[Mimedefang] HBEDV Reporting broken? - False Positives Reported
Albert E. Whale
aewhale at ABS-CompTech.com
Sun Dec 15 16:19:06 EST 2002
Ashley,
Thanks for the reply; HOWEVER, there are other factors here which you did not
read previously.
1. The entire Class A network is blocked; now nothing from Korea or China gets
in, INCLUDING DNS answers.
2. There is no Virus. Nothing in the Email will distribute a Virus.
This brings up the first question, regarding a possible False Positive, and
secondly, why is a False Positive presented on the mail message? I too have
access to Unfiltered DNS and also from WHOIS Servers. I know where the messages
(allegedly) came from.
The intent is to reduce the Amount of Scanning, probing and SPAMming from Asia.
For the most part, it is effective. However, I cannot explain the False
Positive in the email message.
I didn't mean to overwhelm you, just trying to keep this message focused.
Thanks and Have a Great Day!
"Ashley M. Kirchner" wrote:
> Albert E. Whale wrote:
>
> >Looks more like Sendmail is doing the Lookup. Here's a sample of the logs.
> >
> >Dec 15 12:06:11 access2 sendmail[2953]: gBDJIOuj002074:
> >to=<debra134 at kebi.com>, delay=1+21:23:24, xdelay=00:00:00,
> >mailer=esmtp, pri=4262908, relay=kebi.com., dsn=4.0.0,
> >stat=Deferred: Name server: kebi.com.: host name lookup failure
> >Dec 15 13:09:17 access2 sendmail[5436]: gBDJIOui002074:
> >to=<suzanne8004 at kebi.com>, delay=1+22:26:30, xdelay=00:00:56,
> >mailer=esmtp, pri=4352763, relay=kebi.com., dsn=4.0.0,
> >stat=Deferred: Name server: kebi.com.: host name lookup failure
> >
> >
> This is sendmail (or the server it's on) not being able to resolve
> kebi.com. What happened here (in order) is:
>
> - someone at @kebi.com sent you a message with a virus attached.
> - MD successfully identified this and blocked the message
> - MD also attempted to notify the sender at kebi.com that their
> message had a virus in it
> - MD passed its notification message back to sendmail for delivery
> - sendmail was unable to resolve kebi.com and kept trying for a
> while (couple of days)
> - sendmail eventually gave up and dropped the message back in
> postmaster at yourdomain (or root at yourdomain)
>
> When I lookup kebi.com, I get a round robin answer containing 10
> different IPs. If your mail server can't resolve the address, I'd say
> you need to look at your DNS server and find out why it can't resolve
> that address. It could be a simple case of it not allowing sendmail to
> communicate with it...who knows.
>
> _______________________________________________
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
--
Albert E. Whale - CISSP
http://www.abs-comptech.com
----------------------------------------------------------------------
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
Sr. Security, Network, and Systems Consultant
Board of Directors - InfraGard - Pittsburgh, PA
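As an added example (not part of this thread, and not MIMEDefang's or sendmail's own code), the script below parses sendmail "Deferred" queue entries like the two quoted above, flags the ones whose deferral is a name-server lookup failure, converts the delay field to seconds (to show how long sendmail has been retrying), and checks whether a set of name-server addresses falls inside a blocked network, which is the "Class A block also blocks DNS answers" situation described in the message. The two log lines are the ones quoted in the thread with the archive's "at" restored to "@"; the blocked network 10.0.0.0/8 and the name-server addresses are constructed for illustration and are not kebi.com's real ones.

```python
"""Classify sendmail 'Deferred' entries and spot DNS-resolution failures.

Added example; not code from the original thread.  The log lines are the
ones quoted in the thread.  BLOCKED_NETS and EXAMPLE_NAMESERVERS below are
constructed values, not the real kebi.com name servers.
"""
import ipaddress
import re

# Log lines from the thread, joined back onto one line each.
SAMPLE_LOG = """\
Dec 15 12:06:11 access2 sendmail[2953]: gBDJIOuj002074: to=<debra134@kebi.com>, delay=1+21:23:24, xdelay=00:00:00, mailer=esmtp, pri=4262908, relay=kebi.com., dsn=4.0.0, stat=Deferred: Name server: kebi.com.: host name lookup failure
Dec 15 13:09:17 access2 sendmail[5436]: gBDJIOui002074: to=<suzanne8004@kebi.com>, delay=1+22:26:30, xdelay=00:00:56, mailer=esmtp, pri=4352763, relay=kebi.com., dsn=4.0.0, stat=Deferred: Name server: kebi.com.: host name lookup failure
"""

# Hypothetical: a /8 blocked at the border, and the name servers a relay
# domain happens to use (constructed addresses, documentation/private ranges).
BLOCKED_NETS = ["10.0.0.0/8"]
EXAMPLE_NAMESERVERS = ["10.1.2.3", "10.200.7.7", "192.0.2.53"]

# syslog prefix + sendmail queue id, then the comma-separated field list
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<fields>.*)$"
)


def parse_fields(text):
    """Turn 'k=v, k=v, ..., stat=...' into a dict.

    'stat' is always the last field and may itself contain ', ', so it is
    split off first rather than with the other fields.
    """
    out = {}
    head, sep, stat = text.partition(", stat=")
    for part in head.split(", "):
        key, _, value = part.partition("=")
        out[key] = value
    if sep:
        out["stat"] = stat
    return out


def parse_line(line):
    """Parse one sendmail log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(parse_fields(rec.pop("fields")))
    rec["recipient"] = rec.get("to", "").strip("<>")
    return rec


def parse_delay(delay):
    """Convert sendmail's delay field ([D+]HH:MM:SS) to seconds."""
    days, _, hms = delay.rpartition("+")
    h, m, s = (int(x) for x in hms.split(":"))
    return (int(days) if days else 0) * 86400 + h * 3600 + m * 60 + s


def dns_failures(log_text):
    """Return the deferred (4.x.x) records whose reason is a lookup failure."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec.get("dsn", "").startswith("4.") and \
                "host name lookup failure" in rec.get("stat", ""):
            rec["delay_seconds"] = parse_delay(rec["delay"])
            hits.append(rec)
    return hits


def relay_domains(records):
    """Distinct relay names from the records, without the trailing dot."""
    return sorted({r["relay"].rstrip(".") for r in records})


def blocked_nameservers(nameservers, blocked_nets):
    """Name-server addresses that fall inside any blocked network."""
    nets = [ipaddress.ip_network(n) for n in blocked_nets]
    return {ip for ip in nameservers
            if any(ipaddress.ip_address(ip) in net for net in nets)}


if __name__ == "__main__":
    failures = dns_failures(SAMPLE_LOG)
    for r in failures:
        print(f"{r['qid']}: {r['recipient']} via {r['relay']} "
              f"deferred for {r['delay_seconds'] // 3600} h ({r['stat']})")
    print("relays that would not resolve:", relay_domains(failures))
    unreachable = blocked_nameservers(EXAMPLE_NAMESERVERS, BLOCKED_NETS)
    print("name servers behind the block:", sorted(unreachable))
    if unreachable and len(unreachable) == len(EXAMPLE_NAMESERVERS) - 1:
        print("one server still reachable; resolution should eventually succeed")
```

Run against a real /var/log/maillog, the interesting output is the relay list: if every relay that fails to resolve sits in the blocked region, the block, not a MIMEDefang false positive, explains the deferrals. The name-server check is the part to adapt: feed it the NS addresses your resolver actually gets for the relay domain, and if all of them are inside the blocked range the lookup can never complete.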