[Mimedefang] New virus out, how do I confirm no errors?

Fox, Randy Randy_Fox at csgsystems.com
Wed Dec 5 10:19:47 EST 2001


>1) Is there any way mail could come in and bypass the MIMEDefang server?
>Since they all have the X-Scanned-By: header, that's unlikely, but it
>may be possible.

We looked at this but haven't seen how this is possible.  The user isn't
popping off the Internet, and the messages have Received: headers that
show internal server names.

>2) Do any of the failed messages have an X-MIMEDefang-Warning: header?

I haven't found any.

>3) Can you post your filter code?  Maybe there's something wrong there.

The filter is a variant of the supplied minimal-windows filter, here's the
actual filter sub-routine:

$Stupidity{"flatten"} = 0;
$Stupidity{"NoMultipleInlines"} = 1;

sub filter {
    my($entity, $fname, $ext, $type) = @_;

    # CNS's filter/response as of 11/19/2001 -- R. Fox
    # $Sender, @Recipients, re_match_ext() and the action_* calls are the usual
    # mimedefang.pl globals; $CSGEMailPolicy (URL of the e-mail usage policy) is
    # set elsewhere in the filter file.
    if (re_match_ext($entity, '^\.(exe|com|bat|bas|vbs|scr|dll|vxd|pif|reg|lnk|ini)$')) {
        # Don't respond to auto-replies (null sender "<>").  The posted code
        # read "unless ($Sender !~ /<>/)", which inverted the test and notified
        # only null senders; "if" gives the behaviour the comment describes.
        if ($Sender !~ /<>/) {
            if ($Sender =~ /csgsys/i) {         # send employees link to Intranet.
                action_notify_sender("The attachment '$fname' was deleted.  We do not\n" .
                                     "accept attachments of type '$ext'.\n\n" .
                                     "For information on CSG's attachment policy, go to CORE and see the e-mail\n" .
                                     "usage policy, $CSGEMailPolicy.\n");
            } else {                            # send outsiders notice of attachment deletion.
                action_notify_sender("The attachment '$fname' was deleted.  We do not\n" .
                                     "accept attachments of type '$ext'.\n");
            }
        }

        my($recip) = @Recipients;               # note: only the first recipient is examined
        if (($recip =~ /csgsys/i) && ($Sender !~ /csgsys/)) {   # send employees link to Intranet and to ftp servers.
            return action_quarantine($entity, "An attachment named $fname was removed from this document as it\n" .
                                     "constituted a security hazard.  If you require this document, please contact\n" .
                                     "the sender and arrange an alternate means of receiving it\n" .
                                     "such as the anonymous ftp server ftp://ftp.csgsystems.com.\n\n" .
                                     "For information on CSG's attachment policy, go to CORE and see the e-mail\n" .
                                     "usage policy, $CSGEMailPolicy\n");
        } else {                                # send outsiders notice that attachment deleted.
            return action_quarantine($entity, "An attachment named $fname was removed from this document as it\n" .
                                     "constituted a security hazard.  If you require this document, please contact\n" .
                                     "the sender and arrange an alternate means of receiving it.\n");
        }
    }

    # accept all other attachments
    return action_accept();
}

>4) Could you post the headers and MIME part headers for a message which
failed?

Here's an entire header:

Received: from foghorn.csgsystems.com by exchange.csgsystems.com with SMTP
	(Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
	id WLCW9ZNC; Tue, 4 Dec 2001 13:11:39 -0600
Received: from eggheadjr.csgsystems.com
	(IDENT:root at eggheadjr.csgsystems.com)
	by foghorn.csgsystems.com (8.11.1/8.11.1) with ESMTP id fB4JB3Q07662;
	Tue, 4 Dec 2001 13:11:03 -0600 (CST)
Received: from BATL0S04.cbi.customer.com
	by eggheadjr.csgsystems.com (8.12.1/8.12.1) with ESMTP id fB4JBaAm011308;
	Tue, 4 Dec 2001 12:11:37 -0700
Received: by batl0s04.cei.customer.com with Internet Mail Service
	(5.5.2650.21)
	id <V8QPNP5B>; Tue, 4 Dec 2001 14:00:06 -0500
Message-ID:
	<AD927D10BCE3D211AAF600A0C9EA31B306CA020E at batl0s04.cei.customer.com>
From: AT.Turner at customer.com
To: CCI-CSGFaxTransmittals at customer.com
Subject: Hi
Date: Tue, 4 Dec 2001 12:15:20 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/mixed;
	boundary="----_=_NextPart_000_01C17CF5.E1418EAA"
X-Scanned-By: MIMEDefang 2.1 (www dot roaringpenguin dot com slash mimedefang)

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_01C17CF5.E1418EAA
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C17CF5.E1418EAA"


------_=_NextPart_001_01C17CF5.E1418EAA
Content-Type: text/plain

------_=_NextPart_001_01C17CF5.E1418EAA
Content-Type: text/html

------_=_NextPart_001_01C17CF5.E1418EAA--

------_=_NextPart_000_01C17CF5.E1418EAA
Content-Type: application/octet-stream;
	name="gone.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="gone.txt"

------_=_NextPart_000_01C17CF5.E1418EAA--


Thanks,
Randy
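An offline check for the three things the questions above turn on (is the X-Scanned-By header present, is there an X-MIMEDefang-Warning header, and which attachment names the posted filter's extension list would match), as an added example that is not part of the original post or of MIMEDefang itself. The sample message is a constructed, trimmed copy of the one posted, with placeholder addresses and empty bodies; the case-insensitive extension match is an assumption to confirm against the re_match_ext() of the MIMEDefang version in use.

```python
"""Offline sanity check for a MIMEDefang-scanned message (added example)."""
import email
import re

# Same extension list as the re_match_ext() call in the posted filter.
# Case-insensitive here (assumption: confirm against your MIMEDefang
# version's re_match_ext if you rely on it).
BLOCKED_EXT = re.compile(
    r'^\.(exe|com|bat|bas|vbs|scr|dll|vxd|pif|reg|lnk|ini)$', re.IGNORECASE)

# Constructed sample: a trimmed copy of the message posted above, with
# placeholder addresses.  Part bodies are empty, as in the original.
SAMPLE = """\
From: sender@example.com
To: recipient@example.com
Subject: Hi
Date: Tue, 4 Dec 2001 12:15:20 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----_=_NextPart_000_01C17CF5.E1418EAA"
X-Scanned-By: MIMEDefang 2.1 (www dot roaringpenguin dot com slash mimedefang)

This message is in MIME format.

------_=_NextPart_000_01C17CF5.E1418EAA
Content-Type: multipart/alternative;
 boundary="----_=_NextPart_001_01C17CF5.E1418EAA"

------_=_NextPart_001_01C17CF5.E1418EAA
Content-Type: text/plain

------_=_NextPart_001_01C17CF5.E1418EAA
Content-Type: text/html

------_=_NextPart_001_01C17CF5.E1418EAA--

------_=_NextPart_000_01C17CF5.E1418EAA
Content-Type: application/octet-stream;
 name="gone.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="gone.txt"

------_=_NextPart_000_01C17CF5.E1418EAA--
"""


def extension_of(filename):
    """Trailing '.ext' of a filename, or '' if it has none."""
    m = re.search(r'(\.[^.]*)$', filename)
    return m.group(1) if m else ''


def check_message(raw):
    """Parse a raw message and report what a filter like the posted one would see."""
    msg = email.message_from_string(raw)
    report = {
        # None here means the message did not pass through the scanner (question 1).
        'scanned_by': msg.get('X-Scanned-By'),
        # The header asked about in question 2; None when absent.
        'warning': msg.get('X-MIMEDefang-Warning'),
        'attachments': [],   # every non-multipart part that carries a filename
        'blocked': [],       # the subset whose extension the filter regex matches
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()   # Content-Disposition filename, else Content-Type name
        if not fname:
            continue
        report['attachments'].append(fname)
        if BLOCKED_EXT.match(extension_of(fname)):
            report['blocked'].append(fname)
    return report


def summarize(report):
    """Short verdict lines for eyeballing a message while triaging."""
    return [
        'scanned by MIMEDefang: %s' % ('yes' if report['scanned_by'] else 'NO'),
        'filter warning header: %s' % (report['warning'] or 'none'),
        'attachments: %s' % (', '.join(report['attachments']) or 'none'),
        'would be blocked by extension: %s' % (', '.join(report['blocked']) or 'none'),
    ]


if __name__ == '__main__':
    for line in summarize(check_message(SAMPLE)):
        print(line)
```

Run against a saved copy of a message that got through and the last line shows directly whether the extension list was ever going to act on it; for the sample above the attachment is gone.txt, which is not in the list, so the filter accepts it as written.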
