
Possible virus loop hole?

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6612
Printed Date: 20 October 2017 at 11:10pm


Topic: Possible virus loop hole?
Posted By: lyndonje
Subject: Possible virus loop hole?
Date Posted: 10 February 2009 at 7:47am
Hello,

A customer has contacted me to say one of the users seems to have received an email containing a virus. I asked them to send me a copy of the email firstly to confirm it does actually contain a virus. After not receiving the email, and in checking the logs I found that the email they tried to send to me was rejected because it did contain a virus.

Having looked at the headers of the original email, which was only sent a few hours prior, I can see that the email did pass through our SF server. On checking the logs I can see that the TO and FROM address both matched, but were autowhitelisted, which seems to have taken priority over the fact SF detected a virus in the email? Log snippet below, using v.4.1.2.801

02/10/09 06:10:33:439 -- (10428) Connection from: 217.175.222.231  -  Originating country : Cyprus
02/10/09 06:10:34:251 -- (10428) Received MAIL FROM: <bins@xxx.com> SIZE=53856
02/10/09 06:10:34:439 -- (10428) Received RCPT TO: bins@xxx.com
02/10/09 06:10:34:485 -- (10428) Resolving 217.175.222.231 - 217-175-222-231.dyn-pool.spidernet.net
02/10/09 06:10:34:485 -- (10428) - Mail From and Mail To are equal -
02/10/09 06:10:34:485 -- (10428) 217.175.222.231 - Mail from: bins@xxx.com To: bins@xxx.com will be rejected
02/10/09 06:10:34:485 -- (10428) Bypassed all rules for: bins@xxx.com from bins@xxx.com ( AutoWhiteList Force Delivery)
02/10/09 06:10:36:673 -- (10428) Bypassed all rules for: bins@xxx.com from bins@xxx.com
02/10/09 06:10:36:704 -- (10428) Start virus scan
02/10/09 06:10:36:720 -- (10428) EMail from bins@xxx.com to bins@xxx.com infected with the virus W32/Bagle.QS
02/10/09 06:10:36:720 -- (10428) Starting queueing procedures
02/10/09 06:10:36:720 -- (10428) EMail from bins@xxx.com to bins@xxx.com was queued. Size: 52 KB, 53248 bytes
02/10/09 06:10:36:735 -- (10428) Starting bayesian procedures
02/10/09 06:10:36:767 -- (2728) Sending email from bins@xxx.com to bins@xxx.com --
02/10/09 06:10:36:782 -- (10488) Time to add Msg to Bayes corpus:0
02/10/09 06:10:36:970 -- (10428) Disconnect
02/10/09 06:10:38:032 -- (2728) EMail from bins@xxx.com to bins@xxx.com --  was forwarded to a.b.c.d:25



Replies:
Posted By: LogSat
Date Posted: 10 February 2009 at 4:11pm
Lyndon, you are absolutely correct here unfortunately. We were able to replicate this, it seems as if whitelisted individuals are treated incorrectly, and emails with viruses are incorrectly whitelisted as well.

We'll have a fix for this ASAP, hopefully within the next 12 hours or less.

-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: LogSat
Date Posted: 10 February 2009 at 4:59pm
Due to the urgency of the issue (and the fact that this bug is caused by a missing single line of code), we've just pre-released the fastest bug fix in our history, adding it to the current enhancements that were in the works. The updated build is 4.1.2.803 and it is available right now in the registered user area of our website.

The bug caused users who were whitelisted either because they were added in the "Whitelisted Emails TO" or because of entries in the AutoWhiteList-forcedelivery filter to receive unfiltered infected emails.

-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
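
For servers that ran a build older than 4.1.2.803, the log pattern shown in the first post (a virus detection followed by "was queued" on the same connection id) can be searched for to find messages that were delivered despite the detection. The script below is an added example, not LogSat code or part of the thread; the sample log is constructed, and the assumption that a correctly handled infected message shows no "was queued" line is ours.

```python
import re

# Line layout as in the log quoted in the thread: "<date> <time> -- (<id>) <message>"
LINE = re.compile(r"^(\S+ \S+) -- \((\d+)\) (.*)$")
INFECTED = re.compile(r"EMail from (\S+) to (\S+) infected with the virus (\S+)")

# Constructed sample (documentation addresses and IPs), not a real log.
SAMPLE_LOG = """\
02/10/09 06:10:33:439 -- (101) Connection from: 192.0.2.10
02/10/09 06:10:34:485 -- (101) Bypassed all rules for: a@example.com from a@example.com ( AutoWhiteList Force Delivery)
02/10/09 06:10:36:704 -- (101) Start virus scan
02/10/09 06:10:36:720 -- (101) EMail from a@example.com to a@example.com infected with the virus W32/Bagle.QS
02/10/09 06:10:36:720 -- (101) EMail from a@example.com to a@example.com was queued. Size: 52 KB, 53248 bytes
02/10/09 06:10:36:970 -- (101) Disconnect
02/10/09 06:11:00:000 -- (102) Connection from: 192.0.2.20
02/10/09 06:11:01:100 -- (102) EMail from b@example.com to c@example.com infected with the virus W32/Bagle.QS
02/10/09 06:11:01:200 -- (102) Disconnect
02/10/09 06:12:00:000 -- (103) Connection from: 192.0.2.30
02/10/09 06:12:01:000 -- (103) EMail from d@example.com to e@example.com was queued. Size: 2 KB, 2048 bytes
02/10/09 06:12:01:500 -- (103) Disconnect
"""

def find_delivered_infections(log_text):
    """Return sessions where a virus was detected and the message was still queued."""
    sessions, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected layout
        ts, sid, msg = m.groups()
        if msg.startswith("Connection from:"):
            sessions[sid] = {"bypassed": False, "virus": None}  # ids get reused
            continue
        s = sessions.setdefault(sid, {"bypassed": False, "virus": None})
        if msg.startswith("Bypassed all rules"):
            s["bypassed"] = True
        elif (hit := INFECTED.search(msg)):
            s.update(sender=hit[1], rcpt=hit[2], virus=hit[3])
        elif " was queued" in msg and s["virus"]:
            findings.append({"time": ts, "id": sid, "from": s["sender"],
                             "to": s["rcpt"], "virus": s["virus"],
                             "whitelist_bypass": s["bypassed"]})
            s["virus"] = None
        elif msg == "Disconnect":
            sessions.pop(sid, None)
    return findings

if __name__ == "__main__":
    for f in find_delivered_infections(SAMPLE_LOG):
        print(f)
```

The forwarding line in the original log is written under a different id than the receiving connection, so the script keys on "was queued" rather than on "was forwarded".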


