Spam Filter ISP Support Forum


Possible virus loop hole?

lyndonje, posted 10 February 2009 at 7:47am
Hello,

A customer has contacted me to say one of the users seems to have received an email containing a virus. I asked them to send me a copy of the email, firstly to confirm it does actually contain a virus. After not receiving the email, and in checking the logs, I found that the email they tried to send to me was rejected because it did contain a virus.

Having looked at the headers of the original email, which was only sent a few hours prior, I can see that the email did pass through our SF server. On checking the logs I can see that the TO and FROM address both matched, but were autowhitelisted, which seems to have taken priority over the fact SF detected a virus in the email? Log snippet below, using v.4.1.2.801

02/10/09 06:10:33:439 -- (10428) Connection from: 217.175.222.231  -  Originating country : Cyprus
02/10/09 06:10:34:251 -- (10428) Received MAIL FROM: <bins@xxx.com> SIZE=53856
02/10/09 06:10:34:439 -- (10428) Received RCPT TO: bins@xxx.com
02/10/09 06:10:34:485 -- (10428) Resolving 217.175.222.231 - 217-175-222-231.dyn-pool.spidernet.net
02/10/09 06:10:34:485 -- (10428) - Mail From and Mail To are equal -
02/10/09 06:10:34:485 -- (10428) 217.175.222.231 - Mail from: bins@xxx.com To: bins@xxx.com will be rejected
02/10/09 06:10:34:485 -- (10428) Bypassed all rules for: bins@xxx.com from bins@xxx.com ( AutoWhiteList Force Delivery)
02/10/09 06:10:36:673 -- (10428) Bypassed all rules for: bins@xxx.com from bins@xxx.com
02/10/09 06:10:36:704 -- (10428) Start virus scan
02/10/09 06:10:36:720 -- (10428) EMail from bins@xxx.com to bins@xxx.com infected with the virus W32/Bagle.QS
02/10/09 06:10:36:720 -- (10428) Starting queueing procedures
02/10/09 06:10:36:720 -- (10428) EMail from bins@xxx.com to bins@xxx.com was queued. Size: 52 KB, 53248 bytes
02/10/09 06:10:36:735 -- (10428) Starting bayesian procedures
02/10/09 06:10:36:767 -- (2728) Sending email from bins@xxx.com to bins@xxx.com --
02/10/09 06:10:36:782 -- (10488) Time to add Msg to Bayes corpus:0
02/10/09 06:10:36:970 -- (10428) Disconnect
02/10/09 06:10:38:032 -- (2728) EMail from bins@xxx.com to bins@xxx.com --  was forwarded to a.b.c.d:25

LogSat, posted 10 February 2009 at 4:11pm
Lyndon, you are absolutely correct here, unfortunately. We were able to replicate this; it seems as if whitelisted individuals are treated incorrectly, and emails with viruses are incorrectly whitelisted as well.

We'll have a fix for this ASAP, hopefully within the next 12 hours or less.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

LogSat, posted 10 February 2009 at 4:59pm
Due to the urgency of the issue (and the fact that this bug is caused by a missing single line of code), we've just pre-released the fastest bug fix in our history, adding it to the current enhancements that were in the works. The updated build is 4.1.2.803 and it is available right now in the registered user area of our website.

The bug caused users who were whitelisted, either because they were added in the "Whitelisted Emails TO" or because of entries in the AutoWhiteList-forcedelivery filter, to receive unfiltered infected emails.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
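
An added example, not part of the thread and not LogSat's code: a Python script for auditing existing logs for infected messages that were queued for delivery anyway, keyed on the line shapes in the log excerpt from the first post. The function name is hypothetical, and the second sample session (20001) is constructed to show a detection that is not followed by queueing.

```python
import re

# Line shape taken from the log excerpt in the first post:
# "MM/DD/YY HH:MM:SS:mmm -- (session) message"
LINE = re.compile(r"^(\S+ \S+) -- \((\d+)\) (.*)$")
INFECTED = re.compile(r"EMail from (\S+) to (\S+) infected with the virus (\S+)")

# Session 10428 is copied from the post; session 20001 is constructed.
SAMPLE_LOG = """\
02/10/09 06:10:34:485 -- (10428) Bypassed all rules for: bins@xxx.com from bins@xxx.com ( AutoWhiteList Force Delivery)
02/10/09 06:10:36:704 -- (10428) Start virus scan
02/10/09 06:10:36:720 -- (10428) EMail from bins@xxx.com to bins@xxx.com infected with the virus W32/Bagle.QS
02/10/09 06:10:36:720 -- (10428) EMail from bins@xxx.com to bins@xxx.com was queued. Size: 52 KB, 53248 bytes
02/10/09 06:10:36:970 -- (10428) Disconnect
02/10/09 06:11:02:101 -- (20001) Start virus scan
02/10/09 06:11:02:120 -- (20001) EMail from a@example.com to b@example.com infected with the virus W32/Bagle.QS
02/10/09 06:11:02:300 -- (20001) Disconnect
"""

def find_delivered_infections(log_text):
    """Return one record per session where a virus hit was followed by queueing."""
    sessions, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected shape
        stamp, sid, msg = m.groups()
        state = sessions.setdefault(sid, {"bypassed": False, "hit": None})
        if msg.startswith("Bypassed all rules for:"):
            state["bypassed"] = True
        elif (hit := INFECTED.search(msg)):
            state["hit"] = {"time": stamp, "session": sid, "from": hit[1],
                            "to": hit[2], "virus": hit[3]}
        elif "was queued" in msg and state["hit"]:
            findings.append({**state["hit"], "whitelist_bypass": state["bypassed"]})
            state["hit"] = None  # report each infected message once
        elif msg == "Disconnect":
            sessions.pop(sid, None)  # session ids may be reused later in the log
    return findings

if __name__ == "__main__":
    for finding in find_delivered_infections(SAMPLE_LOG):
        print(finding)
```

Run against logs written before build 4.1.2.803, the records with `whitelist_bypass` set identify recipients who may need follow-up.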