0:
> message-id=<20020113183252Z327702-7479+62@mail.centrum.cz>
> Jan 13 20:44:24 underworld postfix/qmgr[3738]: EB94643ED0:
> from=<rabl@centrum.cz>, size=1107, nrcpt=1 (queue active)
> Jan 13 20:44:24 underworld avcheck[4928]: infected:
> from=rabl@centrum.cz, to=aaa@underworld.blansko.cz, msg=infected:
> EICAR-Test-File

Ok, this looks good.  I hope you have an administrator notification
with the *complete* message here, yes?

>   From inside to inside:
> -----------------------------
> Jan 13 20:46:41 underworld postfix/smtpd[4968]: connect from
> unknown[172.29.0.1]
> Jan 13 20:46:41 underworld postfix/smtpd[4968]: 34F1F43ED0:
> client=unknown[172.29.0.1]
> Jan 13 20:46:41 underworld postfix/cleanup[4969]: 34F1F43ED0:
> message-id=<3C41D3D1.7080808@underworld.blansko.cz>
> Jan 13 20:46:41 underworld postfix/qmgr[3738]: 34F1F43ED0:
> from=<blaha@underworld.blansko.cz>, size=1093, nrcpt=1 (queue active)
> Jan 13 20:46:41 underworld postfix/smtpd[4974]: connect from
> underworld[127.0.0.1]
> Jan 13 20:46:41 underworld postfix/smtpd[4974]: 5469343ED4:
> client=underworld[127.0.0.1]
> Jan 13 20:46:41 underworld postfix/cleanup[4969]: 5469343ED4:
> message-id=<3C41D3D1.7080808@underworld.blansko.cz>
> Jan 13 20:46:41 underworld postfix/qmgr[3738]: 5469343ED4:
> from=<blaha@underworld.blansko.cz>, size=1278, nrcpt=1 (queue active)
> Jan 13 20:46:41 underworld postfix/pipe[4970]: 34F1F43ED0:
> to=<aaa@underworld.blansko.cz>, relay=avcheck, delay=0, status=sent
> (underworld.blansko.cz)
> Jan 13 20:46:41 underworld postfix/smtpd[4974]: disconnect from
> underworld[127.0.0.1]
> Jan 13 20:46:41 underworld postfix/local[4975]: 5469343ED4:
> to=<aaa@underworld.blansko.cz>, relay=local, delay=0, status=sent (maildir)

Well, this one wasn't detected.

> Msg. source:
> -----------------------------
> 
>  >From - Sun Jan 13 19:37:18 2002
> X-UIDL: 1010951201.4975_0.underworld.blansko.cz
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 10000000
> Return-Path: <blaha@underworld.blansko.cz>
> Delivered-To: aaa@underworld.blansko.cz
> Received: from localhost (underworld [127.0.0.1])
>         by underworld.blansko.cz (Postfix) with SMTP id 5469343ED4
>         for <aaa@underworld.blansko.cz>; Sun, 13 Jan 2002 20:46:41 +0100 (CET)
> Received: from underworld.blansko.cz (unknown [172.29.0.1])
>         by underworld.blansko.cz (Postfix) with ESMTP id 34F1F43ED0
>         for <aaa@underworld.blansko.cz>; Sun, 13 Jan 2002 20:46:41 +0100 (CET)
> Message-ID: <3C41D3D1.7080808@underworld.blansko.cz>
> Date: Sun, 13 Jan 2002 19:37:05 +0100
> From: RaBL <blaha@underworld.blansko.cz>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.7)
> Gecko/20011221
> X-Accept-Language: cs, en-us
> MIME-Version: 1.0
> To: aaa <aaa@underworld.blansko.cz>
> Subject: FROM Eicar inside
> Content-Type: multipart/mixed;
>   boundary="------------020809080209010509030007"
> 
> This is a multi-part message in MIME format.
> --------------020809080209010509030007
> Content-Type: text/plain; charset=ISO-8859-2; format=flowed
> Content-Transfer-Encoding: 7bit
> 
> body
> 
> --------------020809080209010509030007
> Content-Type: text/plain;
>   name="eicar.com"
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline;
>   filename="eicar.com"

This looks suspicious to me.  Content-Type: text/plain, that is.  Please
try the same with e.g. application/octet-stream.

And please look at the administrator virus alert you received when a "virus"
was actually detected, find the content-type there, and compare it with the
above.  I'm *very* curious.

> ## EICAR STRING :  REMOVED  :)) ##
> --------------020809080209010509030007--

And yes, your message was rejected by *our* mailserver, mail.corpit.ru.

Hmm...  Hmmm.... ;)
This all is interesting.  I'll start a new thread about content-types and
filenames.  The reject we encountered is a bug in drweb.

Regards,
 Michael.
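As an added illustration of the content-type point above (example code of my own, not from avcheck, drweb or anyone in this thread): a filter that decides what to scan purely from the declared Content-Type will skip a part labelled text/plain even when it carries filename="eicar.com", while a filter that treats any part with a filename (or any non-text part) as an attachment hands it to the scanner. The sample message, the boundary string and the placeholder standing in for the EICAR string are constructed for this example; the function names are mine.

```python
# Added example, not from the avcheck project or the thread.  Walks a MIME
# message two ways: (1) select parts by declared Content-Type only, and
# (2) select any part that carries a filename or is not text/*.
import email
from email import policy

# Constructed sample modelled on the quoted message: the attachment is
# declared text/plain but carries name= and filename= parameters.
# The EICAR string itself is replaced by a placeholder.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: aaa@example.invalid
Subject: FROM Eicar inside
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY-CONSTRUCTED"

This is a multi-part message in MIME format.
--BOUNDARY-CONSTRUCTED
Content-Type: text/plain; charset=ISO-8859-2; format=flowed
Content-Transfer-Encoding: 7bit

body

--BOUNDARY-CONSTRUCTED
Content-Type: text/plain;
  name="eicar.com"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
  filename="eicar.com"

## EICAR STRING PLACEHOLDER ##
--BOUNDARY-CONSTRUCTED--
"""

# Same constructed message, but with the attachment declared as
# application/octet-stream (the variant Michael asks RaBL to try).
SAMPLE_OCTET_STREAM = SAMPLE_MESSAGE.replace(
    'Content-Type: text/plain;\n  name="eicar.com"',
    'Content-Type: application/octet-stream;\n  name="eicar.com"',
)


def parts_by_content_type(raw, scan_types=("application/octet-stream",)):
    """Naive selection: scan only parts whose Content-Type is in scan_types.
    Returns a list of (content_type, filename) for the selected parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [
        (part.get_content_type(), part.get_filename())
        for part in msg.walk()
        if not part.is_multipart() and part.get_content_type() in scan_types
    ]


def parts_by_filename_or_binary(raw):
    """Robust selection: any non-multipart part that carries a filename
    (Content-Disposition filename= or Content-Type name=), or whose
    Content-Type is not text/*, is selected for scanning."""
    msg = email.message_from_string(raw, policy=policy.default)
    selected = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # get_filename() looks at Content-Disposition first, then the
        # name= parameter of Content-Type.
        fname = part.get_filename()
        if fname is not None or not ctype.startswith("text/"):
            selected.append((ctype, fname))
    return selected


def scan_payloads(raw):
    """Return the decoded bytes of every part the robust selection picks,
    keyed by filename: this is what would be handed to the scanner."""
    msg = email.message_from_string(raw, policy=policy.default)
    payloads = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname is not None or not part.get_content_type().startswith("text/"):
            payloads[fname or "<unnamed>"] = part.get_payload(decode=True)
    return payloads


if __name__ == "__main__":
    print("by content-type (text/plain sample):", parts_by_content_type(SAMPLE_MESSAGE))
    print("by content-type (octet-stream sample):", parts_by_content_type(SAMPLE_OCTET_STREAM))
    print("by filename/binary (text/plain sample):", parts_by_filename_or_binary(SAMPLE_MESSAGE))
    print("payloads handed to scanner:", scan_payloads(SAMPLE_MESSAGE))
```

Run it as-is: the content-type-only selection returns nothing for the text/plain sample and finds the attachment only in the octet-stream variant, while the filename-based selection finds eicar.com in both, which is the behaviour a content filter should have before it decides what to pass to the virus scanner.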