[Mimedefang] Virus getting by MD

cam bcp1 at craqskeep.com
Thu Aug 28 21:20:02 EDT 2003


On Wed, 27 Aug 2003, Ole Craig wrote:

> On 08/27/03 at 10:40, 'twas brillig and Stefano McGhee scrobe:
> > 	Over the past few days, the Exchange server has been notifying me
> > of viruses that it has been catching.  This is weird, because the MD box,
> > running uvscan, usually catches everything.  Checking the logs shows that
> > MD and uvscan are still catching viruses, but the ones that get through are
> > sent from MAILER-DAEMON, Mail Delivery System, and Mail Delivery
> > Subsystem to internal users.  Some of these addresses have full email
> > addresses and some only have friendly names.  Checking the logs shows that
> > the message (h7RDDZgS013752) is getting through without an issue.  You can
> > even see another message that did get discarded (h7RDDrgS013773):
> 
> [...]
>  
> > Why did this happen?  Have I allowed things from mailer daemons in by
> > default somewhere?  I've looked in access.db as well as mimedefang-filter
> > and don't see anywhere that those come up.  Any ideas?
> 
> 	I'm seeing some of the same kind of behavior with clamscan.
> Certainly lots of SoBig is getting caught (18821 over the last 48
> hours against a total volume of 45282 emails, according to that
> ever-so-useful tool GraphDefang) but occasionally a bounce from some
> less-than-perfectly configured MTA somewhere will show up in a user's
> mailbox with a defanged details.pif or what have you. 
> 


I have been watching for this since I read this message earlier today and
am seeing the same thing.  All the ones that I have looked at are of the
same type as mentioned by the original post, all mailer-daemon based type
addresses.  One other thing I noted: all seem to be from Exim (at least
the ones since I have been paying attention).





