On Sun, May 16, 2004 at 05:41:11PM -0500, McKeever Chris wrote:
> -------------------------------------------
> Chris McKeever
> If you want to reply directly to me, please use cgmckeever--at--prupref---dot---com
> http://www.prupref.com
> Prudential Preferred Properties
> Chicago and Illinois NorthShore Real Estate Experts
>
> On Sun, 16 May 2004 13:42 , Eric Becker <[EMAIL PROTECTED]> sent:
>
> >>Well - in this case it was definitely from outside - and the proxy I
> >>wrote and use passes all email, internal or external, through clam and
> >>spam assassin and a bunch of custom rules... but thanks :-)
> >
> >Well depending on the virus, it may be sending emails from its own smtp
> >engine and not touching your server that is scanning your emails. The
> >virus doesn't care or bother to use any proxy that you may have set up.
> >It just sends out emails on its own. We have qmail with qmail-scanner
> >and clamav on a box sitting outside our network that scans all incoming
> >mail and forwards it on to our groupwise server. I'm not sure how you're
> >set up, i.e. if clamav is actually sitting on the mailserver that's
> >storing your users' emails. If it is, then I would assume the email(s)
> >should have been caught.
> >
> >We thought the same thing had happened. We started getting all kinds of
> >viruses emailed to our users and the "from" field appeared to be from a
> >known customer outside of our network. Turns out that a laptop user had
> >gotten infected when he took the laptop home and was sending the virus
> >out to our users from within our network when he vpn'd in. Just
> >because the sender field is from an external email address, doesn't mean
> >it didn't originate internally. Most return addresses on viruses are
> >spoofed.
> >
> >If you haven't already done so, I would look at the headers of the
> >emails with the virus. If you notice that the emails never touch the
> >server with clamav, then obviously they were never scanned.
>
> Eric - that is exactly what happened here, since the virus has its own SMTP it was
> just sending directly to the internal mail-server. Since that is
> just the server, and never sends itself, I blocked all traffic except for the IP of
> the mail gateway - at least it takes out one piece of the
> equation if something does 'slip' through
>

We, in fact, have smtp outbound blocked for ALL but our mail servers, for that very reason. With the notable exception of our network monitoring box and the 3 or 4 outbound smtp servers, nothing can send mail out without passing through a gateway.....now if I could only convince them to let us run clam on the gateway....
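The header check Eric recommends above (did the message's Received: chain ever pass through the ClamAV gateway, and which address did it really enter from, regardless of what the From: header claims) as an added Python example. This is not code from the thread or from ClamAV; the gateway and internal host names, the LAN ranges and the two sample messages are constructed placeholders.

```python
"""Triage a suspect message by its Received: chain.

Added example, not code from the list thread. Host names, address ranges
and the two sample messages below are constructed placeholders.
"""
import ipaddress
import re
from email import message_from_string

# Matches the usual "from <host> (<helo/ptr> [ip]) by <host>" shape written by
# sendmail, qmail and postfix. Local-submission lines ("by ..." with no
# "from") do not match and are skipped on purpose.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s*\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Assumed site layout (constructed): one scanning gateway in front of the
# internal mail store, RFC 1918 ranges on the LAN.
GATEWAY_HOSTS = ("mail-gw.example.com",)
INTERNAL_NETS = ("192.168.0.0/16", "10.0.0.0/8")
# Only Received: lines written by hosts we operate can be trusted; a sender
# can prepend fabricated ones below them.
OUR_HOSTS = GATEWAY_HOSTS + ("mail.internal.example.com",)

# Constructed sample 1: delivered straight to the internal store from a LAN
# address, never touching the gateway; From: claims an outside customer.
DIRECT_SAMPLE = """\
Received: from customer-laptop.example.net (unknown [192.168.5.23])
    by mail.internal.example.com (Postfix) with SMTP id C0FFEE;
    Sun, 16 May 2004 13:02:11 -0500
From: Known Customer <known.customer@example.net>
Subject: Re: Document

body
"""

# Constructed sample 2: came in from the outside through the scanning gateway.
GATEWAY_SAMPLE = """\
Received: from mail-gw.example.com (mail-gw.example.com [203.0.113.10])
    by mail.internal.example.com (Postfix) with ESMTP id DECAF1;
    Sun, 16 May 2004 13:05:40 -0500
Received: from smtp.customer.example.net (smtp.customer.example.net [198.51.100.7])
    by mail-gw.example.com (qmail-scanner) with SMTP;
    Sun, 16 May 2004 13:05:38 -0500
From: Known Customer <known.customer@example.net>
Subject: Re: Document

body
"""


def received_hops(msg):
    """Hops oldest-first as dicts with from/by/ip.

    Every MTA prepends its own Received: line, so header order is newest-first;
    reversing gives the path the message actually travelled.
    """
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        m = HOP_RE.search(hdr)
        if not m:
            continue
        ip_m = IP_RE.search(m.group("helo") or "") or IP_RE.search(hdr)
        hops.append({"from": m.group("from"), "by": m.group("by"),
                     "ip": ip_m.group(1) if ip_m else None})
    hops.reverse()
    return hops


def hop_path(raw):
    """Receiving hosts in travel order, e.g. [gateway, internal store]."""
    return [h["by"] for h in received_hops(message_from_string(raw))]


def entry_hop(msg, our_hosts=OUR_HOSTS):
    """Oldest hop recorded by one of our own MTAs: where the mail entered."""
    ours = {h.lower() for h in our_hosts}
    for hop in received_hops(msg):
        if hop["by"].lower() in ours:
            return hop
    return None


def passed_through_gateway(msg, gateway_hosts=GATEWAY_HOSTS):
    """True if some hop was received *by* a scanning gateway host."""
    gws = {g.lower() for g in gateway_hosts}
    return any(h["by"].lower() in gws for h in received_hops(msg))


def originated_internally(msg, internal_nets=INTERNAL_NETS):
    """True if the mail entered our MTAs from one of our own address ranges."""
    hop = entry_hop(msg)
    if hop is None or hop["ip"] is None:
        return False
    ip = ipaddress.ip_address(hop["ip"])
    return any(ip in ipaddress.ip_network(n) for n in internal_nets)


def triage(raw):
    """Summarise whether a raw message was scanned and where it came from."""
    msg = message_from_string(raw)
    return {"scanned": passed_through_gateway(msg),
            "internal_origin": originated_internally(msg),
            "from_header": msg.get("From")}


if __name__ == "__main__":
    for name, raw in (("direct", DIRECT_SAMPLE), ("via gateway", GATEWAY_SAMPLE)):
        print(name, hop_path(raw), triage(raw))
```

For the direct sample the result is `scanned=False, internal_origin=True` even though From: names an outside customer, which is exactly the infected-laptop case described in the thread; the gateway sample yields `scanned=True, internal_origin=False`. The entry point is taken from the oldest Received: line written by one of our own hosts, not from the oldest line overall, because anything below that line arrived as part of the message and could have been written by the sender.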
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users