[Mimedefang] Blocking cleaned virus messages.

Charles Mount cmount at csc.com
Thu Aug 28 18:11:01 EDT 2003


My environment includes a firewall mail relay running a product called
Gauntlet, followed by a Sendmail Switch mailhub running MimeDefang to call
SpamAssassin, then ultimately Exchange (plus some Lotus Notes, GroupWise,
UNIX mail, VAX mail and others).

Gauntlet, like most commercial virus protection software, does not offer the
option of discarding virus-infected messages; the only option is cleaning.
Changing firewall software or routing of mail are not options.

When Gauntlet detects a virus-infected attachment, it replaces the
attachment with a message stating that the virus has been cleaned. It
retains the name of the original attachment, appending ".htm" to it, as in
patch.exe.htm in the example below.

Most users cannot recognize the subtle differences between a virus-infected
message and a cleaned message. This leads to a lot of calls from users
thinking they have a virus.

I have tried to add rules to make SpamAssassin discard these messages.
Below are a header, an actual attachment and a couple of rules I have tried.
PLEASE HELP with suggestions of MimeDefang or SpamAssassin rules that can
be used to block these messages.


PIECE OF HEADER:
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="xxxx"
X-Scanned-By: MIMEDefang 2.32 (www . roaringpenguin . com / mimedefang)


--xxxx
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

--xxxx
Content-Type: Text/HTML;
  name="patch.exe.htm"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
  filename="patch.exe.htm"
X-NAI-Gauntlet-mimepp: Attachment removed

--xxxx

--xxxx--



ACTUAL ATTACHMENT:
<html><head><meta HTTP-EQUIV="Content-Type" content="text/html; charset=">
<title>VIRUS INFECTION ALERT</title></head>
<body>
<h1><font color="#FF0000">VIRUS INFECTION ALERT</font></h1>
<p>The Gauntlet Firewall&reg discovered a virus in this file.
The file was not repaired and has therefore been removed.
See your system administrator for further information.
</p>
<p>Filename: patch.exe<br>
Virus name: W32/Dumaru at MM</p>

<p>Copyright © 1993-2001, Networks Associates Technology, Inc.All
Rights Reserved.<br>
<a href="http://www.pgp.com">http://www.pgp.com</a></p>
 </body></html>


RULES I TRIED:
uri BLACKLIST_URI_3 /(pgp\.com|rest of the list removed for example)/i
describe BLACKLIST_URI_3      Local Blacklisted URLs
score BLACKLIST_URI_3 10
(This works if I remove the attachment and attach it to a test message, but
does not work in real life.)

header drop_gauntlet    X-NAI-Gauntlet-mimepp =~ /removed/
describe drop_gauntlet  remove virus warnings
score drop_gauntlet 10
(this has never worked)
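An added example, not from the post above and not the MIMEDefang project's own code: a MIMEDefang filter hook that walks the MIME tree and acts on the X-NAI-Gauntlet-mimepp part header shown in the post. The header is attached to the cleaned part, not to the top-level message, so a SpamAssassin "header" rule (which only reads top-level headers) never sees it; the filter has to inspect each part. It assumes a MIMEDefang release whose filter_end() receives the parsed top-level MIME::Entity, and it replaces the filter_end() already defined in the stock mimedefang-filter. The function name count_gauntlet_removed and the log text are my own; the header name and the "removed" wording come from the post.

```perl
# Drop-in for /etc/mail/mimedefang-filter (added example, not project code).
# Assumes filter_end($entity) receives the top-level MIME::Entity.
use strict;
use warnings;

# Count the parts that carry Gauntlet's "Attachment removed" marker.
# The marker is a *part* header, so the MIME tree must be walked recursively;
# a top-level header test (SpamAssassin "header" rule) cannot match it.
sub count_gauntlet_removed {
    my ($entity) = @_;
    my $count = 0;

    if ($entity->is_multipart) {
        $count += count_gauntlet_removed($_) for $entity->parts;
        return $count;
    }

    # MIME::Head::get returns the first value (with trailing newline) or undef.
    my $marker = $entity->head->get('X-NAI-Gauntlet-mimepp');
    if (defined $marker && $marker =~ /removed/i) {
        my $name = $entity->head->mime_attr('content-disposition.filename')
                || $entity->head->mime_attr('content-type.name')
                || '(unnamed)';
        md_syslog('info', "Gauntlet-cleaned attachment found: $name");
        $count++;
    }
    return $count;
}

# Called once per message after every part has been seen by filter().
sub filter_end {
    my ($entity) = @_;

    my $n = count_gauntlet_removed($entity);
    return if $n == 0;

    # Keep a copy for the administrator, then discard the message so the
    # "VIRUS INFECTION ALERT" stub never reaches a user's mailbox.
    action_quarantine_entire_message(
        "Gauntlet removed $n infected attachment(s); message withheld");
    action_discard();
}

1;
```

Quarantining before discarding keeps an audit trail (and a way to release a false positive) without involving SpamAssassin at all; if you only want to strip the stub rather than lose the whole message, call action_drop_with_warning() from filter() on the matching part instead.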