[Mimedefang] Virus getting by MD

Stefano McGhee SMcGhee at ARCweb.com
Wed Aug 27 10:41:01 EDT 2003


Hello All,
	I have been noticing curious behavior by my MD box over the past
couple of days.  It has been blocking many instances of SoBig.f and Bugbear
(yeah, it's still out there) quite adeptly over the past few days.  My MD box
acts as a mail gateway to my network, with an Exchange server providing
mailboxes for my users.  The box only processes incoming mail.
	Over the past few days, the Exchange server has been notifying me
of viruses that it has been catching.  This is weird, because the MD box,
running uvscan, usually catches everything.  Checking the logs shows that
MD and uvscan are still catching viruses, but the ones that get through are
sent from MAILER-DAEMON, Mail Delivery System, and Mail Delivery Subsystem
to internal users.  Some of these addresses have full email addresses and
some only have friendly names.  Checking the logs shows that the message
(h7RDDZgS013752) is getting through without an issue.  You can even see
another message that did get discarded (h7RDDrgS013773):

Aug 27 09:13:37 galactica sendmail[13752]: h7RDDZgS013752: from=<postmaster at alu-menziken.com>, size=230, class=0, nrcpts=1, msgid=<200308271313.h7RDDZgS013752 at galactica.arcweb.com>, proto=ESMTP, daemon=MTA, relay=[194.6.180.233]
Aug 27 09:13:38 galactica mimedefang.pl[12902]: MDLOG,h7RDDZgS013752,Total_mail,,,<postmaster at alu-menziken.com>,<raja at arcweb.com>,RE:Re: Details
Aug 27 09:13:38 galactica mimedefang-multiplexor: Killing idle slave 16 (pid 12902): Slave has processed 50 requests
Aug 27 09:13:38 galactica sendmail[13752]: h7RDDZgS013752: Milter add: header: X-Spam-Status: No, hits=2.1 req=8
Aug 27 09:13:38 galactica sendmail[13752]: h7RDDZgS013752: Milter add: header: X-Scanned-By: MIMEDefang 2.33 (www.roaringpenguin.com/mimedefang)
Aug 27 09:13:38 galactica mimedefang-multiplexor: Reap: Killed slave 16 (pid 12902) exited normally with status 0
Aug 27 09:13:38 galactica mimedefang-multiplexor: Slave 16 resource usage: req=50, scans=17, user=26.279, sys=1.941, nswap=0, majflt=15096, minflt=75432, maxrss=0, bi=0, bo=0
Aug 27 09:13:38 galactica sendmail[13771]: h7RDDZgS013752: to=<raja at arcweb.com>, delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30185, relay=mail.corp.arcweb.com. [63.111.209.2], dsn=2.0.0, stat=Sent ( <200308271313.h7RDDZgS013752 at galactica.arcweb.com> Queued mail for delivery)
Aug 27 09:13:41 galactica mimedefang-multiplexor: Starting slave 16 (pid 13772) (9 running): Bringing slaves up to minSlaves (9)
Aug 27 09:13:54 galactica sendmail[13773]: h7RDDrgS013773: from=<homes at dennishinojos.com>, size=99685, class=0, nrcpts=1, msgid=<200308271313.h7RDDrgS013773 at galactica.arcweb.com>, proto=ESMTP, daemon=MTA, relay=[209.101.192.222]
Aug 27 09:13:56 galactica mimedefang.pl[13012]: MDLOG,h7RDDrgS013773,virus,W32/Sobig.f at MM,209.101.192.222,<homes at dennishinojos.com>,<webmaster at arcweb.com>,Re: Details
Aug 27 09:13:56 galactica mimedefang.pl[13012]: MDLOG,h7RDDrgS013773,Total_mail,,,<homes at dennishinojos.com>,<webmaster at arcweb.com>,Re: Details
Aug 27 09:13:56 galactica mimedefang.pl[13012]: filter: h7RDDrgS013773: discard=1
Aug 27 09:13:56 galactica mimedefang[13774]: h7RDDrgS013773: Discarding because filter instructed us to
Aug 27 09:13:56 galactica sendmail[13773]: h7RDDrgS013773: Milter: data, discard
Aug 27 09:13:56 galactica sendmail[13773]: h7RDDrgS013773: discarded

Why did this happen?  Have I allowed things from mailer daemons in by
default somewhere?  I've looked in access.db as well as mimedefang-filter
and don't see anywhere that those come up.  Any ideas?


Thanks,

Stefano S. McGhee
IS and Infrastructure Group Manager
ARC Advisory Group
Three Allied Drive
Suite 212
Dedham, MA 02026
Voice: 781.471.1131
Email: SMcGhee at ARCweb.com 
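As an added example (not part of the original post and not MIMEDefang's own code), the Python below correlates the sendmail and MIMEDefang records by queue ID, the way you would when checking whether a message was scanned before it was relayed to Exchange. It reports, per queue ID, the envelope sender, size, any MDLOG virus verdict and the final sendmail outcome, and then lists messages that were relayed with no verdict from a bounce-style sender (null envelope sender, or a postmaster / MAILER-DAEMON local part), which is the pattern the post describes. The sample log is constructed from the excerpt above, re-joined onto one line per record with the archive's " at " obfuscation restored to "@"; the regexes, the Message record and the bounce-sender heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the syslog excerpt from the post above, one line per
# record, with the list archive's " at " obfuscation restored to "@".
SAMPLE_LOG = """\
Aug 27 09:13:37 galactica sendmail[13752]: h7RDDZgS013752: from=<postmaster@alu-menziken.com>, size=230, class=0, nrcpts=1, msgid=<200308271313.h7RDDZgS013752@galactica.arcweb.com>, proto=ESMTP, daemon=MTA, relay=[194.6.180.233]
Aug 27 09:13:38 galactica mimedefang.pl[12902]: MDLOG,h7RDDZgS013752,Total_mail,,,<postmaster@alu-menziken.com>,<raja@arcweb.com>,RE:Re: Details
Aug 27 09:13:38 galactica mimedefang-multiplexor: Killing idle slave 16 (pid 12902): Slave has processed 50 requests
Aug 27 09:13:38 galactica sendmail[13752]: h7RDDZgS013752: Milter add: header: X-Scanned-By: MIMEDefang 2.33 (www.roaringpenguin.com/mimedefang)
Aug 27 09:13:38 galactica sendmail[13771]: h7RDDZgS013752: to=<raja@arcweb.com>, delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30185, relay=mail.corp.arcweb.com. [63.111.209.2], dsn=2.0.0, stat=Sent ( <200308271313.h7RDDZgS013752@galactica.arcweb.com> Queued mail for delivery)
Aug 27 09:13:54 galactica sendmail[13773]: h7RDDrgS013773: from=<homes@dennishinojos.com>, size=99685, class=0, nrcpts=1, msgid=<200308271313.h7RDDrgS013773@galactica.arcweb.com>, proto=ESMTP, daemon=MTA, relay=[209.101.192.222]
Aug 27 09:13:56 galactica mimedefang.pl[13012]: MDLOG,h7RDDrgS013773,virus,W32/Sobig.f@MM,209.101.192.222,<homes@dennishinojos.com>,<webmaster@arcweb.com>,Re: Details
Aug 27 09:13:56 galactica mimedefang.pl[13012]: MDLOG,h7RDDrgS013773,Total_mail,,,<homes@dennishinojos.com>,<webmaster@arcweb.com>,Re: Details
Aug 27 09:13:56 galactica mimedefang.pl[13012]: filter: h7RDDrgS013773: discard=1
Aug 27 09:13:56 galactica sendmail[13773]: h7RDDrgS013773: Milter: data, discard
Aug 27 09:13:56 galactica sendmail[13773]: h7RDDrgS013773: discarded
"""

# sendmail "from=" record: queue ID, envelope sender, size, connecting relay
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)"
    r".*relay=(?P<relay>\S+)"
)
# sendmail "to=" record: queue ID, recipient, delivery status word
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>.*stat=(?P<stat>\w+)")
# sendmail's final record for a message the milter discarded
DISCARD_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): discarded$")
# MIMEDefang MDLOG record: MDLOG,<qid>,<event>,<detail>,<relay>,<sender>,<rcpt>,<subject>
MDLOG_RE = re.compile(r"MDLOG,(?P<qid>\w+),(?P<event>[^,]*),(?P<detail>[^,]*),")


@dataclass
class Message:
    """Everything the logs tell us about one sendmail queue ID (this example's own type)."""
    qid: str
    sender: str = ""
    size: int = 0
    relay: str = ""
    recipients: list = field(default_factory=list)
    verdicts: list = field(default_factory=list)   # details of MDLOG "virus" events
    outcome: str = "unknown"                       # "sent", "discarded" or "unknown"


def correlate(log_text):
    """Join sendmail and MIMEDefang records on the queue ID they share."""
    messages = {}

    def msg(qid):
        return messages.setdefault(qid, Message(qid))

    for line in log_text.splitlines():
        line = line.rstrip()
        if m := FROM_RE.search(line):
            rec = msg(m["qid"])
            rec.sender, rec.size, rec.relay = m["sender"], int(m["size"]), m["relay"]
        elif m := DISCARD_RE.search(line):
            msg(m["qid"]).outcome = "discarded"
        elif m := TO_RE.search(line):
            rec = msg(m["qid"])
            rec.recipients.append(m["rcpt"])
            if m["stat"] == "Sent":
                rec.outcome = "sent"
        elif m := MDLOG_RE.search(line):
            if m["event"] == "virus":
                msg(m["qid"]).verdicts.append(m["detail"])
    return messages


# Heuristic (this example's assumption): senders that look like delivery
# status notifications rather than ordinary mail.
BOUNCE_LOCAL_PARTS = {"postmaster", "mailer-daemon"}


def is_bounce_like(sender):
    """Null envelope sender (as DSNs use) or a postmaster / MAILER-DAEMON local part."""
    return sender == "" or sender.split("@", 1)[0].lower() in BOUNCE_LOCAL_PARTS


def delivered_without_verdict(messages):
    """Queue IDs relayed onward with no MDLOG virus verdict from a bounce-style sender."""
    return sorted(
        m.qid for m in messages.values()
        if m.outcome == "sent" and not m.verdicts and is_bounce_like(m.sender)
    )


def summarize(messages):
    """One report line per queue ID: sender, size, verdicts, outcome."""
    return [
        f"{r.qid} {r.sender or '<>'} size={r.size} virus={','.join(r.verdicts) or '-'} {r.outcome}"
        for r in sorted(messages.values(), key=lambda r: r.qid)
    ]


if __name__ == "__main__":
    msgs = correlate(SAMPLE_LOG)
    print("\n".join(summarize(msgs)))
    print("relayed with no verdict, bounce-style sender:", delivered_without_verdict(msgs))
```

Against a live box, feed it the mail log instead of the sample (for instance `correlate(open("/var/log/maillog").read())`; the path is an assumption and varies by system). Two things the correlated view makes plain in the excerpt above: the multiplexor's "Killing idle slave 16 ... Slave has processed 50 requests" line comes after that slave had already logged Total_mail for h7RDDZgS013752 and after sendmail had added the X-Scanned-By header, so it is routine slave recycling rather than a skipped scan; and at size=230 that message cannot contain the attachment that made the discarded Sobig.f message 99,685 bytes, so the Exchange-side detection on it is worth examining on its own terms.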
